v4.4.16

v4.4.16 — Read-anywhere with deny-list for filesystem tools

Filesystem tools may now READ anywhere on the host, with a built-in deny-list to protect sensitive paths. Writes are unchanged.

Why

Agents need access to system wordlists (/usr/share/seclists/, /usr/share/wordlists/rockyou.txt), payload directories, /etc/services, etc. The previous policy rejected every read outside the workspace, forcing agents to copy assets into the workspace before use.

What changed

• Reads outside allow_list succeed by default.
• A built-in deny-list still rejects sensitive paths:
  • User secrets: ~/.ssh, ~/.gnupg, ~/.aws, ~/.azure, ~/.config/gcloud, ~/.kube, ~/.docker, ~/.netrc, ~/.pgpass, ~/.bash_history, ~/.zsh_history
  • System secrets: /etc/shadow, /etc/gshadow, /etc/sudoers, /etc/sudoers.d, /etc/ssh, /root/.ssh, /root/.aws, /root/.gnupg
  • Process / kernel: /proc/kcore, /proc/kallsyms
  • Encrypted volume keys: /etc/luks
• Writes are unchanged. CheckResolve still enforces the workspace + ~/.xalgorix/ + /tmp/ Allow_List.

Operator-facing additions

• XALGORIX_READ_DENY_LIST (colon-separated) extends the default deny-list.
• read_deny field on /api/status exposes the active deny-list alongside allow_list.

First caller

• fileedit view routes through the new CheckRead so wordlists, /etc/services, etc. are reachable while sensitive paths are still denied.

Verification

• go vet ./... clean
• go build ./... clean
• go test ./... -count=1 — all 26 packages pass
• go test -race on sandbox/web/fileedit — no races
• WebUI build clean

Changes

• 8589265 feat(sandbox): read-anywhere with deny-list for filesystem tools
• 9dc6b2b release: v4.4.16