Skip to content

Harden shard readers and server surfaces#1

Merged
phenomenon0 merged 3 commits intomainfrom
codex
Mar 7, 2026
Merged

Harden shard readers and server surfaces#1
phenomenon0 merged 3 commits intomainfrom
codex

Conversation

@phenomenon0
Copy link
Contributor

@phenomenon0 phenomenon0 commented Mar 7, 2026

Summary

  • harden shard readers and server-facing surfaces across C, Go, Rust, and TypeScript
  • close decompression-bomb and offset-overflow gaps
  • add focused regressions for the audited issues

Included

  • C: overflow-safe entry offset/range validation in shard_v2
  • Go: request body limits, token caps, strict JSON decode, and HTTP timeouts for cmd/ucodec --serve
  • Rust: bounded zstd decompression and stricter range handling in readers
  • TypeScript: bounded zstd decompression and regression coverage

Verification

  • cd shard/c && make test_writer test_metadata test_streaming test_compression && ./test_writer && ./test_metadata && ./test_streaming && ./test_compression
  • cd shard/rs && cargo test --test compression_test --test fuzz_seeds_test --test metadata_test --test schema_test --test streaming_test --test writer_test
  • cd shard/ts && npm test
  • cd shard/ts && npm run build

Remaining Blockers

  • fixture-backed golden/safety suites still require the external ucodec/testdata corpus in this workspace
  • shard/go/cmd/ucodec still depends on unresolved existing Agent-GO module imports, so full build validation is blocked on dependency restoration

phenomenon0 and others added 3 commits March 7, 2026 16:38
@phenomenon0
Harden shard readers and server surfaces
085b3a7
@phenomenon0 @claude
ci: add CI workflow and restore golden/safety test fixtures
23ab985 
- Add cross-language CI (Go, Python, TypeScript, Rust, C) with publish gate
- Copy golden and safety fixture corpus from Agent-GO/cowrie/ucodec/testdata
- Unblocks golden, mmap-golden, and safety test suites across all languages

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@phenomenon0 @claude
fix(c): use-after-free in test_metadata — free buffer after closing r…
69e75d7 
…eader

shard_v2_from_buffer() borrows the pointer (owns_buf=false), so the
backing buffer must outlive the reader. Tests were freeing the buffer
immediately after from_buffer, causing crashes in CI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@phenomenon0 phenomenon0 merged commit 3369184 into main Mar 7, 2026
6 checks passed
@phenomenon0 phenomenon0 deleted the codex branch March 7, 2026 23:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@phenomenon0