Reported by the PR-review audit on #555 (against pre-existing main code that the PR's inflated diff pulled into review scope — see the PR thread). Filing separately since it is not part of that PR's contribution.
Vector: prepare_identity chown -R's the workspace roots including .git/ to the candidate uid (bench/pier_agents/process_boundary.py:100-103), so candidate code can write .git/config during run(). Afterwards _restore_profile_and_capture_solution (bench/pier_agents/tangle_candidate.py) runs git reset --mixed / add -A -- . / rm --cached / diff --cached / commit as root with only -c core.hooksPath=/dev/null neutralized. A candidate that sets core.fsmonitor=<script> (or a [filter] clean command + .gitattributes) gets that program executed as root by the evaluator's index refresh.
Precedent in-repo: the TS side already treats this as live — src/candidate-execution/git-materialize.ts:472-478 forces -c core.fsmonitor=false -c core.untrackedCache=false (+ protect flags) on every git invocation against untrusted worktrees. The Python bench evaluator should mirror that neutralization set on all post-run git commands, and candidate_git_env (bench/pier_agents/workspace_boundary.py:111-122) sets safe.directory but never core.fsmonitor.
Related (same trust boundary, from the same audit):
.sidecar metadata in the task root is staged by git add -A -- . into the candidate solution commit (':(exclude).sidecar' missing).
- The isolated-user execution path (setpriv watchdog, uid kill loop, chown, uid-in-use probe) has no test coverage — every e2e test runs
ISOLATE_CANDIDATE_USER=False.
Audit trace: https://gist.github.com/tangletools/ab779794ad57a8eb7b15acbcd7c85834
Reported by the PR-review audit on #555 (against pre-existing main code that the PR's inflated diff pulled into review scope — see the PR thread). Filing separately since it is not part of that PR's contribution.
Vector:
prepare_identitychown -R's the workspace roots including.git/to the candidate uid (bench/pier_agents/process_boundary.py:100-103), so candidate code can write.git/configduringrun(). Afterwards_restore_profile_and_capture_solution(bench/pier_agents/tangle_candidate.py) runsgit reset --mixed/add -A -- ./rm --cached/diff --cached/commitas root with only-c core.hooksPath=/dev/nullneutralized. A candidate that setscore.fsmonitor=<script>(or a[filter]clean command +.gitattributes) gets that program executed as root by the evaluator's index refresh.Precedent in-repo: the TS side already treats this as live —
src/candidate-execution/git-materialize.ts:472-478forces-c core.fsmonitor=false -c core.untrackedCache=false(+ protect flags) on every git invocation against untrusted worktrees. The Python bench evaluator should mirror that neutralization set on all post-run git commands, andcandidate_git_env(bench/pier_agents/workspace_boundary.py:111-122) setssafe.directorybut nevercore.fsmonitor.Related (same trust boundary, from the same audit):
.sidecarmetadata in the task root is staged bygit add -A -- .into the candidate solution commit (':(exclude).sidecar'missing).ISOLATE_CANDIDATE_USER=False.Audit trace: https://gist.github.com/tangletools/ab779794ad57a8eb7b15acbcd7c85834