Claude/audit project improvements wm0w8#11
Merged
Audit of the upload + publish + MCP-serving paths found a critical chain:

- author.server.insertDraftPackage hardcoded author_handle="@admin" and author_verified=true for EVERY uploaded package, regardless of uploader.
- The UI bulkUploadPackages trusted a client-supplied `publish:true`, and the "packages author write" RLS policy is FOR ALL USING(author_id=uid) with no WITH CHECK and no column-level guard.

Since the browser uses the anon key, an authenticated user could bypass all server-fn gates with a direct PostgREST update setting is_published + review_status='approved' + author_verified=true, getting an arbitrary/malicious skill served by the MCP discovery tools to every connected agent as admin-verified and review-approved, with no adversarial testing.

Fixes:

- insertDraftPackage now always creates a private, unverified, draft package (author_verified=false, is_published=false, review_status=draft).
- New migration adds BEFORE INSERT/UPDATE triggers that revert any change to trust/visibility columns (author_verified, author_handle, review_status, reviewed_*, is_published, install_count, author_id) unless the caller is an admin; the author write policy gets a WITH CHECK; any published-but-unapproved drift is normalized.
- UI upload no longer offers an instant-publish toggle; publishing routes through submit-for-review + admin approval. Dead `publish` plumbing removed from the upload pipeline; admin import/meta-ads flows now publish via an explicit, authorized post-insert update.
- MCP instructions/tool copy corrected (they advertised publish:true which the code never honored).

https://claude.ai/code/session_01CV6zb1KBVoe3eBttyK9U4Z
Make "every published primitive is adversarially vetted" an enforced invariant rather than a convention an admin could skip.

- review.functions.setReviewStatus now blocks approval (422) unless the CURRENT version of the package has an adversarial run with zero high/critical failures, severity-weighted score >= 0.9 and pass rate >= 0.9.
- Defense-in-depth: a BEFORE UPDATE trigger (require_adversarial_pass) enforces the same bar at the database layer, so no path — server fn, admin tool, or direct service-role write — can flip a package to published/approved without a passing run on the live version. Trigger ordering means it composes correctly with the trust-column guard.
- Admin import / meta-ads "publish" now submits drafts into the gated review queue (review_status='pending') instead of auto-approving, so there is a single enforced publish chokepoint.

https://claude.ai/code/session_01CV6zb1KBVoe3eBttyK9U4Z
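The two commit messages above describe a weak RLS policy, a trust-column guard trigger and an adversarial-pass gate trigger without showing them. The following is an added example written for this page, not the project's migration: it reproduces the vulnerable policy beside its WITH CHECK form, a BEFORE INSERT/UPDATE trigger that reverts non-admin edits to the trust columns, and a BEFORE UPDATE trigger that refuses to publish or approve a row unless the current version has a passing run. The `packages` column names follow the commit text; `app_uid()`, `is_admin()`, the `adversarial_runs` table and its columns are assumptions made so the block runs on a plain Postgres instance.

```sql
-- Added example, not the project's migration: a minimal Postgres schema that
-- reproduces the weak policy and the two BEFORE triggers the commits describe.
-- Column names follow the commit message; app_uid(), is_admin(), the
-- adversarial_runs table and its columns are assumptions for this illustration.

create table packages (
  id              uuid primary key default gen_random_uuid(),
  author_id       uuid not null,
  author_handle   text not null default '',
  author_verified boolean not null default false,
  is_published    boolean not null default false,
  review_status   text not null default 'draft'
                  check (review_status in ('draft', 'pending', 'approved', 'rejected')),
  install_count   integer not null default 0,
  current_version text not null
);

-- Assumed shape of one adversarial-test result for one package version.
create table adversarial_runs (
  package_id      uuid not null references packages (id),
  version         text not null,
  high_crit_fails integer not null,
  weighted_score  numeric not null,
  pass_rate       numeric not null
);

-- Stand-ins for auth.uid() and an admin check so the block runs outside Supabase;
-- both read session settings (set app.uid = '<uuid>'; set app.is_admin = 'on').
create function app_uid() returns uuid language sql stable as $$
  select nullif(current_setting('app.uid', true), '')::uuid $$;
create function is_admin() returns boolean language sql stable as $$
  select coalesce(current_setting('app.is_admin', true), 'off') = 'on' $$;

alter table packages enable row level security;

-- Before: USING only. An author may UPDATE any of their rows to any values,
-- trust columns included, straight through PostgREST with the anon key:
--   create policy "packages author write" on packages
--     for all using (author_id = app_uid());
-- After: WITH CHECK also constrains the row as written on INSERT and UPDATE.
create policy "packages author write" on packages
  for all using (author_id = app_uid()) with check (author_id = app_uid());

-- Trigger 1: a non-admin caller cannot touch trust or visibility columns.
-- Inserts are forced to a private, unverified draft; updates keep OLD values.
create function guard_trust_columns() returns trigger language plpgsql as $$
begin
  if is_admin() then return new; end if;
  if tg_op = 'INSERT' then
    new.author_verified := false;
    new.is_published    := false;
    new.review_status   := 'draft';
    new.install_count   := 0;
  else
    new.author_id       := old.author_id;
    new.author_handle   := old.author_handle;
    new.author_verified := old.author_verified;
    new.review_status   := old.review_status;
    new.is_published    := old.is_published;
    new.install_count   := old.install_count;
  end if;
  return new;
end $$;

-- Trigger 2: nothing can flip a row to published/approved unless the CURRENT
-- version has a run with no high/critical failures, score >= 0.9, pass >= 0.9.
-- It fires for admins and service-role writes too; there is no bypass flag.
create function require_adversarial_pass() returns trigger language plpgsql as $$
begin
  if (new.is_published and not old.is_published)
     or (new.review_status = 'approved' and old.review_status <> 'approved') then
    if not exists (
         select 1 from adversarial_runs r
          where r.package_id = new.id and r.version = new.current_version
            and r.high_crit_fails = 0 and r.weighted_score >= 0.9 and r.pass_rate >= 0.9) then
      raise exception 'package % v% has no passing adversarial run on the live version',
        new.id, new.current_version using errcode = 'check_violation';
    end if;
    -- Reject the drift the migration had to clean up: published implies approved.
    if new.is_published and new.review_status <> 'approved' then
      raise exception 'published package must be approved' using errcode = 'check_violation';
    end if;
  end if;
  return new;
end $$;

-- Postgres fires BEFORE ROW triggers for the same event in alphabetical order
-- by trigger name, so the a_/b_ prefixes guarantee the trust guard has already
-- reverted non-admin edits before the adversarial gate inspects NEW.
create trigger a_guard_trust_columns
  before insert or update on packages
  for each row execute function guard_trust_columns();
create trigger b_require_adversarial_pass
  before update on packages
  for each row execute function require_adversarial_pass();
```

With `app.is_admin` unset, an INSERT that supplies `author_handle='@admin', author_verified=true, is_published=true, review_status='approved'` lands as a private unverified draft, and a later UPDATE from the same session that tries to set those columns leaves the row unchanged. With `app.is_admin` set to `on`, an UPDATE to `review_status='approved'` raises `check_violation` until a row in `adversarial_runs` for that package's `current_version` meets the bar; a run recorded against an older version does not count. The submit-for-review transition (draft to pending) is assumed here to run under the admin path, since the commit reverts every non-admin change to `review_status`; that assumption is not stated on the page.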
Resolved package.json by taking the superset:

- keep validate:content with --experimental-strip-types (the prompt-injection guard gate added in PR#8 needs the TS loader); PR#7's audit-skills.mjs also uses --experimental-strip-types so this is consistent
- keep audit:skills (PR#7's malicious-function / injection gate)
- test:plain keeps tests/trust-attestation.test.mjs
- test:ts is the union: adds tests/audit-skills.test.mjs alongside the trust/guard suites

CI workflow auto-merged: it now runs both validate:content and audit:skills on content/security PRs. The two security gates are complementary — validate:content enforces schema + injection on contributed packages; audit:skills adds malicious-function / exfiltration heuristics. Both reuse the production inspectContent guard so detection stays in sync.
What does this PR add?

Type

Checklist (for content PRs)
- slug and the type's folder
- bun run validate:content passes locally

Notes for reviewers