6.0.0 installer: SecurityPipeline hook fail-closes on missing USER/SECURITY/PATTERNS.yaml and wedges the installing agent (all tools blocked) #1401

Description

@infinitelyloopy-bt

Components: InstallHooks.ts + the shipped hooks/SecurityPipeline.hook.ts + the USER scaffold (install/USER/SECURITY/), LifeOS 6.0.0 skill payload.

What happens: the USER scaffold ships SECURITY/README.md but no SECURITY/PATTERNS.yaml, while the installed SecurityPipeline hook is fail-closed: if the patterns file is absent it blocks with CRITICAL: Security patterns file missing — fail-closed. The hook matches Bash, Read, Write, and Edit — so the moment InstallHooks.ts --apply copies the 6.0.0 hook files onto a machine without that file, the installing AI loses every file/shell tool mid-setup and cannot create the missing file through normal means. The installer wedges itself.

Repro: LifeOS 6.0.0 Setup on a harness whose config tree has no LIFEOS/USER/SECURITY/PATTERNS.yaml (true for upgrades-in-progress and any partial scaffold) → bun Tools/InstallHooks.ts --apply → next Bash/Read/Write call is blocked; so is every retry, including attempts to write PATTERNS.yaml itself.

Suggested fixes (either closes it):

  1. Ship a minimal valid PATTERNS.yaml in the USER scaffold (install/USER/SECURITY/), or
  2. Have InstallHooks.ts pre-flight the patterns file and refuse to apply (loud blocker) until it exists — matching the payload's own 'FAIL LOUD, never wedge' convention.

Fail-closed is the right security posture at steady state; the bug is only that the installer can reach the fail-closed state with no recovery path.
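Suggested fix 2 above, sketched as an added example (this is not LifeOS code and not the real InstallHooks.ts): the pre-flight runs before any hook file is written, so a missing patterns file yields a blocker message instead of an armed fail-closed hook. Only the LIFEOS/USER/SECURITY/PATTERNS.yaml path and the hook file name come from the issue; the function names, the hooks/ destination directory and the placeholder file contents are assumptions.

```typescript
import { existsSync, mkdirSync, mkdtempSync, statSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Path and hook file name are from the issue; all other names are hypothetical.
const PATTERNS_REL = join("LIFEOS", "USER", "SECURITY", "PATTERNS.yaml");
const HOOK_NAME = "SecurityPipeline.hook.ts";

// Returns null when the patterns file is usable, otherwise a blocker message.
// Existence and size only: the PATTERNS.yaml schema is not on the page.
function preflightPatterns(configRoot: string): string | null {
  const p = join(configRoot, PATTERNS_REL);
  try {
    const st = statSync(p);
    if (!st.isFile() || st.size === 0) return `BLOCKER: ${p} is not a non-empty regular file`;
    return null;
  } catch {
    return `BLOCKER: ${p} is missing; hooks not applied`;
  }
}

// Stand-in for the apply step: nothing is written unless pre-flight passes,
// so the fail-closed hook is never armed without its patterns file.
function applyHooks(configRoot: string): { installed: string[]; blocker: string | null } {
  const blocker = preflightPatterns(configRoot);
  if (blocker !== null) return { installed: [], blocker };
  const hooksDir = join(configRoot, "hooks"); // assumed destination
  mkdirSync(hooksDir, { recursive: true });
  writeFileSync(join(hooksDir, HOOK_NAME), "// constructed placeholder hook\n");
  return { installed: [HOOK_NAME], blocker: null };
}

// Constructed fixtures: a partial scaffold (README only) and a complete one.
function demoPreflight() {
  const partialRoot = mkdtempSync(join(tmpdir(), "preflight-partial-"));
  const completeRoot = mkdtempSync(join(tmpdir(), "preflight-complete-"));
  for (const root of [partialRoot, completeRoot]) {
    const sec = join(root, "LIFEOS", "USER", "SECURITY");
    mkdirSync(sec, { recursive: true });
    writeFileSync(join(sec, "README.md"), "constructed placeholder\n");
  }
  writeFileSync(join(completeRoot, PATTERNS_REL), "# constructed placeholder content\n");
  const partial = applyHooks(partialRoot);
  const complete = applyHooks(completeRoot);
  return {
    partial, complete,
    partialHookOnDisk: existsSync(join(partialRoot, "hooks", HOOK_NAME)),
    completeHookOnDisk: existsSync(join(completeRoot, "hooks", HOOK_NAME)),
  };
}
```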
