fix: stale hook entries no longer trip the supply-chain alarm on upgrade#51
Merged
Conversation
Hook renames left orphaned entries in upgraders' settings.json that audit:hooks flagged as SUSPICIOUS (exit 1) — a cry-wolf supply-chain alarm on every legitimate upgrade.
- settings-merge: add parallelmax-nudge, review-queue-nudge, track-tldr, tldr-stats to DEPRECATED_COMMAND_PATTERNS so the merge prunes them
- audit-hooks: new 'stale' severity — shipped-pattern command whose script no longer exists on disk warns and suggests re-running setup.sh; 'suspicious' (exit 1) is reserved for files that exist but aren't in the manifest (actual dropped-payload shape)
- SECURITY.md taxonomy updated; tests for both layers
What this does
When cc-settings renames or removes a hook script, upgrading users were left with orphaned entries in their settings.json that bun run audit:hooks flagged as SUSPICIOUS — the supply-chain alarm cried wolf on every legitimate upgrade (one real install showed 6 false suspicious findings after the tool-cadence merge). This makes upgrades clean themselves up and teaches the auditor the difference between a leftover and an actual dropped payload.
Fixes #50
Summary
- src/lib/settings-merge.ts: parallelmax-nudge.ts, review-queue-nudge.ts, track-tldr.ts, tldr-stats.ts added to DEPRECATED_COMMAND_PATTERNS — the existing prune path drops them (and accumulated duplicates) on the next setup.sh run
- src/lib/audit-hooks.ts: new stale severity. Shipped-pattern command whose script is absent from disk → stale (warn, "re-run setup.sh", exit 0). File exists but isn't in the manifest → still suspicious (exit 1) — that's the real dropped-payload shape, and the signal is now sharper
- verify-hooks.ts: SessionStart banner only triggers on suspicious, unchanged by stale findings
- SECURITY.md: severity taxonomy updated
Test Plan
- bun test — 520 pass (new: merge prunes renamed-hook groups + duplicates; stale vs dropped-payload classification; stale doesn't flip hasSuspicious)
- bun run typecheck / bun run lint
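The two layers the description above covers, as an added TypeScript example that is not cc-settings' own code: the merge-time prune of deprecated command patterns (plus duplicate collapsing) and the audit classification that separates a stale leftover (script missing on disk, warn and exit 0) from a dropped payload (file present on disk that the manifest never shipped, exit 1). The hook-command shape, the hooks directory path, the manifest and on-disk sets, and every function name here are assumptions; the sample settings entries are constructed, not taken from a real install.

```typescript
// Added illustration, not cc-settings' own code. The hook-command shape, the
// hooks directory, and the manifest / on-disk inputs below are assumptions.

type Severity = "ok" | "stale" | "suspicious";

interface Finding {
  command: string;
  severity: Severity;
  reason: string;
}

// Assumed shape of a shipped hook command: "bun run ~/.claude/hooks/<script>".
const HOOK_DIR = "~/.claude/hooks/";

// Layer 1 (settings-merge): renamed or removed hook scripts whose entries the
// merge prunes from an upgrader's settings.json. Script names are from the PR.
const DEPRECATED_COMMAND_PATTERNS = [
  "parallelmax-nudge.ts",
  "review-queue-nudge.ts",
  "track-tldr.ts",
  "tldr-stats.ts",
];

function pruneDeprecated(commands: string[]): string[] {
  const seen = new Set<string>();
  const kept: string[] = [];
  for (const cmd of commands) {
    if (DEPRECATED_COMMAND_PATTERNS.some((p) => cmd.includes(p))) continue; // orphaned entry
    if (seen.has(cmd)) continue; // duplicate accumulated across repeated merges
    seen.add(cmd);
    kept.push(cmd);
  }
  return kept;
}

// Layer 2 (audit-hooks): which script a command points at, or null when the
// command does not point into the hooks directory at all.
function scriptOf(command: string): string | null {
  const at = command.indexOf(HOOK_DIR);
  if (at < 0) return null;
  const script = command.slice(at + HOOK_DIR.length).split(/\s+/)[0] ?? "";
  return script.length > 0 ? script : null;
}

// `manifest` is the set of scripts the installed release ships; `onDisk` is
// what actually exists in the hooks directory. Both are injected rather than
// read from the filesystem so the example runs offline.
function classify(command: string, manifest: Set<string>, onDisk: Set<string>): Finding {
  const script = scriptOf(command);
  if (script === null) {
    return { command, severity: "ok", reason: "not a hooks-dir command; outside this audit" };
  }
  if (!onDisk.has(script)) {
    // Nothing can execute: a leftover from a rename or removal. Warn and point at setup.sh.
    return { command, severity: "stale", reason: `${script} missing on disk; re-run setup.sh` };
  }
  if (!manifest.has(script)) {
    // An executable file is present that the release never shipped: dropped-payload shape.
    return { command, severity: "suspicious", reason: `${script} exists but is not in the manifest` };
  }
  return { command, severity: "ok", reason: "shipped and present" };
}

function audit(commands: string[], manifest: Set<string>, onDisk: Set<string>) {
  const findings = commands.map((c) => classify(c, manifest, onDisk));
  const hasSuspicious = findings.some((f) => f.severity === "suspicious");
  // Only suspicious findings fail the audit (exit 1); stale ones warn and exit 0.
  return { findings, hasSuspicious, exitCode: hasSuspicious ? 1 : 0 };
}

// Constructed sample inputs (not from a real install).
const MANIFEST = new Set(["tool-cadence.ts", "verify-hooks.ts"]);
const ON_DISK = new Set(["tool-cadence.ts", "verify-hooks.ts", "unlisted-payload.ts"]);
const UPGRADED_SETTINGS_COMMANDS = [
  "bun run ~/.claude/hooks/tool-cadence.ts",
  "bun run ~/.claude/hooks/tool-cadence.ts",       // duplicate from repeated merges
  "bun run ~/.claude/hooks/parallelmax-nudge.ts",  // renamed hook, deprecated pattern, gone from disk
  "bun run ~/.claude/hooks/unlisted-payload.ts",   // present on disk, never shipped
  "echo session start",                            // user's own hook, untouched
];

function runExample() {
  const before = audit(UPGRADED_SETTINGS_COMMANDS, MANIFEST, ON_DISK);
  const after = audit(pruneDeprecated(UPGRADED_SETTINGS_COMMANDS), MANIFEST, ON_DISK);
  // A settings file holding only a renamed-hook leftover: warns, but does not fail.
  const staleOnly = audit(["bun run ~/.claude/hooks/parallelmax-nudge.ts"], MANIFEST, ON_DISK);
  return { before, after, staleOnly };
}
```

The order of the two checks in classify is the whole point: the existence test runs before the manifest test, so a script that is both missing from disk and absent from the manifest is reported as stale rather than suspicious, which is exactly the cry-wolf case the PR removes. A real auditor would stat the script path instead of consulting an injected set, but the classification logic is unchanged by that.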