gitspace 0.2.0-rc.20 → 0.2.0-rc.21

package/src/utils/shell-escape.ts

@@ -1,40 +0,0 @@
-/**
- * Shell escaping utilities for safe command execution
- * Prevents command injection vulnerabilities when passing user input to shell commands
- */
-
-/**
- * Escape a string argument for safe use in shell commands
- *
- * This function wraps the argument in single quotes and escapes any single quotes
- * within the string by replacing them with '\''
- *
- * @param arg The string to escape
- * @returns Safely escaped string for shell use
- *
- * @example
- * escapeShellArg("my-branch") // "'my-branch'"
- * escapeShellArg("branch'name") // "'branch'\''name'"
- * escapeShellArg("feature/test") // "'feature/test'"
- * escapeShellArg('"; rm -rf / #') // "'\"rm -rf / #'"
- */
-export function escapeShellArg(arg: string): string {
-  // Single quotes protect against all shell metacharacters except single quote itself
-  // To include a single quote, we end the single-quoted string, add an escaped single quote,
-  // and start a new single-quoted string: 'don'\''t' -> "don't"
-  return `'${arg.replace(/'/g, "'\\''")}'`;
-}
-
-/**
- * Escape multiple arguments and join them with spaces
- *
- * @param args Array of arguments to escape
- * @returns Space-separated string of escaped arguments
- *
- * @example
- * escapeShellArgs(["git", "commit", "-m", "my message"])
- * // "'git' 'commit' '-m' 'my message'"
- */
-export function escapeShellArgs(...args: string[]): string {
-  return args.map(escapeShellArg).join(' ');
-}

package/src/utils/utf8.ts

@@ -1,79 +0,0 @@
-/**
- * UTF-8 Boundary Handling Utilities
- *
- * Provides functions for handling UTF-8 encoded data streams,
- * particularly for finding safe split points in byte buffers
- * to avoid breaking multi-byte character sequences.
- */
-
-/**
- * Find the boundary where complete UTF-8 sequences end.
- * Returns the number of bytes that form complete UTF-8 sequences.
- * Any bytes after this boundary are incomplete and should be buffered.
- *
- * This function is useful when streaming UTF-8 data in chunks,
- * where a multi-byte character might be split across chunk boundaries.
- *
- * @param buf - The byte buffer to analyze (Buffer or Uint8Array)
- * @returns The byte offset where complete UTF-8 sequences end
- *
- * @example
- * ```ts
- * const chunk = new Uint8Array([0x48, 0x65, 0x6c, 0x6c, 0x6f, 0xc3]); // "Hello" + incomplete é
- * const boundary = findUtf8Boundary(chunk); // Returns 5
- * const complete = chunk.slice(0, boundary); // "Hello"
- * const incomplete = chunk.slice(boundary); // [0xc3] - buffer for next chunk
- * ```
- */
-export function findUtf8Boundary(buf: Uint8Array | Buffer): number {
-  if (buf.length === 0) return 0;
-
-  // UTF-8 encoding:
-  // - 1 byte:  0xxxxxxx (0x00-0x7F) - always complete
-  // - 2 bytes: 110xxxxx 10xxxxxx (starts with 0xC0-0xDF)
-  // - 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx (starts with 0xE0-0xEF)
-  // - 4 bytes: 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx (starts with 0xF0-0xF7)
-  // Continuation bytes: 10xxxxxx (0x80-0xBF)
-
-  // Start from the last byte and work backwards (up to 3 bytes back)
-  for (let i = 0; i < Math.min(4, buf.length); i++) {
-    const pos = buf.length - 1 - i;
-    const byte = buf[pos];
-
-    // Skip continuation bytes (10xxxxxx) - keep looking for the leading byte
-    if ((byte & 0xc0) === 0x80) {
-      continue;
-    }
-
-    // Found a leading byte at pos - check if sequence is complete
-    let expectedLen: number;
-    if ((byte & 0x80) === 0x00) {
-      // ASCII (0xxxxxxx) - 1 byte
-      expectedLen = 1;
-    } else if ((byte & 0xe0) === 0xc0) {
-      // 2-byte sequence (110xxxxx)
-      expectedLen = 2;
-    } else if ((byte & 0xf0) === 0xe0) {
-      // 3-byte sequence (1110xxxx)
-      expectedLen = 3;
-    } else if ((byte & 0xf8) === 0xf0) {
-      // 4-byte sequence (11110xxx)
-      expectedLen = 4;
-    } else {
-      // Invalid leading byte - treat buffer as complete
-      return buf.length;
-    }
-
-    const actualLen = buf.length - pos;
-    if (actualLen >= expectedLen) {
-      // Sequence is complete
-      return buf.length;
-    } else {
-      // Incomplete sequence - boundary is at this position
-      return pos;
-    }
-  }
-
-  // Only found continuation bytes (malformed UTF-8) - buffer conservatively
-  return Math.max(0, buf.length - 3);
-}

package/src/utils/workspace-id.ts

@@ -1,55 +0,0 @@
-import { isAbsolute, relative, resolve, sep } from 'path';
-
-export function toWorkspaceId(projectName: string, workspaceName: string): string {
-  return `${projectName}:${workspaceName}`;
-}
-
-export function toCanonicalWorkspaceId(workspace: { projectName: string; id: string }): string {
-  return toWorkspaceId(workspace.projectName, workspace.id);
-}
-
-export function matchesWorkspaceId(
-  workspace: { projectName: string; id: string },
-  workspaceId: string
-): boolean {
-  return workspace.id === workspaceId || toCanonicalWorkspaceId(workspace) === workspaceId;
-}
-
-export function resolveWorkspaceName(projectName: string, workspaceId: string): string {
-  const prefix = `${projectName}:`;
-  if (workspaceId.startsWith(prefix)) {
-    return workspaceId.slice(prefix.length);
-  }
-  return workspaceId;
-}
-
-export function detectWorkspaceContextFromCwd(
-  cwd: string,
-  gitspaceDir: string
-): { projectName: string; workspaceName: string } | null {
-  const resolvedCwd = resolve(cwd);
-  const resolvedGitspaceDir = resolve(gitspaceDir);
-
-  const cwdRelativeToGitspace = relative(resolvedGitspaceDir, resolvedCwd);
-  if (
-    cwdRelativeToGitspace === '' ||
-    cwdRelativeToGitspace === '.' ||
-    cwdRelativeToGitspace.startsWith('..') ||
-    isAbsolute(cwdRelativeToGitspace)
-  ) {
-    return null;
-  }
-
-  const parts = cwdRelativeToGitspace.split(sep).filter(Boolean);
-  if (parts.length < 3 || parts[1] !== 'workspaces') {
-    return null;
-  }
-
-  const projectName = parts[0];
-  const workspaceName = parts[2];
-  if (!projectName || !workspaceName) {
-    return null;
-  }
-
-  return { projectName, workspaceName };
-}

