guru-connect

azcomputerguru/guru-connect

Fork 0

Commit Graph

Author	SHA1	Message	Date
Mike Swanson	16017456aa	docs: 2026-05-31 security re-audit (Phase-1 EXIT) + roadmap reconcile All checks were successful Build and Test / Build Agent (Windows) (push) Successful in 6m59s Details Build and Test / Build Server (Linux) (push) Successful in 10m35s Details Build and Test / Security Audit (push) Successful in 4m3s Details Build and Test / Build Summary (push) Successful in 7s Details /gc-audit --pass=security re-pass over the deployed v0.3.0 code: PASS, 0 CRITICAL/HIGH/MEDIUM/LOW. The 3 relay CRITICALs stay closed (verified in code AND live against the deployed binary), the prior agent-update-TLS HIGH and chat-logging LOW are fixed, and the net-new SPEC-004 surface (machine_uid dedup gate, session reaper/supersede, operator removal API) audits clean — no non-admin removal path, no uid-spoof hijack, no auth-plane crossover. Marks v2 Phase 1 formally exited (secure-session-core Task 8 complete). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 18:19:09 -07:00
Mike Swanson	9f44807230	audit: security pass re-audit (2026-05-30) — 3 CRITICALs verified CLOSED Some checks failed Build and Test / Build Agent (Windows) (push) Successful in 7m1s Details Build and Test / Build Server (Linux) (push) Successful in 10m17s Details Build and Test / Security Audit (push) Has started running Details Build and Test / Build Summary (push) Has been cancelled Details Independent /gc-audit --pass=security re-derivation of the v2 secure-session-core rebuild: all three 2026-05-29 relay CRITICALs confirmed closed with no bypass (any-JWT-joins-session, viewer-WS blacklist, JWT-as-agent-key). Relay plane clean; consent/code paths fail closed; abuse surface bounded; rate limiting proxy-aware. Net-new: 1 HIGH (agent auto-update disables TLS cert verification -> MITM-RCE, agent/src/update.rs:45,111 — outside the relay plane), 1 LOW (chat content logged), 2 INFO. Report: reports/2026-05-30-gc-audit.md. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-30 18:48:48 -07:00
Mike Swanson	486debfc52	docs(audit): add inaugural gc-audit report 2026-05-29 All checks were successful Build and Test / Build Agent (Windows) (push) Successful in 6m14s Details Build and Test / Build Server (Linux) (push) Successful in 10m29s Details Build and Test / Security Audit (push) Successful in 4m12s Details Build and Test / Build Summary (push) Successful in 10s Details First /gc-audit run (also a dry run validating the skill). 7 passes. 4 CRITICAL (3 relay-plane auth failures: any-JWT session hijack, viewer-WS blacklist bypass, JWT-accepted-as-agent-key; 1 functional: dashboard protobuf.ts wire-incompatible). Plus deploy.yml stub leaving prod 57 commits stale. Proposed roadmap/tech-debt deltas listed (not yet applied, pending review). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-29 17:46:26 -07:00

Author

SHA1

Message

Date

Mike Swanson

16017456aa

docs: 2026-05-31 security re-audit (Phase-1 EXIT) + roadmap reconcile

Build and Test / Build Agent (Windows) (push) Successful in 6m59s

Details

Build and Test / Build Server (Linux) (push) Successful in 10m35s

Details

Build and Test / Security Audit (push) Successful in 4m3s

Details

Build and Test / Build Summary (push) Successful in 7s

Details

/gc-audit --pass=security re-pass over the deployed v0.3.0 code: PASS,
0 CRITICAL/HIGH/MEDIUM/LOW. The 3 relay CRITICALs stay closed (verified in
code AND live against the deployed binary), the prior agent-update-TLS HIGH
and chat-logging LOW are fixed, and the net-new SPEC-004 surface (machine_uid
dedup gate, session reaper/supersede, operator removal API) audits clean —
no non-admin removal path, no uid-spoof hijack, no auth-plane crossover.

Marks v2 Phase 1 formally exited (secure-session-core Task 8 complete).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-31 18:19:09 -07:00

Mike Swanson

9f44807230

audit: security pass re-audit (2026-05-30) — 3 CRITICALs verified CLOSED

Build and Test / Build Agent (Windows) (push) Successful in 7m1s

Details

Build and Test / Build Server (Linux) (push) Successful in 10m17s

Details

Build and Test / Security Audit (push) Has started running

Details

Build and Test / Build Summary (push) Has been cancelled

Details

Independent /gc-audit --pass=security re-derivation of the v2 secure-session-core
rebuild: all three 2026-05-29 relay CRITICALs confirmed closed with no bypass
(any-JWT-joins-session, viewer-WS blacklist, JWT-as-agent-key). Relay plane clean;
consent/code paths fail closed; abuse surface bounded; rate limiting proxy-aware.
Net-new: 1 HIGH (agent auto-update disables TLS cert verification -> MITM-RCE,
agent/src/update.rs:45,111 — outside the relay plane), 1 LOW (chat content logged),
2 INFO. Report: reports/2026-05-30-gc-audit.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-30 18:48:48 -07:00

Mike Swanson

486debfc52

docs(audit): add inaugural gc-audit report 2026-05-29

Build and Test / Build Agent (Windows) (push) Successful in 6m14s

Details

Build and Test / Build Server (Linux) (push) Successful in 10m29s

Details

Build and Test / Security Audit (push) Successful in 4m12s

Details

Build and Test / Build Summary (push) Successful in 10s

Details

First /gc-audit run (also a dry run validating the skill). 7 passes.
4 CRITICAL (3 relay-plane auth failures: any-JWT session hijack,
viewer-WS blacklist bypass, JWT-accepted-as-agent-key; 1 functional:
dashboard protobuf.ts wire-incompatible). Plus deploy.yml stub leaving
prod 57 commits stale. Proposed roadmap/tech-debt deltas listed (not
yet applied, pending review).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-29 17:46:26 -07:00

3 Commits