Agent-preset egress drift fixes, Claude workflows, and a laundering-host gap #20
Open
Pyronewbic wants to merge 4 commits into
Found by the audit-egress workflow, each verified against upstream source:

- amp: @sourcegraph/amp -> @ampcode/cli (old name is now a thin alias that depends on the new package; new pkg keeps the `amp` bin)
- crush: catwalk.charm.sh -> catwalk.charm.land (Charm domain migration; the stale SNI was silently blocking Crush's model catalog)
- aider: avoid two off-allowlist runtime fetches without widening the allowlist - LITELLM_LOCAL_MODEL_COST_MAP=True (use litellm's bundled price map) and --no-check-update (skip aider's pypi.org version ping)
- cursor: add the api5 agent fleet (.api5.cursor.sh) + auth hosts, drop the unused api.cursor.com (not used by the CLI per Cursor's network doc)
- codex: correct a misleading comment - Codex's default Statsig telemetry to ab.chatgpt.com stays blocked by design, not allowlisted
- opencode: autoupdate:false pins the baked version against opencode's launch-time self-upgrade (which would drift from `sluice lock`)
…st (claude)

Follow-up to the egress-drift pass, verified against upstream:

- gemini: note that usage-stats telemetry (Clearcut, play.googleapis.com) is left blocked; privacy.usageStatisticsEnabled=false silences the per-run warning
- claude: re-add statsig.anthropic.com - commit 6cc6077 dropped it as dead, but upstream init-firewall.sh still allowlists it alongside statsig.com; both are feature-flag/metrics hosts whose flags can affect behavior. sentry.io error reporting stays blocked.
… findings

Add .claude/workflows/ - Claude Code multi-agent orchestration scripts (not GitHub Actions):

- review-launcher: review src/*.sh across security / bash-3.2 / docker-podman portability, each finding adversarially verified
- audit-egress: audit each agents/*.config.sh preset's egress against the allowlist + THREAT_MODEL.md, then verify each finding against upstream source
- triage-tests: run the bats suites, cluster failures, root-cause per cluster

Apply the audit-egress findings (all verified against upstream) to the remaining presets:

- amp: add auth.ampcode.com + production.ampworkers.com - the auth handshake and the Amp client's WebSocket were blocked at runtime (both per ampcode.com/security)
- crush: note that Crush's default PostHog telemetry to data.charm.land is left blocked
- qwen: note that the inherited Gemini-CLI Clearcut telemetry to play.googleapis.com is left blocked
- cursor: attribute the model/agent stream to the .api5 agent hosts, not bare cursor.sh
raw.githubusercontent.com serves arbitrary bytes from any user's repo/branch, so an allowlisted box can launder data out through it (THREAT_MODEL item 2). laundering_host() already flagged gist.githubusercontent.com but missed its sibling. Surgical add, not *.githubusercontent.com - a wildcard would noisily flag the base-allowlisted objects.githubusercontent.com (release assets) on every run. Regression test added (Docker-free).
Summary

Fixes egress drift across the nine agent presets (surfaced and verified via a new `audit-egress` workflow), adds three Claude Code multi-agent workflows, and closes a laundering-host heuristic gap in the launcher. Every host, package, and flag change was verified against upstream source/docs before editing.

Agent presets

- amp: `@sourcegraph/amp` to `@ampcode/cli`; added `auth.ampcode.com` and `production.ampworkers.com` (the auth handshake and the Amp client WebSocket were blocked at runtime; both per ampcode.com/security).
- crush: `catwalk.charm.sh` is now `catwalk.charm.land` (Charm domain migration; the stale SNI silently blocked the model catalog); noted the default PostHog telemetry to `data.charm.land` stays blocked.
- aider: `LITELLM_LOCAL_MODEL_COST_MAP=True` (bundled price map) and `--no-check-update` (skips the pypi.org version ping).
- cursor: `.api5` agent fleet and auth hosts (scoped leading-dot wildcards), dropped the unused `api.cursor.com`.
- claude: `statsig.anthropic.com` (a prior commit dropped it as dead, but it is still in upstream's init-firewall alongside `statsig.com`).

Workflows (`.claude/workflows/`)

Claude Code multi-agent orchestration scripts (not GitHub Actions):

- `review-launcher` — reviews `src/*.sh` across security / bash-3.2 / docker-podman portability, adversarially verifying each finding.
- `audit-egress` — audits each preset's egress against the allowlist + THREAT_MODEL, then verifies each finding against upstream (this is what found the drift above).
- `triage-tests` — runs the bats suites, clusters failures, root-causes each cluster.

Launcher

- `laundering_host()` now flags `raw.githubusercontent.com` — it serves arbitrary bytes from any repo, a write-capable exfil channel (THREAT_MODEL item 2). Surgical add rather than a `*.githubusercontent.com` wildcard, which would noisily flag the base-allowlisted `objects.githubusercontent.com`.

Test plan

- `make build-check` green (bin/sluice in sync with src/)
- `shellcheck -S warning bin/sluice` clean
- `test/verify-security-laundering.bats` 5/5 (including a new `raw.githubusercontent.com` regression case)

🤖 Generated with Claude Code
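The two checks this PR touches, the exact-match laundering-host heuristic from the launcher commit and the scoped leading-dot wildcard matching mentioned for the cursor preset, as an added, stand-alone example that is not sluice's own code. It shows why the heuristic lists `raw.githubusercontent.com` and `gist.githubusercontent.com` by name instead of a `*.githubusercontent.com` wildcard (the wildcard would also hit the release-asset host `objects.githubusercontent.com`), and why an over-broad wildcard in an allowlist is itself worth flagging. Only `laundering_host` is a name from the page; `host_allowed`, `audit_allowlist`, `regression_check`, the leading-dot semantics and every sample allowlist are assumptions made for the example. It sticks to bash 3.2 / POSIX sh constructs so it runs Docker-free.

```bash
#!/usr/bin/env bash
# Added example (not sluice's own code): an exact-match laundering-host
# heuristic next to a scoped leading-dot wildcard allowlist matcher, plus a
# Docker-free regression check. Kept to bash 3.2 / POSIX sh constructs
# (no associative arrays, no mapfile). Function names other than
# laundering_host, and all sample allowlists, are assumptions for the example.

# Hosts that serve arbitrary user-controlled bytes back to the world, so a
# box that may reach them can push data out through them (an exfil channel
# in the THREAT_MODEL sense). Exact names on purpose: a *.githubusercontent.com
# pattern would also hit objects.githubusercontent.com, which only serves
# release assets and is legitimately allowlisted.
LAUNDERING_HOSTS="gist.githubusercontent.com raw.githubusercontent.com"

# laundering_host HOST -> 0 if HOST is a known laundering host, else 1.
laundering_host() {
  local host="$1" h
  for h in $LAUNDERING_HOSTS; do
    [ "$host" = "$h" ] && return 0
  done
  return 1
}

# host_allowed HOST ALLOWLIST -> 0 if HOST matches an entry, else 1.
# An entry is an exact host, or a scoped wildcard written with a leading dot:
# ".api5.cursor.sh" admits any subdomain of api5.cursor.sh but not the bare
# apex and not a lookalike such as "evilapi5.cursor.sh" (the dot is anchored).
host_allowed() {
  local host="$1" allowlist="$2" entry
  for entry in $allowlist; do
    case "$entry" in
      .*) case "$host" in *"$entry") return 0 ;; esac ;;
      *)  [ "$host" = "$entry" ] && return 0 ;;
    esac
  done
  return 1
}

# audit_allowlist ALLOWLIST -> prints each laundering host the allowlist
# admits (explicitly or through an over-broad wildcard); returns 1 if any,
# 0 if the allowlist is clean.
audit_allowlist() {
  local allowlist="$1" h rc=0
  for h in $LAUNDERING_HOSTS; do
    if host_allowed "$h" "$allowlist"; then
      printf 'laundering host reachable: %s\n' "$h"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample allowlists for the check below (not from any preset).
SAFE_ALLOWLIST="api.anthropic.com objects.githubusercontent.com .api5.cursor.sh"
LEAKY_ALLOWLIST="api.anthropic.com raw.githubusercontent.com"
BROAD_ALLOWLIST="api.anthropic.com .githubusercontent.com"

# regression_check -> 0 when every expectation holds, 1 on the first miss.
regression_check() {
  laundering_host raw.githubusercontent.com                 || return 1
  laundering_host gist.githubusercontent.com                || return 1
  ! laundering_host objects.githubusercontent.com           || return 1
  host_allowed agent-7.api5.cursor.sh "$SAFE_ALLOWLIST"     || return 1
  ! host_allowed api5.cursor.sh "$SAFE_ALLOWLIST"           || return 1
  ! host_allowed evilapi5.cursor.sh "$SAFE_ALLOWLIST"       || return 1
  audit_allowlist "$SAFE_ALLOWLIST" >/dev/null              || return 1
  ! audit_allowlist "$LEAKY_ALLOWLIST" >/dev/null           || return 1
  ! audit_allowlist "$BROAD_ALLOWLIST" >/dev/null           || return 1
  return 0
}

regression_check || { echo "laundering-host regression check: FAIL" >&2; exit 1; }
echo "laundering-host regression check: pass"
# What the audit reports for the over-broad wildcard (both siblings slip in):
audit_allowlist "$BROAD_ALLOWLIST" || echo "  -> list the hosts you need, not the parent domain"
```

The audit walks the laundering list and asks the allowlist whether each host is reachable, rather than scanning allowlist entries for known names; that is what makes it catch a `.githubusercontent.com` wildcard as well as an explicit `raw.githubusercontent.com` entry, while a safe list that carries `objects.githubusercontent.com` stays quiet.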