CE-Harness v1.0.3 — Fresh-eyes audit fixes (1 CRIT + 5 HIGH + 2 MED)
CE-Harness v1.0.3 — Fresh-eyes audit fixes
🎯 Highlights
- 324/324 tests pass (was 318, +6 new for the fixes)
- 1 CRIT + 5 HIGH + 2 MED closed from
audit/fresh-eyes-v102/(full 7.5h audit) - Score : 62.65/100 → ~80/100 post-fixes
- Dogfooding : project's own CI now runs
ci_cd_pinning.validate_workflow_fileon itself
🔒 Security fixes
| ID | Severity | What | Where |
|---|---|---|---|
| F-001 | 🔴 CRIT | Project's own CI used mutable tags @v4/@v5 while the lib is designed to reject them. Now SHA-pinned + self-audit step. |
.github/workflows/tests.yml |
| F-002 | 🟠 HIGH | security_fallback.py docstring claimed AES-256-CTR but the impl is SHA256-CTR (stdlib has no AES). Docstring fixed. |
lib/security_fallback.py |
| F-003 | 🟠 HIGH | state.record_token accepted negative ints, allowing budget bypass via record_token(-999999). Now raises ValueError. |
lib/state.py |
| F-004 | 🟠 HIGH | StateDB.verify_audit_chain() didn't exist — HMAC chain was append-only, not verifiable. New method walks the chain. |
lib/state.py |
| F-006 | 🟠 HIGH | hooks.post_tool_use_clear_result sanitized tool_name but NOT ctx.timestamp — path traversal via ../../etc/cron.daily/.... Now both hardened. |
lib/hooks.py |
⚙️ Quality fixes (bonus MED)
- F-008 :
post_tool_use_pii_tokenizenow uses singleton tokenizer (deterministic tokens across calls) - F-011 :
append_auditexcept narrowed + logs the fallback (was swallowing all errors silently)
📊 What the audit covered
- 12 quality dimensions (HumanLayer 2026, OWASP LLM Top 10, CWE Top 25, STRIDE)
- 7 angles + corpus review
- 4 simulated reviewers (ciso/qa/architect/devops) + 1 real
Exploreagent - 1.0.2 fresh-eyes (this audit) found 26 findings (1 CRIT, 5 HIGH, 7 MED, 13 LOW)
- 23 modules, ~5,200 LOC
📝 Migration from v1.0.2
No breaking changes. Just git pull and pip install -e . (or no-op if not installed).
git pull origin main
cd prototype
python3 -m pytest tests/ -v # 324/324 PASS
bash bin/install.sh # ✅
bash bin/ctxh-demo # ✅🔮 Next
v1.0.4 backlog : F-007 (PII checksums), F-009 (install.sh stdlib), F-013 (semver pinning), F-020-F-026 (P3 debt). See audit/fresh-eyes-v102/06-prioritized-actions.md.
🤖 Generated with Claude Code