From 888ae33f11ea86d26bc5cce15671eab6b437f685 Mon Sep 17 00:00:00 2001 From: Jonathan Chun Date: Sat, 28 Feb 2026 11:34:42 -0800 Subject: [PATCH 1/2] fix(manifest): allow diagnostic flags for systemctl and journalctl Add missing read-only flags that were causing command rejections: - systemctl list-units: allow --failed (filters to failed units) - journalctl: allow -p/--priority (filter by syslog priority) and --no-pager (essential for non-interactive use) These flags were identified from production logs where legitimate diagnostic commands were being rejected. Co-Authored-By: Claude Opus 4.6
---
 manifest/manifests/journalctl.yaml | 5 +++++ manifest/manifests/systemctl_list-units.yaml | 1 + 2 files changed, 6 insertions(+)
diff --git a/manifest/manifests/journalctl.yaml b/manifest/manifests/journalctl.yaml
index e8c6655..4836b23 100644
--- a/manifest/manifests/journalctl.yaml
+++ b/manifest/manifests/journalctl.yaml
@@ -11,6 +11,11 @@ flags:
 takes_value: true
 - flag: "--until"
 takes_value: true
+ - flag: "-p"
+ takes_value: true
+ - flag: "--priority"
+ takes_value: true
+ - flag: "--no-pager"
 - flag: "-f"
 deny: true
 reason: "Follow mode hangs until timeout. Use --since/--until for bounded queries."
diff --git a/manifest/manifests/systemctl_list-units.yaml b/manifest/manifests/systemctl_list-units.yaml
index bd80fb8..9deb9ba 100644
--- a/manifest/manifests/systemctl_list-units.yaml
+++ b/manifest/manifests/systemctl_list-units.yaml
@@ -4,5 +4,6 @@ category: services
 flags:
 - flag: "--type"
 takes_value: true
+ - flag: "--failed"
 stdin: false
 stdout: true
From d0be433d64dc8f902e27b86e3d6ea427d01fe748 Mon Sep 17 00:00:00 2001
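Review bot: The entries added to journalctl.yaml (`-p`, `--priority`, `--no-pager`) carry no rationale, while the denied `-f` entry directly below them has a `reason:`; in a manifest that apparently decides which commands are accepted or rejected, a one-line comment per group makes later audits much easier. Something like `# -p/--priority: read-only filter by syslog level (0-7, emerg..debug, or FROM..TO)` above the pair would do. The same applies to the flags added in PATCH 2/2, where `-p` in ps.yaml and top.yaml selects PIDs rather than a priority, so the shared spelling is easy to misread in review. Only part of the `flags:` list is visible in this hunk.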
From: Jonathan Chun Date: Sat, 28 Feb 2026 11:47:58 -0800 Subject: [PATCH 2/2] fix(manifest): allow additional safe diagnostic flags Add commonly-used read-only flags that were rejected in production: - journalctl: -t/--identifier, -k/--dmesg, -b, -o/--output, -r/--reverse, -x/--catalog - ps: --sort, -p, -u, -C, --no-headers - top: -o, -p, -u, -w All flags are read-only/diagnostic and safe to allow. Co-Authored-By: Claude Opus 4.6
---
 manifest/manifests/journalctl.yaml | 15 +++++++++++++++ manifest/manifests/ps.yaml | 9 +++++++++ manifest/manifests/top.yaml | 8 ++++++++ 3 files changed, 32 insertions(+)
diff --git a/manifest/manifests/journalctl.yaml b/manifest/manifests/journalctl.yaml
index 4836b23..a1ade83 100644
--- a/manifest/manifests/journalctl.yaml
+++ b/manifest/manifests/journalctl.yaml
@@ -16,6 +16,21 @@ flags:
 - flag: "--priority"
 takes_value: true
 - flag: "--no-pager"
+ - flag: "-t"
+ takes_value: true
+ - flag: "--identifier"
+ takes_value: true
+ - flag: "-k"
+ - flag: "--dmesg"
+ - flag: "-b"
+ - flag: "-o"
+ takes_value: true
+ - flag: "--output"
+ takes_value: true
+ - flag: "-r"
+ - flag: "--reverse"
+ - flag: "-x"
+ - flag: "--catalog"
 - flag: "-f"
 deny: true
 reason: "Follow mode hangs until timeout. Use --since/--until for bounded queries."
diff --git a/manifest/manifests/ps.yaml b/manifest/manifests/ps.yaml
index 30329c8..52cacb0 100644
--- a/manifest/manifests/ps.yaml
+++ b/manifest/manifests/ps.yaml
@@ -6,5 +6,14 @@ flags:
 - flag: "-f"
 - flag: "-o"
 takes_value: true
+ - flag: "--sort"
+ takes_value: true
+ - flag: "-p"
+ takes_value: true
+ - flag: "-u"
+ takes_value: true
+ - flag: "-C"
+ takes_value: true
+ - flag: "--no-headers"
 stdin: false
 stdout: true
diff --git a/manifest/manifests/top.yaml b/manifest/manifests/top.yaml
index a13a6d7..40dc4fb 100644
--- a/manifest/manifests/top.yaml
+++ b/manifest/manifests/top.yaml
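Review bot: In the journalctl.yaml hunk, `-k`/`--dmesg` and `-o`/`--output` are read-only but widen what a caller can read, which the description's "safe to allow" does not address. `-k` returns kernel messages through the journal, so access is governed by the runner account's journal permissions rather than by `kernel.dmesg_restrict`, and `-o` with modes such as `verbose`, `json` or `export` prints every stored field instead of only the message line. If the manifest schema can restrict values, pinning `-o` to the formats actually needed would be tighter; otherwise a comment such as `# -o: any output mode, including all-field formats (verbose/json/export)` records the decision. Separately, `-b` is declared without `takes_value`, so a boot selector passed as its own token will presumably still be rejected, which fails closed but is worth stating if intended.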
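Review bot: In the ps.yaml hunk, `--sort` is declared with `takes_value: true`, but the usual sort keys begin with a sign (`-%cpu`, `-rss`), and nothing visible shows how the validator treats a value token that starts with `-`. If it reads such a token as another flag, the most common invocation is still rejected despite this change. A test covering both `--sort -%cpu` and `--sort=-%cpu` would pin the intended behaviour, and a comment like `# --sort: key list, keys may carry a leading +/-` would tell the next reader why. The `flags:` list starts above the hunk.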
@@ -5,6 +5,14 @@ flags:
 - flag: "-b"
 - flag: "-n"
 takes_value: true
+ - flag: "-o"
+ takes_value: true
+ - flag: "-p"
+ takes_value: true
+ - flag: "-u"
+ takes_value: true
+ - flag: "-w"
+ takes_value: true
 - flag: "-d"
 deny: true
 reason: "Only batch mode with fixed iteration count is allowed"
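Review bot: `-w` is declared `takes_value: true`, but top documents it as `-w [number]`, an optional argument, so the manifest's arity and top's own parsing can disagree about whether the next token is a value. If the validator consumes whatever follows `-w` as its value while top does not, that token is never checked against the manifest, including the `deny` on `-d` just below. The validator is not visible here, so this needs confirming; requiring a numeric value for `-w` (if the schema can express it), or adding a test that a flag placed after `-w` is still validated, would close the gap. A comment such as `# -w: optional numeric width in top; value must be digits` would record the constraint.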