@vellumai/credential-executor 0.4.55 → 0.4.56

package/src/commands/executor.ts

@@ -16,21 +16,27 @@
  * 4. **Workspace staging** — Stage declared workspace inputs into a
  *    CES-private scratch directory.
  *
- * 5. **Auth materialization** — Materialize the credential through the
- *    declared auth adapter (env_var, temp_file, or credential_process).
+ * 5. **Credential materialization** — Materialize the raw credential
+ *    value from the credential store.
  *
  * 6. **Egress proxy startup** — Start a CES-owned egress proxy session
  *    (when egressMode is `proxy_required`) to enforce network target
- *    allowlists.
+ *    allowlists. This happens BEFORE the auth adapter runs so that
+ *    credential_process helpers also execute under egress control.
  *
- * 7. **Command execution** — Run the command with clean config dirs,
+ * 7. **Auth adapter construction** — Build the credential environment
+ *    through the declared auth adapter (env_var, temp_file, or
+ *    credential_process). For credential_process, the helper runs
+ *    with proxy env vars injected.
+ *
+ * 8. **Command execution** — Run the command with clean config dirs,
  *    materialized credential env vars, and proxy env vars. The command
  *    runs in the scratch directory, never in the assistant workspace.
  *
- * 8. **Output copyback** — After exit, validate and copy declared output
+ * 9. **Output copyback** — After exit, validate and copy declared output
  *    files from the scratch directory back into the workspace.
  *
- * 9. **Cleanup** — Stop the egress proxy session, remove temp files, and
+ * 10. **Cleanup** — Stop the egress proxy session, remove temp files, and
  *    clean up the scratch directory.
  *
  * The executor is fail-closed: bundle mismatches, missing grants,
@@ -38,9 +44,9 @@
  * violations all result in command rejection before or after execution.
  */
 
-import { createHash, randomUUID } from "node:crypto";
-import { dirname, join } from "node:path";
-import { mkdirSync, writeFileSync, unlinkSync, rmSync } from "node:fs";
+import { randomUUID } from "node:crypto";
+import { dirname, join, resolve } from "node:path";
+import { mkdirSync, writeFileSync, unlinkSync, rmSync, realpathSync } from "node:fs";
 import { tmpdir } from "node:os";
 import {
   SessionStore,
@@ -56,7 +62,7 @@ import { readPublishedManifest, getBundleContentPath, isBundlePublished } from "
 import { getCesToolStoreDir, type CesMode } from "../paths.js";
 import type { SecureCommandManifest, CommandProfile } from "./profiles.js";
 import { isDeniedBinary, EgressMode } from "./profiles.js";
-import { validateCommand, type CommandValidationResult } from "./validator.js";
+import { validateCommand, extractShellBinary, containsShellMetacharacters, type CommandValidationResult } from "./validator.js";
 import type { AuthAdapterConfig } from "./auth-adapters.js";
 import { AuthAdapterType, validateAuthAdapterConfig } from "./auth-adapters.js";
 import {
@@ -68,8 +74,12 @@ import {
   type WorkspaceOutput,
   type CopybackResult,
 } from "./workspace.js";
+import { hashProposal, type AuditRecordSummary, type CommandGrantProposal } from "@vellumai/ces-contracts";
+
+import type { AuditStore } from "../audit/store.js";
 import type { PersistentGrantStore } from "../grants/persistent-store.js";
 import type { TemporaryGrantStore } from "../grants/temporary-store.js";
+import type { SessionIdRef } from "../server.js";
 
 // ---------------------------------------------------------------------------
 // Types
@@ -97,10 +107,8 @@ export interface ExecuteCommandRequest {
   purpose: string;
   /** Explicit grant ID to consume, if the caller holds one. */
   grantId?: string;
-  /** Conversation ID for thread-scoped temporary grants. */
+  /** Conversation ID for conversation-scoped temporary grants. */
   conversationId?: string;
-  /** Session ID for the egress proxy. */
-  sessionId?: string;
 }
 
