fix: remediate all 56 adversarial-audit findings (2026-07-08)#127
Merged
Conversation
…se audit Fixes every CONFIRMED/PLAUSIBLE finding from docs/audits/codebase-audit-2026-07-08.md (committed alongside): 14 high, 26 medium, 16 low, IDs cited per-change in the PR. Highlights: --rollback backup now covers everything cleanOldConfig wipes (H7); code-intel engine swaps propagate past the first install and both MCP surfaces agree (H8/H9); handoffs are project-scoped with auto-populated content (H10/H11); statusline git spawns are all timeout-bounded (H6); SECURITY.md now states the fingerprint's true scope and audit:hooks scans env+mcpServers too (H12); reviewer/security-reviewer lost their diff-blinding worktree isolation (H3/H4); maestro/oracle/qa/deslopper tool grants match their documented workflows (H2/H13/H14/M2); one shared redactSecrets supersedes three divergent pattern sets (M23); shared slug regex across all schemas (M12); doc tables re-synced to reality across MANUAL, README, hooks-reference, agent-models, frontmatter-reference (H1/H5/M3-M6/M24/L2/L3). Deferred by design (documented in the report): the provenance-manifest merge redesign (tension T1), fingerprint scope extension (T2), and upstream-scanner live fetch (M13) — docs now state actual behavior.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this does
Fixes everything the 2026-07-08 adversarial codebase audit found — the failed-install data-loss trap, the engine switch that silently never applied, handoffs that saved empty stubs and bled across projects, and ~40 smaller correctness, security-honesty, and doc-drift defects. The full audit report ships in this PR (
docs/audits/codebase-audit-2026-07-08.md) with a stable ID per finding; every change below cites its ID.Summary
Installer/merge — H7:
--rollbackbackup now snapshots every directorycleanOldConfigwipes. H8/H9:CC_CODE_INTEL_ENGINEchanges now propagate on re-install (stale cc-settings output no longer masquerades as a user edit) and settings.json + ~/.claude.json get the same tldr definition. M10/L8: light-tier strip is per-command with canonicalKey identity. M9: array-default merge gap documented as a known limitation.Hooks — H6: all statusline git spawns timeout-bounded. M7: pre-edit-validate header matches its Edit-only wiring (Write inputs lack
old_string; wiring it would break new-file creation). M8/L4/L5/L6: threshold text derived from the env var, correct session-id fallback, schema-validated cache reads, most-recent-20 file cap.Scripts — H10: hook-driven handoffs auto-populate branch/files/commits and are marked
source: auto; skill doc now states auto-vs-manual content. H11: handoff store project-scoped with legacy-path fallback (plus session-start cleanup and post-compact lookup updated to the new layout). M17/M18/M20/L11/L12/L13: regex, exit-code, gate-output-capture, and listing-resilience fixes.Security — H12: SECURITY.md states the fingerprint's true scope (hooks block only) and
audit:hooksnow also scansenvandmcpServersagainst the suspicious patterns. M21/M22: deny rules added forgit push --force/git branch -Dand Edit/MultiEdit on settings.json. M19/M23: one canonicalsrc/lib/redact.ts(superset patterns) replaces three divergent redactors; falsy-zero parseInt fixed.Definitions — H2/H13/H14/M2: maestro, oracle, qa, deslopper can now execute their own documented workflows (tool grants fixed; oracle's explore binding removed so its fork keeps the full toolset). H3/H4: reviewer + security-reviewer no longer use
isolation: worktree, which made them blind to the diff they review. L1: profiles pinopus[1m].Schemas/linters — M11/M12/M15/L10: typed agent fields, one shared slug regex, angle-bracket scan for agents+profiles, shared frontmatter regex. Generated schemas re-emitted.
Docs — H1/H5/M3/M4/M5/M6/M14/M16/M24/L2/L3/L7/L9/M13: tables and claims re-synced to reality (hooks reference, model routing incl. codex-verifier, skill counts 37, Sanity MCP moved to optional, guardrails claim tsc-only, upstream scanner described honestly).
Tests/CI — M25/M26/L14/L15/L16: behavioral tests for pre-edit-validate + delegation-detector, dead
manual-sync.shdeleted,lint:knowledgeCI step now lints a real fixture, two test-truth fixes. Net +10 test files.Deferred by design (documented in the report's design tensions): provenance-manifest merge redesign (T1), fingerprint scope extension (T2), upstream-scanner live fetch. A Codex cross-model pass was attempted but the CLI hung; the report is Claude-verified only (every finding independently re-traced by a second adversarial pass before fixing).
Test Plan
bun run typecheckcleanbun test— 843 pass / 0 fail (was 777; +66 from new coverage)bun run lint— exit 0, only the 4 pre-existing warningsbun run lint:skills/lint:agents/lint:profiles— 0 errorsbun run compose+bun run schemas:emit— clean, regenerated output committedconfig/40-hooks.jsonuntouched — no fingerprint churn for existing installs