fix: resolve hub signing enforcement deadlock in new repos#545
Merged
dollspace-gay merged 4 commits intodevelopfrom Apr 1, 2026
Merged
fix: resolve hub signing enforcement deadlock in new repos#545dollspace-gay merged 4 commits intodevelopfrom
dollspace-gay merged 4 commits intodevelopfrom
Conversation
Three bugs combined into a deadlock where signing enforcement permanently blocked sync in new repos: 1. allowedSignersFile was never configured because configure_signing() only set it when the file already existed. Now creates an empty allowed_signers file and always configures the path, so signed commits are correctly classified as Invalid (untrusted) instead of Unsigned. 2. Bootstrap commits (init, key publication) are inherently unsigned but enforcement treated them the same as real unsigned commits. Added explicit bootstrap phase tracking via meta/bootstrap.json with "pending"/"complete" lifecycle. 3. No bootstrap awareness in enforcement. Now: - Pending: blocks with actionable instructions to run trust approve - Complete: filters bootstrap commits by message prefix - No state (old repos): full enforcement (backwards compat) Also fixes pre-existing smoke test failures: - Server API tests: capture and send Bearer auth token - Coordination tests: use --force for agent init after crosslink init - Update test using invalid "critical" priority to valid "high" - Milestone test: add sync before milestone creation - Integrity test: accept FAIL when counters exist but are stale Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Convert single-arm match to if/else (clippy::single_match_else) - Reformat long lines per rustfmt rules Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
During hub initialization, clean_dirty_state() and agent registration commits may be unsigned. Include their message prefixes in the bootstrap filter so they don't trip enforcement after bootstrap completion. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The init commit that creates locks.json is always unsigned (signing isn't configured yet). The locks signature display now recognizes bootstrap commits and reports them without a scary WARNING. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
allowedSignersFilewas never configured, bootstrap commits were inherently unsigned, and enforcement had no bootstrap awarenessmeta/bootstrap.json) with pending/complete lifecycle — enforcement blocks with actionable instructions during pending, filters bootstrap commits when completeTest plan
signing_enforcement: "enforced"→ clear bootstrap pending errorcrosslink trust approve→ sync succeeds, enforcement activeCloses #644
🤖 Generated with Claude Code