Deferred findings from the 2026-06-01 weekly deep audit (silent-failure-hunter). These were left out of the non-Windows fix batch (PR following #46) because they only compile under the windows-appcontainer feature and need a Windows host to verify.
Findings
- HIGH crates/agent-guard-sandbox/src/windows_appcontainer.rs:262 — let _ = GetExitCodeProcess(...) discards the Win32 return value; on failure exit_code stays 0, so the sandbox reports a successful exit for a process whose status was never read.
  - remediation: check the return value and return SandboxError::ExecutionFailed instead of defaulting to exit code 0.
- HIGH crates/agent-guard-sandbox/src/windows_appcontainer.rs:76 — let _ = CreateAppContainerProfile(...) discards all Win32 errors, including ones that are not "already exists"; a real failure surfaces later as a misleading SID-derivation error that hides the root cause.
  - remediation: check the HRESULT, allow only ERROR_ALREADY_EXISTS, and return a descriptive error for any other code.
- MEDIUM crates/agent-guard-sandbox/src/windows_appcontainer.rs:265-266 — t1.join().unwrap_or_default() / t2.join().unwrap_or_default() replace stdout/stderr with empty strings on thread panic, making a failed read indistinguishable from no output and masking I/O errors from the audit record.
  - remediation: match on Err, propagate SandboxError::ExecutionFailed (or log the panic payload) before substituting an empty string.
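A portable sketch of the MEDIUM finding and its remediation, added here as an illustration and not taken from the crate. The SandboxError stand-in (with an assumed String payload), FailingPipe, spawn_reader, join_lossy and join_checked are hypothetical names, and the reader thread is assumed to panic on a read error.

```rust
use std::io::{self, Read};
use std::thread::{self, JoinHandle};

// Stand-in for the crate's error type; the String payload is an assumption.
#[derive(Debug, PartialEq)]
enum SandboxError {
    ExecutionFailed(String),
}

// Constructed pipe whose read always fails, to simulate a broken child handle.
struct FailingPipe;
impl Read for FailingPipe {
    fn read(&mut self, _buf: &mut [u8]) -> io::Result<usize> {
        Err(io::Error::new(io::ErrorKind::BrokenPipe, "constructed failure"))
    }
}

// Hypothetical reader thread: drains a pipe and panics on an I/O error.
fn spawn_reader<R: Read + Send + 'static>(mut pipe: R) -> JoinHandle<String> {
    thread::spawn(move || {
        let mut buf = String::new();
        pipe.read_to_string(&mut buf).expect("pipe read failed");
        buf
    })
}

// Pattern from the finding: a panicked reader collapses to "".
fn join_lossy(h: JoinHandle<String>) -> String {
    h.join().unwrap_or_default()
}

// Remediation: turn the panic payload into an error the caller must handle.
fn join_checked(h: JoinHandle<String>, stream: &str) -> Result<String, SandboxError> {
    h.join().map_err(|payload| {
        let msg = payload
            .downcast_ref::<String>()
            .cloned()
            .or_else(|| payload.downcast_ref::<&str>().map(|s| s.to_string()))
            .unwrap_or_else(|| "non-string panic payload".to_string());
        SandboxError::ExecutionFailed(format!("{stream} reader panicked: {msg}"))
    })
}

fn main() {
    println!("{:?}", join_lossy(spawn_reader(io::empty())));
    println!("{:?}", join_lossy(spawn_reader(FailingPipe)));
    println!("{:?}", join_checked(spawn_reader(io::empty()), "stdout"));
    println!("{:?}", join_checked(spawn_reader(FailingPipe), "stderr"));
}
```

With join_lossy, the empty pipe and the failing pipe both yield "", which is the ambiguity the finding describes; join_checked returns Ok("") for the first and ExecutionFailed for the second.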
Context
Source: docs/audits/2026-06-01.md. The CRITICAL + top HIGH findings (bash.rs path-traversal / flag-form write targets) were closed in #46; the non-Windows HIGH/MEDIUM findings (anomaly poison, ledger error, SSRF deny-list, content-filter parse, decision-type hardening) are addressed in the follow-up branch fix/audit-2026-06-01-remaining.