Skip to content

feat(agent-isolation): expose harness-agnostic agent-iso entry point#764

Merged
potiuk merged 4 commits into
apache:mainfrom
justinmclean:harness-posture-portability
Jul 8, 2026
Merged

feat(agent-isolation): expose harness-agnostic agent-iso entry point#764
potiuk merged 4 commits into
apache:mainfrom
justinmclean:harness-posture-portability

Conversation

@justinmclean

Copy link
Copy Markdown
Member

Summary

The env-isolation core of agent-iso.sh already worked for any CLI; this makes that capability explicit and documented:

  • Add agent-iso() shell function (sourced) and a sub-command mode bash agent-iso.sh agent-iso <cli> [args] (direct exec) so any harness CLI can be launched with the same credential-strip posture that claude-iso and opencode-iso provide. A symlink named agent-iso (no .sh extension) also works — first positional arg is the CLI name.
  • The Claude-specific --settings sandbox allowRead injection continues to be skipped for all non-claude agents (guard was already in place).
  • Change **Harness:** Claude Code, OpenCode**Harness:** agnostic in tools/agent-isolation/README.md; the env-isolation layer is now available for Codex, Cursor, Gemini CLI, Aider, and any future CLI.
  • Update docs/vendor-neutrality.md harness table and harness index to reflect agent-isolation moving from portable to agnostic; the hook regenerates the score section automatically.
  • Update docs/adapters/add-a-harness.md Step 2 and Step 4 to document agent-iso <cli> as the ready-made layer-0 wrapper for runtimes without a built-in hook API.
  • Add tests/test_generic_iso.py covering both the direct-exec and sourced entry points: credential strip, no --settings injection, banner, missing-CLI exit-127, no-CLI-arg usage message, and multiple harness names (codex/cursor/gemini).

All 72 agent-isolation tests pass; vendor-neutrality-score and skill-and-tool-validate both pass.

Generated-by: Claude (claude-sonnet-4-6)

Type of change

  • Skill change (.claude/skills/<name>/) — eval fixtures updated below
  • Tool / bridge contract (tools/<system>/*.md)
  • Python package (tools/*/ with pyproject.toml)
  • Groovy reference impl
  • Cross-cutting (RFC, AGENTS.md, sandbox, privacy-LLM)
  • Documentation (docs/, README.md, CONTRIBUTING.md)
  • Project template (projects/_template/)
  • CI / dev loop (prek, workflows, validators)
  • Other:

Test plan

  • prek run --all-files passes
  • For Python packages touched: uv run pytest / ruff check / mypy passes
  • For Groovy bridges touched: command-line invocation tested end-to-end
  • For skill changes: eval suite passes for the affected skill
    (PYTHONPATH=tools/skill-evals/src python3 -m skill_evals.runner tools/skill-evals/evals/<skill>/)
  • For skill behaviour changes: a new or updated eval fixture is included in this PR
    (a regression test for the bug fixed / the behaviour added — see CONTRIBUTING.md)
  • Other:

@justinmclean justinmclean self-assigned this Jul 6, 2026

@potiuk potiuk left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving — a solid, well-tested extension of the isolation launcher to arbitrary harnesses. The credential-strip (env -i allowlist) is sound, the -w control-flag stripping for non-Claude agents is a nice touch, and coverage is strong (both entry points, symlink, strip, SSH_AUTH_SOCK passthrough, exit codes).

A few small fixups to fold in — none blocking:

  • Make the "generic harness = no push gate" posture prominent. The Layer 0 / Layer 3 split is now well-explained in the agent-iso.sh comment, but the net consequence — a runtime with no Layer 3 adapter (codex/aider via agent-iso) gets the live ssh-agent socket with no push gate — deserves top-billing in the README's generic-entry-point section and the PR description, so nobody reads "same credential-strip posture" as "same net protection." (inline)
  • Skip the wasted git resolution for non-Claude -w. (inline suggestion)
  • Add a claude--w-preserved regression test. The suite proves -w is stripped for non-Claude; a mirror asserting it's preserved for claude (and that banner/settings injection stays claude-only) would lock down both sides of the branch.

Thanks @justinmclean.


This review was drafted by an AI-assisted tool and confirmed by a Magpie maintainer. The maintainer approving this PR has read the findings and signed off. If something feels off, please reply on the PR and a maintainer will follow up.

More on how Magpie handles maintainer review: CONTRIBUTING.md.

Comment thread tools/agent-isolation/agent-iso.sh
Comment thread tools/agent-isolation/agent-iso.sh
The env-isolation core of agent-iso.sh already worked for any CLI;
this makes that capability explicit and documented:

- Add `agent-iso()` shell function (sourced) and a sub-command mode
  `bash agent-iso.sh agent-iso <cli> [args]` (direct exec) so any
  harness CLI can be launched with the same credential-strip posture
  that claude-iso and opencode-iso provide.  A symlink named `agent-iso`
  (no .sh extension) also works — first positional arg is the CLI name.
- The Claude-specific --settings sandbox allowRead injection continues
  to be skipped for all non-claude agents (guard was already in place).
- Change `**Harness:** Claude Code, OpenCode` → `**Harness:** agnostic`
  in tools/agent-isolation/README.md; the env-isolation layer is now
  available for Codex, Cursor, Gemini CLI, Aider, and any future CLI.
- Update docs/vendor-neutrality.md harness table and harness index to
  reflect agent-isolation moving from portable to agnostic; the hook
  regenerates the score section automatically.
- Update docs/adapters/add-a-harness.md Step 2 and Step 4 to document
  `agent-iso <cli>` as the ready-made layer-0 wrapper for runtimes
  without a built-in hook API.
- Add tests/test_generic_iso.py covering both the direct-exec and
  sourced entry points: credential strip, no --settings injection,
  banner, missing-CLI exit-127, no-CLI-arg usage message, and multiple
  harness names (codex/cursor/gemini).

All 72 agent-isolation tests pass; vendor-neutrality-score and
skill-and-tool-validate both pass.

Generated-by: Claude (claude-sonnet-4-6)
@potiuk potiuk force-pushed the harness-posture-portability branch from 48bc3ae to 7f7fed8 Compare July 8, 2026 10:41
@potiuk

potiuk commented Jul 8, 2026

Copy link
Copy Markdown
Member

I applied both review fixups directly and rebased onto latest main:

  1. agent-iso.sh now resets has_worktree=0 after stripping -w for non-Claude agents, so the Claude-only main-repo git resolution is skipped (no dead git rev-parse/cd/pwd).
  2. The README now carries a prominent ⚠️ callout that generic harnesses (agent-iso <cli>) get Layer 0 only — the live SSH_AUTH_SOCK with no Layer 3 push gate.

Resolving my threads and merging. Thanks @justinmclean.

@potiuk potiuk merged commit 18026ce into apache:main Jul 8, 2026
9 checks passed
potiuk added a commit to Alexhans/airflow-steward that referenced this pull request Jul 8, 2026
…heck/--exec (apache#765) and agnostic agent-isolation (apache#764); fix CodeQL dual-import in test_kiro
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants