fix(context,security): harden §0.1 per holistic review #10
Merged
Address findings from a holistic expert review of the §0.1 code:

- [HIGH] Workspace failures no longer fail the task. AgentTaskExecutor and the MCP coding_agent_run handler now wrap getContextPack in try/catch and degrade to the plain prompt (log a warning). The MCP path keeps startJob errors (e.g. repo-path confinement) as real isError results — the two error classes are separated.
- [HIGH] defaultGitRunner sets an explicit 64MB maxBuffer so large ls-tree / git show output no longer throws (default is 1MB).
- [MED/security] repo-path confinement now canonicalizes via realpathSync (with a real-parent + leaf fallback for not-yet-created paths), so a symlink inside an allowed root can no longer escape it. Validated with a real-fs symlink test.
- [LOW] augmentTaskPrompt sanitizes injected AGENTS.md/CLAUDE.md content so it cannot break out of the <workspace-context> block.
- [MED] documented the sync-git event-loop caveat on the symbol pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fixes from a holistic expert review of the merged §0.1 code (validate→fix loop, converged green in 2 iterations).
| Finding | Fix |
|---|---|
| `getContextPack` threw (non-git dir, missing binary, oversized output) | `try/catch` → degrade to plain prompt + warn |
| `coding_agent_run` | `try/catch` (degrade) from `startJob` (confinement errors still surface as `isError`) |
| `git` calls used the default 1 MB `maxBuffer` → large `ls-tree`/`show` throws | `maxBuffer` |
| `isPathWithin` used `path.resolve` (not realpath) → a symlink inside an allowed root could escape | `canonicalize` via `realpathSync` (+ real-parent/leaf fallback); real-fs symlink test proves the escape is blocked |
| `AGENTS.md`/`CLAUDE.md` could close the `<workspace-context>` block | `sanitize()` strips the delimiter |

Gates

`typecheck` ✅ · `lint` ✅ · `test:coverage` ✅ (406 tests, 100%) · `build` ✅. New tests: executor+MCP degrade-on-error, real-fs symlink escape, sanitize.

🤖 Generated with Claude Code
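The symlink-escape finding above, as an added example that is not the PR's own code: a lexical `path.resolve` check beside a `realpathSync`-based one with the parent-plus-leaf fallback. The names `isPathWithin` and `canonicalize` are borrowed from the PR text; their bodies, `staysInside`, `isPathWithinLexical`, `demo` and the temp-dir fixture are assumptions, and the fallback goes beyond the PR description by recursing through several missing ancestors and by following dangling symlinks.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when `rel` (output of path.relative) stays at or below its base.
const staysInside = (rel) =>
  rel === '' || !(rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel));

// Pre-fix style check: purely lexical, never consults the filesystem.
const isPathWithinLexical = (root, candidate) =>
  staysInside(path.relative(path.resolve(root), path.resolve(candidate)));

// Resolve symlinks. If the path does not exist yet, canonicalize the parent
// and re-attach the leaf (recursing while ancestors are missing too).
function canonicalize(p) {
  const abs = path.resolve(p);
  try {
    return fs.realpathSync(abs);
  } catch (err) {
    if (err.code !== 'ENOENT') throw err;
  }
  const parent = path.dirname(abs);
  if (parent === abs) return abs; // reached the filesystem root
  const realParent = canonicalize(parent);
  const leaf = path.join(realParent, path.basename(abs));
  // A dangling symlink also raises ENOENT: follow its target, not its name.
  if (fs.lstatSync(leaf, { throwIfNoEntry: false })?.isSymbolicLink()) {
    return canonicalize(path.resolve(realParent, fs.readlinkSync(leaf)));
  }
  return leaf;
}

const isPathWithin = (root, candidate) =>
  staysInside(path.relative(canonicalize(root), canonicalize(candidate)));

// Constructed fixture: allowed/ holds a symlink to a sibling directory and a
// dangling symlink pointing outside. Each entry is [lexical, canonical].
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'confine-'));
  const [root, outside] = ['allowed', 'outside'].map((d) => path.join(base, d));
  for (const d of [root, outside]) fs.mkdirSync(d);
  fs.symlinkSync(outside, path.join(root, 'link'));
  fs.symlinkSync(path.join(outside, 'missing'), path.join(root, 'dangling'));
  const probe = (rel) => [isPathWithinLexical, isPathWithin].map((f) => f(root, path.join(root, rel)));
  const out = { viaLink: probe('link/secret.txt'), dangling: probe('dangling'), newFile: probe('src/new/file.ts') };
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
console.log(demo());
```

The check and the later file operation are still two separate steps, so a path swapped between them is outside what this example covers.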