fix: keep provider secrets out of agent sandbox#73

Open
LIghtJUNction wants to merge 1 commit into main from codex/fix-provider-secrets-exposure-issue

Conversation

@LIghtJUNction LIghtJUNction commented Jun 30, 2026

Owner

Motivation

  • Prevent accidental exposure of system provider API secrets to untrusted agent processes and their bubblewrap sandbox by removing the path/materialization and avoiding forwarding secret env entries into agent execution environments.

Description

  • Stop opening and injecting provider system secret metadata into the socket-activated agent runtime by removing the open_provider_system_secret_for_model usage in the agent runtime and no longer extending runtime_env with secret metadata.
  • Remove CTX_PROVIDER_SECRET_PATH from ProviderSystemSecretHandle::env() and drop the stored path field so the handle only reports the inherited fd/provider/slot identifiers.
  • Filter all CTX_PROVIDER_SECRET_* variables out of apply_agent_executable_socket_env and the bubblewrap --setenv argument builder, and remove the --ro-bind-data secret materialization path by deleting bwrap_provider_secret_bind_args and adding is_provider_secret_env helper.
  • Update the unit test agent_executable_socket_bwrap_args_apply_agent_sandbox to assert provider secret fd/path are not set in --setenv and are not materialized with --ro-bind-data.

Testing

  • Ran cargo fmt --check which succeeded.
  • Ran cargo check --locked -p cortexfs --all-targets --all-features which succeeded.
  • Ran targeted unit tests cargo test -p cortexfs agent_executable_socket_bwrap_args_apply_agent_sandbox -- --nocapture and cargo test -p cortexfs provider_secret_from_inherited_fd_reads_regular_secret_file -- --nocapture, both of which passed.
  • Ran a broader cargo test -p cortexfs --lib; many tests passed but some unrelated, environment-sensitive root_bootstrap_* ownership assertions failed and one long-running cancel test exceeded the timeout, so the full suite was not completed to termination in this environment.

Codex Task

Summary by Sourcery

Prevent provider system secrets from being exposed to agent runtime and sandbox environments.

Bug Fixes:

  • Ensure provider secret environment variables are excluded from agent runtime and bubblewrap sandbox environments.

Enhancements:

  • Remove provider secret path handling and bind-data/materialization from the sandbox setup, keeping only fd/provider/slot identifiers.
  • Update agent runtime to stop opening and injecting provider system secrets into the agent execution environment.
  • Adjust unit tests to assert that provider secrets are no longer passed via environment or materialized in the sandbox.

Tests:

  • Extend agent sandbox tests to verify provider secret env vars and bind-data arguments are omitted.

sourcery-ai Bot commented Jun 30, 2026

Reviewer's Guide

This PR removes propagation and materialization of provider system secrets into the agent runtime and its bubblewrap sandbox, instead filtering out all provider-secret-related env vars and eliminating the ro-bind/ro-bind-data secret path usage, while simplifying the provider secret handle to only expose fd and identifier metadata.

Sequence diagram for filtered provider secret env in agent sandbox

sequenceDiagram
    actor Operator
    participant AgentRuntime as cortexfs_agent_runtime
    participant CortexfsLib as cortexfs
    participant Sandbox as bubblewrap

    Operator->>AgentRuntime: run(args)
    AgentRuntime->>AgentRuntime: view.env() -> runtime_env
    AgentRuntime->>AgentRuntime: runtime_env.push(CTX_AGENT_MODEL_OVERRIDE)
    AgentRuntime->>CortexfsLib: serve_agent_executable_socket_listener_once(listener, agent_executable, runtime_env, policy)
    CortexfsLib->>CortexfsLib: apply_agent_executable_socket_env(runtime)
    CortexfsLib->>CortexfsLib: is_provider_secret_env(name) [filter CTX_PROVIDER_SECRET_*]
    CortexfsLib->>CortexfsLib: agent_executable_socket_bwrap_args(request)
    CortexfsLib->>CortexfsLib: is_provider_secret_env(name) [filter CTX_PROVIDER_SECRET_*]
    CortexfsLib->>Sandbox: exec agent with bwrap args
    Sandbox-->>Operator: agent runs without provider secrets in env or ro-bind-data

File-Level Changes

Change: Filter provider secret environment variables out of the agent executable socket environment and bubblewrap sandbox args so secrets never reach the agent process or its sandbox.
Details:
  • Updated apply_agent_executable_socket_env to skip provider secret env entries via a new helper filter.
  • Updated agent_executable_socket_bwrap_args to only generate --setenv entries for non-provider-secret env vars.
  • Removed provider secret bind argument construction from bubblewrap args so no ro-bind / ro-bind-data is used for secrets.
  • Added is_provider_secret_env helper to centralize detection of provider secret env variables.
Files: crates/cortexfs/src/socket_runtime.rs

Change: Stop opening provider system secrets for the agent runtime and prevent extending its environment with provider secret metadata.
Details:
  • Removed the call to open_provider_system_secret_for_model in the agent runtime startup.
  • Stopped extending the runtime environment with provider secret handle env metadata before launching the agent.
Files: crates/cortexfs/src/bin/cortexfs-agent-runtime.rs

Change: Simplify ProviderSystemSecretHandle to no longer track or expose a filesystem path and to reduce its env metadata to only the secret fd and identifiers.
Details:
  • Removed the stored path field from ProviderSystemSecretHandle and its construction in open_provider_system_secret.
  • Adjusted ProviderSystemSecretHandle::env to drop CTX_PROVIDER_SECRET_PATH and return three env vars instead of four.
  • Updated documentation comment for env to reflect that only an fd and slot identifiers are exposed.
Files: crates/cortexfs/src/provider_name.rs

Change: Strengthen the agent execution policy unit test to assert that provider secrets are neither exported via --setenv nor materialized via bubblewrap bind args.
Details:
  • Extended agent_executable_socket_bwrap_args_apply_agent_sandbox to assert absence of CTX_PROVIDER_SECRET_FD and CTX_PROVIDER_SECRET_PATH in --setenv.
  • Updated the test to assert that no --ro-bind-data is present for the provider secret fd/path in the sandbox args.
Files: crates/cortexfs/tests/unit/lib/agent_execution_policy.rs

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've left some high level feedback:

  • The provider secret env filtering logic is duplicated between apply_agent_executable_socket_env and agent_executable_socket_bwrap_args; consider centralizing this into a shared helper that takes an iterator of env pairs and returns a filtered iterator to keep behavior consistent.
  • The is_provider_secret_env matcher hard-codes the current secret env var names; if more provider secret metadata envs are added in the future, it might be safer to group these names in a single constant or module-level list used both for construction and filtering to avoid drift.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The provider secret env filtering logic is duplicated between `apply_agent_executable_socket_env` and `agent_executable_socket_bwrap_args`; consider centralizing this into a shared helper that takes an iterator of env pairs and returns a filtered iterator to keep behavior consistent.
- The `is_provider_secret_env` matcher hard-codes the current secret env var names; if more provider secret metadata envs are added in the future, it might be safer to group these names in a single constant or module-level list used both for construction and filtering to avoid drift.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
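The CTX_PROVIDER_SECRET_* filter and bubblewrap --setenv builder the PR description lays out, with the review's shared-helper suggestion applied, as an added Rust example that is not cortexfs code. Only is_provider_secret_env, CTX_PROVIDER_SECRET_FD and CTX_PROVIDER_SECRET_PATH come from the page; the other helper names and the sample env values are assumptions.

```rust
// Added example, not cortexfs code: the CTX_PROVIDER_SECRET_* filter and bwrap
// `--setenv` builder the PR describes, with the review's shared-helper suggestion
// applied. Names other than is_provider_secret_env, and sample values, are assumed.

/// Shared prefix of every provider-secret metadata variable (FD, PATH, ...).
const PROVIDER_SECRET_ENV_PREFIX: &str = "CTX_PROVIDER_SECRET_";

/// Case-sensitive match, as Linux environment names are.
pub fn is_provider_secret_env(name: &str) -> bool {
    name.starts_with(PROVIDER_SECRET_ENV_PREFIX)
}

/// One filter used by both the socket env and the bwrap argument builder,
/// so the two code paths cannot drift apart.
pub fn filter_provider_secret_env<'a>(
    env: impl IntoIterator<Item = (&'a str, &'a str)>,
) -> impl Iterator<Item = (&'a str, &'a str)> {
    env.into_iter().filter(|(name, _)| !is_provider_secret_env(name))
}

/// Emits `--setenv NAME VALUE` for each surviving entry; no `--ro-bind-data`
/// is ever produced for a secret, so nothing is materialized in the sandbox.
pub fn bwrap_setenv_args<'a>(env: impl IntoIterator<Item = (&'a str, &'a str)>) -> Vec<String> {
    filter_provider_secret_env(env)
        .flat_map(|(n, v)| ["--setenv".to_string(), n.to_string(), v.to_string()])
        .collect()
}

/// Pre-exec audit mirroring the PR's unit test: no secret name behind
/// `--setenv`, and no `--ro-bind-data` of the secret fd (if one was opened).
pub fn args_leak_provider_secret(args: &[String], secret_fd: Option<&str>) -> bool {
    args.windows(2).any(|w| match w[0].as_str() {
        "--setenv" => is_provider_secret_env(&w[1]),
        "--ro-bind-data" => secret_fd == Some(w[1].as_str()),
        _ => false,
    })
}

/// Constructed runtime env in the shape the agent runtime forwarded before the fix.
pub fn sample_runtime_env() -> Vec<(&'static str, &'static str)> {
    vec![
        ("CTX_AGENT_MODEL_OVERRIDE", "example-model"),
        ("CTX_PROVIDER_SECRET_FD", "7"),
        ("CTX_PROVIDER_SECRET_PATH", "/proc/self/fd/7"),
        ("HOME", "/home/agent"),
    ]
}
```

Running bwrap_setenv_args over sample_runtime_env yields only the CTX_AGENT_MODEL_OVERRIDE and HOME triples, and args_leak_provider_secret on that argv returns false.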
