v0.8.64: Land and verify security hardening/code-scanning fixes

[Hmbown]

Problem

The v0.8.64 release train needs one explicit public tracker for the security-hardening work that is currently split across CodeQL findings, advisory-class reports, and local integration commits. The goal is to make the release gate clear without publishing exploit details in a public issue.

Evidence

Live CodeQL on main currently reports high-severity findings across these broad areas:

• Path-boundary validation for config, subagent state, MCP cwd, and runtime store paths.
• Secret/log redaction and generated runtime-token handling.
• HTTPS/TLS enforcement for provider and fleet alert traffic.
• Local tool trust boundaries for fetch, JS execution, and image/file analysis surfaces.

The v0.8.64 integration branch already contains candidate fixes for several of these areas, but they still need to be landed, pushed, and verified by CI/code scanning on the branch that will release.

Expected behavior

Before v0.8.64 ships:

• Security hardening commits are visible on the release branch and reviewable.
• CodeQL findings that correspond to fixed code paths are closed by analysis rather than hand-waved.
• Any remaining findings are triaged into clear follow-up issues with owner, severity, and release decision.
• Runtime behavior stays compatible for legitimate user config paths and local workflows.

Likely files / commands to inspect

• crates/config/src/lib.rs and crates/config/src/tests.rs
• crates/tui/src/tools/subagent/mod.rs
• crates/tui/src/mcp.rs
• crates/tui/src/runtime_threads.rs
• crates/tui/src/runtime_api.rs
• crates/tui/src/fleet/alerts.rs
• crates/tui/src/client.rs
• crates/tui/src/tools/fetch_url.rs
• crates/tui/src/tools/js_execution.rs
• crates/tui/src/vision/tools.rs
• scripts/check-provider-registry.py

Suggested gates:

• cargo test -p codewhale-config --locked
• cargo test -p codewhale-tui --bin codewhale-tui --locked <focused filters>
• cargo fmt --all -- --check
• cargo check -p codewhale-config --locked
• cargo check -p codewhale-tui --bin codewhale-tui --locked
• git diff --check
• CodeQL/code scanning rerun on the release branch after push

Acceptance criteria

• Security hardening commits are organized into reviewable PR(s) or a clearly scoped release branch update.
• CodeQL high findings on the release target are closed or explicitly triaged with a release decision.
• No generated runtime tokens, provider credentials, webhook secrets, or session identifiers are printed/logged in cleartext except where intentionally redacted or user-facing by design.
• Config and state path handling rejects traversal/symlink escape while preserving documented --config, CODEWHALE_CONFIG_PATH, and legacy DEEPSEEK_CONFIG_PATH workflows.
• Project-local config cannot loosen user/global approval or sandbox posture, cannot introduce arbitrary instruction-file reads, and cannot silently enable shell execution.
• Network-bearing alert/provider/tool paths enforce HTTPS/TLS or otherwise have an explicit, documented local-only exception.
• Focused tests and formatting/check gates are recorded in the PR or release notes.

Related

• v0.8.64: Add natural-language auto-review policy and a pre-push review gate #3144
• CodeWhale is overly involved in making modifications, engaging in self-questioning and self-answering and deviating from user intent #3275

[Hmbown]

v0.8.64 integration security verification update from local branch codex/v0.8.64-integration.

Local security-hardening commits currently carried include:

• Config/state path hardening: 7985f6f17, daf199a18, 4becde948, plus runtime-store symlink guards.
• TLS/secret handling: ac33b2014, e97462e2d, d72a74a2c, 5b19e8416.
• Local tool trust boundaries: 26de44a8b.
• Auto-review / provenance rails: b4d660428, 8ecc185bc, 45923d788, c09d3669e.
• App-server non-loopback auth hardening: a915246ae.

Focused verification run locally:

• cargo test -p codewhale-config --locked
• cargo test -p codewhale-tui --bin codewhale-tui --locked symlinked_state
• cargo test -p codewhale-tui --bin codewhale-tui --locked symlinked_item
• cargo test -p codewhale-tui --bin codewhale-tui --locked workspace_mcp_config
• cargo test -p codewhale-tui --bin codewhale-tui --locked runtime_auth
• cargo test -p codewhale-tui --bin codewhale-tui --locked required_https
• cargo test -p codewhale-tui --bin codewhale-tui --locked fleet_alert_url_validation_requires_https
• cargo test -p codewhale-tui --bin codewhale-tui --locked fetch_url
• cargo test -p codewhale-tui --bin codewhale-tui --locked js_execution
• cargo test -p codewhale-tui --bin codewhale-tui --locked vision
• cargo test -p codewhale-tui --bin codewhale-tui --locked tls_skip_verify
• cargo test -p codewhale-tui --bin codewhale-tui --locked doctor_tls_status_warns_when_active_provider_skips_verification
• cargo test -p codewhale-app-server --locked insecure_tls_skip_verify_is_rejected
• cargo test -p codewhale-app-server --locked generated_auth_status_does_not_render_token
• cargo test -p codewhale-app-server --locked auth
• Python import smoke for scripts/check-provider-registry.py::redact_sensitive_text confirmed bearer/API-key/token-style text is redacted.

