docs: add changelog entries and subagent limitation note
Document the scope pruning changes in CHANGELOG.md (Changed, Removed
sections) and add a DECISIONS.md entry noting that subagents don't
read CLAUDE.md directives -- a known template limitation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
docs/CHANGELOG.md
17 lines changed: 17 additions & 0 deletions
@@ -7,6 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
8
8
## [Unreleased]
9
9
10
+
### Changed
11
+
- Security model simplified to 2-layer exfiltration defense: iptables firewall (primary) blocks non-approved network domains; `dangerous-actions-blocker.sh` (narrowed) blocks exfiltration via trusted channels (gh gist, gh issue --body, package publishing, secrets in args) -- local destruction (rm -rf, sudo, etc.) is no longer blocked since devcontainer is disposable
12
+
- CLAUDE.md Security section rewritten to describe the 2-layer defense model instead of listing individual hooks
13
+
- Devcontainer simplified: permission tiers removed, single settings.json baseline for all environments
14
+
15
+
### Removed
16
+
- Permission tier system (`.devcontainer/permissions/tier1-assisted.json`, `tier2-autonomous.json`, `tier3-full-trust.json`) and `PERMISSION_TIER` env var -- single settings.json baseline replaces graduated tiers
17
+
-`devcontainer-policy-blocker.sh` hook -- tier-dependent policy enforcement no longer needed
18
+
-`output-secrets-scanner.sh` hook -- conversation leaks to Anthropic are accepted risk
19
+
-`unicode-injection-scanner.sh` hook -- exotic threat with low practical risk
20
+
-`test-on-change.sh` hook -- informational-only hook that added latency without preventing issues
21
+
- All slash commands (`/cove`, `/cove-isolated`, `/security-audit`) -- niche utilities that added complexity without proportional value
22
+
- 6 agents: `agent-auditor`, `security-auditor`, `output-evaluator`, `acceptance-criteria-validator`, `implementation-tracker`, `refactoring-specialist` -- pruned to the 6 agents directly used by the QSP workflow
23
+
-`/edit-permissions` skill -- permission tier system removed
24
+
-`docs/ARCHITECTURE_GUIDE.md`, `docs/DEVCONTAINER_PERMISSIONS.md`, `docs/community/` -- supporting docs for removed features
25
+
- Local destruction patterns from `dangerous-actions-blocker.sh` (`rm -rf`, `sudo`, `DROP DATABASE`, `git push --force`, etc.) -- devcontainer is disposable, these blocks added friction without security value
26
+
10
27
### Added
11
28
- Architecture Deep Dive guide (`docs/ARCHITECTURE_GUIDE.md`) explains why each component exists, what it does under the hood, and what happens if you remove or modify it -- covers all hooks, agents, skills, rules, configuration files, devcontainer layers, and CI/CD workflows with a defense-in-depth diagram and customization guide
12
29
-`/landed` skill for post-merge lifecycle -- verifies merge CI, optionally checks deployments (via `.claude/deploy.json`), cleans up feature branches, and identifies the next phase for P-scope work
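Review bot: the Removed section lists `docs/ARCHITECTURE_GUIDE.md` as deleted ("supporting docs for removed features"), but the unchanged Added section of the same Unreleased block still advertises the "Architecture Deep Dive guide (`docs/ARCHITECTURE_GUIDE.md`)" with its defense-in-depth diagram and customization guide. A reader of this release would be told a file both exists and was removed; drop or reword the Added entry in this commit so the section is self-consistent. Two smaller points: the Changed bullet ("local destruction ... is no longer blocked since devcontainer is disposable") and the last Removed bullet ("Local destruction patterns from `dangerous-actions-blocker.sh` ...") say the same thing, so one could reference the other; and the `output-secrets-scanner.sh` bullet records an accepted risk ("conversation leaks to Anthropic are accepted risk") in a changelog line only, which is the kind of decision the project keeps in `docs/DECISIONS.md`, so a pointer to the corresponding DECISIONS entry would keep the rationale discoverable.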
docs/DECISIONS.md
10 lines changed: 10 additions & 0 deletions
@@ -105,6 +105,16 @@ When a decision is superseded or obsolete, delete it (git history preserves the
105
105
- Wildcard domains (e.g., `*.example.com`) are skipped with a warning -- DNS cannot resolve wildcard patterns to IPs
106
106
- WebFetch settings changes take effect on container restart (`init-firewall.sh` runs from `postStartCommand`)
107
107
108
+
## 2026-03-18: Subagent CLAUDE.md Limitation
109
+
110
+
**Observation**: Spawned subagents (via the Agent tool) do not read CLAUDE.md or project instructions. They only follow what the parent agent includes in the prompt. This means directives like "use `uv run` for all commands" are silently ignored by subagents unless explicitly passed through.
111
+
112
+
**Decisions**:
113
+
- Known template limitation -- subagents must receive key directives in their spawn prompt
114
+
- Agent `.md` files could include critical directives (e.g., "use `uv run`") but this duplicates CLAUDE.md and creates drift risk
115
+
- For this template repo specifically, `uv run` fails due to `{{project_name}}` placeholders, so `python -m pytest` is the correct fallback
116
+
- No code change for now; document as a known limitation
117
+
108
118
## 2026-03-18: Security Model Simplification
109
119
110
120
**Request**: Prune security infrastructure to essentials. Remove permission tiers,
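Review bot: the Observation only uses `uv run` as its example of a silently dropped directive, but the entry should also spell out the security consequence, since the same commit rewrites the CLAUDE.md Security section to describe the 2-layer defense model. Anything in that section that relies on the model following written guidance is likewise invisible to spawned subagents, so the Decisions list should state explicitly that the defenses expected to hold for subagents are the enforcement layers named elsewhere on this page (the iptables firewall and the `dangerous-actions-blocker.sh` hook), not CLAUDE.md text, and that any instruction-level guardrail the parent cares about has to be repeated in the spawn prompt. Suggest a bullet along the lines of "Security controls must not depend on CLAUDE.md being read; firewall and hooks are the enforcement layer for subagents." The third bullet ("`uv run` fails due to `{{project_name}}` placeholders, so `python -m pytest` is the correct fallback") is a template-repo workaround rather than a decision about the limitation; moving it to a Notes line would keep the Decisions list focused.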