# Stage 02 Patch History & Bypass Review

Scan window: `git log -n "${PIOLIUM_COMMIT_SCAN_LIMIT:-500}" --since="${PIOLIUM_COMMIT_SCAN_SINCE:-60 days ago}" --all` (evaluated with defaults: 500 commits, since 60 days ago).  Keyword sweep focused on CVE/security/auth/token/allowlist/deploy/ssh/harden-related commits.

## Relevant historical fixes reviewed

| Commit | Area | Patch summary | Bypass attempts today | Conclusion |
|---|---|---|---|---|
| `8464287` / stash index `bff5334` | Dependency CVEs | Added root `overrides` for `postcss`, `tar`, `tmp`; upgraded `ws` in ingest services from `^8.18.3` to `^8.21.0`. | Checked current root and Docker workspace package manifests: overrides are present in both. Searched all package manifests for direct vulnerable `ws` pins: only ingest services use `^8.21.0`. No sibling service currently pins `ws`, `tar`, `tmp`, or `postcss` directly outside the override coverage. | **Sound** for manifest coverage. Residual risk is lockfile/install-policy dependent; no patch bypass found in source manifests. |
| `5ddfbfa` | Deploy allowlist | Removed broad `deployment/npm/` from `ALLOWED_REMOTE_UNTRACKED`, leaving only the exact signal-cli tarball. | Reviewed current `remoteGitPrecheck()`: it extracts the full untracked path and uses a shell `case` against a generated pattern containing only `deployment/docker/signal-cli-0.14.3-Linux-native.tar.gz`. Because the allowed pattern has no wildcard, paths such as `deployment/docker/signal-cli-0.14.3-Linux-native.tar.gz/evil`, `deployment/npm/x`, or other untracked deployment payloads do not match. Tracked modifications still fail closed. | **Sound**. No alternate deploy precheck path found in current `scripts/deploy.ts`. |
| `2865d56` | Deploy precheck pattern handling | Converted multiple allowed untracked paths into one case alternative pattern instead of emitting malformed case arms. | Current implementation first strips `?? ` into `path` and nests a second `case`, avoiding the earlier malformed pattern/line parsing issue. With a single exact allowlisted file, pattern differential bypass is not apparent. | **Sound**. |
| `39bac1e` plus later deploy hardening | VPS deployment safety | Introduced `scripts/deploy.ts` with local/remote cleanliness checks and non-interactive SSH. Later commits added remote resolution, local-server execution, runtime scopes, and tighter checks. | Checked for command injection through branch/remote names: branch and remote used in remote shell scripts are passed through `shellEscape()`. Checked untrusted config branches: `DEPLOY_NATIVE_SYSTEMCTL_PREFIX` is interpolated into shell scripts unescaped, but this is a local deploy-operator environment override; an attacker who controls it already controls the deployment process. Current-branch deploy requires clean local status and pushes the selected remote before remote switch/pull. | **Sound under intended trust model** (deploy operator controls environment). No remote attacker bypass identified. |
| `e70835e` | Native deploy SSH assumptions | Added `$HOME/.bun/bin` to PATH for native remote precheck/rollout/verification and ensured verification `cd`s into repo. | Not a security fix; reviewed for relocated command execution. It only adds a fixed PATH prefix and does not incorporate attacker-controlled input besides the deploy operator's environment. | **Not security-relevant / no bypass**. |
| `07a9b91` then `7d25608` | Alpaca auth handling | Initially removed deprecated key-pair auth in favor of single bearer token; later restored/normalized current Alpaca key-id + secret handling, including news worker wiring. | Current code centralizes auth in `packages/config/src/alpaca.ts`. Searched for old direct header construction and env names: ingest services call the shared resolver; docs still note legacy bearer fallback. The fallback is intentional compatibility, not an auth bypass, because it is only used when no explicit key-id/secret pair is configured. | **Relocated but currently centralized/sound**. Historical “fix” was corrected by later compatibility patch; no duplicate stale adapter path found. |

## Additional notes

- Several deploy/network commits (`21ec3eb`, `9901b13`/`1c0e2e5`, `cf7ddf3`, `d7e984c`, etc.) are operational hardening/removal of obsolete wrappers. Current repo has a single top-level `deploy` entrypoint invoking `scripts/deploy.ts`; no deprecated `deployment/npm` rollout path remains as an executable bypass surface.
- The `.env.example` and docs still list legacy Alpaca variables, but runtime behavior requires either a complete key-id/secret pair or the explicitly supported legacy bearer token. Missing partial credentials fail closed via `hasAlpacaCredentials()` callers.

## Overall conclusion

No currently exploitable patch bypass was identified in the reviewed security-relevant history. The highest-value checks were the deploy untracked-file allowlist and dependency-CVE manifest coverage; both are presently covered. Recommended follow-up: run dependency audit against the concrete `bun.lock`/container build outputs to confirm the manifest overrides are materialized in deployed artifacts.