claude-dev-env 1.41.0 → 1.43.0

package/_shared/pr-loop/scripts/tests/test_agent_config_carveout.py

@@ -0,0 +1,385 @@
+"""Behavior tests for the agent-config carve-out and stale-trust-entry purge.
+
+Covers two Bugbot findings on PR #467:
+  - Deny rules must be written to permissions.deny so agent-config edits
+    require explicit per-edit user approval.
+  - Trust entries in autoMode.environment must be purged on grant
+    (preventing accumulation across template revisions) and removed on
+    revoke regardless of the exact template wording.
+"""
+
+from __future__ import annotations
+
+import importlib.util
+import json
+import sys
+from pathlib import Path
+from types import ModuleType
+from typing import Any
+
+import pytest
+
+
+def _load_module_from_path(module_name: str, module_path: Path) -> ModuleType:
+    specification = importlib.util.spec_from_file_location(module_name, module_path)
+    assert specification is not None
+    assert specification.loader is not None
+    module = importlib.util.module_from_spec(specification)
+    specification.loader.exec_module(module)
+    return module
+
+
+def _scripts_directory() -> Path:
+    return Path(__file__).parent.parent
+
+
+def _load_common_module() -> ModuleType:
+    scripts_directory = _scripts_directory()
+    scripts_directory_str = str(scripts_directory.resolve())
+    if scripts_directory_str not in sys.path:
+        sys.path.insert(0, scripts_directory_str)
+    return _load_module_from_path(
+        "_claude_permissions_common",
+        scripts_directory / "_claude_permissions_common.py",
+    )
+
+
+def _load_grant_module() -> ModuleType:
+    scripts_directory = _scripts_directory()
+    scripts_directory_str = str(scripts_directory.resolve())
+    if scripts_directory_str not in sys.path:
+        sys.path.insert(0, scripts_directory_str)
+    return _load_module_from_path(
+        "grant_project_claude_permissions",
+        scripts_directory / "grant_project_claude_permissions.py",
+    )
+
+
+def _load_revoke_module() -> ModuleType:
+    scripts_directory = _scripts_directory()
+    scripts_directory_str = str(scripts_directory.resolve())
+    if scripts_directory_str not in sys.path:
+        sys.path.insert(0, scripts_directory_str)
+    return _load_module_from_path(
+        "revoke_project_claude_permissions",
+        scripts_directory / "revoke_project_claude_permissions.py",
+    )
+
+
+def _load_constants_module() -> ModuleType:
+    return _load_module_from_path(
+        "pr_loop_shared_constants.claude_permissions_constants",
+        _scripts_directory()
+        / "pr_loop_shared_constants"
+        / "claude_permissions_constants.py",
+    )
+
+
+def _seed_grant_then_run(
+    fake_settings_path: Path,
+    fake_project_root: Path,
+    monkeypatch: pytest.MonkeyPatch,
+    pre_existing_settings: dict[str, Any],
+) -> None:
+    fake_settings_path.write_text(json.dumps(pre_existing_settings), encoding="utf-8")
+    grant_module = _load_grant_module()
+    monkeypatch.setattr(
+        grant_module,
+        "get_claude_user_settings_path",
+        lambda: fake_settings_path,
+    )
+    monkeypatch.chdir(fake_project_root)
+    grant_module.grant_permissions_for_current_directory()
+
+
+def _seed_revoke_then_run(
+    fake_settings_path: Path,
+    fake_project_root: Path,
+    monkeypatch: pytest.MonkeyPatch,
+    pre_existing_settings: dict[str, Any],
+) -> None:
+    fake_settings_path.write_text(json.dumps(pre_existing_settings), encoding="utf-8")
+    revoke_module = _load_revoke_module()
+    monkeypatch.setattr(
+        revoke_module,
+        "get_claude_user_settings_path",
+        lambda: fake_settings_path,
+    )
+    monkeypatch.chdir(fake_project_root)
+    revoke_module.revoke_permissions_for_current_directory()
+
+
+def _make_fake_project(tmp_path: Path) -> Path:
+    fake_project_root = tmp_path / "fake_project"
+    (fake_project_root / ".claude").mkdir(parents=True)
+    return fake_project_root
+
+
+def _project_path_as_posix(fake_project_root: Path) -> str:
+    return str(fake_project_root).replace("\\", "/")
+
+
+def test_grant_writes_deny_rules_for_every_tool_and_pattern(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch, capsys: pytest.CaptureFixture[str]
+) -> None:
+    fake_project_root = _make_fake_project(tmp_path)
+    fake_settings_path = tmp_path / "settings.json"
+    constants_module = _load_constants_module()
+    _seed_grant_then_run(
+        fake_settings_path, fake_project_root, monkeypatch, pre_existing_settings={}
+    )
+    capsys.readouterr()
+    written_settings = json.loads(fake_settings_path.read_text(encoding="utf-8"))
+    deny_list = written_settings["permissions"]["deny"]
+    project_path_posix = _project_path_as_posix(fake_project_root)
+    for each_tool in constants_module.ALL_AGENT_CONFIG_DENY_TOOLS:
+        for each_pattern in constants_module.ALL_AGENT_CONFIG_PATH_PATTERNS:
+            expected_rule = f"{each_tool}({project_path_posix}/.claude/{each_pattern})"
+            assert expected_rule in deny_list, (
+                f"deny list missing expected rule {expected_rule!r}"
+            )
+
+
+def test_grant_writes_glob_deny_rules_for_every_agent_config_pattern(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch, capsys: pytest.CaptureFixture[str]
+) -> None:
+    """Glob must be in the deny tuple so agent-config paths require approval.
+
+    The AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE promises Edit/Write/Read/Glob
+    trust EXCEPT for agent-config files. Glob deny rules are how the EXCEPT
+    clause is honored for the Glob tool.
+    """
+    fake_project_root = _make_fake_project(tmp_path)
+    fake_settings_path = tmp_path / "settings.json"
+    constants_module = _load_constants_module()
+    _seed_grant_then_run(
+        fake_settings_path, fake_project_root, monkeypatch, pre_existing_settings={}
+    )
+    capsys.readouterr()
+    written_settings = json.loads(fake_settings_path.read_text(encoding="utf-8"))
+    deny_list = written_settings["permissions"]["deny"]
+    project_path_posix = _project_path_as_posix(fake_project_root)
+    assert "Glob" in constants_module.ALL_AGENT_CONFIG_DENY_TOOLS
+    assert "Glob" not in constants_module.ALL_PERMISSION_ALLOW_TOOLS
+    for each_pattern in constants_module.ALL_AGENT_CONFIG_PATH_PATTERNS:
+        expected_glob_rule = f"Glob({project_path_posix}/.claude/{each_pattern})"
+        assert expected_glob_rule in deny_list, (
+            f"deny list missing expected Glob rule {expected_glob_rule!r}"
+        )
+
+
+def test_grant_purges_stale_trust_entries_then_writes_current_template(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch, capsys: pytest.CaptureFixture[str]
+) -> None:
+    fake_project_root = _make_fake_project(tmp_path)
+    fake_settings_path = tmp_path / "settings.json"
+    project_path_posix = _project_path_as_posix(fake_project_root)
+    stale_entry_a = (
+        f"Trusted local workspace: {project_path_posix}/.claude/** old wording form A"
+    )
+    stale_entry_b = (
+        f"Trusted local workspace: {project_path_posix}/.claude/** "
+        f"different earlier wording"
+    )
+    unrelated_entry = "Some unrelated environment hint"
+    pre_existing_settings: dict[str, Any] = {
+        "autoMode": {
+            "environment": [stale_entry_a, stale_entry_b, unrelated_entry],
+        },
+    }
+    _seed_grant_then_run(
+        fake_settings_path,
+        fake_project_root,
+        monkeypatch,
+        pre_existing_settings=pre_existing_settings,
+    )
+    captured = capsys.readouterr()
+    written_settings = json.loads(fake_settings_path.read_text(encoding="utf-8"))
+    environment_list = written_settings["autoMode"]["environment"]
+    assert stale_entry_a not in environment_list
+    assert stale_entry_b not in environment_list
+    assert unrelated_entry in environment_list
+    matching_trust_entries = [
+        each_entry
+        for each_entry in environment_list
+        if isinstance(each_entry, str)
+        and each_entry.startswith("Trusted local workspace:")
+        and f"{project_path_posix}/.claude/**" in each_entry
+    ]
+    assert len(matching_trust_entries) == 1
+    assert "Stale auto-mode environment entries purged" in captured.out
+
+
+def test_revoke_removes_deny_rules(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch, capsys: pytest.CaptureFixture[str]
+) -> None:
+    fake_project_root = _make_fake_project(tmp_path)
+    fake_settings_path = tmp_path / "settings.json"
+    common_module = _load_common_module()
+    constants_module = _load_constants_module()
+    project_path_posix = _project_path_as_posix(fake_project_root)
+    all_deny_rules = common_module.build_agent_config_deny_rules(
+        project_path_posix,
+        constants_module.ALL_AGENT_CONFIG_DENY_TOOLS,
+        constants_module.ALL_AGENT_CONFIG_PATH_PATTERNS,
+    )
+    pre_existing_settings: dict[str, Any] = {
+        "permissions": {
+            "deny": list(all_deny_rules),
+        },
+    }
+    _seed_revoke_then_run(
+        fake_settings_path,
+        fake_project_root,
+        monkeypatch,
+        pre_existing_settings=pre_existing_settings,
+    )
+    capsys.readouterr()
+    written_settings = json.loads(fake_settings_path.read_text(encoding="utf-8"))
+    permissions_section = written_settings.get("permissions", {})
+    remaining_deny_list = permissions_section.get("deny", [])
+    for each_rule in all_deny_rules:
+        assert each_rule not in remaining_deny_list
+
+
+def test_revoke_removes_every_legacy_trust_entry_for_project(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    fake_project_root = _make_fake_project(tmp_path)
+    fake_settings_path = tmp_path / "settings.json"
+    project_path_posix = _project_path_as_posix(fake_project_root)
+    legacy_entry_a = (
+        f"Trusted local workspace: {project_path_posix}/.claude/** template revision A"
+    )
+    legacy_entry_b = (
+        f"Trusted local workspace: {project_path_posix}/.claude/** template revision B"
+    )
+    unrelated_other_project_entry = (
+        "Trusted local workspace: /some/other/project/.claude/** still valid"
+    )
+    pre_existing_settings: dict[str, Any] = {
+        "autoMode": {
+            "environment": [
+                legacy_entry_a,
+                legacy_entry_b,
+                unrelated_other_project_entry,
+            ],
+        },
+    }
+    _seed_revoke_then_run(
+        fake_settings_path,
+        fake_project_root,
+        monkeypatch,
+        pre_existing_settings=pre_existing_settings,
+    )
+    written_settings = json.loads(fake_settings_path.read_text(encoding="utf-8"))
+    environment_list = written_settings.get("autoMode", {}).get("environment", [])
+    assert legacy_entry_a not in environment_list
+    assert legacy_entry_b not in environment_list
+    assert unrelated_other_project_entry in environment_list
+
+
+def test_template_constant_documents_agent_config_carveout() -> None:
+    constants_module = _load_constants_module()
+    template_text = constants_module.AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE
+    assert "agent-config files always require explicit per-edit user approval" in (
+        template_text
+    )
+
+
+def test_is_trust_entry_for_project_predicate_filters_by_prefix_and_project_path() -> (
+    None
+):
+    common_module = _load_common_module()
+    project_path_posix = "/fake/proj"
+    trust_prefix = "Trusted local workspace:"
+    non_string_value: object = 42
+    assert (
+        common_module.is_trust_entry_for_project(
+            non_string_value, project_path_posix, trust_prefix
+        )
+        is False
+    )
+    wrong_prefix_entry = (
+        f"Something else: {project_path_posix}/.claude/** with marker token"
+    )
+    assert (
+        common_module.is_trust_entry_for_project(
+            wrong_prefix_entry, project_path_posix, trust_prefix
+        )
+        is False
+    )
+    different_project_entry = (
+        "Trusted local workspace: /other/project/.claude/** unrelated"
+    )
+    assert (
+        common_module.is_trust_entry_for_project(
+            different_project_entry, project_path_posix, trust_prefix
+        )
+        is False
+    )
+    matching_entry = (
+        f"Trusted local workspace: {project_path_posix}/.claude/** any wording form"
+    )
+    assert (
+        common_module.is_trust_entry_for_project(
+            matching_entry, project_path_posix, trust_prefix
+        )
+        is True
+    )
+
+
+def test_is_trust_entry_rejects_cross_project_path_suffix_collision() -> None:
+    """When the project_path is a path suffix of an unrelated entry's path,
+    the predicate must reject the unrelated entry (the boundary anchor case)."""
+    common_module = _load_common_module()
+    short_project_path = "/projects/foo"
+    trust_prefix = "Trusted local workspace:"
+    longer_unrelated_path_entry = (
+        "Trusted local workspace: /Users/jon/projects/foo/.claude/** unrelated path"
+    )
+    assert (
+        common_module.is_trust_entry_for_project(
+            longer_unrelated_path_entry, short_project_path, trust_prefix
+        )
+        is False
+    )
+    quoted_matching_entry = (
+        f'Trusted local workspace: "{short_project_path}/.claude/**" quoted form'
+    )
+    assert (
+        common_module.is_trust_entry_for_project(
+            quoted_matching_entry, short_project_path, trust_prefix
+        )
+        is True
+    )
+
+
+def test_second_grant_is_idempotent_when_no_other_settings_changed(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch, capsys: pytest.CaptureFixture[str]
+) -> None:
+    """Running grant twice in a row must perform zero changes the second time.
+
+    On the second call the existing trust entry is byte-identical to the
+    freshly-formatted current entry, so purge_stale_trust_entries treats it as
+    protected and does not remove it; add_auto_mode_environment_entry then
+    no-ops because the entry is already present.
+    """
+    fake_project_root = _make_fake_project(tmp_path)
+    fake_settings_path = tmp_path / "settings.json"
+    _seed_grant_then_run(
+        fake_settings_path, fake_project_root, monkeypatch, pre_existing_settings={}
+    )
+    first_run_output = capsys.readouterr()
+    assert "No changes needed" not in first_run_output.out
+    grant_module = _load_grant_module()
+    monkeypatch.setattr(
+        grant_module,
+        "get_claude_user_settings_path",
+        lambda: fake_settings_path,
+    )
+    monkeypatch.chdir(fake_project_root)
+    grant_module.grant_permissions_for_current_directory()
+    second_run_output = capsys.readouterr()
+    assert "No changes needed; settings file left untouched." in second_run_output.out
+    assert "Stale auto-mode environment entries purged" not in second_run_output.out

