feat(security): ship pre-release security posture docs/tests/fuzz/CI #54
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f4c81b4cff
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
f4c81b4 to ec15c3e
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a2f500c3fb
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e6cc36a877
Also defer git host IP DNS checks until after cache hit checks in hush-cli remote extends, with regression coverage for offline cached git policy resolution.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e0d88a8f26
Codex Review: Didn't find any major issues. Chef's kiss.
Summary
This PR upgrades the repo to a security-grade pre-release posture with additive docs, contract regressions, fuzz coverage, CI sensors, and a deterministic blackbox abuse battery.
Docs and governance
- THREAT_MODEL.md, NON_GOALS.md
- SECURITY.md for pre-release disclosure policy and GHSA/CVE guidance
- docs/ops/safe-defaults.md, docs/ops/operational-limits.md
- tools/scripts/check-advisory-expiry.sh
Security contract tests
- crates/libs/clawdstrike/tests/security_regressions.rs
- crates/services/hushd/tests/security_regressions.rs
- crates/services/hush-cli/tests/abuse_harness.rs (slowloris, flood, DNS rebind-like pinning, stalled forwarder, CONNECT/SNI mismatch)
Deterministic test hooks (no default behavior change)
- crates/services/hush-cli/src/hush_run.rs
- crates/services/hushd/src/remote_extends.rs for fuzz/test surfaces
Fuzzing
- fuzz_irm_fs_parse
- fuzz_irm_net_parse
- fuzz_remote_extends_parse
- fuzz/Cargo.toml and document usage in fuzz/README.md
- fuzz/Cargo.lock
CI / sensors
- .github/workflows/miri.yml
- .github/workflows/sanitizers.yml
Validation
Executed locally:
- cargo fmt --all -- --check
- cargo clippy --all-targets --all-features -- -D warnings
- cargo test --workspace
- cargo test -p clawdstrike --test security_regressions -- --nocapture
- cargo test -p hushd --test security_regressions -- --nocapture
- cargo test -p hush-cli --test abuse_harness -- --nocapture
- cargo test -p hush-cli hush_run::tests::connect_proxy_rejects_ip_target_with_allowlisted_sni_mismatch -- --exact
- cargo test -p hush-cli hush_run::tests::connect_proxy_hostname_target_is_ip_pinned_after_policy_check -- --exact
- tools/scripts/check-advisory-expiry.sh
- cargo deny check
- cargo audit --deny warnings --ignore RUSTSEC-2024-0375 --ignore RUSTSEC-2025-0141 --ignore RUSTSEC-2024-0388 --ignore RUSTSEC-2024-0436 --ignore RUSTSEC-2025-0134 --ignore RUSTSEC-2021-0145
- cargo +nightly fuzz run fuzz_policy_parse -- -max_total_time=10 -verbosity=0 -print_final_stats=1
- cargo +nightly fuzz run fuzz_irm_net_parse -- -max_total_time=10 -verbosity=0 -print_final_stats=1
- cargo +nightly fuzz run fuzz_remote_extends_parse -- -max_total_time=10 -verbosity=0 -print_final_stats=1