fix(security): defense in depth — input-path cap + cache read-path size check (#95 / #83 follow-up) (#96)

sgwannabe · claude · web-flow · commit 2136c56261a3 · 2026-04-25T20:30:17.000+09:00
* feat(scripts): validate-idea-input.sh — input-path size cap (#95 / #83) Add layer-1 enforcement of the 5000-codepoint idea_summary cap before the seed idea reaches schema validation. The schema's maxLength only fires at S-3 (post-Socratic), well after the idea has already been written to runs/<id>/idea.json, hashed into the cache key, and inflated into the Socratic system prompt. This new validator (cited from commands/new.md + run-supervisor.md) closes the bypass. Wire-up: scripts/pre-flight.sh grows --idea / --idea-file flags so the existing M1 pre-flight pathway gates the size cap as a hard failure (exit 1). Default mode is reject, never silent-truncate. --truncate remains as an opt-in for non-interactive automation only. Refs umbrella #95, deferred from PR #83. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(cache): defense-in-depth length check on cmd_get JSON read (#95 / #83) Add a belt-and-suspenders 5000-codepoint check on cached payloads that are idea.spec.json-shaped (top-level dict with a string idea_summary). If the on-disk content exceeds the cap, treat as cache poison and report miss (exit 1) so the caller regenerates against a freshly- validated spec. Non-spec-shaped payloads (e.g. previews.json arrays) are passed through unchanged. Rationale: the schema gate at S-3 is the canonical authority, but a replay path that loads idea.spec.json from disk and skips re-validation (e.g. weak-alias hit + Socratic skip) would bypass it if the file was mutated post-write. This catches that case. Refs umbrella #95, deferred from PR #83. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(security): input-path + read-path cap regression coverage (#95 / #83) Extend tests/fixtures/security/verify-security.sh with three new sections: [#95-L1] validate-idea-input.sh negative (5001), positive (5000), Unicode codepoint counting (Korean), argv vs stdin parity, empty rejection, --truncate mode. [#95-L1-wire] scripts/pre-flight.sh --idea/--idea-file integration — proves the layer-1 helper is actually wired into the pre-flight code path as a hard failure (exit 1), not merely documented. [#95-L3] preview-cache.sh cmd_get poison reject for spec-shaped payloads with idea_summary > 5000, plus boundary accept (5000) and array-payload passthrough. Refs umbrella #95, deferred from PR #83. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(commands): /pf:new cites validate-idea-input enforcement (#95 / #83) Document the layer-1 size-cap gate in two places: - plugins/preview-forge/commands/new.md pre-flight step 8 — cites scripts/pre-flight.sh --idea / scripts/validate-idea-input.sh, documents the bypass policy (NONE — --no-cache does not bypass) and the default-reject UX. - plugins/preview-forge/agents/meta/run-supervisor.md step 11 — M1 Run Supervisor prompt now knows to invoke the validator BEFORE §0.4 idea.json write, §0.8 detect-surface, §0.9 recommend-profile, and any cache-key hashing. Refs umbrella #95, deferred from PR #83. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(security): apply PR #96 review feedback (gemini) - pre-flight.sh: parse `--idea` regardless of value emptiness so `--idea ""` hard-fails through validate-idea-input.sh's empty-reject branch instead of silently falling through as a legacy invocation (gemini #2 + codex #6 — gate bypass on empty seed). - pre-flight.sh: capture validator stderr in a single execution (`2>&1 >/dev/null` capture) instead of running the validator twice to compute rc + message (gemini #3 — efficiency, halves python3 invocations on the failure path). - validate-idea-input.sh: bound `sys.stdin.read(MAX_LEN+1)` so a multi-megabyte seed cannot inflate Python peak RSS just to count code points (gemini #4). Pass MAX_LEN through argv and drain remaining stdin in chunks to avoid SIGPIPE-on-printf under `set -euo pipefail`. - validate-idea-input.sh: same bounded read + argv pass for the --truncate branch; closes the `$MAX_LEN` shell-interpolation surface in the inline python source (gemini #5 — defense-in-depth on the python -c contract, parallels preview-cache.sh::py_read_json). - run-supervisor.md: replace `<<< "<idea>"` here-string example with the positional-arg form (or `printf '%s' | … -` stdin form), and document explicitly that bash here-strings append a trailing newline which would falsely reject seeds at exactly 5000 code points (gemini #1). Also document `<idea>` / `<id>` / `<ts>` placeholder replacement convention. Refs PR #96 review comments (gemini-code-assist #1-#5, codex #6) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/plugins/preview-forge/agents/meta/run-supervisor.md b/plugins/preview-forge/agents/meta/run-supervisor.md
@@ -47,8 +47,9 @@ model: opus
    - `action == "hint"`: prompt 생략, `/pf:status` 출력에 "💡 Consider --profile=pro next time"로 정적 힌트만
    - `action == "none"`: no-op
 10. **Blackboard 초기화**: `runs/r-<ts>/blackboard.db` 생성 + 초기 row: `(run.pre_flight_passed, ts, cwd, cli_ver, profile, surface, escalation_action)`.
+11. **Idea-input size cap** (umbrella #95 follow-up, deferred from PR #83 — defense-in-depth layer 1): supervisor MUST run `scripts/validate-idea-input.sh "<idea>"` (positional-arg form; or pipe via `printf '%s' "<idea>" | scripts/validate-idea-input.sh -`; or `scripts/pre-flight.sh --idea "<idea>"`) on the raw seed text **BEFORE** §0.4 (`runs/<id>/idea.json` write), §0.8 (`scripts/detect-surface.sh`), §0.9 (`scripts/recommend-profile.sh`), and any cache-key hashing (§4 weak-key probe / §6 strong-key lookup in `commands/new.md`). Validator exits 0 if `len ≤ 5000` Unicode code points, exits 2 otherwise. On exit 2, abort the run and surface the validator's stderr to the user — never silently truncate. The schema's `idea_summary.maxLength: 5000` is the canonical authority; this gate is belt-and-suspenders so a multi-megabyte seed idea cannot inflate the Socratic system prompt or sha256 keyspace before validation fires. **Do NOT use a bash here-string (`<<< "<idea>"`)** — bash here-strings append a trailing newline and would inflate the count by 1, falsely rejecting seeds at exactly 5000 code points. Note: `<idea>` / `<id>` / `<ts>` placeholders must be replaced with actual runtime values.
 
-CLI에서 `scripts/pre-flight.sh` 또는 `pf check`가 동일 검증을 수동으로 제공. 이 스크립트의 로직을 system prompt 상에서 모방하되, 실제 파일 system 접근은 Bash tool로 수행.
+CLI에서 `scripts/pre-flight.sh` 또는 `pf check`가 동일 검증을 수동으로 제공. 이 스크립트의 로직을 system prompt 상에서 모방하되, 실제 파일 system 접근은 Bash tool로 수행. 아이디어 size cap까지 포함해 한 줄로 돌리려면 `scripts/pre-flight.sh --idea "<seed>"`.
 
 ### 1. Run 생명주기 관장
 - **Post-Socratic escalation re-check** (v1.7.0+ A-2): I1 idea-clarifier가 `runs/<id>/idea.spec.json` Write를 끝낸 **직후**, pre-flight §0.9와 동일한 `scripts/recommend-profile.sh`를 한 번 더 호출한다. 호출 형태 (§0.9과 대칭):
diff --git a/plugins/preview-forge/commands/new.md b/plugins/preview-forge/commands/new.md
@@ -52,8 +52,9 @@ M1 Run Supervisor는 **모든 작업 전** 다음을 순서대로 검증합니
 5. **api.anthropic.com 연결** — 기본 reachability 확인.
 6. **LESSONS pre-load** — `~/.claude/preview-forge/memory/LESSONS.md`에서 관련 카테고리(1. PreviewDD, 4. Memory, 6. Plugin 배포)를 읽어 department lead들의 system prompt에 주입.
 7. **profile resolve** (v1.3+) — `--profile` 플래그 · env `PF_PROFILE` · `settings.json` defaultProfile 순으로 해결 → `runs/<id>/.profile` 파일에 기록. 이후 모든 hook·monitor가 이 값을 참조.
+8. **idea-input size cap** (umbrella #95 follow-up — defense in depth, layer 1) — orchestrator MUST invoke [`scripts/pre-flight.sh --idea "<seed>"`](../../../scripts/pre-flight.sh) (or the equivalent direct call to [`scripts/validate-idea-input.sh`](../../../scripts/validate-idea-input.sh)) on the raw seed idea **BEFORE** writing it to `runs/<id>/idea.json`, computing any cache key (`scripts/preview-cache.sh key …`), or expanding the I1 Socratic interview prompt. The validator exits 0 if `len(idea) ≤ 5000` Unicode code points (matching the `idea_summary` schema cap), exits non-zero otherwise. On non-zero, abort the run with the validator's stderr message — do NOT silently truncate. Rationale: the schema's `idea_summary.maxLength: 5000` only fires at S-3 validation, well after the seed idea has already inflated the Socratic system prompt and been hashed into the cache key. This pre-flight gate stops a 10MB seed idea at the door. Bypass policy: NONE — `--no-cache` does not bypass this check. Truncate mode (`scripts/validate-idea-input.sh --truncate -`) exists for non-interactive automation pipelines that explicitly opt in; `/pf:new` itself MUST default to reject so the user keeps full intent over what gets trimmed. The size cap also runs at S-3 schema validation as the canonical authority — this layer-1 gate is belt-and-suspenders.
 
-CLI 환경에서는 `scripts/pre-flight.sh` 또는 `pf check`로 동일 검증 수동 실행 가능.
+CLI 환경에서는 `scripts/pre-flight.sh` 또는 `pf check`로 동일 검증 수동 실행 가능. 아이디어 텍스트까지 포함해 한 번에 검증하려면 `scripts/pre-flight.sh --idea "<seed>"` (or `--idea-file <path>` for inputs that may exceed ARG_MAX).
 
 ## 동작 (pre-flight 통과 후)
 
diff --git a/scripts/pre-flight.sh b/scripts/pre-flight.sh
@@ -13,6 +13,55 @@ set -euo pipefail
 # Resolve paths
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 
+# Optional idea text — when supplied, run the layer-1 size cap (#95
+# follow-up, deferred from PR #83) BEFORE any of the env checks below
+# return success. Two argv shapes are accepted so callers (CLI / M1
+# Run Supervisor / mock-bootstrap) can wire in cheaply:
+#
+#   scripts/pre-flight.sh --idea "<seed text>"
+#   scripts/pre-flight.sh --idea-file <path>     # reads file, supports >ARG_MAX
+#
+# Both invoke `scripts/validate-idea-input.sh` with the same exit-code
+# contract: 0 on pass, 2 on cap violation. A non-zero rc here surfaces
+# as a hard pre-flight failure (`exit 1` in the summary section), which
+# matches how the rest of `bad_count` is treated. Empty-string idea
+# (e.g. `--idea ""`) is rejected by validate-idea-input.sh's own empty-
+# check (parallels preview-cache.sh::cmd_key T-9.1), so callers who
+# accidentally pass unset-JSON-field text get a hard fail too.
+IDEA_TEXT_FILE=""
+IDEA_TEXT_FILE_OWNED=0   # 1 = we created it, must rm on exit
+cleanup_idea_tmp() {
+  if [[ "$IDEA_TEXT_FILE_OWNED" -eq 1 && -n "$IDEA_TEXT_FILE" && -f "$IDEA_TEXT_FILE" ]]; then
+    rm -f "$IDEA_TEXT_FILE"
+  fi
+}
+trap cleanup_idea_tmp EXIT
+
+if [[ "${1:-}" == "--idea" ]]; then
+  # Parse `--idea` regardless of emptiness — empty seed is exactly the
+  # case we want to hard-fail at validate-idea-input.sh (T-9.1 parallel),
+  # NOT silently skip the gate by falling through as a legacy invocation.
+  if [[ $# -lt 2 ]]; then
+    echo "pre-flight.sh: --idea requires an argument (use --idea \"\" to test the empty-reject path)" >&2
+    exit 1
+  fi
+  IDEA_TEXT_FILE="$(mktemp -t pf-preflight-idea-XXXXXX)"
+  IDEA_TEXT_FILE_OWNED=1
+  printf '%s' "$2" > "$IDEA_TEXT_FILE"
+  shift 2
+elif [[ "${1:-}" == "--idea-file" ]]; then
+  if [[ $# -lt 2 ]]; then
+    echo "pre-flight.sh: --idea-file requires a path argument" >&2
+    exit 1
+  fi
+  if [[ ! -f "$2" ]]; then
+    echo "pre-flight.sh: --idea-file path not found: $2" >&2
+    exit 1
+  fi
+  IDEA_TEXT_FILE="$2"
+  shift 2
+fi
+
 # Walk up from cwd looking for a plugin repo signature
 # (`.claude-plugin/marketplace.json` — this is any Claude Code plugin marketplace repo).
 # We deliberately don't restrict to "two-weeks-team" since forks, other marketplace
@@ -51,6 +100,32 @@ ok()   { echo "  ✓ $1"; }
 echo "=== Preview Forge pre-flight ==="
 echo
 
+# 0. Idea-input size cap (#95 follow-up, deferred from PR #83) — only
+# runs when the caller passed `--idea` / `--idea-file`. Skipped silently
+# for the legacy invocation `scripts/pre-flight.sh` with no args (env
+# check only). When triggered, this is the layer-1 gate that protects
+# the rest of the pipeline (idea.json write, cache key hash, Socratic
+# prompt expansion) from a >5000-code-point seed idea.
+if [[ -n "$IDEA_TEXT_FILE" ]]; then
+  echo "[0] Idea-input size cap (≤5000 code points)"
+  if [[ ! -x "$SCRIPT_DIR/validate-idea-input.sh" ]]; then
+    fail "validate-idea-input.sh missing or not executable at $SCRIPT_DIR/validate-idea-input.sh"
+  else
+    # Capture stderr in a single execution (gemini PR #96 review): the
+    # previous shape ran the validator twice — once for rc, once for the
+    # message — which is wasteful (and re-streams the entire idea twice
+    # through python3). `2>&1 >/dev/null` redirects stderr→stdout while
+    # discarding stdout so $(…) only collects the error message.
+    if validator_err=$("$SCRIPT_DIR/validate-idea-input.sh" - < "$IDEA_TEXT_FILE" 2>&1 >/dev/null); then
+      ok "idea text within 5000-code-point cap"
+    else
+      validator_rc=$?
+      fail "idea text rejected by validate-idea-input.sh (rc=$validator_rc): ${validator_err}"
+    fi
+  fi
+  echo
+fi
+
 # 1. cwd hygiene
 CWD="$(pwd)"
 echo "[1/7] Workspace (cwd)"
diff --git a/scripts/preview-cache.sh b/scripts/preview-cache.sh
@@ -249,6 +249,51 @@ cmd_get() {
     return 1
   fi
 
+  # Defense-in-depth size check (umbrella #95 follow-up, deferred from PR #83).
+  # If the cached payload is `idea.spec.json`-shaped (has a top-level
+  # `idea_summary` string field), treat any value > 5000 code points as
+  # cache poison and report a miss so the caller regenerates against a
+  # freshly-validated spec.
+  #
+  # Why belt-and-suspenders: the schema gate at S-3 already rejects
+  # oversized `idea_summary`. But a cache replay path that reads
+  # `idea.spec.json` from disk and short-circuits validation (e.g. weak-
+  # alias hit + Socratic skip) would bypass that gate entirely if the
+  # on-disk file was mutated after the original write. A length check
+  # here closes that bypass.
+  #
+  # Why "treat as miss" not "fail loudly": cache reads are non-
+  # authoritative by design (TTL expiry, Socratic spec change → both
+  # already cause a benign miss). Returning 1 here lets the caller
+  # regenerate, mirroring the existing TTL-expiry path. No data loss —
+  # just a forced re-validate. This matches the existing W1-W4 cache
+  # safety posture (get-fallback exit 2, etc).
+  #
+  # Why python3 (not jq / shell parsing): zero-third-party-dep policy
+  # (LESSON 0.4); python3 is already a hard dep here (see py_read_json
+  # / py_file_age helpers above). The script handles the not-spec-shaped
+  # case (e.g. a raw `previews.json` array) by simply skipping the check
+  # — only spec-shaped payloads with a string `idea_summary` are gated.
+  local oversize_check
+  oversize_check=$(python3 -c "
+import json, sys
+try:
+    d = json.load(open(sys.argv[1], encoding='utf-8'))
+except Exception:
+    print('skip')
+    sys.exit(0)
+if isinstance(d, dict):
+    summary = d.get('idea_summary')
+    if isinstance(summary, str) and len(summary) > 5000:
+        print('poison')
+        sys.exit(0)
+print('ok')
+" "$file" 2>/dev/null || echo "skip")
+  if [[ "$oversize_check" == "poison" ]]; then
+    echo "preview-cache.sh: cached payload at '$file' has idea_summary > 5000 chars — treating as poisoned cache, reporting miss" >&2
+    return 1
+  fi
+
   cat "$file"
 }
 
diff --git a/scripts/validate-idea-input.sh b/scripts/validate-idea-input.sh
@@ -0,0 +1,173 @@
+#!/usr/bin/env bash
+# Preview Forge — Layer-1 input-path size cap for /pf:new.
+#
+# WHY (umbrella #95 follow-up, deferred from PR #83)
+# ---------------------------------------------------
+# `plugins/preview-forge/schemas/idea-spec.schema.json` caps `idea_summary`
+# at 5000 chars. That cap fires at the **S-3 schema validation layer**,
+# i.e. AFTER the seed idea has already been:
+#   - copied into runs/<id>/idea.json
+#   - inflated into the I1 Socratic interview prompt (system prompt + 3
+#     AskUserQuestion modals)
+#   - keyed through `scripts/preview-cache.sh key` (which itself hashes
+#     the raw idea string into the cache key — a 10MB idea would happily
+#     stream through sha256)
+#
+# A 10MB seed idea today would walk through all of that BEFORE the
+# schema layer rejects it. This script is the layer-1 gate cited from
+# `plugins/preview-forge/commands/new.md`: callers (CLI helper or
+# orchestrator) invoke it with the raw seed text and reject early if it
+# exceeds the 5000-char cap, mirroring the schema's `maxLength`.
+#
+# DEFAULT IS REJECT, not silent-truncate
+# --------------------------------------
+# Truncation would silently lose user intent — half the idea disappears
+# and the Socratic interview proceeds against a corrupted seed. Explicit
+# reject + a clear error message lets the user decide whether to trim.
+# `--truncate` is provided for callers that opt in (e.g. an automation
+# pipeline that re-emits the trimmed payload back to a file).
+#
+# USAGE
+#   validate-idea-input.sh "<idea text>"            # argv form
+#   validate-idea-input.sh - < idea.txt             # stdin form (- sentinel,
+#                                                   # parallels preview-cache.sh
+#                                                   # T-9.3 convention)
+#   validate-idea-input.sh --truncate "<idea text>" # emit first 5000 chars
+#   validate-idea-input.sh --truncate -             # truncate from stdin
+#
+# EXIT CODES
+#   0  → length ≤ 5000 chars; (default mode) idea echoed to stdout
+#                              unchanged; (truncate mode) idea echoed
+#                              unchanged
+#   2  → length > 5000 chars; (default mode) reject with stderr message;
+#                              (truncate mode) first 5000 chars echoed,
+#                              warning to stderr, exit 0 (NOT 2)
+#   64 → usage error
+#
+# CHARACTER vs BYTE COUNTING
+# --------------------------
+# The schema's `maxLength` is JSON Schema's `maxLength` keyword, which
+# per the spec counts **Unicode code points** (not UTF-8 bytes). We use
+# python3's `len(str)` which is exactly that — keeping this gate aligned
+# with the schema gate so a Korean idea that passes here doesn't get
+# rejected at S-3 (or vice versa). Zero-third-party-dep policy preserved
+# (LESSON 0.4): python3 is already a hard dependency for the rest of
+# the plugin (preview-cache helpers, hooks).
+
+set -euo pipefail
+
+MAX_LEN=5000
+mode="reject"
+
+usage() {
+  cat >&2 <<'EOF'
+usage: validate-idea-input.sh [--truncate] {<idea-text> | -}
+  - reads idea text from argv (one positional arg) or stdin (when arg is `-`)
+  - default mode: exit 2 + stderr message if len > 5000 code points
+  - --truncate: emit first 5000 code points + stderr warn, exit 0
+EOF
+  exit 64
+}
+
+if [[ $# -lt 1 ]]; then
+  usage
+fi
+
+if [[ "$1" == "--truncate" ]]; then
+  mode="truncate"
+  shift
+fi
+
+if [[ $# -ne 1 ]]; then
+  usage
+fi
+
+idea_arg="$1"
+
+# Read the idea text. Mirror the `-` sentinel convention used by
+# scripts/preview-cache.sh::cmd_key (see T-9.3 rationale): callers that
+# may exceed ARG_MAX (macOS ~256KB, some hosts smaller) pipe via stdin.
+if [[ "$idea_arg" == "-" ]]; then
+  # Use the same "append _ then strip exactly one" trick as preview-cache
+  # to preserve trailing newlines through bash command substitution.
+  idea=$(cat; echo _)
+  idea="${idea%_}"
+else
+  idea="$idea_arg"
+fi
+
+# Empty input is a hard reject (parallels preview-cache.sh T-9.1: an
+# empty seed idea cannot be a legitimate Socratic input either, and
+# silently passing "" would make the rest of the pipeline misbehave).
+if [[ -z "$idea" ]]; then
+  echo "validate-idea-input.sh: idea text is empty — refusing" >&2
+  exit 2
+fi
+
+# Length check via python3 (Unicode code points, matching JSON Schema
+# `maxLength` semantics — see header). Argv pass + single-quoted heredoc
+# closes the inline-string interpolation surface (same pattern as
+# scripts/preview-cache.sh::py_read_json caller contract).
+#
+# Bounded read (gemini PR #96 review): we only need to know whether the
+# length exceeds MAX_LEN, so cap stdin.read at MAX_LEN+1 code points to
+# avoid pulling a multi-megabyte payload into Python memory. If the read
+# returns exactly MAX_LEN+1 chars, we know length > MAX_LEN. We pass
+# MAX_LEN as argv to avoid shell-interpolating it into the inline python
+# source (parallels preview-cache.sh::py_read_json contract).
+#
+# Note: python MUST drain the rest of stdin even after the bounded read,
+# otherwise `printf '%s' "$idea"` upstream gets SIGPIPE when python
+# exits early — and `set -euo pipefail` propagates that as rc=141 to the
+# overall pipeline. Cheap drain: a no-op .read(1<<20) loop. Cost is the
+# same as the unbounded form but bounded *peak* memory by chunking, so
+# we still meet the gemini review intent (peak RSS, not total throughput).
+length=$(printf '%s' "$idea" | python3 -c '
+import sys
+limit = int(sys.argv[1])
+data = sys.stdin.read(limit + 1)
+n = len(data)
+# Drain remaining bytes in chunks so upstream printf does not SIGPIPE
+# under pipefail. Chunk size keeps peak RSS bounded.
+while sys.stdin.read(1 << 20):
+    pass
+print(n)
+' "$MAX_LEN")
+
+if [[ "$length" -le "$MAX_LEN" ]]; then
+  # Pass-through: emit the idea on stdout for the caller to capture
+  # (truncate mode emits same content).
+  printf '%s' "$idea"
+  exit 0
+fi
+
+# Over the cap.
+if [[ "$mode" == "truncate" ]]; then
+  echo "validate-idea-input.sh: idea length>${MAX_LEN} — truncating to first $MAX_LEN code points" >&2
+  # Bounded read + argv pass (gemini PR #96 review): only read MAX_LEN
+  # code points (we throw away anything beyond), and pass MAX_LEN through
+  # argv so the python source itself stays single-quoted — no shell
+  # interpolation surface.
+  printf '%s' "$idea" | python3 -c '
+import sys
+limit = int(sys.argv[1])
+sys.stdout.write(sys.stdin.read(limit))
+# Drain to avoid upstream printf SIGPIPE under pipefail (see length-
+# check rationale above).
+while sys.stdin.read(1 << 20):
+    pass
+' "$MAX_LEN"
+  exit 0
+fi
+
+# Default mode: hard reject. Note: `length` is bounded at MAX_LEN+1 by
+# the read cap above (gemini PR #96 review — peak RSS protection), so
+# we report ">${MAX_LEN}" instead of the exact overflow count.
+cat >&2 <<EOF
+validate-idea-input.sh: idea length>${MAX_LEN} (exact: ≥${length}) exceeds $MAX_LEN-character cap.
+
+The /pf:new seed idea is bounded at $MAX_LEN Unicode code points to match
+the idea-spec schema's idea_summary maxLength. Please shorten the idea, or
+re-invoke with --truncate to silently trim to the first $MAX_LEN chars.
+EOF
+exit 2
diff --git a/tests/fixtures/security/verify-security.sh b/tests/fixtures/security/verify-security.sh
