Skip to content

fix(context,security): harden §0.1 per holistic review#10

Merged
casabre merged 1 commit into
mainfrom
fix/review-hardening
Jul 4, 2026
Merged

fix(context,security): harden §0.1 per holistic review#10
casabre merged 1 commit into
mainfrom
fix/review-hardening

Conversation

@casabre

@casabre casabre commented Jul 4, 2026

Copy link
Copy Markdown
Owner

Fixes from a holistic expert review of the merged §0.1 code (validate→fix loop, converged green in 2 iterations).

Sev Finding Fix
HIGH A2A executor failed the whole task if getContextPack threw (non-git dir, missing binary, oversized output) try/catch → degrade to plain prompt + warn
HIGH Same for MCP coding_agent_run Separate workspace try/catch (degrade) from startJob (confinement errors still surface as isError)
HIGH git calls used the default 1 MB maxBuffer → large ls-tree/show throws explicit 64 MB maxBuffer
MED (security) isPathWithin used path.resolve (not realpath) → a symlink inside an allowed root could escape canonicalize via realpathSync (+ real-parent/leaf fallback); real-fs symlink test proves the escape is blocked
LOW injected AGENTS.md/CLAUDE.md could close the <workspace-context> block sanitize() strips the delimiter
MED sync-git blocks the event loop on large repos documented caveat

Gates

typecheck ✅ · lint ✅ · test:coverage ✅ (406 tests, 100%) · build ✅. New tests: executor+MCP degrade-on-error, real-fs symlink escape, sanitize.

🤖 Generated with Claude Code

Address findings from a holistic expert review of the §0.1 code:

- [HIGH] Workspace failures no longer fail the task. AgentTaskExecutor and the
  MCP coding_agent_run handler now wrap getContextPack in try/catch and degrade
  to the plain prompt (log a warning). The MCP path keeps startJob errors
  (e.g. repo-path confinement) as real isError results — the two error classes
  are separated.
- [HIGH] defaultGitRunner sets an explicit 64MB maxBuffer so large ls-tree /
  git show output no longer throws (default is 1MB).
- [MED/security] repo-path confinement now canonicalizes via realpathSync (with
  a real-parent + leaf fallback for not-yet-created paths), so a symlink inside
  an allowed root can no longer escape it. Validated with a real-fs symlink test.
- [LOW] augmentTaskPrompt sanitizes injected AGENTS.md/CLAUDE.md content so it
  cannot break out of the <workspace-context> block.
- [MED] documented the sync-git event-loop caveat on the symbol pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@casabre casabre merged commit 161b2fc into main Jul 4, 2026
10 checks passed
@casabre casabre deleted the fix/review-hardening branch July 4, 2026 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant