BMad code reviews complete for all 6 products
P1 route: Gemini — 'Ship the proxy, stop writing tests for the tests'
P2 drift: Gemini — mTLS revocation, state lock corruption, RLS pool leak
P3 alert: Gemini — replay attacks, trace propagation, SQS claim-check
P4 portal: Manual — discovery reliability is existential risk
P5 cost: Manual — concurrent baselines, remediation RBAC, pricing staleness
P6 run: Gemini — policy update loophole, AST parsing, audit streaming
@@ -0,0 +1,53 @@
# dd0c/run — BMad Code Review
**Reviewer:** BMad Code Review Agent (Gemini)
**Date:** March 1, 2026
**Verdict:** "Executing shell commands in customer infrastructure is playing with fire, and this architecture has serious blind spots."
---
## Severity-Rated Findings
### 🔴 Critical
1. **The Policy Update Loophole.** If the SaaS is compromised, an attacker doesn't need to send a malicious command — they push a malicious *policy update* or agent binary update that disables the Scanner RED layer. If the agent trusts the SaaS for updates without an offline, customer-controlled root of trust (like a locally provisioned public key), "zero-trust" is security theater.
2. **Obfuscation Beyond Base64.** Testing for semicolons, backticks, null bytes, and base64 is basic. Missing: environment variable concatenation (`X=rm; Y=-rf; $X $Y`), hex encoding (`\x2f\x62\x69\x6e`), and `eval`. The Scanner RED needs to parse the AST of the shell command (use `shfmt` or `mvdan.cc/sh`), not just regex it, or it will get bypassed.
3. **Rollback Failure Blackhole.** "Rollback failure → manual intervention" will wait indefinitely if the network is severed or the box is locked up. Need a hard TTL/timeout on the intervention state that automatically fails-closed and alerts out-of-band.
4. **Root Can Delete Audit History.** "Audit log encryption" is useless if the attacker `rm -rf`s the local logs before the agent flushes the gRPC buffer. If the SaaS is compromised and gives an attacker local root, they can wipe their tracks. Need forward-secrecy and append-only cryptographic hash chains shipped *immediately* (streaming, not batching).
### 🟡 Important
5. **Idempotency vs. Network Partitions.** Double execution prevention is great, but if a partition happens *during* a non-idempotent command (like `INSERT` or `DROP`), the agent might think it failed, retry, and nuke the database. Agent needs to enforce idempotency at the script level or fail-stop on partition.
6. **Concurrent Execution Locks.** If two agents (or a resurrected ghost process) try to execute the state machine simultaneously on the same host, race conditions. Need aggressive PID locking or atomic file locks.
7. **gRPC 10MB Buffer Truncation Attack.** If an attacker spams STDOUT to hit the 10MB limit, do you truncate the logs, drop the connection, or crash? If you truncate, they can hide their malicious payload at the end of a 10MB garbage string.
### 🟢 Nice-to-Have
8. **Dual-layer classifier is smart.** Scanner overriding LLM is the right call. Never trust an LLM with root access.
---
## Must-Have Before Launch
1. **Cryptographic signatures for policy/agent updates.** Agent must verify updates against a key stored locally on the customer's box, completely separate from the SaaS database.
2. **Streaming append-only audit logs.** Do not buffer logs locally. Stream them with hash chains so if the box is compromised, the attacker can't alter the past.
3. **Strict shell AST parsing.** Regex for dangerous commands is a losing game. Use a real shell parser (`shfmt` or `mvdan.cc/sh`) to evaluate the syntax tree for the Canary Suite.
4. **Intervention deadlock TTLs.** Hard fail-close timeouts for any manual intervention states.
5. **Canary Suite on every commit.** 50 known-destructive commands must ALWAYS be 🔴.
## V1 Cut List
- Slack payload forgery protection — rely on standard TLS/Auth and webhook secrets.
- Unicode homoglyph detection — edge case, not V1.
- K3s RBAC sandbox matrix — start with Ubuntu/Amazon Linux only.
- Dashboard UI Playwright tests — manual testing sufficient.
- Compliance export (CSV/PDF) — manual export is fine for V1.
---
*"If your agent trusts the SaaS for updates without an offline root of trust, your zero-trust is just security theater."*
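Review bot: Must-Have item 1 (signed policy/agent updates verified against a locally held key) has no anti-rollback requirement: an older policy that was validly signed still verifies, so a compromised SaaS could re-serve a previous version that lacks a rule the customer has since added. The policy format should carry a monotonic version or issue timestamp that the agent refuses to move backwards on, and the must-have should say how the local verification key itself gets rotated or revoked, since "completely separate from the SaaS database" means the SaaS cannot be the channel for that either. Two smaller points: Critical finding 4 asks for "forward-secrecy" for the audit chain, but what an append-only hash chain shipped immediately gives you is forward integrity (tamper evidence for entries already shipped), not secrecy; and Must-Have item 2's "Do not buffer logs locally" needs a stated behaviour for when the streaming sink is unreachable, because together with the fail-closed posture in items 3 and 4 it implies the agent must stop executing rather than run unaudited, which is a product decision worth writing down. In findings 2 and Must-Have 3, `shfmt` is the formatter CLI built on `mvdan.cc/sh`; the parser the agent would actually import is the `syntax` package of that module, so the doc should name the library rather than the tool.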