chore(infra): harden Claude session hook + add version-vs-tag publish guard#60
Merged
Summary

Two infra-only changes responding to org-wide tracking issues filed in runcycles/.github:

- `.claude/session-start-global-deny.sh` synced from the new canonical at `runcycles/.github/shared-config/` (tracks runcycles/.github#63)
- `.github/workflows/python-publish.yml` gained a version-vs-tag guard (Python analog of runcycles/.github#61)

Both are infra-only. No SDK source changed, no protocol impact, no version bump.

Changes

`.claude/session-start-global-deny.sh` (sync from canonical)

The script now (a) carries a top-of-file callout explaining that Part 2 mutates the `origin` remote of every sibling repo under `/home/user/*`, not just the current checkout, and (b) honors `CYCLES_CLAUDE_SKIP_REMOTE_REWRITE=1` to opt out of the multi-repo rewrite for local Claude Code runs. Part 1 (global MCP deny rules) is unchanged.

`.github/workflows/python-publish.yml` (new guard step)

Added `Verify pyproject version matches tag` between `setup-python` and the build. Runs only on tag-triggered builds (`refs/tags/v*`). Reads `pyproject.toml`'s `project.version` via `tomllib` and fails fast if the declared version doesn't match the tag — e.g., tag `v0.5.0` against `pyproject.toml` still on `0.4.1` or a `dev0` pre-release.

PyPI already rejects duplicate versions server-side, so the actual harm without this guard is a noisy late-stage failure rather than a wrong publish. The guard surfaces the operator error before the build/upload phase.

`AUDIT.md`

Appended `Infrastructure Hardening (added 2026-05-12)` section. Explicit "Protocol conformance: unchanged" — these are CI/Claude-config changes, no SDK source touched, test suite unaffected.

Not in this PR (follow-up)

The third related issue is runcycles/.github#60 — bumping the reusable-workflow ref `ci.yml@main` → `@v1`.

That bump is blocked on the `v1` tag being cut in runcycles/.github, which is in turn blocked on runcycles/.github#64 merging (the canonical-script PR). Splitting it out keeps this PR safe to merge anytime without breaking CI.

Test plan

- `python -m yaml.safe_load` parses `python-publish.yml`
- `bash -n` on `.claude/session-start-global-deny.sh`
- `pyproject.toml` version and verify the workflow fails at the verify step, not at the upload step
- `CYCLES_CLAUDE_SKIP_REMOTE_REWRITE=1` set and confirm sibling repo `origin` URLs are untouched