chore: promote staging to main — security audit hardening #72

Merged: himerus merged 7 commits into main from staging on Mar 17, 2026
@himerus himerus commented Mar 16, 2026

Staging → Main Promotion

What's included

Deep antagonistic audit (PR #70) — 16 fixes across security, correctness, staleness, and test quality.

Security (critical)

  • audit_library outputPath arbitrary file write → FilePathSchema + path containment
  • audit-report.ts path traversal fix
  • mixin-resolver.ts + source-accessibility.ts path containment for CEM-derived reads

Correctness

  • TagNameSchema regex, config.ts circular override, TAG_NAME_ALLOWLIST_REGEX case flag
  • health.ts bare catch error swallowing, event-architecture.ts score >100 rounding
  • tokens.ts flattenNode stack overflow depth limit, missing tools/library.js barrel export

Staleness

  • cdn.ts deprecated loadCdnCem → loadLibrary, MCP server version 0.1.0 → 0.4.0
  • Error messages + CLI init → helixir.mcp.json

Test quality

  • Removed conditional guards silently skipping assertions
  • Tightened loose averageScore assertion

Verification

🤖 Generated with Claude Code

himerus and others added 7 commits March 16, 2026 18:08
…s fixes

Security (critical):
- audit_library outputPath had zero validation, enabling arbitrary file writes
- audit-report.ts now enforces path containment within projectRoot

Correctness:
- TagNameSchema regex allowed invalid custom elements without hyphens for
  prefixes lacking a trailing hyphen (e.g. "hx" accepted "hxfoo")
- config.ts: config file could override projectRoot (circular dependency)
- health.ts: TAG_NAME_ALLOWLIST_REGEX /i flag contradicted lowercase-only docs
- health.ts: two legacy fallback bare catches swallowed EACCES errors
  (readLatestHistoryFile + getHealthTrend) — now check ENOENT specifically
- event-architecture.ts: rounding could produce scores > 100, added clamp
- tokens.ts: flattenNode had no depth limit (stack overflow on deep input)
- Missing tools/library.js barrel export in packages/core/src/index.ts

Staleness:
- cdn.ts called deprecated loadCdnCem() → loadLibrary()
- MCP server version hardcoded as '0.1.0' → '0.4.0'
- MCP error messages referenced deprecated mcpwc.config.json → helixir.mcp.json
- CLI init wizard wrote deprecated mcpwc.config.json → helixir.mcp.json

All verification gates pass: build, type-check, lint (0 errors),
60 test files / 1509 tests passed / 0 failures.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove conditional `if (trend.dimensionTrends)` guards that silently
  skipped assertions when the feature was broken — now assert defined first
- Tighten averageScore assertion from "between 0 and 100" to toBeCloseTo(50)
  for a test that mixes 100 + 0 scores
- Rename misleading "grade calculation" describe block in dispatcher tests
  to "grade passthrough" — the test injects grades via mock, it doesn't
  verify grade computation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
mixin-resolver.ts and source-accessibility.ts resolve file paths from
CEM module/superclass/mixin declarations without verifying the resolved
path stays within projectRoot. A crafted CEM (e.g. via CDN load_library)
could specify paths like "../../../../etc/passwd" to exfiltrate file
contents through tool responses.

Both files now check candidate paths against projectRoot + sep before
reading, rejecting any path that escapes the project boundary.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…-audit-full-system-bug

Deep antagonistic audit: full-system bug fix and architectural hardening sweep
chore: promote dev to staging — audit hardening
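
The containment check described in the commit messages above (candidate path compared against projectRoot + sep before reading), as an added TypeScript example. It is not helixir's own code; `containedPath`, `prefixOnlyCheck`, `ROOT` and the sample paths are constructed for illustration.

```typescript
import { resolve, sep } from "node:path";

// Hypothetical helper, not helixir's code: resolve an untrusted path taken
// from a manifest against projectRoot and return the absolute path only when
// it stays inside the root. Returns null for anything that escapes.
export function containedPath(projectRoot: string, untrusted: string): string | null {
  const root = resolve(projectRoot);
  const candidate = resolve(root, untrusted); // collapses "..", honours absolute input
  // Compare against root + sep, not root alone: a bare prefix test would let a
  // sibling directory such as "<root>-backup" through.
  return candidate.startsWith(root + sep) ? candidate : null;
}

// The weaker prefix-only test, kept for comparison.
export function prefixOnlyCheck(projectRoot: string, untrusted: string): boolean {
  const root = resolve(projectRoot);
  return resolve(root, untrusted).startsWith(root);
}

// Constructed sample inputs standing in for CEM module paths.
export const ROOT = resolve(sep, "srv", "project");
export const SAMPLES: string[] = [
  "src/components/button.ts",
  "./src/../src/mixins/focus.ts",
  "../../../../etc/passwd",
  "../project-backup/secrets.ts",
  "/etc/passwd",
];

// One row per sample: does it pass the strict check, and the prefix-only one?
export function report(): { input: string; contained: boolean; prefixOnly: boolean }[] {
  return SAMPLES.map((input) => ({
    input,
    contained: containedPath(ROOT, input) !== null,
    prefixOnly: prefixOnlyCheck(ROOT, input),
  }));
}

console.table(report());
```

This check is purely lexical and does not follow symlinks; where the project tree may contain symlinks that point outside the root, resolve the candidate with `fs.realpath` before comparing.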
coderabbitai Bot commented Mar 16, 2026

Important

Review skipped

Ignore keyword(s) in the title.

⛔ Ignored keywords (4)
  • AUDIT
  • audit
  • Deep Audit
  • deep-audit

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a0996a2f-0dab-45eb-9d14-87626d3aa38f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@himerus himerus added the skip-changeset Skip changeset requirement (infra/CI PRs) label Mar 17, 2026
@himerus himerus closed this Mar 17, 2026
@himerus himerus reopened this Mar 17, 2026
@himerus himerus merged commit e7eae41 into main Mar 17, 2026
23 of 25 checks passed