package/src/utils/workspace-state.ts

@@ -1,427 +0,0 @@
-/**
- * Workspace state tracking utilities.
- *
- * State is persisted in workspace-local gitspace.lock (JSON).
- */
-
-import { createHash } from 'crypto';
-import { existsSync, readFileSync, unlinkSync, writeFileSync } from 'fs';
-import { join } from 'path';
-import { SpacesError } from '../types/errors.js';
-import type {
-  ConfirmStep,
-  InputStep,
-  OnboardingStep,
-  SecretStep,
-  SpacesBundle,
-  ConfirmStepResult,
-} from '../types/bundle.js';
-
-const SETUP_MARKER_FILE = 'gitspace.lock';
-
-export type WorkspaceLockPhaseStatus = 'never' | 'success' | 'failed';
-
-export interface WorkspaceLockConfirmState {
-  status: ConfirmStepResult['status'];
-  fingerprint: string;
-}
-
-export interface WorkspaceLockSetupState {
-  status: WorkspaceLockPhaseStatus;
-  ranAt?: string;
-  error?: string;
-  inputsUsed: Record<string, string>;
-  inputFingerprints: Record<string, string>;
-  secretFingerprints: Record<string, string>;
-  confirmsUsed: Record<string, WorkspaceLockConfirmState>;
-  usedOptionalSteps: Record<string, true>;
-  setupFingerprint?: string;
-}
-
-export interface WorkspaceLockSelectState {
-  status: WorkspaceLockPhaseStatus;
-  ranAt?: string;
-  error?: string;
-}
-
-export interface WorkspaceLockBundleState {
-  bundleHash: string;
-  stepFingerprints: Record<string, string>;
-}
-
-export interface WorkspaceLockState {
-  version: 1;
-  bundle?: WorkspaceLockBundleState;
-  setup: WorkspaceLockSetupState;
-  select: WorkspaceLockSelectState;
-}
-
-interface BuildSetupStateOptions {
-  bundle?: SpacesBundle;
-  bundleHash?: string;
-  stepFingerprints?: Record<string, string>;
-  bundleValues?: Record<string, string>;
-  bundleSecrets?: Record<string, string>;
-  confirmResults?: Record<string, ConfirmStepResult>;
-}
-
-export function getWorkspaceLockPath(workspacePath: string): string {
-  return join(workspacePath, SETUP_MARKER_FILE);
-}
-
-export function createEmptyWorkspaceLockState(): WorkspaceLockState {
-  return {
-    version: 1,
-    setup: {
-      status: 'never',
-      inputsUsed: {},
-      inputFingerprints: {},
-      secretFingerprints: {},
-      confirmsUsed: {},
-      usedOptionalSteps: {},
-    },
-    select: {
-      status: 'never',
-    },
-  };
-}
-
-function isRecord(value: unknown): value is Record<string, unknown> {
-  return !!value && typeof value === 'object' && !Array.isArray(value);
-}
-
-function normalizeSetupState(value: unknown): WorkspaceLockSetupState {
-  const defaults = createEmptyWorkspaceLockState().setup;
-  if (!isRecord(value)) {
-    return defaults;
-  }
-
-  const status = value.status;
-  const normalizedStatus: WorkspaceLockPhaseStatus =
-    status === 'success' || status === 'failed' || status === 'never'
-      ? status
-      : 'never';
-
-  return {
-    status: normalizedStatus,
-    ranAt: typeof value.ranAt === 'string' ? value.ranAt : undefined,
-    error: typeof value.error === 'string' ? value.error : undefined,
-    inputsUsed: isRecord(value.inputsUsed)
-      ? Object.fromEntries(Object.entries(value.inputsUsed).filter(([, v]) => typeof v === 'string')) as Record<string, string>
-      : {},
-    inputFingerprints: isRecord(value.inputFingerprints)
-      ? Object.fromEntries(Object.entries(value.inputFingerprints).filter(([, v]) => typeof v === 'string')) as Record<string, string>
-      : {},
-    secretFingerprints: isRecord(value.secretFingerprints)
-      ? Object.fromEntries(Object.entries(value.secretFingerprints).filter(([, v]) => typeof v === 'string')) as Record<string, string>
-      : {},
-    confirmsUsed: isRecord(value.confirmsUsed)
-      ? Object.fromEntries(
-          Object.entries(value.confirmsUsed)
-            .filter(([, v]) => isRecord(v) && typeof v.fingerprint === 'string' && (v.status === 'passed' || v.status === 'skipped'))
-            .map(([k, v]) => {
-              const item = v as { status: ConfirmStepResult['status']; fingerprint: string };
-              return [k, { status: item.status, fingerprint: item.fingerprint }];
-            })
-        )
-      : {},
-    usedOptionalSteps: isRecord(value.usedOptionalSteps)
-      ? Object.fromEntries(Object.keys(value.usedOptionalSteps).map((key) => [key, true])) as Record<string, true>
