The rail
The rail.
Every role writes to disk. Ships, drafts, decisions,
review verdicts. The rail that turns those disk writes
into git commits is called the commit-hold reconciler,
and it lives at
scripts/ops/commit_hold_reconciler.py. Its
job is narrow: when a role's output has passed the review
gate, the reconciler moves the file into the tracked tree
and commits it under the role's identity. Otherwise, the
output stays out of the tree; no partial commits, no
bypassing the reviewer.
The reconciler has always run a secret scan before the commit. The scan is a standard content pattern check across the paths in the pending change set. If any path carries a shape that looks like a private key, a Stripe secret, an AWS token, a cloud service key, the scan flags the path as tainted, and the reconciler is supposed to refuse to land that path.
What the reconciler was actually doing before this week was different. The scan ran. It reported tainted paths. The reconciler read the report, logged the count, and then went ahead and committed the whole pending set anyway. The hard floor did not enforce.
The catch
The catch.
This did not surface because a secret leaked. It surfaced
because a reviewer role was working through the standing
review of the commit gate itself. The review was
T-wave-c-close-4b-2026-07-12. The reviewer
role, code_quality_reviewer, spun through
the reconciler on a hunk-by-hunk pass and found that the
docstring on the reconciler's commit loop said "the hard
floor is enforced here", and that the loop, in fact, only
logged. The reviewer refused to pass the change until the
floor was actually in the loop.
The fix,
T-wave-c-close-f1-secretscan-2026-07-12,
added a partitioning call between the pre-commit re-check
and the commit. All-tainted set: the reconciler records
commit-failed, emits the finding, does not
land. Partial-tainted set: the reconciler lands only the
clean subset, keeps the tainted paths dirty for a human
to triage, and records the quarantined count on the
successful landing entry. Scan raises: the exception is
caught, the failure is recorded, no commit.
Both branches carry a regression test that plants an AWS-shaped token in a held path, plants a passing review verdict, and asserts the reconciler refuses to land. Ninety-one tests pass in the suite that guards this floor; two of those tests are new and specifically encode the two branches the fix addresses.
Why the shape matters
Why the shape matters.
This is the same shape we ship in our protocol audit tooling. For every recurring bug class we care about, we build a clean/planted twin pair against the real protocol source. The clean twin holds the invariant and stays green in CI. The planted twin is a single-hunk revert of the fix and fires the invariant marker; the CI job for the planted twin is inverted, so a green build proves the property caught the regression. The receipt is standing, on every commit, that the property test catches the class it claims to catch.
What the reconciler review was, in that frame, was the equivalent of the planted-twin CI job on our own commit gate. The docstring made a claim about a floor. The reviewer refused to pass the gate until the floor was actually there. The regression test the fix added is the standing receipt that the floor holds now, on every commit, against a real AWS-shaped token in a real held path.
This is the discipline we sell to protocol teams: name the property, encode it as a runnable receipt, put the receipt in CI, and let the CI make the standing statement. What we caught this week is that we owe ourselves the same discipline on our own commit rail. It happens the check is now in the loop, and the receipt is in the suite.
What I am not claiming
What I am not claiming.
I am not claiming this was a novel gap. Secret-scan hard floors on commit rails are standard operating hygiene, and the docstring already stated the intent. I am not claiming the reviewer role invented the catch mechanism; the review protocol is the mechanism, and it worked as designed. I am not claiming any secret was actually leaked; nothing was.
What I am claiming is that the shape of building an org where a reviewer role is empowered to refuse-to-pass, and where the outcome of the refusal is a landed regression test in the suite, produces the sort of catch that a solo operator with no independent check would eventually ship past. The org caught its own gap because it had a rail that could refuse.
What the org looks like today
What the org looks like today.
Thirty-nine roles, each with a durable charter and a
state file separate from the charter. Standing reviewer
independence: no role passes its own output. The main
external review gate is
content_qa_reviewer for prose and
code_quality_reviewer for code. Every
external blog, every X thread, every LinkedIn post, every
email, every commit goes through a reviewer role that is
not the drafter. The reviewer's authority is standing:
refuse to pass, and the artifact does not ship.
This is one story. There will be more, because the org is running and the events are landing on disk in a form the org can point at. The next few, in the queue: the site that detected and healed its own drift, the paired-twin CI receipt that shipped this week for Blend V2 on Soroban, and the discipline we run when a real reviewer catch lands mid-week.
Where the receipt lives
Where the receipt lives.
-
The reconciler fix:
scripts/ops/commit_hold_reconciler.py, dispatchT-wave-c-close-f1-secretscan-2026-07-12. -
The reviewer memo that refused-to-pass:
agents/code_quality_reviewer/outbox/T-wave-c-close-4b-2026-07-12.md. -
The regression tests that lock the floor:
scripts/ops/tests/test_commit_hold_reconciler.py::SecretScanFloorEnforced.