Final-polish pass: consolidate security primitives + fix audit-found defects#91
Merged
Conversation
…ects Final-polish pass driven by a multi-agent end-to-end audit (6 finder dimensions, every finding adversarially verified to reject churn; 3 of 13 rejected as spurious/cosmetic). A separate architecture re-audit found NO trust-boundary defects across the v0.6 additions. Defects fixed: - slack::SlackSignature::verify now bounds body/timestamp (MAX_SLACK_BODY / MAX_SLACK_TIMESTAMP) BEFORE any allocation or HMAC work — an unauthenticated caller can no longer force unbounded work (invariant 11). +1 test. - CHANGELOG.md [0.5.0]: merged the duplicate `### Added` block (a union-merge artifact) into one section; no content lost. - docs/live-socket-validation.md: reordered the scrambled F.4–F.7 subsections to ascending (also a union-merge artifact); refreshed F.7's CI-core list to mention the SlackSignature verifier. - README.md: stale test count 834 -> ~1,120 (badge + table). Architecture: - Consolidated the duplicated security primitives — the constant-time 32-byte compare (ct_eq) and hex decoders (hex_val, hex32_decode) — into crustcore-types::hash, beside sha256/hmac_sha256, as the single audited home for every MAC/signature check. Removed the copies from crustcore-receipts, crustcore-daemon (webhook + slack), and crustcore-dev (auth + backend). Behaviour-identical: every consumer's security tests pass unchanged. Net nano size impact ~0 (already in the nano-linked receipts/types graph). +3 tests. - Removed the now-unused DaemonSurface marker enum. `cargo xtask verify` green; nano 438416 bytes (53.5%), unchanged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…contract file] CONTRACT FILE (§7.3) — factual-only sync, no invariant/policy change; isolated in its own commit for serialized maintainer review: - Status line: note v0.5 (version roll) + v0.6 (the GitHub-PR-supervisor roadmap: D.1 task-loop, A.1-A.5, B.1-B.3, C.1-C.3, E.1-E.4, F.1-F.3) are merged to main; signed tag/sign/publish remains the only maintainer-owned step. - Roadmap pointer: docs/roadmap-v0.2.md -> docs/roadmap-v0.6.md (latest), with the v0.2 doc kept as the earlier reference. - Test count: ~834 -> ~1,120 workspace tests (actual: 1121 #[test] annotations). NOT changed (flagged for the maintainer): the nano size figures (478.7 KiB Linux / 412.0 KiB macOS, 59.8%) appear to have drifted — the local macOS size-check reports 428.1 KiB — but the flagship Linux x86_64 figure can't be re-measured off-Linux, so it's left for a maintainer Linux build to confirm. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
A final end-to-end cleanup pass, driven by a multi-agent audit (6 finder dimensions — changelog/runbook hygiene, cross-crate duplication, dead code, architecture/trust-boundary integrity, doc accuracy, consistency/bounds — with every finding adversarially verified to reject churn; 3 of 13 candidates rejected as spurious/cosmetic). A separate architecture re-audit confirmed no trust-boundary defects across the v0.6 additions.
Commit 1 —
polish:(non-contract)Defects fixed
SlackSignature::verifynow bounds untrusted input (MAX_SLACK_BODY/MAX_SLACK_TIMESTAMP) before any allocation or HMAC — an unauthenticated caller can no longer force unbounded work (invariant 11). +1 test.CHANGELOG.md [0.5.0]— merged the duplicate### Addedblock (union-merge artifact) into one section; no content lost.docs/live-socket-validation.md— reordered the scrambledF.4–F.7subsections to ascending; refreshed F.7's CI-core list.README.md— stale test count834→~1,120(badge + table).Architecture
ct_eq) + hex decoders (hex_val,hex32_decode) — intocrustcore-types::hash, besidesha256/hmac_sha256, as the single audited home for every MAC/signature check. Removed the copies fromcrustcore-receipts,crustcore-daemon(webhook + slack),crustcore-dev(auth + backend). Behaviour-identical — every consumer's security tests pass unchanged; net nano impact ~0. +3 tests.DaemonSurfacemarker enum.Commit 2 —⚠️ contract file (§7.3) — please review separately
docs(CLAUDE.md):Factual-only status sync (no invariant/policy change): notes v0.5/v0.6 merged to
main, points the roadmap link atdocs/roadmap-v0.6.md, and corrects the~834→~1,120test count. Isolated in its own commit so it can be reviewed/reverted independently.Flagged for the maintainer (not changed here)
The nano size figures in CLAUDE.md/README (478.7 KiB Linux / 412.0 KiB macOS, 59.8%) look drifted — the local macOS
size-checkreports 428.1 KiB — but the flagship Linux x86_64 number can't be re-measured off-Linux. Please re-confirm on a Linux build and update both docs.Verification
cargo xtask verifygreen (fmt, clippy-D warnings, ~1,120 tests, all-features, forbidden-deps, runbook-check, size gate). Nano 438416 bytes (428.1 KiB), 53.5% — unchanged.🤖 Generated with Claude Code