Components: InstallHooks.ts + the shipped hooks/SecurityPipeline.hook.ts + the USER scaffold (install/USER/SECURITY/), LifeOS 6.0.0 skill payload.
What happens: the USER scaffold ships SECURITY/README.md but no SECURITY/PATTERNS.yaml, while the installed SecurityPipeline hook is fail-closed: if the patterns file is absent it blocks with CRITICAL: Security patterns file missing — fail-closed. The hook matches Bash, Read, Write, and Edit — so the moment InstallHooks.ts --apply copies the 6.0.0 hook files onto a machine without that file, the installing AI loses every file/shell tool mid-setup and cannot create the missing file through normal means. The installer wedges itself.
Repro: LifeOS 6.0.0 Setup on a harness whose config tree has no LIFEOS/USER/SECURITY/PATTERNS.yaml (true for upgrades-in-progress and any partial scaffold) → bun Tools/InstallHooks.ts --apply → next Bash/Read/Write call is blocked; so is every retry, including attempts to write PATTERNS.yaml itself.
Suggested fixes (either closes it):
- Ship a minimal valid
PATTERNS.yaml in the USER scaffold (install/USER/SECURITY/), or
- Have
InstallHooks.ts pre-flight the patterns file and refuse to apply (loud blocker) until it exists — matching the payload's own 'FAIL LOUD, never wedge' convention.
Fail-closed is the right security posture at steady state; the bug is only that the installer can reach the fail-closed state with no recovery path.
Components:
InstallHooks.ts+ the shippedhooks/SecurityPipeline.hook.ts+ the USER scaffold (install/USER/SECURITY/), LifeOS 6.0.0 skill payload.What happens: the USER scaffold ships
SECURITY/README.mdbut noSECURITY/PATTERNS.yaml, while the installed SecurityPipeline hook is fail-closed: if the patterns file is absent it blocks withCRITICAL: Security patterns file missing — fail-closed. The hook matches Bash, Read, Write, and Edit — so the momentInstallHooks.ts --applycopies the 6.0.0 hook files onto a machine without that file, the installing AI loses every file/shell tool mid-setup and cannot create the missing file through normal means. The installer wedges itself.Repro: LifeOS 6.0.0 Setup on a harness whose config tree has no
LIFEOS/USER/SECURITY/PATTERNS.yaml(true for upgrades-in-progress and any partial scaffold) →bun Tools/InstallHooks.ts --apply→ next Bash/Read/Write call is blocked; so is every retry, including attempts to write PATTERNS.yaml itself.Suggested fixes (either closes it):
PATTERNS.yamlin the USER scaffold (install/USER/SECURITY/), orInstallHooks.tspre-flight the patterns file and refuse to apply (loud blocker) until it exists — matching the payload's own 'FAIL LOUD, never wedge' convention.Fail-closed is the right security posture at steady state; the bug is only that the installer can reach the fail-closed state with no recovery path.