You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Building on the recent daemon-hardening work (issues #142, #143; draft PRs #144, #145, #146), here is a consolidated, grounded roadmap of the remaining solid hardening/robustness pathways. Opening as a single tracking issue since contributions are frozen until July per CONTRIBUTING — happy to split into per-item issues, re-sequence, or hold entirely per your preference.
Index-backed get_session — crates/coven-cli/src/store.rs:544 loads every session (incl. archived) and .find()s in Rust: an O(n) scan + full deserialize on each per-session API op. Replace with SELECT … WHERE id = ?1.
SQLite WAL + busy_timeout — no journal_mode/busy_timeout is set, so concurrent API/session connections risk database is locked and reader/writer stalls. Set journal_mode=WAL + a busy_timeout at connection open.
Tier 2 — secure & complete the Windows transport (after CI)
.cmd argument-injection hardening — on Windows the harness resolves to a .cmd shim and portable-pty doesn't neutralize cmd.exe metacharacters, so a request prompt reaching argv is a latent injection. (conversation.id already hardened in [prototype] Windows daemon support via named pipes #146.)
Windows pipe owner-only security descriptor — the named pipe is bound with the OS default DACL, not the Unix 0600 owner-only gate. Set an owner-SID SD, or move to AF_UNIX (Win10 1803+).
Context
Building on the recent daemon-hardening work (issues #142, #143; draft PRs #144, #145, #146), here is a consolidated, grounded roadmap of the remaining solid hardening/robustness pathways. Opening as a single tracking issue since contributions are frozen until July per CONTRIBUTING — happy to split into per-item issues, re-sequence, or hold entirely per your preference.
Already in-flight (draft PRs, freeze-acknowledged)
COVEN_HOME/ non-socket socket path.Host/Originguard; includes a fix for a127.evil.com-style prefix bypass in the loopback check.conversation.idto a shell-safe charset and documents a Windows pipe access-control gap.Proposed roadmap
Tier 1 — independent, high-value, low-risk
get_session—crates/coven-cli/src/store.rs:544loads every session (incl. archived) and.find()s in Rust: an O(n) scan + full deserialize on each per-session API op. Replace withSELECT … WHERE id = ?1.busy_timeout— nojournal_mode/busy_timeoutis set, so concurrent API/session connections riskdatabase is lockedand reader/writer stalls. Setjournal_mode=WAL+ abusy_timeoutat connection open..github/workflows/ci.ymlrunsubuntu-latestonly, so the#[cfg(windows)]daemon ([prototype] Windows daemon support via named pipes #146) is never built or tested in CI. Add awindows-latestmatrix leg.COVEN_HOME/socket (geteuidvsMetadataExt::uid).Tier 2 — secure & complete the Windows transport (after CI)
.cmdargument-injection hardening — on Windows the harness resolves to a.cmdshim andportable-ptydoesn't neutralize cmd.exe metacharacters, so a requestpromptreaching argv is a latent injection. (conversation.idalready hardened in [prototype] Windows daemon support via named pipes #146.)kill(2)status/stop path.PipedKilleris Unix-only (setsid+kill(-pid)); Windows needs a Job Object to reap the PTY child tree.Tier 3 — hygiene & robustness
cargo-deny) in CI — advisories/licenses/bans; the dependency tree grew withinterprocess.MAX_TCP_BODY_BYTES/TCP_IO_TIMEOUT.Suggested sequence: 1 → 2 → 3 → (4 / 9 / 10 in parallel) → 5 → 7 → 8 → 6.