Remaining release gate: these fixes still need to be visible on the pushed release branch and verified by CI/CodeQL there. I am not closing or marking the public code-scanning alerts resolved from local-only evidence.

[Hmbown]

Additional local v0.8.64 security-train update on codex/v0.8.64-integration.

New local commits since the last tracker note:

• 5c7d48bd6 fix(tui): load configured auto-review policy
• a6d5de8ad fix(tui): hold shell publish commands for review
• 4f7a77db3 feat(tui): write pre-push review receipts

Fresh verification added today:

• v0.8.64: Add natural-language auto-review policy and a pre-push review gate #3144 auto-review/config/background path: cargo test -p codewhale-tui --bin codewhale-tui --locked auto_review; background shell/verifier filters; cargo fmt --all -- --check; cargo check -p codewhale-tui --bin codewhale-tui --locked; git diff --check
• v0.8.64: Add natural-language auto-review policy and a pre-push review gate #3144 review receipts: cargo test -p codewhale-tui --bin codewhale-tui --locked review; cargo fmt --all -- --check; cargo check -p codewhale-tui --bin codewhale-tui --locked; git diff --check
• CodeWhale is overly involved in making modifications, engaging in self-questioning and self-answering and deviating from user intent #3275 provenance/review-only rails after the auto-review changes: review_only_external_input_gets_read_only_policy_until_write_is_explicit, non_external_provenance_cannot_inherit_yolo_auto_approval, turn_tool_registry_builder_keeps_plan_mode_read_only_for_files, provenance, and runtime_turn_metadata_marks_non_authoritative_input filters all pass locally.

Open security+v0.8.64 issues now remain #3368, #3275, and #3144. There are no open PRs matching label:security label:v0.8.64 at the moment.

Still not treating this tracker as resolved from local evidence: the integration branch is not pushed here, public CodeQL alerts still need to be verified on a scanned branch, and CI needs to run against the branch before release.

[Hmbown]

Additional local v0.8.64 security-train update on codex/v0.8.64-integration: added 8bc3ec0a8 (feat(tui): validate pre-push review receipts).

This extends the #3144 receipt work with a concrete local gate: codewhale review --check-receipt validates the current diff against a durable receipt without calling a model and fails on changed diff fingerprints, unsupported receipt schema, unresolved risk, or failed attached checks.

Verification added:

• cargo test -p codewhale-tui --bin codewhale-tui --locked review
• cargo fmt --all -- --check
• cargo check -p codewhale-tui --bin codewhale-tui --locked
• git diff --check
• cargo run -p codewhale-tui --bin codewhale-tui --locked -- review --help

Still local-only. This tracker remains open until the branch is pushed, CI/CodeQL scan the pushed branch, and public code-scanning/security findings can be verified against that scanned state.

[Hmbown]

Fresh local v0.8.64 security-train audit on codex/v0.8.64-integration.

Public CodeQL still reports 22 open high-severity alerts on main, so I am still treating this tracker as open until a pushed release branch is scanned. Locally, the integration branch now has fresh focused coverage for the advisory-class surfaces represented by those fixes:

• cargo test -p codewhale-tui --bin codewhale-tui --locked fetch_url — 31 passed, including DNS preflight / restricted address handling.
• cargo test -p codewhale-tui --bin codewhale-tui --locked js_execution — 7 passed, including sanitized child env coverage.
• cargo test -p codewhale-tui --bin codewhale-tui --locked vision — 23 passed, including image path traversal / symlink containment and git history option-like revision checks caught by the shared filter.
• cargo test -p codewhale-tui --bin codewhale-tui --locked git_show — 2 passed.
• cargo test -p codewhale-tui --bin codewhale-tui --locked git_blame — 3 passed.
• cargo test -p codewhale-tui --bin codewhale-tui --locked rlm_eval_requires_approval — passed.
• cargo test -p codewhale-tui --bin codewhale-tui --locked exec_shell_interact_requires_approval — passed.
• cargo test -p codewhale-config --locked project_merge_only_tightens_approval_and_sandbox_policy — passed.
• cargo test -p codewhale-config --locked state_resolvers_reject_path_traversal_subdirs — passed.
• cargo test -p codewhale-config --locked normalize_config_file_path_rejects_traversal — passed.
• cargo test -p codewhale-app-server --locked auth_token — 4 passed.
• cargo test -p codewhale-app-server --locked non_loopback — 3 passed.
• python3 scripts/check-provider-registry.py — provider registry drift check passed.
• cargo test -p codewhale-tui --bin codewhale-tui --locked huggingface_ — 6 passed.
• git diff --check — clean.

Community PR status from this pass:

• fix(config): restore huggingface env precedence #3329 by @gaord is carried locally as 7772391fa; I left a thank-you/status note with the fresh registry + Hugging Face test evidence.
• fix(app-server): require auth for non-loopback binds #3332 by @cyq1017 remains superseded by the already-carried app-server auth hardening (a915246ae) and was already thanked/statused.
• fix(cli): tear down delegated serve/app-server child on dispatcher ex… #3317 by @wuisabel-gif remains carried locally with authorship preserved; the remaining app-server: clean up delegated serve child when dispatcher exits #3259 edge stays open as documented.

Remaining release gate is unchanged: push the integration branch when Hunter approves, let CI/CodeQL scan the pushed release target, then close or split any findings that survive that scanned state. I am not marking public security/code-scanning items resolved from local-only evidence.

[Hmbown]

Additional local v0.8.64 dependency-audit pass on codex/v0.8.64-integration.

Rust:

• cargo audit completed against 669 locked crate dependencies with no vulnerable crates reported.
• It reported 3 allowed maintenance warnings, all through the existing starlark dependency stack: derivative (RUSTSEC-2024-0388), fxhash (RUSTSEC-2025-0057), and paste (RUSTSEC-2024-0436). I found no repo-local RustSec allowlist file; these are audit warnings rather than vulnerability failures.

JavaScript/package lockfiles:

• npm audit --omit=dev --audit-level=moderate passed with found 0 vulnerabilities in root, web, extensions/vscode, integrations/feishu-bridge, and integrations/telegram-bridge.
• npm audit --audit-level=moderate also passed with found 0 vulnerabilities in the same directories.

This does not replace the remaining CodeQL/CI gate for the pushed release branch, but it removes dependency advisories from the local v0.8.64 security blocker list.

[Hmbown]

Security hardening update for v0.8.64:

Prepared on codex/v0.8.64-integration at local commit d2c7b0338:

• Config path IO now revalidates the resolved config path before existence checks and reads.
• Environment-provided config paths now flow through the same config path sanitizer before use.
• Subagent state persistence now validates both the final state path and temporary write path against the manager workspace boundary.
• Added regressions for env config traversal and out-of-workspace subagent state paths.

Verification:

• cargo test -p codewhale-config --locked passed, 168 tests.
• cargo test -p codewhale-tui --bin codewhale-tui --locked persist_state_rejects_state_path_outside_workspace passed.
• cargo test -p codewhale-tui --bin codewhale-tui --locked symlinked_state passed, 3 tests.
• cargo fmt --all -- --check passed.
• git diff --check passed.

I also checked the TLS-related pasted alert against this integration branch: provider TLS-skip config currently warns and then fails client construction instead of disabling certificate verification. I am leaving that noted as branch-local evidence until the next CodeQL run confirms the alert state.

[Hmbown]

Additional v0.8.64 local security hardening update on codex/v0.8.64-integration.

New local commits:

• 6084ffa2b fix(security): validate worktree metadata reciprocity
• 6f2a14f75 fix(security): gate interpreter tools before execution

What changed at a release-tracker level:

• The worktree sandbox allowance now requires reciprocal Git worktree metadata before adding external Git metadata paths to writable roots. This preserves the worktree usability fix while narrowing the trust boundary.
• Local interpreter-style execution now routes through the shared post-approval execution path instead of separate early execution handling. The existing approval classification for those tools is now enforced by the same path used for other approval-gated tools.

Verification run locally:

• cargo test -p codewhale-tui --bin codewhale-tui --locked workspace_write_
• cargo test -p codewhale-tui --bin codewhale-tui --locked sandbox::policy
• cargo test -p codewhale-tui --bin codewhale-tui --locked code_execution_runs_through_common_executor_after_approval_gate
• cargo test -p codewhale-tui --bin codewhale-tui --locked code_execution
• cargo test -p codewhale-tui --bin codewhale-tui --locked js_execution
• cargo test -p codewhale-tui --bin codewhale-tui --locked run_shell_command_op_requests_approval_and_executes_shell
• cargo fmt --all -- --check
• git diff --check

This remains local-only evidence. Keeping this tracker open until Hunter approves pushing the integration branch and CI/CodeQL scan the release target.

[Hmbown]

Additional local v0.8.64 security hardening update on codex/v0.8.64-integration.

New local commit:

• 4a82f72b5 fix(security): keep rlm eval behind approval

What changed at a release-tracker level:

• The raw-Python RLM evaluation surface now stays behind an explicit approval decision even when the generic registered-tool auto-approve shortcut is active.
• Existing auto-approve behavior for ordinary required tools is preserved and pinned by test, so this is a narrow interpreter-surface hardening rather than a broad mode-behavior change.

Verification run locally:

• cargo test -p codewhale-tui --bin codewhale-tui --locked rlm_eval
• cargo test -p codewhale-tui --bin codewhale-tui --locked generic_required_tools_keep_auto_approve_behavior
• cargo fmt --all -- --check
• git diff --check

This is still local-only evidence. The tracker should remain open until Hunter approves pushing the integration branch and CI/CodeQL scan the release target.