
RLM Security Audit: tangle-network/agent-dev-container#879

Health: 60/100 | Confidence: 90/100

PR #879 adds confidential sandbox and TEE attestation support. The architecture is sound, but security-critical code has notable gaps: attestation fetch errors are silently swallowed by default, the CLI dereferences unvalidated API response properties, nonce generation is fragile on Node < 19, and sensitive nonces are logged to stdout. In addition, test coverage is limited to happy paths and secure defaults differ between CLI and SDK. The attached change specs harden error handling, remove insecure fallbacks, add a Node crypto fallback, protect secret output, align defaults, and expand unit tests.

1. 🔴 [HIGH] Silent suppression of attestation errors and unsafe property access

File: products/sandbox/sdk/src/confidential.ts

The try/catch around sandbox.getTeeAttestation silently swallows all errors when requireAttestation is false (the SDK default). Additionally, the code unconditionally accesses .a

RLM Security Audit: tangle-network/agent-dev-container#882

Health: 60/100 | Confidence: 80/100

PR #882 adds TEE confidential passthrough with solid Zod schema validation and fail-closed driver checking, but it critically lacks authorization gating and uses raw Error instead of structured errors. Any authenticated user can provision expensive TEE sandboxes, and raw Error throws will likely surface as 500s instead of the expected 400 CONFIG_ERROR. Remediate the auth gate and switch to ConfigError before merge. Unit tests should assert on error type, not message strings.

1. 🟣 [CRITICAL] ?

File: products/sandbox/api/src/routes/sandboxes.ts

The PR introduces confidential (TEE) sandbox passthrough without any authorization, tier, or quota check. Any authenticated user can provision a TEE-backed sandbox as long as they set driver.type to 'tangle', bypassing billing and capacity controls.
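What an authorization gate in front of confidential provisioning can look like, as an added example that is not the project's route code: the check runs before any driver is touched, fails closed on unknown driver types, and throws structured errors that map to the intended HTTP status, so a raw Error is the only thing that still lands as a 500. The ApiError base class, the ForbiddenError and QuotaExceededError subclasses, the Customer shape, the driver names and the "enterprise only" entitlement rule are assumptions for the example; the audit names ConfigError and the 400 CONFIG_ERROR mapping but not its definition.

```typescript
// Added example, not code from products/sandbox/api/src/routes/sandboxes.ts.

// Hypothetical structured-error hierarchy. Object.setPrototypeOf keeps
// instanceof working even when TypeScript downlevels the class to ES5.
export abstract class ApiError extends Error {
  abstract readonly status: number;
  abstract readonly code: string;
  constructor(message: string) {
    super(message);
    Object.setPrototypeOf(this, new.target.prototype);
    this.name = new.target.name;
  }
}
export class ConfigError extends ApiError {
  readonly status = 400;
  readonly code = "CONFIG_ERROR";
}
export class ForbiddenError extends ApiError {
  readonly status = 403;
  readonly code = "TEE_NOT_ENTITLED";
}
export class QuotaExceededError extends ApiError {
  readonly status = 429;
  readonly code = "TEE_QUOTA_EXCEEDED";
}

export interface Customer {
  id: string;
  tier: "free" | "pro" | "enterprise";
  teeSandboxes: number;   // currently provisioned confidential sandboxes
  teeQuota: number;       // allowed by the customer's plan
}
export interface CreateSandboxRequest { driver?: { type?: unknown } }
export interface DriverDecision { driverType: string; confidential: boolean }

const KNOWN_DRIVERS = new Set(["docker", "tangle"]);           // assumed driver names
const CONFIDENTIAL_DRIVERS = new Set(["tangle"]);
const TEE_TIERS = new Set<Customer["tier"]>(["enterprise"]);   // assumed entitlement rule

// Runs before any provisioning. Unknown drivers are a 400 CONFIG_ERROR; a
// confidential driver additionally needs tier entitlement and free quota.
export function authorizeSandboxCreate(customer: Customer, req: CreateSandboxRequest): DriverDecision {
  const driverType = req.driver?.type ?? "docker";
  if (typeof driverType !== "string" || !KNOWN_DRIVERS.has(driverType)) {
    throw new ConfigError(`unsupported driver.type: ${String(driverType)}`);
  }
  if (!CONFIDENTIAL_DRIVERS.has(driverType)) return { driverType, confidential: false };
  if (!TEE_TIERS.has(customer.tier)) {
    throw new ForbiddenError(`tier ${customer.tier} is not entitled to confidential sandboxes`);
  }
  if (customer.teeSandboxes >= customer.teeQuota) {
    throw new QuotaExceededError(`confidential sandbox quota (${customer.teeQuota}) exhausted`);
  }
  return { driverType, confidential: true };
}

// Error-to-response mapping. Structured errors keep their status and code;
// anything else, including a raw `throw new Error(...)`, surfaces as a 500.
export function toHttpResponse(err: unknown): { status: number; body: { code: string; message: string } } {
  if (err instanceof ApiError) {
    return { status: err.status, body: { code: err.code, message: err.message } };
  }
  return { status: 500, body: { code: "INTERNAL_ERROR", message: "internal error" } };
}
```

Tests should assert on the error class and its `code`, as below, rather than on message text that may be reworded.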

RLM Security Audit: tangle-network/agent-dev-container#865

Health: 55/100 | Confidence: 85/100

PR #865 replaces the 'litellm' provider identifier with 'openai-compat' across the stack. While the rename itself is straightforward, the PR introduces a hard breaking change for any persisted configs or environment variables still using 'litellm', causing them to fail proxy detection and altering API-key enforcement. Additionally, the PR leaves a pre-existing 'trycloudflare.com' auth bypass intact in credentials/providers.ts despite modifying that exact boundary. Test coverage is limited to a string swap in one integration test, leaving the new proxy logic unvalidated. Recommend adding explicit runtime rejection guards for legacy 'litellm' strings, removing trycloudflare.com from the proxy allow-list, and expanding tests to cover proxy key-bypass and legacy rejection paths.

This PR introduces a breaking change by removing the 'litellm' provider identifier and native Anthropic SDK path without backward compa

RLM Security Audit: tangle-network/agent-dev-container#867

Health: 68/100 | Confidence: 90/100

PR #867 introduces a high-severity race condition in the worker-bundle test that can destroy real build artifacts via a non-atomic recursive deletion of ../web/dist. It also degrades the platform-billing e2e test into a service-layer test, bypassing HTTP auth, validation, and middleware coverage that a security audit depends on. Finally, a missing null guard on a harness return value weakens error diagnosability. The CI workflow addition is benign.

1. 🔴 [HIGH] Recursive cleanup of ../web/dist can delete real build artifacts

File: products/sandbox/api/tests/worker-bundle.test.ts

The test creates a placeholder inside the real web build output directory and then unconditionally runs rmSync(webDistDir, { recursive: true, force: true }) in afterAll. If a concurrent build populates that directory, the test will destroy those artifacts (TOCTOU). Additionally, if writeFileSync throws, `createdWebDis
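A cleanup routine that cannot have that effect, as an added example that is not the project's test code: the test records whether it created the directory (atomically, via the EEXIST result of a non-recursive mkdir rather than an exists-then-create check), writes its placeholder with the `wx` flag so it can never overwrite a real artifact, removes only that file, and takes the directory down with a non-recursive rmdir, which fails with ENOTEMPTY instead of destroying whatever a concurrent build placed there. The helper names and the `placeholder.txt` file name are assumptions for the example.

```typescript
// Added example, not code from products/sandbox/api/tests/worker-bundle.test.ts.
import { existsSync, mkdirSync, mkdtempSync, rmdirSync, rmSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

export interface Placeholder { dir: string; file: string; createdDir: boolean }

// Creates the directory only if it is absent (EEXIST tells us atomically that it
// was already there) and writes the placeholder without clobbering an existing file.
export function createPlaceholder(dir: string, name: string, content = ""): Placeholder {
  let createdDir = true;
  try {
    mkdirSync(dir);                                  // non-recursive: parent must exist
  } catch (err) {
    if ((err as { code?: string }).code !== "EEXIST") throw err;
    createdDir = false;                              // pre-existing: not ours to delete
  }
  const file = join(dir, name);
  writeFileSync(file, content, { flag: "wx" });      // refuse to overwrite a real artifact
  return { dir, file, createdDir };
}

// Removes only what the test wrote. Returns true if the directory itself was
// removed, false if it was left in place (pre-existing, or populated meanwhile).
export function cleanupPlaceholder(p: Placeholder): boolean {
  rmSync(p.file, { force: true });                   // just our file, never the tree
  if (!p.createdDir) return false;
  try {
    rmdirSync(p.dir);                                // non-recursive: ENOTEMPTY if a build landed here
    return true;
  } catch (err) {
    if ((err as { code?: string }).code === "ENOTEMPTY") return false;
    throw err;
  }
}

// Preferred for new tests: a private temp directory, so even recursive cleanup
// can only ever touch the test's own files.
export function makeScratchDir(prefix = "worker-bundle-"): string {
  return mkdtempSync(join(tmpdir(), prefix));
}
```

With this shape the afterAll hook is `cleanupPlaceholder(p)` and nothing in the test ever calls `rmSync(webDistDir, { recursive: true })`; the return value lets the test log when it deliberately left a populated directory alone.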

RLM Security Audit: tangle-network/agent-dev-container#864

Health: 70/100 | Confidence: 85/100

PR #864 correctly fixes the billing identity drift by centralizing the tier-sync callback and aligning auth middleware customer IDs with resolveBillingOwnerId. However, the extracted callback preserves a catch-and-swallow pattern that makes database failures silent, which is especially dangerous for Stripe webhooks that will not retry after a 200 OK. The regression suite is comprehensive for happy paths but lacks a negative test for callback failure propagation. Additionally, the callback's read-then-write pattern is non-atomic and could race under rapid or out-of-order webhook delivery; hardening that requires store-level changes not visible in this diff. Finally, the auth middleware changes the contract of c.get('customer').id for all requests; downstream routes must be audited to ensure they no longer assume it is the sandbox-local primary key.

1. 🔴 [HIGH] Tier-sync callback silently swallows database

RLM Security Audit: tangle-network/agent-dev-container#871

Health: 68/100 | Confidence: 90/100

PR #871 adds host-level resource alerting to the Health page. Audit found two high-severity correctness issues (unvalidated .toFixed() and unsafe API response traversal), two medium UI/contract issues (silent alert truncation and unmapped label strings), plus architectural redundancy and test gaps. No security or auth regressions were detected in the changed files. Recommended: add finite-number guards, optional-chain the API data, surface truncated alert counts, decouple host provisioning labels from alert severity, and expand boundary/edge-case tests.

1. 🔴 [HIGH] Unsafe .toFixed() on unvalidated metric values

File: apps/admin-portal/src/client/pages/Health.tsx

pushPercentAlert checks value === null, but metrics from the API could be undefined, NaN, or non-finite numbers. Calling .toFixed() on any of these throws a TypeError and crashes the React render. The systemLoad1 alert block ha

RLM Security Audit: tangle-network/agent-dev-container#849

Health: 72/100 | Confidence: 82/100

PR #849 improves type safety and deploy reliability, but introduces two high-blast-radius issues: (1) the billing-mode resolver's boolean interface for an env-driven flag makes production dev-mode activation likely when callers coerce strings, and (2) the cross-site OAuth exchange places a new DB lookup after key minting, so transient failures orphan API keys and deny users their credentials. Both have exact, low-risk fixes. The deploy-platform workflow addition is a solid reliability improvement. Overall health is good with critical gaps in env-var parsing and auth-side-effect ordering.

PR #849 refactors the billing-mode gate into a pure function with exhaustive tests, a solid security improvement. However, the auth callback changes introduce two material issues: (1) unvalidated email/name from the platform OAuth response are persisted directly to the DB, creating injection and stored-payload risks; and
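The env-var parsing problem in concrete form, as an added example that is not the project's resolver: `Boolean("false")` is `true`, so a resolver that takes a boolean invites callers to coerce the raw string and switch production into dev mode. The hardened resolver takes the raw strings, accepts only an explicit set of spellings, rejects anything else instead of guessing, and fails closed to live billing. The variable names BILLING_DEV_MODE and NODE_ENV, the accepted spellings and the "never dev mode in production" rule are assumptions for the example.

```typescript
// Added example, not the project's billing-mode resolver.
export type BillingMode = "live" | "dev";

const TRUE_VALUES = new Set(["1", "true", "yes", "on"]);
const FALSE_VALUES = new Set(["0", "false", "no", "off", ""]);

// Strict boolean parsing for environment variables: an unrecognised value is
// an error, never a silent true or false.
export function parseBooleanEnv(name: string, raw: string | undefined): boolean {
  if (raw === undefined) return false;
  const v = raw.trim().toLowerCase();
  if (TRUE_VALUES.has(v)) return true;
  if (FALSE_VALUES.has(v)) return false;
  throw new Error(`${name}: expected true/false/1/0, got ${JSON.stringify(raw)}`);
}

// Pure resolver over the raw strings. Fails closed to "live"; dev mode is
// refused outright under NODE_ENV=production (assumed policy).
export function resolveBillingMode(env: { BILLING_DEV_MODE?: string; NODE_ENV?: string }): BillingMode {
  const devRequested = parseBooleanEnv("BILLING_DEV_MODE", env.BILLING_DEV_MODE);
  if (!devRequested) return "live";
  if (env.NODE_ENV === "production") {
    throw new Error("BILLING_DEV_MODE is set but NODE_ENV=production; refusing to run dev billing");
  }
  return "dev";
}

// The interface the audit warns about, kept for contrast only: every caller
// must coerce the string first, and Boolean("false") === true.
export function resolveBillingModeUnsafe(devMode: boolean): BillingMode {
  return devMode ? "dev" : "live";
}
```

The last function exists only to make the failure visible in the test below; in real code the string-to-boolean step belongs inside the resolver so there is exactly one place to get it right.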

RLM Security Audit: tangle-network/agent-dev-container#819

Health: 55/100 | Confidence: 75/100

PR #819 makes a strong architectural improvement by extracting the live-staging sandbox harness from the merge gate (fixing #581). The new post-deploy workflow uses minimal permissions and correct secret references. Three gaps remain in the new workflow: (1) missing environment: staging protection for manual triggers, (2) missing cleanup of local artifacts on the self-hosted runner, and (3) missing concurrency limits that can cause runner contention. Two documented orchestrator fixes (snapshot stale container ID and Docker workspace ownership) were not present in the provided diff context, so their code changes could not be verified.

PR #819 adds sandbox egress proxying, env scrubbing, and workspace sanitization, but introduces critical bypasses. The egress CA injection uses ??=, allowing attackers to override CA trust variables and bypass TLS inspection. Workspace sanitization blocks .. and system pat
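The `??=` bypass side by side with its hardened form, as an added example that is not the project's egress code: `??=` only fills in keys that are absent, so a CA or proxy variable already present in the sandbox's environment wins and the egress proxy's CA is never trusted; the hardened version assigns the trust and proxy variables unconditionally and drops variables that would disable verification or route around the proxy. The specific variable lists (CA_TRUST_VARS, PROXY_VARS, BYPASS_VARS) and the CA and proxy paths are assumptions for the example.

```typescript
// Added example, not the project's egress/env-scrubbing code.
export type Env = Record<string, string>;

// Hypothetical variable sets; the real lists are not on this page.
const CA_TRUST_VARS: readonly string[] = [
  "NODE_EXTRA_CA_CERTS", "SSL_CERT_FILE", "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "GIT_SSL_CAINFO",
];
const PROXY_VARS: readonly string[] = ["HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy"];
// Anything that can switch verification off or exempt hosts from the proxy.
const BYPASS_VARS = new Set<string>([
  "NO_PROXY", "no_proxy", "SSL_CERT_DIR", "NODE_TLS_REJECT_UNAUTHORIZED",
  "GIT_SSL_NO_VERIFY", "PYTHONHTTPSVERIFY",
]);

// Vulnerable: `??=` assigns only when the key is missing, so a value the
// sandbox (or an attacker) already placed in env is kept as-is.
export function injectEgressVulnerable(env: Env, caPath: string, proxyUrl: string): Env {
  const out: Env = { ...env };
  for (const k of CA_TRUST_VARS) out[k] ??= caPath;
  for (const k of PROXY_VARS) out[k] ??= proxyUrl;
  return out;
}

// Hardened: copy everything except bypass variables, then assign trust and
// proxy settings unconditionally. Caller-supplied values never survive.
export function injectEgressHardened(env: Env, caPath: string, proxyUrl: string): Env {
  const out: Env = {};
  for (const k of Object.keys(env)) {
    if (BYPASS_VARS.has(k)) continue;
    out[k] = env[k];
  }
  for (const k of CA_TRUST_VARS) out[k] = caPath;
  for (const k of PROXY_VARS) out[k] = proxyUrl;
  return out;
}

// Invariant a unit test can assert on: every trust variable points at our CA,
// every proxy variable at our proxy, and no bypass variable is present.
export function egressIsPinned(env: Env, caPath: string, proxyUrl: string): boolean {
  return CA_TRUST_VARS.every((k) => env[k] === caPath)
    && PROXY_VARS.every((k) => env[k] === proxyUrl)
    && Array.from(BYPASS_VARS).every((k) => !(k in env));
}
```

The invariant check is the regression test the audit asks for: feed it an environment where an attacker pre-set `SSL_CERT_FILE` and `NO_PROXY`, and the vulnerable injector fails it while the hardened one passes.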

codex — 04-track-04 — tangle-network/agent-dev-container#819

Commit: 06a347b7 Scope: products/sandbox/evals/scenarios/tasks.ts, products/sandbox/evals/src/helpers.test.ts, products/sandbox/evals/src/helpers.ts, products/sandbox/evals/src/record.test.ts, products/sandbox/evals/src/record.ts, products/sandbox/evals/src/runner/index.ts, products/sandbox/sdk/src/client.ts, products/sandbox/sdk/src/collaboration/client.ts

codex — ❌ FAILED

OpenAI Codex v0.122.0 (research preview)


workdir: /home/drew/company/tools/pr-reviewer/.webhook-state/checkouts/tangle-network-agent-dev-container-pr-819 model: gpt-5.3-codex

claude — 04-track-04 — tangle-network/agent-dev-container#819

Commit: 06a347b7 Scope: products/sandbox/evals/scenarios/tasks.ts, products/sandbox/evals/src/helpers.test.ts, products/sandbox/evals/src/helpers.ts, products/sandbox/evals/src/record.test.ts, products/sandbox/evals/src/record.ts, products/sandbox/evals/src/runner/index.ts, products/sandbox/sdk/src/client.ts, products/sandbox/sdk/src/collaboration/client.ts

claude — ❌ FAILED

Not logged in · Please run /login