v0.2.0-alpha — security fixes + audit hardening

Upgrade urgency: recommended

Three memory-safety bugs found by libFuzzer harnesses are fixed in this release. The most severe is a heap-buffer-overflow in the NETLINK_SOCK_DIAG reply walker, which processes kernel-supplied bytes — the classic netlink-parser CVE pattern. A separate GitHub Security Advisory has been filed against this bug; downstream packagers and distros should treat v0.1.0-alpha as withdrawn.

Security fixes

• Heap-buffer-overflow in peer_lookup.c:134 (NLMSG_OK walk). NLMSG_NEXT advances by NLMSG_ALIGN(nlmsg_len) (4-byte aligned) but NLMSG_OK only validated nlmsg_len <= remaining without alignment. A crafted nlmsg_len whose 4-byte-aligned size exceeds remaining slipped past NLMSG_OK, then len -= align(nlmsg_len) underflowed size_t, and the next iteration dereferenced past the buffer. Severity: high (kernel-supplied bytes; reachable by any CAP_NET_ADMIN process posting crafted netlink replies). Fixed in #10. CWE-125 / CWE-191.
• Two heap-buffer-overflows in nft_handler.c:163 and nft_handler.c:208 (substitute_placeholders). Three write paths in the function, only the matched-placeholder path had a bounds check. Triggered by replacement strings whose total expansion approaches 2*src_len. Severity: medium (admin-controlled fragment input; trust model means an attacker would already need root file-write to trigger, but ASan-detectable OOB regardless). Fixed in #8.
• Off-by-one in validate_cgroup_path. Found by inspection during refactor for the differential oracle. Severity: low (trusted input from sd_pid_get_cgroup). Fixed in #10.

New stable contracts

• Linux audit-syscall channel (§6.2.7). Every fragment-rejection path now emits an AUDIT_USER_ERR (1109) record via libaudit's audit_log_user_message(), with reason tags missing | perms | content | nft-syntax. SOC consumers parsing /var/log/audit/audit.log get denied-session events without subscribing to the systemd journal. The journald channel (§6.2) stays in place; audit is additive. (#15)
• Failed-open rollback (#9). A failed open_session now leaves no nft state, no transient scope, and no session-identity JSON — clean retry is always safe. Integration test 10.14 guards both rollback paths.

Hardening + test infrastructure

• 8 libFuzzer harnesses, 9 functions ≥ 90% coverage. Property assertions, not just crash-only. Found 4 real bugs (3 heap OOBs + 1 off-by-one). Sustained nightly fuzz cron (fuzz-nightly.yml, 30 min × 8 harnesses, 03:17 UTC). (#7, #8, #10, #12)
• Differential oracle harness (Phase 4.1). 5 small parsers cross-validated against an independent Python re-implementation; 286 inputs. (#11, #13)
• Property-based tests (Phase 4.2). Idempotence + round-trip on the same parsers. (#14)
• Mutation testing (Phase 4.3). mull (LLVM-IR mutator) wired in via make mutation-report and weekly mutation.yml workflow. (#18)
• Reproducibility check. make reproducibility-check verifies bit-identical same-machine builds. (#17)
• OSTIF best-practices alignment. SECURITY.md, security.txt, third-party inventory, response timelines, incident-response runbook, OpenSSF Best Practices badge. (#16, #17)

Documentation

• New: docs/SECURITY_PRACTICES.md, docs/REPRODUCIBLE_BUILDS.md, docs/INCIDENT_RESPONSE.md, docs/THIRD_PARTY.md, docs/FUZZ_SURFACE.md.
• The unit + integration test stage matrix and CI gate inventory now live in docs/CONTRIBUTING.txt § Tests rather than in the README.

Reproducible-build artefact hash

b2591c3afb061d7033297f6beffa1ebea9fc9911f64c0c11a60155b3f3aea46c  pam_authnft.so

Verify locally with make reproducibility-check after make — the hash above was recorded on the maintainer's build host (Arch Linux, gcc + glibc; toolchain version dependence documented in docs/REPRODUCIBLE_BUILDS.md).

Upgrading

• No source-level migration required. The PAM interface (two exported symbols), nftables set schema, and fragment ownership model are unchanged.
• The only newly-allowlisted seccomp syscall classes are libaudit's socket(AF_NETLINK) + sendto/sendmsg — already in the existing allowlist.
• Recommended verification path after upgrade: make test-container && make test-integration-container.