fix: add scope-lock-apply helper to unblock autonomous pipeline lock step#27
Merged
Conversation
The pre-tool-scope-guard hook blocks Write/Edit/MultiEdit tool calls to *.scope-lock paths unconditionally. The scope-lock skill had no in-session way to write the lock file: using the Write tool was blocked, and setting SUPERPOWERS_SCOPE_LOCK_WRITE=1 via Bash was also blocked by the self-bypass prevention logic. Fix: add hooks/scope-lock-apply, a dedicated helper the scope-lock skill invokes via the Bash tool. Shell redirection is not gated by the Write tool guard, so the hook never fires. The script extracts the Scope Manifest section using the same awk pattern as tests/plan-scope-check.sh, computes sha256 portably (sha256sum or shasum -a 256), and writes <plan>.scope-lock. Update SKILL.md (scope-lock and alignment-check) to replace the naive "compute sha256 and write the file" instruction with the explicit helper invocation. Update the pre-tool-scope-guard block message to point agents at the helper instead of the now-misleading SUPERPOWERS_SCOPE_LOCK_WRITE env var note. Agent-Logs-Url: https://github.com/GoCodeAlone/claude-superpowers/sessions/5f1aafea-9d74-4c24-be43-32e5f16de6b7 Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix scope-lock skill write step under default install
fix: add scope-lock-apply helper to unblock autonomous pipeline lock step
May 7, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a dedicated scope-lock-apply helper script to allow the autonomous pipeline to generate <plan>.scope-lock files without using the Write/Edit tools (which are intentionally blocked for *.scope-lock), and updates skill docs + guard messaging to point to this sanctioned path.
Changes:
- Introduces
hooks/scope-lock-applyto extract the## Scope Manifestsection, compute SHA-256 portably, and write<plan>.scope-lock. - Updates
skills/scope-lock/SKILL.mdandskills/alignment-check/SKILL.mdto explicitly invoke the helper via Bash instead of using the Write tool. - Updates
hooks/pre-tool-scope-guardmessaging to direct users to the helper when.scope-lockwrites are blocked.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| skills/scope-lock/SKILL.md | Documents the new Bash-helper-based lockfile write procedure. |
| skills/alignment-check/SKILL.md | Aligns alignment-check’s PASS steps with the new helper invocation. |
| hooks/scope-lock-apply | New helper to compute and write <plan>.scope-lock deterministically/portably. |
| hooks/pre-tool-scope-guard | Updates comments and the block message to recommend scope-lock-apply. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
145
to
148
| if printf '%s' "$fpath" | grep -qE '\.scope-lock$'; then | ||
| if [ "${SUPERPOWERS_SCOPE_LOCK_WRITE:-}" != "1" ]; then | ||
| block "Writing to '$(basename "$fpath")' is blocked — .scope-lock files are written exclusively by the scope-lock skill during alignment-check PASS. Direct edits break the manifest integrity guarantee and allow silent scope tampering. To update the lock legitimately: go through the unlock path (recording-decisions → update manifest → re-run alignment-check), which will regenerate the lock file." | ||
| block "Writing to '$(basename "$fpath")' is blocked — .scope-lock files must be written by the scope-lock skill's helper, not via the Write tool. Run: bash \"\${CLAUDE_PLUGIN_ROOT}/hooks/scope-lock-apply\" <plan-path>. The helper extracts the Scope Manifest section, computes its sha256, and writes the lock file via shell redirection (which is not blocked). Direct Write/Edit calls break the manifest integrity guarantee and allow silent scope tampering. To update the lock legitimately after a scope reduction: go through the unlock path (recording-decisions → update manifest → re-run alignment-check → re-run scope-lock-apply)." | ||
| fi |
Contributor
|
@copilot apply changes based on the comments in this thread |
…and break up long block message - Header comment now documents both override paths (agent: scope-lock-apply via Bash; operator: SUPERPOWERS_SCOPE_LOCK_WRITE=1) instead of mentioning only the new helper - Inline section comment updated to match, explicitly calling out both paths - Long block reason string broken into named-variable segments for readability and safer future edits Agent-Logs-Url: https://github.com/GoCodeAlone/claude-superpowers/sessions/b771bd78-7761-446e-b094-f26f0b0e2a38 Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
Contributor
Author
Done in ed32867:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
hooks/scope-lock-applyhelper script (computes sha256 of manifest, writes.scope-lockvia shell — bypasses the Write-tool gate)skills/scope-lock/SKILL.mdto instruct the agent to call the helper via Bash instead of using the Write toolskills/alignment-check/SKILL.mdwith same helper invocation descriptionhooks/pre-tool-scope-guard— header and inline comments now document both the agent path (scope-lock-apply) and the operator path (SUPERPOWERS_SCOPE_LOCK_WRITE=1); long block reason refactored into readable variable segmentsplan-scope-check.sh,skill-cross-refs.sh,skill-content-grep.sh)