Add 8-layer security test suite + hardening

Code-level defenses:
- cbm_validate_shell_arg(): reject shell metacharacters before popen/system
- SQLite authorizer: block ATTACH/DETACH at engine level
- CORS localhost-only origin reflection (replaces wildcard *)
- Path containment: realpath() check in get_code_snippet
- process-kill restricted to server-spawned PIDs
- SHA256 checksum verification in update command

Security audit scripts (8 layers):
- L1: Static allow-list for dangerous calls + URLs
- L2: Binary string audit (URLs, payloads, credentials)
- L3: Network egress monitoring via strace (Linux)
- L4: Install output path + content validation
- L5: Smoke test hardening (clean shutdown, residual procs)
- L6: Graph UI audit (external domains, CORS, binding)
- L7: MCP robustness (23 adversarial JSON-RPC payloads)
- L8: Vendored integrity (checksums + dangerous call scan)

CI: parallel security-static job (no build needed), binary
layers in smoke jobs per-platform. Cleanup of test fixture
dirs in clean.sh + .gitignore.

Author: DeusData

.github/workflows/dry-run.yml

@@ -57,6 +57,24 @@ jobs:
       - name: Lint
         run: scripts/lint.sh CLANG_FORMAT=clang-format-20
 
+  # ── Step 1b: Security audit (source-only, runs parallel with lint+tests) ──
+  # No build needed — scans source files and vendored deps only.
+  # Binary-level security (L2/L3/L4/L7) runs in smoke jobs per-platform.
+  security-static:
+    if: ${{ !inputs.skip_lint }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: "Layer 1: Static allow-list audit"
+        run: scripts/security-audit.sh
+
+      - name: "Layer 6: UI security audit"
+        run: scripts/security-ui.sh
+
+      - name: "Layer 8: Vendored dependency integrity"
+        run: scripts/security-vendored.sh
+
   # ── Step 2: Unit tests (ASan + UBSan) ───────────────────────
   # macOS: use cc (Apple Clang) — GCC on macOS doesn't ship ASan runtime
   # Linux: use system gcc — full ASan/UBSan support
@@ -166,6 +184,10 @@ jobs:
       - name: Build UI binary
         run: scripts/build.sh --with-ui CC=${{ matrix.cc }} CXX=${{ matrix.cxx }}
 
+      - name: Frontend integrity scan (post-build dist/)
+        if: matrix.goos == 'linux' && matrix.goarch == 'amd64'
+        run: scripts/security-ui.sh
+
       - name: Archive UI binary
         run: |
           tar -czf codebase-memory-mcp-ui-${{ matrix.goos }}-${{ matrix.goarch }}.tar.gz \
@@ -264,6 +286,22 @@ jobs:
       - name: Smoke test (${{ matrix.variant }}, ${{ matrix.goos }}-${{ matrix.goarch }})
         run: scripts/smoke-test.sh ./codebase-memory-mcp
 
+      - name: Binary string audit (${{ matrix.goos }}-${{ matrix.goarch }})
+        if: matrix.variant == 'standard'
+        run: scripts/security-strings.sh ./codebase-memory-mcp
+
+      - name: Install output audit (${{ matrix.goos }}-${{ matrix.goarch }})
+        if: matrix.variant == 'standard'
+        run: scripts/security-install.sh ./codebase-memory-mcp
+
+      - name: Network egress test (${{ matrix.goos }}-${{ matrix.goarch }})
+        if: matrix.variant == 'standard'
+        run: scripts/security-network.sh ./codebase-memory-mcp
+
+      - name: MCP robustness test
+        if: matrix.variant == 'standard' && matrix.goos == 'linux' && matrix.goarch == 'amd64'
+        run: scripts/security-fuzz.sh ./codebase-memory-mcp
+
   smoke-windows:
     if: ${{ !inputs.skip_builds }}
     needs: [build-windows]
@@ -297,3 +335,13 @@ jobs:
       - name: Smoke test (${{ matrix.variant }}, windows-amd64)
         shell: msys2 {0}
         run: scripts/smoke-test.sh ./codebase-memory-mcp.exe
+
+      - name: Binary string audit (windows-amd64)
+        if: matrix.variant == 'standard'
+        shell: msys2 {0}
+        run: scripts/security-strings.sh ./codebase-memory-mcp.exe
+
+      - name: Install output audit (windows-amd64)
+        if: matrix.variant == 'standard'
+        shell: msys2 {0}
+        run: scripts/security-install.sh ./codebase-memory-mcp.exe

.github/workflows/release.yml

@@ -57,6 +57,23 @@ jobs:
       - name: Lint
         run: scripts/lint.sh CLANG_FORMAT=clang-format-20
 
+  # ── Step 1b: Security audit (source-only, runs parallel with lint+tests) ──
+  # No build needed — scans source files and vendored deps only.
+  # Binary-level security (L2/L3/L4/L7) runs in smoke jobs per-platform.
+  security-static:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: "Layer 1: Static allow-list audit"
+        run: scripts/security-audit.sh
+
+      - name: "Layer 6: UI security audit"
+        run: scripts/security-ui.sh
+
+      - name: "Layer 8: Vendored dependency integrity"
+        run: scripts/security-vendored.sh
+
   # ── Step 2: Unit tests (ASan + UBSan) ───────────────────────
   # macOS: use cc (Apple Clang) — GCC on macOS doesn't ship ASan runtime
   # Linux: use system gcc — full ASan/UBSan support
@@ -163,6 +180,10 @@ jobs:
       - name: Build UI binary
         run: scripts/build.sh --with-ui --version ${{ inputs.version }} CC=${{ matrix.cc }} CXX=${{ matrix.cxx }}
 
+      - name: Frontend integrity scan (post-build dist/)
+        if: matrix.goos == 'linux' && matrix.goarch == 'amd64'
+        run: scripts/security-ui.sh
+
       - name: Archive UI binary
         run: |
           tar -czf codebase-memory-mcp-ui-${{ matrix.goos }}-${{ matrix.goarch }}.tar.gz \
@@ -258,6 +279,22 @@ jobs:
       - name: Smoke test (${{ matrix.variant }}, ${{ matrix.goos }}-${{ matrix.goarch }})
         run: scripts/smoke-test.sh ./codebase-memory-mcp
 
+      - name: Binary string audit (${{ matrix.goos }}-${{ matrix.goarch }})
+        if: matrix.variant == 'standard'
+        run: scripts/security-strings.sh ./codebase-memory-mcp
+
+      - name: Install output audit (${{ matrix.goos }}-${{ matrix.goarch }})
+        if: matrix.variant == 'standard'
+        run: scripts/security-install.sh ./codebase-memory-mcp
+
+      - name: Network egress test (${{ matrix.goos }}-${{ matrix.goarch }})
+        if: matrix.variant == 'standard'
+        run: scripts/security-network.sh ./codebase-memory-mcp
+
+      - name: MCP robustness test
+        if: matrix.variant == 'standard' && matrix.goos == 'linux' && matrix.goarch == 'amd64'
+        run: scripts/security-fuzz.sh ./codebase-memory-mcp
+
   smoke-windows:
     needs: [build-windows]
     strategy:
@@ -290,9 +327,19 @@ jobs:
         shell: msys2 {0}
         run: scripts/smoke-test.sh ./codebase-memory-mcp.exe
 
+      - name: Binary string audit (windows-amd64)
+        if: matrix.variant == 'standard'
+        shell: msys2 {0}
+        run: scripts/security-strings.sh ./codebase-memory-mcp.exe
+
+      - name: Install output audit (windows-amd64)
+        if: matrix.variant == 'standard'
+        shell: msys2 {0}
+        run: scripts/security-install.sh ./codebase-memory-mcp.exe
+
   # ── Step 5: Create GitHub release ───────────────────────────
   release:
-    needs: [smoke-unix, smoke-windows]
+    needs: [smoke-unix, smoke-windows, security-static]
     runs-on: ubuntu-latest
     permissions:
       contents: write

.gitignore

@@ -12,6 +12,10 @@ bin/
 *.out
 coverage.txt
 
+# Test fixture temp dirs (created by C test suite in CWD instead of /tmp/)
+cbm_*/
+cli-*/
+
 # IDE
 .idea/
 .vscode/

Makefile.cbm

@@ -310,7 +310,7 @@ PP_OBJ_TEST = $(BUILD_DIR)/preprocessor.o
 
 # ── Targets ──────────────────────────────────────────────────────
 
-.PHONY: test test-foundation test-tsan cbm cbm-with-ui frontend embed clean-c lint lint-tidy lint-cppcheck lint-format
+.PHONY: test test-foundation test-tsan cbm cbm-with-ui frontend embed clean-c lint lint-tidy lint-cppcheck lint-format security
 
 $(BUILD_DIR):
 	mkdir -p $(BUILD_DIR)
@@ -519,3 +519,18 @@ lint: lint-tidy lint-cppcheck lint-format
 # CI linters (no clang-tidy — platform-dependent, enforced locally via pre-commit)
 lint-ci: lint-cppcheck lint-format
 	@echo "=== CI linters passed ==="
+
+# ── Security audit (6 layers) ────────────────────────────────────
+
+# Run all security checks: static audit, binary strings, UI, install, network
+# Requires: production binary already built (make cbm)
+security: cbm
+	@echo "=== Running security audit suite ==="
+	scripts/security-audit.sh
+	scripts/security-strings.sh $(BUILD_DIR)/codebase-memory-mcp
+	scripts/security-ui.sh
+	scripts/security-install.sh $(BUILD_DIR)/codebase-memory-mcp
+	scripts/security-network.sh $(BUILD_DIR)/codebase-memory-mcp
+	scripts/security-fuzz.sh $(BUILD_DIR)/codebase-memory-mcp
+	scripts/security-vendored.sh
+	@echo "=== All security checks passed ==="

scripts/clean.sh

@@ -26,4 +26,10 @@ rm -rf "$ROOT/node_modules"
 # Generated embedded assets (regenerated by embed-frontend.sh)
 rm -f "$ROOT/src/ui/embedded_assets.c"
 
+# Leftover test fixture dirs (C test suite sometimes creates these in CWD)
+find "$ROOT" -maxdepth 1 -type d \( -name 'cbm_*' -o -name 'cli-*' \) -exec rm -rf {} + 2>/dev/null || true
+
+# Leftover test fixture dirs in /tmp
+find /tmp -maxdepth 1 -type d \( -name 'cbm_*' -o -name 'cli-*' \) -user "$(id -u)" -exec rm -rf {} + 2>/dev/null || true
+
 echo "=== Clean complete ==="

scripts/security-allowlist.txt

@@ -0,0 +1,45 @@
+# Security allow-list for dangerous function calls.
+# Format: file:function:justification
+# Lines starting with # are comments. Empty lines are ignored.
+# Any call to a listed function in a .c file under src/ that is NOT on this
+# list causes the security audit (scripts/security-audit.sh) to fail.
+
+# ── Foundation: platform abstraction (defines cbm_popen wrapper) ───────────
+src/foundation/compat_fs.c:popen:cbm_popen wrapper definition (POSIX)
+src/foundation/compat_fs.c:cbm_popen:cbm_popen function definition
+
+# ── CLI: update command (user-initiated, interactive) ──────────────────────
+src/cli/cli.c:system:curl download of release binary (update cmd)
+src/cli/cli.c:system:unzip extraction on Windows (update cmd)
+src/cli/cli.c:system:version verification after update (update cmd)
+src/cli/cli.c:cbm_popen:sha256 checksum verification (update cmd)
+src/cli/cli.c:popen:sha256 checksum computation via shasum
+
+# ── Watcher: git status polling (repo paths validated via cbm_validate_shell_arg) ──
+src/watcher/watcher.c:system:git repo detection (is_git_repo)
+src/watcher/watcher.c:cbm_popen:git HEAD hash (git_head)
+src/watcher/watcher.c:cbm_popen:git working tree status (git_is_dirty)
+src/watcher/watcher.c:cbm_popen:git file count (git_file_count)
+src/watcher/watcher.c:popen:via cbm_popen wrapper calls
+
+# ── MCP server: search and change detection ────────────────────────────────
+src/mcp/mcp.c:cbm_popen:search_code via grep (pattern in temp file, path validated)
+src/mcp/mcp.c:cbm_popen:detect_changes via git diff (args validated)
+src/mcp/mcp.c:cbm_popen:git ls-files count for auto-index (session_root validated)
+src/mcp/mcp.c:cbm_popen:update check to api.github.com (hardcoded URL)
+src/mcp/mcp.c:popen:via cbm_popen wrapper calls
+
+# ── Pipeline: git history parsing (fallback when libgit2 not available) ────
+src/pipeline/pass_githistory.c:cbm_popen:git log for file history (path validated)
+src/pipeline/pass_githistory.c:popen:via cbm_popen wrapper call
+
+# ── UI: HTTP server process management ─────────────────────────────────────
+src/ui/http_server.c:popen:ps process listing for metrics endpoint
+src/ui/http_server.c:fork:spawn indexing subprocess
+src/ui/http_server.c:execl:exec indexing binary in child process
+
+# ── Allowed URLs ───────────────────────────────────────────────────────────
+# Format: URL:justification
+URL:https://api.github.com/repos/DeusData/codebase-memory-mcp/releases/latest:update check
+URL:https://github.com/DeusData/codebase-memory-mcp/releases/latest/download/:binary download + checksums
+URL:http://127.0.0.1:UI server binding (localhost only)