chore: add scripts to list and read GHSA

Author: patriksimek

.claude/skills/fix-vulnerability/SKILL.md

@@ -24,15 +24,24 @@ Wear three hats simultaneously:
 
 ## Tools
 
-- **GitHub CLI (`gh`)** — authenticated. Use the **repository** security advisories endpoint (not `/advisories`, which only lists published ones):
+- **Repo scripts (preferred for advisory reads)** — the REST API does not expose advisory comment threads, so we scrape the authenticated web UI via a `GH_SESSION_COOKIE` stored in `.env`. Use these instead of the `gh` advisory endpoints whenever you need the **discussion / reporter messages**:
   ```bash
-  # Fetch a private repo advisory by GHSA ID
+  # List non-published advisories (draft / triage) — default
+  node scripts/list-advisories.mjs
+  # All states, or only published
+  node scripts/list-advisories.mjs --all
+  node scripts/list-advisories.mjs --published
+  # Read the full thread (initial report + every comment) for one advisory
+  node scripts/read-ghsa-thread.mjs GHSA-xxxx-xxxx-xxxx
+  ```
+  The cookie acquisition flow is documented in `scripts/read-ghsa-thread.mjs`. If a call dies with "cookie expired", refresh it before continuing — do not fall back to `gh api` for thread content.
+
+- **GitHub CLI (`gh`)** — authenticated. Use the **repository** security advisories endpoint for metadata, CVSS, CWE, affected versions, and for the **temporary private fork** workflow (see step 6):
+  ```bash
+  # Advisory metadata (PoC excerpt, CVSS, CWE, severity, status)
   gh api repos/patriksimek/vm2/security-advisories/GHSA-xxxx-xxxx-xxxx
-  # List all repo advisories (incl. draft / triage)
-  gh api repos/patriksimek/vm2/security-advisories
-  # Filter by state
-  gh api "repos/patriksimek/vm2/security-advisories?state=triage"
   ```
+  The thread / comments are NOT in this payload — use the scripts above for those.
 
 - **`docs/ATTACKS.md`** — institutional memory. Every fix you make updates this doc.
 
@@ -50,7 +59,16 @@ Identify the trust boundary in precise terms: which objects live in the host rea
 
 ### 2. Advisory deep-dive
 
-Fetch the full advisory with `gh`. Extract: the PoC, CVSS vector, CWE classification, and any linked priors the reporter references — **follow the full history chain**. Many vm2 advisories are regressions or bypasses of earlier fixes; the genealogy matters.
+Fetch the full advisory **and the discussion thread**:
+
+```bash
+gh api repos/patriksimek/vm2/security-advisories/<GHSA-id>   # metadata, CVSS, CWE
+node scripts/read-ghsa-thread.mjs <GHSA-id>                  # initial report + every comment
+```
+
+The thread is where reporters post follow-ups, bypass PoCs, and confirmation/rejection of your patches — it is not available via the REST API. Always read it in full before designing a fix, and re-read it after the reporter responds.
+
+Extract: the PoC, CVSS vector, CWE classification, and any linked priors the reporter references — **follow the full history chain**. Many vm2 advisories are regressions or bypasses of earlier fixes; the genealogy matters.
 
 Classify the vulnerability against ATTACKS.md's Tier 1 primitives (categories 1–5) and Tier 2 techniques (6–15). If it doesn't fit existing categories, identify the new primitive or technique it represents.
 
@@ -144,7 +162,60 @@ Apply the fix with minimal, self-contained diff. Comment every security-critical
 
 **Iterate with `/hacker`**: run the red-team skill against the patched tree. A bypass means the structural invariant is wrong, not that you need a tighter patch on the same line. Loop steps 5–7 until `/hacker` finds nothing.
 
