fix(security): persist voice-call replay protection

2026-04-03 05:12:15 +00:00 · 2026-03-13 00:44:11 +00:00
parent fc6682d525
commit 520d2129be
6 changed files with 199 additions and 12 deletions
--- a/src/agents/bash-tools.exec.ts
+++ b/src/agents/bash-tools.exec.ts
@@ -293,10 +293,11 @@ export function createExecTool(
      }

      const baseEnv = coerceEnv(process.env);
+      const isHostExecution = !sandbox || host === "gateway" || host === "node";

-      // Logic: Sandbox gets raw env. Host (gateway/node) must pass validation.
-      // We validate BEFORE merging to prevent any dangerous vars from entering the stream.
-      if (host !== "sandbox" && params.env) {
+      // When sandboxing is disabled, host=sandbox still executes on the gateway host.
+      // Validate dangerous env overrides on every real host execution path.
+      if (isHostExecution && params.env) {
        validateHostEnv(params.env);
      }