From 09a1e607134d791dcbe922ce6035a54e38993c5b Mon Sep 17 00:00:00 2001 From: Aaron Stainback Date: Thu, 30 Apr 2026 02:04:34 -0400 Subject: [PATCH 1/3] =?UTF-8?q?backlog(B-0107):=20add=20P3=20row=20?= =?UTF-8?q?=E2=80=94=20CodeQL=20dismiss=20pattern=20for=20peer-call=20sibl?= =?UTF-8?q?ings?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Surfaced during slice-15 PR #896 review on 2026-04-30: CodeQL flagged `js/indirect-command-line-injection` (medium severity) on `runContextCmd` in tools/peer-call/grok.ts. By-design — the script contract is 'user explicitly supplies a shell command via --context-cmd'; same trust boundary as bash original's `eval`. Resolution on #896 was per-PR dismissal via gh api code-scanning/ alerts/N. The two sibling ports (gemini.sh + codex.sh) will hit the same alert when ported. This row tracks the structural fix: add a path-scoped query-filter to .github/codeql/codeql-config.yml so all 3 peer-call TS ports share one acknowledgment. Composes with B-0086 (TS+Bun migration) and PR #896. Effort S. P3 — not blocking; per-PR dismissal works as fallback. --- ...ql-peer-call-dismiss-pattern-2026-04-30.md | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md diff --git a/docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md b/docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md new file mode 100644 index 000000000..e3b122fa4 --- /dev/null +++ b/docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md @@ -0,0 +1,74 @@ +--- +id: B-0107 +priority: P3 +status: open +title: CodeQL `js/indirect-command-line-injection` dismissal pattern for peer-call siblings (gemini.ts, codex.ts) +tier: factory-hygiene +effort: S +ask: surfaced during slice-15 PR #896 review on 2026-04-30 +created: 2026-04-30 +last_updated: 2026-04-30 +composes_with: [B-0086] +tags: [ci-codeql, peer-call, by-design-suppression, missing-mechanism] +--- + +# CodeQL by-design dismissal pattern for peer-call siblings + +When porting `tools/peer-call/grok.sh` to TS in slice 15 (PR #896), +CodeQL flagged `js/indirect-command-line-injection` (medium severity) +on the `runContextCmd` shell-out. This is **by-design** — the script +contract is "user explicitly supplies a shell command via +`--context-cmd`"; same trust boundary as the bash original's `eval`. + +Resolution on PR #896: dismiss the alert via API (`gh api code-scanning/ +alerts/N -X PATCH -f state=dismissed -f "dismissed_reason=won't fix"`) +with a 280-char justification. + +The two sibling ports — `tools/peer-call/gemini.sh` and +`tools/peer-call/codex.sh` — will hit the same alert when ported +(slices 16 + 17 candidates) since they have the same `runContextCmd` +pattern. + +## Two options + +**A — Per-PR dismissal (status quo)** +- Each sibling-port PR triggers the alert + needs the same + dismissal API call. +- Cost: ~30 seconds per PR. +- Pro: explicit per-instance acknowledgment. +- Con: repeated boilerplate; reviewer fatigue; drift risk if a + future sibling port subtly changes the shape. + +**B — Structural exclusion in `.github/codeql/codeql-config.yml`** +- One-time exclusion of the rule for `tools/peer-call/*.ts`. +- Cost: ~1 PR (small YAML change). +- Pro: drift-resistant; no per-PR work; consistent across siblings. +- Con: blanket suppression — if a real injection bug landed in a + future peer-call refactor, CodeQL wouldn't catch it. + +## Recommendation + +Option B with a tight path scope (`tools/peer-call/*.ts`) and a +comment in the YAML referencing this row. The `runContextCmd` +helper has a stable shape; if it ever changes form (e.g., to use +`shell-quote` per CodeQL's recommendation), the exclusion can be +removed in the same PR. + +## Acceptance criteria + +- `.github/codeql/codeql-config.yml` adds a `query-filters` exclusion + for `js/indirect-command-line-injection` on path + `tools/peer-call/*.ts`. +- Comment in YAML cites this row + slice 15 + by-design justification. +- New PR for slice 16 (gemini port) does NOT raise the alert. + +## Composes with + +- **B-0086** — TS+Bun migration trajectory. +- **PR #896** — slice 15 (peer-call/grok) where the dismissal pattern + first surfaced. + +## Effort + +**S (small)** — ~10 lines of YAML + commit + verify on next sibling +PR. From 79766aedcaa2e76e543badd0b7dc15153d59c119 Mon Sep 17 00:00:00 2001 From: Aaron Stainback Date: Thu, 30 Apr 2026 02:07:01 -0400 Subject: [PATCH 2/3] =?UTF-8?q?fix(B-0107):=20MD032=20=E2=80=94=20blank=20?