docs+agent: post-Dependabot-wave doc fixes (W1 FORM4_FETCH_SKIP + W3 literature-searcher injection guard)#226
Merged
Merged
Conversation
…literature-searcher prompt-injection guard) Output from the post-PR-#225 parallel dependency-auditor + security-reviewer spawn (2026-05-23, session 3) — actionable follow-ups from the 15-vuln Dependabot triage. 15-vuln triage outcome (no code change needed): - All 15 are next@14.2.35 SSR / middleware / Server-Actions / Image-optimization / API-route advisories → ALL route to issue #41 (Next 14→16 migration tracker) - Static-export exploitability = effectively zero (no SSR runtime, no middleware, no Server Actions, no Image endpoint, no API routes; Vercel CDN serves pre-built static HTML) - CVE baseline: 25 open (1C/8H/12M/4L) → 15 open (0C/6H/7M/2L) after PR #194's next 14.2.15→14.2.35 + postcss override closed 10 - 14 GHSA IDs confirmed; 1 (7th MODERATE) needs API confirmation when token access is restored — to be appended on issue #41 separately security-reviewer findings — 0 CRITICAL + 4 WARN; 2 land here, 2 deferred: - W1 (this PR) — FORM4_FETCH_SKIP=1 operational escape hatch was undocumented anywhere user-facing. Added §Gotchas entry in CLAUDE.md + §Security considerations entry in AGENTS.md describing the env var, where it's set (pre-merge-prod-sim.yml), and the safe default (absence = no skip) - W3 (this PR) — .claude/agents/literature-searcher.md Hard Constraints lacked an explicit untrusted-content guard against prompt injection in fetched papers / SEC HTML. Added a constraint that treats every WebFetch result as data to QUOTE + CITE, never to execute — handles "ignore previous instructions" / "fetch this other URL" / "modify your output" injection vectors - W2 deferred — compute-rankings.yml workflow-level contents:write is pre-existing + justified (commit-JSON step is the only writer); narrowing to job-scope is a future optimization - W4 deferred — log-bash.sh logs raw bash command (including inline env-var values) to gitignored .claude/session.log; severity low because file is gitignored + local-only; optional sed-scrub later Doc-only — no compute / schema / scoring / valuation / frontend / Python / TS code change. CLAUDE.md + AGENTS.md lockstep satisfied (both touched; §Phase status in-flight note added). https://claude.ai/code/session_01JwntEE4PNAXSMkZxRA9BB4
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
… date docs-reviewer verdict on PR #226 (commit 35942ea) was PASS-AS-IS with one optional clarity nit (CLAUDE.md §Phase status in-flight block, line 1447): before: "1 (the 7th MODERATE) needs Dependabot-alerts-API confirmation when token access is restored." after: "1 (the 7th MODERATE) — Dependabot-alerts-API confirmation pending (token access unavailable as of 2026-05-23)." §Conventions rule: replace future-tense for unfinished work with present-tense + date so the doc doesn't rot when the "when X happens" clause becomes irrelevant. No substance change. No new file touched. https://claude.ai/code/session_01JwntEE4PNAXSMkZxRA9BB4
This was referenced May 24, 2026
dackclup
added a commit
that referenced
this pull request
May 24, 2026
… ci-triage-engineer (#228) Surfaced by the post-PR-#225 live-fire of the three new sub-agents on 2026-05-23 (session 4). vercel-preview-auditor returned a clean WAIT verdict citing "Vercel MCP not reachable in subagent session" — a real infrastructure gap, not an agent prompt issue. ci-triage-engineer worked around the same gap by falling back to git history + the squash-merge commit body (correct fallback discipline) but hit GitHub API rate-limits on the unauthenticated fallback path. Root cause: the Claude Code sub-agent runtime does NOT auto-inherit MCP tools from the parent session. Each sub-agent is restricted to the tools listed explicitly in its `tools:` frontmatter field; MCP tools must be enumerated by full name `mcp__<server>__<tool>`. Two-part fix: (a) `.claude/agents/vercel-preview-auditor.md` — `tools:` frontmatter extended to list 7 Vercel MCP tools by their UUID-namespaced name (`mcp__0addee55-c9d7-44a2-b1b2-355b2d3fc4fd__*`): list_deployments / get_deployment / get_deployment_build_logs / get_runtime_logs / web_fetch_vercel_url / get_project / list_projects. Hard-constraint bullet added: "If Vercel MCP tools are NOT in your context, surface as WAIT (MCP access gap) and escalate to main; do NOT fabricate deployment status." The UUID is OAuth-connection-specific so a fresh clone by a different user would have a different UUID and the pinned frontmatter would silently fail to match — the escalation path keeps the agent useful in that scenario. (b) `.claude/agents/ci-triage-engineer.md` — `tools:` frontmatter extended to list 6 GitHub MCP tools (stable `mcp__github__*` namespace): pull_request_read / list_pull_requests / list_commits / get_commit / search_pull_requests / search_code. Hard-constraint bullet added: "If GitHub MCP unavailable, may fall back to local git history as primary evidence (squash-merge commit body, refs) — but must explicitly cite the access gap in the report; never fabricate check-run IDs or log URLs." Docs: - CLAUDE.md §Gotchas — new bullet documenting the sub-agent MCP inheritance limitation so future agent authors don't repeat the gap; lists the GitHub stable-namespace vs UUID-based connector distinction - CLAUDE.md §Phase status — in-flight entry for this PR + reworded 2 stale "in flight (this PR)" headers from PR #226 + PR #227 to "merged via PR #N" so the §Phase status tracker reflects post-merge state - AGENTS.md §Phase + version state — mirrored in-flight entry + same PR #227 stale-header reword Doc-only PR — no compute / schema / scoring / valuation / frontend / Python / TS production-code change. Tests unchanged. ruff trivially passes. https://claude.ai/code/session_01JwntEE4PNAXSMkZxRA9BB4 Co-authored-by: Claude <noreply@anthropic.com>
7 tasks
dackclup
added a commit
that referenced
this pull request
May 24, 2026
Closes the 2 remaining security-reviewer WARNs deferred from PR #226 (W1 + W3 shipped there; W2 + W4 bundled here as one focused security-hardening PR). Both fixes are operational hygiene with no compute / schema / production-code surface. W2 — .github/workflows/compute-rankings.yml workflow-perm narrowing --- The workflow-level `permissions: contents: write` was wider than needed — only the final `Commit JSON outputs` step inside the `compute:` job is a writer. Fix: - Workflow-level default narrowed to `contents: read` (least privilege baseline; any future job added to this file inherits read unless it explicitly opts up) - The `compute:` job explicitly opts up to `contents: write` so the `git commit + push` step still works Behavior unchanged for the compute job; only the default surface shrinks. YAML parse-verified clean. W4 — .claude/hooks/log-bash.sh inline-credential scrub --- Previously the hook appended the raw Bash command (including any inline env-var dereference like `EDGAR_USER_AGENT=foo python ...` or an `Authorization: Bearer <tok>` header) to gitignored `.claude/session.log`. Severity is LOW because the file is gitignored + local-only, but an accidental `cat .claude/session.log` during a screen-share or pasted into a gist could leak the credential. Fix: `sed` pre-filter redacts the value half of common secret-prefix tokens before appending; the prefix stays so the log is still readable for "which integration was being called" debugging. Covered prefixes: - GitHub: ghp_ / gho_ / ghu_ / ghs_ / ghr_ / github_pat_ - Anthropic: sk-ant-api* - OpenAI generic: sk-* - AWS: AKIA* / ASIA* - Google API: AIza* - Slack: xox[abprs]-* - Bare `Bearer <tok>` / `Authorization: Bearer <tok>` headers Manual scrub test: in: curl -H "Authorization: Bearer ghp_abcdef123...890" ... out: curl -H "Authorization: Bearer ghp_[REDACTED]" ... Fail-open discipline preserved — if `sed` errors (unlikely), the existing `|| true` falls back to the original command, never blocks the hook. Defense-in-depth: the gitignore remains the primary guard; this shrinks the blast radius of an accidental local leak. CLAUDE.md + AGENTS.md lockstep satisfied via §Phase status in-flight notes (no new §Gotchas — these are not invariants future code authors need to remember; they're hardening of existing surfaces). https://claude.ai/code/session_01JwntEE4PNAXSMkZxRA9BB4 Co-authored-by: Claude <noreply@anthropic.com>
This was referenced May 24, 2026
Merged
dackclup
added a commit
that referenced
this pull request
May 27, 2026
…AUDE.md (#271) Refactors a user-shared research report (Master Prompt + 6 phase sub-prompts + CLAUDE.md template) into the existing doc surface without creating a new .claude/skills/agentic-6-phase/ skill. The report's underlying logic is already implemented in the 18 subagents + CLAUDE.md §Auto-routing; what was genuinely missing was a 6-phase mapping table a new session can scan in < 30 sec on top of the 9 phases. Scope (2 substance files + 1 INFLIGHT entry): - WORKFLOW.md — new section "Agentic 6-Phase Cadence" between §"Tools You'll Use Daily" and §"Phase Overview". Mapping table (Step × Fire trigger × Subagent(s) × Done when) over Planning → Code Gen → Integration → Test → Deploy → Monitor + 5 cadence invariants. Reuses the 18 standing subagents — no new agent files. Session-start protocol cites schema 0.10.5-phase4.5e (PRs #264 + #265; cron #4 still at 0.10.4, next cron Wed 2026-05-27 re-renders at 0.10.5), defense layer 33 declared = 7 vetoes + 26 annotates, tag v1.3.0-phase4.5e, CVE baseline 15 open (0C / 6H / 7M / 2L) after PR #194 patch + PR #226 triage. - CLAUDE.md — new §Conventions bullet "Session-start phase identification" (~5 lines) pointing readers at PHASE_STATUS.md §"Current state" + WORKFLOW.md §"Agentic 6-Phase Cadence" using the standing 18 subagents. - PHASE_STATUS_INFLIGHT.md — new in-flight entry per PR #237 side-file lockstep convention. Out of scope (deliberately NOT done per user direction 2026-05-27): - NO .claude/skills/agentic-6-phase/ — overhead exceeds benefit - NO Master Prompt / phase sub-prompts copied into the repo - NO edits to any of the 18 subagent files under .claude/agents/ - NO AGENTS.md substance edit — the cadence is Claude-Code-subagent- specific; cross-tool agents would route differently. INFLIGHT entry satisfies §Conventions "ship with every PR" lockstep. docs-reviewer verdict (2026-05-27, agent id a2c87ed3679f55fe5): NEEDS-CROSS-REF-FIX — both items applied in this commit: 1. CVE attribution: "after PR #226 triage" → "after PR #194 patch + PR #226 triage" (PR #194 closed the 10 advisories; PR #226 documented the resulting state) 2. Step 4 fire-trigger col: "Sections A-J" → "Sections A-L" (Section L added by PR #221 OSAP proxy invariant; internal match with the same row's Done-when col) All else passes: 4 cited numbers, 18 agent names, 3 cross-refs, token budget (WORKFLOW ≤ 1 page, CLAUDE ≤ 5 lines), Rule 16 + Rule 18 no contradiction. Pre-existing SKILL.md schema-version table gap (rows for 0.10.5-phase4.5e PR #264 + valuation_output_anomalous rename PR #265 missing) escalated to schema-sentinel as separate doc-only PR per docs-reviewer recommendation — not blocking on this scope. Verification: - ruff check . — N/A (no Python) - python -m compute.output.schema_check — N/A (no schemas) - pytest tests/ -m "not network" — N/A (no test surface) - docs-reviewer subagent — PASS after the 2 fixes above Co-authored-by: Claude <noreply@anthropic.com>
Merged
4 tasks
dackclup
added a commit
that referenced
this pull request
Jun 2, 2026
…ditor injection guard (#381) Adds `<N` upper bounds on 5 previously-unbounded Python deps (numpy <3 · tenacity <10 · yfinance <2 · lxml <7 · pyarrow <25) to prevent surprise major-version Dependabot footguns. Adds untrusted-content prompt-injection guard to vercel-preview-auditor.md Hard Constraints (mirrors W3 pattern from literature-searcher.md PR #226). Doc + dep bounds only — no compute / schema / scoring / valuation / frontend code change.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Output from the post-PR-#225 parallel
dependency-auditor+security-reviewerspawn (2026-05-23, session 3) — actionablefollow-ups from the 15-vuln Dependabot triage that landed on
mainafter PR #225.
Dependabot 15-vuln triage outcome — no code change needed
All 15 alerts (6 High / 7 Moderate / 2 Low) are
next@14.2.35SSR / middleware / Server-Actions / Image-optimization / API-route
advisories. None have a 14.2.x backport. All 15 route to issue
#41 (Next 14→16 migration tracker).
Static-export exploitability is effectively zero per #41's own
original risk rating — QuantRank has no SSR runtime, no middleware,
no Server Actions, no
<Image>optimization endpoint, no APIroutes; Vercel CDN serves pre-built static HTML.
CVE baseline updates:
14 GHSA IDs confirmed by
dependency-auditor; 1 (the 7th MODERATE)needs Dependabot-alerts API confirmation when token access is
restored — to be appended on issue #41 separately, not in this PR.
Python side clean (
requests 2.33.1past 2.32.0 fix ·pyarrow ≥15.0past 14.0.1 critical ·
lxml ≥5.0past 5.2 fix). GitHub Actions allon current major (
checkout@v6/setup-node@v6/setup-python@v6/
cache@v5/github-script@v9/upload-artifact@v7). NPMoverridesforpostcss@8.5.15intact.security-reviewerfindings — 0 CRITICAL + 4 WARN2 land here as doc fixes; 2 deferred:
FORM4_FETCH_SKIP=1operational escape hatch wasundocumented anywhere user-facing. Added §Gotchas entry in CLAUDE.md
var, where it's set (
.github/workflows/pre-merge-prod-sim.yml),and the safe default behavior (absence = no skip).
.claude/agents/literature-searcher.mdHardConstraints lacked an explicit untrusted-content guard against
prompt injection in fetched papers / SEC HTML / arbitrary URLs.
Added a constraint bullet that treats every
WebFetchresult asdata to QUOTE and CITE, never to execute — handles the "ignore
previous instructions" / "fetch this other URL" / "modify your
output" injection vectors that academic-PDF + arbitrary-URL
retrieval surfaces.
compute-rankings.ymlworkflow-levelcontents: writeis pre-existing + justified (the commit-JSON stepis the only writer); narrowing to job-scope is a future
optimization, not a regression.
.claude/hooks/log-bash.shlogs raw bash command(including inline env-var values) to gitignored
.claude/session.log; severity low because file is gitignored +local-only; optional
sed-scrub follow-up if desired.Files touched
CLAUDE.mdAGENTS.md.claude/agents/literature-searcher.mdCLAUDE.md + AGENTS.md lockstep satisfied (per §Conventions "ship with
every PR"). Doc-only — no compute / schema / scoring / valuation /
frontend / Python / TS / dep change.
Test plan
git diff --statshows 3 files / 74 insertions onlyruff/schema_check/pytesttrivially unaffected by this PR
docs-reviewersonnet spawn on this diff (substance check)before flipping to Ready
Out of scope (follow-ups)
mcp__github__add_issue_commentaction, not bundled herealerts API access
https://claude.ai/code/session_01JwntEE4PNAXSMkZxRA9BB4
Generated by Claude Code