llm-security/STATE.md
2026-06-20 11:10:24 +02:00

36 lines
2.4 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# STATE — llm-security
**Active focus:** Security-fix track (from `docs/security-fix-brief-2026-06-20.md`). Critical review
DONE. Must-fixes **F-1 / F-2 / F-3 ALL DONE** across Sessions A + B. **Next = Session C (release).**
TRG/SIG/AST (TRG/SIG/AST) shipped Steps 17; v7.8.0 release (Step 8) stays DEFERRED until Session C.
## Critical-review verdict (DONE — do NOT re-derive)
- **F-1 / F-2 / F-3 = MUST FIX. ALL DONE.** Verified real, fixes local + mechanical.
- **F-5 / F-6 = cheap cleanup. DONE** (Session A).
- **F-4 = optional** (LOW, by-design MCP spawn; confirm-gate is a judgment call) — still open.
- F-2 prefix containment does NOT stop a symlink-escape — noted inline in the fix; residual gap.
## Multi-session plan — FIXES COMPLETE
- **Session A — F-1 (CRITICAL) + F-5/F-6. DONE (5f50899, pushed).** `git()` → array-arg `spawnSync`.
- **Session B — F-2 + F-3 (both HIGH). DONE (commit 3f64aa5).**
- F-2 `scanners/auto-cleaner.mjs` (~:776): prefix-containment before write — a finding whose
`resolve(target, f.file)` escapes the tree is refused + reported skipped. Repro
`tests/scanners/auto-cleaner-traversal.test.mjs` (`../secret.txt`) RED→GREEN.
- F-3 `hooks/scripts/pre-install-supply-chain.mjs` `inspectNpmPackage`: `npm view` now
`spawnSync('npm',['view',spec,'--json'])` (no shell). Repro
`tests/hooks/supply-chain-injection.test.mjs` (`$(>/abs/PWNED)`) RED→GREEN. `execSafe` kept for
the static `npm audit --json` call (no interpolation).
- Suite 1863/0 (was 1860; +3). gitleaks clean. F-1 repro re-run GREEN (sink still closed).
## COLD START (next session = Session C — RELEASE)
1. `pwd` + `git status`. Confirm 3f64aa5 + the STATE commit are present (and pushed — see notes).
2. Cut v7.8.0 (TRG/SIG/AST Step 8) now that the B → A security gates pass. Read
`docs/plans/trekplan-2026-06-20-TRG/SIG/AST-gap-analysis.md` Step 8 + `docs/version-history.md`.
3. Version-sync ALL refs before the bump commit (package.json, README badges, CHANGELOG, CLAUDE.md);
check consistency. Optionally add the F-4 confirm-gate.
## Continuity notes
- Disclosure hold LIFTED: F-1 fix + `review-2026-06-20.md` + brief already on `origin/main`. Push
Session-B fixes normally.
- origin = Forgejo `open/llm-security` (never GitHub). Push window: weekdays 20:0023:00; weekends/
holidays anytime. Outside window at session end → commit locally, PARK the push, say so explicitly.