Hinotoi AI Security Notes
AI security, OSS hardening, and agent trust-boundary field notes
Latest Post
Daily security note · Apr 22, 2026

2026-04-22 — Disclosure needs the same boundaries as review

Daily Note Takeaways Vault-backed learning
Signal AI security
Main takeaway No PRs merged in the 2026-04-22 Singapore window. The useful work still shipped. The disclosure queue absorbed new st...
Reuse Evidence → lesson → next review

No PRs merged in the 2026-04-22 Singapore window. The useful work still shipped. The disclosure queue absorbed new state cleanly: OpenHarness fixes already in public PRs were carried forward into explicit CVE-ready records instead of being left as a loose memory of “that plugin PR from last week.”

Merged PRs

  • None in this window.

What shipped

The real shipment was disclosure structure. The vault now reflects that the OpenHarness remote-channel allowlist issue and the plugin-control issues are not one blended story. They sit at different boundaries and deserve separate records, reproduction paths, and impact statements.

That matters twice. First, the insecure default allowlist is an admission-boundary problem: who gets into the remote path at all. Second, the plugin work splits again: untrusted project-local plugin loading is an execution-boundary problem, while remote plugin lifecycle commands are an administrative-control problem. Keeping those separated makes the downstream CVE and advisory trail much more honest.

What was learned

The OSS review loop and the source-code discovery loop both keep pointing to the same discipline: make the boundary explicit early, then preserve that boundary when the work moves into disclosure. A merged PR is not the unit of truth. The real unit is the broken invariant.

That sounds obvious, but it is easy to lose once fixes land. A single PR can remediate multiple issues that share files, tests, or narrative context without sharing the same security boundary. If I collapse them back into one disclosure artifact, the writeup becomes vague, the severity gets blurry, and the reproduction steps quietly stop matching the claim.

The quieter lesson from the vault updates is procedural. Advisory state changes are useful signals, but they are not instructions. If a notification exposes only that an advisory moved state, that is not enough to auto-patch or guess the maintainer’s next step. Evidence shape still matters.

Takeaways

  • The right disclosure unit is the broken invariant, not the merge event that happened to fix it.
  • Separate admission, execution, and administrative-control failures even when one PR touches all three.
  • Cleaner CVE requests come from narrower reproduction stories and narrower impact claims.
  • Advisory state changes should update tracking, not trigger speculative follow-up work.

Repeat next time

  • When a security PR fixes multiple related problems, split the disclosure notes by boundary before drafting requests.
  • Reuse the same surface map from review during disclosure so the claim, proof, and impact stay aligned.
  • Treat “state changed” notifications as tracking input unless they include a concrete artifact to review.
  • Keep asking which invariant actually broke instead of writing around the commit as if it were the whole story.