Summary
Secret values (provider credentials, inference route API keys, SSH handshake secret) are currently injected as plaintext environment variables into sandbox child processes. This means the agent process and anything it spawns have direct access to raw secret material via /proc/<pid>/environ or standard env var access.
We should restructure this so that the supervisor holds all secret values and the sandbox agent process only sees placeholder/reference values. The supervisor would intercept or mediate any operation that requires the real secret, keeping the actual credentials out of the agent's address space.
Current Behavior
- Provider credentials — Fetched by the supervisor via GetSandboxProviderEnvironment gRPC call, then injected directly as env vars into the child process (cmd.env(key, value) in process.rs:106-109) and SSH sessions (ssh.rs:565-637).
- Inference route API keys — Fetched via GetSandboxInferenceBundle, stored as ResolvedRoute.api_key in the sandbox process memory, and used by the proxy to replace outgoing Authorization/x-api-key headers.
- SSH handshake secret — Passed as NEMOCLAW_SSH_HANDSHAKE_SECRET env var in the pod spec, readable by the supervisor (intended) but also technically visible at the pod level.
Proposed Behavior
- Provider credentials — The supervisor should not inject real credential values into the agent's environment. Instead, inject placeholder values (e.g., ANTHROPIC_API_KEY=nemo-placeholder:provider:anthropic:api_key). The supervisor's proxy layer would intercept outgoing requests and swap placeholders for real values before forwarding.
- Inference route API keys — Already partially correct since the proxy strips and re-injects auth headers. Ensure the real API key never appears in the agent-accessible proxy config or memory space.
- SSH handshake secret — Keep this supervisor-only. Ensure it is not exposed to the agent process environment.
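The following is an added illustration of the proposed proxy-side substitution and is not code from this repository. It assumes a supervisor-held SecretStore type (hypothetical name) keyed by the reference part of the placeholder, uses the placeholder format given above (nemo-placeholder:provider:anthropic:api_key), rewrites only the Authorization and x-api-key headers that the proxy already handles, and fails closed on a placeholder it cannot resolve so an unresolved placeholder is never forwarded upstream as a credential. It also includes the check a reviewer would want for the acceptance criteria: that no variable in the agent's environment carries a real secret value. All sample values are constructed.

```rust
use std::collections::HashMap;

/// Prefix of the placeholder values the agent sees instead of real secrets
/// (format taken from the issue: "nemo-placeholder:provider:anthropic:api_key").
pub const PLACEHOLDER_PREFIX: &str = "nemo-placeholder:";

/// Supervisor-side store of real secret values, keyed by reference
/// ("provider:anthropic:api_key"). Hypothetical type for this example; the
/// project's own representation is not shown in the issue.
#[derive(Default)]
pub struct SecretStore {
    secrets: HashMap<String, String>,
}

#[derive(Debug, PartialEq)]
pub enum RewriteError {
    /// A placeholder referenced a secret the supervisor does not hold.
    UnknownReference(String),
}

impl SecretStore {
    pub fn insert(&mut self, reference: &str, value: &str) {
        self.secrets.insert(reference.to_string(), value.to_string());
    }

    /// Placeholder string handed to the agent's environment for `reference`.
    pub fn placeholder_for(reference: &str) -> String {
        format!("{}{}", PLACEHOLDER_PREFIX, reference)
    }

    /// Replace every placeholder token inside one header value with the real
    /// secret. A token runs from the prefix to the next whitespace, so
    /// "Bearer nemo-placeholder:provider:x:key" works as well as a bare value.
    /// Fails closed: an unknown reference is an error, not a pass-through.
    pub fn rewrite_value(&self, value: &str) -> Result<String, RewriteError> {
        let mut out = String::with_capacity(value.len());
        let mut rest = value;
        while let Some(start) = rest.find(PLACEHOLDER_PREFIX) {
            out.push_str(&rest[..start]);
            let token = &rest[start + PLACEHOLDER_PREFIX.len()..];
            let token_len = token.find(char::is_whitespace).unwrap_or(token.len());
            let reference = &token[..token_len];
            match self.secrets.get(reference) {
                Some(real) => out.push_str(real),
                None => return Err(RewriteError::UnknownReference(reference.to_string())),
            }
            rest = &token[token_len..];
        }
        out.push_str(rest);
        Ok(out)
    }

    /// Rewrite the credential-bearing headers of an outgoing request. Header
    /// names are matched case-insensitively; all other headers pass through.
    pub fn rewrite_headers(
        &self,
        headers: &[(String, String)],
    ) -> Result<Vec<(String, String)>, RewriteError> {
        headers
            .iter()
            .map(|(name, value)| {
                let lower = name.to_ascii_lowercase();
                let new_value = if lower == "authorization" || lower == "x-api-key" {
                    self.rewrite_value(value)?
                } else {
                    value.clone()
                };
                Ok((name.clone(), new_value))
            })
            .collect()
    }

    /// Acceptance check: returns the first env var whose value contains a real
    /// secret (whole or embedded), or None when the environment is clean.
    pub fn env_leaks_secret(&self, env: &[(String, String)]) -> Option<String> {
        env.iter()
            .find(|(_, v)| self.secrets.values().any(|s| !s.is_empty() && v.contains(s.as_str())))
            .map(|(k, _)| k.clone())
    }
}

fn main() {
    let mut store = SecretStore::default();
    // Constructed sample secret; never a real credential.
    store.insert("provider:anthropic:api_key", "sk-constructed-example");
    let placeholder = SecretStore::placeholder_for("provider:anthropic:api_key");
    let agent_env = vec![("ANTHROPIC_API_KEY".to_string(), placeholder.clone())];
    println!("agent env leaks secret: {:?}", store.env_leaks_secret(&agent_env));
    let headers = vec![("x-api-key".to_string(), placeholder)];
    // Only the header name is printed; the resolved value stays in the supervisor.
    for (name, _) in store.rewrite_headers(&headers).unwrap() {
        println!("rewrote header {}", name);
    }
}
```

Note the two properties worth testing in the real implementation: a value with no placeholder is returned byte-for-byte, and an unknown reference is rejected rather than forwarded, since a silently passed-through placeholder would turn a configuration mistake into a failed authentication at the upstream provider with no signal on the supervisor side.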
Key Files
crates/navigator-sandbox/src/process.rs — Child process env var injection
crates/navigator-sandbox/src/ssh.rs — SSH session env var injection
crates/navigator-sandbox/src/lib.rs — Supervisor startup, credential fetch orchestration
crates/navigator-sandbox/src/grpc_client.rs — gRPC calls to fetch credentials
crates/navigator-sandbox/src/proxy.rs — HTTP CONNECT proxy / inference interception
crates/navigator-server/src/sandbox/mod.rs — Pod spec construction, env var injection
Acceptance Criteria