Skip to content

fix(matchers): ignore auth prose for missing-auth guards#618

Merged
kunaldhongade merged 1 commit into
mainfrom
fix/616-auth-comments-missing-auth
Jun 30, 2026
Merged

fix(matchers): ignore auth prose for missing-auth guards#618
kunaldhongade merged 1 commit into
mainfrom
fix/616-auth-comments-missing-auth

Conversation

@kunaldhongade

Copy link
Copy Markdown
Contributor

Closes #616

Problem

security-missing-auth-entrypoint treated any raw auth substring in an entire file as evidence of an auth guard. A comment like NO authentication/authorization check could suppress a real missing-auth finding for an exported destructive function.

Fix

  • Strip JS/TS comments and string literals before checking auth markers.
  • Tighten auth marker matching to guard-shaped code tokens instead of arbitrary substrings.
  • Add positive and decoy matcher tests for the destructive export case.
  • Add benchmark positive and decoy scenarios so the public corpus catches this regression.

Red to green evidence

Before the matcher fix, the new targeted test failed:

expected [] to have a length of 1 but got 0

After the fix, the built benchmark reports:

totalExpected: 22
totalMatched: 22
overallRecall: 1
security-missing-auth-entrypoint: 3/3
security false positives: 0
falsePositiveRate: 0.0278
llmCalled: false
telemetrySent: false

Validation

  • pnpm install
  • pnpm run lint
  • pnpm typecheck
  • pnpm vitest run packages/matchers/test/matchers.test.ts packages/cli/test/benchmark.test.ts packages/cli/test/benchmark-corpus.test.ts
  • pnpm test
  • pnpm build
  • pnpm --filter @submuxhq/codedecay pack --dry-run
  • pnpm eval:benchmark
  • node packages/cli/dist/index.js benchmark --format json

@github-actions github-actions Bot added type: test Test coverage, fixtures, or verification improvements area: cli CLI package or command behavior labels Jun 30, 2026
@github-actions

Copy link
Copy Markdown

CodeDecay PR Check

Lead catch: Test appears to copy implementation logic — packages/cli/test/benchmark-corpus.test.ts:353

packages/cli/test/benchmark-corpus.test.ts includes logic copied from packages/cli/src/benchmark/corpus.ts; this can make tests pass without protecting real behavior.

Risk: High · Merge 100/100 · Decay 10/100 · Security 100/100

Full CodeDecay report

CodeDecay Report

Overall risk: High

Score Value
Merge risk 100/100
Decay risk 10/100
Security risk 100/100
Findings Count
High 8
Medium 3
Low 7

Changed Files

  • packages/cli/src/benchmark/corpus.ts modified (+58/-0)
  • packages/cli/test/benchmark-corpus.test.ts modified (+5/-3)
  • packages/cli/test/benchmark.test.ts modified (+21/-13)
  • packages/matchers/src/defaults.ts modified (+34/-3)
  • packages/matchers/src/utils.ts modified (+76/-0)
  • packages/matchers/test/matchers.test.ts modified (+69/-0)

Likely Impacted Areas

  • Low Source code (source): packages/cli/src/benchmark/corpus.ts, packages/matchers/src/defaults.ts, packages/matchers/src/utils.ts
  • Low Tests (test): packages/cli/test/benchmark-corpus.test.ts, packages/cli/test/benchmark.test.ts, packages/matchers/test/matchers.test.ts

Language And Parser Coverage

  • Source files classified: 6
  • Fully supported parser files: 6
  • Limited files: 0
  • Unsupported files: 0

Merge Risk Breakdown

  • Score: 100/100
  • Raw score before dampeners: 100/100
  • Adjusted score before severity cap: 100/100
  • Highest contributing severity: High

Top contributors:

  • +30 Path traversal candidate (direct): File-system access appears to use request-controlled path input. Evidence: File access is built from request-controlled input.
  • +30 Path traversal candidate (direct): File-system access appears to use request-controlled path input. Evidence: File access is built from request-controlled input.
  • +30 Path traversal candidate (direct): File-system access appears to use request-controlled path input. Evidence: File access is built from request-controlled input.
  • +30 Project invariant may be impacted (direct): Memory invariant "No hidden cloud or model call" applies to this change. The OSS CLI must remain useful without telemetry, API keys, hosted services, required LLM calls, or CodeDecayCloud.
  • +30 Project invariant may be impacted (direct): Memory invariant "Commands are explicit" applies to this change. CodeDecay must not run project commands unless they are configured and safety.allowCommands is true.

