Skip to content

fix: security hardening across CLI#104

Merged
rhuanbarreto merged 7 commits into
mainfrom
worktree-nifty-singing-swing
Mar 21, 2026
Merged

fix: security hardening across CLI#104
rhuanbarreto merged 7 commits into
mainfrom
worktree-nifty-singing-swing

Conversation

@rhuanbarreto

Copy link
Copy Markdown
Contributor

Summary

  • RuleContext path sandboxing: All file operations (readFile, readJSON, grep, grepFiles, glob) validate paths stay within project root. Blocks ../ traversal, absolute paths, cross-drive access (Windows), and symlinks.
  • Credentials file permissions: ~/.archgate/credentials written with 0600 permissions.
  • URL credential encoding: encodeURIComponent() applied to credentials in marketplace URLs.
  • Tar extraction validation: Archive entries validated for path traversal before extraction in both plugin install and binary upgrade flows.
  • HTTP redirect protection: redirect: "error" on token claim, signup, and plugin download endpoints.
  • SHA256 checksum verification: Release workflow generates .sha256 files per artifact; archgate upgrade verifies checksums on download.
  • PII consent prompt: Signup flow asks for explicit consent before sending data to plugins service.
  • Corrupted settings resilience: claude-settings.ts wraps JSON parse in try-catch.
  • Path join consistency: adr/list.ts uses path.join() instead of template string concatenation.
  • Security documentation: New guide page (EN + PT-BR) covering trust model, CI/CD best practices for fork PRs, credential handling.

Test plan

  • bun run validate passes (lint, typecheck, format, 437 tests, 21 ADR rules, build)
  • New tests/engine/runner-security.test.ts covers path traversal, absolute paths, glob traversal, symlink rejection, and cross-drive access (7 tests)
  • Existing runner tests continue passing with sandboxed RuleContext
  • archgate check passes against the project's own ADRs

rhuanbarreto and others added 3 commits March 21, 2026 01:05
- Sandbox RuleContext file operations to project root (path traversal + symlink protection)
- Set credentials file permissions to 0600
- URL-encode credentials in marketplace URLs
- Validate tar archive entries before extraction (plugin-install + binary-upgrade)
- Disable HTTP redirects on security-sensitive fetch endpoints
- Add SHA256 checksum generation to release workflow and verification on download
- Add PII consent prompt before signup
- Wrap JSON.parse in try-catch for corrupted settings files
- Use path.join() instead of template string concatenation in adr/list
- Add security documentation page (EN + PT-BR)
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Mar 21, 2026

Copy link
Copy Markdown

Deploying archgate-cli with  Cloudflare Pages  Cloudflare Pages

Latest commit: fec0f68
Status: ✅  Deploy successful!
Preview URL: https://e065967e.archgate-cli.pages.dev
Branch Preview URL: https://worktree-nifty-singing-swing.archgate-cli.pages.dev

View logs

rhuanbarreto and others added 4 commits March 21, 2026 01:11
10 tests covering the full loadRuleAdrs → runChecks pipeline with
on-disk .rules.ts files attempting path traversal, absolute paths,
glob escapes, symlink following, and legitimate access.
@rhuanbarreto rhuanbarreto merged commit ba2ba49 into main Mar 21, 2026
9 checks passed
@rhuanbarreto rhuanbarreto deleted the worktree-nifty-singing-swing branch March 21, 2026 00:28
@github-actions github-actions Bot mentioned this pull request Mar 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant