security: pre-release red/green/purple hardening (1 CRIT + 8 HIGH closed)#27
Merged
…esearch + procedure)
…from untrusted project config - inert filter was a 3-prefix denylist; a hostile cloned repo .clx/config.yaml could still set layer1_enabled/default_decision/auto_allow_reads/prompt_sensitivity/trust_mode/layer1_timeout_ms/user_learning.* to neuter the validator with zero user interaction - now drops the whole validator.* and user_learning.* subtrees for untrusted configs; hash-trusted path unchanged; closes B4-1/B4-2/R1-NEW-2
…t hosts - azure.rs no longer embeds the raw HTTP response body in LlmError; build_error_summary redacts then bounds it (status + x-request-id) - redact_secrets now scrubs *.openai.azure.com / .azure-api.net / .cognitiveservices.azure.com tenant+endpoint hosts (no over-redaction) - redact at the tracing warn sink and the health CLI prints; closes the prior-leak tenant-URL class
- is_overbroad_allow_pattern: an allow pattern that reduces to only wildcards (*, **, Bash(*), ...) matches arbitrary commands - load_learned_rules skips+WARNs such rows (defense-in-depth at the L0 load boundary); clx_rules MCP add rejects them before persisting - deny rules unrestricted; scoped allows (Bash(git status)) unaffected
…en MCP cred mask - apply_env_overrides emits a loud WARN when CLX_VALIDATOR_* weakens the validator; new Config::security_env_overrides_active() exposes the list for hook audit logging (no cross-crate coupling) - MCP clx_credentials mask is now [REDACTED:<bracket>] with no head/tail plaintext and only a coarse length bucket (was 6 plaintext chars + exact len)
…ovenance) - CI + release: cargo audit (RustSec) + cargo deny (advisories/licenses/sources/bans) as blocking gates; committed deny.toml with documented ignores for the 5 unmaintained transitive advisories (serde_yml unsound tracked) and the permissive NCSA/CDLA licenses - release: CycloneDX SBOM + actions/attest-build-provenance (keyless Sigstore); binary code-signing/notarization remains a documented gap
…cumented in register)
blackaxgit added a commit that referenced this pull request on May 19, 2026:
0.8.0 -> 0.8.1. Ships the red/green/purple CRIT+HIGH fixes (PR #27). Auto-Tag -> v0.8.1 -> release.yml (arm64 + cargo-audit/deny + SBOM + provenance + Homebrew).
Pre-release Red / Green / Purple security hardening

Authorized defensive pre-release assessment of CLX's own codebase, run RED → GREEN → PURPLE with orchestrator gates. Full procedure + artifacts in specs/2026-05-19-rgp-*.md.

RED — confirmed, release-blocking
- .clx/config.yaml could neuter the validator with zero interaction (3-prefix denylist gap)
- * / Bash(*) learned or MCP-added allow rule → L0 whitelist of every command
- CLX_VALIDATOR_* parent-env disable applied silently
- clx_credentials mask leaked 6 plaintext chars + exact length

GREEN — fixes (each with closing regression tests, all green)
- validator.* / user_learning.* subtrees for untrusted configs; hash-trusted path unchanged; benign auto_recall.* still merges.
- build_error_summary redacts-then-bounds Azure bodies; redact_secrets scrubs *.openai.azure.com / .azure-api.net / .cognitiveservices.azure.com; redaction at the warn + CLI sinks.
- is_overbroad_allow_pattern rejects wildcard-only allow patterns at both the learned-load and MCP-add boundaries.
- security_env_overrides_active() accessor; credential mask now [REDACTED:<bracket>] (no plaintext, coarse len).
- cargo audit + cargo deny (committed deny.toml, documented ignores) gate CI + release; CycloneDX SBOM + keyless build-provenance attestation.

PURPLE — independent verdict
SHIP — with 2 tracked pre-1.0 conditions (zero findings OPEN, no blocking list). Each release-blocking finding re-derived against the fixed source and confirmed neutralized; no GREEN-introduced regression or mitigation weakening; full sign-off in specs/2026-05-19-rgp-purple-signoff.md.

Tracked non-blocking follow-ons (file as 1.0-milestone):
- security_env_overrides_active() to a clx-hook audit-DB event (forensic defense-in-depth).
- environment: gate to update-homebrew.
- CVE) — tracked migration; deny.toml enumerates it and fails closed on any new advisory.

Gates
cargo nextest run --workspace: 1718 passed / 9 keychain-skipped / 0 failed · clippy -D warnings · fmt · cargo deny · cargo audit · workflow YAML — all clean. No #[ignore] un-gated.
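As an added illustration of the wildcard-only allow check described above (example code, not CLX's own is_overbroad_allow_pattern or load_learned_rules): the rule shape, the Decision enum and the Tool(args) wrapper syntax are assumptions for the example. Deny rows pass through untouched; only allow rows whose pattern reduces to wildcards are skipped and reported so the load boundary can WARN.

```rust
// Added example, not CLX project code. LearnedRule/Decision and the
// `Tool(args)` wrapper syntax are assumed shapes for illustration only.
#[derive(Debug, Clone, PartialEq)]
pub enum Decision {
    Allow,
    Deny,
}

#[derive(Debug, Clone)]
pub struct LearnedRule {
    pub pattern: String,
    pub decision: Decision,
}

/// Strip an optional `Tool(...)` wrapper and return the inner argument pattern:
/// `Bash(*)` -> `*`, `Bash(git status)` -> `git status`, `*` -> `*`.
fn inner_pattern(pattern: &str) -> &str {
    let p = pattern.trim();
    match (p.find('('), p.ends_with(')')) {
        (Some(open), true) if open > 0 => &p[open + 1..p.len() - 1],
        _ => p,
    }
}

/// True when the unwrapped pattern is nothing but `*` characters and
/// whitespace (or empty), i.e. an allow rule that would match every command.
pub fn is_overbroad_allow_pattern(pattern: &str) -> bool {
    inner_pattern(pattern)
        .chars()
        .all(|c| c == '*' || c.is_whitespace())
}

/// Load boundary: keep every deny row and every scoped allow; drop overbroad
/// allows and return a message per dropped row for the caller's WARN log.
pub fn load_learned_rules(rows: &[LearnedRule]) -> (Vec<LearnedRule>, Vec<String>) {
    let mut kept = Vec::new();
    let mut skipped = Vec::new();
    for r in rows {
        if r.decision == Decision::Allow && is_overbroad_allow_pattern(&r.pattern) {
            skipped.push(format!("skipping overbroad allow rule {:?}", r.pattern));
        } else {
            kept.push(r.clone());
        }
    }
    (kept, skipped)
}
```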