Decay Risk Breakdown

  • Score: 10/100
  • Raw score before dampeners: 14/100
  • Adjusted score before severity cap: 10/100
  • Highest contributing severity: Medium
  • Evidence mode: heuristic-only

Top contributors:

  • +10 High complexity in changed function (heuristic): stripComments has estimated cyclomatic complexity 19.
  • +3 Change size (structural): Changed lines amplify review cost across 6 file(s).
  • +1 File spread (structural): Change breadth spans 6 file(s).

Dampeners:

  • -4 Heuristic-only dampener: Decay stays conservative until direct evidence exists.

Notes:

  • Heuristic-only decay is capped at 54/100 until direct evidence exists.

Security Risk Breakdown

  • Score: 100/100
  • Raw score before dampeners: 100/100
  • Adjusted score before severity cap: 100/100
  • Highest contributing severity: High

Top contributors:

  • +30 Path traversal candidate (direct): File-system access appears to use request-controlled path input. Evidence: File access is built from request-controlled input.
  • +30 Path traversal candidate (direct): File-system access appears to use request-controlled path input. Evidence: File access is built from request-controlled input.
  • +30 Path traversal candidate (direct): File-system access appears to use request-controlled path input. Evidence: File access is built from request-controlled input.
  • +18 Missing auth entry-point candidate (heuristic): A public route or controller entry point changed without an obvious auth/session guard in the file. Evidence: Route/controller entry point has no obvious auth, session, token, or permission guard in the same file.
  • +6 Change size (structural): Changed lines amplify review cost across 6 file(s).

Security Matcher Coverage

  • Changed source files scanned: 3
  • Security candidates found: 4
  • Skipped files: 0

Security Candidates

  • High Missing auth entry-point candidate CWE-306 (entry-point) at packages/cli/src/benchmark/corpus.ts:1: Route/controller entry point has no obvious auth, session, token, or permission guard in the same file.
  • High Path traversal candidate CWE-22 (direct) at packages/cli/src/benchmark/corpus.ts:507: File access is built from request-controlled input.
  • High Path traversal candidate CWE-22 (direct) at packages/cli/src/benchmark/corpus.ts:523: File access is built from request-controlled input.
  • High Path traversal candidate CWE-22 (direct) at packages/cli/src/benchmark/corpus.ts:526: File access is built from request-controlled input.

Test Evidence

  • Mode: heuristic-only
  • Sources: none
  • Changed source coverage:
  • packages/cli/src/benchmark/corpus.ts: not measured (no measurable changed lines)
  • packages/matchers/src/defaults.ts: not measured (no measurable changed lines)
  • packages/matchers/src/utils.ts: not measured (no measurable changed lines)
  • Notes:
  • No runtime coverage artifact was found. Test audit remains heuristic-only.

High Risk Findings

  • Test appears to copy implementation logic (packages/cli/test/benchmark-corpus.test.ts:353): packages/cli/test/benchmark-corpus.test.ts includes logic copied from packages/cli/src/benchmark/corpus.ts; this can make tests pass without protecting real behavior.
  • Project invariant may be impacted (packages/cli/src/benchmark/corpus.ts:83): Memory invariant "No hidden cloud or model call" applies to this change. The OSS CLI must remain useful without telemetry, API keys, hosted services, required LLM calls, or CodeDecayCloud.
  • Project invariant may be impacted (packages/cli/src/benchmark/corpus.ts:83): Memory invariant "Commands are explicit" applies to this change. CodeDecay must not run project commands unless they are configured and safety.allowCommands is true.
  • Project invariant may be impacted (packages/cli/src/benchmark/corpus.ts:83): Memory invariant "Tool evidence is separate from AI suggestions" applies to this change. Reports must not present agent/model suggestions as verified evidence unless backed by deterministic checks or command output.
  • Missing auth entry-point candidate (packages/cli/src/benchmark/corpus.ts:1): A public route or controller entry point changed without an obvious auth/session guard in the file. Evidence: Route/controller entry point has no obvious auth, session, token, or permission guard in the same file.
  • Path traversal candidate (packages/cli/src/benchmark/corpus.ts:507): File-system access appears to use request-controlled path input. Evidence: File access is built from request-controlled input.
  • Path traversal candidate (packages/cli/src/benchmark/corpus.ts:523): File-system access appears to use request-controlled path input. Evidence: File access is built from request-controlled input.
  • Path traversal candidate (packages/cli/src/benchmark/corpus.ts:526): File-system access appears to use request-controlled path input. Evidence: File access is built from request-controlled input.

