audit: Wave 2 Batch 2 — rule-traversal + rule-sql + rule-crypto #61
Merged
Nelson Spence (Fieldnote-Echo) merged 5 commits into main, Mar 14, 2026
Conversation
Closes SR-02 gaps with Tier A evidence for rule-traversal (3 regexes), rule-sql (4 patterns incl. _PERCENT_SQL/_CONCAT_SQL primary targets), and rule-crypto (random pattern). Closes SR-01 gap for rule-crypto (RC4, ARC4, Blowfish, random.random/choice/getrandbits now tested). Adds 1MB long-line tolerance tests and safe-negative specificity anchors. All SQL ReDoS tests pass — no backtracking vulnerability found. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
SR checklist: 7/9 PASS, 1 N/A (SR-06), 1 Partial (SR-09). Overall: 7.4/10 Adequate (provisional). One LOW finding (F-TRV-001): fixture matrix edge-case gaps. Dim 4 at 6 — ReDoS proven on 2 quantifier-bearing patterns, _TRAVERSAL_RE structurally immune (no quantifiers). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
SR checklist: 7/9 PASS, 1 N/A (SR-06), 1 Partial (SR-09). Overall: 7.4/10 Adequate (provisional). One LOW finding (F-SQL-001): fixture matrix missing near-miss negatives. SR-02 PRIMARY STRESS TEST PASSED: _PERCENT_SQL and _CONCAT_SQL with .*\b...\b.* structure do not exhibit catastrophic backtracking. Dim 4 at 6 — strongest adversarial suite in batch (5 tests) but coverage is narrow (ReDoS only). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
SR checklist: 7/9 PASS, 1 N/A (SR-06), 1 Partial (SR-09). Overall: 7.5/10 Adequate (provisional). One LOW finding (F-CRY-001): missing context-sensitive negatives. Dim 4 at 6 — all patterns structurally safe. Dim 5 at 7 — pattern-specific messages with remediation guidance. Dim 6 at 8 — strongest test coverage in batch (24 tests, all 7 entries + all 6 random variants proven). _in_tests_dir() confirmed as established convention (3 rules), not ownership drift — documented as Dim 7 design observation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Mark rule-traversal (7.4), rule-sql (7.4), rule-crypto (7.5) as CURRENT. Add cross-unit audit entry. 15/30 units now CURRENT — halfway mark reached. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Navi Bot (project-navi-bot), Collaborator, approved these changes on Mar 14, 2026:
All required CI checks passed. Auto-approved by navi-bot.
Contributor comment:
✅ Grippy Review — PASS | Score: 94/100 | Findings: 3 | Delta: 3 new | Commit: 68e2fd1
Summary

- `_PERCENT_SQL` and `_CONCAT_SQL` in rule-sql use `.*\b...\b.*` structure — the adversarial evidence supports the pattern-safety argument (all pass under 5s timeout with 100K-char inputs)

What changed

Commit 1: Tests (evidence generation)

Commits 2-4: Scorecards
- `ctx.added_lines_for()` — design note, not drift
- `.*\b...\b.*` does not backtrack
- `_in_tests_dir()` confirmed as 3-rule convention, not ownership drift

Commit 5: FRESHNESS.md

Calibration checkpoint

- `_in_tests_dir()` grounded — established convention across 3 rules (weak_crypto, secrets, creds), not engine-level concern

Test plan

- `uv run ruff check src/grippy/ tests/` — all clean
- `uv run ruff format --check src/grippy/ tests/` — all clean
- `uv run mypy src/grippy/` — 0 issues
- `uv run pytest tests/ -v` — 1075 passed, 0 failures
- `uv run pre-commit run --all-files` — all passed

🤖 Generated with Claude Code
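The PR's ReDoS argument has two halves: a rule regex with no quantifiers (the `_TRAVERSAL_RE` case) is structurally immune, and a quantifier-bearing rule of the `.*\b...\b.*` shape has to be measured against large near-miss inputs under a time budget. The script below is an added example of how to automate both halves, written for this review and not taken from the grippy project. The real `_TRAVERSAL_RE`, `_PERCENT_SQL` and `_CONCAT_SQL` patterns are not reproduced on this page, so the sample patterns, the near-miss input generators, and the `(a+)+$` contrast case are constructed stand-ins; the structural pass walks the parse tree produced by Python's own `re` parser (`re._parser`, formerly `sre_parse`).

```python
"""ReDoS screening for detection-rule regexes: a structural pass that
mirrors the "no quantifiers => structurally immune" argument, plus an
empirical timing probe for quantifier-bearing patterns.

Added example, not grippy project code. The patterns below are
constructed stand-ins for the shapes named in the PR; the real
_TRAVERSAL_RE, _PERCENT_SQL and _CONCAT_SQL are not on the page.
"""
import re
import time
from collections.abc import Callable

try:
    from re import _parser as sre_parser  # Python 3.11+
except ImportError:  # pragma: no cover
    import sre_parse as sre_parser  # type: ignore[no-redef]

REPEAT_OPS = {"MAX_REPEAT", "MIN_REPEAT", "POSSESSIVE_REPEAT"}


def quantifier_profile(pattern: str) -> tuple[int, int]:
    """Return (quantifier_count, max_nesting_depth) for a regex.

    Depth 0: no quantifier, nothing for the engine to backtrack over.
    Depth >= 2: a quantified group that itself contains a quantifier,
    the textbook catastrophic-backtracking shape.
    """
    count, max_depth = 0, 0

    def walk(node, depth: int) -> None:
        nonlocal count, max_depth
        for op, av in node:
            name = op.name
            if name in REPEAT_OPS:                  # av = (min, max, body)
                count += 1
                max_depth = max(max_depth, depth + 1)
                walk(av[2], depth + 1)
            elif name == "SUBPATTERN":              # av = (..., body)
                walk(av[-1], depth)
            elif name == "BRANCH":                  # av = (None, [alt, ...])
                for alternative in av[1]:
                    walk(alternative, depth)
            elif name in ("ASSERT", "ASSERT_NOT"):  # av = (direction, body)
                walk(av[1], depth)
            elif name == "ATOMIC_GROUP":            # av = body (3.11+)
                walk(av, depth)
            # LITERAL, ANY, IN, AT (\b, $) and GROUPREF are leaves

    walk(sre_parser.parse(pattern), 0)
    return count, max_depth


def structural_verdict(pattern: str) -> str:
    """Classify a pattern before spending any CPU on it."""
    count, depth = quantifier_profile(pattern)
    if count == 0:
        return "immune"       # e.g. a plain "../" literal
    if depth >= 2:
        return "nested"       # redesign, or prove safety explicitly
    return "stress-test"      # single-level quantifiers: measure them


def stress_search(pattern: str, text: str) -> tuple[bool, float]:
    """Run re.search once; return (matched, elapsed_seconds)."""
    rx = re.compile(pattern)
    start = time.perf_counter()
    matched = rx.search(text) is not None
    return matched, time.perf_counter() - start


def growth_ratio(pattern: str, make_input: Callable[[int], str],
                 n: int) -> float:
    """Elapsed time at size 2n over size n: ~2 linear, ~4 quadratic,
    far higher for exponential backtracking. Keep n small for suspects."""
    _, t1 = stress_search(pattern, make_input(n))
    _, t2 = stress_search(pattern, make_input(2 * n))
    return t2 / max(t1, 1e-9)


# Constructed stand-ins for the three rule shapes discussed in the PR.
SAMPLE_PATTERNS = {
    "traversal-like": r"\.\.[/\\]",       # no quantifier at all
    "sql-like": r".*\bSELECT\b.*",        # the .*\b...\b.* shape
    "nested-demo": r"(a+)+$",             # textbook ReDoS, for contrast
}


def sql_near_miss(n: int) -> str:
    """Keyword present n times but never at a word boundary: the boundary
    after SELECT always fails, so the engine has to try every position."""
    return "SELECTx " * n


def nested_near_miss(n: int) -> str:
    """All a's then a character that defeats $, forcing full backtracking."""
    return "a" * n + "!"


def report() -> dict[str, str]:
    """Structural verdict for each constructed sample."""
    return {name: structural_verdict(p) for name, p in SAMPLE_PATTERNS.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:15s} {verdict}")
    # Near-miss inputs at small sizes; a ratio near 2 or 4 is benign,
    # a ratio in the hundreds is the exponential signature.
    print("sql-like growth ratio:",
          round(growth_ratio(SAMPLE_PATTERNS["sql-like"], sql_near_miss, 250), 1))
    print("nested-demo growth ratio:",
          round(growth_ratio(SAMPLE_PATTERNS["nested-demo"], nested_near_miss, 10), 1))
```

The structural pass is the cheap gate: anything it marks `immune` needs no timing evidence, anything marked `nested` should be rewritten rather than benchmarked, and only the `stress-test` bucket gets the near-miss inputs and a wall-clock budget. Keep the sizes in `growth_ratio` small for patterns you have not classified yet, because a genuinely exponential pattern will not return in time to be measured.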