harn_hostlib/process/handle.rs
1//! Process abstraction trait used by `tools/proc` and
2//! `tools/long_running`.
3//!
4//! Tier 1C of the de-flake epic (#1057). Production code spawns through
5//! the [`ProcessSpawner`] trait — the default implementation in
6//! `process::real` wraps `std::process::Child` and goes through
7//! `harn_vm::process_sandbox`. Tests install a `MockSpawner` (see
8//! `process::mock`) that returns deterministic [`MockProcess`] handles,
9//! so process-tool tests no longer depend on real subprocess scheduling
10//! or wall-clock timing.
11
12use std::collections::BTreeMap;
13use std::io::{self, Read, Write};
14use std::path::PathBuf;
15use std::sync::Arc;
16use std::time::Duration;
17
18pub use harn_vm::op_interrupt::{ProcessCleanupChild, ProcessCleanupReport};
19
20/// Resolved exit information for a finished process. Mirrors the subset of
21/// `std::process::ExitStatus` that the process-tool builtins surface.
22#[derive(Clone, Copy, Debug, PartialEq, Eq)]
23pub struct ExitStatus {
24 /// Exit code from `exit(2)` / `_exit(2)`. `None` means the process did not
25 /// exit normally (it was terminated by a signal).
26 pub code: Option<i32>,
27 /// Unix signal that terminated the process, when applicable. `None` on
28 /// non-Unix targets or when the process exited normally.
29 pub signal: Option<i32>,
30}
31
32impl ExitStatus {
33 /// Construct a normal exit with the given code.
34 pub fn from_code(code: i32) -> Self {
35 Self {
36 code: Some(code),
37 signal: None,
38 }
39 }
40
41 /// Construct a signal-terminated exit.
42 pub fn from_signal(signal: i32) -> Self {
43 Self {
44 code: None,
45 signal: Some(signal),
46 }
47 }
48}
49
50/// How a spawn should treat the parent's environment. Mirrors the legacy
51/// `EnvMode` from `tools/proc.rs`.
52#[derive(Clone, Copy, Debug, PartialEq, Eq)]
53pub enum EnvMode {
54 /// Inherit the parent's environment, then apply `env` overrides.
55 InheritClean,
56 /// Clear the environment, then apply `env`.
57 Replace,
58 /// Inherit the parent's environment and apply `env` (default behaviour).
59 Patch,
60}
61
62/// Explicit secret-bearing environment variable names that the agent's
63/// `run`/`command_run` tool must never leak into a child process (and thus
64/// into the model context, since the child's stdout is returned to the
65/// model as the tool result). These are matched case-insensitively in
66/// addition to the suffix patterns in [`is_sensitive_env_name`].
67const EXPLICIT_SENSITIVE_ENV_NAMES: &[&str] = &[
68 "GITHUB_TOKEN",
69 "GH_TOKEN",
70 "HARN_CLOUD_API_KEY",
71 "BURIN_ADMIN_TOKEN",
72 "AWS_SECRET_ACCESS_KEY",
73 "AWS_SESSION_TOKEN",
74];
75
76/// Provider-namespace prefixes whose entire family of variables is treated
77/// as secret-bearing (e.g. `ANTHROPIC_API_KEY`, `OPENAI_ORG_ID`). Matched
78/// case-insensitively against the start of the variable name.
79const SENSITIVE_ENV_PREFIXES: &[&str] = &[
80 "ANTHROPIC_",
81 "OPENAI_",
82 "OPENROUTER_",
83 "FIREWORKS_",
84 "TOGETHER_",
85 "XAI_",
86 "GROQ_",
87];
88
89/// Returns `true` when an environment variable name looks like it carries a
90/// secret (provider API key, access token, OAuth client secret, etc.) and so
91/// must be stripped from a child process spawned by the agent's `run` tool.
92///
93/// The check is deliberately conservative about credentials but permissive
94/// about ordinary build/toolchain variables: `PATH`, `HOME`, `LANG`,
95/// `CARGO_HOME`, language toolchain vars, etc. are *not* sensitive and stay
96/// in the child environment so builds and tests still work.
97///
98/// Matching is case-insensitive and covers:
99/// - suffix patterns `_API_KEY`, `_TOKEN`, `_SECRET`, `_KEY`, `_PASSWORD`,
100/// `_PASSWD`, `_CREDENTIALS`;
101/// - the provider prefixes in [`SENSITIVE_ENV_PREFIXES`];
102/// - the explicit names in [`EXPLICIT_SENSITIVE_ENV_NAMES`].
103pub fn is_sensitive_env_name(name: &str) -> bool {
104 let upper = name.to_ascii_uppercase();
105 if EXPLICIT_SENSITIVE_ENV_NAMES.contains(&upper.as_str()) {
106 return true;
107 }
108 if SENSITIVE_ENV_PREFIXES
109 .iter()
110 .any(|prefix| upper.starts_with(prefix))
111 {
112 return true;
113 }
114 // Suffix patterns catch the long tail of provider/service credentials
115 // (`*_API_KEY`, `*_TOKEN`, `*_SECRET`, `*_KEY`, `*_PASSWORD`, `*_PASSWD`,
116 // `*_CREDENTIALS`) without enumerating every vendor. `_KEY` is the broadest;
117 // these suffixes still exclude benign names like `PATH`/`HOME`/`LANG` and
118 // `BUILD_KEYBOARD` that don't end in one of them.
119 upper.ends_with("_API_KEY")
120 || upper.ends_with("_TOKEN")
121 || upper.ends_with("_SECRET")
122 || upper.ends_with("_KEY")
123 || upper.ends_with("_PASSWORD")
124 || upper.ends_with("_PASSWD")
125 || upper.ends_with("_CREDENTIALS")
126}
127
128/// Parameters describing a single spawn. The spawner is responsible for any
129/// sandbox setup (Linux seccomp/landlock, macOS sandbox-exec, etc.) and for
130/// configuring the child's process group when requested.
131#[derive(Clone, Debug)]
132pub struct SpawnSpec {
133 /// Builtin name surfaced in error messages (e.g. `"hostlib_tools_run_command"`).
134 pub builtin: &'static str,
135 /// Program to execute. Must be non-empty (validated by the spawner).
136 pub program: String,
137 /// Arguments to pass to the program.
138 pub args: Vec<String>,
139 /// Working directory for the child. `None` inherits the parent's cwd.
140 pub cwd: Option<PathBuf>,
141 /// Environment overrides to apply (interpretation depends on `env_mode`).
142 pub env: BTreeMap<String, String>,
143 /// Variable names to strip from the inherited environment before `env`
144 /// overrides apply. A key present in both `env_remove` and `env` ends up
145 /// set (explicit overrides win). No effect under `EnvMode::Replace`,
146 /// which already starts from an empty environment.
147 pub env_remove: Vec<String>,
148 /// How to treat the parent's environment.
149 pub env_mode: EnvMode,
150 /// Whether stdin will be written to (`true`) or piped to /dev/null (`false`).
151 pub use_stdin: bool,
152 /// Set the child's process group to its own pid (`setpgid(0, 0)`). Used
153 /// for long-running handles so the kill-by-pgid path works.
154 pub configure_process_group: bool,
155 /// How stdout/stderr should be attached for this child.
156 pub output_capture: OutputCapture,
157}
158
159/// Child stdout/stderr attachment strategy for a spawned process.
160#[derive(Clone, Debug)]
161pub enum OutputCapture {
162 /// Capture stdout/stderr through pipes owned by the parent process.
163 Pipe,
164 /// Capture stdout/stderr through pre-created private files.
165 File {
166 /// Path attached to the child's stdout handle.
167 stdout_path: PathBuf,
168 /// Path attached to the child's stderr handle.
169 stderr_path: PathBuf,
170 },
171}
172
173/// Handle to a running (or finished) process. Used by both the synchronous
174/// `proc::run` path and the long-running waiter thread.
175///
176/// The trait is intentionally small: the legacy code already managed
177/// stdout/stderr drain on dedicated threads, and stdin is written once after
178/// spawn — wrapping those reads/writes via boxed trait objects keeps the
179/// real and mock paths uniform without forcing async into the rest of the
180/// hostlib.
