Skip to content

fix(cli): validate trusted adapter manifests#282

Merged
BunsDev merged 4 commits into
mainfrom
codex/fix-implicit-adapter-trust-vulnerability
Jul 1, 2026
Merged

fix(cli): validate trusted adapter manifests#282
BunsDev merged 4 commits into
mainfrom
codex/fix-implicit-adapter-trust-vulnerability

Conversation

@BunsDev

@BunsDev BunsDev commented Jun 30, 2026

Copy link
Copy Markdown
Member

Motivation

  • The code previously auto-loaded any .json under COVEN_HOME/adapters, creating an implicit trust path that allowed planted manifests to register harnesses which could execute attacker-controlled commands.
  • This change protects the adapter trust store by ensuring only known, bundled adapter recipes are implicitly trusted when their manifest files exactly match the packaged recipe and are regular (non-symlink) files.
  • The install flow is hardened so existing untrusted or stale manifests are replaced rather than silently accepted as already installed.

Description

  • Replace the unconstrained adapter_manifest_paths_in_dir scan of COVEN_HOME/adapters with trusted_adapter_manifest_paths, which only yields manifests for known recipe names that pass exact content matching via trusted_adapter_manifest_matches_recipe.
  • Add trusted_adapter_manifest_matches_recipe to check that a manifest is a non-symlink regular file and that its text matches the bundled recipe returned by known_adapter_manifest before treating it as installed.
  • Update the installer (run_adapter_install) to treat a manifest as installed only if it matches the recipe, and to remove symlinked or stale manifests before writing the trusted manifest.
  • Add tests and regressions: unit test to ensure a planted/modified COVEN_HOME/adapters/hermes.json is ignored, a unit test that a correct bundled Hermes manifest is loaded from COVEN_HOME, and a smoke test verifying coven adapter install hermes replaces an existing planted manifest.

Testing

  • Ran cargo fmt to apply formatting without errors.
  • Ran cargo test -p coven-cli adapter which executed the adapter unit and smoke tests.
  • All adapter-related tests passed (including the new regressions) with no failures.

Codex Task

Copilot AI review requested due to automatic review settings June 30, 2026 19:43

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens coven-cli’s adapter trust model by only treating COVEN_HOME/adapters/<known>.json as “trusted/installed” when it exactly matches the bundled adapter recipe and is a non-symlink regular file, preventing planted manifests from registering attacker-controlled harness commands.

Changes:

  • Replace broad COVEN_HOME/adapters/*.json loading with a recipe-name allowlist plus exact-content matching (trusted_adapter_manifest_paths / trusted_adapter_manifest_matches_recipe).
  • Harden coven adapter install <recipe> to only treat an adapter as installed when the on-disk manifest matches the bundled recipe, and to replace stale/suspicious manifests.
  • Add unit + smoke regressions to ensure planted manifests are ignored and installs replace pre-existing untrusted manifests.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
crates/coven-cli/src/harness.rs Adds trusted-manifest selection and exact-match validation for known bundled adapter recipes.
crates/coven-cli/src/main.rs Updates adapter install flow to use match-based “installed” detection and replace existing manifests.
crates/coven-cli/tests/smoke.rs Adds smoke regression verifying adapter install hermes replaces a planted manifest.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread crates/coven-cli/src/main.rs Outdated
Comment on lines +848 to +855
if manifest_path.symlink_metadata().is_ok() {
std::fs::remove_file(&manifest_path).with_context(|| {
format!(
"failed to replace trusted adapter manifest {}",
manifest_path.display()
)
})?;
}
Comment thread crates/coven-cli/src/harness.rs
Comment thread crates/coven-cli/src/harness.rs Outdated
Comment on lines +355 to +359
fn trusted_adapter_manifest_paths(coven_home: &Path) -> Vec<PathBuf> {
known_adapter_recipe_names()
.iter()
.filter_map(|adapter_id| {
let path = trusted_adapter_manifest_path(coven_home, adapter_id);
Comment thread crates/coven-cli/tests/smoke.rs Outdated
Comment on lines +367 to +369
let manifest = fs::read_to_string(manifest_path)?;
assert!(manifest.contains("\"executable\": \"hermes\""));
assert!(!manifest.contains("\"executable\":\"sh\""));
@BunsDev BunsDev force-pushed the codex/fix-implicit-adapter-trust-vulnerability branch from db59690 to 73c7f37 Compare June 30, 2026 20:39
BunsDev and others added 2 commits June 30, 2026 22:12
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@BunsDev BunsDev merged commit 5791d5e into main Jul 1, 2026
14 checks passed
@BunsDev BunsDev deleted the codex/fix-implicit-adapter-trust-vulnerability branch July 1, 2026 06:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants