From 2b9ce7fa734018990b6d08cb2cac4324175a5b58 Mon Sep 17 00:00:00 2001 From: marcusquinn <6428977+marcusquinn@users.noreply.github.com> Date: Tue, 3 Feb 2026 01:57:58 +0000 Subject: [PATCH 1/2] docs: add security follow-up tasks and plans --- TODO.md | 5 +++ todo/PLANS.md | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 100 insertions(+), 1 deletion(-) diff --git a/TODO.md b/TODO.md index 20cbf6b27..bdbf9135f 100644 --- a/TODO.md +++ b/TODO.md @@ -52,6 +52,11 @@ Tasks with no open blockers - ready to work on. Use `/ready` to refresh this lis ## Backlog +- [ ] t104 Install script integrity hardening (replace curl|sh with verified downloads) #security #supply-chain #plan → [todo/PLANS.md#2026-02-03-install-script-integrity-hardening] ~4h (ai:2h test:1h read:1h) logged:2026-02-03 +- [ ] t105 Remove eval in ampcode-cli.sh (use arrays + whitelist formats) #security #shell ~1h (ai:45m test:15m) logged:2026-02-03 +- [ ] t106 Replace eval in system-cleanup.sh find command construction with safe args #security #shell ~1h (ai:45m test:15m) logged:2026-02-03 +- [ ] t107 Avoid eval-based export in credential-helper.sh; use safe output/quoting #security #shell ~1h (ai:45m test:15m) logged:2026-02-03 +- [ ] t108 Dashboard token storage hardening (avoid localStorage; add reset/clear flow) #security #dashboard #plan → [todo/PLANS.md#2026-02-03-dashboard-token-storage-hardening] ~3h (ai:1.5h test:1h read:30m) logged:2026-02-03 - [ ] t082 Fix version sync inconsistency (VERSION vs package.json/setup.sh/aidevops.sh) #bugfix ~15m (ai:10m test:5m) logged:2026-01-29 - Notes: Release commit bd0695c bumped VERSION to 2.92.1 but missed syncing package.json, setup.sh, aidevops.sh, sonar-project.properties, .claude-plugin/marketplace.json. Either fix manually or ensure version-manager.sh is used for all releases. - [ ] t068 Multi-Agent Orchestration & Token Efficiency #plan → [todo/PLANS.md#2026-01-23-multi-agent-orchestration--token-efficiency] ~5d (ai:3d test:1d read:1d) logged:2026-01-23 started:2026-01-23T00:00Z diff --git a/todo/PLANS.md b/todo/PLANS.md index 6bf00dd46..4a55e94f7 100644 --- a/todo/PLANS.md +++ b/todo/PLANS.md @@ -21,6 +21,98 @@ Each plan includes: ## Active Plans +### [2026-02-03] Install Script Integrity Hardening + +**Status:** Planning +**Estimate:** ~4h (ai:2h test:1h read:1h) + + + +#### Purpose + +Eliminate `curl | sh` installs by downloading scripts to disk, verifying integrity (checksum or signature), and executing locally. This reduces supply-chain exposure in setup and helper scripts. + +#### Context from Discussion + +Targets include: +- `setup.sh` (multiple install blocks) +- `.agent/scripts/qlty-cli.sh` +- `.agent/scripts/coderabbit-cli.sh` +- `.agent/scripts/dev-browser-helper.sh` + +#### Progress + +- [ ] (2026-02-03) Phase 1: Inventory all `curl|sh` usages and vendor verification options ~45m +- [ ] (2026-02-03) Phase 2: Replace with download → verify → execute flow ~2h +- [ ] (2026-02-03) Phase 3: Add fallback behavior and clear error messages ~45m +- [ ] (2026-02-03) Phase 4: Update docs/tests and verify behavior ~30m + + + +#### Decision Log + +(To be populated during implementation) + + + +#### Surprises & Discoveries + +(To be populated during implementation) + + + +### [2026-02-03] Dashboard Token Storage Hardening + +**Status:** Planning +**Estimate:** ~3h (ai:1.5h test:1h read:30m) + + + +#### Purpose + +Replace persistent `localStorage` token usage with session/memory-based storage and add a clear/reset flow to reduce XSS exposure and leaked tokens on shared machines. + +#### Context from Discussion + +Current usage persists `dashboardToken` in `localStorage` in the MCP dashboard UI. Update to session-scoped storage and ensure logout/reset clears state. + +#### Progress + +- [ ] (2026-02-03) Phase 1: Trace token flow and identify all storage/read paths ~45m +- [ ] (2026-02-03) Phase 2: Migrate to session/memory storage and update auth flow ~1.5h +- [ ] (2026-02-03) Phase 3: Add reset/clear UI flow and verify behavior ~45m + + + +#### Decision Log + +(To be populated during implementation) + + + +#### Surprises & Discoveries + +(To be populated during implementation) + + + ### [2025-12-21] aidevops-opencode Plugin **Status:** Planning @@ -800,7 +892,9 @@ disc001,p009,Implementation faster than estimated,All core functionality already p009,beads-sync-helper.sh; todo-ready.sh; beads.md subagent; blocked-by/blocks syntax; hierarchical IDs; TOON schema; setup.sh integration; AGENTS.md docs,Robust sync script; comprehensive docs; seamless integration,Add optional UI installation to setup.sh,2d,1.5d,-25,1 --> - #### Purpose @@ -50,10 +50,10 @@ Targets include: - [ ] (2026-02-03) Phase 4: Update docs/tests and verify behavior ~30m #### Decision Log @@ -76,7 +76,7 @@ m067,p013,Phase 4: Update docs/tests and verify behavior,30m,,2026-02-03T00:00Z, **Estimate:** ~3h (ai:1.5h test:1h read:30m) #### Purpose @@ -94,9 +94,9 @@ Current usage persists `dashboardToken` in `localStorage` in the MCP dashboard U - [ ] (2026-02-03) Phase 3: Add reset/clear UI flow and verify behavior ~45m #### Decision Log @@ -892,9 +892,9 @@ disc001,p009,Implementation faster than estimated,All core functionality already p009,beads-sync-helper.sh; todo-ready.sh; beads.md subagent; blocked-by/blocks syntax; hierarchical IDs; TOON schema; setup.sh integration; AGENTS.md docs,Robust sync script; comprehensive docs; seamless integration,Add optional UI installation to setup.sh,2d,1.5d,-25,1 --> -