Skip to content

demo: playground.sh — hands-on guarded session to verify every capability#17

Merged
suzuke merged 1 commit into
mainfrom
demo/playground-scenario
Jul 5, 2026
Merged

demo: playground.sh — hands-on guarded session to verify every capability#17
suzuke merged 1 commit into
mainfrom
demo/playground-scenario

Conversation

@suzuke

@suzuke suzuke commented Jul 5, 2026

Copy link
Copy Markdown
Owner

What

A hands-on scenario the operator can run to verify agentic-git's capabilities by hand — complementing recovery-demo.sh (which tells one story, auto pass/fail). playground.sh drops you into a real guarded shell (git = the shim) with a cheat-sheet; you type each command and watch the guardrail react.

Designed with an adversarial review pass (fugu). No src/ changes.

Eight scenes (each try / expect / verify)

① isolation · ② cross-branch deny · ③ worktree deny · ④ provenance trailer · ⑤ push guard (--mirror + a trust-root secret-leak block) · ⑥ one-command recovery (run in-shell via $AGENTIC_GIT_BIN) · ⑦ containment (even in a stand-in of your real checkout, the agent can't move HEAD) · ⑧ audited bypass (override a guard, see your exact argv in the event log).

Design decisions (from the fugu round)

  • Restore runnable inside the shell, not exit-then-script.
  • Bypass demoted to an optional, side-effect-light final scene (bypass git push --mirror to the throwaway origin — the op ⑤ just blocked — not a branch/HEAD-moving op, which #2234 hard-denies under bypass anyway).
  • A local bare origin so push-guard scenes are real yet never hit the network.
  • TTY detection: --scripted / non-TTY runs every scene + asserts (CI-safe, never hangs on an interactive shell).

Verification

  • ./demo/playground.sh --scripted → asserts all 8 scenes ✓
  • Interactive path driven through a PTY: cheat-sheet renders, typed git checkout main is denied by the shim, $AGENTIC_GIT_BIN version resolves in-session, exit returns cleanly ✓
  • shellcheck clean.

🤖 Generated with Claude Code

…capability

recovery-demo.sh tells ONE story (auto pass/fail). playground.sh lets you drive
the tool yourself: it drops you into a real guarded shell (git = the shim) with
a cheat-sheet, and you type each command and watch the guardrail react — the
best way to build trust in what agentic-git actually does.

Eight scenes, each `try / expect / verify`: isolation, the deny matrix
(cross-branch, worktree, push-guard incl. a trust-root secret-leak block), the
provenance trailer, one-command recovery (run in-shell via $AGENTIC_GIT_BIN),
containment (even in a stand-in of YOUR real checkout the agent can't move HEAD),
and an audited bypass (override a guard, see your exact argv in the event log).

Design shaped with an adversarial review (fugu): three-line cheat-sheet, restore
runnable inside the shell (not exit-then-script), bypass demoted to an optional
side-effect-light final scene, dummy LOCAL origin so push-guard scenes are real
but never hit the network, and TTY detection so `--scripted`/non-TTY never hangs.

Setup uses throwaway repos in a temp dir (removed on exit); never pushes to a
real remote. Verified: `--scripted` asserts all eight scenes; the interactive
path was driven through a PTY (cheat-sheet renders, typed `git checkout main` is
denied by the shim, `exit` returns cleanly). shellcheck clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@suzuke suzuke merged commit 27167f3 into main Jul 5, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant