Gate workspace sidecar definitions on first-run approval #9
Merged
Conversation
The user, org, and Swarmforge-repo definition layers are installed deliberately and are trusted, but the workspace layer is whatever repo you happened to clone. A workspace tong can request secrets, host mounts, or docker-socket access, so running the launcher in a hostile repo must not silently hand it those privileges. Before the anvil starts, gate every workspace-sourced tong: print a privilege summary (image, secret references, mounts, networks, and an explicit docker-socket callout) and ask the user to approve it. Approval is keyed by workspace root + tong name + a hash of the merged definition and persisted in the user-layer approvals store, so any change to the definition re-prompts. The scripted --no-prompt mode and a closed stdin both fail closed rather than auto-approving, and a declined or unapproved tong stops the launch before exec. Trusted-layer tongs and the zero-tong case skip the gate entirely, so a launch with no workspace tongs is byte-identical to a direct docker run.
Wire the run macro to hand the launcher the checkout root and the user-layer approvals store, so the approval gate can key workspace-tong approvals by workspace and persist them where the user layer lives. The store path mirrors the launcher's own default, so behavior is identical whether or not Make passes it.
Summary
The host launcher discovers sidecar (tong) definitions across four layers. The
user, org, and Swarmforge-repo layers are installed deliberately and are
trusted, but the workspace layer is whatever repo you happened to clone. A
workspace definition can request secrets, host mounts, or docker-socket access,
so running the launcher inside a hostile repo must not silently grant those
privileges.
This adds a first-run approval gate. Before the anvil starts, each
workspace-sourced definition is shown as a privilege summary and the user is
asked to approve it; trusted layers and the no-definition case skip the gate
entirely, so a launch with no workspace definitions is byte-identical to a
direct `docker run`.
Changes
- `scripts/run_anvil.py`: an explicit docker-socket callout — and prompt for approval on the host before the anvil starts.
- definition, persisted to the user-layer approvals store, so any change to a definition re-prompts.
- `--no-prompt` mode, a closed stdin, a decline, and a missing workspace path all refuse the launch rather than auto-approving, and the launcher does not exec the anvil.
- Makefile default so behavior is identical whether or not Make passes it.
- `--workspace`, `--approvals`, and `--no-prompt` launcher options and route the parsed launcher options through a small `LauncherOptions` record.
- `Makefile` to pass the checkout root and the user-layer approvals store to the launcher.
- `scripts/test_run_anvil.py` with coverage for the privilege-summary rendering, the gate (accept/decline/EOF/already-approved/changed-definition/trusted-skip/missing-workspace), the fail-closed `--no-prompt` path end to end, the approvals-store default resolution, and the preserved passthrough invariant.
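The gate the PR description and commit message describe, written out as an added example that is not Swarmforge's own `scripts/run_anvil.py`: a `Tong` record with a layer tag, an approval key of workspace root + tong name + SHA-256 of the canonicalised merged definition, a JSON approvals store, a privilege summary with the docker-socket callout, and a gate where every non-approval path (no workspace root, `--no-prompt`, closed stdin, decline) returns `False`. The `Tong` dataclass, the definition dict shape (`image`, `secrets`, `mounts`, `networks`), the store's JSON format and the `run_gate`/`demo` helpers are assumptions made for the illustration; the scenario in `demo()` is constructed.

```python
"""Added example of a first-run approval gate for workspace-sourced sidecar
("tong") definitions. Names, definition shape and store format are assumed here
for illustration; this is not the Swarmforge launcher's own code."""
import hashlib
import io
import json
import tempfile
from dataclasses import dataclass
from pathlib import Path

DOCKER_SOCKET = "/var/run/docker.sock"


@dataclass
class Tong:
    name: str
    layer: str        # "user", "org", "swarmforge" (trusted) or "workspace" (gated)
    definition: dict  # merged definition, e.g. {"image": ..., "mounts": [...]}


def definition_hash(definition: dict) -> str:
    """Canonical JSON before hashing, so reordering keys cannot dodge a re-prompt."""
    canon = json.dumps(definition, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def approval_key(workspace_root: str, tong: Tong) -> str:
    """Approval is scoped to workspace root + tong name + hash of the merged definition.
    A real launcher should canonicalise workspace_root (resolve symlinks) first."""
    return f"{workspace_root}::{tong.name}::{definition_hash(tong.definition)}"


def requests_docker_socket(definition: dict) -> bool:
    # Mounts are assumed to be "host_path:container_path[:opts]"; check the host side.
    return any(m.split(":", 1)[0] == DOCKER_SOCKET for m in definition.get("mounts", []))


def render_privilege_summary(tong: Tong) -> str:
    d = tong.definition

    def fmt(items):
        return ", ".join(items) if items else "<none>"

    lines = [
        f"workspace tong '{tong.name}' requests:",
        f"  image:    {d.get('image', '<none>')}",
        f"  secrets:  {fmt(d.get('secrets', []))}",
        f"  mounts:   {fmt(d.get('mounts', []))}",
        f"  networks: {fmt(d.get('networks', []))}",
    ]
    if requests_docker_socket(d):
        lines.append("  !! mounts the docker socket: root-equivalent control of the host")
    return "\n".join(lines)


class ApprovalStore:
    """JSON list of approved keys on disk; path=None keeps approvals in memory only."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self._keys = set()
        if self.path and self.path.exists():
            self._keys = set(json.loads(self.path.read_text()))

    def is_approved(self, key: str) -> bool:
        return key in self._keys

    def approve(self, key: str) -> None:
        self._keys.add(key)
        if self.path:
            self.path.parent.mkdir(parents=True, exist_ok=True)
            self.path.write_text(json.dumps(sorted(self._keys)))


def gate_workspace_tongs(tongs, workspace_root, store, no_prompt, stdin, stdout) -> bool:
    """True only when every workspace tong is approved; every other path fails closed."""
    pending = [t for t in tongs if t.layer == "workspace"]
    if not pending:
        return True  # trusted layers only: the gate is skipped entirely
    if workspace_root is None:
        stdout.write("refusing: workspace tongs present but no workspace root given\n")
        return False
    for tong in pending:
        key = approval_key(workspace_root, tong)
        if store.is_approved(key):
            continue  # same workspace, name and definition as before: no prompt
        stdout.write(render_privilege_summary(tong) + "\n")
        if no_prompt:
            stdout.write("refusing: unapproved workspace tong in --no-prompt mode\n")
            return False
        stdout.write("approve? [y/N] ")
        answer = stdin.readline()
        if answer == "":  # closed stdin: EOF is not consent
            stdout.write("\nrefusing: stdin closed before approval\n")
            return False
        if answer.strip().lower() not in ("y", "yes"):
            stdout.write(f"refusing: '{tong.name}' declined\n")
            return False
        store.approve(key)
    return True


def run_gate(tongs, workspace_root, store, answers="", no_prompt=False):
    """Helper: drive the gate with scripted stdin; returns (allowed, transcript)."""
    out = io.StringIO()
    ok = gate_workspace_tongs(tongs, workspace_root, store, no_prompt, io.StringIO(answers), out)
    return ok, out.getvalue()


def demo():
    """Constructed scenario: approve once, relaunch silently, re-prompt after a change."""
    tong = Tong("builder", "workspace",
                {"image": "alpine:3.19", "mounts": [f"{DOCKER_SOCKET}:{DOCKER_SOCKET}"]})
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "approvals.json"
        first, _ = run_gate([tong], "/src/repo", ApprovalStore(path), answers="y\n")
        second, out2 = run_gate([tong], "/src/repo", ApprovalStore(path))  # reloaded from disk
        changed = Tong(tong.name, tong.layer, {**tong.definition, "secrets": ["GH_TOKEN"]})
        third, _ = run_gate([changed], "/src/repo", ApprovalStore(path))  # EOF: refused
        return {"first": first, "second": second,
                "second_prompted": "approve?" in out2, "third": third}


if __name__ == "__main__":
    print(demo())
```

The point to check in any implementation of this shape is that the gate has exactly one `True` exit, reached only after every workspace tong is either found in the store or approved interactively; `--no-prompt`, EOF and a decline all fall through to `False`, and the zero-workspace-tong case returns before anything is written, which is what keeps the trusted-only launch byte-identical to a direct `docker run`.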