Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01V3s6WnubSSrFjAQTLQdVbG
36 lines
2.4 KiB
Markdown
36 lines
2.4 KiB
Markdown
# STATE — llm-security
|
||
|
||
**Active focus:** Security-fix track (from `docs/security-fix-brief-2026-06-20.md`). Critical review
|
||
DONE. Must-fixes **F-1 / F-2 / F-3 ALL DONE** across Sessions A + B. **Next = Session C (release).**
|
||
TRG/SIG/AST (TRG/SIG/AST) shipped Steps 1–7; v7.8.0 release (Step 8) stays DEFERRED until Session C.
|
||
|
||
## Critical-review verdict (DONE — do NOT re-derive)
|
||
- **F-1 / F-2 / F-3 = MUST FIX. ALL DONE.** Verified real, fixes local + mechanical.
|
||
- **F-5 / F-6 = cheap cleanup. DONE** (Session A).
|
||
- **F-4 = optional** (LOW, by-design MCP spawn; confirm-gate is a judgment call) — still open.
|
||
- F-2 prefix containment does NOT stop a symlink-escape — noted inline in the fix; residual gap.
|
||
|
||
## Multi-session plan — FIXES COMPLETE
|
||
- **Session A — F-1 (CRITICAL) + F-5/F-6. DONE (5f50899, pushed).** `git()` → array-arg `spawnSync`.
|
||
- **Session B — F-2 + F-3 (both HIGH). DONE (commit 3f64aa5).**
|
||
- F-2 `scanners/auto-cleaner.mjs` (~:776): prefix-containment before write — a finding whose
|
||
`resolve(target, f.file)` escapes the tree is refused + reported skipped. Repro
|
||
`tests/scanners/auto-cleaner-traversal.test.mjs` (`../secret.txt`) RED→GREEN.
|
||
- F-3 `hooks/scripts/pre-install-supply-chain.mjs` `inspectNpmPackage`: `npm view` now
|
||
`spawnSync('npm',['view',spec,'--json'])` (no shell). Repro
|
||
`tests/hooks/supply-chain-injection.test.mjs` (`$(>/abs/PWNED)`) RED→GREEN. `execSafe` kept for
|
||
the static `npm audit --json` call (no interpolation).
|
||
- Suite 1863/0 (was 1860; +3). gitleaks clean. F-1 repro re-run GREEN (sink still closed).
|
||
|
||
## COLD START (next session = Session C — RELEASE)
|
||
1. `pwd` + `git status`. Confirm 3f64aa5 + the STATE commit are present (and pushed — see notes).
|
||
2. Cut v7.8.0 (TRG/SIG/AST Step 8) now that the B− → A− security gates pass. Read
|
||
`docs/plans/trekplan-2026-06-20-TRG/SIG/AST-gap-analysis.md` Step 8 + `docs/version-history.md`.
|
||
3. Version-sync ALL refs before the bump commit (package.json, README badges, CHANGELOG, CLAUDE.md);
|
||
check consistency. Optionally add the F-4 confirm-gate.
|
||
|
||
## Continuity notes
|
||
- Disclosure hold LIFTED: F-1 fix + `review-2026-06-20.md` + brief already on `origin/main`. Push
|
||
Session-B fixes normally.
|
||
- origin = Forgejo `open/llm-security` (never GitHub). Push window: weekdays 20:00–23:00; weekends/
|
||
holidays anytime. Outside window at session end → commit locally, PARK the push, say so explicitly.
|