PR-B of the T3MP3ST-audit survivors (loop-until-dry adversarial review; each residual grep-verified).
- R2 — argv-taint sink. The tool-firewall bars T4–T6 content from STEERING control flow/scope/egress, but a target/report-derived VALUE flowing into the ARGV of the agent's own gated shell-out (a PoC harness, build, or git command) is a distinct local-blast-radius injection sink the egress gate misses. Name it in tool-firewall.md + a portable-invariants.md line: don't word-split a model/report/target string into a command; for unattended/auto-approved exec a fail-closed argv predicate rejects a target-derived value that reparses as an option or carries shell metacharacters. Isolation contains consequences, but the injected argv still executes and can subvert validation integrity.
- R2b — forensic action_summary.
tool is required non-empty but never carries argv. Require an agent-derived (T3) action_summary on prompt_gated_exec/prompt_gated_write firewall-log rows recording the actual executed command + target/argv (tool-firewall.md + controlled-fields.md + validate_tool_firewall_log + fixtures).
- R10 — secret key-name backstop.
validate_scrub_report scans only agent-enumerated surrogate_map raws, so a secret under a sensitive KEY NAME the agent forgets leaks verbatim. Add a bounded second pass that walks each JSON scrubbed artifact and blocks a non-surrogate string under a small controlled sensitive-key vocabulary (authorization/cookie/token/secret/password/api_key…), surrogate placeholders allowlisted; key on the key NAME (not value) to avoid FPs on missing-authorization sink-class values and Authorization: headers in replay prose. Plus a portable-invariants.md disclosure rule: the enumerated scrub is not a completeness claim.
- R12-residual — Linux path tell. Extend the existing provenance tell-scan (tests/test_repo_hygiene.py) to
/root/ only. /opt/ and /home/ are EXCLUDED with rationale — they appear in legitimate synthetic paths (/opt/skills/… install root in ~20 fixtures; profile/home/cache in integration tests), so a blanket scan would not start green.
Contract-affecting (validator behavior + controlled vocab) → version bump + CHANGELOG + consensus + docs recheck.
🤖 Generated with Claude Code
PR-B of the T3MP3ST-audit survivors (loop-until-dry adversarial review; each residual grep-verified).
toolis required non-empty but never carries argv. Require an agent-derived (T3)action_summaryon prompt_gated_exec/prompt_gated_write firewall-log rows recording the actual executed command + target/argv (tool-firewall.md + controlled-fields.md + validate_tool_firewall_log + fixtures).validate_scrub_reportscans only agent-enumeratedsurrogate_mapraws, so a secret under a sensitive KEY NAME the agent forgets leaks verbatim. Add a bounded second pass that walks each JSON scrubbed artifact and blocks a non-surrogate string under a small controlled sensitive-key vocabulary (authorization/cookie/token/secret/password/api_key…), surrogate placeholders allowlisted; key on the key NAME (not value) to avoid FPs onmissing-authorizationsink-class values andAuthorization:headers in replay prose. Plus a portable-invariants.md disclosure rule: the enumerated scrub is not a completeness claim./root/only./opt/and/home/are EXCLUDED with rationale — they appear in legitimate synthetic paths (/opt/skills/…install root in ~20 fixtures;profile/home/cachein integration tests), so a blanket scan would not start green.Contract-affecting (validator behavior + controlled vocab) → version bump + CHANGELOG + consensus + docs recheck.
🤖 Generated with Claude Code