[Security] Mount host filesystem as read-only with isolate.sh fallback

[Mossaka]

Background

PR #394 proposed mounting the host filesystem as read-only for improved security, with an isolate.sh utility to run host binaries via chroot when not available in container PATH.

Proposed Changes

1. Read-only host mount: Change default mount from /:/host:rw to /:/host:ro in docker-manager.ts
2. isolate.sh script: Add to agent container at /usr/local/bin/isolate.sh
   • Falls back to chroot into /host when binary not found in container PATH
   • Handles both absolute paths and relative commands
   • Validates /host exists before chroot attempt
3. Automatic command wrapping: Modify entrypoint.sh to wrap all user commands with isolate.sh

Security Benefits

• Prevents accidental or malicious writes to the host filesystem
• Maintains ability to execute host binaries when needed

---

Issue created from PR #394 during backlog cleanup

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster

[Mossaka]

Closing as this appears to have been resolved in main. The host filesystem is now mounted with selective ro/rw designations rather than the blanket /:/host:rw originally proposed. Key paths like /usr, /bin, /sbin, /lib, /sys are mounted :ro; only specific writable paths (/tmp, home directory, workspace) are :rw. The PRD task 074 is marked COMPLETED: 'already implemented on main via selective path mounts with ro/rw designations in PRs #700, #1056; more restrictive than spec's proposed /:/host:ro'.