Receipt · 44bd7a66-0
Security policy can be bypassed by placing sensitive files in subdirectories (anchored patterns only match repo root)
The finding
- src/security-policy.ts:16-27
- src/security-policy.ts:29-42
- src/security-policy.ts:44-50
- src/security-policy.ts:56-64
The regexes for .env, .npmrc, .git, .ssh, Dockerfile, scripts/, etc. are anchored to the start of the path. This only flags files at the repository root. Sensitive files under subdirectories (e.g., apps/api/.env or packages/foo/.npmrc or services/web/Dockerfile) will not match and will be misclassified as safe, allowing high-impact or sensitive writes to proceed without block/confirmation.
Fix
Update the patterns to match anywhere in the path, using a non-capturing prefix boundary that accepts either the start of the string or a directory separator. For example:
- .env: use /(?:^|\/)\.env(?:\.|$)/i
- .npmrc: use /(?:^|\/)\.npmrc$/i
- .git: use /(?:^|\/)\.git(?:\/|$)/i
- .ssh: use /(?:^|\/)\.ssh(?:\/|$)/i
- Dockerfile: use /(?:^|\/)Dockerfile$/i
- scripts/: use /(?:^|\/)scripts\//i
- Similarly adjust Makefile, justfile, .husky/, and .vscode/tasks.json to use (?:^|\/).
Add unit tests for classifyActionRisk and touchesCommandSurface covering subdirectory paths (e.g., packages/app/.env, packages/service/Dockerfile).
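The before/after patterns side by side, as an added example that is not the project's src/security-policy.ts: the "anchored" sets reproduce the root-only matching the finding describes, the "fixed" sets apply the (?:^|\/) boundary from the suggested fix, and a constructed list of subdirectory paths shows which writes the anchored version waves through. classifyPath, normalizeRepoPath and bypassReport are illustrative names standing in for the project's classifyActionRisk/touchesCommandSurface, and the path normalisation is an assumption about repository-relative input rather than something the finding specifies.

```typescript
// Added example for this receipt, not the project's own src/security-policy.ts.
// The "anchored" sets below reproduce the root-only behaviour the finding
// describes; the "fixed" sets use the (?:^|\/) prefix boundary from the
// suggested fix. classifyPath, normalizeRepoPath and bypassReport are
// illustrative names, not the project's classifyActionRisk/touchesCommandSurface.

type Risk = "safe" | "sensitive" | "command-surface";

// Before: ^ pins each pattern to the start of the string, so only files at
// the repository root can match.
const ANCHORED_SENSITIVE: RegExp[] = [
  /^\.env(?:\.|$)/i,
  /^\.npmrc$/i,
  /^\.git(?:\/|$)/i,
  /^\.ssh(?:\/|$)/i,
];
const ANCHORED_COMMAND_SURFACE: RegExp[] = [
  /^Dockerfile$/i,
  /^scripts\//i,
  /^Makefile$/i,
  /^justfile$/i,
  /^\.husky\//i,
  /^\.vscode\/tasks\.json$/i,
];

// After: (?:^|\/) accepts a match at the start of the path or immediately
// after a directory separator, so apps/api/.env is caught as well as .env.
// The trailing boundary is kept so that .gitignore, .github/ and
// environment.ts still do not match.
const FIXED_SENSITIVE: RegExp[] = [
  /(?:^|\/)\.env(?:\.|$)/i,
  /(?:^|\/)\.npmrc$/i,
  /(?:^|\/)\.git(?:\/|$)/i,
  /(?:^|\/)\.ssh(?:\/|$)/i,
];
const FIXED_COMMAND_SURFACE: RegExp[] = [
  /(?:^|\/)Dockerfile$/i,
  /(?:^|\/)scripts\//i,
  /(?:^|\/)Makefile$/i,
  /(?:^|\/)justfile$/i,
  /(?:^|\/)\.husky\//i,
  /(?:^|\/)\.vscode\/tasks\.json$/i,
];

// Assumption: paths are repository-relative. Normalise Windows separators and
// a leading "./" before matching, otherwise "apps\api\.env" or "./.env" would
// slip past even the relocated patterns.
function normalizeRepoPath(p: string): string {
  let s = p.replace(/\\/g, "/");
  while (s.startsWith("./")) s = s.slice(2);
  return s;
}

function matchesAny(path: string, patterns: RegExp[]): boolean {
  const p = normalizeRepoPath(path);
  return patterns.some((re) => re.test(p));
}

// Classify a write target with either the anchored or the fixed pattern sets.
// Sensitive files are checked first so that, e.g., .ssh/ wins over scripts/.
function classifyPath(path: string, fixed: boolean): Risk {
  const sensitive = fixed ? FIXED_SENSITIVE : ANCHORED_SENSITIVE;
  const command = fixed ? FIXED_COMMAND_SURFACE : ANCHORED_COMMAND_SURFACE;
  if (matchesAny(path, sensitive)) return "sensitive";
  if (matchesAny(path, command)) return "command-surface";
  return "safe";
}

// Constructed regression inputs: every one of these lives in a subdirectory
// and must not be classified as "safe".
const BYPASS_CASES: string[] = [
  "apps/api/.env",
  "packages/foo/.npmrc",
  "services/web/Dockerfile",
  "packages/app/scripts/build.sh",
  "infra/.ssh/id_rsa",
  "vendor/.git/config",
];

// Paths the anchored patterns wave through as "safe" but the fixed ones flag.
function bypassReport(): Array<{ path: string; anchored: Risk; fixed: Risk }> {
  return BYPASS_CASES.map((path) => ({
    path,
    anchored: classifyPath(path, false),
    fixed: classifyPath(path, true),
  })).filter((r) => r.anchored === "safe" && r.fixed !== "safe");
}

for (const r of bypassReport()) {
  console.log(`${r.path}: anchored=${r.anchored} fixed=${r.fixed}`);
}
```

Running it lists all six constructed paths as misclassified by the anchored set. When porting the regression cases into the project's own tests, feed the same inputs to classifyActionRisk and touchesCommandSurface, and include the negative cases (src/environment.ts, docs/.gitignore, .github/workflows/ci.yml) so the relocated patterns do not start over-blocking ordinary files.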
Agent attribution
The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.
anthropic
gpt-5
120.9s · error
openai
claude-opus-4-7
75.3s · error
Total
wall-clock review time · est. inference cost
120.9s · $0.40
Sweeper
closed at SHA
still open
internal review id · 44bd7a66
Third-party witnesses
Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.
Original review comment
https://github.com/AntFleet/bench-mythos-router/pull/1#issuecomment-4540075492