[ACTP] PAR: redesign rshell allow-list contract (sentinel defaults)

[julesmcrt]

What does this PR do?

Replaces the three-way nil / [] / [X] slice contract for the operator-side allow-lists with a uniform "always intersect" contract using sentinel defaults:

• allowed_paths default is ["/"]. pathContains("/", X) is true for any absolute path, so the intersection passes the backend list through when the operator hasn't narrowed.
• allowed_commands default is ["rshell:*"]. The wildcard token is a special case in the operator-side intersection: when present, every backend entry in the rshell: namespace is admitted (scoped via onlyRshellPrefixedCommands).

The IsConfigured gate and the handler's nil-pass-through bypass are gone. End-user behavior is preserved on every axis:

Operator config	Effective list
Unset (sentinel default)	Backend list as-is
Explicit []	Kill-switch (empty)
Explicit non-empty	Narrowed intersection

Helper extraction

Pure path utilities moved to a new helper.go:

• cleanPathList, reducePathListToBroadest, intersectPathLists, commonPath — containment-aware path matching with normalized canonical forms.
• onlyRshellPrefixedCommands — namespace scoping for the wildcard branch.

Comprehensive unit tests in helper_test.go cover every helper plus property tests (idempotence, order-independence) for reducePathListToBroadest.

Stacked on top of #49948 (PR2 in the split)

This is PR3 of 4 splitting #49825. Base: PR2 branch. Will retarget after PR1+PR2 land.

Describe how you validated your changes

• 425 tests pass across pkg/privateactionrunner/adapters/config, pkg/privateactionrunner/bundles/remoteaction/rshell, and pkg/config/setup. Linter clean.
• New helper_test.go covers: commonPath (every shape), cleanPathList (incl. dot-segment edge cases), reducePathListToBroadest (incl. multi-domination + idempotence + order-independence), intersectPathLists (incl. multi-pair containment regression cases), onlyRshellPrefixedCommands (incl. wildcard token / bare rshell / rshell: alone).
• Updated handler matrices in run_command_test.go use the sentinels for the pass-through case and pin the kill-switch / containment / namespace-required scenarios.

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b4ef4305be

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Update config docs for sentinel rshell defaults

This changes the user-visible default for private_action_runner.restricted_shell.allowed_paths (and the command default just below), but the generated config documentation/schema was not updated: pkg/config/schema/core_schema.yaml still advertises restricted_shell_allowed_paths with default /var/log and there is no documented allowed_commands sentinel. Operators relying on the generated docs will configure or audit the rshell allow-list against the old contract, so the docs/schema should be updated in the same change.

Useful? React with 👍 / 👎.

[datadog-official]

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 50.21% (+0.00%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: b4ef430 | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor c1888d89:

Results for datadog-agent_7.80.0~devel.git.265.b4ef430.pipeline.109973441-1_amd64.deb:

No change detected

[dd-octo-sts]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor c1888d8
📊 Static Quality Gates Dashboard
🔗 SQG Job

Successful checks

Info

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	+8.0 KiB (0.00% increase)	738.997 → 739.005 → 750.310
✅	agent_msi	+10.5 KiB (0.00% increase)	604.157 → 604.167 → 620.770
✅	agent_rpm_amd64	+8.0 KiB (0.00% increase)	738.980 → 738.988 → 750.280
✅	agent_rpm_arm64	+8.0 KiB (0.00% increase)	717.073 → 717.081 → 724.050
✅	agent_suse_amd64	+8.0 KiB (0.00% increase)	738.980 → 738.988 → 750.280
✅	agent_suse_arm64	+8.0 KiB (0.00% increase)	717.073 → 717.081 → 724.050
✅	docker_agent_amd64	+8.0 KiB (0.00% increase)	799.455 → 799.463 → 805.870
✅	docker_agent_arm64	+8.0 KiB (0.00% increase)	802.357 → 802.365 → 809.730
✅	docker_agent_jmx_amd64	+8.0 KiB (0.00% increase)	990.375 → 990.382 → 996.590
✅	docker_agent_jmx_arm64	+8.01 KiB (0.00% increase)	982.055 → 982.063 → 989.410

