potiuk opened a new pull request, #86:
URL: https://github.com/apache/airflow-steward/pull/86
## Summary
- `sandbox.filesystem.allowWrite` is added with `~/.cache/` and
  `~/.local/share/uv/`. Without write access to these paths, common
  dev-loop tools fail under the sandbox: `uv` cannot open
  `~/.cache/uv/sdists-v9/.git`, `prek` cannot write `~/.cache/prek/prek.log`,
  and `ruff`/`mypy` cannot maintain their on-disk caches.
- `sandbox.filesystem.allowRead` is broadened from `~/.cache/uv/` to
  `~/.cache/` so the read side covers the same dev-tool caches that
  the new write entry covers.
- Adopter-setup docs gain a note about the `--worktree` agent-isolation
  case: sibling agent worktrees and the main repo's `.git/` need read
  access to the parent path that contains them, which is
  project-specific (e.g. adopters whose checkout sits at
  `~/code/<project>/` should add that directory to `allowRead`).
## Test plan
- [x] `prek run --files .claude/settings.json docs/setup/secure-agent-setup.md`
  — all relevant hooks (markdownlint, typos, TOC, EOF/whitespace
  checks) pass.
- [x] In a live Airflow contributor session, the same change applied
  to `~/.claude/settings.json` unblocked `uv run`, `prek run`, and
  `git` operations on agent worktrees that previously failed with
  `Operation not permitted` on `~/.cache/uv/sdists-v9/.git` and
  `~/.cache/prek/prek.log`.
- [ ] CI: `prek run --all-files` and `zizmor` (auto-run on PR).
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Opus 4.7 (1M context)
Generated-by: Claude Opus 4.7 (1M context) following the framework's
agent-authored-fixes pattern.
--
This is an automated message from the Apache Git Service.
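A small least-privilege checker for the sandbox allow-lists discussed in this PR, added here as an example that is not part of the PR or of the airflow-steward project. It assumes `allowRead`/`allowWrite` entries match as path prefixes (the real sandbox rules may differ), a constructed home directory, and the hypothetical `audit`/`covers` helper names.

```python
"""Audit a Claude Code settings.json sandbox section against the paths the PR names.

Added example, not from the PR. Assumes allowRead/allowWrite entries are
path prefixes under the user's home; the real sandbox matching may differ.
"""
import json
from pathlib import PurePosixPath

# Constructed settings fragment mirroring the PR's change (keys taken from the PR).
SETTINGS_JSON = """
{
  "sandbox": {
    "filesystem": {
      "allowRead": ["~/.cache/"],
      "allowWrite": ["~/.cache/", "~/.local/share/uv/"]
    }
  }
}
"""

# Fixed, constructed home so the check is deterministic on any machine.
HOME = "/home/dev"
# Paths the PR reports dev tools must be able to write under the sandbox.
NEEDED_WRITES = [
    "~/.cache/uv/sdists-v9/.git",
    "~/.cache/prek/prek.log",
]
# Entries this broad would make the sandbox meaningless; flag them in review.
TOO_BROAD = {"/", "~", "~/"}


def expand(path, home=HOME):
    """Expand a leading ~ against the fixed home directory."""
    if path == "~" or path.startswith("~/"):
        return home + path[1:]
    return path


def covers(entry, path, home=HOME):
    """True if `path` equals `entry` or lies beneath it (assumed prefix semantics)."""
    e = PurePosixPath(expand(entry, home))
    p = PurePosixPath(expand(path, home))
    return p == e or e in p.parents


def audit(settings_text, needed_writes=NEEDED_WRITES, home=HOME):
    """Report needed paths no allowWrite entry covers, and dangerously broad entries."""
    fs = json.loads(settings_text)["sandbox"]["filesystem"]
    allow_write = fs.get("allowWrite", [])
    allow_read = fs.get("allowRead", [])
    uncovered = [p for p in needed_writes
                 if not any(covers(e, p, home) for e in allow_write)]
    too_broad = [e for e in allow_write + allow_read if e in TOO_BROAD]
    return {"uncovered": uncovered, "too_broad": too_broad}


if __name__ == "__main__":
    print(audit(SETTINGS_JSON))
```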