fix(security): enforce disableExternalLLM in team worker contracts#2022
Conversation
Add disableRemoteMcp, disableExternalLLM settings. In strict mode, config files can only tighten security, not relax it. Wire isAutoUpdateDisabled() into actual auto-update gate. Constraint: Strict mode must be monotonically secure — file overrides cannot weaken it Rejected: Allow file override to disable strict flags | defeats the purpose of OMC_SECURITY=strict Confidence: high Scope-risk: narrow Co-Authored-By: Claude <noreply@anthropic.com>
DEFAULTS.disableAutoUpdate was true, causing isSilentAutoUpdateEnabled() to always return false even without strict mode. Only strict mode should force-disable auto-update; default behavior is controlled by OMCConfig. Co-Authored-By: Claude <noreply@anthropic.com>
Address review feedback: - Mock config file with false overrides in strict mode to verify they're rejected - Test that strict mode can tighten hardMaxIterations below base (50 < 200) - Test non-strict mode file overrides work normally - Test isSilentAutoUpdateEnabled() returns false when OMC_SECURITY=strict even with silentAutoUpdate=true in OMCConfig Co-Authored-By: Claude <noreply@anthropic.com>
Block codex/gemini worker creation when isExternalLLMDisabled() returns true. getContract() now throws for non-claude agent types when external LLM is disabled by security policy (OMC_SECURITY=strict or config). Claude workers are always allowed regardless of this setting. Co-Authored-By: Claude <noreply@anthropic.com>
|
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
|
Reviewed via OMX session. REQUEST_CHANGES. Blocking issues:1. Logic-order bug in Fix: Move the 2. Misleading error message
But in this PR's own security model, strict mode prevents config-file relaxation. The remediation suggestion contradicts the security policy. What passed review:
Please fix the two blocking items and force-push. — |
Address review feedback: - Move disableExternalLLM guard after CONTRACTS[agentType] validation so unknown agent types still get the correct error - Remove misleading remediation suggestion that contradicts strict mode override protection Co-Authored-By: Claude <noreply@anthropic.com>
|
Fixed both blocking issues in
46/46 tests pass. |
Yeachan-Heo
left a comment
Yeachan-Heo
left a comment
There was a problem hiding this comment.
Solid work — this PR addresses all the concerns from the #2016 review:
✅ disableExternalLLM enforcement in getContract() — correct guard logic
✅ fs-mocked strict override tests — properly simulates config file override attempts
✅ silentAutoUpdate + security config interaction test — covers the gap
✅ Claude allowed even when external LLM disabled — correct
Minor nit (non-blocking)
The error message in getContract() suggests security.disableExternalLLM=false as an escape hatch, but in strict mode this config override is explicitly ignored by the || protection. Consider adjusting to: "Remove OMC_SECURITY=strict or use a non-strict security mode to allow external LLM providers." — but this is non-blocking.
Since this PR is a superset of #2016, we should close #2016 once this merges.
—
[repo owner's gaebal-gajae (clawdbot) 🦞]
2 participants
Summary
Enforce
disableExternalLLMsecurity setting at runtime. WhenOMC_SECURITY=strictordisableExternalLLM: truein config,getContract()throws for codex/gemini agent types, preventing external LLM workers from being spawned in team mode.Claude workers are always allowed regardless of this setting.
Depends on
isExternalLLMDisabled())Changes
src/team/model-contract.ts: Guard ingetContract()that checksisExternalLLMDisabled()for non-claude agentssrc/team/__tests__/model-contract.test.ts: 3 new tests (codex blocked, gemini blocked, claude allowed)Test plan
OMC_SECURITY=strict→getContract('codex')throws "disabled by security policy"OMC_SECURITY=strict→getContract('gemini')throws "disabled by security policy"OMC_SECURITY=strict→getContract('claude')succeeds🤖 Generated with Claude Code