fix: keep provider secrets out of agent sandbox #73
Open
LIghtJUNction wants to merge 1 commit into
Reviewer's Guide

This PR removes propagation and materialization of provider system secrets into the agent runtime and its bubblewrap sandbox, instead filtering out all provider-secret-related env vars and eliminating the ro-bind/ro-bind-data secret path usage, while simplifying the provider secret handle to only expose fd and identifier metadata.

Sequence diagram for filtered provider secret env in agent sandbox:

```mermaid
sequenceDiagram
    actor Operator
    participant AgentRuntime as cortexfs_agent_runtime
    participant CortexfsLib as cortexfs
    participant Sandbox as bubblewrap
    Operator->>AgentRuntime: run(args)
    AgentRuntime->>AgentRuntime: view.env() -> runtime_env
    AgentRuntime->>AgentRuntime: runtime_env.push(CTX_AGENT_MODEL_OVERRIDE)
    AgentRuntime->>CortexfsLib: serve_agent_executable_socket_listener_once(listener, agent_executable, runtime_env, policy)
    CortexfsLib->>CortexfsLib: apply_agent_executable_socket_env(runtime)
    CortexfsLib->>CortexfsLib: is_provider_secret_env(name) [filter CTX_PROVIDER_SECRET_*]
    CortexfsLib->>CortexfsLib: agent_executable_socket_bwrap_args(request)
    CortexfsLib->>CortexfsLib: is_provider_secret_env(name) [filter CTX_PROVIDER_SECRET_*]
    CortexfsLib->>Sandbox: exec agent with bwrap args
    Sandbox-->>Operator: agent runs without provider secrets in env or ro-bind-data
```

File-Level Changes
Hey - I've left some high level feedback:

- The provider secret env filtering logic is duplicated between `apply_agent_executable_socket_env` and `agent_executable_socket_bwrap_args`; consider centralizing this into a shared helper that takes an iterator of env pairs and returns a filtered iterator to keep behavior consistent.
- The `is_provider_secret_env` matcher hard-codes the current secret env var names; if more provider secret metadata envs are added in the future, it might be safer to group these names in a single constant or module-level list used both for construction and filtering to avoid drift.
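The shape the review comment asks for, as an added example that is not cortexfs code: one module-level list of provider secret variable names feeds both `is_provider_secret_env` and a shared filter over env pairs, and both the child-env applier and the bubblewrap `--setenv` builder call that filter. Of the names listed, only `CTX_PROVIDER_SECRET_PATH` appears in the PR; the fd, provider and slot names, the function names other than `is_provider_secret_env`, and the argv layout are assumptions. A leak-check helper mirrors the assertion the PR's regression test makes (no secret in `--setenv`, no `--ro-bind-data`).

```rust
// Added example, not cortexfs code: the shared helper the review asks for.
// One module-level list drives both the matcher and the filter, and both the
// child-env applier and the bubblewrap `--setenv` builder call that filter.
// Variable names other than CTX_PROVIDER_SECRET_PATH are assumptions.

/// Prefix shared by every provider secret metadata variable (from the PR's
/// `CTX_PROVIDER_SECRET_*` pattern).
pub const PROVIDER_SECRET_ENV_PREFIX: &str = "CTX_PROVIDER_SECRET_";

/// Names known today. Construction and filtering both read this list, so a new
/// name added here is filtered automatically instead of drifting out of sync.
pub const PROVIDER_SECRET_ENV_NAMES: &[&str] = &[
    "CTX_PROVIDER_SECRET_FD",       // assumed name for the inherited fd number
    "CTX_PROVIDER_SECRET_PATH",     // the name the PR removes from the handle
    "CTX_PROVIDER_SECRET_PROVIDER", // assumed name for the provider identifier
    "CTX_PROVIDER_SECRET_SLOT",     // assumed name for the slot identifier
];

/// True when `name` must never reach the agent's environment. The prefix check
/// also catches future `CTX_PROVIDER_SECRET_*` names before they are listed.
pub fn is_provider_secret_env(name: &str) -> bool {
    PROVIDER_SECRET_ENV_NAMES.contains(&name) || name.starts_with(PROVIDER_SECRET_ENV_PREFIX)
}

/// The shared filter: takes any iterator of env pairs and yields only the ones
/// that are safe to forward. Both callers below go through it.
pub fn filter_provider_secret_env<I, K, V>(env: I) -> impl Iterator<Item = (K, V)>
where
    I: IntoIterator<Item = (K, V)>,
    K: AsRef<str>,
{
    env.into_iter().filter(|(k, _)| !is_provider_secret_env(k.as_ref()))
}

/// Caller 1: the environment handed to the agent executable over the socket.
pub fn apply_agent_env<I, K, V>(runtime_env: I) -> Vec<(String, String)>
where
    I: IntoIterator<Item = (K, V)>,
    K: AsRef<str>,
    V: AsRef<str>,
{
    filter_provider_secret_env(runtime_env)
        .map(|(k, v)| (k.as_ref().to_string(), v.as_ref().to_string()))
        .collect()
}

/// Caller 2: the `--setenv NAME VALUE` triples for bubblewrap. No
/// `--ro-bind-data` is emitted; the secret stays behind its inherited fd.
pub fn bwrap_setenv_args<I, K, V>(runtime_env: I) -> Vec<String>
where
    I: IntoIterator<Item = (K, V)>,
    K: AsRef<str>,
    V: AsRef<str>,
{
    let mut args = Vec::new();
    for (k, v) in filter_provider_secret_env(runtime_env) {
        args.push("--setenv".to_string());
        args.push(k.as_ref().to_string());
        args.push(v.as_ref().to_string());
    }
    args
}

/// The check the PR's regression test performs, in reusable form: scan the
/// final bwrap argv and report the first provider secret that would leak via
/// `--setenv` or be materialized via `--ro-bind-data`.
pub fn find_provider_secret_leak(args: &[String]) -> Option<String> {
    let mut i = 0;
    while i < args.len() {
        match args[i].as_str() {
            "--setenv" if i + 1 < args.len() && is_provider_secret_env(&args[i + 1]) => {
                return Some(format!("--setenv {}", args[i + 1]));
            }
            "--ro-bind-data" => return Some("--ro-bind-data".to_string()),
            _ => {}
        }
        i += 1;
    }
    None
}

fn main() {
    // Constructed runtime env: benign entries plus two secret metadata vars.
    let runtime_env = vec![
        ("CTX_AGENT_MODEL_OVERRIDE", "gpt-test"),
        ("CTX_PROVIDER_SECRET_FD", "7"),
        ("CTX_PROVIDER_SECRET_PATH", "/run/cortexfs/secret"),
        ("PATH", "/usr/bin"),
    ];
    let args = bwrap_setenv_args(runtime_env.clone());
    println!("bwrap args: {:?}", args);
    println!("leak check: {:?}", find_provider_secret_leak(&args));
    println!("agent env: {:?}", apply_agent_env(runtime_env));
}
```

Keeping the prefix check next to the explicit list means a newly introduced metadata variable is filtered even if someone forgets to add it to the list; the list still documents the names and lets `find_provider_secret_leak` stay a single source of truth for the sandbox test.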
Motivation
Description
- `open_provider_system_secret_for_model` usage in the agent runtime and no longer extending `runtime_env` with secret metadata.
- `CTX_PROVIDER_SECRET_PATH` from `ProviderSystemSecretHandle::env()` and drop the stored `path` field so the handle only reports the inherited fd/provider/slot identifiers.
- `CTX_PROVIDER_SECRET_*` variables out of `apply_agent_executable_socket_env` and the bubblewrap `--setenv` argument builder, and remove the `--ro-bind-data` secret materialization path by deleting `bwrap_provider_secret_bind_args` and adding `is_provider_secret_env` helper.
- `agent_executable_socket_bwrap_args_apply_agent_sandbox` to assert provider secret fd/path are not set in `--setenv` and are not materialized with `--ro-bind-data`.

Testing
- `cargo fmt --check`, which succeeded.
- `cargo check --locked -p cortexfs --all-targets --all-features`, which succeeded.
- `cargo test -p cortexfs agent_executable_socket_bwrap_args_apply_agent_sandbox -- --nocapture` and `cargo test -p cortexfs provider_secret_from_inherited_fd_reads_regular_secret_file -- --nocapture`, both of which passed.
- `cargo test -p cortexfs --lib`; many tests passed but some unrelated, environment-sensitive `root_bootstrap_*` ownership assertions failed and one long-running cancel test exceeded the timeout, so the full suite was not completed to termination in this environment.

Codex Task
Summary by Sourcery

Prevent provider system secrets from being exposed to agent runtime and sandbox environments.

Bug Fixes:

Enhancements:

Tests: