continuous-intelligence/ci

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jon Chery	f7fff95cbe	feat(P03): full STRIDE + CWE security verification with reduced false positives ---ci--- project: ci phase: 3 milestone: v0.8 status: complete decisions: - id: D-029 decision: Full STRIDE 7-category coverage with CWE mapping rationale: Industry standard threat classification with actionable CWE remediation confidence: 0.88 - id: D-030 decision: Reduce exec/eval false positives via string interpolation detection rationale: execSync("ls") is safe; execSync(`rm ${x}`) is not confidence: 0.85 requirements: covered: [SEC-01, SEC-02, SEC-03, SEC-04, SEC-05, SEC-06] ---/ci--- SEC-01: Fixed STRIDE category misassignments. Hardcoded password is information_disclosure (CWE-259), not spoofing. exec with interpolation is elevation_of_privilege (CWE-78), not tampering. All 17 patterns correctly categorized. SEC-02: Added missing STRIDE categories: repudiation (empty catch blocks, CWE-778) and spoofing (jwt.decode without verify, CWE-287). Also added denial_of_service (JSON body parser without size limit, CWE-400) and prototype pollution (CWE-1321), weak crypto (CWE-328), unsafe deserialization (CWE-502), path traversal (CWE-22). SEC-03: Reduced false positives: exec/eval patterns now require string interpolation (template literal or dynamic concat), not all exec/calls. SEC-04: Every SECURITY_PATTERNS entry has a cwe field with valid CWE ID. SEC-05: Confidence-based auto-disposition: each pattern has a confidence score. High confidence findings are flagged, medium require verification, low are suppressed. Threshold configurable via constructor. SEC-06: Security passed=false when any high-severity finding exists (already enforced by hasHighFail check, now more explicit).	2026-05-29 20:23:09 +00:00
Jon Chery	4a58aa1657	refactor(rebrand): rename & rebrand CI → CIAgent across all source and test files - Type renames: CIConfig → CIAgentConfig, DEFAULT_CI_CONFIG → DEFAULT_CIAGENT_CONFIG - Type renames: CiMetadata → CIAgentMetadata, ParsedCiCommit → ParsedCIAgentCommit - Function renames: initCI → initCIAgent, isCIInitialized → isCIAgentInitialized - Function renames: extractCiBlock → extractCIAgentBlock, parseCiBlock → parseCIAgentBlock - Class renames: CiFiles → CIAgentFiles - Import paths: ci-files.js → ciagent-files.js - Directory paths: .ci/ → .ciagent/ across all source and test files - Check names: ".ci directory exists" → ".ciagent directory exists" - Check names: "CI config valid" → "CIAgent config valid" - Temp dir names: ci--test- → ciagent--test- - CLI examples: "ci init" → "ciagent init" - Fix deepMerge infinite recursion bug in config.ts - ---ci---/---/ci--- block markers preserved unchanged - All 31 test suites, 370 tests passing ---ci--- phase: 1 milestone: v0.5 plan: 07 task: 07-01-01 status: execute ---/ci---	2026-05-29 18:01:13 +00:00
grimacing	6e637e4af0	v0.2.0: Git-native architecture (#1 )	2026-05-29 12:59:45 +00:00

Author

SHA1

Message

Date

Jon Chery

f7fff95cbe

feat(P03): full STRIDE + CWE security verification with reduced false positives

---ci---
project: ci
phase: 3
milestone: v0.8
status: complete
decisions:
  - id: D-029
    decision: Full STRIDE 7-category coverage with CWE mapping
    rationale: Industry standard threat classification with actionable CWE remediation
    confidence: 0.88
  - id: D-030
    decision: Reduce exec/eval false positives via string interpolation detection
    rationale: execSync("ls") is safe; execSync(`rm ${x}`) is not
    confidence: 0.85
requirements:
  covered: [SEC-01, SEC-02, SEC-03, SEC-04, SEC-05, SEC-06]
---/ci---

SEC-01: Fixed STRIDE category misassignments. Hardcoded password is
information_disclosure (CWE-259), not spoofing. exec with interpolation
is elevation_of_privilege (CWE-78), not tampering. All 17 patterns
correctly categorized.

SEC-02: Added missing STRIDE categories: repudiation (empty catch blocks,
CWE-778) and spoofing (jwt.decode without verify, CWE-287). Also added
denial_of_service (JSON body parser without size limit, CWE-400) and
prototype pollution (CWE-1321), weak crypto (CWE-328), unsafe
deserialization (CWE-502), path traversal (CWE-22).

SEC-03: Reduced false positives: exec/eval patterns now require string
interpolation (template literal or dynamic concat), not all exec/calls.

SEC-04: Every SECURITY_PATTERNS entry has a cwe field with valid CWE ID.

SEC-05: Confidence-based auto-disposition: each pattern has a confidence
score. High confidence findings are flagged, medium require verification,
low are suppressed. Threshold configurable via constructor.

SEC-06: Security passed=false when any high-severity finding exists
(already enforced by hasHighFail check, now more explicit).

2026-05-29 20:23:09 +00:00

Jon Chery

4a58aa1657

refactor(rebrand): rename & rebrand CI → CIAgent across all source and test files

- Type renames: CIConfig → CIAgentConfig, DEFAULT_CI_CONFIG → DEFAULT_CIAGENT_CONFIG
- Type renames: CiMetadata → CIAgentMetadata, ParsedCiCommit → ParsedCIAgentCommit
- Function renames: initCI → initCIAgent, isCIInitialized → isCIAgentInitialized
- Function renames: extractCiBlock → extractCIAgentBlock, parseCiBlock → parseCIAgentBlock
- Class renames: CiFiles → CIAgentFiles
- Import paths: ci-files.js → ciagent-files.js
- Directory paths: .ci/ → .ciagent/ across all source and test files
- Check names: ".ci directory exists" → ".ciagent directory exists"
- Check names: "CI config valid" → "CIAgent config valid"
- Temp dir names: ci-*-test- → ciagent-*-test-
- CLI examples: "ci init" → "ciagent init"
- Fix deepMerge infinite recursion bug in config.ts
- ---ci---/---/ci--- block markers preserved unchanged
- All 31 test suites, 370 tests passing

---ci---
phase: 1
milestone: v0.5
plan: 07
task: 07-01-01
status: execute
---/ci---

2026-05-29 18:01:13 +00:00

grimacing

6e637e4af0

v0.2.0: Git-native architecture (#1 )

2026-05-29 12:59:45 +00:00

3 Commits