feat: protected-binary security primitives (repocfg schema + hook deny) #56
No reviewers
Labels
No labels
burndown-2026-06
sunday-sprint
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/cli-guard!56
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "feat/security-config-schema"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
What
The cli-guard half of the ward security-doctor / protected-binary work (coilyco-flight-deck/ward#4). Two generic primitives a consumer assembles into a
doctor securitysurface and a hook deny.Commits
feat(repocfg): add optional security: config section(closes #54) — declarativesecurity:block:protected_binaries,sudo.forbid_passwordless,hooks.{deny_bare_binaries,route_hints}. Parsed and validated, enforces nothing. Old commands-only configs unchanged.feat(hook): basename-aware protected-binary deny(closes #55) —hook.Protecteddenies a protected binary on the bare token, any absolute-path spelling, and afterenv/sudostrip. Closes the absolute-path bypass a token-keyedRouteleaves open (the 2026-05-08 deny-uv finding). Trailing variadic param, so existingPreToolUsecallers are unchanged. ExportsBasename.Why this shape
Per the repo boundary rule, both packages stay importable without consumer-specific defaults: the schema names fields but bakes in no policy, and the hook takes protected entries as data. The downstream consumer (ward, then kap) supplies the actual protected set.
Validation
go build ./...,go test ./repocfg/ ./hook/,go vet, andgodoc-current.txtregen all green. New tests cover the schema (full/empty/reject-path/reject-mode/reject-dup) and the hook deny (bare, absolute path, env/sudo prefix, piped, substring non-match).Not in this PR
ward-side wiring (
ward doctor security, hook denies,WARD_CONFIG) and the generic doctor host-checks (PATH-shim, sudo posture, credential-env) land separately. ward also needs its cli-guard dependency migrated off the oldgithub.com/coilysiren/cli-guardmodule path first.Adds a declarative security: block to the per-repo config: protected_binaries (name, mode, allowed_wrappers, expected_real_paths, credential_env), sudo.forbid_passwordless, and hooks.{deny_bare_binaries,route_hints}. repocfg parses and validates it (basename-only names, deny-direct mode, no dupes) and enforces nothing on its own. Existing commands: behavior unchanged; a config with no security: yields a zero Security. Dependency root for the ward security-doctor / protected-binary work (coilyco-flight-deck/ward#4). closes #54 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>