docs(security): Spec 077 — scanner simplification (spec/plan/tasks)#784

Merged
Dumbris merged 3 commits into main from 077-scanner-simplification
Jul 1, 2026

@Dumbris Dumbris commented Jul 1, 2026

Summary

Planning package (spec → plan → tasks) for Spec 077 — Scanner Simplification: make the deterministic offline detect engine (Spec 076) the always-on default scanner that needs zero Docker, and demote the six Docker scanner plugins + source-code extraction to an opt-in deep scan that never blocks or degrades the baseline verdict. Findings from all scanners merge into a single unified report.

This PR is docs/spec-only — no code. Implementation lands via per-user-story PRs that reference this spec.

What's inside specs/077-scanner-simplification/

  • spec.md — 4 prioritized user stories (US1 offline baseline · US2 unified report · US3 opt-in deep scan · US4 quiet notifications), 21 FRs, 8 measurable SCs.
  • plan.md — constitution check (all 6 principles pass; Security-by-Default nuance justified), structure, complexity tracking.
  • research.md — 8 grounded decisions (D1–D8) with rationale + alternatives.
  • data-model.md + contracts/ — unified ScanReport/Finding/DeepScanDescriptor + security.deep_scan config schema.
  • quickstart.md — 7 verification scenarios mapped to success criteria.
  • tasks.md — 42 TDD-first tasks organized by user story.

Key decisions

  • Delete the duplicate legacy tpaRules + legacy embedded-secret path; the detect engine is the sole in-process baseline.
  • Preserve today's blocking posture via one new hard-tier phrase_injection check (curated high-confidence phrases); broader phrasing stays soft/review-only.
  • security.deep_scan opt-in (off by default); baseline verdict is independent of deep-scan availability (no more confusing "degraded").
  • Quarantine state machine and the Docker plugins themselves are unchanged (out of scope).

Related: Spec 077 (specs/077-scanner-simplification)

Planning package for making the deterministic offline detect engine the
always-on default scanner and demoting the Docker scanners + source
extraction to an opt-in deep scan that never blocks or degrades the baseline
verdict, with a single unified report.

- specs/077-scanner-simplification/spec.md: 4 user stories, 21 FRs, 8 SCs
- plan.md: constitution check (all 6 principles), structure, complexity tracking
- research.md: 8 grounded decisions (D1-D8) + alternatives
- data-model.md + contracts/: unified report + security config schema
- quickstart.md: 7 verification scenarios
- CLAUDE.md: Recent Changes entry (speckit agent-context)

Docs/spec-only; no code touched. Implementation follows via per-story PRs.

Related: Spec 077 (specs/077-scanner-simplification)

cloudflare-workers-and-pages Bot commented Jul 1, 2026

Deploying mcpproxy-docs with Cloudflare Pages

Latest commit: 16e39db
Status: ⚡️ Build in progress...

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.

github-actions Bot commented Jul 1, 2026

📦 Build Artifacts

Workflow Run: View Run
Branch: 077-scanner-simplification

Available Artifacts

  • archive-darwin-amd64 (28 MB)
  • archive-darwin-arm64 (25 MB)
  • archive-linux-amd64 (16 MB)
  • archive-linux-arm64 (14 MB)
  • archive-windows-amd64 (28 MB)
  • archive-windows-arm64 (25 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (21 MB)
  • installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 28496544285 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

Dumbris added a commit that referenced this pull request Jul 1, 2026
… (Spec 077 US1)

Related #784
Related: Spec 077 (specs/077-scanner-simplification)

The detect-corpus validator (specs/065-evaluation-foundation/datasets) hardcodes
the set of coherent malicious categories and the gated-category coverage rules.
Spec 077 US1 promoted phrase_injection to a real gated hard category (registered
in cmd/scan-eval gateChecks + categoryCheck), so the validator must recognize it
or reject the new corpus entries.

## Changes
- validDetectCategory: accept malicious category "phrase_injection".
- gatedDetectCategories: add "phrase_injection" (now measured by the gate;
  capability_mismatch stays excluded — soft/measured-not-gated).
- hardNegPrefix: map "phrase_injection" -> "hn_phrase".
- Rename the two branch-local phrase_injection hard-negatives
  (hn_send_email/hn_upload_file -> hn_phrase_*) to satisfy the id-prefix
  convention. Pre-existing corpus entries untouched (append-only respected).

This STRENGTHENS coverage: the gate now requires phrase_injection to carry both
malicious samples and resembling hard-negatives.

## Testing
- go test ./... — all ok (exit 0); previously-failing
  TestDetectCorpus_SchemaAndProvenance + TestDetectCorpus_GatedCoverage pass.
- scan-eval --gate — recall 1.0000, fp 0.0000 (phrase_injection gated 7/7).
- golangci-lint v2 clean.
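
The gated-coverage and id-prefix rules described in the commit message above, sketched as an added Go example (not code from mcpproxy-go). The `Entry` struct, `ValidateCorpus` and the sample ids are assumptions; only the two map names, `phrase_injection` and the `hn_phrase` prefix come from the page.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is a hypothetical corpus record; the project's real schema is not shown on this page.
type Entry struct {
	ID, Category string
	Malicious    bool // false = hard-negative: benign text that resembles the category
}

// Map names follow the commit message; any other categories the project gates are unknown here.
var gatedDetectCategories = map[string]bool{"phrase_injection": true} // capability_mismatch stays out
var hardNegPrefix = map[string]string{"phrase_injection": "hn_phrase"}

// ValidateCorpus returns one message per violated rule (empty slice = corpus accepted).
func ValidateCorpus(entries []Entry) []string {
	var errs []string
	mal, neg := map[string]int{}, map[string]int{}
	for _, e := range entries {
		if e.Malicious {
			mal[e.Category]++
			continue
		}
		neg[e.Category]++
		// Hard-negatives must carry the category's id prefix so they stay attributable.
		if p, ok := hardNegPrefix[e.Category]; ok && !strings.HasPrefix(e.ID, p+"_") {
			errs = append(errs, fmt.Sprintf("%s: hard-negative id must start with %q", e.ID, p+"_"))
		}
	}
	// A gated category needs both sides, otherwise recall or false-positive rate is unmeasured.
	for cat := range gatedDetectCategories {
		if mal[cat] == 0 {
			errs = append(errs, cat+": gated category has no malicious samples")
		}
		if neg[cat] == 0 {
			errs = append(errs, cat+": gated category has no hard-negatives")
		}
	}
	return errs
}

func main() {
	// Constructed sample corpus: the second id uses the old naming and is rejected.
	corpus := []Entry{{"mal_phrase_001", "phrase_injection", true}, {"hn_send_email", "phrase_injection", false}}
	for _, e := range ValidateCorpus(corpus) {
		fmt.Println(e)
	}
}
```
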
Dumbris added 2 commits July 1, 2026 09:53
roadmap.yaml (from main via #785) references specs/077; regenerate the
rendered view so the per-spec badge (0/42, drafted) and the epic status row
reflect the spec landing in this PR. Keeps the roadmap-up-to-date CI check
green.

Related: Spec 077 (specs/077-scanner-simplification)
@Dumbris Dumbris merged commit 5b0cfbe into main Jul 1, 2026
1 check was pending
@Dumbris Dumbris deleted the 077-scanner-simplification branch July 1, 2026 06:53