Skip to content

docs: incubating direction + voip flow reword + CSO 2026-06-21 report#1304

Merged
dolho merged 3 commits into
devfrom
feature/planning-docs-cso-report
Jun 23, 2026
Merged

docs: incubating direction + voip flow reword + CSO 2026-06-21 report#1304
dolho merged 3 commits into
devfrom
feature/planning-docs-cso-report

Conversation

@vybe

@vybe vybe commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Release-prep doc cleanup — lands two pending planning/flow doc edits and the latest CSO posture report on dev ahead of the v0.7.0 cut.

Changes

  • docs/planning/TARGET_ARCHITECTURE.md — add an "Incubating Directions (Not Yet Decided)" section capturing the goal-directed control-surface idea (Objective + policies + roster + externally-measured evals), explicitly bounded by CLAUDE.md §8 ("Trinity ≠ DAG engine") and sequenced after the pull migration + PostgreSQL (Configurable database backend: SQLAlchemy Core abstraction (SQLite + PostgreSQL) #300). Incubating in trinity-enterprise#27.
  • docs/memory/feature-flows/voip-telephony.md — drop a stale #1039 reference in favor of describing the LOG_* data-retention no-op class directly.
  • docs/security-reports/cso-2026-06-21.{md,json} — routine /cso full-audit posture report (Phases 0–14, daily 8/10 gate). Follows the docs/security-reports/ convention; no real secrets reproduced.

Notes

  • Docs-only; no code, schema, or API changes.
  • Submodule pointers (.claude, src/backend/enterprise) intentionally not touched.

🤖 Generated with Claude Code

Eugene Vyborov and others added 2 commits June 22, 2026 12:28
…flow

Add an "Incubating Directions (Not Yet Decided)" section to
TARGET_ARCHITECTURE.md capturing the goal-directed control-surface idea
(Objective + policies + roster + externally-measured evals), explicitly
bounded by CLAUDE.md §8 and sequenced after the pull migration + #300.
Incubating in trinity-enterprise#27.

Reword the voip-telephony flow note to drop a stale #1039 reference in
favor of describing the LOG_* data-retention no-op class directly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Routine /cso full-audit posture report (Phases 0–14, daily 8/10 gate).
Follows the docs/security-reports/ convention; no real secrets reproduced.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown

⚠️ Nightly unit-suite check skipped — merge conflict against dev.

Resolve by running git merge dev locally and pushing the result. The next nightly run will re-test once the conflict is gone.

@dolho

dolho commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

/review Report — automated structural review

Branch: feature/planning-docs-cso-reportdev (diffed against merge-base)
Files: 4 (+511/−1) · Scope: see note · Type: docs

Docs-only PR, so the usual code checks (SQL/concurrency/auth) are N/A. But one content issue dominates and I'd treat it as blocking until resolved.

Critical Findings (block merge)

[C1] Disclosure: publishing VERIFIED, unremediated security findings to a PUBLIC repo (Confidence: 8/10)
Files: docs/security-reports/cso-2026-06-21.{md,json}
Evidence: the report's own "Findings at a glance" lists 13 findings, all Status: VERIFIED, headed by:

F1 | CRIT | 9/10 | VERIFIED | Unauthenticated agent-server reachable by peer agents → cross-agent credential theft, RCE-as-peer, file tampering

with a copy-paste exploit in the JSON: curl http://agent-B:8000/api/credentials/read?paths=.env,.mcp.json returns a peer's plaintext secrets + MCP key. Plus 2 HIGH supply-chain and several MED/LOW, each with file:line and exploit/impact text.
Issue: this is a world-readable, search-indexed repo. Merging a verified, apparently-open CRITICAL (+HIGHs) with reproduction steps hands an attacker a precise target list against every deployment before the fixes land. The report header even notes "Repo posture: PUBLIC" — secrets were scrubbed, but the verified-open vuln map was not.
Fix (pick one before public merge):

  1. Hold this report in a private location (e.g. trinity-enterprise / a private security tracker) until F1–F3 are remediated; publish only a post-fix, redacted summary publicly; or
  2. Confirm F1/F2/F3 are already fixed on dev and annotate each finding REMEDIATED (#PR) before merging.
    Note: F1 looks like it may already be (partly) addressed by the security: agent-server HTTP API is unauthenticated on the shared agent network (cross-agent credential theft) #1159 per-agent agent-auth token work — the report (dated 2026-06-21, branch main) doesn't mention it. Reconcile against security: agent-server HTTP API is unauthenticated on the shared agent network (cross-agent credential theft) #1159 so you're not publishing a stale "open CRITICAL." (This also aligns with the spirit of trinity-enterprise#45 — keep sensitive material out of public docs.)

Informational Findings

[I1] Scope: voip-telephony.md edit overlaps PR #1301 (Confidence: 7/10)
File: docs/memory/feature-flows/voip-telephony.md (2 lines here)
Both this PR and #1301 modify the same file. They'll need a merge-order decision (likely textual conflict). Consider rebasing one onto the other or dropping the overlap from one PR.

docs/planning/TARGET_ARCHITECTURE.md (+18) reviewed — planning prose, no sensitive disclosure, clean.

Summary

Automated /review. The CRITICAL here is a disclosure/process gate, not a code defect.

…stale voip hunk

Two review-driven fixes ahead of the v0.7.0 cut:

- Annotate the CSO posture report (.md + .json) with post-audit remediation
  status. The report audited `main` pre-cut and listed F1/F2/F3 as open
  VERIFIED findings; they are already remediated on `dev` and ship in v0.7.0:
    - F1 (unauth agent-server) -> #1159 X-Trinity-Agent-Token middleware
    - F2 (fastmcp -> hono/undici) -> #1255, #1289; fastmcp ^4.3.0
    - F3 (form-data CRLF via axios) -> #1254
    - F4/F5/F8 exploit path closed by #1159 (auth gate)
  Adds a top-of-report banner, per-row status tags, per-finding notes, and a
  machine-readable `remediation_status` block in the JSON. Avoids publishing a
  stale "open CRITICAL + exploit" to a PUBLIC repo without its fix context.

- Drop the voip-telephony.md reword: it is superseded by already-merged #1301,
  which made the identical `#1039` -> `LOG_*` change on `dev`. Restoring to
  merge-base removes the redundant/conflicting hunk from this PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@dolho dolho merged commit 6515d40 into dev Jun 23, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants