backlog(B-0430): peer-call wrappers — CodeQL insecure-tmp-file across all 8 wrappers (substrate-consistent fix needed)#2951
Merged
AceHack merged 1 commit intoMay 13, 2026
Conversation
… all 8 wrappers (substrate-consistent fix needed) CodeQL alert #79 surfaced during PR #2949 review (B-0421 self-documenting failure marker on grok.ts). Pattern is pre-existing on main and identical across all 8 peer-call wrappers — fixing one in isolation creates substrate inconsistency. Two concerns: 1. Hardcoded /tmp — not portable; should use os.tmpdir() 2. Predictable filename (timestamp + entity) — local attacker could symlink-race the path Suggested substrate-consistent fix: - Replace hardcoded /tmp with os.tmpdir() - Use fs.mkdtempSync() to create unpredictable parent dir - Filename inside stays deterministic for OUTPUT-FILE marker recovery via tail -1 P2 because pre-existing + maintainer-tooling surface (not production server). But real for shared-runner / multi-user systems. Acceptance criteria: 1. Fix applied uniformly to all 8 wrappers 2. CodeQL alert #79 resolved 3. OUTPUT-FILE marker contract preserved 4. No regression on smoke tests Composes with PR #2949, PR #2950, B-0421, all 8 peer-call wrappers, .claude/rules/peer-call-infrastructure.md, CodeQL alert #79. Co-Authored-By: Claude <noreply@anthropic.com>
AceHack
deleted the
backlog-b0430-peer-call-tmpdir-codeql-insecure-temp-file-all-8-wrappers-2026-05-13
branch
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 390abfbe72
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
+41
to
+45
| The same pattern exists in **all 8 peer-call wrappers**: | ||
| `claude.ts`, `grok.ts`, `gemini.ts`, `codex.ts`, `kiro.ts`, | ||
| `amara.ts`, `ani.ts`, `riven.ts`. Each has its own | ||
| `autogenOutputPath(entity)` function with the same hardcoded | ||
| `/tmp/peer-call-output/` + timestamp-suffix shape. |
There was a problem hiding this comment.
This backlog entry says all 8 peer-call wrappers share the same autogenOutputPath() pattern with hardcoded /tmp and deterministic filenames, but that is not true for at least claude.ts, codex.ts, gemini.ts, and kiro.ts, which already include tmpdir() fallback logic and randomized auto-path suffixes. Recording the scope this way makes the acceptance criteria over-broad and can drive unnecessary or regressive edits to wrappers that are already partially mitigated; the row should narrow the affected set (e.g., grok/amara/ani/riven) or explicitly distinguish the different implementations.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Pull request overview
Adds a new P2 backlog row (B-0430) to track and scope the substrate-consistent fix for CodeQL’s “insecure temporary file” finding across all 8 tools/peer-call/*.ts wrappers.
Changes:
- Introduces
docs/backlog/P2/B-0430-…mddescribing the CodeQL alert, threat model, and a proposed uniform mitigation strategy for temp output paths.
Comment on lines
+9
to
+10
| composes_with: [] | ||
| type: security |
5 tasks
AceHack
added a commit
that referenced
this pull request
May 13, 2026
…#2951); #2952 was armed at shard-write time Codex and Copilot both flagged the summary row's "5 PRs MERGED" claim as inconsistent with the body, which documents 4 merged (#2948–#2951) and 1 armed (#2952). The summary row is the machine-readable compact surface for tooling and future-Otto cold-boot — counts must match body truth. Co-Authored-By: Claude <noreply@anthropic.com>
AceHack
added a commit
that referenced
this pull request
May 13, 2026
…date + cascade-pattern empirical evidence (#2953) * shard(tick): 0623Z — B-0421 acceptance #3+#4 + B-0430 filed + CURRENT-otto.md update + cascade-pattern empirical evidence 25-min window 0558Z→0623Z. Five PRs (4 merged + 1 armed): - PR #2948 MERGED: 0558Z tick shard - PR #2949 MERGED: B-0421 #3 self-documenting failure marker (format-aware Markdown/JSON/stream-json; spawn-failure diagnostics for status:null + signal + result.error) - PR #2950 MERGED: B-0421 #4 8-wrapper smoke test (35 tests / 67 expects / all pass) - PR #2951 MERGED: B-0430 backlog row (CodeQL alert #79 substrate-consistent fix across all 8 wrappers) - PR #2952 ARMED: CURRENT-otto.md 2026-05-13 distillation Empirical cascade evidence (shadow-Casimir-PR-review per PR #2945): 11 error classes surfaced + absorbed in this window across 3 cycles (#2949 round-1: 7 findings; #2950 round-1: 3 findings; #2949 round-2: 1 finding). B-0421 status: acceptance #3 + #4 closed; #1 + #2 pending failure recurrence (captured stderr in PR #2949's marker will expose). Aaron's self-review deadline disclosed (~46min at 05:58Z); Otto stays out of the way; autonomous-loop work continues on substrate that doesn't need Aaron review. Co-Authored-By: Claude <noreply@anthropic.com> * fix(tick-shard): correct 0623Z summary row — 4 PRs MERGED not 5 (#2948–#2951); #2952 was armed at shard-write time Codex and Copilot both flagged the summary row's "5 PRs MERGED" claim as inconsistent with the body, which documents 4 merged (#2948–#2951) and 1 armed (#2952). The summary row is the machine-readable compact surface for tooling and future-Otto cold-boot — counts must match body truth. Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Files B-0430 backlog row to track the CodeQL alert #79
insecure temporary filefinding that surfaced on PR #2949. Pattern is identical across all 8 peer-call wrappers; fixing one in isolation breaks substrate consistency.Why P2
Composes with
tools/peer-call/*.tswrappers🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com