fix(provisioning): tighten service principal policy

Author: onutc

api/main.go

@@ -330,6 +330,9 @@ func (s *server) createSpritz(c echo.Context) error {
 	if err != nil {
 		return writeError(c, http.StatusBadRequest, err.Error())
 	}
+	if principal.isService() && len(userConfigKeys) > 0 {
+		return writeError(c, http.StatusBadRequest, "userConfig is not allowed for service principals")
+	}
 	var normalizedUserConfig json.RawMessage
 	if len(userConfigKeys) > 0 {
 		normalized, err := normalizeUserConfig(s.userConfigPolicy, userConfigKeys, userConfigPayload)
@@ -343,6 +346,12 @@ func (s *server) createSpritz(c echo.Context) error {
 		}
 		normalizedUserConfig = encodedUserConfig
 		applyUserConfig(&body.Spec, userConfigKeys, userConfigPayload)
+		if _, ok := userConfigKeys["image"]; ok {
+			requestedImage = strings.TrimSpace(body.Spec.Image) != ""
+		}
+		if _, ok := userConfigKeys["repo"]; ok {
+			requestedRepo = body.Spec.Repo != nil || len(body.Spec.Repos) > 0
+		}
 	}
 
 	if body.Spec.Image == "" {
@@ -403,7 +412,7 @@ func (s *server) createSpritz(c echo.Context) error {
 		if !nameProvided {
 			fingerprintName = ""
 		}
-		fingerprint, err := s.validateProvisionerCreate(c.Request().Context(), principal, namespace, &body, normalizedUserConfig, requestedImage, requestedRepo, requestedNamespace, fingerprintName)
+		fingerprint, err := s.validateProvisionerCreate(c.Request().Context(), principal, namespace, &body, normalizedUserConfig, userConfigKeys, requestedImage, requestedRepo, requestedNamespace, fingerprintName)
 		if err != nil {
 			if errors.Is(err, errForbidden) {
 				return writeError(c, http.StatusForbidden, "forbidden")

api/main_create_owner_test.go

@@ -470,3 +470,67 @@ func TestCreateSpritzRetriesGeneratedServiceNameAfterAlreadyExists(t *testing.T)
 		t.Fatalf("expected second generated name after race, got %#v", name)
 	}
 }
+
+func TestCreateSpritzRejectsProvisionerLowLevelSpecFields(t *testing.T) {
+	s := newCreateSpritzTestServer(t)
+	configureProvisionerTestServer(s)
+	e := echo.New()
+	secured := e.Group("", s.authMiddleware())
+	secured.POST("/api/spritzes", s.createSpritz)
+
+	body := []byte(`{
+		"presetId":"openclaw",
+		"ownerId":"user-123",
+		"idempotencyKey":"discord-low-level",
+		"spec":{
+			"env":[{"name":"SHOULD_NOT_PASS","value":"1"}]
+		}
+	}`)
+	req := httptest.NewRequest(http.MethodPost, "/api/spritzes", bytes.NewReader(body))
+	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	req.Header.Set("X-Spritz-User-Id", "zenobot")
+	req.Header.Set("X-Spritz-Principal-Type", "service")
+	req.Header.Set("X-Spritz-Principal-Scopes", "spritz.instances.create,spritz.instances.assign_owner")
+	rec := httptest.NewRecorder()
+
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Fatalf("expected status 400, got %d: %s", rec.Code, rec.Body.String())
+	}
+	if !strings.Contains(rec.Body.String(), "spec.env is not allowed") {
+		t.Fatalf("expected low-level spec validation error, got %s", rec.Body.String())
+	}
+}
+
+func TestCreateSpritzRejectsProvisionerUserConfigOverrides(t *testing.T) {
+	s := newCreateSpritzTestServer(t)
+	configureProvisionerTestServer(s)
+	e := echo.New()
+	secured := e.Group("", s.authMiddleware())
+	secured.POST("/api/spritzes", s.createSpritz)
+
+	body := []byte(`{
+		"presetId":"openclaw",
+		"ownerId":"user-123",
+		"idempotencyKey":"discord-user-config",
+		"userConfig":{
+			"repo":{"url":"https://example.com/private.git"}
+		}
+	}`)
+	req := httptest.NewRequest(http.MethodPost, "/api/spritzes", bytes.NewReader(body))
+	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	req.Header.Set("X-Spritz-User-Id", "zenobot")
+	req.Header.Set("X-Spritz-Principal-Type", "service")
+	req.Header.Set("X-Spritz-Principal-Scopes", "spritz.instances.create,spritz.instances.assign_owner")
+	rec := httptest.NewRecorder()
+
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Fatalf("expected status 400, got %d: %s", rec.Code, rec.Body.String())
+	}
+	if !strings.Contains(rec.Body.String(), "userConfig is not allowed") {
+		t.Fatalf("expected service userConfig validation error, got %s", rec.Body.String())
+	}
+}

api/provisioning.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"reflect"
 	"sort"
 	"strings"
 	"time"
@@ -148,6 +149,58 @@ func normalizeCreateOwner(body *createRequest, principal principal, authEnabled
 	return owner, nil
 }
 
+func validateProvisionerRequestSurface(body *createRequest, userConfigKeys map[string]json.RawMessage) error {
+	if body == nil {
+		return nil
+	}
+	if len(userConfigKeys) > 0 {
+		return fmt.Errorf("userConfig is not allowed for service principals")
+	}
+	if body.Spec.Owner.Team != "" {
+		return fmt.Errorf("spec.owner.team is not allowed")
+	}
+	if len(body.Labels) > 0 {
+		return fmt.Errorf("labels are not allowed for service principals")
+	}
+	if len(body.Annotations) > 0 {
+		return fmt.Errorf("annotations are not allowed for service principals")
+	}
+	if len(body.Spec.Labels) > 0 {
+		return fmt.Errorf("spec.labels are not allowed")
+	}
+	if len(body.Spec.Annotations) > 0 {
+		return fmt.Errorf("spec.annotations are not allowed")
+	}
+	if len(body.Spec.Env) > 0 {
+		return fmt.Errorf("spec.env is not allowed")
+	}
+	if len(body.Spec.Repos) > 0 {
+		return fmt.Errorf("spec.repos is not allowed")
+	}
+	if body.Spec.Repo != nil && body.Spec.Repo.Auth != nil {
+		return fmt.Errorf("spec.repo.auth is not allowed")
+	}
+	if len(body.Spec.SharedMounts) > 0 {
+		return fmt.Errorf("spec.sharedMounts is not allowed")
+	}
+	if !reflect.DeepEqual(body.Spec.Resources, corev1.ResourceRequirements{}) {
+		return fmt.Errorf("spec.resources is not allowed")
+	}
+	if body.Spec.Features != nil {
+		return fmt.Errorf("spec.features is not allowed")
+	}
+	if body.Spec.SSH != nil {
+		return fmt.Errorf("spec.ssh is not allowed")
+	}
+	if len(body.Spec.Ports) > 0 {
+		return fmt.Errorf("spec.ports is not allowed")
+	}
+	if body.Spec.Ingress != nil {
+		return fmt.Errorf("spec.ingress is not allowed")
+	}
+	return nil
+}
+
 func provisionerSource(body *createRequest) string {
 	source := strings.TrimSpace(body.Source)
 	if source == "" {
@@ -182,7 +235,7 @@ func (p provisionerPolicy) validatePreset(presetID string) error {
 	return fmt.Errorf("preset is not allowed: %s", presetID)
 }
 
-func (s *server) validateProvisionerCreate(ctx context.Context, principal principal, namespace string, body *createRequest, userConfig json.RawMessage, requestedImage, requestedRepo, requestedNamespace bool, nameForFingerprint string) (string, error) {
+func (s *server) validateProvisionerCreate(ctx context.Context, principal principal, namespace string, body *createRequest, userConfig json.RawMessage, userConfigKeys map[string]json.RawMessage, requestedImage, requestedRepo, requestedNamespace bool, nameForFingerprint string) (string, error) {
 	if !principalCanUseProvisionerFlow(principal) {
 		return "", errForbidden
 	}
@@ -192,6 +245,11 @@ func (s *server) validateProvisionerCreate(ctx context.Context, principal princi
 	if err := authorizeServiceAction(principal, scopeInstancesAssignOwner, true); err != nil {
 		return "", err
 	}
+	if principal.isService() {
+		if err := validateProvisionerRequestSurface(body, userConfigKeys); err != nil {
+			return "", err
+		}
+	}
 	if requestedNamespace && !s.provisioners.allowNamespaceOverride {
 		return "", fmt.Errorf("namespace override is not allowed")
 	}

api/terminal.go

@@ -27,11 +27,12 @@ import (
 )
 
 type terminalConfig struct {
-	enabled        bool
-	containerName  string
-	command        []string
-	allowedOrigins map[string]struct{}
-	sessionMode    terminalSessionMode
+	enabled          bool
+	containerName    string
+	command          []string
+	allowedOrigins   map[string]struct{}
+	sessionMode      terminalSessionMode
+	activityDebounce time.Duration
 }
 
 type terminalSessionMode string
@@ -43,11 +44,12 @@ const (
 
 func newTerminalConfig() terminalConfig {
 	return terminalConfig{
-		enabled:        parseBoolEnv("SPRITZ_TERMINAL_ENABLED", true),
-		containerName:  envOrDefault("SPRITZ_TERMINAL_CONTAINER", "spritz"),
-		command:        splitCommand(envOrDefault("SPRITZ_TERMINAL_COMMAND", "bash -l")),
-		allowedOrigins: splitSet(os.Getenv("SPRITZ_TERMINAL_ORIGINS")),
-		sessionMode:    parseTerminalSessionMode(os.Getenv("SPRITZ_TERMINAL_SESSION_MODE")),
+		enabled:          parseBoolEnv("SPRITZ_TERMINAL_ENABLED", true),
+		containerName:    envOrDefault("SPRITZ_TERMINAL_CONTAINER", "spritz"),
+		command:          splitCommand(envOrDefault("SPRITZ_TERMINAL_COMMAND", "bash -l")),
+		allowedOrigins:   splitSet(os.Getenv("SPRITZ_TERMINAL_ORIGINS")),
+		sessionMode:      parseTerminalSessionMode(os.Getenv("SPRITZ_TERMINAL_SESSION_MODE")),
+		activityDebounce: parseDurationEnv("SPRITZ_TERMINAL_ACTIVITY_DEBOUNCE", 5*time.Second),
 	}
 }
 
@@ -233,16 +235,17 @@ func (s *server) streamTerminal(ctx context.Context, namespace, name string, pod
 	stdinReader, stdinWriter := io.Pipe()
 	sizeQueue := newTerminalSizeQueue()
 	wsWriter := &terminalWSWriter{conn: conn}
+	reportActivity := debounceTerminalActivity(s.terminal.activityDebounce, func() {
+		refreshCtx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if err := s.markSpritzActivity(refreshCtx, namespace, name, time.Now()); err != nil {
+			log.Printf("spritz terminal: failed to refresh activity name=%s namespace=%s pod=%s err=%v", name, namespace, pod.Name, err)
+		}
+	})
 
 	readErr := make(chan error, 1)
 	go func() {
-		readErr <- readTerminalInput(ctx, conn, stdinWriter, sizeQueue, func() {
-			refreshCtx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
-			defer cancel()
-			if err := s.markSpritzActivity(refreshCtx, namespace, name, time.Now()); err != nil {
-				log.Printf("spritz terminal: failed to refresh activity name=%s namespace=%s pod=%s err=%v", name, namespace, pod.Name, err)
-			}
-		})
+		readErr <- readTerminalInput(ctx, conn, stdinWriter, sizeQueue, reportActivity)
 	}()
 
 	streamErr := executor.StreamWithContext(ctx, remotecommand.StreamOptions{
@@ -303,6 +306,28 @@ func readTerminalInput(ctx context.Context, conn *websocket.Conn, stdin *io.Pipe
 	}
 }
 
+func debounceTerminalActivity(interval time.Duration, report func()) func() {
+	if report == nil {
+		return func() {}
+	}
+	if interval <= 0 {
+		return report
+	}
+	var mu sync.Mutex
+	var last time.Time
+	return func() {
+		now := time.Now()
+		mu.Lock()
+		if !last.IsZero() && now.Sub(last) < interval {
+			mu.Unlock()
+			return
+		}
+		last = now
+		mu.Unlock()
+		report()
+	}
+}
+
 func handleResize(payload []byte, sizeQueue *terminalSizeQueue) bool {
 	var msg resizeMessage
 	if err := json.Unmarshal(payload, &msg); err != nil {

api/terminal_test.go

@@ -85,3 +85,23 @@ func TestReadTerminalInputInvokesActivityCallbackOnInput(t *testing.T) {
 		t.Fatal("timed out waiting for terminal reader to exit")
 	}
 }
+
+func TestDebounceTerminalActivityCoalescesRapidInput(t *testing.T) {
+	var callbacks atomic.Int32
+	report := debounceTerminalActivity(50*time.Millisecond, func() {
+		callbacks.Add(1)
+	})
+
+	report()
+	report()
+	report()
+	if callbacks.Load() != 1 {
+		t.Fatalf("expected rapid calls to coalesce into one activity write, got %d", callbacks.Load())
+	}
+
+	time.Sleep(60 * time.Millisecond)
+	report()
+	if callbacks.Load() != 2 {
+		t.Fatalf("expected a second activity write after debounce window, got %d", callbacks.Load())
+	}
+}

helm/spritz/templates/api-deployment.yaml

@@ -209,6 +209,10 @@ spec:
             - name: SPRITZ_TERMINAL_ORIGINS
               value: {{ join "," .Values.api.terminal.origins | quote }}
             {{- end }}
+            {{- if .Values.api.terminal.activityDebounce }}
+            - name: SPRITZ_TERMINAL_ACTIVITY_DEBOUNCE
+              value: {{ .Values.api.terminal.activityDebounce | quote }}
+            {{- end }}
             {{- end }}
             - name: SPRITZ_ACP_ENABLED
               value: {{ .Values.acp.enabled | quote }}

helm/spritz/values.yaml

@@ -162,7 +162,7 @@ api:
         - scope
         - scopes
         - scp
-      defaultType: human
+      defaultType: service
   provisioners:
     defaultPresetId: ""
     allowedPresetIds: []
@@ -196,6 +196,7 @@ api:
     container: spritz
     command: "bash -l"
     origins: []
+    activityDebounce: 5s
   acp:
     origins: []
   sshGateway:

scripts/verify-helm.sh

@@ -85,8 +85,11 @@ expect_contains "${acp_network_policy_render}" "name: spritz-acp" "ACP network p
 expect_contains "${default_render}" 'resources: ["spritzes/status", "spritzconversations/status"]' "status RBAC for spritz conversations"
 expect_contains "${default_render}" "name: SPRITZ_AUTH_HEADER_TYPE" "principal type auth header wiring"
 expect_contains "${default_render}" "name: SPRITZ_AUTH_BEARER_SCOPES_PATHS" "bearer scope path wiring"
+expect_contains "${default_render}" "name: SPRITZ_AUTH_BEARER_DEFAULT_TYPE" "bearer default type wiring"
+expect_contains "${default_render}" "value: \"service\"" "service default bearer principal type in chart render"
 expect_contains "${default_render}" "name: SPRITZ_PROVISIONER_DEFAULT_IDLE_TTL" "default provisioner idle ttl wiring"
 expect_contains "${default_render}" "name: SPRITZ_PROVISIONER_DEFAULT_TTL" "default provisioner ttl wiring"
+expect_contains "${default_render}" "name: SPRITZ_TERMINAL_ACTIVITY_DEBOUNCE" "terminal activity debounce wiring"
 expect_contains "${default_render}" 'resources: ["configmaps"]' "configmap RBAC for idempotency reservations"
 
 expect_failure \