[FOLLOWUP #202] Privacy-gate mechanical-net precision + wrapper hardening #203

Description

@kiki830621

Follow-up findings from #202 Phase 1 verify (adversarial wrapper-security review). All NON-BLOCKING — the gate is correct and attestation enforcement is airtight (11 break-probes, none reached exec gh without a valid attestation). These are scripts/gh-egress.sh mechanical-net precision + edge-case hardening.

Recommended before wider rollout

1. Over-broad .claude.json filename net (dogfooding hazard). part (i) refuses any body merely mentioning the filename .claude.json. The bare filename is public (it's in Anthropic's docs); the private thing is its contents (already handled by part (ii)). Effect: issues discussing the config file — including issues about this gate itself, like #202 — cannot be filed through the gate. Privacy benefit ≈ 0, friction real. Fix: drop the bare-filename check, keep the content match. Also aligns impl with the spec wording ("verbatim ~/.claude.json content", not the filename token).

2. Content net extracts all paths, not just project keys (comment/impl mismatch). part (ii) greps "(/[^"]{11,})" across the whole config, but the comment says "project-path string". Public tool paths in mcpServers[].command/env (e.g. /opt/homebrew/bin/...) get treated as leaks. Tighten to only the projects object. Friction is pure-loss on private/LIGHT repos.
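As an added illustration of the two precision fixes above, and not code from scripts/gh-egress.sh or the #202 project (the real wrapper is a bash script; this is a Python model of the same logic), the following contrasts the over-broad net (every quoted absolute path anywhere in the config, the {11,} quantifier from the issue) with the tightened one (only the keys of the top-level projects object), and drops the bare-filename check so a body that merely mentions ~/.claude.json passes. The config is a constructed stand-in shaped like ~/.claude.json, with invented paths; the function names are assumptions.

```python
import json
import re

# Constructed sample shaped like ~/.claude.json; every path here is invented.
# "projects" keys are the private part; mcpServers paths are public tool paths.
SAMPLE_CONFIG = json.dumps({
    "projects": {
        "/Users/alice/src/private-repo": {"allowedTools": []},
        "/Users/alice/src/another-client-repo": {"allowedTools": []},
    },
    "mcpServers": {
        "fs": {
            "command": "/opt/homebrew/bin/mcp-filesystem",
            "env": {"PATH": "/opt/homebrew/bin:/usr/bin"},
        },
    },
})

# Same minimum length as the issue's "(/[^"]{11,})" net, kept for the tightened
# variant so very short paths still do not trigger it.
MIN_PATH_LEN = 11


def all_paths_broad(config_text):
    """The over-broad net described in item 2: every quoted absolute path
    anywhere in the raw config text, including public tool paths."""
    return sorted(set(re.findall(r'"(/[^"]{11,})"', config_text)))


def project_paths(config_text):
    """The tightened net: only keys of the top-level 'projects' object.
    Parsing the JSON instead of grepping the whole file is what keeps
    mcpServers[].command/env paths out of the leak list."""
    cfg = json.loads(config_text)
    projects = cfg.get("projects", {})
    return sorted(p for p in projects
                  if p.startswith("/") and len(p) >= MIN_PATH_LEN)


def body_leaks(body, config_text):
    """Return the private project paths that appear verbatim in body.
    An empty list means the body passes the content net. Note there is
    deliberately no check for the bare filename '.claude.json' (item 1):
    the filename is public, only its contents are private."""
    return [p for p in project_paths(config_text) if p in body]


if __name__ == "__main__":
    # Public tool path: flagged by the broad net, not by the tightened one.
    print("broad net  :", all_paths_broad(SAMPLE_CONFIG))
    print("projects   :", project_paths(SAMPLE_CONFIG))
    ok_body = "The gate reads ~/.claude.json and runs /opt/homebrew/bin/mcp-filesystem"
    bad_body = "Repro seen in /Users/alice/src/private-repo today"
    print("ok_body leaks :", body_leaks(ok_body, SAMPLE_CONFIG))    # []
    print("bad_body leaks:", body_leaks(bad_body, SAMPLE_CONFIG))   # the private key
```

Running it shows the broad net listing four paths, two of which are public homebrew paths, while the tightened net lists only the two project keys; a body that names the config file and a public tool path passes, and a body quoting a project key is still refused.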

Edge-case hardening (belt-and-suspenders; off the real idd-issue path)

  1. stdin/FIFO body-file bypass (-F -, -F /dev/stdin, -F <(...)): [ -r "$arg" ] is false, body unscanned but gh still reads it. Architecturally hard (can't consume the stream gh needs). LLM self-review remains primary.
  2. $HOME unbound crash under set -u: aborts exit 1 (undocumented) if both IDD_CLAUDE_JSON and HOME unset. Fails closed; rare.
  3. Phantom empty positional arg: exec ... "${GH_ARGS[@]:-}" on an empty array yields issue create ''. Only on zero forwarded args (never real). Idiom fix: ${GH_ARGS[@]+"${GH_ARGS[@]}"}.
  4. Split-token attestation — body as separate unquoted tokens --body --scrub-attested warn sets ATTESTED with no real attestation. Not reachable from well-formed callers (quoted single-arg body is correctly refused).

Source: #202 Phase 1 verify — adversarial wrapper-security reviewer. Refs #202.
