fix: address Copilot review round 2 (PR #168)

Five new comments from Copilot's second review:

README.md:
  - Spelled out env var names (AGENTIC_WORKSPACE_PLUGINS / _AGENTS)
    instead of the abbreviated /_PLUGINS / _AGENTS form that could
    cause copy-paste misconfiguration.

docs/workspace.md:
  - inject() example now targets /workspace/CLAUDE.md (parent
    guaranteed by the image) instead of /etc/agentic/workspace/...
    which only exists when the orchestrator bind-mounts it. Added
    a comment explaining why.

providers/workspaces/claude-cli/scripts/entrypoint.sh:
  - Security fix: __inject_safe_filter rejects plugin/agent names
    containing '/' or '..'. Previously a value like
    AGENTIC_WORKSPACE_PLUGINS='../etc' could escape the intended
    /etc/agentic/workspace/plugins/ mount.

lib/python/agentic_isolation/agentic_isolation/workspace_files.py:
  - inject() now explicitly rejects trailing slashes; docstring is
    accurate. Path('/foo/') normalizes to /foo internally, so the
    earlier basename check didn't actually catch this.
  - Renamed test_inject_rejects_empty_basename to
    test_inject_rejects_root_path since the trailing-slash check
    now catches '/' first.
  - New test_inject_rejects_trailing_slash.

docs/superpowers/specs/2026-05-12-workspace-injection-contract-design.md:
  - Spec snippet was showing chmod 644 but impl uses 600 (the change
    we made for round 1). Synced spec → 600 to remove drift.

Tests:
  - 177 Python (+1 for trailing-slash test)
  - 7 integration green
  - ruff check + format clean
  - Image rebuilt and integration tests passed against fresh image.

Author: NeuralEmpowerment

README.md

@@ -254,7 +254,7 @@ just list-providers
 
 `agentic-primitives` ships the workspace image — the controlled boundary every AI agent runs inside. The workspace has three responsibilities:
 
-1. **Inject** orchestrator-supplied context (`CLAUDE.md`, plugins, subagents) via a bind-mount at `/etc/agentic/workspace/` + three optional env vars (`AGENTIC_WORKSPACE_CONTEXT` / `_PLUGINS` / `_AGENTS`).
+1. **Inject** orchestrator-supplied context (`CLAUDE.md`, plugins, subagents) via a bind-mount at `/etc/agentic/workspace/` + three optional env vars (`AGENTIC_WORKSPACE_CONTEXT`, `AGENTIC_WORKSPACE_PLUGINS`, `AGENTIC_WORKSPACE_AGENTS`).
 2. **Isolate** the agent's effects (tmpfs home, read-only context mount, network whitelisting, per-task volumes).
 3. **Observe** what the agent did (git hooks → JSONL on stderr, `--output-format stream-json` on stdout, output artifacts in `/workspace/artifacts/output/`).
 

docs/superpowers/specs/2026-05-12-workspace-injection-contract-design.md

@@ -150,7 +150,7 @@ if [ -d "${INJECT_MOUNT}" ]; then
     ctx_src="${INJECT_MOUNT}/${AGENTIC_WORKSPACE_CONTEXT:-${INJECT_DEFAULT_CONTEXT}}"
     if [ -f "${ctx_src}" ]; then
         cp "${ctx_src}" "${INJECT_TARGET_CONTEXT}"
-        chmod 644 "${INJECT_TARGET_CONTEXT}"
+        chmod 600 "${INJECT_TARGET_CONTEXT}"
     fi
 
     # 2. Per-workspace plugins (appended to existing AGENTIC_PLUGIN_FLAGS

docs/workspace.md

@@ -115,8 +115,15 @@ mount = wf.bind_mount(workspace_dir, "/etc/agentic/workspace", read_only=True)
 container = client.containers.create(image, mounts=[mount], ...)
 
 # Inject mode (generated content)
+# Note: inject() requires the parent dir to already exist inside the
+# container. /workspace and /tmp are guaranteed by the image; arbitrary
+# paths under /etc/agentic/workspace/ are NOT — that path only exists
+# when an orchestrator also bind-mounts it. For generated context, the
+# common pattern is to inject into /workspace/ (which the image creates
+# at build time) and let the entrypoint's section 5.5 leave that copy
+# untouched (since /etc/agentic/workspace/ isn't mounted in this flow).
 container = client.containers.create(image, ...)
-wf.inject(container.id, "/etc/agentic/workspace/CLAUDE.md", composed_bytes)
+wf.inject(container.id, "/workspace/CLAUDE.md", composed_bytes)
 container.start()
 ```
 

lib/python/agentic_isolation/agentic_isolation/workspace_files.py

@@ -75,8 +75,12 @@ def inject(
         directories.
 
         Raises ``ValueError`` if ``container_path`` is not an absolute
-        path or has an empty basename (e.g. ``/`` or trailing slash).
+        path, has an empty basename (e.g. ``/``), or has a trailing
+        slash (which would imply "this is a directory" and is not a
+        valid target for a single-file tar).
         """
+        if container_path.endswith("/"):
+            raise ValueError(f"container_path must not end with '/', got {container_path!r}")
         target = Path(container_path)
         if not target.is_absolute():
             raise ValueError(f"container_path must be absolute, got {container_path!r}")

lib/python/agentic_isolation/tests/test_workspace_files.py

@@ -85,14 +85,28 @@ def test_inject_rejects_relative_path():
         raise AssertionError("expected ValueError")
 
 
-def test_inject_rejects_empty_basename():
-    """inject() raises ValueError on a path whose .name is empty (e.g. /)."""
+def test_inject_rejects_root_path():
+    """inject() raises ValueError on `/` (caught by the trailing-slash
+    check, which also covers the empty-basename case)."""
     from agentic_isolation.workspace_files import WorkspaceFiles
 
     wf = WorkspaceFiles(client=MagicMock())
     try:
         wf.inject("ctr", "/", b"x")
+    except ValueError:
+        pass
+    else:
+        raise AssertionError("expected ValueError")
+
+
+def test_inject_rejects_trailing_slash():
+    """inject() raises ValueError on a path ending with '/'."""
+    from agentic_isolation.workspace_files import WorkspaceFiles
+
+    wf = WorkspaceFiles(client=MagicMock())
+    try:
+        wf.inject("ctr", "/workspace/", b"x")
     except ValueError as e:
-        assert "basename" in str(e)
+        assert "slash" in str(e) or "/" in str(e)
     else:
         raise AssertionError("expected ValueError")

providers/workspaces/claude-cli/scripts/entrypoint.sh

@@ -214,10 +214,23 @@ readonly INJECT_DEFAULT_CONTEXT="CLAUDE.md"
 readonly INJECT_PLUGIN_MANIFEST=".claude-plugin/plugin.json"
 
 # --- Helpers --------------------------------------------------------------
+# Reject any name containing '/' or '..' so plugin/agent names supplied
+# via env can't escape the intended mount via path traversal. Caller
+# pipes a stream of names through this filter.
+__inject_safe_filter() {
+    while IFS= read -r name; do
+        [ -n "${name}" ] || continue
+        case "${name}" in
+            */*|*..*|"") continue ;;
+        esac
+        printf '%s\n' "${name}"
+    done
+}
+
 __inject_names() {
     local explicit="$1" dir="$2" strip_ext="${3:-}"
     if [ -n "${explicit}" ]; then
-        printf '%s\n' "${explicit}" | tr ':' '\n'
+        printf '%s\n' "${explicit}" | tr ':' '\n' | __inject_safe_filter
         return
     fi
     [ -d "${dir}" ] || return