fix: use granular workspace mounting instead of entire HOME directory

containers/agent/one-shot-token/one-shot-token.c

@@ -290,6 +290,8 @@ char *getenv(const char *name) {
     } else {
         /* Already accessed - return cached value */
         result = token_cache[token_idx];
+        fprintf(stderr, "[one-shot-token] Token %s accessed (cached value: %s)\n", 
+                name, format_token_value(result));
     }
 
     pthread_mutex_unlock(&token_mutex);
@@ -318,16 +320,22 @@ char *secure_getenv(const char *name) {
         return getenv(name);
     }
 
+    /* Initialize token list on first call (thread-safe) */
+    pthread_mutex_lock(&token_mutex);
+    if (!tokens_initialized) {
+        init_token_list();
+    }
+
+    /* Get token index while holding mutex to avoid race with initialization */
     int token_idx = get_token_index(name);
 
-    /* Not a sensitive token - pass through to real secure_getenv */
+    /* Not a sensitive token - release mutex and pass through to real secure_getenv */
     if (token_idx < 0) {
+        pthread_mutex_unlock(&token_mutex);
         return real_secure_getenv(name);
     }
 
-    /* Sensitive token - handle cached access with secure_getenv semantics */
-    pthread_mutex_lock(&token_mutex);
-
+    /* Sensitive token - handle cached access with secure_getenv semantics (mutex already held) */
     char *result = NULL;
 
     if (!token_accessed[token_idx]) {
@@ -354,6 +362,8 @@ char *secure_getenv(const char *name) {
     } else {
         /* Already accessed - return cached value */
         result = token_cache[token_idx];
+        fprintf(stderr, "[one-shot-token] Token %s accessed (cached value: %s) (via secure_getenv)\n", 
+                name, format_token_value(result));
     }
 
     pthread_mutex_unlock(&token_mutex);

docs/selective-mounting.md

@@ -2,7 +2,23 @@
 
 ## Overview
 
-AWF implements **selective mounting** to protect against credential exfiltration via prompt injection attacks. Instead of mounting the entire host filesystem (`/:/host:rw`), only essential directories are mounted, and sensitive credential files are explicitly hidden.
+AWF implements **granular selective mounting** to protect against credential exfiltration via prompt injection attacks. Instead of mounting the entire host filesystem or home directory, only the workspace directory and essential paths are mounted, and sensitive credential files are explicitly hidden.
+
+## Security Fix (v0.14.1)
+
+**Previous Vulnerability**: The initial selective mounting implementation (v0.13.0-v0.14.0) mounted the entire `$HOME` directory and attempted to hide credentials using `/dev/null` overlays. This approach had critical flaws:
+- Overlays only work if the credential file exists on the host
+- Non-standard credential locations were not protected
+- Any new credential files would be accessible by default
+- Subdirectories with credentials (e.g., `~/.config/hub/config`) were fully accessible
+
+**Fixed Implementation**: As of v0.14.1, AWF uses **granular mounting**:
+- Mount **only** the workspace directory (`$GITHUB_WORKSPACE` or current working directory)
+- Mount `~/.copilot/logs` separately for Copilot CLI logging
+- Apply `/dev/null` overlays as defense-in-depth
+- Never mount the entire `$HOME` directory
+
+This eliminates the root cause by ensuring credential files in `$HOME` are never mounted at all.
 
 ## Threat Model: Prompt Injection Attacks
 
@@ -65,17 +81,16 @@ The agent's legitimate tools (Read, Bash) become attack vectors when credentials
 // Essential directories only
 const agentVolumes = [
   '/tmp:/tmp:rw',                                    // Temporary files
-  `${HOME}:${HOME}:rw`,                             // User home (includes workspace)
+  `${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw`,     // Workspace directory only (not entire HOME)
   `${workDir}/agent-logs:${HOME}/.copilot/logs:rw`, // Copilot CLI logs
 ];
-// Note: $GITHUB_WORKSPACE is typically a subdirectory of $HOME
-// (e.g., /home/runner/work/repo/repo), so it's accessible via the HOME mount.
+// Note: $HOME itself is NOT mounted, preventing access to ~/.docker/, ~/.npmrc, ~/.config/gh/, etc.
 ```
 
-**What gets hidden:**
+**What gets hidden (defense-in-depth):**
 
 ```typescript
-// Credential files are mounted as /dev/null (empty file)
+// Credential files are mounted as /dev/null (empty file) as an additional security layer
 const hiddenCredentials = [
   '/dev/null:~/.docker/config.json:ro',           // Docker Hub tokens
   '/dev/null:~/.npmrc:ro',                        // NPM tokens
@@ -94,7 +109,9 @@ const hiddenCredentials = [
 ];
 ```
 
-**Result:** Even if an attacker successfully injects a command like `cat ~/.docker/config.json`, the file will be empty (reads from `/dev/null`).
+**Primary security mechanism**: Credential files are never mounted because `$HOME` is not mounted. The `/dev/null` overlays provide defense-in-depth in case a credential file somehow exists in the workspace directory.
+
+**Result:** Commands like `cat ~/.docker/config.json` will fail with "No such file or directory" because the home directory is not mounted.
 
 ### Chroot Mode (with --enable-chroot)
 
@@ -112,7 +129,7 @@ const chrootVolumes = [
   '/sys:/host/sys:ro',                        // System information
   '/dev:/host/dev:ro',                        // Device nodes
   '/tmp:/host/tmp:rw',                        // Temporary files
-  `${HOME}:/host${HOME}:rw`,                  // User home at /host path
+  `${GITHUB_WORKSPACE}:/host${GITHUB_WORKSPACE}:rw`,  // Workspace only (not entire HOME)
 
   // Minimal /etc (no /etc/shadow)
   '/etc/ssl:/host/etc/ssl:ro',
@@ -121,12 +138,13 @@ const chrootVolumes = [
   '/etc/passwd:/host/etc/passwd:ro',
   '/etc/group:/host/etc/group:ro',
 ];
+// Note: $HOME itself is NOT mounted, preventing access to credential directories
 ```
 
 **What gets hidden:**
 
 ```typescript
-// Same credentials, but at /host paths
+// Same credentials, but at /host paths (defense-in-depth)
 const chrootHiddenCredentials = [
   '/dev/null:/host/home/runner/.docker/config.json:ro',
   '/dev/null:/host/home/runner/.npmrc:ro',
@@ -148,6 +166,7 @@ const chrootHiddenCredentials = [
 **Additional security:**
 - Docker socket hidden: `/dev/null:/host/var/run/docker.sock:ro`
 - Prevents `docker run` firewall bypass
+- Primary security: `$HOME` is not mounted at `/host` path
 
 ## Usage Examples
 
@@ -190,48 +209,72 @@ sudo awf --allow-full-filesystem-access --allow-domains github.com -- my-command
 
 ## Comparison: Before vs After
 
-### Before (Blanket Mount)
+### Before Fix (v0.13.0-v0.14.0 - Vulnerable)
 
 ```yaml
 # docker-compose.yml
 services:
   agent:
     volumes:
-      - /:/host:rw  # ❌ Everything exposed
+      - /home/runner:/home/runner:rw  # ❌ Entire HOME exposed
+      - /dev/null:/home/runner/.docker/config.json:ro  # Attempted to hide with overlay
 ```
 
-**Attack succeeds:**
+**Attack succeeded:**
 ```bash
 # Inside agent container
-$ cat ~/.docker/config.json
-{
-    "auths": {
-        "https://index.docker.io/v1/": {
-            "auth": "Z2l0aHViYWN0aW9uczozZDY0NzJiOS0zZDQ5LTRkMTctOWZjOS05MGQyNDI1ODA0M2I="
-        }
-    }
-}
-# ❌ Credentials exposed!
+$ cat ~/.config/hub/config  # Non-standard location, not in hardcoded overlay list
+oauth_token: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+# ❌ Credentials exposed! (file in HOME but not overlaid)
+
+$ ls ~/.docker/
+config.json  # exists but empty (overlaid)
+$ cat ~/.npmrc
+# (empty - overlaid)
+$ cat ~/.config/gh/hosts.yml
+# (empty - overlaid)
+
+# But other locations are accessible:
+$ cat ~/.netrc
+machine github.com
+  login my-username
+  password my-personal-access-token
+# ❌ Credentials exposed! (not in hardcoded overlay list)
 ```
 
-### After (Selective Mount)
+### After Fix (v0.14.1+ - Secure)
 
 ```yaml
 # docker-compose.yml
 services:
   agent:
     volumes:
-      - /tmp:/tmp:rw
-      - /home/runner:/home/runner:rw
-      - /dev/null:/home/runner/.docker/config.json:ro  # ✓ Hidden
+      - /home/runner/work/repo/repo:/home/runner/work/repo/repo:rw  # ✓ Only workspace
+      - /dev/null:/home/runner/.docker/config.json:ro  # Defense-in-depth
 ```
 
 **Attack fails:**
 ```bash
 # Inside agent container
 $ cat ~/.docker/config.json
-# (empty file - reads from /dev/null)
-# ✓ Credentials protected!
+cat: /home/runner/.docker/config.json: No such file or directory
+# ✓ Credentials protected! ($HOME not mounted)
+
+$ cat ~/.config/hub/config
+cat: /home/runner/.config/hub/config: No such file or directory
+# ✓ Credentials protected! ($HOME not mounted)
+
+$ cat ~/.npmrc
+cat: /home/runner/.npmrc: No such file or directory
+# ✓ Credentials protected! ($HOME not mounted)
+
+$ cat ~/.netrc
+cat: /home/runner/.netrc: No such file or directory
+# ✓ Credentials protected! ($HOME not mounted)
+
+$ ls ~/
+ls: cannot access '/home/runner/': No such file or directory
+# ✓ HOME directory not mounted at all!
 ```
 
 ## Testing Security

src/docker-manager.test.ts

@@ -628,7 +628,7 @@ describe('docker-manager', () => {
       expect(volumes).toContain('/dev/null:/host/run/docker.sock:ro');
     });
 
-    it('should mount user home directory under /host when enableChroot is true', () => {
+    it('should mount workspace directory under /host when enableChroot is true', () => {
       const configWithChroot = {
         ...mockConfig,
         enableChroot: true
@@ -637,9 +637,9 @@ describe('docker-manager', () => {
       const agent = result.services.agent;
       const volumes = agent.volumes as string[];
 
-      // Should mount home directory under /host for chroot access (read-write)
-      const homeDir = process.env.HOME || '/root';
-      expect(volumes).toContain(`${homeDir}:/host${homeDir}:rw`);
+      // SECURITY FIX: Should mount only workspace directory under /host for chroot access (not entire HOME)
+      const workspaceDir = process.env.GITHUB_WORKSPACE || process.cwd();
+      expect(volumes).toContain(`${workspaceDir}:/host${workspaceDir}:rw`);
     });
 
     it('should add SYS_CHROOT and SYS_ADMIN capabilities when enableChroot is true', () => {

src/docker-manager.ts

@@ -431,10 +431,17 @@ export function generateDockerCompose(
   // Build volumes list for agent execution container
   // For chroot mode, use the real user's home (not /root when running with sudo)
   const effectiveHome = config.enableChroot ? getRealUserHome() : (process.env.HOME || '/root');
+
+  // SECURITY FIX: Use granular mounting instead of blanket HOME directory mount
+  // Only mount the workspace directory ($GITHUB_WORKSPACE or current working directory)
+  // to prevent access to credential files in $HOME
+  const workspaceDir = process.env.GITHUB_WORKSPACE || process.cwd();
   const agentVolumes: string[] = [
     // Essential mounts that are always included
     '/tmp:/tmp:rw',
-    `${effectiveHome}:${effectiveHome}:rw`,
+    // Mount only the workspace directory (not entire HOME)
+    // This prevents access to ~/.docker/, ~/.config/gh/, ~/.npmrc, etc.
+    `${workspaceDir}:${workspaceDir}:rw`,
     // Mount agent logs directory to workDir for persistence
     `${config.workDir}/agent-logs:${effectiveHome}/.copilot/logs:rw`,
   ];
@@ -472,17 +479,36 @@ export function generateDockerCompose(
       '/dev:/host/dev:ro',             // Read-only device nodes (needed by some runtimes)
     );
 
-    // User home directory for project files and Rust/Cargo (read-write)
-    // Note: $HOME is already mounted at the container level, this adds it under /host
-    // Use getRealUserHome() to get the actual user's home (not /root when running with sudo)
-    const userHome = getRealUserHome();
-    agentVolumes.push(`${userHome}:/host${userHome}:rw`);
+    // SECURITY FIX: Mount only workspace directory instead of entire user home
+    // This prevents access to credential files in $HOME
+    // Mount workspace directory at /host path for chroot
+    agentVolumes.push(`${workspaceDir}:/host${workspaceDir}:rw`);
 
     // /tmp is needed for chroot mode to write:
     // - Temporary command scripts: /host/tmp/awf-cmd-$$.sh
     // - One-shot token LD_PRELOAD library: /host/tmp/awf-lib/one-shot-token.so
     agentVolumes.push('/tmp:/host/tmp:rw');
 
+    // Mount ~/.copilot for GitHub Copilot CLI (package extraction, config, logs)
+    // This is safe as ~/.copilot contains only Copilot CLI state, not credentials
+    agentVolumes.push(`${effectiveHome}/.copilot:/host${effectiveHome}/.copilot:rw`);
+
+    // Mount ~/.cache, ~/.config, ~/.local for CLI tool state management (Claude Code, etc.)
+    // These directories are safe to mount as they contain application state, not credentials
+    // Note: Specific credential files within ~/.config (like ~/.config/gh/hosts.yml) are
+    // still blocked via /dev/null overlays applied later in the code
+    agentVolumes.push(`${effectiveHome}/.cache:/host${effectiveHome}/.cache:rw`);
+    agentVolumes.push(`${effectiveHome}/.config:/host${effectiveHome}/.config:rw`);
+    agentVolumes.push(`${effectiveHome}/.local:/host${effectiveHome}/.local:rw`);
+
+    // Mount ~/.anthropic for Claude Code state and configuration
+    // This is safe as ~/.anthropic contains only Claude-specific state, not credentials
+    agentVolumes.push(`${effectiveHome}/.anthropic:/host${effectiveHome}/.anthropic:rw`);
+
+    // Mount ~/.claude for Claude CLI state and configuration
+    // This is safe as ~/.claude contains only Claude-specific state, not credentials
+    agentVolumes.push(`${effectiveHome}/.claude:/host${effectiveHome}/.claude:rw`);
+
     // Minimal /etc - only what's needed for runtime
     // Note: /etc/shadow is NOT mounted (contains password hashes)
     agentVolumes.push(
@@ -601,25 +627,40 @@ export function generateDockerCompose(
   //    - Encode data (base64, hex)
   //    - Exfiltrate via allowed HTTP domains (if attacker controls one)
   //
-  // **Mitigation: Selective Mounting**
+  // **Mitigation: Granular Selective Mounting (FIXED)**
   //
-  // Instead of mounting the entire filesystem (/:/host:rw), we:
-  // 1. Mount ONLY directories needed for legitimate operation
-  // 2. Hide credential files by mounting /dev/null over them
-  // 3. Provide escape hatch (--allow-full-filesystem-access) for edge cases
+  // Instead of mounting the entire $HOME directory (which contained credentials), we now:
+  // 1. Mount ONLY the workspace directory ($GITHUB_WORKSPACE or cwd)
+  // 2. Mount ~/.copilot/logs separately for Copilot CLI logging
+  // 3. Hide credential files by mounting /dev/null over them (defense-in-depth)
+  // 4. Provide escape hatch (--allow-full-filesystem-access) for edge cases
+  // 5. Allow users to add specific mounts via --mount flag
   //
-  // This defense-in-depth approach ensures that even if prompt injection succeeds,
-  // the attacker cannot access credentials because they're simply not mounted.
+  // This ensures that credential files in $HOME are never mounted, making them
+  // inaccessible even if prompt injection succeeds.
   //
   // **Implementation Details**
   //
   // Normal mode (without --enable-chroot):
-  // - Mount: $HOME (for workspace, including $GITHUB_WORKSPACE when it resides under $HOME), /tmp, ~/.copilot/logs
-  // - Hide: credential files (Docker, NPM, Cargo, Composer, GitHub CLI, SSH keys, AWS, Azure, GCP, k8s)
+  // - Mount: $GITHUB_WORKSPACE (or cwd), /tmp, ~/.copilot/logs
+  // - Hide: credential files via /dev/null overlays (defense-in-depth)
+  // - Does NOT mount: entire $HOME directory
   //
   // Chroot mode (with --enable-chroot):
-  // - Mount: $HOME at /host$HOME (for chroot environment), system paths at /host
-  // - Hide: Same credentials at /host paths
+  // - Mount: $GITHUB_WORKSPACE at /host path, system paths at /host
+  // - Hide: Same credentials at /host paths (defense-in-depth)
+  // - Does NOT mount: entire /host$HOME directory
+  //
+  // **Previous Vulnerability (FIXED)**
+  //
+  // The previous implementation mounted the entire $HOME directory and relied solely
+  // on /dev/null overlays to hide credentials. This had several problems:
+  // - Overlays only work if the credential file exists on the host
+  // - Non-standard credential locations were not protected
+  // - Any new credential files would be accessible by default
+  // - Subdirectories with credentials were fully accessible
+  //
+  // The fix eliminates the root cause by never mounting $HOME at all.
   //
   // ================================================================