
Systematically harden CLI process trust boundaries #33

@tsavo-at-pieces

Description

Context

After the PR #29 hardening and follow-up fixes (6e04666), most review findings are addressed. A few broader, cross-command trust-boundary risks remain and should be handled as a dedicated pass.

This issue tracks those remaining items so they are implemented intentionally instead of piecemeal.

Remaining hardening scope

  1. Constrain the update-all --scan-root trust boundary

    • update_all_command.dart currently accepts an arbitrary scanRoot.
    • Add a policy and enforce it (e.g. require the root to lie within the cwd/repo unless an explicit override flag is passed).
  2. Reduce shell-string execution surface (sh -c)

    • Audit CiProcessRunner.runSync(command) call sites and other shell string interpolation paths.
    • Migrate to argument-array process APIs where practical.
    • For unavoidable shell strings, require centralized escaping helper and tests.
  3. Validate repository slug inputs consistently

    • Applies to --repo and GITHUB_REPOSITORY-derived values used in git URLs, tags, and links.
    • Enforce the canonical owner/repo format before use.
  4. Constrain writable/readable path inputs in prompt + artifact helpers

    • Validate path arguments (e.g., prompt/artifact file paths) resolve inside expected repo/runtime dirs.
  5. Add regression tests for these trust boundaries

    • Negative tests for rejected paths/slugs.
    • Positive tests for valid inputs.
    • Ensure behavior is explicit and documented.
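As an added illustration, not code from this project (which is in Dart), the checks behind items 1 to 4 sketched in Python: a slug validator, a resolve-then-contain path check with an explicit override, and a centralized argv-to-shell-string helper. The slug limits and all function names are this example's own assumptions.

```python
import re
import shlex
from pathlib import Path

# Canonical owner/repo. Segment rules approximate GitHub's limits (assumption):
# owner = alphanumerics and '-', not starting with '-', at most 39 chars;
# repo  = alphanumerics plus '.', '_', '-', at most 100 chars.
_SLUG = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,38}/[A-Za-z0-9._-]{1,100}$")


def is_repo_slug(raw: str) -> bool:
    """True only for a canonical owner/repo slug (item 3). Rejecting anything
    else up front keeps URL, tag and link builders from ever seeing extra '/'
    segments, '..', whitespace or shell metacharacters."""
    if not _SLUG.match(raw):
        return False
    repo = raw.split("/")[1]
    return repo not in (".", "..") and not repo.endswith(".git")


def require_repo_slug(raw: str) -> str:
    if not is_repo_slug(raw):
        raise ValueError(f"expected canonical owner/repo, got {raw!r}")
    return raw


def is_within(root, candidate) -> bool:
    """True if candidate resolves (symlinks and '..' included) inside root.
    Compares path components, not string prefixes, so 'repo-evil' is not
    treated as inside 'repo'. Non-strict, so not-yet-written files work."""
    root_p = Path(root).resolve()
    target = Path(candidate).resolve()
    return target == root_p or root_p in target.parents


def require_within(root, candidate, *, allow_outside: bool = False) -> Path:
    """Policy for scanRoot and prompt/artifact paths (items 1 and 4): must
    resolve inside root unless the caller passed an explicit override."""
    if allow_outside or is_within(root, candidate):
        return Path(candidate).resolve()
    raise ValueError(f"{candidate!r} resolves outside {root!r}")


def shell_string(argv) -> str:
    """Centralized escaping helper for the unavoidable 'sh -c' cases (item 2):
    the string is built from an argument list, never by interpolation."""
    return shlex.join(argv)
```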

Definition of done

  • scanRoot boundary policy implemented and tested.
  • Shell-string execution surface audited and reduced.
  • Repo slug validation implemented at all relevant entry points.
  • Path-boundary checks added for file-path inputs.
  • Tests added for each new guardrail.
  • Documentation updated where user-facing behavior changes.

Notes
