v1.15.0 — container startup, audit binding & prod-auth hardening (3 High + 6 Medium)#20
Merged
…h hardening (3 High + 6 Medium)

High:
- Web host falls back to the EMBEDDED bundle when no dataset/compiled dir is on disk, so a container starts self-contained instead of exiting fatally.
- MCP pre-forward audit binds the EXACT normalized forwarded payload via a signed external.call.json (captures content/edits/pattern/body the typed action omits); owner sidecar is HMAC-signed and records a distinct principal (not tenant==principal).
- Production auth: INTENTMESH_AUTH_KEY must differ from INTENTMESH_AUDIT_KEY; INTENTMESH_PROXY_SECRET must be >=16 chars; rate-limit key uses the LAST X-Forwarded-For hop (proxy-stamped), not the spoofable leftmost.

Medium:
- Untrusted SideEffectHint:"none" can't suppress a side-effecting GET/HEAD.
- Run ids are 128-bit (32 hex); Save fails closed on a same-id different-signature collision (idempotent re-save still allowed).
- Web host enforces retention: per-tenant live runs capped to INTENTMESH_RUNS_KEEP (default 1000; older archived).
- Opt-in NuGet signing wired in CI (signs when a cert secret is set; checksums after).
- Doc/version drift fixed (README version; stale WEB_TOKEN proxy guidance replaced).

RunArtifactStore: RecordOwner/ReadOwner signing, RecordExternalCall/ReadExternalCall, ExternalCallRecord, RunOwner.Signature/KeyId.

5 new tests; 256 passing + 3 skipped.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Closes an eighth external review. Verified against current master first. 256 passing + 3 env-gated skipped.

High
- `IntentMesh.Core` when no `dataset/compiled` is on disk, so a published image starts self-contained instead of exiting fatally.
- `external.call.json` records the precise normalized JSON-RPC payload (incl. `write_file.content`, `edit_file.edits`, `search_files.pattern`, email body). Owner sidecar is HMAC-signed; MCP records a distinct principal (`Mcp_forward_records_the_signed_exact_payload_including_content`, `A_signed_owner_sidecar_detects_tampering_under_verification`).
- `INTENTMESH_AUTH_KEY` must differ from `INTENTMESH_AUDIT_KEY`; `INTENTMESH_PROXY_SECRET` ≥16 chars; rate-limit key uses the last (proxy-stamped) `X-Forwarded-For` hop.

Medium
- `SideEffectHint:"none"` can't suppress a side-effecting GET/HEAD (`OpenApiImporter_untrusted_none_hint_cannot_suppress_a_side_effecting_get`).
- `Run_id_is_a_128_bit_content_address_and_resave_is_idempotent`).
- `INTENTMESH_RUNS_KEEP`, default 1000) — `Retention_caps_live_runs_per_tenant`.
- `WEB_TOKEN` proxy guidance replaced).

🤖 Generated with Claude Code
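Four of the hardening rules listed in the PR description and restated in the comment above (the production-auth config checks, the rate-limit key taken from the last X-Forwarded-For hop, the HMAC-signed owner sidecar with a distinct principal and key id, and the fail-closed Save on a same-id/different-signature collision with idempotent re-save), as an added example written for this page. It is not IntentMesh's own code (the project is .NET; this is plain Python to keep it self-contained), and the names `validate_prod_config`, `rate_limit_key`, `sign_owner`, `verify_owner`, `new_run_id` and `RunStore`, as well as every sample header, key, tenant and principal value, are assumptions made here.

```python
"""Added example (not IntentMesh's code): four hardening rules from the PR, in plain Python.

1. validate_prod_config: INTENTMESH_AUTH_KEY must differ from INTENTMESH_AUDIT_KEY and
   INTENTMESH_PROXY_SECRET must be >= 16 chars (env var names are the PR's; values constructed).
2. rate_limit_key: key on the LAST X-Forwarded-For hop (stamped by the trusted proxy), never
   the leftmost (client-supplied, spoofable).
3. sign_owner / verify_owner: owner sidecar carrying tenant, a distinct principal and a keyId,
   signed with an HMAC over canonical JSON so tampering is detected under verification.
4. RunStore.save: 128-bit hex run ids; a same-id/different-signature collision fails closed,
   a byte-identical re-save is idempotent.
All function and class names below are assumptions for this example, not the project's API.
"""
import hashlib
import hmac
import json
import secrets


def validate_prod_config(env: dict) -> list[str]:
    """Return the production-auth problems found in an env mapping (empty list means OK)."""
    problems = []
    auth_key = env.get("INTENTMESH_AUTH_KEY", "")
    if auth_key and auth_key == env.get("INTENTMESH_AUDIT_KEY", ""):
        problems.append("INTENTMESH_AUTH_KEY must differ from INTENTMESH_AUDIT_KEY")
    if len(env.get("INTENTMESH_PROXY_SECRET", "")) < 16:
        problems.append("INTENTMESH_PROXY_SECRET must be at least 16 characters")
    return problems


def rate_limit_key(headers: dict, remote_addr: str) -> str:
    """Address the rate limiter keys on: last XFF hop (proxy-stamped), else the socket peer."""
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[-1] if hops else remote_addr


def _canonical(obj: dict) -> bytes:
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_owner(tenant: str, principal: str, audit_key: bytes, key_id: str) -> dict:
    """Build an HMAC-SHA256-signed owner sidecar recording a principal distinct from the tenant."""
    body = {"tenant": tenant, "principal": principal, "keyId": key_id}
    sig = hmac.new(audit_key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": sig}


def verify_owner(sidecar: dict, audit_key: bytes) -> bool:
    """Recompute the HMAC over every field except the signature and compare in constant time."""
    body = {k: v for k, v in sidecar.items() if k != "signature"}
    expected = hmac.new(audit_key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sidecar.get("signature", ""))


def new_run_id() -> str:
    """128-bit run id rendered as 32 lowercase hex characters."""
    return secrets.token_hex(16)


class RunStore:
    """In-memory stand-in for a run artifact store whose Save fails closed on collisions."""

    def __init__(self):
        self._runs: dict[str, dict] = {}

    def save(self, run_id: str, record: dict, signature: str) -> bool:
        if len(run_id) != 32 or any(c not in "0123456789abcdef" for c in run_id):
            raise ValueError("run id must be 32 lowercase hex chars (128 bits)")
        existing = self._runs.get(run_id)
        if existing is None:
            self._runs[run_id] = {"record": record, "signature": signature}
            return True
        if hmac.compare_digest(existing["signature"], signature):
            return True  # idempotent re-save of the identical run
        # Same id but a different signature: refuse rather than silently overwrite.
        raise ValueError(f"run id collision with different signature: {run_id}")


if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    print(validate_prod_config({"INTENTMESH_AUTH_KEY": "k" * 20,
                                "INTENTMESH_AUDIT_KEY": "k" * 20,
                                "INTENTMESH_PROXY_SECRET": "short"}))
    print(rate_limit_key({"X-Forwarded-For": "198.51.100.7, 10.0.0.5"}, "10.0.0.1"))
    owner = sign_owner("tenant-a", "user-42", b"example-audit-key", "audit-1")
    print(verify_owner(owner, b"example-audit-key"))
    owner["principal"] = "someone-else"
    print(verify_owner(owner, b"example-audit-key"))
```

The sidecar is verified over its canonical JSON rather than over the bytes as stored, so a re-serialised but unmodified record still verifies; the constant-time comparison in `verify_owner` and in `RunStore.save` avoids leaking signature bytes through timing.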