Update docs to align with AWF chroot mode (v0.13.1+) (#13758)

Updates sandbox.md, architecture.mdx, and security-architecture-spec.md
to reflect the --enable-chroot mode introduced in commit 578ac0d:

- Replace explicit volume mount tables with chroot filesystem visibility
- Replace utility mount lists with "all host binaries available"
- Replace environment variable category tables with --env-all explanation
- Add GOROOT special case documentation
- Simplify runtime tools section to explain transparent PATH inheritance
- Add chroot-based transparency subsection to architecture
- Update security spec SI-04 through SI-07 requirements

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: Mossaka

docs/src/content/docs/introduction/architecture.mdx

@@ -160,7 +160,11 @@ The SafeOutputs subsystem provides security by design: the agent never requires
 
 ## Agent Workflow Firewall (AWF)
 
-The Agent Workflow Firewall (AWF) provides network egress control at the substrate level. AWF mediates all outbound network requests from the agent, enforcing a domain allowlist that constrains which external endpoints the agent may contact. This mechanism prevents unauthorized data exfiltration and limits the blast radius of a compromised agent to only those domains explicitly permitted by configuration.
+The Agent Workflow Firewall (AWF) enforces network egress control via a domain allowlist, preventing data exfiltration and containing compromised agents to permitted domains.
+
+AWF separates two concerns:
+- **Filesystem**: All host binaries and runtimes accessible; setup actions work transparently
+- **Network**: All traffic routed through proxy enforcing the domain allowlist
 
 ```mermaid
 flowchart TB

docs/src/content/docs/reference/sandbox.md

@@ -78,121 +78,50 @@ network:
     - "api.example.com"
 ```
 
-#### Default Mounted Volumes
-
-AWF automatically mounts several paths from the host into the container to enable agent functionality:
-
-| Host Path | Container Path | Mode | Purpose |
-|-----------|----------------|------|---------|
-| `/tmp` | `/tmp` | `rw` | Temporary files and cache |
-| `${HOME}/.cache` | `${HOME}/.cache` | `rw` | Build caches (Go, npm, etc.) |
-| `${GITHUB_WORKSPACE}` | `${GITHUB_WORKSPACE}` | `rw` | Repository workspace directory |
-| `/opt/hostedtoolcache` | `/opt/hostedtoolcache` | `ro` | Runtimes (Node.js, Python, Go, Ruby, Java) |
-| `/opt/gh-aw` | `/opt/gh-aw` | `ro` | Script and configuration files |
-| `/usr/local/bin/copilot` | `/usr/local/bin/copilot` | `ro` | Copilot CLI binary |
-| `/home/runner/.copilot` | `/home/runner/.copilot` | `rw` | Copilot configuration and state |
-
-These default mounts ensure the agent has access to essential tools and the repository files. Custom mounts specified via `sandbox.agent.mounts` are added alongside these defaults.
-
-#### Mounted System Utilities
-
-AWF mounts common system utilities from the host into the container as read-only binaries. These utilities are frequently used in workflow scripts and are organized by priority:
-
-**Essential Utilities** (most commonly used):
-
-| Utility | Purpose |
-|---------|---------|
-| `cat` | Display file contents |
-| `curl` | HTTP client for API calls |
-| `date` | Date/time operations |
-| `find` | Locate files by pattern |
-| `gh` | GitHub CLI operations |
-| `grep` | Pattern matching |
-| `jq` | JSON processing |
-| `yq` | YAML processing |
-
-**Common Utilities** (frequently used for file operations):
-
-| Utility | Purpose |
-|---------|---------|
-| `cp` | Copy files |
-| `cut` | Extract text columns |
-| `diff` | Compare files |
-| `head` | Display file start |
-| `ls` | List directory contents |
-| `mkdir` | Create directories |
-| `rm` | Remove files |
-| `sed` | Stream text editing |
-| `sort` | Sort text lines |
-| `tail` | Display file end |
-| `wc` | Count lines/words |
-| `which` | Locate commands |
-
-All utilities are mounted read-only (`:ro`) from `/usr/bin/` on the host. They execute on the read-write workspace directory inside the container.
-
-> [!TIP]
-> Available Utilities
-> Run `which jq` or `jq --version` in your workflow to verify utility availability. The agent has access to all mounted utilities without additional setup.
+#### Chroot Mode
+
+AWF v0.13.1+ uses **chroot mode** (`--enable-chroot`) to provide transparent host filesystem access while maintaining network isolation via iptables. This eliminates explicit volume mounts and environment variable configuration.
+
+```text
+┌─────────────────────────────────────────────┐
+│  AWF Container (chroot)                     │
+│  • Full filesystem visibility               │
+│  • All host binaries available              │
+│  • Network: RESTRICTED via iptables/Squid   │
+└─────────────────────┬───────────────────────┘
+                      ▼
+              Allowed domains only
+```
 
-> [!WARNING]
-> Docker socket access is not supported for security
-> reasons. The agent firewall does not mount
-> `/var/run/docker.sock`, and custom mounts cannot add
-> it, preventing agents from spawning Docker
-> containers.
-
-#### Mirrored Environment Variables
-
-AWF automatically mirrors essential environment variables from the GitHub Actions runner into the agent container. This ensures compatibility with workflows that depend on runner-provided tool paths.
-
-The following environment variables are mirrored (if they exist on the host):
-
-| Category | Environment Variables |
-|----------|----------------------|
-| **Java** | `JAVA_HOME`, `JAVA_HOME_8_X64`, `JAVA_HOME_11_X64`, `JAVA_HOME_17_X64`, `JAVA_HOME_21_X64`, `JAVA_HOME_25_X64` |
-| **Android** | `ANDROID_HOME`, `ANDROID_SDK_ROOT`, `ANDROID_NDK`, `ANDROID_NDK_HOME`, `ANDROID_NDK_ROOT`, `ANDROID_NDK_LATEST_HOME` |
-| **Browsers** | `CHROMEWEBDRIVER`, `EDGEWEBDRIVER`, `GECKOWEBDRIVER`, `SELENIUM_JAR_PATH` |
-| **Package Managers** | `CONDA`, `VCPKG_INSTALLATION_ROOT`, `PIPX_HOME`, `PIPX_BIN_DIR`, `GEM_HOME`, `GEM_PATH` |
-| **Go** | `GOPATH`, `GOROOT` |
-| **.NET** | `DOTNET_ROOT` |
-| **Rust** | `CARGO_HOME`, `RUSTUP_HOME` |
-| **Node.js** | `NVM_DIR` |
-| **Homebrew** | `HOMEBREW_PREFIX`, `HOMEBREW_CELLAR`, `HOMEBREW_REPOSITORY` |
-| **Swift** | `SWIFT_PATH` |
-| **Azure** | `AZURE_EXTENSION_DIR` |
+#### Filesystem Access
 
-> [!NOTE]
-> Environment Variable Handling
-> Variables are only passed to the container if they exist on the host runner. Missing variables are silently ignored, ensuring workflows work across different runner configurations.
+AWF chroot mode makes the host filesystem visible inside the container with appropriate permissions:
 
-#### Runtime Tools (hostedtoolcache)
+| Path Type | Mode | Examples |
+|-----------|------|----------|
+| User paths | Read-write | `$HOME`, `$GITHUB_WORKSPACE`, `/tmp` |
+| System paths | Read-only | `/usr`, `/opt`, `/bin`, `/lib` |
+| Docker socket | Hidden | `/var/run/docker.sock` (security) |
 
-AWF mounts the `/opt/hostedtoolcache` directory from the GitHub Actions runner, providing access to all runtimes installed via `actions/setup-*` steps. This directory contains pre-installed and dynamically-installed versions of popular development tools.
+Custom mounts can still be added via `sandbox.agent.mounts` for paths that need different permissions.
 
-**Available Runtimes:**
+#### Host Binaries
 
-| Runtime | Setup Action | Example Versions |
-|---------|-------------|------------------|
-| **Node.js** | `actions/setup-node` | 18.x, 20.x, 22.x |
-| **Python** | `actions/setup-python` | 3.9, 3.10, 3.11, 3.12, 3.13, 3.14 |
-| **Go** | `actions/setup-go` | 1.22.x, 1.23.x, 1.24.x, 1.25.x |
-| **Ruby** | `ruby/setup-ruby` | 3.2, 3.3, 3.4 |
-| **Java** | `actions/setup-java` | 8, 11, 17, 21, 25 |
+All host binaries are available without explicit mounts: system utilities, `gh`, language runtimes, build tools, and anything installed via `apt-get` or setup actions. Verify with `which <tool>`.
 
-**PATH Integration:**
+> [!WARNING]
+> Docker socket is hidden for security. Agents cannot spawn containers.
 
-All runtime binaries are automatically added to PATH inside the agent container. The PATH is configured using a dynamic `find` command that discovers all `bin` directories within `/opt/hostedtoolcache`:
+#### Environment Variables
 
-```bash
-# PATH includes all hostedtoolcache binaries
-export PATH="$(find /opt/hostedtoolcache -maxdepth 4 -type d -name bin 2>/dev/null | tr '\n' ':')$PATH"
-```
+AWF passes all environment variables via `--env-all`. The host `PATH` is captured as `AWF_HOST_PATH` and restored inside the container, preserving setup action tool paths.
 
-**Version Priority:**
+> [!NOTE]
+> Go's "trimmed" binaries require `GOROOT`—AWF automatically captures it after `actions/setup-go`.
 
-When multiple versions of a runtime are installed, versions configured by `actions/setup-*` take precedence. The agent detects which specific version is active by reading environment variables like `GOROOT`, `JAVA_HOME`, and ensures that version's binaries appear first in PATH.
+#### Runtime Tools
 
-**Using Runtimes in Workflows:**
+Setup actions work transparently. Runtimes update `PATH`, which AWF captures and restores inside the container.
 
 ```yaml wrap
 ---
@@ -207,13 +136,9 @@ jobs:
           python-version: '3.12'
 ---
 
-Use `go build` or `python3` in your workflow - both are available!
+Use `go build` or `python3` - both are available.
 ```
 
-> [!TIP]
-> Verify Runtime Availability
-> Use `node --version`, `python3 --version`, `go version`, or `ruby --version` in your workflow to confirm runtime availability. The agent automatically inherits all runtimes configured by setup actions.
-
 #### Custom AWF Configuration
 
 Use custom commands, arguments, and environment variables to replace the standard AWF installation with a custom setup:

specs/security-architecture-spec.md

@@ -651,26 +651,19 @@ The sandbox isolation layer provides process-level and container-level isolation
 
 **SI-04**: The AWF sandbox MUST provide:
 - Container-based process isolation
-- Network egress control via iptables
-- Domain-based allowlisting
-- Mounted volumes for workspace access
-- Mounted system utilities (read-only)
+- Network egress control via iptables and domain-based allowlisting
+- Chroot-based filesystem transparency (all host binaries accessible, no explicit mounts)
+- Hidden Docker socket for security
+- Automatic environment variable inheritance via `--env-all`
+- Capability drop post-setup (CAP_NET_ADMIN, CAP_SYS_CHROOT)
 
-**SI-05**: AWF MUST mount the following volumes by default:
+**SI-05**: AWF chroot mode MUST enforce this filesystem access model:
 
-| Host Path | Container Path | Mode | Purpose |
-|-----------|----------------|------|---------|
-| `/tmp` | `/tmp` | `rw` | Temporary files |
-| `${HOME}/.cache` | `${HOME}/.cache` | `rw` | Build caches |
-| `${GITHUB_WORKSPACE}` | `${GITHUB_WORKSPACE}` | `rw` | Repository workspace |
-| `/opt/hostedtoolcache` | `/opt/hostedtoolcache` | `ro` | Runtimes (Node, Python, Go) |
-| `/opt/gh-aw` | `/opt/gh-aw` | `ro` | Scripts and configs |
-
-**SI-06**: AWF MUST mount common system utilities as read-only binaries:
-- Essential: `cat`, `curl`, `date`, `find`, `gh`, `grep`, `jq`, `yq`
-- Common: `cp`, `cut`, `diff`, `head`, `ls`, `mkdir`, `rm`, `sed`, `sort`, `tail`, `wc`
-
-**SI-07**: AWF MUST NOT mount Docker socket (`/var/run/docker.sock`) for security reasons.
+| Path Type | Mode | Examples |
+|-----------|------|----------|
+| User paths | Read-write | `$HOME`, `$GITHUB_WORKSPACE`, `/tmp` |
+| System paths | Read-only | `/usr`, `/opt`, `/bin`, `/lib` |
+| Docker socket | Hidden | `/var/run/docker.sock` |
 
 ### 8.4 MCP Server Sandbox
 
@@ -688,23 +681,21 @@ The sandbox isolation layer provides process-level and container-level isolation
 - Be scanned for vulnerabilities
 - Have SBOMs tracked
 
-### 8.5 Environment Variable Mirroring
-
-**SI-11**: The implementation SHOULD mirror essential environment variables from the host to the agent container:
-- Language toolchain paths (JAVA_HOME, GOROOT, etc.)
-- Package manager paths (PIPX_HOME, GEM_HOME, etc.)
-- Browser driver paths (CHROMEWEBDRIVER, etc.)
+### 8.5 Environment Variable Inheritance
 
-**SI-12**: Undefined environment variables MUST be silently ignored (no errors).
+**SI-06**: AWF MUST pass all environment variables via `--env-all` and implement PATH inheritance:
+- Host `PATH` captured as `AWF_HOST_PATH` and restored inside container
+- `GOROOT` explicitly captured after `actions/setup-go` (Go's trimmed binaries require it)
+- Undefined variables silently ignored
 
 ### 8.6 Sandbox Guarantees
 
-**SI-13**: The sandbox isolation layer MUST guarantee:
-- Agent processes cannot access host filesystem outside mounted volumes
-- Agent processes cannot spawn Docker containers
-- Agent processes have network access only to allowed domains
-- MCP servers execute in separate, isolated containers
-- MCP servers have independent network allowlists
+**SI-07**: The sandbox isolation layer MUST guarantee:
+- Read-only system paths, read-write user paths only (`$HOME`, `$GITHUB_WORKSPACE`, `/tmp`)
+- No Docker socket access
+- Network access only to allowed domains (iptables enforcement independent of chroot)
+- MCP servers in isolated containers with independent network allowlists
+- Defense in depth: filesystem visibility (chroot) and network isolation (iptables) remain separate layers
 
 ---
 
@@ -1046,12 +1037,12 @@ A conforming implementation MUST provide a compliance test suite covering all MU
 #### 12.2.5 Sandbox Isolation Tests
 
 - **T-SI-001**: Verify agent sandbox type support (AWF, SRT)
-- **T-SI-002**: Verify AWF default volume mounts
-- **T-SI-003**: Verify AWF system utility mounts
-- **T-SI-004**: Verify Docker socket denial
-- **T-SI-005**: Verify MCP server container isolation
-- **T-SI-006**: Verify MCP server security profile (non-root, dropped caps)
-- **T-SI-007**: Verify environment variable mirroring
+- **T-SI-002**: Verify AWF chroot filesystem visibility and access model
+- **T-SI-003**: Verify Docker socket hidden from chroot
+- **T-SI-004**: Verify `--env-all` and `AWF_HOST_PATH` mechanism
+- **T-SI-005**: Verify GOROOT capture for Go runtime
+- **T-SI-006**: Verify MCP server container isolation
+- **T-SI-007**: Verify network isolation independent of chroot
 
 #### 12.2.6 Threat Detection Tests