[Fix] Checkpoint resume: allowlist gate + stopped scan visibility in -e list

[Fix] _lifecycle_continue: eval replaced with printf -v; checkpoint options
  now gated through _build_co_allowed_pattern (rejects PATH, IFS, LD_PRELOAD,
  inspath, etc. from tampered checkpoint files)
[New] -e list: stopped/checkpointed scans now visible between active scans
  and scan history — text table shows SCANID, STAGE, FILES, HITS, WKRS,
  STOPPED, PATH with resume hint; JSON list emits "stopped" array
[New] 10 tests: 5 adversarial allowlist rejection (PATH, IFS, LD_PRELOAD,
  inspath, BASH_ENV), 5 _lifecycle_list_stopped (empty, no-checkpoint,
  populated, column headers, running-only)

Author: rfxn

CHANGELOG

@@ -135,6 +135,10 @@ v2.0.1 | Mar 25 2026:
 [Fix] -L/--list-active: elapsed time showed 0h 00m for running scans; now
       computed live from scan start epoch instead of reading the completed-only
       meta field
+[Fix] Checkpoint resume: eval replaced with printf -v and options gated through
+      -co allowlist; rejects PATH, IFS, LD_PRELOAD from tampered checkpoint files
+[New] -e list: stopped/checkpointed scans now visible between active and history
+      sections (text and JSON); shows stage, hits, workers, stopped time, resume hint
 
 [Fix] JSON report list hang: index-first hybrid eliminates O(N) per-file glob on servers
       without session.index; legacy plaintext sessions preserved

CHANGELOG.RELEASE

@@ -135,6 +135,10 @@ v2.0.1 | Mar 25 2026:
 [Fix] -L/--list-active: elapsed time showed 0h 00m for running scans; now
       computed live from scan start epoch instead of reading the completed-only
       meta field
+[Fix] Checkpoint resume: eval replaced with printf -v and options gated through
+      -co allowlist; rejects PATH, IFS, LD_PRELOAD from tampered checkpoint files
+[New] -e list: stopped/checkpointed scans now visible between active and history
+      sections (text and JSON); shows stage, hits, workers, stopped time, resume hint
 
 [Fix] JSON report list hang: index-first hybrid eliminates O(N) per-file glob on servers
       without session.index; legacy plaintext sessions preserved

files/internals/lmd_alert.sh

@@ -765,6 +765,29 @@ _lmd_render_json_list() {
 		esac
 	done
 
+	printf '\n  ],\n  "stopped": ['
+
+	# Enumerate stopped scans with valid checkpoints (resumable)
+	local _first_stopped=1 _jl_stopped_meta _jl_stopped_sid _jl_stopped_state
+	for _jl_stopped_meta in "$sessdir"/scan.meta.*; do
+		[ -f "$_jl_stopped_meta" ] || continue
+		_jl_stopped_sid="${_jl_stopped_meta##*scan.meta.}"
+		case "$_jl_stopped_sid" in *.tmp) continue ;; esac
+		_jl_stopped_state=$(_lifecycle_detect_state "$_jl_stopped_sid" 2>/dev/null) || continue  # safe: skip unreadable
+		if [ "$_jl_stopped_state" = "stopped" ] && [ -f "$sessdir/scan.checkpoint.$_jl_stopped_sid" ]; then
+			_lifecycle_read_meta "$_jl_stopped_sid" || continue
+			[ "$_first_stopped" != "1" ] && printf ","
+			_first_stopped=0
+			local _jl_sp="${_meta_path//\\/\\\\}"
+			_jl_sp="${_jl_sp//\"/\\\"}"
+			local _jl_sfiles="${_meta_total_files:-0}"; [ "$_jl_sfiles" = "-" ] && _jl_sfiles=0
+			local _jl_shits="${_meta_hits:-0}"; [ "$_jl_shits" = "-" ] && _jl_shits=0
+			printf '\n    {"scan_id": "%s", "stage": "%s", "total_files": %s, "hits": %s, "workers": "%s", "stopped_hr": "%s", "path": "%s"}' \
+				"$_jl_stopped_sid" "${_meta_stage:--}" "$_jl_sfiles" "$_jl_shits" \
+				"${_meta_workers:--}" "${_meta_stopped_hr:-unknown}" "$_jl_sp"
+		fi
+	done
+
 	printf '\n  ],\n  "reports": ['
 	local _first=1
 	local _index_file="$sessdir/session.index"

files/internals/lmd_lifecycle.sh

@@ -362,6 +362,59 @@ _lifecycle_render_text_active() {
 	return 0
 }
 
+##
+# _lifecycle_list_stopped()
+#   Enumerates stopped scans that have a valid checkpoint (resumable).
+#   Returns 0 if any found (and prints text table), 1 if none.
+#   Stopped scans are those with scan.meta.* state=stopped AND a matching
+#   scan.checkpoint.* file — these can be resumed with --continue.
+##
+_lifecycle_list_stopped() {
+	local _scanid _state _found=0
+	local _stopped_ids=""
+
+	local _meta_file
+	for _meta_file in "$sessdir"/scan.meta.*; do
+		[ -f "$_meta_file" ] || continue
+		_scanid="${_meta_file##*scan.meta.}"
+		case "$_scanid" in *.tmp) continue ;; esac
+		_state=$(_lifecycle_detect_state "$_scanid" 2>/dev/null) || continue  # safe: skip unreadable meta
+		if [ "$_state" = "stopped" ] && [ -f "$sessdir/scan.checkpoint.$_scanid" ]; then
+			if [ -z "$_stopped_ids" ]; then
+				_stopped_ids="$_scanid"
+			else
+				_stopped_ids="$_stopped_ids"$'\n'"$_scanid"
+			fi
+			_found=1
+		fi
+	done
+
+	if [ "$_found" -eq 0 ]; then
+		return 1
+	fi
+
+	local _count
+	_count=$(printf '%s\n' "$_stopped_ids" | command grep -c '^.' || echo 0)
+	printf 'Stopped scans (%s):\n' "$_count"
+	printf ' %-22s %-10s %-10s %-6s %-6s %-20s %s\n' \
+		"SCANID" "STAGE" "FILES" "HITS" "WKRS" "STOPPED" "PATH"
+
+	while IFS= read -r _scanid; do
+		[ -z "$_scanid" ] && continue
+		_lifecycle_read_meta "$_scanid" || continue
+
+		local _stopped_display
+		_stopped_display=$(echo "${_meta_stopped_hr:-unknown}" | awk '{print $1,$2,$3,$4}')
+		printf ' %-22s %-10s %-10s %-6s %-6s %-20s %s\n' \
+			"$_scanid" "${_meta_stage:--}" "${_meta_total_files:--}" \
+			"${_meta_hits:-0}" "${_meta_workers:--}" \
+			"$_stopped_display" "${_meta_path:--}"
+	done <<< "$_stopped_ids"
+
+	printf '  (resume: maldet --continue SCANID)\n'
+	return 0
+}
+
 ##
 # _lifecycle_render_json_active(scanids_newline_separated)
 #   JSON array output. Build manually with printf (no jq dependency).
@@ -1410,19 +1463,22 @@ _lifecycle_continue() {
 		eout "{lifecycle} warning: signature version changed since checkpoint (was: $_ckpt_sig_version, now: $_cur_sig_ver)" 1
 	fi
 
-	# Apply checkpoint options as config overrides
+	# Apply checkpoint options as config overrides (gated by -co allowlist)
 	if [ -n "$_ckpt_options" ]; then
-		local _opt
+		local _opt _co_allowed_pat
+		_build_co_allowed_pattern _co_allowed_pat
 		local _saved_ifs="$IFS"
 		IFS=','
 		for _opt in $_ckpt_options; do
 			IFS="$_saved_ifs"
 			# Each _opt is "key=value" — apply to shell environment
 			local _opt_key="${_opt%%=*}"
 			local _opt_val="${_opt#*=}"
-			# Validate key is a safe identifier (word chars only) to prevent eval injection
-			if [ -n "$_opt_key" ] && [[ "$_opt_key" =~ ^[a-zA-Z_][a-zA-Z0-9_]*$ ]]; then
-				eval "$_opt_key=\"\$_opt_val\""
+			# Validate key against -co allowlist (rejects PATH, IFS, LD_PRELOAD, etc.)
+			if [ -n "$_opt_key" ] && [[ "$_opt_key" =~ $_co_allowed_pat ]]; then
+				printf -v "$_opt_key" '%s' "$_opt_val"
+			else
+				eout "{lifecycle} warning: rejected unknown checkpoint option: $_opt_key" 1
 			fi
 		done
 		IFS="$_saved_ifs"

files/internals/lmd_session.sh

@@ -354,6 +354,10 @@ view_report() {
 		if _lifecycle_list_active "text" "0" 2>/dev/null; then
 			echo
 		fi
+		# Show stopped/checkpointed scans that can be resumed
+		if _lifecycle_list_stopped 2>/dev/null; then  # safe: stderr "No stopped scans." suppressed on empty result
+			echo
+		fi
 		tmpf=$(mktemp "$tmpdir/.areps.XXXXXX")
 		local _index_file="$sessdir/session.index"
 		local _seen_ids=""

tests/39-lifecycle-list.bats

@@ -449,3 +449,71 @@ EOF
     first_line=$(echo "$output" | head -1)
     [[ "$first_line" == Active* ]]
 }
+
+# ========================================================================
+# _lifecycle_list_stopped — no stopped scans
+# ========================================================================
+
+@test "lifecycle list_stopped: returns 1 when no meta files exist" {
+    _source_lmd_stack
+    rm -f "$sessdir"/scan.meta.* "$sessdir"/scan.checkpoint.*
+    run _lifecycle_list_stopped
+    [ "$status" -eq 1 ]
+    [ -z "$output" ]
+}
+
+@test "lifecycle list_stopped: returns 1 when only running scans exist" {
+    _source_lmd_stack
+    rm -f "$sessdir"/scan.meta.* "$sessdir"/scan.checkpoint.*
+    _create_meta_file "260328-1900.$$" "$$" "running" "/home"
+    run _lifecycle_list_stopped
+    [ "$status" -eq 1 ]
+}
+
+@test "lifecycle list_stopped: returns 1 when stopped scan has no checkpoint file" {
+    _source_lmd_stack
+    rm -f "$sessdir"/scan.meta.* "$sessdir"/scan.checkpoint.*
+    _create_meta_file "260328-1901.99999" "99999" "stopped" "/home"
+    # No checkpoint file created — should not appear
+    run _lifecycle_list_stopped
+    [ "$status" -eq 1 ]
+}
+
+# ========================================================================
+# _lifecycle_list_stopped — with stopped scans
+# ========================================================================
+
+@test "lifecycle list_stopped: shows stopped scan with checkpoint" {
+    _source_lmd_stack
+    rm -f "$sessdir"/scan.meta.* "$sessdir"/scan.checkpoint.*
+    local scanid="260328-1910.99999"
+    _create_meta_file "$scanid" "99999" "stopped" "/home/user" "5000" "4"
+    # Add stopped metadata
+    echo "stopped=$(date +%s)" >> "$sessdir/scan.meta.$scanid"
+    echo "stopped_hr=$(date '+%b %d %Y %H:%M:%S %z')" >> "$sessdir/scan.meta.$scanid"
+    echo "stage=hex" >> "$sessdir/scan.meta.$scanid"
+    # Create checkpoint file
+    printf '#LMD_CHECKPOINT:v1\nscanid=%s\nstage=hex\n' "$scanid" > "$sessdir/scan.checkpoint.$scanid"
+    run _lifecycle_list_stopped
+    [ "$status" -eq 0 ]
+    assert_output --partial "Stopped scans (1):"
+    assert_output --partial "$scanid"
+    assert_output --partial "resume: maldet --continue"
+}
+
+@test "lifecycle list_stopped: shows correct column headers" {
+    _source_lmd_stack
+    rm -f "$sessdir"/scan.meta.* "$sessdir"/scan.checkpoint.*
+    local scanid="260328-1911.99999"
+    _create_meta_file "$scanid" "99999" "stopped" "/var/www"
+    echo "stage=md5" >> "$sessdir/scan.meta.$scanid"
+    printf '#LMD_CHECKPOINT:v1\nscanid=%s\nstage=md5\n' "$scanid" > "$sessdir/scan.checkpoint.$scanid"
+    run _lifecycle_list_stopped
+    [ "$status" -eq 0 ]
+    assert_output --partial "SCANID"
+    assert_output --partial "STAGE"
+    assert_output --partial "FILES"
+    assert_output --partial "HITS"
+    assert_output --partial "STOPPED"
+    assert_output --partial "PATH"
+}

tests/42-lifecycle-stop.bats

@@ -692,3 +692,58 @@ _source_lmd_stack() {
     found=$(grep -A5 '_engine_type="clamav"' "$scan_src" | grep -c 'clamdscan' || echo 0)
     [ "$found" -gt 0 ]
 }
+
+# ========================================================================
+# _lifecycle_continue — allowlist rejection (security)
+# ========================================================================
+
+@test "lifecycle_continue: rejects PATH in checkpoint options" {
+    _source_lmd_stack
+    local scanid="260328-4050.$$"
+    printf '#LMD_CHECKPOINT:v1\nscanid=%s\nstage=hex\nsig_version=2026032601\nworkers=4\ntotal_files=100\nhits_so_far=0\noptions=PATH=/evil/bin,scan_yara=0\nstopped=1774588200\nstopped_hr=Mar 27 2026 20:30:00 +0000\n' "$scanid" > "$sessdir/scan.checkpoint.$scanid"
+    echo "2026032601" > "$sigdir/maldet.sigs.ver"
+    run _lifecycle_continue "$scanid"
+    [ "$status" -eq 0 ]
+    assert_output --partial "rejected unknown checkpoint option: PATH"
+}
+
+@test "lifecycle_continue: rejects IFS in checkpoint options" {
+    _source_lmd_stack
+    local scanid="260328-4051.$$"
+    printf '#LMD_CHECKPOINT:v1\nscanid=%s\nstage=hex\nsig_version=2026032601\nworkers=4\ntotal_files=100\nhits_so_far=0\noptions=IFS=x,scan_clamscan=0\nstopped=1774588200\nstopped_hr=Mar 27 2026 20:30:00 +0000\n' "$scanid" > "$sessdir/scan.checkpoint.$scanid"
+    echo "2026032601" > "$sigdir/maldet.sigs.ver"
+    run _lifecycle_continue "$scanid"
+    [ "$status" -eq 0 ]
+    assert_output --partial "rejected unknown checkpoint option: IFS"
+}
+
+@test "lifecycle_continue: rejects LD_PRELOAD in checkpoint options" {
+    _source_lmd_stack
+    local scanid="260328-4052.$$"
+    printf '#LMD_CHECKPOINT:v1\nscanid=%s\nstage=hex\nsig_version=2026032601\nworkers=4\ntotal_files=100\nhits_so_far=0\noptions=LD_PRELOAD=/evil.so,quarantine_hits=1\nstopped=1774588200\nstopped_hr=Mar 27 2026 20:30:00 +0000\n' "$scanid" > "$sessdir/scan.checkpoint.$scanid"
+    echo "2026032601" > "$sigdir/maldet.sigs.ver"
+    run _lifecycle_continue "$scanid"
+    [ "$status" -eq 0 ]
+    assert_output --partial "rejected unknown checkpoint option: LD_PRELOAD"
+}
+
+@test "lifecycle_continue: rejects inspath in checkpoint options" {
+    _source_lmd_stack
+    local scanid="260328-4053.$$"
+    printf '#LMD_CHECKPOINT:v1\nscanid=%s\nstage=hex\nsig_version=2026032601\nworkers=4\ntotal_files=100\nhits_so_far=0\noptions=inspath=/tmp/evil\nstopped=1774588200\nstopped_hr=Mar 27 2026 20:30:00 +0000\n' "$scanid" > "$sessdir/scan.checkpoint.$scanid"
+    echo "2026032601" > "$sigdir/maldet.sigs.ver"
+    run _lifecycle_continue "$scanid"
+    [ "$status" -eq 0 ]
+    assert_output --partial "rejected unknown checkpoint option: inspath"
+}
+
+@test "lifecycle_continue: accepts allowlisted option alongside rejected one" {
+    _source_lmd_stack
+    local scanid="260328-4054.$$"
+    printf '#LMD_CHECKPOINT:v1\nscanid=%s\nstage=hex\nsig_version=2026032601\nworkers=4\ntotal_files=100\nhits_so_far=0\noptions=scan_clamscan=1,BASH_ENV=/evil,quarantine_hits=0\nstopped=1774588200\nstopped_hr=Mar 27 2026 20:30:00 +0000\n' "$scanid" > "$sessdir/scan.checkpoint.$scanid"
+    echo "2026032601" > "$sigdir/maldet.sigs.ver"
+    run _lifecycle_continue "$scanid"
+    [ "$status" -eq 0 ]
+    assert_output --partial "rejected unknown checkpoint option: BASH_ENV"
+    assert_output --partial "resuming scan"
+}