-### 8. Document
+### 8. Commit to the temporary private fork
+
+Each advisory gets its own **temporary private fork** at `patriksimek/vm2-ghsa-<short-id>`. This fork is what the reporter (added as a collaborator on the advisory) sees and reviews; **never** push the embargoed fix to `origin` (`patriksimek/vm2`) until the advisory is published.
+
+**Check whether a fork already exists** as a git remote pointing at the GHSA-specific repo:
+
+```bash
+git remote -v | grep -i "vm2-ghsa-<short-id>" || echo "no remote yet"
+```
+
+Naming convention: the remote is conventionally named with the leading short-id chunk (e.g. `ghsa-248r` for `GHSA-248r-7h7q-cr24`), the repository is `patriksimek/vm2-ghsa-<full-id>`.
+
+**If the fork does NOT exist** — create it via the dedicated advisory-fork endpoint (not a generic `gh repo fork`). This endpoint creates the temporary private fork that is linked back to the advisory's UI:
+
+```bash
+# Create the temporary private fork for this advisory
+gh api -X POST repos/patriksimek/vm2/security-advisories/<GHSA-id>/forks
+# Response includes the new repo's full name and ssh_url; wire it up as a remote
+git remote add ghsa-<short-id> git@github.com:patriksimek/vm2-ghsa-<GHSA-id>.git
+```
+
+If the API call returns 202/Accepted, the fork is being created asynchronously — poll `gh api repos/patriksimek/vm2-ghsa-<GHSA-id>` until it returns 200 before pushing.
+
+**If the fork DOES exist** — this is a follow-up commit (e.g. reporter found a bypass, requested a tweak). Add an additional commit to the existing branch on that fork. Do not force-push or rebase prior commits the reporter has already reviewed.
+
+**Push the fix**:
+
+```bash
+git push ghsa-<short-id> HEAD:main          # or a dedicated fix branch
+```
+
+**Disclosure hygiene**:
+- Do not push to `origin` or open a public PR.
+- Commit messages MAY reference the GHSA ID — the fork is private and visible only to maintainers + reporter.
+- Never reference reporter names or embargo dates in commits, code comments, or `CHANGELOG.md`.
+
+### 9. Post-commit summary
+
+After every commit (initial fix or follow-up), produce a **short** summary of what changed and post it to the advisory thread / share with the user. Keep it terse — the details live in the diff, the tests, and `ATTACKS.md`.
+
+Template:
+
+```
+GHSA-<id> — <one-line description>
+
+Root cause: <one sentence>
+Fix: <one sentence pointing at the chokepoint, e.g. "added X check in lib/bridge.js apply trap">
+Tests: test/ghsa/<GHSA-id>/repro.js + N variants
+ATTACKS.md: category <N> (<new | updated>)
+```
+
+Do not restate the PoC, list every changed line, or rehash the threat model — the reporter can read the diff.
+
+### 10. Document
 
 Update `docs/ATTACKS.md` following the [Category Entry Format](../../../docs/ATTACKS.md#category-entry-format) at the top of the doc:
 
@@ -156,9 +227,7 @@ Update `docs/ATTACKS.md` following the [Category Entry Format](../../../docs/ATT
 
 Update `CHANGELOG.md` with a one-line entry under the next release: `fix(GHSA-xxxx-xxxx-xxxx): <one-line description>`.
 
-**Disclosure hygiene**: do not push the fix branch to a public remote, open a public PR, or reference the GHSA ID in commit messages until the advisory is published. For embargoed work, commit locally and coordinate per `SECURITY.md`.
-
-### 9. Final review
+### 11. Final review
 
 Answer every question with evidence:
 

.gitignore

@@ -1,4 +1,5 @@
 /node_modules
 .DS_Store
 .vscode
-/test.js
+/test.js
+.env

scripts/list-advisories.mjs

@@ -0,0 +1,214 @@
+#!/usr/bin/env node
+// List non-published GitHub Security Advisories on patriksimek/vm2.
+//
+// Uses the same session cookie as scripts/read-ghsa-thread.mjs. See that file
+// for cookie acquisition instructions.
+//
+// Usage:
+//   node scripts/list-advisories.mjs              # non-published (default)
+//   node scripts/list-advisories.mjs --all        # published too
+//   node scripts/list-advisories.mjs --published  # only published
+
+import { readFileSync, existsSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, resolve } from 'node:path';
+
+const OWNER = 'patriksimek';
+const REPO = 'vm2';
+const ENV_FILE = resolve(dirname(fileURLToPath(import.meta.url)), '..', '.env');
+
+function loadDotenv(path) {
+  if (!existsSync(path)) return;
+  for (const rawLine of readFileSync(path, 'utf8').split('\n')) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith('#')) continue;
+    const eq = line.indexOf('=');
+    if (eq === -1) continue;
+    const key = line.slice(0, eq).trim();
+    let val = line.slice(eq + 1).trim();
+    if ((val.startsWith('"') && val.endsWith('"')) || (val.startsWith("'") && val.endsWith("'"))) {
+      val = val.slice(1, -1);
+    }
+    if (!(key in process.env)) process.env[key] = val;
+  }
+}
+
+loadDotenv(ENV_FILE);
+
+function die(msg, code = 1) {
+  process.stderr.write(`error: ${msg}\n`);
+  process.exit(code);
+}
+
+function loadCookie() {
+  const c = process.env.GH_SESSION_COOKIE?.trim();
+  if (!c) die(`GH_SESSION_COOKIE not set. Add it to ${ENV_FILE} or export in your shell.`);
+  return c;
+}
+
+function decodeEntities(s) {
+  return s
+    .replace(/&/g, '&')
+    .replace(/&lt;/g, '<')
+    .replace(/&gt;/g, '>')
+    .replace(/&quot;/g, '"')
+    .replace(/&#39;/g, "'")
+    .replace(/&nbsp;/g, ' ')
+    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
+    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
+}
+
+function stripTags(s) {
+  return decodeEntities(s.replace(/<[^>]+>/g, '')).replace(/\s+/g, ' ').trim();
+}
+
+async function fetchPage(url, cookie) {
+  const res = await fetch(url, {
+    redirect: 'manual',
+    headers: {
+      cookie,
+      'user-agent': 'vm2-maintainer ghsa-list',
+      accept: 'text/html',
+    },
+  });
+  if (res.status >= 300 && res.status < 400) {
+    const loc = res.headers.get('location') || '';
+    if (loc.includes('/login')) {
+      die(`cookie expired. Refresh GH_SESSION_COOKIE (see scripts/read-ghsa-thread.mjs header).`);
+    }
+    die(`unexpected redirect to ${loc}`);
+  }
+  if (!res.ok) die(`HTTP ${res.status} fetching ${url}`);
+  const html = await res.text();
+  if (/<title>Sign in to GitHub/i.test(html)) {
+    die(`got login page despite 200 OK — cookie likely stale.`);
+  }
+  return html;
+}
+
+// Each row is an <li class="Box-row..."> containing a status icon, title link,
+// id, opened-by metadata, status label, and severity label.
+function parseRows(html) {
+  const rows = [];
+  const liRe = /<li\b[^>]*class="[^"]*Box-row[^"]*"[^>]*>([\s\S]*?)<\/li>/gi;
+  let m;
+  while ((m = liRe.exec(html)) !== null) {
+    const block = m[1];
+
+    const idM = block.match(/href="\/[^"]+\/security\/advisories\/(GHSA-[a-z0-9-]+)"/i);
+    if (!idM) continue;
+    const ghsa = idM[1];
+
+    const titleM = block.match(
+      /<a\b[^>]*href="\/[^"]+\/security\/advisories\/GHSA-[a-z0-9-]+"[^>]*class="[^"]*Link--primary[^"]*"[^>]*>([\s\S]*?)<\/a>/i,
+    );
+    const title = titleM ? stripTags(titleM[1]) : '(no title)';
+
+    const statusM = block.match(/aria-label="([A-Za-z]+) advisory"/i);
+    const status = statusM ? statusM[1] : null;
+
+    const sevM = block.match(/title="Severity:\s*([^"]+)"/i);
+    const severity = sevM ? sevM[1] : null;
+
+    const dateM = block.match(/<relative-time\b[^>]*datetime="([^"]+)"/i);
+    const date = dateM ? dateM[1] : null;
+
+    const verbM = block.match(/<span\b[^>]*class="opened-by"[^>]*>\s*([A-Za-z]+)\s*<relative-time/i);
+    const verb = verbM ? verbM[1] : null;
+
+    const authorM = block.match(/<a\b[^>]*class="author[^"]*"[^>]*href="\/([A-Za-z0-9-]+)"/i)
+      || block.match(/data-hovercard-url="\/users\/([A-Za-z0-9-]+)\/hovercard"/i);
+    const author = authorM ? authorM[1] : null;
+
+    // Fine-grained sub-status label (e.g. "Triage", "Draft") sits in a small
+    // <span title="X" class="Label Label--secondary">X</span> next to severity.
+    const subM = block.match(/<span\b[^>]*title="([^"]+)"[^>]*class="Label Label--secondary"/i);
+    const subStatus = subM ? subM[1] : null;
+
+    rows.push({ ghsa, title, status, subStatus, severity, verb, date, author });
+  }
+  return rows;
+}
+
+function parseNextPage(html, currentUrl) {
+  const m = html.match(/<a\b[^>]*aria-label="Next page"[^>]*href="([^"]+)"/i)
+    || html.match(/<a\b[^>]*href="([^"]+)"[^>]*aria-label="Next page"/i);
+  if (!m) return null;
+  return new URL(decodeEntities(m[1]), currentUrl).toString();
+}
+
+async function fetchAll(stateParam, cookie) {
+  const base = `https://github.com/${OWNER}/${REPO}/security/advisories`;
+  let url = stateParam ? `${base}?state=${stateParam}` : base;
+  const all = [];
+  const seen = new Set();
+  while (url) {
+    const html = await fetchPage(url, cookie);
+    const rows = parseRows(html);
+    for (const r of rows) {
+      if (seen.has(r.ghsa)) continue;
+      seen.add(r.ghsa);
+      all.push(r);
+    }
+    const next = parseNextPage(html, url);
+    if (!next || next === url) break;
+    url = next;
+  }
+  return all;
+}
+
+function fmtDate(iso) {
+  if (!iso) return '';
+  return iso.replace('T', ' ').replace(/\.\d+Z$/, 'Z');
+}
+
+function renderTable(rows) {
+  if (rows.length === 0) return '_No advisories matched._';
+  const lines = [];
+  lines.push('| GHSA | Title | Status | Severity | Opened | By |');
+  lines.push('|------|-------|--------|----------|--------|----|');
+  for (const r of rows) {
+    const status = r.subStatus || r.status || '?';
+    const sev = r.severity || '?';
+    const title = r.title.replace(/\|/g, '\\|');
+    const opened = fmtDate(r.date);
+    const verb = r.verb ? ` (${r.verb})` : '';
+    lines.push(`| ${r.ghsa} | ${title} | ${status} | ${sev} | ${opened}${verb} | ${r.author ? '@' + r.author : ''} |`);
+  }
+  return lines.join('\n');
+}
+
+async function main() {
+  const args = process.argv.slice(2);
+  let mode = 'non-published';
+  if (args.includes('--all')) mode = 'all';
+  else if (args.includes('--published')) mode = 'published';
+
+  const cookie = loadCookie();
+
+  let rows = [];
+  if (mode === 'published') {
+    rows = await fetchAll('published', cookie);
+  } else if (mode === 'all') {
+    const a = await fetchAll('triage', cookie);
+    const b = await fetchAll('published', cookie);
+    rows = [...a, ...b];
+  } else {
+    rows = await fetchAll('triage', cookie);
+  }
+
+  // Sort newest first.
+  rows.sort((a, b) => (b.date || '').localeCompare(a.date || ''));
+
+  const heading = mode === 'published'
+    ? `Published advisories — ${OWNER}/${REPO}`
+    : mode === 'all'
+      ? `All advisories — ${OWNER}/${REPO}`
+      : `Non-published advisories — ${OWNER}/${REPO}`;
+
+  process.stdout.write(`# ${heading}\n\n`);
+  process.stdout.write(`Total: ${rows.length}\n\n`);
+  process.stdout.write(renderTable(rows) + '\n');
+}
+
+main().catch((e) => die(e.stack || String(e)));