Hi team — I reviewed the hook automation paths in arscontexta and found several places where secure defaults could be improved.
Important context: this report is about hardening and trust boundaries. It does not claim malicious intent.
Summary
Current behavior is convenient for trusted single-user workflows, but risky in adversarial or mixed-trust environments.
Findings
- Broad auto-staging + commit-hook bypass
hooks/scripts/auto-commit.sh uses git add -A and commits with --no-verify.- Risk: accidental staging of sensitive/unrelated files and bypass of local security hooks.
- Repo-local script execution from SessionStart
hooks/scripts/session-orient.sh runs bash ops/scripts/reconcile.sh --compact if present.- Risk: arbitrary repo-local execution surface at session start.
- Raw context injection into model context
session-orient.sh emits raw file content (self/goals.md, self/identity.md, etc.) directly into the conversation context.- Risk: prompt-injection-style instruction smuggling via vault content.
- Fail-open vault detection / marker auto-creation
hooks/scripts/vaultguard.sh auto-creates .arscontexta based on fallback checks.- Risk: hooks can activate in places where explicit opt-in was not intended.
Proposed hardening (minimal breakage)
- Add a
security_mode config with default strict.
- In strict mode, replace
git add -A with an allowlisted set of paths.
- In strict mode, disable
--no-verify by default (allow explicit override).
- Gate
reconcile.sh execution behind explicit opt-in (allow_reconcile_exec: false default).
- Treat loaded file content as untrusted data:
- wrap in clear delimiters,
- prepend non-instructional framing,
- cap size per file.
- Require explicit marker presence for activation (no fallback auto-create in strict mode).
- Document this threat model in
SECURITY.md (“trusted personal vault” vs “shared/untrusted repo”).
Why this helps
These changes preserve current UX for trusted workflows (compat mode) while giving security-conscious users a safer default profile.
If useful, I can open a PR with a backward-compatible strict/legacy toggle.
Hi team — I reviewed the hook automation paths in
arscontextaand found several places where secure defaults could be improved.Important context: this report is about hardening and trust boundaries. It does not claim malicious intent.
Summary
Current behavior is convenient for trusted single-user workflows, but risky in adversarial or mixed-trust environments.
Findings
hooks/scripts/auto-commit.shusesgit add -Aand commits with--no-verify.hooks/scripts/session-orient.shrunsbash ops/scripts/reconcile.sh --compactif present.session-orient.shemits raw file content (self/goals.md,self/identity.md, etc.) directly into the conversation context.hooks/scripts/vaultguard.shauto-creates.arscontextabased on fallback checks.Proposed hardening (minimal breakage)
security_modeconfig with defaultstrict.git add -Awith an allowlisted set of paths.--no-verifyby default (allow explicit override).reconcile.shexecution behind explicit opt-in (allow_reconcile_exec: falsedefault).SECURITY.md(“trusted personal vault” vs “shared/untrusted repo”).Why this helps
These changes preserve current UX for trusted workflows (compat mode) while giving security-conscious users a safer default profile.
If useful, I can open a PR with a backward-compatible strict/legacy toggle.