← Back to Case Library

Repo-guardrails allowlist blocked legitimate files as false-positive violations

DomainDEVOPS ImpactLow
Error Signature
Guardrail check reports false-positive violations for legitimate, already-reviewed repository files

control-plane's repo-guardrails.json is an explicit allowlist of top-level paths permitted in the repository. Several files that legitimately needed to exist were missing from this allowlist, causing the guardrail check to flag them as violations even though they were intentional, reviewed additions.

Root Cause

repo-guardrails.json enforces a closed allowlist model (anything not explicitly listed is flagged), so any new legitimate top-level file or directory must be added to the manifest in the same change that introduces it - these entries had been missed.

Solution Steps

  1. Add the missing legitimate paths to the topLevel.allowed array in data/manifests/repo-guardrails.json.
  2. Confirm the manifest is valid JSON with a real, populated allowlist.

Validation

[object Object]

Rollback

[object Object]

Ecosystem: devops

License: CC-BY-4.0

Last updated: Jul 6, 2026

Case ID: a13de09d-706b-4ec9-b125-0f7b3557f4ca