Sensitive-boundary code health
Status: Open — split out from Codebase health: Rust strictness, structure, and AI reviewability so routine code-health work can be analyzed without loading credential, secret, supply-chain, and control-surface details.
Why this is separate
Anthropic's Fable 5 launch notes and redeployment notes describe broad safeguards that fall back on cybersecurity-related requests, intentionally including ambiguous benign work. This page therefore owns jackin❯ code-health work whose subject matter is sensitive-boundary: credential flow, redaction, host/control boundaries, workflow and dependency hardening, and supply-chain provenance. Routine linting, module extraction, tests, docs freshness, performance budgets, and telemetry shape stay in the code-health item.
Scope boundary
Keep this page as the source of truth for sensitive-boundary enforcement items that would otherwise make routine code-health planning trigger model safeguards. Do not duplicate the full code-health program here; link back to the routine page for Rust strictness, restructuring, deterministic tests, perf budgets, docs drift, and agent-feedback loops.
Work moved from routine code health
Toolchain, workflow, and supply-chain canaries
- Workflow security lint. Add zizmor beside the existing
actionlintgate: template injection, credential persistence, mutableuses:references, and excessivepermissions:across.github/workflows/. The workflows are code an agent edits; lint them like code. - Secret scanning. Run gitleaks over the tree and each PR's commits. jackin❯ forwards real credentials (
op,gh, agent auth) through env and config surfaces, and agent-authored fixtures are the likeliest leak vector; a committed token is a revocation incident even when review catches it. - Dependency review beyond advisories.
cargo deny/cargo auditcatch known-bad dependencies; they say nothing about unreviewed code.crates/AGENTS.mdrecords a deliberate cargo-vet/cargo-crev no-adopt while jackin❯ is solo-maintainer; this item is that decision's named revisit trigger. Trial cargo-vet as an advisory lane in exemptions-heavy mode, importing shared audits so the marginal cost of an explicit audit record per new/updated dependency stays near zero. Promote to a gate only if audit-import coverage proves the burden negligible, and update the AGENTS entry when the trial starts. - Auditable binaries. Build releases with cargo-auditable so the exact dependency graph is embedded in the shipped binary and
cargo audit binworks on artifacts in the wild — the binary-side complement of the syft SBOM the release pipeline already produces. - License and advisory rationale. Require every non-Apache/MIT license exception and every advisory ignore to carry a rationale or grouped policy note so the current strict supply-chain posture stays reviewable.
- Transitive-unsafe dependency census. Run a pinned one-time or advisory
cargo geigercensus and document its scope, false positives, and revisit trigger. Then explicitly adopt a scheduled metric or record an evidence-backed no-adopt decision; first-partyunsafe_code = "forbid"does not cover dependency implementations.
Sensitive shared contracts
- Process execution boundary. Consolidate command-output wrappers for
op,gh, xtask, capsule probes, and runtime shell commands into one capture/timeout/retry/status/redaction model. Every call site that can handle protected values must use the shared boundary. - Agent auth/path contract. Define one declarative per-agent path and credential contract consumed by host provisioning and in-container setup, rather than duplicating agent config-dir rules across
jackin-instanceandjackin-capsule. - GitHub URL normalization. Move duplicated URL normalization and credential stripping into a lower-level shared utility with table tests.
- Security-specific dylint rules. Add first-party lints for direct process execution outside the boundary, telemetry/export calls that bypass the typed API, and schema/config fields that add a credential-bearing path without the matching schema and migration artifacts.
Executable security policy tests
- No silent host writes. Property/table tests over the mount planner and Docker-args builder: for arbitrary valid configs, generated mounts and writable paths never include host dotfiles,
.gitcontrol dirs, or host remotes unless the corresponding opt-in is set — and when it is set, the opt-in must be visible in the launch-summary model. The forbidden-path table lives in one source of truth shared between the test and the implementation. - Telemetry and error redaction. Golden/property tests feed canary credentials through launch/auth paths and assert credential-shaped strings never appear in
clog!/cdebug!output, error chains, diagnostics JSONL, or OTLP export. - Control-socket authorization. Tests pin who may connect/attach/displace and what an unauthenticated peer can observe, so a protocol refactor cannot silently widen the control surface.
- Credential env-only posture. Under hardened Docker profiles, prefer env-only or otherwise reduced credential exposure and emit a posture decision per agent auth type. Coordinate with Docker Runtime Hardening Contract and Container credential exposure.
- Shared sensitive-test fixtures. Once two or more launch, auth, or telemetry suites need them, provide one downward-only shared canary-secret corpus and sink-agnostic negative-assertion API in
jackin-test-support. Acceptance: console, capsule file, diagnostics JSONL, and OTLP conformance reuse the same corpus/assertions; a digit-only snapshot normalizer or an unused helper is not completion evidence.
Telemetry safety gates
- Redaction before every sink. One shared redaction layer ahead of console, file, and OTLP: key-pattern and value-pattern scrubbing, typed summaries instead of raw Docker inspect JSON / env arrays / generated Dockerfiles, artifact links for large payloads. The telemetry-redaction policy tests above are the gate.
- Conformance assertions for sensitive export. The telemetry conformance lane from routine Phase 8 must include negative assertions for protected values, bounded span-name cardinality, logs correlated to spans, and default-mode export volume within budget.
- Issue fingerprint hygiene. Error grouping must exclude container ids, run ids, paths, uids, and command text so one recurring failure is one issue with N events and no sensitive dynamic identifiers in the grouping key.
First-wave implementation plans
The detailed executor plans that include sensitive examples live under security-review/README.md. Keep those out of routine plans/ work so a code-health executor can work without loading them.
| Plan | Why it lives here |
|---|---|
Plan 001 | Clears a RustSec advisory and validates the dependency-policy lane |
Plan 002 | Fixes a diagnostics redaction gap for compound credential names |
Plan 005 | Moves forwarded credentials out of process argv |
Plan 006 | Hardens role-repo clone inputs and transport policy |
Relationship to existing security roadmap items
| Item | Relationship |
|---|---|
| Docker Runtime Hardening Contract | Runtime profile enforcement and credential env-only posture |
| Security Threat Model & Signed Releases | Release signing, provenance, SBOM, and in-process artifact verification |
| Open review findings | Catalog of accepted review findings; move rows here when they become planned security code-health work |
| Auth reliability and convenience program | Auth lifecycle, health, source folders, and live sync |
| Credential source pattern | Generalized credential representation across env, command, OS store, and file backends |
| Host bridge — secrets and approved host actions | Operator-mediated host actions and mid-session credential requests |
Research and prior art
- Claude Fable 5 and Claude Mythos 5 — documents Fable 5's broad classifiers, fallback behavior, and covered areas.
- Redeploying Fable 5 — documents the larger cybersecurity safety margin, benign false positives during routine coding/debugging, and why ambiguous defensive work can be routed away from Fable.
- zizmor — static security analysis for GitHub Actions workflows, complementing the
actionlintgate CI already runs. - gitleaks — secret scanning for credential surfaces.
- cargo-vet — dependency audit records with shared-audit imports.
- cargo-auditable — embeds the dependency list in release binaries so
cargo audit binworks on shipped artifacts.
Verification commands for roadmap edits
When this page or roadmap sidebar structure changes, run:
cargo xtask roadmap audit
cargo xtask docs repo-links
cargo xtask research check