From 38626cad2009a39bdbc37ad5d22b359d33910647 Mon Sep 17 00:00:00 2001
From: bellman <bellman@bellmanui-MacBookAir.local>
Date: Fri, 5 Jun 2026 05:36:41 +0900
Subject: [PATCH] docs: mark ROADMAP #85,88,125,126 DONE

85: skills discovery bounded by git root (nearest_git_root in prompt.rs)
88: instruction file discovery bounded by git root
125: git_state reports 'no_git_repo' when not in git repo
126: config section exposes 'merged' key-value pairs

Generated with https://github.com/Yeachan-Heo/gajae-code
Co-authored-by: Gajae Code <dev@gajae-code.com>
---
 ROADMAP.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ROADMAP.md b/ROADMAP.md
index b48525ee..00b51b2b 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -1579,7 +1579,7 @@ Original filing (2026-04-13): user requested a `-acp` parameter to support ACP p
 
    **Source.** Jobdori dogfood 2026-04-17 against `/tmp/cd4` on main HEAD `70a0f0c` (freshly rebuilt on the dogfood machine) in response to Clawhip pinpoint nudge at `1494661235336282248`. Sibling to #83 (build date → "today") and to the 2026-04-08 startup-friction note ("no default `trusted_roots` in settings"): all three are compile-time or batch-time context bleeding into a surface that should be either runtime-resolved or explicitly configured. Distinct from #80/#81/#82 (surfaces misrepresent runtime state) — here the runtime state being described does not even belong to the user in the first place.
 
-85. **`claw skills` walks `cwd.ancestors()` unbounded and treats every `.claw/skills`, `.omc/skills`, `.agents/skills`, `.codex/skills`, `.claude/skills` it finds as active project skills — cross-project leakage and a cheap skill-injection path from any ancestor directory** — dogfooded 2026-04-17 on main HEAD `2eb6e0c` from `/tmp/trap/inner/work`. A directory I do not own (`/tmp/trap/.agents/skills/rogue/SKILL.md`) above the worker's CWD is enumerated as an `active: true` skill by `claw --output-format json skills`, sourced as `project_claw`/`Project roots`, even after the worker's own CWD is `git init`ed to declare a project boundary. Same effect from any ancestor walk up to `/`.
+85. **DONE — `claw skills` walks `cwd.ancestors()` unbounded and treats every `.claw/skills`, `.omc/skills`, `.agents/skills`, `.codex/skills`, `.claude/skills` it finds as active project skills — cross-project leakage and a cheap skill-injection path from any ancestor directory** — dogfooded 2026-04-17 on main HEAD `2eb6e0c` from `/tmp/trap/inner/work`. A directory I do not own (`/tmp/trap/.agents/skills/rogue/SKILL.md`) above the worker's CWD is enumerated as an `active: true` skill by `claw --output-format json skills`, sourced as `project_claw`/`Project roots`, even after the worker's own CWD is `git init`ed to declare a project boundary. Same effect from any ancestor walk up to `/`.
 
    **Concrete repros.**
    1. *Cross-tenant skill injection from a shared `/tmp` ancestor.*
@@ -1703,7 +1703,7 @@ Original filing (2026-04-13): user requested a `-acp` parameter to support ACP p
 
    **Source.** Jobdori dogfood 2026-04-17 against `/tmp/cd8` on main HEAD `d6003be` in response to Clawhip pinpoint nudge at `1494683886658257071`. Second member of the "doctor surface fails to carry machine-readable runtime state" sub-cluster after #86 (config parse failure silently dropped). Adjacent to #50 (tool-spec over-escalation for `bash` / `PowerShell`): #50 is "the required_permission is too high for some commands," #87 is "the current_permission is too high by default when config is absent." Together they pin the permission surface from both ends.
 
-88. **`discover_instruction_files` walks `cwd.ancestors()` unbounded and loads every `CLAUDE.md` / `CLAUDE.local.md` / `.claw/CLAUDE.md` / `.claw/instructions.md` it finds into the *system prompt* as trusted "Claude instructions" — direct prompt injection from any ancestor directory, including world-writable `/tmp`** — dogfooded 2026-04-17 on main HEAD `82bd8bb` from `/tmp/claude-md-injection/inner/work`. An attacker-controlled `CLAUDE.md` one directory above the worker is read verbatim into the agent's system prompt under the `# Claude instructions` section.
+88. **DONE — `discover_instruction_files` walks `cwd.ancestors()` unbounded and loads every `CLAUDE.md` / `CLAUDE.local.md` / `.claw/CLAUDE.md` / `.claw/instructions.md` it finds into the *system prompt* as trusted "Claude instructions" — direct prompt injection from any ancestor directory, including world-writable `/tmp`** — dogfooded 2026-04-17 on main HEAD `82bd8bb` from `/tmp/claude-md-injection/inner/work`. An attacker-controlled `CLAUDE.md` one directory above the worker is read verbatim into the agent's system prompt under the `# Claude instructions` section.
 
