Found during the Herdr landed-PR review swarm for PR #41.
Problem
Imported registry entries can currently preserve local-capable execution state,
and explicit remote-only service selection can still fall through to a local
daemon path when no remote URL is configured.
Evidence from the reviewed head:
src/config/loader.ts:322 preserves importedService.source.
src/config/schema.ts:38 permits local/stdio-capable service source values.
tests/config/loader.test.ts:537 codifies preservation of imported source.
src/process/client.ts:417 routes locally when source === "local" || !remote.
This is a trust-boundary bug. Imported registries should not be able to make a
client execute local commands, and source: "remote" should fail closed when no
remote endpoint is available.
Related but not sufficient coverage: #47 covers a narrower Open Brain
remote-local auth fallback case. This issue covers imported registry source
hardening and explicit remote-only routing.
Acceptance criteria
- Imported registry services are forced to remote-safe source semantics, or
local-capable imported backends/fallbacks are rejected.
- Explicit source: "remote" fails closed when no remote configuration exists.
- Regression tests cover imported registry source override/rejection.
- Regression tests cover remote-only service configuration with no remote URL.
- Relevant typecheck/test command is run and recorded in the fixing PR.
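The routing condition quoted in the evidence, beside a fail-closed form and a normalizer for imported entries, as an added example that is not the project's code. The types, the function names and the `remoteUrl` field are hypothetical. Only the `"local"`/`"remote"` source values and the `source === "local" || !remote` condition come from the issue.

```typescript
// Added example: hypothetical types and function names, not the project's code.
type Source = "local" | "remote";

interface Service {
  name: string;
  source: Source;
  remoteUrl?: string; // assumed field name for the configured remote endpoint
}

type Route = { kind: "local" } | { kind: "remote"; url: string };

// Routing condition as quoted in the issue: a missing remote falls through to local.
function routeFailOpen(svc: Service): Route {
  if (svc.source === "local" || !svc.remoteUrl) return { kind: "local" };
  return { kind: "remote", url: svc.remoteUrl };
}

// Fail-closed routing: only an explicit local source may take the local path.
function routeFailClosed(svc: Service): Route {
  if (svc.source === "local") return { kind: "local" };
  if (!svc.remoteUrl) {
    throw new Error(`service "${svc.name}" is remote-only but has no remote URL`);
  }
  return { kind: "remote", url: svc.remoteUrl };
}

// Imported entries cross a trust boundary: never preserve their declared source.
// This takes the "force to remote" option; rejecting local-capable entries is the other.
function normalizeImported(
  entry: { name: string; source?: string; remoteUrl?: string }
): Service {
  return { name: entry.name, source: "remote", remoteUrl: entry.remoteUrl };
}

// Constructed sample inputs.
const remoteOnlyNoUrl: Service = { name: "svc-a", source: "remote" };
const importedLocal = { name: "svc-b", source: "local" };

function didThrow(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}

console.log(routeFailOpen(remoteOnlyNoUrl).kind);               // falls through to local
console.log(didThrow(() => routeFailClosed(remoteOnlyNoUrl)));  // rejected
console.log(didThrow(() => routeFailClosed(normalizeImported(importedLocal))));
```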