Finding 1 (CI workflow files unguarded): .github/workflows/ci.yml and notify-orbitweb.yml were absent from PROMPT_GUARD_FILES. An agent PR could remove mypy, silence lint, or exfiltrate the ORBITWEB_PAT via a modified notify workflow. Fixed by adding both files to PROMPT_GUARD_FILES and .github/workflows to PROMPT_GUARD_DIRS (catches future new workflow files too).

Finding 2 (FEATURE/PR_URL pipe injection): FEATURE and PR_URL were injected into the session index markdown table without stripping pipe chars. A pipe in the agent's Built:/PR: output would create extra cells, causing parse_session_index to silently drop the row, undercounting consecutive roles and corrupting role selection. Fixed by tr -d '|' on both values before injection, matching the existing sanitization applied to PR_TITLE/PR_BRANCH.

Watch finding (#3 in pentest): already tracked as task #157.
…TURE/PR_URL
- Add comment at daemon.sh early-exit path clarifying FEATURE is always unset at that point (safe, but fragile if code order changes)
- Expand tr -d to strip newlines as well as pipes from FEATURE and PR_URL (multiline Built:/PR: values would also corrupt the session index)
- Create tasks #158 and #159 for remaining advisory notes: dynamic workflow guard expansion, PROMPT_GUARD_DIRS non-recursive doc
Summary
`.github/workflows/ci.yml` and `notify-orbitweb.yml` were absent from `PROMPT_GUARD_FILES`. An agent PR could modify these to strip lint/mypy enforcement or exfiltrate `ORBITWEB_PAT`. Fixed: added both files to `PROMPT_GUARD_FILES`; added `.github/workflows` to `PROMPT_GUARD_DIRS` to catch future new workflow files.

`FEATURE` and `PR_URL` extracted from agent log output were injected into the session index markdown table without stripping `|`. Extra pipe chars create extra table cells, causing `parse_session_index` to silently drop the row and corrupt role-selection counters (`count_consecutive_role`, `count_sessions_since_role`). Fixed: `tr -d '|'` on both values before injection, matching existing `PR_TITLE`/`PR_BRANCH` sanitization.

`docs/prompt/feedback/` are undetected by the guard snapshot. Already tracked as task "fix: permanently deploy pentest fixes via all-PR strategy (4th attempt)" #157 — no new task needed.

Test plan
- `make check` passes
- `PROMPT_GUARD_FILES` contains both `.github/workflows/*.yml` paths in `lib-agent.sh`
- `PROMPT_GUARD_DIRS` contains `.github/workflows` in `lib-agent.sh`
- `tr -d '|'` applied to `FEATURE` and `PR_URL` in `daemon.sh` before index write
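As an added example (not code from this project), a POSIX shell sketch of the pipe injection described in the summary and the `tr -d` sanitization that fixes it, with a stand-in parser that drops malformed rows the way `parse_session_index` does. The three-column layout, the function names and the sample values are assumptions; stripping newlines alongside pipes is the expansion proposed in the review comment.

```shell
#!/bin/sh
# Added example, not the project's own code. Demonstrates why an unsanitized
# FEATURE/PR_URL value breaks a markdown table and how stripping pipes (and
# newlines) prevents it. Assumed, hypothetical index layout: | role | feature | pr |

# Remove pipes, newlines and carriage returns so a value cannot add cells or
# rows. The page's fix is `tr -d '|'`; newline stripping is the proposed extension.
sanitize_cell() {
    printf '%s' "$1" | tr -d '|\n\r'
}

# Row as it was written before the fix: values go in untouched.
unsafe_row() {
    printf '| %s | %s | %s |\n' "$1" "$2" "$3"
}

# Fixed row: the feature and PR values pass through sanitize_cell first.
safe_row() {
    printf '| %s | %s | %s |\n' "$1" "$(sanitize_cell "$2")" "$(sanitize_cell "$3")"
}

# Number of cells in one markdown table row (fields between the outer pipes).
cell_count() {
    printf '%s\n' "$1" | awk -F'|' '{ print NF - 2 }'
}

# Stand-in for parse_session_index: read rows from stdin, keep only the
# well-formed ones (exactly 3 cells) and report how many survived. A row with
# an injected pipe is silently dropped, which is the undercount the PR fixes.
count_valid_rows() {
    valid=0
    while IFS= read -r line; do
        if [ "$(cell_count "$line")" -eq 3 ]; then
            valid=$((valid + 1))
        fi
    done
    printf '%s\n' "$valid"
}
```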