5
1
Fork
You've already forked hence
0

harden: security fixes, durability, and repo hygiene #18

Open
hugooconnor wants to merge 1 commit from harden/security-and-hygiene-fixes into main
pull from: harden/security-and-hygiene-fixes
merge into: anuna:main
anuna:main
anuna:hence/plan-IMPL-015-review-fixes
anuna:hence/plan-IMPL-015
anuna:hence/plan-IMPL-011-continuation
anuna:feat/req-006-supervision
anuna:audit-fixes
anuna:feat/improvements-sprint
anuna:spindle-lisp-refactor

Hardens hence following a multi-agent review: security fixes, durability guarantees for concurrent plan mutation, repo hygiene, and contributor onboarding. All ten findings were source-verified (a couple of agent-flagged issues turned out to be false positives and were dropped).

Security

  • identity: private keys now written 0o600; loading repairs loose perms on existing identity files in place
  • storage: bootstrap peer hints validated as multiaddrs before caching (prevents registry poisoning by a malicious peer); replica_path rejects non-hex plan ids (path-traversal footgun)
  • remote/client: capability tokens validated before URL-path interpolation

Durability & correctness

  • lifecycle: P2P appends hold a PlanFileLock across the decrypt-append-reencrypt cycle — fixes silent lost updates when concurrent agents mutate the same plan. Local appends now lock + fsync, matching the spawn path.
  • storage: replica writes are atomic (temp file + rename) so a crash mid-write can't corrupt a replica
  • complete: uses the format-aware separator instead of a hardcoded SPL hyphen

Tests & CI

  • identity: added unit tests (keygen, PKCS#8 round-trip, permissions) to a previously untested module
  • perf: untimed warmup before the latency NFR measurement (first-exec OS overhead was masking the real ~60ms timing)
  • ci: new release-build perf job so the NFR-007 bounds (binary size, latency) are actually enforced — debug builds relax them

Hygiene & docs

  • .gitignore now covers binaries, tarballs, dist dirs, PDFs, scratch files
  • main.rs: dropped misleading #[allow(dead_code)] on live modules; kept targeted item-level allows where warnings would otherwise fire (this surfaced that the auth SPAKE2 module is genuinely unwired)
  • added CONTRIBUTING.md documenting the sibling spindle-rust checkout
  • README: replaced stale Racket build steps with accurate Rust instructions
  • archived docs-audit.md (v0.6.7) under reviews/

Verification

  • cargo test: 984 passed, 0 failed, 12 ignored (P2P network tests)
  • cargo test --release --test perf: passes
  • cargo fmt --check and cargo clippy -- -D warnings: clean

🤖 Generated with Claude Code

Hardens hence following a multi-agent review: security fixes, durability guarantees for concurrent plan mutation, repo hygiene, and contributor onboarding. All ten findings were source-verified (a couple of agent-flagged issues turned out to be false positives and were dropped). ## Security - **identity**: private keys now written `0o600`; loading repairs loose perms on existing identity files in place - **storage**: bootstrap peer hints validated as multiaddrs before caching (prevents registry poisoning by a malicious peer); `replica_path` rejects non-hex plan ids (path-traversal footgun) - **remote/client**: capability tokens validated before URL-path interpolation ## Durability & correctness - **lifecycle**: P2P appends hold a `PlanFileLock` across the decrypt-append-reencrypt cycle — fixes silent lost updates when concurrent agents mutate the same plan. Local appends now lock + `fsync`, matching the spawn path. - **storage**: replica writes are atomic (temp file + rename) so a crash mid-write can't corrupt a replica - **complete**: uses the format-aware separator instead of a hardcoded SPL hyphen ## Tests & CI - **identity**: added unit tests (keygen, PKCS#8 round-trip, permissions) to a previously untested module - **perf**: untimed warmup before the latency NFR measurement (first-exec OS overhead was masking the real ~60ms timing) - **ci**: new release-build perf job so the NFR-007 bounds (binary size, latency) are actually enforced — debug builds relax them ## Hygiene & docs - `.gitignore` now covers binaries, tarballs, dist dirs, PDFs, scratch files - `main.rs`: dropped misleading `#[allow(dead_code)]` on live modules; kept targeted item-level allows where warnings would otherwise fire (this surfaced that the `auth` SPAKE2 module is genuinely unwired) - added `CONTRIBUTING.md` documenting the sibling `spindle-rust` checkout - README: replaced stale Racket build steps with accurate Rust instructions - archived `docs-audit.md` (v0.6.7) under `reviews/` ## Verification - `cargo test`: 984 passed, 0 failed, 12 ignored (P2P network tests) - `cargo test --release --test perf`: passes - `cargo fmt --check` and `cargo clippy -- -D warnings`: clean 🤖 Generated with [Claude Code](https://claude.com/claude-code)
harden: security fixes, durability, and repo hygiene
Some checks failed
ci/woodpecker/push/ci Pipeline failed
ci/woodpecker/pr/ci Pipeline failed
74854b6d2a
Security
- identity: write private keys 0o600; repair loose perms on load
- storage: validate bootstrap hints as multiaddrs before caching
- storage: reject non-hex plan ids in replica_path (path traversal)
- remote/client: validate capability tokens before URL interpolation
Durability & correctness
- lifecycle: hold PlanFileLock across P2P decrypt-append-reencrypt
 (fixes lost updates between concurrent agents); lock + fsync local
 appends to match the spawn path
- storage: atomic replica writes (temp file + rename)
- complete: use format-aware separator instead of hardcoded hyphen
Tests & CI
- identity: add unit tests (keygen, PKCS#8 round-trip, permissions)
- perf: untimed warmup before the latency NFR measurement
- ci: add release-build perf job so NFR-007 bounds are enforced
Hygiene & docs
- gitignore: cover binaries, tarballs, dist dirs, PDFs, scratch files
- main: drop misleading dead_code allows on live modules; keep
 targeted item-level allows where warnings would otherwise fire
- add CONTRIBUTING.md documenting the sibling spindle-rust checkout
- README: replace stale Racket build steps with Rust instructions
- archive docs-audit.md (v0.6.7) under reviews/
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Some checks failed
ci/woodpecker/push/ci Pipeline failed
ci/woodpecker/pr/ci Pipeline failed
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin harden/security-and-hygiene-fixes:harden/security-and-hygiene-fixes
git switch harden/security-and-hygiene-fixes

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main
git merge --no-ff harden/security-and-hygiene-fixes
git switch harden/security-and-hygiene-fixes
git rebase main
git switch main
git merge --ff-only harden/security-and-hygiene-fixes
git switch harden/security-and-hygiene-fixes
git rebase main
git switch main
git merge --no-ff harden/security-and-hygiene-fixes
git switch main
git merge --squash harden/security-and-hygiene-fixes
git switch main
git merge --ff-only harden/security-and-hygiene-fixes
git switch main
git merge harden/security-and-hygiene-fixes
git push origin main
Sign in to join this conversation.
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
anuna/hence!18
Reference in a new issue
anuna/hence
No description provided.
Delete branch "harden/security-and-hygiene-fixes"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?