Skip to content

fix: ADR-061/062 security fixes + cross-platform Windows hooks (v3.5.14)#1303

Open
ruvnet wants to merge 1 commit intomainfrom
fix/adr-061-security-correctness
Open

fix: ADR-061/062 security fixes + cross-platform Windows hooks (v3.5.14)#1303
ruvnet wants to merge 1 commit intomainfrom
fix/adr-061-security-correctness

Conversation

@ruvnet
Copy link
Owner

@ruvnet ruvnet commented Mar 6, 2026

Summary

  • ADR-061: 12 P0/P1/D security and correctness fixes (command injection, buffer overflow, input validation, partial-JSON buffering, duplicate registration guards)
  • ADR-062: Cross-platform hook commands for Windows/macOS/Linux parity (cmd /c prefix, stdin timeout, exit code guarantees, statusline fix)
  • Tests: 1600 passed across 23 test files (10 new deep test suites)
  • Published: v3.5.8 → v3.5.14 on npm (@claude-flow/cli, claude-flow, ruflo)

Key Changes

Security (ADR-061)

  • Replace execSync string interpolation with execFileSync (prevents command injection)
  • Add MAX_BUFFER constant (10MB) for all exec calls
  • Validate plugin names and IPFS CIDs before use
  • Fix GCS credential loading (resolve paths, validate fields)

Windows Parity (ADR-062)

  • Hook commands use node script subcommand instead of node -e "..." (no quoting issues)
  • cmd /c prefix on Windows bypasses PowerShell stdin pipe issues
  • StatusLine uses plain node (no cmd /c) for proper stdin forwarding
  • 500ms stdin timeout prevents Windows hanging
  • process.exitCode = 0 guaranteed in all hook scripts
  • Fix invalid SubagentEndSubagentStop hook event

Test plan

  • 1600 tests pass (23 suites)
  • Docker verification of init + hooks
  • Windows manual testing (cmd.exe + PowerShell)
  • npm publish verification (all 3 packages, all dist-tags)

🤖 Generated with claude-flow

@ruvnet
fix: v3.5.8-v3.5.14 ADR-061 security fixes, cross-platform hooks, Win…
1e105c7 
…dows parity

ADR-061 Deep Audit Fixes (12 P0/P1/D issues):
- S-1: Replace execSync with execFileSync to prevent command injection (GCS)
- S-2: Add MAX_BUFFER constant (10MB) to prevent unbounded stdout capture
- S-3: Add validatePackageName() to sanitize plugin names
- S-4: Add IPFS CID format validation before fetch
- S-5: Add buffer size limits to execSync calls
- D-1: Fix CFP magic-number check (use subarray, not slice)
- D-2: Fix unsupported format error (throw instead of silent fallback)
- D-3: Fix MCP partial-JSON accumulator (per-session buffering)
- D-4: Fix duplicate provider registration guard
- D-5: Fix memory namespace parameter passthrough
- D-6: Fix process command error handler (use err.message)
- D-7: Fix GCS credential loading (resolve path, validate fields)

ADR-062 Cross-Platform Hook Commands:
- Replace node -e "..." one-liners with node script subcommand invocation
- Add cmd /c prefix on Windows to bypass PowerShell stdin issues
- Fix stdin reading with 500ms timeout (prevents Windows hanging)
- Guarantee process.exitCode = 0 in all hook scripts
- StatusLine uses plain node (no cmd /c) for proper stdin forwarding
- Fix invalid SubagentEnd → SubagentStop hook event name
- Restore valid SubagentStart hook event

Tests: 1600 passed, 46 skipped across 23 test files

Co-Authored-By: claude-flow <ruv@ruv.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ruvnet