Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
2.8 KiB
2.8 KiB
STATE — llm-security
Active focus: Security-fix track (from docs/security-fix-brief-2026-06-20.md). Critical review
DONE — brief verified sound. Implementing must-fixes over MULTIPLE sessions (context-limited).
Session A (F-1 + F-5/F-6) DONE + pushed. Next = Session B (F-2 + F-3).
TRG/SIG/AST (TRG/SIG/AST) shipped Steps 1–7; v7.8.0 release (Step 8) stays DEFERRED behind these fixes.
Critical-review verdict (DONE — do NOT re-derive)
- F-1 / F-2 / F-3 = MUST FIX. Verified real, correctly diagnosed, fixes are local + mechanical.
- F-5 / F-6 = cheap cleanup. DONE —
--json+.orphaned_atremoved in Session A. - F-4 = optional (LOW, by-design MCP spawn; a confirm-gate is a judgment call).
- One gap to add: F-2's prefix containment does NOT stop a symlink-escape — note it, but the prefix check is the must-do part.
Multi-session plan (TDD each: repro → red → green; full node --test green; gitleaks clean)
- Session A — F-1 (CRITICAL) + cleanup. DONE (commit
5f50899, pushed).git()inscanners/git-forensics.mjsnowspawnSync('git', [...tokens], {cwd})(no shell); ALL ~25 call sites pass discrete arrays. Reprotests/scanners/git-injection.test.mjs(hostile$(...)filename) RED→GREEN. F-5/F-6git rmfolded in. Suite 1860/0. - Session B — F-2 + F-3 (both HIGH). ← NEXT
- F-2
scanners/auto-cleaner.mjs(sink ~:776resolve(targetPath, f.file), write ~:878-881): before write assertabsPath === targetPath || absPath.startsWith(targetPath + sep); else skip + report. Test: a findingfile: "../escape.txt"is refused, not written. - F-3
scanners/lib/supply-chain-data.mjs:221-227(execSafe=execSync) reached viahooks/scripts/pre-install-supply-chain.mjs:254→inspectNpmPackage: switch tospawnSync('npm',['view',spec,'--json'])OR validate spec^[@/A-Za-z0-9._-]+$first. Test: specfoo;touch Xmust not executetouch.
- F-2
- Session C — release. Then Step 8 (v7.8.0) per
docs/plans/trekplan-2026-06-20-TRG/SIG/AST-gap-analysis.md. Optionally F-4 confirm-gate.
COLD START (next session = Session B)
pwd+git status(expect clean). Readdocs/security-fix-brief-2026-06-20.md(F-2/F-3) + this STATE.- Start Session B TDD — F-2 first (failing repro: a
../escape.txtfinding must be refused), then F-3. - Mirror the Session-A pattern: array-arg
spawnSync(style refscanners/lib/git-clone.mjs), repro-first, keep suite green, gitleaks clean, commit + push.
Continuity notes
- Disclosure hold MOOT: review
738770e+ brieffea943balready onorigin/main(verified). No special bundling — push fixes normally. - origin = Forgejo
open/llm-security(never GitHub). Push window: weekdays 20:00–23:00; weekends/ holidays anytime. Suite now 1860/0 (was 1859; +1 F-1 regression test).