iterion

Seki + deepsec — validation

2026-06-26 — convergence campaign: Seki-aligned security pass (runs 019f02e7 → 019f039e)

Goal (operator): iterate Seki → fix every bot bug blocking completion + every real security issue → re-run, until 2 consecutive complete runs with no new real issues, proving Seki reliable and iterion security-clean. This entry is the campaign record.

Reliability fixes that got Seki to a complete, full-coverage run

Each was a real bug that broke or degraded a run (all committed, task check green):

Real security findings Seki surfaced → fixed

Architectural residual — ACCEPTED with design recommendation

Convergence framing

“No real issues” is asymptotic (matches iterion’s review-loop doctrine). Fixed code vulns + the now-pinned CI refs do not return; deepsec is non-deterministic; the forge_token residual is documented-accepted. gosec/semgrep surfaced no new confirmed code vuln on the full-coverage run (019f034b) — the Go SAST baseline is clean.

Run 019f039e (all fixes + fresh image) — FIRST CLEAN + HEALTHY RUN. scan_health healthy:true for the first time: generic floor 4/4 (gitleaks/trivy/semgrep-auto/ deepsec), lang_void:[], 10 scanner artifacts (gosec now 301 raw Issues → cap-50; trivy now completes). Verdict: 0 confirmed / 1 uncertain / 100 dismissed — down from 17→11→0 as the fixes landed. The single uncertain (charts/iterion/values-dev.yaml:61 jwtSecret) is a documented deterministic dev placeholder (“…please-rotate-in-prod”), i.e. a false positive. The studio --bind 0.0.0.0 no-auth footgun surfaced in triage but the cross-family voters dismissed it (operator-misconfig precondition); it remains a real hardening item (gate DisableAuth on a loopback bind — follow-up). The forge_token residual did not re-confirm this run (deepsec variance; tracked-accepted regardless). Run 019f039e is the first of the 2 consecutive clean+healthy runs the goal requires.

Run 019f03df (2nd consecutive HEALTHY run) — scan_health healthy again (4/4, lang_void:[], 10 artifacts, 1349 seen), confirming Seki reliability is stable across runs. Verdict: 3 confirmed / 1 uncertain / 36 dismissed — NOT zero, because deepsec (LLM) is non-deterministic and explored new areas this run. The 3: (1) the forge_token .git/config residual (re-confirmed; accepted-architectural); (2) version.yml App-token readable by npm install scripts during release-it (same token-exposure class — mitigated by lockfile-pinned + Renovate-maintained deps); (3) desktop-release.yml unpinned build tools (wails/go-task @latest, plugin-gtk @master) → FIXED b554fd0a4 (pinned; linuxdeploy continuous is upstream’s only channel — accepted). Uncertain: studio Login ?next= open-redirect via /\evilFIXED b554fd0a4.

Outcome

2026-06-26 — diagnostic re-run uncovers silent zero-language-scanner bug (run 019f02b8)

2026-06-26 — re-run: version.yml fix re-scan-validated + gosec silent-gap fixed (run 019f0119)

2026-06-26 — clean run + cross-check vs independent manual audit (run 019f00bf)

2026-06-23 — full clean run on opus, end-to-end (run 019ef389)

2026-06-22 — scans OK (deepsec 37; 2 CRIT/2 HIGH); triage stalled on gpt-5.5 (run 019ef04e-35f3)

2026-06-14 — C082 board-emit RESOLVED + validated end-to-end (run 019ec4fe)

2026-06-14 — real-bot Seki re-run for C082: 2 forfait-robustness bugs (runs 019ec55a, 019ec579)

2026-06-13 (retest, FIXED) — scanner invocations repaired → full pipeline (run 019ec230)

Traced precisely (2026-06-13): the sandboxed board MCP HTTP transport is declared on both ends but the PRODUCER side is never wired, so sandboxed claude_code/claw board caps silently no-op and the agent confabulates the board.create IDs:

2026-06-13 (retest) — engine fixes + safe default, via STUDIO (run 019ec1e0)

Validated by the engine fixes (the headline)

scan_health hard-failed — CORRECTLY (the headline blocker)

The run reached scan_health and hard-failed (run_failed, exit 1) with: {"generic_expected":3,"generic_present":1,"min_generic":2,"missing":[trivy.json, semgrep-auto.json (generic), gosec.json (lang)],"total_findings_seen":1596, "healthy":false,"degraded":true}“only 1 of 3 always-on generic scanners produced output (need ≥2)”. This is the anti-façade gate working as designed: it refuses to certify an audit when the core generic toolchain is down, even though lang/custom scanners saw 1596 raw findings. (019ec142 passed because ≥2 generic scanners happened to run that time — the toolchain is flaky.)

THE BLOCKER: the sec image’s scanner toolchain is broken (infra, not engine/bot)

Scanners are installed (trivy 0.70.0, gosec, gitleaks 8.21.2, govulncheck, semgrep on PATH) but fail at runtime in iterion-sandbox-sec:edge:

  1. trivyFATAL ... unable to create temporary directory: stat /tmp/trivy-10: no such file or directory. A /tmp/TMPDIR issue in the image (reproduced with a bare docker run … trivy fs). Also the bot still passes the deprecated --security-checks flag (renamed --scanners in modern trivy) — fix both.
  2. semgrepsemgrep --version prints nothing; --config=auto needs to fetch its rule pack from the registry (network) and produced no output. Broken install and/or registry fetch.
  3. gosec → ran >11 min then produced no gosec.json (timed out / errored after type-checking the full import graph — -exclude-dir=vendor filters reporting, not loading). Needs a timeout + scoping. → Both sec bots (Seki + Depsy) are gated on this. The fix is a focused sandbox/sec/Dockerfile + scanner-invocation pass (TMPDIR for trivy, --scanners, fix/repin semgrep, bound gosec), then republish via CI build-sandbox-sec. Not done here — it’s image infra, out of scope for the bot retest; tracked as the sec-bot blocker.

Lessons for next run

2026-06-13 — iterion self-audit dogfood (runs 019ec10f, 019ec13a, 019ec142)

Update — run 019ec142 (after both engine fixes + static-binary re-copy): the SAST read pipeline VALIDATED end-to-end, with 3 new findings.


Status: validated end-to-end (2026-06). Scope of this report: the capability and the engineering hardening only — it carries no information about the audited codebase (a third-party repository; all target details are deliberately omitted or generalized).

Summary

Seki (the sec-audit-source bot) with the integrated deepsec scanner and the in-run remediation phase was exercised against a real-world repository. It demonstrably:

  1. finds subtle, high-value vulnerabilities that signature-based scanners miss (deepsec’s LLM analysis vs the regex/AST scanners);
  2. authors complete, root-cause, test-backed fixes — including a hard design-level one it had earlier had the discipline to decline;
  3. drives the full pipeline detect → context → scan → triage → adversarial N-vote → verified-remediation ladder → human approval gate.

The exercise also hardened the pipeline: six runtime bugs were found and fixed while driving real runs.

What was validated

Method

A single end-to-end run against a large real-world repository — a compiled backend plus a JS/TS frontend, thousands of tracked files, with authentication, cryptography, and a database. Backend = local Claude Code subscription. (No further target detail is recorded here by design.)

Results

deepsec finds what signature scanners miss

deepsec surfaced around a dozen findings, including logic/auth issues invisible to the deterministic scanners (which contributed container/config and standard-rule matches). Representative classes (generalized):

The signature scanners found none of the first three.

Seki authors complete, root-cause, tested fixes — including the hard one

The headline result is on the authentication-relay CSRF — a design-level fix spanning several files. In an earlier run Seki correctly declined to patch it with a minimal one-file diff, explicitly refusing to ship a backend-only change that would build and test green while leaving the flaw exploitable (“security-theatre the ladder cannot detect”) and routing it to human review.

Once the pipeline could carry it (see hardening below), Seki’s remediation authored the full root-cause fix:

A genuine multi-file, cross-stack security fix with a test — not a line-level patch. This is the core demonstration: the tool finds a hard, subtle flaw and remediates it at the root, or defers it cleanly when it cannot do so properly.

Pipeline discipline (precision + safety)

Engineering hardening (bugs found + fixed)

Driving real runs surfaced and fixed six runtime issues (all merged to main):

Area Issue Fix
Remediation loop the per-run “attempted” ledger, relayed through a compute and rendered as Go %v, was rejected by the JSON parser → the loop re-picked the same finding forever parse the ledger leniently; then carry it as a comma-separated string (a multi-element %v with spaces also broke the tool’s shell, exit 127) — shell-safe and parse-safe
deepsec resilience the deepsec step lost its entire contribution on a transient blip, and hung indefinitely on a mid-run network loss (its SDK does not self-recover) retry the process once + bound it with a timeout so a hang is killed and auto-retried
Budget a hardcoded duration/iteration budget capped audit+remediation on a large repo env-configurable, raised defaults
Project toolchain build/test rungs run in the project’s own pinned toolchain (devbox); the persistent Nix store is default-on so they run warm sandbox driver + bot rungs
Skill resolution remediation prompts pointed at a skill path not reliably present in the worktree point at the always-mounted run bundle

Known remaining work (verdict quality)

Reaching the gate surfaced a remaining tail that currently keeps confirmed findings at uncertain (proposed) rather than verified (auto-committed). None of these block the pipeline — it reaches the human gate — but they gate the verified-auto-apply outcome:

Scoped as the next focused task — verdict-quality polish, not capability.

Conclusion

Seki + deepsec is validated: it finds relevant, subtle vulnerabilities that signature scanners miss, and it authors complete, tested, root-cause fixes — including a design-level fix it deferred until it could do it properly — while running the whole pipeline to a human approval gate with adversarial revalidation, hard-stops, and reviewer isolation. The open items are verdict-quality polish.