Conversation
…s fixes Security (critical): - audit_library outputPath had zero validation, enabling arbitrary file writes - audit-report.ts now enforces path containment within projectRoot Correctness: - TagNameSchema regex allowed invalid custom elements without hyphens for prefixes lacking a trailing hyphen (e.g. "hx" accepted "hxfoo") - config.ts: config file could override projectRoot (circular dependency) - health.ts: TAG_NAME_ALLOWLIST_REGEX /i flag contradicted lowercase-only docs - health.ts: two legacy fallback bare catches swallowed EACCES errors (readLatestHistoryFile + getHealthTrend) — now check ENOENT specifically - event-architecture.ts: rounding could produce scores > 100, added clamp - tokens.ts: flattenNode had no depth limit (stack overflow on deep input) - Missing tools/library.js barrel export in packages/core/src/index.ts Staleness: - cdn.ts called deprecated loadCdnCem() → loadLibrary() - MCP server version hardcoded as '0.1.0' → '0.4.0' - MCP error messages referenced deprecated mcpwc.config.json → helixir.mcp.json - CLI init wizard wrote deprecated mcpwc.config.json → helixir.mcp.json All verification gates pass: build, type-check, lint (0 errors), 60 test files / 1509 tests passed / 0 failures. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove conditional `if (trend.dimensionTrends)` guards that silently skipped assertions when the feature was broken — now assert defined first - Tighten averageScore assertion from "between 0 and 100" to toBeCloseTo(50) for a test that mixes 100 + 0 scores - Rename misleading "grade calculation" describe block in dispatcher tests to "grade passthrough" — the test injects grades via mock, it doesn't verify grade computation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
mixin-resolver.ts and source-accessibility.ts resolve file paths from CEM module/superclass/mixin declarations without verifying the resolved path stays within projectRoot. A crafted CEM (e.g. via CDN load_library) could specify paths like "../../../../etc/passwd" to exfiltrate file contents through tool responses. Both files now check candidate paths against projectRoot + sep before reading, rejecting any path that escapes the project boundary. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…-audit-full-system-bug Deep antagonistic audit: full-system bug fix and architectural hardening sweep
|
Important Review skippedIgnore keyword(s) in the title. ⛔ Ignored keywords (4)
Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
📝 Coding Plan
Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Dev → Staging Promotion
Promotes the deep antagonistic audit (PR #70) and version bump to staging.
Commits
e2e67b2Merge PR Deep antagonistic audit: full-system bug fix and architectural hardening sweep #70 — deep antagonistic auditc57a7acfix(security): add path containment to CEM-derived file reads992c3dffix(tests): harden false-positive test assertions64d4094fix: 13 security, correctness, and staleness fixes583a71fchore: version packages7696021ci: trigger workflow runKey fixes included
🤖 Generated with Claude Code