From RedTeam pass 4 on PR #176 (#157), filed as a non-blocking follow-up.
The two hostile-filesystem tests in `tests/commands/scrub-archive.test.ts` (mode-444 unwritable surface; unwritable-backup-dir / ENOTDIR) rely on POSIX permission bits to force `EACCES`/`ENOTDIR`. Root ignores mode bits, so under a root UID these tests would silently no-op-pass (false green) instead of exercising the write-failure guard.
Today this is covered: CI runs the full suite non-root on macos-latest, so the permission bits are honored and the tests are meaningful. The risk is latent — if the full `bun test` is ever added to a root-container Ubuntu leg, these would false-green.
Harden: add a `process.getuid?.() === 0` skip-guard (skip + log when root) or an `fs.access` precondition assertion that fails loudly if the hostile precondition isn't actually in force. Low priority.
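One way to combine both suggestions, as an added example rather than code from the PR: a guard that skips (and logs) under uid 0 and otherwise asserts via `fs.accessSync` that the write really is refused before the test proceeds. The helper names (`isRoot`, `armHostilePrecondition`, `makeReadOnlyFile`) are this example's own, not from the scrub-archive test file.

```typescript
// Added example (not from the PR): precondition guard for hostile-filesystem
// tests that depend on POSIX mode bits being enforced.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

export type Precondition = "skip" | "armed";

/** True when the process runs as uid 0; getuid is absent on Windows. */
export function isRoot(): boolean {
  return process.getuid?.() === 0;
}

/**
 * Verify that `target` is really unwritable before a test relies on it.
 * Returns "skip" under root (mode bits are ignored, the test would
 * false-green) and "armed" when the OS actually refuses the write;
 * throws loudly if the hostile precondition is not in force.
 */
export function armHostilePrecondition(target: string): Precondition {
  if (isRoot()) {
    console.log(`skip: uid 0 ignores mode bits, cannot exercise ${target}`);
    return "skip";
  }
  try {
    fs.accessSync(target, fs.constants.W_OK);
  } catch (err) {
    const code = (err as { code?: string }).code;
    // EACCES: mode-444 surface; ENOTDIR: backup "dir" is really a file.
    if (code === "EACCES" || code === "EPERM" || code === "ENOTDIR") return "armed";
    throw err;
  }
  throw new Error(`hostile precondition not in force: ${target} is writable`);
}

/** Construct a mode-444 file in a fresh temp dir (sample input) and return its path. */
export function makeReadOnlyFile(): string {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "hostile-"));
  const file = path.join(dir, "surface.txt");
  fs.writeFileSync(file, "constructed sample\n");
  fs.chmodSync(file, 0o444);
  return file;
}
```

In a `bun test` file, call `armHostilePrecondition` at the top of each hostile test and `return` early on "skip" so the run stays honest about what it exercised.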