-      : {},
-    setupFingerprint: typeof value.setupFingerprint === 'string' ? value.setupFingerprint : undefined,
-  };
-}
-
-function normalizeSelectState(value: unknown): WorkspaceLockSelectState {
-  const defaults = createEmptyWorkspaceLockState().select;
-  if (!isRecord(value)) {
-    return defaults;
-  }
-
-  const status = value.status;
-  const normalizedStatus: WorkspaceLockPhaseStatus =
-    status === 'success' || status === 'failed' || status === 'never'
-      ? status
-      : 'never';
-
-  return {
-    status: normalizedStatus,
-    ranAt: typeof value.ranAt === 'string' ? value.ranAt : undefined,
-    error: typeof value.error === 'string' ? value.error : undefined,
-  };
-}
-
-function normalizeBundleState(value: unknown): WorkspaceLockBundleState | undefined {
-  if (!isRecord(value)) {
-    return undefined;
-  }
-
-  if (typeof value.bundleHash !== 'string') {
-    return undefined;
-  }
-
-  const stepFingerprints = isRecord(value.stepFingerprints)
-    ? Object.fromEntries(Object.entries(value.stepFingerprints).filter(([, v]) => typeof v === 'string')) as Record<string, string>
-    : {};
-
-  return {
-    bundleHash: value.bundleHash,
-    stepFingerprints,
-  };
-}
-
-export function readWorkspaceLockState(workspacePath: string): WorkspaceLockState | null {
-  const markerPath = getWorkspaceLockPath(workspacePath);
-  if (!existsSync(markerPath)) {
-    return null;
-  }
-
-  try {
-    const raw = readFileSync(markerPath, 'utf-8');
-    const parsed = JSON.parse(raw) as unknown;
-    if (!isRecord(parsed) || parsed.version !== 1) {
-      return null;
-    }
-
-    return {
-      version: 1,
-      bundle: normalizeBundleState(parsed.bundle),
-      setup: normalizeSetupState(parsed.setup),
-      select: normalizeSelectState(parsed.select),
-    };
-  } catch {
-    return null;
-  }
-}
-
-export function writeWorkspaceLockState(workspacePath: string, state: WorkspaceLockState): void {
-  const markerPath = getWorkspaceLockPath(workspacePath);
-
-  try {
-    writeFileSync(markerPath, `${JSON.stringify(state, null, 2)}\n`, 'utf-8');
-  } catch (error) {
-    throw new SpacesError(
-      `Failed to write workspace lock: ${error instanceof Error ? error.message : 'Unknown error'}`,
-      'SYSTEM_ERROR',
-      2
-    );
-  }
-}
-
-export function hasSetupBeenRun(workspacePath: string): boolean {
-  const state = readWorkspaceLockState(workspacePath);
-  return state?.setup.status === 'success';
-}
-
-export function markSetupComplete(workspacePath: string): void {
-  const state = readWorkspaceLockState(workspacePath) || createEmptyWorkspaceLockState();
-  state.setup.status = 'success';
-  state.setup.ranAt = new Date().toISOString();
-  state.setup.error = undefined;
-  writeWorkspaceLockState(workspacePath, state);
-}
-
-export function clearSetupMarker(workspacePath: string): void {
-  const markerPath = getWorkspaceLockPath(workspacePath);
-
-  try {
-    if (existsSync(markerPath)) {
-      unlinkSync(markerPath);
-    }
-  } catch {
-    // Ignore errors - this is just for testing
-  }
-}
-
-function deepSortForHash(value: unknown): unknown {
-  if (Array.isArray(value)) {
-    return value.map((item) => deepSortForHash(item));
-  }
-
-  if (value && typeof value === 'object') {
-    const record = value as Record<string, unknown>;
-    const sorted: Record<string, unknown> = {};
-    for (const key of Object.keys(record).sort()) {
-      sorted[key] = deepSortForHash(record[key]);
-    }
-    return sorted;
-  }
-
-  return value;
-}
-
-export function fingerprintValue(value: string): string {
-  return createHash('sha256').update(value).digest('hex').slice(0, 16);
-}
-
-export function getBundleStepKey(step: OnboardingStep): string {
-  if (step.type === 'input' || step.type === 'secret') {
-    return `${step.type}:${step.configKey}`;
-  }
-
-  return `${step.type}:${step.id}`;
-}
-
-function fingerprintInputStep(step: InputStep): string {
-  return createHash('sha256')
-    .update(JSON.stringify(deepSortForHash({
-      type: step.type,
-      id: step.id,
-      title: step.title,
-      description: step.description,
-      required: step.required !== false,
-      configKey: step.configKey,
-      defaultValue: step.defaultValue ?? null,
-      validationPattern: step.validationPattern ?? null,
-      validationMessage: step.validationMessage ?? null,
-    })))
-    .digest('hex')
-    .slice(0, 16);
-}
-
-function fingerprintSecretStep(step: SecretStep): string {
-  return createHash('sha256')
-    .update(JSON.stringify(deepSortForHash({
-      type: step.type,
-      id: step.id,
-      title: step.title,
-      description: step.description,
-      required: step.required !== false,
-      configKey: step.configKey,
-      validationPattern: step.validationPattern ?? null,
-      validationMessage: step.validationMessage ?? null,
-    })))
-    .digest('hex')
-    .slice(0, 16);
-}
-
-function fingerprintConfirmStep(step: ConfirmStep): string {
-  return createHash('sha256')
-    .update(JSON.stringify(deepSortForHash({
-      type: step.type,
-      id: step.id,
-      title: step.title,
-      description: step.description,
-      required: step.required !== false,
-      checkCommand: step.checkCommand ?? null,
-      installUrl: step.installUrl ?? null,
-      confirmPrompt: step.confirmPrompt ?? null,
-    })))
-    .digest('hex')
-    .slice(0, 16);
-}
-
-function fingerprintStep(step: OnboardingStep): string {
-  if (step.type === 'input') {
-    return fingerprintInputStep(step);
-  }
-  if (step.type === 'secret') {
-    return fingerprintSecretStep(step);
-  }
-  if (step.type === 'confirm') {
-    return fingerprintConfirmStep(step);
-  }
-
-  return createHash('sha256')
-    .update(JSON.stringify(deepSortForHash({
-      type: step.type,
-      id: step.id,
-      title: step.title,
-      description: step.description,
-      required: step.required !== false,
-    })))
-    .digest('hex')
-    .slice(0, 16);
-}
-
-export function buildBundleStepFingerprints(bundle: SpacesBundle): Record<string, string> {
-  const steps = bundle.onboarding || [];
-  const fingerprints: Record<string, string> = {};
-
-  for (const step of steps) {
-    fingerprints[getBundleStepKey(step)] = fingerprintStep(step);
-  }
-
-  return fingerprints;
-}
-
-export function buildSetupState(options: BuildSetupStateOptions): WorkspaceLockSetupState {
-  const {
-    bundle,
-    bundleHash,
-    stepFingerprints,
-    bundleValues = {},
-    bundleSecrets = {},
-    confirmResults = {},
-  } = options;
-
-  const steps = bundle?.onboarding || [];
-  const usedOptionalSteps: Record<string, true> = {};
-  const inputFingerprints: Record<string, string> = {};
-  const secretFingerprints: Record<string, string> = {};
-  const confirmsUsed: Record<string, WorkspaceLockConfirmState> = {};
-  const inputsUsed: Record<string, string> = {};
-
-  for (const step of steps) {
-    const key = getBundleStepKey(step);
-    const isOptional = step.required === false;
-
-    if (step.type === 'input') {
-      const value = bundleValues[step.configKey] ?? '';
-      if (value.length > 0) {
-        inputsUsed[step.configKey] = value;
-      }
-      inputFingerprints[step.configKey] = fingerprintValue(value);
-      if (isOptional && value.length > 0) {
-        usedOptionalSteps[key] = true;
-      }
-      continue;
-    }
-
-    if (step.type === 'secret') {
-      const value = bundleSecrets[step.configKey] ?? '';
-      secretFingerprints[step.configKey] = fingerprintValue(value);
-      if (isOptional && value.length > 0) {
-        usedOptionalSteps[key] = true;
-      }
-      continue;
-    }
-
-    if (step.type === 'confirm') {
-      const result = confirmResults[step.id];
-      if (result) {
-        confirmsUsed[key] = {
-          status: result.status,
-          fingerprint: stepFingerprints?.[key] ?? fingerprintStep(step),
-        };
-        if (isOptional) {
-          usedOptionalSteps[key] = true;
-        }
-      }
-    }
-  }
-
-  const setupFingerprint = createHash('sha256')
-    .update(JSON.stringify(deepSortForHash({
-      bundleHash: bundleHash ?? null,
-      stepFingerprints: stepFingerprints ?? {},
-      inputsUsed,
-      inputFingerprints,
-      secretFingerprints,
-      confirmsUsed,
-      usedOptionalSteps,
-    })))
-    .digest('hex')
-    .slice(0, 16);
-
-  return {
-    status: 'success',
-    ranAt: new Date().toISOString(),
-    inputsUsed,
-    inputFingerprints,
-    secretFingerprints,
-    confirmsUsed,
-    usedOptionalSteps,
-    setupFingerprint,
-  };
-}

package/src/version.generated.d.ts

@@ -1,2 +0,0 @@
-/** Generated at build time - see build script */
-export const VERSION: string;

package/todo-security.md

@@ -1,92 +0,0 @@
-# Security Audit Findings
-
-**Date:** 2026-01-07
-**Last Updated:** 2026-01-08 (P1 auth + relay signature fixes)
-**Scope:** Worker API, Relay Server, Crypto Implementation, CLI/Serve Daemon
-
----
-
-## Priority Checklist (single source of truth)
-
-### P0 - Before Launch
-- [ ] Add backpressure handling - Prevent memory exhaustion (`src/relay/server.ts`)
-- [ ] Add idle connection timeout - Clean up stale relay connections (`src/relay/server.ts`)
-- [ ] Add rate limiting to auth endpoints - Cloudflare WAF rate limiting rule (infra) (`worker/src/handlers/auth.ts`, `worker/src/handlers/subdomains.ts`)
-- [x] Fix path traversal - Validate pathname doesn't escape WEB_DIST_PATH (`src/relay/server.ts`)
-- [x] Fix encryption key derivation - Use HKDF instead of zero-padding (legacy decrypt fallback) (`worker/src/services/cloudflare.ts`)
-- [x] Add connection rate limiting - Per-IP limits on relay connections (`src/relay/server.ts`)
-- [x] Fix command injection - Sanitize checkCommand in onboarding.ts (`src/utils/onboarding.ts`)
-- [x] Session fixation vulnerability
-- [x] X3DH handshake security
-- [x] Client identity proof bypass
-- [x] Relay machine takeover
-
-### P1 - Soon After Launch
-- [x] Device fingerprint stored but not validated during token usage (`worker/src/middleware/auth.ts:53`)
-- [x] Validate device_name length/charset (`worker/src/handlers/auth.ts:146`)
-- [x] Session cookie uses `SameSite=Lax` instead of `Strict` (`worker/src/handlers/auth.ts:108`)
-- [x] Signature verification not enforced on client messages (`src/relay/server.ts`)
-- [x] Client can claim any `clientIdentityId` without proof on data messages (`src/relay/server.ts:731`)
-- [x] Fix file permissions - chmod 0o600 on config files after write (`src/core/config.ts`)
-- [x] Fix tunnel token exposure - Use stdin/fd instead of env var (`src/commands/serve.ts`)
-- [x] Fix Zip Slip - Validate extracted paths don't escape target dir + reject symlinks (`src/core/bundle.ts`)
-- [x] OAuth state parameter not validated
-- [x] Account limit race condition
-- [x] Identity file permissions
-- [x] Permission flags not enforced
-- [x] Invite singleUse not enforced
-
-### P2 - Follow-up
-- [ ] Restrict CORS in production - Remove localhost origin (`worker/src/index.ts:22-30`)
-- [ ] Challenge timeout of 30s may be too long (`src/relay/server.ts:102`)
-- [ ] Health endpoint exposes metrics without auth (`src/relay/server.ts:165`)
-- [ ] Add audit logging of critical operations
-- [ ] Session enumeration possible without granular permission check (`src/lib/remote-session/session-handler.ts:246`)
-- [ ] Unix socket permissions not explicitly set (`src/serve/daemon.ts:228`)
-- [ ] Relay port/bind parameters not validated (`src/commands/relay.ts:49-51`)
-- [x] Access list file permissions (`src/core/access.ts`)
-
-### P3 - Backlog
-- [ ] No signing key rotation mechanism (`src/core/identity.ts`)
-- [ ] Missing X-Content-Type-Options header (`worker/src/index.ts`)
-- [ ] Missing security headers in relay responses (`src/relay/server.ts`)
-- [ ] Documentation says ChaCha20 but uses AES-GCM (`src/lib/tmux-lite/crypto/secretbox.ts` comments)
-- [ ] Verbose error messages may leak paths (`src/commands/serve.ts`)
-
----
-
-## Removed / Not Applicable After Verification
-
-- Subdomain token endpoint does verify active status (`worker/src/handlers/subdomains.ts:262`)
-- accountId is always set (fallbacks to machineId) (`src/relay/server.ts:436`)
-- JWT clock skew entry references a file not present in this repo (`jwt.ts`)
-- Custom timingSafeEqual entry references a file not present in this repo (`jwt.ts`)
-
----
-
-## Crypto Assessment: STRONG
-
-The crypto implementation passed security review:
-- AES-256-GCM with proper nonce handling
-- scrypt for password-based key derivation (N=32K, r=8, p=1)
-- X25519 with low-order point validation (all 8 points checked)
-- X3DH handshake with mutual authentication
-- Ed25519 signatures with timestamp replay protection
-- HKDF-SHA256 with domain separation for key derivation
-- File permissions: 0o700 for directories, 0o600 for files
-
-Note: This assessment applies to tmux-lite crypto. Worker tunnel token encryption now uses HKDF with a legacy decrypt fallback.
-
----
-
-## Summary
-
-| Severity | Count | Status |
-|----------|-------|--------|
-| **Critical** | 6 | 2 Open / 4 Resolved |
-| **High** | 9 | 1 Open / 8 Resolved |
-| **Medium** | 8 | 7 Open / 1 Resolved |
-| **Low** | 5 | 5 Open |
-| **Fixed** | 22 | Resolved |
-
-**Priority Focus:** Idle connection timeout, WAF auth rate limiting, backpressure handling, CORS restriction, audit logging, session enumeration controls.