Skip to content

Commit 8ec17cb

Browse files
dfa1claude
andcommitted
docs: move security contract to CLAUDE.md
Add a Security contract section to CLAUDE.md so it's a standing invariant Claude always sees, not text buried in TODO.md. Fix dangling SECURITY.md links in ADR-0001/0003/0004 (that file never existed) to point at CLAUDE.md instead. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
1 parent 5a59962 commit 8ec17cb

5 files changed

Lines changed: 20 additions & 13 deletions

File tree

CLAUDE.md

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -184,6 +184,15 @@ if (cap == n) { // fast path: zero modulos, vec
184184
Profile with JFR (`-prof stack:lines=10`); `idiv`/`sdiv`/arithmetic helpers as the hot frame is
185185
almost always this.
186186

187+
## Security contract
188+
189+
The reader memory-maps and parses untrusted binary input. Every malformed input must throw
190+
`VortexException`, never `ArrayIndexOutOfBoundsException`, `NegativeArraySizeException`,
191+
`OutOfMemoryError`, `StackOverflowError`, a raw FlatBuffer runtime exception, or a Protobuf parser
192+
exception. See [TODO.md §Security](TODO.md) for the current gap list (per-encoding adversarial
193+
tests, resource caps, fuzz infra) and [ADR 0003](adr/0003-vortex-exception-sanitization.md) /
194+
[ADR 0004](adr/0004-resource-caps-read-options.md) for the design.
195+
187196
## Reference implementation
188197

189198
When stuck on encode/decode behavior, consult **in this order**:

TODO.md

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -15,10 +15,8 @@
1515

1616
## Security
1717

18-
**Contract:** the reader memory-maps and parses untrusted binary input. Every malformed input must
19-
throw `VortexException`, never `ArrayIndexOutOfBoundsException`, `NegativeArraySizeException`,
20-
`OutOfMemoryError`, `StackOverflowError`, a raw FlatBuffer runtime exception, or a Protobuf
21-
parser exception. Each entry below is either a known gap, a contract audit, or supporting infra.
18+
See [CLAUDE.md §Security contract](CLAUDE.md) for the invariant. Each entry below is either a
19+
known gap, a contract audit, or supporting infra.
2220

2321
### Per-encoding adversarial tests
2422

adr/0001-split-read-and-write-runtimes.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -264,8 +264,8 @@ of CI / integration-test fallout, plus reviewer time. Not a weekend.
264264
### Positive
265265

266266
- **Public API never exposes raw `MemorySegment`** for the read path.
267-
`VortexHandle.slice` disappears from the public surface. The SECURITY.md
268-
contract is enforced architecturally, not by audit-trail convention.
267+
`VortexHandle.slice` disappears from the public surface. The CLAUDE.md
268+
§Security contract is enforced architecturally, not by audit-trail convention.
269269
- **PR #27's 33 `unwrapForSubParser` sites collapse to a handful**
270270
only the decoders that genuinely call a sub-parser
271271
(`ProtoReader`-bound decoders: Constant, Pco, Sparse, plus Zstd's
@@ -353,6 +353,6 @@ of CI / integration-test fallout, plus reviewer time. Not a weekend.
353353

354354
- [PR #27`sec(parser): BoundedSegment + audit trail for untrusted asSlice`](https://github.com/dfa1/vortex-java/pull/27)
355355
- [Phase 1–4 commits — BoundedSegment introduction and migration](https://github.com/dfa1/vortex-java/pull/27/commits)
356-
- [SECURITY.md — the contract this work hardens](../SECURITY.md)
356+
- [CLAUDE.md §Security contract](../CLAUDE.md)
357357
- [CLAUDE.md — current "three touch-points" rule for adding an encoding](../CLAUDE.md)
358358
- [TODO.md — parser hardening backlog](../TODO.md)

adr/0003-vortex-exception-sanitization.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
- **Deciders:** project maintainer
66
- **Related:** [ADR 0001 — Split read and write runtimes](0001-split-read-and-write-runtimes.md),
77
[ADR 0004 — Resource caps and `ReadOptions`](0004-resource-caps-read-options.md),
8-
[SECURITY.md](../SECURITY.md)
8+
[CLAUDE.md §Security contract](../CLAUDE.md)
99

1010
## Context
1111

@@ -45,7 +45,7 @@ no sanitization contract.
4545

4646
Message sanitization governs *what a `VortexException` says*. A separate,
4747
orthogonal gap governs *whether a `VortexException` is thrown at all*. The
48-
reader's contract (SECURITY.md) is: any malformed input throws
48+
reader's contract (CLAUDE.md §Security contract) is: any malformed input throws
4949
`VortexException`, never a raw JDK exception. But ~21 `MemorySegment.asSlice`
5050
call sites take offsets/lengths straight from untrusted layout/footer
5151
metadata and pass them to the JDK unguarded:
@@ -415,7 +415,7 @@ programmatically inspect exception types, this decision can be revisited.
415415

416416
## References
417417

418-
- [SECURITY.md — injection threat model](../SECURITY.md)
418+
- [CLAUDE.md §Security contract](../CLAUDE.md)
419419
- [PR #27`BoundedSegment` + audit trail for untrusted `asSlice`](https://github.com/dfa1/vortex-java/pull/27)
420420
- [ADR 0001 — Split read and write runtimes](0001-split-read-and-write-runtimes.md)
421-
- [TODO.md §"Error messages — structural sanitization"](../TODO.md)
421+
- [TODO.md §"`VortexException` message sanitization"](../TODO.md)

adr/0004-resource-caps-read-options.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
- **Status:** Accepted — implementation pending
44
- **Date:** 2026-06-13
55
- **Deciders:** project maintainer
6-
- **Related:** [SECURITY.md](../SECURITY.md), [TODO.md §Resource caps](../TODO.md)
6+
- **Related:** [CLAUDE.md §Security contract](../CLAUDE.md), [TODO.md §Resource caps](../TODO.md)
77

88
## Context
99

@@ -170,6 +170,6 @@ a user-facing query limit, not a security cap.
170170

171171
## References
172172

173-
- [SECURITY.md — zip-bomb and depth-bomb mitigations](../SECURITY.md)
173+
- [CLAUDE.md §Security contract](../CLAUDE.md)
174174
- [TODO.md §Resource caps](../TODO.md)
175175
- [ADR 0003 — VortexException sanitization](0003-vortex-exception-sanitization.md)

0 commit comments

Comments
 (0)