You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+51-2Lines changed: 51 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -29,7 +29,7 @@ That distinction is the point of this project. Agent Container gives coding agen
29
29
<palign="center">
30
30
<ahref="#quick-start">Quick Start</a> ·
31
31
<ahref="#why">Why</a> ·
32
-
<a href="#threat-model"</a> ·
32
+
<ahref="#threat-model">Threat Model</a> ·
33
33
<ahref="#how-it-works">How It Works</a> ·
34
34
<ahref="#bindings">Bindings</a> ·
35
35
<ahref="#api">API</a> ·
@@ -145,6 +145,8 @@ Implemented today:
145
145
-`WORKSPACE` supports `readText`, `writeText`, `list`, `stat`, `glob`, `grep`, and `remove`.
146
146
- Workspace mode can be `live` or `shadow`; `shadow` copies the repository to a disposable temp directory.
147
147
- Workspace mounts can expose additional paths as read-only or read-write logical mount points.
148
+
- Workspace reads are env-aware: root `.env*` sources are exposed as filtered dotenv views, and env-like files outside configured env sources are denied.
149
+
-`workspace.denyRead` can deny additional non-env paths from `WORKSPACE.readText` and `WORKSPACE.grep`.
148
150
-`EXEC.run` starts allowlisted host commands with workspace-scoped cwd resolution, timeout handling, and selected env projection.
149
151
-`EXEC.shell` exists, but only works when `allowShell` is enabled.
150
152
-`ENV` exposes public variables and `SECRETS` exposes secret-classified variables.
The workspace controller resolves logical paths against the matching mount and rejects path traversal outside that mount's physical root.
201
203
204
+
Env file reads:
205
+
206
+
```ts
207
+
const container =awaitcreateAgentContainer({
208
+
workspace: { root: process.cwd() },
209
+
env: {
210
+
include: ["PUBLIC_*"],
211
+
processEnv: "none",
212
+
},
213
+
});
214
+
215
+
const envFile =awaitWORKSPACE.readText(".env");
216
+
// PUBLIC_READ_KEY="hello-world"
217
+
```
218
+
219
+
If `env.sources` is omitted, root-level `.env` and `.env.*` files are treated as env sources. Reading one of those files through `WORKSPACE` returns a synthetic dotenv file filtered by the same `env.include` and `env.exclude` rules used by `ENV`.
220
+
221
+
If `env.sources` is provided, only those file sources are readable as filtered env files. Other env-like files, such as `.env.local` when only `.env` is configured, are denied with `Path is not readable: <path>`.
222
+
223
+
Additional read denies:
224
+
225
+
```ts
226
+
const container =awaitcreateAgentContainer({
227
+
workspace: {
228
+
root: process.cwd(),
229
+
denyRead: ["**/*.secret"],
230
+
},
231
+
});
232
+
```
233
+
234
+
`denyRead` applies to non-env file content reads and search. It does not select env sources; use `env.sources` for that. `list`, `stat`, and `glob` may still reveal filenames.
0 commit comments