fix(injection-points): address 3 Copilot findings on PR #5601 — KDF chain understated, backlog paths, name attribution #5608
…hain understatement, backlog cross-ref paths, name attribution

Copilot caught 3 findings on PR #5601 (merged at 976b352) before the auto-merge fired. All 3 confirmed via direct inspection.

Finding 1 (line 116, KDF chain understated):

Catalog said: "AES-256-GCM with key derived from HKDF(USB-UUID || operator-passphrase, salt, info)"

Actual code (tools/installer/zeta-creds-crypto.ts:80-125):

Layer 1: scrypt(passphrase, salt) → stretched 32 bytes (memory-hard KDF; OWASP 2026 N=2^17 r=8 p=1)
Layer 2: HKDF-SHA256(usbUuid || "|" || stretched, salt, info="zeta-b0852-cred-persistence-v1") → 32-byte AES-256 key

The scrypt layer was added per 2026-05-27 security-review HIGH finding (HKDF alone assumes high-entropy IKM which passphrases violate). Catalog now describes the two-layer chain accurately + cites the authoritative implementation file.

Finding 2 (line 43 + line 58, backlog cross-references too generic):

Catalog had:
[B-0789](../docs/backlog/)
[B-0792](../docs/backlog/)

Fixed to:
[B-0789](../docs/backlog/P1/B-0789-iter4-ssh-key-and-hashedpassword-substrate-for-cluster-bringup-2026-05-26.md)
[B-0792](../docs/backlog/P1/B-0792-iter5-wifi-credentials-injection-via-usb-esp-for-zero-typing-cluster-bringup-without-ethernet-load-bearing-for-homelab-persona-aaron-2026-05-26.md)

Consistent with fully-resolved paths used for B-0852/B-0859/B-0833 elsewhere in the doc.

Finding 3 (line 179, name attribution on non-history-surface doc):

Catalog had: "Per Aaron 2026-05-27 in B-0852:" (direct first-name attribution on non-history-surface doc)

Fixed to: "Per the operator 2026-05-27 in B-0852:" Per the name-attribution convention.

Line 10 verbatim quote ("Aaron's Mac keychain") preserved verbatim because it IS the source quote from zeta-install.sh:392 — verbatim source quotes must stay verbatim per substrate-honest discipline.

Per .claude/rules/blocked-green-ci-investigate-threads.md verify-before-fix: all 3 findings confirmed via direct line-level inspection (awk -v N=<line>) + crypto file content + backlog file inventory.

Copilot thread IDs to resolve after merge:
- PRRT_kwDOSF9kNM6FNMA4 (line 116, KDF chain)
- PRRT_kwDOSF9kNM6FNMBT (line 58, backlog paths)
- PRRT_kwDOSF9kNM6FNMBo (line 179, name attribution)

Per operator "pay time now while things are simple to avoid sprawling complexity later" — fix-fwd before substrate accretes.

Co-Authored-By: Claude <noreply@anthropic.com>
Pull request overview
Fix-forward documentation update to the full-ai-cluster/INJECTION-POINTS.md install-time injection-point catalog to align it with the current credential-persistence crypto implementation and tighten cross-references.
Changes:
- Replaced the KDF description for the encrypted cred-blob to match the actual scrypt → HKDF chain used in tools/installer/zeta-creds-crypto.ts.
- Updated backlog links for B-0789 and B-0792 to point to the specific per-row backlog files (instead of the backlog directory).
- Removed named attribution in body prose (“Per the operator …” instead of a personal name).
Repository rule violations found
…B-boot + DevOps-objectives-as-levels (NOT hand-crafted video-game levels) (#5611)

* backlog(B-0865): Zeta instantiation of ARC-AGI-3-style benchmark — USB-boot starting state + DevOps objectives as levels (NOT hand-crafted video-game levels)

Operator directive 2026-05-27 verbatim: "search ARC3 AGI internet and substrate we are going to create our own version, boot our USB and have the agents make it through devops objectives instead of hand crafted video game levels."

ARC-AGI-3 substrate inventory (per WebSearch 2026-05-27): François Chollet's interactive agentic-intelligence benchmark, launched 2026, $2M prize pool, human 100% / frontier AI <1% (GPT-5.4 + Claude Opus 4.6 Max both 0.3% as of March 2026). First interactive ARC variant where agents must explore novel turn-based environments, infer goals without instructions, build internal models, plan action sequences.

B-0865 extends B-0761 (Zeta-as-ARC-AGI-style-benchmark-substrate) into the SPECIFIC operational instantiation:
- Starting state: freshly USB-booted Zeta cluster (1/2/3 nodes per tier)
- Level catalog: declarative manifest of DevOps objectives organized in 6 tiers (Bootstrap / Multi-node / Resilience / Scale+GitOps / Adversarial / Identity+self-recovery)
- Agent runtime: candidate AI agents act via kubectl / SSH / GitOps PRs / hardware-level access
- Judge: deterministic acceptance-criteria evaluator + scoring rubric
- Recovery / reset: boot-off-USB-again via B-0859 3-mode substrate

Composes with today's substrate-engineering cascade:
- PR #5581/#5582/#5586/#5589/#5594/#5599: streams-substrate cascade
- PR #5601: INJECTION-POINTS.md catalog
- PR #5606: B-0857.2 install.sh universal routing
- PR #5608: catalog fix-fwd
- B-0852: cred-persistence (cheap reset; identity preservation)
- B-0857: install.sh universal entry (USB-boot reset reproducibility)
- B-0859: 3-mode USB-boot recovery substrate (the benchmark's reset)
- B-0864: streams-substrate (agent-action-protocol scope)

Substrate-honest framing per .claude/rules/verify-existing-substrate-before-authoring.md: B-0761 is the parent (general claim); B-0865 mints NEW substrate covering the specific operational instantiation (USB-boot + DevOps-objectives + our-own-ARC3-version). Composition explicit; parent row preserved unchanged.

Distinction from canonical ARC-AGI-3:
- Canonical: hand-crafted abstract grid puzzles; Core Knowledge priors only; tests fluid intelligence
- Zeta B-0865: real DevOps substrate; maximal knowledge dependence (k3s + NixOS + GitOps + Longhorn); tests operational-substrate competence

COMPLEMENTARY not competitive — both valid; different scopes; both test efficient exploration + goal inference + planning.

P2 + GATED behind cluster-stability per operator's "this is critical we get this usb right not fast fast comes after our self healing usb is stable where we can have a stable 3 node cluster and iterate without worrying about the cluster going down or having to recreate all 3 nodes from scratch constantly." The prerequisite IS the stable substrate the benchmark runs on.

12 sub-rows queued for future decomposition (B-0865.1 through B-0865.12) covering: level-catalog manifest schema; judge runtime; 6 tiers of levels; agent-runtime substrate; scoring + leaderboard; public-surface naming review; B-0761 composition cross-link.

Co-Authored-By: Claude <noreply@anthropic.com>

* backlog(B-0865): append operator follow-up sharpening — leaderboard substrate + HA-k8s+observability+helm/argocd playing-field scope + AGI-vs-video-games normative positioning

Operator 2026-05-27 verbatim follow-up: "This could give us a leaderboard to compete against with Zeta the usb is the playing fields HA k8s cluster with observablity and a bunch of helm/argocd apps, way better test of AGI as compared to video games."

Three substantive extensions to B-0865:

EXTENSION 1 — Leaderboard substrate
Zeta isn't just the test environment — it's the OPPONENT + the platform. 4 competition modes named: cross-agent, vs-human-operator, vs-prior-self, vs-Zeta-autonomy-ceiling. Sharpens sub-row B-0865.10 (scoring + leaderboard) to support explicit competition-against-Zeta mode.

EXTENSION 2 — Playing-field substrate-engineering scope
Names the three load-bearing components: HA k8s cluster (3-node quorum target per B-0859) + observability (Prometheus/Grafana/logs/traces) + helm/ArgoCD apps. Sharpens sub-row B-0865.1 (level-catalog manifest schema) to encode these as named substrate-types.

EXTENSION 3 — AGI benchmark normative positioning
5-row comparison table: video-game-shaped tests (incl. canonical ARC abstract puzzles) vs DevOps-objectives-on-real-HA-k8s-cluster across real-world transfer / substrate realism / gaming-the-benchmark risk / operational competence measurement / substrate ecosystem alignment. Substrate-engineering claim: AGI tested in this substrate is ACTUAL AGI at operational scope, not narrow-puzzle-intelligence dressed up.

Sub-row sharpenings applied:
- B-0865.1: manifest encodes HA-shape + observability-state + helm/argocd-state
- B-0865.10: leaderboard supports 4 competition modes
- New candidate B-0865.13: public positioning + comparison-substrate with canonical ARC-AGI-3 + other agentic benchmarks

Composes with .claude/rules/edge-defining-work-not-speculation.md — building this benchmark IS edge-defining work; nothing of this shape exists publicly.

Carved sentence (operator 2026-05-27 keeper): "The USB is the playing field, HA k8s cluster with observability and a bunch of helm/argocd apps, way better test of AGI as compared to video games."

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Lior <lior@zeta.dev>
Co-authored-by: Claude <noreply@anthropic.com>
Superseded by #5621 — same pattern as #5620 superseding #5606. PR #5621 addresses both Copilot findings via restructure (table cell simplified; KDF mechanism + parameters in a sub-section below with code blocks instead of inline-code-in-table-cell that has the markdown-pipe-escaping issue) + corrects entropy wording to substrate-honest work-factor naming per OWASP + the 2026-05-27 security-review HIGH finding rationale already documented in tools/installer/zeta-creds-crypto.ts.
…-entropy wording (supersedes #5608) (#5621)

* fix(injection-points): KDF chain documentation — restructure for accurate markdown rendering + work-factor-not-entropy wording (addresses Copilot findings on PR #5608; supersedes #5608)

Supersedes PR #5608. Two valid Copilot findings on that PR:

Finding 1 (markdown rendering): My earlier fix put backslash-escaped pipes (\|\| and "\|") inside inline code spans in a table cell. Markdown code spans render backslashes literally, so readers saw "\|\|" / "\"\|\"" instead of intended "||" / "|".

Finding 2 (entropy wording): "stretches low-entropy passphrase into high-entropy intermediate" is misleading — scrypt does NOT increase the underlying entropy of a weak passphrase (in information-theoretic terms, a weak passphrase remains weak). What scrypt provides is a tunable work-factor cost per guess, making brute-force memory-prohibitively expensive on GPU/ASIC.

Both addressed by restructuring:
- Table cell at line 116 simplified to: "AES-256-GCM; key derived via 2-layer scrypt → HKDF chain (full mechanism + parameters below)" — no pipe-in-inline-code issue
- New "KDF chain detail (mechanism + parameters)" sub-section below the table with full mechanism in code blocks (markdown code blocks don't have the pipe-escaping issue inline code in table cells has)
- Wording corrected: scrypt provides "tunable work-factor cost per guess" + "makes brute-force memory-prohibitively expensive on GPU/ASIC" + "scrypt is the layer that makes the IKM cryptographically suitable for HKDF input" (per OWASP guidance; per the 2026-05-27 security-review HIGH finding rationale documented in the zeta-creds-crypto.ts source)

LAYER 1 — scrypt:
stretched = scrypt(passphrase, salt, length=32, N=2^17, r=8, p=1, maxmem=256MB)

LAYER 2 — HKDF-SHA256:
ikm = concat(usbUuid_utf8, "|", stretched)
key = HKDF-SHA256(ikm, salt, info="zeta-b0852-cred-persistence-v1", length=32)

Operator-named threat preserved verbatim: "we can put a key on the usb too if wnated tied to the uuid so it can't be copied to uuid" — the HKDF UUID-binding defense.

Why supersedes (not fix-fwd): PR #5608 used force-push-restricted branch path; new-branch path is policy-respected alternative. Pattern matches PR #5620 superseding PR #5606.

Copilot thread IDs to resolve when closing #5608:
- PRRT_kwDOSF9kNM6FNUvq (line 116, backslash escaping)
- PRRT_kwDOSF9kNM6FNUwj (line 116, entropy wording)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(injection-points): address 2 Copilot findings on PR #5621 — replace brittle line-range reference with symbol+constants reference; cite OWASP cheat sheet for scrypt parameters + soften operational-cost claim

Copilot caught 2 P1 findings on PR #5621 (the supersedes-#5608 fix). Both valid.

Finding 1 (P1, line 124, brittle line reference):

Was: `tools/installer/zeta-creds-crypto.ts:80-125` (line numbers drift; doesn't cover SCRYPT_N + SCRYPT_MAXMEM constants declared higher in the file)

Fixed: `tools/installer/zeta-creds-crypto.ts` (the `deriveKey` function + the `SCRYPT_*` + `KEY_LEN` + `SALT_LEN` + `HKDF_INFO` constants declared near the top of the file) — symbol-based + constants-named; survives line-number drift.

Finding 2 (P1, line 134, uncited operational + standard claims):

Was: "OWASP 2026 recommended parameters: N=2^17, r=8, p=1." + "~1-2 seconds of CPU per derivation" (no citation; generalized across-machines)

Fixed:
- Concrete citation: [OWASP Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#scrypt) at parameter-selection date 2026-05-27
- Bump procedure named: visit cheat sheet at next security-review cadence; update both the cheat-sheet-citation date here AND the SCRYPT_N/SCRYPT_R/SCRYPT_P constants in zeta-creds-crypto.ts
- Operational cost claim softened: "per the source-code comment's empirical timing context, on the maintainer's modern CPU at parameter-selection time, ~1-2 seconds of CPU per derivation" + "per-machine operational cost will vary with CPU + memory bandwidth" — substrate-honest; no across-machines generalization.

Per .claude/rules/blocked-green-ci-investigate-threads.md verify-before-fix: both findings inspected via direct line-level reading; both confirmed real + fixed.

Copilot thread IDs to resolve after merge:
- PRRT_kwDOSF9kNM6FNhdV (line 124, brittle line reference)
- PRRT_kwDOSF9kNM6FNhd3 (line 134, uncited OWASP + operational cost)

Pre-existing MD060 IDE warnings (compact table column-style without spaces around pipes) NOT addressed in this commit — same warnings on all prior-merged commits to this file; not CI-blocking.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Lior <lior@zeta.dev>
Co-authored-by: Claude <noreply@anthropic.com>
Summary
Fix-fwd for PR #5601 (merged `976b3521a`). Copilot caught 3 real findings in the just-landed catalog; all 3 confirmed via direct inspection per .claude/rules/blocked-green-ci-investigate-threads.md verify-before-fix discipline.
Findings + fixes
1. KDF chain understated (line 116)
Was: "AES-256-GCM with key derived from `HKDF(USB-UUID || operator-passphrase, salt, info)`"
Actual (per `tools/installer/zeta-creds-crypto.ts:80-125`):
The scrypt layer was added per the 2026-05-27 security-review HIGH finding (HKDF alone assumes high-entropy IKM which passphrases violate). Catalog now describes the two-layer chain accurately + cites the authoritative implementation file.
2. Backlog cross-references too generic (line 43 + line 58)
Was: `B-0789` and `B-0792`
Fixed: full paths matching the convention used elsewhere in the doc for B-0852/B-0859/B-0833.
3. Name attribution on non-history-surface doc (line 179)
Was: "Per Aaron 2026-05-27 in B-0852:"
Fixed: "Per the operator 2026-05-27 in B-0852:" per the name-attribution convention.
Note: line 10 verbatim quote ("Aaron's Mac keychain") preserved verbatim because it IS the source quote from zeta-install.sh:392 — verbatim source quotes must stay verbatim per substrate-honest discipline. Copilot's finding correctly distinguished body prose (line 179, fixed) from source quote (line 10, preserved).
Copilot thread IDs to resolve after merge
Test plan
Per operator: "pay time now while things are simple to avoid sprawling complexity later" — fix-fwd before substrate accretes around the inaccurate KDF description.
🤖 Generated with Claude Code
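
The two-layer chain spelled out in the commit messages above (scrypt, then HKDF-SHA256 over `usbUuid || "|" || stretched`, feeding AES-256-GCM), as an added TypeScript example on Node's built-in `crypto`; it is not the code in `tools/installer/zeta-creds-crypto.ts`. The function names, the 16-byte salt, the 12-byte nonce and the blob layout are assumptions; the scrypt parameters and the HKDF `info` string are the ones quoted on this page.

```typescript
import { scryptSync, hkdfSync, createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// scrypt parameters and HKDF info string as quoted on this page.
const SCRYPT_COST = { N: 2 ** 17, r: 8, p: 1, maxmem: 256 * 1024 * 1024 };
const INFO = "zeta-b0852-cred-persistence-v1";
const KEY_BYTES = 32;
const SALT_BYTES = 16;  // assumption: the page does not state SALT_LEN
const NONCE_BYTES = 12; // assumption: conventional 96-bit GCM nonce

// Layer 1: scrypt puts a memory-hard cost on every passphrase guess
//          (it does not add entropy to a weak passphrase).
// Layer 2: HKDF-SHA256 mixes in the USB UUID, so the key only exists on that stick.
// deriveCredKey is a hypothetical name, not the project's deriveKey.
function deriveCredKey(passphrase: string, usbUuid: string, salt: Buffer, cost = SCRYPT_COST): Buffer {
  const stretched = scryptSync(passphrase, salt, KEY_BYTES, cost);
  const ikm = Buffer.concat([Buffer.from(usbUuid, "utf8"), Buffer.from("|", "utf8"), stretched]);
  return Buffer.from(hkdfSync("sha256", ikm, salt, INFO, KEY_BYTES));
}

// Assumed blob layout: everything except the key is stored next to the ciphertext.
interface SealedBlob { salt: Buffer; nonce: Buffer; tag: Buffer; ciphertext: Buffer }

function sealCreds(plaintext: string, passphrase: string, usbUuid: string, cost = SCRYPT_COST): SealedBlob {
  const salt = randomBytes(SALT_BYTES);   // fresh salt per blob, shared by both layers
  const nonce = randomBytes(NONCE_BYTES); // never reuse a nonce under the same key
  const key = deriveCredKey(passphrase, usbUuid, salt, cost);
  const cipher = createCipheriv("aes-256-gcm", key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, nonce, tag: cipher.getAuthTag(), ciphertext };
}

// Returns null when the passphrase or the USB UUID is wrong: the derived key
// differs, so the GCM tag check in final() fails before any plaintext is trusted.
function openCreds(blob: SealedBlob, passphrase: string, usbUuid: string, cost = SCRYPT_COST): string | null {
  const key = deriveCredKey(passphrase, usbUuid, blob.salt, cost);
  const decipher = createDecipheriv("aes-256-gcm", key, blob.nonce);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}
```

A blob copied to a stick with a different UUID fails the tag check even with the correct passphrase, which is the UUID binding the commit message attributes to the HKDF layer.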