Problem
Forge currently passes ANTHROPIC_API_KEY (or Vertex AI credentials) as environment variables into every container. A compromised container — or a prompt injection that exfiltrates env vars — has access to long-lived API credentials.
Fullsend's model: credentials never cross the sandbox boundary. For Vertex AI, it uses OIDC token refresh (every 4 minutes) via a sidecar on the host.
Proposed solution (phased)
Phase 1: Document the current credential surface as a known risk; add a FORGE_CREDENTIAL_AUDIT=true mode that logs which credentials are present in container env at spawn time.
Phase 2: For Vertex AI mode (USE_VERTEX_AI=true), implement an OIDC refresh sidecar — a background asyncio task in the worker that fetches a fresh short-lived GCP token every 4 minutes and writes it to the running container via podman exec, rather than passing credentials at spawn time.
Phase 3: Evaluate whether the Anthropic API key path can be isolated similarly (API key → gateway → container gets only a scoped session token).
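The two mechanisms Phases 1 and 2 describe, sketched as an added example in Python (the worker is described as asyncio-based). This is not Forge's or fullsend's code: the credential name patterns, the in-container token path /run/forge/gcp_token, the function names, and the choice to feed the token to podman exec over stdin rather than argv are all assumptions made here. The refresh loop takes the token fetcher and the delivery step as injected coroutines, so the demo runs offline with constructed tokens while a real deployment would plug in a GCP token fetch and deliver_via_podman.

```python
"""Hypothetical sketch of the credential audit (Phase 1) and OIDC refresh sidecar (Phase 2)."""
import asyncio
import logging
import re
import shlex
from typing import Awaitable, Callable, Dict, List, Optional, Tuple

log = logging.getLogger("forge.credentials")

# Assumed list of env var names/suffixes that count as credentials for the audit.
CREDENTIAL_PATTERNS = [
    re.compile(r"^ANTHROPIC_API_KEY$"),
    re.compile(r"^GOOGLE_APPLICATION_CREDENTIALS$"),
    re.compile(r"^CLOUDSDK_AUTH_ACCESS_TOKEN$"),
    re.compile(r"(_TOKEN|_SECRET|_PASSWORD|_API_KEY)$"),
]
REFRESH_INTERVAL = 4 * 60                 # seconds, matching the proposal
TOKEN_PATH = "/run/forge/gcp_token"       # assumed path inside the container


def audit_enabled(host_env: Dict[str, str]) -> bool:
    """Phase 1 switch: FORGE_CREDENTIAL_AUDIT=true in the worker's own environment."""
    return host_env.get("FORGE_CREDENTIAL_AUDIT", "").lower() == "true"


def credential_names(container_env: Dict[str, str]) -> List[str]:
    """Return the names (never the values) of credential-looking variables."""
    return sorted(n for n in container_env if any(p.search(n) for p in CREDENTIAL_PATTERNS))


def audit_container_env(host_env: Dict[str, str], container_env: Dict[str, str],
                        container_id: str) -> List[str]:
    """At spawn time, log which credentials the container is about to receive."""
    if not audit_enabled(host_env):
        return []
    names = credential_names(container_env)
    if names:
        log.warning("container %s spawned with credentials in env: %s",
                    container_id, ", ".join(names))
    return names


def podman_exec_write_command(container_id: str, path: str = TOKEN_PATH) -> List[str]:
    """argv for writing stdin into `path` inside the container, mode 0600.

    The token itself is not part of argv, so it never appears in process listings."""
    return ["podman", "exec", "-i", container_id, "sh", "-c",
            f"umask 077 && cat > {shlex.quote(path)}"]


async def deliver_via_podman(container_id: str, token: str) -> None:
    """Real delivery step: pipe the token into the running container."""
    proc = await asyncio.create_subprocess_exec(
        *podman_exec_write_command(container_id), stdin=asyncio.subprocess.PIPE)
    await proc.communicate(token.encode())
    if proc.returncode != 0:
        raise RuntimeError(f"podman exec failed with rc={proc.returncode}")


async def refresh_loop(fetch_token: Callable[[], Awaitable[str]],
                       deliver: Callable[[str, str], Awaitable[None]],
                       container_id: str, stop: asyncio.Event,
                       interval: float = REFRESH_INTERVAL,
                       max_rounds: Optional[int] = None) -> int:
    """Background sidecar task: fetch a fresh short-lived token and push it into the
    running container every `interval` seconds until `stop` is set. Returns rounds done."""
    rounds = 0
    while not stop.is_set():
        token = await fetch_token()          # short-lived token from the host side
        await deliver(container_id, token)   # container only ever sees this token
        rounds += 1
        if max_rounds is not None and rounds >= max_rounds:
            break
        try:
            await asyncio.wait_for(stop.wait(), timeout=interval)
        except asyncio.TimeoutError:
            pass                             # interval elapsed, refresh again
    return rounds


def demo(rounds: int = 3) -> List[Tuple[str, str]]:
    """Offline run: constructed tokens, recording deliverer, zero wait between rounds."""
    delivered: List[Tuple[str, str]] = []
    counter = {"n": 0}

    async def fake_fetch() -> str:
        counter["n"] += 1
        return f"token-{counter['n']}"       # constructed, not a real token

    async def record(container_id: str, token: str) -> None:
        delivered.append((container_id, token))

    async def run() -> int:
        stop = asyncio.Event()               # created inside the loop for older Pythons
        return await refresh_loop(fake_fetch, record, "forge-worker-1", stop,
                                  interval=0, max_rounds=rounds)

    asyncio.run(run())
    return delivered


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(audit_container_env({"FORGE_CREDENTIAL_AUDIT": "true"},
                              {"PATH": "/usr/bin", "ANTHROPIC_API_KEY": "sk-constructed"}, "c1"))
    print(demo())
```

Note that the audit reports names only, so the audit log itself never becomes a second copy of the secret, and the refresh loop is the only place that handles the token on the host side; the container receives a file it can read but no long-lived credential to exfiltrate.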
Reference
Learned from fullsend: internal/cli/run.go:runOIDCRefresh() — refreshes OIDC token every 4 minutes and uploads to sandbox. ADR 0017 (credential isolation), ADR 0025 (provider credential delivery).