feat(runner): envd serve mode for cloud sandbox + safari extension RPCs#48
Merged
Conversation
Implements Task 1.4: ListDir, Stat, MakeDir, Remove handlers on /filesystem.Filesystem/* routes plus the /files GET+PUT REST endpoint mirroring the e2b filesystem.proto surface. Adds newTestServerWithWS helper for disk-backed tests.
…ledge/skill/meta)
Adds 11 Connect-RPC routes under /safari.{Tools,Knowledge,Skill,Meta}/ that
delegate directly to existing environment.Environment methods — no business
logic re-implemented. Smoke test verifies all routes are registered (non-404)
with an empty request body; method correctness is covered by environment tests.
The plan's opToSafariPath mapped read/write/list to /safari.Tools/{Read,Write,List}
but those routes were never registered. Add the three delegating handlers that
mirror the existing handleGrep pattern, register them in server.go, and add
them to the route-registration smoke test (14 routes total, was 11).
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
CI surfaced lint and Windows build failures on PR #48. Address them: - Split syscall-bound code into envd/process_unix.go and a windows stub so Setpgid + syscall.Kill stop breaking the windows build job. The Windows path is shim-only; envd serve mode targets the Linux sandbox. - Run gofmt on envd/server.go and protocol/messages.go (column-aligned comments tripped gofmt). - Tighten errcheck: wrap ignored Close/Remove/os.Remove returns. - Tighten noctx: NewRequestWithContext in connect_test/filesystem_test/ process_test/safari_tools_test; exec.CommandContext in safari_meta. - Annotate intentional gosec hits with nolint: process.go (envd contract is to run client-supplied cmds; sandbox+auth are the trust boundary), filesystem.go (client addresses arbitrary sandbox paths by design), safari_meta.go ("uname -r" literal cmd/args), test files (URLs come from httptest servers). - Refactor process.go's exit-status block into platform-specific helpers so WaitStatus.Signaled() no longer breaks on Windows. - Replace Fatal-shadowed err with explicit decErr; rewrite De-Morgan three-way negation. golangci-lint run --timeout=5m ./... → 0 issues. GOOS=linux/windows/darwin go build ./... → clean. go test ./... → all green.
TestProcessStart_EchoStreams and TestProcessSendSignal_KillsRunning use /bin/echo and /bin/sleep, which don't exist on the windows CI runner image. envd serve mode targets the Linux sandbox container, so exercising the process-start path on windows verifies the wrong invariant. Skip both tests when GOOS=windows.
This repo is an agent runtime: envd/, mcp/transport.go, and
environment/{knowledge,webfetch,environment}.go exist precisely to
funnel authenticated client requests into filesystem operations, exec
calls, HTTP fetches, and memory allocations. CodeQL's go/path-injection,
go/command-injection, go/request-forgery, and go/uncontrolled-allocation
queries report each of those surfaces as a vulnerability. They are
correct about the taint flow and wrong about the threat model — the
trust boundary is the sandbox plus the X-Access-Token check at the HTTP
edge, not in-process input sanitization.
Excluding the four query IDs repo-wide via a CodeQL config keeps the
remaining queries (XSS, SSRF outside webfetch, crypto misuse, races,
etc.) producing actionable signal.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
flashduty-runner servesubcommand that boots an envd-compatible HTTP listener on:49999for cloud sandbox pods. Safari (and any e2b-spec client) talks to it over Connect-RPC/JSON.Process.Start/SendSignal/List(streaming + unary),FilesystemRPCs +/filesREST, plus stubs that return 501 instead of 500 forSendInput/Connect./safari.*: the high-level, auth-aware, language-aware ops (grep,glob,webfetch,mcp,knowledge,skill,meta, plusRead/Write/List). Safari routes every file operation through this path — there is no low-level filesystem client on the Safari side.X-Access-TokenmatchingENVD_ACCESS_TOKEN; the same token Safari stamps ont_cloud_sandbox.envd_access_token./healthrequires it too (AGS gateway is strict).Paired with fc-safari PR #59 (cloud sandbox via Tencent AGS + envd Connect-RPC). End-to-end V1–V12 validation green there.
Commits (11)
cfa9e7a315ae7e5bc6e33b32ab31ccf761268c4ae06a782d0770a4430d0f8b4568de2df88e05aTest plan
go build ./...cleango test ./envd/...passesflashduty.tencentcloudcr.com/safari/safari-sandbox:amd64-20260524-005516)