Add AST-based security middleware and enforcement wiring

2026-02-23 14:21:22 -05:00
parent 9b4216dda9
commit ef2a25b5fb
28 changed files with 1936 additions and 37 deletions
--- a/.env.example
+++ b/.env.example
@@ -31,3 +31,13 @@ AGENT_PORT_BLOCK_COUNT=512
 AGENT_PORT_PRIMARY_OFFSET=0
 AGENT_PORT_LOCK_DIR=.ai_ops/locks/ports
 AGENT_DISCOVERY_FILE_RELATIVE_PATH=.agent-context/resources.json
+
+# Security middleware
+AGENT_SECURITY_VIOLATION_MODE=hard_abort
+AGENT_SECURITY_ALLOWED_BINARIES=git,npm,node,cat,ls,pwd,echo,bash,sh
+AGENT_SECURITY_COMMAND_TIMEOUT_MS=120000
+AGENT_SECURITY_AUDIT_LOG_PATH=.ai_ops/security/command-audit.ndjson
+AGENT_SECURITY_ENV_INHERIT=PATH,HOME,TMPDIR,TMP,TEMP,LANG,LC_ALL
+AGENT_SECURITY_ENV_SCRUB=
+AGENT_SECURITY_DROP_UID=
+AGENT_SECURITY_DROP_GID=