Security Hardening
Runtime boundaries
Section titled “Runtime boundaries”Automatic auth does not make credentials ambient. Junior still keeps command execution, credential minting, and OAuth state handling in separate trust boundaries.
- User-influenced command execution runs in sandboxed environments.
- Harness/runtime resolves target context and decides whether a command receives credentials.
- Credential minting and sandbox command execution stay separate even when injection is automatic.
Credential handling
Section titled “Credential handling”Operators should assume provider access is fetched just in time, not kept as session-wide sandbox state.
- Use short-lived scoped credentials.
- Let registered plugin providers determine which credentials may be injected for matching domains.
- Fetch credentials from the host when sandbox traffic hits a declared provider domain.
- Keep sandbox egress authorization bound to the requester context, sandbox VM session, and forwarded provider domain.
- Mint provider credentials lazily at the egress proxy, not when a plugin loads or a command starts.
- Do not guess provider intent from command text for token scoping; use request-time provider/domain matching.
- Inject scoped auth at the host proxy boundary instead of exposing raw tokens.
OAuth handling
Section titled “OAuth handling”- Deliver auth links privately to requesting users.
- Keep token exchange server-side.
- Store tokens per user/provider scope and resume the blocked request after authorization.
Incident checklist
Section titled “Incident checklist”- Confirm no token values in logs/traces/output.
- Confirm OAuth links were not publicly posted and the callback state matched the requesting user.
- Confirm credential injection happened only for the expected command and target.
- Confirm sandbox session never received raw auth secrets or reusable long-lived tokens.
Next step
Section titled “Next step”Continue with Config & Environment to validate deployment defaults, then use Reliability Runbooks for incident response.