Conversation
- Generate en_US.UTF-8 locale to prevent setlocale warnings at startup
- Add retry loop (5 attempts) for npm global installs to handle flaky network
- Verify CLI tools by invoking binaries directly instead of npm list
- Add set -eux for stricter error handling in user npm install step

- Add -Q/--quick flag for bare mode: no config mounts, no .deva, implies --rm
- Backup credentials to tmpdir when auth override active, restore on exit
- Include config hash in container name for explicit --config-home
- Skip ~/.config/deva and ~/.cache/deva when -c is explicit (isolation)
- Warn when explicit config-home has empty auth directories
- Skip filesystem operations during --dry-run
- Redact secrets in debug output

- Add ANTHROPIC_AUTH_TOKEN and ANTHROPIC_BASE_URL env var support
- Replace mv/restore credential backup with overlay file mounting
- Filter sensitive files (.credentials.json, auth.json) from home mounts
- Extract should_mount_home_item() for cleaner mount logic

- formalize the repo with MIT, SECURITY, and CONTRIBUTING docs
- rewrite README and fix installer module drift
- ship auth token forwarding and safer credential overlays

- Add comprehensive docs pages (quick-start, auth, troubleshooting, etc.)
- Add GitHub Pages workflow and CI docs build job
- Streamline README by moving detailed content to docs site
Claude finished @lroolle's task in 2m 2s.

**Security Audit Complete**

I've performed a thorough security audit of this PR focusing on container boundaries, authentication flows, shell entrypoints, and privilege escalation vectors.

Todo List

🔴 BLOCKING SECURITY ISSUES

1. Command Injection in Volume Hash Computation
   File:
   ```bash
   config_hash=$(printf '%s' "$config_hash_source" | md5sum | cut -c1-6)
   creds_hash=$(printf '%s' "$CUSTOM_CREDENTIALS_FILE" | md5sum | cut -c1-8)
   ```
   Impact: User-controlled paths in

2. Unsafe Command Substitution Pattern
   File:
   ```bash
   raw="$(expand_tilde "$raw")"
   dir="$(pwd)"
   abs_src=$(cd "$(dirname "$src")" 2>/dev/null && pwd)/$(basename "$src")
   ```
   Impact: If input paths contain command injection chars, could lead to RCE

3. Privileged Docker Socket Access by Default
   File:

4. Password-less Sudo in Container
   File:
   ```bash
   echo "$DEVA_USER ALL=(ALL) NOPASSWD: ALL" > "/etc/sudoers.d/$DEVA_USER"
   ```
   Impact: Any command execution as

🟠 HIGH-RISK FINDINGS

5. Unvalidated Environment Variable Processing
   File:

6. Authentication Token Exposure Risk
   File: `cmd+=(--github-token "${GH_TOKEN:-${GITHUB_TOKEN}}")`
   Risk: Tokens visible in process list, docker inspect output

7. Insecure Download in Install Script
   File: `curl -fsSL "$GITHUB_RAW/$path" -o "$dest"`
   Risk: MITM attacks, supply chain compromise (though over HTTPS)

8. Unsafe Copilot API Installation
   File:

🟡 MEDIUM-RISK FINDINGS

9. Weak File Permission Validation
   File:

10. Race Condition in Container Selection
    File:

✅ POSITIVE SECURITY IMPROVEMENTS

Good Security Practices Found:

REQUIRED TESTS BEFORE MERGE

RECOMMENDATIONS

Immediate (Pre-merge):

Short-term:

Long-term:

Overall Assessment: This PR improves security with better input validation and credential handling, but contains several injection vulnerabilities that must be fixed before merge. The Docker socket auto-mount significantly weakens the "container as sandbox" model.
Pull request overview
This PR prepares the repo for an OSS-style release by adding a MkDocs documentation site, polishing project metadata (README/license/security/contributing), and tightening auth/config handling in the deva.sh launcher (including --dry-run side-effect fixes and container identity changes).
Changes:
- Add MkDocs configuration, docs pages, and CI/Pages workflows to build and publish the documentation site.
- Update installer + release workflow docs to reflect `deva.sh` as the primary entrypoint and to install the full agent set.
- Refine `deva.sh` auth/config behavior (quick mode, credential overlays, container naming, dry-run behavior) and extend agent auth support (e.g., `ANTHROPIC_AUTH_TOKEN`).
Reviewed changes
Copilot reviewed 25 out of 26 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| workflows/RELEASE.md | Updates release instructions to use deva.sh as version source. |
| mkdocs.yml | Adds MkDocs Material site config + navigation. |
| install.sh | Refreshes installer for multi-agent + fallback image behavior. |
| docs/index.md | Adds docs landing page. |
| docs/quick-start.md | Adds quick start guide for install + basic usage. |
| docs/how-it-works.md | Documents startup/config/auth/mount/runtime model. |
| docs/authentication.md | Documents per-agent auth modes and mounting behavior. |
| docs/advanced-usage.md | Documents .deva, profiles, risk knobs, advanced workflows. |
| docs/troubleshooting.md | Adds troubleshooting playbook and diagnostic commands. |
| docs-requirements.txt | Pins MkDocs + theme dependencies for CI build. |
| deva.sh | Version bump + quick mode + container identity/auth overlay + dry-run safety improvements. |
| agents/shared_auth.sh | Extends Anthropic token validation to include ANTHROPIC_AUTH_TOKEN. |
| agents/claude.sh | Adds ANTHROPIC_AUTH_TOKEN support and avoids proxy start/model probing during --dry-run. |
| agents/codex.sh | Avoids proxy start/model probing during --dry-run. |
| agents/gemini.sh | Adjusts gemini mounts + settings writes (now gated by DRY_RUN). |
| README.md | Rewrites README into concise landing page + docs links. |
| CHANGELOG.md | Adds 0.9.2 release notes and updates product name. |
| DEV-LOGS.md | Adds dev log entries describing OSS/docs/auth work. |
| CONTRIBUTING.md | Adds contribution workflow + local checks guidance. |
| SECURITY.md | Adds vulnerability reporting policy. |
| LICENSE | Adds MIT license file. |
| Dockerfile | Adds locale generation + npm install retry + CLI version sanity checks. |
| .gitignore | Ignores MkDocs site/ output. |
| .github/workflows/ci.yml | Adds MkDocs build job to CI. |
| .github/workflows/pages.yml | Adds GitHub Pages workflow to build/deploy docs. |
| mkdir -p "$state_dir" | ||
| cp "$claude_json" "$state_dir/.claude.json.bak" |
backup_claude_json copies .claude.json into $XDG_STATE_HOME/.../deva/backups but doesn’t enforce restrictive permissions on the backup. Since .claude.json can contain auth/session material, the backup should be written with 0600 (and ideally atomically) to avoid accidentally making it more widely readable than the original.
| mkdir -p "$state_dir" | |
| cp "$claude_json" "$state_dir/.claude.json.bak" | |
| local backup_path tmp_backup | |
| backup_path="$state_dir/.claude.json.bak" | |
| # Ensure backup directory exists and is owner-only. | |
| mkdir -p "$state_dir" | |
| chmod 700 "$state_dir" 2>/dev/null || true | |
| # Create a temporary file with restrictive permissions, then atomically move. | |
| tmp_backup="$(mktemp "$state_dir/.claude.json.bak.XXXXXX")" | |
| chmod 600 "$tmp_backup" 2>/dev/null || true | |
| if ! cp "$claude_json" "$tmp_backup"; then | |
| rm -f "$tmp_backup" | |
| return 1 | |
| fi | |
| mv -f "$tmp_backup" "$backup_path" |
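Review bot: `chmod 700 "$state_dir" 2>/dev/null || true` swallows exactly the failure it is there to catch; if the backup directory cannot be made owner-only, a credential copy should not be written into it, so let the chmod fail (or `return 1`, as the `cp` branch already does). The later `chmod 600 "$tmp_backup"` is redundant rather than wrong: `mktemp` already creates the file 0600, and `cp` onto an existing file keeps the destination's mode, which is what makes the copy safe.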
| fi | ||
| DOCKER_ARGS+=("-v" "$overlay_file:$target_path") |
append_auth_credential_overlay bind-mounts the generated blank overlay file without :ro. Since this file exists on the host under $XDG_STATE_HOME, mounting it read-write allows the container/agent to modify host state. Mount the overlay as read-only (and consider writing it with restrictive perms) so the overlay can’t be mutated from inside the container.
| fi | |
| DOCKER_ARGS+=("-v" "$overlay_file:$target_path") | |
| chmod 600 "$overlay_file" | |
| fi | |
| DOCKER_ARGS+=("-v" "$overlay_file:$target_path:ro") |
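Review bot: `chmod 600 "$overlay_file"` is evaluated against host ownership, so inside the container the blank overlay is readable only if the agent runs with the same UID as the host user; with a different UID the agent gets a permission error on its credential path instead of an empty file. The `:ro` flag on the mount is what stops the container from writing back to host state, so 0644 on a deliberately empty file would avoid that failure mode without weakening the isolation.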
| @@ -86,9 +93,10 @@ setup_gemini_auth() { | |||
| } | |||
| } | |||
| EOF | |||
| echo "Created gemini settings with API key auth: $settings_file" >&2 | |||
| else | |||
| echo "Using existing gemini settings: $settings_file" >&2 | |||
| echo "Created gemini settings with API key auth: $settings_file" >&2 | |||
| else | |||
| echo "Using existing gemini settings: $settings_file" >&2 | |||
| fi | |||
| fi | |||
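Review bot: the removed and re-added `echo`/`else` lines are identical apart from indentation, so this hunk is the whitespace effect of wrapping the block in a new conditional; check that the heredoc terminator `EOF` just above them was not re-indented along with the rest, because a `<<EOF` heredoc only ends on an `EOF` at column 0 (switch to `<<-EOF` with tab indentation if it has to move).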
In --auth-with api-key for Gemini, this code still writes to a host-side $HOME/.gemini (mkdir/rm/settings.json) when neither CONFIG_HOME nor CONFIG_ROOT is set. In -Q/--quick bare mode, this means a run can unexpectedly mutate the user’s real home config even though bare mode is intended to avoid host config mounts/state. Consider short-circuiting these writes when QUICK_MODE=true (or require an explicit config home) to keep -Q side-effect-free on the host.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a69ce81b86
| for d in "$CONFIG_ROOT"/*; do | ||
| [ -d "$d" ] || continue | ||
| [ "$(basename "$d")" = "_shared" ] && continue | ||
| mount_dir_contents_into_home "$d" |
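Review bot: nothing in this loop guards `$CONFIG_ROOT` against being empty or unset; `for d in "$CONFIG_ROOT"/*` would then expand to `/*`, every top-level host directory passes the `[ -d "$d" ]` test, and `mount_dir_contents_into_home` is called on each of them. Add a `[ -n "$CONFIG_ROOT" ] && [ -d "$CONFIG_ROOT" ]` check before the loop (or `set -u` plus an explicit error), and consider mounting the directories of non-active agents read-only so their credential files cannot be altered from inside the container.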
Restrict non-active credential mounts in config-root mode
When --config-home is a root containing multiple agent folders, this loop mounts every agent directory into the container even under non-default auth (for example, claude --auth-with api-key). The new overlay logic only blanks the active agent credential path, so inactive credentials like /home/deva/.codex/auth.json remain mounted and writable, reintroducing credential exposure/corruption risk in the mode that is supposed to isolate from OAuth files.
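Added example, not deva.sh's own code: a mount planner for the config-root case raised in the Codex comment above, which also applies the read-only overlay point from the Copilot comment on append_auth_credential_overlay. It assumes one folder per agent under the root, a /home/deva home inside the container and a host directory for overlay files; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not deva.sh's own code. Plans the bind mounts for a --config-home
# root that holds one folder per agent (the layout, function names, the
# /home/deva target and the overlay directory are assumptions).
set -u

# Credential file names the PR filters from home mounts.
is_credential_file() {
  case "$1" in
    .credentials.json|auth.json) return 0 ;;
    *) return 1 ;;
  esac
}

# plan_config_root_mounts ROOT ACTIVE_AGENT AUTH_MODE OVERLAY_DIR
# Prints one "-v src:dst[:ro]" spec per line for the caller to append to
# DOCKER_ARGS. Only the active agent under default (OAuth) auth is writable;
# every other agent dir is read-only and its credential files are hidden behind
# a blank, read-only overlay so no inactive token reaches the container.
plan_config_root_mounts() {
  local root="$1" active="$2" auth_mode="$3" overlay_dir="$4"
  local agent_dir agent item target cred overlay mode
  # An empty root would glob "/*" and mount the host's top-level directories.
  [ -n "$root" ] && [ -d "$root" ] || { echo "config root missing: '$root'" >&2; return 1; }
  mkdir -p "$overlay_dir"
  for agent_dir in "$root"/*; do
    [ -d "$agent_dir" ] || continue
    agent="$(basename "$agent_dir")"
    [ "$agent" = "_shared" ] && continue
    mode=":ro"
    [ "$agent" = "$active" ] && [ "$auth_mode" = "default" ] && mode=""
    for item in "$agent_dir"/.[!.]* "$agent_dir"/*; do
      [ -e "$item" ] || continue
      target="/home/deva/$(basename "$item")"
      printf -- '-v %s:%s%s\n' "$item" "$target" "$mode"
      [ -n "$mode" ] || continue   # writable active agent keeps its real credentials
      for cred in "$item"/.[!.]* "$item"/*; do
        [ -f "$cred" ] && is_credential_file "$(basename "$cred")" || continue
        # Empty, owner-only overlay file; mounted :ro so the container cannot
        # alter host state through it.
        overlay="$overlay_dir/$agent-$(basename "$cred")"
        ( umask 077; : > "$overlay" )
        printf -- '-v %s:%s/%s:ro\n' "$overlay" "$target" "$(basename "$cred")"
      done
    done
  done
}
```

Docker applies nested bind mounts by destination depth, so a read-only file overlay at `/home/deva/.codex/auth.json` takes effect on top of the read-only `.codex` directory mount.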
| gemini_config_dir="$HOME/.gemini" | ||
| fi | ||
|
|
||
| mkdir -p "$gemini_config_dir" | ||
| rm -f "$gemini_config_dir/mcp-oauth-tokens-v2.json" | ||
| if [ "${DRY_RUN:-false}" != true ]; then |
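Review bot: the `mkdir -p "$gemini_config_dir"` and `rm -f "$gemini_config_dir/mcp-oauth-tokens-v2.json"` run before the `if [ "${DRY_RUN:-false}" != true ]` guard on the following line, so a --dry-run still creates the directory and deletes the host's token file; move both statements inside the guard so dry-run stays side-effect-free.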
Skip host Gemini config writes in quick API-key mode
In -Q/--quick runs, deva.sh clears CONFIG_HOME/CONFIG_ROOT, so this fallback resolves to $HOME/.gemini and then writes host config (mkdir, token cleanup, settings.json) for API-key auth. That breaks quick mode’s bare/no-config expectation and the written settings are not mounted into the container anyway, so the auth-mode preparation can be ineffective for the actual run while still mutating host state.
- publish docs with docs.deva.sh domain metadata and site links
- share tool version resolution across nightly and tagged releases
Claude finished @lroolle's task in 2m 50s.

**Security Audit Complete**

I've performed a thorough security audit of this PR focusing on container boundaries, authentication flows, shell entrypoints, and privilege escalation vectors.

Todo List

🔴 BLOCKING SECURITY ISSUES

1. Command Injection in Volume Hash Computation
   File:
   ```bash
   config_hash=$(printf '%s' "$config_hash_source" | md5sum | cut -c1-6)
   creds_hash=$(printf '%s' "$CUSTOM_CREDENTIALS_FILE" | md5sum | cut -c1-8)
   ```
   Impact: User-controlled paths in

2. Unsafe Command Substitution Pattern
   File:
   ```bash
   raw="$(expand_tilde "$raw")"
   dir="$(pwd)"
   abs_src=$(cd "$(dirname "$src")" 2>/dev/null && pwd)/$(basename "$src")
   ```
   Impact: If input paths contain command injection chars, could lead to RCE

3. Privileged Docker Socket Access by Default
   File:

4. Password-less Sudo in Container
   File:
   ```bash
   echo "$DEVA_USER ALL=(ALL) NOPASSWD: ALL" > "/etc/sudoers.d/$DEVA_USER"
   ```
   Impact: Any command execution as

🟠 HIGH-RISK FINDINGS

5. Unvalidated Environment Variable Processing
   File:

6. Authentication Token Exposure Risk
   File: `cmd+=(--github-token "${GH_TOKEN:-${GITHUB_TOKEN}}")`
   Risk: Tokens visible in process list, docker inspect output

7. Insecure Download in Install Script
   File: `curl -fsSL "$GITHUB_RAW/$path" -o "$dest"`
   Risk: MITM attacks, supply chain compromise (though over HTTPS)

8. Unsafe Copilot API Installation
   File:

🟡 MEDIUM-RISK FINDINGS

9. Weak File Permission Validation
   File:

10. Race Condition in Container Selection
    File:

✅ POSITIVE SECURITY IMPROVEMENTS

Good Security Practices Found:

REQUIRED TESTS BEFORE MERGE

RECOMMENDATIONS

Immediate (Pre-merge):

Short-term:

Long-term:

Overall Assessment: This PR improves security with better input validation and credential handling, but contains several injection vulnerabilities that must be fixed before merge. The Docker socket auto-mount significantly weakens the "container as sandbox" model.