feat: agent identity, provenance, and open-source release security remediation #14
Merged
…audit/scaffold
- `lacp-agent-id`: persistent agent IDs per (hostname, project) pair with register/show/touch/revoke/list
- `lacp-provenance`: SHA-256 hash-chained session receipts with start/end/verify/log/export
- `lacp-brain-stack audit`: system-wide memory coverage report across all Claude projects
- `lacp-brain-stack scaffold-all`: batch-create memory dirs for high-traffic projects missing them
- `lacp-brain-stack init --with-gitnexus`: optional GitNexus code intelligence MCP wiring
- Full CI coverage for all new commands (test-agent-id.sh, test-provenance.sh, test-brain-stack.sh)
Critical:
- Add fcntl.flock() exclusive locking to agent-id registry (register, touch, revoke) and provenance chain append to prevent TOCTOU races
- Add corrupted JSON recovery with automatic backup to agent-id registry (try/except + .corrupt.<ts> backup + empty recreation)
High:
- Fix pre-existing mode-gates and security-controls test failures caused by LACP_SANDBOX_RECURSION_GUARD env pollution from session hooks bypassing all gate logic
- Add double-start warning to provenance (log when pending.json already exists)
Medium:
- Add edge case tests: corrupted registry recovery, double-start warning, corrupted chain mid-file detection
- Fix verify_cmd crash on corrupted chain lines (safe_parse helper)
- Add CHANGELOG 0.3.0 release section, deduplicate README brain-ingest, add mcp-health to README, add env var reference to CLAUDE.md
Low:
- Document SHA-256 truncation to 96 bits as design choice
- Add trap cleanup to test-route-policy.sh
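The registry hardening this commit describes (an exclusive lock around register, plus recovery from corrupted JSON with a `.corrupt.<ts>` backup), as an added Python example that is not the code of `bin/lacp-agent-id`. The registry layout, the `.lock` sidecar file, the function names and deriving the ID as a SHA-256 digest truncated to 96 bits are assumptions.

```python
import fcntl, hashlib, json, os, tempfile, time

def agent_id(hostname, project):
    # Assumption: the ID is SHA-256 over the pair, truncated to 96 bits.
    h = hashlib.sha256(f"{hostname}\0{project}".encode()).hexdigest()
    return h[:24]  # 24 hex chars = 96 bits

def load_registry(path):
    """Return (registry, backup_path); backup_path is None if JSON was valid."""
    try:
        with open(path) as fh:
            data = json.load(fh)
        if isinstance(data, dict):
            return data, None
    except FileNotFoundError:
        return {}, None
    except ValueError:  # JSONDecodeError and UnicodeDecodeError
        pass
    # Keep the damaged bytes for forensics, then start from an empty registry.
    backup = f"{path}.corrupt.{int(time.time())}"
    os.replace(path, backup)
    return {}, backup

def register(path, hostname, project):
    # A sidecar lock file (hypothetical name) covers the whole read-modify-
    # write; locking the registry itself would not survive os.replace().
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        reg, backup = load_registry(path)
        aid = agent_id(hostname, project)
        entry = reg.setdefault(aid, {"hostname": hostname, "project": project,
                                     "revoked": False})
        entry["last_seen"] = int(time.time())
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(reg, fh, indent=2)
        os.replace(tmp, path)  # atomic swap: readers never see a partial file
    return aid, backup

if __name__ == "__main__":
    reg_path = os.path.join(tempfile.mkdtemp(), "registry.json")
    print(register(reg_path, "build-host", "demo-project"))  # constructed names
    with open(reg_path, "w") as fh:
        fh.write('{"truncated": ')  # simulate a torn write
    print(register(reg_path, "build-host", "demo-project"))
```

Under the assumed deterministic derivation, re-registering after a recovery yields the same ID, so a corrupted registry loses metadata but not identity.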
Resolve 6 conflicts:
- CHANGELOG.md: keep 0.3.0 section header from branch
- README.md: accept main's additions (brain-ingest, mcp-health cleanup)
- bin/lacp-agent-id: keep branch (file locking + JSON recovery)
- bin/lacp-provenance: keep branch (file locking + double-start)
- scripts/ci/test-agent-id.sh: keep branch (corrupted registry test)
- scripts/ci/test-provenance.sh: keep branch (double-start + chain tests)
…plugin curation
- Add smart-connections, calendar, automatic-linker, obisidian-note-linker, mcp-tools to community_plugins manifest
- Add smart-connections default settings (local transformers embeddings)
- Add `lacp-obsidian install-plugins` subcommand: resolves plugin IDs via official Obsidian registry, downloads GitHub release assets, registers in community-plugins.json (--dry-run, --json supported)
- Wire install-plugins into brain-stack init
- Add brain-doctor check for smart-connections Obsidian plugin
…source release
- Replace ~/control/sessions and ~/control/skills with ${LACP_SESSIONS_ROOT} / ${LACP_SKILLS_ROOT}
- Replace ~/obsidian/nyk with ~/obsidian/vault in obsidian manifest and CLI fallbacks
- Genericize graph_view colorGroups in obsidian manifest (remove personal taxonomy)
- Replace personal automation paths in CI tests with ${HOME}/.lacp/automation
- Replace personal paths in docs with $LACP_ROOT / $LACP_KNOWLEDGE_ROOT
- Add .claude/ and .gitnexus/ to .gitignore
- Add missing command refs (repos-index, skill-score) to README
- Fix context-contract example using ~/control path in README
- Add AGENTS.md, repos-index command, and repos-index test
Summary
Agent identity & provenance system plus security remediation for open-source release.
Agent Identity & Provenance
- `fcntl.flock()` exclusive locking for agent-id registry and provenance chain (TOCTOU prevention)
- … `.corrupt.<ts>` backup
- … `LACP_SANDBOX_RECURSION_GUARD` env pollution)
- … `pending.json` exists
Open-Source Security Remediation
- … `~/control/`, `~/obsidian/nyk`) with env-var defaults (`${LACP_SESSIONS_ROOT}`, `${LACP_SKILLS_ROOT}`, `~/obsidian/vault`)
- … `graph_view` colorGroups in obsidian manifest (remove personal vault taxonomy)
- … `${HOME}/.lacp/automation`
- … `$LACP_ROOT`/`$LACP_KNOWLEDGE_ROOT`
- … `.claude/` and `.gitnexus/` to `.gitignore`
- … `repos-index`, `skill-score`) to README
- … `AGENTS.md`, `bin/lacp-repos-index`, and `test-repos-index.sh`
Verification
- `grep -r '~/control/' bin/ scripts/ docs/ config/` → 0 matches
- `grep -r 'obsidian/nyk' config/` → 0 matches
- `bin/lacp-test --quick` → passes
Test plan
- `bin/lacp-test --quick` — passes
- `test-agent-id.sh` — passes
- `test-provenance.sh` — passes
- `test-mode-and-gates.sh` — passes
- `test-security-controls.sh` — passes
- `test-route-policy.sh` — passes
🤖 Generated with Claude Code
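An added Python example, not the code of `bin/lacp-provenance`, of the provenance side of this PR: a SHA-256 hash-chained receipt log with a `flock`-guarded append and a verifier that reports the first corrupted or tampered line instead of crashing. The JSONL record layout, the all-zero genesis value and every function name other than `safe_parse` are assumptions.

```python
import fcntl, hashlib, json, os, tempfile
GENESIS = "0" * 64  # assumed sentinel: prev hash of the first receipt

def _digest(prev, payload):
    # Canonical JSON so a given receipt always hashes to the same value.
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def safe_parse(line):
    """Decode one chain line; return None instead of raising if corrupted."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None

def append_receipt(path, payload):
    with open(path, "a+") as fh:
        # Lock before reading the tail: reading first is the TOCTOU window.
        fcntl.flock(fh, fcntl.LOCK_EX)
        fh.seek(0)
        lines = fh.read().splitlines()
        last = safe_parse(lines[-1]) if lines else None
        if lines and (last is None or "hash" not in last):
            raise ValueError("chain tail is corrupted; refusing to append")
        prev = last["hash"] if last else GENESIS
        rec = {"prev": prev, "payload": payload, "hash": _digest(prev, payload)}
        fh.write(json.dumps(rec, sort_keys=True) + "\n")
        fh.flush()  # data reaches the file before close() drops the lock
    return rec["hash"]

def verify_chain(path):
    """Return (ok, first_bad_line); the line number is 1-based, None if ok."""
    prev = GENESIS
    with open(path) as fh:
        fcntl.flock(fh, fcntl.LOCK_SH)  # readers wait out in-progress appends
        for n, line in enumerate(fh, 1):
            rec = safe_parse(line)
            if (rec is None or rec.get("prev") != prev
                    or rec.get("hash") != _digest(prev, rec.get("payload"))):
                return False, n
            prev = rec["hash"]
    return True, None

if __name__ == "__main__":
    p = os.path.join(tempfile.mkdtemp(), "chain.jsonl")  # constructed sample
    for event in ("start", "tool-call", "end"):
        append_receipt(p, {"event": event})
    print(verify_chain(p))
```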