claude-dev-env 1.60.0 → 1.61.0

package/hooks/blocking/test_destructive_command_blocker.py

@@ -247,6 +247,10 @@ def test_rm_rf_asks_when_any_target_is_non_ephemeral() -> None:
     assert response["hookSpecificOutput"]["permissionDecision"] == "ask"
 
 
+def test_rm_rf_asks_when_target_has_nested_temp_segment_not_at_root() -> None:
+    _assert_hook_asks("rm -rf /home/victim/temp/secret")
+
+
 def test_rm_rf_asks_when_double_dash_includes_hyphen_prefixed_non_ephemeral_target() -> None:
     payload = _make_bash_payload("rm -rf -- /tmp/scratch -non_ephemeral")
 
@@ -404,6 +408,26 @@ def test_rm_rf_asks_when_tool_input_cwd_is_ephemeral_but_rm_target_is_absolute_n
     assert response["hookSpecificOutput"]["permissionDecision"] == "ask"
 
 
+def test_rm_rf_asks_when_subshell_cd_changes_dir_before_relative_rm() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && (cd /; rm -rf etc)')
+
+
+def test_rm_rf_asks_when_second_top_level_cd_changes_dir_before_relative_rm() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && cd / && rm -rf etc')
+
+
+def test_rm_rf_asks_when_pushd_changes_dir_before_relative_rm() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && pushd / && rm -rf etc')
+
+
+def test_rm_rf_allowed_when_subshell_cd_present_but_rm_target_is_absolute_ephemeral() -> None:
+    _assert_hook_allows('cd "/tmp/scratch" && (cd /; rm -rf /tmp/scratch/keep)')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_target_has_nested_tmp_segment_not_at_root() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && rm -rf /home/victim/tmp/secret')
+
+
 def test_git_push_force_asks_when_leading_cd_into_ephemeral_subdirectory() -> None:
     payload = _make_bash_payload('cd "/tmp/bugteam_scratch" && git push --force')
 
@@ -1038,6 +1062,14 @@ def test_compound_rm_allowed_when_two_absolute_ephemeral_targets_then_echo() ->
     _assert_hook_allows("rm -rf /tmp/pr136 /tmp/difftest && echo 'cleaned'")
 
 
+def test_compound_rm_allowed_when_subshell_paren_glued_rm_targets_absolute_ephemeral() -> None:
+    _assert_hook_allows("rm -rf /tmp/a && (rm -rf /tmp/b)")
+
+
+def test_compound_rm_asks_when_subshell_paren_glued_rm_targets_non_ephemeral() -> None:
+    _assert_hook_asks("rm -rf /tmp/a && (rm -rf /etc)")
+
+
 def test_compound_rm_allowed_when_followed_by_gh_pipeline_and_echo() -> None:
     _assert_hook_allows('rm -rf /tmp/reply && gh pr checks 19 2>&1 | head -5 && echo "x"')
 
@@ -1142,6 +1174,14 @@ def test_compound_rm_asks_when_second_rm_target_glues_redirect_to_non_ephemeral_
     _assert_hook_asks("rm -rf /tmp/a /tmp/b>/etc/hosts")
 
 
+def test_rm_rf_asks_when_cd_ephemeral_but_rm_segment_redirects_to_non_ephemeral_file() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && rm -rf /tmp/x>/etc/passwd')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_relative_rm_target_redirects_to_non_ephemeral_file() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && rm -rf build>/etc/passwd')
+
+
 def test_compound_rm_asks_when_git_config_sets_value_after_ephemeral_rm() -> None:
     _assert_hook_asks("rm -rf /tmp/x && git config --global user.name evil")
 
@@ -1517,6 +1557,26 @@ def test_subshell_grouped_rm_asks_when_benign_command_precedes_grouped_rm() -> N
     _assert_hook_asks("echo hi; (rm -rf /etc)")
 
 
+def test_string_execution_asks_when_subshell_paren_glued_to_bash_dash_c() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && (bash -c \'rm -rf /etc\')')
+
+
+def test_string_execution_asks_when_subshell_paren_glued_to_timeout_wrapping_bash() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && (timeout 5 bash -c \'rm -rf /etc\')')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_subshell_paren_glued_to_rm_targets_etc() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && (rm -rf /etc)')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_brace_glued_to_rm_targets_etc() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && {rm -rf /etc;}')
+
+
+def test_rm_rf_allowed_when_cd_ephemeral_and_subshell_paren_wraps_relative_ephemeral_target() -> None:
+    _assert_hook_allows('cd "/tmp/scratch" && (rm -rf build)')
+
+
 # --- convergence branch exemption unit tests ---
 
 import importlib.util
@@ -1773,3 +1833,156 @@ def test_launcher_execution_allows_when_timeout_infinity_wraps_ephemeral_rm() ->
 
 def test_launcher_execution_allows_when_timeout_seconds_wraps_ephemeral_rm() -> None:
     _assert_hook_allows("timeout 5 rm -rf /tmp/scratch")
+
+
+def test_rm_rf_allowed_when_cd_worktree_then_temp_env_var_rm_then_mkdir_tar_compound() -> None:
+    _assert_hook_allows(
+        'cd "/Users/dev/proj/.git/worktrees/spindle" '
+        '&& rm -rf "$TEMP/pr621_check" '
+        '&& mkdir -p "$TEMP/pr621_check" '
+        "&& git archive HEAD packages | tar -x -C \"$TEMP/pr621_check\" "
+        '&& ls "$TEMP/pr621_check/packages" | head -40'
+    )
+
+
+def test_rm_rf_allowed_when_cd_worktree_then_find_exec_rm_then_pytest_compound() -> None:
+    _assert_hook_allows(
+        'cd "/Users/dev/proj/worktrees/os-update-system" '
+        '&& find shared_utils/samsung_utils -name "__pycache__" -type d '
+        "-exec rm -rf {} + 2>/dev/null"
+        '; PYTHONPATH="/Users/dev/proj/worktrees/os-update-system" '
+        'C:/Python313/python.exe -m pytest "tests/" -p no:cacheprovider -q 2>&1 | tail -15'
+    )
+
+
+def test_rm_rf_allowed_when_cd_ephemeral_and_sibling_mkdir_has_dash_p_flag() -> None:
+    _assert_hook_allows('cd "/tmp/scratch" && rm -rf build && mkdir -p out')
+
+
+def test_rm_rf_allowed_when_cd_ephemeral_and_rm_target_uses_temp_env_var() -> None:
+    _assert_hook_allows('cd "/tmp/scratch" && rm -rf "$TEMP/build"')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_bash_dash_c_executes_rm_on_non_ephemeral() -> None:
+    _assert_hook_asks("cd \"/tmp/scratch\" && rm -rf build && bash -c 'rm -rf /etc'")
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_rm_target_uses_non_temp_env_var() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && rm -rf "$HOME/important"')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_and_second_rm_segment_targets_non_ephemeral() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && rm -rf build && rm -rf /etc/passwd')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_bin_rm_targets_non_ephemeral() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && /bin/rm -rf /etc')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_target_is_command_substitution() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && rm -rf $(somecmd)')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_target_is_brace_expansion_escaping_namespace() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && rm -rf {build,/etc}')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_temp_var_splices_after_absolute_literal_prefix() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && rm -rf /data$TMP/x')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_find_exec_rm_search_root_escapes_namespace() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && find /etc -name x -exec rm -rf {} +')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_subshell_find_exec_rm_search_root_escapes() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && (find /etc -exec rm -rf {} +)')
+
+
+def test_rm_rf_asks_when_find_exec_rm_safe_but_sibling_standalone_rm_targets_non_ephemeral() -> None:
+    _assert_hook_asks(
+        'cd "/tmp/scratch" && find . -name x -exec rm -rf {} + ; rm -rf /etc/passwd'
+    )
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_find_exec_rm_redirects_to_non_ephemeral_file() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && find /tmp/scratch -exec rm -rf {} + >/etc/passwd')
+
+
+def test_rm_rf_allowed_when_cd_ephemeral_and_relative_build_target() -> None:
+    _assert_hook_allows('cd "/tmp/scratch" && rm -rf build')
+
+
+def test_rm_rf_allowed_when_cd_ephemeral_and_find_exec_rm_search_root_is_dot() -> None:
+    _assert_hook_allows('cd "/tmp/scratch" && find . -name x -exec rm -rf {} +')
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_find_exec_bash_dash_c_deletes_non_ephemeral() -> None:
+    _assert_hook_asks("cd \"/tmp/scratch\" && find . -exec bash -c 'rm -rf /etc' \\;")
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_find_exec_sh_dash_c_deletes_non_ephemeral() -> None:
+    _assert_hook_asks("cd \"/tmp/scratch\" && find . -exec sh -c 'rm -rf /etc' \\;")
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_find_execdir_bash_dash_c_deletes_non_ephemeral() -> None:
+    _assert_hook_asks("cd \"/tmp/scratch\" && find . -execdir bash -c 'rm -rf /etc' \\;")
+
+
+def test_rm_rf_asks_when_cd_ephemeral_but_find_exec_python_dash_c_deletes_non_ephemeral() -> None:
+    _assert_hook_asks(
+        "cd \"/tmp/scratch\" && find . -exec python -c 'import os; os.system(\"rm -rf /etc\")' \\;"
+    )
+
+
+# H1: find global option before the search root must not defeat the escape check
+
+
+def test_rm_rf_asks_when_find_dash_l_global_option_precedes_non_ephemeral_search_root() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && find -L /etc -name x -exec rm -rf {} +')
+
+
+def test_rm_rf_asks_when_find_dash_p_global_option_precedes_non_ephemeral_execdir_root() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && find -P /etc -execdir rm -rf {} +')
+
+
+def test_rm_rf_asks_when_find_optimization_level_option_precedes_non_ephemeral_search_root() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && find -O3 /etc -exec rm -rf {} +')
+
+
+def test_rm_rf_asks_when_standalone_find_optimization_option_precedes_non_ephemeral_search_root() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && find -O /etc -exec rm -rf {} +')
+
+
+def test_rm_rf_asks_when_find_debug_option_value_precedes_non_ephemeral_search_root() -> None:
+    _assert_hook_asks('cd "/tmp/scratch" && find -D tree /etc -exec rm -rf {} +')
+
+
+def test_rm_rf_allowed_when_find_global_option_precedes_ephemeral_dot_search_root() -> None:
+    _assert_hook_allows('cd "/tmp/scratch" && find -L . -name x -exec rm -rf {} +')
+
+
+# H2: multi -exec with a \\; terminator must not sever the destructive action from detection
+
+
+def test_rm_rf_asks_when_multi_exec_second_action_runs_bash_dash_c_deleting_non_ephemeral() -> None:
+    _assert_hook_asks(
+        "cd \"/tmp/scratch\" && find . -exec touch {} \\; -exec bash -c 'rm -rf /etc' \\;"
+    )
+
+
+def test_rm_rf_asks_when_multi_exec_second_action_runs_sh_dash_c_deleting_non_ephemeral() -> None:
+    _assert_hook_asks(
+        "cd \"/tmp/scratch\" && find . -exec echo {} \\; -exec sh -c 'rm -rf /etc' \\;"
+    )
+
+
+def test_rm_rf_allowed_when_multi_exec_both_actions_target_only_ephemeral_paths() -> None:
+    _assert_hook_allows("cd \"/tmp/scratch\" && find . -exec echo {} \\; -exec rm -rf {} \\;")
+
+
+# H3: parallel forwarding an interpreter that deletes a non-ephemeral path must ask
+
+
+def test_rm_rf_asks_when_parallel_forwards_bash_dash_c_deleting_non_ephemeral() -> None:
+    _assert_hook_asks("cd \"/tmp/scratch\" && parallel bash -c 'rm -rf /etc' ::: x")

package/hooks/blocking/test_verification_verdict_store.py

@@ -6,6 +6,7 @@ path the verified_commit_gate hook runs.
 """
 
 import importlib.util
+import json
 import pathlib
 import subprocess
 import sys
@@ -25,6 +26,8 @@ store_spec.loader.exec_module(store_module)
 is_verification_exempt_diff = store_module.is_verification_exempt_diff
 resolve_merge_base = store_module.resolve_merge_base
 branch_surface_manifest = store_module.branch_surface_manifest
+manifest_sha256 = store_module.manifest_sha256
+workflow_verdict_covers_surface = store_module.workflow_verdict_covers_surface
 
 constants_spec = importlib.util.spec_from_file_location(
     "verified_commit_constants",
@@ -276,3 +279,212 @@ def test_production_change_is_gated_on_nonstandard_default_branch(
         encoding="utf-8",
     )
     assert _exemption_for(work_dir) is False
+
+
+MATCHING_MANIFEST_SHA256 = "a" * 64
+OTHER_MANIFEST_SHA256 = "b" * 64
+VERIFIER_AGENT_TYPE = "code-verifier"
+
+
+def _verdict_transcript_text(is_all_pass: bool, bound_manifest_sha256: str) -> str:
+    verdict_record = {
+        "all_pass": is_all_pass,
+        "findings": [],
+        "manifest_sha256": bound_manifest_sha256,
+    }
+    assistant_text = (
+        "Verification complete.\n\n```verdict\n"
+        + json.dumps(verdict_record)
+        + "\n```\n"
+    )
+    assistant_entry = {
+        "type": "assistant",
+        "message": {"content": [{"type": "text", "text": assistant_text}]},
+    }
+    return json.dumps(assistant_entry) + "\n"
+
+
+def _write_agent_transcript(
+    subagents_dir: pathlib.Path,
+    agent_id: str,
+    agent_type: str,
+    transcript_text: str,
+    should_write_sidecar: bool,
+) -> None:
+    workflow_dir = subagents_dir / "workflows" / "wf_x"
+    workflow_dir.mkdir(parents=True, exist_ok=True)
+    (workflow_dir / f"agent-{agent_id}.jsonl").write_text(
+        transcript_text, encoding="utf-8"
+    )
+    if should_write_sidecar:
+        (workflow_dir / f"agent-{agent_id}.meta.json").write_text(
+            json.dumps({"agentType": agent_type}), encoding="utf-8"
+        )
+
+
+def _session_transcript_path(tmp_path: pathlib.Path, session_id: str) -> pathlib.Path:
+    session_root = tmp_path / "projects" / "demo"
+    session_root.mkdir(parents=True)
+    transcript_path = session_root / f"{session_id}.jsonl"
+    transcript_path.write_text("", encoding="utf-8")
+    return transcript_path
+
+
+def test_workflow_verdict_covers_surface_true_for_matching_passing_verifier(
+    tmp_path: pathlib.Path,
+) -> None:
+    transcript_path = _session_transcript_path(tmp_path, "sess1")
+    subagents_dir = tmp_path / "projects" / "demo" / "sess1" / "subagents"
+    _write_agent_transcript(
+        subagents_dir,
+        "01",
+        VERIFIER_AGENT_TYPE,
+        _verdict_transcript_text(True, MATCHING_MANIFEST_SHA256),
+        should_write_sidecar=True,
+    )
+    assert (
+        workflow_verdict_covers_surface(
+            str(transcript_path), MATCHING_MANIFEST_SHA256
+        )
+        is True
+    )
+
+
+def test_workflow_verdict_covers_surface_false_for_nonmatching_hash(
+    tmp_path: pathlib.Path,
+) -> None:
+    transcript_path = _session_transcript_path(tmp_path, "sess1")
+    subagents_dir = tmp_path / "projects" / "demo" / "sess1" / "subagents"
+    _write_agent_transcript(
+        subagents_dir,
+        "01",
+        VERIFIER_AGENT_TYPE,
+        _verdict_transcript_text(True, OTHER_MANIFEST_SHA256),
+        should_write_sidecar=True,
+    )
+    assert (
+        workflow_verdict_covers_surface(
+            str(transcript_path), MATCHING_MANIFEST_SHA256
+        )
+        is False
+    )
+
+
+def test_workflow_verdict_covers_surface_false_for_all_pass_false(
+    tmp_path: pathlib.Path,
+) -> None:
+    transcript_path = _session_transcript_path(tmp_path, "sess1")
+    subagents_dir = tmp_path / "projects" / "demo" / "sess1" / "subagents"
+    _write_agent_transcript(
+        subagents_dir,
+        "01",
+        VERIFIER_AGENT_TYPE,
+        _verdict_transcript_text(False, MATCHING_MANIFEST_SHA256),
+        should_write_sidecar=True,
+    )
+    assert (
+        workflow_verdict_covers_surface(
+            str(transcript_path), MATCHING_MANIFEST_SHA256
+        )
+        is False
+    )
+
+
+def test_workflow_verdict_covers_surface_false_for_non_verifier_sidecar(
+    tmp_path: pathlib.Path,
+) -> None:
+    transcript_path = _session_transcript_path(tmp_path, "sess1")
+    subagents_dir = tmp_path / "projects" / "demo" / "sess1" / "subagents"
+    _write_agent_transcript(
+        subagents_dir,
+        "01",
+        "clean-coder",
+        _verdict_transcript_text(True, MATCHING_MANIFEST_SHA256),
+        should_write_sidecar=True,
+    )
+    assert (
+        workflow_verdict_covers_surface(
+            str(transcript_path), MATCHING_MANIFEST_SHA256
+        )
+        is False
+    )
+
+
+def test_workflow_verdict_covers_surface_false_for_missing_sidecar(
+    tmp_path: pathlib.Path,
+) -> None:
+    transcript_path = _session_transcript_path(tmp_path, "sess1")
+    subagents_dir = tmp_path / "projects" / "demo" / "sess1" / "subagents"
+    _write_agent_transcript(
+        subagents_dir,
+        "01",
+        VERIFIER_AGENT_TYPE,
+        _verdict_transcript_text(True, MATCHING_MANIFEST_SHA256),
+        should_write_sidecar=False,
+    )
+    assert (
+        workflow_verdict_covers_surface(
+            str(transcript_path), MATCHING_MANIFEST_SHA256
+        )
+        is False
+    )
+
+
+def test_workflow_verdict_covers_surface_false_for_missing_subagents_dir(
+    tmp_path: pathlib.Path,
+) -> None:
+    transcript_path = _session_transcript_path(tmp_path, "sess1")
+    assert (
+        workflow_verdict_covers_surface(
+            str(transcript_path), MATCHING_MANIFEST_SHA256
+        )
+        is False
+    )
+
+
+def test_workflow_verdict_covers_surface_true_when_transcript_is_under_subagents(
+    tmp_path: pathlib.Path,
+) -> None:
+    subagents_dir = tmp_path / "projects" / "demo" / "sess1" / "subagents"
+    _write_agent_transcript(
+        subagents_dir,
+        "01",
+        VERIFIER_AGENT_TYPE,
+        _verdict_transcript_text(True, MATCHING_MANIFEST_SHA256),
+        should_write_sidecar=True,
+    )
+    caller_transcript_path = (
+        subagents_dir / "workflows" / "wf_x" / "agent-00.jsonl"
+    )
+    caller_transcript_path.write_text("", encoding="utf-8")
+    assert (
+        workflow_verdict_covers_surface(
+            str(caller_transcript_path), MATCHING_MANIFEST_SHA256
+        )
+        is True
+    )
+
+
+def test_manifest_hash_cli_prints_live_surface_hash(tmp_path: pathlib.Path) -> None:
+    work_dir = _make_repo_with_origin(tmp_path)
+    (work_dir / "src" / "app.py").write_text(
+        "def add(left: int, right: int) -> int:\n    return left - right\n",
+        encoding="utf-8",
+    )
+    merge_base_sha = resolve_merge_base(str(work_dir))
+    assert merge_base_sha is not None
+    surface_manifest_text = branch_surface_manifest(str(work_dir), merge_base_sha)
+    assert surface_manifest_text is not None
+    expected_hash = manifest_sha256(surface_manifest_text)
+    completed_process = subprocess.run(
+        [
+            sys.executable,
+            str(_HOOK_DIR / "verification_verdict_store.py"),
+            "--manifest-hash",
+            str(work_dir),
+        ],
+        check=True,
+        capture_output=True,
+        text=True,
+    )
+    assert completed_process.stdout.strip() == expected_hash

package/hooks/blocking/test_verified_commit_gate.py

@@ -6,8 +6,10 @@ decide what to gate.
 """
 
 import importlib.util
+import json
 import os
 import pathlib
+import subprocess
 import sys
 
 import pytest
@@ -25,6 +27,21 @@ assert gate_spec.loader is not None
 gate_module = importlib.util.module_from_spec(gate_spec)
 gate_spec.loader.exec_module(gate_module)
 gated_repo_directories = gate_module.gated_repo_directories
+deny_reason_for_directory = gate_module.deny_reason_for_directory
+
+store_spec = importlib.util.spec_from_file_location(
+    "verification_verdict_store",
+    _HOOK_DIR / "verification_verdict_store.py",
+)
+assert store_spec is not None
+assert store_spec.loader is not None
+store_module = importlib.util.module_from_spec(store_spec)
+store_spec.loader.exec_module(store_module)
+resolve_merge_base = store_module.resolve_merge_base
+branch_surface_manifest = store_module.branch_surface_manifest
+manifest_sha256 = store_module.manifest_sha256
+
+PRODUCTION_SOURCE = "def add(left: int, right: int) -> int:\n    return left + right\n"
 
 
 def test_plain_git_commit_is_gated() -> None:
@@ -366,3 +383,113 @@ def test_git_verb_inside_gh_comment_body_is_not_gated() -> None:
     assert gated_repo_directories(
         'gh pr comment -b "please git commit your work"', "/d"
     ) == []
+
+
+def _run_git(repo_dir: pathlib.Path, *git_arguments: str) -> None:
+    subprocess.run(
+        ["git", "-C", str(repo_dir), *git_arguments],
+        check=True,
+        capture_output=True,
+        text=True,
+    )
+
+
+def _make_gated_repo(tmp_path: pathlib.Path) -> pathlib.Path:
+    origin_dir = tmp_path / "origin.git"
+    work_dir = tmp_path / "work"
+    work_dir.mkdir()
+    subprocess.run(
+        ["git", "init", "--bare", "--initial-branch=main", str(origin_dir)],
+        check=True,
+        capture_output=True,
+        text=True,
+    )
+    _run_git(work_dir, "init", "--initial-branch=main")
+    _run_git(work_dir, "config", "user.email", "tests@example.com")
+    _run_git(work_dir, "config", "user.name", "Gate Tests")
+    (work_dir / "app.py").write_text(PRODUCTION_SOURCE, encoding="utf-8")
+    _run_git(work_dir, "add", "-A")
+    _run_git(work_dir, "commit", "-m", "base")
+    _run_git(work_dir, "remote", "add", "origin", str(origin_dir))
+    _run_git(work_dir, "push", "-u", "origin", "main")
+    (work_dir / "app.py").write_text(
+        "def add(left: int, right: int) -> int:\n    return left - right\n",
+        encoding="utf-8",
+    )
+    return work_dir
+
+
+def _live_surface_hash(work_dir: pathlib.Path) -> str:
+    merge_base_sha = resolve_merge_base(str(work_dir))
+    assert merge_base_sha is not None
+    surface_manifest_text = branch_surface_manifest(str(work_dir), merge_base_sha)
+    assert surface_manifest_text is not None
+    return manifest_sha256(surface_manifest_text)
+
+
+def _write_workflow_verdict(
+    transcript_path: pathlib.Path, bound_manifest_sha256: str
+) -> None:
+    subagents_dir = transcript_path.with_suffix("") / "subagents"
+    workflow_dir = subagents_dir / "workflows" / "wf_x"
+    workflow_dir.mkdir(parents=True)
+    verdict_record = {
+        "all_pass": True,
+        "findings": [],
+        "manifest_sha256": bound_manifest_sha256,
+    }
+    assistant_text = (
+        "Verification complete.\n\n```verdict\n"
+        + json.dumps(verdict_record)
+        + "\n```\n"
+    )
+    assistant_entry = {
+        "type": "assistant",
+        "message": {"content": [{"type": "text", "text": assistant_text}]},
+    }
+    (workflow_dir / "agent-01.jsonl").write_text(
+        json.dumps(assistant_entry) + "\n", encoding="utf-8"
+    )
+    (workflow_dir / "agent-01.meta.json").write_text(
+        json.dumps({"agentType": "code-verifier"}), encoding="utf-8"
+    )
+
+
+def _isolate_home(monkeypatch: pytest.MonkeyPatch, fake_home: pathlib.Path) -> None:
+    home_text = str(fake_home)
+    monkeypatch.setenv("HOME", home_text)
+    monkeypatch.setenv("USERPROFILE", home_text)
+    monkeypatch.delenv("HOMEDRIVE", raising=False)
+    monkeypatch.delenv("HOMEPATH", raising=False)
+
+
+def test_workflow_verdict_allows_commit_without_a_minted_verdict_file(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: pathlib.Path
+) -> None:
+    fake_home = tmp_path / "home"
+    fake_home.mkdir()
+    _isolate_home(monkeypatch, fake_home)
+    work_dir = _make_gated_repo(tmp_path)
+    live_surface_hash = _live_surface_hash(work_dir)
+    transcript_path = tmp_path / "projects" / "demo" / "sess1.jsonl"
+    transcript_path.parent.mkdir(parents=True)
+    transcript_path.write_text("", encoding="utf-8")
+    _write_workflow_verdict(transcript_path, live_surface_hash)
+    assert (
+        deny_reason_for_directory(str(work_dir), str(transcript_path)) is None
+    )
+
+
+def test_no_verdict_of_either_kind_denies_the_commit(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: pathlib.Path
+) -> None:
+    fake_home = tmp_path / "home"
+    fake_home.mkdir()
+    _isolate_home(monkeypatch, fake_home)
+    work_dir = _make_gated_repo(tmp_path)
+    transcript_path = tmp_path / "projects" / "demo" / "sess1.jsonl"
+    transcript_path.parent.mkdir(parents=True)
+    transcript_path.write_text("", encoding="utf-8")
+    deny_reason = deny_reason_for_directory(str(work_dir), str(transcript_path))
+    assert deny_reason is not None
+    assert "VERIFIED_COMMIT_GATE" in deny_reason