bench: orchestrator / agent spawn runtime #2

Open · antfleet-ops wants to merge 1 commit into main from pick/orchestrator-agent-spawn

Conversation

@antfleet-ops (Contributor)

Manual file pick from rennf93/roboco — runtime spawn manifest, agent_sdk drivers/server, orchestrator HTTP route, bash-guard hook (9 files, ~81KB).

Note: runtime/orchestrator.py (360KB) exceeds review-gate per-file cap and is excluded.

Two-model security review (Claude Opus 4.7 + GPT-5).

Methodology: https://github.com/AntFleet/bench-roboco

@antfleet (antfleet Bot) commented Jun 19, 2026

AntFleet · 3 findings

Both reviewers flagged the items below on the changed files. AntFleet posts only what two independent frontier models agree on.


Security · High — Bash guard strips executable command substitutions before checking denied git ops
docker/scripts/bash-guard-hook.sh:40-43

The guard assumes echo/printf arguments and heredoc bodies are never executed, then removes them before applying the shell-git deny rule. In Bash, command substitutions in arguments and unquoted heredocs are executed by the shell before echo/cat runs, so commands such as echo $(git fetch origin) or cat <<EOF\n$(git push)\nEOF can execute denied git operations while the skeleton seen by the deny regex no longer contains git fetch/git push. This directly bypasses the stated network/auth/b…

Fix: Do not strip echo/printf/heredoc text until after parsing enough shell syntax to distinguish literal data from expansions, or add a conservative pre-check that denies git deny-list patterns inside $(), backticks, and expandable heredoc bodies. Treat quoted heredocs differently from unquoted hered…


Data-loss · High — Transcript retention can prune non-agent sessions with matching path prefixes
roboco/runtime/transcript_retention.py:34-37

Claude project directory encoding is prefix-sensitive here. For workspaces_root='/data/workspaces', encoded_root becomes -data-workspaces, so a non-agent project such as a user cwd /data/workspaces-old/foo encoded as -data-workspaces-old-foo is treated as agent-owned and its old .jsonl transcripts are selected for pruning. The module explicitly promises to never delete operator sessions, so this can delete unrelated transcripts with similarly prefixed paths.

Fix: Match only the exact root or children under the root, e.g. compare against (workspaces_root.rstrip('/') + '/').replace('/', '-') for descendants and optionally encoded_root for the exact root. Add tests for sibling prefixes like /data/workspaces-old and /data/workspaces2.


Security · Medium — Orchestrator lifecycle routes have no visible authorization guard
roboco/api/routes/orchestrator.py:132-145

The router exposes lifecycle controls that can spawn, stop, resolve, and mark agents waiting. In this file the APIRouter has no authentication/authorization dependencies and the handlers accept requests directly. If this router is mounted on a reachable API surface without external protection, any caller can disrupt or create agent containers. Because the mounting/middleware policy is outside the reviewed file, the severity depends on intended deployment design.

Fix: Require an admin/service credential or explicit role check on these endpoints. If protection is supplied globally, add a local dependency or code comment/test that asserts this router is mounted behind that protection so future refactors do not expose it accidentally.

Review c2b87ca9 · claude-opus-4-7 + gpt-5.5 (unanimous) · 135s · ~$0.40
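The first finding describes an ordering defect: the hook strips echo/printf arguments and heredoc bodies before the deny regex runs, but Bash evaluates command substitutions in those positions first. The block below is an added Python model of that logic (it is not the bash-guard-hook.sh from the PR, which is not reproduced in this view), written to show the flawed order beside the conservative pre-check the finding proposes: scan `$()`, backticks and unquoted heredoc bodies for denied git verbs before any stripping, and treat quoted heredocs as literal. The deny list (`fetch`, `push`, `pull`) and all function names are assumptions; the inputs in the test are the ones the finding itself cites.

```python
import re

# Assumed deny list for this example; the hook's real shell-git deny rule is not shown in the PR view.
DENIED_GIT = re.compile(r"\bgit\s+(fetch|push|pull)\b")

# Heredoc with a quoted delimiter (<<'EOF' / <<"EOF"): the body is literal, nothing in it expands.
_QUOTED_HEREDOC = re.compile(r"<<-?\s*(['\"])(\w+)\1\n.*?\n\2(?=\n|$)", re.S)
# Any heredoc, quoted or not, as the flawed guard strips it.
_ANY_HEREDOC = re.compile(r"<<-?\s*['\"]?(\w+)['\"]?\n.*?\n\1(?=\n|$)", re.S)
# echo/printf plus everything up to the next command separator, as the flawed guard strips it.
_ECHO_ARGS = re.compile(r"\b(echo|printf)\b[^\n;|&]*")


def command_substitutions(cmd: str) -> list:
    """Text inside every $(...) (parenthesis-balanced) and every `...` pair.
    The shell runs these before echo/cat ever sees their output."""
    found, i, n = [], 0, len(cmd)
    while i < n:
        if cmd.startswith("$(", i):
            depth, j = 1, i + 2
            while j < n and depth:
                if cmd[j] == "(":
                    depth += 1
                elif cmd[j] == ")":
                    depth -= 1
                j += 1
            found.append(cmd[i + 2 : j - 1] if depth == 0 else cmd[i + 2 :])
            i = j
        elif cmd[i] == "`":
            j = cmd.find("`", i + 1)
            j = n if j == -1 else j
            found.append(cmd[i + 1 : j])
            i = j + 1
        else:
            i += 1
    return found


def naive_guard_allows(cmd: str) -> bool:
    """Models the flawed order the finding describes: strip echo/printf arguments and
    heredoc bodies as if they were inert data, then apply the deny regex to the skeleton."""
    skeleton = _ECHO_ARGS.sub(r"\1", cmd)
    skeleton = _ANY_HEREDOC.sub("<<HEREDOC", skeleton)
    return DENIED_GIT.search(skeleton) is None


def hardened_guard_allows(cmd: str) -> bool:
    """Conservative pre-check from the finding's fix: before any stripping, deny a denied
    git op inside any command substitution, ignoring only quoted heredoc bodies (which are
    literal). Plain commands then fall through to the skeleton check."""
    live = _QUOTED_HEREDOC.sub("<<QUOTED_HEREDOC", cmd)
    if any(DENIED_GIT.search(inner) for inner in command_substitutions(live)):
        return False
    return naive_guard_allows(cmd)


if __name__ == "__main__":
    # Constructed sample commands, including the two the finding cites.
    for sample in ["echo $(git fetch origin)", "cat <<EOF\n$(git push)\nEOF",
                   "cat <<'EOF'\n$(git push)\nEOF", 'echo "$(date)"', "git push origin main"]:
        print(repr(sample), "naive:", naive_guard_allows(sample), "hardened:", hardened_guard_allows(sample))
```

The pre-check is deliberately coarse: it will also refuse a denied verb inside a substitution that is itself inside a single-quoted string, which is the trade-off the finding accepts by calling it conservative. A real fix in the hook would want the same scan written in bash or delegated to a proper shell parser rather than a regex model.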

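The second finding turns on how Claude encodes a project directory (every `/` becomes `-`), which makes a plain prefix comparison over-match. The block below is an added Python illustration, not the transcript_retention.py from the PR. It shows the flagged prefix check, the descendant-prefix check the finding suggests, and a practitioner caveat: because `/` and `-` collapse to the same character, `-data-workspaces-old-foo` still begins with `-data-workspaces-`, so the descendant check rejects `/data/workspaces2` but not `/data/workspaces-old/foo`. The example therefore decides ownership by exact match against the encoded paths of workspaces the orchestrator actually spawned; that list, the sample directory names and all function names are constructed assumptions.

```python
def encode_project_dir(path: str) -> str:
    """Claude-style project directory name as the finding describes it: every '/' becomes '-'."""
    return path.rstrip("/").replace("/", "-")


def owned_by_prefix(encoded_project: str, workspaces_root: str) -> bool:
    """The prefix-sensitive check the finding flags: anything starting with the encoded root."""
    return encoded_project.startswith(encode_project_dir(workspaces_root))


def owned_by_descendant_prefix(encoded_project: str, workspaces_root: str) -> bool:
    """The finding's suggested fix: exact root, or a descendant prefix built from root + '/'.
    It rejects /data/workspaces2, but '/' and '-' collapse, so -data-workspaces-old-foo
    still begins with -data-workspaces- and is still treated as agent-owned."""
    root = workspaces_root.rstrip("/")
    encoded_root = root.replace("/", "-")
    descendant_prefix = (root + "/").replace("/", "-")
    return encoded_project == encoded_root or encoded_project.startswith(descendant_prefix)


def owned_by_known_workspace(encoded_project: str, agent_workspaces) -> bool:
    """Exact match against the encoded paths of workspaces the orchestrator spawned
    (assumed to be available from its spawn records). No prefix logic at all."""
    return encoded_project in {encode_project_dir(p) for p in agent_workspaces}


def select_for_pruning(project_dirs, agent_workspaces) -> list:
    """Project dirs whose old .jsonl transcripts would be eligible for age-based pruning."""
    return [d for d in project_dirs if owned_by_known_workspace(d, agent_workspaces)]


# Constructed sample: one spawned agent workspace plus operator directories with similar prefixes.
WORKSPACES_ROOT = "/data/workspaces"
AGENT_WORKSPACES = ["/data/workspaces/agent-1"]
PROJECT_DIRS = [
    "-data-workspaces",
    "-data-workspaces-agent-1",
    "-data-workspaces-old-foo",   # operator cwd /data/workspaces-old/foo
    "-data-workspaces2",          # operator cwd /data/workspaces2
    "-home-operator-src",
]

if __name__ == "__main__":
    for d in PROJECT_DIRS:
        print(f"{d:28} prefix={owned_by_prefix(d, WORKSPACES_ROOT)!s:5} "
              f"descendant={owned_by_descendant_prefix(d, WORKSPACES_ROOT)!s:5} "
              f"known={owned_by_known_workspace(d, AGENT_WORKSPACES)}")
    print("pruning candidates:", select_for_pruning(PROJECT_DIRS, AGENT_WORKSPACES))
```

Exact matching narrows the residual ambiguity to a directory that literally encodes the same as a spawned workspace (for instance `/data/workspaces-agent-1` beside `/data/workspaces/agent-1`); resolving that needs an unencoded source of truth, not more string logic. If agents start Claude in subdirectories of their workspace, those paths need their own entries in the spawn records.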

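The third finding asks for two things: a role check on the lifecycle endpoints, and a local dependency or test that fails if a future refactor drops it. The block below is an added, framework-free Python sketch of that pattern, not the roboco orchestrator router (which uses an APIRouter not reproduced here): a `require_role` guard attached to each route as a dependency, a dispatcher that runs guards before the handler, and an `unguarded_routes` audit that a CI test can assert is empty. Route paths, the `orchestrator-admin` role and every other name are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable


class Forbidden(Exception):
    """Raised when the caller lacks the required role (stands in for an HTTP 403)."""


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


def require_role(role: str) -> Callable[[Principal], None]:
    """Dependency factory: the returned guard rejects callers without `role`."""
    def guard(caller: Principal) -> None:
        if role not in caller.roles:
            raise Forbidden(f"{caller.name} lacks role {role!r}")
    guard.required_role = role  # metadata the audit below reads
    return guard


@dataclass
class Route:
    method: str
    path: str
    handler: Callable
    dependencies: list = field(default_factory=list)


@dataclass
class Router:
    routes: list = field(default_factory=list)

    def add(self, method: str, path: str, handler: Callable, dependencies=()) -> None:
        self.routes.append(Route(method, path, handler, list(dependencies)))


def dispatch(router: Router, method: str, path: str, caller: Principal, payload=None):
    """Run every declared dependency (the guards) before the handler, as a framework would."""
    for r in router.routes:
        if r.method == method and r.path == path:
            for dep in r.dependencies:
                dep(caller)
            return r.handler(payload)
    raise LookupError(f"no route {method} {path}")


def unguarded_routes(router: Router) -> list:
    """Audit: routes that declare no role guard. A CI test asserting this list is empty is
    the local 'test that asserts this router is mounted behind protection' the finding asks for."""
    return [f"{r.method} {r.path}" for r in router.routes
            if not any(getattr(d, "required_role", None) for d in r.dependencies)]


def build_router(guarded: bool = True) -> Router:
    """Hypothetical lifecycle router; guarded=False reproduces the flagged state."""
    deps = [require_role("orchestrator-admin")] if guarded else []
    router = Router()
    router.add("POST", "/orchestrator/agents/spawn", lambda p: {"spawned": p["agent"]}, deps)
    router.add("POST", "/orchestrator/agents/stop", lambda p: {"stopped": p["agent"]}, deps)
    return router


if __name__ == "__main__":
    print("unguarded (as flagged):", unguarded_routes(build_router(guarded=False)))
    print("unguarded (fixed):", unguarded_routes(build_router()))
    svc = Principal("spawn-service", frozenset({"orchestrator-admin"}))
    print(dispatch(build_router(), "POST", "/orchestrator/agents/spawn", svc, {"agent": "a1"}))
```

Attaching the guard per route rather than relying on a global mount keeps the protection visible in the file under review, which is exactly what the finding could not confirm from the router alone.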