fix(jail-bootstrap): pin pkgs to host versions + validate inputs #97

Merged
clawdie merged 1 commit from fix/agent-jail-bootstrap-harden into main 2026-06-20 08:08:17 +02:00
Owner

What

Hardens packaging/freebsd/agent-jail-bootstrap.sh (added in #96) per review.

Changes

  1. Pin packages to the host's exact version. Instead of pkg install python312 node24 … (which pins only the major), query the host's installed version (pkg query '%v' <name>) and install that exact name-version into the jail from the host's mounted cache. The comment "versions pinned to match host" is now true. If the host lacks a package, fail loudly rather than pulling a different version into the jail.
  2. Input validation (path-trust). set -eu; reject empty/odd jail_name (allow [A-Za-z0-9_-] only) so it can't escape /usr/local/bastille/jails/<name>/root; assert the jail root exists before touching it. (Sibling to the canonicalization concern in #92.)
  3. Guard host sources. Every copied binary / npm module is checked for existence first, so a missing source fails clearly instead of producing a half-bootstrapped jail.

Relies on

The existing host pkg-cache reachability from the jail (offline pkg -c install) — unchanged.

Notes for follow-up (not in this PR)

  • npm-node24 vs npm: the canonical clawdie-iso/packages/pkg-list-jails.txt uses npm (+ node24); this script keeps npm-node24. The version-pin + loud-fail surfaces a wrong name immediately, but the two lists should be reconciled.
  • Agent-jail package set isn't in pkg-list-jails.txt (no python312 there). Worth adding an agent-jail section to that canonical list so the set has one source of truth.

Tests

sh -n clean (FreeBSD pkg paths can't be exercised off-host).

🤖 Generated with Claude Code

clawdie added 1 commit 2026-06-20 08:04:31 +02:00
fix(jail-bootstrap): pin pkgs to host versions + validate inputs
Some checks failed
CI / rust (pull_request) Has been cancelled
CI / markdown (pull_request) Has been cancelled
9aaa1c4705
Tighten agent-jail-bootstrap.sh per review of #96:
- pin each package to the host's EXACT installed version (pkg query '%v' ->
  install name-version from the host's mounted cache); fail loudly if the host
  lacks it, instead of pulling a different version into the jail
- set -eu; validate jail name ([A-Za-z0-9_-], non-empty) so it can't escape the
  bastille jails root; assert the jail root exists before touching it
- guard every host source (binaries, npm modules) so a missing source fails
  clearly rather than producing a half-bootstrapped jail

Relies on the existing host pkg-cache reachability from the jail (offline install).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
clawdie merged commit 8933623fda into main 2026-06-20 08:08:17 +02:00
Reference: clawdie/colibri#97