github · osaurus01a1194ae8e3

Evidence

"path": "/health",

                    "methods": ["GET"],

                    "description": "Health check endpoint",

                    "auth": "none"

                  }

                ]

              }

RemediationAI

The health check endpoint in ToolsCreate.swift explicitly sets `"auth": "none"`, allowing unauthenticated access to a sensitive endpoint. Change the manifest entry to `"auth": "bearer"` and implement Bearer token validation in the handler using a middleware that extracts and validates the Authorization header before processing the request. This ensures only authenticated clients can reach the health endpoint. Verify by attempting a request without an Authorization header—it should return 401 Unauthorized.

Evidence

"path": "/callback",

        "methods": ["GET"],

        "description": "OAuth 2.0 callback handler",

        "auth": "none"

      },

      {

        "id": "webhook",

RemediationAI

The OAuth callback handler in PLUGIN_AUTHORING.md documentation example declares `"auth": "none"`, which is unsafe for a callback endpoint that processes sensitive OAuth state. Replace `"auth": "none"` with `"auth": "oauth"` and implement CSRF token validation and state parameter verification in the callback handler. This prevents attackers from forging callback requests. Test by sending a callback request without valid state/CSRF tokens—it should reject the request.

Evidence

"path": "/callback",

                            "methods": ["GET"],

                            "description": "OAuth callback",

                            "auth": "none"

                        },

                        {

                            "id": "webhook",

RemediationAI

The OAuth callback endpoint in PluginTests.swift test fixture declares `"auth": "none"`, leaving the callback vulnerable in test scenarios that may be copy-pasted into production. Update the test manifest to use `"auth": "oauth"` and mock the OAuth state validation in the test setup. This ensures tests validate authentication logic rather than bypassing it. Run the test and confirm it fails if the mocked OAuth state is invalid.

Evidence

"path": "/callback",

        "methods": ["GET"],

        "description": "OAuth 2.0 callback handler",

        "auth": "none"

      },

      {

        "id": "webhook",

RemediationAI

The OAuth callback handler documentation example in PLUGIN_AUTHORING.md repeats the `"auth": "none"` pattern, which could mislead plugin authors to deploy insecure endpoints. Update all documentation examples to show `"auth": "oauth"` with accompanying code snippets demonstrating state parameter and CSRF token validation. This sets the correct security baseline for developers. Verify by reviewing the updated docs to ensure no examples show disabled auth for sensitive endpoints.

Evidence

"path": "/health",

                            "methods": ["GET"],

                            "description": "Health check endpoint",

                            "auth": "none"

                          }

                        ]

                      }

RemediationAI

The health check endpoint in ToolsCreate.swift again declares `"auth": "none"`, allowing any caller to probe the server. Change `"auth": "none"` to `"auth": "bearer"` and add a Bearer token check in the health endpoint handler. For health checks, consider using a separate internal-only endpoint or requiring a valid API key. Test by calling the endpoint without credentials—it should return 401.

Evidence

FROM alpine:latest

RUN mkdir -p /run /tmp

RemediationAI

The Dockerfile uses `FROM alpine:latest`, which pulls an unpinned image that can change unexpectedly and breaks reproducibility. Replace `FROM alpine:latest` with a specific pinned version like `FROM alpine:3.18.4` (check the current stable release). This ensures consistent builds and allows signature verification. Verify by running `docker build` twice and confirming the image digest is identical both times.

Evidence

print("[SpeechService] Setting input device to AudioDeviceID: \(deviceId)")

                Self.setInputDevice(deviceId, for: inputNode)

            } else {

                print("[SpeechService] Using system default input device")

            }

            let hwFormat = inputNode.inputFormat(forBus: 0)

RemediationAI

The SpeechService.swift prints the user-controlled `deviceId` variable directly without sanitizing ANSI escape sequences, allowing injection attacks. Replace `print("[SpeechService] Setting input device to AudioDeviceID: \(deviceId)")` with a sanitized version: `print("[SpeechService] Setting input device to AudioDeviceID: \(deviceId.replacingOccurrences(of: "\u{1B}", with: ""))")` or use a logging library with built-in sanitization. This prevents terminal manipulation. Test by passing a deviceId containing escape sequences (e.g., `\u{1B}[2J`) and verify the output is not interpreted as a control sequence.

Evidence

voiceInputState = .recording

                        lastVoiceActivityTime = Date()

                        resetPauseDetectionForRecording()

                        print("[FloatingInputCard] Recording confirmed - voice input ready")

                    } else if voiceInputState == .idle {

                        print("[FloatingInputCard] External recording detected. Overlay: \(showVoiceOverlay)")

                        voiceInputState = .recording

RemediationAI

FloatingInputCard.swift prints a static string without sanitizing any user-controlled data in the surrounding context. While this specific print is safe, audit the function for any user input (e.g., `voiceInputState` values) being interpolated. If user data is printed, sanitize it: `print("[FloatingInputCard] Recording confirmed - voice input ready")` (keep static) or sanitize dynamic values before printing. Verify by checking that all print statements in the function contain only static strings or sanitized variables.

Evidence

let vadConfig = VADConfigurationStore.load()

            if vadConfig.autoStartVoiceInput {

                try? await Task.sleep(nanoseconds: 200_000_000)  // 200ms - fast handoff

                print("[AppDelegate] Triggering voice input in chat for window \(targetWindowId)")

                NotificationCenter.default.post(

                    name: .startVoiceInputInChat,

                    object: targetWindowId  // Target specific window

RemediationAI

AppDelegate.swift prints `targetWindowId` without sanitization, which could contain ANSI escape sequences if derived from user input. Replace `print("[AppDelegate] Triggering voice input in chat for window \(targetWindowId)")` with sanitized output: `let safeWindowId = String(targetWindowId).replacingOccurrences(of: "\u{1B}", with: ""); print("[AppDelegate] Triggering voice input in chat for window \(safeWindowId)")`. This prevents terminal injection. Test by passing a windowId with escape sequences and confirm the output is literal text.

Evidence

}

    private func transferToTextInput() {

        print("[FloatingInputCard] Transferring to text input - disabling continuous mode")

        // Transfer transcription to text input and close overlay

        let transcribedText = [

            speechService.confirmedTranscription,

RemediationAI

FloatingInputCard.swift prints a static message but may interpolate user-controlled transcription data elsewhere in the function. Audit the `transferToTextInput()` function for any print statements that include `transcribedText` or other user input. If found, sanitize before printing: `let safeTrans = transcribedText.replacingOccurrences(of: "\u{1B}", with: ""); print("Text: \(safeTrans)")`. Verify by checking all print statements in the function for user-controlled interpolations.

Evidence

}

            let hwFormat = inputNode.inputFormat(forBus: 0)

            print(

                "[SpeechService] Hardware input format: \(hwFormat.sampleRate)Hz, \(hwFormat.channelCount) channels"

            )

            guard hwFormat.sampleRate > 0, hwFormat.channelCount > 0 else {

RemediationAI

SpeechService.swift prints hardware format details (sampleRate, channelCount) which are system values, but the pattern is unsafe if these values come from untrusted sources. Ensure `hwFormat.sampleRate` and `hwFormat.channelCount` are always from the audio system API (trusted). If these could be user-influenced, sanitize: `print("[SpeechService] Hardware input format: \(Int(hwFormat.sampleRate))Hz, \(Int(hwFormat.channelCount)) channels")` with explicit type casting. Verify by confirming the values originate from AVAudioFormat system APIs.

Evidence

context.write(NIOAny(HTTPServerResponsePart.body(.byteBuffer(buffer))), promise: nil)

            context.flush()

        } catch {

            print("Error encoding Open Responses SSE event: \(error)")

            context.close(promise: nil)

        }

    }

RemediationAI

ResponseWriters.swift prints the `error` object directly without sanitization, which could contain user-controlled error messages with ANSI codes. Replace `print("Error encoding Open Responses SSE event: \(error)")` with `print("Error encoding Open Responses SSE event: \(error.localizedDescription.replacingOccurrences(of: "\u{1B}", with: ""))")`. This sanitizes error messages before display. Test by triggering an encoding error with a crafted error message containing escape sequences.

Evidence

print("[FloatingInputCard] Silence timeout with content - triggering auto-send")

                voiceInputState = .paused(remaining: voiceConfig.confirmationDelay)

            } else if !hasContent {

                print("[FloatingInputCard] Silence timeout without content - closing voice input")

                stopVoiceInputFromTimeout()

            }

        }

RemediationAI

FloatingInputCard.swift prints a static message without user input, but audit the surrounding context for any user-controlled data. The current print is safe, but ensure no user input (e.g., voice config values) is interpolated in nearby prints. Verify by reviewing all print statements in the silence timeout handler for user-controlled variables.

