Commit 65147a7
committed
feat(prompt): cross-source seam injection scan for context files (#395)
Closes the pre-existing scanner gap surfaced by the #388 security review:
the context-file injection scanner is regex-on-contiguous-text, so a
payload split across the seam between two concatenated fragments slips
through (each fragment scans clean; the structural markers between them —
## headers, > imported-from markers — break the regex).
Add a cross-seam pass: join the fragment BODIES with those markers
removed and scan as one stream. Wired into both multi-source loaders:
- _load_agents_md: joins nested AGENTS.md/override bodies (## headers
dropped via _section_body, internal markdown headings preserved).
- _load_claude_md: strips > imported-from markers from the import-
resolved blob.
A cross-seam hit blocks the whole source (fail-safe — the combination is
the attack). Per-fragment scanning is unchanged; this is an added gate.
Tests: AGENTS.md cross-file split, CLAUDE.md body->import and
import->import splits all blocked; benign two-file merge with internal
headings not blocked. 167 passed.1 parent 417a68c commit 65147a7
2 files changed
Lines changed: 110 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
63 | 63 | | |
64 | 64 | | |
65 | 65 | | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
66 | 109 | | |
67 | 110 | | |
68 | 111 | | |
| |||
1920 | 1963 | | |
1921 | 1964 | | |
1922 | 1965 | | |
| 1966 | + | |
| 1967 | + | |
| 1968 | + | |
| 1969 | + | |
| 1970 | + | |
| 1971 | + | |
| 1972 | + | |
| 1973 | + | |
1923 | 1974 | | |
1924 | 1975 | | |
1925 | 1976 | | |
| |||
1945 | 1996 | | |
1946 | 1997 | | |
1947 | 1998 | | |
| 1999 | + | |
| 2000 | + | |
| 2001 | + | |
| 2002 | + | |
| 2003 | + | |
| 2004 | + | |
| 2005 | + | |
| 2006 | + | |
| 2007 | + | |
| 2008 | + | |
1948 | 2009 | | |
1949 | 2010 | | |
1950 | 2011 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
871 | 871 | | |
872 | 872 | | |
873 | 873 | | |
| 874 | + | |
| 875 | + | |
| 876 | + | |
| 877 | + | |
| 878 | + | |
| 879 | + | |
| 880 | + | |
| 881 | + | |
| 882 | + | |
| 883 | + | |
| 884 | + | |
| 885 | + | |
| 886 | + | |
| 887 | + | |
| 888 | + | |
| 889 | + | |
| 890 | + | |
| 891 | + | |
| 892 | + | |
| 893 | + | |
| 894 | + | |
| 895 | + | |
| 896 | + | |
| 897 | + | |
| 898 | + | |
| 899 | + | |
| 900 | + | |
| 901 | + | |
| 902 | + | |
| 903 | + | |
| 904 | + | |
| 905 | + | |
| 906 | + | |
| 907 | + | |
| 908 | + | |
| 909 | + | |
| 910 | + | |
| 911 | + | |
| 912 | + | |
| 913 | + | |
| 914 | + | |
| 915 | + | |
| 916 | + | |
| 917 | + | |
| 918 | + | |
| 919 | + | |
| 920 | + | |
| 921 | + | |
| 922 | + | |
874 | 923 | | |
875 | 924 | | |
876 | 925 | | |
| |||
0 commit comments