fix(security): bind node system.run approvals to env

src/infra/exec-approval-forwarder.ts

@@ -175,6 +175,9 @@ function buildRequestMessage(request: ExecApprovalRequest, nowMs: number) {
   if (request.request.nodeId) {
     lines.push(`Node: ${request.request.nodeId}`);
   }
+  if (Array.isArray(request.request.envKeys) && request.request.envKeys.length > 0) {
+    lines.push(`Env overrides: ${request.request.envKeys.join(", ")}`);
+  }
   if (request.request.host) {
     lines.push(`Host: ${request.request.host}`);
   }

src/infra/exec-approvals.ts

@@ -14,6 +14,8 @@ export type ExecAsk = "off" | "on-miss" | "always";
 export type ExecApprovalRequestPayload = {
   command: string;
   commandArgv?: string[];
+  envHash?: string | null;
+  envKeys?: string[];
   cwd?: string | null;
   nodeId?: string | null;
   host?: string | null;

src/infra/host-env-security-policy.json

@@ -10,6 +10,7 @@
     "RUBYOPT",
     "BASH_ENV",
     "ENV",
+    "GIT_EXTERNAL_DIFF",
     "SHELL",
     "SHELLOPTS",
     "PS4",

src/infra/host-env-security.test.ts

@@ -16,6 +16,7 @@ describe("isDangerousHostEnvVarName", () => {
     expect(isDangerousHostEnvVarName("BASH_ENV")).toBe(true);
     expect(isDangerousHostEnvVarName("bash_env")).toBe(true);
     expect(isDangerousHostEnvVarName("SHELL")).toBe(true);
+    expect(isDangerousHostEnvVarName("GIT_EXTERNAL_DIFF")).toBe(true);
     expect(isDangerousHostEnvVarName("SHELLOPTS")).toBe(true);
     expect(isDangerousHostEnvVarName("ps4")).toBe(true);
     expect(isDangerousHostEnvVarName("DYLD_INSERT_LIBRARIES")).toBe(true);
@@ -32,6 +33,7 @@ describe("sanitizeHostExecEnv", () => {
       baseEnv: {
         PATH: "/usr/bin:/bin",
         BASH_ENV: "/tmp/pwn.sh",
+        GIT_EXTERNAL_DIFF: "/tmp/pwn.sh",
         LD_PRELOAD: "/tmp/pwn.so",
         OK: "1",
       },