Skip to content

fix(security): bind artifact recovery to file descriptor#16

Merged
OnourImpram merged 1 commit into
mainfrom
security/v0.6.1-artifact-export-toctou
Jul 17, 2026
Merged

fix(security): bind artifact recovery to file descriptor#16
OnourImpram merged 1 commit into
mainfrom
security/v0.6.1-artifact-export-toctou

Conversation

@OnourImpram

Copy link
Copy Markdown
Owner

Summary

Closes the post-merge CodeQL file-system race in artifact export recovery by opening an existing target once, validating descriptor and path identity, reading through the descriptor, and rejecting symlink, replacement, metadata, size, or content drift.

Also aligns all release metadata at v0.6.1 and records the security and release-validation contract.

## Verification

* Complete npm run safe:publish-check passed locally
* 103 test files and 680 tests passed
* Focused authority regression passed 6 of 6
* 53 schemas and 19 evaluator cases passed
* Privacy, brand, package, SBOM, site, CLI, PDF, and DOCX gates passed

## Release boundary

No npm publication. Merge requires the exact PR commit to pass CodeQL, Ubuntu, Windows, native Rust, and dependency review, followed by a zero-open-alert verification.

@OnourImpram
OnourImpram merged commit 34a82ab into main Jul 17, 2026
6 checks passed
@OnourImpram
OnourImpram deleted the security/v0.6.1-artifact-export-toctou branch July 17, 2026 04:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant