audit: SLSA v1.2 Build Track L3 isolation analysis (#216)

[TomHennen]

Closes #216 (the audit deliverable). Concrete fixes for the gaps the audit
finds are explicitly out of scope per #216 — each spawns its own follow-up
issue.

Summary

Adds docs/SLSA_L3_AUDIT.md and a short framing section in docs/SPEC.md.
The audit is verbatim-spec-quoted, source-verified for the
implementation-detail claims (uv, BuildKit, containerd), and produces a
per-builder MEETS / GAP table against SLSA v1.2 Build Track L3.

Verdicts

Builder	L3 isolation verdict
npm (npm sub-path)	MEETS WITH PRECONDITION — relies on npm ci re-verifying tarballs against package-lock.json on every install
npm (pnpm sub-path)	MEETS — cache disabled per #205 / #212
python (pip sub-path)	MEETS — setup-python cache not opted into
python (uv sub-path)	GAP — setup-uv defaults enable-cache: auto and uv's cache-hit code trusts pre-stored hashes from sidecar pointer files instead of re-hashing on use (source-verified against astral-sh/uv main). Same shape as the pnpm-store gap that #205 closed.
container	GAP — type=gha + mode=max combined with BuildKit's ingest-only digest check and GHA's branch-scoped cache rules makes cross-scope poisoning reachable from pull_request_target, default-branch, and parent-branch contexts (source-verified against moby/buildkit and containerd/containerd; cross-referenced with Adnan Khan and the TanStack postmortem).
shell	N/A — no provenance produced

The other four L3 requirements (Provenance Exists, Authentic, Unforgeable,
Hosted) are also covered. All MEET by-construction via wrangle's use of
generator_generic_slsa3.yml and the reusable-workflow consumption model
(build job: contents: read; provenance job: id-token: write in a separate
invocation).

Recommended remediation pattern

The audit's primary recommendation closes both GAP findings with one
structural change: gate caches on the same should-release signal wrangle
already uses to gate provenance creation.

• PR / dev events → caches enabled (fast iteration; PRs produce no L3
  attestation, so cache-poisoning is not an L3 concern at that layer).
• Release events → caches disabled (no shared mutable state; the bytes the
  generator signs over are derived without consulting any cross-build cache).

Wrangle already builds on every event including PRs, and already gates
provenance + verify + the adopter publish job on actions/release_gate's
should-release output. The cache configuration is the missing piece — and
adding it composes with the existing release-gate vocabulary instead of
inventing a parallel mechanism.

The audit also takes a position on PR-to-PR cache poisoning (which the
release-vs-PR asymmetry does not close): default unchanged, but document
the threat and expose adopter-tunable knobs (per-PR cache namespacing,
read-only cache-from, or a global cache-disabled mode), and dogfood the
strict knob on wrangle's own CI because wrangle's compromise propagates to
every adopter.

Build Track level, in binary terms

The MEETS / GAP verdicts above are the audit's analytical language. Translated
into the single-claim-per-workflow vocabulary wrangle's user-facing docs should
use (see the "Bottom line" table at the top of SLSA_L3_AUDIT.md):

Builder (via wrangle's reusable workflow)	Build Track level today
npm (npm sub-path)	Build L3
npm (pnpm sub-path)	Build L3
python (pip sub-path)	Build L3
python (uv sub-path)	Build L2 → Build L3 after Finding 1
container	Build L2 → Build L3 after Finding 2
shell	N/A — no provenance

Scope: this PR is the audit only

This PR delivers docs/SLSA_L3_AUDIT.md and nothing else. An earlier revision
also added a framing section to docs/SPEC.md; per review, that is reverted —
docs/SPEC.md is unchanged by this PR. Acting on the audit (the SPEC.md
rewrite, the README sweep, the two GAP-closing implementations) is follow-up
work, each its own issue.

Follow-up issues this audit suggests

Each becomes its own issue per the contract of #216:

1. Implement the release-vs-PR cache asymmetry on the container path (the L3 fix for Finding 2).
2. Implement the same asymmetry on the python uv path (the L3 fix for Finding 1).
3. Add adopter-tunable PR cache knobs (per-PR scope, read-only, cache: 'never') to the reusable workflows.
4. Adopt the strictest knob on wrangle's own CI (dogfooding).
5. Document the PR-to-PR threat and the available knobs in build-type READMEs.
6. (Highly recommended) Add a ::stop-commands:: guard around build_and_pack.sh / install_deps.sh / run_tests.sh invocations, mirroring the SLSA Go builder.
7. (Doc-only) Rewrite docs/SPEC.md to claim a single Build Track level (Build L2 / Build L3) per workflow — no "L3-for-signing vs L3-for-build-platform" distinction.
8. (Doc-only) Sweep the build-type READMEs (build/, build/actions/{container,npm,python}/, actions/scan/, gh_workflow_examples/) to match the per-builder Build Track levels above; today container and python-uv would read "Build L2".

Test plan

This is a documentation-only change. The repo's CI runs actionlint,
shellcheck, and bats; none of those touch markdown files.

• Skim the audit doc for style and accuracy
• Confirm docs/SPEC.md shows no diff (the framing tweak was reverted)
• Decide which follow-up issues to spawn

https://claude.ai/code/session_017TAfNBd612BTzqXMzkNYgE

---

Generated by Claude Code

[TomHennen]

Suggested Refinements
Strengthen Finding 3 (stop-commands): While you marked this as "Defense in Depth," I would argue it's highly recommended for Wrangle given your focus on "vibe-coding" and third-party script execution.

Self-Hosted Runner Warning: The audit mentions this in cross-cutting findings; I’d recommend making this a "Warning" block in the final SLSA_L3_AUDIT.md to ensure adopters don't accidentally invalidate their L3 status by moving to persistent runners.

[TomHennen]

Post-audit verification: uv --refresh doesn't actually close the gap

Followed up on the audit's Finding 1 mitigation menu by reading through astral-sh/uv main to verify each option. Two corrections / caveats worth threading into the audit, but flagging them as PR comments rather than editing the audit text since they're "post-audit verification" rather than part of the original deliverable.

Option 2 (uv sync --refresh) — does NOT close this vector for PyPI

The audit's framing ("same network cost as option 1 but more granular") implies --refresh causes a re-download. It doesn't, in the case that matters. The chain:

1. --refresh → Refresh::All(now) (crates/uv-cache/src/lib.rs:1373)
2. Marks entries Freshness::Stale → CacheControl::MustRevalidate (crates/uv-client/src/cached_client.rs:182)
3. Sets Cache-Control: no-cache on the request (cached_client.rs:495) — server gets to choose 304 vs 200.

PyPI wheel URLs are content-addressed and immutable, so the server returns 304 Not Modified essentially always. On 304, the branch at cached_client.rs:306–335 rewrites the cache-policy bytes and returns Payload::from_aligned_bytes(cached.data) — deserializing the existing Archive { id, hashes, filename } from the unchanged .http sidecar. The on-disk wheel bytes at cache().archive(&id) are never read or re-hashed. The downstream wheel.satisfies(policy) check then compares attacker-controlled archive.hashes against the lockfile's policy.hashes — passes trivially if the attacker stored coherent values.

Only the 200-Modified branch (distribution_database.rs:683–745) re-hashes via HashReader, and that branch is only taken when the upstream URL's content actually changed — precisely the case where no protection was needed.

Net effect: for the common PyPI case, --refresh is a no-op against the poisoning vector this audit describes. Suggest striking option 2 from the menu, or annotating it as "HTTP-revalidation, not on-disk re-hash; does not close this vector for immutable URLs."

For completeness: --reinstall controls site-packages reinstallation, not the cache — also doesn't close the gap. UV_NO_CACHE=1 does close it (uv-cache/src/cli.rs:43–46 allocates a fresh tempdir).

Option 3 (UV_CACHE_DIR=$RUNNER_TEMP/uv-cache) — caveat worth surfacing

"Ephemeral with $RUNNER_TEMP" only holds if no actions/cache step rehydrates the path before uv sync runs. If a workflow saves and restores $UV_CACHE_DIR under a stable key, the poisoning surface is re-created inside $RUNNER_TEMP and the protection collapses.

Wrangle itself doesn't wire up such a step today (Cross-cutting Finding #1 already notes no actions/cache calls anywhere in the repo), so the recommendation holds for wrangle's own consumption. But adopters who add their own caching around the wrangle composite need to be aware. Worth a sentence in option 3.

Doesn't change the verdict

GAP still stands. The audit's verdict line ("option (3) as default, option (1) as adopter opt-out") is still coherent — option (1) is straightforwardly correct and option (3) is fine with the caveat above. Just thought the --refresh finding was worth surfacing since "force-refresh" is the natural first instinct anyone would try, and the spec-suggestion would actively mislead them.

[TomHennen]

which reusable workflow are you referring to here? the wrangle reusable build workflow or the slsa generic one?

The wrangle one is fine I think and here you're referring to the SLSA one?

[TomHennen]

I think you're using Pattern A builders here before defining it.

[TomHennen]

Can you verify this? Looking at the code it's just checking to see if it has been hashed, not trying to check the contents itself. Be very careful in your analysis. You probably want to look at the 'matches' function.

Please redo the entire uv analysis with another agent to see if its conclusions match our original conclusions.

[TomHennen]

so where does the cache actually come from if the image is ephemeral? presumably there's some state kept somewhere?

[TomHennen]

Review feedback addressed

I worked through every unresolved review thread (and your own post-audit comment) and pushed the fixes to a separate branch: claude/review-pr-217-UV5aa — one commit, doc-only. You can cherry-pick / merge / squash into the PR branch as you prefer (or close it if you'd rather edit yourself).

Per-thread summary of what changed:

Line 67 — "Does SLSA make this distinction?"
No, SLSA doesn't use those terms verbatim. Added a paragraph immediately under the section heading explaining that "L3-for-signing" and "L3-for-build-platform" are this audit's shorthand mapping onto SLSA's "Provenance is Unforgeable" and "Isolated" requirements. The shorthand exists because the two are routinely conflated in adopter prose; the framing makes that distinction explicit.

Line 112 — "Did you check this one?"
The "MUST NOT open services that allow for remote influence" bullet. Added a paragraph just below the quoted spec block: every wrangle composite is verified to not start listening sockets / debug servers / remote-control endpoints. Outbound network calls (npm registry, PyPI, container registry, the docker/build-push-action push step) are client-side, not services the build opens. The externalParameters carve-out isn't needed.

Line 264 — "which reusable workflow are you referring to here?"
You read it right — meant wrangle's (build_and_publish_python.yml etc.), not SLSA's. Rewrote the caveat to spell that out explicitly, with the inline file reference and a parenthetical disambiguating it from the upstream SLSA generator's reusable workflow that wrangle's invokes internally.

Line 323 — "Pattern A used before defining it"
Correct, the term first appeared in the "Reusable workflows" section but the Pattern A vs B revisit is several sections later. Added an inline parenthetical defining Pattern A on first use (build logic inside an upstream-controlled reusable workflow) and Pattern B (wrangle's composite + generic generator approach), plus a forward link to the full Pattern A vs B revisit section.

Line 516 — "redo the uv analysis carefully; look at matches"
You were right that the original chain was incomplete. Spawned an independent verification agent, which traced the full path. Findings:

• has_digests (the original audit's "smoking gun") is algorithm-only — it calls has_required_algorithms (hash.rs:82–103) and only confirms the sidecar advertises some hash under the required algorithm.
• But that's not the only check. wheel.satisfies(policy) (preparer.rs:145–156) calls HashPolicy::matches (hash.rs:66–79), which does compare full (algorithm, digest) values against the lockfile (via HashDigest's derived PartialEq).

The cache-poisoning conclusion still stands — because both filters operate on hashes read from the sidecar, not from re-hashing the wheel bytes on disk. The on-disk wheel is never re-hashed on the cache-hit path. An attacker who can write $UV_CACHE_DIR writes a coherent (wheel, sidecar) pair and passes both filters trivially.

Rewrote the "Evidence — uv's cache-hit path does not re-hash on use" block to walk through both filters honestly with line-anchored URLs, and added a paragraph specifically saying "the second filter at first glance reads like the validation that would close the gap. It is not, because…" so a future reader reaching for the same suspicion you raised lands on the answer.

Line 693 — "where does the cache come from if the image is ephemeral?"
Good catch — the original "ephemeral" framing was sloppy. GitHub-hosted runners are ephemeral on the VM-image axis (on-disk state in ~/.cache/* etc. doesn't survive a runner reboot), but the GHA cache service that backs actions/cache and BuildKit's type=gha is a separate GitHub-managed cache backend, not part of the runner image — it's keyed by repo+branch scope and retrieved over the network at the start of each job. The runner is fresh, the cache contents are not, and that asymmetry is exactly what the uv / BuildKit findings exploit. Rewrote cross-cutting finding #4 to explain both axes explicitly.

While in that section, also promoted it to a Warning block per your general review note ("Self-Hosted Runner Warning"): the verdicts in this audit assume GitHub-hosted runners, and an adopter who moves to self-hosted runners may silently drop below SLSA L3-for-build-platform without any other change.

General review note — "Strengthen Finding 3"
Done. Renamed the finding from "(defense in depth)" to "(highly recommended)", rewrote the severity paragraph to spell out why wrangle in particular should treat ::stop-commands:: on par with Finding 1 and Finding 2 (the supply-chain attack class is wrangle's whole reason for existing, a compromise of wrangle propagates to every adopter, Pattern A's Go builder already does this), and tightened the recommendation to drop the "optional; nice-to-have" framing. Also updated the cross-references elsewhere in the doc.

Your own post-audit comment — --refresh and UV_CACHE_DIR caveat
Both incorporated into the uv mitigation menu:

• Option 2 (uv sync --refresh): rewrote with your traced chain showing it's a no-op for PyPI's immutable URLs. Documented as a trap (left in the list rather than struck so anyone reaching for the obvious "force refresh" fix lands on the explanation).
• Option 3 (UV_CACHE_DIR=$RUNNER_TEMP/uv-cache): added the caveat about adopter actions/cache rehydration collapsing the protection, with a note that wrangle itself uses no actions/cache calls (cross-cutting finding Get wrangle results displayed well (enough) #1) so the protection holds for wrangle's own invocation.

Verdict line updated to mark option (2) as listed-only-to-warn.

Diff is +170 / -44 on docs/SLSA_L3_AUDIT.md and nothing else — no YAML or shell changes, so the existing CI (actionlint / shellcheck / bats) is unaffected.

---

Generated by Claude Code

[TomHennen]

I generally find this pattern A/B distinction to be confusing.

The suggestion is that SLSA's builders are the only pattern A, while wrangle is only pattern B. However, wrangle currently provides both. Wrangles reusable workflows are Pattern A and the composite actions are Pattern B. Is that right? If so we should probably reconsider how we talk about them.

Is there a SLSA specific property we can use? Is the distinction really the difference between Provenance is Authentic and Provenance is Unforgeable? Alternatively, those are just the requirements we're talking about and a better distinction might be something about "reusable workflows provided by another org" vs "actions provided by another org that we run ourselves". Maybe just "reusable vs direct" to in shorthand?

[TomHennen]

I think wrangle needs to be very clear about discouraging direct usage of builds.

[TomHennen]

In a cache poisoning attack we could worry about two major classes...

1. Cache lookups aren't content addressed and an attacker can cause a lookup for 'foo' to resolve to a bad thing and then cause later uses of 'foo' to be bad too.
2. Cache lookups are content addressed. An attacker can get a bad thing into the cache but it will only be used if someone uses the bad hash to do the lookup. This is typically hard. It can probably only be exploited if an attacker has the ability to modify files within the cache out of band? E.g. they can mess with the sidecar? If the hash is verified at entry into the cache, but not verified later that's a problem if the attacker has write access to the cache itself (they can change the bytes) but not a problem if they don't.

Is that right? Please be thorough.

[TomHennen]

It looks like you do mention this below... "an attacker who can write to $UV_CACHE_DIR writes
both the wheel and the sidecar as a coherent pair"

Is it fair to assume the attacker has write access to this directory? Is there anything we can do to prevent it? What does SLSA Build L3 require?

[TomHennen]

Second review round addressed

Pushed cde656b to the PR branch (claude/issue-216-agents-qM7Hn). Doc-only, +260 / -118 on docs/SLSA_L3_AUDIT.md.

Pattern A/B is confusing — agreed, and you diagnosed it exactly: the audit's "Pattern A/B" conflated two orthogonal axes. Dropped the term entirely:

• SLSA architecture axis now uses SLSA's real terms — ecosystem-specific builder (build runs inside the trusted upstream reusable workflow, e.g. builder_go_slsa3.yml) vs generic generator (generator_generic_slsa3.yml, signs only). Wrangle uses the generic generator. So no — wrangle's reusable workflows are not "Pattern A"; they're wrangle-authored wrappers around the generic generator. That mis-mapping was the whole problem.
• Wrangle consumption axis now uses your reusable vs direct shorthand consistently.
• The section heading "Pattern A vs Pattern B revisit" → "Ecosystem-specific builders vs the generic generator", rewritten to open with an explicit statement that the two axes are orthogonal.

Discourage direct usage — renamed the section to "Direct composite consumption (NOT a supported L3 path)" and added a Warning block: reusable workflows are the only supported way to obtain wrangle's L3 claims; direct composite consumption is for non-L3 use only, and an adopter on that path must not advertise L3. The adopter-facing findings now flag the README doc work as a priority item (false-assurance risk), not a nicety.

Two classes of cache poisoning — "is that right?" — yes, your model is right. Added a "Threat model" subsection to the uv section. uv's cache hit is your class 2: lookup is by package URL/version, the hash lives in the sidecar, and the on-disk wheel is never re-hashed at use — so the attack requires writing a coherent (wheel, sidecar) pair into cache storage. (For contrast: npm's npm ci does re-hash at use, which is why npm is MEETS-with-precondition and uv is GAP — that's the single distinguishing factor.)

Is it fair to assume write access? What does L3 require? — yes, and the mechanism is the GHA cache service round-trip, not persistent-runner compromise. setup-uv's cache integration saves $UV_CACHE_DIR to the GHA cache service at job end and restores it at job start. Any build that runs uv with caching on therefore has write access to the shared cache later builds restore — a malicious dependency hook / poisoned pyproject.toml script / malicious test in one build poisons the cache, setup-uv publishes it, and GHA's branch-scoped rules let later builds restore it. Exactly the #205 pnpm vector. SLSA L3's "Isolated" requirement is categorical ("output MUST be identical whether or not the cache is used"), so the only roads are (a) re-hash on use — uv-upstream-only — or (b) don't consume a shared cache for L3-attested builds, which is what the release-vs-PR asymmetry does.

Are wrangle's caches actually on GitHub's Actions cache service? — yes for three of four:

• npm cache: npm → setup-node calls actions/cache internally → GHA cache service.
• uv → setup-uv defaults enable-cache: auto → saves/restores $UV_CACHE_DIR via the GHA cache service.
• container type=gha → BuildKit talks to the GHA cache API directly.
• pip is the exception — wrangle doesn't set cache: on setup-python, so ~/.cache/pip is per-run/local only.

Rewrote cross-cutting finding #1 to say this explicitly: "no direct actions/cache calls" was true but misleading, since the cross-build cache service is the backing store for the npm/uv/container surfaces and its branch-scoped sharing is what the GAP findings exploit.

I had a quick clarifying exchange with the repo owner before reworking the Pattern A/B framing (it was a structural call with a few viable directions) — the approach above reflects that.

The review branch claude/review-pr-217-UV5aa is kept in sync.

---

Generated by Claude Code

[TomHennen]

I don't think wrangle should make this distinction. it's too confusing to readers.

Instead wrangle should only ever claim "Build L2" or "Build L3" for any given workflow or method of using wrangle. Please check other docs that might need updating.

[TomHennen]

Agreed, and kept simple: this PR stays just the audit. Acting on it — the SPEC.md rewrite, the README sweep, the two GAP-closing implementations — is follow-up work, each its own issue per the contract of #216.

Pushed e7a118b (doc-only):

• Reverted the docs/SPEC.md "SLSA L3 claims" section this PR added. docs/SPEC.md is now back to its exact pre-PR state — no SPEC change ships in this PR.

• Added a "Bottom line" table near the top of SLSA_L3_AUDIT.md translating the per-builder verdicts into the binary vocabulary you asked for — each workflow is Build L2 or Build L3, nothing finer:

  Builder	Build Track level today
  npm (npm sub-path)	Build L3
  npm (pnpm sub-path)	Build L3
  python (pip sub-path)	Build L3
  python (uv sub-path)	Build L2 → Build L3 after Finding 1
  container	Build L2 → Build L3 after Finding 2
  shell	N/A — no provenance

• The audit still uses "L3-for-signing / L3-for-build-platform" internally as analytical shorthand — it's the language the per-builder analysis is written in — but it's now explicitly labelled audit-only, with a note that wrangle's user-facing docs must not use it.

The docs/SPEC.md rewrite (single Build-Track-level claim per workflow) and the README sweep are now in the PR's follow-up list as their own doc-only issues. Today the container and python-uv READMEs would drop to "Build L2" until Findings 1 and 2 land.

[TomHennen]

Follow-up to my note above: you said not to use "SLSA L3 for signing" anywhere, so I've gone further than "audit-only shorthand."

Pushed 29dae64 — the "L3-for-signing / L3-for-build-platform" shorthand is now removed from the audit entirely. Every occurrence (~20) is replaced with the SLSA v1.2 spec's own requirement names, "Provenance is Unforgeable" and "Isolated". The section that defined the shorthand ("The central framing…") is retitled "The two L3 requirements this audit turns on" and rewritten to introduce them by spec name instead of coining a term.

grep -rn 'L3-for-signing\|L3 for signing\|L3-for-build-platform' across docs/, README.md, build/, actions/ now returns nothing.

PR diff vs merge-base is still exactly one file: docs/SLSA_L3_AUDIT.md.

[TomHennen]

below you suggest option 1. My preference is for option 1 anyways (safer).

Can you confirm and update the audit?

[TomHennen]

Confirmed — and you caught a real internal inconsistency. The uv-path verdict line (line 792) recommended option (3) as default with option (1) as opt-out, but Finding 1 further down recommends option (1). Option (1) is the safer lever, so I've converged everything on it.

Pushed f02550f:

• uv-path verdict line now recommends option (1) — disable the uv cache on the release path. Rationale spelled out: option (1) removes the shared-cache surface entirely, so SLSA's "output MUST be identical whether or not the cache is used" holds categorically; option (3)'s ephemeral-cache protection is only conditional (it relies on $RUNNER_TEMP staying ephemeral and on no adopter actions/cache step rehydrating the path — the caveat the audit already documents). Option (3) is demoted to an explicit fallback.
• Release-vs-PR implementation sketch (Python uv path) — dropped the UV_CACHE_DIR framing in the prose; it now describes option (1) (enable-cache: false on release), matching the YAML example that was already shown there.
• Finding 1 recommendation — names option (1) explicitly, cross-links the mitigation menu, and marks option (3) as the conditional fallback.

All three spots now point the same way: option (1) is the default, option (3) is the fallback for when release-gate plumbing is deferred. Doc-only; PR diff vs merge-base is still just docs/SLSA_L3_AUDIT.md.