QA: harden Control Center trust UI #45
Merged
Harden and verify the v0.9.0 Control Center trust layer (flight records, timeline, worktree board, context packets, ROI).

UI defense-in-depth (continuum/ui/app.js):
- Escape the data-task attribute values in the trust views (flightRecordView, contextPacketView) and taskTable. These hold server-generated T%04d ids today, but are read back via dataset.task into API/inspect calls; escaping prevents attribute breakout if id formats ever change.

Tests (tests/test_control_center.py, +9):
- Empty store: all trust endpoints return HTTP 200 + sane JSON (never 500).
- /api/flight-record?task=BOGUS|T9999|"" returns a clean 400 JSON error.
- timeline/board with scheduled lanes vs standalone worktree vs nothing.
- context_packets degrades gracefully when score_intel/gather_context_intel raise.
- trust endpoints are GET-readable without the token; mutations still require it.
- XSS: API returns user-controlled strings verbatim; static assertions confirm every user/task-controlled value in the trust views is wrapped in escapeHtml.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Scope

Surgical QA of the v0.9.0 Control Center trust layer only: ControlCenter methods (flight_records, flight_record, timeline, worktree_board, context_packets, roi, _worktree_schedules), the read-only /api/* endpoints, and the app.js trust views (timelineView, worktreeBoardView, laneCard, flightRecordView, roiView, contextPacketView, bindFlightRecords, bindContextPackets).

Defects found

XSS — none exploitable (rendering already safe)

Audited every interpolation in the trust views. All user/task-controlled strings (task title/objective, agent, branch, lane role, file/owned paths, schedule objective, lane name) are already wrapped in escapeHtml(...). The only unescaped interpolations were the data-task attribute values, which today hold strictly server-generated T%04d ids (not user-controllable), so there was no live XSS hole.

Hardened anyway (defense-in-depth): data-task in flightRecordView, contextPacketView, and taskTable now go through escapeHtml. These values are read back via dataset.task into API/inspect calls, so escaping prevents attribute breakout should id formats ever change.

Robustness — confirmed solid

- db_file, no tasks): all trust endpoints return HTTP 200 with sane empty JSON — verified no 500/traceback.
- /api/flight-record?task=BOGUS raises ValueError/FlightRecordError, both caught by the handler and returned as a clean 400 JSON error.
- context_packets already has a broad except that degrades to empty/None fields when intel functions raise.

Tests added (+9, all green)

tests/test_control_center.py:
- test_trust_endpoints_on_empty_store_return_200_and_sane_json
- test_flight_record_with_bogus_task_returns_clean_400 (BOGUS / T9999 / empty)
- test_timeline_and_board_with_standalone_worktree_only
- test_timeline_and_board_with_scheduled_lanes
- test_timeline_and_board_empty_when_nothing_scheduled
- test_context_packets_degrade_when_intel_raises (monkeypatches score_intel/gather_context_intel)
- test_trust_endpoints_are_get_readable_without_token (+ mutation still 403)
- test_trust_endpoints_preserve_malicious_strings_verbatim_for_ui_escaping
- test_app_js_escapes_user_controlled_trust_values (static XSS guard: asserts every trust-view interpolation is escapeHtml-wrapped and forbids known-unsafe patterns)

Verification

GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_SYSTEM=/dev/null python -m unittest discover -s tests → 295 tests OK. Git-backed tests persist identity in setUp; HTTP servers bind 127.0.0.1:0 and shut down in finally.

🤖 Generated with Claude Code
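
The attribute breakout that the data-task hardening guards against, shown as an added example that is not part of this PR or of continuum/ui/app.js. The escapeHtml body, the two renderers, the attribute reader and the sample id are all assumptions constructed for illustration; the page names escapeHtml but does not show it.

```javascript
// Assumed implementation of escapeHtml (the page only names the helper).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Hypothetical renderers for a row button that carries the task id.
const renderUnescaped = (id) => `<button data-task="${id}">Inspect</button>`;
const renderEscaped = (id) => `<button data-task="${escapeHtml(id)}">Inspect</button>`;

// Reverse of escapeHtml, applied to attribute values as a browser would.
const decodeEntities = (s) => s.replace(/&(amp|lt|gt|quot|#39);/g,
  (_, name) => ({ amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" }[name]));

// Minimal start-tag attribute reader (double-quoted values only). It stands in
// for the browser's HTML parser so the example runs in Node without a DOM.
function parseAttributes(html) {
  const attrs = {};
  const re = /\s+([^\s=>"]+)="([^"]*)"/y;
  re.lastIndex = html.match(/^<\w+/)[0].length; // skip "<button"
  let m;
  while ((m = re.exec(html)) !== null) {
    attrs[m[1]] = decodeEntities(m[2]);
  }
  return attrs;
}

// Constructed id that no longer matches the T%04d format and contains a quote.
const oddId = 'T0001" data-injected="1';

// Without escaping, the quote closes data-task and a second attribute appears;
// the value later read back via dataset.task is also silently truncated.
const unescapedAttrs = parseAttributes(renderUnescaped(oddId));

// With escaping, the element keeps exactly one attribute and the value read
// back is the original string, so the API call sees what the server sent.
const escapedAttrs = parseAttributes(renderEscaped(oddId));

console.log(Object.keys(unescapedAttrs), Object.keys(escapedAttrs));
```
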