181pub trait ProcessHandle: Send {
182 /// OS process id, when available.
183 fn pid(&self) -> Option<u32>;
184
185 /// OS process group id, when available. Falls back to [`Self::pid`] on
186 /// platforms that don't expose process groups.
187 fn process_group_id(&self) -> Option<u32>;
188
189 /// Returns a killer that can terminate the process even after the
190 /// stdout/stderr/wait halves have been moved into the waiter thread.
191 fn killer(&self) -> Arc<dyn ProcessKiller>;
192
193 /// Take ownership of the stdin pipe, if the spawn requested one.
194 fn take_stdin(&mut self) -> Option<Box<dyn Write + Send>>;
195
196 /// Take ownership of the stdout reader.
197 fn take_stdout(&mut self) -> Option<Box<dyn Read + Send>>;
198
199 /// Take ownership of the stderr reader.
200 fn take_stderr(&mut self) -> Option<Box<dyn Read + Send>>;
201
202 /// Wait for the process to exit, optionally with a timeout, while
203 /// polling `interrupt`. On timeout the spawner kills the child process
204 /// tree (SIGKILL, historical semantics) and reports
205 /// [`WaitOutcome::TimedOut`]. When `interrupt` returns `true` (scope
206 /// cancellation, `deadline` expiry — see `harn_vm::op_interrupt`) the
207 /// spawner gracefully terminates the child's process tree (SIGTERM,
208 /// then SIGKILL after `harn_vm::op_interrupt::SUBPROCESS_TERM_GRACE`)
209 /// and reports [`WaitOutcome::Interrupted`].
210 fn wait_with_timeout(
211 &mut self,
212 timeout: Option<Duration>,
213 interrupt: &dyn Fn() -> bool,
214 ) -> io::Result<WaitOutcome>;
215
216 /// Block until the process exits, no timeout, no interrupt polling.
217 /// Used by the background (`background: true`) waiter thread, whose
218 /// children deliberately outlive scope cancellation and deadlines.
219 fn wait(&mut self) -> io::Result<ExitStatus>;
220}
221
222/// How a [`ProcessHandle::wait_with_timeout`] ended.
223#[derive(Clone, Debug, PartialEq, Eq)]
224pub enum WaitOutcome {
225 /// The process exited on its own.
226 Exited(ExitStatus),
227 /// The timeout elapsed; the spawner killed the child process tree.
228 TimedOut(ProcessCleanupReport),
229 /// The interrupt callback fired; the spawner gracefully terminated the
230 /// child's process tree.
231 Interrupted(ProcessCleanupReport),
232}
233
234/// Kill side of a [`ProcessHandle`]. Cloneable via `Arc` so cancellation
235/// works after the waiter thread has taken ownership of the handle itself.
236pub trait ProcessKiller: Send + Sync {
237 /// Send SIGKILL to the process tree/group when applicable.
238 fn kill(&self) -> ProcessCleanupReport;
239}
240
241/// Spawner abstraction: produces [`ProcessHandle`] instances.
242pub trait ProcessSpawner: Send + Sync {
243 /// Spawn the configured process.
244 fn spawn(&self, spec: SpawnSpec) -> Result<Box<dyn ProcessHandle>, ProcessError>;
245}
246
247/// Errors raised by a spawner. These map onto `HostlibError::Backend` /
248/// `HostlibError::InvalidParameter` at the call site so the script-side
249/// surface stays unchanged.
250#[derive(Clone, Debug, thiserror::Error)]
251pub enum ProcessError {
252 /// `argv` was empty or otherwise malformed.
253 #[error("invalid argv: {0}")]
254 InvalidArgv(String),
255 /// Sandbox setup (e.g. landlock policy assembly) failed.
256 #[error("sandbox setup failed: {0}")]
257 SandboxSetup(String),
258 /// Sandbox rejected the supplied cwd.
259 #[error("sandbox cwd rejected: {0}")]
260 SandboxCwd(String),
261 /// Sandbox rejected the spawn at execve time.
262 #[error("sandbox rejected spawn: {0}")]
263 SandboxSpawn(String),
264 /// Generic spawn failure (typically io::Error from `Command::spawn`).
265 #[error("spawn failed: {0}")]
266 Spawn(String),
267 /// A never-approvable UNIVERSAL catastrophic command (machine/disk/data
268 /// destruction) was rejected by the floor BEFORE spawning. Enforced
269 /// unconditionally at [`spawn_process`] — no `command_policy` required —
270 /// so it is universal across every hostlib process tool, embedders, and
271 /// standalone Harn. See
272 /// [`harn_vm::orchestration::universal_catastrophic_reason`].
273 #[error("{0}")]
274 CatastrophicFloor(String),
275}
276
277use std::cell::RefCell;
278
279thread_local! {
280 static THREAD_SPAWNER: RefCell<Option<Arc<dyn ProcessSpawner>>> = const { RefCell::new(None) };
281}
282
283/// Install a per-thread spawner used by `spawn_process` from this thread.
284/// Returns a guard that restores the previous spawner on drop. Tests use
285/// this to install a [`super::mock::MockSpawner`]; production never calls
286/// it (the default real spawner runs whenever no per-thread spawner is
287/// installed).
288///
289/// Thread-local rather than global so parallel test execution is safe.
290/// Process-tool spawns happen on the test's thread; the long-running
291/// waiter threads operate on the handle that was already returned, so
292/// they don't perform spawner lookups themselves.
293pub fn install_spawner(spawner: Arc<dyn ProcessSpawner>) -> SpawnerGuard {
294 let prev = THREAD_SPAWNER.with(|slot| slot.replace(Some(spawner)));
295 SpawnerGuard { prev: Some(prev) }
296}
297
298/// Guard returned by [`install_spawner`]. Restores the previous spawner on
299/// drop so installs nest correctly across tests.
300pub struct SpawnerGuard {
301 // Outer Option distinguishes "guard already restored" (None) from
302 // "guard owes a restore" (Some(_)); inner Option carries the previous
303 // spawner slot value (which can itself be None when no spawner was set).
304 #[allow(clippy::option_option)]
305 prev: Option<Option<Arc<dyn ProcessSpawner>>>,
306}
307
308impl Drop for SpawnerGuard {
309 fn drop(&mut self) {
310 if let Some(prev) = self.prev.take() {
311 THREAD_SPAWNER.with(|slot| {
312 *slot.borrow_mut() = prev;
313 });
314 }
315 }
316}
317
318/// Return the currently installed spawner for this thread, falling back
319/// to the default real spawner.
320pub fn current_spawner() -> Arc<dyn ProcessSpawner> {
321 THREAD_SPAWNER
322 .with(|slot| slot.borrow().clone())
323 .unwrap_or_else(super::real::default_spawner)
324}
325
326/// Spawn a process via the currently installed spawner.
327///
328/// This is the single chokepoint every hostlib process tool funnels through
329/// (`run_command`, `run_test`, `run_build_command`, `manage_packages`, and the
330/// long-running background path). The UNIVERSAL catastrophic-command floor is
331/// enforced HERE, UNCONDITIONALLY — no `command_policy` on the stack is
332/// required — so a machine/disk/data-destroying command (`rm -rf /`, fork bomb,
333/// `mkfs`, `dd of=<device>`, `chmod -R 000`, `truncate -s 0` of a source file,
334/// redirect-over-source, project-root delete) and the textual git-destructive
335/// family (`git reset --hard`, `git clean -fd`, force-push) is rejected before
336/// the child is ever created, on standalone Harn and under every embedder
337/// alike. Structured git builtins remain the reviewed path for legitimate
338/// force-with-lease workflows. The spec's raw `program`/`args` are classified
339/// BEFORE any sandbox wrapper is applied, so a `sandbox-exec`/`bwrap` prefix
340/// can't bury the real command.
341pub fn spawn_process(spec: SpawnSpec) -> Result<Box<dyn ProcessHandle>, ProcessError> {
342 let workspace_roots: Vec<String> = spec
343 .cwd
344 .as_ref()
345 .map(|cwd| vec![cwd.display().to_string()])
346 .unwrap_or_default();
347 if let Some(reason) = harn_vm::orchestration::universal_catastrophic_reason(
348 &spec.program,
349 &spec.args,
350 &workspace_roots,
351 ) {
352 return Err(ProcessError::CatastrophicFloor(reason));
353 }
354 current_spawner().spawn(spec)
355}
356
357#[cfg(test)]
358mod tests {
359 use super::is_sensitive_env_name;
360
361 #[test]
362 fn denies_secret_bearing_names() {
363 // Suffix patterns.
364 assert!(is_sensitive_env_name("ANTHROPIC_API_KEY"));
365 assert!(is_sensitive_env_name("OPENAI_API_KEY"));
366 assert!(is_sensitive_env_name("SOME_VENDOR_TOKEN"));
367 assert!(is_sensitive_env_name("MY_CLIENT_SECRET"));
368 assert!(is_sensitive_env_name("RANDOM_KEY"));
369 assert!(is_sensitive_env_name("DOCKER_PASSWORD"));
370 assert!(is_sensitive_env_name("TWINE_PASSWORD"));
371 assert!(is_sensitive_env_name("DATABASE_PASSWORD"));
372 assert!(is_sensitive_env_name("MYSQL_PASSWD"));
373 assert!(is_sensitive_env_name("GCP_CREDENTIALS"));
374 // Explicit names.
375 assert!(is_sensitive_env_name("GITHUB_TOKEN"));
376 assert!(is_sensitive_env_name("GH_TOKEN"));
377 assert!(is_sensitive_env_name("HARN_CLOUD_API_KEY"));
378 assert!(is_sensitive_env_name("BURIN_ADMIN_TOKEN"));
379 assert!(is_sensitive_env_name("AWS_SECRET_ACCESS_KEY"));
380 assert!(is_sensitive_env_name("AWS_SESSION_TOKEN"));
381 // Provider prefixes (even without a key/token suffix).
382 assert!(is_sensitive_env_name("OPENROUTER_BASE_URL"));
383 assert!(is_sensitive_env_name("FIREWORKS_ACCOUNT"));
384 assert!(is_sensitive_env_name("TOGETHER_ORG"));
385 assert!(is_sensitive_env_name("XAI_REGION"));
386 assert!(is_sensitive_env_name("GROQ_PROJECT"));
387 }
388
389 #[test]
390 fn allows_benign_build_and_toolchain_names() {
391 assert!(!is_sensitive_env_name("PATH"));
392 assert!(!is_sensitive_env_name("HOME"));
393 assert!(!is_sensitive_env_name("CARGO_HOME"));
394 assert!(!is_sensitive_env_name("LANG"));
395 assert!(!is_sensitive_env_name("LC_ALL"));
396 assert!(!is_sensitive_env_name("TERM"));
397 assert!(!is_sensitive_env_name("USER"));
398 assert!(!is_sensitive_env_name("RUSTUP_HOME"));
399 assert!(!is_sensitive_env_name("CARGO_TARGET_DIR"));
400 assert!(!is_sensitive_env_name("SHELL"));
401 // `_KEY`/`_PASSWORD` suffixes match only at the end, so words that
402 // merely embed those substrings are not swept.
403 assert!(!is_sensitive_env_name("BUILD_KEYBOARD"));
404 assert!(!is_sensitive_env_name("PASSWORD_HASH_ROUNDS"));
405 // Bare names without an underscore-prefixed suffix are not caught,
406 // matching the existing convention (bare `TOKEN` is not swept either).
407 assert!(!is_sensitive_env_name("PASSWORD"));
408 assert!(!is_sensitive_env_name("TOKEN"));
409 }
410
411 #[test]
412 fn matches_case_insensitively() {
413 assert!(is_sensitive_env_name("anthropic_api_key"));
414 assert!(is_sensitive_env_name("github_token"));
415 assert!(!is_sensitive_env_name("path"));
416 }
417}