diff --git a/.gitattributes b/.gitattributes index 79e7af9c..78b56857 100644 --- a/.gitattributes +++ b/.gitattributes @@ -7,4 +7,4 @@ python/openshell/_proto/*_pb2_grpc.py linguist-generated python/openshell/_proto/*_pb2.pyi linguist-generated # Generated Rust protobuf code (excludes hand-written mod.rs) -crates/navigator-core/src/proto/navigator.*.rs linguist-generated +crates/openshell-core/src/proto/openshell.*.rs linguist-generated diff --git a/architecture/sandbox-providers.md b/architecture/sandbox-providers.md index d5ca1985..dca36c59 100644 --- a/architecture/sandbox-providers.md +++ b/architecture/sandbox-providers.md @@ -274,7 +274,7 @@ for (key, value) in provider_env { This uses `tokio::process::Command`. The `.env()` call adds each variable to the child's inherited environment without clearing it. The spawn path also explicitly removes -`NEMOCLAW_SSH_HANDSHAKE_SECRET` so the handshake secret does not leak into the agent +`OPENSHELL_SSH_HANDSHAKE_SECRET` so the handshake secret does not leak into the agent entrypoint process. After provider env vars, proxy env vars (`HTTP_PROXY`, `HTTPS_PROXY`, `ALL_PROXY`, @@ -370,7 +370,7 @@ Providers are stored with `object_type = "provider"` in the shared object store. provider store and are fetched at runtime by the sandbox supervisor. - Child processes never receive the raw provider secret values; they only receive placeholders, and the supervisor resolves those placeholders during outbound proxying. -- `NEMOCLAW_SSH_HANDSHAKE_SECRET` is required by the supervisor/SSH server path but is +- `OPENSHELL_SSH_HANDSHAKE_SECRET` is required by the supervisor/SSH server path but is explicitly kept out of spawned sandbox child-process environments. ## Test Strategy diff --git a/crates/openshell-sandbox/src/process.rs b/crates/openshell-sandbox/src/process.rs index 635bcbcf..cb10b8ca 100644 --- a/crates/openshell-sandbox/src/process.rs +++ b/crates/openshell-sandbox/src/process.rs @@ -22,7 +22,7 @@ use std::process::Stdio; use tokio::process::{Child, Command}; use tracing::{debug, warn}; -const SSH_HANDSHAKE_SECRET_ENV: &str = "NEMOCLAW_SSH_HANDSHAKE_SECRET"; +const SSH_HANDSHAKE_SECRET_ENV: &str = "OPENSHELL_SSH_HANDSHAKE_SECRET"; fn inject_provider_env(cmd: &mut Command, provider_env: &HashMap) { for (key, value) in provider_env { diff --git a/crates/openshell-sandbox/src/ssh.rs b/crates/openshell-sandbox/src/ssh.rs index 619fa6a0..5c4ef862 100644 --- a/crates/openshell-sandbox/src/ssh.rs +++ b/crates/openshell-sandbox/src/ssh.rs @@ -30,7 +30,7 @@ use tracing::{info, warn}; const PREFACE_MAGIC: &str = "NSSH1"; #[cfg(test)] -const SSH_HANDSHAKE_SECRET_ENV: &str = "NEMOCLAW_SSH_HANDSHAKE_SECRET"; +const SSH_HANDSHAKE_SECRET_ENV: &str = "OPENSHELL_SSH_HANDSHAKE_SECRET"; /// A time-bounded set of nonces used to detect replayed NSSH1 handshakes. /// Each entry records the `Instant` it was inserted; a background reaper task diff --git a/e2e/python/test_sandbox_providers.py b/e2e/python/test_sandbox_providers.py index b16df758..899b6e46 100644 --- a/e2e/python/test_sandbox_providers.py +++ b/e2e/python/test_sandbox_providers.py @@ -194,7 +194,7 @@ def test_ssh_handshake_secret_not_visible_in_exec_environment( def read_handshake_secret() -> str: import os - return os.environ.get("NEMOCLAW_SSH_HANDSHAKE_SECRET", "NOT_SET") + return os.environ.get("OPENSHELL_SSH_HANDSHAKE_SECRET", "NOT_SET") with sandbox(delete_on_exit=True) as sb: result = sb.exec_python(read_handshake_secret)