 /**
@@ -121,6 +129,19 @@ export interface ExecuteCommandResult {
   error?: string;
   /** Audit-relevant metadata. */
   auditId?: string;
+  /**
+   * When the failure reason is a missing grant, this field contains the
+   * proposal metadata needed by the approval bridge. Present only when
+   * the error is an approval-required grant failure.
+   */
+  approvalRequired?: {
+    credentialHandle: string;
+    bundleId: string;
+    bundleDigest: string;
+    profileName: string;
+    command: string;
+    purpose: string;
+  };
 }
 
 /**
@@ -148,6 +169,10 @@ export interface CommandExecutorDeps {
   temporaryStore: TemporaryGrantStore;
   /** Credential materializer function. */
   materializeCredential: MaterializeCredentialFn;
+  /** Audit store for persisting token-free audit records. */
+  auditStore?: AuditStore;
+  /** Mutable reference to the session ID for audit records. Updated to the handshake session ID once the RPC handshake completes. */
+  sessionId?: SessionIdRef;
   /** CES operating mode (for toolstore path resolution). */
   cesMode?: CesMode;
   /** Egress proxy session start hooks (for creating the proxy server). */
@@ -228,6 +253,14 @@ export async function executeAuthenticatedCommand(
       success: false,
       error: grantResult.error,
       auditId,
+      approvalRequired: {
+        credentialHandle: request.credentialHandle,
+        bundleId: manifest.bundleId,
+        bundleDigest: request.bundleDigest,
+        profileName: request.profileName,
+        command: `${request.bundleDigest}/${request.profileName} ${request.argv.join(" ")}`.trim(),
+        purpose: request.purpose,
+      },
     };
   }
 
@@ -269,33 +302,17 @@ export async function executeAuthenticatedCommand(
     secrets: secretSet,
   };
 
-  // -- 6. Build auth adapter environment ------------------------------------
-  let adapterEnv: Record<string, string>;
-  let tempFilePath: string | undefined;
-  try {
-    const adapterResult = await buildAuthAdapterEnv(
-      manifest.authAdapter,
-      matResult.value,
-    );
-    adapterEnv = adapterResult.env;
-    tempFilePath = adapterResult.tempFilePath;
-  } catch (err) {
-    cleanupScratchDir(scratchDir);
-    return {
-      success: false,
-      error: `Auth adapter materialization failed: ${err instanceof Error ? err.message : String(err)}`,
-      auditId,
-    };
-  }
-
-  // -- 7. Start egress proxy (if proxy_required) ----------------------------
+  // -- 6. Start egress proxy (if proxy_required) ----------------------------
+  // The egress proxy must be started BEFORE the auth adapter runs, so that
+  // credential_process helpers execute under egress control (not in an
+  // uncontrolled network state).
   let proxyEnv: ProxyEnvVars | undefined;
   let proxySessionId: string | undefined;
   const sessionStore = deps.egressSessionStore ?? new SessionStore();
 
   if (manifest.egressMode === EgressMode.ProxyRequired) {
     if (!deps.egressHooks) {
-      cleanupAll(scratchDir, tempFilePath);
+      cleanupScratchDir(scratchDir);
       return {
         success: false,
         error: "Egress mode is proxy_required but no egress hooks were provided. " +
@@ -306,10 +323,19 @@ export async function executeAuthenticatedCommand(
 
     try {
       const conversationId = request.conversationId ?? `ces-cmd-${auditId}`;
+      // Carry the profile's allowedNetworkTargets into the session config
+      // so the egress proxy can enforce the allowlist.
+      const profile = manifest.commandProfiles[request.profileName];
+      const allowedTargets = profile?.allowedNetworkTargets?.map((t) => ({
+        host: t.hostPattern,
+        ...(t.ports ? { ports: t.ports } : {}),
+        ...(t.protocols ? { protocols: t.protocols } : {}),
+      }));
       const session = createSession(
         sessionStore,
         conversationId,
         [request.credentialHandle],
+        { allowedTargets },
       );
       const started = await startSession(
         sessionStore,
@@ -319,7 +345,7 @@ export async function executeAuthenticatedCommand(
       proxySessionId = started.id;
       proxyEnv = getSessionEnv(sessionStore, started.id);
     } catch (err) {
-      cleanupAll(scratchDir, tempFilePath);
+      cleanupScratchDir(scratchDir);
       return {
         success: false,
         error: `Egress proxy startup failed: ${err instanceof Error ? err.message : String(err)}`,
@@ -328,17 +354,148 @@ export async function executeAuthenticatedCommand(
     }
   }
 
+  // For no_network mode, block all outbound by pointing proxy vars at a
+  // non-existent address. This prevents subprocesses from making direct
+  // connections even without a running egress proxy.
+  let noNetworkEnv: Record<string, string> | undefined;
+  if (manifest.egressMode === EgressMode.NoNetwork) {
+    const blockedProxy = "http://127.0.0.1:0";
+    noNetworkEnv = {
+      HTTP_PROXY: blockedProxy,
+      HTTPS_PROXY: blockedProxy,
+      http_proxy: blockedProxy,
+      https_proxy: blockedProxy,
+      NO_PROXY: "",
+      no_proxy: "",
+    };
+  }
+
+  // -- 7. Build auth adapter environment ------------------------------------
+  // Pass proxy/no-network env vars so credential_process helpers also run
+  // under egress control.
+  let adapterEnv: Record<string, string>;
+  let tempFilePath: string | undefined;
+  try {
+    const adapterResult = await buildAuthAdapterEnv(
+      manifest.authAdapter,
+      matResult.value,
+      proxyEnv,
+      noNetworkEnv,
+    );
+    adapterEnv = adapterResult.env;
+    tempFilePath = adapterResult.tempFilePath;
+  } catch (err) {
+    // Stop the proxy session before returning — it may already be running
+    if (proxySessionId) {
+      try {
+        await stopSession(proxySessionId, sessionStore);
+      } catch {
+        // Best-effort proxy cleanup
+      }
+    }
+    cleanupScratchDir(scratchDir);
+    return {
+      success: false,
+      error: `Auth adapter materialization failed: ${err instanceof Error ? err.message : String(err)}`,
+      auditId,
+    };
+  }
+
   // -- 8. Build the execution environment -----------------------------------
-  const entrypointPath = join(
-    getBundleContentPath(toolstoreDir, request.bundleDigest),
-    "..",
-    manifest.entrypoint,
-  );
+  const bundleDir = dirname(getBundleContentPath(toolstoreDir, request.bundleDigest));
+  const entrypointPath = resolve(bundleDir, manifest.entrypoint);
+
+  // Containment check: entrypoint must resolve inside the bundle directory
+  // (lexical check for path traversal via ../)
+  if (!entrypointPath.startsWith(bundleDir + "/") && entrypointPath !== bundleDir) {
+    // Stop the proxy session before returning — it may already be running
+    if (proxySessionId) {
+      try {
+        await stopSession(proxySessionId, sessionStore);
+      } catch {
+        // Best-effort proxy cleanup
+      }
+    }
+    cleanupAll(scratchDir, tempFilePath);
+    return {
+      success: false,
+      error: `Entrypoint "${manifest.entrypoint}" resolves outside the bundle directory. ` +
+        `Path traversal is not allowed.`,
+      auditId,
+    };
+  }
+
+  // Symlink escape check: follow symlinks and verify the real path is
+  // still inside the bundle directory. A symlink entrypoint like
+  // `bin/tool -> /usr/bin/curl` passes the lexical check above but
+  // executes outside the bundle boundary.
+  let realEntrypointPath: string;
+  try {
+    realEntrypointPath = realpathSync(entrypointPath);
+  } catch {
+    // realpathSync fails if the file doesn't exist or is a broken symlink
+    if (proxySessionId) {
+      try {
+        await stopSession(proxySessionId, sessionStore);
+      } catch {
+        // Best-effort proxy cleanup
+      }
+    }
+    cleanupAll(scratchDir, tempFilePath);
+    return {
+      success: false,
+      error: `Entrypoint "${manifest.entrypoint}" could not be resolved (broken symlink or missing file).`,
+      auditId,
+    };
+  }
+  const realBundleDir = realpathSync(bundleDir);
+  if (!realEntrypointPath.startsWith(realBundleDir + "/") && realEntrypointPath !== realBundleDir) {
+    if (proxySessionId) {
+      try {
+        await stopSession(proxySessionId, sessionStore);
+      } catch {
+        // Best-effort proxy cleanup
+      }
+    }
+    cleanupAll(scratchDir, tempFilePath);
+    return {
+      success: false,
+      error: `Entrypoint "${manifest.entrypoint}" is a symlink that resolves to "${realEntrypointPath}", ` +
+        `which is outside the bundle directory. Symlink escape is not allowed.`,
+      auditId,
+    };
+  }
+
+  // Generate HOME path before buildCommandEnv so we have a known-safe value
+  // for cleanup. buildCommandEnv sets HOME after spreading adapterEnv to
+  // prevent auth adapters from overriding the isolated home directory.
+  const generatedHomeDir = join(tmpdir(), `ces-home-${randomUUID()}`);
+
+  // Create the HOME directory and enforce cleanConfigDirs before building env
+  try {
+    mkdirSync(generatedHomeDir, { recursive: true });
+    enforceCleanConfigDirs(manifest, generatedHomeDir);
+  } catch (err) {
+    if (proxySessionId) {
+      try {
+        await stopSession(proxySessionId, sessionStore);
+      } catch {
+        // Best-effort proxy cleanup
+      }
+    }
+    cleanupAll(scratchDir, tempFilePath, generatedHomeDir);
+    return {
+      success: false,
+      error: `Clean config dirs setup failed: ${err instanceof Error ? err.message : String(err)}`,
+      auditId,
+    };
+  }
 
   const commandEnv = buildCommandEnv(
     adapterEnv,
     proxyEnv,
-    manifest.cleanConfigDirs,
+    noNetworkEnv,
+    generatedHomeDir,
   );
 
   // -- 9. Execute the command -----------------------------------------------
@@ -400,7 +557,23 @@ export async function executeAuthenticatedCommand(
     }
   }
 
-  cleanupAll(scratchDir, tempFilePath);
+  cleanupAll(scratchDir, tempFilePath, generatedHomeDir);
+
+  // -- 12. Persist audit record -----------------------------------------------
+  if (deps.auditStore) {
+    const auditRecord: AuditRecordSummary = {
+      auditId,
+      grantId: grantResult.grantId ?? "unknown",
+      credentialHandle: request.credentialHandle,
+      toolName: "command",
+      target: `${request.bundleDigest}/${request.profileName}`,
+      sessionId: deps.sessionId?.current ?? "unknown",
+      success: execResult.success,
+      ...(execResult.error ? { errorMessage: execResult.error } : {}),
+      timestamp: new Date().toISOString(),
+    };
+    try { deps.auditStore.append(auditRecord); } catch { /* audit persistence must not block execution */ }
+  }
 
   return execResult;
 }
@@ -529,13 +702,25 @@ function checkGrant(
   persistentStore: PersistentGrantStore,
   temporaryStore: TemporaryGrantStore,
 ): GrantCheckResult {
-  // If an explicit grantId is provided, check it directly
+  // Build the full legacy command string for exact matching against legacy grants.
+  const legacyCommand = `${request.bundleDigest}/${profileName} ${request.argv.join(" ")}`.trim();
+
+  // If an explicit grantId is provided, check it directly — but verify
+  // that the grant's scope matches the current request. Without this
+  // check, an agent with a valid grant for one command/credential could
+  // reuse the grantId for a different command/credential (authorization
+  // bypass).
   if (request.grantId) {
     const grant = persistentStore.getById(request.grantId);
-    if (grant) {
+    if (
+      grant &&
+      grant.tool === "command" &&
+      grant.scope === request.credentialHandle &&
+      grantMatchesCommand(grant.pattern, request.credentialHandle, request.bundleDigest, profileName, legacyCommand)
+    ) {
       return { ok: true, grantId: grant.id };
     }
-    // Explicit grant not found — fall through to pattern matching
+    // Explicit grant not found or does not match this request — fall through to pattern matching
   }
 
   // Check persistent grants for a matching command grant
@@ -544,18 +729,23 @@ function checkGrant(
     if (
       grant.tool === "command" &&
       grant.scope === request.credentialHandle &&
-      grantMatchesCommand(grant.pattern, manifest.bundleId, profileName)
+      grantMatchesCommand(grant.pattern, request.credentialHandle, request.bundleDigest, profileName, legacyCommand)
     ) {
       return { ok: true, grantId: grant.id };
     }
   }
 
-  // Check temporary grants
-  const proposalHash = computeCommandProposalHash(
-    request.credentialHandle,
-    manifest.bundleId,
-    profileName,
-  );
+  // Check temporary grants — build the same proposal shape that the
+  // approval bridge produces, then hash with the canonical algorithm
+  // from `@vellumai/ces-contracts` so the hashes align.
+  const tempProposal: CommandGrantProposal = {
+    type: "command",
+    credentialHandle: request.credentialHandle,
+    command: `${request.bundleDigest}/${profileName} ${request.argv.join(" ")}`.trim(),
+    purpose: request.purpose,
+    allowedCommandPatterns: [`${request.credentialHandle}:${request.bundleDigest}:${profileName}`],
+  };
+  const proposalHash = hashProposal(tempProposal);
   const tempKind = temporaryStore.checkAny(
     proposalHash,
     request.conversationId,
@@ -575,29 +765,38 @@ function checkGrant(
 /**
  * Check if a persistent grant pattern matches a command invocation.
  *
- * Grant patterns for commands use the format: `<bundleId>/<profileName>`.
+ * Grant patterns for commands can be stored in two formats:
+ * 1. Canonical: `<credentialHandle>:<bundleDigest>:<profileName>` (from allowedCommandPatterns)
+ * 2. Legacy:    `<bundleDigest>/<profileName> <argv...>` (from proposal.command fallback)
+ *
+ * The legacy format exists because older grants were persisted using
+ * `proposal.command` before `allowedCommandPatterns` was introduced.
+ * Credential scope is already verified by the caller (`grant.scope === credentialHandle`),
+ * so for legacy patterns we match the full command string (including argv) to prevent
+ * a grant for one argv from authorizing a different argv on the same profile.
  */
 function grantMatchesCommand(
   pattern: string,
-  bundleId: string,
+  credentialHandle: string,
+  bundleDigest: string,
   profileName: string,
+  legacyCommand: string,
 ): boolean {
-  return pattern === `${bundleId}/${profileName}`;
-}
+  // Canonical format: <credentialHandle>:<bundleDigest>:<profileName>
+  if (pattern === `${credentialHandle}:${bundleDigest}:${profileName}`) {
+    return true;
+  }
 
-/**
- * Compute a deterministic hash for temporary grant lookup.
- */
-function computeCommandProposalHash(
-  credentialHandle: string,
-  bundleId: string,
-  profileName: string,
-): string {
-  const parts = ["command", credentialHandle, bundleId, profileName];
-  const canonical = JSON.stringify(parts);
-  return createHash("sha256").update(canonical, "utf8").digest("hex");
+  // Legacy format: <bundleDigest>/<profileName> <argv...>
+  // Match the full legacy command string exactly to prevent approval scope widening.
+  if (pattern === legacyCommand) {
+    return true;
+  }
+
+  return false;
 }
 
+
 // ---------------------------------------------------------------------------
 // Internal: Auth adapter environment construction
 // ---------------------------------------------------------------------------
@@ -612,6 +811,8 @@ interface AuthAdapterEnvResult {
 async function buildAuthAdapterEnv(
   adapter: AuthAdapterConfig,
   credentialValue: string,
+  proxyEnv?: ProxyEnvVars,
+  noNetworkEnv?: Record<string, string>,
 ): Promise<AuthAdapterEnvResult> {
   // Validate adapter config
   const errors = validateAuthAdapterConfig(adapter);
@@ -646,12 +847,16 @@ async function buildAuthAdapterEnv(
     }
 
     case AuthAdapterType.CredentialProcess: {
-      // Run the helper command and capture its stdout
+      // Run the helper command and capture its stdout.
+      // Proxy env vars are forwarded so the helper runs under the same
+      // egress control as the main command.
       const timeoutMs = adapter.timeoutMs ?? CREDENTIAL_PROCESS_TIMEOUT_MS;
       const helperResult = await runCredentialProcess(
         adapter.helperCommand,
         credentialValue,
         timeoutMs,
+        proxyEnv,
+        noNetworkEnv,
       );
       if (!helperResult.ok) {
         throw new Error(
@@ -677,23 +882,77 @@ async function buildAuthAdapterEnv(
  */
 async function runCredentialProcess(
   helperCommand: string,
-  _credentialValue: string,
+  credentialValue: string,
   timeoutMs: number,
+  proxyEnv?: ProxyEnvVars,
+  noNetworkEnv?: Record<string, string>,
 ): Promise<{ ok: true; stdout: string } | { ok: false; error: string }> {
+  // Defense-in-depth: re-check denied binary and metacharacters at execution
+  // time, mirroring the validator's static checks. If a manifest was tampered
+  // with after validation, this blocks execution before spawning the shell.
+  if (containsShellMetacharacters(helperCommand)) {
+    return {
+      ok: false,
+      error: `Credential process helperCommand contains shell metacharacters. ` +
+        `Command chaining operators are not allowed.`,
+    };
+  }
+
+  const helperBinary = extractShellBinary(helperCommand);
+  if (isDeniedBinary(helperBinary)) {
+    return {
+      ok: false,
+      error: `Credential process helperCommand starts with denied binary "${helperBinary}". ` +
+        `Generic HTTP clients, interpreters, and shell trampolines cannot be used as credential helpers.`,
+    };
+  }
+
   try {
+    // Build a minimal environment for the helper. No host env is inherited,
+    // but egress proxy or no-network env vars are injected so the helper
+    // runs under the same network controls as the main command.
+    const helperEnv: Record<string, string> = {};
+
+    if (proxyEnv) {
+      helperEnv["HTTP_PROXY"] = proxyEnv.HTTP_PROXY;
+      helperEnv["HTTPS_PROXY"] = proxyEnv.HTTPS_PROXY;
+      helperEnv["NO_PROXY"] = proxyEnv.NO_PROXY;
+      helperEnv["http_proxy"] = proxyEnv.HTTP_PROXY;
+      helperEnv["https_proxy"] = proxyEnv.HTTPS_PROXY;
+      helperEnv["no_proxy"] = proxyEnv.NO_PROXY;
+      if (proxyEnv.NODE_EXTRA_CA_CERTS) {
+        helperEnv["NODE_EXTRA_CA_CERTS"] = proxyEnv.NODE_EXTRA_CA_CERTS;
+      }
+      if (proxyEnv.SSL_CERT_FILE) {
+        helperEnv["SSL_CERT_FILE"] = proxyEnv.SSL_CERT_FILE;
+      }
+    }
+
+    if (noNetworkEnv) {
+      Object.assign(helperEnv, noNetworkEnv);
+    }
+
     const proc = Bun.spawn(["sh", "-c", helperCommand], {
       stdin: "pipe",
       stdout: "pipe",
       stderr: "pipe",
-      env: {}, // Clean environment — no secrets leaked
+      env: helperEnv,
     });
 
-    // Close stdin immediately — the helper reads only from its argv/config
+    // Write the credential value to stdin for the helper to consume
+    proc.stdin.write(credentialValue);
     proc.stdin.end();
 
     const timeoutSignal = AbortSignal.timeout(timeoutMs);
-    const exitCode = await Promise.race([
-      proc.exited,
+
+    // Consume stdout/stderr concurrently with waiting for exit to avoid
+    // pipe buffer deadlocks when the helper produces large output.
+    const [exitCode, stdout, stderr] = await Promise.race([
+      Promise.all([
+        proc.exited,
+        new Response(proc.stdout).text(),
+        new Response(proc.stderr).text(),
+      ]),
       new Promise<never>((_, reject) => {
         timeoutSignal.addEventListener("abort", () => {
           proc.kill();
@@ -702,9 +961,6 @@ async function runCredentialProcess(
       }),
     ]);
 
-    const stdout = await new Response(proc.stdout).text();
-    const stderr = await new Response(proc.stderr).text();
-
     if (exitCode !== 0) {
       return {
         ok: false,
@@ -740,15 +996,17 @@ async function runCredentialProcess(
 function buildCommandEnv(
   adapterEnv: Record<string, string>,
   proxyEnv?: ProxyEnvVars,
-  _cleanConfigDirs?: Record<string, string>,
+  noNetworkEnv?: Record<string, string>,
+  homeDir?: string,
 ): Record<string, string> {
   const env: Record<string, string> = {
-    // Minimal baseline environment
+    // Inject auth adapter env vars first so they cannot override protected keys
+    ...adapterEnv,
+    // PATH, LANG, and HOME are set after adapterEnv spread to prevent auth
+    // adapters from overriding baseline environment invariants.
     PATH: process.env["PATH"] ?? "/usr/local/bin:/usr/bin:/bin",
-    HOME: join(tmpdir(), `ces-home-${randomUUID()}`),
     LANG: "en_US.UTF-8",
-    // Inject auth adapter env vars
-    ...adapterEnv,
+    HOME: homeDir ?? join(tmpdir(), `ces-home-${randomUUID()}`),
   };
 
   // Inject proxy env vars if the egress proxy is active
@@ -767,9 +1025,55 @@ function buildCommandEnv(
     }
   }
 
+  // For no_network mode, inject proxy vars pointing at a dead address to
+  // block direct outbound connections from the subprocess.
+  if (noNetworkEnv) {
+    Object.assign(env, noNetworkEnv);
+  }
+
   return env;
 }
 
+// ---------------------------------------------------------------------------
+// Internal: Clean config dirs enforcement
+// ---------------------------------------------------------------------------
+
+/**
+ * Enforce the manifest's `cleanConfigDirs` contract by creating empty
+ * directories under the temp HOME directory.
+ *
+ * For each entry in `cleanConfigDirs`:
+ * - `~/`-prefixed paths are resolved relative to the temp HOME dir and
+ *   created as empty directories. This ensures the command finds an empty
+ *   config directory instead of reading host config that might contain secrets.
+ * - Absolute paths (not `~/`-prefixed) are skipped for v1 — they would
+ *   require filesystem-level isolation (bind mounts, overlayfs).
+ */
+function enforceCleanConfigDirs(
+  manifest: SecureCommandManifest,
+  homeDir: string,
+): void {
+  const dirs = manifest.cleanConfigDirs;
+  if (!dirs) return;
+
+  for (const dirPath of Object.keys(dirs)) {
+    // Only handle ~/‑prefixed paths for v1
+    if (dirPath.startsWith("~/")) {
+      const relativePath = dirPath.slice(2); // strip "~/"
+      const resolvedPath = resolve(homeDir, relativePath);
+      // Containment check: resolved path must stay inside homeDir
+      if (!resolvedPath.startsWith(homeDir + "/") && resolvedPath !== homeDir) {
+        continue; // Skip paths that escape the home directory
+      }
+      mkdirSync(resolvedPath, { recursive: true });
+    } else if (dirPath === "~") {
+      // "~" alone is just the home dir itself, already created
+      continue;
+    }
+    // Absolute paths are skipped — would require filesystem-level isolation
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Internal: Command execution
 // ---------------------------------------------------------------------------
@@ -795,11 +1099,14 @@ async function runCommand(
     stderr: "pipe",
   });
 
-  const exitCode = await proc.exited;
-
-  // Capture stdout and stderr with size limits
-  const stdoutRaw = await new Response(proc.stdout).text();
-  const stderrRaw = await new Response(proc.stderr).text();
+  // Consume stdout/stderr concurrently with waiting for exit to avoid
+  // pipe buffer deadlocks when the command produces output exceeding the
+  // OS pipe buffer size (~64KB).
+  const [exitCode, stdoutRaw, stderrRaw] = await Promise.all([
+    proc.exited,
+    new Response(proc.stdout).text(),
+    new Response(proc.stderr).text(),
+  ]);
 
   const stdout = stdoutRaw.length > maxOutputBytes
     ? stdoutRaw.slice(0, maxOutputBytes) + "\n[output truncated]"
@@ -823,7 +1130,7 @@ async function runCommand(
 // Internal: Cleanup helpers
 // ---------------------------------------------------------------------------
 
-function cleanupAll(scratchDir: string, tempFilePath?: string): void {
+function cleanupAll(scratchDir: string, tempFilePath?: string, homeDir?: string): void {
   // Clean up temp auth file
   if (tempFilePath) {
     try {
@@ -835,6 +1142,15 @@ function cleanupAll(scratchDir: string, tempFilePath?: string): void {
     }
   }
 
+  // Clean up per-execution HOME temp directory
+  if (homeDir) {
+    try {
+      rmSync(homeDir, { recursive: true, force: true });
+    } catch {
+      // Best-effort cleanup
+    }
+  }
+
   // Clean up scratch directory
   cleanupScratchDir(scratchDir);
 }