Summary
Release readiness for the Business Hub approval-gate work is blocked by two high security findings from the SDLC audit.
Related PR: #53
Related commit: 0fe10d2
Blockers
HIGH: dashboard approval identity is spoofable
The dashboard approval endpoints accept a manager identity from the request body. A local script or browser request can submit an arbitrary resolvedBy value. If no manager allowlist exists, any name is accepted. If an allowlist exists, anyone who knows or guesses a manager name can provide it.
Required fix:
- Add authenticated local manager identity or signed one-time approval tokens.
- Enforce Content-Type: application/json on approval POSTs.
- Add CSRF nonce protection for dashboard-served approval actions.
- Record audit-proof actor evidence, not just a body string.
- Add tests for spoofed manager name and missing/invalid CSRF or signed token.
HIGH: approval ID path traversal can write outside .rstack/runs
A crafted approval id can encode a runId containing path traversal. The approval resolver decodes the id and writes approvals.json using that decoded run id. The audit PoC wrote an approvals.json file outside the intended run directory in a temp project.
Required fix:
- Validate runId, taskId, and artifact with strict allowed patterns.
- Resolve the final path and assert it remains under projectRoot/.rstack/runs.
- Require a target run manifest.json to exist.
- Add regression tests for encoded traversal approval ids and unsafe queue entries.
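One way to implement the first three checks, shown as an added example that is not the project's code. The ID pattern, the function names and the temp fixture are assumptions, and the helper takes an already-decoded runId because the approval id encoding is not shown here.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Assumed allowlist: a single path segment with no dots, slashes or percent signs.
const SAFE_ID = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;

// Hypothetical helper: returns the approvals.json path for a run, or throws.
function resolveApprovalsPath(projectRoot, runId) {
  // 1. Strict pattern on the decoded id, before it touches the filesystem.
  if (typeof runId !== 'string' || !SAFE_ID.test(runId)) {
    throw new Error('invalid runId');
  }
  const runsRoot = fs.realpathSync(path.join(projectRoot, '.rstack', 'runs'));
  const runDir = path.resolve(runsRoot, runId);
  // 2. The target run must already exist, identified by its manifest.json.
  if (!fs.existsSync(path.join(runDir, 'manifest.json'))) {
    throw new Error('unknown run');
  }
  // 3. Containment: after symlinks are resolved, the run directory must be
  //    a direct child of .rstack/runs.
  const realRunDir = fs.realpathSync(runDir);
  if (path.dirname(realRunDir) !== runsRoot) {
    throw new Error('run directory escapes .rstack/runs');
  }
  return path.join(realRunDir, 'approvals.json');
}

// Constructed fixture: a temp project containing one valid run, run-001.
function makeProject() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'approval-demo-'));
  const run = path.join(root, '.rstack', 'runs', 'run-001');
  fs.mkdirSync(run, { recursive: true });
  fs.writeFileSync(path.join(run, 'manifest.json'), '{}');
  return root;
}

// Returns the resolved path, or "rejected: <reason>" for a refused id.
function check(projectRoot, runId) {
  try {
    return resolveApprovalsPath(projectRoot, runId);
  } catch (err) {
    return `rejected: ${err.message}`;
  }
}
```

The same pattern check applies to taskId and artifact before either is used in a path.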
Current verification
- Focused approval tests passed: npx tsx --test tests/dashboard-business-hub.test.js tests/people-layer-approvals.test.js, 13 passed, 0 failed.
- Prior full validation/test/lint passed: 196 agent validations, 101 tests, 0 lint errors.
- Package dry-run reported no private .rstack/secret-path files included.
- Browser-click/screenshot QA is still missing because Playwright/Puppeteer/browser tooling was unavailable.
Release decision
Do not merge, ship, deploy, or publish this approval-gate work until these high findings are fixed or formally accepted by an authorized manager.