v0.1.91 — lend sandbox fail-closed (#42)

KalLee-SI released this 03 Jul 04:04

settlemesh 0.1.91

Security fix release (audit #42, HIGH).

worker lend / worker start --kind command now fail closed when the host has no filesystem-confining sandbox backend. Previously, on Linux without bubblewrap (user namespaces disabled), a lent coding agent or command could run with no filesystem or network confinement behind only a one-line stderr warning. Its injected login credential and the lender's files (~/.ssh, ~/.aws) were reachable and could be returned to the caller via the job result.

Now:

  • Registration is refused when no sandbox-exec (macOS) / bwrap with user namespaces (Linux) backend is available.
  • A credential-injecting job is refused at exec time unless confinement is in place — credentials never touch disk unconfined.
  • The only opt-out is the explicit, at-your-own-risk --i-accept-no-sandbox flag.
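As an added illustration (not settlemesh's own code), a Python model of the fail-closed gate described above: backend detection for sandbox-exec on macOS and bwrap with unprivileged user namespaces on Linux, a registration check, and an exec-time check for credential-injecting jobs. The /proc sysctl paths are standard kernel knobs; treating --i-accept-no-sandbox as overriding both checks is an assumption.

```python
import platform
import shutil
from dataclasses import dataclass


@dataclass(frozen=True)
class HostProbe:
    system: str            # "Darwin" or "Linux"
    has_sandbox_exec: bool  # macOS: sandbox-exec(1) on PATH
    has_bwrap: bool         # Linux: bubblewrap on PATH
    userns_enabled: bool    # Linux: unprivileged user namespaces usable


def _read_int(path, default):
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def probe_host() -> HostProbe:
    """Inspect the running host (real probe; the test below uses constructed probes)."""
    system = platform.system()
    userns = False
    if system == "Linux":
        # Debian-family kernels gate unprivileged userns with kernel.unprivileged_userns_clone;
        # every kernel caps the count with user.max_user_namespaces (0 means disabled).
        clone = _read_int("/proc/sys/kernel/unprivileged_userns_clone", default=1)
        max_ns = _read_int("/proc/sys/user/max_user_namespaces", default=0)
        userns = clone != 0 and max_ns > 0
    return HostProbe(system, shutil.which("sandbox-exec") is not None,
                     shutil.which("bwrap") is not None, userns)


def available_backend(h: HostProbe):
    """Return the confining backend name, or None when the host offers none."""
    if h.system == "Darwin" and h.has_sandbox_exec:
        return "sandbox-exec"
    if h.system == "Linux" and h.has_bwrap and h.userns_enabled:  # bwrap alone is not enough
        return "bwrap"
    return None


class SandboxRefused(RuntimeError):
    pass


def check_registration(h: HostProbe, accept_no_sandbox=False):
    """Fail closed: refuse to register a lender with no backend unless explicitly opted out."""
    backend = available_backend(h)
    if backend is None and not accept_no_sandbox:
        raise SandboxRefused("no filesystem-confining sandbox backend; refusing to lend")
    return backend  # None only when the operator accepted running unconfined


def check_exec(h: HostProbe, injects_credential: bool, accept_no_sandbox=False):
    """Exec-time gate: a credential-injecting job never runs unconfined by accident."""
    backend = available_backend(h)
    if backend is None and injects_credential and not accept_no_sandbox:
        raise SandboxRefused("credential-injecting job without confinement")
    return backend
```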

Install / upgrade:

npm install -g settlemesh@latest

The npm tarball bundles all six static binaries; these release assets are a download fallback.