fix: Round 3+4 codebase audit fixes#27
Merged
Merged
Conversation
…or propagation H-1: Add filesystem capability sync to governance mid-run reload (governance_config.cpp) — FS_READ/FS_WRITE now removed when config tightens filesystem.mode, matching startup syncGovernanceToSandbox(). H-2: --diff formatter flag now shows unified diff output (main.cpp) instead of printing the full formatted text. M-1: JS executor re-throws on error (js_executor_adapter.cpp) instead of swallowing exceptions and returning null — matches Python executor. M-2: Document watch evaluation limitation in debugger (debugger.cpp). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
NAAb Governance Report
All governance checks passed! Generated by NAAb Governance Engine v4.0 |
Replaces terse "not yet implemented" with actionable guidance pointing to executeWithReturn() or the subprocess-based executor as alternatives. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…e guards, lockfile safety H-1: Add subscript (U+2090-U+209C) and superscript (U+2070-U+207F, U+00B2/B3/B9) normalization to governance Unicode scanner. Closes bypass vector where os.systeₘ() evaded pattern matching. M-1: Add dangerous Python import patterns (import os/subprocess/shutil/ ctypes/pty/commands) to checkCodeInjection() pre-execution scan. M-2: Add .is_string()/.is_boolean()/.is_number_integer() type guards to critical governance_config.cpp fields (version, extends, description, per-language timeout/max_lines/max_output_size, require_explicit, mode). M-3: Replace bare catch(...) in lockfile.cpp with logged exception + parse_failed flag that prevents save() from overwriting valid data. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--diffformatter flag now shows unified diff instead of full formatted textTest plan
cmake .. && make naab-lang -j4— 0 errorsbash run-all-tests.sh— 396 tests, 0 unexpected failures (2 runs)bash tests/security/test_error_msg_leaks.sh— 738 checks, 0 failures🤖 Generated with Claude Code