Make oz runs publicly viewable #276
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and posted feedback on this pull request. Powered by Oz
Overview
Adds session_sharing.public_access to every Oz agent run launched from the shared build_agent_config, defaulting to VIEWER so anyone with the run's session link can view the session. Introduces WARP_SESSION_SHARING_PUBLIC_ACCESS to override the level (VIEWER/EDITOR) or disable public sharing (NONE/OFF/DISABLED/FALSE/0). Includes good unit coverage for default, EDITOR opt-in, case-insensitivity, disable values, and unknown-value fallback.
Concerns
- build_agent_config is shared across every workflow entrypoint (issue triage, spec creation, implementation, PR review, comment-response, etc.), so this flips the default posture for every run in every consuming repo to "anyone with link can view". The module docstring states this is intentional for OSS workflows — calling it out so it is not merged by accident. Consumers who vendor these workflows into non-OSS settings should be explicitly notified.
- Docs: README.md lists the optional repo variables that influence agent behavior (WARP_AGENT_MODEL, WARP_AGENT_MCP, WARP_ENVIRONMENT_ID) but does not mention the new WARP_SESSION_SHARING_PUBLIC_ACCESS knob. Since README.md is outside this PR diff, adding it to that table in a follow-up (or here) would make the opt-out discoverable for operators. Leaving in summary because the file is not part of the PR diff.
Security
- Session sharing is a privacy/security posture change: agent transcripts (prompts, tool calls, shell output, retrieved file contents) become viewable by anyone who has the link. This appears intentional for OSS repos, but is a significant behavior change worth explicit reviewer attention.
- EDITOR is accepted as a public-access level, which would let any anonymous visitor with the link edit/steer the live agent session. It is opt-in via WARP_SESSION_SHARING_PUBLIC_ACCESS=EDITOR and the server presumably validates, so not a critical risk, but worth confirming that accepting EDITOR on the public knob is intended (as opposed to EDITOR only being meaningful for team-scoped sharing).
- Fail-open on misconfiguration: an unrecognized env value falls back to the public default (VIEWER). An operator intending to opt out via a typo would still publicly share sessions with only a GitHub Actions warning. Consider failing closed; see inline comment.
Verdict
Found: 0 critical, 0 important, 2 suggestions
Approve with nits
Powered by Oz
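The fail-open concern from the review above, as an added example that is not code from this PR or the project: the fallback the review describes, next to a fail-closed variant, run over constructed values. The function names, the `fail_closed` flag, treating an empty value as unset, and the config key layout are assumptions.

```python
"""Added example: fail-open vs fail-closed parsing of the public-access knob."""
ENV_VAR = "WARP_SESSION_SHARING_PUBLIC_ACCESS"
LEVELS = {"VIEWER", "EDITOR"}                        # levels named in the review
DISABLE = {"NONE", "OFF", "DISABLED", "FALSE", "0"}  # opt-out values named in the review
DEFAULT = "VIEWER"


def resolve_public_access(env, fail_closed):
    """Return (level, warning). level None means the run is not shared publicly."""
    raw = env.get(ENV_VAR)
    if raw is None or not raw.strip():
        return DEFAULT, None  # unset -> default; empty treated as unset (assumption)
    value = raw.strip().upper()  # matching is case-insensitive
    if value in LEVELS:
        return value, None
    if value in DISABLE:
        return None, None
    if fail_closed:
        # A typo in an opt-out attempt must not expose the transcript.
        return None, f"{ENV_VAR}={raw!r} not recognized; public sharing disabled"
    return DEFAULT, f"{ENV_VAR}={raw!r} not recognized; falling back to {DEFAULT}"


def session_sharing_config(env, fail_closed):
    """Build the config fragment; the key layout here is an assumed shape."""
    level, warning = resolve_public_access(env, fail_closed)
    config = {} if level is None else {"session_sharing": {"public_access": level}}
    return config, warning


# Constructed sample values: two valid settings and two operator typos.
SAMPLES = ["editor", "off", "NONEE", "disable"]


def compare(samples=SAMPLES):
    """Return (raw, fail_open_level, fail_closed_level) for each sample."""
    rows = []
    for raw in samples:
        env = {ENV_VAR: raw}
        rows.append((raw,
                     resolve_public_access(env, fail_closed=False)[0],
                     resolve_public_access(env, fail_closed=True)[0]))
    return rows


if __name__ == "__main__":
    for raw, open_level, closed_level in compare():
        print(f"{raw!r:10} fail-open={open_level!s:7} fail-closed={closed_level}")
```

The two typo rows are where the policies differ: fail-open keeps the run public at VIEWER, while fail-closed omits public sharing and still returns a warning for the workflow log.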
captainsafia left a comment
LGTM but I agree with addressing the agent's feedback here.
Co-authored-by: oz-for-oss-staging[bot] <272336292+oz-for-oss-staging[bot]@users.noreply.github.com>
Specify this config when creating the oz agent run:
Depending on the server and client PRs implementing the tech and product spec for app-3762
Testing
Only checked that this produces the correct payload. Will have to test e2e in staging.
Tested the payload itself e2e with all relevant PRs:
https://www.loom.com/share/4848563ff61d46af829f90d42d2be792