@maintainabilityai/research-runner 0.1.42 → 0.1.43
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/runner/skills.js +18 -0
- package/package.json +1 -1
package/dist/runner/skills.js
CHANGED
|
@@ -1970,6 +1970,24 @@ const handleAuditVerifyChain = async (input) => {
|
|
|
1970
1970
|
const sealed = signedCount > 0;
|
|
1971
1971
|
const agentEventCount = lines.length - workflowUnsignedCount;
|
|
1972
1972
|
let sealVerified = false;
|
|
1973
|
+
// Bug-Q / Q3 (Codex audit round 2) — a chain that USES per-epoch
|
|
1974
|
+
// signing (any event carries `signer_epoch`) MUST be sealed AND seal-
|
|
1975
|
+
// verified. Without this guard, an attacker could hand-craft a chain
|
|
1976
|
+
// where event 1 is signed (forcing `chainUsesPerEpochSigning=true`)
|
|
1977
|
+
// but every subsequent event is unsigned — `signedCount > 0` would
|
|
1978
|
+
// be true and the per-event check below would pass each unsigned
|
|
1979
|
+
// event as `legitimateUnsigned` if attribution were faked. Equally,
|
|
1980
|
+
// a chain where the runner reports `sealed=true` but the legacy
|
|
1981
|
+
// `chainUsesPerEpochSigning=false` path runs is the gold-product
|
|
1982
|
+
// promise we make to the marketing page. Legacy chains (no event
|
|
1983
|
+
// carries signer_epoch) keep the prior allowance — they predate
|
|
1984
|
+
// Bug O and a user audit-replaying them is intentionally tolerant.
|
|
1985
|
+
if (chainUsesPerEpochSigning && !sealed) {
|
|
1986
|
+
return {
|
|
1987
|
+
ok: false,
|
|
1988
|
+
reason: `per-epoch-chain-not-sealed: chain references signer_epoch (per-epoch signing contract) but no events carry signatures; gold-product contract requires per-epoch chains to be fully sealed`,
|
|
1989
|
+
};
|
|
1990
|
+
}
|
|
1973
1991
|
if (sealed) {
|
|
1974
1992
|
if (signedCount !== agentEventCount) {
|
|
1975
1993
|
return { ok: false, reason: `partial-signatures: ${signedCount}/${agentEventCount} agent-emitted events signed (chain tampered; ${workflowUnsignedCount} workflow-emitted unsigned by-design)` };
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@maintainabilityai/research-runner",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.43",
|
|
4
4
|
"description": "Research + PRD agent runner — orchestrates the Archeologist and PRD pipelines for the MaintainabilityAI governance mesh",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"author": "MaintainabilityAI",
|