Xor

.codex/config.toml

@@ -5,13 +5,14 @@
 
 approval_policy = "on-request"      # work inside the sandbox without prompts; ask to cross the boundary
 sandbox_mode    = "workspace-write" # read repo, edit workspace, run local commands
-web_search      = "disabled"        # no external integrations (D5)
+web_search      = "disabled"        # no external integrations
 
 [features]
 hooks = true
 
 [sandbox_workspace_write]
-# Network OFF by design (v1). This blocks `git push` (good) AND `git fetch` — so there is NO
+# Network OFF by design. This blocks `git push` (good) AND `git fetch` — so there is NO
 # in-session fetch on Codex; refresh remote state OUTSIDE the session first (see docs/agent-config.md).
-# Intentional deviation from scope D4's "fetch allowed" line — pending human sign-off.
+# Keeping fetch outside the session is the deliberate trade-off: enabling network would remove the
+# sandbox layer from the push denial.
 network_access = false

.codex/rules/agent-lab.rules

@@ -2,13 +2,13 @@
 # Codex execpolicy: allow local git + forbid remote git/PR. The PreToolUse guard
 # (tools/pretooluse-guard.sh) is the AUTHORITATIVE denier; these are belt-and-suspenders.
 # Token-based: path-prefixes and origin/* refs are guard-enforced, not expressible here.
-# CODEX_V1: 'git fetch' intentionally omitted — workspace-write sandbox is network-off.
+# 'git fetch' intentionally omitted — workspace-write sandbox is network-off.
 
 # -- allow: local git (clean token prefixes only; workspace-write auto-runs the rest) --
 prefix_rule(pattern = ["shellcheck"], decision = "allow", justification = "agent-lab lint")
 prefix_rule(pattern = ["git", "add"], decision = "allow", justification = "agent-lab local-git set")
 prefix_rule(pattern = ["git", "commit"], decision = "allow", justification = "agent-lab local-git set")
-# CODEX_V1: ["git","fetch"] N/A — network-off
+# ["git","fetch"] N/A — network-off
 prefix_rule(pattern = ["git", "switch"], decision = "allow", justification = "agent-lab local-git set")
 prefix_rule(pattern = ["git", "checkout"], decision = "allow", justification = "agent-lab local-git set")
 prefix_rule(pattern = ["git", "branch"], decision = "allow", justification = "agent-lab local-git set")

.devguard/README.md

@@ -10,7 +10,7 @@ Files:
 Example:
 
 ```bash
-./scripts/dev/guard-diff M2
+./scripts/dev/guard-diff release
 ```
 
-Then `.devguard/forbid-M2.txt` is applied in addition to defaults.
+Then `.devguard/forbid-release.txt` is applied in addition to defaults.

.github/CONTRIBUTING.md

@@ -0,0 +1,26 @@
+# Contributing to agent-lab
+
+**This project does not accept contributions from non-members.**
+
+Pull requests and issues from anyone who is not a member of the organization will be closed without review.
+
+## Why?
+
+`agent-lab` is a specialized, opinionated containment lab. It is developed under a strict internal process (see `AGENTS.md`, `doctrine/`, and the guard tooling) to maintain its security and design invariants. We do not have the bandwidth or model to review external contributions.
+
+## What you _can_ do
+
+- Use the code locally for your own experiments (Apache 2.0 license).
+- Fork the repository for personal or internal use.
+- File issues **only** if you are a member (they will still be triaged internally).
+- Report security issues privately (see [SECURITY.md](../SECURITY.md)).
+
+## For organization members
+
+- Follow the documented internal workflow.
+- Never push or open PRs from outside the defined process.
+- Work is done on agent branches; the human owns the remote gate.
+
+If you have questions about usage of the lab itself (running your own copy), the README and docs inside the repo are the authoritative source. There is no separate public support channel.
+
+Thank you for understanding.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,30 @@
+> **Note to external users:** This project does **not** accept contributions or bug reports from non-members. Issues opened by non-members will be closed. Please do not open this issue if you are not a member.
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Run '....'
+3. See error
+
+**Expected behavior**
+A clear description of what you expected to happen.
+
+**Environment (if relevant)**
+- OS: [e.g. Ubuntu 24.04]
+- Docker version:
+- Compose version:
+- Branch / commit:
+
+**Additional context**
+Add any other context about the problem here.
+
+**Screenshots or logs** (if applicable)
+
+---
+
+_Only members should submit this. External submissions will be closed._

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+blank_issues_enabled: false
+contact_links:
+  - name: 🔒 Security Vulnerability Report
+    url: https://github.com/uscient/agent-lab/blob/master/SECURITY.md
+    about: Please report security issues privately via the channel described in SECURITY.md. Do not open a public issue.
+  - name: ❓ Usage questions or help running the lab
+    url: https://github.com/uscient/agent-lab#readme
+    about: This repo is published for reference. Refer to the README, docs/, and code comments. We do not provide public user support or triage.
+  - name: 📖 Project documentation
+    url: https://github.com/uscient/agent-lab
+    about: Start with the README. Most answers are already in the repo.

.github/ISSUE_TEMPLATE/general_feedback.md

@@ -0,0 +1,9 @@
+> **Note:** This project does not accept external contributions, feature requests, or general feedback via GitHub issues from non-members. This issue will be closed.
+
+This repository is a reference implementation of a containment lab. 
+
+- For usage of the lab: read the README and files in the repo.
+- For security: see SECURITY.md and use the private reporting channel.
+- For everything else: this is not a community project accepting input from outside the organization.
+
+If you are a member and have legitimate internal feedback, please use the proper internal channels instead of (or in addition to) opening an issue.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,34 @@
+> **⚠️ Important policy notice**
+>
+> This repository **does not accept contributions from non-members of the organization**.
+>
+> Any pull request opened by a non-member will be closed without review or merge.
+>
+> If you are an authorized member, please delete the notice above and continue.
+
+---
+
+## Summary
+
+<!-- One line summary of the change -->
+
+## Motivation / Context
+
+<!-- Why is this change needed? -->
+
+## Changes
+
+<!-- Bullet list of what was done -->
+
+## Testing
+
+<!-- How was this tested locally or in the lab? -->
+
+## Checklist (members only)
+
+- [ ] Change is minimal and focused
+- [ ] Tests / validation scripts pass (`./scripts/dev/check ...`)
+- [ ] No secrets or policy violations introduced
+- [ ] Follows internal process (AGENTS.md / doctrine)
+
+If you are not a member, please close this PR instead of submitting.

.github/workflows/ci.yml

@@ -0,0 +1,42 @@
+name: CI
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches: [master, main]
+  pull_request:
+    branches: [master, main]
+
+permissions:
+  contents: read
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Install shellcheck
+        run: sudo apt-get update -qq && sudo apt-get install -y -qq shellcheck
+
+      - name: Lint
+        run: ./scripts/dev/lint-scripts
+
+      - name: Check + validate
+        run: |
+          ./scripts/dev/check default full
+          ./tools/validate.sh
+
+      - name: Build devbox
+        run: |
+          docker buildx build \
+            --cache-from type=gha \
+            --cache-to type=gha,mode=max \
+            --load \
+            -t agent-lab/devbox:local \
+            -f images/devbox/Dockerfile .

.github/workflows/codeql.yml

@@ -0,0 +1,30 @@
+name: CodeQL
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches: [master, main]
+  pull_request:
+    branches: [master, main]
+  schedule:
+    - cron: "0 6 * * 1"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: actions
+
+      - uses: github/codeql-action/analyze@v3

.gitignore

@@ -51,3 +51,7 @@ node_modules/
 # Docker compose override files may contain local paths or secrets
 compose.override.yaml
 compose.*.override.yaml
+
+# Temp location for machine account token (used for xor-machine auth while commits appear as xormania)
+# Will be deleted after setup. Never commit tokens.
+/tmp/ignore/