feat(rules): hard-BLOCK local hard smuggled-token channels in strict/paranoid#100
Open
fu351 wants to merge 1 commit into
Open
feat(rules): hard-BLOCK local hard smuggled-token channels in strict/paranoid#100fu351 wants to merge 1 commit into
fu351 wants to merge 1 commit into
Conversation
…paranoid A hard smuggled-token channel (bidi / Unicode tag-block / invisible / noncharacter - near-zero false positive, no legitimate use in tool traffic) that stays LOCAL previously only stepped up to AUTH, which an operator can rubber-stamp under alert fatigue. Strict/Paranoid now escalate the local case to BLOCK, mirroring the existing trifecta_hard_block precedent. Raise-only (ADR 0021): only escalates an existing local AUTH to BLOCK, only in the strictest modes; Light/Balanced unchanged. External-destination BLOCK branch untouched (already mode-independent).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Slice
What this PR does
Strict/Paranoid now hard-BLOCK a LOCAL hard smuggled-token channel (bidi / Unicode tag-block / invisible / noncharacter — the near-zero-false-positive HARD channels), instead of only stepping up to AUTH. Mirrors the existing
trifecta_hard_blockmode escalation exactly. Light/Balanced are unchanged (still AUTH). The external-destination BLOCK branch is untouched (already mode-independent).Motivation: a hard smuggling channel has no legitimate use in tool traffic, so in the strictest modes it should be refused outright rather than left to an AUTH prompt a fatigued operator may rubber-stamp.
Tests added (run in CI)
tests/unit/test_token_channel_hard_block.py— 8 deterministic tests: strict/paranoid -> BLOCK; balanced/light -> AUTH (unchanged); external-destination -> BLOCK in every mode; no-channel -> PASS; raise-only (strict verdict >= balanced viaVERDICT_ORDER); redaction (decoded payload + raw smuggled bytes never appear inexplanation/reason_codes).Public-release safety (doberman-core only)
Security checklist
Edge cases covered / Deviations from plan / Risks introduced
engine.rules->policyalready used bycommands.py/destinations.py/role_boundary.py). Full suite green locally: 1368 passed, 4 skipped, 91% coverage.