|
5 | 5 | - **Deciders:** project maintainer |
6 | 6 | - **Related:** [ADR 0001 — Split read and write runtimes](0001-split-read-and-write-runtimes.md), |
7 | 7 | [ADR 0004 — Resource caps and `ReadOptions`](0004-resource-caps-read-options.md), |
8 | | - [SECURITY.md](../SECURITY.md) |
| 8 | + [CLAUDE.md §Security contract](../CLAUDE.md) |
9 | 9 |
|
10 | 10 | ## Context |
11 | 11 |
|
@@ -45,7 +45,7 @@ no sanitization contract. |
45 | 45 |
|
46 | 46 | Message sanitization governs *what a `VortexException` says*. A separate, |
47 | 47 | orthogonal gap governs *whether a `VortexException` is thrown at all*. The |
48 | | -reader's contract (SECURITY.md) is: any malformed input throws |
| 48 | +reader's contract (CLAUDE.md §Security contract) is: any malformed input throws |
49 | 49 | `VortexException`, never a raw JDK exception. But ~21 `MemorySegment.asSlice` |
50 | 50 | call sites take offsets/lengths straight from untrusted layout/footer |
51 | 51 | metadata and pass them to the JDK unguarded: |
@@ -415,7 +415,7 @@ programmatically inspect exception types, this decision can be revisited. |
415 | 415 |
|
416 | 416 | ## References |
417 | 417 |
|
418 | | -- [SECURITY.md — injection threat model](../SECURITY.md) |
| 418 | +- [CLAUDE.md §Security contract](../CLAUDE.md) |
419 | 419 | - [PR #27 — `BoundedSegment` + audit trail for untrusted `asSlice`](https://github.com/dfa1/vortex-java/pull/27) |
420 | 420 | - [ADR 0001 — Split read and write runtimes](0001-split-read-and-write-runtimes.md) |
421 | | -- [TODO.md §"Error messages — structural sanitization"](../TODO.md) |
| 421 | +- [TODO.md §"`VortexException` message sanitization"](../TODO.md) |
0 commit comments