= =?UTF-8?q?lines=20around=20lists=20under=20bold=20headings?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md b/docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md index e3b122fa4..f91a17b0b 100644 --- a/docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md +++ b/docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md @@ -32,6 +32,7 @@ pattern. ## Two options **A — Per-PR dismissal (status quo)** + - Each sibling-port PR triggers the alert + needs the same dismissal API call. - Cost: ~30 seconds per PR. @@ -40,6 +41,7 @@ pattern. future sibling port subtly changes the shape. **B — Structural exclusion in `.github/codeql/codeql-config.yml`** + - One-time exclusion of the rule for `tools/peer-call/*.ts`. - Cost: ~1 PR (small YAML change). - Pro: drift-resistant; no per-PR work; consistent across siblings. From 28e513dbfee785ef983d161517f092f8d3323518 Mon Sep 17 00:00:00 2001 From: Aaron Stainback Date: Thu, 30 Apr 2026 02:10:19 -0400 Subject: [PATCH 3/3] =?UTF-8?q?review(B-0107):=20fix=20Copilot=20threads?= =?UTF-8?q?=20=E2=80=94=20broken=20inline-code-span=20+=20acceptance-crite?= =?UTF-8?q?ria=20specificity?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two Copilot threads on PR #897: 1. Broken inline-code span: gh-api command was wrapped in backticks but split across two lines, breaking markdown rendering. Switched to a fenced bash code block with line-continuations + placeholder for alert ID. 2. Acceptance-criteria specificity: original said 'query-filters' exclusion but path-scoping a single rule is non-trivial in CodeQL config. Reframed to require verifying the syntax during implementation (CodeQL supports query-filters rule-scoped AND paths-ignore path-scoped; per-rule + per-path needs combining them or a custom suite). Added link to GitHub docs. --- ...ql-peer-call-dismiss-pattern-2026-04-30.md | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md b/docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md index f91a17b0b..929b76bcb 100644 --- a/docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md +++ b/docs/backlog/P3/B-0107-codeql-peer-call-dismiss-pattern-2026-04-30.md @@ -20,9 +20,16 @@ on the `runContextCmd` shell-out. This is **by-design** — the script contract is "user explicitly supplies a shell command via `--context-cmd`"; same trust boundary as the bash original's `eval`. -Resolution on PR #896: dismiss the alert via API (`gh api code-scanning/ -alerts/N -X PATCH -f state=dismissed -f "dismissed_reason=won't fix"`) -with a 280-char justification. +Resolution on PR #896: dismiss the alert via API with a 280-char +justification: + +```bash +gh api repos/Lucent-Financial-Group/Zeta/code-scanning/alerts/ \ + -X PATCH \ + -f state=dismissed \ + -f "dismissed_reason=won't fix" \ + -f "dismissed_comment=<280-char justification>" +``` The two sibling ports — `tools/peer-call/gemini.sh` and `tools/peer-call/codex.sh` — will hit the same alert when ported @@ -58,9 +65,14 @@ removed in the same PR. ## Acceptance criteria -- `.github/codeql/codeql-config.yml` adds a `query-filters` exclusion - for `js/indirect-command-line-injection` on path - `tools/peer-call/*.ts`. +- `.github/codeql/codeql-config.yml` adds a CodeQL filter that + scopes `js/indirect-command-line-injection` to exclude + `tools/peer-call/*.ts`. The exact syntax should be verified + during implementation: CodeQL supports `query-filters` (rule- + scoped) and `paths-ignore` (path-scoped); per-rule + per-path + scoping requires combining them or using a custom suite — see + CodeQL docs at + before committing the form. - Comment in YAML cites this row + slice 15 + by-design justification. - New PR for slice 16 (gemini port) does NOT raise the alert.