islandflow/piolium/attack-surface/patch-bypass-summary.md

Stage 02 Patch History & Bypass Review

Scan window: git log -n "${PIOLIUM_COMMIT_SCAN_LIMIT:-500}" --since="${PIOLIUM_COMMIT_SCAN_SINCE:-60 days ago}" --all (evaluated with defaults: 500 commits, since 60 days ago). Keyword sweep focused on CVE/security/auth/token/allowlist/deploy/ssh/harden-related commits.

Relevant historical fixes reviewed

Commit	Area	Patch summary	Bypass attempts today	Conclusion
8464287 / stash index bff5334	Dependency CVEs	Added root overrides for postcss, tar, tmp; upgraded ws in ingest services from ^8.18.3 to ^8.21.0.	Checked current root and Docker workspace package manifests: overrides are present in both. Searched all package manifests for direct vulnerable ws pins: only ingest services use ^8.21.0. No sibling service currently pins ws, tar, tmp, or postcss directly outside the override coverage.	Sound for manifest coverage. Residual risk is lockfile/install-policy dependent; no patch bypass found in source manifests.
5ddfbfa	Deploy allowlist	Removed broad deployment/npm/ from ALLOWED_REMOTE_UNTRACKED, leaving only the exact signal-cli tarball.	Reviewed current remoteGitPrecheck(): it extracts the full untracked path and uses a shell case against a generated pattern containing only deployment/docker/signal-cli-0.14.3-Linux-native.tar.gz. Because the allowed pattern has no wildcard, paths such as deployment/docker/signal-cli-0.14.3-Linux-native.tar.gz/evil, deployment/npm/x, or other untracked deployment payloads do not match. Tracked modifications still fail closed.	Sound. No alternate deploy precheck path found in current scripts/deploy.ts.
2865d56	Deploy precheck pattern handling	Converted multiple allowed untracked paths into one case alternative pattern instead of emitting malformed case arms.	Current implementation first strips ?? into path and nests a second case, avoiding the earlier malformed pattern/line parsing issue. With a single exact allowlisted file, pattern differential bypass is not apparent.	Sound.
39bac1e plus later deploy hardening	VPS deployment safety	Introduced scripts/deploy.ts with local/remote cleanliness checks and non-interactive SSH. Later commits added remote resolution, local-server execution, runtime scopes, and tighter checks.	Checked for command injection through branch/remote names: branch and remote used in remote shell scripts are passed through shellEscape(). Checked untrusted config branches: DEPLOY_NATIVE_SYSTEMCTL_PREFIX is interpolated into shell scripts unescaped, but this is a local deploy-operator environment override; an attacker who controls it already controls the deployment process. Current-branch deploy requires clean local status and pushes the selected remote before remote switch/pull.	Sound under intended trust model (deploy operator controls environment). No remote attacker bypass identified.
e70835e	Native deploy SSH assumptions	Added $HOME/.bun/bin to PATH for native remote precheck/rollout/verification and ensured verification cds into repo.	Not a security fix; reviewed for relocated command execution. It only adds a fixed PATH prefix and does not incorporate attacker-controlled input besides the deploy operator's environment.	Not security-relevant / no bypass.
07a9b91 then 7d25608	Alpaca auth handling	Initially removed deprecated key-pair auth in favor of single bearer token; later restored/normalized current Alpaca key-id + secret handling, including news worker wiring.	Current code centralizes auth in packages/config/src/alpaca.ts. Searched for old direct header construction and env names: ingest services call the shared resolver; docs still note legacy bearer fallback. The fallback is intentional compatibility, not an auth bypass, because it is only used when no explicit key-id/secret pair is configured.	Relocated but currently centralized/sound. Historical “fix” was corrected by later compatibility patch; no duplicate stale adapter path found.

Additional notes

• Several deploy/network commits (21ec3eb, 9901b13/1c0e2e5, cf7ddf3, d7e984c, etc.) are operational hardening/removal of obsolete wrappers. Current repo has a single top-level deploy entrypoint invoking scripts/deploy.ts; no deprecated deployment/npm rollout path remains as an executable bypass surface.
• The .env.example and docs still list legacy Alpaca variables, but runtime behavior requires either a complete key-id/secret pair or the explicitly supported legacy bearer token. Missing partial credentials fail closed via hasAlpacaCredentials() callers.

Overall conclusion

No currently exploitable patch bypass was identified in the reviewed security-relevant history. The highest-value checks were the deploy untracked-file allowlist and dependency-CVE manifest coverage; both are presently covered. Recommended follow-up: run dependency audit against the concrete bun.lock/container build outputs to confirm the manifest overrides are materialized in deployed artifacts.