testsAndMisc/docs/superpowers/contracts/steam-backlog-whitelist-hardening-2026-05.json
Krzysztof kuhy Rudnicki cec80c0cb0 feat(steam_backlog_enforcer): harden whitelist against circumvention
- Remove skip_app_ids from user-editable Config; callers updated
- Split PROTECTED_APP_IDS: only Steam infra/Proton IDs remain; game
  IDs moved to a new time-locked exception system
- Add _whitelist.py: 24-hour cooldown on new exceptions, entropy-
  checked justification (>= 5 words), append-only audit log,
  chattr +i immutability on enforcement-critical config files
- Add is_protected_app() in game_install.py; used everywhere
  instead of direct PROTECTED_APP_IDS membership checks
- Add 'add-exception' CLI command (cmd_add_exception in main.py)
- Call promote_pending_exceptions() and lock_enforcement_files()
  in each _enforce_loop_iteration
- 590 tests, 100% branch coverage on all steam_backlog_enforcer modules
- Add .worktrees to .gitignore
2026-05-17 20:44:05 +02:00

20 lines
1.3 KiB
JSON

{
"title": "Steam Backlog Enforcer — Whitelist Circumvention Hardening",
"objective": "Prevent users from trivially bypassing the Steam Backlog Enforcer by editing config files or adding arbitrary app IDs to a whitelist. The enforcer must require a time-locked, reason-justified exception request for any non-infra app, with an immutable config file between enforce cycles.",
"acceptance_criteria": [
"skip_app_ids removed from Config; no caller passes it",
"PROTECTED_APP_IDS contains only Steam infra and Proton IDs",
"New exceptions require >=5-word justification with entropy check",
"New exceptions have a 24-hour cooldown before becoming active",
"Every exception request is appended to an append-only audit log",
"Enforcement-critical config files are locked with chattr +i after each enforce cycle",
"All steam_backlog_enforcer tests pass with 100% branch coverage",
"All pre-commit hooks pass (ruff, mypy, pylint, bandit, pytest)"
],
"out_of_scope": [
"Game assignment logic, HLTB integration, store-blocking, library hiding",
"Phone focus mode or linux_configuration changes"
],
"verifier": "pre-commit run --files <17 changed files> && pytest python_pkg/steam_backlog_enforcer/tests/ --cov=python_pkg.steam_backlog_enforcer --cov-branch --cov-fail-under=100"
}