3 Commits

Author SHA1 Message Date
vikingowl 9853a522e6 refactor(security): consolidate TOCTOU-safe path canonicalization
3c87527 added engine/paths.go:resolveCanonical, duplicating the
ancestor-walk + EvalSymlinks algorithm that already lived in
fs/guard.go:ResolveWrite. Two implementations of the same TOCTOU defense
are exactly the wrong shape for security code — a bug fix in one would
silently miss the other.

Extracts the shared algorithm to security.CanonicalizePath. Both call
sites become thin wrappers that pre-anchor relative paths against the
appropriate root (cwd for engine, workspace root for guard). The
"hit-root" defensive branch in engine's version (commented "highly
unlikely") is tightened to match guard's error behavior.

Adds focused unit tests for the helper covering existing path,
non-existent leaf, non-existent mid-component, symlinked ancestor, and
relative-path rejection.
2026-05-20 01:50:38 +02:00
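The algorithm the commit message describes (walk up the ancestor chain until an existing directory is found, resolve that prefix with EvalSymlinks, re-attach the not-yet-existing suffix, reject unanchored relative paths) looks roughly like the following. This is an added illustration, not the repository's own `security.CanonicalizePath`, which is not shown on this page; the names `ResolveWithin`, `ErrRelativePath` and `ErrOutsideRoot` are this example's own, and `ResolveWithin` plays the role of the thin call-site wrapper that pre-anchors a relative path against its root and then checks containment.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrRelativePath: callers must anchor relative paths against the right root
// (cwd or workspace root) before canonicalizing. Example's own name.
var ErrRelativePath = errors.New("canonicalize: path must be absolute")

// ErrOutsideRoot: the canonical path resolved to somewhere outside the sandbox root.
var ErrOutsideRoot = errors.New("canonicalize: path escapes root")

// CanonicalizePath returns a symlink-free absolute path for p even when the
// leaf, or several trailing components, do not exist yet. It walks up the
// ancestor chain until EvalSymlinks succeeds, then re-attaches the unresolved
// suffix lexically. Any error other than "does not exist" (for example a
// regular file used as a directory) is returned rather than guessed around.
func CanonicalizePath(p string) (string, error) {
	if !filepath.IsAbs(p) {
		return "", ErrRelativePath
	}
	p = filepath.Clean(p)
	cur, rest := p, ""
	for {
		resolved, err := filepath.EvalSymlinks(cur)
		if err == nil {
			// Found an existing ancestor: rebuild from its real location.
			return filepath.Join(resolved, rest), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", fmt.Errorf("canonicalize %q: %w", p, err)
		}
		parent := filepath.Dir(cur)
		if parent == cur {
			// Reached the filesystem root without finding anything that exists.
			// The root always exists, so this is an error, not a fallback.
			return "", fmt.Errorf("canonicalize %q: no existing ancestor", p)
		}
		rest = filepath.Join(filepath.Base(cur), rest)
		cur = parent
	}
}

// ResolveWithin anchors p against root if it is relative, canonicalizes both,
// and confirms the result still lies under root. The containment check is
// the example's own addition; the page only describes the anchoring wrappers.
func ResolveWithin(root, p string) (string, error) {
	if !filepath.IsAbs(p) {
		p = filepath.Join(root, p)
	}
	canonRoot, err := CanonicalizePath(root)
	if err != nil {
		return "", err
	}
	canon, err := CanonicalizePath(p)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(canonRoot, canon)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return canon, nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: canon <root> <path>")
		os.Exit(2)
	}
	got, err := ResolveWithin(os.Args[1], os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "rejected:", err)
		os.Exit(1)
	}
	fmt.Println(got)
}
```

Two points a reviewer would check on any such helper: the suffix below the last existing ancestor is attached lexically, so the result is only trustworthy if the caller then creates or opens exactly the returned canonical path rather than re-resolving the original one later; and a regular file sitting where a directory is expected must surface as an error, not be treated as "does not exist" and silently skipped over.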
vikingowl 3c875276c9 feat(security): implement multi-wave audit remediation and agy provider support
Implemented full security remediation following Universal Security Pilot protocol:
- W1: Enforced SecureProvider at router and engine boundaries to prevent bypasses.
- W1: Implemented path-sensitive policy for MCP tools.
- W2: Added SHA256 hash verification for SLM downloads (llamafile).
- W3: Enhanced secret redaction for private keys (full body) and high-entropy strings.
- W4: Fixed symlink-based filesystem sandbox escapes in paths and grep.
- W4: Documented CLI agent trust boundaries.

Also added 'agy' (Antigravity) as a subprocess CLI provider with plain-text JSON schema support.
2026-05-20 01:13:13 +02:00
vikingowl 176926924c feat(engine): M8 cleanup — Wave B skill enforcement
- Add tool.PathSensitiveTool interface (ExtractPaths); implement on all 6 fs tools
- Add engine.TurnOptions.AllowedPaths: restricts tool filesystem access per skill invocation
- Bash is denied outright when AllowedPaths is active (unparseable command args)
- fs tools with empty path (cwd default) resolved via os.Getwd() and validated
- Add engine.TurnOptions.AllowedTools + AllowedPaths wiring in pipe mode (main.go) and TUI skill dispatch (tui/app.go)
- Remove TODO(M8.3) from skill.Frontmatter — enforcement is now complete
2026-05-07 15:29:33 +02:00