Context
Review of branch codex/issue-2-ipc-timeouts found a mismatch between the new security posture documentation and the current direct-exec fallback implementation.
Affected code
docs/SECURITY_POSTURE_AND_TESTING.mdrust/src/native_app.rs
The docs now state:
direct executable fallback responses are still bounded by the same maximum
response size before JSON decoding
However, send_request_via_executable still uses Command::output(), which buffers the child process stdout completely before checking output.stdout.len() > MAX_BROKER_BYTES.
Impact
A fallback provider or directly executed APW app process that emits unbounded stdout can still grow CLI memory until the child exits. The current length check prevents oversized JSON from being accepted, but it does not bound the read before buffering.
Suggested fix
Either:
- implement a capped read path for direct-exec stdout, ideally with timeout handling consistent with the socket path, or
- narrow the documentation claim so it accurately says the direct-exec output is rejected after collection if it exceeds the maximum.
Acceptance criteria
- Documentation accurately reflects direct-exec behavior, or direct-exec output is actually bounded before full buffering.
- Add or update focused regression coverage if the implementation changes.
Context
Review of branch
codex/issue-2-ipc-timeoutsfound a mismatch between the new security posture documentation and the current direct-exec fallback implementation.Affected code
docs/SECURITY_POSTURE_AND_TESTING.mdrust/src/native_app.rsThe docs now state:
However,
send_request_via_executablestill usesCommand::output(), which buffers the child process stdout completely before checkingoutput.stdout.len() > MAX_BROKER_BYTES.Impact
A fallback provider or directly executed APW app process that emits unbounded stdout can still grow CLI memory until the child exits. The current length check prevents oversized JSON from being accepted, but it does not bound the read before buffering.
Suggested fix
Either:
Acceptance criteria