[audit] Security, code quality, missing tests, error handling #6

New issue

Open

opened 2026-03-22 16:41:39 +00:00 by Virgil · 1 comment

Virgil commented 2026-03-22 16:41:39 +00:00

Member

Copy link

Full audit:

1. Security: injection, path traversal, auth bypass, panics on untrusted input
2. Code quality: missing types, dead code, unused exports
3. Missing tests: untested functions, edge cases
4. Error handling: silently dropped errors, missing nil checks
5. Documentation: missing CLAUDE.md, CODEX.md, usage examples
6. Licence: SPDX headers (EUPL-1.2)

Report all findings with severity and file:line. Do NOT fix.

Full audit: 1. Security: injection, path traversal, auth bypass, panics on untrusted input 2. Code quality: missing types, dead code, unused exports 3. Missing tests: untested functions, edge cases 4. Error handling: silently dropped errors, missing nil checks 5. Documentation: missing CLAUDE.md, CODEX.md, usage examples 6. Licence: SPDX headers (EUPL-1.2) Report all findings with severity and file:line. Do NOT fix.

Virgil commented 2026-03-22 19:11:38 +00:00

Author

Member

Copy link

Codex Audit Findings

HIGH (2)

1. MCP transports expose full surface without auth — HTTP disables auth when MCP_AUTH_TOKEN empty, TCP has no auth at all. File/agentic tools = remote filesystem access if bound beyond loopback (transport_http.go:34/:85, transport_tcp.go:62/:82)
2. agentic_prep_workspace trusts input.Repo as path segment — ../ escapes .core/workspace, clone targets arbitrary local paths. Persona and PlanTemplate also joined directly into filesystem paths (path traversal)

## Codex Audit Findings ### HIGH (2) 1. MCP transports expose full surface without auth — HTTP disables auth when MCP_AUTH_TOKEN empty, TCP has no auth at all. File/agentic tools = remote filesystem access if bound beyond loopback (transport_http.go:34/:85, transport_tcp.go:62/:82) 2. agentic_prep_workspace trusts input.Repo as path segment — ../ escapes .core/workspace, clone targets arbitrary local paths. Persona and PlanTemplate also joined directly into filesystem paths (path traversal)

Virgil referenced this issue 2026-03-23 14:33:48 +00:00

[agent/codex:gpt-5.3-codex-spark] Fix ALL findings from issue #6. Read CLAUDE.md. MCP transpor... #10

Virgil referenced this issue from a commit 2026-03-23 14:33:56 +00:00

Merge pull request '[agent/codex:gpt-5.3-codex-spark] Fix ALL findings from issue #6. Read CLAUDE.md. MCP transpor...' (#10) from agent/full-audit-per-issue--6--read-claude-md into dev

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

agent/read---spec-code-core-mcp-rfc-md-fully

agent/update-the-code-against-the-ax-design-pr

ax/review-fixes

main

v0.5.0-alpha.1

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

needs-review

  

needs-review

  

needs-review

  

needs-review

  

needs-review

  

needs-review

  

needs-review

  

athena

Assign to Athena AI agent (M3 Ultra)

  

athena-gemini

Dispatch to Gemini CLI on M3 Ultra

  

audit

Code audit task

  

clotho

Assign to Clotho AI agent for processing

  

clotho-gemini

Dispatch to Gemini CLI on darbs (AU)

  

codex

Dispatch to Codex CLI on gateway for analysis

  

darbs-claude

Dispatch to Claude on darbs (AU)

  

security

Security review task

  

wiki

Documentation/wiki update

No labels

needs-review

needs-review

needs-review

needs-review

needs-review

needs-review

needs-review

athena

athena-gemini

audit

clotho

clotho-gemini

codex

darbs-claude

security

wiki

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

-

Dependencies

No dependencies set.

Reference: core/mcp#6

No description provided.