From 4c30d0701febbd2b3ab221b02882b03a669bb0f4 Mon Sep 17 00:00:00 2001
From: Alexander Slesarenko
Date: Sat, 14 Mar 2026 01:21:18 +0000
Subject: [PATCH] fix: restrict Gmail credential mount to main group only

Non-main group containers were receiving the owner's Gmail OAuth credentials (~/.gmail-mcp), allowing any group's agent to read/send email. Gate the mount on isMain to preserve sandbox isolation.

Co-Authored-By: Claude Opus 4.6
---
 src/container-runner.ts | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/container-runner.ts b/src/container-runner.ts
index ee877e2..8b15572 100644
--- a/src/container-runner.ts
+++ b/src/container-runner.ts
@@ -164,15 +164,18 @@ function buildVolumeMounts(
 readonly: false,
 });
 
- // Gmail credentials directory (for Gmail MCP inside the container)
- const homeDir = os.homedir();
- const gmailDir = path.join(homeDir, '.gmail-mcp');
- if (fs.existsSync(gmailDir)) {
- mounts.push({
- hostPath: gmailDir,
- containerPath: '/home/node/.gmail-mcp',
- readonly: false, // MCP may need to refresh OAuth tokens
- });
+ // Gmail credentials directory — main group only (non-main groups
+ // should not have access to the owner's email account).
+ if (isMain) {
+ const homeDir = os.homedir();
+ const gmailDir = path.join(homeDir, '.gmail-mcp');
+ if (fs.existsSync(gmailDir)) {
+ mounts.push({
+ hostPath: gmailDir,
+ containerPath: '/home/node/.gmail-mcp',
+ readonly: false, // MCP may need to refresh OAuth tokens
+ });
+ }
 }
 
 // Per-group IPC namespace: each group gets its own IPC directory
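Review bot: The new `if (isMain)` guard is the only thing keeping the owner's OAuth files out of non-main containers, yet where `isMain` comes from is not visible in this hunk (`buildVolumeMounts` starts and ends outside it). I would state that contract at the guard, e.g. `// SECURITY: isMain must be derived from host-side configuration, never from container- or message-supplied data.` The mount also stays `readonly: false`, so before this change non-main containers could presumably both read and modify the files under `~/.gmail-mcp`. The patch stops new mounts but does not address credentials that were already exposed, so the commit message should record revoking and re-issuing the OAuth grant, and restarting any containers still running with the old mount, as a follow-up. A regression test asserting that a non-main call yields no mount whose `containerPath` is `/home/node/.gmail-mcp` would keep this isolation from silently regressing.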