security: v0.1 hardening — locked writes, append-only grants, quarantine flags, live-Postgres CI #2
Merged
…nts, read-time quarantine, live-Postgres CI

Everything below was verified against a real pgvector/pg17 instance (migrations, full roundtrip, tamper detection, 10 concurrent writers, role grants):

- fix(migrations): 001 used postgresql_using="DESC" (index METHOD slot, not sort order) — first bug found the moment real Postgres parsed the DDL; rewritten as a DESC column expression. No deployed DB had applied 001 yet.
- fix(concurrency): capture_memory's prev-hash read + insert now run in one transaction under pg_advisory_xact_lock — two concurrent writers previously forked the chain, making legit data fail verification. Live test: 10 parallel writers, one genesis, all prev_hashes unique.
- feat(least-privilege): scripts/setup_db_roles.sql creates jeli_app with INSERT+SELECT only — append-only enforced by grants, not code. Live-verified: UPDATE/DELETE denied, SELECT/INSERT allowed.
- feat(read-time quarantine): search_memory results now carry injection_flagged so consumers can treat flagged content as data, never instructions.
- fix(config honesty): SCOPED_MCP_API_KEY now required only for the (future) http transport — stdio's boundary is process spawn, and requiring an unchecked secret was security theater.
- docs: THREAT-MODEL.md — explicit guarantees vs known gaps (temporal fields not integrity-protected; poison-auditable, not poison-proof; chain-key custody). SECURITY.md, CHANGELOG.md, dependabot.yml.
- ci: integration job with pgvector service container running alembic + live tests (skipped locally unless JELI_TEST_DB_URL is set).

133 tests locally (129 unit + 4 live integration).

Co-Authored-By: Claude Fable 5 <[email protected]>
Implements the post-merge hardening list, with every claim live-verified against a real `pgvector/pg17` container before pushing:

- `DESC` index bug (first real-PG parse failure, as predicted)
- `pg_advisory_xact_lock`
- `jeli_app` role = INSERT+SELECT only (`scripts/setup_db_roles.sql`)
- `injection_flagged` in search results

Post-merge: tag `v0.1.0-alpha` + GitHub release.

🤖 Generated with Claude Code
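The chain-fork race from the fix(concurrency) item and its serialized form, as an added example that is not code from this PR. Assumptions: a `threading.Lock` stands in for `pg_advisory_xact_lock`, an in-memory list stands in for the table, and the SHA-256 row hash, the `GENESIS` value and every name below are hypothetical.

```python
import hashlib
import threading

GENESIS = "0" * 64  # assumed genesis marker, not the project's value


def row_hash(prev_hash, payload):
    # Assumed chaining rule: hash of previous hash plus payload.
    return hashlib.sha256(f"{prev_hash}|{payload}".encode()).hexdigest()


class Chain:
    """In-memory stand-in for the append-only table: rows of (prev, payload, hash)."""

    def __init__(self):
        self.rows = []
        self.lock = threading.Lock()  # stand-in for pg_advisory_xact_lock

    def head(self):
        return self.rows[-1][2] if self.rows else GENESIS

    def append(self, payload, serialized, barrier=None):
        if serialized:
            with self.lock:  # prev-hash read and insert form one critical section
                prev = self.head()
                self.rows.append((prev, payload, row_hash(prev, payload)))
        else:
            prev = self.head()  # read the head ...
            if barrier:
                barrier.wait()  # every writer reads before any writer inserts
            self.rows.append((prev, payload, row_hash(prev, payload)))  # ... insert


def run_writers(n, serialized):
    chain = Chain()
    barrier = None if serialized else threading.Barrier(n)
    threads = [threading.Thread(target=chain.append, args=(f"m{i}", serialized, barrier))
               for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return chain.rows


def verify(rows):
    """Each row must point at the hash of the row before it and hash correctly."""
    expected = GENESIS
    for prev, payload, digest in rows:
        if prev != expected or digest != row_hash(prev, payload):
            return False
        expected = digest
    return True
```

With ten unserialized writers every row claims the genesis hash as its predecessor, so untampered data fails `verify`; with the lock held across read and insert there is one genesis row and ten distinct `prev` values.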