e4d80ed556
CI: restore main detect-secrets scan ( #38438 )
...
* Tests: stabilize detect-secrets fixtures
* Tests: fix rebased detect-secrets false positives
* Docs: keep snippets valid under detect-secrets
* Tests: finalize detect-secrets false-positive fixes
* Tests: reduce detect-secrets false positives
* Tests: keep detect-secrets pragmas inline
* Tests: remediate next detect-secrets batch
* Tests: tighten detect-secrets allowlists
* Tests: stabilize detect-secrets formatter drift
2026-03-07 10:06:35 -08:00
44820dcead
fix(hooks): gate methods before auth lockout accounting
2026-03-07 18:05:09 +00:00
262fef6ac8
fix(discord): honor commands.allowFrom in guild slash auth ( #38794 )
...
* fix(discord): honor commands.allowFrom in guild slash auth
* Update native-command.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update native-command.commands-allowfrom.test.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix(discord): address slash auth review feedback
* test(discord): add slash auth coverage for allowFrom variants
* fix: add changelog entry for discord slash auth fix (#38794 ) (thanks @jskoiz)
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Shadow <hi@shadowing.dev>
2026-03-07 12:03:52 -06:00
278e5220ec
test: narrow pairing setup helper token type
2026-03-07 17:58:31 +00:00
9dc759023b
refactor(agents): share skill plugin fixture writer in tests
2026-03-07 17:58:31 +00:00
7eb48d3cf8
refactor(auto-reply): share discord auth registry test fixture
2026-03-07 17:58:31 +00:00
ce9719c654
refactor(test-utils): share direct channel plugin test fixture
2026-03-07 17:58:31 +00:00
5f56333016
refactor(commands): dedupe config-only channel status fixtures
2026-03-07 17:58:31 +00:00
bcb587a3bc
refactor(commands): dedupe channel plugin test fixture builders
2026-03-07 17:58:31 +00:00
66de964c59
refactor(tui): dedupe mode-specific exec secret fixtures
2026-03-07 17:58:31 +00:00
e60b28fd1f
refactor(tui): dedupe gateway token resolution path
2026-03-07 17:58:31 +00:00
a96ef12061
refactor(memory): dedupe local embedding init concurrency fixtures
2026-03-07 17:58:31 +00:00
72df4bd624
refactor(web): dedupe self-chat response-prefix tests
2026-03-07 17:58:31 +00:00
7e94dec679
refactor(pairing): dedupe inferred auth token fixtures
2026-03-07 17:58:31 +00:00
19245dd547
refactor(gateway): dedupe blocked chat reply mock setup
2026-03-07 17:58:31 +00:00
4cdf867cb1
refactor(gateway): dedupe maintenance timer test setup
2026-03-07 17:58:31 +00:00
0de6778f13
refactor(gateway): dedupe legacy migration validation assertions
2026-03-07 17:58:31 +00:00
f7a7f08e15
refactor(gateway): dedupe probe route assertion loops
2026-03-07 17:58:31 +00:00
25efbdafce
refactor(gateway): dedupe missing-local-token fixture tests
2026-03-07 17:58:31 +00:00
49df8ab7b6
refactor(gateway): dedupe invalid image request assertions
2026-03-07 17:58:31 +00:00
b7733d6f5c
refactor(agents): dedupe oauth token env setup tests
2026-03-07 17:58:31 +00:00
ca49372a8d
refactor(agents): dedupe anthropic turn validation fixtures
2026-03-07 17:58:31 +00:00
02b3e85eac
refactor(agents): dedupe embedded fallback e2e helpers
2026-03-07 17:58:31 +00:00
2d4a0c79a3
refactor(agents): dedupe nodes photos_latest camera tests
2026-03-07 17:58:31 +00:00
2891c6c93c
refactor(agents): dedupe model fallback probe failure tests
2026-03-07 17:58:31 +00:00
e41613f6ec
refactor(agents): dedupe kilocode fetch-path tests
2026-03-07 17:58:31 +00:00
53c1ae229f
refactor(agents): dedupe minimax api-key normalization tests
2026-03-07 17:58:31 +00:00
4e8fcc1d3d
refactor(cli): dedupe command secret gateway env fixtures
2026-03-07 17:58:31 +00:00
c1a8f8150e
refactor(commands): dedupe gateway status token secret fixtures
2026-03-07 17:58:31 +00:00
4113a0f39e
refactor(gateway): dedupe readiness healthy snapshot fixtures
2026-03-07 17:58:31 +00:00
c5bb6db85b
refactor(cron): share isolated-agent turn core test setup
2026-03-07 17:58:31 +00:00
41e0c35b61
refactor(cron): reuse cron job builder in issue-13992 tests
2026-03-07 17:58:31 +00:00
90a41aa1f7
refactor(discord): dedupe resolve channels fallback tests
2026-03-07 17:58:31 +00:00
1fc11ea7d8
refactor(daemon): dedupe systemd restart test scaffolding
2026-03-07 17:58:30 +00:00
a31d3cad96
refactor(fetch-guard): clarify cross-origin redirect header filtering
2026-03-07 17:58:05 +00:00
7735a0b85c
fix(security): use icacls /sid for locale-independent Windows ACL audit ( #38900 )
...
* fix(security): use icacls /sid for locale-independent Windows ACL audit
On non-English Windows editions (Russian, Chinese, etc.) icacls prints
account names in the system locale. When Node.js reads the output in a
different code page the strings are garbled (e.g. "NT AUTHORITY\???????"
for "NT AUTHORITY\СИСТЕМА"), causing summarizeWindowsAcl to classify SYSTEM
and Administrators as untrusted and flag the config files as "others
writable" — a false-positive security alert.
Fix:
1. Pass /sid to icacls so it outputs security identifiers (*S-1-5-X-...)
instead of locale-dependent account names.
2. Extend SID_RE to accept the leading * that icacls prepends to SIDs in
/sid mode: /^\*?s-\d+-\d+(-\d+)+$/i
3. Strip the * before looking up the bare SID in TRUSTED_SIDS / the
per-user USERSID set so *S-1-5-18 is correctly classified as SYSTEM
(trusted) and *S-1-5-32-544 as Administrators (trusted).
Tests:
- Update the inspectWindowsAcl "returns parsed ACL entries" assertion to
expect the /sid flag in the icacls call.
- Add "classifies *S-1-5-18 (icacls /sid prefix form of SYSTEM) as trusted"
SID classification test.
- Add "classifies *S-1-5-32-544 (icacls /sid Administrators) as trusted".
- Add inspectWindowsAcl end-to-end test with /sid-format mock output
(*S-1-5-18, *S-1-5-32-544, user SID) — all three classified as trusted.
Fixes #35834
* fix(security): classify world-equivalent SIDs as 'world' when using icacls /sid
When icacls is invoked with /sid, world-equivalent principals like
Everyone, Authenticated Users, and BUILTIN\Users are emitted as raw
SIDs (*S-1-1-0, *S-1-5-11, *S-1-5-32-545). classifyPrincipal() had
no SID-based mapping for these, so they fell through to the generic
'group' category instead of 'world', silently downgrading security
findings that should trigger world-write/world-readable alerts.
Fix: add a WORLD_SIDS constant and check it before falling back to
'group'. Add three regression tests to lock in the behaviour.
* Security: resolve owner SID fallback for Windows ACL audit
---------
Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-07 12:49:33 -05:00
46715371b0
fix(security): strip custom auth headers on cross-origin redirects
2026-03-07 17:34:42 +00:00
8e20dd22d8
Secrets: harden SecretRef-safe models.json persistence ( #38955 )
2026-03-07 11:28:39 -06:00
6f3990ddca
refactor(commands): dedupe onboard search perplexity test setup
2026-03-07 17:05:23 +00:00
8e6acded82
refactor(commands): dedupe message command secret-config tests
2026-03-07 17:05:23 +00:00
0a73328053
refactor(cli): dedupe restart health probe setup tests
2026-03-07 17:05:23 +00:00
8fd043abac
refactor(cron): dedupe interim retry fallback assertions
2026-03-07 17:05:23 +00:00
d103918891
refactor(commands): dedupe model probe target test fixtures
2026-03-07 17:05:23 +00:00
bffec0f5d5
refactor(discord): dedupe message preflight test runners
2026-03-07 17:05:23 +00:00
9849ee8390
refactor(discord): share message handler test scaffolding
2026-03-07 17:05:23 +00:00
3381efc5c1
refactor(discord): dedupe native command ACP routing test setup
2026-03-07 17:05:23 +00:00
949beca0c2
refactor(slack): dedupe app mention in-flight race setup
2026-03-07 17:05:23 +00:00
d33efeef10
refactor(slack): reuse shared prepare test scaffolding
2026-03-07 17:05:23 +00:00
08aae60dc9
refactor(plugin-sdk): extract shared channel prelude exports
2026-03-07 17:05:23 +00:00
969b9029c0
refactor(slack): dedupe app mention race test setup
2026-03-07 17:05:23 +00:00
Vincent Koc
Peter Steinberger
jsk
Byungsker
Josh Avant