The segmented risk classifier (crates/norn/src/tool/risk.rs) closes the first-token evasions nicely, but the is_harmless whitelist (risk.rs:185-208) matches on first token only, and find is in it. Consequences at current HEAD:
find . -delete → Harmless ("read-only commands with no side effects") — a deletion command lands in the tier presumably exempt from approval gates.
find / -exec rm -rf {} + → MediumRisk, but only by accident: split_shell_segments splits on {/}/;, so the \/+ residue becomes an unknown-command segment that defaults to MediumRisk. Nothing detects the indirected rm; the tier is tokeniser shrapnel, and it is still under-tiered for a recursive delete (bare rm is HighRisk).
- The module doc (risk.rs:17-21) lists
find -exec as falling "through to the MediumRisk default for unknown commands" — but find is not unknown, it is whitelisted Harmless, and find -delete is not covered by the residual-limits note at all. The documented floor is higher than the actual behaviour, which is the wrong direction for a security doc.
(Deliberately not raising the VISION config-extensibility point here — C34 is tracked and N-006 scoped this phase as hardcoded patterns; this issue is only about the active misclassification.)
Optional fix (take it or leave it): in classify_segment, check for mutating find flags before the harmless whitelist:
if first_token == "find"
&& segment.split_whitespace().any(|t| matches!(t, "-delete" | "-exec" | "-execdir" | "-ok" | "-okdir"))
{
return BashRiskTier::HighRisk; // or classify the -exec'd command recursively
}
plus tests for find . -delete and find . -exec rm {} \;, and a doc-comment correction either way. The same first-token-trusts-flags pattern may be worth a glance for sed -i/awk (currently MediumRisk, which seems fine) — find is the only whitelisted-Harmless command that takes destructive flags.
Surfaced during a documentation/quality review of norn for the Meridian workspace; file:line verified against fd1c587. Optional fix only — entirely your call on approach.
The segmented risk classifier (
crates/norn/src/tool/risk.rs) closes the first-token evasions nicely, but theis_harmlesswhitelist (risk.rs:185-208) matches on first token only, andfindis in it. Consequences at current HEAD:find . -delete→ Harmless ("read-only commands with no side effects") — a deletion command lands in the tier presumably exempt from approval gates.find / -exec rm -rf {} +→ MediumRisk, but only by accident:split_shell_segmentssplits on{/}/;, so the\/+residue becomes an unknown-command segment that defaults to MediumRisk. Nothing detects the indirectedrm; the tier is tokeniser shrapnel, and it is still under-tiered for a recursive delete (barermis HighRisk).find -execas falling "through to theMediumRiskdefault for unknown commands" — butfindis not unknown, it is whitelisted Harmless, andfind -deleteis not covered by the residual-limits note at all. The documented floor is higher than the actual behaviour, which is the wrong direction for a security doc.(Deliberately not raising the VISION config-extensibility point here — C34 is tracked and N-006 scoped this phase as hardcoded patterns; this issue is only about the active misclassification.)
Optional fix (take it or leave it): in
classify_segment, check for mutatingfindflags before the harmless whitelist:plus tests for
find . -deleteandfind . -exec rm {} \;, and a doc-comment correction either way. The same first-token-trusts-flags pattern may be worth a glance forsed -i/awk(currently MediumRisk, which seems fine) —findis the only whitelisted-Harmless command that takes destructive flags.Surfaced during a documentation/quality review of norn for the Meridian workspace; file:line verified against
fd1c587. Optional fix only — entirely your call on approach.