Merge pull request #153 from Firstp1ck/feat/priviliage-improvements

feat: add sudo timestamp setup and security hardening

Author: Firstp1ck

.github/PULL_REQUEST_TEMPLATE.md

@@ -34,6 +34,13 @@ cargo fmt --all
 cargo clippy --all-targets --all-features -- -D warnings
 cargo test -- --test-threads=1
 RUST_LOG=pacsea=debug cargo run -- --dry-run
+
+# Security (mirrors .github/workflows/security.yml where tools are installed)
+./dev/scripts/security-check.sh
+# Individual checks if needed:
+# cargo audit
+# cargo deny check
+# gitleaks detect --source . --no-banner
 ```
 
 ## Screenshots / recordings (if UI changes)
@@ -69,6 +76,12 @@ Include before/after images or a short GIF. Update files in `Images/` if relevan
 - [ ] Code degrades gracefully if `pacman`/`paru`/`yay` are unavailable
 - [ ] No breaking changes (or clearly documented if intentional)
 
+**Security (CI):**
+- [ ] Ran `./dev/scripts/security-check.sh` before opening the PR (local mirror of the Security workflow: rustfmt, clippy, `cargo audit`, `cargo deny check`, gitleaks — skipped steps print install hints)
+- [ ] After adding or updating dependencies: `cargo audit` and `cargo deny check` pass (`deny.toml`); no new high-severity or license issues that would fail GitHub **dependency review** on this PR
+- [ ] No secrets or credential-like placeholders that would trip **gitleaks** (see `.gitleaks.toml` for allowlisted paths if you must add test fixtures)
+- [ ] Follows secure coding rules in `AGENTS.md` / `CLAUDE.md` (shell quoting, credentials, HTTP, paths) — see `dev/SECURITY_REMEDIATION_GUIDE.md` for remediation patterns
+
 **Other:**
 - [ ] Not a packaging change for AUR (otherwise propose in `pacsea-bin` or `pacsea-git` repos)
 

.github/workflows/security.yml

@@ -0,0 +1,117 @@
+name: Security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  schedule:
+    # Weekly Monday 06:00 UTC — catch new advisories between PRs
+    - cron: "0 6 * * 1"
+
+permissions:
+  contents: read
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+
+  # ── Dependency vulnerability scan ──────────────────────────────────────
+  # Checks Cargo.lock against the RustSec advisory database.
+  # Fails when cargo-audit reports known advisories in dependencies.
+  cargo-audit:
+    name: cargo audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+
+      - name: Run cargo audit
+        run: cargo audit
+
+  # ── Clippy with security-relevant lints ────────────────────────────────
+  # The main rust.yml only runs build + test. Clippy catches:
+  # - unwrap_used (deny) — panic vectors
+  # - pedantic / nursery (deny) — broad safety net
+  # - cognitive_complexity (warn → error via -D warnings)
+  # - missing_docs / missing_docs_in_private_items (warn → error)
+  clippy:
+    name: clippy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy
+
+      - name: Run clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
+
+  # ── Format check ──────────────────────────────────────────────────────
+  # Ensures no unformatted code slips through.
+  fmt:
+    name: rustfmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt
+
+      - name: Check formatting
+        run: cargo fmt --all -- --check
+
+  # ── Dependency diff review on PRs ──────────────────────────────────────
+  # Flags new/changed dependencies with known vulnerabilities or
+  # restrictive licenses before they land in main.
+  dependency-review:
+    name: dependency review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+          deny-licenses: AGPL-3.0-only, GPL-3.0-only
+          comment-summary-in-pr: on-failure
+
+  # ── Secret scanning ────────────────────────────────────────────────────
+  # Scans commits for accidentally committed secrets (API keys, tokens,
+  # private keys, passwords). Complements GitHub's built-in secret
+  # scanning with broader pattern coverage.
+  secrets:
+    name: secret scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # ── Cargo deny (advisories + license + ban) ────────────────────────────
+  # More comprehensive than cargo-audit alone: also checks licenses and
+  # can ban specific crates. Uses deny.toml for configuration.
