Skip to content

feat: default to strict security mode, stop injecting sudo and --enable-host-access#45360

Open
lpcox wants to merge 6 commits into
mainfrom
feat/legacy-security-compiler
Open

feat: default to strict security mode, stop injecting sudo and --enable-host-access#45360
lpcox wants to merge 6 commits into
mainfrom
feat/legacy-security-compiler

Conversation

@lpcox

@lpcox lpcox commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Summary

Implements the compiler-side changes for the strict security mode migration. The AWF firewall CLI (v0.27.32) now defaults to strict mode and this PR updates the compiler to match.

Changes

  • Default command: AWFDefaultCommand changed from sudo -E awf to awf
  • Legacy opt-in: Added AWFLegacySecurityCommand = "sudo -E awf" for workflows that explicitly need legacy mode
  • Frontmatter support: legacy-security: enable in workflow frontmatter opts into legacy behavior
  • BuildAWFArgs(): Only emits --legacy-security, --enable-host-access, --allow-host-ports when LegacySecurity is true
  • Version bump: DefaultFirewallVersion → v0.27.32 (the first release with --legacy-security flag)

Companion PR

Migration

Existing workflows continue to work unchanged (strict mode is the secure default). Workflows that need legacy behavior must add legacy-security: enable to their frontmatter.

Note on CI

Container pin tests (TestApplyContainerPins_DefaultFirewallVersion, etc.) will fail until make build && make recompile && make recompile is run with registry access to resolve v0.27.32 SHA digests. Lock files also need regeneration.

Closes #45344


Generated by 👨‍🍳 PR Sous Chef · 12.8 AIC · ⌖ 5.92 AIC · ⊞ 7.5K ·
Comment /souschef to run again

- Change AWFDefaultCommand from 'sudo -E awf' to 'awf' (strict mode)
- Add AWFLegacySecurityCommand for explicit legacy mode opt-in
- Add LegacySecurity field to AgentSandboxConfig (frontmatter: legacy-security: enable)
- GetAWFCommandPrefix() returns 'awf' by default, 'sudo -E awf' only for legacy
- BuildAWFArgs() only emits --legacy-security, --enable-host-access, --allow-host-ports
  when LegacySecurity is true
- Bump DefaultFirewallVersion to v0.27.32 (requires --legacy-security flag)
- Update all test assertions for new default behavior
- Update golden files for strict-mode output

Note: Container pin tests will fail until 'make build && make recompile && make recompile'
is run with registry access to resolve v0.27.32 SHA digests.

Closes #45344

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
Copilot AI review requested due to automatic review settings July 14, 2026 02:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the compiler for AWF v0.27.32’s strict-security default and introduces legacy-security opt-in behavior.

Changes:

  • Removes sudo and host-access flags from default AWF execution.
  • Adds legacy-security: enable handling and legacy command arguments.
  • Bumps AWF to v0.27.32 and refreshes tests/golden outputs.
Show a summary per file
File Description
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden Updates AWF fixture version.
pkg/workflow/testdata/TestWasmGolden_AllEngines/pi.golden Updates Pi AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/gemini.golden Updates Gemini AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden Updates Copilot AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/codex.golden Updates Codex AWF output.
pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden Updates Claude AWF output.
pkg/workflow/sandbox.go Adds legacy-security state.
pkg/workflow/sandbox_mounts_test.go Updates AWF command assertions.
pkg/workflow/gh_cli_mount_test.go Updates AWF command assertions.
pkg/workflow/frontmatter_extraction_security.go Extracts legacy-security configuration.
pkg/workflow/firewall_workflow_test.go Updates firewall command assertion.
pkg/workflow/firewall_args_test.go Updates firewall argument assertions.
pkg/workflow/compiled_lock_files_test.go Updates compiled-command assertion.
pkg/workflow/claude_engine_network_test.go Updates Claude network assertions.
pkg/workflow/awf_helpers.go Implements strict and legacy command behavior.
pkg/workflow/awf_helpers_test.go Tests strict and legacy behavior.
pkg/workflow/awf_config.go Documents unconditional API proxy behavior.
pkg/workflow/awf_config_test.go Updates generated-command assertions.
pkg/workflow/agentic_output_test.go Updates AWF wrapper assertions.
pkg/constants/version_constants.go Bumps AWF and adds compatibility boundary.
pkg/constants/spec_test.go Updates documented default-command test.
pkg/constants/constants.go Defines strict and legacy commands.
pkg/constants/constants_test.go Updates constant expectations.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 26/26 changed files
  • Comments generated: 3
  • Review effort level: Medium

