potiuk opened a new pull request, #591:
URL: https://github.com/apache/magpie/pull/591

   ## What
   
   Add a `sandbox.credentials.envVars` block to the dogfooded
   `.claude/settings.json` (and its annotated copy in
   `docs/setup/secure-agent-setup.md`), denying a set of secret environment
   variables to **sandboxed** commands. Uses the `sandbox.credentials` setting
   added in claude-code **2.1.187**.
   
   Vars denied (`mode: "deny"`): `ANTHROPIC_API_KEY`, `ANTHROPIC_AUTH_TOKEN`,
   `CLAUDE_CODE_OAUTH_TOKEN`, `GH_TOKEN`, `GITHUB_TOKEN`, `AWS_ACCESS_KEY_ID`,
   `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `NPM_TOKEN`, `TWINE_PASSWORD`.
   
   ## Why
   
   `sandbox.filesystem.denyRead` and the `permissions.deny[Read(...)]` rules are
   **filesystem-only** — nothing currently stops a sandboxed Bash command from
   reading `$ANTHROPIC_API_KEY` or dumping `env`. `sandbox.credentials.envVars`
   is the only layer that covers environment variables, so this closes a real
   exfiltration gap for a prompt-injection-driven command.
   
   `mode: "deny"` unsets the variable for **sandboxed commands only**: the
   unsandboxed agent process keeps its own auth, and sandbox-bypassed commands
   (e.g. `gh`, which authenticates via `~/.config/gh`) are unaffected. Verified
   the exact schema against the shipped 2.1.193 binary — `credentials` takes
   `files[]` (`{path, mode}`) and `envVars[]` (`{name, mode: "deny"|"mask",
   injectHosts?}`). Credential **files** are already covered by
   `denyRead: ["~/"]`, so only `envVars` is added here. (`mask` + `injectHosts`
   is the keep-usable-for-named-hosts alternative — not needed for these.)
   
   Config + docs only; no skill/tool/mode behaviour change.
   
   ## Note for reviewers
   
   Requires claude-code ≥ 2.1.187 to take effect; older runtimes ignore the
   unknown key. Pairs naturally with the pending pin bump to 2.1.193
   (`chore/bump-claude-code-2.1.193`).
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
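A small lint that checks a settings file against the deny list described in the PR above, as an added example (my code, not the PR's diff and not any claude-code tooling). The JSON shape follows the `envVars[]` schema the PR description reports (`{name, mode: "deny"|"mask", injectHosts?}`); the sample settings excerpt is constructed, and treating `injectHosts` on a `deny` entry as a problem is an assumption of this script.

```python
"""Lint a Claude Code settings.json for sandbox.credentials.envVars coverage.

Hypothetical helper, not part of apache/magpie or claude-code. It checks that
every secret-bearing variable on a required list is denied for sandboxed
commands, and that each entry matches the schema the PR description reports:
    envVars[] = {name, mode: "deny"|"mask", injectHosts?}
"""
import json

# Variables the PR denies; treated here as the minimum required deny set.
REQUIRED_DENY = [
    "ANTHROPIC_API_KEY", "ANTHROPIC_AUTH_TOKEN", "CLAUDE_CODE_OAUTH_TOKEN",
    "GH_TOKEN", "GITHUB_TOKEN", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
    "AWS_SESSION_TOKEN", "NPM_TOKEN", "TWINE_PASSWORD",
]

VALID_MODES = {"deny", "mask"}

# Constructed settings.json excerpt in the shape the PR describes (assumed,
# not the repository's actual file): every required var denied for sandboxed
# commands, next to the filesystem rule the PR says already covers files.
SAMPLE_SETTINGS = json.dumps({
    "sandbox": {
        "filesystem": {"denyRead": ["~/"]},
        "credentials": {
            "envVars": [{"name": n, "mode": "deny"} for n in REQUIRED_DENY],
        },
    }
})

# Constructed counter-example: a typo'd mode and injectHosts on a deny entry.
BAD_SETTINGS = json.dumps({
    "sandbox": {
        "credentials": {
            "envVars": [
                {"name": "GH_TOKEN", "mode": "block"},
                {"name": "GITHUB_TOKEN", "mode": "deny",
                 "injectHosts": ["api.github.com"]},
            ],
        },
    }
})


def lint_env_vars(settings_text, required=REQUIRED_DENY):
    """Return (missing, problems).

    missing:  required variable names with no deny entry (a mask entry does
              not count, because it keeps the secret usable for injectHosts).
    problems: entries that do not match the reported schema.
    """
    settings = json.loads(settings_text)
    entries = (settings.get("sandbox", {})
               .get("credentials", {})
               .get("envVars", []))
    problems = []
    denied = set()
    for i, entry in enumerate(entries):
        name = entry.get("name")
        mode = entry.get("mode")
        if not isinstance(name, str) or not name:
            problems.append(f"envVars[{i}]: missing name")
            continue
        if mode not in VALID_MODES:
            problems.append(
                f"envVars[{i}] ({name}): mode must be deny|mask, got {mode!r}")
            continue
        # Assumption: injectHosts is the mask-mode allow list, so it is
        # meaningless (and probably a mistake) on a deny entry.
        if "injectHosts" in entry and mode != "mask":
            problems.append(
                f"envVars[{i}] ({name}): injectHosts only applies to mode mask")
        if mode == "deny":
            denied.add(name)
    missing = [n for n in required if n not in denied]
    return missing, problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SETTINGS), ("bad", BAD_SETTINGS)):
        missing, problems = lint_env_vars(text)
        print(f"{label}: missing={missing} problems={problems}")
```

Running it against the real file is just `lint_env_vars(open(".claude/settings.json").read())`; a non-empty `missing` list means a sandboxed command could still read that variable, since, as the PR notes, the filesystem deny rules do not cover the environment.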