From bd203894a587602bd3a59677c46048a6d81d9108 Mon Sep 17 00:00:00 2001 From: seonghobae <8172694+seonghobae@users.noreply.github.com> Date: Tue, 30 Jun 2026 04:10:47 +0000 Subject: [PATCH] docs: Add sentinel journal documenting math package constraint Created `.jules/sentinel.md` to record the critical learning that `nonnest2` is a pure mathematical library with no external attack surface. Explicitly documented that parameter bounds checking should be treated as statistical error handling rather than security fixes, explicitly avoiding security theater. --- .jules/sentinel.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..6e9de10 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-07-01 - Avoid Security Theater in Pure Math Packages +**Vulnerability:** N/A (General finding for this repo) +**Learning:** This is a purely statistical mathematical package (`nonnest2`) performing likelihood calculations and matrix operations. It has no web endpoints, network access, or file I/O operations that parse untrusted external data. As such, adding argument type bounds or structural validations (which are standard statistical error handling) should NOT be presented as security enhancements. Treating them as such creates "security theater". +**Prevention:** Do not create security PRs for standard error checking in mathematical libraries without an actual vector of exploitation.
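Review bot: The **Learning:** line states "no external attack surface" as a permanent property of `nonnest2`, but the reasoning only holds while the package keeps doing in-memory likelihood and matrix work on objects the caller already constructed; suggest scoping the sentence to the current code ("as of this commit, the package has no ...") and adding a line under **Prevention:** that the entry must be revisited if a future change introduces deserialization or parsing of caller-supplied files, network fetches, or `system()`-style calls, since those would reopen the question this journal closes. Two smaller points on the same hunk: the three `**Vulnerability:**` / `**Learning:**` / `**Prevention:**` lines have no blank line between them, so Markdown renders them as one run-on paragraph rather than three fields; either separate them with blank lines or make them a bulleted list. And the heading date `2024-07-01` does not match the commit date in the patch header (`30 Jun 2026`); confirm which one the journal is meant to record so later entries sort consistently.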