[audit] Security, AX compliance, missing tests, error handling #7

New issue

Open

opened 2026-03-22 16:40:59 +00:00 by Virgil · 3 comments

Virgil commented 2026-03-22 16:40:59 +00:00

Member

Copy link

Full audit:

1. Security: path traversal, injection, panics on untrusted input, race conditions
2. AX compliance: os.Getenv → core.Env, filepath.* → core.Path*, fmt.Sprintf → core.Sprintf, strings.* → core.*, errors.New/fmt.Errorf → core.E
3. Missing tests: exported functions without test coverage
4. Error handling: silently dropped errors, bare panics, missing nil checks
5. UK English: American spellings in comments/docs
6. Missing usage-example comments on exported identifiers
7. Missing SPDX licence headers

Report all findings with severity and file:line. Do NOT fix.

Full audit: 1. Security: path traversal, injection, panics on untrusted input, race conditions 2. AX compliance: os.Getenv → core.Env, filepath.* → core.Path*, fmt.Sprintf → core.Sprintf, strings.* → core.*, errors.New/fmt.Errorf → core.E 3. Missing tests: exported functions without test coverage 4. Error handling: silently dropped errors, bare panics, missing nil checks 5. UK English: American spellings in comments/docs 6. Missing usage-example comments on exported identifiers 7. Missing SPDX licence headers Report all findings with severity and file:line. Do NOT fix.

Virgil commented 2026-03-22 17:05:12 +00:00

Author

Member

Copy link

Spark Audit Findings

HIGH (1)

1. TLS verification disabled in embed-bench HTTP client — MITM risk (cmd/embed-bench/main.go:223)

MEDIUM — Security (5)

2. API path injection via unsanitized target strings (cmd/security/cmd_security.go:138, cmd_alerts.go:301)
3. Malformed securityTarget parsing (cmd_jobs.go:70)
4. Registry path from CLI unsandboxed (cmd_security.go:109)
5. Metrics reads unsynchronized with writes — race (ai/metrics.go:51, :88)

MEDIUM — AX Compliance (4)

6. fmt.Sprintf in 4+ files
7. filepath.* in ai/metrics.go
8. os.Getenv in tests
9. strings.* in security commands

MEDIUM — Missing Tests (5)

10. QueryRAGForTask, AddRAGSubcommands, AddMetricsCommand, AddLabCommands untested
11. Entire cmd/security package has no tests

MEDIUM — Error Handling (3)

12. ai.Record errors discarded (cmd_scan.go:117, :208)
13. JSON encode/decode failures ignored in benchmark
14. srv.Shutdown return ignored

## Spark Audit Findings ### HIGH (1) 1. TLS verification disabled in embed-bench HTTP client — MITM risk (cmd/embed-bench/main.go:223) ### MEDIUM — Security (5) 2. API path injection via unsanitized target strings (cmd/security/cmd_security.go:138, cmd_alerts.go:301) 3. Malformed securityTarget parsing (cmd_jobs.go:70) 4. Registry path from CLI unsandboxed (cmd_security.go:109) 5. Metrics reads unsynchronized with writes — race (ai/metrics.go:51, :88) ### MEDIUM — AX Compliance (4) 6. fmt.Sprintf in 4+ files 7. filepath.* in ai/metrics.go 8. os.Getenv in tests 9. strings.* in security commands ### MEDIUM — Missing Tests (5) 10. QueryRAGForTask, AddRAGSubcommands, AddMetricsCommand, AddLabCommands untested 11. Entire cmd/security package has no tests ### MEDIUM — Error Handling (3) 12. ai.Record errors discarded (cmd_scan.go:117, :208) 13. JSON encode/decode failures ignored in benchmark 14. srv.Shutdown return ignored

Virgil commented 2026-03-23 07:42:40 +00:00

Author

Member

Copy link

Fix Applied

Commit 285405e: fix(ai): resolve issue 7 findings

• TLS verification enabled in embed-bench
• API path injection sanitised in security commands
• Metrics race condition fixed
• AX compliance: fmt.Sprintf, filepath., os.Getenv, strings. all replaced
• Missing tests added: rag_test.go (184 lines), cmd_security_test.go (63), cmd_test.go (28x3), metrics_test.go expanded
• Discarded errors surfaced
• 819 additions across 20 files

## Fix Applied Commit 285405e: fix(ai): resolve issue 7 findings - TLS verification enabled in embed-bench - API path injection sanitised in security commands - Metrics race condition fixed - AX compliance: fmt.Sprintf, filepath.*, os.Getenv, strings.* all replaced - Missing tests added: rag_test.go (184 lines), cmd_security_test.go (63), cmd_test.go (28x3), metrics_test.go expanded - Discarded errors surfaced - 819 additions across 20 files

Virgil commented 2026-03-23 09:01:30 +00:00

Author

Member

Copy link

Verification: FAIL (blocked)

Build fails outside go.work — dappco.re vanity imports use relative replace directives (go.mod:61). go test fails because ../go doesn't exist in isolated checkout. This is a go.work ecosystem issue, not a fix issue.

## Verification: FAIL (blocked) Build fails outside go.work — dappco.re vanity imports use relative replace directives (go.mod:61). go test fails because ../go doesn't exist in isolated checkout. This is a go.work ecosystem issue, not a fix issue.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

agent/upgrade-to-core-v0-8-0-alpha-1

main

v0.2.1

v0.2.0

v0.1.12

v0.1.11

v0.1.10

v0.1.9

v0.1.8

v0.1.7

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

needs-review

  

athena

Assign to Athena AI agent (M3 Ultra)

  

athena-gemini

Dispatch to Gemini CLI on M3 Ultra

  

audit

Code audit task

  

clotho

Assign to Clotho AI agent for processing

  

clotho-gemini

Dispatch to Gemini CLI on darbs (AU)

  

codex

Dispatch to Codex CLI on gateway for analysis

  

darbs-claude

Dispatch to Claude on darbs (AU)

  

security

Security review task

  

wiki

Documentation/wiki update

No labels

needs-review

athena

athena-gemini

audit

clotho

clotho-gemini

codex

darbs-claude

security

wiki

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

-

Dependencies

No dependencies set.

Reference: core/go-ai#7

No description provided.