fix: address verified gadfly P3 review (3-cloud fleet)
executus CI / test (push) Has been cancelled

All 3 cloud models converged on a real access-control bug; fixed it + the
other genuine findings (the false-positives were dropped):

Security (HIGH — all 3 models):
- create_file_url skipped ValidateScope: a same-skill caller could mint a
  PUBLIC url for a file scoped to another user/run. Now runs ValidateScope
  (admin-aware), skipped only for the descendant-grant case — mirroring the
  read tools.

Other real fixes:
- ValidateScope hard-coded `false` at every call site (admin branch dead) ->
  pass inv.CallerIsAdmin (the executor sets it via the host AdminPolicy; still
  false/fail-closed when no admin). Stale "no admin flag" comment corrected.
- create_file_url: ExpiresInSeconds clamped BEFORE the *time.Second multiply
  (huge values overflowed to a negative duration that slipped under the cap,
  minting already-expired tokens); swallowed json.Marshal error now returned.
- RegisterMeta: build the default budget WITH the configured MaxPerRun (was
  NewInMemorySearchBudget(nil) -> hardcoded 10, ignoring MetaDeps.MaxPerRun).
- classify: all-zero scores no longer return a false-positive top-1 winner;
  coerceClassifyScore uses strconv.ParseFloat (rejects trailing garbage like
  "50extra" that fmt.Sscanf silently accepted).
- file_delete: honor the descendant grant (parent can clean up a worker's
  artifacts) — was the lone cross-skill-reject-outright file tool.
- meta tools: input caps truncate at a UTF-8 rune boundary (truncateUTF8), not
  mid-rune.
- think: removed the dead `var _ = fmt.Errorf` import-keeper; file_save default
  aligned to 16 MiB (matched RegisterStore).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-26 22:31:59 -04:00
parent 78e6858751
commit d0bd3ec3d9
19 changed files with 100 additions and 34 deletions
+12 -3
View File
@@ -49,11 +49,20 @@ func NewFileDelete(storage FileStorage) tool.Tool {
}
return "", fmt.Errorf("file_delete: %w", err)
}
// Honor the descendant grant like the read tools do, so a parent
// orchestrator can clean up a worker's artifacts (gadfly flagged the
// asymmetry: delete previously rejected cross-skill outright).
grantedViaDescendant := false
if meta.SkillID != inv.SkillID {
return "", fmt.Errorf("file_delete: file does not belong to this skill")
if !descendantFileGrant(ctx, storage, inv, meta.SkillID) {
return "", fmt.Errorf("file_delete: file does not belong to this skill")
}
grantedViaDescendant = true
}
if err := ValidateScope(inv, meta.Scope, false); err != nil {
return "", fmt.Errorf("file_delete: %w", err)
if !grantedViaDescendant {
if err := ValidateScope(inv, meta.Scope, inv.CallerIsAdmin); err != nil {
return "", fmt.Errorf("file_delete: %w", err)
}
}
if err := storage.FileDelete(ctx, args.FileID); err != nil {