Two structural regions the office extractors missed, no new dependency:
- .docx table cells (they live outside doc.paragraphs);
- grouped .pptx shapes (add_group_shape moves a shape inside the group, so the
extractor recurses through MSO_SHAPE_TYPE.GROUP to reach it).
Each proven by an injection-in-region REJECT plus a clean-region ADMIT. Tests
310 -> 314.
The pptx payload hides where an audience watching the slides does not look. The
extractor surfaces all three regions into the concept text so the stage-2 scan
catches the injection:
- speaker notes (slide.notes_slide.notes_text_frame.text);
- off-slide (off-canvas) text boxes (shape.text_frame.text, position-agnostic);
- image/shape alt-text (cNvPr@descr, read off the XML — python-pptx 1.0.2 has no
stable public accessor across shape types).
Detach-proof: same visible slide without notes ADMITs. python-pptx imported
lazily (dev/showcase-scoped, not a core dep). Tests 305 -> 310.
The docx payload hides where a human reviewing the file in Word does not look.
The extractor surfaces all three regions into the concept text so the stage-2
scan catches the injection:
- hidden/vanish runs (w:vanish) — still runs, so paragraph.text includes them;
- review comments (doc.comments[].text);
- core metadata properties (subject/keywords/comments/title/category/author).
Detach-proof: the same visible body WITHOUT the hidden run ADMITs, so it is the
extractor surfacing the hidden region that caught it, not merely 'a docx'.
python-docx is imported lazily (dev/showcase-scoped, not a core dep). Tests
300 -> 305.
- .csv: cells leading with =/+/-/@ (leading whitespace stripped first) are the
CSV-injection/DDE vector the guard cannot recognize, so the front-end refuses
them; the raw cell text is still materialized so a prompt-injection phrase in a
cell is caught by the stage-2 scan (T1). Detach-proof: plain-cell version of
the same file ADMITs. Numeric -/+ leads are the accepted FP (honest-limits).
- folder: walked member-by-member with relative paths preserved, so a reserved
basename member (index.md) lands on the guard's T4 gate; symlinks refused.
Refactor: per-file dispatch shared by top-level drops and folder walk (strict
raises on unsupported top-level suffix, folder skips). Tests 293 -> 300.
The front-end reads zip entries in memory (never extracts to disk), so it owns
the container caps while a traversal entry maps onto the guard's path gate:
- zip-slip: a '../../evil.md' entry materializes onto a traversal concept path
(preserved verbatim, not normalized) -> stage-2 T4 -> FAIL_SECURE -> REJECT.
- zip-bomb: per-entry + per-archive uncompressed-size caps (OWASP LLM10) refuse
an oversize entry before its bytes are read; a bounded read defends a lying
header. Detach-proof: a generous cap admits the same archive, so the cap is
load-bearing.
- symlink entry: refused at the front-end (no legitimate concept meaning).
Caps are kwargs on extract_inbox/receive (small in tests, generous by default).
Tests 288 -> 293.
Realistic-upload showcase (PLAN §247), first slice. A stage-1 front-end reads
dropped files and materializes them into an OKF bundle {concept_path: text} +
provenance; receive() wires extract -> import_bundle -> verdict. This slice
covers .txt/.md (stdlib only); .zip/.csv/folder/.docx/.pptx follow.
- Front-end lives in tests/ (showcase/dev-scoped), core stays stdlib-only:
dependencies=[] untouched; python-docx/python-pptx added to the [dev] extra
(used from stage 2d/2e), never a public [extract] extra (not v1 per PLAN).
- .txt injection -> guard T1 -> REJECT; clean .txt -> ADMIT; a dropped .md keeps
its frontmatter so a dangerous value -> T2 REJECT; an index.* upload
materializes onto the reserved uploads/index.md -> T4 REJECT.
- Detach-proof: neuter extraction to an empty bundle -> the poisoned upload
ADMITs, proving the verdict depends on extraction carrying the payload.
Tests 282 -> 288.