
Gate workspace sidecar definitions on first-run approval#9

Merged: CrypticSwarm merged 2 commits into master from tongs-phase-5-first-run-approval, Jun 17, 2026

Conversation

@CrypticSwarm

Owner

Summary

The host launcher discovers sidecar (tong) definitions across four layers. The
user, org, and Swarmforge-repo layers are installed deliberately and are
trusted, but the workspace layer is whatever repo you happened to clone. A
workspace definition can request secrets, host mounts, or docker-socket access,
so running the launcher inside a hostile repo must not silently grant those
privileges.

This adds a first-run approval gate. Before the anvil starts, each
workspace-sourced definition is shown as a privilege summary and the user is
asked to approve it; trusted layers and the no-definition case skip the gate
entirely, so a launch with no workspace definitions is byte-identical to a
direct docker run.

Changes

  • Gate workspace-sourced definitions in scripts/run_anvil.py:
    • Print a privilege summary — image, secret references, mounts, networks, and
      an explicit docker-socket callout — and prompt for approval on the host
      before the anvil starts.
    • Key approvals by workspace root + definition name + a hash of the merged
      definition, persisted to the user-layer approvals store, so any change to a
      definition re-prompts.
    • Fail closed: the scripted --no-prompt mode, a closed stdin, a decline, and
      a missing workspace path all refuse the launch rather than auto-approving,
      and the launcher does not exec the anvil.
    • Resolve the approvals store path from the user assets dir, matching the
      Makefile default so behavior is identical whether or not Make passes it.
  • Add --workspace, --approvals, and --no-prompt launcher options and route
    the parsed launcher options through a small LauncherOptions record.
  • Wire the run macro in the Makefile to pass the checkout root and the
    user-layer approvals store to the launcher.
  • Extend scripts/test_run_anvil.py with coverage for the privilege-summary
    rendering, the gate (accept/decline/EOF/already-approved/changed-definition/
    trusted-skip/missing-workspace), the fail-closed --no-prompt path end to end,
    the approvals-store default resolution, and the preserved passthrough invariant.
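As an added example, not the project's scripts/run_anvil.py, here is a minimal version of the gate the Changes list describes: approvals keyed by workspace root, definition name and a hash of the merged definition, persisted to a store, with the trusted-layer and zero-definition cases skipping the gate and every non-interactive path failing closed. The definition schema ({"layer", "name", "merged"}), the store layout (a JSON list of keys) and all function names are assumptions.

```python
# Added example, not the project's run_anvil.py; schema and store format are assumed.
import hashlib
import json
from pathlib import Path

TRUSTED_LAYERS = {"user", "org", "swarmforge"}
DOCKER_SOCKET = "/var/run/docker.sock"

def approval_key(workspace, name, merged):
    """Workspace root + definition name + SHA-256 of the canonical merged definition."""
    canon = json.dumps(merged, sort_keys=True, separators=(",", ":"))
    return f"{Path(workspace).resolve()}::{name}::{hashlib.sha256(canon.encode()).hexdigest()}"

def privilege_summary(name, merged):
    """Render what a workspace definition asks for, with an explicit docker-socket callout."""
    mounts = merged.get("mounts", [])
    lines = [f"workspace definition '{name}' requests:",
             f"  image:    {merged.get('image', '<none>')}",
             f"  secrets:  {', '.join(merged.get('secrets', [])) or 'none'}",
             f"  mounts:   {', '.join(mounts) or 'none'}",
             f"  networks: {', '.join(merged.get('networks', [])) or 'none'}"]
    if any(m.split(":", 1)[0] == DOCKER_SOCKET for m in mounts):
        lines.append("  !! mounts the docker socket: root-equivalent access to the host")
    return "\n".join(lines)

def gate(definitions, workspace, store_path, ask, no_prompt=False):
    """True only if every workspace definition is approved; `ask` raises EOFError on closed stdin."""
    store = set(json.loads(store_path.read_text())) if store_path.exists() else set()
    for d in definitions:
        if d["layer"] in TRUSTED_LAYERS:
            continue  # trusted layers (and the zero-definition case) never hit the gate
        if workspace is None:
            return False  # no workspace root to key the approval on: fail closed
        key = approval_key(workspace, d["name"], d["merged"])
        if key in store:
            continue  # identical definition approved on an earlier run
        if no_prompt:
            return False  # scripted mode cannot grant new privileges: fail closed
        print(privilege_summary(d["name"], d["merged"]))
        try:
            answer = ask("approve this definition? [y/N] ")
        except EOFError:
            return False  # closed stdin is a refusal, not an approval
        if answer.strip().lower() != "y":
            return False
        store.add(key)  # persist so an unchanged definition does not re-prompt
        store_path.parent.mkdir(parents=True, exist_ok=True)
        store_path.write_text(json.dumps(sorted(store)))
    return True
```

The caller execs the anvil only when `gate` returns True; every other outcome leaves the launcher short of the exec.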

The user, org, and Swarmforge-repo definition layers are installed
deliberately and are trusted, but the workspace layer is whatever repo
you happened to clone. A workspace tong can request secrets, host
mounts, or docker-socket access, so running the launcher in a hostile
repo must not silently hand it those privileges.

Before the anvil starts, gate every workspace-sourced tong: print a
privilege summary (image, secret references, mounts, networks, and an
explicit docker-socket callout) and ask the user to approve it.
Approval is keyed by workspace root + tong name + a hash of the merged
definition and persisted in the user-layer approvals store, so any
change to the definition re-prompts. The scripted --no-prompt mode and
a closed stdin both fail closed rather than auto-approving, and a
declined or unapproved tong stops the launch before exec.

Trusted-layer tongs and the zero-tong case skip the gate entirely, so a
launch with no workspace tongs is byte-identical to a direct docker run.

Wire the run macro to hand the launcher the checkout root and the
user-layer approvals store, so the approval gate can key workspace-tong
approvals by workspace and persist them where the user layer lives. The
store path mirrors the launcher's own default, so behavior is identical
whether or not Make passes it.
@CrypticSwarm CrypticSwarm merged commit ef168fe into master Jun 17, 2026
1 check passed
@CrypticSwarm CrypticSwarm deleted the tongs-phase-5-first-run-approval branch June 17, 2026 03:53