fix(linkedin-studio): S13 — close S12 WARN ($-scalar + false-green test) + $-safety lint guard
Closes the 2 grep/Read-verified findings from the S12 cold full-brief re-review (docs/remediation/review.md, WARN 0/1/1/0, 0 dropped) and closes the $-injection CLASS — not the line — across the whole state-updater.mjs mutation surface. See docs/remediation/review.md (S13 ALLOW, 0/0/0/0) for the full closure record: replaceField -> replacement function; the 3 additive-insert sites -> functions (m === $1, behavior-preserving); a scalar assert.match pins last_post_topic; and a behavioral, coverage-complete, self-testing Section 12 guard (check-replace-safety.mjs) that is mutation-proven. Docs three-doc + residuals updated. test-runner.sh 71/0/0, node --test 98/98.
This commit is contained in:
parent
36f79dd702
commit
431a893f7c
10 changed files with 665 additions and 9 deletions
|
|
@ -13,8 +13,10 @@
|
|||
# Step 21; the agent model-consistency guard (each agents/<name>.md frontmatter
|
||||
# model: must match every surface declaration, and canonical rosters must list
|
||||
# every agent) in S11; the render-chain propagation guard (no honesty pattern a
|
||||
# command was cleaned of survives in the reference it renders from) in S12. All
|
||||
# four are live below (Sections 8, 9, 10 and 11).
|
||||
# command was cleaned of survives in the reference it renders from) in S12; the
|
||||
# `$`-safety guard (no untrusted value reaches a String.replace replacement STRING
|
||||
# in state-updater.mjs — proven behaviorally, coverage-complete, self-testing) in
|
||||
# S13. All five are live below (Sections 8, 9, 10, 11 and 12).
|
||||
#
|
||||
# Usage: bash scripts/test-runner.sh
|
||||
# bash 3.2-safe: plain arrays only, no `declare -A`, no `mapfile`/`readarray`.
|
||||
|
|
@ -417,6 +419,34 @@ fi
|
|||
|
||||
echo ""
|
||||
|
||||
# --- Section 12: `$`-Safety (String.replace replacement) ---
|
||||
echo "--- \$-Safety (String.replace replacement) ---"
|
||||
|
||||
# state-updater.mjs mutates the state file from untrusted user content (post
|
||||
# topics, hooks, targets, partners, …). In a JS replacement *string*, `$&`/`` $` ``/
|
||||
# `$'`/`$$`/`$n` are special, so a `$`-bearing value rewrites the field; a
|
||||
# replacement *function* inserts its return verbatim. Added in S13 after a cold
|
||||
# full-brief review found the LAST member of this class: S12 converted the 5
|
||||
# section-append sites to functions but left `replaceField` (the scalar writer) on a
|
||||
# replacement string, and the S12 `$`-test asserted only the section entry — never
|
||||
# the `last_post_topic` scalar — so the corruption shipped green. This is the S9→S12
|
||||
# "close the class, not the line" lesson on the `$`-axis: rather than grep a
|
||||
# syntactic proxy (which cannot tell a replacement-position template literal from a
|
||||
# RegExp-pattern one across multi-line calls), check-replace-safety.mjs drives EVERY
|
||||
# exported mutator with an adversarial payload of every special token in every
|
||||
# free-text + date field and asserts verbatim survival. Two structural backstops run
|
||||
# inside it on every invocation: COVERAGE-COMPLETENESS (a new export without
|
||||
# `$`-coverage fails) and a NON-VACUITY SELF-TEST (a naive string-replace MUST
|
||||
# corrupt the payload, a function MUST preserve it — else a PASS is meaningless),
|
||||
# mirroring Section 8/10/11.
|
||||
if node scripts/check-replace-safety.mjs; then
|
||||
pass "\$-safety: no untrusted value reaches a String.replace replacement string (behavioral, coverage-complete, self-testing)"
|
||||
else
|
||||
fail "\$-safety guard failed — a state-updater String.replace replacement is \$-unsafe; see check-replace-safety.mjs output above"
|
||||
fi
|
||||
|
||||
echo ""
|
||||
|
||||
# --- Summary ---
|
||||
echo "================================================"
|
||||
echo "RESULTS"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue