Skip to content

feat: default to strict security mode, stop injecting sudo and --enable-host-access#45360

Open
lpcox wants to merge 10 commits into
mainfrom
feat/legacy-security-compiler
Open

feat: default to strict security mode, stop injecting sudo and --enable-host-access#45360
lpcox wants to merge 10 commits into
mainfrom
feat/legacy-security-compiler

Conversation

@lpcox

@lpcox lpcox commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Summary

Implements the compiler-side changes for the strict security mode migration. The AWF firewall CLI (v0.27.32) now defaults to strict mode and this PR updates the compiler to match.

Changes

  • Default command: AWFDefaultCommand changed from sudo -E awf to awf
  • Legacy opt-in: Added AWFLegacySecurityCommand = "sudo -E awf" for workflows that explicitly need legacy mode
  • Frontmatter support: legacy-security: enable in workflow frontmatter opts into legacy behavior
  • BuildAWFArgs(): Only emits --legacy-security, --enable-host-access, --allow-host-ports when LegacySecurity is true
  • Version bump: DefaultFirewallVersion → v0.27.32 (the first release with --legacy-security flag)

Companion PR

Migration

Existing workflows continue to work unchanged (strict mode is the secure default). Workflows that need legacy behavior must add legacy-security: enable to their frontmatter.

Note on CI

Container pin tests (TestApplyContainerPins_DefaultFirewallVersion, etc.) will fail until make build && make recompile && make recompile is run with registry access to resolve v0.27.32 SHA digests. Lock files also need regeneration.

Closes #45344


Generated by 👨‍🍳 PR Sous Chef · 12.8 AIC · ⌖ 5.92 AIC · ⊞ 7.5K ·
Comment /souschef to run again

- Change AWFDefaultCommand from 'sudo -E awf' to 'awf' (strict mode)
- Add AWFLegacySecurityCommand for explicit legacy mode opt-in
- Add LegacySecurity field to AgentSandboxConfig (frontmatter: legacy-security: enable)
- GetAWFCommandPrefix() returns 'awf' by default, 'sudo -E awf' only for legacy
- BuildAWFArgs() only emits --legacy-security, --enable-host-access, --allow-host-ports
  when LegacySecurity is true
- Bump DefaultFirewallVersion to v0.27.32 (requires --legacy-security flag)
- Update all test assertions for new default behavior
- Update golden files for strict-mode output

Note: Container pin tests will fail until 'make build && make recompile && make recompile'
is run with registry access to resolve v0.27.32 SHA digests.

Closes #45344

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
Copilot AI review requested due to automatic review settings July 14, 2026 02:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the compiler for AWF v0.27.32’s strict-security default and introduces legacy-security opt-in behavior.

Changes:

  • Removes sudo and host-access flags from default AWF execution.
  • Adds legacy-security: enable handling and legacy command arguments.
  • Bumps AWF to v0.27.32 and refreshes tests/golden outputs.
Show a summary per file
File Description
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden Updates Pi AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden Updates Gemini AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden Updates Copilot AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden Updates Codex AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden Updates Claude AWF output.
pkg/workflow/sandbox.go Adds legacy-security state.
pkg/workflow/sandbox_mounts_test.go Updates AWF command assertions.
pkg/workflow/gh_cli_mount_test.go Updates AWF command assertions.
pkg/workflow/frontmatter_extraction_security.go Extracts legacy-security configuration.
pkg/workflow/firewall_workflow_test.go Updates firewall command assertion.
pkg/workflow/firewall_args_test.go Updates firewall argument assertions.
pkg/workflow/compiled_lock_files_test.go Updates compiled-command assertion.
pkg/workflow/claude_engine_network_test.go Updates Claude network assertions.
pkg/workflow/awf_helpers.go Implements strict and legacy command behavior.
pkg/workflow/awf_helpers_test.go Tests strict and legacy behavior.
pkg/workflow/awf_config.go Documents unconditional API proxy behavior.
pkg/workflow/awf_config_test.go Updates generated-command assertions.
pkg/workflow/agentic_output_test.go Updates AWF wrapper assertions.
pkg/constants/version_constants.go Bumps AWF and adds compatibility boundary.
pkg/constants/spec_test.go Updates documented default-command test.
pkg/constants/constants.go Defines strict and legacy commands.
pkg/constants/constants_test.go Updates constant expectations.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 26/26 changed files
  • Comments generated: 3
  • Review effort level: Medium

Comment thread pkg/workflow/frontmatter_extraction_security.go
Comment thread pkg/workflow/awf_helpers.go
Comment thread pkg/workflow/awf_helpers.go Outdated
1. Schema: Add legacy-security field (enum: ['enable']) to sandbox.agent
   object in main_workflow_schema.json so frontmatter passes validation.

2. Service ports: Gate --allow-host-service-ports on LegacySecurity mode.
   Strict mode no longer emits host-access flags for service ports.

3. Version guard: Only emit --legacy-security flag when AWF version >= v0.27.32.
   Older AWF versions default to legacy mode and don't recognize the flag.
   --enable-host-access is still emitted for backward compat with older AWF.

4. Tests: Full-compilation tests validating legacy-security: enable passes
   schema validation and produces expected output. Unit tests for version
   guard and service port gating.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

Copilot AI and others added 2 commits July 14, 2026 03:44
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

pr-sous-chef
@copilot please run the pr-finisher skill, address these unresolved review comments, and rerun checks once finished:

Addressed in a29dcc3.

Local checks rerun:

  • make fmt
  • make lint
  • go test -tags=integration ./pkg/cli -run 'TestCompileServicePorts'
  • go test ./pkg/workflow -run 'TestBuildAWFCommand_ServicePortsRequireLegacy|TestCompileWorkflow_LegacySecurityFromFrontmatter|TestCompileWorkflow_StrictSecurityDefault'
  • make test-unit / make test still hit the pre-existing AWF v0.27.32 pinning failures already noted in the PR description (TestBuildAWFImageTagWithDigests, TestCompileWorkflow_FirewallImagesPinnedForDefaultVersion, TestCompileWorkflow_BuildToolsImagePinnedForArcDind, TestApplyContainerPins_DefaultFirewallVersion).

I also recompiled .github/workflows/smoke-service-ports.md; CI on this new HEAD still needs a maintainer-triggered rerun because agent pushes do not start workflows.

Copilot AI requested a review from gh-aw-bot July 14, 2026 03:57
@lpcox

lpcox commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator Author

@copilot revert all .lock.yml updates to main

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@copilot revert all .lock.yml updates to main

Addressed in 8c420f9.

I reverted the incidental .lock.yml churn back to the pre-change/main state. I kept .github/workflows/smoke-service-ports.lock.yml aligned with its updated .md source, because reverting that one also reintroduces the lockfile hash-consistency failure.

Copilot finished work on behalf of lpcox July 14, 2026 04:41
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

pr-sous-chef
@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 12.8 AIC · ⌖ 5.92 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

pr-sous-chef
@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.
...

No additional code changes were needed; the unresolved review items are already addressed on this branch in 946e5aa and a29dcc3, and I replied on each review thread.

Reran local validation:

  • make fmt
  • make lint
  • go test ./pkg/workflow -run 'TestBuildAWFArgs_LegacySecurityVersionGuard|TestBuildAWFCommand_ServicePortsRequireLegacy|TestCompileWorkflow_LegacySecurityFromFrontmatter|TestCompileWorkflow_StrictSecurityDefault'
  • go test -tags=integration ./pkg/cli -run 'TestCompileServicePorts'
  • make test ❌ still hits the known AWF v0.27.32 pinning failures already called out in the PR (TestBuildAWFImageTagWithDigests, TestCompileWorkflow_FirewallImagesPinnedForDefaultVersion, TestCompileWorkflow_BuildToolsImagePinnedForArcDind, TestApplyContainerPins_DefaultFirewallVersion).

Branch is already up to date with main; CI on this HEAD still needs a maintainer-triggered rerun because agent pushes do not start workflows.

strict: true
sandbox:
agent:
legacy-security: enable

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lpcox don't we have a "sudo" mode already?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes — this is using the existing sudo/host-access path. legacy-security: enable is the workflow-side opt-in that selects sudo -E awf plus the host-access flags for service-port passthrough; strict mode stays on the plain awf path by default.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address unresolved review feedback, refresh this branch for the latest base branch state if needed, and rerun checks when complete.

Generated by 👨‍🍳 PR Sous Chef · 7.67 AIC · ⌖ 5.51 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Copilot AI and others added 3 commits July 14, 2026 18:58
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
…compiler

# Conflicts:
#	.github/workflows/daily-multi-device-docs-tester.lock.yml
#	.github/workflows/dependabot-repair.lock.yml
#	.github/workflows/impeccable-skills-reviewer.lock.yml
#	.github/workflows/mattpocock-skills-reviewer.lock.yml
#	.github/workflows/pr-code-quality-reviewer.lock.yml
#	.github/workflows/pr-sous-chef.lock.yml
#	.github/workflows/semantic-function-refactor.lock.yml
#	.github/workflows/sighthound-security-scan.lock.yml
#	.github/workflows/smoke-copilot.lock.yml
#	.github/workflows/smoke-crush.lock.yml
#	.github/workflows/smoke-opencode.lock.yml

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@copilot please run the pr-finisher skill, address unresolved review feedback, refresh this branch for the latest base branch state if needed, and rerun checks when complete.

...

Addressed in 3965642 and 3ce6ce6.

  • Refreshed the branch from main and resolved the generated .lock.yml merge conflicts by taking the current main versions.
  • Fixed the merged-head unit failure in pkg/workflow/behavior_defined_engine_harness_test.go by asserting on strict-mode AWF invocation (awf --config) instead of sudo.

Local validation on the updated head:

  • make fmt
  • make lint
  • go test ./pkg/workflow -run 'TestBehaviorDefinedEngineHarnessScript'
  • make test-unit ❌ only the known AWF v0.27.32 pinning failures remain (TestBuildAWFImageTagWithDigests, TestCompileWorkflow_FirewallImagesPinnedForDefaultVersion, TestCompileWorkflow_BuildToolsImagePinnedForArcDind, TestApplyContainerPins_DefaultFirewallVersion)
  • make test ❌ same known pinning failures
  • make agent-report-progress ❌ same known pinning failures

CI on this pushed head is still unverified until a maintainer re-triggers it, since agent pushes do not start workflows.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address any unresolved review feedback, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 5.11 AIC · ⌖ 13.1 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@copilot please run the pr-finisher skill, address any unresolved review feedback, and rerun checks once the branch is up to date.

...

No additional code changes were needed on this head. I replied on the remaining unresolved review thread to clarify that legacy-security: enable is the existing sudo/host-access mode expressed through workflow frontmatter.

Reran local validation on the current branch:

  • make fmt
  • make lint
  • go test ./pkg/workflow -run 'TestBuildAWFArgs_LegacySecurityVersionGuard|TestBuildAWFCommand_ServicePortsRequireLegacy|TestCompileWorkflow_LegacySecurityFromFrontmatter|TestCompileWorkflow_StrictSecurityDefault|TestBehaviorDefinedEngineHarnessScript'
  • go test -tags=integration ./pkg/cli -run 'TestCompileServicePorts'
  • make test-unit / make test ❌ still reproduce only the known AWF v0.27.32 pinning failures (TestBuildAWFImageTagWithDigests, TestCompileWorkflow_FirewallImagesPinnedForDefaultVersion, TestCompileWorkflow_BuildToolsImagePinnedForArcDind, TestApplyContainerPins_DefaultFirewallVersion)

The branch already contains the PR base SHA, so it is up to date enough for review. CI on the current agent-pushed head remains unverified until a maintainer re-triggers workflows.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compiler: stop injecting sudo and --enable-host-access, support --legacy-security

5 participants