potiuk opened a new pull request, #199:
URL: https://github.com/apache/airflow-steward/pull/199
## Summary
`setup-isolated-setup-install` now offers the operator a choice between
**per-project** scope (the existing behavior — configure the current adopter
repo only) and **whole-user** scope (configure every Claude-Code-aware git repo
on the host, existing and future, via a global `core.hooksPath` hook). The
choice is presented up front with a loud disclosure of the `core.hooksPath`
shadowing trade-off; the operator picks deliberately, never silently.
Builds on the project-local sandbox-allowlist fix from #198 — same helper
script, same write target (`<worktree>/.claude/settings.local.json`), but now
optionally invoked across every checkout on the host plus a global
`post-checkout` hook that keeps the allowlist current for any future `git
checkout` / `git clone` / `git worktree add`.
### What landed
- **New helper** `tools/agent-isolation/git-global-post-checkout.sh` —
universal `post-checkout` hook installed at `~/.claude/git-hooks/post-checkout`
when the operator picks whole-user scope. Two responsibilities (best-effort,
idempotent): (1) `setup-steward verify --auto-fix-symlinks` for steward-adopted
repos (detected via `.apache-steward.lock`); (2) `sandbox-add-project-root.sh`
for any project with a `.claude/` directory.
- **`setup-isolated-setup-install` Step P restructured:**
- **Step P.0** — `AskUserQuestion` between per-project (default) and
whole-user.
- **Step P.0a** — *only on whole-user choice* — loud disclosure block
explaining that `core.hooksPath` shadows every per-repo `.git/hooks/*` across
the host; pre-commit / commit-msg / pre-push / etc. need to be migrated into
`~/.claude/git-hooks/` if the operator wants them to keep firing. Explicit
acknowledgement required before proceeding. Reversal documented (`git config
--global --unset core.hooksPath`).
- **Step P.1** — install the script (both scopes).
- **Step P.2** — run helper for current project (per-project scope only).
- **Step P.2-whole-user** — prompt for walking root dirs (defaults:
`~/code/`, `~/projects/`, `~/dev/`, `~/work/`), depth-limited `find` with noise
exclusions, run helper on each found checkout. Settings-only — no per-repo hook
installs.
- **Step P.3-whole-user** — install the global `post-checkout` + `git
config --global core.hooksPath ~/.claude/git-hooks/`. Reiterates the shadowing
implication.
- **`setup-isolated-setup-verify` Check 8** gains a scope-detection
sub-check: reads `git config --global core.hooksPath`; if pointing at the
framework's path, verifies the global `post-checkout` exists, is executable,
matches the framework source. Surfaces a one-line informational note every run
when whole-user scope is in effect ("per-repo hooks are inert across the host —
chosen during install").
- **`setup-isolated-setup-update`** drift-check coverage extended to include
`~/.claude/git-hooks/post-checkout` when whole-user scope is detected.
- **`docs/setup/secure-agent-setup.md`** — new subsection *Per-project vs
whole-user scope* with the scope-comparison table, the `core.hooksPath`
shadowing trade-off, the "when to pick which" guidance, and the reversal
command.
- **`tools/agent-isolation/README.md`** — table row for the new global hook
script.
## Test plan
- [ ] Run `/setup-isolated-setup-install` on a host where `core.hooksPath`
is unset; pick **per-project**; confirm no global git config is touched and
only the current repo's `settings.local.json` is populated.
- [ ] Run `/setup-isolated-setup-install` again, this time picking
**whole-user**; confirm the loud disclosure fires, the walking pass enumerates
the prompted root dirs, each found checkout with `.claude/` gets
`settings.local.json` populated, `~/.claude/git-hooks/post-checkout` is
installed and executable, and `git config --global --get core.hooksPath`
resolves to `~/.claude/git-hooks`.
- [ ] After whole-user setup, run `git clone <some-repo>` and confirm the
new clone's initial checkout fires the global hook (verify by inspecting that
the clone's `.claude/settings.local.json` is populated if a `.claude/` is
present, or that no error fires otherwise).
- [ ] On a clean repo with no `.claude/`, confirm the global hook is a
silent no-op (no `.claude/` created, no error).
- [ ] `git config --global --unset core.hooksPath`; run
`/setup-isolated-setup-verify`; confirm scope-detection sub-check reports
per-project mode.
- [ ] Edit `~/.claude/git-hooks/post-checkout` to introduce drift; run
`/setup-isolated-setup-update`; confirm the drift is surfaced.
- [ ] Confirm a non-steward project with a `.claude/` dir gets its
`settings.local.json` populated by the walking pass without any
steward-specific artefacts leaking in.
Generated-by: Claude Code (Opus 4.7)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
