clawdie/colibri
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 23

feat(spawner): JailConfig + jail_wrap for jailed agent spawn #35

Merged
clawdie merged 1 commit from feat/spawner-jail-confinement into main 2026-06-13 19:40:38 +02:00
Conversation 0 Commits 1 Files changed 1 +304 -4
clawdie commented 2026-06-13 19:40:19 +02:00
Owner
Copy link

Implements the spawner half of docs/COLIBRI-JAILED-AGENT-SPAWN-DESIGN.md so
Colibri can confine a spawned agent (e.g. pi) in a FreeBSD jail. zot untouched.

  • PrivMode {Mdo, Helper, None}: how the (unprivileged) daemon gets the root that
    jail attach/create needs. Resolved from COLIBRI_JAIL_PRIV_MODE (default mdo —
    the live-USB posture); deployed hosts set helper. Only consulted when a spawn
    requests a jail.
  • JailConfig {name, path, ip4, user}: name enters a persistent jail (jexec,
    precedence); path makes an ephemeral jail -c command= that self-cleans on
    exit. Neither set = no-op. (Refines the design's ephemeral flag into the
    clearer name-vs-path choice.)
  • jail_wrap(): pure (binary,args)->(program,argv) wrapper. No-op without a jail.
    jexec runs without -l so injected COLIBRI_*/provider env is inherited; stdio
    flows through mdo/jexec/jail so glasspane ingestion is unchanged.
  • AgentSpawnConfig gains jail: Option<JailConfig> (#[serde(default)]); spawn()
    resolves PrivMode/helper once and routes the command through jail_wrap.
  • kill(): documented jail teardown semantics + the in-jail process-group reaping
    follow-up.
  • 7 jail_wrap unit tests. Full daemon lib suite (58) green; clippy -D warnings clean.

Not wired through the SpawnAgent socket command yet (it builds AgentSpawnConfig
with jail=None) — that protocol field is the next small step.

Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com

Implements the spawner half of docs/COLIBRI-JAILED-AGENT-SPAWN-DESIGN.md so Colibri can confine a spawned agent (e.g. pi) in a FreeBSD jail. zot untouched. - PrivMode {Mdo, Helper, None}: how the (unprivileged) daemon gets the root that jail attach/create needs. Resolved from COLIBRI_JAIL_PRIV_MODE (default mdo — the live-USB posture); deployed hosts set helper. Only consulted when a spawn requests a jail. - JailConfig {name, path, ip4, user}: `name` enters a persistent jail (jexec, precedence); `path` makes an ephemeral `jail -c command=` that self-cleans on exit. Neither set = no-op. (Refines the design's `ephemeral` flag into the clearer name-vs-path choice.) - jail_wrap(): pure (binary,args)->(program,argv) wrapper. No-op without a jail. jexec runs without -l so injected COLIBRI_*/provider env is inherited; stdio flows through mdo/jexec/jail so glasspane ingestion is unchanged. - AgentSpawnConfig gains `jail: Option<JailConfig>` (#[serde(default)]); spawn() resolves PrivMode/helper once and routes the command through jail_wrap. - kill(): documented jail teardown semantics + the in-jail process-group reaping follow-up. - 7 jail_wrap unit tests. Full daemon lib suite (58) green; clippy -D warnings clean. Not wired through the SpawnAgent socket command yet (it builds AgentSpawnConfig with jail=None) — that protocol field is the next small step. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
clawdie added 1 commit 2026-06-13 19:40:24 +02:00
feat(spawner): JailConfig + jail_wrap for jailed agent spawn
Some checks failed
CI / rust (pull_request) Has been cancelled
Details
CI / markdown (pull_request) Has been cancelled
Details
66cbc76a5b 
Implements the spawner half of docs/COLIBRI-JAILED-AGENT-SPAWN-DESIGN.md so
Colibri can confine a spawned agent (e.g. pi) in a FreeBSD jail. zot untouched.

- PrivMode {Mdo, Helper, None}: how the (unprivileged) daemon gets the root that
  jail attach/create needs. Resolved from COLIBRI_JAIL_PRIV_MODE (default mdo —
  the live-USB posture); deployed hosts set helper. Only consulted when a spawn
  requests a jail.
- JailConfig {name, path, ip4, user}: `name` enters a persistent jail (jexec,
  precedence); `path` makes an ephemeral `jail -c command=` that self-cleans on
  exit. Neither set = no-op. (Refines the design's `ephemeral` flag into the
  clearer name-vs-path choice.)
- jail_wrap(): pure (binary,args)->(program,argv) wrapper. No-op without a jail.
  jexec runs without -l so injected COLIBRI_*/provider env is inherited; stdio
  flows through mdo/jexec/jail so glasspane ingestion is unchanged.
- AgentSpawnConfig gains `jail: Option<JailConfig>` (#[serde(default)]); spawn()
  resolves PrivMode/helper once and routes the command through jail_wrap.
- kill(): documented jail teardown semantics + the in-jail process-group reaping
  follow-up.
- 7 jail_wrap unit tests. Full daemon lib suite (58) green; clippy -D warnings clean.

Not wired through the SpawnAgent socket command yet (it builds AgentSpawnConfig
with jail=None) — that protocol field is the next small step.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
clawdie merged commit abc9174caf into main 2026-06-13 19:40:38 +02:00
clawdie deleted branch feat/spawner-jail-confinement 2026-06-13 19:40:39 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
first-proof blocker

gates the first proven end-to-end

  
hardening

security/robustness follow-up, not a first-proof gate

No labels
first-proof blocker
hardening
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: clawdie/colibri#35
No description provided.
Delete branch "feat/spawner-jail-confinement"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?