feat: mount /usr/lib shared libraries for AWF container utilities

[Copilot]

Warning

GitHub's Secret Scanning detected potential secrets in the added content. We attempted to remediate the issue by updating the code or redacting.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[plan] Implement selective /usr/lib mounting for shared libraries</issue_title>
<issue_description>## Objective

Design and implement a mechanism to mount essential shared libraries from /usr/lib into the agent container to support utilities that depend on system libraries.

Context

The agent container currently mounts specific binaries from /usr/bin, but many utilities depend on shared libraries in /usr/lib and /usr/lib/x86_64-linux-gnu. Without these libraries, some utilities may fail with "library not found" errors.

Approach

1. Identify which mounted /usr/bin utilities require shared libraries (use ldd command)
2. Create a helper function to determine library dependencies for a given binary
3. Design a mounting strategy:
   • Option A: Mount entire /usr/lib (simple but large)
   • Option B: Mount only required library directories (more selective)
   • Option C: Copy required libraries to a shared location
4. Implement the chosen strategy in the engine files (copilot_engine_execution.go, claude_engine.go, codex_engine.go)
5. Add tests to verify library mounting works correctly

Files to Modify

• Modify: pkg/workflow/copilot_engine_execution.go (add library mounts)
• Modify: pkg/workflow/claude_engine.go (add library mounts)
• Modify: pkg/workflow/codex_engine.go (add library mounts)
• Create: pkg/workflow/library_mounts.go (shared library mounting logic)
• Create: pkg/workflow/library_mounts_test.go (test library detection)

Acceptance Criteria

• Shared library dependencies are correctly identified for all mounted binaries
• Library mounting mechanism works across all engine types (copilot, claude, codex)
• Tests verify that mounted binaries can execute successfully
• Documentation explains the library mounting approach and tradeoffs
• Implementation minimizes security surface area (avoid mounting unnecessary libraries)
  Related to epic: build/test environment for agentic workflow #11970

AI generated by Plan Command for #11970

Comments on the Issue (you are @copilot in this section)

• Fixes [plan] Implement selective /usr/lib mounting for shared libraries #11972

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[github-actions]

🔍 PR Triage Results

Category: feature | Risk: high | Priority: 45/100

Scores Breakdown

• Impact: 30/50 - New feature - enhances capabilities
• Urgency: 5/30 - Recent PR
• Quality: 10/20 - CI status unknown

📋 Recommended Action: batch_review

This PR mounts essential shared libraries (/usr/lib and /lib) into the AWF agent container to support utilities that depend on system libraries.

Implementation:

• New library_mounts.go module with centralized mount configuration
• Updates all three engines (Copilot, Claude, Codex)
• Read-only selective directory mounting for security

Risk: High due to scope (142 files changed) and security implications of library mounting, but necessary for utility functionality.

Related PRs: Builds on #12062 (binary mounting) and enables #12130 (parity tests).

---

Triaged by PR Triage Agent on 2026-01-28T00:34:49Z

AI generated by PR Triage Agent

[Mossaka]

@copilot merge origin/main and regenerate

[Copilot]

Pull request overview

This PR ensures mounted /usr/bin utilities (e.g., curl, jq, grep) work inside AWF containers by also mounting the host shared-library directories they depend on.

Changes:

• Added centralized helper functions to provide consistent binary + shared-library mount args.
• Updated Copilot/Claude/Codex engines to use the centralized mount configuration.
• Updated generated workflow “lock” YAMLs to include the new shared-library mounts in AWF invocations.

Reviewed changes

Copilot reviewed 142 out of 142 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/workflow/library_mounts.go	Introduces shared helper functions for /usr/bin and library-directory mounts.
pkg/workflow/copilot_engine_execution.go	Replaces inline utility mounts with centralized helper output.
pkg/workflow/claude_engine.go	Adds centralized utility + library mounts for Claude engine AWF execution.
pkg/workflow/codex_engine.go	Adds centralized utility + library mounts for Codex engine AWF execution.
.github/workflows/workflow-health-manager.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/workflow-generator.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/terminal-stylist.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/technical-doc-writer.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/super-linter.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/sub-issue-closer.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/smoke-codex.lock.yml	Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow.
.github/workflows/security-review.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/security-fix-pr.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/security-compliance.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/secret-scanning-triage.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/repository-quality-improver.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/repo-tree-map.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/repo-audit-analyzer.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/q.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/pr-triage-agent.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/pr-nitpick-reviewer.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/portfolio-analyst.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/poem-bot.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/plan.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/pdf-summary.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/notion-issue-summary.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/metrics-collector.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/issue-triage-agent.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/issue-monster.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/issue-arborist.lock.yml	Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow.
.github/workflows/grumpy-reviewer.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/github-remote-mcp-auth-test.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/example-permissions-warning.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/example-custom-error-patterns.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/duplicate-code-detector.lock.yml	Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow.
.github/workflows/dictation-prompt.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/dev.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/dependabot-go-checker.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/dependabot-bundler.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/deep-report.lock.yml	Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow.
.github/workflows/daily-team-status.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/daily-semgrep-scan.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/daily-secrets-analysis.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/daily-regulatory.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/daily-performance-summary.lock.yml	Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow.
.github/workflows/daily-observability-report.lock.yml	Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow.
.github/workflows/daily-issues-report.lock.yml	Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow.
.github/workflows/daily-firewall-report.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/daily-fact.lock.yml	Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow.
.github/workflows/daily-assign-issue-to-user.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/craft.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/copilot-pr-merged-report.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/codex-github-remote-mcp-test.lock.yml	Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow.
.github/workflows/code-simplifier.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/code-scanning-fixer.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/ci-doctor.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/ci-coach.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/chroma-issue-indexer.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/changeset.lock.yml	Adds /usr/bin/* and shared-library mounts to AWF command in locked workflow.
.github/workflows/brave.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/archie.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/ai-moderator.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/agent-persona-explorer.lock.yml	Adds shared-library mounts to AWF command in locked workflow.
.github/workflows/agent-performance-analyzer.lock.yml	Adds shared-library mounts to AWF command in locked workflow.

Comments suppressed due to low confidence (5)

pkg/workflow/library_mounts.go:1

• These mount paths are hard-coded for Debian/Ubuntu x86_64 multiarch layouts. On other architectures (e.g., arm64) or distros (e.g., lib64 layouts), these directories may not exist, causing mounted utilities to still fail (or the container invocation to fail if AWF requires the source path to exist). Consider selecting library directories based on runtime.GOARCH/platform conventions and/or making the mounted library roots configurable (e.g., via a config/env override), while defaulting to the current Ubuntu runner paths.
  pkg/workflow/library_mounts.go:1
• These mount paths are hard-coded for Debian/Ubuntu x86_64 multiarch layouts. On other architectures (e.g., arm64) or distros (e.g., lib64 layouts), these directories may not exist, causing mounted utilities to still fail (or the container invocation to fail if AWF requires the source path to exist). Consider selecting library directories based on runtime.GOARCH/platform conventions and/or making the mounted library roots configurable (e.g., via a config/env override), while defaulting to the current Ubuntu runner paths.
  pkg/workflow/library_mounts.go:1
• Building the mount arg list via many append calls is verbose and easy to drift when updating the list. Consider defining the mount specs in a []string (or a small table of paths) and generating the []string{\"--mount\", spec, ...} output in a short loop, or returning a []string literal directly. This reduces duplication and makes future edits less error-prone.
  pkg/workflow/library_mounts.go:1
• Mounting entire system library directories into the sandbox increases the exposed host surface area compared to mounting only the specific .so files required by the mounted utilities. If the intent is to keep mounts as selective as possible, consider deriving a minimal allowlist of required shared libraries (e.g., from the known mounted binaries’ dependency graph) and mounting only those files (still read-only), rather than whole directories.
  pkg/workflow/library_mounts.go:1
• Mounting entire system library directories into the sandbox increases the exposed host surface area compared to mounting only the specific .so files required by the mounted utilities. If the intent is to keep mounts as selective as possible, consider deriving a minimal allowlist of required shared libraries (e.g., from the known mounted binaries’ dependency graph) and mounting only those files (still read-only), rather than whole directories.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

@copilot merge origin/main and regenerate

Merged origin/main and regenerated all lock files. The commit 13b65ae includes the merge with all 141 workflows recompiled with the library mounts.

[github-actions]

🔍 PR Triage Results

Category: feature | Risk: high | Priority: 42/100

Scores Breakdown

• Impact: 30/50 - New feature enhances AWF container capabilities with shared library mounting
• Urgency: 5/30 - PR is 11 hours old, standard urgency
• Quality: 7/20 - Draft status, large changeset (24,049 lines changed across 239 files)

📋 Recommended Action: defer

Rationale: This is a high-risk PR that implements selective /usr/lib mounting for shared libraries needed by container utilities. The massive changeset (15,422 additions, 8,627 deletions across 239 files) requires careful review. Should remain deferred until out of draft and CI validation is complete. Security implications of library mounting need thorough assessment.

Next steps: Mark as ready for review when CI is stable, security review is complete, and the scope of file changes is explained.

---

Triaged by PR Triage Agent on 2026-01-28

AI generated by PR Triage Agent

[github-actions]

🔍 PR Triage Results

Category: feature | Risk: high | Priority: 47/100

Scores Breakdown

• Impact: 35/50 - Container infrastructure improvement with significant technical impact
• Urgency: 7/30 - Standard feature development timeline
• Quality: 5/20 - Needs comprehensive description and testing documentation

📋 Recommended Action: batch_review

This PR is part of batch-feature-high (6 PRs) - high-risk feature additions requiring careful review. Container modifications need thorough security and compatibility review.

Batch PRs: #12322, #12321, #12320, #12311, #12130, #12085

---

Triaged by PR Triage Agent on 2026-01-28T18:16:26Z

AI generated by PR Triage Agent

[github-actions]

🛡️ Security Posture Analysis

This PR contains changes that expand the security boundary of the AWF container. Please review the following concern:

🟠 High: Sandbox Weakening - Broad Library Directory Mounting

Location: pkg/workflow/library_mounts.go:36-41

Change Detected:

+func GetLibraryMountArgs() []string {
+	var args []string
+
+	// Mount the primary x86_64 library directory (contains most shared libraries)
+	args = append(args, "--mount", "/usr/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:ro")
+	args = append(args, "--mount", "/lib/x86_64-linux-gnu:/lib/x86_64-linux-gnu:ro")
+
+	return args
+}

Security Impact: This change mounts two entire library directories into the AWF container, significantly expanding the attack surface:

1. Increased Attack Surface: Instead of mounting only the specific binaries needed (as was done before), this now exposes potentially hundreds of shared libraries (.so files) to the agent container
2. Untrusted Code Exposure: These directories contain system libraries that were not designed to be exposed to potentially untrusted agent code
3. Scope Creep: While the stated goal is to support specific utilities (curl, grep, sed, jq), mounting entire directories provides access to far more libraries than necessary
4. Read-Only is Insufficient: While the :ro flag prevents modification, malicious agents could still:
   • Discover and exploit vulnerabilities in exposed libraries
   • Use libraries for unintended purposes (e.g., network libraries, crypto libraries)
   • Perform reconnaissance on the host system's library versions

Applied to All Engines: This change affects copilot, claude, and codex engines (see copilot_engine_execution.go:282, claude_engine.go:314, codex_engine.go:228)

Recommendation: Consider a more selective approach:

1. Option A - Selective Library Mounting: Use ldd to identify the exact libraries needed by the mounted binaries and mount only those specific files

   # Example: Identify curl dependencies
   ldd /usr/bin/curl
   # Then mount only: libcurl.so.4, libz.so.1, etc.

2. Option B - Copy Libraries: Copy only required libraries to a dedicated directory (e.g., /tmp/gh-aw/libs/) instead of mounting the entire system library directories

3. Option C - Justification: If the broad mounting is intentional and necessary, add clear documentation explaining:

   • Why selective mounting was not feasible
   • What security analysis was performed
   • What compensating controls are in place

---

Summary

Category	Severity	Count
Sandbox Weakening	🟠 High	1

Note: This is an automated security analysis. The change may be justified for operational reasons, but it does represent a measurable expansion of the security boundary. Please ensure this tradeoff has been reviewed and approved by the security team.

AI generated by Security Guard Agent 🛡️

[github-actions]

🛡️ Security Posture Analysis

This PR contains changes that expand the security boundary of the AWF sandbox. Please review the following concern:

🟠 Sandbox Boundary Expansion: Library Directory Mounts

Location: pkg/workflow/library_mounts.go:32-42

Change Detected:

+func GetLibraryMountArgs() []string {
+	var args []string
+
+	// Mount the primary x86_64 library directory (contains most shared libraries)
+	// This includes libraries like libcurl.so, libz.so, libpcre.so, libjq.so, etc.
+	args = append(args, "--mount", "/usr/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:ro")
+
+	// Mount the alternative library location for core system libraries
+	// Some utilities may link against libraries in this directory
+	args = append(args, "--mount", "/lib/x86_64-linux-gnu:/lib/x86_64-linux-gnu:ro")
+
+	return args
+}

Security Impact:

This change mounts entire system library directories into the AWF container, significantly expanding the attack surface:

1. Massive exposure increase: Instead of mounting specific required libraries, this exposes ALL shared libraries in /usr/lib/x86_64-linux-gnu and /lib/x86_64-linux-gnu (potentially thousands of .so files)

2. Principle of least privilege violation: The mounted binaries (cat, curl, grep, jq, etc.) only need a subset of libraries, but this approach grants access to the entire library ecosystem

3. Exploitable library surface: Any vulnerability in ANY library in these directories becomes potentially exploitable, not just those actively used by mounted utilities

4. Differs from binary approach: The binary mounts use an explicit allowlist (curated list of 20 essential utilities), but library mounts expose everything

Mitigating factors:

• ✅ All library mounts are read-only (:ro flag)
• ✅ Binary access is still explicitly controlled
• ✅ Comprehensive test coverage included
• ✅ Change addresses a real issue ([plan] Implement selective /usr/lib mounting for shared libraries #11972 - utilities failing with "library not found")

Recommendation:

Consider a more selective approach that aligns with the security philosophy used for binaries:

Option A - Selective library mounting (Preferred):

• Use ldd to determine exact library dependencies of mounted binaries
• Mount only those specific library files (similar to how binaries are handled)
• Example: --mount /usr/lib/x86_64-linux-gnu/libcurl.so.4:/usr/lib/x86_64-linux-gnu/libcurl.so.4:ro

Option B - Document and justify (Acceptable if Option A is impractical):

• Add explicit security documentation explaining why full directory mounting is necessary
• Document the tradeoffs between functionality and security surface area
• Consider adding a comment about future selective mounting if tooling improves

---

Summary

Category	Severity	Count
Sandbox Boundary Expansion	🟠 High	1

Note: This is an automated security analysis. The change addresses a legitimate need (library dependencies for utilities), but the implementation approach warrants discussion about whether a more selective mounting strategy would be feasible while maintaining functionality.

AI generated by Security Guard Agent 🛡️

[lpcox]

@Mossaka I can see in the conversation a good discussion of identifying shared libraries using 'ldd' but I can't see how this is put into practice. What happens if a host utility's dependencies change, e.g., 'ldd /usr/bin/jq' returns a different set of shared libraries than before? Would it be too slow to run 'ldd' at runtime for each utility, collect all of the shared libraries and then either mount them invidvidually or find a smaller set of directories that cover all of them?