diff --git a/crates/cortexfs/src/bin/cortexfs-agent-runtime.rs b/crates/cortexfs/src/bin/cortexfs-agent-runtime.rs index 56ba586..73d98e7 100644 --- a/crates/cortexfs/src/bin/cortexfs-agent-runtime.rs +++ b/crates/cortexfs/src/bin/cortexfs-agent-runtime.rs @@ -57,16 +57,10 @@ fn run(args: Vec) -> Result<(), String> { "default", PolicyPermission::Connect, ); - let provider_secret = - cortexfs::open_provider_system_secret_for_model(&config.source, view.model()) - .map_err(|_error| format!("provider secret unavailable: {}", view.model()))?; let mut runtime_env = view.env().to_vec(); if runtime_model != view.model() { runtime_env.push(("CTX_AGENT_MODEL_OVERRIDE".to_owned(), runtime_model.clone())); } - if let Some(secret) = provider_secret.as_ref() { - runtime_env.extend(secret.env()); - } let agent_executable = runtime_agent_executable(Path::new(cortexfs::CTX_ROOT), &config.agent); let result = serve_agent_executable_socket_listener_once( &listener, diff --git a/crates/cortexfs/src/provider_name.rs b/crates/cortexfs/src/provider_name.rs index 1c5e774..cd1f43c 100644 --- a/crates/cortexfs/src/provider_name.rs +++ b/crates/cortexfs/src/provider_name.rs @@ -160,7 +160,6 @@ pub fn open_provider_system_secret( Ok(Some(ProviderSystemSecretHandle { provider: provider.to_owned(), account: account.to_owned(), - path, file, })) } @@ -198,7 +197,6 @@ pub enum ProviderSystemSecretError { pub struct ProviderSystemSecretHandle { provider: String, account: String, - path: PathBuf, file: File, } @@ -230,19 +228,15 @@ impl ProviderSystemSecret { impl ProviderSystemSecretHandle { /// Environment metadata for passing this already-open secret fd. /// - /// These variables contain no secret material; they identify only an fd/path + /// These variables contain no secret material; they identify only an fd /// and the provider slot it belongs to. #[must_use] - pub fn env(&self) -> [(String, String); 4] { + pub fn env(&self) -> [(String, String); 3] { [ ( "CTX_PROVIDER_SECRET_FD".to_owned(), self.file.as_raw_fd().to_string(), ), - ( - "CTX_PROVIDER_SECRET_PATH".to_owned(), - self.path.display().to_string(), - ), ( "CTX_PROVIDER_SECRET_PROVIDER".to_owned(), self.provider.clone(), diff --git a/crates/cortexfs/src/socket_runtime.rs b/crates/cortexfs/src/socket_runtime.rs index 9e376af..bae8ac3 100644 --- a/crates/cortexfs/src/socket_runtime.rs +++ b/crates/cortexfs/src/socket_runtime.rs @@ -490,6 +490,7 @@ fn apply_agent_executable_socket_env( runtime .env .iter() + .filter(|env| !is_provider_secret_env(&env.0)) .map(|env| (env.0.as_str(), env.1.as_str())), ) .env("CTX_AGENT", runtime.agent_name) @@ -504,7 +505,12 @@ pub(crate) fn agent_executable_socket_bwrap_args( request: &BwrapAgentExecutableArgs<'_>, ) -> Vec { let mut bwrap = vec!["--clearenv".to_owned()]; - for env in request.runtime.env { + for env in request + .runtime + .env + .iter() + .filter(|env| !is_provider_secret_env(&env.0)) + { bwrap.extend(["--setenv".to_owned(), env.0.clone(), env.1.clone()]); } bwrap.extend([ @@ -559,7 +565,6 @@ pub(crate) fn agent_executable_socket_bwrap_args( if !request.runtime.network_allowed { bwrap.push("--unshare-net".to_owned()); } - bwrap.extend(bwrap_provider_secret_bind_args(request.runtime.env)); bwrap.extend(bwrap_source_root_bind_args(request.runtime.source_root)); if let Some(timing) = request.debug { bwrap.extend([ @@ -603,32 +608,14 @@ fn bwrap_source_root_bind_args(source_root: &Path) -> Vec { args } -fn bwrap_provider_secret_bind_args(env: &[(String, String)]) -> Vec { - let fd = env - .iter() - .find(|entry| entry.0 == "CTX_PROVIDER_SECRET_FD") - .map(|entry| entry.1.as_str()); - let Some(path) = env - .iter() - .find(|entry| entry.0 == "CTX_PROVIDER_SECRET_PATH") - .map(|entry| entry.1.as_str()) - else { - return Vec::new(); - }; - if !path.starts_with('/') { - return Vec::new(); - } - let mut args = bwrap_dir_args_for_parent(path); - if let Some(fd) = fd.filter(|fd| !fd.is_empty() && fd.bytes().all(|byte| byte.is_ascii_digit())) - { - args.push("--ro-bind-data".to_owned()); - args.push(fd.to_owned()); - } else { - args.push("--ro-bind".to_owned()); - args.push(path.to_owned()); - } - args.push(path.to_owned()); - args +fn is_provider_secret_env(name: &str) -> bool { + matches!( + name, + "CTX_PROVIDER_SECRET_FD" + | "CTX_PROVIDER_SECRET_PATH" + | "CTX_PROVIDER_SECRET_PROVIDER" + | "CTX_PROVIDER_SECRET_SLOT" + ) } fn bwrap_dir_args_for_parent(path: &str) -> Vec { diff --git a/crates/cortexfs/tests/unit/lib/agent_execution_policy.rs b/crates/cortexfs/tests/unit/lib/agent_execution_policy.rs index 524cc41..93f2dc3 100644 --- a/crates/cortexfs/tests/unit/lib/agent_execution_policy.rs +++ b/crates/cortexfs/tests/unit/lib/agent_execution_policy.rs @@ -722,7 +722,19 @@ fn agent_executable_socket_bwrap_args_apply_agent_sandbox() { "CTX_AGENT_HISTORY_MESSAGES", "- user: hi" )); - assert!(contains_arg_triplet( + assert!(!contains_arg_triplet( + &args, + "--setenv", + "CTX_PROVIDER_SECRET_FD", + "9" + )); + assert!(!contains_arg_triplet( + &args, + "--setenv", + "CTX_PROVIDER_SECRET_PATH", + "/run/user/1000/cortexfs/credentials/coder-default" + )); + assert!(!contains_arg_triplet( &args, "--ro-bind-data", "9",