This repository was archived by the owner on May 4, 2026. It is now read-only.
TCK-00549: Bounded executor rewrite: replace bash bounded runner with Rust streaming executor (policy-driven env + caps) #707
Merged
…bounded executor

Remove SYSTEMD_SETENV_ALLOWLIST_EXACT and SYSTEMD_SETENV_ALLOWLIST_PREFIXES constants and the collect_inherited_setenv_pairs / is_allowlisted_setenv_key / build_systemd_setenv_pairs helper functions from bounded_test_runner.rs.

Replace with build_policy_setenv_pairs() which accepts pre-computed FacPolicyV1 environment from build_job_environment() and applies:
- MAX_SETENV_PAIRS (256) bound for command-line growth control
- Defense-in-depth RUSTC_WRAPPER/SCCACHE_* stripping (INV-ENV-008)
- Empty-value filtering
- BTreeMap deterministic ordering (INV-EXEC-005)

The build_bounded_test_command 4th parameter semantically changes from ad-hoc filtered extra_setenv to policy-driven env, preserving the &[(String, String)] type for caller compatibility. Both callers (gates.rs and evidence.rs) already pass policy-computed environments, so no call-site changes are needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
# apm2-review-verdict:v1
schema: apm2.review.verdict.v1
pr: 707
sha: 2211d7ea6253b7ca88923ec726916be8144544b2
updated_at: 2026-02-16T21:40:10Z
dimensions:
  code-quality:
    decision: approve
    reason: 'PASS: no blocker or major findings'
    set_by: ubuntu
    set_at: 2026-02-16T21:39:12Z
  security:
    decision: approve
    reason: 'PASS: Implements policy-driven environment filtering (TCK-00549) with defense-in-depth sccache stripping and resource limits. One MINOR finding regarding secret leakage via systemd-run args.'
    set_by: ubuntu
    set_at: 2026-02-16T21:40:10Z
findings:
  - finding_id: f-707-security-1771278004084037-0
    type: security
    severity: MINOR
    summary: Missing defense-in-depth against secret leakage via systemd-run args
    risk: systemd-run exposes --setenv arguments in the process list. Removing the hardcoded allowlist increases the risk that a permissive FacPolicyV1 could accidentally forward secrets (e.g. GITHUB_TOKEN) to the transient unit, leaking them to local users via /proc.
    impact: Secrets could be scraped from the process list during test execution.
    location: crates/apm2-cli/src/commands/fac_review/bounded_test_runner.rs
    body: Implement defense-in-depth filtering in build_policy_setenv_pairs to unconditionally strip keys matching standard secret patterns (*_TOKEN, *_KEY, *_SECRET, *_PASSWORD, *_CREDENTIAL), similar to the existing RUSTC_WRAPPER strip. Alternatively, migrate to using the EnvironmentFile property with systemd-run to avoid CLI argument leakage entirely.
    evidence_digest: 896d7f1a0fc1965e512fc8390bac93e4ce90497cb32a9040ebfc10ecadede53d
    evidence_pointer: none
    timestamp: 2026-02-16T21:40:04Z
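A sketch of the filtering the commit message lists, extended with the secret-suffix strip the security finding recommends. This is an added example, not code from this PR or the apm2 repository: `filter_setenv_pairs` and `is_stripped_key` are hypothetical names, and the case-insensitive match and the choice to fail closed when the bound is exceeded are assumptions.

```rust
use std::collections::BTreeMap;

/// Bound stated in the commit message.
const MAX_SETENV_PAIRS: usize = 256;
/// Suffix patterns listed in the review finding (*_TOKEN, *_KEY, ...).
const SECRET_SUFFIXES: [&str; 5] = ["_TOKEN", "_KEY", "_SECRET", "_PASSWORD", "_CREDENTIAL"];

/// True when a key must never appear in a `--setenv` argument.
/// Matching case-insensitively is an assumption of this example.
fn is_stripped_key(key: &str) -> bool {
    let upper = key.to_ascii_uppercase();
    upper == "RUSTC_WRAPPER"
        || upper.starts_with("SCCACHE_")
        || SECRET_SUFFIXES.iter().any(|s| upper.ends_with(s))
}

/// Hypothetical helper: turn a policy-computed environment into sorted,
/// bounded `--setenv` pairs. Failing closed on overflow is an assumption.
fn filter_setenv_pairs(policy_env: &[(String, String)]) -> Result<Vec<(String, String)>, String> {
    // BTreeMap gives deterministic key order and collapses duplicate keys.
    let mut kept: BTreeMap<String, String> = BTreeMap::new();
    for (key, value) in policy_env {
        if value.is_empty() || is_stripped_key(key) {
            continue;
        }
        kept.insert(key.clone(), value.clone());
    }
    if kept.len() > MAX_SETENV_PAIRS {
        return Err(format!("{} setenv pairs exceed limit {}", kept.len(), MAX_SETENV_PAIRS));
    }
    Ok(kept.into_iter().collect())
}

fn main() {
    // Constructed sample environment, not taken from the PR.
    let env: Vec<(String, String)> = [
        ("PATH", "/usr/bin"),
        ("GITHUB_TOKEN", "constructed-placeholder"),
        ("SCCACHE_DIR", "/tmp/sccache"),
        ("RUSTC_WRAPPER", "sccache"),
        ("CARGO_HOME", "/home/ci/.cargo"),
        ("EMPTY", ""),
    ]
    .iter()
    .map(|(k, v)| (k.to_string(), v.to_string()))
    .collect();
    for (k, v) in filter_setenv_pairs(&env).unwrap() {
        println!("--setenv {k}={v}");
    }
}
```

A suffix strip only narrows the exposure; values that do pass the filter are still visible in the process list, which is why the finding also names the EnvironmentFile route.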
FAC Gate Status