package/_shared/pr-loop/scripts/tests/test_claude_permissions_common.py

@@ -138,10 +138,12 @@ def test_save_settings_temp_suffix_includes_pid_and_random_token(
 
 def test_text_file_encoding_sourced_from_config() -> None:
     config_module_path = (
-        Path(__file__).parent.parent / "config" / "claude_permissions_constants.py"
+        Path(__file__).parent.parent
+        / "pr_loop_shared_constants"
+        / "claude_permissions_constants.py"
     )
     specification = importlib.util.spec_from_file_location(
-        "config.claude_permissions_constants", config_module_path
+        "pr_loop_shared_constants.claude_permissions_constants", config_module_path
     )
     assert specification is not None
     assert specification.loader is not None

package/_shared/pr-loop/scripts/tests/test_claude_permissions_constants.py

@@ -7,10 +7,12 @@ from types import ModuleType
 
 def _load_constants_module() -> ModuleType:
     module_path = (
-        Path(__file__).parent.parent / "config" / "claude_permissions_constants.py"
+        Path(__file__).parent.parent
+        / "pr_loop_shared_constants"
+        / "claude_permissions_constants.py"
     )
     specification = importlib.util.spec_from_file_location(
-        "config.claude_permissions_constants", module_path
+        "pr_loop_shared_constants.claude_permissions_constants", module_path
     )
     assert specification is not None
     assert specification.loader is not None
@@ -26,6 +28,16 @@ def test_exposes_all_permission_allow_tools_tuple() -> None:
     assert constants_module.ALL_PERMISSION_ALLOW_TOOLS == ("Edit", "Write", "Read")
 
 
+def test_exposes_all_agent_config_deny_tools_tuple_with_glob() -> None:
+    assert constants_module.ALL_AGENT_CONFIG_DENY_TOOLS == (
+        "Edit",
+        "Write",
+        "Read",
+        "Glob",
+    )
+    assert "Glob" not in constants_module.ALL_PERMISSION_ALLOW_TOOLS
+
+
 def test_auto_mode_environment_entry_template_is_format_string() -> None:
     rendered_template_text = (
         constants_module.AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE.format(
@@ -36,6 +48,29 @@ def test_auto_mode_environment_entry_template_is_format_string() -> None:
     assert ".claude/**" in rendered_template_text
 
 
+def test_template_derives_human_readable_pattern_list_from_pattern_tuple() -> None:
+    """Every pattern in ALL_AGENT_CONFIG_PATH_PATTERNS must surface in the
+    rendered template through its derived human-readable form, and the
+    template must still expose the {project_path} placeholder for .format()
+    substitution at runtime."""
+    template_text: str = constants_module.AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE
+    assert "{project_path}" in template_text
+    for each_pattern in constants_module.ALL_AGENT_CONFIG_PATH_PATTERNS:
+        if each_pattern.endswith("/**"):
+            directory_name = each_pattern[: -len("/**")]
+            expected_phrase = f"anything under {directory_name}/"
+        elif each_pattern == "mcp.json":
+            expected_phrase = "the mcp.json file"
+        else:
+            expected_phrase = each_pattern
+        assert expected_phrase in template_text, (
+            f"template missing derived phrase for pattern {each_pattern!r}: "
+            f"expected {expected_phrase!r}"
+        )
+    rendered_template_text = template_text.format(project_path="/tmp/x")
+    assert "/tmp/x" in rendered_template_text
+
+
 def test_get_claude_user_settings_path_ends_in_settings_json() -> None:
     resolved_settings_path = constants_module.get_claude_user_settings_path()
     assert resolved_settings_path.name == constants_module.CLAUDE_SETTINGS_FILENAME

package/_shared/pr-loop/scripts/tests/test_claude_settings_keys_constants.py

@@ -7,10 +7,12 @@ from types import ModuleType
 
 def _load_constants_module() -> ModuleType:
     module_path = (
-        Path(__file__).parent.parent / "config" / "claude_settings_keys_constants.py"
+        Path(__file__).parent.parent
+        / "pr_loop_shared_constants"
+        / "claude_settings_keys_constants.py"
     )
     specification = importlib.util.spec_from_file_location(
-        "config.claude_settings_keys_constants", module_path
+        "pr_loop_shared_constants.claude_settings_keys_constants", module_path
     )
     assert specification is not None
     assert specification.loader is not None

package/_shared/pr-loop/scripts/tests/test_code_rules_gate_constants.py

@@ -7,10 +7,12 @@ from types import ModuleType
 
 def _load_constants_module() -> ModuleType:
     module_path = (
-        Path(__file__).parent.parent / "config" / "code_rules_gate_constants.py"
+        Path(__file__).parent.parent
+        / "pr_loop_shared_constants"
+        / "code_rules_gate_constants.py"
     )
     specification = importlib.util.spec_from_file_location(
-        "config.code_rules_gate_constants", module_path
+        "pr_loop_shared_constants.code_rules_gate_constants", module_path
     )
     assert specification is not None
     assert specification.loader is not None

package/_shared/pr-loop/scripts/tests/test_fix_hookspath_constants.py

@@ -11,9 +11,13 @@ from types import ModuleType
 
 
 def _load_constants_module() -> ModuleType:
-    module_path = Path(__file__).parent.parent / "config" / "fix_hookspath_constants.py"
+    module_path = (
+        Path(__file__).parent.parent
+        / "pr_loop_shared_constants"
+        / "fix_hookspath_constants.py"
+    )
     specification = importlib.util.spec_from_file_location(
-        "config.fix_hookspath_constants", module_path
+        "pr_loop_shared_constants.fix_hookspath_constants", module_path
     )
     assert specification is not None
     assert specification.loader is not None

package/_shared/pr-loop/scripts/tests/test_grant_project_claude_permissions.py

@@ -1,7 +1,8 @@
 """Smoke tests for grant_project_claude_permissions wiring.
 
