
Conversation


@Mossaka Mossaka commented Feb 12, 2026

Summary

Addresses CVE-003 from #197 (MCP Server Compromise Test Results).

PR #706 hid /tmp/gh-aw/mcp-logs/ from agent containers using tmpfs overlay mounts, but missed /tmp/gh-aw/mcp-config/, which may contain MCP server configuration files with tokens and credentials. A compromised MCP server or prompt injection attack could read these files to exfiltrate secrets.

This PR adds the same tmpfs hiding pattern for /tmp/gh-aw/mcp-config/ in both normal and chroot modes, making the directory appear empty inside the agent container.

Changes

  • Add tmpfs mounts for /tmp/gh-aw/mcp-config (normal mode) and /host/tmp/gh-aw/mcp-config (chroot mode) alongside the existing mcp-logs mounts

Issue #197 Pentest Findings Status

Finding                                    Status
CVE-001: API key via /proc/1/environ       Already mitigated (one-shot-token LD_PRELOAD)
CVE-002: HTTP/HTTPS exfiltration           Already mitigated (Squid proxy domain filtering)
CVE-003: MCP config directory exposed      Fixed in this PR
CVE-004: DNS tunneling                     Partially mitigated (--dns-servers restriction)

Test plan

  • npm run build passes
  • npm test passes (743 tests)
  • npm run lint passes (0 errors)
  • CI passes

🤖 Generated with Claude Code

PR #706 hid /tmp/gh-aw/mcp-logs/ from agent containers using tmpfs
mounts but missed /tmp/gh-aw/mcp-config/, which may contain MCP server
configuration with tokens and credentials (CVE-003 from issue #197).

Apply the same tmpfs hiding pattern for mcp-config in both normal and
chroot modes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 12, 2026 05:24

github-actions bot commented Feb 12, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤


github-actions bot commented Feb 12, 2026

Chroot tests failed Smoke Chroot failed - See logs for details.


github-actions bot commented Feb 12, 2026

💫 TO BE CONTINUED... Smoke Claude was cancelled! Our hero faces unexpected challenges...


github-actions bot commented Feb 12, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...


github-actions bot commented Feb 12, 2026

✅ Coverage Check Passed

Overall Coverage

Metric        Base      PR        Delta
Lines         82.25%    82.41%    📈 +0.16%
Statements    82.30%    82.46%    📈 +0.16%
Functions     82.14%    82.14%    ➡️ +0.00%
Branches      74.70%    74.80%    📈 +0.10%

📁 Per-file Coverage Changes (1 file)

File                     Lines (Before → After)       Statements (Before → After)
src/docker-manager.ts    83.5% → 84.2% (+0.67%)       82.9% → 83.6% (+0.65%)

Coverage comparison generated by scripts/ci/compare-coverage.ts


Copilot AI left a comment


Pull request overview

This PR mitigates CVE-003 by preventing agent containers from reading MCP server configuration files under /tmp/gh-aw/mcp-config/, using the same tmpfs “empty overlay” approach already used for /tmp/gh-aw/mcp-logs/.

Changes:

  • Add tmpfs overlays for /tmp/gh-aw/mcp-config in normal mode.
  • Add tmpfs overlays for /tmp/gh-aw/mcp-config and /host/tmp/gh-aw/mcp-config in chroot mode.
  • Update inline documentation around the tmpfs hiding behavior.
Comments suppressed due to low confidence (1)

src/docker-manager.ts:736

  • This introduces new security behavior (hiding /tmp/gh-aw/mcp-config) but there are integration tests covering only the mcp-logs tmpfs hiding. Add similar tests to verify mcp-config is hidden in both normal and chroot modes, and that reading a known file path under it fails (tmpfs is empty).
    // Hide /tmp/gh-aw/mcp-logs and /tmp/gh-aw/mcp-config directories using tmpfs
    // (empty in-memory filesystems) to prevent the agent from accessing MCP server
    // logs and configuration (which may contain tokens/credentials).
    // For normal mode: hide /tmp/gh-aw/mcp-logs and /tmp/gh-aw/mcp-config
    // For chroot mode: hide both paths and their /host/ equivalents
    tmpfs: config.enableChroot
      ? [
          '/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m',
          '/host/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m',
          '/tmp/gh-aw/mcp-config:rw,noexec,nosuid,size=1m',
          '/host/tmp/gh-aw/mcp-config:rw,noexec,nosuid,size=1m',
        ]
      : [
          '/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m',
          '/tmp/gh-aw/mcp-config:rw,noexec,nosuid,size=1m',
        ],


Comment on lines 726 to +736
tmpfs: config.enableChroot
? [
'/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m',
'/host/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m',
'/tmp/gh-aw/mcp-config:rw,noexec,nosuid,size=1m',
'/host/tmp/gh-aw/mcp-config:rw,noexec,nosuid,size=1m',
]
: ['/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m'],
: [
'/tmp/gh-aw/mcp-logs:rw,noexec,nosuid,size=1m',
'/tmp/gh-aw/mcp-config:rw,noexec,nosuid,size=1m',
],
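Review bot: the non-chroot branch at the end of this hunk adds only the /tmp/gh-aw/... overlays and no /host/tmp/gh-aw/... twins, although /host is also mounted outside chroot mode when allowFullFilesystemAccess is set (as the Copilot comment on this hunk points out); the /host overlays should be gated on whether /host is mounted rather than on config.enableChroot alone. The four specs are also the same literal repeated with a path prefix, which is exactly how mcp-config was missed when mcp-logs was hidden in PR #706; deriving both branches from a single list of hidden directories ('/tmp/gh-aw/mcp-logs', '/tmp/gh-aw/mcp-config') and appending the /host twin per entry would make the next sensitive directory a one-line addition.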

Copilot AI Feb 12, 2026


In non-chroot mode with allowFullFilesystemAccess enabled, the host filesystem is mounted at /host, so /host/tmp/gh-aw/mcp-config (and /host/tmp/gh-aw/mcp-logs) would still be readable from inside the agent container. If these directories are meant to be hidden regardless of chroot mode, consider adding tmpfs overlays for the /host/... paths whenever /host is mounted (e.g., when allowFullFilesystemAccess is true), not only when enableChroot is true.

This issue also appears on line 721 of the same file.

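An added example, not code from the gh-aw project: it builds the tmpfs overlay list that the PR description and the Copilot comment above discuss, and audits a mount list for both gaps (mcp-config missing before this PR, and the /host twins missing when /host is mounted outside chroot mode). Only the names enableChroot and allowFullFilesystemAccess come from the page; the config interface and the function names are assumptions.

```typescript
// Added example, not the gh-aw project's code. Builds the tmpfs overlay specs
// that make the MCP logs/config directories appear empty inside the agent
// container, and audits a mount list for the gaps discussed in this PR.
// Hypothetical config shape; only the two field names are quoted on the page.
export interface AgentContainerConfig {
  enableChroot: boolean;
  allowFullFilesystemAccess: boolean;
}

// Every directory holding MCP server material the agent must not read lives
// in this single list, so a new sensitive directory is added exactly once.
export const HIDDEN_DIRS: readonly string[] = [
  "/tmp/gh-aw/mcp-logs",
  "/tmp/gh-aw/mcp-config",
];

// Writable (the agent may still create files), nothing executable or setuid,
// capped at 1 MiB. The overlay hides the host contents; nothing is copied in.
const TMPFS_OPTS = "rw,noexec,nosuid,size=1m";

// /host is present in chroot mode and, per the review comment, also when full
// filesystem access is enabled, so the /host twins are keyed on that rather
// than on enableChroot alone.
export function hostIsMounted(config: AgentContainerConfig): boolean {
  return config.enableChroot || config.allowFullFilesystemAccess;
}

// Paths that must be overlaid for the given mode, in container-path order.
export function requiredHiddenPaths(config: AgentContainerConfig): string[] {
  const paths: string[] = [];
  for (const dir of HIDDEN_DIRS) {
    paths.push(dir);
    if (hostIsMounted(config)) paths.push("/host" + dir);
  }
  return paths;
}

// "path:options" tmpfs specs in the format the PR's tmpfs array uses.
export function hiddenTmpfsMounts(config: AgentContainerConfig): string[] {
  return requiredHiddenPaths(config).map((p) => p + ":" + TMPFS_OPTS);
}

// Returns the required paths that a given tmpfs list leaves uncovered; an
// empty result means no MCP directory is exposed in that mode.
export function missingOverlays(config: AgentContainerConfig, tmpfs: readonly string[]): string[] {
  const covered = tmpfs.map((spec) => spec.split(":")[0]);
  return requiredHiddenPaths(config).filter((p) => covered.indexOf(p) === -1);
}
```

Running missingOverlays against the pre-PR list from the diff reports /tmp/gh-aw/mcp-config, and running it against this PR's non-chroot list with allowFullFilesystemAccess set reports the two /host twins.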
@github-actions

Go Build Test Results ✅

All Go projects built and tested successfully.

Project Download Tests Status
color 1/1 PASS ✅
env 1/1 PASS ✅
uuid 1/1 PASS ✅

Overall: PASS ✅

AI generated by Build Test Go

@github-actions

C++ Build Test Results

Project CMake Build Status
fmt PASS
json PASS

Overall: PASS

All C++ projects built successfully.

AI generated by Build Test C++

@github-actions

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Successfully retrieved merged PRs
  • ✅ Playwright: Page title contains "GitHub"
  • ✅ File Creation: Test file created successfully
  • ✅ Bash Tools: File verified with cat

Overall Status: PASS

cc @Mossaka @lpcox

AI generated by Smoke Copilot

@github-actions

Node.js Build Test Results

Project Install Tests Status
clsx PASS PASS
execa PASS PASS
p-limit PASS PASS

Overall: PASS

All Node.js projects successfully installed dependencies and passed their test suites.

AI generated by Build Test Node.js

@github-actions

Rust Build Test Results

Project Build Tests Status
fd 1/1 PASS
zoxide 1/1 PASS

Overall: PASS

All Rust projects built successfully and all tests passed.

AI generated by Build Test Rust

@github-actions

Deno Build Test Results

Project Tests Status
oak 1/1 ✅ PASS
std 1/1 ✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

@github-actions

.NET Build Test Results

Project Restore Build Run Status
hello-world PASS
json-parse PASS

Overall: PASS

All .NET projects successfully restored dependencies, built, and executed.

AI generated by Build Test .NET

@github-actions

Java Build Test Results ✅

All Java projects successfully compiled and tested through AWF firewall.

Project Compile Tests Status
gson 1/1 PASS
caffeine 1/1 PASS

Overall: PASS


Test Details

gson

  • Compile: SUCCESS (3.162s)
  • Tests run: 1, Failures: 0, Errors: 0, Skipped: 0

caffeine

  • Compile: SUCCESS (0.824s)
  • Tests run: 1, Failures: 0, Errors: 0, Skipped: 0

AI generated by Build Test Java


github-actions bot commented Feb 12, 2026

Chroot tests failed Smoke Chroot failed - See logs for details.


github-actions bot commented Feb 12, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@Mossaka Mossaka closed this Feb 12, 2026

github-actions bot commented Feb 12, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...


github-actions bot commented Feb 12, 2026

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

@github-actions

C++ Build Test Results

Project CMake Build Status
fmt PASS
json PASS

Overall: PASS

All C++ projects built successfully.

AI generated by Build Test C++

@github-actions

Rust Build Test Results

Project Build Tests Status
fd 1/1 PASS
zoxide 1/1 PASS

Overall: PASS

All Rust projects built and tested successfully.

AI generated by Build Test Rust

@github-actions

Bun Build Test Results

Project Install Tests Status
elysia 1/1 PASS
hono 1/1 PASS

Overall: PASS

All Bun projects built and tested successfully.

AI generated by Build Test Bun

@github-actions

Smoke Test Results ✅

Last 2 Merged PRs:

Tests:

  • ✅ GitHub MCP (retrieved PR titles)
  • ✅ Playwright (verified GitHub homepage title)
  • ✅ File write (smoke-test-copilot-21934813738.txt)
  • ✅ Bash tool (verified file creation)

Status: PASS

cc @Mossaka

AI generated by Smoke Copilot

@github-actions

Go Build Test Results

Project Download Tests Status
color 1/1 PASS
env 1/1 PASS
uuid 1/1 PASS

Overall: PASS

All Go projects successfully downloaded dependencies and passed tests.

AI generated by Build Test Go

@github-actions

Deno Build Test Results

Project Tests Status
oak 1/1 ✅ PASS
std 1/1 ✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

@github-actions

Build Test: Node.js - Results

Project Install Tests Status
clsx PASS ✅ PASS
execa PASS ✅ PASS
p-limit PASS ✅ PASS

Overall: ✅ PASS

All Node.js projects built and tested successfully.

AI generated by Build Test Node.js

@github-actions

.NET Build Test Results

Project Restore Build Run Status
hello-world PASS
json-parse PASS

Overall: PASS

All .NET projects built and ran successfully.

AI generated by Build Test .NET

@github-actions

✅ Java Build Test Results

Project Compile Tests Status
gson 1/1 PASS
caffeine 1/1 PASS

Overall: PASS

All Java projects successfully compiled and tested through the firewall with Maven proxy configuration.

AI generated by Build Test Java
