Summary
gstack-config set brain_trust_policy@local personal fails with a validation error when gbrain is configured as a stdio (local PGLite) engine, making /setup-gbrain report DONE_WITH_CONCERNS and silently skip writing the trust policy.
Root cause
endpoint_hash() in bin/gstack-config intentionally falls back to the literal string "local" when no MCP URL is found (stdio engines have no URL to hash):
# bin/gstack-config ~L161
# MCP server URL. Falls back to the literal 'local' when no MCP is configured.
endpoint_hash() {
...
printf '%s' "local" # ← stdio fallback
}The comment at L138 even documents this intent:
# brain_trust_policy@<hash> — unset on fresh install; setup-gbrain
# writes 'personal' for local engines,
However, the key validator on both get and set only allows hex characters after @:
# get (L265) and set (L280) — same pattern in both
if ! printf '%s' "$KEY" | grep -qE '^[a-zA-Z0-9_]+(@[a-f0-9]+)?$'; then
echo "Error: key must contain only alphanumeric characters, underscores, and an optional @<hex-hash> suffix" >&2
exit 1
fi
local contains l and o which are outside [a-f0-9], so the key brain_trust_policy@local is rejected even though endpoint_hash() produces it by design.
The same hex-only pattern also appears in the get value-lookup grep (L270).
Affected lines
| Line |
Code |
| 265 |
grep -qE '^[a-zA-Z0-9_]+(@[a-f0-9]+)?$' (get validator) |
| 270 |
grep -E "^${KEY%@*}(@[a-f0-9]+)?:" (get value lookup) |
| 280 |
grep -qE '^[a-zA-Z0-9_]+(@[a-f0-9]+)?$' (set validator) |
Fix
Change [a-f0-9]+ → [a-zA-Z0-9]+ at all three sites. This covers both sha8/sha16 hex hashes (remote endpoints) and the local fallback (stdio engines) without opening up anything unsafe.
# get + set validators
grep -qE '^[a-zA-Z0-9_]+(@[a-zA-Z0-9]+)?$'
# get value lookup
grep -E "^${KEY%@*}(@[a-zA-Z0-9]+)?:"Error message wording should also drop "hex-" from "optional @<hex-hash> suffix".
Observed behaviour
/setup-gbrain on a stdio/local-PGLite engine reports:
DONE_WITH_CONCERNS — minor:
gstack-config set brain_trust_policy@local personal fails validation because
the @<hash> suffix regex requires hex-only ([a-f0-9]+) and endpoint-hash
returns the literal 'local' for stdio engines.
The trust policy is never written; the concern is non-fatal but visible on every /setup-gbrain run.
Verified in
~/.claude/skills/gstack commits a5833c4 (v1.57.10.0) and 8241949 (v1.57.9.0) — present in both.
Summary
gstack-config set brain_trust_policy@local personalfails with a validation error when gbrain is configured as a stdio (local PGLite) engine, making/setup-gbrainreportDONE_WITH_CONCERNSand silently skip writing the trust policy.Root cause
endpoint_hash()inbin/gstack-configintentionally falls back to the literal string"local"when no MCP URL is found (stdio engines have no URL to hash):The comment at L138 even documents this intent:
However, the key validator on both
getandsetonly allows hex characters after@:localcontainslandowhich are outside[a-f0-9], so the keybrain_trust_policy@localis rejected even thoughendpoint_hash()produces it by design.The same hex-only pattern also appears in the
getvalue-lookup grep (L270).Affected lines
grep -qE '^[a-zA-Z0-9_]+(@[a-f0-9]+)?$'(get validator)grep -E "^${KEY%@*}(@[a-f0-9]+)?:"(get value lookup)grep -qE '^[a-zA-Z0-9_]+(@[a-f0-9]+)?$'(set validator)Fix
Change
[a-f0-9]+→[a-zA-Z0-9]+at all three sites. This covers both sha8/sha16 hex hashes (remote endpoints) and thelocalfallback (stdio engines) without opening up anything unsafe.Error message wording should also drop "hex-" from "optional @<hex-hash> suffix".
Observed behaviour
/setup-gbrainon a stdio/local-PGLite engine reports:The trust policy is never written; the concern is non-fatal but visible on every
/setup-gbrainrun.Verified in
~/.claude/skills/gstackcommitsa5833c4(v1.57.10.0) and8241949(v1.57.9.0) — present in both.