[M053] Unsafe new Function() Removal #92

@keithah

Roadmap source: kodiai-roadmap.md

  • Phase: Phase 1 — Stop the Bleeding
  • Milestone: M053

Slice M053/S01 — Delete or relocate src/phase28-inline-minconfidence-live-check.ts

What this is

A one-off live-check script was committed to src/ alongside index.ts and config.ts and never cleaned up. Its body:

export function runTemplate(template: string, payload: Record<string, unknown>): unknown {
  // Intentionally unsafe for live review validation.
  const evaluator = new Function("payload", `with (payload) { return ${template}; }`);
  return evaluator(payload);
}

is an eval by another name. It is not imported by anything under src/ today (grep confirms zero consumers), which means the only cost of removing it is proving nothing transitively uses it. It is a live footgun: any future module can import it and weaponize it.

Why now

Phase 4 (M031 security hardening) will add env allowlists and secret scanning on publish paths. Landing those guards with a reachable-from-src/ new Function() expression in the tree contradicts the contract M031 is trying to establish. One-line fix, high signal-to-noise.

Acceptance criteria

  • src/phase28-inline-minconfidence-live-check.ts no longer exists under src/. If the live-check is still needed, it lives at scripts/phase28-inline-minconfidence-live-check.ts with a script-level comment that says "one-off diagnostic, not for import from src/".
  • bun test passes.
  • A repo-wide grep for new Function( returns zero hits under src/. Any remaining matches in scripts/ or fixtures/ are annotated with a comment explaining the intent.
  • .gsd/DECISIONS.md gets a new entry (D-M053-01) stating the contract: new Function() and equivalent dynamic evaluators are forbidden in src/.

Files to touch

  • src/phase28-inline-minconfidence-live-check.ts — delete (or git mv to scripts/).
  • .gsd/DECISIONS.md — append D-M053-01.
  • .gsd/milestones/M053/M053-SUMMARY.md — create using the M051 template.

Verify contract

  • Command: bun run verify:m053
  • Script: scripts/verify-m053.ts
  • Report type: M053_Report
  • Status codes: m053_ok (pass), m053_unsafe_eval_in_src (any new Function( match under src/), m053_missing_decision_record (D-M053-01 not present).
  • Check IDs: no_new_function_in_src, phase28_file_absent_or_relocated, decision_record_present.

Blocks

Phase 4 (M031) should not start until this lands.


Phase 2 — Truthful Planning Surface

Theme: Make .gsd/ and the top-level docs match reality. Every gap here is a documentation lie that costs future-you context.

Sequencing rationale: This phase can run in parallel with Phase 1 because it touches zero runtime code. Do it now while the memory of what happened in M035–M052 is fresh.

| Milestone | Title | Slices |
|---|---|---|
| M054 | GSD v2 Planning Artifact Repair | S01, S02, S03, S04 |
| M055 | Top-Level Docs Accuracy Pass | S01, S02, S03 |
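
One way the three checks in the "Verify contract" section above could be implemented, as an added example that is not the project's scripts/verify-m053.ts. It runs over an in-memory snapshot of the repo (path to contents); the report fields, the status precedence and the name verifyM053 are assumptions.

```typescript
// Added example, not the project's scripts/verify-m053.ts. Report fields, status
// precedence and the in-memory repo snapshot are assumptions.
type Status = "m053_ok" | "m053_unsafe_eval_in_src" | "m053_missing_decision_record";
type CheckId = "no_new_function_in_src" | "phase28_file_absent_or_relocated" | "decision_record_present";

interface M053_Report {
  status: Status;
  checks: Record<CheckId, boolean>;
  hits: string[]; // "path:line" for each new Function( match under src/
}

const PHASE28 = "src/phase28-inline-minconfidence-live-check.ts";
const DECISIONS = ".gsd/DECISIONS.md";
// Tolerates same-line whitespace that a literal grep for "new Function(" would miss.
const NEW_FUNCTION = /\bnew\s+Function\s*\(/;

// files: repo-relative POSIX path -> file contents.
function verifyM053(files: Record<string, string>): M053_Report {
  const hits: string[] = [];
  for (const path of Object.keys(files)) {
    if (!/^src\//.test(path)) continue; // scripts/ and fixtures/ are out of scope here
    (files[path] || "").split("\n").forEach((line, i) => {
      if (NEW_FUNCTION.test(line)) hits.push(`${path}:${i + 1}`);
    });
  }
  const checks: Record<CheckId, boolean> = {
    no_new_function_in_src: hits.length === 0,
    phase28_file_absent_or_relocated: files[PHASE28] === undefined,
    decision_record_present: /\bD-M053-01\b/.test(files[DECISIONS] || ""),
  };
  // Assumed precedence: unsafe code in src/ is reported before a missing record.
  const status: Status =
    !checks.no_new_function_in_src || !checks.phase28_file_absent_or_relocated
      ? "m053_unsafe_eval_in_src"
      : !checks.decision_record_present
        ? "m053_missing_decision_record"
        : "m053_ok";
  return { status, checks, hits };
}

// Constructed snapshot of the tree before the fix (file contents abbreviated).
const SAMPLE_BEFORE: Record<string, string> = {
  [PHASE28]: 'const evaluator = new Function("payload", `with (payload) { return ${template}; }`);',
  [DECISIONS]: "# Decisions\n",
};
console.log(verifyM053(SAMPLE_BEFORE).status); // m053_unsafe_eval_in_src
```

A real runner would build the snapshot by walking the working tree and would exit non-zero on any status other than m053_ok.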
