🛡️ Sentinel: [HIGH] Enforce centralized process environment isolation

[fritzprix]

🛡️ Sentinel: Enforce centralized process environment isolation

🚨 Severity: HIGH
💡 Vulnerability: Scattered manual environment clearing and looping over whitelist variables could lead to bypasses of the central isolation logic, exposing host secrets (e.g. OPENAI_API_KEY) to child processes.
🎯 Impact: Untrusted code or tools could access environment variables if the manual isolation logic diverges from the centralized rules.
🔧 Fix: Replaced all scattered implementations with the standardized crate::utils::env::apply_isolated_env and apply_isolated_env_async helpers.
✅ Verification: Ran cargo check and cargo test --tests to verify successful compilation and that process behavior remains functionally correct while adhering to the new code requirement.

---

PR created automatically by Jules for task 125451657414619863 started by @fritzprix

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[Copilot]

Pull request overview

Centralizes subprocess environment isolation across the Rust backend by replacing scattered env_clear() + whitelist loops with the standardized crate::utils::env::apply_isolated_env / apply_isolated_env_async helpers, reducing the risk of future divergence that could leak host secrets to child processes.

Changes:

• Replaced manual env scrubbing/whitelisting with apply_isolated_env / apply_isolated_env_async in multiple process-spawning paths.
• Updated the stdio manager “design verification” test to assert usage of the centralized helper.
• Documented the new enforcement rule in .jules/sentinel.md.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
src-tauri/src/utils/platform.rs	Uses centralized env isolation when probing command existence.
src-tauri/src/mcp/session_isolation/stdio_manager/tests.rs	Updates test expectation to look for apply_isolated_env_async.
src-tauri/src/mcp/session_isolation/stdio_manager/lifecycle.rs	Uses centralized async env isolation before applying per-server env.
src-tauri/src/mcp/server/lifecycle.rs	Uses centralized async env isolation in stdio server startup.
src-tauri/src/mcp/builtin/workspace/persistent_shell/session.rs	Uses centralized async env isolation for persistent shell spawn.
src-tauri/src/mcp/builtin/bootstrap/platform.rs	Uses centralized env isolation for tool/version/path detection commands.
.jules/sentinel.md	Adds a Sentinel entry documenting the centralized isolation enforcement rule.

[Copilot]

The test is now only checking source.contains("apply_isolated_env_async"), which can produce false positives (e.g., if the string appears in a comment or unrelated code). Since this test is meant to prevent security regressions, make the assertion more specific (e.g., require crate::utils::env::apply_isolated_env_async and/or the exact call on cmd) and update the test name/message to match the new expectation (it no longer verifies env_clear).