Merged
9 changes: 9 additions & 0 deletions .agent/scripts/full-loop-helper.sh
Expand Up @@ -603,6 +603,15 @@ cmd_start() {
cmd_run_foreground() {
local prompt="$1"
run_task_phase "$prompt"

# Auto-advance when task phase completes in v2.
# Legacy mode leaves a Ralph state file; in that case we must wait for manual completion.
if [[ -f ".agent/loop-state/ralph-loop.local.state" ]] || [[ -f ".claude/ralph-loop.local.state" ]]; then
print_warning "Task loop still active (legacy mode). Run: full-loop-helper.sh resume when complete."
return 0
fi

cmd_resume
return 0
}
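
Review bot: `cmd_resume` runs whenever no legacy state file is found, but the exit status of `run_task_phase "$prompt"` at the top of `cmd_run_foreground` is never checked in these lines, so unless the script runs under `set -e` (not visible here) a task phase that fails without leaving a state file still auto-advances. The unconditional `return 0` after `cmd_resume` also hides a failure in the resumed phases from the caller. Suggest `run_task_phase "$prompt" || return $?` before the legacy check, and ending the function with `cmd_resume; return $?`. The two state-file paths in the `if` are relative, so the legacy check also depends on the current working directory; resolve them against the project root or add a comment stating that assumption.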

12 changes: 11 additions & 1 deletion TODO.md
Expand Up @@ -52,6 +52,11 @@ Tasks with no open blockers - ready to work on. Use `/ready` to refresh this lis

## Backlog

- [ ] t104 Install script integrity hardening (replace curl|sh with verified downloads) #security #supply-chain #plan → [todo/PLANS.md#2026-02-03-install-script-integrity-hardening] ~4h (ai:2h test:1h read:1h) logged:2026-02-03
- [ ] t105 Remove eval in ampcode-cli.sh (use arrays + whitelist formats) #security #shell ~1h (ai:45m test:15m) logged:2026-02-03
- [ ] t106 Replace eval in system-cleanup.sh find command construction with safe args #security #shell ~1h (ai:45m test:15m) logged:2026-02-03
- [ ] t107 Avoid eval-based export in credential-helper.sh; use safe output/quoting #security #shell ~1h (ai:45m test:15m) logged:2026-02-03
- [ ] t108 Dashboard token storage hardening (avoid localStorage; add reset/clear flow) #security #dashboard #plan → [todo/PLANS.md#2026-02-03-dashboard-token-storage-hardening] ~3h (ai:1.5h test:1h read:30m) logged:2026-02-03
- [ ] t082 Fix version sync inconsistency (VERSION vs package.json/setup.sh/aidevops.sh) #bugfix ~15m (ai:10m test:5m) logged:2026-01-29
- Notes: Release commit bd0695c bumped VERSION to 2.92.1 but missed syncing package.json, setup.sh, aidevops.sh, sonar-project.properties, .claude-plugin/marketplace.json. Either fix manually or ensure version-manager.sh is used for all releases.
- [ ] t068 Multi-Agent Orchestration & Token Efficiency #plan → [todo/PLANS.md#2026-01-23-multi-agent-orchestration--token-efficiency] ~5d (ai:3d test:1d read:1d) logged:2026-01-23 started:2026-01-23T00:00Z
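
Review bot: t105, t106 and t107 name the script and the `eval` to remove but not what data reaches it, which is what decides how urgent each one is. A `Notes:` line like the one under t082, stating whether the evaluated string can contain user, agent or file-derived input, would let these be ordered against the rest of the backlog. t107's "safe output/quoting" is also open-ended for a credential helper; naming the intended mechanism in the entry would make the ~1h estimate checkable.
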
Expand Down Expand Up @@ -242,7 +247,12 @@ Tasks with no open blockers - ready to work on. Use `/ready` to refresh this lis
- [x] t067 Optimise OpenCode MCP loading with on-demand activation #opencode #performance #mcp ~4h (ai:2h test:1h read:1h) logged:2026-01-21 blocked-by:t056 started:2026-01-21T06:15Z completed:2026-01-21 actual:30m
- Notes: Implemented on-demand MCP loading pattern. Updated generate-opencode-agents.sh to sync MCP index on agent generation. Added MCP On-Demand Loading section to AGENTS.md. Pattern: MCPs disabled globally, enabled per-subagent via frontmatter, discoverable via mcp-index-helper.sh search.

<!--TOON:backlog[52]{id,desc,owner,tags,est,est_ai,est_test,logged,status,blocked_by,blocks,parent}:
<!--TOON:backlog[57]{id,desc,owner,tags,est,est_ai,est_test,logged,status,blocked_by,blocks,parent}:
t104,Install script integrity hardening (replace curl|sh with verified downloads),,security|supply-chain|plan,4h,2h,1h,2026-02-03T00:00Z,pending,,,
t105,Remove eval in ampcode-cli.sh (use arrays + whitelist formats),,security|shell,1h,45m,15m,2026-02-03T00:00Z,pending,,,
t106,Replace eval in system-cleanup.sh find command construction with safe args,,security|shell,1h,45m,15m,2026-02-03T00:00Z,pending,,,
t107,Avoid eval-based export in credential-helper.sh; use safe output/quoting,,security|shell,1h,45m,15m,2026-02-03T00:00Z,pending,,,
t108,Dashboard token storage hardening (avoid localStorage; add reset/clear flow),,security|dashboard|plan,3h,1.5h,1h,2026-02-03T00:00Z,pending,,,
t073,Document Extraction Subagent & Workflow,,plan|document-extraction|docling|extractthinker|presidio|pii|local-llm|privacy,3h,1h,2h,2026-01-25T01:00Z,pending,,,
t073.1,Implementation (all subagents + scripts),,document-extraction,1h,1h,,2026-01-25T01:00Z,pending,,,t073
t073.2,Integration Testing,,document-extraction|testing,2h,,2h,2026-01-25T01:00Z,pending,t073.1,,t073
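
Review bot: the `desc` value in the t104 row contains a literal `|` (`curl|sh`), and `|` is the separator inside the `tags` column of the same row (`security|supply-chain|plan`). If whatever reads these TOON rows splits on `|` before splitting on `,`, this row breaks; confirm the parser splits only the `tags` field, or write the description without the pipe character. The t107 and t108 `desc` values contain `;`, which other TOON blocks in this diff use as an in-field list separator, so they deserve the same check.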
96 changes: 95 additions & 1 deletion todo/PLANS.md
Expand Up @@ -21,6 +21,98 @@ Each plan includes:

## Active Plans

### [2026-02-03] Install Script Integrity Hardening

**Status:** Planning
**Estimate:** ~4h (ai:2h test:1h read:1h)

<!--TOON:plan{id,title,status,phase,total_phases,owner,tags,est,est_ai,est_test,est_read,logged,started}:
p016,Install Script Integrity Hardening,planning,0,4,,security|supply-chain|setup,4h,2h,1h,1h,2026-02-03T00:00Z,
-->

#### Purpose

Eliminate `curl | sh` installs by downloading scripts to disk, verifying integrity (checksum or signature), and executing locally. This reduces supply-chain exposure in setup and helper scripts.

#### Context from Discussion

Targets include:
- `setup.sh` (multiple install blocks)
- `.agent/scripts/qlty-cli.sh`
- `.agent/scripts/coderabbit-cli.sh`
- `.agent/scripts/dev-browser-helper.sh`

#### Progress

- [ ] (2026-02-03) Phase 1: Inventory all `curl|sh` usages and vendor verification options ~45m
- [ ] (2026-02-03) Phase 2: Replace with download → verify → execute flow ~2h
- [ ] (2026-02-03) Phase 3: Add fallback behavior and clear error messages ~45m
- [ ] (2026-02-03) Phase 4: Update docs/tests and verify behavior ~30m
Comment on lines +47 to +50

medium

The plan to replace curl | sh is a great security improvement. To make the plan even more robust, consider explicitly prioritizing cryptographic signature verification (e.g., GPG/PGP) over simple checksums where available. While checksums ensure integrity against download corruption, signatures also verify authenticity, protecting against a compromised server providing both a malicious script and a matching malicious checksum.

You could add this to Phase 1: Inventory all curl|sh usages and vendor verification options (preferring signatures over checksums).


<!--TOON:milestones[4]{id,plan_id,desc,est,actual,scheduled,completed,status}:
m064,p016,Phase 1: Inventory curl|sh usages and verification options,45m,,2026-02-03T00:00Z,,pending
m065,p016,Phase 2: Replace with download-verify-execute flow,2h,,2026-02-03T00:00Z,,pending
m066,p016,Phase 3: Add fallback behavior and error messages,45m,,2026-02-03T00:00Z,,pending
m067,p016,Phase 4: Update docs/tests and verify behavior,30m,,2026-02-03T00:00Z,,pending
-->

#### Decision Log

(To be populated during implementation)

<!--TOON:decisions[0]{id,plan_id,decision,rationale,date,impact}:
-->

#### Surprises & Discoveries

(To be populated during implementation)

<!--TOON:discoveries[0]{id,plan_id,observation,evidence,impact,date}:
-->

### [2026-02-03] Dashboard Token Storage Hardening

**Status:** Planning
**Estimate:** ~3h (ai:1.5h test:1h read:30m)

<!--TOON:plan{id,title,status,phase,total_phases,owner,tags,est,est_ai,est_test,est_read,logged,started}:
p017,Dashboard Token Storage Hardening,planning,0,3,,security|auth|dashboard,3h,1.5h,1h,30m,2026-02-03T00:00Z,
-->

#### Purpose

Replace persistent `localStorage` token usage with session/memory-based storage and add a clear/reset flow to reduce XSS exposure and leaked tokens on shared machines.

#### Context from Discussion

Current usage persists `dashboardToken` in `localStorage` in the MCP dashboard UI. Update to session-scoped storage and ensure logout/reset clears state.

#### Progress

- [ ] (2026-02-03) Phase 1: Trace token flow and identify all storage/read paths ~45m
- [ ] (2026-02-03) Phase 2: Migrate to session/memory storage and update auth flow ~1.5h
- [ ] (2026-02-03) Phase 3: Add reset/clear UI flow and verify behavior ~45m
Comment on lines +92 to +94

medium

This is an excellent plan for hardening token storage. Moving from localStorage to session or in-memory storage is a great step. To further enhance security and provide defense-in-depth against XSS, consider adding a task to this plan to review and enforce a strict Content Security Policy (CSP). A strong CSP can prevent the execution of unauthorized scripts, which is the root cause of XSS attacks that could steal tokens even from sessionStorage.


<!--TOON:milestones[3]{id,plan_id,desc,est,actual,scheduled,completed,status}:
m068,p017,Phase 1: Trace token flow and storage paths,45m,,2026-02-03T00:00Z,,pending
m069,p017,Phase 2: Migrate to session/memory storage and update auth flow,1.5h,,2026-02-03T00:00Z,,pending
m070,p017,Phase 3: Add reset/clear UI flow and verify behavior,45m,,2026-02-03T00:00Z,,pending
-->

#### Decision Log

(To be populated during implementation)

<!--TOON:decisions[0]{id,plan_id,decision,rationale,date,impact}:
-->

#### Surprises & Discoveries

(To be populated during implementation)

<!--TOON:discoveries[0]{id,plan_id,observation,evidence,impact,date}:
-->

### [2025-12-21] aidevops-opencode Plugin

**Status:** Planning
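
Review bot: Phase 3 of the install-script plan ("Add fallback behavior and clear error messages") does not say what the fallback is when verification fails or a vendor publishes no checksum or signature. If the fallback is to run the unverified script, the hardening can be bypassed by making verification fail, so the plan should state that a failed or unavailable check aborts the install and that any unverified path needs an explicit opt-in. The Purpose section should also say where the expected checksum comes from: pinned in this repo, or fetched alongside the script. For the dashboard plan, Purpose and Phase 2 say "session/memory" without choosing one; record the choice in the Decision Log, since in-memory state is gone on reload while session storage survives it, and the Phase 3 reset/clear flow has to cover whichever is used.
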
Expand Down Expand Up @@ -800,7 +892,9 @@ disc001,p009,Implementation faster than estimated,All core functionality already
p009,beads-sync-helper.sh; todo-ready.sh; beads.md subagent; blocked-by/blocks syntax; hierarchical IDs; TOON schema; setup.sh integration; AGENTS.md docs,Robust sync script; comprehensive docs; seamless integration,Add optional UI installation to setup.sh,2d,1.5d,-25,1
-->

<!--TOON:active_plans[9]{id,title,status,phase,total_phases,owner,tags,est,est_ai,est_test,est_read,logged,started}:
<!--TOON:active_plans[12]{id,title,status,phase,total_phases,owner,tags,est,est_ai,est_test,est_read,logged,started}:
p016,Install Script Integrity Hardening,planning,0,4,,security|supply-chain|setup,4h,2h,1h,1h,2026-02-03T00:00Z,
p017,Dashboard Token Storage Hardening,planning,0,3,,security|auth|dashboard,3h,1.5h,1h,30m,2026-02-03T00:00Z,
p001,aidevops-opencode Plugin,planning,0,4,,opencode|plugin,2d,1d,0.5d,0.5d,2025-12-21T01:50Z,
p002,Claude Code Destructive Command Hooks,planning,0,4,,claude|git|security,4h,2h,1h,1h,2025-12-21T12:00Z,
p003,Evaluate Merging build-agent and build-mcp into aidevops,planning,0,3,,architecture|agents,4h,2h,1h,1h,2025-12-21T14:00Z,
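
Review bot: the `active_plans` count in the header goes from 9 to 12, but this hunk adds only two rows (p016 and p017). The backlog block in TODO.md was bumped by exactly the number of rows added (52 to 57 for five rows), so either the old count of 9 was already off by one or 12 is wrong; count the rows in the block and set the header to match.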