 Confirms the module imports cleanly with the constants now sourced from
-config/claude_permissions_constants.py and config/claude_settings_keys_constants.py.
+pr_loop_shared_constants/claude_permissions_constants.py and
+pr_loop_shared_constants/claude_settings_keys_constants.py.
 """
 
 from __future__ import annotations
@@ -17,7 +18,6 @@ def _load_grant_module() -> ModuleType:
     parent_directory = str(scripts_directory.resolve())
     if parent_directory not in sys.path:
         sys.path.insert(0, parent_directory)
-    sys.modules.pop("config", None)
     module_path = scripts_directory / "grant_project_claude_permissions.py"
     specification = importlib.util.spec_from_file_location(
         "grant_project_claude_permissions", module_path

package/_shared/pr-loop/scripts/tests/test_post_audit_thread.py

@@ -36,11 +36,10 @@ from typing import Any
 THIS_FILE_DIRECTORY = Path(__file__).resolve().parent
 SCRIPT_DIRECTORY = THIS_FILE_DIRECTORY.parent
 
-sys.modules.pop("config", None)
 if str(SCRIPT_DIRECTORY) not in sys.path:
     sys.path.insert(0, str(SCRIPT_DIRECTORY))
 
-from config.post_audit_thread_constants import (  # noqa: E402
+from pr_loop_shared_constants.post_audit_thread_constants import (  # noqa: E402
     ALL_GH_AUTH_TOKEN_COMMAND_PARTS,
     ALL_RETRY_BACKOFF_SECONDS,
     BUGTEAM_REVIEWER_ACCOUNT_ENV_VAR_NAME,

package/_shared/pr-loop/scripts/tests/test_post_audit_thread_constants.py

@@ -7,10 +7,12 @@ from types import ModuleType
 
 def _load_constants_module() -> ModuleType:
     module_path = (
-        Path(__file__).parent.parent / "config" / "post_audit_thread_constants.py"
+        Path(__file__).parent.parent
+        / "pr_loop_shared_constants"
+        / "post_audit_thread_constants.py"
     )
     specification = importlib.util.spec_from_file_location(
-        "config.post_audit_thread_constants", module_path
+        "pr_loop_shared_constants.post_audit_thread_constants", module_path
     )
     assert specification is not None
     assert specification.loader is not None

package/_shared/pr-loop/scripts/tests/test_preflight.py

@@ -31,7 +31,7 @@ def _load_preflight_module() -> ModuleType:
 
 preflight = _load_preflight_module()
 
-from config.preflight_constants import (  # noqa: E402
+from pr_loop_shared_constants.preflight_constants import (  # noqa: E402
     PYTEST_INI_FILENAME,
     PYTEST_NO_TESTS_COLLECTED_EXIT_CODE,
 )
@@ -204,16 +204,19 @@ def test_should_exit_nonzero_when_subprocess_run_raises_os_error(
 
 
 def test_preflight_uses_shared_hooks_path_suffix_constant() -> None:
-    """Preflight's expected suffix must come from config.fix_hookspath_constants
-    so the canonical hooks directory is defined in exactly one place."""
+    """Preflight's expected suffix must come from
+    pr_loop_shared_constants.fix_hookspath_constants so the canonical hooks
+    directory is defined in exactly one place."""
     scripts_directory = str(Path(__file__).parent.parent.resolve())
     if scripts_directory not in sys.path:
         sys.path.insert(0, scripts_directory)
     constants_module_path = (
-        Path(__file__).parent.parent / "config" / "fix_hookspath_constants.py"
+        Path(__file__).parent.parent
+        / "pr_loop_shared_constants"
+        / "fix_hookspath_constants.py"
     )
     constants_specification = importlib.util.spec_from_file_location(
-        "config.fix_hookspath_constants",
+        "pr_loop_shared_constants.fix_hookspath_constants",
         constants_module_path,
     )
     assert constants_specification is not None
@@ -234,15 +237,18 @@ def test_preflight_skip_uses_shared_env_var_constant(
     capsys: pytest.CaptureFixture[str],
     monkeypatch: pytest.MonkeyPatch,
 ) -> None:
-    """The preflight skip env-var name must come from config/preflight_constants.py."""
+    """The preflight skip env-var name must come from
+    pr_loop_shared_constants/preflight_constants.py."""
     scripts_directory = str(Path(__file__).parent.parent.resolve())
     if scripts_directory not in sys.path:
         sys.path.insert(0, scripts_directory)
     constants_module_path = (
-        Path(__file__).parent.parent / "config" / "preflight_constants.py"
+        Path(__file__).parent.parent
+        / "pr_loop_shared_constants"
+        / "preflight_constants.py"
     )
     constants_specification = importlib.util.spec_from_file_location(
-        "config.preflight_constants",
+        "pr_loop_shared_constants.preflight_constants",
         constants_module_path,
     )
     assert constants_specification is not None
@@ -306,8 +312,9 @@ def test_preflight_does_not_import_unused_repository_root_marker_constant() -> N
 