+  cargo-deny:
+    name: cargo deny
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run cargo deny
+        uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          command: check

.gitignore

@@ -50,4 +50,14 @@ __pycache__/
 dev/COMMIT/*
 dev/PR/*
 
-pacsea.log
+pacsea.log
+
+dev/SECURITY_AUDIT_REPORT.md
+
+# Security: prevent accidental secret commits
+.env
+.env.*
+*.pem
+*.key
+credentials.json
+service-account.json

.gitleaks.toml

@@ -0,0 +1,24 @@
+# gitleaks configuration — suppress false positives
+# https://github.com/gitleaks/gitleaks#configuration
+
+[allowlist]
+  description = "Pacsea false positive suppressions"
+
+  # Generated rustdoc JS files contain Rust constant names (KEYCTL_CAPS0_*, FSCRYPT_*)
+  # that trigger generic-api-key due to entropy. These are not secrets.
+  paths = [
+    '''doc/.*\.js$''',
+  ]
+
+  # Test files with intentionally fake API keys / patterns
+  commits = [
+    "c2bc699bf3dddd75dd4d0c64f5b9084fe8806d82",
+    "8c8e90760b773a70d3a6f5358cf901f6123a3db9",
+  ]
+
+  # Placeholder/example VirusTotal key in shipped config template
+  regexTarget = "match"
+  regexes = [
+    '''abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890''',
+    '''b83e91a6ddb14ce20edddd2ad056abac5bd63338eb371becadd08b88fb1b20f4''',
+  ]

AGENTS.md

@@ -159,6 +159,60 @@ If config keys or schema change:
 | Function length | Clippy `too_many_lines` + `clippy.toml` | 150 lines |
 | Data flow / coupling | Manual design review; no lint — match existing module patterns | N/A |
 
+## Security rules
+
+These rules exist to prevent specific vulnerability classes identified in `dev/SECURITY_AUDIT_REPORT.md`. They are **mandatory** — not suggestions.
+
+### Shell command construction
+
+- **Never interpolate package names, file paths, or user input directly into shell command strings.** Always pass them through `shell_single_quote()` from `src/install/utils.rs` first.
+- When building shell commands with multiple package names, quote **each name individually** before joining:
+  ```rust
+  let quoted: Vec<String> = names.iter().map(|n| shell_single_quote(n)).collect();
+  let names_str = quoted.join(" ");
+  ```
+- When adding a new function in `src/install/` that constructs shell commands, verify that **every** variable fragment interpolated into `format!()` is either:
+  1. A constant/static string, **or**
+  2. Passed through `shell_single_quote()`, **or**
+  3. Validated against `^[a-z\d@._+-]+$` before use.
+- **Never use `format!()` with `sh -c` and unsanitized user data.** Prefer `Command::new().arg()` argument passing over string interpolation when possible — `Command` arguments are not interpreted by a shell.
+- On Windows, never pass unescaped strings into `cmd /C` or `cmd /K`. Use PowerShell with proper quoting or escape `&`, `|`, `>`, `<`, `^` for cmd.exe.
+
+### Password and credential handling
+
+- **Never log passwords.** Any function that writes command strings to disk (log files, temp scripts) must redact password pipe patterns (`printf '%s\n' '...' | sudo -S`) before writing. Replace the password with `[REDACTED]`.
+- **Never store passwords in plain `String`.** Use `SecureString` (zeroize-backed) from `src/state/types.rs` for all password fields. If `SecureString` does not exist yet, use `String` but add a `// TODO: migrate to SecureString` comment and a `zeroize` call on the containing struct's `Drop`.
+- When creating files that might contain sensitive data (log files, temp scripts), use `OpenOptions::mode(0o600)` on Unix to prevent world-readable permissions.
+- Never include passwords or credentials in `tracing::info!`, `tracing::debug!`, or `tracing::warn!` output. If you need to log that a password was provided, log `password_provided = true` — never the value.
+
+### Network and HTTP
+
+- All curl invocations must go through `curl_args()` in `src/util/mod.rs`. Do not construct raw curl commands.
+- `curl_args()` must include `--max-filesize 10485760` (10 MB) to prevent memory exhaustion from oversized responses. If this is not yet present, add it.
+- Never disable TLS certificate verification (`-k` / `--insecure`) on Linux builds. The Windows `-k` flag is a known issue tracked for removal.
+- URLs constructed from user input or API data must be validated to start with `http://` or `https://` before passing to curl. See `looks_like_http_url()` in `src/logic/repos/apply_plan.rs` for the pattern.
+
+### File system safety
+
+- **Validate all paths before writing.** Use or extend `is_safe_abs_path()` from `src/logic/repos/apply_plan.rs` for any privileged file write. Reject paths containing `..`.
+- **Create temp files atomically.** Use `OpenOptions::create_new(true).mode(0o700)` instead of `fs::write()` followed by `set_permissions()`. The `create_new` flag prevents symlink-following TOCTOU races.
+- When writing files under `~/.config/pacsea/`, create parent directories with `create_dir_all` but do not set overly permissive modes. Default umask-derived permissions are acceptable for non-sensitive files; use `0o600` for anything that could contain credentials.
+
+### Test environment overrides
+
+- Functions that check `PACSEA_INTEGRATION_TEST` or `PACSEA_TEST_*` environment variables must **not** bypass security checks in release builds. Gate them with `#[cfg(debug_assertions)]` or `#[cfg(test)]` so they compile to no-ops in release mode.
+- Never add new environment-variable-based test overrides that skip authentication, privilege checks, or input validation without a `#[cfg(debug_assertions)]` guard.
+
+### Dependency management
+
+- Run `cargo audit` after adding or updating dependencies. Resolve all **critical** and **high** advisories before merging.
+- Prefer direct dependencies over transitive ones for security-sensitive functionality. If a transitive dependency has an advisory, check if the parent crate can be updated to pull a fixed version.
+- Do not add dependencies that require `unsafe` for their core functionality unless there is no safe alternative and the crate is well-maintained.
+
+### Audit reference
+
+Full findings and remediation steps: `dev/SECURITY_AUDIT_REPORT.md` and `dev/SECURITY_REMEDIATION_GUIDE.md`.
+
 ## General rules
 - No unsolicited `*.md` / wiki / README edits.
 - Preserve dry-run semantics and graceful handling of missing external tools.

CLAUDE.md

@@ -159,6 +159,60 @@ If config keys or schema change:
 | Function length | Clippy `too_many_lines` + `clippy.toml` | 150 lines |
 | Data flow / coupling | Manual design review; no lint — match existing module patterns | N/A |
 
+## Security rules
+
+These rules exist to prevent specific vulnerability classes identified in `dev/SECURITY_AUDIT_REPORT.md`. They are **mandatory** — not suggestions.
+
+### Shell command construction
+
+- **Never interpolate package names, file paths, or user input directly into shell command strings.** Always pass them through `shell_single_quote()` from `src/install/utils.rs` first.
+- When building shell commands with multiple package names, quote **each name individually** before joining:
+  ```rust
+  let quoted: Vec<String> = names.iter().map(|n| shell_single_quote(n)).collect();
+  let names_str = quoted.join(" ");
+  ```
+- When adding a new function in `src/install/` that constructs shell commands, verify that **every** variable fragment interpolated into `format!()` is either:
+  1. A constant/static string, **or**
+  2. Passed through `shell_single_quote()`, **or**
+  3. Validated against `^[a-z\d@._+-]+$` before use.
+- **Never use `format!()` with `sh -c` and unsanitized user data.** Prefer `Command::new().arg()` argument passing over string interpolation when possible — `Command` arguments are not interpreted by a shell.
+- On Windows, never pass unescaped strings into `cmd /C` or `cmd /K`. Use PowerShell with proper quoting or escape `&`, `|`, `>`, `<`, `^` for cmd.exe.
+
+### Password and credential handling
+
+- **Never log passwords.** Any function that writes command strings to disk (log files, temp scripts) must redact password pipe patterns (`printf '%s\n' '...' | sudo -S`) before writing. Replace the password with `[REDACTED]`.
+- **Never store passwords in plain `String`.** Use `SecureString` (zeroize-backed) from `src/state/types.rs` for all password fields. If `SecureString` does not exist yet, use `String` but add a `// TODO: migrate to SecureString` comment and a `zeroize` call on the containing struct's `Drop`.
+- When creating files that might contain sensitive data (log files, temp scripts), use `OpenOptions::mode(0o600)` on Unix to prevent world-readable permissions.
+- Never include passwords or credentials in `tracing::info!`, `tracing::debug!`, or `tracing::warn!` output. If you need to log that a password was provided, log `password_provided = true` — never the value.
+
+### Network and HTTP
+
+- All curl invocations must go through `curl_args()` in `src/util/mod.rs`. Do not construct raw curl commands.
+- `curl_args()` must include `--max-filesize 10485760` (10 MB) to prevent memory exhaustion from oversized responses. If this is not yet present, add it.
+- Never disable TLS certificate verification (`-k` / `--insecure`) on Linux builds. The Windows `-k` flag is a known issue tracked for removal.
+- URLs constructed from user input or API data must be validated to start with `http://` or `https://` before passing to curl. See `looks_like_http_url()` in `src/logic/repos/apply_plan.rs` for the pattern.
+
+### File system safety
+
+- **Validate all paths before writing.** Use or extend `is_safe_abs_path()` from `src/logic/repos/apply_plan.rs` for any privileged file write. Reject paths containing `..`.
+- **Create temp files atomically.** Use `OpenOptions::create_new(true).mode(0o700)` instead of `fs::write()` followed by `set_permissions()`. The `create_new` flag prevents symlink-following TOCTOU races.
+- When writing files under `~/.config/pacsea/`, create parent directories with `create_dir_all` but do not set overly permissive modes. Default umask-derived permissions are acceptable for non-sensitive files; use `0o600` for anything that could contain credentials.
+
+### Test environment overrides
+
+- Functions that check `PACSEA_INTEGRATION_TEST` or `PACSEA_TEST_*` environment variables must **not** bypass security checks in release builds. Gate them with `#[cfg(debug_assertions)]` or `#[cfg(test)]` so they compile to no-ops in release mode.
+- Never add new environment-variable-based test overrides that skip authentication, privilege checks, or input validation without a `#[cfg(debug_assertions)]` guard.
+
+### Dependency management
+
+- Run `cargo audit` after adding or updating dependencies. Resolve all **critical** and **high** advisories before merging.
+- Prefer direct dependencies over transitive ones for security-sensitive functionality. If a transitive dependency has an advisory, check if the parent crate can be updated to pull a fixed version.
+- Do not add dependencies that require `unsafe` for their core functionality unless there is no safe alternative and the crate is well-maintained.
+
+### Audit reference
+
+Full findings and remediation steps: `dev/SECURITY_AUDIT_REPORT.md` and `dev/SECURITY_REMEDIATION_GUIDE.md`.
+
 ## General rules
 - No unsolicited `*.md` / wiki / README edits.
 - Preserve dry-run semantics and graceful handling of missing external tools.

CONTRIBUTING.md

@@ -89,7 +89,13 @@ Before committing, ensure all of the following pass:
    cargo test -- --test-threads=1
    ```
 
-5. **Check complexity (for new code):**
+5. **Run security checks (if tools installed):**
+   ```bash
+   ./dev/scripts/security-check.sh
+   ```
+   This runs `cargo audit`, `cargo deny`, `gitleaks`, and the fmt/clippy checks in one pass. Missing tools are skipped with install instructions.
+
+6. **Check complexity (for new code):**
    ```bash
    # Run complexity tests to ensure new functions meet thresholds
    cargo test complexity -- --nocapture
@@ -274,6 +280,8 @@ Step-by-step testing instructions.
 - [ ] Updated docs if behavior, options, or keybinds changed
 - [ ] For UI changes: included screenshots and updated `Images/` if applicable
 - [ ] Changes respect `--dry-run` and degrade gracefully if `pacman`/`paru`/`yay` are unavailable
+- [ ] `cargo audit` clean (no new high/critical advisories introduced)
+- [ ] Shell commands use `shell_single_quote()` for external data (package names, paths)
 - [ ] If config keys changed: updated README/wiki sections for `settings.conf`, `theme.conf`, and `keybinds.conf`
 - [ ] Not a packaging change for AUR (otherwise propose in `pacsea-bin` or `pacsea-git` repos)
 
@@ -308,6 +316,13 @@ If new config keys were added, document them here.
   - Update README if it's a major feature
   - Ensure backward compatibility when possible
 
+### Security
+- **Shell commands**: Never interpolate external data (package names, paths, user input) directly into shell strings. Use `shell_single_quote()` from `src/install/utils.rs` or pass arguments via `Command::new().arg()`.
+- **Credentials**: Never log passwords or tokens. Redact sensitive values before writing to disk. Use `0o600` permissions for files that could contain credential traces.
+- **Network**: All HTTP requests go through `curl_args()`. Never disable TLS verification on Linux. Validate URLs start with `http://` or `https://` before fetching.
+- **Dependencies**: Run `cargo audit` after adding or updating crates. High/critical advisories block merges.
+- Full rules and rationale: [`CLAUDE.md` → Security rules](CLAUDE.md) and [`dev/SECURITY_REMEDIATION_GUIDE.md`](dev/SECURITY_REMEDIATION_GUIDE.md).
+
 ### Platform behavior
 - **Dry-run**: All commands must respect `--dry-run` flag
 - **Graceful degradation**: Commands must degrade gracefully if `pacman`/`paru`/`yay` are unavailable