Files
portal/docs/superpowers/specs
Дмитрий b510a75826 spec(router-gate): v2 closes 10 holes from adversarial audit
Adversarial review of v1 found 10 bypass paths:
- Fatal: AskUserQuestion = universal unlock (1 question = full bypass)
- Critical: Bash unlimited / Skill-invoke-no-followthrough / State-files edit
- Serious: Subagent inheritance / Direct-invocation regex too wide
- Edge cases: leading questions / multi-direct / failure mode / chain TTL

V2 closes all 10:
- 3.1 Protected paths (hard-deny for runtime/settings/skill/hook files)
- 3.2 Subagent gate inheritance via subagent-prompt-prefix injection
- 3.3 Failure modes — explicit fail-CLOSE policy
- 3 chain-state TTL 24h + explicit-clear markers
- 4 Direct invocation = strict whitelist (slash-cmd / Skill() / used N / делай exact)
- 4 Multiple direct invocations require AskUser between executions
- 4.5 AskUserQuestion answer parsing — gate reads transcript response,
  unlocks only for explicitly-approved action, blocks on stop answer
- 4.6 Post-skill partial unlock (Read/Grep/next-chain-step allowed,
  Edit/Write require additional AskUser, Bash requires whitelist+approval)
- 4.7 Question quality detector in rationalization-audit (blocks
  missing-stop-option, flags leading options, off-topic questions)
- 5.1 Bash content rules: whitelist read-only / hard-blacklist mutating /
  conditional-whitelist after AskUser approval / path-deny overlay

Implementation cost: 6-8.5h (v1) to 8.5-12h (v2). +2.5-3.5h for
Bash content parser, answer parser, question-quality detector,
hard-deny logic.

Spec v1 (commit 7a43c175) remains in git as baseline.

cspell-words.txt += детектирован / fgrep / chgrp.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-29 05:24:40 +03:00
..
@
2026-05-17 15:32:03 +03:00