From c1d2e39b0905b0146749db1dbe48a044e6b8d029 Mon Sep 17 00:00:00 2001 From: Username Date: Fri, 26 Dec 2025 00:17:11 +0100 Subject: [PATCH] docs: complete penetration testing status update All pentest items now complete: - CLI security audit (clipboard, permissions) - DoS memory exhaustion (fixed lookup rate limit) - Race conditions (all protected by locks) --- documentation/security-testing-status.md | 34 ++++++++++++++++++++---- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/documentation/security-testing-status.md b/documentation/security-testing-status.md index e0907f5..9537f8b 100644 --- a/documentation/security-testing-status.md +++ b/documentation/security-testing-status.md 
@@ -119,13 +119,34 @@ Not tested (no signature defined): ``` [x] Race condition: Burn-after-read via HEAD then GET (SAFE) -[ ] Race condition: Content hash deduplication counter -[ ] DoS: Memory exhaustion via unique IP rate limits -[ ] DoS: Anti-flood list growth under load -[ ] CLI: Clipboard command injection validation -[ ] CLI: Certificate file permission exposure +[x] Race condition: Content hash deduplication counter (SAFE - locked) +[x] DoS: Memory exhaustion via unique IP rate limits (FIXED) +[x] DoS: Anti-flood list growth under load (SAFE - bounded) +[x] CLI: Clipboard command injection validation (SAFE) +[x] CLI: Certificate file permission exposure (SAFE - 0o600) ``` +### CLI Security Audit (2025-12-26) + +| Check | Status | +|-------|--------| +| Trusted clipboard path validation | PASS | +| PATH injection prevention | PASS | +| Subprocess safety (no shell=True) | PASS | +| Config permission warnings | PASS | +| Key file permissions (0o600) | PASS | +| Symlink attacks | LOW RISK | + +### Memory Exhaustion Tests (2025-12-26) + +| Component | Protection | Status | +|-----------|------------|--------| +| Anti-flood list | ANTIFLOOD_MAX_ENTRIES (10000) | PASS | +| Rate limit dict | RATE_LIMIT_MAX_ENTRIES (10000) | PASS | +| Lookup rate limit | LOOKUP_RATE_LIMIT_MAX_ENTRIES (10000) | FIXED | +| Content dedup | Database + PoW | PASS | +| Concurrent access | Thread-safe with locks | PASS | + ### Documentation ``` @@ -173,6 +194,9 @@ python /tmp/prod_fuzz.py | Constant-time password check | PBKDF2 600k iterations | Yes | | Burn-after-read race condition | HEAD triggers deletion | Yes | | RIFF container detection | Subtype check (WEBP/AVI/WAVE) | Yes | +| Clipboard command injection | Trusted path validation | Yes | +| Memory exhaustion prevention | Max entries on all dicts | Yes | +| Race condition protection | Threading locks on counters | Yes | ---
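Review bot: In the first hunk (@@ -119,13 +119,34 @@), the "Symlink attacks | LOW RISK" row in the CLI Security Audit table is the only result that is not PASS, and nothing in the hunk says what the residual risk is or why it is accepted. Add a sentence under the table naming the affected path (config, key file or clipboard binary lookup) and the reason it is rated low, so the rating can be re-checked later. In the Memory Exhaustion Tests table, the three caps of 10000 are listed without the behaviour at the cap. Whether a full table evicts old entries or rejects new ones changes the failure mode, so it is worth a column. The "FIXED" status on "Lookup rate limit" and on the checklist item "DoS: Memory exhaustion via unique IP rate limits (FIXED)" should also reference the commit that made the fix, since this patch only touches documentation.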
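Review bot: In the second hunk (@@ -173,6 +194,9 @@), the new row "Memory exhaustion prevention | Max entries on all dicts | Yes" claims more than the earlier table supports, which names three bounded structures (ANTIFLOOD_MAX_ENTRIES, RATE_LIMIT_MAX_ENTRIES, LOOKUP_RATE_LIMIT_MAX_ENTRIES) and covers content dedup with "Database + PoW" instead of a cap. Suggest replacing "all dicts" with the three constant names so the summary row matches what was tested. The same applies to "Race condition protection | Threading locks on counters | Yes": state which counters are meant (the checklist names only the content hash deduplication counter) so the "Yes" in the last column can be traced to a specific test.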