The executor allowlist (spec §5.1, invariant I15).
Injecting a high/prod secret into a child process is only a containment
boundary if the executable is outside the agent’s control — a process the
agent authored can read its own environment and print it (last-mile, §16).
So high/prod injection is restricted to a configured allowlist of
reviewed executables (e.g. a versioned ./deploy.sh, a Makefile target);
ad-hoc commands the agent improvises are not eligible.
Matching is on the resolved program path, canonicalized (symlinks and
relative components resolved) so ./deploy.sh, deploy.sh, and the absolute
path all compare equal when they name the same reviewed file.
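
An added example (not this crate's own code) of the canonicalize-then-compare matching described above. The `ReviewedSet` type, the `demo` helper and the file names in the temporary directory are hypothetical and constructed for illustration; the symlink call assumes a Unix host.

```rust
use std::collections::HashSet;
use std::path::{Path, PathBuf};
use std::{env, fs, io, process};

/// Hypothetical stand-in for the allowlist described above (not the crate's own type).
pub struct ReviewedSet(HashSet<PathBuf>);

impl ReviewedSet {
    /// Canonicalize every reviewed entry once, when the configuration is loaded.
    pub fn new(entries: &[PathBuf]) -> io::Result<Self> {
        let set: io::Result<HashSet<PathBuf>> =
            entries.iter().map(|p| fs::canonicalize(p)).collect();
        set.map(ReviewedSet)
    }

    /// True only if `program` resolves to a reviewed file. An empty set, a
    /// missing file or an unresolvable path all refuse (fail safe).
    pub fn permits(&self, program: &Path) -> bool {
        fs::canonicalize(program).map_or(false, |real| self.0.contains(&real))
    }
}

/// Builds a constructed sandbox directory and returns the decision for each spelling.
pub fn demo() -> io::Result<[bool; 6]> {
    let root = env::temp_dir().join(format!("allowlist-demo-{}", process::id()));
    let _ = fs::remove_dir_all(&root);
    fs::create_dir_all(root.join("bin"))?;
    let deploy = root.join("deploy.sh");
    fs::write(&deploy, "#!/bin/sh\n")?; // the reviewed executable
    fs::write(root.join("adhoc.sh"), "#!/bin/sh\nenv\n")?; // agent-authored script
    std::os::unix::fs::symlink(&deploy, root.join("bin/alias"))?; // Unix only

    let list = ReviewedSet::new(&[deploy.clone()])?;
    let empty = ReviewedSet::new(&[])?;
    let out = [
        list.permits(&deploy),                        // absolute path
        list.permits(&root.join("bin/../deploy.sh")), // relative components
        list.permits(&root.join("bin/alias")),        // symlink to the reviewed file
        list.permits(&root.join("adhoc.sh")),         // exists but was never reviewed
        list.permits(&root.join("missing.sh")),       // does not exist
        empty.permits(&deploy),                       // empty allowlist refuses all
    ];
    fs::remove_dir_all(&root)?;
    Ok(out)
}

fn main() -> io::Result<()> {
    println!("{:?}", demo()?);
    Ok(())
}
```

Path comparison only holds as a boundary when the agent cannot write to the reviewed file or its parent directories, since the file could otherwise be swapped between the check and the exec.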
Structs
- Allowlist
- A set of reviewed executable paths eligible to receive high/prod injection. An empty allowlist refuses every high/prod command (fails safe); low/medium non-prod injection never consults it (§5.1).