feat: default to strict security mode, stop injecting sudo and --enable-host-access#45360
Conversation
- Change AWFDefaultCommand from 'sudo -E awf' to 'awf' (strict mode) - Add AWFLegacySecurityCommand for explicit legacy mode opt-in - Add LegacySecurity field to AgentSandboxConfig (frontmatter: legacy-security: enable) - GetAWFCommandPrefix() returns 'awf' by default, 'sudo -E awf' only for legacy - BuildAWFArgs() only emits --legacy-security, --enable-host-access, --allow-host-ports when LegacySecurity is true - Bump DefaultFirewallVersion to v0.27.32 (requires --legacy-security flag) - Update all test assertions for new default behavior - Update golden files for strict-mode output Note: Container pin tests will fail until 'make build && make recompile && make recompile' is run with registry access to resolve v0.27.32 SHA digests. Closes #45344 Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
There was a problem hiding this comment.
Pull request overview
Updates the compiler for AWF v0.27.32’s strict-security default and introduces legacy-security opt-in behavior.
Changes:
- Removes sudo and host-access flags from default AWF execution.
- Adds
legacy-security: enablehandling and legacy command arguments. - Bumps AWF to v0.27.32 and refreshes tests/golden outputs.
Show a summary per file
| File | Description |
|---|---|
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden |
Updates AWF fixture version. |
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden |
Updates AWF fixture version. |
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden |
Updates AWF fixture version. |
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden |
Updates AWF fixture version. |
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden |
Updates Pi AWF output. |
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden |
Updates Gemini AWF output. |
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden |
Updates Copilot AWF output. |
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden |
Updates Codex AWF output. |
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden |
Updates Claude AWF output. |
pkg/workflow/sandbox.go |
Adds legacy-security state. |
pkg/workflow/sandbox_mounts_test.go |
Updates AWF command assertions. |
pkg/workflow/gh_cli_mount_test.go |
Updates AWF command assertions. |
pkg/workflow/frontmatter_extraction_security.go |
Extracts legacy-security configuration. |
pkg/workflow/firewall_workflow_test.go |
Updates firewall command assertion. |
pkg/workflow/firewall_args_test.go |
Updates firewall argument assertions. |
pkg/workflow/compiled_lock_files_test.go |
Updates compiled-command assertion. |
pkg/workflow/claude_engine_network_test.go |
Updates Claude network assertions. |
pkg/workflow/awf_helpers.go |
Implements strict and legacy command behavior. |
pkg/workflow/awf_helpers_test.go |
Tests strict and legacy behavior. |
pkg/workflow/awf_config.go |
Documents unconditional API proxy behavior. |
pkg/workflow/awf_config_test.go |
Updates generated-command assertions. |
pkg/workflow/agentic_output_test.go |
Updates AWF wrapper assertions. |
pkg/constants/version_constants.go |
Bumps AWF and adds compatibility boundary. |
pkg/constants/spec_test.go |
Updates documented default-command test. |
pkg/constants/constants.go |
Defines strict and legacy commands. |
pkg/constants/constants_test.go |
Updates constant expectations. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 26/26 changed files
- Comments generated: 3
- Review effort level: Medium
1. Schema: Add legacy-security field (enum: ['enable']) to sandbox.agent object in main_workflow_schema.json so frontmatter passes validation. 2. Service ports: Gate --allow-host-service-ports on LegacySecurity mode. Strict mode no longer emits host-access flags for service ports. 3. Version guard: Only emit --legacy-security flag when AWF version >= v0.27.32. Older AWF versions default to legacy mode and don't recognize the flag. --enable-host-access is still emitted for backward compat with older AWF. 4. Tests: Full-compilation tests validating legacy-security: enable passes schema validation and produces expected output. Unit tests for version guard and service port gating. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
|
Run: https://github.com/github/gh-aw/actions/runs/29303664684
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Addressed in Local checks rerun:
I also recompiled |
|
@copilot revert all .lock.yml updates to main |
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Addressed in I reverted the incidental |
|
|
No additional code changes were needed; the unresolved review items are already addressed on this branch in Reran local validation:
Branch is already up to date with |
|
@copilot please run the
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
…compiler # Conflicts: # .github/workflows/daily-multi-device-docs-tester.lock.yml # .github/workflows/dependabot-repair.lock.yml # .github/workflows/impeccable-skills-reviewer.lock.yml # .github/workflows/mattpocock-skills-reviewer.lock.yml # .github/workflows/pr-code-quality-reviewer.lock.yml # .github/workflows/pr-sous-chef.lock.yml # .github/workflows/semantic-function-refactor.lock.yml # .github/workflows/sighthound-security-scan.lock.yml # .github/workflows/smoke-copilot.lock.yml # .github/workflows/smoke-crush.lock.yml # .github/workflows/smoke-opencode.lock.yml Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Addressed in
Local validation on the updated head:
CI on this pushed head is still unverified until a maintainer re-triggers it, since agent pushes do not start workflows. |
|
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ |
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test Results
Overall status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment.
|
There was a problem hiding this comment.
Smoke review done.
📰 BREAKING: Report filed by Smoke Copilot · 89.1 AIC · ⌖ 3.78 AIC · ⊞ 19K
Comment /smoke-copilot to run again
Add label smoke to run again
|
PRs:
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment.
|
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude · 98.8 AIC · ⌖ 14 AIC · ⊞ 8.4K
Comment /smoke-claude to run again
| "digest": "sha256:58fee05c1c54ba5ca1e7056b3aaea30281841d5899093002e2c650710c50540f", | ||
| "pinned_image": "ghcr.io/github/gh-aw-firewall/agent-act:0.27.31@sha256:58fee05c1c54ba5ca1e7056b3aaea30281841d5899093002e2c650710c50540f" | ||
| }, | ||
| "ghcr.io/github/gh-aw-firewall/agent-act:0.27.34": { |
There was a problem hiding this comment.
Smoke test review: new pinned image entry looks correctly formatted with digest.
There was a problem hiding this comment.
Confirmed on the current head (1d8c322): no change was needed here; the pinned image entry remains correctly formatted with its digest.
| "digest": "sha256:84d861cb6da723ac10b7a00dddf778be681b8cd74b2091f18ce1d67fe4b3e7a1", | ||
| "pinned_image": "ghcr.io/github/gh-aw-firewall/agent:0.27.31@sha256:84d861cb6da723ac10b7a00dddf778be681b8cd74b2091f18ce1d67fe4b3e7a1" | ||
| }, | ||
| "ghcr.io/github/gh-aw-firewall/agent:0.27.34": { |
There was a problem hiding this comment.
Smoke test review: agent image version bump entry is consistent with the firewall entry above.
There was a problem hiding this comment.
Confirmed on the current head (1d8c322): no change was needed here; the agent image version bump remains aligned with the firewall entry.
|
@copilot please run the
|
|
@copilot bump the awf/firewall container versions to https://github.com/github/gh-aw-firewall/releases/tag/v0.27.35 |
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Addressed in |
Overview
This PR changes the default AWF execution mode from legacy security to strict security. Compiled workflows now default to running
awfrootlessly without injected host-access flags. Legacy behavior remains available as an explicit opt-in through workflow frontmatter.What changed
sudo -E awftoawfAWFLegacySecurityCommand = "sudo -E awf"AWFLegacySecurityMinVersion = "v0.27.32"for--legacy-securitysupportsandbox.agent.legacy-securityto the workflow schema as a string enum with supported value"enable"legacy-security: enablefromsandbox.agentintoAgentSandboxConfig.LegacySecurityLegacySecurity booltoAgentSandboxConfigsudo -E awfonly in legacy mode; strict mode skips all host-access flags--legacy-security(requires AWF >= v0.27.32)apiProxy.enabledemission for backward compatibility;--enable-api-proxyis deprecated in AWF v0.27.32+smoke-service-ports.mdandtest-service-ports.mdinto legacy security because service-port forwarding requires host access0.27.31to0.27.35Key details
sandbox.agent.legacy-securityis omittedGetAWFCommandPrefixselectsawf(strict) orsudo -E awf(legacy)BuildAWFArgsemits--legacy-security,--enable-host-access,--allow-host-portsonly in legacy mode, with version gating for--legacy-securityBuildAWFCommandgates--allow-host-service-portson legacy modeBreaking/migration notes
Workflows that previously relied on implicit
sudo, host access, or host service ports now run in strict mode by default.To opt into legacy security: