v1.11.0 — service & integration hardening (7 High + 4 Medium) #15
Merged
…Medium)

High:
- /api/export no longer honors caller-supplied approvals (it signed bundles with them, bypassing server-issued challenges + approver authz); always runs unapproved.
- /challenges and /approve verify the stored bundle signature before re-running saved.Prompt (409 on failure) — a tampered artifact can't seed a signed approved run.
- per-file delete approvals over the web: challenges minted per unit (bare node id, or node#fileRef for destructive delete) via new PolicyView.ApprovalRefs.
- fail-closed persistence: /api/run and /approve return 503 (no leaked detail) when a run can't be durably stored, instead of 200 with an unsaved result.
- rate limiting (built-in framework limiter, no new dep): per-client /api cap + a stricter policy on POST /api/auth/token.
- imported-OpenAPI confirmation keys on the inferred side effect, not the HTTP verb, so a side-effecting GET/HEAD is still gated.
- MCP path policy enforces the normalized typed action path (FsRead/FsWrite.Path), not only fixed raw arg keys — closes a custom-mapper bypass.

Medium:
- read endpoints require >= viewer (roleless principal gets 403).
- legacy INTENTMESH_WEB_TOKEN reduced to operator+viewer (no approver), documented dev-only.
- security headers (CSP script-src 'self', nosniff, DENY, no-referrer); SPA token moved to sessionStorage.
- release hardening: repo NuGet.config (single-source mapping), Docker restore --locked-mode, attestation split into a separate least-privilege CI job.

Note: findings overlapping v1.9.2/v1.10.x were re-verified; AllowedHosts, key floor, draft gate, and SHA-pinning remain resolved. 16 new tests; 240 passing + 3 skipped.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
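The first four High bullets share one root: approvals have to be minted, bound and checked by the server, and nothing in a stored artifact may run before its signature is verified. The following is an added example of that flow, not IntentMesh's own code: a signed stored bundle, `/challenges` minting one server-side challenge per approval ref (bare node id, or `node#fileRef` for a destructive delete, in the spirit of `PolicyView.ApprovalRefs`), `/approve` refusing a tampered artifact with 409 before any authz or execution and accepting only server-minted challenges, `/api/export` ignoring caller-supplied approvals, and a persistence failure answered with 503 that carries no storage detail. The HMAC key, the bundle shape, the role names, the `execute` semantics and the exact status codes are assumptions for the example.

```python
# Added example (not IntentMesh's own code): server-minted approval challenges over a
# signed stored bundle. Key, bundle shape, role names and status codes are assumptions.
import hashlib
import hmac
import json
import secrets

SERVER_KEY = b"example-only-server-key"  # assumption: server-held secret (KMS/HSM seam in real use)

class HttpError(Exception):
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status, self.reason = status, reason

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_bundle(bundle):
    return hmac.new(SERVER_KEY, canonical(bundle), hashlib.sha256).hexdigest()

def approval_refs(bundle):
    """PolicyView.ApprovalRefs analogue: bare node id, or node#fileRef per file for a delete."""
    refs = []
    for node in bundle["nodes"]:
        if node["action"] == "delete":
            refs.extend(f"{node['id']}#{f}" for f in node["files"])
        elif node["action"] != "read":
            refs.append(node["id"])
    return refs

class Store:
    """In-memory stand-in for durable storage; failing=True simulates an outage."""
    def __init__(self, failing=False):
        self.bundles, self.challenges, self.runs, self.failing = {}, {}, {}, failing
    def put_bundle(self, bundle_id, bundle):
        self.bundles[bundle_id] = {"bundle": bundle, "sig": sign_bundle(bundle)}
    def save_run(self, run_id, result):
        if self.failing:
            raise OSError("disk full: /var/lib/example")  # detail that must not reach the client
        self.runs[run_id] = result

def load_verified(store, bundle_id):
    """Integrity first: a tampered stored artifact never reaches execution (409)."""
    rec = store.bundles[bundle_id]
    if not hmac.compare_digest(rec["sig"], sign_bundle(rec["bundle"])):
        raise HttpError(409, "stored bundle failed integrity check")
    return rec["bundle"]

def challenges(store, bundle_id):
    """/challenges analogue: one unguessable server-side challenge per approval ref."""
    minted = {ref: secrets.token_hex(16) for ref in approval_refs(load_verified(store, bundle_id))}
    store.challenges[bundle_id] = minted
    return minted

def execute(bundle, approved_refs):
    """Reads always run; every other unit runs only if its ref was approved."""
    out = {}
    for node in bundle["nodes"]:
        if node["action"] == "read":
            out[node["id"]] = "ran"
        elif node["action"] == "delete":
            for f in node["files"]:
                out[f"{node['id']}#{f}"] = "ran" if f"{node['id']}#{f}" in approved_refs else "blocked"
        else:
            out[node["id"]] = "ran" if node["id"] in approved_refs else "blocked"
    return out

def persist(store, run_id, result):
    try:
        store.save_run(run_id, result)
    except Exception:
        raise HttpError(503, "run could not be durably stored") from None  # fail closed, no leaked detail

def approve(store, bundle_id, principal, submitted):
    """/approve analogue; submitted is {ref: challenge} as handed out by challenges()."""
    bundle = load_verified(store, bundle_id)  # 409 before authz, before execution
    if "approver" not in principal["roles"]:
        raise HttpError(403, "approver role required")
    minted = store.challenges.get(bundle_id, {})
    approved = {ref for ref, ch in submitted.items()
                if ref in minted and hmac.compare_digest(minted[ref], ch)}
    if approved != set(submitted):
        raise HttpError(400, "unknown or forged challenge")
    result = execute(bundle, approved)
    persist(store, f"{bundle_id}:approved", result)
    return result

def export(store, bundle_id, caller_supplied_approvals=None):
    """/api/export analogue: caller approvals are never consulted; runs unapproved."""
    del caller_supplied_approvals
    return execute(load_verified(store, bundle_id), set())

def outcome(fn, *args):
    """(status, payload) an endpoint would answer with."""
    try:
        return 200, fn(*args)
    except HttpError as e:
        return e.status, e.reason

def sample_bundle():
    """Constructed sample: one read, one write, one delete touching two files."""
    return {"nodes": [{"id": "n1", "action": "read"}, {"id": "n2", "action": "write"},
                      {"id": "n3", "action": "delete", "files": ["a.txt", "b.txt"]}]}
```

The ordering inside `approve` is the point: the integrity check runs before the role check and before any unit executes, so a tampered artifact cannot be used to seed an approved run even by a legitimate approver, and the approval set is derived only from what the server minted, never from what the caller sent.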
Closes a fifth external review. Every finding was verified against current `master` first. 240 passing + 3 env-gated skipped; 16 new tests.

High — fixed
- `/api/export` signed/bundle output ran with caller-supplied approvals, bypassing server-issued challenges + approver authz. Now always runs unapproved (test: `Export_does_not_honor_caller_supplied_approvals`).
- `/challenges` + `/approve` now verify the stored bundle signature before re-running `saved.Prompt` → 409 on a tampered artifact (test: `A_tampered_stored_run_fails_integrity_before_approval`).
- Per-file delete approvals over the web: challenges minted per unit (bare node id, or `node#fileRef` for deletes) via new `PolicyView.ApprovalRefs` (test: `Per_file_delete_confirmations_are_minted_and_approved_per_file`).
- `/api/run` + `/approve` return 503 (no leaked exception) when a run can't be durably stored.
- Rate limiting (built-in framework limiter, no new dep): per-client `/api` cap + stricter `POST /api/auth/token` (test: `Auth_endpoint_is_rate_limited_per_client`).
- Imported-OpenAPI confirmation keys on the inferred side effect, not the HTTP verb, so a side-effecting GET/HEAD is still gated (test: `OpenApiImporter_ToContract_side_effecting_get_still_requires_confirmation`).
- MCP path policy enforces the normalized typed action path (`FsRead`/`FsWrite.Path`), not only fixed raw arg keys; closes a custom-mapper bypass (test: `McpProxy_custom_mapper_with_nonstandard_arg_name_still_enforces_path_policy`).

Medium — fixed
- Read endpoints require >= `viewer` (roleless principal → 403).
- Legacy `INTENTMESH_WEB_TOKEN` reduced to operator+viewer (no approver), documented dev-only.
- Security headers (CSP `script-src 'self'`, nosniff, DENY, no-referrer); SPA token → `sessionStorage`.
- Release hardening: repo `NuGet.config` (single-source mapping), Docker `--locked-mode` restore, attestation moved to a separate least-privilege CI job.

Documented residuals (not single-PR)
NuGet package signing needs a code-signing certificate; base-image digest pinning needs registry access — both deployment-owned and noted in MATURITY. KMS/HSM and encrypted/WORM storage remain future seams.
🤖 Generated with Claude Code
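The imported-OpenAPI finding above (confirmation keyed on the inferred side effect, so a side-effecting GET/HEAD is still gated) is easy to get wrong because the verb is the most convenient thing to switch on. The following is an added example, not IntentMesh's `OpenApiImporter`: the verb-keyed rule the fix replaced sits beside a side-effect-keyed rule, both run over a constructed spec whose trap is a GET that rotates a credential. The inference heuristics (an explicit `x-side-effect` vendor extension, destructive or mutating words in the operationId and summary, presence of a `requestBody`, and only then the verb), their precedence and the sample spec are assumptions for the example.

```python
# Added example (not IntentMesh's own code): key the confirmation requirement of an
# imported OpenAPI operation on its inferred side effect, not on the HTTP verb. The
# inference heuristics, the x-side-effect extension and the sample spec are assumptions.
import re
from dataclasses import dataclass

SAFE_METHODS = {"get", "head", "options"}
DESTRUCTIVE_WORDS = {"delete", "remove", "purge", "destroy", "revoke"}
MUTATING_WORDS = {"create", "update", "write", "send", "trigger", "run", "reset", "rotate"}

@dataclass(frozen=True)
class Contract:
    operation_id: str
    method: str
    path: str
    side_effect: str            # "read" | "write" | "delete"
    requires_confirmation: bool

def verb_keyed_needs_confirmation(method):
    """The pre-fix rule: gate on the verb alone. A side-effecting GET/HEAD is not gated."""
    return method.lower() not in SAFE_METHODS

def _words(op):
    """operationId (split on camelCase) plus summary, as lower-case whole words."""
    text = f"{op.get('operationId', '')} {op.get('summary', '')}"
    text = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", text)
    return set(re.findall(r"[a-z]+", text.lower()))

def infer_side_effect(method, op):
    """Precedence: explicit x-side-effect, then destructive/mutating words, then requestBody, then verb."""
    explicit = op.get("x-side-effect")
    if explicit in ("read", "write", "delete"):
        return explicit
    words = _words(op)
    if words & DESTRUCTIVE_WORDS or method.lower() == "delete":
        return "delete"
    if words & MUTATING_WORDS or "requestBody" in op:
        return "write"
    return "read" if method.lower() in SAFE_METHODS else "write"

def to_contracts(spec):
    """Side-effect-keyed rule: anything that is not a pure read needs confirmation."""
    contracts = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            effect = infer_side_effect(method, op)
            contracts.append(Contract(op.get("operationId", f"{method}:{path}"), method.upper(),
                                      path, effect, requires_confirmation=effect != "read"))
    return contracts

# Constructed sample spec; the trap is the GET that rotates a credential.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/keys/{id}": {"get": {"operationId": "getKey", "summary": "Fetch key metadata"},
                       "delete": {"operationId": "deleteKey"}},
        "/keys/{id}/rotate": {"get": {"operationId": "rotateKey",
                                      "summary": "Rotate the key (side-effecting GET)"}},
        "/health": {"head": {"operationId": "healthProbe", "x-side-effect": "read"}},
        "/jobs": {"post": {"operationId": "createJob", "requestBody": {"required": True}}},
    },
}

def gated_by(rule, spec):
    """operationIds a rule would gate; rule is 'verb' or 'side-effect'."""
    gated = set()
    for c in to_contracts(spec):
        if rule == "verb" and verb_keyed_needs_confirmation(c.method):
            gated.add(c.operation_id)
        if rule == "side-effect" and c.requires_confirmation:
            gated.add(c.operation_id)
    return gated
```

Under the verb rule `rotateKey` is an unconfirmed GET; under the side-effect rule it is gated as a write while the explicitly read-only `healthProbe` HEAD stays ungated. The word lists are the weak part of any such inference, which is why an explicit side-effect marker takes precedence over them here and why an importer should default to "write" rather than "read" whenever it cannot tell.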