Polish pass — CI hygiene gates, Rust CI, doc tone#38
Merged
AndrewAltimit merged 2 commits intomainfrom Apr 21, 2026
Merged
Conversation
CI gates that CLAUDE.md claimed were enforced but weren't:
* Wire check_detection_pairing, check_no_committed_drivers, and
check_no_real_tenants into both main-ci.yml and pr-validation.yml
as a "Repo hygiene" step. All three pass against current repo state.
* Add cargo build --workspace + cargo test --workspace to both
workflows with --test-threads=1 (several crates manipulate
EXPLOIT_LAB_ACTIVE inside tests and race under parallel execution).
Pre-existing flake found while adding Rust CI:
* c2crypto::tests::tampered_ct_is_rejected used wire.pop()/push('A')
which was a no-op ~1/64 runs when the final base64 char was 'A'.
Replace with a char guaranteed to be different.
Doc tone — enumerated counts removed from .md files, kept in code:
* README.md: drop "308+ tests", "51 payloads, 7 channels",
"17 CVE reproductions", "19 techniques", "5 pluggable transports",
"15 individual exploit modules", "20 EDR GUIDs", "22-entry symbol
allowlist", "11 named gap advisories". Replaced with qualitative
phrasing. Port numbers, event IDs, ESC identifiers, and protocol
byte-sizes kept — those are technical invariants, not marketing.
* tools/llm-attacks/README.md: 53-payload claim (stale) dropped.
* tools/forensic-analysis/README.md and tools/browser-ext-attacks/
README.md: minor count cleanup.
cves/README.md Status column:
* Four thin-stub entries (CVE-2025-2857, -4918, -5959, -2796) reworded
to honestly describe what the dir contains vs. what it could imply.
Rust crypto design doc (new):
* tools/rust/crypto/DESIGN.md explains why the C2 channel uses
X25519 + ChaCha20-Poly1305 + HKDF-SHA256 while sleep-mask and
amsi-patchless use RC4/XOR (research-accurate, not confidentiality).
Linked from CLAUDE.md.
Local validation: all three hygiene checks PASS, full Rust workspace
tests pass single-threaded, Python pytest 44 passed 3 skipped,
dashboard build succeeds, both workflow YAMLs parse.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The Rust build step added in the previous commit emits proc-macro .so files into tools/rust/target/release/deps/ — legitimate cargo output, not committed binaries. The secret-and-binary scan was matching them and failing the job. Broaden the exclusion list from './.venv/*' and './.git/*' to also cover '*/target/*' and '*/.venv/*' (the latter catches nested venvs inside reports/). The same exclusion is added to the large-file check in pr-validation.yml. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes the specific gaps surfaced by an end-to-end review. Small edits only — no feature work, no scope change.
tools/ci/check_detection_pairing.py,check_no_committed_drivers.py, andcheck_no_real_tenants.pyexist and pass locally, but no workflow invoked them.CLAUDE.mdclaimed they were CI-enforced. They are now.cargo build --workspace+cargo test --workspace -- --test-threads=1in bothmain-ci.ymlandpr-validation.yml. The workspace's tests were previously unchecked by CI.c2crypto::tests::tampered_ct_is_rejectedusedwire.pop(); wire.push('A')— a no-op ~1/64 runs. Replaced with a char guaranteed different..mddocs ("308+ tests", "51 payloads, 7 channels", "17 CVE reproductions", "19 techniques", "5 pluggable transports", etc.). Qualitative phrasing reads more professional and doesn't rot. Technical invariants (port numbers, event IDs, ESC identifiers, protocol byte-sizes) kept.cves/README.mdreworded to describe scope accurately (e.g.,Pwn2Own Berlin→Trigger from Pwn2Own Berlin writeup).tools/rust/crypto/DESIGN.mdexplaining why C2 uses X25519+ChaCha20-Poly1305 while sleep-masks use RC4/XOR (research-accurate, not confidentiality). Linked fromCLAUDE.md.Notes / held for review
Equation Group-inspiredframing intools/framework/was deliberately left alone — matches an existing preference.cargo teston CI runs single-threaded because several crates shareEXPLOIT_LAB_ACTIVEenv state across tests and race in parallel. This is a workspace-wide testing-hygiene smell worth addressing later (mutex guard, ortemp_envcrate) but out of scope here.Test plan
python3 tools/ci/check_detection_pairing.pyreports PASS locally.python3 tools/ci/check_no_committed_drivers.pyreports PASS locally.python3 tools/ci/check_no_real_tenants.pyreports PASS locally.cd tools/rust && cargo test --workspace -- --test-threads=1passes locally.python3 reports/databricks-apps-assessment/build.pysucceeds and produces the dashboard.tools/rust/crypto/DESIGN.mdreads accurately for the C2 channel vs sleep-mask distinction.cves/README.md— thin-stub Status column entries no longer imply full exploits.Diff: 10 files, +197 / −23 lines. One new file (
DESIGN.md). No deletions.Generated with Claude Code