
feat: v0.2.0-dev — security hardening, STPA-Sec, code quality, planning#34

Merged
avrabe merged 4 commits into main from chore/v0.2.0-planning
Mar 16, 2026

Conversation

@avrabe
Contributor

@avrabe avrabe commented Mar 16, 2026

v0.2.0-dev: security + quality + safety analysis

Security hardening (S1-S4)

  • CSP header on all dashboard responses
  • Markdown raw HTML filtering (XSS prevention)
  • git clone hook protection (core.hooksPath=/dev/null)
  • WASM adapter output validation

Code quality (Q1-Q5)

  • results.rs error type fix (anyhow→crate::error::Error)
  • html_escape() deduplication
  • ProjectContext consolidation (4 functions→1 struct)
  • LinkGraph::reachable() O(n²)→O(n)
  • TRACED_STATUSES constant

STPA-Sec (68 new safety artifacts)

  • 5 hazards (H-13..H-17): XSS, WASM supply chain, git hooks
  • 5 system constraints (SC-15..SC-19)
  • 15 UCAs, 13 loss scenarios, 13 controller constraints
  • Architecture section 8.8: Security Hardening
  • Verification section 12: STPA-Sec Test Requirements

Planning docs (6)

  • rowan-salsa completion, formal verification, coverage gaps
  • OSLC analysis, STPA-Sec analysis, code duplication report

395 artifacts, 408 tests, 0 warnings, PASS

…t fix

Plan docs:
- rowan-salsa-completion: 4-phase LSP-ready migration (22 work items)
- formal-verification-completion: 37 proofs, Kani CI ready
- coverage-gap-analysis: STPA gaps (23 new artifacts needed)
- oslc-analysis: deprioritize OSLC, focus on ReqIF + needs.json

FEAT-020 promoted to approved — Playwright verified AADL rendering.
Fixed initAadlDiagrams DOMContentLoaded trigger.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@codecov

codecov bot commented Mar 16, 2026

Codecov Report

❌ Patch coverage is 85.00000% with 9 lines in your changes missing coverage. Please review.

Files with missing lines        | Patch % | Lines
rivet-core/src/externals.rs     | 76.00%  | 6 Missing ⚠️
rivet-core/src/results.rs       | 50.00%  | 3 Missing ⚠️


Test and others added 3 commits March 16, 2026 17:16
…ndings

Fresh STPA + STPA-Sec analysis identifying:
- H-13: XSS via unescaped artifact content in dashboard/export
- H-14: WASM adapter supply chain (untrusted code)
- H-15: Commit traceability false positives
- H-16: Dashboard stale data after reload failure
- H-17: git clone code execution via rivet.yaml
- 5 new system constraints (SC-15..19)
- 15 new UCAs + 14 loss scenarios
- OSLC lifecycle gap check results
- Critical: no CSP header, no WASM signature verification

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…urity hardening docs

New STPA analysis for v0.2.0 security hardening:
- H-13..H-17: XSS, WASM supply chain, commit false positives, stale dashboard, git hooks
- SC-15..SC-19: HTML escaping, WASM validation, ID store check, reload reporting, hook disable
- 15 UCAs (UCA-D-3..D-4, UCA-C-18..C-25, UCA-L-6..L-7)
- 13 loss scenarios (LS-C-5..C-15, LS-D-3, LS-L-3)
- 13 controller constraints
- Architecture section 8.8: Security Hardening
- Verification section 12: STPA-Sec Test Requirements
- 5 REQ→SC links for security constraints
- 395 artifacts, PASS, 0 warnings

Implements: SC-15, SC-16, SC-17, SC-18, SC-19
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…M validation + code quality

Security (S1-S4):
- CSP header on all dashboard responses
- Markdown raw HTML filtering (strips <script>, <iframe>, etc.)
- git clone --config core.hooksPath=/dev/null on all sync operations
- WASM adapter output validation (empty ID/type rejection, HTML stripping)

Code quality (Q3 partial):
- ProjectContext consolidation in main.rs

408 tests, 0 failures.

Implements: SC-15, SC-16, SC-17, SC-18, SC-19
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
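An added illustration (not code from the rivet project, whose real types and function names are not on this page) of two of the hardening items listed in the PR description and the last commit message: the hook-less clone invocation and the WASM adapter output gate that rejects empty IDs/types and strips HTML. `AdapterArtifact`, `AdapterError`, `validate_adapter_output` and `clone_args` are assumed names; the `--` separator in the clone arguments is an extra guard not mentioned in the PR.

```rust
/// Drop anything that looks like an HTML tag. An unterminated `<` swallows
/// the rest of the string, so a truncated tag cannot leak through.
pub fn strip_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    let mut in_tag = false;
    for c in input.chars() {
        match c {
            '<' => in_tag = true,
            '>' if in_tag => in_tag = false,
            _ if !in_tag => out.push(c),
            _ => {}
        }
    }
    out
}

#[derive(Debug, PartialEq)]
pub enum AdapterError {
    EmptyId,
    EmptyType,
}

/// Artifact as accepted from a WASM adapter (assumed shape, not rivet's).
#[derive(Debug, PartialEq)]
pub struct AdapterArtifact {
    pub id: String,
    pub kind: String,
    pub body: String,
}

/// Gate raw adapter output: id and type must be non-empty once markup is
/// removed, and every field is stripped so adapter HTML never reaches a page.
pub fn validate_adapter_output(id: &str, kind: &str, body: &str)
    -> Result<AdapterArtifact, AdapterError> {
    let id = strip_html(id).trim().to_string();
    let kind = strip_html(kind).trim().to_string();
    if id.is_empty() { return Err(AdapterError::EmptyId); }
    if kind.is_empty() { return Err(AdapterError::EmptyType); }
    Ok(AdapterArtifact { id, kind, body: strip_html(body) })
}

/// Arguments for a sync clone. Hooks are pointed at /dev/null as in the PR;
/// the `--` (added here) keeps a URL beginning with `-` from parsing as an option.
pub fn clone_args(url: &str, dest: &str) -> Vec<String> {
    ["clone", "--config", "core.hooksPath=/dev/null", "--", url, dest]
        .iter().map(|s| s.to_string()).collect()
}
```

Note that an ID made only of markup (`<b></b>`) is rejected as empty rather than accepted as a blank string, which is the case the empty-ID check exists for.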

@github-actions github-actions bot left a comment


⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Rivet Criterion Benchmarks'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.20.

Benchmark suite | Current: f3eb8ba          | Previous: 4e34c0c          | Ratio
query/10000     | 143897 ns/iter (± 468)    | 112323 ns/iter (± 1309)    | 1.28

This comment was automatically generated by workflow using github-action-benchmark.

@avrabe avrabe changed the title chore: v0.2.0 planning — analysis docs, FEAT-020 promoted feat: v0.2.0-dev — security hardening, STPA-Sec, code quality, planning Mar 16, 2026
@avrabe avrabe merged commit 7a06ac5 into main Mar 16, 2026
14 of 16 checks passed
@avrabe avrabe deleted the chore/v0.2.0-planning branch March 16, 2026 19:02