Comment thread pkg/workflow/frontmatter_extraction_security.go
Comment thread pkg/workflow/awf_helpers.go
Comment thread pkg/workflow/awf_helpers.go Outdated
1. Schema: Add legacy-security field (enum: ['enable']) to sandbox.agent
   object in main_workflow_schema.json so frontmatter passes validation.

2. Service ports: Gate --allow-host-service-ports on LegacySecurity mode.
   Strict mode no longer emits host-access flags for service ports.

3. Version guard: Only emit --legacy-security flag when AWF version >= v0.27.32.
   Older AWF versions default to legacy mode and don't recognize the flag.
   --enable-host-access is still emitted for backward compat with older AWF.

4. Tests: Full-compilation tests validating legacy-security: enable passes
   schema validation and produces expected output. Unit tests for version
   guard and service port gating.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

Copilot AI and others added 2 commits July 14, 2026 03:44
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

pr-sous-chef
@copilot please run the pr-finisher skill, address these unresolved review comments, and rerun checks once finished:

Addressed in a29dcc3.

Local checks rerun:

  • make fmt
  • make lint
  • go test -tags=integration ./pkg/cli -run 'TestCompileServicePorts'
  • go test ./pkg/workflow -run 'TestBuildAWFCommand_ServicePortsRequireLegacy|TestCompileWorkflow_LegacySecurityFromFrontmatter|TestCompileWorkflow_StrictSecurityDefault'
  • make test-unit / make test still hit the pre-existing AWF v0.27.32 pinning failures already noted in the PR description (TestBuildAWFImageTagWithDigests, TestCompileWorkflow_FirewallImagesPinnedForDefaultVersion, TestCompileWorkflow_BuildToolsImagePinnedForArcDind, TestApplyContainerPins_DefaultFirewallVersion).

I also recompiled .github/workflows/smoke-service-ports.md; CI on this new HEAD still needs a maintainer-triggered rerun because agent pushes do not start workflows.

Copilot AI requested a review from gh-aw-bot July 14, 2026 03:57
@lpcox

lpcox commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator Author

@copilot revert all .lock.yml updates to main

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@copilot revert all .lock.yml updates to main

Addressed in 8c420f9.

I reverted the incidental .lock.yml churn back to the pre-change/main state. I kept .github/workflows/smoke-service-ports.lock.yml aligned with its updated .md source, because reverting that one also reintroduces the lockfile hash-consistency failure.

Copilot finished work on behalf of lpcox July 14, 2026 04:41
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

pr-sous-chef
@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 12.8 AIC · ⌖ 5.92 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

pr-sous-chef
@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.
...

No additional code changes were needed; the unresolved review items are already addressed on this branch in 946e5aa and a29dcc3, and I replied on each review thread.

Reran local validation:

  • make fmt
  • make lint
  • go test ./pkg/workflow -run 'TestBuildAWFArgs_LegacySecurityVersionGuard|TestBuildAWFCommand_ServicePortsRequireLegacy|TestCompileWorkflow_LegacySecurityFromFrontmatter|TestCompileWorkflow_StrictSecurityDefault'
  • go test -tags=integration ./pkg/cli -run 'TestCompileServicePorts'
  • make test ❌ still hits the known AWF v0.27.32 pinning failures already called out in the PR (TestBuildAWFImageTagWithDigests, TestCompileWorkflow_FirewallImagesPinnedForDefaultVersion, TestCompileWorkflow_BuildToolsImagePinnedForArcDind, TestApplyContainerPins_DefaultFirewallVersion).

Branch is already up to date with main; CI on this HEAD still needs a maintainer-triggered rerun because agent pushes do not start workflows.

strict: true
sandbox:
agent:
legacy-security: enable

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lpcox don't we have a "sudo" mode already?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compiler: stop injecting sudo and --enable-host-access, support --legacy-security

5 participants