    **Concrete repro.**
    ```
@@ -4621,7 +4621,7 @@ ear], /color [scheme], /effort [low|medium|high], /fast, /summary, /tag [label],
 
      **Source.** Jobdori dogfood 2026-04-18 against `/tmp/cdAA2` on main HEAD `bb76ec9` in response to Clawhip pinpoint nudge at `1495000973914144819`. Joins **Silent-flag / documented-but-unenforced** (#96–#101, #104, #108, #111, #115, #116, #117, #118, #119, #121, #122, #123) as 17th — `--model` silently accepts garbage with no validation. Joins **Truth-audit / diagnostic-integrity** — status JSON model field has no provenance. Joins **Parallel-entry-point asymmetry** (#91, #101, #104, #105, #108, #114, #117, #122, #123) as 10th — `--model` flag, `.claw.json model`, and the default model are three sources that disagree (#105 adjacent). Natural bundle: **#105 + #124** — model-resolution pair: 4-surface disagreement (#105) + no validation + no provenance (#124). Also **#122 + #124** — unvalidated-flag pair: `--base-commit` accepts anything (#122) + `--model` accepts anything (#124). Same parser pattern. Session tally: ROADMAP #124.
 
-125. **`git_state: "clean"` is emitted by both `status` and `doctor` JSON even when `in_git_repo: false` — a non-git directory reports the same sentinel as a git repo with no changes. `GitWorkspaceSummary::default()` returns all-zero fields; `is_clean()` checks `changed_files == 0` → true → `headline() = "clean"`. A claw checking `if git_state == "clean" then proceed` would proceed even in a non-git directory. Doctor correctly surfaces `in_git_repo: false` and `summary: "current directory is not inside a git project"`, but the `git_state` field contradicts this by claiming "clean." Separately, `claw init` creates a `.gitignore` file even in non-git directories — not harmful (ready for future `git init`) but misleading** — dogfooded 2026-04-18 on main HEAD `debbcbe` from `/tmp/cdBB2`.
+125. **DONE — `git_state: "clean"` is emitted by both `status` and `doctor` JSON even when `in_git_repo: false` — a non-git directory reports the same sentinel as a git repo with no changes. `GitWorkspaceSummary::default()` returns all-zero fields; `is_clean()` checks `changed_files == 0` → true → `headline() = "clean"`. A claw checking `if git_state == "clean" then proceed` would proceed even in a non-git directory. Doctor correctly surfaces `in_git_repo: false` and `summary: "current directory is not inside a git project"`, but the `git_state` field contradicts this by claiming "clean." Separately, `claw init` creates a `.gitignore` file even in non-git directories — not harmful (ready for future `git init`) but misleading** — dogfooded 2026-04-18 on main HEAD `debbcbe` from `/tmp/cdBB2`.
 
      **Concrete repro.**
      ```
@@ -4689,7 +4689,7 @@ ear], /color [scheme], /effort [low|medium|high], /fast, /summary, /tag [label],
 
      **Source.** Jobdori dogfood 2026-04-18 against `/tmp/cdBB2` on main HEAD `debbcbe` in response to Clawhip pinpoint nudge at `1495016073085583442`. Joins **Truth-audit / diagnostic-integrity** — `git_state: "clean"` is a lie for non-git directories. Adjacent to **#89** (claw blind to mid-rebase) — same field, different missing state. Joins **#100** (status/doctor JSON gaps) — another field whose value doesn't reflect reality. Natural bundle: **#89 + #100 + #125** — git-state-completeness triple: rebase/merge invisible (#89) + stale-base unplumbed (#100) + non-git "clean" lie (#125). Complete coverage of git_state field failures. Session tally: ROADMAP #125.
 
-126. **`/config [env|hooks|model|plugins]` ignores the section argument — all four subcommands return bit-identical output: the same config-file-list envelope `{kind:"config", files:[...], loaded_files, merged_keys, cwd}`. Help advertises "/config [env|hooks|model|plugins] — Inspect Claude config files or merged sections [resume]" — implying section-specific output. A claw invoking `/config model` expecting the resolved model config gets the file-list envelope identical to `/config hooks`. The section argument is parsed and discarded** — dogfooded 2026-04-18 on main HEAD `b56841c` from `/tmp/cdFF2`.
+126. **DONE — `/config [env|hooks|model|plugins]` ignores the section argument — all four subcommands return bit-identical output: the same config-file-list envelope `{kind:"config", files:[...], loaded_files, merged_keys, cwd}`. Help advertises "/config [env|hooks|model|plugins] — Inspect Claude config files or merged sections [resume]" — implying section-specific output. A claw invoking `/config model` expecting the resolved model config gets the file-list envelope identical to `/config hooks`. The section argument is parsed and discarded** — dogfooded 2026-04-18 on main HEAD `b56841c` from `/tmp/cdFF2`.
 
      **Concrete repro.**
      ```