 def test_pytest_no_tests_collected_helper_returns_named_constant() -> None:
     """The pytest "no tests collected" exit code must be sourced from the
-    named constant in config/preflight_constants.py rather than the bare
-    literal 5 inside the function body (CODE_RULES magic-values rule)."""
+    named constant in pr_loop_shared_constants/preflight_constants.py rather
+    than the bare literal 5 inside the function body (CODE_RULES magic-values
+    rule)."""
     assert preflight._pytest_exit_code_no_tests_collected() == (
         PYTEST_NO_TESTS_COLLECTED_EXIT_CODE
     )
@@ -317,30 +324,6 @@ def test_pytest_no_tests_collected_helper_returns_named_constant() -> None:
     )
 
 
-def test_preflight_bootstrap_moves_script_directory_to_front() -> None:
-    """Import bootstrap keeps exactly one script directory entry at the front."""
-    module_path = Path(__file__).parent.parent / "preflight.py"
-    script_directory_resolved = str(module_path.parent.resolve())
-    script_directory_absolute = str(module_path.parent.absolute())
-    original_sys_path = list(sys.path)
-    try:
-        sys.path.insert(0, script_directory_resolved)
-        sys.path.insert(0, script_directory_resolved)
-        sys.path.insert(0, str(module_path.parents[4]))
-        _load_preflight_module()
-        assert os.path.samefile(sys.path[0], script_directory_resolved)
-        equivalent_count = sum(
-            1
-            for each_entry in sys.path
-            if os.path.exists(each_entry)
-            and os.path.samefile(each_entry, script_directory_resolved)
-        )
-        assert equivalent_count == 1
-        assert sys.path[0] == script_directory_absolute
-    finally:
-        sys.path[:] = original_sys_path
-
-
 def test_main_uses_correct_changed_files_function_name() -> None:
     """main() must call get_changed_files, not the undefined get_all_changed_files."""
     main_source = inspect.getsource(preflight.main)
@@ -528,24 +511,6 @@ def test_explicit_scope_all_with_base_ref_should_not_call_get_changed_files(
     mock_get_changed.assert_not_called()
 
 
-def test_preflight_bootstrap_matches_code_rules_sys_path_pattern() -> None:
-    """Bootstrap must clear duplicate script_directory entries, then guard insert."""
-    module_path = Path(__file__).parent.parent / "preflight.py"
-    source = module_path.read_text(encoding="utf-8")
-    assert "_entry_points_at_preflight_script_directory" in source, (
-        "Bootstrap must remove script_directory entries using path equivalence"
-    )
-    assert "for each_index in range(len(sys.path) - 1, -1, -1):" in source, (
-        "Bootstrap must walk sys.path to drop duplicate script directory entries"
-    )
-    assert "_preflight_scripts_path_entry not in sys.path:" in source, (
-        "Bootstrap insert must be guarded for code_rules_gate compliance"
-    )
-    assert "sys.path.insert(0, _preflight_scripts_path_entry)" in source, (
-        "Bootstrap must insert the absolute script directory at index 0"
-    )
-
-
 def test_has_discoverable_tests_should_include_untracked_test_files(
     tmp_path: Path,
 ) -> None: