Skip to content

Self-tooling run-security & scrub hardening: argv-taint + forensic action_summary + secret key-name backstop + /root tell (R2/R2b/R10/R12-residual) #158

Description

@omkhar

PR-B of the T3MP3ST-audit survivors (loop-until-dry adversarial review; each residual grep-verified).

  • R2 — argv-taint sink. The tool-firewall bars T4–T6 content from STEERING control flow/scope/egress, but a target/report-derived VALUE flowing into the ARGV of the agent's own gated shell-out (a PoC harness, build, or git command) is a distinct local-blast-radius injection sink the egress gate misses. Name it in tool-firewall.md + a portable-invariants.md line: don't word-split a model/report/target string into a command; for unattended/auto-approved exec a fail-closed argv predicate rejects a target-derived value that reparses as an option or carries shell metacharacters. Isolation contains consequences, but the injected argv still executes and can subvert validation integrity.
  • R2b — forensic action_summary. tool is required non-empty but never carries argv. Require an agent-derived (T3) action_summary on prompt_gated_exec/prompt_gated_write firewall-log rows recording the actual executed command + target/argv (tool-firewall.md + controlled-fields.md + validate_tool_firewall_log + fixtures).
  • R10 — secret key-name backstop. validate_scrub_report scans only agent-enumerated surrogate_map raws, so a secret under a sensitive KEY NAME the agent forgets leaks verbatim. Add a bounded second pass that walks each JSON scrubbed artifact and blocks a non-surrogate string under a small controlled sensitive-key vocabulary (authorization/cookie/token/secret/password/api_key…), surrogate placeholders allowlisted; key on the key NAME (not value) to avoid FPs on missing-authorization sink-class values and Authorization: headers in replay prose. Plus a portable-invariants.md disclosure rule: the enumerated scrub is not a completeness claim.
  • R12-residual — Linux path tell. Extend the existing provenance tell-scan (tests/test_repo_hygiene.py) to /root/ only. /opt/ and /home/ are EXCLUDED with rationale — they appear in legitimate synthetic paths (/opt/skills/… install root in ~20 fixtures; profile/home/cache in integration tests), so a blanket scan would not start green.

Contract-affecting (validator behavior + controlled vocab) → version bump + CHANGELOG + consensus + docs recheck.

🤖 Generated with Claude Code

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions