tractatus

john/tractatus

Fork 0

Commit graph

Author	SHA1	Message	Date
TheFlow	e821987d9a	feat(security): implement attack surface exposure prevention (inst_084) Adds comprehensive protection against exposing internal implementation details in public-facing documentation. New Governance Rule (inst_084): - Quadrant: SYSTEM - Persistence: HIGH - Scope: Public documents (confidential:false) - Enforcement: Pre-commit hooks (mandatory) Implementation: 1. attack-surface-validator.util.js - Pattern detection for file paths, API endpoints, admin URLs, ports - Frontmatter parsing (respects confidential:true exemption) - Code block exemption (doesn't flag technical examples) - Intelligent line numbering for violation reporting 2. check-attack-surface.js - Pre-commit script that scans staged documents - User-friendly violation reporting with suggestions - Integration with git workflow 3. Pre-commit hook integration - Added as Check #3 in git hooks - Runs after prohibited terms, before test requirements - Blocks commits with attack surface exposures Detection Patterns: ✅ File paths: src/, public/, scripts/* ✅ API endpoints: /api/, /admin/ ✅ File naming patterns: .util.js, .service.js ✅ Port numbers in prose ✅ Connection strings Exemptions: - Code blocks (```) - Inline code (`) - Confidential documents (confidential:true) - Internal technical documentation Security Rationale (Defense-in-Depth): - Prevents reconnaissance by obscuring architecture - Reduces attack surface by hiding implementation paths - Complements credential protection (inst_069/070) - Part of layered security strategy (inst_072) Testing: - Validated against test document with known exposures - 7 violations detected correctly - Code block exemption verified - All expected pattern types detected Example Violations Blocked: ❌ "Dashboard at /admin/audit-analytics.html" ✅ "Administrative Dashboard" ❌ "GET /api/admin/audit-logs endpoint" ✅ "Authenticated API for audit data" ❌ "In activity-classifier.util.js" ✅ "The activity classifier" This enforcement prevented the exact security issue discovered in governance-bi-tools.md which exposed admin paths and API endpoints. Also fixed prohibited terms checker to exempt instruction-history.json (which contains prohibited term DEFINITIONS, not violations). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-27 12:11:43 +13:00
TheFlow	e7efdc7810	feat(governance): second wave enforcement - 64% improvement (28% → 46%) Implements 7 additional architectural enforcement mechanisms: ✅ Prohibited Terms Detection (inst_016/017/018): - scripts/check-prohibited-terms.js - Scans for absolute assurance terms ("guarantee", "100% secure") - Detects maturity claims without evidence ("production-ready", "battle-tested") - Checks statistics require citation or [NEEDS VERIFICATION] - Integrated into .git/hooks/pre-commit (Check 2) ✅ Credential Exposure Prevention (inst_069/070): - scripts/check-credential-exposure.js - Detects real API keys, secrets, passwords in documentation - Validates example credentials use proper patterns (EXAMPLE/REDACTED) - CRITICAL: Runs first in pre-commit (Check 0) ✅ Confidential Document Protection (inst_012/015): - scripts/check-confidential-docs.js - Prevents deployment of internal/session-handoff documents - Scans filenames and content for [CONFIDENTIAL]/[INTERNAL] markers - Integrated into scripts/deploy.sh pre-flight checks ✅ Enhanced Pre-Commit Hook: Now runs 4 checks in order: 0. Credential exposure (CRITICAL) 1. CSP compliance 2. Prohibited terms 3. Test requirements ✅ Enhanced Deployment Script: - Added confidential document check to deploy.sh - Scans public/ and docs/ before deployment - Blocks deployment if confidential markers found ✅ Updated Enforcement Map: - Added all new mechanisms to audit-enforcement.js - Updated inst_008_CONSOLIDATED mapping - New mappings: inst_012, inst_015, inst_016, inst_017, inst_018, inst_069, inst_070 📊 Enforcement Progress: - Wave 1: 11/39 imperative instructions enforced (28%) - Wave 2: 18/39 imperative instructions enforced (46%) - Improvement: +7 instructions = +64% increase - Remaining gaps: 21/39 (54%) 🎯 Next Priority Gaps: - inst_013/043/045: API security validation - inst_019: Context pressure comprehensive accounting - inst_025: Deployment file mapping - inst_039/040: Batch operation verification - inst_079/080/081: Values/principles (process-based) 🔒 Security Posture: - CRITICAL security checks now run first (credential exposure) - All text files scanned before commit - All deployment candidates scanned before rsync 🤖 Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>	2025-10-25 13:26:33 +13:00

Author

SHA1

Message

Date

TheFlow

e821987d9a

feat(security): implement attack surface exposure prevention (inst_084)

Adds comprehensive protection against exposing internal implementation
details in public-facing documentation.

New Governance Rule (inst_084):
- Quadrant: SYSTEM
- Persistence: HIGH
- Scope: Public documents (confidential:false)
- Enforcement: Pre-commit hooks (mandatory)

Implementation:
1. attack-surface-validator.util.js
   - Pattern detection for file paths, API endpoints, admin URLs, ports
   - Frontmatter parsing (respects confidential:true exemption)
   - Code block exemption (doesn't flag technical examples)
   - Intelligent line numbering for violation reporting

2. check-attack-surface.js
   - Pre-commit script that scans staged documents
   - User-friendly violation reporting with suggestions
   - Integration with git workflow

3. Pre-commit hook integration
   - Added as Check #3 in git hooks
   - Runs after prohibited terms, before test requirements
   - Blocks commits with attack surface exposures

Detection Patterns:
✅ File paths: src/*, public/*, scripts/*
✅ API endpoints: /api/*, /admin/*
✅ File naming patterns: *.util.js, *.service.js
✅ Port numbers in prose
✅ Connection strings

Exemptions:
- Code blocks (```)
- Inline code (`)
- Confidential documents (confidential:true)
- Internal technical documentation

Security Rationale (Defense-in-Depth):
- Prevents reconnaissance by obscuring architecture
- Reduces attack surface by hiding implementation paths
- Complements credential protection (inst_069/070)
- Part of layered security strategy (inst_072)

Testing:
- Validated against test document with known exposures
- 7 violations detected correctly
- Code block exemption verified
- All expected pattern types detected

Example Violations Blocked:
❌ "Dashboard at /admin/audit-analytics.html"
✅ "Administrative Dashboard"
❌ "GET /api/admin/audit-logs endpoint"
✅ "Authenticated API for audit data"
❌ "In activity-classifier.util.js"
✅ "The activity classifier"

This enforcement prevented the exact security issue discovered in
governance-bi-tools.md which exposed admin paths and API endpoints.

Also fixed prohibited terms checker to exempt instruction-history.json
(which contains prohibited term DEFINITIONS, not violations).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-27 12:11:43 +13:00

TheFlow

e7efdc7810

feat(governance): second wave enforcement - 64% improvement (28% → 46%)

Implements 7 additional architectural enforcement mechanisms:

✅ Prohibited Terms Detection (inst_016/017/018):
- scripts/check-prohibited-terms.js
- Scans for absolute assurance terms ("guarantee", "100% secure")
- Detects maturity claims without evidence ("production-ready", "battle-tested")
- Checks statistics require citation or [NEEDS VERIFICATION]
- Integrated into .git/hooks/pre-commit (Check 2)

✅ Credential Exposure Prevention (inst_069/070):
- scripts/check-credential-exposure.js
- Detects real API keys, secrets, passwords in documentation
- Validates example credentials use proper patterns (EXAMPLE/REDACTED)
- CRITICAL: Runs first in pre-commit (Check 0)

✅ Confidential Document Protection (inst_012/015):
- scripts/check-confidential-docs.js
- Prevents deployment of internal/session-handoff documents
- Scans filenames and content for [CONFIDENTIAL]/[INTERNAL] markers
- Integrated into scripts/deploy.sh pre-flight checks

✅ Enhanced Pre-Commit Hook:
Now runs 4 checks in order:
0. Credential exposure (CRITICAL)
1. CSP compliance
2. Prohibited terms
3. Test requirements

✅ Enhanced Deployment Script:
- Added confidential document check to deploy.sh
- Scans public/ and docs/ before deployment
- Blocks deployment if confidential markers found

✅ Updated Enforcement Map:
- Added all new mechanisms to audit-enforcement.js
- Updated inst_008_CONSOLIDATED mapping
- New mappings: inst_012, inst_015, inst_016, inst_017, inst_018, inst_069, inst_070

📊 Enforcement Progress:
- Wave 1: 11/39 imperative instructions enforced (28%)
- Wave 2: 18/39 imperative instructions enforced (46%)
- Improvement: +7 instructions = +64% increase
- Remaining gaps: 21/39 (54%)

🎯 Next Priority Gaps:
- inst_013/043/045: API security validation
- inst_019: Context pressure comprehensive accounting
- inst_025: Deployment file mapping
- inst_039/040: Batch operation verification
- inst_079/080/081: Values/principles (process-based)

🔒 Security Posture:
- CRITICAL security checks now run first (credential exposure)
- All text files scanned before commit
- All deployment candidates scanned before rsync

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

2025-10-25 13:26:33 +13:00

2 commits