Objective
Treat model output, repository contents, PR text, and external inputs as untrusted data.
Work
- Preserve untrusted-data wrapping across L1->L2, supporter->moderator, and L2->L3 prompt paths.
- Test delimiter spoofing, role override, output-format manipulation, JSON breakout, hidden-prompt requests, and premature verdict injection.
- Redact API keys, tokens, repo credentials, and provider auth errors in logs and sessions.
- Bound path access for config, diff context, MCP repo paths, and session reads.
- Keep GitHub token permissions minimal and document fork-secret behavior.
Acceptance Gate
- Prompt-injection boundary tests pass for every LLM-to-LLM handoff.
- Secret redaction tests cover CLI logs, JSON output, session files, GitHub comments, and MCP responses.
- Path traversal tests cover diff context reads, session reads, config edits, and MCP repo paths.
- Security-sensitive large-diff files are prioritized before non-sensitive files.
Source: docs/PRODUCTION_READINESS_ROADMAP.md Phase 5.
Objective
Treat model output, repository contents, PR text, and external inputs as untrusted data.
Work
Acceptance Gate
Source:
docs/PRODUCTION_READINESS_ROADMAP.mdPhase 5.