Problem
taskrunner.sh:264-268 whitelists which task categories receive the ratchet (baseline→post typecheck/test comparison). Currently docs|tests|research|deploy skip ratchet entirely.
This collides with downstream automerge policy (AEGIS auto-merges docs and tests PRs). A task that is:
- Miscategorized as
tests while making structural changes, or
- Correctly categorized as
tests but bundling untyped helper additions
…reaches origin and gets automerged without ever hitting typecheck/test validation.
Verification
- Hook ordering and PreToolUse gates are correct (verified in adversarial review)
safety-gate.sh and blast-radius preflight do their job at execution time- The gap is specifically in post-execution ratchet coverage
Proposed fix
One-line default flip. Make ratchet opt-out:
# before (~line 264)
case "\$category" in
docs|tests|research|deploy) ratchet=false ;;
*) ratchet=true ;;
esac
# after
ratchet=\${TASK_RATCHET:-true}
case "\$category" in
research|deploy) ratchet=false ;; # legitimately unratchetable
esacresearch produces no code to ratchet against. deploy operates on already-validated artifacts. Everything else — including docs and tests — should ratchet by default. Tasks that need to opt out can set \"ratchet\": false\ explicitly in queue.json.
Why this matters
Adversarial review of the broader self-attestation concern found this as the one real adjacent gap. The signal-vs-gate enforcement model is sound; the coverage carve-out is not.
Scope
- 1 file (
taskrunner.sh)
- ~5 lines changed
- No new abstractions
Surfaced via consolidated agent-team review 2026-05-24.
Problem
taskrunner.sh:264-268whitelists which task categories receive the ratchet (baseline→post typecheck/test comparison). Currentlydocs|tests|research|deployskip ratchet entirely.This collides with downstream automerge policy (AEGIS auto-merges
docsandtestsPRs). A task that is:testswhile making structural changes, ortestsbut bundling untyped helper additions…reaches
originand gets automerged without ever hitting typecheck/test validation.Verification
safety-gate.shand blast-radius preflight do their job at execution timeProposed fix
One-line default flip. Make ratchet opt-out:
researchproduces no code to ratchet against.deployoperates on already-validated artifacts. Everything else — includingdocsandtests— should ratchet by default. Tasks that need to opt out can set\"ratchet\": false\explicitly in queue.json.Why this matters
Adversarial review of the broader self-attestation concern found this as the one real adjacent gap. The signal-vs-gate enforcement model is sound; the coverage carve-out is not.
Scope
taskrunner.sh)Surfaced via consolidated agent-team review 2026-05-24.