Skip to content

fix: enforce agent session safety contracts#104

Open
andrei-hasna wants to merge 6 commits into
mainfrom
fix/agent-safety-contract-7ec3b0fb
Open

fix: enforce agent session safety contracts#104
andrei-hasna wants to merge 6 commits into
mainfrom
fix/agent-safety-contract-7ec3b0fb

Conversation

@andrei-hasna

Copy link
Copy Markdown
Contributor

Summary

  • persist an explicit agent-session safety contract, reason, enforcement mode, sandbox, routing context, and break-glass state
  • require both manualBreakGlass=true and a non-empty safety reason for relaxed Codewith/Codex and Cursor sandboxes
  • expose the contract through stdin prompts, execution environment metadata, and claim-fenced workflow audit events
  • keep tool and command restrictions honest: they are advisory metadata only and are explicitly marked providerEnforced=false
  • preserve provider argv/env behavior, tenant/auth route policy, runner claim fencing, and non-root execution boundaries

Task evidence

  • Todos task: 7ec3b0fb-fcff-4895-bf3f-cd45c2e927fb
  • Parent task: 06ed0e1d-3899-4c25-a57b-a954432018d5
  • Exact baseline: b9bc058bc208b27a449f8b368c9b524342c6e5a0

Validation

  • bun test: 861 passed, 26 expected live-Postgres skips, 0 failed; 887 tests, 11 snapshots
  • bun run typecheck: passed
  • bun run build: passed
  • bun run test:boundary: passed
  • bun run check:contracts: passed
  • git diff --cached --check: passed before commit
  • staged Gitleaks scan: no leaks
  • commit-range Gitleaks scan: 1 commit scanned, no leaks
  • adversarial self-review: reconciled; no landing blocker found

Safety and scope

No provider, deployment, database, release, payment, or credential mutations were performed. This PR only pushes the task feature branch and does not merge it.

@andrei-hasna
andrei-hasna marked this pull request as draft July 17, 2026 11:23
@andrei-hasna

Copy link
Copy Markdown
Contributor Author

Adversarial exact-head review: NO-GO despite green CI. Required P1 fixes before re-review: (1) reject provider-managed/security-sensitive extraArgs overrides, including split and --flag=value forms; (2) include Claude/Cursor/AICopilot/OpenCode bypass modes in break-glass + non-empty safetyReason + persisted contract enforcement; (3) fix route-policy validation so safetyReason is a non-empty string rather than boolean true; (4) derive/validate runner agent_session_contract server-side and reject command-step, mismatch, duplicate, or fabricated events; (5) define fail-closed compatibility/migration behavior for pre-change stored records and older clients. P2: correct OpenAPI/docs typed guidance and direct-loop versus workflow-event claims. Remediation is currently blocked by @hasna/hooks worktree-guard v0.1.0 rejecting mandatory apply_patch inside valid ~/.hasna managed leases; tracked in Todos 57d2d144-6ae7-425a-9981-e848a41f803c. Do not merge until a new exact head passes two fresh independent reviews.

@andrei-hasna

Copy link
Copy Markdown
Contributor Author

Remediation pushed at exact head de50226. This closes the prior P1 contract findings: protected provider-managed execution options including split/equal/attached aliases; consistent manual break-glass plus non-empty reason handling; server-derived and atomically deduplicated workflow contract events; fail-closed legacy-run backfill and recovery; public typed event validation across source/OpenAPI/SDK; and corrected route defaults/docs. Evidence: stable full suite 872 pass, 27 expected opt-in live-Postgres skips, 0 fail before the final parser-only delta; post-delta focused 49/0; independent final verifier 70/0 and GO; typecheck, build/declarations, boundary, storage contracts, SDK generation, diff, Gitleaks, high-confidence credential, and CoAuth scans clean. A real two-connection PostgreSQL race regression is included in the opt-in suite and will be exercised by hosted PostgreSQL CI. Keep draft until exact-head hosted checks complete; no merge/publish/deploy/install performed.

@andrei-hasna

Copy link
Copy Markdown
Contributor Author

Exact-head hosted CI is green (Ubuntu, macOS, PostgreSQL including the two-connection race regression, runner image), but the second independent readiness review is NO-GO. Remaining corrective scope: complete the documented protected-option aliases; prevent legacy idempotent runs from deriving contracts from a mutable current workflow definition; make new-run creation plus complete contract persistence atomic; and require explicit break-glass evidence on the route-policy-evidence path. PR remains draft. No merge/publish/deploy/install.

@andrei-hasna

Copy link
Copy Markdown
Contributor Author

Corrective commit pushed at exact head 800e307. It resolves the second readiness NO-GO: complete evidenced provider aliases, explicit manual-break-glass route evidence, immutable workflow-definition provenance, atomic run+contract creation, legacy/mutated/corrupt retry conflicts, PostgreSQL concurrent first-create winner handling, and rollback after a prior contract insert. Evidence: 177 focused pass/28 opt-in live-Postgres skips/0 fail; typecheck/build/SDK/contracts/boundary/diff/credential scans green; fresh adversarial GO with no P0/P1/P3. PR remains draft until all exact-head hosted checks, especially PostgreSQL, pass.

@andrei-hasna
andrei-hasna marked this pull request as ready for review July 18, 2026 07:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant