Skip to content

Compiler: stop injecting sudo and --enable-host-access, support --legacy-security #45344

Description

@lpcox

Summary

The gh-aw compiler needs to be updated to support AWF's strict security default. Today the compiler auto-injects flags that are incompatible with strict security into generated .lock.yml files.

Strict security is the default — the compiler should simply stop emitting sudo and host-access flags. Only workflows that genuinely need legacy behavior should opt in via legacy-security: enable.

Current Behavior

When the compiler processes workflow .md files with runtime: gvisor and sudo: true in frontmatter, it injects:

  1. sudo -E prefix on the awf command (via AWFDefaultCommand constant)
  2. --enable-host-access flag
  3. --allow-host-ports 80,443,8080 flag
  4. --enable-api-proxy (no longer needed — API proxy is always on)

For workflows with a services: block, it also injects:
5. --allow-host-service-ports with dynamic port expressions

Required Changes

1. Change AWFDefaultCommand from "sudo -E awf" to "awf"

In pkg/constants/constants.go:

const AWFDefaultCommand = "awf"  // was: "sudo -E awf"

2. Stop injecting --enable-host-access and --allow-host-ports

In pkg/workflow/awf_helpers.go (around line 675-698): remove the branch that adds --enable-host-access and --allow-host-ports. These are incompatible with strict security.

3. Stop emitting --enable-api-proxy

The API proxy is always enabled in AWF now. The compiler should not emit --enable-api-proxy in the config file (AWFAPIProxyConfig.Enabled should be removed or always true without emitting the flag).

4. Add legacy-security: enable frontmatter support

Add a new field to AgentSandboxConfig:

LegacySecurity bool `yaml:"legacy-security,omitempty"`

When legacy-security: enable is set in frontmatter, the compiler should emit:

  • sudo -E awf (override command prefix)
  • --legacy-security flag
  • --enable-host-access --allow-host-ports 80,443,8080

5. GetAWFCommandPrefix logic change

In pkg/workflow/awf_helpers.go:

  • Default: return "awf" (no sudo)
  • When legacy-security: enable: return "sudo -E awf"
  • Remove the isAWFNetworkIsolationEnabled gating (network isolation is now always on in strict mode)

6. Workflows requiring legacy security

Only workflows that use --allow-host-service-ports (i.e., those with a services: block that need to reach host-bound service ports) should use legacy-security: enable. All others use strict security (the default).

Key Files to Modify

  • pkg/constants/constants.goAWFDefaultCommand
  • pkg/workflow/awf_helpers.goGetAWFCommandPrefix(), BuildAWFArgs() (host-access logic)
  • pkg/workflow/awf_config.goAWFAPIProxyConfig (stop requiring enabled: true)
  • pkg/workflow/sandbox.goAgentSandboxConfig (add LegacySecurity field)
  • pkg/workflow/frontmatter_extraction_security.go — parse legacy-security from frontmatter

Dependency

This is blocked on the AWF release containing --legacy-security (github/gh-aw-firewall#6207). Once that ships, the compiler can be updated and lock files regenerated.

Related

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions