Skip to content

feat(security): implement platform-specific security for macOS and Windows#106

Merged
mpyw merged 8 commits intomainfrom
feature/platform-security-improvements
Jan 14, 2026
Merged

feat(security): implement platform-specific security for macOS and Windows#106
mpyw merged 8 commits intomainfrom
feature/platform-security-improvements

Conversation

@mpyw
Copy link
Copy Markdown
Owner

@mpyw mpyw commented Jan 14, 2026

Summary

  • Implement macOS peer credential verification using LOCAL_PEERCRED via raw syscall
  • Implement macOS core dump prevention using setrlimit(RLIMIT_CORE, 0)
  • Implement Windows minidump prevention using SetErrorMode
  • Document Windows AF_UNIX limitation (no peer credentials, relies on ACLs)
  • Fix memguard usage: use WipeBytes() for cryptographically secure zeroing
  • Unify Linux peer verification to use SyscallConn (same as macOS) to avoid connection disruption
  • Add comprehensive tests for all platforms

Platform Support

Platform Peer Verification Core Dump Prevention
macOS LOCAL_PEERCRED (raw syscall) setrlimit(RLIMIT_CORE, 0)
Linux SO_PEERCRED (GetsockoptUcred) prctl(PR_SET_DUMPABLE, 0)
Windows No-op (relies on socket ACLs) SetErrorMode(SEM_*)
Other No-op No-op

Test plan

  • All existing tests pass
  • New peer verification tests (darwin/linux/windows)
  • New process security tests (darwin/linux/windows)
  • Lint passes
  • CI passes on all platforms

🤖 Generated with Claude Code

mpyw and others added 3 commits January 14, 2026 16:33
@mpyw @claude
feat(security): implement platform-specific security for macOS and Wi…
5d0fd09 
…ndows

- macOS peer credential verification using LOCAL_PEERCRED via raw getsockopt syscall
- macOS core dump prevention using setrlimit(RLIMIT_CORE, 0)
- Windows minidump prevention using SetErrorMode
- Document Windows AF_UNIX limitation (no peer credentials)
- Fix memguard usage: use WipeBytes() for cryptographically secure zeroing

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@mpyw @claude
refactor(security): improve peer credential verification consistency
dcfd34b 
- Linux: switch from File() to SyscallConn to avoid connection disruption
- macOS: add xucred version validation for forward compatibility
- macOS: extract magic numbers as named constants
- Add unit tests for peer credential verification (darwin/linux)
- Add unit test for process security setup

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@mpyw @claude
fix(security): address review feedback
8ebb967 
- Windows: use windows.SEM_* constants instead of duplicating
- Tests: use t.Context() instead of context.Background() (Go 1.21+)
- Tests: fix potential goroutine leak on timeout
- Add Windows-specific tests for peer and process security

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@codecov
Copy link
Copy Markdown

codecov bot commented Jan 14, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 52.30769% with 31 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.28%. Comparing base (3f0631f) to head (73e2264).
⚠️ Report is 9 commits behind head on main.

Files with missing lines Patch % Lines
...tore/agent/internal/server/security/peer_darwin.go 55.26% 10 Missing and 7 partials ⚠️
...store/agent/internal/server/security/peer_linux.go 44.44% 6 Missing and 4 partials ⚠️
...aging/store/agent/internal/protocol/socket_unix.go 0.00% 2 Missing ⚠️
...e/agent/internal/server/security/process_darwin.go 60.00% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #106      +/-   ##
==========================================
- Coverage   90.70%   90.28%   -0.42%     
==========================================
  Files         122      131       +9     
  Lines        7339     7415      +76     
==========================================
+ Hits         6657     6695      +38     
- Misses        475      502      +27     
- Partials      207      218      +11
Flag Coverage Δ
e2e 66.71% <38.09%> (-0.04%) ⬇️
platform-darwin 64.44% <54.34%> (?)
platform-linux 62.85% <42.85%> (?)
platform-windows 73.46% <100.00%> (?)
unittests 80.98% <42.85%> (-0.08%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mpyw mpyw force-pushed the feature/platform-security-improvements branch from 99b32a3 to a212278 Compare January 14, 2026 08:06
@mpyw @claude
ci: add platform-specific tests for security package
6bdeb12 
Add two new CI jobs:
- platform-test: Run tests with coverage on Linux, macOS, and Windows
- platform-build: Cross-compile for FreeBSD, OpenBSD, NetBSD

Packages are discovered dynamically via grep for //go:build tags,
excluding GUI and test files.

Update codecov.yml to expect 5 builds (unit + e2e + 3 platforms).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@mpyw mpyw force-pushed the feature/platform-security-improvements branch from a212278 to 6bdeb12 Compare January 14, 2026 08:07
mpyw and others added 4 commits January 14, 2026 17:12
@mpyw @claude
test(security): add core dump verification tests
bcc8991 
- Add Linux test verifying PR_GET_DUMPABLE returns 0 after SetupProcess()
- Add macOS test verifying RLIMIT_CORE is 0 after SetupProcess()
- Add platform-lint CI job for Linux, Windows, and macOS

These tests verify that the core dump prevention measures are actually
effective, not just that SetupProcess() returns no error.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@mpyw @claude
fix(lint): resolve platform-specific lint errors
d50fd95 
- Fix dupword lint error in process_linux_test.go (reword comment)
- Fix prealloc lint error in peer_windows_test.go (use slice literal)
- Move socketPathFallback to socket_unix.go (!windows build tag)
  to fix unused function error on Windows

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@mpyw @claude
ci: disable gci lint on Windows due to false positives
46cb804 
gci linter produces false positives on Windows related to line
ending differences. Import ordering is verified by the main Lint
job on Linux.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@mpyw @claude
ci: remove Windows from platform-lint due to gci issues
73e2264 
Windows excluded from platform-lint due to gci formatter false
positives with line endings. Main Lint job (Linux) covers all
essential checks including import ordering.

Windows platform-specific code is still validated via:
- Platform Test (windows) - compilation and tests
- Main Lint job - all linters except platform-specific builds

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@mpyw mpyw merged commit 8aa3e75 into main Jan 14, 2026
21 of 23 checks passed
@mpyw mpyw deleted the feature/platform-security-improvements branch January 14, 2026 08:52
@mpyw mpyw mentioned this pull request Jan 14, 2026
Merged
2 tasks
@mpyw mpyw added security Security related issue or fix enhancement New feature or request labels Jan 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

enhancement New feature or request security Security related issue or fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mpyw