Skip to content

Harden launch readiness#13

Merged
0xadvait merged 1 commit into
mainfrom
hardening/launch-readiness
Jun 6, 2026
Merged

Harden launch readiness#13
0xadvait merged 1 commit into
mainfrom
hardening/launch-readiness

Conversation

@0xadvait

@0xadvait 0xadvait commented Jun 6, 2026

Copy link
Copy Markdown
Owner

Launch-hardening pass. Reviewed: based on latest main (clean merge), full suite 90 passed (+11 new tests/test_hardening.py), no regression to fetchers/retrieval/banner.

  • Safer agent defaults, opt-in danger: drop --dangerously-bypass-approvals-and-sandbox from the default codex provider + fetcher presets and --yolo from hermes; re-enable per-config (sources.codex.unsafe_bypass, sources.hermes.unsafe_yolo). Provider timeouts added.
  • command shell gated behind sources.command.allow_shell: true (argv stays the default, no shell).
  • Input hardening: validate the postgres table_prefix identifier (SQL-injection guard), reject non-http(s) URL schemes, skip stale pgvector payloads.
  • doxa doctor -- config/storage/provider/semantic readiness check.
  • remove_source keyed by source id (no title/url collision); sources list counts by id.
  • Packaging: SPDX license, license-files, py3.13 classifier, [project.urls]; compact doxa init output; CI + release GitHub workflows.

🤖 Generated with Claude Code

@0xadvait
0xadvait merged commit 362a05c into main Jun 6, 2026
@0xadvait
0xadvait deleted the hardening/launch-readiness branch June 6, 2026 19:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant