# STATE — llm-security **Active focus:** Security-fix track (from `docs/security-fix-brief-2026-06-20.md`). Critical review is DONE — brief verified sound. Implement the must-fixes over MULTIPLE sessions (context-limited). TRG/SIG/AST (TRG/SIG/AST) shipped Steps 1–7; v7.8.0 release (Step 8) stays DEFERRED behind these fixes. ## Critical-review verdict (DONE — do NOT re-derive) - **F-1 / F-2 / F-3 = MUST FIX.** Verified real, correctly diagnosed, fixes are local + mechanical. - **F-5 / F-6 = cheap cleanup.** `git rm -- ./--json .orphaned_at` — both confirmed present in repo root. - **F-4 = optional** (LOW, by-design MCP spawn; a confirm-gate is a judgment call). - No false positives / over-scoping in the must-layer. One gap to add: F-2's prefix containment does not stop a symlink-escape — note it, but the prefix check is the must-do part. ## Multi-session plan (TDD each: repro → red → green; full `node --test` green; gitleaks clean) - **Session A — F-1 (CRITICAL) + cleanup.** Convert the `git()` helper in `scanners/git-forensics.mjs` (`:59-66`, currently `execSync(\`git ${cmd}\`)`) to `spawnSync('git', [...tokens], {cwd})` — one change fixes every call site (`:202/:211/:223/:231/ :549/:564` already pass discrete tokens). Add a fixture repo with a hostile filename; assert the scan completes and the injected side-effect never runs (write failing repro FIRST). Keep existing git-forensics tests green (glob `commands/*.md` must still match via git, not shell). Fold in F-5/F-6 `git rm`. Commit + push. - **Session B — F-2 + F-3 (both HIGH).** - F-2 `scanners/auto-cleaner.mjs` (sink ~`:776`, write ~`:878-881`): before write assert `absPath === targetPath || absPath.startsWith(targetPath + sep)`; else skip + report. Test: a finding `file: "../escape.txt"` is refused, not written. - F-3 `scanners/lib/supply-chain-data.mjs:221-227` (`execSafe` = `execSync`) reached via `hooks/scripts/pre-install-supply-chain.mjs:254`: switch to `spawnSync('npm',['view',spec,'--json'])` OR validate spec `^[@/A-Za-z0-9._-]+$` first. Test: spec `foo;touch X` must not execute `touch`. - **Session C — release.** Then Step 8 (v7.8.0) per `docs/plans/trekplan-2026-06-20-TRG/SIG/AST-gap-analysis.md`. Optionally F-4 confirm-gate. ## COLD START (next session = Session A) 1. `pwd` + `git status` (expect clean). Read `docs/security-fix-brief-2026-06-20.md` + this STATE. 2. Start Session A (F-1) TDD — write the failing repro FIRST, then convert `git()`. ## Continuity notes - Brief's "disclosure hold" gate is MOOT: review `738770e` + brief `fea943b` are already on `origin/main`. Push the F-1 fix normally; no special bundling needed. - origin = Forgejo `open/llm-security` (never GitHub). Push window: weekdays 20:00–23:00; weekends/ holidays anytime. TRG/SIG/AST scanners (14 total, suite 1859/0) already shipped + pushed.