Medium Risk Findings

  • High complexity in changed function (packages/matchers/src/utils.ts:219): stripComments has estimated cyclomatic complexity 19.
  • Project invariant may be impacted (packages/cli/src/benchmark/corpus.ts:83): Memory invariant "Output must be actionable" applies to this change. Redteam reports and agent bundles should say what behavior to verify, which test proof is weak or missing, and what task a coding agent should perform.
  • Changed test does not reference changed source (packages/matchers/test/matchers.test.ts:226): packages/matchers/test/matchers.test.ts changed, but it does not appear to exercise any changed source file.

Low Risk Findings

  • Architecture note applies (packages/cli/src/benchmark/corpus.ts:83): CLI is the published surface: The public npm package is @submuxhq/codedecay and the binary is codedecay. Internal workspace packages are implementation details.
  • Source area changed (packages/cli/src/benchmark/corpus.ts:83): packages/cli/src/benchmark/corpus.ts touches a source area and should be reviewed for regression impact.
  • Source area changed (packages/matchers/src/defaults.ts:11): packages/matchers/src/defaults.ts touches a source area and should be reviewed for regression impact.
  • Source area changed (packages/matchers/src/utils.ts:219): packages/matchers/src/utils.ts touches a source area and should be reviewed for regression impact.
  • Test area changed (packages/cli/test/benchmark-corpus.test.ts:250): packages/cli/test/benchmark-corpus.test.ts touches a test area and should be reviewed for regression impact.
  • Test area changed (packages/cli/test/benchmark.test.ts:30): packages/cli/test/benchmark.test.ts touches a test area and should be reviewed for regression impact.
  • Test area changed (packages/matchers/test/matchers.test.ts:226): packages/matchers/test/matchers.test.ts touches a test area and should be reviewed for regression impact.

Recommended Checks

  • Add or run tests covering packages/matchers/src/utils.ts
  • Add or update tests that exercise packages/cli/src/benchmark/corpus.ts
  • Exercise packages/cli/src/benchmark/corpus.ts through its public API instead of copying its logic
  • Flow check (CLI release smoke): Run built CLI smoke tests
  • Flow check (CLI release smoke): Run package dry-run
  • Flow check (CLI release smoke): Run published-package or tarball demo before release
  • Flow check (Pull request redteam review): Check weak or missing test proof
  • Flow check (Pull request redteam review): Keep deterministic evidence separate from AI suggestions
  • Flow check (Pull request redteam review): Review edge cases and agent fix tasks
  • Flow check (Pull request redteam review): Run codedecay redteam against the PR diff
  • packages/cli/test/benchmark-corpus.test.ts
  • packages/config/test/config-defaults-loading.test.ts

Notes

CodeDecay is deterministic and local-first. This report was generated without telemetry, API keys, LLMs, or model calls.


Found by CodeDecay - deterministic, local-first, no telemetry.

@kunaldhongade kunaldhongade merged commit 804d55b into main Jun 30, 2026
7 checks passed
@kunaldhongade kunaldhongade deleted the fix/616-auth-comments-missing-auth branch June 30, 2026 19:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: cli CLI package or command behavior type: test Test coverage, fixtures, or verification improvements

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(matchers): prevent auth comments from hiding missing-auth findings

1 participant