Summary
The merged-change revert guard (#287's fix, PR #288) cannot reach a conclusive answer in the environment it runs in: the sandboxed execute agent's checkout has no git credentials, so every history-deepening fetch in the guard fails, merge-base returns nothing, and the guard prints INCONCLUSIVE … failing closed — which, because the guard is prompt-embedded bash whose "fail closed" is an echo, blocks nothing. On the evaluated pilot run the guard was inconclusive on every invocation while two live #326-class incidents merged (one deleted doc never restored). The suite's only dedicated anti-revert control is inoperative in production.
Evidence
Guard source: .github/workflows/sdd-execute-sonnet.md:683 (same block in the opus/haiku variants) — the fetch ladder:
git fetch --no-tags --unshallow origin ... \
|| git fetch --no-tags --deepen=500 origin ... \
|| git fetch --no-tags origin ...
From a pilot execute-run agent transcript (run artifacts; see docs/specs/03-spec-run-evaluation/evidence/_retro-report.md):
fatal: could not read Username for 'https://github.com': No such device or address
revert-guard: INCONCLUSIVE: no merge-base with origin/main; failing closed
All three fetch forms fail identically (no credential helper in the agent sandbox; the checkout token is not persisted for ad-hoc git fetch), so the guard can only ever conclude INCONCLUSIVE on any branch whose shallow checkout lacks the divergence point — i.e. precisely the stale-base branches the guard exists to catch. The run then proceeds: "failing closed" has no enforcement teeth (no exit, no required check; downstream behavior is up to the agent).
Consequences observed in the evaluated run (all post-#287-fix): an agent arch PR deleted a 308-line merged spike doc with green checks (never restored); a later PR's initial diff was a five-way stale-base revert bundle that sat warning-only for 13.5 h. The #326 generalization (net-diff-vs-main as a required, re-run-on-push check) remains the real fix; this issue covers making the existing guard operative meanwhile.
Fix
- Give the guard a working fetch path: persist credentials for the agent's git (or pre-deepen the checkout in the workflow's deterministic setup steps, before the agent runs —
fetch-depth: 0 for the base branch ref costs little and removes the credential dependence entirely).
- Give "failing closed" teeth: run the guard as a deterministic step whose non-zero exit blocks PR creation/update, not as prompt bash — INCONCLUSIVE and REVERT-RISK should both be blocking outcomes with a needs-human hand-off, per the guard's own comment.
- Assert non-shallow before scanning and report a guard-self-failure distinctly from a clean pass (the run-evaluation spec's collector treats "the scan itself failed" as its own signal).
Related
#287 (origin incident + point fix), #317 (spec-side variant), #326 (open generalization this does not replace).
Summary
The merged-change revert guard (#287's fix, PR #288) cannot reach a conclusive answer in the environment it runs in: the sandboxed execute agent's checkout has no git credentials, so every history-deepening fetch in the guard fails,
merge-basereturns nothing, and the guard printsINCONCLUSIVE … failing closed— which, because the guard is prompt-embedded bash whose "fail closed" is anecho, blocks nothing. On the evaluated pilot run the guard was inconclusive on every invocation while two live #326-class incidents merged (one deleted doc never restored). The suite's only dedicated anti-revert control is inoperative in production.Evidence
Guard source:
.github/workflows/sdd-execute-sonnet.md:683(same block in the opus/haiku variants) — the fetch ladder:From a pilot execute-run agent transcript (run artifacts; see
docs/specs/03-spec-run-evaluation/evidence/_retro-report.md):All three fetch forms fail identically (no credential helper in the agent sandbox; the checkout token is not persisted for ad-hoc
git fetch), so the guard can only ever conclude INCONCLUSIVE on any branch whose shallow checkout lacks the divergence point — i.e. precisely the stale-base branches the guard exists to catch. The run then proceeds: "failing closed" has no enforcement teeth (no exit, no required check; downstream behavior is up to the agent).Consequences observed in the evaluated run (all post-#287-fix): an agent arch PR deleted a 308-line merged spike doc with green checks (never restored); a later PR's initial diff was a five-way stale-base revert bundle that sat warning-only for 13.5 h. The #326 generalization (net-diff-vs-main as a required, re-run-on-push check) remains the real fix; this issue covers making the existing guard operative meanwhile.
Fix
fetch-depth: 0for the base branch ref costs little and removes the credential dependence entirely).Related
#287 (origin incident + point fix), #317 (spec-side variant), #326 (open generalization this does not replace).