fix(security): prevent command injection via --resume state restoration

[Maleick]

Motivation

• The resume flow previously restored verify_cmd and guard_cmd from autoresearch-state.json and would execute them, allowing an attacker-controlled state file to inject arbitrary shell commands when --resume is used.
• The change closes this trust boundary by ensuring executable commands are only accepted from the current invocation, preventing command injection while preserving resume functionality.

Description

• Require Verify: (and optionally Guard:) to be provided by the user when resuming and ignore verify_cmd/guard_cmd values loaded from autoresearch-state.json so executable commands from disk are never executed.
• Mark verify_cmd and guard_cmd in the state schema as record-only metadata and add explicit resume protocol steps that restore only non-executable loop state.
• Add trust-boundary guidance to the autonomous loop protocol and the skill invariants to prevent future regressions.
• Updated files: plugins/autoresearch/commands/autoresearch.md, plugins/autoresearch/skills/autoresearch/references/state-management.md, plugins/autoresearch/skills/autoresearch/references/autonomous-loop-protocol.md, and plugins/autoresearch/skills/autoresearch/SKILL.md.

Testing

• Inspected the modified files to confirm the new resume semantics and trust-boundary text appear as intended; inspection succeeded.
• Verified repository diffs show only the intended documentation and protocol changes; diff verification succeeded.
• Applied the patch and recorded the change in the repository metadata; the patch application and repository update succeeded.

---

Codex Task

[Copilot]

Pull request overview

This PR updates the Autoresearch plugin’s documentation and protocols to close a trust boundary in --resume: executable commands (Verify:/Guard:) must come from the current invocation and must never be restored from autoresearch-state.json, preventing command injection from tampered state files.

Changes:

• Document that verify_cmd / guard_cmd in autoresearch-state.json are record-only metadata and must not be executed on resume.
• Update the resume protocol to restore only non-executable loop state and require Verify: to be provided again when resuming.
• Add explicit trust-boundary guidance to the autonomous loop protocol and skill invariants.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
plugins/autoresearch/skills/autoresearch/SKILL.md	Adds a safety invariant stating commands from state must not be trusted on --resume.
plugins/autoresearch/skills/autoresearch/references/state-management.md	Clarifies schema semantics for verify_cmd/guard_cmd and updates resume steps to avoid executing commands from disk.
plugins/autoresearch/skills/autoresearch/references/autonomous-loop-protocol.md	Adds a trust-boundary step to the Verify phase to prevent command execution from resumed state.
plugins/autoresearch/commands/autoresearch.md	Updates --resume docs and resume execution steps to require Verify: on resume and ignore state-file command fields.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.