security(#300): trust-gate self-improve issues; sandbox build/test env

[nolanmak]

Closes #300.

Self-improve issue bodies are attacker-controllable (public repo) yet flowed raw into a Write/Edit/Bash reasoner and a host-side cargo/npm gate that executes build.rs/proc-macros/npm postinstall. This adds two additive guards without removing the feature:

• Trust-gate issue selection: only issues authored by the repo owner, a write-access collaborator (authorAssociation OWNER/MEMBER/COLLABORATOR), or an AUGMENTAGENT_SELFIMPROVE_TRUSTED_AUTHORS login auto-select. Untrusted-authored issues are refused before any worktree, reasoner call, build, or branch push (owner must opt them in). Default-deny.
• Sandbox the gate env: the build/test child now spawns with env_clear() + provider/API secrets stripped by name (OPENAI/ANTHROPIC/COMPOSIO/GH_TOKEN/…), so a hostile build script can't exfiltrate keys. Behavior-preserving — honest builds don't need those keys.
• is_blast_radius kept as defense-in-depth. Owner-authored issues run end-to-end unchanged (minus secrets in the build child).

Only crates/augmentagent-cli/src/self_improve.rs changed (+337/−10).

Verification: cargo check -p augmentagent-cli passes. cargo test … self_improve = 7 pass / 1 fail, where the failure (workspace_overlapping_deploy_checkout_is_refused) also fails on unmodified HEAD~1 — a pre-existing /tmp-symlink test-isolation flake, not introduced here. 3 new tests pass.

Honest limitation: network egress is not blocked in-process (no host mechanism); defense is layered (untrusted issues never reach the single-repo gate; multi-repo runs in an ephemeral clone behind owner approval). A container/network-namespace sandbox would close this fully — follow-up.

🤖 swarm-authored, human-review-required (draft).

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7af70422-e596-4b97-b37d-fe2c2f76a3d1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sec/300-selfimprove-sandbox

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}