Skip to content

Track inherited upstream CodeQL baseline after thin GBrain migration #130

Description

@100yenadmin

TL;DR

PR #129 moves Eva Brain onto upstream GBrain 0.41.18.0 and GitHub Advanced Security surfaces high-severity CodeQL alerts in inherited upstream core files. These are not in Eva-owned plugin/installer surfaces, but they need a tracked baseline so the thin-distribution PR can stay scoped and future hardening can happen deliberately.

Evidence

  • PR: Thin Eva Brain distribution on upstream GBrain 0.41.18.0 #129
  • CodeQL check run reported 52 high alerts.
  • Read-only review confirmed the annotations are in upstream/core paths: src/**, recipes/agent-voice/**, and upstream test/**.
  • No annotations were in Eva-owned surfaces: plugins/**, scripts/update-local-install.sh, scripts/eva-brain-health.mjs, scripts/install-codex-plugin.mjs, .github/workflows/release.yml, .github/workflows/test.yml, or INSTALL_FOR_AGENTS.md.

Decision

Baseline/dismiss the PR-related inherited alerts for the migration PR, then handle hardening as separate upstream/core work. Do not patch 52 unrelated core warnings inside the thin-distribution migration.

Follow-up

Create smaller upstream-oriented issues/PRs by alert family:

  • clear-text logging redaction
  • polynomial regex/ReDoS
  • rate limiting / HTTP admin surface
  • URL host validation
  • test-only benchmark logging

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions