Skip to content

[AAASM-4766] 🐛 (examples): fix compose uid mismatch that fails-closed all calls#326

Merged
Chisanan232 merged 1 commit into
masterfrom
v0.0.1/AAASM-4766/fix/compose_uid
Jul 17, 2026
Merged

[AAASM-4766] 🐛 (examples): fix compose uid mismatch that fails-closed all calls#326
Chisanan232 merged 1 commit into
masterfrom
v0.0.1/AAASM-4766/fix/compose_uid

Conversation

@Chisanan232

Copy link
Copy Markdown
Contributor

What changed

The live-core-enforcement scenario's agent container ran as uid 10001 while the published aa-runtime image runs as uid 65532 (distroless nonroot). The runtime creates its SDK IPC socket /tmp/aa-runtime-<agent_id>.sock as mode 0600 owned by 65532 and rejects any connecting peer whose uid != 65532 (peer-uid gating — a deliberate security control). With the uid mismatch the agent could never complete the handshake, so every governed call fell back to deny "runtime unreachable; failing closed under enforce" — including read_file, which the policy allows. No allow path was reachable out of the box; it only worked with an undocumented --user 65532.

This aligns the agent's uid to the runtime's by changing python-agent/Dockerfile useradd --uid 10001--uid 65532, with a WHY comment explaining the peer-uid constraint. The socket is intentionally not loosened to 0666 — peer-uid gating is preserved.

Related ticket

Closes AAASM-4766 — https://lightning-dust-mite.atlassian.net/browse/AAASM-4766

How to verify

Brought the stack up out-of-the-box (no --user override) with the published rc.6 images and SDK, exactly as the ticket's repro:

cd scenarios/live-core-enforcement
# aa-runtime:v0.0.1-rc.6 + aa-gateway:v0.0.1-rc.6, agent built from python-agent/Dockerfile
#   (python:3.12-slim + agent-assembly==0.0.1rc6)
bash scripts/start.sh

Observed (previously all-deny fail-closed):

  → read_file(path='/data/report.csv')
  [GATEWAY] decision=allow
    ✓ allowed — tool would execute

  → delete_file(path='/data/important.csv')
  [GATEWAY] decision=deny    reason=tool denied by policy
    ✗ blocked — tool did NOT execute

Total tool calls: 2  |  blocked by policy: 1

Agent exited 0; the gateway wrote ToolCallIntercepted + PolicyViolation audit records. Enforcement semantics (allow / deny / audit / fail-closed) are unchanged — only the uid alignment differs, which is exactly what J52 verified once uids match.

Note: the two secondary findings on the ticket (stale gateway-image docs, documenting the fail-closed behavior) are documentation and are owned by the docs lane, not this PR.

Checklist

  • PR title follows [AAASM-XXXX] <GitEmoji> (<scope>): <summary>
  • No secrets, API keys, or .env files committed
  • Example sub-projects include their own README.md with prerequisites and run instructions
  • SDK/runtime version dependencies are documented or pinned

@sonarqubecloud

Copy link
Copy Markdown

@Chisanan232

Copy link
Copy Markdown
Contributor Author

🤖 Claude Code — PR review

CI: Green. All required checks SUCCESS (Verify Scenarios policy-enforcement/approval-gates/smoke/validate across py/node/go, CodeQL, SonarCloud, metadata-drift, structure). The single non-success is live: live-core-enforcement (real gateway) = SKIPPED (expected — the live job is gated off on PRs). mergeable=true; mergeStateStatus=blocked is solely REVIEW_REQUIRED (≥1 Pioneer approval), which is acceptable, not a red gate. No real failure → no code fix pushed.

Scope: Matches AAASM-4766 exactly. Single-line change useradd --uid 10001--uid 65532 in scenarios/live-core-enforcement/python-agent/Dockerfile, +9-line WHY comment. Aligns the agent uid to aa-runtime distroless nonroot (65532) so the peer-uid-gated 0600 IPC socket /tmp/aa-runtime-<agent_id>.sock is reachable and the documented compose enforces out of the box (no undocumented --user 65532 override). Confirmed the socket is not loosened to 0666 — peer-uid gating preserved. The three secondary ticket findings (stale gateway-image docs, fail-closed documentation, non-idempotent registration) are docs/robustness and correctly out of this PR’s scope.

Side-effects: None. Build-safe — python:3.12-slim (Debian) leaves uid 65532 free (nobody is 65534), so useradd --uid 65532 succeeds. Change is confined to one scenario’s agent Dockerfile; no other scenario, compose, or script touched. Security model strengthened toward correct enforcement, not weakened.

FE: Playwright N/A — no frontend surface.

Verdict: ✅ Approve-quality. Minimal, correct, CI-green fix that restores out-of-the-box enforcement while preserving the peer-uid security control. Ready to merge once a Pioneer reviewer approves. (Not merging per review-only scope.)

@Chisanan232
Chisanan232 merged commit 8a88b35 into master Jul 17, 2026
25 checks passed
@Chisanan232
Chisanan232 deleted the v0.0.1/AAASM-4766/fix/compose_uid branch July 17, 2026 08:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant