mirror of
https://github.com/coleam00/Archon
synced 2026-04-21 13:37:41 +00:00
* fix(env): detect and refuse target-repo .env with sensitive keys (#1034)

Bun auto-loads .env from subprocess CWD regardless of the clean env passed to Bun.spawn, silently overriding OAuth auth and billing the wrong API account. This adds a consent-based gate at registration time and a pre-spawn safety net in both Claude and Codex clients.

Changes:
- Add env-leak-scanner utility that checks 6 auto-loaded .env filenames for 7 sensitive keys (ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.)
- Add allow_env_keys boolean column to codebases table (migration 021)
- Gate registerRepoAtPath to reject codebases with sensitive .env keys unless explicitly consented via allowEnvKeys flag
- Add pre-spawn check in ClaudeClient and CodexClient sendQuery methods
- Return 422 from POST /api/codebases on env leak detection
- Surface env leak error in web UI with "Allow env keys" checkbox
- Classify EnvLeakError as FATAL in workflow executor

Fixes #1034

* fix: address review findings for env leak scanner PR

- Fix FATAL_PATTERNS 'env leak' pattern that never matched EnvLeakError.message; now checks error.name === 'EnvLeakError' directly (immune to message rewording)
- Fix pre-spawn consent lookup for worktree paths: add findCodebaseByPathPrefix() and use it as fallback when exact match returns null; prevents opt-in from being silently ineffective for workflow-based runs
- Add allow_env_keys column to 000_combined.sql CREATE TABLE and idempotent ALTER section to fix fresh PostgreSQL installs
- Remove non-existent --allow-env-keys CLI flag from error message; replace with web UI-only instruction
- Narrow isEnvLeakError check from error.message.includes('env') to startsWith('Cannot add codebase')
- Distinguish ENOENT (skip) from EACCES/other errors in scanner catch block; unreadable files now surface as findings to avoid silently bypassing the gate
- Use cross-platform grep command instead of macOS-specific sed -i '' syntax
- Add audit log (log.warn) when 422 EnvLeakError is returned from API
- Add pre-spawn gate tests to claude.test.ts and codex.test.ts (4 tests each)
- Add env leak gate tests to clone.test.ts (2 tests)
- Add 422 and allowEnvKeys passthrough tests to api.codebases.test.ts

* simplify: reduce complexity in changed files

| | | |
|---|---|---|
| 000_combined.sql | ||
| 001_initial_schema.sql | ||
| 002_command_templates.sql | ||
| 003_add_worktree.sql | ||
| 004_worktree_sharing.sql | ||
| 005_isolation_abstraction.sql | ||
| 006_isolation_environments.sql | ||
| 007_drop_legacy_columns.sql | ||
| 008_workflow_runs.sql | ||
| 009_workflow_last_activity.sql | ||
| 010_immutable_sessions.sql | ||
| 011_partial_unique_constraint.sql | ||
| 012_workflow_events.sql | ||
| 013_conversation_titles.sql | ||
| 014_message_history.sql | ||
| 015_background_dispatch.sql | ||
| 016_session_ended_reason.sql | ||
| 017_drop_command_templates.sql | ||
| 018_fix_workflow_status_default.sql | ||
| 019_workflow_resume_path.sql | ||
| 020_codebase_env_vars.sql | ||
| 021_add_allow_env_keys_to_codebases.sql | ||