Kayos 104f49c441 clients/mcp: apply audit findings — release-blocker fix on upload (093021c → new) ... HIGH: - S1: upload_file allow-root + symlink-resolve + size-cap. Env: CLAWDFORGE_UPLOAD_ROOT (default cwd), CLAWDFORGE_UPLOAD_MAX_BYTES (default 100MiB). README updated with threat-model paragraph. LOW: - S2: logger.propagate = False (stdout discipline defense-in-depth) - S3: catch-all error message no longer echoes str(e) (host paths) - S4: whitelist healthz/upload tool response fields - S5: pattern-validate ff_* file tokens in run schema - C1: strict-bool guard on timeout_secs/ttl_secs - C2: coerce empty-string model/system to None Deps: - requests>=2.32 (CVE-2024-35195) - urllib3>=2.2.2 (CVE-2024-37891) - mcp>=1.2.0 Audit: memory/clawdforge-audits/mcp-093021c.md		2026-04-28 23:10:33 -07:00
..
bash	clients/bash: apply audit findings — security hardening + correctness fixes (347fdde → new)	2026-04-28 23:09:06 -07:00
c	clients/c: initial C SDK for clawdforge	2026-04-28 23:01:52 -07:00
cpp	clients/cpp: initial C++ SDK for clawdforge	2026-04-28 23:02:51 -07:00
csharp	clients/csharp: initial C# SDK for clawdforge	2026-04-28 22:53:09 -07:00
go	clients/go: apply audit findings — fmt + doc + test coverage (3c62613 → new)	2026-04-28 23:08:46 -07:00
java	clients/java: initial Java SDK for clawdforge	2026-04-28 22:49:06 -07:00
kotlin	clients/kotlin: initial Kotlin SDK for clawdforge	2026-04-28 23:04:24 -07:00
mcp	clients/mcp: apply audit findings — release-blocker fix on upload (093021c → new)	2026-04-28 23:10:33 -07:00
php	clients/php: initial PHP SDK for clawdforge	2026-04-28 22:41:02 -07:00
python	clients/python: apply audit findings (90e158f → next)	2026-04-28 23:07:38 -07:00
ruby	clients/ruby: apply audit findings (b1d6e3f -> new)	2026-04-28 23:07:49 -07:00
rust	clients/rust: initial Rust SDK for clawdforge	2026-04-28 22:35:16 -07:00
swift	clients/swift: initial Swift SDK for clawdforge	2026-04-28 22:48:27 -07:00
typescript	clients/typescript: initial TypeScript SDK for clawdforge	2026-04-28 22:42:46 -07:00