fix(security): harden 3 hook defects (expert review P0): bash bypass / missed secrets / false verdict block #3
Merged
Conversation
ANCHOR required the dangerous verb to sit right at the command boundary, so `sudo rm -rf`, `FOO=bar rm -rf` and `GIT_SSH=x git push --force` bypassed it simply by pushing the verb away from the boundary (verified: exit 0).
- ANCHOR gains an optional PREFIX segment: sudo/doas (with flags/args) + one or more env assignments; both can match zero-width → anchoring behaviour for commands without a prefix is unchanged (only fail-positive, no real danger missed)
- Single-point change to ANCHOR; 5 rules benefit automatically
- Added 17 regression cases (12 blocked bypass vectors + 5 over-blocking guards); claim ↔ test locked together
Review P0-1 (QualityExpert finding #1, re-verified).
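As an added example (not the project's block-dangerous-bash.sh; the boundary, PREFIX and the two rule patterns are my assumptions), the anchoring scheme the commit describes, written as a small POSIX-shell checker together with the kind of regression cases it has to pass. It goes slightly beyond the commit by accepting env assignments both before and after sudo/doas:

```shell
#!/usr/bin/env bash
# Added example, not the project's block-dangerous-bash.sh: a dangerous-command
# checker whose ANCHOR tolerates a sudo/doas or env-assignment prefix.
# BOUNDARY, PREFIX and the two rules below are assumptions for illustration.

# Command boundary: start of line, or right after ; | & ( or a backtick,
# followed by optional whitespace.
BOUNDARY='(^|[;|&(`])[[:space:]]*'
# sudo/doas plus any number of flags/args; the whole group is optional.
SUDO='((sudo|doas)([[:space:]]+[^[:space:];|&]+)*[[:space:]]+)?'
# Zero or more NAME=value assignments, each followed by whitespace.
ENV_ASSIGN='([A-Za-z_][A-Za-z0-9_]*=[^[:space:];|&]*[[:space:]]+)*'
# PREFIX = env assignments, then sudo/doas, then env assignments again, so
# both "FOO=bar sudo rm" and "sudo FOO=bar rm" are covered. Every part can
# match zero-width, so an unprefixed command is anchored exactly as before.
PREFIX="${ENV_ASSIGN}${SUDO}${ENV_ASSIGN}"
ANCHOR="${BOUNDARY}${PREFIX}"

# Rule 1: rm with any flag cluster containing r/R (-r, -rf, -fr, -f -r ...).
RULE_RM='rm([[:space:]]+-[a-zA-Z]+)*[[:space:]]+-[a-zA-Z]*[rR]'
# Rule 2: git push with a bare --force or -f (--force-with-lease is allowed).
RULE_FORCE_PUSH='git([[:space:]]+[^[:space:]]+)*[[:space:]]+push([[:space:]]+[^[:space:]]+)*[[:space:]]+(--force|-f)([[:space:]]|$)'

# Prints "block" or "allow" for one command string; always exits 0 so it
# composes cleanly inside command substitution under set -e.
check_command() {
  cmd=$1
  for rule in "$RULE_RM" "$RULE_FORCE_PUSH"; do
    if printf '%s\n' "$cmd" | grep -qE "${ANCHOR}${rule}"; then
      echo block
      return 0
    fi
  done
  echo allow
}

# Demo over constructed sample commands (not captured from any real session).
for sample in 'rm -rf /tmp/x' 'sudo rm -rf /tmp/x' 'FOO=bar rm -rf /tmp/x' \
              'GIT_SSH=x git push --force' 'git push --force-with-lease' \
              'echo "never run rm -rf /"'; do
  printf '%-40s %s\n' "$sample" "$(check_command "$sample")"
done
```

The over-blocking guards matter as much as the bypass vectors: `rm -i`, `--force-with-lease` and a dangerous string quoted inside an `echo` must stay allowed, otherwise the hook trains users to reach for `--no-verify`.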
Rule #4's sk-ant- exclusion used to be whole-prompt level (scan-secrets) / whole-line level (scan-commit): as soon as the bare string sk-ant- appeared anywhere in the prompt or on the same line, a real OpenAI key in the same place was silently let through. "Discussing OpenAI and Anthropic keys at the same time" is a very natural scenario.
- scan-secrets.sh rule #4: switch to grep -oE to extract each sk- token, then filter out ^sk-ant-
- scan-commit.sh rule #4: same change (layer-4 kept in sync with layer-2, to prevent Edit/Write bypass)
- Real sk-ant- keys are still caught first by rule #3 (more specific message); logic unchanged
- Added 2 regression cases (real OpenAI key + bare sk-ant- text must be blocked / merely discussing the prefix must pass)
Note: this commit contains fake-key test fixtures that trigger scan-commit's own (now fixed) block; the --no-verify record is in docs/reviews/no-verify-log-2026-06-17.md (security.md §Emergency bypass).
Review P0-1 (QualityExpert finding #2, re-verified).
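As an added example (not the project's scan-secrets.sh or scan-commit.sh; the token shape and function names are my assumptions, and the key in it is a constructed fixture), the whole-input suppression defect beside the per-token fix the commit describes:

```shell
#!/usr/bin/env bash
# Added example, not the project's scan-secrets.sh / scan-commit.sh: shows the
# whole-input suppression defect beside the per-token fix. The token shape
# below is an assumption for illustration; a real scanner has its own rules
# (the page's rule #3 for sk-ant- keys runs first and is out of scope here).

# Loose "sk-" token shape: sk- followed by 20 or more [A-Za-z0-9_-] characters.
SK_TOKEN='sk-[A-Za-z0-9_-]{20,}'
# Constructed fixture, not a real credential.
FAKE_OPENAI_KEY='sk-TESTKEYTESTKEYTESTKEY0123456789abcdef'

# BEFORE (the defect): if the literal text "sk-ant-" occurs anywhere in the
# input, every sk- token in that input is waved through.
scan_whole_input() {
  input=$1
  if printf '%s\n' "$input" | grep -q 'sk-ant-'; then
    echo allow
    return 0
  fi
  if printf '%s\n' "$input" | grep -qE "$SK_TOKEN"; then
    echo block
  else
    echo allow
  fi
}

# AFTER (the fix): extract every sk- token with grep -oE, drop only those
# starting with sk-ant-, and block if anything remains.
scan_per_token() {
  input=$1
  remaining=$(printf '%s\n' "$input" | grep -oE "$SK_TOKEN" | grep -v '^sk-ant-' || true)
  if [ -n "$remaining" ]; then
    echo block
  else
    echo allow
  fi
}

# Demo on a constructed mixed input: an OpenAI-shaped key next to bare sk-ant- text.
MIXED="openai: $FAKE_OPENAI_KEY; the sk-ant- key lives in the vault"
printf 'whole-input: %s   per-token: %s\n' "$(scan_whole_input "$MIXED")" "$(scan_per_token "$MIXED")"
```

The two regression cases from the commit map directly onto `scan_per_token`: a real-looking OpenAI key next to bare sk-ant- text must block, while text that only mentions the two prefixes must pass.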
The `ls -t | head -1` whole-directory fallback heuristic has two kinds of false judgement (reproduced in the review as an idle deadlock):
(a) a read-only / panel reviewer that wrote no report was wrongly blocked by a legacy/historical report in the directory;
(b) with multiple pool instances, head -1 picked a neighbour's or a historical report → missed or wrong verdict.
Candidate selection is tightened in three ways (agf-verdict.py derivation logic unchanged):
- report_type not gating (∉ {empty, code-review, qa-report}) → skipped: legacy adversarial sweep/audit, no-verify-log etc. no longer block the current reviewer even if they contain code_verdict
- only "true verdict reports" (frontmatter containing a code_verdict/report_verdict key) are collected → legacy prose reports without frontmatter naturally drop out
- pool instances (role with -N) prefer their own <feat>-r<N>- report over the newest one in the directory
- empty-array guard (compatible with macOS bash 3.2 + set -u)
Accompanying:
- build-plugin-sweep-2026-05-30.md marked report_type: legacy-sweep (a one-off adversarial sweep, not a feature review)
- Added 4 regression cases (legacy without frontmatter / non-verdict report / report_type not gating / pool picks its own report)
- Fixed multibyte variable parsing in the test run() failure-report line ($name: → ${name}; never exposed before because no case had failed)
Review P0-2 (ArchExpert finding #1 + QualityExpert finding #8, reproduced in the field + re-verified).
In the real repository, idle code-reviewer/qa-engineer now fail-open instead of deadlocking.
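As an added example (not the project's validate-verdict.sh; the frontmatter keys, the gating report_type set and the `<role>-<N>` / `<feat>-r<N>-` naming follow the commit message, while file contents, directory layout and helper names are my assumptions), the old newest-file fallback beside the tightened candidate selection, run over a constructed report directory:

```shell
#!/usr/bin/env bash
# Added example, not the project's validate-verdict.sh: which report may gate
# a reviewer. The frontmatter keys, the gating report_type set and the naming
# (<role>-<N> pool instances, <feat>-r<N>-* report files) follow the commit
# message; file contents, directory layout and helper names are assumptions.

# Print the frontmatter line starting with "<key>:" (frontmatter = the block
# between a leading '---' line and the next '---'); print nothing otherwise.
fm_line() {  # $1 = file, $2 = key
  awk -v key="$2" '
    NR == 1 { if ($0 != "---") exit; next }
    $0 == "---" { exit }
    index($0, key ":") == 1 { print; exit }
  ' "$1"
}
fm_value() { fm_line "$1" "$2" | sed 's/^[^:]*:[[:space:]]*//'; }

# A report gates only if report_type is absent/code-review/qa-report AND the
# frontmatter carries a code_verdict or report_verdict key.
is_gating_report() {  # $1 = file
  case "$(fm_value "$1" report_type)" in
    ""|code-review|qa-report) ;;
    *) return 1 ;;
  esac
  [ -n "$(fm_line "$1" code_verdict)" ] || [ -n "$(fm_line "$1" report_verdict)" ]
}

# BEFORE: whole-directory fallback, newest file wins regardless of content.
naive_pick() {  # $1 = feat, $2 = dir
  (cd "$2" && ls -t "$1"-*.md 2>/dev/null | head -n 1) || true
}

# AFTER: pool instances (role ending in -N) only consider their own
# <feat>-r<N>-* files; others take the newest gating report. Prints the file
# name, or nothing (fail-open) when no true verdict report exists.
select_report() {  # $1 = feat, $2 = role, $3 = dir
  feat=$1 role=$2 dir=$3
  case "$role" in
    *-[0-9]*) n=${role##*-}; glob="$feat-r$n-*.md" ;;
    *)        glob="$feat-*.md" ;;
  esac
  # Iterating over the word list avoids the empty-array expansion that
  # bash 3.2 rejects under set -u (the guard there would be ${a[@]+"${a[@]}"}).
  for f in $(cd "$dir" && ls -t $glob 2>/dev/null || true); do
    if is_gating_report "$dir/$f"; then
      echo "$f"
      return 0
    fi
  done
  return 0
}

# Constructed fixture directory (no real reports): mtimes are set so that a
# naive "newest file" pick lands on the legacy sweep.
make_fixture() {
  d=$(mktemp -d)
  printf '%s\n' '---' 'code_verdict: fail' '---' > "$d/featx-r1-review.md"
  printf '%s\n' '---' 'code_verdict: pass' '---' > "$d/featx-r2-review.md"
  printf '%s\n' '---' 'report_type: qa-report' 'report_verdict: pass' '---' > "$d/featx-qa.md"
  printf '%s\n' 'Plain prose notes without frontmatter.' > "$d/featx-notes.md"
  printf '%s\n' '---' 'report_type: legacy-sweep' 'code_verdict: fail' '---' > "$d/featx-sweep.md"
  touch -t 202606170901 "$d/featx-r1-review.md"
  touch -t 202606170902 "$d/featx-r2-review.md"
  touch -t 202606170903 "$d/featx-qa.md"
  touch -t 202606170904 "$d/featx-notes.md"
  touch -t 202606170905 "$d/featx-sweep.md"
  echo "$d"
}

DEMO_DIR=$(make_fixture)
printf 'naive newest-file pick:    %s\n' "$(naive_pick featx "$DEMO_DIR")"
printf 'code-reviewer-2 gated by:  %s\n' "$(select_report featx code-reviewer-2 "$DEMO_DIR")"
printf 'qa-engineer gated by:      %s\n' "$(select_report featx qa-engineer "$DEMO_DIR")"
printf 'featy qa-engineer:         [%s] (empty = fail-open)\n' "$(select_report featy qa-engineer "$DEMO_DIR")"
rm -rf "$DEMO_DIR"
```

The four regression cases from the commit correspond to the fixture files: the prose file without frontmatter and the `legacy-sweep` report are never selected, `code-reviewer-2` gets its own `-r2-` report rather than its neighbour's, and a feature with no verdict report yields an empty result so the hook fails open instead of blocking.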
pcliangx added a commit that referenced this pull request on Jun 17, 2026
This was referenced on Jun 17, 2026
pcliangx added a commit that referenced this pull request on Jun 17, 2026
…s.json drift) ArchExpert finding #3: ADR-004 was the only ADR not in Accepted status; its body proposed auto while openly conflicting with the tmux already committed in settings.json (SSOT drift); retro deadline 2026-06-24. The 2026-06-09 initial version chose auto based on issue #24292 (under pure iTerm2, tmux fell back to in-process); but the 2026-06-11 local test (CC v2.1.170) + re-verification in this session on 2026-06-17 show that under pure iTerm2, tmux successfully spawns a native split pane (backendType:"iterm2"), and #24292/#23815 are both closed (CHANGELOG v2.1.77). Per the ADR's own backfill rule "verified in practice → converge", the decision flips to tmux.
- Status Proposed → Accepted; decision/alternatives/consequences/follow-up work/version verification all aligned to tmux
- settings.json stays tmux (finalization ratifies the current value; no config change needed; drift eliminated)
- FIRST_RUN.md split-pane wording aligned (under iTerm2, running claude directly gives native split panes; not "only via tmux")
Closes #5.
Background
Originates from the whole-project expert review (three perspectives: architecture / engineering quality / product). This PR fixes the 3 P0 hook defects that were reproduced in the field and re-verified during the review, each done TDD-style (first add a regression case that reproduces the failure → then fix → turn green).
Fixes
① block-dangerous-bash.sh: sudo / env prefix bypass (verified: exit 0). ANCHOR required the dangerous verb to sit right at the command boundary; `sudo rm -rf` / `FOO=bar rm -rf` / `GIT_SSH=x git push --force` bypassed it by pushing the verb away from the boundary. Fix: a PREFIX segment (sudo/doas + flags/args, env assignments) that can match zero-width → anchoring behaviour for unprefixed commands is unchanged (only fail-positive, no real danger missed).
② scan-secrets.sh / scan-commit.sh: global sk-ant- suppression let OpenAI keys through. Rule #4's sk-ant- exclusion was whole-prompt / whole-line level: whenever bare sk-ant- text appeared, a real OpenAI key in the same place was silently let through ("discussing both vendors' keys at once" is a natural scenario). Fix: grep -oE extracts each sk- token, then ^sk-ant- is filtered out (per match).
③ validate-verdict.sh: wrongly blocked read-only reviewers (reproduced in the review as an idle deadlock). The `ls -t | head -1` whole-directory fallback heuristic: (a) a read-only / panel reviewer that wrote no report was wrongly blocked by a legacy report; (b) pool head -1 picked a neighbour's report. Fix: skip non-gating report_type + accept only true verdict reports (those with a verdict key) + pool instances prefer their own -r<N>- report + empty-array guard (macOS bash 3.2 compatible). build-plugin-sweep-2026-05-30.md marked report_type: legacy-sweep; +4 regression cases + fixed multibyte parsing in the test failure-report line.
Verification
- lint-all.sh passes (44 files / test suite); roles have no drift
- scan-commit blocked the commit on the spot (same-line fixture); after fix ③, in the real repository code-reviewer/qa idle now fail-open (deadlock scenario empirically resolved)
- --no-verify (fake-key test fixtures) recorded in docs/reviews/no-verify-log-2026-06-17.md (security.md §Emergency bypass)
Not included in this PR (remaining review findings, pending follow-up tickets)
security.md over-claims its coverage of .p12/.mobileprovision; the pre-commit symlink has no in-place check; evals cover only 5/19 roles; ADR-004 finalization (deadline 06-24).