KeiSei84 65d17007c3 feat(v0.42): 6 fixes from 4-CLI re-audit (CRITICAL + 2 HIGH + 3 MED) ... Convergent dogfood audit by Claude+Grok+Gemini+Copilot on v0.41 surfaced that the v0.41 'fixes' were incomplete. 3 of 4 reviewers independently found the same CRITICAL bypass; Gemini wrote a Rust test suite to verify. ## Convergent findings → v0.42 fixes [#1 CRITICAL] Symlink leaf bypass (3-of-4 convergent) v0.41 only canonicalized PARENT, then re-attached leaf as-is. Exploit: 1. kei_bash 'ln -s ~/.ssh/authorized_keys ./cfg.txt' (passes the bash hook chain — ln itself is non-destructive) 2. kei_write file_path=cfg.txt content=<key> validate_path saw $PWD/cfg.txt (allowed) → fs::write followed leaf symlink → overwrote authorized_keys. Fix: canonicalize FULL path (incl. leaf) when file exists; for new files, symlink_metadata on leaf and reject is_symlink. Now the denylist check sees the real target. [#2 HIGH] $HOME blanket-allowed = self-neutering (2-of-4 convergent) allowed_roots() defaulted to [$PWD, $HOME], denylist only had 4 secret dirs. So kei_write $HOME/.claude/hooks/no-github-push.sh content='exit 0' was ALLOWED — agent could overwrite the substrate's own policy hooks. Similar attacks on ~/.zshrc (RCE on next shell), ~/.gitconfig, ~/.npmrc. Fix: default to $PWD only. Denylist extended with .claude/, .grok/, .gemini/, .copilot/, .kimi/, all major shell-init files, and additional credential paths. KEI_ALLOWED_ROOTS for explicit widening. [#3 HIGH] Empty-section fail-OPEN (Gemini test-verified) v0.41 'fail-closed on missing config' fix was incomplete: if config file existed but section [bash]/[edit]/[write] was empty, load_chain returned Ok(vec![]) → run_chain early-returned Ok → action ran ungated. Fix: empty chain also FAIL-CLOSED with same KEI_POLICY_CHAIN_OPTIONAL opt-in. [#4 MEDIUM] load_chain still blocked tokio worker (Claude) v0.41 fix #4 converted handle_edit/handle_write reads to tokio::fs but left load_chain on std::fs. Slow/hung mount on policy-chain.toml would freeze a worker for every safe_* invocation. Fix: load_chain → async + tokio::fs::{try_exists, read_to_string}. [#5 MEDIUM] process_group only applied to bash, not hooks (Claude) v0.41 fix #5 set_process_group on kei_bash's child shell, but the hook subprocess (spawned per-hook in run_chain) was NOT in its own group. On hook timeout, kill_on_drop killed only the immediate hook process; grandchildren orphaned — the exact failure mode fix #5 was meant to prevent. Fix: set_process_group + killpg also on hook spawn in run_chain. [#6 MEDIUM] Per-step vs aggregate timeout (Claude) Doc claimed 'Hard cap on single chain + action — 60s'. Actual: each hook gets independent 60s, then action gets another 60s. For a 3-hook bash chain that's 240s max — 4× documented. Status: documented as known-limit; single-deadline impl deferred to v0.43 (not security-blocking, just a doc/correctness drift). ## Verification (8 smokes — all green) /etc/passwd → denied (system dir) ✓ ../escape.txt → denied (../ segment) ✓ /tmp/symlink → /etc/passwd writeable → denied (resolved /private/etc) ✓ NEW ~/.claude/hooks/no-github-push.sh → denied (substrate dir) ✓ NEW ~/.zshrc → denied (shell-init file) ✓ NEW policy-chain.toml empty [bash] → FAIL-CLOSED ✓ NEW KEI_POLICY_CHAIN_OPTIONAL=1 → opt-in pass-through ✓ kei_bash git-push-github → BLOCKED (regression) ✓ kei_bash echo HELLO → returns content (regression) ✓ cargo test -p kei-mcp: 3/3 still pass. ## Architecture note from Grok Grok architect flagged: safe_tools.rs is 474 LOC, exceeds Constructor Pattern 200-line threshold. v0.42 does NOT refactor (security fixes shipped first); v0.43 will extract path_guard.rs + chain_runner.rs. ## Per-CLI audit value demonstrated Claude — 5 issues + 5 minor, exhaustive line-anchored analysis Grok — architectural review with grep-verified citations Gemini — wrote Rust test project to verify findings (PoC code!) Copilot — partial fact-check, ran out of mid-task		2026-05-26 21:33:54 +08:00
..
kei	feat(v0.42): 6 fixes from 4-CLI re-audit (CRITICAL + 2 HIGH + 3 MED)	2026-05-26 21:33:54 +08:00