Skip to content

docs(security): reconcile SEC-6/7/8 status drift with verified code#182

Merged
qnbs merged 2 commits into
mainfrom
docs/security-drift-housekeeping
Jun 20, 2026
Merged

docs(security): reconcile SEC-6/7/8 status drift with verified code#182
qnbs merged 2 commits into
mainfrom
docs/security-drift-housekeeping

Conversation

@qnbs

@qnbs qnbs commented Jun 17, 2026

Copy link
Copy Markdown
Owner

User description

Context

.github/SECURITY.md, docs/SECURITY-THREAT-MODEL.md, and TODO.md disagreed on the status of three Phase-3 security items, so external readers saw either phantom open gaps or phantom delivered controls. Each item was verified against the actual code (importers + wiring, not just file existence) before changing any status.

Findings & fixes

Item Verified reality Doc fix
SEC-7 plugin worker isolation ✅ Delivered + wired — workers/plugin.worker.ts used by pluginRegistry.ts + workerBusManager.ts; adversarial tests .github/SECURITY.md ⬜ → ✅
SEC-8 voice WASM download UX ✅ Delivered + wired — VoiceModelDownloadModal used by VoiceSettingsSection .github/SECURITY.md ⬜ → ✅
SEC-6 DuckDB OPFS encryption 🟡 Not truly deliveredservices/duckdb/duckdbEncryption.ts + unit tests exist, but all 6 exported symbols have 0 production callers; not wired into the persistence path → analytics not encrypted at rest Corrected the over-claim in TODO.md + threat-model checklist to "module exists, integration pending"; .github/SECURITY.md → 🟡 Partial

Marking SEC-6 "complete" would assert an at-rest security control that does not exist — the more dangerous direction of drift — so it is now truthfully represented everywhere.

Also ran scripts/sync-readme-metrics.mjs (recommended housekeeping): README i18n-key metric 2716 → 2726.

Verification

  • Each status verified by repo-wide symbol/import grep (0 production refs for duckdbEncryption exports; confirmed importers for plugin worker + voice modal).
  • Docs-only change.

🤖 Generated with Claude Code


CodeAnt-AI Description

Reconcile security status docs with what is actually shipped

What Changed

  • Updated the security status pages to show SEC-7 plugin isolation and SEC-8 voice download UX as complete, matching the shipped code.
  • Corrected SEC-6 DuckDB encryption to partial everywhere, since the encryption module exists but is not connected to the live data path and analytics are still unencrypted at rest.
  • Kept the threat model, TODO list, and security overview in sync, and refreshed the README locale count.

Impact

✅ Clearer security status for readers
✅ Fewer false “open” security gaps
✅ Fewer false claims of encrypted analytics at rest

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

…tate

External readers were misled by inconsistent security-status docs. Verified
each item against the actual code (importers/wiring, not just file presence):

- SEC-7 (plugin worker isolation): DELIVERED + wired — workers/plugin.worker.ts
  is used by pluginRegistry.ts + workerBusManager.ts with adversarial tests.
  .github/SECURITY.md was stale (⬜) → now ✅.
- SEC-8 (voice WASM download UX): DELIVERED + wired — VoiceModelDownloadModal
  used by VoiceSettingsSection. .github/SECURITY.md stale (⬜) → now ✅.
- SEC-6 (DuckDB OPFS encryption): NOT truly delivered. The module
  services/duckdb/duckdbEncryption.ts + its unit tests exist, but ALL six
  exported symbols have 0 production callers — it is not wired into the
  persistence path, so DuckDB analytics are NOT encrypted at rest. TODO.md
  and the threat-model checklist over-claimed this as ✅; corrected to a
  truthful "module exists, integration pending" across .github/SECURITY.md
  (🟡 Partial), docs/SECURITY-THREAT-MODEL.md (line 44 + checklist), and
  TODO.md (P0-4). Marking it "complete" would assert an at-rest control that
  does not exist — the more dangerous drift.

Also ran scripts/sync-readme-metrics.mjs (recommended housekeeping): README
i18n-key metric 2716 → 2726 (drift fix).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@vercel

vercel Bot commented Jun 17, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
worldscript-studio Ready Ready Preview, Comment Jun 20, 2026 5:43am

@codeant-ai

codeant-ai Bot commented Jun 17, 2026

Copy link
Copy Markdown

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

@codeant-ai codeant-ai Bot added the size:S This PR changes 10-29 lines, ignoring generated files label Jun 17, 2026
qnbs added a commit that referenced this pull request Jun 17, 2026
Command-level companion to docs/CODEANT-REVIEW-LOOP.md for running the loop
across multiple open PRs in one combined pass. Captures the live state of the
architecture-refactor batch (PRs #177#182) and #177's in-progress detail
(3 findings fixed in c7638f1; 2 to justify; threads to reply/resolve) so a
later session can resume and process this plan's PRs together with the next
plan's PRs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@codeant-ai

codeant-ai Bot commented Jun 20, 2026

Copy link
Copy Markdown

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

@codeant-ai codeant-ai Bot added size:S This PR changes 10-29 lines, ignoring generated files and removed size:S This PR changes 10-29 lines, ignoring generated files labels Jun 20, 2026
@qnbs

qnbs commented Jun 20, 2026

Copy link
Copy Markdown
Owner Author

@CodeAnt-AI review

@codeant-ai

codeant-ai Bot commented Jun 20, 2026

Copy link
Copy Markdown

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

@codeant-ai codeant-ai Bot added size:S This PR changes 10-29 lines, ignoring generated files and removed size:S This PR changes 10-29 lines, ignoring generated files labels Jun 20, 2026
@codeant-ai

codeant-ai Bot commented Jun 20, 2026

Copy link
Copy Markdown

Sequence Diagram

This diagram illustrates how analytics data currently flows to DuckDB storage without at-rest encryption and shows the intended, but not yet integrated, encryption module, matching the reconciled SEC-6 documentation in this PR.

sequenceDiagram
    participant User
    participant App
    participant Analytics
    participant DuckDBClient
    participant DuckDBEncryption
    participant OPFSStorage

    User->>App: Use features that generate analytics
    App->>Analytics: Record analytics event
    Analytics->>DuckDBClient: Append analytics data
    DuckDBClient->>OPFSStorage: Persist analytics data unencrypted

    opt Planned encryption integration SEC-6
        DuckDBClient->>DuckDBEncryption: Encrypt analytics payload before write
        DuckDBEncryption-->>DuckDBClient: Return encrypted data
    end
Loading

Generated by CodeAnt AI

@qnbs
qnbs merged commit 1c92a7b into main Jun 20, 2026
18 checks passed
@qnbs
qnbs deleted the docs/security-drift-housekeeping branch June 20, 2026 10:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:S This PR changes 10-29 lines, ignoring generated files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant