You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(security): honor robots.txt for all discovery sources; cap HATEOAS request budget
- robots.txt now applies to endpoints sourced from an OpenAPI/Swagger spec too.
Phase 1 records spec endpoints unchecked, and phases 4 (method testing, incl.
POST/PUT/DELETE under --test-all-methods) and 5 (schema extraction) previously
probed them with no robots.txt check, bypassing the tool's ethical contract.
- Response-driven (HATEOAS) discovery now respects the max_requests budget; it
had no such parameter and followed unbounded links per round, exceeding the
configured request limit that the other strategies honor.
- tests: TestResponseDrivenBudget + TestRobotsAppliesToAllSources; both verified
red against the unfixed code (no false pass). Suite 19 -> 21 green.
- chore: gitignore LOCK*.txt.
Reviewed by a fresh reviewer subagent; Fable 5 was flagged on this security tool
so Opus 4.8 took over (module-review loop run 9).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011c2rFLwVHQVshAQJVNzWDS
0 commit comments