security: defend all paths against .muse/ leaking into snapshots
Defense-in-depth: .muse/ VCS internals must never appear in working-tree snapshots. Four layers of protection now in place:
1. _collect_paths explicit-path branch (code_stage.py): _is_inside_muse_dir guard silently skips any path under .muse/ before staging.
2. _collect_paths -u/-A/no-path branches (code_stage.py): head_manifest iteration now skips keys starting with .muse/ so pre-fix corruption in a committed snapshot cannot be perpetuated by a restage.
3. run_add current_stage carry-forward (code_stage.py): updated_stage is initialized by filtering .muse/ entries from current_stage. Guards against the case where a commit was a no-op (snapshot matched HEAD after stripping) and therefore did not clear the stage.
4. CodePlugin.snapshot() (plugin.py): both the committed manifest and the stage entries are filtered at snapshot-build time, providing a last-resort guard regardless of how entries entered the stage.
Tests I7-I12 in TestSecurityI cover all four layers.
0 comments
muse hub commit comment sha256:b013815083fdd10f9d31261ba8e8df38340e8e0ab2811f0a165ffa2608578677 --body "your comment"
No comments yet. Be the first to start the discussion.