portal

Author SHA1 Message Date

Author	SHA1	Message	Date
Дмитрий	4cfca9cc55	feat(m5): 7.4 workflow-gate inline-script + keychain-паттерны (Пакет 7, C5, Блок 4.4) Закрыта дыра C5 (inline `script` был вне охвата → полный обход workflow-гейта): - decide: inline `script` гейтится как scriptPath — скан DANGEROUS_PATTERNS + одобрение по sha256 контента (approve_workflow_script, 5-мин окно). Без одобрения → block. - DANGEROUS_PATTERNS +keytar +get/set/delete/findPassword\|Credentials(Sync) — контроллер не напишет workflow, читающий ключ подписанта/судьи из OS-keychain (действует и для scriptPath). - main: при inline берёт content/sha256 из tool_input.script напрямую. NB: regex-детектор eval()/child_process — паттерн-матчер, не вызов (header-коммент L19-21). +5 тестов. enforce-workflow-gate 10/10. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 15:18:46 +03:00
Дмитрий	5520534424	feat(router-gate-v4): Stream H Task 3 — Workflow gate F2 hook (scriptPath approval + content scan + sha256 + resumeFromRunId block) Closes v3.8 FATAL F2: nested agent() calls inside Workflow scripts were invisible to PreToolUse gates. New tools/enforce-workflow-gate.mjs hook (PreToolUse, block-mode) enforces: 1. scriptPath requires approve_workflow_script record in ~/.claude/runtime/askuser-decisions-<sess>.jsonl with sha256 of content and 5-min window (mirrors approve_git_operation pattern). 2. scriptContent static-scanned for dangerous patterns: env-key reads (ROUTER_LLM_KEY/ANTHROPIC_API_KEY/GITHUB_TOKEN/SENTRY_AUTH_TOKEN), eval(), child_process spawn/exec/fork, absolute fs writes outside /tmp, path traversal (../../../). 3. sha256 mismatch between approval and current content → block (catches modification after approval). 4. resumeFromRunId blocked unconditionally (state replay risk per spec). 5. Per-agent inheritance via CLAUDE_GATE_INHERIT env is handled by subagent-prompt-prefix.mjs (Stream E) — this hook focuses on the outer Workflow tool call. Nested agent() inside Workflow inherits parent gate. Regression: vitest tools 1731/1731 GREEN (was 1726; +5 workflow-gate tests under "enforce-workflow-gate scriptPath approval (F2)" describe block). DEFERRED: .claude/settings.json registration (matcher "Workflow" → command "node tools/enforce-workflow-gate.mjs", block-mode, timeout 5000ms) — the settings.json file is in DEFAULT_PROTECTED_PATTERNS and enforce-read-path- deny.mjs (Smoke 5 emergency fix `25e184e5`) has no LEGIT_SKILLS exemption like enforce-normative-content-rules.mjs does. Harness Edit/Write tracker cannot be satisfied without a successful Read first. Will be batched into a single manual settings.json registration step at end of Phase H-α alongside H5/H6/H7 hook registrations. Hook code is fully implemented and unit-tested; activation pending settings.json update. Stream H Task 3 of 11. Plan: docs/superpowers/plans/2026-05-30-router-gate-v4-stream-H.md	2026-05-30 10:50:50 +03:00

Дмитрий

4cfca9cc55

feat(m5): 7.4 workflow-gate inline-script + keychain-паттерны (Пакет 7, C5, Блок 4.4)

Закрыта дыра C5 (inline `script` был вне охвата → полный обход workflow-гейта):
- decide: inline `script` гейтится как scriptPath — скан DANGEROUS_PATTERNS + одобрение по
  sha256 контента (approve_workflow_script, 5-мин окно). Без одобрения → block.
- DANGEROUS_PATTERNS +keytar +get/set/delete/findPassword|Credentials(Sync) — контроллер
  не напишет workflow, читающий ключ подписанта/судьи из OS-keychain (действует и для scriptPath).
- main: при inline берёт content/sha256 из tool_input.script напрямую.
NB: regex-детектор eval()/child_process — паттерн-матчер, не вызов (header-коммент L19-21).

+5 тестов. enforce-workflow-gate 10/10.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-07 15:18:46 +03:00

Дмитрий

5520534424

feat(router-gate-v4): Stream H Task 3 — Workflow gate F2 hook (scriptPath approval + content scan + sha256 + resumeFromRunId block)

Closes v3.8 FATAL F2: nested agent() calls inside Workflow scripts were
invisible to PreToolUse gates. New tools/enforce-workflow-gate.mjs hook
(PreToolUse, block-mode) enforces:

1. scriptPath requires approve_workflow_script record in
   ~/.claude/runtime/askuser-decisions-<sess>.jsonl with sha256 of content
   and 5-min window (mirrors approve_git_operation pattern).
2. scriptContent static-scanned for dangerous patterns: env-key reads
   (ROUTER_LLM_KEY/ANTHROPIC_API_KEY/GITHUB_TOKEN/SENTRY_AUTH_TOKEN),
   eval(), child_process spawn/exec/fork, absolute fs writes outside /tmp,
   path traversal (../../../).
3. sha256 mismatch between approval and current content → block (catches
   modification after approval).
4. resumeFromRunId blocked unconditionally (state replay risk per spec).
5. Per-agent inheritance via CLAUDE_GATE_INHERIT env is handled by
   subagent-prompt-prefix.mjs (Stream E) — this hook focuses on the outer
   Workflow tool call. Nested agent() inside Workflow inherits parent gate.

Regression: vitest tools 1731/1731 GREEN (was 1726; +5 workflow-gate tests
under "enforce-workflow-gate scriptPath approval (F2)" describe block).

DEFERRED: .claude/settings.json registration (matcher "Workflow" → command
"node tools/enforce-workflow-gate.mjs", block-mode, timeout 5000ms) — the
settings.json file is in DEFAULT_PROTECTED_PATTERNS and enforce-read-path-
deny.mjs (Smoke 5 emergency fix 25e184e5) has no LEGIT_SKILLS exemption
like enforce-normative-content-rules.mjs does. Harness Edit/Write tracker
cannot be satisfied without a successful Read first. Will be batched into
a single manual settings.json registration step at end of Phase H-α
alongside H5/H6/H7 hook registrations. Hook code is fully implemented and
unit-tested; activation pending settings.json update.

Stream H Task 3 of 11. Plan: docs/superpowers/plans/2026-05-30-router-gate-v4-stream-H.md

2026-05-30 10:50:50 +03:00

2 Commits