fix(auth): allowlist the gh runner to read-only commands (isolation by construction) #112
Merged
…y construction)

maximal must never affect what gh is signed into / any gh state. Today every gh invocation IS read-only (gh --version, auth status, auth token), but the runner would execute ANY args handed to it — a future caller could slip in a mutating command.

Add isReadOnlyGhArgs() and reject in defaultRunner anything that isn't --version / auth status / auth token, turning the prose contract into an enforced gate. +tests asserting login/logout/switch/refresh/setup-git/config-set/api-POST are all rejected.

Confirms the isolation audit verdict (maximal only READS gh, stores its own token copy, sign-out deletes only that copy) and locks it in.
Locks in your requirement: maximal sign-in/out/switch must have no effect on what gh is signed into, on gh, on browser GitHub sessions, or on Copilot-CLI account selection.

Two fanned-out audits confirmed maximal is ISOLATED today — every gh call is read-only (gh --version, auth status, auth token), no mutating gh command exists anywhere, sign-out unlinks only maximal's own token copy (so gh stays signed in), the only browser URL is the additive device-grant, and maximal's OAuth client_id is distinct from gh's. The audits' one recommendation was to make it isolated by construction, not just by convention.

This change

isReadOnlyGhArgs() + a reject in the gh runner: it will only ever execute --version, auth status, or auth token. Anything else (auth login/logout/switch/refresh/setup-git, config set, api -X POST, …) is refused before exec. So no future caller can make maximal mutate gh state.

+tests asserting the mutating/unknown commands are all rejected and the three read-only ones allowed. Full suite green (819); check:fast + knip clean.

(Part of the auth-isolation work alongside the guard-timers #110 and the busybar #111.)
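
Added example, not the code from this PR: one way to write a deny-by-default argv gate of the kind described above, comparing whole tokens so that a near-miss or a smuggled trailing subcommand cannot pass. The function name isReadOnlyGhArgs is taken from the description; its body, the READ_ONLY_GH table, the runGh wrapper and the tolerance for a trailing `--hostname <value>` pair are assumptions made for the illustration.

```javascript
// Added illustration; not the project's implementation.
// Assumption: besides the three commands the PR names, only "--hostname <value>"
// is tolerated as a trailing flag on the two auth subcommands.
const READ_ONLY_GH = [
  { cmd: ['--version'], flags: [] },
  { cmd: ['auth', 'status'], flags: ['--hostname'] },
  { cmd: ['auth', 'token'], flags: ['--hostname'] },
];

// True only when args is exactly an allowlisted command, token by token,
// optionally followed by allowlisted "--flag value" pairs. Deny by default.
function isReadOnlyGhArgs(args) {
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) return false;
  return READ_ONLY_GH.some(({ cmd, flags }) => {
    // Compare whole tokens, never a joined string: "auth statusX" must not match.
    if (args.length < cmd.length || !cmd.every((tok, i) => args[i] === tok)) return false;
    const rest = args.slice(cmd.length);
    if (rest.length % 2 !== 0) return false; // stray token or flag missing its value
    for (let i = 0; i < rest.length; i += 2) {
      if (!flags.includes(rest[i])) return false; // unknown flag or extra subcommand
      if (rest[i + 1].startsWith('-')) return false; // value must not be another flag
    }
    return true;
  });
}

// Hypothetical runner: exec is injected so the gate can be tested without
// spawning gh. The check runs before exec is ever called.
function runGh(args, exec) {
  if (!isReadOnlyGhArgs(args)) {
    throw new Error('gh runner: refusing command outside the read-only allowlist');
  }
  return exec('gh', args);
}
```
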