[compiler-threat-spec] spec: add CTR-019 Cache-Memory Integrity Enforcement#33908
Merged: pelikhan merged 1 commit on May 22, 2026
Conversation
Document the threat detection rule implemented in PR #33885 that requires detection success before running update_cache_memory jobs.

Changes:
- Bumped spec version to 1.0.10
- Added CTR-019 to Section 5.1 core rule catalog
- Added implementation mapping in Section 7.1
- Added T-CTR-019 test ID in Section 8.1
- Updated mapping audit timestamp in Section 7.2
- Added change log entry for version 1.0.10

The rule enforces cache-memory integrity by preventing cache updates when threat detection has been skipped or failed, ensuring only validated agent outputs are persisted to cache-memory.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
pelikhan approved these changes on May 22, 2026
Summary

Adds CTR-019 Cache-Memory Integrity Enforcement rule to the compiler threat detection specification. This rule documents the requirement that cache-memory updates must only occur when threat detection succeeds, preventing cache pollution from skipped or failed threat scans.

Type of Change

Changes

Documentation:
- specs/compiler-threat-detection-spec.md (Modified)

Related code and tests:
- cache.go, expression_builder.go
- cache_memory_threat_detection_test.go, threat_detection_job_combinations_integration_test.go

Rationale

CTR-019 ensures cache integrity by preventing the update_cache_memory job from executing when threat detection is skipped (e.g., due to if: always()) or fails. This prevents potentially compromised artifacts from polluting the workflow cache, closing a security gap in the threat detection pipeline. The rule formalizes behavior introduced in PR #33885, which switched from buildDetectionPassedCondition to buildDetectionSuccessCondition to enforce stricter cache update conditions.

References

- update_cache_memory: #33885
- Tests: cache_memory_threat_detection_test.go, threat_detection_job_combinations_integration_test.go
- Source: cache.go, expression_builder.go

Impact Assessment
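The distinction the rationale draws between a "passed" gate and a "success" gate is easy to get wrong because needs.<job>.result has four values, not two. The Go program below is an added illustration written for this page; it is not code from the project or from this PR, and PassedGate, SuccessGate, EvalGate and CacheUpdateRuns are assumed names whose bodies approximate the behaviour described, not the project's buildDetectionPassedCondition or buildDetectionSuccessCondition. It builds the two kinds of job-level if: expression and evaluates each against every outcome the detection job can have, using a deliberately small evaluator for the subset of the Actions expression language involved (always(), and needs.<job>.result compared with == or !=). Each gate is prefixed with always() so that the explicit needs check, rather than the implicit success() that GitHub applies when no status-check function is present, decides whether the job runs.

```go
package main

import (
	"fmt"
	"strings"
)

// Every value GitHub Actions can expose as needs.<job>.result.
var allResults = []string{"success", "failure", "cancelled", "skipped"}

// PassedGate is an assumed stand-in for the looser gate the PR replaced: it
// rejects only an explicit failure, so a skipped or cancelled detection job
// still lets the cache update run. Not the project's own function.
func PassedGate(detectionJob string) string {
	return fmt.Sprintf("always() && needs.%s.result != 'failure'", detectionJob)
}

// SuccessGate is an assumed stand-in for the stricter gate CTR-019 requires:
// the cache update runs only when detection reports success.
func SuccessGate(detectionJob string) string {
	return fmt.Sprintf("always() && needs.%s.result == 'success'", detectionJob)
}

// EvalGate evaluates the subset of the Actions expression language the gates
// use: clauses joined by &&, each either always() or a comparison of
// needs.<job>.result with a quoted literal via == or !=. It is an
// illustrative evaluator written for this example, not the Actions runner.
func EvalGate(expr string, results map[string]string) (bool, error) {
	for _, clause := range strings.Split(expr, "&&") {
		clause = strings.TrimSpace(clause)
		if clause == "always()" {
			continue // true even when a needed job failed or was skipped
		}
		op := "=="
		if !strings.Contains(clause, "==") {
			op = "!="
		}
		sides := strings.SplitN(clause, op, 2)
		if len(sides) != 2 {
			return false, fmt.Errorf("unparseable clause %q", clause)
		}
		lhs := strings.TrimSpace(sides[0])
		want := strings.Trim(strings.TrimSpace(sides[1]), "'")
		if !strings.HasPrefix(lhs, "needs.") || !strings.HasSuffix(lhs, ".result") {
			return false, fmt.Errorf("unsupported operand %q", lhs)
		}
		job := strings.TrimSuffix(strings.TrimPrefix(lhs, "needs."), ".result")
		// A job absent from the map has no result and reads as empty, so
		// == never matches it and != always does.
		got := results[job]
		if (op == "==") != (got == want) {
			return false, nil
		}
	}
	return true, nil
}

// CacheUpdateRuns reports, for each possible outcome of the "detection" job,
// whether a job guarded by gate would run.
func CacheUpdateRuns(gate string) (map[string]bool, error) {
	runs := make(map[string]bool, len(allResults))
	for _, r := range allResults {
		ok, err := EvalGate(gate, map[string]string{"detection": r})
		if err != nil {
			return nil, err
		}
		runs[r] = ok
	}
	return runs, nil
}

func main() {
	for _, gate := range []string{PassedGate("detection"), SuccessGate("detection")} {
		runs, err := CacheUpdateRuns(gate)
		if err != nil {
			panic(err)
		}
		fmt.Printf("if: %s\n", gate)
		for _, r := range allResults {
			fmt.Printf("  detection %-9s -> update_cache_memory runs: %v\n", r, runs[r])
		}
	}
}
```

Running it shows the gap the rule closes: under the looser gate a skipped or cancelled detection job still satisfies the condition, so an unscanned agent output would be written to cache-memory, while the stricter gate admits only an explicit success.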