Skip to content

fix(integrity): re-baseline anchor on legitimate release upgrade#1263

Merged
FabioLeitao merged 2 commits into
mainfrom
fix/integrity-rebaseline-on-upgrade-1262
Jul 15, 2026
Merged

fix(integrity): re-baseline anchor on legitimate release upgrade#1263
FabioLeitao merged 2 commits into
mainfrom
fix/integrity-rebaseline-on-upgrade-1262

Conversation

@FabioLeitao

Copy link
Copy Markdown
Collaborator

Summary

Fixes false integrity_state=tampered / -alpha after a legitimate package upgrade that reuses the same SQLite DB (reproduced: pipx upgrade post4→post5 + shared audit_demo.db).

Cause: E.3 re-verify compared module hashes without checking whether release_label changed.

Fix: when stored release_label ≠ current _release_label(), UPDATE the single anchor row to the new baseline and append a re-baseline event. Same label + hash drift still tampers (not softened). Aligns with E.6 (tamper-evident, not proof).

Related: #1262 (issue exists; no auto-close — link only).

Test plan

  • ./scripts/check-all.sh --enforced
  • Upgrade path → validated + re-baseline event + one row
  • Same label + drift → still tampered
  • Bugbot on concurrency / soften risk

Security note

Re-baseline only on release_label change. GATE_FILE untouched.

Made with Cursor

Legitimate version bumps that change CRITICAL_MODULES no longer false-tint
as tampered when reusing SQLite; same-label hash drift still tampers (#1262).

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stale comment

Automated security review identified one net-new finding after deduplication and live-head revalidation.

Open in Web View Automation 

Sent by Cursor Security Agent: Security Reviewer

Comment thread core/integrity_anchor.py
Prove release upgrade stays clean (suffix empty) while same-label drift
still forces -alpha via is_tampered / alpha_version_suffix (#1262).
@FabioLeitao
FabioLeitao merged commit 034da7f into main Jul 15, 2026
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant