Allow agent files to set git user identity (name/email) #94

Closed
opened 2026-05-28 20:53:08 -04:00 by didericis · 0 comments
Owner

Problem

git.user.name / git.user.email is a bottle-only field today (manifest.py _AGENT_KEYS rejects anything else in agent frontmatter). The only way to give an agent a distinct commit identity is to author a whole separate bottle — coupling commit attribution (a purpose/presentation concern) to the security boundary (the bottle). This is why e.g. a claude-dev-implementer bottle exists largely to carry one user.name.

Proposal

Let agent files declare git.user (name/email only). At launch the agent's git.user overlays the referenced bottle's git.user per-field (agent wins on non-empty), mirroring the existing extends: overlay from PRD 0025.

  • Keep git.remotes bottle-only — that block carries credentials (IdentityFile, KnownHostKey) and is boundary-relevant.
  • Apply the overlay at Manifest.bottle_for(), the single chokepoint both backends already use, so provisioners need no changes.

Why this is safe

Git author identity is not a credential or capability: push auth is the bottle's git.remotes token/key, and the author field is already forgeable from inside the bottle (git config user.email ... at runtime). The manifest field is only a default. Allowing agents to set it does not widen the attack surface; attribution integrity is a commit-signing concern, not an author-field one.

Follow-up: PRD + implementation.

didericis added the Kind/Enhancement label 2026-05-28 20:53:40 -04:00
didericis-claude was assigned by didericis 2026-05-28 20:53:55 -04:00
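
The per-field overlay and the bottle-only rule for git.remotes that the issue proposes, as an added Python example; it is not bot-bottle's manifest.py. The names `GitUser`, `Bottle`, `parse_agent_git`, `overlay_git_user` and `AGENT_GIT_USER_KEYS` are hypothetical, and the sample values are constructed.

```python
from dataclasses import dataclass, field, replace

AGENT_GIT_USER_KEYS = {"name", "email"}  # assumed allowlist, per the proposal

@dataclass(frozen=True)
class GitUser:
    name: str = ""
    email: str = ""

@dataclass(frozen=True)
class Bottle:
    git_user: GitUser = field(default_factory=GitUser)
    git_remotes: dict = field(default_factory=dict)  # credentials: bottle-only

def parse_agent_git(frontmatter: dict) -> GitUser:
    """Validate an agent's git block: only git.user.{name,email} may appear."""
    git = frontmatter.get("git") or {}
    if not isinstance(git, dict):
        raise ValueError("git must be a mapping")
    for key in git:
        if key != "user":
            raise ValueError(f"git.{key} is bottle-only; agents may set git.user")
    user = git.get("user") or {}
    if not isinstance(user, dict):
        raise ValueError("git.user must be a mapping")
    for key, value in user.items():
        if key not in AGENT_GIT_USER_KEYS:
            raise ValueError(f"unknown agent key git.user.{key}")
        if not isinstance(value, str):
            raise ValueError(f"git.user.{key} must be a string")
    return GitUser(**{k: v.strip() for k, v in user.items()})

def overlay_git_user(bottle: Bottle, agent_user: GitUser) -> Bottle:
    """Per-field overlay: the agent wins on non-empty; remotes are untouched."""
    merged = GitUser(
        name=agent_user.name or bottle.git_user.name,
        email=agent_user.email or bottle.git_user.email,
    )
    return replace(bottle, git_user=merged)

if __name__ == "__main__":
    # Constructed sample data; the key path is a placeholder.
    bottle = Bottle(GitUser("bottle-default", "bot@example.invalid"),
                    {"origin": {"IdentityFile": "<placeholder-path>"}})
    agent = parse_agent_git({"git": {"user": {"name": "implementer"}}})
    print(overlay_git_user(bottle, agent))
```

Rejecting every `git` key other than `user` at parse time keeps the credential-bearing block out of the merge path entirely, so the overlay function never sees agent-supplied remotes.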

Reference: didericis/bot-bottle#94