Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2.8 KiB
2.8 KiB
STATE — llm-security
Active focus: Security-fix track (from docs/security-fix-brief-2026-06-20.md). Critical review
is DONE — brief verified sound. Implement the must-fixes over MULTIPLE sessions (context-limited).
TRG/SIG/AST (TRG/SIG/AST) shipped Steps 1–7; v7.8.0 release (Step 8) stays DEFERRED behind these fixes.
Critical-review verdict (DONE — do NOT re-derive)
- F-1 / F-2 / F-3 = MUST FIX. Verified real, correctly diagnosed, fixes are local + mechanical.
- F-5 / F-6 = cheap cleanup.
git rm -- ./--json .orphaned_at— both confirmed present in repo root. - F-4 = optional (LOW, by-design MCP spawn; a confirm-gate is a judgment call).
- No false positives / over-scoping in the must-layer. One gap to add: F-2's prefix containment does not stop a symlink-escape — note it, but the prefix check is the must-do part.
Multi-session plan (TDD each: repro → red → green; full node --test green; gitleaks clean)
- Session A — F-1 (CRITICAL) + cleanup. Convert the
git()helper inscanners/git-forensics.mjs(:59-66, currentlyexecSync(\git ${cmd}`)) tospawnSync('git', [...tokens], {cwd})— one change fixes every call site (:202/:211/:223/:231/ :549/:564already pass discrete tokens). Add a fixture repo with a hostile filename; assert the scan completes and the injected side-effect never runs (write failing repro FIRST). Keep existing git-forensics tests green (globcommands/*.mdmust still match via git, not shell). Fold in F-5/F-6git rm`. Commit + push. - Session B — F-2 + F-3 (both HIGH).
- F-2
scanners/auto-cleaner.mjs(sink ~:776, write ~:878-881): before write assertabsPath === targetPath || absPath.startsWith(targetPath + sep); else skip + report. Test: a findingfile: "../escape.txt"is refused, not written. - F-3
scanners/lib/supply-chain-data.mjs:221-227(execSafe=execSync) reached viahooks/scripts/pre-install-supply-chain.mjs:254: switch tospawnSync('npm',['view',spec,'--json'])OR validate spec^[@/A-Za-z0-9._-]+$first. Test: specfoo;touch Xmust not executetouch.
- F-2
- Session C — release. Then Step 8 (v7.8.0) per
docs/plans/trekplan-2026-06-20-TRG/SIG/AST-gap-analysis.md. Optionally F-4 confirm-gate.
COLD START (next session = Session A)
pwd+git status(expect clean). Readdocs/security-fix-brief-2026-06-20.md+ this STATE.- Start Session A (F-1) TDD — write the failing repro FIRST, then convert
git().
Continuity notes
- Brief's "disclosure hold" gate is MOOT: review
738770e+ brieffea943bare already onorigin/main. Push the F-1 fix normally; no special bundling needed. - origin = Forgejo
open/llm-security(never GitHub). Push window: weekdays 20:00–23:00; weekends/ holidays anytime. TRG/SIG/AST scanners (14 total, suite 1859/0) already shipped + pushed.