fix(sandbox): cover home credential bind audit

2026-05-05 16:10:24 +00:00 · 2026-04-04 20:24:55 +09:00
parent 3ec0463da9
commit 46cb493ac8
2 changed files with 23 additions and 0 deletions
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -1562,6 +1562,28 @@ describe("security audit", () => {
          { checkId: "sandbox.dangerous_apparmor_profile", severity: "critical" },
        ],
      },
+      {
+        name: "home credential bind is treated as dangerous",
+        cfg: {
+          agents: {
+            defaults: {
+              sandbox: {
+                mode: "all",
+                docker: {
+                  binds: [path.join(isolatedHome, ".docker", "config.json") + ":/mnt/docker:ro"],
+                },
+              },
+            },
+          },
+        } as OpenClawConfig,
+        expectedFindings: [
+          {
+            checkId: "sandbox.dangerous_bind_mount",
+            severity: "critical",
+            title: "Dangerous bind mount in sandbox config",
+          },
+        ],
+      },
      {
        name: "container namespace join network mode",
        cfg: {