
fix: auth+safety hardening (#70 #72 #76) #77

Open

keylimesoda wants to merge 1 commit into Martian-Engineering:main from keylimesoda:fix/auth-and-safety

Conversation

@keylimesoda

Summary

Three security fixes from adversarial code review: cross-session data leakage (Critical), grant depth enforcement (High), and ReDoS mitigation (Medium).

#70 (Critical) — Cross-session data leakage via lcm_grep/describe/expand_query

Sub-agents could bypass conversation scope by passing allConversations=true or arbitrary conversationId to tools that didn't consult the grant system.

Fix: resolveLcmConversationScope() now accepts optional grant context. When a sub-agent has a delegated grant, scope is restricted to allowedConversationIds. Sub-agents without grants are restricted to their own conversation. Uniform "Not found" errors prevent cross-conversation existence leaks.

Files: lcm-conversation-scope.ts, lcm-grep-tool.ts, lcm-describe-tool.ts, lcm-expand-query-tool.ts

#72 (High) — Grant maxDepth not enforced

validateExpansion() checked grant existence and scope but never compared request depth against grant.maxDepth.

Fix: Added depth check after existing scope checks. Token cap enforcement intentionally left as clamp (existing wrapWithAuth() behavior is correct).

File: expansion-auth.ts

#76 (Medium) — ReDoS in regex grep

Both store searchRegex() methods compiled user-provided patterns via new RegExp() with no validation.

Fix: New regex-safety.ts with nested quantifier detection, pattern length cap, and compile validation. Typed UnsafeRegexError surfaces to tool layer. SQL candidate queries capped at 10K rows. Note: this is a bounded mitigation, not a complete ReDoS fix.

Files: regex-safety.ts (new), conversation-store.ts, summary-store.ts

Test Results

60 tests pass (4 new in regex-safety, 3 new in lcm-tools, 1 updated in expansion-auth).

Changes

12 files changed, 536 insertions(+), 69 deletions(-)
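The ReDoS mitigation described under #76, as an added TypeScript example that is not the project's regex-safety.ts: the MAX_PATTERN_LENGTH value and the hasNestedQuantifier, compileSafeRegex and safeGrep names are assumptions, while the 10,000-row cap is the value the PR states. It wires the three checks (length cap, nested-quantifier detection, compile validation) in front of a row-capped scan so a failing pattern surfaces as a typed error rather than a silent empty result.

```typescript
// Added example, not the project's regex-safety.ts: the bounded ReDoS mitigation the PR
// describes (length cap, nested-quantifier detection, compile validation, capped rows).
export const MAX_PATTERN_LENGTH = 256;     // assumed cap, not stated in the PR
export const MAX_REGEX_SCAN_ROWS = 10_000; // row cap the PR states for candidate queries

export class UnsafeRegexError extends Error {
  constructor(message: string) { super(message); this.name = "UnsafeRegexError"; }
}

// Heuristic: a quantified group that itself contains a quantifier, e.g. (a+)+ or (\w*\s?)*,
// is the classic exponential-backtracking shape. It flags the shape, it does not prove safety.
export function hasNestedQuantifier(pattern: string): boolean {
  const groups: boolean[] = []; // per open group: quantifier seen inside it?
  const isQuant = (c: string | undefined) => c !== undefined && "*+?{".includes(c);
  let i = 0;
  while (i < pattern.length) {
    const ch = pattern[i];
    if (ch === "\\") { i += 2; continue; } // escaped char is never a quantifier
    if (ch === "[") { // character class: skip to its closing bracket
      for (i++; i < pattern.length && pattern[i] !== "]"; i++) if (pattern[i] === "\\") i++;
      i++; continue;
    }
    if (ch === "(") { // (?: (?= (?! (?< prefixes are group syntax, not quantifiers
      groups.push(false); i += pattern[i + 1] === "?" ? 3 : 1; continue;
    }
    if (ch === ")") {
      const inner = groups.pop() ?? false;
      const quantified = isQuant(pattern[++i]);
      if (inner && quantified) return true;
      if (groups.length && (inner || quantified)) groups[groups.length - 1] = true;
      continue;
    }
    if (isQuant(ch) && groups.length) groups[groups.length - 1] = true;
    i++;
  }
  return false;
}

export function compileSafeRegex(pattern: string, flags = ""): RegExp {
  if (pattern.length > MAX_PATTERN_LENGTH) throw new UnsafeRegexError("pattern too long");
  if (hasNestedQuantifier(pattern)) throw new UnsafeRegexError("nested quantifier");
  try { return new RegExp(pattern, flags); }
  catch (e) { throw new UnsafeRegexError(`invalid pattern: ${(e as Error).message}`); }
}

// Bounded grep: validate first, then scan at most MAX_REGEX_SCAN_ROWS candidate rows.
export function safeGrep(rows: string[], pattern: string): string[] {
  const re = compileSafeRegex(pattern, "i");
  return rows.slice(0, MAX_REGEX_SCAN_ROWS).filter((row) => re.test(row));
}
```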

…ring#72 Martian-Engineering#76

Martian-Engineering#70 (Critical) — Cross-session data leakage
- Grant-aware conversation scoping in resolveLcmConversationScope()
- lcm_grep, lcm_describe, lcm_expand_query now enforce grant boundaries
- Sub-agents without grants restricted to own conversation
- Uniform 'Not found' errors prevent cross-conversation existence leaks

Martian-Engineering#72 (High) — maxDepth enforcement in validateExpansion()
- Rejects requests exceeding grant maxDepth
- tokenCap enforcement unchanged (clamped by wrapWithAuth, not rejected)

Martian-Engineering#76 (Medium) — ReDoS mitigation in regex grep
- Nested quantifier detection + pattern length cap + compile validation
- Typed UnsafeRegexError surfaces to tool layer instead of silent empty results
- MAX_REGEX_SCAN_ROWS (10,000) caps candidate query in both stores
- Note: bounded mitigation, not complete ReDoS fix

60 tests pass (4 new in regex-safety, 3 new in lcm-tools, 1 updated in expansion-auth)