Harden Oz git credential setup: avoid persistent --global writes and plaintext credential files

[jasonkeung]

Summary

The Oz cloud-agent driver configures git/GitHub auth at runtime in app/src/ai/agent_sdk/driver/git_credentials.rs. setup_git_config() issues persistent git config --global writes (the url.<host>.insteadOf SSH->HTTPS rewrites, credential.helper store, and user identity), and the module also writes plaintext credential files directly under $HOME (~/.git-credentials, ~/.config/gh/hosts.yml). These are documented as one-time config with no cleanup.

Problem

On host-based / self-hosted execution (the oz-agent-worker direct backend, e.g. oz-local), these writes land in and persist in the real home directory: the insteadOf rewrites mutate ~/.gitconfig, and short-lived tokens are written in plaintext to ~/.git-credentials and ~/.config/gh/hosts.yml. In container backends this is harmless (ephemeral home), but on a host it pollutes and can clobber the real git/gh configuration. After warpdotdev/warp-agent-docker#109 lands, the driver becomes the sole writer of these entries across all backends.

Mitigation already in place

oz-agent-worker now sets GIT_CONFIG_GLOBAL to a per-task file for the direct backend, keeping the git config writes (including insteadOf) out of the real ~/.gitconfig: warpdotdev/oz-agent-worker#77. That mitigation intentionally does not cover the plaintext credential files, which still follow $HOME.

Proposed hardening

Move runtime auth to a git credential-helper mode (per the REMOTE-1370 specs) so the driver supplies/refreshes tokens on demand instead of writing persistent --global config and plaintext credential files. This would eliminate both the persistent global writes and the plaintext token files across all execution paths.

References

• Driver: app/src/ai/agent_sdk/driver/git_credentials.rs (setup_git_config, write_git_credentials)
• Worker mitigation: Redirect direct backend git global config to an isolated per-task file oz-agent-worker#77
• Entrypoint cleanup: warpdotdev/warp-agent-docker#109
• Spec: REMOTE-1370 (PRODUCT.md / TECH.md)

Filed via Oz.

[oz-for-oss]

@jasonkeung

Here's what I found while triaging this issue:

Current code confirms that Oz agent Git/GitHub credential setup can persist credential material under the agent user's home directory and relies on global Git configuration. The existing direct/self-hosted backend mitigation appears to cover Git config redirection but not the credential files, so this is actionable hardening work.

Maintainer details

I concluded that oz agent git credential setup currently persists global git configuration and plaintext credential files in the agent user's home directory, which is unsafe for host-based/self-hosted execution..

Triage summary

This is a confirmed Oz agent credential-hardening issue. The current driver uses global git configuration and home-directory credential files for Git/GitHub auth, which can persist beyond a task when host-based or self-hosted execution uses a real home directory.

Evidence

• app/src/ai/agent_sdk/driver/git_credentials.rs writes ~/.git-credentials and ~/.config/gh/hosts.yml using dirs::home_dir(), and the refresh loop overwrites those files periodically.
• The same module calls git config --global for credential.helper store, SSH-to-HTTPS url.*.insteadOf rewrites, and git user identity.
• app/src/ai/agent_sdk/mod.rs fetches task git credentials at setup time, then invokes setup_git_config, configure_git_identity, and write_git_credentials when GitCredentialRefresh is enabled.
• The reported worker-side mitigation can redirect global git config through GIT_CONFIG_GLOBAL, but it does not affect files written directly under $HOME.

Duplicate check

I checked all open issues in warpdotdev/warp plus issues closed in the last 7 days. I did not find two or more existing issues with the same Oz git credential persistence behavior, so this should remain a distinct issue.

Suggested next step

Route this to the Oz/agent runtime owners for a credential-helper based design that avoids persistent global git mutations and plaintext token files in host homes.

This is my automated analysis and may be incorrect. A maintainer will verify the details.

Powered by Oz