fix(security): force sandbox browser hash migration and audit stale labels

2026-05-09 05:07:38 +00:00 · 2026-02-21 13:25:35 +01:00
parent b2d84528f8
commit 1835dec200
12 changed files with 254 additions and 6 deletions
--- a/src/agents/sandbox/config-hash.test.ts
+++ b/src/agents/sandbox/config-hash.test.ts
@@ -115,6 +115,7 @@ describe("computeSandboxBrowserConfigHash", () => {
        headless: false,
        enableNoVnc: true,
      },
+      securityEpoch: "epoch-v1",
      workspaceAccess: "rw" as const,
      workspaceDir: "/tmp/workspace",
      agentWorkspaceDir: "/tmp/workspace",
@@ -133,4 +134,29 @@ describe("computeSandboxBrowserConfigHash", () => {
    });
    expect(left).not.toBe(right);
  });
+
+  it("changes when security epoch changes", () => {
+    const shared = {
+      docker: createDockerConfig(),
+      browser: {
+        cdpPort: 9222,
+        vncPort: 5900,
+        noVncPort: 6080,
+        headless: false,
+        enableNoVnc: true,
+      },
+      workspaceAccess: "rw" as const,
+      workspaceDir: "/tmp/workspace",
+      agentWorkspaceDir: "/tmp/workspace",
+    };
+    const left = computeSandboxBrowserConfigHash({
+      ...shared,
+      securityEpoch: "epoch-v1",
+    });
+    const right = computeSandboxBrowserConfigHash({
+      ...shared,
+      securityEpoch: "epoch-v2",
+    });
+    expect(left).not.toBe(right);
+  });
 });