[M053] Unsafe `new Function()` Removal

[keithah]

Roadmap source: kodiai-roadmap.md

• Phase: Phase 1 — Stop the Bleeding
• Milestone: M053

Slice M053/S01 — Delete or relocate src/phase28-inline-minconfidence-live-check.ts

What this is

A one-off live-check script was committed to src/ alongside index.ts and config.ts and never cleaned up. Its body:

export function runTemplate(template: string, payload: Record<string, unknown>): unknown {
  // Intentionally unsafe for live review validation.
  const evaluator = new Function("payload", `with (payload) { return ${template}; }`);
  return evaluator(payload);
}

is an eval by another name. It is not imported by anything under src/ today (grep confirms zero consumers), which means the only cost of removing it is proving nothing transitively uses it. It is a live footgun: any future module can import it and weaponize it.

Why now

Phase 4 (M031 security hardening) will add env allowlists and secret scanning on publish paths. Landing those guards with a reachable-from-src/ new Function() expression in the tree contradicts the contract M031 is trying to establish. One-line fix, high signal-to-noise.

Acceptance criteria

• src/phase28-inline-minconfidence-live-check.ts no longer exists under src/. If the live-check is still needed, it lives at scripts/phase28-inline-minconfidence-live-check.ts with a script-level comment that says "one-off diagnostic, not for import from src/".
• bun test passes.
• A repo-wide grep for new Function( returns zero hits under src/. Any remaining matches in scripts/ or fixtures/ are annotated with a comment explaining the intent.
• .gsd/DECISIONS.md gets a new entry (D-M053-01) stating the contract: new Function() and equivalent dynamic evaluators are forbidden in src/.

Files to touch

• src/phase28-inline-minconfidence-live-check.ts — delete (or git mv to scripts/).
• .gsd/DECISIONS.md — append D-M053-01.
• .gsd/milestones/M053/M053-SUMMARY.md — create using the M051 template.

Verify contract

• Command: bun run verify:m053
• Script: scripts/verify-m053.ts
• Report type: M053_Report
• Status codes: m053_ok (pass), m053_unsafe_eval_in_src (any new Function( match under src/), m053_missing_decision_record (D-M053-01 not present).
• Check IDs: no_new_function_in_src, phase28_file_absent_or_relocated, decision_record_present.

Blocks

Phase 4 (M031) should not start until this lands.

---

Phase 2 — Truthful Planning Surface

Theme: Make .gsd/ and the top-level docs match reality. Every gap here is a documentation lie that costs future-you context.

Sequencing rationale: This phase can run in parallel with Phase 1 because it touches zero runtime code. Do it now while the memory of what happened in M035–M052 is fresh.

Milestone	Title	Slices
M054	GSD v2 Planning Artifact Repair	S01, S02, S03, S04
M055	Top-Level Docs Accuracy Pass	S01, S02, S03

[keithah]

Prioritization note:

• High priority, quick win.
• Run this immediately after the first wiki-defect pair is underway, or in parallel if someone wants a short isolated cleanup.
• This removes the new Function() footgun from src/ before the security hardening work in [Queued] Resolve carried-forward milestones M027, M028, M029, M031, M032 #91 (M031) lands.