fix(mosaic): close claudex isolation gaps S1 (Bedrock/Vertex bypass) + S2 (fail-open catches)
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
All checks were successful
ci/woodpecker/pr/ci Pipeline was successful
Addresses MS-LEAD secrev REQUEST CHANGES on #806. S1 (CRITICAL — REQ 2 defeated by provider switches + cloud creds): the env sweep did not neutralize AWS Bedrock / GCP Vertex routing. CLAUDE_CODE_USE_BEDROCK / CLAUDE_CODE_USE_VERTEX are routing switches whose mere presence makes Claude Code talk to the real Anthropic API via the ambient cloud credential chain, bypassing ANTHROPIC_BASE_URL (the loopback proxy) entirely — and the cloud credentials (AWS_SECRET_ACCESS_KEY, AWS_BEARER_TOKEN_BEDROCK, GOOGLE_APPLICATION_CREDENTIALS, …) passed straight through. - buildClaudexEnv now force-deletes the routing switches by exact name (CLAUDEX_FORCED_UNSET_ENV) regardless of value — a name pattern is the wrong model for a boolean switch. - CLAUDEX_CREDENTIAL_ENV_RE extended to the cloud-cred families (^AWS_, ^GOOGLE_APPLICATION_CREDENTIALS, ^GOOGLE_CLOUD_, ^GCP_) and the mid-string _KEY$ / _SECRET gap (STRIPE_SECRET_KEY, SSH_PRIVATE_KEY, AWS_SECRET_ACCESS_KEY). - Doc-comment updated to match reality. S2 (HIGH — fail-open contradicts documented fail-closed): defaultCanonicalizeIntended and defaultIsSymlink swallowed ANY fs error. Now they distinguish ENOENT (genuinely absent → safe to continue) from every other errno (ELOOP, EACCES, ENOTDIR, …) which rethrows and fails CLOSED. Tests (TDD red-first, 4 new specs red before the fix): Bedrock/Vertex switches + AWS/GCP creds swept while the loopback proxy stays the only route; mid-string _KEY/_SECRET closed; real-FS ELOOP (canonicalize) and ENOTDIR (isSymlink) fail closed; injected EACCES not swallowed. New-module coverage 100% stmts/lines, 93.75% branch. Full mosaic suite 1169 green; typecheck / lint / format:check green. No --no-verify. Refs #790 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -82,9 +82,14 @@ resolved dir can never be — or live under — the real `~/.claude`. A claudex
|
||||
session therefore cannot mutate your normal Claude Code config.
|
||||
|
||||
**No token leakage.** claudex never reads the proxy's credential file. Claude
|
||||
Code is handed only `ANTHROPIC_AUTH_TOKEN=unused`; the entire credential-bearing
|
||||
env family (`ANTHROPIC_*`, `*_TOKEN`, `*_API_KEY`, `*_SECRET`, …) is stripped
|
||||
from the composed environment. The proxy holds the real OAuth credential.
|
||||
Code is handed only `ANTHROPIC_AUTH_TOKEN=unused` pointed at the loopback proxy;
|
||||
the entire credential-bearing env family (`ANTHROPIC_*`, `AWS_*`, `GOOGLE_CLOUD_*`,
|
||||
`GOOGLE_APPLICATION_CREDENTIALS`, `*_TOKEN`, `*_KEY`, `*_SECRET`, …) is stripped
|
||||
from the composed environment. The Bedrock/Vertex routing switches
|
||||
(`CLAUDE_CODE_USE_BEDROCK`, `CLAUDE_CODE_USE_VERTEX`, and the `_SKIP_*_AUTH`
|
||||
pair) are force-removed regardless of value — otherwise their mere presence
|
||||
would route Claude Code to the real Anthropic API via AWS/GCP and bypass the
|
||||
proxy. The proxy holds the real OAuth credential.
|
||||
|
||||
**Model tiers (override via env).**
|
||||
|
||||
|
||||
Reference in New Issue
Block a user