docs(security): Shell-runtime trust model + GH-004 reframe (Phase C, C5) #217
Merged
Monster Phase C, item C5. Decision: document Shell = trusted. ADRs were removed from this repo (#153), so this is a regular doc, not an ADR. docs/runtime-trust-model.md states the trust boundary: the Shell runtime is not a security sandbox (it runs trusted repo code with the invoking user's privileges; use a container runtime for untrusted pipelines), while Sykli's own file operations stay path-contained. GH-4 reframed: instead of asserting a shell command can't read /etc/passwd (which the Shell runtime cannot prevent and does not claim to), it asserts Sykli's own containment — a success_criteria path that traverses the workdir is rejected ("path escapes task workdir"). Retires the LAST expected_failure case; the black-box suite is now 167 passed / 0 expected-red / 0 failed. Closes #209. (.gitignore: docs/ is an allowlist; added !docs/runtime-trust-model.md so the new doc is actually tracked.) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Monster Phase C — item C5 from docs/audit-2026-05-22.md. Decision: document Shell = trusted.
Note on "ADR"
The option was framed as an ADR, but ADRs were intentionally removed from this repo (#153, "remove ADR system"). So this is a regular doc — re-establishing docs/adr/ would contradict that decision. The substance (document the trust model) is unchanged.
Changes
docs/runtime-trust-model.md (new): the Shell runtime is not a security sandbox — it runs trusted repo code with the invoking user's privileges; untrusted pipelines need a container runtime. Sykli's own file ops (copy, mounts, success_criteria/evidence_required paths) stay path-contained (Path.expand + path_within? + symlink rejection).
success_criteria path that traverses the workdir is rejected at runtime (resolve_criterion_path → path escapes task workdir), proving the engine contains its own file access. The old case asserted command-sandboxing the Shell runtime never provided. Fixture renamed path_traversal_command → path_traversal_criterion.
Milestone
GH-4 was the last expected_failure case. The black-box suite is now 167 passed / 0 expected-red / 0 failed — zero known-broken cases (the audit's original 12 flags are all resolved across phases A, B, and C).
Note
.gitignore uses a docs allowlist; added !docs/runtime-trust-model.md so the new doc is actually tracked (same trap as the Phase A untracked files).
Verification
No Elixir source changed. Black-box: all 167 pass, 0 expected-red. JSON dataset validated.
🤖 Generated with Claude Code
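The containment check the description names (Path.expand + path_within? + symlink rejection), as an added example that is not Sykli's own code. The function names are borrowed from the PR text, but their bodies, the ContainmentExample module, the symlink error string and the sample paths are assumptions made for illustration.

```elixir
defmodule ContainmentExample do
  # Hypothetical helper: true when `path` is `root` itself or lies beneath it.
  # Comparing split segments (not string prefixes) keeps "/work/task-evil"
  # from passing as a child of "/work/task".
  def path_within?(path, root) do
    List.starts_with?(Path.split(path), Path.split(root))
  end

  # Resolve a criterion path relative to the task workdir and reject anything
  # that lands outside it or passes through a symlink below the workdir.
  def resolve_criterion_path(workdir, rel) do
    root = Path.expand(workdir)
    # Path.expand collapses ".." segments; an absolute `rel` ignores `root`.
    full = Path.expand(rel, root)

    cond do
      not path_within?(full, root) -> {:error, "path escapes task workdir"}
      symlink_below?(full, root) -> {:error, "symlink in criterion path"}
      true -> {:ok, full}
    end
  end

  # Path.expand is purely lexical, so a symlink inside the workdir could still
  # point outside it. lstat every component below the root and reject links.
  defp symlink_below?(full, root) do
    full
    |> Path.relative_to(root)
    |> Path.split()
    |> Enum.scan(root, fn seg, acc -> Path.join(acc, seg) end)
    |> Enum.any?(fn p ->
      match?({:ok, %File.Stat{type: :symlink}}, File.lstat(p))
    end)
  end
end

# Constructed sample inputs: one contained path, three that must be rejected.
workdir = "/tmp/sykli-demo/task"

for rel <- ["out/report.json", "../../etc/passwd", "/etc/passwd", "../task-evil/x"] do
  IO.inspect({rel, ContainmentExample.resolve_criterion_path(workdir, rel)})
end
```

A shell command run by the task is outside this check entirely, which is the boundary the new doc states: the engine contains its own file access, not the commands it launches.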