Evidence

// lastVoiceActivityTime is reset in onChange(of: isRecording)

            } catch {

                print("[FloatingInputCard] Failed to start voice input: \(error)")

                await MainActor.run {

                    voiceInputState = .idle

                    showVoiceOverlay = false

RemediationAI

FloatingInputCard.swift prints the `error` object directly, which may contain user-influenced error text with ANSI sequences. Replace `print("[FloatingInputCard] Failed to start voice input: \(error)")` with `print("[FloatingInputCard] Failed to start voice input: \(error.localizedDescription.replacingOccurrences(of: "\u{1B}", with: ""))")`. This sanitizes error output. Test by triggering a voice input failure with a crafted error message.

Evidence

if status != noErr {

            print("[SpeechService] Failed to set input device: \(status). Error code: \(status)")

        } else {

            print("[SpeechService] Successfully set input device to AudioDeviceID: \(deviceId)")

        }

    }

RemediationAI

SpeechService.swift prints the `status` error code directly, which is a system value and safe, but the pattern should be consistent. Ensure all error code prints use explicit formatting: `print("[SpeechService] Failed to set input device: \(Int(status)). Error code: \(Int(status))")` to prevent any potential injection. Verify by confirming status is always an OSStatus system type.

Evidence

print("[ClipboardService] copySelection() call returned: \(posted)")

        if !posted {

            print("[ClipboardService] FAILED to post Cmd+C event. Likely missing accessibility permissions.")

            return nil

        }

RemediationAI

ClipboardService.swift prints the `posted` boolean and a static message, which is safe. However, audit the function for any user-controlled clipboard data being printed. If clipboard content is logged, sanitize it: `let safeContent = clipboardData.replacingOccurrences(of: "\u{1B}", with: ""); print("[ClipboardService] Content: \(safeContent)")`. Verify by checking all print statements in the function.

Evidence

)

        if status != noErr {

            print("[SpeechService] Failed to set input device: \(status). Error code: \(status)")

        } else {

            print("[SpeechService] Successfully set input device to AudioDeviceID: \(deviceId)")

        }

RemediationAI

SpeechService.swift repeats the pattern of printing `status` error codes, which are system values. Ensure consistency by using explicit type casting: `print("[SpeechService] Failed to set input device: \(Int(status)). Error code: \(Int(status))")`. This prevents any potential injection from error code representation. Verify by confirming status is always from the audio system API.

Evidence

}

    private func cancelVoiceInput() {

        print("[FloatingInputCard] User cancelled voice input - disabling continuous mode")

        hasDetectedSpeechThisTurn = false

        lastConfirmedLength = 0

        isContinuousVoiceMode = false

RemediationAI

FloatingInputCard.swift prints a static message without user input, which is safe. Verify by reviewing the entire `cancelVoiceInput()` function to ensure no user-controlled data (e.g., voice state values) is interpolated in any print statements.

Evidence

// Check if voice input is active AND overlay is visible

                if SpeechService.shared.isRecording && session.showVoiceOverlay {

                    // Stage 1: Cancel voice input

                    print("[ChatView] Esc pressed: Cancelling voice input")

                    Task {

                        // Stop streaming and clear transcription

                        _ = await SpeechService.shared.stopStreamingTranscription()

RemediationAI

ChatView.swift prints a static message without user input, which is safe. However, audit the entire escape key handler for any user-controlled data being printed (e.g., session state, window IDs). If found, sanitize before printing. Verify by reviewing all print statements in the escape key handler.

Evidence

if installStatus == noErr {

            eventHandlerRef = refHandler

        } else {

            print("[TranscriptionHotKeyManager] Failed to install event handler: \(installStatus)")

        }

    }

}

RemediationAI

TranscriptionHotKeyManager.swift prints the `installStatus` error code, which is a system value and safe. Ensure consistency by using explicit type casting: `print("[TranscriptionHotKeyManager] Failed to install event handler: \(Int(installStatus))")`. Verify by confirming installStatus is always from the system API.

Evidence

return false

        }

        print("[KeyboardSimulationService] Posting Cmd+C event...")

        Self.typeKeyCode(UInt16(kVK_ANSI_C), modifiers: .maskCommand)

        return true

    }

RemediationAI

KeyboardSimulationService.swift prints a static message without user input, which is safe. Verify by reviewing the entire function to ensure no user-controlled data is interpolated in print statements.

Evidence

let inputNode = engine.inputNode

            if let deviceId = targetDeviceId {

                print("[SpeechService] Setting input device to AudioDeviceID: \(deviceId)")

                Self.setInputDevice(deviceId, for: inputNode)

            } else {

                print("[SpeechService] Using system default input device")

RemediationAI

SpeechService.swift prints `deviceId` without sanitization, allowing ANSI injection if deviceId is user-influenced. Replace `print("[SpeechService] Setting input device to AudioDeviceID: \(deviceId)")` with `print("[SpeechService] Setting input device to AudioDeviceID: \(String(deviceId).replacingOccurrences(of: "\u{1B}", with: ""))")`. This sanitizes the device ID. Test by passing a deviceId with escape sequences.

Evidence

await context.start(prompt: request.prompt)

        let reattachNote = reattach == nil ? "" : " (reattached to session \(context.id))"

        print("[BackgroundTaskManager] Dispatched chat task: \(request.title ?? "untitled")\(reattachNote)")

        // Return the resolved task id (may differ from request.id after a

        // reattach) so callers awaiting completion poll the actual live task.

        return DispatchHandle(id: context.id, request: request)

RemediationAI

BackgroundTaskManager.swift prints `request.title` without sanitization, which is user-controlled and could contain ANSI sequences. Replace `print("[BackgroundTaskManager] Dispatched chat task: \(request.title ?? "untitled")\(reattachNote)")` with `let safeTitle = (request.title ?? "untitled").replacingOccurrences(of: "\u{1B}", with: ""); print("[BackgroundTaskManager] Dispatched chat task: \(safeTitle)\(reattachNote)")`. This sanitizes the task title. Test by passing a title with escape sequences.

Evidence

context.write(NIOAny(HTTPServerResponsePart.body(.byteBuffer(buffer))), promise: nil)

            context.flush()

        } catch {

            print("Error encoding Anthropic SSE event: \(error)")

            context.close(promise: nil)

        }

    }

RemediationAI

ResponseWriters.swift repeats the pattern of printing error objects without sanitization. Replace `print("Error encoding Anthropic SSE event: \(error)")` with `print("Error encoding Anthropic SSE event: \(error.localizedDescription.replacingOccurrences(of: "\u{1B}", with: ""))")`. This sanitizes error messages. Test by triggering an encoding error with a crafted message.

Evidence

}

  console.log("Osaurus at", inst.url, "LAN:", !!inst.exposeToNetwork);

  // Example request (Node 18+ has global fetch in Electron; otherwise use axios/node-fetch)

  const resp = await fetch(new URL("/v1/models", inst.url));

  const models = await resp.json();

  console.log(models);

}

RemediationAI

The fetch call in SHARED_CONFIGURATION_GUIDE.md documentation lacks a timeout, allowing a hung server to block indefinitely. Replace `const resp = await fetch(new URL("/v1/models", inst.url));` with `const resp = await fetch(new URL("/v1/models", inst.url), { signal: AbortSignal.timeout(5000) });` (requires Node 17+) or use a manual timeout wrapper. This enforces a 5-second timeout. Verify by testing with a server that never responds—the request should abort after 5 seconds.

Evidence

The frontend can use these values for API calls:

```javascript

const res = await fetch(`${window.__osaurus.baseUrl}/api/widgets`);

```

### Plugin Skills (SKILL.md)

RemediationAI

The fetch call in PLUGIN_AUTHORING.md documentation lacks a timeout. Replace `const res = await fetch(\`${window.__osaurus.baseUrl}/api/widgets\`);` with `const res = await fetch(\`${window.__osaurus.baseUrl}/api/widgets\`, { signal: AbortSignal.timeout(5000) });`. This adds a 5-second timeout. Test by calling a non-responsive endpoint and confirming the request times out.

Evidence

// MARK: - Submission

    /// Tokenize the chat + tools, fetch (or create) the per-model

    /// `BatchEngine`, and submit one request via `engine.generate`. Returns

    /// the resulting `Generation` stream wrapped with cancellation plumbing.

    static func generate(

RemediationAI

The MLXBatchAdapter.swift generate function lacks explicit timeout documentation for the `engine.generate()` call, which could hang indefinitely. Add a timeout wrapper: `let timeoutTask = Task { try await Task.sleep(nanoseconds: 30_000_000_000); throw TimeoutError() }; let result = try await withThrowingTaskGroup(...) { ... }` or use a library like `async-timeout`. This enforces a 30-second timeout. Verify by testing with a model that hangs—the request should timeout.

