Skip to content

feat: security pattern whitelist for output filters #443

Closed
#452
Closed
feat: security pattern whitelist for output filters#443
#452
Labels
securitySecurity-related issuetoolsTool execution and MCP integration
@bug-ops

Description

@bug-ops
bug-ops
opened on Feb 17, 2026

Parent

Epic #426, Plan: .local/plan/m26.1-output-filtering-improvements.md
Priority: P0 (security critical)

Problem

Aggressive filtering can hide security-critical warnings (e.g., unused Result on decrypt_password, panic traces, SQL injection patterns).

Design

SecurityPatterns struct with compiled regex list covering 6 categories:

  1. Rust compiler warnings (unused Result, panic at, unwrap())
  2. Unsafe code (unsafe code, FFI, raw pointer)
  3. Auth (authentication failed, unauthorized, 401/403)
  4. Crypto (weak cipher, deprecated algorithm, MD5, SHA-1)
  5. SQL/Injection (SQL injection, unsafe query)
  6. Dependencies (RUSTSEC-, security advisory)

All filters call security whitelist before returning. Appends preserved lines with visual separator. User-defined patterns via config (additive).

Acceptance Criteria

  • SecurityPatterns struct with regex list
  • extract_security_lines() method
  • Core patterns cover all 6 categories (18+ patterns)
  • All filters call security whitelist
  • Config for user-defined patterns
  • Unit tests for each category
  • Integration test: filter + security warning preservation
  • Performance: <10us for 100KB input

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity-related issuetoolsTool execution and MCP integration

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions