Skip to content

fix: restore task #0040 and renumber review follow-up to #0042#45

Merged
fazxes merged 1 commit intomainfrom
fix/restore-task-0040
Apr 5, 2026
Merged

fix: restore task #0040 and renumber review follow-up to #0042#45
fazxes merged 1 commit intomainfrom
fix/restore-task-0040

Conversation

@fazxes
Copy link
Copy Markdown
Member

@fazxes fazxes commented Apr 5, 2026

Summary

Test plan

  • Docs-only change, no code modifications
  • Verified 0040.md content matches original

@fazxes
fix: restore task #40 (CONTRIBUTING.md) and renumber review follow-up…
b7ea2fd 
… to #42

Task #40 was accidentally overwritten by PR #44. Restored original
CONTRIBUTING.md task content and moved the AGENT_DEFAULT_MODELS sync
test task to #42.
@fazxes fazxes merged commit 2de4be2 into main Apr 5, 2026
2 checks passed
@fazxes fazxes deleted the fix/restore-task-0040 branch April 5, 2026 03:18
fazxes added a commit that referenced this pull request Apr 5, 2026
@fazxes
fix: resolve merge conflict in task numbering
9230cbd 
Upstream had task #43 (CONTRIBUTING.md). Renumber:
- #43: CONTRIBUTING.md (from upstream)
- #44: ParsedHandoff TypedDict (review follow-up)
- #45: Shell injection fix in cleanup functions (review follow-up)
This was referenced Apr 6, 2026
Merged
Merged
fazxes added a commit that referenced this pull request Apr 6, 2026
@fazxes
overseer: fix ALERT_CONTENT pentest-tag bypass + urgent task for Code…
aa533b3 
…x false-green

Pentest findings (session #86):

Finding 2 (CONFIRMED, FIXED):
  ALERT_CONTENT in daemon.sh was sanitized for </prompt_alert> but not
  </pentest_data>. A diff of daemon.sh appearing in the alert file (e.g.
  from a pentest-agent modification that touched the pentest_data wrapper
  lines) would contain the literal closing tag, breaking the XML boundary
  in the next builder prompt. Added a second sed -e expression to strip
  </pentest_data> to [/pentest_data], matching the existing PENTEST_REPORT
  sanitization at line 238.

Finding 1 (CONFIRMED, TASK CREATED -- #169, urgent):
  extract_result_summary only parses Claude's {"type":"result"} JSONL events.
  Codex emits {"type":"item.completed","item":{"type":"agent_message",...}}.
  PENTEST_AGENT defaults to $AGENT, so Codex daemon runs always produce an
  empty PENTEST_REPORT (false-green). Task #169 is urgent and describes
  the fix + required test coverage.

Task priority upgrades (3 security/reliability issues mislabeled low):
  #45 low->normal: shell injection pattern in cleanup_old_logs/cleanup_orphan_branches
  #84 low->normal: path traversal guard missing in readiness.py file reads
  #85 low->normal: latent IndexError crash in readiness display formatting
fazxes added a commit that referenced this pull request Apr 7, 2026
@fazxes
fix: eliminate all python3 -c shell injection in lib-agent.sh + CODEX…
ecb5ad7 
…_THINKING validation

Pentest-2026-04-06 fix-now: two confirmed findings fixed in one comprehensive pass.

1. Five functions (cleanup_old_logs, cleanup_orphan_branches, run_evaluation,
   should_evaluate, notify_human) interpolated $log_dir, $REPO_DIR, ${REPO_DIR:-.},
   or $agent directly into python3 -c "..." strings. Converted all five to the
   established heredoc+sys.argv / env-var pattern matching cleanup_healer_log.
   Closes task #45. (pentest fix-now)

2. NIGHTSHIFT_CODEX_THINKING is validated against ^[a-z_]+$ at startup immediately
   after it is set. A double-quote in the value would break the shell string in
   'codex exec -c "reasoning_effort=\"$CODEX_THINKING\""' and produce an opaque
   failure. Invalid values now fail fast with a clear error. Closes task #189.
   (pentest fix-now)

All 1121 tests pass. bash -n clean. validate-docs clean.
@fazxes fazxes mentioned this pull request Apr 7, 2026
Merged
fazxes added a commit that referenced this pull request Apr 7, 2026
@fazxes
Merge pull request #176 from Recusive/fix/pentest-python3-c-injection…
a31c614 
…-codex-thinking-0045-0100

fix: eliminate python3 -c shell injection + CODEX_THINKING validation (#45 #189)
fazxes added a commit that referenced this pull request Apr 7, 2026
@fazxes
fix: eliminate shell-var interpolation in daemon SESSION_COST python3…
096f41d 
… -c blocks (#183)

Three daemons (daemon.sh, daemon-review.sh, daemon-overseer.sh) each
interpolated shell variables directly into python3 -c strings in their
SESSION_COST, CUMULATIVE, and OVER_BUDGET blocks.  A file path containing
a single-quote (or a poisoned NIGHTSHIFT_BUDGET value) could corrupt the
Python source string silently.

Fix pattern (matching lib-agent.sh convention from task #45):
- All shell vars passed via prefixed env vars (_NS_*) read by os.environ
- OVER_BUDGET float comparison moved to awk -v to remove python3 entirely

Affected vars: $PENTEST_LOG_FILE, $LOG_FILE, $COST_FILE, $SESSION_ID,
$AGENT, $PENTEST_AGENT (SESSION_COST); $COST_FILE (CUMULATIVE);
$CUMULATIVE/$BUDGET (OVER_BUDGET).  11 unsafe interpolations fixed total.

Fixes task #183 (expanded scope to cover full 376-428 range + deprecated
daemons, not just $PENTEST_AGENT/$AGENT as originally scoped).
@fazxes fazxes mentioned this pull request Apr 7, 2026
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fazxes