Evidence

"description": "Execute AppleScript commands",

  "parameters": {

    "type": "object",

    "properties": { "script": { "type": "string" } }

  },

  "requirements": ["automation"],

  "permission_policy": "ask"

RemediationAI

The AppleScript tool in PLUGIN_AUTHORING.md documentation accepts an unconstrained `script` string parameter, allowing arbitrary code execution. Add schema constraints: `"script": { "type": "string", "maxLength": 10000, "pattern": "^[a-zA-Z0-9\\s\\-\\(\\)\\"\\':.,]*$" }` to restrict to safe characters, or use an enum of pre-approved scripts. This limits the blast radius. Test by attempting to pass a script with shell metacharacters—it should be rejected.

Evidence

{

              "type": "object",

              "properties": {

                "query": {

                  "type": "string",

                  "description": "Search query text"

                },

                "limit": {

                  "type": "integer",

                  "description": "Maximum results to return",

RemediationAI

The search tool in ToolsCreate.swift accepts an unconstrained `query` string parameter. Add schema constraints: `"query": { "type": "string", "maxLength": 500, "pattern": "^[a-zA-Z0-9\\s\\-]*$" }` to restrict length and character set. This prevents injection attacks and resource exhaustion. Test by passing a very long query or special characters—it should be rejected.

Evidence

FROM alpine:latest

RUN mkdir -p /run /tmp

RUN apk add --no-cache \

    bash \

    python3 python3-dev py3-pip \

    nodejs npm \

    build-base cmake \

    git patch \

    curl wget openssh-client ca-certificates \

    jq tar gzip zip unzip findutils coreutils grep sed less vim \

    file tree ripgrep \

    sqlite sqlite-dev \

    libstdc++ libffi-dev openssl-dev \

    tzdata

RemediationAI

The sandbox/Dockerfile runs as root by default, giving any RCE full privileges. Add `USER 1000` before the final CMD/ENTRYPOINT: `RUN addgroup -g 1000 sandbox && adduser -D -u 1000 -G sandbox sandbox` followed by `USER 1000`. This runs the container as a non-root user. Verify by running `docker run <image> id`—it should show uid=1000 instead of uid=0.

Evidence

# API Endpoints Guide

This guide explains how to use the API endpoints in Osaurus, including OpenAI-compatible, Anthropic-compatible, and Open Responses formats.

## Available Endpoints

### 1. List Models - `GET /models` (also available at `GET /v1/models`)

Returns a list of available models that are currently downloaded and ready to use.

```bash

curl http://127.0.0.1:1337/models

```

Example response:

```json

{

  "object": "list",

  "data": [

    {

      "id": "llama-3.2-3b-instruct",

RemediationAI

The OpenAI_API_GUIDE.md documentation describes API endpoints but does not declare an authentication mechanism. Add explicit auth documentation: "All endpoints require Bearer token authentication via the `Authorization: Bearer <token>` header. Tokens are issued via the `/auth/token` endpoint." This clarifies the security model. Verify by reviewing the updated docs to ensure all endpoints list their auth requirements.

Evidence

# Sandbox

Run agent code in an isolated Linux virtual machine — safely, locally, and with full dev environment capabilities.

The Sandbox is a shared Linux container powered by Apple's [Containerization](https://developer.apple.com/documentation/containerization) framework. It gives every Osaurus agent access to a real Linux environment with shell, package managers, compilers, and file system access — all running natively on Apple Silicon with zero risk to your Mac.

---

## Why Sandbox?

### S

RemediationAI

The SANDBOX.md documentation describes the sandbox feature but does not declare authentication. Add explicit auth documentation: "The sandbox container is isolated and accessed only by authenticated Osaurus instances. Communication uses mTLS with certificate pinning." This clarifies the security boundary. Verify by reviewing the updated docs.

Evidence

{

  "id": "preflight.music.spotify-play",

  "domain": "preflight",

  "label": "music • spotify pick (multi-plugin smoke)",

  "query": "play some lo-fi beats on spotify",

  "fixtures": {

    "preflightMode": "balanced"

  },

  "expect": {

    "tools": {

      "mustNotInclude": ["browser_navigate"]

    }

  }

}

RemediationAI

The music-spotify.json eval fixture does not declare authentication for the tools it tests. Add an `"auth"` field to the fixture metadata: `"auth": "oauth"` to indicate that Spotify tools require OAuth. This clarifies the security model for test reviewers. Verify by checking that the fixture documentation lists auth requirements.

Evidence

# Developer Tools

Osaurus includes built-in developer tools for debugging, monitoring, and testing your integration. Access them via the Management window (`⌘ Shift M`).

---

## Insights

The **Insights** tab provides real-time monitoring of all API requests flowing through Osaurus.

### Accessing Insights

1. Open the Management window (`⌘ Shift M`)

2. Click **Insights** in the sidebar

### Features

#### Request Logging

Every API request is logged with:

| Field        | Description        

RemediationAI

The DEVELOPER_TOOLS.md documentation describes the Insights tab and API access but does not declare authentication. Add explicit auth documentation: "The Insights API requires Bearer token authentication. All requests must include the `Authorization: Bearer <token>` header." This clarifies the security model. Verify by reviewing the updated docs.

Evidence

{

  "id": "preflight.no-match.gibberish",

  "domain": "preflight",

  "label": "gibberish • abstain on nonsense",

  "query": "zzz_completely_nonexistent_capability_xyz_12345 ablubblub",

  "fixtures": {

    "preflightMode": "balanced"

  },

  "expect": {

    "tools": {

      "mustNotInclude": [

        "browser_navigate",

        "sandbox_exec",

        "render_chart"

      ]

    }

  }

}

RemediationAI

The no-match-abstain.json eval fixture does not declare authentication. Add an `"auth"` field to the fixture metadata or add a note in the fixture documentation clarifying that this is a test fixture and authentication is not required for test scenarios. This prevents confusion about production security. Verify by reviewing the fixture documentation.

Evidence

{

  "id": "preflight.sandbox.plugin-creator-noise-floor",

  "domain": "preflight",

  "label": "sandbox • picker doesn't pick non-existent plugin tools",

  "query": "I need a tool to call the AcmeWidgets API",

  "fixtures": {

    "preflightMode": "balanced"

  },

  "expect": {

    "tools": {

      "mustNotInclude": [

        "acmewidgets_api",

        "acmewidgets_call"

      ]

    }

  }

}

RemediationAI

The sandbox-plugin-creator.json eval fixture does not declare authentication. Add an `"auth"` field to the fixture metadata: `"auth": "bearer"` to indicate that plugin creation requires authentication. This clarifies the security model. Verify by checking the fixture documentation.

Evidence

# OsaurusEvals

Catalog-driven behaviour / integration tests for Osaurus that hit a real model (Foundation, MLX, remote provider).

These evals are deliberately **off the CI path**. They burn LLM tokens, depend on local plugin installs, and exist to help us tune capabilities and triage new models — not to gate every commit.

## Structure

```

Packages/OsaurusEvals/

  Package.swift

  README.md (this file)

  Sources/

    OsaurusEvalsKit/    — library (case schema, runner, scorers, model override)

RemediationAI

The OsaurusEvals README.md does not declare authentication for the eval framework. Add explicit documentation: "Evals run against real models and require authentication via API keys or OAuth tokens. See AUTHENTICATION.md for setup." This clarifies the security model. Verify by reviewing the updated README.

Evidence

//

//  Skill.swift

//  osaurus

//

//  Defines a Skill - markdown instructions that guide AI behavior.

//  Skills are stored as directories with SKILL.md files following the Agent Skills spec.

//  See: https://agentskills.io/specification

//

import Foundation

/// Represents a file within a skill's references or assets directory

public struct SkillFile: Codable, Identifiable, Sendable, Equatable {

    public var id: String { name }

    public let name: String

    public let relativePath: String

RemediationAI

The Skill.swift model file does not declare authentication for skills. Add documentation in the file: `/// Skills are accessed via authenticated API endpoints. See SKILL_AUTH.md for details.` This clarifies the security model. Verify by reviewing the updated file documentation.

Evidence

{

  "id": "preflight.browser.amazon-orders",

  "domain": "preflight",

  "label": "browser • amazon orders",

  "query": "can you help me check my orders on amazon?",

  "fixtures": {

    "preflightMode": "balanced",

    "requirePlugins": ["osaurus.browser"]

  },

  "expect": {

    "tools": {

      "mustInclude": ["browser_navigate"]

    },

    "companions": {

      "skills": ["Osaurus Browser"],

      "siblings": {

        "minOverlap": 2,

        "candidates": [

          "browser_open_login",

RemediationAI

The browser-amazon-orders.json eval fixture does not declare authentication. Add an `"auth"` field to the fixture metadata: `"auth": "oauth"` to indicate that Amazon tools require OAuth. This clarifies the security model. Verify by checking the fixture documentation.

Evidence

{

  "id": "preflight.browser.login-flow",

  "domain": "preflight",

  "label": "browser • login picks open_login directly",

  "query": "can you sign me in to my github account?",

  "fixtures": {

    "preflightMode": "balanced",

    "requirePlugins": ["osaurus.browser"]

  },

  "expect": {

    "tools": {

      "mustInclude": ["browser_open_login"]

    },

    "companions": {

      "skills": ["Osaurus Browser"]

    }

  }

}

RemediationAI

The browser-login-flow.json eval fixture does not declare authentication. Add an `"auth"` field to the fixture metadata: `"auth": "oauth"` to indicate that login flows require OAuth. This clarifies the security model. Verify by checking the fixture documentation.

Evidence

<p align="center">

<img width="865" height="677" alt="Screenshot 2026-03-19 at 3 42 04 PM" src="https://github.com/user-attachments/assets/c16ee8bb-7f31-4659-9c2c-6eaaf8441c26" />

</p>

<h1 align="center">Osaurus</h1>

<p align="center">

  <strong>Own your AI.</strong><br>

  Agents, memory, tools, and identity that live on your Mac. Built purely in Swift. Fully offline. Open source.

</p>

<p align="center">

  <a href="https://github.com/osaurus-ai/osaurus/releases/latest"><img src="https://img.s

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

{

  "id": "preflight.smalltalk.thanks",

  "domain": "preflight",

  "label": "smalltalk • abstain (NONE) regression",

  "query": "thanks, that's perfect",

  "fixtures": {

    "preflightMode": "balanced"

  },

  "expect": {

    "tools": {

      "mustNotInclude": [

        "browser_navigate",

        "sandbox_exec"

      ]

    }

  }

}

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

//

//  AnthropicAPITests.swift

//  osaurusTests

//

//  Tests for Anthropic Messages API compatibility.

//

import Foundation

import Testing

@testable import OsaurusCore

struct AnthropicAPITests {

    // MARK: - Request Parsing Tests

    @Test func parseSimpleAnthropicRequest() throws {

        let json = """

            {

                "model": "claude-3-5-sonnet-20241022",

                "max_tokens": 1024,

                "messages": [

                    {"role": "user", "content": "He

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

{"model":"foundation","messages":[{"role":"user","content":"Using tools if available, get weather for city=San Francisco."}],"tools":[{"type":"function","function":{"name":"get_weather","description":"Get weather by city","parameters":{"type":"object","properties":{"city":{"type":"string"}},"required":["city"]}}}],"tool_choice":"auto","stream":true,"temperature":0,"max_tokens":64}

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

import Foundation

import Testing

@testable import OsaurusCore

/// These tests boot an Apple Containerization Linux VM and run real

/// `pip install`, `npm`, and `go test` workloads inside the sandbox. They

/// take minutes and require Containerization tooling, so they are gated by

/// `OSAURUS_RUN_SANDBOX_INTEGRATION_TESTS=1` and reported as `Disabled`

/// in CI rather than silently passing.

private let isSandboxIntegrationEnabled =

    ProcessInfo.processInfo.environment["OSAURUS_RUN_SANDBOX_

Remediation

Apply CSRF middleware at the route or router level: - Express: `app.use(csurf())` / `csrf-csrf` package - FastAPI: `fastapi-csrf-protect` with `Depends(...)` - Flask: `CSRFProtect(app)` from `flask_wtf.csrf` Or move to bearer-token auth and set `SameSite=Strict` / `SameSite=Lax` on any session cookies. Document the choice in the project README so reviewers can confirm intent.

Evidence

timeout-minutes: 10

    steps:

      - name: Checkout code

        uses: actions/checkout@v5

      - name: Install shellcheck

        run: sudo apt-get update && sudo apt-get install -y shellcheck

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

steps:

      - uses: actions/checkout@v4

      - uses: docker/setup-qemu-action@v3

      - uses: docker/setup-buildx-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: actions/checkout@v5

      - name: Set up Xcode ${{ env.XCODE_VERSION }}

        uses: maxim-lobanov/setup-xcode@v1

        with:

          xcode-version: ${{ env.XCODE_VERSION }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

pull-requests: write

    runs-on: ubuntu-latest

    steps:

      - uses: release-drafter/release-drafter@v6

        env:

          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

# Always restore so `cache-primary-key` is populated for the save

        # step at the bottom (the wipe step below handles forced cold

        # builds without preventing main from repopulating the cache).

        uses: actions/cache/restore@v5

        with:

          path: ~/Library/Developer/Xcode/DerivedData

          # Include vendored C sources (currently the SQLCipher amalgamation

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

# same key. To intentionally invalidate every cache, bump CACHE_SALT.

      - name: Save DerivedData cache

        if: ${{ github.ref == 'refs/heads/main' && success() && steps.dd-cache.outputs.cache-primary-key != '' }}

        uses: actions/cache/save@v5

        with:

          path: ~/Library/Developer/Xcode/DerivedData

          key: ${{ steps.dd-cache.outputs.cache-primary-key }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

steps:

      - name: Checkout code

        uses: actions/checkout@v4

        with:

          fetch-depth: 0 # Fetch all history for changelog generation

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

run: bash scripts/release/generate_and_deploy_appcast.sh

      - name: Upload artifacts

        uses: actions/upload-artifact@v4

        with:

          name: osaurus-release-${{ env.VERSION }}

          path: |

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4

      - uses: docker/setup-qemu-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

XCRESULT_PATH: build/Tests.xcresult

    steps:

      - name: Checkout code

        uses: actions/checkout@v5

      - name: Set up Xcode ${{ env.XCODE_VERSION }}

        uses: maxim-lobanov/setup-xcode@v1

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

steps:

      - name: Checkout code

        uses: actions/checkout@v4

        with:

          token: ${{ secrets.GITHUB_TOKEN }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

# step above: on a wall-timeout the xcresult bundle may be

        # partially populated and is still useful for postmortem.

        if: ${{ failure() || cancelled() }}

        uses: actions/upload-artifact@v5

        with:

          name: test-core-xcresult-${{ github.run_attempt }}

          path: ${{ env.XCRESULT_PATH }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3

        with:

          registry: ghcr.io

          username: ${{ github.actor }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

timeout-minutes: 10

    steps:

      - name: Checkout code

        uses: actions/checkout@v5

      # OsaurusCLI's Package.swift requires `swift-tools-version: 6.2`, which

      # ships with the pinned Xcode. The runner's default `swift` may be older

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

token: ${{ secrets.GITHUB_TOKEN }}

      - name: Label merged PR

        uses: actions/github-script@v7

        with:

          script: |

            const {owner, repo} = context.repo;

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

fetch-depth: 0 # Fetch all history for changelog generation

      - name: Set up Xcode

        uses: maxim-lobanov/setup-xcode@v1

        with:

          # Pin to a specific Xcode (was `latest-stable`) so the same

          # commit always builds against the same toolchain. Bump

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

timeout-minutes: 10

    steps:

      - name: Checkout code

        uses: actions/checkout@v5

      - name: Install SwiftLint

        run: brew install swiftlint

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

runs-on: ubuntu-latest

    steps:

      - name: Checkout repo

        uses: actions/checkout@v4

        with:

          token: ${{ secrets.GITHUB_TOKEN }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

username: ${{ github.actor }}

          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@v6

        with:

          context: sandbox

          platforms: linux/arm64

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

run: brew install xcbeautify

      - name: Cache SPM packages

        uses: actions/cache@v5

        with:

          path: ${{ env.SPM_CACHE }}

          key: spm-${{ runner.os }}-${{ env.CACHE_SALT }}-xcode${{ env.XCODE_VERSION }}-${{ hashFiles('osaurus.xcworkspace/xcshareddata/swiftpm/Package.resolved') }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- uses: docker/setup-qemu-action@v3

      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3

        with:

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

func body(content: Content) -> some View {

        content

            .onChange(of: speechService.microphonePermissionGranted) { _, granted in

                print("[VoiceDebug] microphonePermissionGranted → \(granted)")

                voiceDebugLog(

                    trigger: "micPermission",

                    enabled: SpeechConfigurationStore.load().voiceInputEnabled,

Remediation

Mask the value before logging or move it to a structured field the log shipper strips. Per-language idioms: Python: `logger.info("login %s", redact(email))` Node: `console.log("login", maskEmail(email))` For unavoidable diagnostic logging, use a per-tenant pseudonym — `tokenize(email)` returns a stable hash; logs still group per-user without leaking the underlying address.