From a6bd4cf5029db65a5b1c27be8dde2d196436c7b5 Mon Sep 17 00:00:00 2001
From: damocles
Date: Fri, 22 May 2026 10:57:13 +0200
Subject: [PATCH] harness: document sandbox threat model and credential permission requirements
---
 nix/templates/harness-base.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/nix/templates/harness-base.nix b/nix/templates/harness-base.nix
index 62fa305..7cf31eb 100644
--- a/nix/templates/harness-base.nix
+++ b/nix/templates/harness-base.nix
@@ -353,6 +353,19 @@
 # fail inside the container. Enable sandbox-fallback so builds that
 # can't set up the sandbox (no user-namespaces in nspawn) fall back
 # to unsandboxed local builds rather than failing outright.
+ #
+ # Security note (issue #240): unsandboxed builds run as `nixbld` users
+ # (non-root) and can read any world-readable file in the container.
+ # Mitigations in place:
+ # - /root/.claude (claude session) is mode 700, root-owned - nixbld
+ # users cannot access it.
+ # - /state/forge-token (Forgejo API token) is written at mode 0600 by
+ # hive-c0re/src/forge.rs - nixbld users cannot access it.
+ # All future credential files written to agent state dirs MUST be mode
+ # 0600 or stricter. Do NOT create world-readable secret files.
+ # Long-term fix: enable user namespaces in nspawn containers
+ # (--private-users=inherit) so the nix sandbox actually works and
+ # sandbox-fallback becomes a true last resort.
 nix.settings.sandbox-fallback = true;
 
 # `claude-code` is unfree. Each per-agent container's nixosConfiguration
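Review bot: The mitigations the new comment relies on (mode 700 on /root/.claude, mode 0600 on /state/forge-token as written by hive-c0re/src/forge.rs) are stated here but not enforced by anything in harness-base.nix, so a later change to forge.rs or to the state-dir layout would silently invalidate the note while `nix.settings.sandbox-fallback = true;` stays in effect. Consider having this module pin the stated policy rather than only describing it, for example with a tmpfiles rule such as `systemd.tmpfiles.rules = [ "z /state/forge-token 0600 <OWNER> <GROUP> -" ];` (owner and group to be taken from the process that writes the file), so the "MUST be mode 0600" sentence is backed by configuration. The note also limits the exposure to world-readable files; group-readable files whose group contains the nixbld users, and the traversal bits on the parent directories, belong to the same surface and are worth a line in the same comment. The enclosing attribute set begins and continues outside the hunk.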