Skip to content

fix(evolution): constrain pending skill path operations#89

Draft
cursor[bot] wants to merge 3 commits into
mainfrom
cursor/critical-bug-investigation-7038
Draft

fix(evolution): constrain pending skill path operations#89
cursor[bot] wants to merge 3 commits into
mainfrom
cursor/critical-bug-investigation-7038

Conversation

@cursor
Copy link
Copy Markdown

@cursor cursor Bot commented Jun 3, 2026

Summary

  • Fixes a critical path traversal bug in pending skill read/confirm/reject paths where skill_name was joined directly under _evolved/_pending.
  • Adds a shared single-segment pending skill name validator in skilllite-evolution, applies it to mutating operations and desktop SKILL.md reads, and keeps valid pending skill confirm/reject behavior unchanged.
  • Adds regression tests proving absolute-path deletion and .. movement attempts are rejected while out-of-scope directories survive.

Task Linkage

  • Task ID: TASK-2026-067
  • Task folder: tasks/TASK-2026-067-pending-skill-path-safety/

Injected Specs

  • spec/architecture-boundaries.md (reviewed; no boundary changes)
  • spec/security-nonnegotiables.md (security fix)
  • spec/testing-policy.md (Rust code change)
  • spec/docs-sync.md (reviewed; no docs needed because no user-facing command/env/policy wording changed)

Validation Evidence

  • Commands executed:
    • cargo test -p skilllite-evolution pending_skill -- --nocapture
    • cargo test -p skilllite-evolution
    • cargo test -p skilllite-commands
    • cargo fmt --check
    • cargo clippy --all-targets -- -D warnings
    • cargo test
    • python3 scripts/validate_tasks.py
  • Key results:
    • Focused traversal tests: 3 passed; 0 failed; 94 filtered out
    • skilllite-evolution: 97 passed; 0 failed
    • skilllite-commands: 23 passed; 0 failed
    • Full workspace cargo test: passed
    • Task validation: Task validation passed (67 task directories checked)
    • Environment note: first validation attempt was blocked by Cargo 1.83 lacking edition 2024 support; updated stable toolchain to Rust/Cargo 1.96 per AGENTS.md, then validation passed.

Regression Scope

  • Areas likely affected:
    • skilllite evolution confirm|reject
    • Desktop evolution pending skill read/confirm/reject bridge
    • skilllite-evolution pending skill filesystem operations
  • Explicit non-goals:
    • No pending skill storage redesign
    • No command name or JSON output shape changes
    • No broader evolution policy changes

Docs Sync (EN/ZH)

  • Not needed
  • Updated EN + ZH docs
  • Files:
    • N/A

Review Checklist

  • Acceptance criteria in tasks/TASK-2026-067-pending-skill-path-safety/TASK.md satisfied
  • tasks/TASK-2026-067-pending-skill-path-safety/STATUS.md updated with latest progress
  • tasks/TASK-2026-067-pending-skill-path-safety/REVIEW.md includes merge readiness decision
  • tasks/board.md status is up to date
Open in Web View Automation 

cursoragent and others added 3 commits June 3, 2026 11:10
@cursoragent @EXboys
fix(evolution): constrain pending skill paths
cbe3de0 
Co-authored-by: EXboy <EXboys@users.noreply.github.com>
@cursoragent @EXboys
test(evolution): cover pending skill traversal
e552772 
Co-authored-by: EXboy <EXboys@users.noreply.github.com>
@cursoragent @EXboys
docs(task): record pending skill path safety validation
a02798c 
Co-authored-by: EXboy <EXboys@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cursoragent