The executor allowlist (spec §5.1, invariant I15).
Injecting a high/prod secret into a child process is only a containment
boundary if the executable is outside the agent’s control — a process the
agent authored can read its own environment and print it (last-mile, §16).
So high/prod injection is restricted to a configured allowlist of
reviewed executables (e.g. a versioned ./deploy.sh, a Makefile target);
ad-hoc commands the agent improvises are not eligible.
Matching is on the resolved program path, canonicalized (symlinks and
relative components resolved) so ./deploy.sh, deploy.sh, and the absolute
path all compare equal when they name the same reviewed file.
Structs
- Allowlist
- A set of reviewed executable paths eligible to receive
high/prod injection. An empty allowlist refuses every high/prod command (fails safe); low/medium non-prod injection never consults it (§5.1).
Functions
- resolve_program
- Resolve program to the exact canonical path the allowlist matches against, so a caller can execute the same file it vetted (I15). The allowlist check canonicalizes (resolving symlinks and ..), but if the spawn used the raw, un-canonicalized path the OS would re-resolve it at exec time, letting an allowlisted symlink be repointed during the confirmation window (TOCTOU). Spawning this resolved path instead binds the decision to the execution. Falls back to the path as-given when it cannot be resolved (then the gate has already refused it, since it cannot match a real reviewed file).
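
The canonical-path matching and the resolve-then-spawn binding described above, as an added example (not this crate's own code). ReviewedSet, vet and demo are hypothetical names, the file names are constructed, and the symlink calls assume a Unix target.

```rust
use std::collections::HashSet;
use std::path::{Path, PathBuf};
use std::{env, fs, io, process};

/// Hypothetical stand-in for the crate's allowlist: canonical paths of reviewed files.
pub struct ReviewedSet(HashSet<PathBuf>);

impl ReviewedSet {
    /// Canonicalize entries at load time; an entry that does not resolve is an error.
    pub fn new(entries: &[&Path]) -> io::Result<Self> {
        entries.iter().map(|p| fs::canonicalize(p)).collect::<io::Result<HashSet<_>>>().map(Self)
    }

    /// Returns the canonical path to spawn when `program` names a reviewed file.
    /// An empty set matches nothing, so it refuses every command.
    pub fn vet(&self, program: &Path) -> Option<PathBuf> {
        let resolved = fs::canonicalize(program).ok()?;
        self.0.contains(&resolved).then_some(resolved)
    }
}

/// Constructed scenario. Returns [dotted path accepted, symlink accepted, improvised
/// refused, empty set refuses, repointed symlink refused, vetted path still reviewed].
pub fn demo() -> io::Result<[bool; 6]> {
    let dir = env::temp_dir().join(format!("allowlist-demo-{}", process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(dir.join("sub"))?;
    let (reviewed, improvised, link) =
        (dir.join("deploy.sh"), dir.join("improvised.sh"), dir.join("current.sh"));
    fs::write(&reviewed, "#!/bin/sh\n")?;
    fs::write(&improvised, "#!/bin/sh\n")?;
    std::os::unix::fs::symlink(&reviewed, &link)?;

    let set = ReviewedSet::new(&[reviewed.as_path()])?;
    let canonical = fs::canonicalize(&reviewed)?;
    let dotted = set.vet(&dir.join("sub/../deploy.sh")) == Some(canonical.clone());
    let vetted = set.vet(&link); // decision made here: spawn `vetted`, never `link`
    let empty = ReviewedSet::new(&[])?.vet(&reviewed).is_none();
    let refused = set.vet(&improvised).is_none();
    // The symlink is repointed during the confirmation window (TOCTOU).
    fs::remove_file(&link)?;
    std::os::unix::fs::symlink(&improvised, &link)?;
    let repointed_refused = set.vet(&link).is_none();
    let bound = vetted.as_deref() == Some(canonical.as_path());
    fs::remove_dir_all(&dir)?;
    Ok([dotted, vetted.is_some(), refused, empty, repointed_refused, bound])
}

fn main() { println!("{:?}", demo()); }
```

After the repoint, the raw symlink path leads to the unreviewed file, while the path returned by vet before the repoint still names the reviewed one.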