Skip to content

feat: default to strict security mode, stop injecting sudo and --enable-host-access#45360

Merged
lpcox merged 24 commits into
mainfrom
feat/legacy-security-compiler
Jul 16, 2026
Merged

feat: default to strict security mode, stop injecting sudo and --enable-host-access#45360
lpcox merged 24 commits into
mainfrom
feat/legacy-security-compiler

Conversation

@lpcox

@lpcox lpcox commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Overview

This PR changes the default AWF execution mode from legacy security to strict security. Compiled workflows now default to running awf rootlessly without injected host-access flags. Legacy behavior remains available as an explicit opt-in through workflow frontmatter.

What changed

  • Changed the default AWF command from sudo -E awf to awf
  • Added AWFLegacySecurityCommand = "sudo -E awf"
  • Added AWFLegacySecurityMinVersion = "v0.27.32" for --legacy-security support
  • Added sandbox.agent.legacy-security to the workflow schema as a string enum with supported value "enable"
  • Parsed legacy-security: enable from sandbox.agent into AgentSandboxConfig.LegacySecurity
  • Added LegacySecurity bool to AgentSandboxConfig
  • Updated AWF command generation to use sudo -E awf only in legacy mode; strict mode skips all host-access flags
  • Added an AWF version guard for --legacy-security (requires AWF >= v0.27.32)
  • Kept apiProxy.enabled emission for backward compatibility; --enable-api-proxy is deprecated in AWF v0.27.32+
  • Opted smoke-service-ports.md and test-service-ports.md into legacy security because service-port forwarding requires host access
  • Updated compiled lock files and golden files; AWF image bumped from 0.27.31 to 0.27.35

Key details

  • Default is strict security when sandbox.agent.legacy-security is omitted
  • GetAWFCommandPrefix selects awf (strict) or sudo -E awf (legacy)
  • BuildAWFArgs emits --legacy-security, --enable-host-access, --allow-host-ports only in legacy mode, with version gating for --legacy-security
  • BuildAWFCommand gates --allow-host-service-ports on legacy mode
  • Tests cover version gating, service-port behavior, frontmatter extraction, and end-to-end compilation in both modes

Breaking/migration notes

Workflows that previously relied on implicit sudo, host access, or host service ports now run in strict mode by default.

To opt into legacy security:

sandbox:
  agent:
    id: awf
    legacy-security: enable

Generated by PR Description Updater for #45360 · 82.7 AIC · ⌖ 4.49 AIC · ⊞ 4.7K ·

- Change AWFDefaultCommand from 'sudo -E awf' to 'awf' (strict mode)
- Add AWFLegacySecurityCommand for explicit legacy mode opt-in
- Add LegacySecurity field to AgentSandboxConfig (frontmatter: legacy-security: enable)
- GetAWFCommandPrefix() returns 'awf' by default, 'sudo -E awf' only for legacy
- BuildAWFArgs() only emits --legacy-security, --enable-host-access, --allow-host-ports
  when LegacySecurity is true
- Bump DefaultFirewallVersion to v0.27.32 (requires --legacy-security flag)
- Update all test assertions for new default behavior
- Update golden files for strict-mode output

Note: Container pin tests will fail until 'make build && make recompile && make recompile'
is run with registry access to resolve v0.27.32 SHA digests.

Closes #45344

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
Copilot AI review requested due to automatic review settings July 14, 2026 02:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the compiler for AWF v0.27.32’s strict-security default and introduces legacy-security opt-in behavior.

Changes:

  • Removes sudo and host-access flags from default AWF execution.
  • Adds legacy-security: enable handling and legacy command arguments.
  • Bumps AWF to v0.27.32 and refreshes tests/golden outputs.
Show a summary per file
File Description
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden Updates Pi AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden Updates Gemini AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden Updates Copilot AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden Updates Codex AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden Updates Claude AWF output.
pkg/workflow/sandbox.go Adds legacy-security state.
pkg/workflow/sandbox_mounts_test.go Updates AWF command assertions.
pkg/workflow/gh_cli_mount_test.go Updates AWF command assertions.
pkg/workflow/frontmatter_extraction_security.go Extracts legacy-security configuration.
pkg/workflow/firewall_workflow_test.go Updates firewall command assertion.
pkg/workflow/firewall_args_test.go Updates firewall argument assertions.
pkg/workflow/compiled_lock_files_test.go Updates compiled-command assertion.
pkg/workflow/claude_engine_network_test.go Updates Claude network assertions.
pkg/workflow/awf_helpers.go Implements strict and legacy command behavior.
pkg/workflow/awf_helpers_test.go Tests strict and legacy behavior.
pkg/workflow/awf_config.go Documents unconditional API proxy behavior.
pkg/workflow/awf_config_test.go Updates generated-command assertions.
pkg/workflow/agentic_output_test.go Updates AWF wrapper assertions.
pkg/constants/version_constants.go Bumps AWF and adds compatibility boundary.
pkg/constants/spec_test.go Updates documented default-command test.
pkg/constants/constants.go Defines strict and legacy commands.
pkg/constants/constants_test.go Updates constant expectations.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 26/26 changed files
  • Comments generated: 3
  • Review effort level: Medium

Comment thread pkg/workflow/frontmatter_extraction_security.go
Comment thread pkg/workflow/awf_helpers.go
Comment thread pkg/workflow/awf_helpers.go Outdated
1. Schema: Add legacy-security field (enum: ['enable']) to sandbox.agent
   object in main_workflow_schema.json so frontmatter passes validation.

2. Service ports: Gate --allow-host-service-ports on LegacySecurity mode.
   Strict mode no longer emits host-access flags for service ports.

3. Version guard: Only emit --legacy-security flag when AWF version >= v0.27.32.
   Older AWF versions default to legacy mode and don't recognize the flag.
   --enable-host-access is still emitted for backward compat with older AWF.

4. Tests: Full-compilation tests validating legacy-security: enable passes
   schema validation and produces expected output. Unit tests for version
   guard and service port gating.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

Copilot AI and others added 2 commits July 14, 2026 03:44
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

pr-sous-chef
@copilot please run the pr-finisher skill, address these unresolved review comments, and rerun checks once finished:

Addressed in a29dcc3.

Local checks rerun:

  • make fmt
  • make lint
  • go test -tags=integration ./pkg/cli -run 'TestCompileServicePorts'
  • go test ./pkg/workflow -run 'TestBuildAWFCommand_ServicePortsRequireLegacy|TestCompileWorkflow_LegacySecurityFromFrontmatter|TestCompileWorkflow_StrictSecurityDefault'
  • make test-unit / make test still hit the pre-existing AWF v0.27.32 pinning failures already noted in the PR description (TestBuildAWFImageTagWithDigests, TestCompileWorkflow_FirewallImagesPinnedForDefaultVersion, TestCompileWorkflow_BuildToolsImagePinnedForArcDind, TestApplyContainerPins_DefaultFirewallVersion).

I also recompiled .github/workflows/smoke-service-ports.md; CI on this new HEAD still needs a maintainer-triggered rerun because agent pushes do not start workflows.

Copilot AI requested a review from gh-aw-bot July 14, 2026 03:57
@lpcox

lpcox commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator Author

@copilot revert all .lock.yml updates to main

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@copilot revert all .lock.yml updates to main

Addressed in 8c420f9.

I reverted the incidental .lock.yml churn back to the pre-change/main state. I kept .github/workflows/smoke-service-ports.lock.yml aligned with its updated .md source, because reverting that one also reintroduces the lockfile hash-consistency failure.

Copilot finished work on behalf of lpcox July 14, 2026 04:41
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

pr-sous-chef
@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 12.8 AIC · ⌖ 5.92 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

pr-sous-chef
@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.
...

No additional code changes were needed; the unresolved review items are already addressed on this branch in 946e5aa and a29dcc3, and I replied on each review thread.

Reran local validation:

  • make fmt
  • make lint
  • go test ./pkg/workflow -run 'TestBuildAWFArgs_LegacySecurityVersionGuard|TestBuildAWFCommand_ServicePortsRequireLegacy|TestCompileWorkflow_LegacySecurityFromFrontmatter|TestCompileWorkflow_StrictSecurityDefault'
  • go test -tags=integration ./pkg/cli -run 'TestCompileServicePorts'
  • make test ❌ still hits the known AWF v0.27.32 pinning failures already called out in the PR (TestBuildAWFImageTagWithDigests, TestCompileWorkflow_FirewallImagesPinnedForDefaultVersion, TestCompileWorkflow_BuildToolsImagePinnedForArcDind, TestApplyContainerPins_DefaultFirewallVersion).

Branch is already up to date with main; CI on this HEAD still needs a maintainer-triggered rerun because agent pushes do not start workflows.

Comment thread .github/workflows/smoke-service-ports.md
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address unresolved review feedback, refresh this branch for the latest base branch state if needed, and rerun checks when complete.

Generated by 👨‍🍳 PR Sous Chef · 7.67 AIC · ⌖ 5.51 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Copilot AI and others added 3 commits July 14, 2026 18:58
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
…compiler

# Conflicts:
#	.github/workflows/daily-multi-device-docs-tester.lock.yml
#	.github/workflows/dependabot-repair.lock.yml
#	.github/workflows/impeccable-skills-reviewer.lock.yml
#	.github/workflows/mattpocock-skills-reviewer.lock.yml
#	.github/workflows/pr-code-quality-reviewer.lock.yml
#	.github/workflows/pr-sous-chef.lock.yml
#	.github/workflows/semantic-function-refactor.lock.yml
#	.github/workflows/sighthound-security-scan.lock.yml
#	.github/workflows/smoke-copilot.lock.yml
#	.github/workflows/smoke-crush.lock.yml
#	.github/workflows/smoke-opencode.lock.yml

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@copilot please run the pr-finisher skill, address unresolved review feedback, refresh this branch for the latest base branch state if needed, and rerun checks when complete.

...

Addressed in 3965642 and 3ce6ce6.

  • Refreshed the branch from main and resolved the generated .lock.yml merge conflicts by taking the current main versions.
  • Fixed the merged-head unit failure in pkg/workflow/behavior_defined_engine_harness_test.go by asserting on strict-mode AWF invocation (awf --config) instead of sudo.

Local validation on the updated head:

  • make fmt
  • make lint
  • go test ./pkg/workflow -run 'TestBehaviorDefinedEngineHarnessScript'
  • make test-unit ❌ only the known AWF v0.27.32 pinning failures remain (TestBuildAWFImageTagWithDigests, TestCompileWorkflow_FirewallImagesPinnedForDefaultVersion, TestCompileWorkflow_BuildToolsImagePinnedForArcDind, TestApplyContainerPins_DefaultFirewallVersion)
  • make test ❌ same known pinning failures
  • make agent-report-progress ❌ same known pinning failures

CI on this pushed head is still unverified until a maintainer re-triggers it, since agent pushes do not start workflows.

@github-actions

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

@github-actions

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

@github-actions

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

@github-actions

Copy link
Copy Markdown
Contributor

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.54.0
jq 1.7
yq v4.53.3
curl 8.5.0
gh 2.96.0
node v20.20.2
python3 3.11.15 (PyPy 7.3.23)
go 1.24.13
java 10.0.301
dotnet 10.0.301

Result: 12/12 tools available ✅

Overall Status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔧 Tool validation by Agent Container Smoke Test · 12.3 AIC · ⌖ 7.84 AIC · ⊞ 4.5K ·
Comment /smoke-test-tools to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • GitHub MCP Testing: ✅
  • Web Fetch Testing: ✅
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅
  • Build gh-aw: ❌

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

Smoke Gemini — Powered by Gemini · 6.54 AIC · ⌖ 6.3 AIC · ⊞ 9.3K ·
Comment /smoke-gemini to run again

@github-actions

Copy link
Copy Markdown
Contributor

Comment Memory

Night bot taps cold keys
Tiny tests drum in cave mist
Green sparks chase sunrise

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

📰 BREAKING: Report filed by Smoke Copilot · 89.1 AIC · ⌖ 3.78 AIC · ⊞ 19K ·
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke review done.

📰 BREAKING: Report filed by Smoke Copilot · 89.1 AIC · ⌖ 3.78 AIC · ⊞ 19K
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions

Copy link
Copy Markdown
Contributor

PRs:

🔮 The oracle has spoken through Smoke Codex · 13.3 AIC · ⌖ 1.7 AIC · ⊞ 10.3K ·
Comment /smoke-codex to run again

@github-actions

Copy link
Copy Markdown
Contributor

Comment Memory

Moonlit cache drifts
Steel scripts hum through quiet checks
Smoke clears, logs stay warm

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

🔮 The oracle has spoken through Smoke Codex · 13.3 AIC · ⌖ 1.7 AIC · ⊞ 10.3K ·
Comment /smoke-codex to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude · 98.8 AIC · ⌖ 14 AIC · ⊞ 8.4K
Comment /smoke-claude to run again

"digest": "sha256:58fee05c1c54ba5ca1e7056b3aaea30281841d5899093002e2c650710c50540f",
"pinned_image": "ghcr.io/github/gh-aw-firewall/agent-act:0.27.31@sha256:58fee05c1c54ba5ca1e7056b3aaea30281841d5899093002e2c650710c50540f"
},
"ghcr.io/github/gh-aw-firewall/agent-act:0.27.34": {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke test review: new pinned image entry looks correctly formatted with digest.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed on the current head (1d8c322): no change was needed here; the pinned image entry remains correctly formatted with its digest.

"digest": "sha256:84d861cb6da723ac10b7a00dddf778be681b8cd74b2091f18ce1d67fe4b3e7a1",
"pinned_image": "ghcr.io/github/gh-aw-firewall/agent:0.27.31@sha256:84d861cb6da723ac10b7a00dddf778be681b8cd74b2091f18ce1d67fe4b3e7a1"
},
"ghcr.io/github/gh-aw-firewall/agent:0.27.34": {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke test review: agent image version bump entry is consistent with the firewall entry above.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed on the current head (1d8c322): no change was needed here; the agent image version bump remains aligned with the firewall entry.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address any unresolved review feedback, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 3.47 AIC · ⌖ 11.2 AIC · ⊞ 5.1K ·
Comment /souschef to run again

@lpcox

lpcox commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator Author

@copilot bump the awf/firewall container versions to https://github.com/github/gh-aw-firewall/releases/tag/v0.27.35

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@copilot bump the awf/firewall container versions to https://github.com/github/gh-aw-firewall/releases/tag/v0.27.35

Addressed in 1c81bc4.

Copilot finished work on behalf of lpcox July 16, 2026 04:07
@lpcox lpcox merged commit 1ac664c into main Jul 16, 2026
29 checks passed
@lpcox lpcox deleted the feat/legacy-security-compiler branch July 16, 2026 04:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants