demo: playground.sh — hands-on guarded session to verify every capability#17
Merged
Conversation
…capability recovery-demo.sh tells ONE story (auto pass/fail). playground.sh lets you drive the tool yourself: it drops you into a real guarded shell (git = the shim) with a cheat-sheet, and you type each command and watch the guardrail react — the best way to build trust in what agentic-git actually does. Eight scenes, each `try / expect / verify`: isolation, the deny matrix (cross-branch, worktree, push-guard incl. a trust-root secret-leak block), the provenance trailer, one-command recovery (run in-shell via $AGENTIC_GIT_BIN), containment (even in a stand-in of YOUR real checkout the agent can't move HEAD), and an audited bypass (override a guard, see your exact argv in the event log). Design shaped with an adversarial review (fugu): three-line cheat-sheet, restore runnable inside the shell (not exit-then-script), bypass demoted to an optional side-effect-light final scene, dummy LOCAL origin so push-guard scenes are real but never hit the network, and TTY detection so `--scripted`/non-TTY never hangs. Setup uses throwaway repos in a temp dir (removed on exit); never pushes to a real remote. Verified: `--scripted` asserts all eight scenes; the interactive path was driven through a PTY (cheat-sheet renders, typed `git checkout main` is denied by the shim, `exit` returns cleanly). shellcheck clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
A hands-on scenario the operator can run to verify agentic-git's capabilities by hand — complementing
recovery-demo.sh(which tells one story, auto pass/fail).playground.shdrops you into a real guarded shell (git = the shim) with a cheat-sheet; you type each command and watch the guardrail react.Designed with an adversarial review pass (fugu). No
src/changes.Eight scenes (each
try / expect / verify)① isolation · ② cross-branch deny · ③ worktree deny · ④ provenance trailer · ⑤ push guard (
--mirror+ a trust-root secret-leak block) · ⑥ one-command recovery (run in-shell via$AGENTIC_GIT_BIN) · ⑦ containment (even in a stand-in of your real checkout, the agent can't move HEAD) · ⑧ audited bypass (override a guard, see your exactargvin the event log).Design decisions (from the fugu round)
bypass git push --mirrorto the throwaway origin — the op ⑤ just blocked — not a branch/HEAD-moving op, which #2234 hard-denies under bypass anyway).originso push-guard scenes are real yet never hit the network.--scripted/ non-TTY runs every scene + asserts (CI-safe, never hangs on an interactive shell).Verification
./demo/playground.sh --scripted→ asserts all 8 scenes ✓git checkout mainis denied by the shim,$AGENTIC_GIT_BIN versionresolves in-session,exitreturns cleanly ✓shellcheckclean.🤖 Generated with Claude Code