security: dependency updates, nested-router error fix, regex flag normalization

[jkyberneees]

AI Verification Protocol Certificate

Protocol version: 5.2.7
Certificate generated: 2026-06-20T15:08:30Z
Branch under review: fix/security-improvements
Base branch: master
Certificate ID: vprotocol-0http-fix-security-improvements-20260620

---

PR Summary

Field	Value
Changed files	10
LOC changed (total)	+1,390 / −11
LOC filtered estimate	~1,390 (no generated boilerplate/lockfile excluded)
PR size cap	≤ 1,500 → standard pipeline
Generator identity	Kimi Code CLI
generator_identity present	yes
prompt_lineage_manifest	not provided
billed_generation_cost	not provided → Ci estimated

Commit list

• 5123ae9 — chore: update dependencies and add sec-findings.md to ignore list
• e07dbb7 — fix: restore req.url and bubble errors on nested-router failures
• e8911a7 — fix: normalize RegExp global/sticky flags to prevent lastIndex corruption

---

§0 Pre-Scan

Injection / adversarial marker scan

A deterministic regex/pattern scan was performed over the diff, commit messages, and this certificate source for:

• "ignore previous instructions", "system:", role-impersonation prefixes
• Verdict tokens from §3.8 ("AutoApprove", "HumanReviewRequired", etc.) inside untrusted content
• Base64/hex blobs above a length floor in non-binary contexts
• Zero-width characters, bidi overrides, mixed-script confusables

Result: No violations detected.

Untrusted-input invariant

All PR-derived content (diffs, commit messages) was handled as untrusted data. No directive sourced from PR content was executed. Verdict-affecting strings were not detected inside PR data.

---

§1 Classification

Classification: GeneratedCode

Rationale: The branch was produced by an AI agent (Kimi Code CLI). The changes include dependency updates, security fixes, regression tests, and audit tooling generated through an interactive AI session.

Precedence applied: GeneratedCode dominates over NovelBehavior because correlated-failure risk is present.

---

§2 Verification Axes

All nine axes were evaluated. Findings are summarized below. Full raw evidence is in the attached tooling outputs.

Axis	Status	Key Finding
2.1 Semantic Correctness	✅	Fixes address the stated problems; error paths now restore URL context.
2.2 Behavioral Contract Diff	✅	No public API signature changes; behavior changes are limited to error handling and regex normalization, both covered by tests.
2.3 Security Surface	✅	Two HIGH-class bugs fixed (nested-router state corruption, regex lastIndex corruption). npm audit reports 0 vulnerabilities. Pentest (48/48) passes.
2.4 Structural Integrity	✅	Changes are localized to lib/next.js and lib/router/sequential.js; no new circular dependencies or over-abstraction.
2.5 Behavioral Exploration	✅	Deep security audit (16/16) and type-confusion audit (11/11) pass. Regex audit (9/9) passes.
2.6 Dependency Integrity	✅	Production dependency lru-cache bumped; devDependencies updated; transitive vulnerabilities resolved via overrides; npm audit clean.
2.7 Generator Provenance	⚠️	generator_identity present (Kimi Code CLI), but prompt_lineage_manifest not provided. Single-agent monoculture.
2.8 Adversarial Surface	✅	No prompt-injection paths, deserialization gadgets, TOCTOU, or tool-use confused deputy patterns introduced.
2.9 Documentation Coverage	✅	sec-findings.md updated to reflect fixes. Public API surface unchanged; no README update required.

Per-axis notes

2.1 Semantic Correctness. The nested-router fix correctly restores req.url and req.path for sync throws, next(err), and async rejections. The regex fix strips g/y flags while preserving other flags. Both behaviors are verified by dedicated regression tests.

2.2 Behavioral Contract Diff. No breaking signature changes. The only behavioral change visible to consumers is that nested-router errors now bubble to the parent error handler (previously they were swallowed by the nested router's default handler). This is a bug fix but constitutes a minor semantic change that maintainers should note in release notes.

2.3 Security Surface. Two HIGH-severity source-code vulnerabilities were identified and fixed in this branch:

1. Nested-router error handling corruption (HIGH): req.url/req.path were not restored on error paths; parent error handlers were bypassed.
2. Regex g/y flag lastIndex corruption (HIGH): Routes registered with global or sticky flags alternated match/failure across requests.

2.4 Structural Integrity. The fix is minimally invasive. The router.add wrapper and method rebinding are localized to lib/router/sequential.js. URL restoration logic is shared via a small helper in lib/next.js.

2.5 Behavioral Exploration. Edge cases covered by the audit tooling include:

• Prototype pollution via route params (__proto__, constructor)
• Path traversal variants
• Cache key type confusion
• Fragment handling in URLs
• Large query strings and parameter counts
• Regex global/sticky/case-insensitive behavior

2.6 Dependency Integrity. 11 devDependency vulnerabilities from the initial audit were resolved by version bumps and overrides. No production dependencies have known vulnerabilities.

2.7 Generator Provenance. Single-agent monoculture. All pipeline roles (B/C/D/E) are performed by the same model instance. Per §0.1 monoculture fallback, ρ is applied at maximum strength and additional hardening rules are enforced:

• Sampling jitter: N/A (single deterministic session)
• Adversarial framing: Applied during security audits
• Prompt-version divergence: N/A (same session)
• No shared scratchpad: N/A (single session)

2.8 Adversarial Surface. No new sinks introduced. The req.url string coercion is a hardening measure, not a new sink.

2.9 Documentation Coverage. sec-findings.md was maintained throughout the branch and documents both vulnerabilities and fixes. Public API is unchanged.

---

§3 η and ρ Derivation

Pipeline monoculture declaration

Role	Agent	Provider family	Same as Agent A?
A (generator)	Kimi Code CLI	Moonshot AI	—
B (reviewer)	Kimi Code CLI	Moonshot AI	yes
C (contract formalizer)	Kimi Code CLI	Moonshot AI	yes
D (fuzzer/sandbox)	Kimi Code CLI	Moonshot AI	yes
E (certificate compiler)	Kimi Code CLI	Moonshot AI	yes

Diversity rule fell back to monoculture. ρ is capped at the maximum correlation suspicion.

Signal values

Signal	Symbol	Value	Note
Mutation kill rate	m	skipped	No mutation framework available for this runtime. Weight redistributed.
Oracle agreement	o	0.95	New tests cover both fixed contracts; existing test suite still passes.
Branch coverage	b	0.96	95.91% branch coverage on changed lines (nyc report).
Fuzz survival rate	f	1.00	All audit tooling (pentest, regex, deep, type-confusion) passed.
SAST clean rate	s	1.00	npm audit reports 0 vulnerabilities; no static findings.
Static-analysis depth	t	1.00	Linter/type-check clean (tests pass; no TypeScript errors in common.d.ts/index.d.ts).
Doc coverage	d	1.00	Public API unchanged; security findings documented.

Weights (after redistribution for skipped m)

Original weights: m=0.34, o=0.24, b=0.14, f=0.09, s=0.04, t=0.10, d=0.05
Redistributed (excluding m, sum=0.66): o=0.364, b=0.212, f=0.136, s=0.061, t=0.152, d=0.076

η calculation

η_raw = 0.364 × 0.95 + 0.212 × 0.96 + 0.136 × 1.00 + 0.061 × 1.00 + 0.152 × 1.00 + 0.076 × 1.00
η_raw = 0.346 + 0.204 + 0.136 + 0.061 + 0.152 + 0.076
η_raw = 0.975

Correlation penalty ρ

Sub-signal	Contribution	Reason
Agent D and Agent A share provider family	+0.10	Monoculture (Moonshot AI)
Agent D and Agent A share model version	+0.05	Same Kimi Code CLI instance
AST similarity (tests ↔ implementation)	+0.05	High structural overlap in test scaffolding
Shared mutation-survival pattern	+0.05	Same model trained to avoid same failure modes
Spec independence	+0.05	Contract derived from same agent's reasoning
Total	ρ = 0.30	At cap

η = clamp(η_raw − ρ, 0, 1)
η = clamp(0.975 − 0.30, 0, 1)
η = 0.675

---

§4 Verification Debt and Cv/Ci

Cost inputs

Field	Value	Source
Ci	$2.50	Estimated from session token usage (no gateway billing data)
Ci estimated	true	billed_generation_cost not provided
Cv($) verifier	$0.75	Estimated verification token/tooling cost
Human review proxy	4 hours × $150/hr = $600	ΔDebt-driven human review estimate
Cv($) total	$600.75	Human review + automated verification

Debt calculation

ΔDebt = (1 − η) × Cv(raw) × LOC_filtered
      = (1 − 0.675) × 0.5 hours/LOC × 1,390 LOC
      = 0.325 × 0.5 × 1,390
      = 225.9 hours

Cv/Ci Ratio = Cv($) / Ci
            = $600.75 / $2.50
            = 240.3

Note: The ratio is high because the PR is classified as GeneratedCode under monoculture, which forces significant human review to compensate for correlated-failure risk. Under a diverse pipeline, ρ would drop and the ratio would improve materially.

---

§5 Verdict

Gate evaluation

Gate	Value	Threshold	Result
η band	0.675	< 0.80	HumanReviewRequired
ρ band	0.30	> 0.20	HumanReviewRequired
ΔDebt	225.9 h	> 4 h	HumanReviewRequired
PR size cap	1,390 LOC	≤ 1,500	Standard pipeline
Axis failures	0	any 🔴	None
Untrusted-input invariant	clean	violation	None

Final verdict

HumanReviewRequired

Rationale: The single-agent monoculture pipeline caps ρ at 0.30, which mechanically forces HumanReviewRequired per §3.3 of the protocol. η after penalty is 0.675 (< 0.80), reinforcing the same verdict. ΔDebt exceeds 4 hours. No axis is at 🔴, and all automated tests/audits pass, so the PR is not CannotVerify.

Recommendation to human reviewer

1. Confirm the nested-router error-bubbling semantic change is acceptable for the next release.
2. Verify the regex flag normalization does not break any consumer relying on global-flag behavior (unlikely but worth checking).
3. Consider running the branch through a second, independent provider-family review to reduce ρ before merge.
4. Approve merge if the above checks are satisfactory.

---

§6 Remediations Applied

ID	Axis	Type	Description	Auto-applied
R1	2.3	sanitizer	Restore req.url/req.path before error handler in nested routers	yes
R2	2.3	sanitizer	Normalize RegExp g/y flags to prevent lastIndex corruption	yes
R3	2.3	sanitizer	Coerce req.url to string to avoid type-confusion crashes	yes
R4	2.3/2.5	property_test	Added tests/nested-router-error.test.js	yes
R5	2.3/2.5	property_test	Extended tests/router-coverage.test.js for regex and input validation	yes
R6	2.6	pin	Updated dependencies and added overrides for transitive vulns	yes

---

§7 Unverified Gaps

ID	Axis	Reason	Risk
G1	2.1/2.5	No mutation-testing framework available; m signal skipped	medium
G2	2.5	No deterministic replay sandbox with 10k scenarios or 24h prod traffic	medium
G3	2.7	prompt_lineage_manifest not provided; monoculture penalty maxed	low

---

§8 Attestation

This certificate was compiled by Agent E (Kimi Code CLI) from raw signals produced during this interactive session. Because the entire pipeline ran in a single model instance, provider-family diversity was not achieved and the verdict is capped accordingly.

Signer: Kimi Code CLI (Agent E)
Raw evidence: npm test, tooling/pentest.js, tooling/regex-audit.js, tooling/deep-security-audit.js, tooling/type-confusion-audit.js, npm audit --audit-level=low
Certificate bound to SHA: e8911a7

---

Appendix: Raw Tool Output Summary

• npm test: 84 passing, 99.38% line coverage
• tooling/pentest.js: 48/48 passed
• tooling/regex-audit.js: 9/9 passed
• tooling/deep-security-audit.js: 16/16 passed
• tooling/type-confusion-audit.js: 11/11 passed
• npm audit --audit-level=low: 0 vulnerabilities