Documentation
¶
Overview ¶
ABOUTME: jailcheck flags direct filesystem-mutation / subprocess calls in ABOUTME: agent/tools that bypass the ExecutionEnvironment seam guarding the writable_paths jail (#272/#275/#283).
Background: agent tools must route every filesystem mutation and subprocess through the exec.ExecutionEnvironment interface (env.WriteFile / env.RemoveFile / env.ExecCommand). When a node sets writable_paths, that seam is the single choke point where Landlock + openat2 (writes) and the __jail-exec CommandWrapper (subprocesses) are wired (see pipeline/handlers/codergen_jail.go). A tool that calls os.WriteFile / os.Remove / os.MkdirAll — or exec.Command, ioutil.WriteFile, a mutating syscall.* — directly bypasses the jail entirely. That is exactly the bug the #275 audit caught in generate_code and write_enriched_sprint.
This analyzer parses every non-test .go file in the target directory (default agent/tools) and reports any reference to a watched mutating function (filesystem write/delete or subprocess spawn) across the os, os/exec, io/ioutil, and syscall packages — resolving aliased imports and flagging dot-imports. The single legal exception is an env==nil fallback path, which can only run when no jail is active and therefore has nothing to bypass; such a function must carry the //jail:allow-unjailed-fallback marker.
Usage: go run ./tools/jailcheck [dir] (exit 1 on any violation)
Full rationale and the per-tool threat model: docs/architecture/agent-tool-jail-checklist.md
Source Files