Context
Follow-up from the security hardening PR (Codex review of bd84281, finding #6 — manifest authority confusion / arbitrary in-project delete, CWE-73).
That PR closed the vulnerability by gating adapter upgrade orphan auto-prune on the adapter descriptor's ownedPathGlobs (option A). Because claude's ownedPathGlobs is the exact current generated set, an orphan (by definition a path no longer generated) never matches it, so auto-prune is effectively disabled for claude: a renamed/removed generated skill is now surfaced as action: "warn" and kept on disk for manual removal, rather than deleted.
This was the correct security trade-off (favor preserving user files over automatic cleanup) and is intentionally not reverted. But it removes a convenience (rename → stale -N file auto-cleanup).
Why not just widen the glob
Widening ownedPathGlobs to a namespace like .claude/skills/*.md (option B) was rejected: the manifest is project-controlled, so a forged manifest entry for a user-authored skill under .claude/skills/ could then be deleted — the same class of bug, moved to a different directory. The review explicitly warned against this.
Goal (option C)
Restore safe auto-cleanup using a strong ownership signal that does not depend on trusting the manifest, e.g. one of:
- a reserved prefix for code-pact generated files (e.g.
.claude/skills/code-pact-*.md) so ownedPathGlobs can be a namespace that provably excludes user files;
- generated-file metadata (a header/marker the generator writes and verifies);
- another out-of-manifest ownership proof.
Then orphan auto-prune can be re-enabled only for paths that match the strong-ownership criterion.
Constraints
- Must not reintroduce the forged-manifest arbitrary-delete primitive (no broad globs over shared dirs).
- Requires a migration for already-shipped skill filenames → therefore a separate, non-hotfix change, sequenced after the security PR.
- Keep the
warn + manual-removal UX as the fallback for anything not provably owned.
Acceptance
- A renamed/removed code-pact-generated file is auto-pruned again (clean managed orphan).
- A forged manifest entry for a user-authored skill OR an arbitrary in-project file is still never deleted.
- Regression tests for both.
Context
Follow-up from the security hardening PR (Codex review of
bd84281, finding #6 — manifest authority confusion / arbitrary in-project delete, CWE-73).That PR closed the vulnerability by gating
adapter upgradeorphan auto-prune on the adapter descriptor'sownedPathGlobs(option A). Because claude'sownedPathGlobsis the exact current generated set, an orphan (by definition a path no longer generated) never matches it, so auto-prune is effectively disabled for claude: a renamed/removed generated skill is now surfaced asaction: "warn"and kept on disk for manual removal, rather than deleted.This was the correct security trade-off (favor preserving user files over automatic cleanup) and is intentionally not reverted. But it removes a convenience (rename → stale
-Nfile auto-cleanup).Why not just widen the glob
Widening
ownedPathGlobsto a namespace like.claude/skills/*.md(option B) was rejected: the manifest is project-controlled, so a forged manifest entry for a user-authored skill under.claude/skills/could then be deleted — the same class of bug, moved to a different directory. The review explicitly warned against this.Goal (option C)
Restore safe auto-cleanup using a strong ownership signal that does not depend on trusting the manifest, e.g. one of:
.claude/skills/code-pact-*.md) soownedPathGlobscan be a namespace that provably excludes user files;Then orphan auto-prune can be re-enabled only for paths that match the strong-ownership criterion.
Constraints
warn+ manual-removal UX as the fallback for anything not provably owned.Acceptance