fix(publish): fail closed when a present witness signature was never verified (#4 HIGH-1)#124
Merged
Merged
Conversation
…verified (#4 HIGH-1) Beta feedback #4 (HIGH-1): witness verification is a guaranteed no-op — no kernel backend exposes witnessVerify, so witness-client.ts's crypto-verify delegate always falls through to the shape-only degraded path, which returned {valid:true}. publish.ts only threw on !valid, so a shape-valid witness.json carrying a GARBAGE signature (64-hex key, 128-hex sig, schema 1) sailed through and the harness published as "signed" — a signature that was never checked. This closes the publish exploit without needing the (native-publish-gated) NAPI/WASM verifier: - witness-client.ts: VerificationResult gains `unverified?: boolean`; the degraded path now sets it (valid stays true so read-only `verify`/`doctor` diagnostics are unchanged — they only assert shape). - publish.ts: a present-but-unverified witness now FAILS CLOSED ("Refusing to publish this harness as signed") unless the caller passes allowUnverified — which then warns the signature was NOT checked. - publish-cmd.ts: `--allow-unverified-witness` flag + a loud warning line. Live-verified via real `harness publish`: a shape-valid, garbage-128-hex-sig witness now fails closed (exit 1, clear message); `--allow-unverified-witness` proceeds with the warning. 2 new tests (exploit closed + explicit opt-in); the degraded `verify` test still reports VALID; full create-agent-harness suite 363/363; tsc clean. Not in this PR (needs Rust + NAPI/WASM export, native-publish-gated): wiring a real witnessVerify so a GENUINE signature can be cryptographically checked. Until then publishing a "signed" harness requires the explicit --allow-unverified-witness acknowledgement. Co-Authored-By: claude-flow <ruv@ruv.net>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What / why
Fixes HIGH-1 from the AQE beta-feedback (#4). Witness verification is a guaranteed no-op: no kernel backend exposes
witnessVerify, sowitness-client.ts's crypto-verify delegate always falls through to the shape-only degraded path, which returned{valid:true}.publish.tsonly threw on!valid, so a shape-validwitness.jsoncarrying a garbage signature (64-hex key, 128-hex sig, schema 1) sailed through and the harness published as "signed" — a signature that was never checked.Change (JS-only — closes the publish exploit without the native verifier)
witness-client.ts:VerificationResultgainsunverified?: boolean; the degraded path sets it.validstaystrueso read-onlyverify/doctordiagnostics are unchanged (they only assert shape).publish.ts: a present-but-unverified witness now fails closed — "Refusing to publish this harness as signed" — unless the caller passesallowUnverified, which then warns the signature was not checked.publish-cmd.ts:--allow-unverified-witnessflag + a loud warning line.Live-verify (real
harness publish)Shape-valid witness, garbage 128-hex signature:
With⚠️ warning.
--allow-unverified-witness: proceeds (dry-run) after theTests
publish.test.ts): the garbage-sig witness is refused;allowUnverifiedlets it proceed.verifytest still reportsVALID(diagnostics unchanged).create-agent-harnesssuite 363/363;tscclean.Not in this PR (native-publish-gated)
Wiring a real
witnessVerifythrough NAPI+WASM so a genuine signature can actually be cryptographically checked (the rest of HIGH-1's fix). Until then, publishing a "signed" harness requires the explicit--allow-unverified-witnessacknowledgement — no silent false "verified" claim.🤖 Generated with claude-flow