From 343b0fb94ab19c696476c32733ef460326254ca1 Mon Sep 17 00:00:00 2001
From: vikingowl <26+vikingowl@noreply.somegit.dev>
Date: Tue, 19 May 2026 23:30:08 +0200
Subject: [PATCH] chore(todo): mark post-audit security work complete
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Waves 1-3 + ADR-004 are all merged; the 2026-05-19 external audit's 14
findings are closed. TODO.md no longer needs to track the in-progress
wave or scoped-but-not-drafted waves — they're all done.
---
 TODO.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/TODO.md b/TODO.md
index 887609c..9d2f011 100644
--- a/TODO.md
+++ b/TODO.md
@@ -2,13 +2,13 @@ Active plans, newest first: -- **[`docs/superpowers/plans/2026-05-19-security-wave1-safeprovider.md`](docs/superpowers/plans/2026-05-19-security-wave1-safeprovider.md)** - — post-audit hardening, Wave 1. Closes the four firewall-bypass - call sites (SLM classifier, summarizer, prompt hook, routerStreamer) - by introducing `security.SafeProvider` at the provider boundary. - **In progress on `feat/security-wave1-safeprovider`** — implementation - complete; ADR and merge pending. Waves 2 (incognito coherence) and - 3 (scanner + path hygiene) are scoped but not yet drafted. +- **Post-audit security hardening** — **complete (2026-05-19)**. All 14 + findings from the external review are closed across three waves + + one ADR: + - [Wave 1 — SafeProvider boundary](docs/superpowers/plans/2026-05-19-security-wave1-safeprovider.md) + - [Wave 2 — Incognito coherence](docs/superpowers/plans/2026-05-19-security-wave2-incognito.md) + - [Wave 3 — Scanner + path hygiene](docs/superpowers/plans/2026-05-19-security-wave3-scanner-paths.md) + - [ADR-004 — PostToolUse hook ordering](docs/essentials/decisions/004-posttooluse-hook-ordering.md) - **[`docs/superpowers/plans/2026-05-19-post-slm-unlock.md`](docs/superpowers/plans/2026-05-19-post-slm-unlock.md)** — outstanding work after the SLM unlock session. Phases A (two-stage tool routing), B (CLI agent binary override), C (user profiles), and
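Review bot: the three new links under the "complete" entry (Wave 2, Wave 3, ADR-004) point at files this patch does not add, while the lines being removed say Waves 2 and 3 were "scoped but not yet drafted"; with the diffstat showing `1 file changed` (TODO.md only), please confirm `docs/superpowers/plans/2026-05-19-security-wave2-incognito.md`, `docs/superpowers/plans/2026-05-19-security-wave3-scanner-paths.md` and `docs/essentials/decisions/004-posttooluse-hook-ordering.md` already landed in earlier commits, otherwise these are dangling links on the day they were supposedly completed. Two smaller points on the same hunk: the new entry asserts "All 14 findings from the external review are closed" but no longer names what was closed (the removed text at least listed the four firewall-bypass call sites and `security.SafeProvider`), so link the audit report or a findings list so a reader can verify closure without opening each plan; and a finished item now sits directly under the unchanged context line "Active plans, newest first:", so either move it to a done/changelog section or adjust that heading.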