21 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_deb_amd64_fips	697.423 MiB
✅	agent_heroku_amd64	309.103 MiB
✅	agent_rpm_amd64_fips	697.407 MiB
✅	agent_rpm_arm64_fips	678.532 MiB
✅	agent_suse_amd64_fips	697.407 MiB
✅	agent_suse_arm64_fips	678.532 MiB
✅	docker_cluster_agent_amd64	206.269 MiB
✅	docker_cluster_agent_arm64	220.383 MiB
✅	docker_cws_instrumentation_amd64	7.142 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_amd64	39.347 MiB
✅	docker_dogstatsd_arm64	37.565 MiB
✅	dogstatsd_deb_amd64	30.001 MiB
✅	dogstatsd_deb_arm64	28.142 MiB
✅	dogstatsd_rpm_amd64	30.001 MiB
✅	dogstatsd_suse_amd64	30.001 MiB
✅	iot_agent_deb_amd64	44.372 MiB
✅	iot_agent_deb_arm64	41.361 MiB
✅	iot_agent_deb_armhf	42.097 MiB
✅	iot_agent_rpm_amd64	44.373 MiB
✅	iot_agent_suse_amd64	44.373 MiB

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	-43.61 KiB (0.02% reduction)	174.984 → 174.942 → 179.160
✅	agent_deb_amd64_fips	-20.41 KiB (0.01% reduction)	166.645 → 166.625 → 174.440
✅	agent_heroku_amd64	neutral	74.910 MiB → 80.310
✅	agent_msi	+16.0 KiB (0.01% increase)	139.270 → 139.285 → 147.550
✅	agent_rpm_amd64	-17.86 KiB (0.01% reduction)	176.944 → 176.926 → 182.080
✅	agent_rpm_amd64_fips	+48.04 KiB (0.03% increase)	168.007 → 168.053 → 174.140
✅	agent_rpm_arm64	+6.67 KiB (0.00% increase)	159.252 → 159.258 → 163.610
✅	agent_rpm_arm64_fips	-12.68 KiB (0.01% reduction)	151.449 → 151.436 → 156.850
✅	agent_suse_amd64	-17.86 KiB (0.01% reduction)	176.944 → 176.926 → 182.080
✅	agent_suse_amd64_fips	+48.04 KiB (0.03% increase)	168.007 → 168.053 → 174.140
✅	agent_suse_arm64	+6.67 KiB (0.00% increase)	159.252 → 159.258 → 163.610
✅	agent_suse_arm64_fips	-12.68 KiB (0.01% reduction)	151.449 → 151.436 → 156.850
✅	docker_agent_amd64	+20.89 KiB (0.01% increase)	267.115 → 267.135 → 272.990
✅	docker_agent_arm64	+16.4 KiB (0.01% increase)	254.142 → 254.158 → 261.470
✅	docker_agent_jmx_amd64	+16.66 KiB (0.00% increase)	335.778 → 335.794 → 341.610
✅	docker_agent_jmx_arm64	+22.55 KiB (0.01% increase)	318.782 → 318.804 → 326.050
✅	docker_cluster_agent_amd64	+2.84 KiB (0.00% increase)	72.297 → 72.300 → 73.460
✅	docker_cluster_agent_arm64	neutral	67.763 MiB → 68.680
✅	docker_cws_instrumentation_amd64	neutral	2.999 MiB → 3.330
✅	docker_cws_instrumentation_arm64	neutral	2.729 MiB → 3.090
✅	docker_dogstatsd_amd64	neutral	15.229 MiB → 15.870
✅	docker_dogstatsd_arm64	-7.4 KiB (0.05% reduction)	14.549 → 14.542 → 14.890
✅	dogstatsd_deb_amd64	neutral	7.935 MiB → 8.830
✅	dogstatsd_deb_arm64	neutral	6.818 MiB → 7.750
✅	dogstatsd_rpm_amd64	neutral	7.945 MiB → 8.840
✅	dogstatsd_suse_amd64	neutral	7.945 MiB → 8.840
✅	iot_agent_deb_amd64	neutral	11.676 MiB → 13.210
✅	iot_agent_deb_arm64	neutral	9.981 MiB → 11.620
✅	iot_agent_deb_armhf	neutral	10.187 MiB → 11.780
✅	iot_agent_rpm_amd64	neutral	11.694 MiB → 13.230
✅	iot_agent_suse_amd64	neutral	11.694 MiB → 13.230