Skip to content

refactor(knowledge): extract generic CUE compiler core and projection…#1

Open
ljahier wants to merge 7 commits into
mainfrom
chore/refine-into-knowledge-runtime
Open

refactor(knowledge): extract generic CUE compiler core and projection…#1
ljahier wants to merge 7 commits into
mainfrom
chore/refine-into-knowledge-runtime

Conversation

@ljahier

@ljahier ljahier commented Jul 16, 2026

Copy link
Copy Markdown
Member

… seams

mendral-app[bot]

This comment was marked as outdated.

mendral-app[bot]

This comment was marked as outdated.

@ljahier
ljahier force-pushed the chore/refine-into-knowledge-runtime branch from 876b1e6 to 97e6fde Compare July 16, 2026 03:50

@mendral-app mendral-app Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs attention — 1 issue in 1 file

The path-traversal vulnerability in sourceProvenance (runtime.go:480) flagged in the previous review remains unfixed — project.Package is joined to root and passed to WalkDir without the ..-escape guard that packageInstance in evaluator.go:629-641 implements. The rest of the new code is well-structured with good test coverage, consistent error handling, and appropriate bounds on the query API.

What this PR does

Extracts a generic CUE compiler core and transport-independent knowledge runtime with catalog, query, evaluation, and provenance APIs. Adds an optional CUE metadata contract (cue/knowledge/knowledge.cue), bounded query API with catalog validation, and named evaluation execution with JSON input overlays. The CLI health check is routed through the new runtime. All new files carry MPL-2.0 headers.

Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.

<assessment>
The path-traversal vulnerability in `sourceProvenance` (runtime.go:480) flagged in the previous review remains unfixed — `project.Package` is joined to root and passed to `WalkDir` without the `..`-escape guard that `packageInstance` in evaluator.go:629-641 implements. The rest of the new code is well-structured with good test coverage, consistent error handling, and appropriate bounds on the query API.
</assessment>

<file name="backend/internal/knowledge/runtime.go">
<issue location="backend/internal/knowledge/runtime.go:478">
`sourceProvenance` still joins `project.Package` to root without the `..`-escape check that `packageInstance` in `evaluator.go:629-641` carefully implements. A crafted `Package` value (e.g. `../../etc`) causes `WalkDir` to read arbitrary directories outside the module root. This was flagged in the previous review and remains unfixed.
</issue>
</file>

Tag @mendral-app with feedback or questions. View session

Comment on lines +478 to +481
packageDir := root
if project.Package != "" && project.Package != "." {
packageDir = filepath.Join(root, project.Package)
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security (P1): sourceProvenance still joins project.Package to root without the ..-escape check that packageInstance in evaluator.go:629-641 carefully implements. A crafted Package value (e.g. ../../etc) causes WalkDir to read arbitrary directories outside the module root. This was flagged in the previous review and remains unfixed.

Suggested change
Suggested change
packageDir := root
if project.Package != "" && project.Package != "." {
packageDir = filepath.Join(root, project.Package)
}
packageDir := root
if project.Package != "" && project.Package != "." {
if filepath.IsAbs(project.Package) {
return Provenance{}, fmt.Errorf("package must be a relative path")
}
packageDir = filepath.Join(root, project.Package)
rel, err := filepath.Rel(root, packageDir)
if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
return Provenance{}, fmt.Errorf("package path escapes module root")
}
}
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At backend/internal/knowledge/runtime.go, line 478:

<issue>
`sourceProvenance` still joins `project.Package` to root without the `..`-escape check that `packageInstance` in `evaluator.go:629-641` carefully implements. A crafted `Package` value (e.g. `../../etc`) causes `WalkDir` to read arbitrary directories outside the module root. This was flagged in the previous review and remains unfixed.
</issue>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant