fix(agents,workspace,proxy): phase 3 security hardening

- Sandbox kill_processes now takes a typed KillSignal enum (Term|Kill)
  instead of a raw i32, constraining callers to SIGTERM/SIGKILL. Stops
  a future caller from smuggling arbitrary signals (SIGSTOP, SIGUSR1,
  etc.) through the sandbox exec boundary. Unit tests cover the
  enum-to-signum mapping and Copy-ness.
- PreviewAuthLimiter's failure map is now hard-capped at 65_536
  entries with opportunistic expired-entry eviction + oldest-entry
  fallback. Closes the unbounded-memory-growth vector where an
  attacker sprays unique (ip, session_id) pairs to OOM the proxy.
  Test sprays 70k unique keys and asserts the map stays within cap.

Author: dviejokfs

crates/temps-agents/src/sandbox/docker.rs

@@ -1122,21 +1122,22 @@ impl SandboxProvider for DockerSandboxProvider {
         &self,
         handle: &SandboxHandle,
         pattern: &str,
-        signal: i32,
+        signal: super::KillSignal,
     ) -> Result<(), AgentError> {
         // Fresh exec running pkill. pkill exits 0 if something was killed,
         // 1 if nothing matched — both are success from our POV. Bounded by
         // a 10s timeout so we never replicate the phantom-stream hang.
         //
         // Use `pgrep` + `kill` instead of `pkill -f` to handle both busybox
         // and util-linux pkill variants uniformly.
+        let sig_num = signal.as_number();
         let cmd = vec![
             "sh".to_string(),
             "-c".to_string(),
             format!(
                 "pgrep -f {pattern_q} 2>/dev/null | xargs -r kill -{sig} 2>/dev/null; exit 0",
                 pattern_q = shell_quote(pattern),
-                sig = signal,
+                sig = sig_num,
             ),
         ];
 
@@ -1145,7 +1146,7 @@ impl SandboxProvider for DockerSandboxProvider {
             Ok(Ok(_)) => {
                 tracing::debug!(
                     "kill_processes: sent signal {} to '{}' in {}",
-                    signal,
+                    sig_num,
                     pattern,
                     handle.sandbox_name
                 );

crates/temps-agents/src/sandbox/local.rs

@@ -153,11 +153,11 @@ impl SandboxProvider for LocalSandboxProvider {
         &self,
         handle: &SandboxHandle,
         pattern: &str,
-        signal: i32,
+        signal: super::KillSignal,
     ) -> Result<(), AgentError> {
         // Best-effort pkill on the host. Scoped to the current user so we
         // don't accidentally kill other things.
-        let sig_flag = format!("-{}", signal);
+        let sig_flag = format!("-{}", signal.as_number());
         let _ = tokio::process::Command::new("pkill")
             .arg(&sig_flag)
             .arg("-f")

crates/temps-agents/src/sandbox/mod.rs

@@ -9,6 +9,30 @@ use std::time::Duration;
 use crate::ai_cli::OnEventCallback;
 use crate::error::AgentError;
 
+/// Unix signal to send to processes inside a sandbox. Constrained on purpose
+/// — the only two signals the workspace ever needs are SIGTERM (graceful
+/// shutdown, give the CLI a chance to flush state) and SIGKILL (hard kill
+/// after a grace period). Passing arbitrary integers across the provider
+/// boundary would invite untrusted callers to stuff anything from SIGSTOP
+/// to SIGUSR1 into the sandbox exec.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum KillSignal {
+    /// SIGTERM (15) — graceful termination. The process may trap it.
+    Term,
+    /// SIGKILL (9) — immediate kill. Cannot be trapped.
+    Kill,
+}
+
+impl KillSignal {
+    /// Unix signal number used by `kill(1)` / `pkill -<n>`.
+    pub fn as_number(self) -> i32 {
+        match self {
+            KillSignal::Term => 15,
+            KillSignal::Kill => 9,
+        }
+    }
+}
+
 /// A handle to an active sandbox. Opaque to callers — the internal fields
 /// are provider-specific (Docker container ID, Vercel sandbox ID, etc.).
 #[derive(Debug, Clone)]
@@ -98,18 +122,18 @@ pub trait SandboxProvider: Send + Sync {
 
     /// Kill processes inside the sandbox matching a pgrep/pkill pattern.
     ///
-    /// `signal` is a Unix signal number (15 = SIGTERM, 9 = SIGKILL).
-    /// `pattern` is passed to `pkill -f` — it matches against the full
-    /// command line, so prefer anchored patterns like `^claude ` to avoid
-    /// killing unrelated processes.
+    /// `signal` is constrained to [`KillSignal`] — only SIGTERM/SIGKILL are
+    /// valid. `pattern` is passed to `pkill -f` — it matches against the
+    /// full command line, so prefer anchored patterns like `^claude ` to
+    /// avoid killing unrelated processes.
     ///
     /// Returns Ok(()) whether or not anything was actually killed — the
     /// operation is inherently best-effort.
     async fn kill_processes(
         &self,
         handle: &SandboxHandle,
         pattern: &str,
-        signal: i32,
+        signal: KillSignal,
     ) -> Result<(), AgentError>;
 
     /// Destroy sandbox and clean up its container.
@@ -172,3 +196,28 @@ pub trait SandboxProvider: Send + Sync {
     /// Delete and rebuild the sandbox image. Returns the image name.
     async fn rebuild_image(&self) -> Result<String, AgentError>;
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn kill_signal_term_is_15() {
+        assert_eq!(KillSignal::Term.as_number(), 15);
+    }
+
+    #[test]
+    fn kill_signal_kill_is_9() {
+        assert_eq!(KillSignal::Kill.as_number(), 9);
+    }
+
+    #[test]
+    fn kill_signal_is_copy() {
+        // Guards that KillSignal stays cheap to pass — if someone adds a
+        // String payload later, this stops compiling and forces a review.
+        let s = KillSignal::Term;
+        let a = s;
+        let b = s;
+        assert_eq!(a.as_number(), b.as_number());
+    }
+}

crates/temps-proxy/src/preview_auth.rs

@@ -206,6 +206,12 @@ struct FailureState {
     window_start: Option<Instant>,
 }
 
+/// Hard cap on distinct (ip, session_id) pairs tracked concurrently.
+/// An attacker spraying unique IPs/session_ids can no longer grow this map
+/// without bound — at the cap we sweep expired entries, and if that fails
+/// to free space we drop the oldest entry.
+const MAX_TRACKED_ENTRIES: usize = 65_536;
+
 /// In-memory rate limiter for preview auth failures.
 #[derive(Debug, Default)]
 pub struct PreviewAuthLimiter {
@@ -231,6 +237,27 @@ impl PreviewAuthLimiter {
     }
 
     pub fn record_failure(&self, ip: IpAddr, session_id: i32) {
+        // Cap enforcement: opportunistically evict before insert so the map
+        // cannot be weaponized as an unbounded memory sink.
+        if !self.failures.contains_key(&(ip, session_id))
+            && self.failures.len() >= MAX_TRACKED_ENTRIES
+        {
+            self.evict_expired();
+            if self.failures.len() >= MAX_TRACKED_ENTRIES {
+                // Still full after sweep — drop the single oldest entry.
+                // Picking *an* entry is fine; under attack the whole map
+                // turns over quickly and legit users are re-inserted.
+                if let Some(victim) = self
+                    .failures
+                    .iter()
+                    .min_by_key(|e| e.value().window_start)
+                    .map(|e| *e.key())
+                {
+                    self.failures.remove(&victim);
+                }
+            }
+        }
+
         let mut entry = self.failures.entry((ip, session_id)).or_default();
         let now = Instant::now();
         match entry.window_start {
@@ -247,6 +274,15 @@ impl PreviewAuthLimiter {
     pub fn record_success(&self, ip: IpAddr, session_id: i32) {
         self.failures.remove(&(ip, session_id));
     }
+
+    /// Drop all entries whose window has expired. O(n), but only called when
+    /// we hit the cap — amortized cost is negligible under normal load.
+    fn evict_expired(&self) {
+        self.failures.retain(|_, state| match state.window_start {
+            Some(start) => start.elapsed() <= RATE_LIMIT_WINDOW,
+            None => false,
+        });
+    }
 }
 
 /// Verify a plaintext password against an argon2 PHC hash. Public so the
@@ -437,4 +473,30 @@ mod tests {
         limiter.record_success(ip, 2);
         assert!(!limiter.is_blocked(ip, 2));
     }
+
+    #[test]
+    fn rate_limiter_is_bounded_under_flood() {
+        // Spray far more unique (ip, session) pairs than the cap allows.
+        // The map must never exceed MAX_TRACKED_ENTRIES — this is the
+        // whole point of the eviction logic: an attacker can't use
+        // record_failure to OOM the proxy.
+        let limiter = PreviewAuthLimiter::new();
+        let attacker_count = MAX_TRACKED_ENTRIES + 5_000;
+        for i in 0..attacker_count {
+            // Synthesize distinct IPv4 addrs across the /8, cycling session_id
+            // so each key is unique.
+            let octet_a = ((i >> 16) & 0xff) as u8;
+            let octet_b = ((i >> 8) & 0xff) as u8;
+            let octet_c = (i & 0xff) as u8;
+            let ip: IpAddr = format!("10.{}.{}.{}", octet_a, octet_b, octet_c)
+                .parse()
+                .unwrap();
+            limiter.record_failure(ip, (i % 1024) as i32);
+        }
+        assert!(
+            limiter.failures.len() <= MAX_TRACKED_ENTRIES,
+            "limiter grew beyond cap: {}",
+            limiter.failures.len()
+        );
+    }
 }

crates/temps-workspace/src/services/message_executor.rs

@@ -109,13 +109,22 @@ impl MessageExecutor {
         self.dirty_sessions.write().await.insert(session_id);
         // SIGTERM first — give claude ~2s to flush the current turn to jsonl.
         self.session_manager
-            .kill_session_processes(session_id, "^claude ", 15)
+            .kill_session_processes(
+                session_id,
+                "^claude ",
+                temps_agents::sandbox::KillSignal::Term,
+            )
             .await;
         // Spawn the escalation-to-SIGKILL so we don't block the handler.
         let sm = self.session_manager.clone();
         tokio::spawn(async move {
             tokio::time::sleep(std::time::Duration::from_secs(2)).await;
-            sm.kill_session_processes(session_id, "^claude ", 9).await;
+            sm.kill_session_processes(
+                session_id,
+                "^claude ",
+                temps_agents::sandbox::KillSignal::Kill,
+            )
+            .await;
         });
     }
 
@@ -710,7 +719,11 @@ impl MessageExecutor {
         //    claudes writing to the same jsonl corrupt it. This is always
         //    safe — if there's nothing to kill, pkill is a no-op.
         self.session_manager
-            .kill_session_processes(session_id, "^claude ", 9)
+            .kill_session_processes(
+                session_id,
+                "^claude ",
+                temps_agents::sandbox::KillSignal::Kill,
+            )
             .await;
 
         // 2. Repair pass: if this session is marked dirty (prior cancel or
@@ -922,12 +935,12 @@ impl MessageExecutor {
                 Err(_) => {
                     self.dirty_sessions.write().await.insert(session_id);
                     self.session_manager
-                        .kill_session_processes(session_id, "^claude ", 15)
+                        .kill_session_processes(session_id, "^claude ", temps_agents::sandbox::KillSignal::Term)
                         .await;
                     let sm = self.session_manager.clone();
                     tokio::spawn(async move {
                         tokio::time::sleep(std::time::Duration::from_secs(2)).await;
-                        sm.kill_session_processes(session_id, "^claude ", 9).await;
+                        sm.kill_session_processes(session_id, "^claude ", temps_agents::sandbox::KillSignal::Kill).await;
                     });
                     Err(WorkspaceError::AiCliFailed {
                         session_id,
@@ -1014,7 +1027,11 @@ impl MessageExecutor {
         // Nuke every .jsonl in the claude projects dir for this sandbox.
         // We don't know the exact filename, so shotgun-delete them all.
         self.session_manager
-            .kill_session_processes(session_id, "^claude ", 9)
+            .kill_session_processes(
+                session_id,
+                "^claude ",
+                temps_agents::sandbox::KillSignal::Kill,
+            )
             .await;
         let delete_cmd = vec![
             "sh".to_string(),

crates/temps-workspace/src/services/session_manager.rs

@@ -228,7 +228,12 @@ impl WorkspaceSessionManager {
 
     /// Kill processes inside the session's sandbox matching a pattern.
     /// Best-effort: never returns a hard error, just logs.
-    pub async fn kill_session_processes(&self, session_id: i32, pattern: &str, signal: i32) {
+    pub async fn kill_session_processes(
+        &self,
+        session_id: i32,
+        pattern: &str,
+        signal: temps_agents::sandbox::KillSignal,
+    ) {
         let sessions = self.sessions.read().await;
         if let Some(live) = sessions.get(&session_id) {
             let _ = self
@@ -941,7 +946,7 @@ mod tests {
             &self,
             _handle: &SandboxHandle,
             _pattern: &str,
-            _signal: i32,
+            _signal: temps_agents::sandbox::KillSignal,
         ) -> Result<(), AgentError> {
             Ok(())
         }