Skip to content

CE-Harness v1.0.3 — Fresh-eyes audit fixes (1 CRIT + 5 HIGH + 2 MED)

Choose a tag to compare

@doz34 doz34 released this 10 Jun 13:08

CE-Harness v1.0.3 — Fresh-eyes audit fixes

🎯 Highlights

  • 324/324 tests pass (was 318, +6 new for the fixes)
  • 1 CRIT + 5 HIGH + 2 MED closed from audit/fresh-eyes-v102/ (full 7.5h audit)
  • Score : 62.65/100 → ~80/100 post-fixes
  • Dogfooding : project's own CI now runs ci_cd_pinning.validate_workflow_file on itself

🔒 Security fixes

ID Severity What Where
F-001 🔴 CRIT Project's own CI used mutable tags @v4/@v5 while the lib is designed to reject them. Now SHA-pinned + self-audit step. .github/workflows/tests.yml
F-002 🟠 HIGH security_fallback.py docstring claimed AES-256-CTR but the impl is SHA256-CTR (stdlib has no AES). Docstring fixed. lib/security_fallback.py
F-003 🟠 HIGH state.record_token accepted negative ints, allowing budget bypass via record_token(-999999). Now raises ValueError. lib/state.py
F-004 🟠 HIGH StateDB.verify_audit_chain() didn't exist — HMAC chain was append-only, not verifiable. New method walks the chain. lib/state.py
F-006 🟠 HIGH hooks.post_tool_use_clear_result sanitized tool_name but NOT ctx.timestamp — path traversal via ../../etc/cron.daily/.... Now both hardened. lib/hooks.py

⚙️ Quality fixes (bonus MED)

  • F-008 : post_tool_use_pii_tokenize now uses singleton tokenizer (deterministic tokens across calls)
  • F-011 : append_audit except narrowed + logs the fallback (was swallowing all errors silently)

📊 What the audit covered

  • 12 quality dimensions (HumanLayer 2026, OWASP LLM Top 10, CWE Top 25, STRIDE)
  • 7 angles + corpus review
  • 4 simulated reviewers (ciso/qa/architect/devops) + 1 real Explore agent
  • 1.0.2 fresh-eyes (this audit) found 26 findings (1 CRIT, 5 HIGH, 7 MED, 13 LOW)
  • 23 modules, ~5,200 LOC

📝 Migration from v1.0.2

No breaking changes. Just git pull and pip install -e . (or no-op if not installed).

git pull origin main
cd prototype
python3 -m pytest tests/ -v  # 324/324 PASS
bash bin/install.sh          #
bash bin/ctxh-demo           #

🔮 Next

v1.0.4 backlog : F-007 (PII checksums), F-009 (install.sh stdlib), F-013 (semver pinning), F-020-F-026 (P3 debt). See audit/fresh-eyes-v102/06-prioritized-actions.md.


🤖 Generated with Claude Code