Skip to content

Sanitize the worker environment and add secret-canary tests #2

Description

@ta2jam

Problem

The worker currently inherits os.environ.copy(). Credentials, proxy configuration, cloud metadata variables, and user-specific paths can therefore cross the worker boundary.

Desired outcome

Build the worker environment from an explicit allowlist. Preserve only variables required by the worker protocol and documented platform execution. Do not forward secrets by pattern-based redaction after the fact.

Acceptance

  • A canary secret in the parent environment is absent from the worker environment.
  • Required Morfeus protocol variables remain available.
  • Locale and executable resolution behavior is deterministic and documented.
  • Tests cover explicit opt-in variables without introducing a wildcard escape.
  • README and security documentation describe the trusted-process limitation accurately.

This issue does not implement a full secret broker; it closes the immediate ambient-environment leak.

Metadata

Metadata

Assignees

No one assigned

    Labels

    good first issueGood for newcomerspriority:p0Release-blocking safety or correctness issueroadmapTracked in the technical roadmapsecuritySecurity boundary or hardening work

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions