Merge branch 'main' into add-frontend-ci

Author: jamiepine

.github/workflows/release.yml

@@ -115,27 +115,15 @@ jobs:
         id: platform
         run: echo "pair=$(echo ${{ matrix.platform }} | tr '/' '-')" >> "$GITHUB_OUTPUT"
 
-      - name: Build and push slim
+      - name: Build and push
         uses: docker/build-push-action@v6
         with:
           context: .
-          target: slim
           platforms: ${{ matrix.platform }}
           push: true
-          tags: ${{ env.IMAGE }}:slim-${{ steps.platform.outputs.pair }}
-          cache-from: type=gha,scope=slim-${{ steps.platform.outputs.pair }}
-          cache-to: type=gha,mode=max,scope=slim-${{ steps.platform.outputs.pair }}
-
-      - name: Build and push full
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          target: full
-          platforms: ${{ matrix.platform }}
-          push: true
-          tags: ${{ env.IMAGE }}:full-${{ steps.platform.outputs.pair }}
-          cache-from: type=gha,scope=full-${{ steps.platform.outputs.pair }}
-          cache-to: type=gha,mode=max,scope=full-${{ steps.platform.outputs.pair }}
+          tags: ${{ env.IMAGE }}:build-${{ steps.platform.outputs.pair }}
+          cache-from: type=gha,scope=build-${{ steps.platform.outputs.pair }}
+          cache-to: type=gha,mode=max,scope=build-${{ steps.platform.outputs.pair }}
 
   merge-docker:
     needs: build-docker
@@ -155,22 +143,13 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Create slim multi-arch manifest
-        run: |
-          docker buildx imagetools create \
-            --tag ${{ env.IMAGE }}:${{ needs.build-docker.outputs.version }}-slim \
-            --tag ${{ env.IMAGE }}:slim \
-            ${{ env.IMAGE }}:slim-linux-amd64 \
-            ${{ env.IMAGE }}:slim-linux-arm64
-
-      - name: Create full multi-arch manifest
+      - name: Create multi-arch manifest
         run: |
           docker buildx imagetools create \
-            --tag ${{ env.IMAGE }}:${{ needs.build-docker.outputs.version }}-full \
-            --tag ${{ env.IMAGE }}:full \
+            --tag ${{ env.IMAGE }}:${{ needs.build-docker.outputs.version }} \
             --tag ${{ env.IMAGE }}:latest \
-            ${{ env.IMAGE }}:full-linux-amd64 \
-            ${{ env.IMAGE }}:full-linux-arm64
+            ${{ env.IMAGE }}:build-linux-amd64 \
+            ${{ env.IMAGE }}:build-linux-arm64
 
       - name: Log in to Fly registry
         if: github.repository_owner == 'spacedriveapp'

AGENTS.md

@@ -10,6 +10,17 @@ Single binary. No server dependencies. Runs on tokio. All data lives in embedded
 
 **Stack:** Rust (edition 2024), tokio, Rig (v0.30.0, agentic loop framework), SQLite (sqlx), LanceDB (embedded vector + FTS), redb (embedded key-value).
 
+## JavaScript Tooling (Critical)
+
+- For UI work in `spacebot/interface/`, use `bun` for all JS/TS package management and scripts.
+- **NEVER** use `npm`, `pnpm`, or `yarn` in this repo unless the user explicitly asks for one.
+- Standard commands:
+  - `bun install`
+  - `bun run dev`
+  - `bun run build`
+  - `bun run test`
+  - `bunx <tool>` (instead of `npx <tool>`)
+
 ## Migration Safety
 
 - **NEVER edit an existing migration file in place** once it has been committed or applied in any environment.

Cargo.lock

@@ -61,6 +61,7 @@ notify = "7"
 # Cryptography (for secrets)
 aes-gcm = "0.10"
 sha2 = "0.10"
+argon2 = "0.5"
 rand = "0.9"
 
 # UUID generation
@@ -131,7 +132,7 @@ arrow-array = "57.3.0"
 arrow-schema = "57.3.0"
 
 # Browser automation
-chromiumoxide = { version = "0.8", features = ["tokio-runtime"], default-features = false }
+chromiumoxide = { version = "0.8", features = ["tokio-runtime", "_fetcher-rustls-tokio"], default-features = false }
 chromiumoxide_cdp = "0.8"
 
 # Templating for prompts
@@ -165,6 +166,10 @@ unimplemented = "deny"
 [dev-dependencies]
 tokio-test = "0.4"
 
+# OS keystore (macOS Keychain for master key storage)
+[target.'cfg(target_os = "macos")'.dependencies]
+security-framework = "3"
+
 [profile.release]
 lto = "thin"
 strip = true

Cargo.toml

@@ -43,38 +43,21 @@ RUN SPACEBOT_SKIP_FRONTEND_BUILD=1 cargo build --release \
     && mv /build/target/release/spacebot /usr/local/bin/spacebot \
     && cargo clean -p spacebot --release --target-dir /build/target
 
-# ---- Slim stage ----
-# Minimal runtime with just the binary. No browser.
-FROM debian:bookworm-slim AS slim
+# ---- Runtime stage ----
+# Minimal runtime with Chrome runtime libraries for fetcher-downloaded Chromium.
+# Chrome itself is downloaded on first browser tool use and cached on the volume.
+FROM debian:bookworm-slim
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     libsqlite3-0 \
     curl \
     gh \
     bubblewrap \
-    && rm -rf /var/lib/apt/lists/*
-
-COPY --from=builder /usr/local/bin/spacebot /usr/local/bin/spacebot
-COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
-RUN chmod +x /usr/local/bin/docker-entrypoint.sh
-
-ENV SPACEBOT_DIR=/data
-ENV SPACEBOT_DEPLOYMENT=docker
-EXPOSE 19898 18789
-
-HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
-    CMD curl -f http://localhost:19898/api/health || exit 1
-
-ENTRYPOINT ["docker-entrypoint.sh"]
-CMD ["spacebot", "start", "--foreground"]
-
-# ---- Full stage ----
-# Slim + Chromium for browser workers.
-FROM slim AS full
-
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    chromium \
+    openssh-server \
+    # Chrome runtime dependencies — required whether Chrome is system-installed
+    # or downloaded by the built-in fetcher. The fetcher provides the browser
+    # binary; these are the shared libraries it links against.
     fonts-liberation \
     libnss3 \
     libatk-bridge2.0-0 \
@@ -91,5 +74,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libxtst6 \
     && rm -rf /var/lib/apt/lists/*
 
-ENV CHROME_PATH=/usr/bin/chromium
-ENV CHROME_FLAGS="--no-sandbox --disable-dev-shm-usage --disable-gpu"
+COPY --from=builder /usr/local/bin/spacebot /usr/local/bin/spacebot
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+ENV SPACEBOT_DIR=/data
+ENV SPACEBOT_DEPLOYMENT=docker
+EXPOSE 19898 18789
+
+HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
+    CMD curl -f http://localhost:19898/api/health || exit 1
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["spacebot", "start", "--foreground"]

Dockerfile

@@ -242,20 +242,35 @@ headers = { Authorization = "Bearer ${SENTRY_TOKEN}" }
 
 ### Security
 
-Workers execute arbitrary shell commands and subprocesses on your behalf. Spacebot uses defense-in-depth to contain what those processes can do:
+Spacebot runs autonomous LLM processes that execute arbitrary shell commands and spawn subprocesses. Security isn't an add-on — it's a layered system designed so that no single failure exposes credentials or breaks containment.
 
-- **Process sandbox** — shell and exec tools run inside OS-level filesystem containment. On Linux, [bubblewrap](https://github.com/containers/bubblewrap) creates a mount namespace where the entire filesystem is read-only except the agent's workspace and any explicitly configured writable paths. On macOS, `sandbox-exec` enforces equivalent restrictions via SBPL profiles. No amount of LLM creativity can write outside the sandbox — it's kernel-enforced, not string-filtered
-- **Workspace isolation** — file tools canonicalize all paths and reject anything outside the agent's workspace. Symlinks that escape the workspace are blocked
+#### Credential Isolation
+
+Secrets are split into two categories: **system** (LLM API keys, messaging tokens — never exposed to subprocesses) and **tool** (CLI credentials like `GH_TOKEN` — injected as env vars into workers). The category is auto-assigned based on the secret name, or set explicitly.
+
+- **Environment sanitization** — every subprocess starts with a clean environment (`--clearenv` on Linux, `env_clear()` everywhere else). Only safe baseline vars (`PATH`, `HOME`, `LANG`), tool-category secrets, and explicit `passthrough_env` entries are present. System secrets never enter any subprocess
+- **Secret store** — credentials live in a dedicated redb database, not in `config.toml`. Config references secrets by alias (`anthropic_key = "secret:ANTHROPIC_API_KEY"`), so the config file is safe to display, screenshot, or `cat`
+- **Encryption at rest** — optional AES-256-GCM encryption with a master key derived via Argon2id. The master key lives in the OS credential store (macOS Keychain, Linux kernel keyring) — never on disk, never in an env var, never accessible to worker subprocesses
+- **Keyring isolation** — on Linux, workers are spawned with a fresh empty session keyring via `pre_exec`. Even without the sandbox, workers cannot access the parent's kernel keyring where the master key lives
+- **Output scrubbing** — all tool secret values are redacted from worker output before it reaches channels or LLM context. A rolling buffer handles secrets split across stream chunks. Channels see `[REDACTED]`, never raw values
+- **Worker secret management** — workers can store credentials they obtain (API keys from account creation, OAuth tokens) via the `secret_set` tool. Stored secrets are immediately available to future workers
+
+#### Process Containment
+
+- **Process sandbox** — shell and exec tools run inside OS-level filesystem containment. On Linux, [bubblewrap](https://github.com/containers/bubblewrap) creates a mount namespace where the entire filesystem is read-only except the agent's workspace and configured writable paths. On macOS, `sandbox-exec` enforces equivalent restrictions via SBPL profiles. Kernel-enforced, not string-filtered
+- **Dynamic sandbox mode** — sandbox settings are hot-reloadable. Toggle via the dashboard or API without restarting the agent
+- **Workspace isolation** — file tools canonicalize all paths and reject anything outside the agent's workspace. Symlinks that escape are blocked
 - **Leak detection** — a hook scans every tool argument before execution and every tool result after execution for secret patterns (API keys, tokens, PEM private keys) across plaintext, URL-encoded, base64, and hex encodings. Leaked secrets in arguments skip the tool call; leaked secrets in output terminate the agent
 - **Library injection blocking** — the exec tool blocks dangerous environment variables (`LD_PRELOAD`, `DYLD_INSERT_LIBRARIES`, `NODE_OPTIONS`, etc.) that could hijack child process loading
 - **SSRF protection** — the browser tool blocks requests to cloud metadata endpoints, private IPs, loopback, and link-local addresses
 - **Identity file protection** — writes to `SOUL.md`, `IDENTITY.md`, and `USER.md` are blocked at the application level
-- **Secret encryption** — credentials stored via the secrets system are encrypted at rest with AES-256-GCM
+- **Durable binary storage** — `tools/bin` directory on PATH survives hosted rollouts. Workers are instructed to install binaries there instead of ephemeral package manager locations
 
 ```toml
 [agents.sandbox]
 mode = "enabled"                              # "enabled" (default) or "disabled"
 writable_paths = ["/home/user/projects/myapp"] # additional writable dirs beyond workspace
+passthrough_env = ["CUSTOM_VAR"]              # forward specific env vars to workers
 ```
 
 ---
@@ -505,6 +520,8 @@ No server dependencies. Single binary. All data lives in embedded databases in a
 | [Cortex](docs/content/docs/(core)/cortex.mdx)                    | Memory bulletin and system observation                   |
 | [Cron Jobs](docs/content/docs/(features)/cron.mdx)               | Scheduled recurring tasks                                |
 | [Routing](docs/content/docs/(core)/routing.mdx)                  | Model routing and fallback chains                        |
+| [Secrets](docs/content/docs/(configuration)/secrets.mdx)         | Credential storage, encryption, and output scrubbing     |
+| [Sandbox](docs/content/docs/(configuration)/sandbox.mdx)         | Process containment and environment sanitization         |
 | [Messaging](docs/content/docs/(messaging)/messaging.mdx)         | Adapter architecture (Discord, Slack, Telegram, Twitch, Webchat, webhook) |
 | [Discord Setup](docs/content/docs/(messaging)/discord-setup.mdx) | Discord bot setup guide                                  |
 | [Browser](docs/content/docs/(features)/browser.mdx)              | Headless Chrome for workers                              |