Skip to content

Safe orphan auto-cleanup via strong ownership (reserved namespace / generated-file markers) #487

Description

@toshtag

Context

Follow-up from the security hardening PR (Codex review of bd84281, finding #6manifest authority confusion / arbitrary in-project delete, CWE-73).

That PR closed the vulnerability by gating adapter upgrade orphan auto-prune on the adapter descriptor's ownedPathGlobs (option A). Because claude's ownedPathGlobs is the exact current generated set, an orphan (by definition a path no longer generated) never matches it, so auto-prune is effectively disabled for claude: a renamed/removed generated skill is now surfaced as action: "warn" and kept on disk for manual removal, rather than deleted.

This was the correct security trade-off (favor preserving user files over automatic cleanup) and is intentionally not reverted. But it removes a convenience (rename → stale -N file auto-cleanup).

Why not just widen the glob

Widening ownedPathGlobs to a namespace like .claude/skills/*.md (option B) was rejected: the manifest is project-controlled, so a forged manifest entry for a user-authored skill under .claude/skills/ could then be deleted — the same class of bug, moved to a different directory. The review explicitly warned against this.

Goal (option C)

Restore safe auto-cleanup using a strong ownership signal that does not depend on trusting the manifest, e.g. one of:

  • a reserved prefix for code-pact generated files (e.g. .claude/skills/code-pact-*.md) so ownedPathGlobs can be a namespace that provably excludes user files;
  • generated-file metadata (a header/marker the generator writes and verifies);
  • another out-of-manifest ownership proof.

Then orphan auto-prune can be re-enabled only for paths that match the strong-ownership criterion.

Constraints

  • Must not reintroduce the forged-manifest arbitrary-delete primitive (no broad globs over shared dirs).
  • Requires a migration for already-shipped skill filenames → therefore a separate, non-hotfix change, sequenced after the security PR.
  • Keep the warn + manual-removal UX as the fallback for anything not provably owned.

Acceptance

  • A renamed/removed code-pact-generated file is auto-pruned again (clean managed orphan).
  • A forged manifest entry for a user-authored skill OR an arbitrary in-project file is still never deleted.
  • Regression tests for both.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions