Wave 10: deep audits of 5 unaudited plugins, smoke regression set (W13.1-W13.6) · 47082376ef - dstalk

Wave 10: deep audits of 5 unaudited plugins, smoke regression set (W13.1-W13.6)

Some checks failed

CI / Determine matrix (push) Has been cancelled

Details

CI / ${{ matrix.os }} / ${{ matrix.build_type }} (push) Has been cancelled

Details

- W13.1 anthropic_plugin (architect-yang, 497 lines): rated C. 6 C ABI
  functions lack try/catch (§8 violation); my_chat leaks response_body on
  error path; tool_use response silently dropped.
- W13.2 deepseek_plugin (engineer-sun, 486 lines): rated C+. 7 ABI entries
  unprotected including json::parse paths (malformed JSON terminates);
  SSE [DONE] sentinel match brittle; ~55% code overlap with anthropic
  suggests an ai_plugin_base extraction.
- W13.3 network_plugin (qa-wang, 322 lines): rated C. CRITICAL: TLS
  certificate verification fully disabled (set_verify_mode never called,
  default verify_none accepts any cert) — all AI traffic incl. api_key
  is MITM-vulnerable. DNS resolve has no timeout; catch lacks (...).
- W13.4 lsp_plugin (architect-huang, 749 lines): rated C. CRITICAL:
  guaranteed deadlock at L519-526 → L547 (g_lsp_impl_start holds mutex
  then calls g_lsp_impl_stop which re-locks the same non-recursive
  mutex); 7 vtable funcs unprotected; server→client requests dropped.
- W13.5 session+tools (security-cao, 264+251 lines): rated D+/D. Path
  traversal in builtin_file_read/write (zero validation); global
  static state in both plugins lacks mutex (UAF risk); 9 vtable funcs
  lack try/catch.
- W13.6 smoke regression (qa-xu, +193 lines): 4 new cases — context
  max_tokens trim, config dual-store consistency (exposes that W12.2
  merge is incomplete: dstalk_config_set→config_service.get returns
  null), HTTP error path no-crash, repeated init/shutdown cycle.

Verified: cmake build 0 error 0 warning, ctest 4/4 pass.

Top W14 priorities surfaced: TLS verification (W13.3), LSP deadlock
(W13.4), file-tool path traversal (W13.5), config dual-store still
broken (W13.6 R2), shared try/catch wrapper across all AI plugins.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

This commit is contained in:

XiuChengWu

2026-05-27 09:32:13 +08:00

parent 58869abc15

commit 47082376ef

12 changed files with 1384 additions and 2 deletions

3

agents/architect-yang/profile.md

View File

@@ -23,5 +23,8 @@ performance_log:
   - date: 2026-05-27
     event: "W10.1: 设计协作状态机 + 验收清单 + 失败回退协议，追加 WORKFLOW.md §11–§13"
     rating: completed
   - date: 2026-05-27
     event: "W13.1: 深度审计 anthropic_plugin.cpp (497行)，6个C ABI函数零try/catch (§8违反)，response_body泄漏 + 全局指针竞态，tool_use静默丢弃。综合评级C。报告写入 agents/audits/W13.1-anthropic-audit.md"
     rating: completed
 current_groups: []
 ---

Wave 10: deep audits of 5 unaudited plugins, smoke regression set (W13.1-W13.6) Some checks failed CI / Determine matrix (push) Has been cancelled Details CI / ${{ matrix.os }} / ${{ matrix.build_type }} (push) Has been cancelled Details

3 agents/architect-yang/profile.md Unescape Escape View File

Wave 10: deep audits of 5 unaudited plugins, smoke regression set (W13.1-W13.6)

Some checks failed

CI / Determine matrix (push) Has been cancelled

Details

CI / ${{ matrix.os }} / ${{ matrix.build_type }} (push) Has been cancelled

Details

3

agents/architect-yang/profile.md

View File