llm-security/STATE.md

40 lines
2.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# STATE — llm-security
**Active focus:** Security-fix track (from `docs/security-fix-brief-2026-06-20.md`). Critical review
is DONE — brief verified sound. Implement the must-fixes over MULTIPLE sessions (context-limited).
TRG/SIG/AST (TRG/SIG/AST) shipped Steps 17; v7.8.0 release (Step 8) stays DEFERRED behind these fixes.
## Critical-review verdict (DONE — do NOT re-derive)
- **F-1 / F-2 / F-3 = MUST FIX.** Verified real, correctly diagnosed, fixes are local + mechanical.
- **F-5 / F-6 = cheap cleanup.** `git rm -- ./--json .orphaned_at` — both confirmed present in repo root.
- **F-4 = optional** (LOW, by-design MCP spawn; a confirm-gate is a judgment call).
- No false positives / over-scoping in the must-layer. One gap to add: F-2's prefix containment does
not stop a symlink-escape — note it, but the prefix check is the must-do part.
## Multi-session plan (TDD each: repro → red → green; full `node --test` green; gitleaks clean)
- **Session A — F-1 (CRITICAL) + cleanup.** Convert the `git()` helper in
`scanners/git-forensics.mjs` (`:59-66`, currently `execSync(\`git ${cmd}\`)`) to
`spawnSync('git', [...tokens], {cwd})` — one change fixes every call site (`:202/:211/:223/:231/
:549/:564` already pass discrete tokens). Add a fixture repo with a hostile filename; assert the
scan completes and the injected side-effect never runs (write failing repro FIRST). Keep existing
git-forensics tests green (glob `commands/*.md` must still match via git, not shell). Fold in
F-5/F-6 `git rm`. Commit + push.
- **Session B — F-2 + F-3 (both HIGH).**
- F-2 `scanners/auto-cleaner.mjs` (sink ~`:776`, write ~`:878-881`): before write assert
`absPath === targetPath || absPath.startsWith(targetPath + sep)`; else skip + report. Test: a
finding `file: "../escape.txt"` is refused, not written.
- F-3 `scanners/lib/supply-chain-data.mjs:221-227` (`execSafe` = `execSync`) reached via
`hooks/scripts/pre-install-supply-chain.mjs:254`: switch to `spawnSync('npm',['view',spec,'--json'])`
OR validate spec `^[@/A-Za-z0-9._-]+$` first. Test: spec `foo;touch X` must not execute `touch`.
- **Session C — release.** Then Step 8 (v7.8.0) per
`docs/plans/trekplan-2026-06-20-TRG/SIG/AST-gap-analysis.md`. Optionally F-4 confirm-gate.
## COLD START (next session = Session A)
1. `pwd` + `git status` (expect clean). Read `docs/security-fix-brief-2026-06-20.md` + this STATE.
2. Start Session A (F-1) TDD — write the failing repro FIRST, then convert `git()`.
## Continuity notes
- Brief's "disclosure hold" gate is MOOT: review `738770e` + brief `fea943b` are already on
`origin/main`. Push the F-1 fix normally; no special bundling needed.
- origin = Forgejo `open/llm-security` (never GitHub). Push window: weekdays 20:0023:00; weekends/
holidays anytime. TRG/SIG/AST scanners (14 total, suite 1859/0) already shipped + pushed.