
feat: Additional VS Code hardening#108

Open
jakub-bochenski wants to merge 1 commit into mattolson:main from jakub-bochenski:patch-13

Conversation

@jakub-bochenski
Contributor

  • Prevent VS Code from copying host .gitconfig
  • Block container extensions from opening a host-side terminal

#103

@jakub-bochenski
Contributor Author

Apparently devcontainer.json is actually JSONC, so you can have comments.

@greptile-apps
Contributor

greptile-apps Bot commented Mar 4, 2026

Greptile Summary

This PR applies additional VS Code Dev Container hardening across all three agent templates (claude, codex, copilot) by clearing credential-related environment variables (SSH_AUTH_SOCK, GPG_AGENT_INFO, GIT_ASKPASS) via remoteEnv, disabling .gitconfig copying (dev.containers.copyGitConfig: false), and blocking host-side terminal access from container extensions (terminal.integrated.allowLocalTerminal: false).

  • The terminal.integrated.allowLocalTerminal: false and dev.containers.copyGitConfig: false additions are sound in intent, and the comments correctly note they also need to be set in host VS Code user settings to be reliably enforced.
  • The remoteEnv approach for credential sockets provides only partial protection: clearing SSH_AUTH_SOCK prevents environment-based auto-discovery, but the underlying socket remains mounted in the container. A process that scans /tmp/ or other common socket paths can still reach the SSH agent directly. Addressing this properly requires preventing the socket from being mounted at all (e.g., in docker-compose.yml), rather than just unsetting the pointer to it.
  • All three template files receive identical changes, which is good for consistency.

Confidence Score: 3/5

  • Safe to merge as an incremental improvement, but the socket-mount gap means SSH agent protection is incomplete and should be followed up.
  • The changes add meaningful defense-in-depth, but the remoteEnv clearing of SSH_AUTH_SOCK is acknowledged (in the comment itself) to be insufficient on its own — the socket is still mounted and accessible to any process that discovers the path. This leaves a real residual risk in the adversarial-agent context this sandbox is designed for.
  • All three devcontainer.json files share the same incomplete remoteEnv socket protection; the corresponding docker-compose.yml files (not changed in this PR) should be reviewed to assess whether the socket mounts can be removed.

Important Files Changed

Filename / Overview

cli/templates/claude/devcontainer/devcontainer.json: Adds remoteEnv clearing for SSH_AUTH_SOCK/GPG_AGENT_INFO/GIT_ASKPASS, dev.containers.copyGitConfig: false, and terminal.integrated.allowLocalTerminal: false. The env-var clearing provides incomplete protection since the underlying socket is still mounted.

cli/templates/codex/devcontainer/devcontainer.json: Same hardening changes as the claude template; the same incomplete socket-mount protection concern applies.

cli/templates/copilot/devcontainer/devcontainer.json: Same hardening changes as the claude template; the same incomplete socket-mount protection concern applies.

Last reviewed commit: 2fe4004
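The review above turns on two things a reader cannot see from the summary alone: devcontainer.json is JSONC (so an auditor has to strip comments before parsing it), and clearing SSH_AUTH_SOCK in remoteEnv does nothing about a socket that is still bind-mounted into the container. The script below is an added example, not code from this PR or from the project: it parses a constructed devcontainer.json fragment that mirrors the settings the PR adds (plus a hypothetical agent-socket mount the PR does not touch), reports which of the three hardening measures are missing, and then simulates the residual gap by binding a UNIX socket at an ssh-agent-style path and finding it by walking the filesystem with SSH_AUTH_SOCK empty. The function names, the sample config and the socket path are all assumptions made for the example. The host-side caveat for dev.containers.copyGitConfig and terminal.integrated.allowLocalTerminal cannot be checked from devcontainer.json at all, so the audit only confirms the container-side values.

```python
"""Audit a Dev Container config for the hardening discussed in PR #108.

Added example, not part of the PR or the project. It assumes the config is
devcontainer.json (JSONC), and that agent sockets, if present, are declared in
the top-level "mounts" list; sockets mounted from docker-compose.yml are not
visible here.
"""
import json
import os
import re
import socket
import stat
import tempfile

CREDENTIAL_ENV_VARS = ("SSH_AUTH_SOCK", "GPG_AGENT_INFO", "GIT_ASKPASS")
REQUIRED_FALSE_SETTINGS = (
    "dev.containers.copyGitConfig",
    "terminal.integrated.allowLocalTerminal",
)

# Constructed sample (hypothetical): the PR's settings plus an agent-socket
# bind mount that would defeat the remoteEnv clearing.
SAMPLE_DEVCONTAINER_JSONC = r'''
{
    // comments are legal here: devcontainer.json is JSONC
    "name": "agent-sandbox",
    "remoteEnv": {
        "SSH_AUTH_SOCK": "",
        "GPG_AGENT_INFO": "",
        "GIT_ASKPASS": ""
    },
    "mounts": [
        "source=${env:SSH_AUTH_SOCK},target=/ssh-agent,type=bind"
    ],
    "customizations": {
        "vscode": {
            "settings": {
                /* container-side VS Code settings */
                "dev.containers.copyGitConfig": false,
                "terminal.integrated.allowLocalTerminal": false
            }
        }
    }
}
'''

# Matches a JSON string, a // line comment, or a /* block */ comment.
# Strings are matched first so "//" inside a value is never treated as a comment.
_JSONC_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)


def load_jsonc(text):
    """Parse JSONC by dropping comments outside of string literals."""
    stripped = _JSONC_TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return json.loads(stripped)


def audit_devcontainer(cfg):
    """Return a list of hardening findings for a parsed devcontainer config."""
    findings = []
    remote_env = cfg.get("remoteEnv", {})
    for var in CREDENTIAL_ENV_VARS:
        if remote_env.get(var) != "":
            findings.append(f"remoteEnv does not clear {var}")
    settings = cfg.get("customizations", {}).get("vscode", {}).get("settings", {})
    for key in REQUIRED_FALSE_SETTINGS:
        if settings.get(key) is not False:
            findings.append(f"{key} is not set to false")
    # The gap the review points out: an empty SSH_AUTH_SOCK is no protection
    # if the agent socket is bind-mounted into the container anyway.
    for mount in cfg.get("mounts", []):
        spec = mount if isinstance(mount, str) else ",".join(
            f"{k}={v}" for k, v in mount.items())
        if "SSH_AUTH_SOCK" in spec or "ssh-auth.sock" in spec or "gnupg" in spec:
            findings.append(f"agent socket still mounted: {spec}")
    return findings


def find_unix_sockets(roots):
    """Enumerate UNIX sockets under the given directories, as any process in
    the container could, regardless of what SSH_AUTH_SOCK says."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if stat.S_ISSOCK(os.lstat(path).st_mode):
                        found.append(path)
                except OSError:
                    continue
    return sorted(found)


def demo_socket_discovery():
    """Bind a socket at an ssh-agent-style path (/tmp/ssh-XXXXXX/agent.NNN is
    the layout ssh-agent uses) with SSH_AUTH_SOCK cleared, then show that a
    filesystem walk still finds it. Returns the discovered paths relative to
    the scanned root."""
    os.environ["SSH_AUTH_SOCK"] = ""  # exactly what the PR's remoteEnv achieves
    with tempfile.TemporaryDirectory() as tmp:
        agent_dir = os.path.join(tmp, "ssh-XXXXXX")
        os.makedirs(agent_dir)
        sock_path = os.path.join(agent_dir, "agent.1234")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        try:
            return [os.path.relpath(p, tmp) for p in find_unix_sockets([tmp])]
        finally:
            srv.close()


if __name__ == "__main__":
    for finding in audit_devcontainer(load_jsonc(SAMPLE_DEVCONTAINER_JSONC)):
        print("FINDING:", finding)
    print("sockets reachable with SSH_AUTH_SOCK empty:", demo_socket_discovery())
```

Run against the sample, the three remoteEnv variables and both settings pass and the only finding is the bind mount; that is the state the review describes as "safe to merge as an incremental improvement" with the socket mount still to be removed. The discovery demo is why: once the socket is in the container, unsetting the pointer to it only stops tools that rely on the environment variable.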

Comment on lines +14 to +17
// Prevent VS Code from copying host .gitconfig into the
// container, which can leak credential helpers and signing
// key references.
"dev.containers.copyGitConfig": false,
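Review bot: lines 14-17 place dev.containers.copyGitConfig in the customizations.vscode.settings block, which is applied inside the container, and the block comment says nothing about how to confirm the copy was actually prevented; whichever location ends up governing the copy, the comment should tell the user to verify it after the container starts, for example by checking that no ~/.gitconfig was copied in (test ! -e ~/.gitconfig) and that git config --list --show-origin inside the container shows no host credential.helper or signing-key entries.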
Contributor


dev.containers.copyGitConfig may be ineffective in this location

The dev.containers.copyGitConfig setting controls a host-side action performed by the Dev Containers extension: copying .gitconfig into the container during startup. This copying happens on the host before the container's VS Code settings (from customizations.vscode.settings) are applied. As a result, placing this setting inside devcontainer.json's settings block may not actually prevent the gitconfig from being copied.

In contrast, the comment on terminal.integrated.allowLocalTerminal below correctly calls out the need to also set it in host user settings. The dev.containers.copyGitConfig setting likely needs the same treatment — it should be set in the host VS Code user settings (settings.json) to be reliably effective.

Consider updating the comment to reflect this limitation, similar to the note on terminal.integrated.allowLocalTerminal:

Suggested change
// Prevent VS Code from copying host .gitconfig into the
// container, which can leak credential helpers and signing
// key references.
"dev.containers.copyGitConfig": false,
// Prevent VS Code from copying host .gitconfig into the
// container, which can leak credential helpers and signing
// key references. NOTE: for this to take effect, this must
// also be set in your host user settings, as the copy occurs
// before container settings are applied.
"dev.containers.copyGitConfig": false,

This same concern applies to cli/templates/codex/devcontainer/devcontainer.json (line 14–17) and cli/templates/copilot/devcontainer/devcontainer.json (line 14–17).


Owner


@jakub-bochenski What do you think? At the least, we should update the comment. We also need to followup with #107

 - Prevent VS Code from copying host .gitconfig
 - Block container extensions from opening a host-side terminal
@jakub-bochenski
Contributor Author

@greptile

Comment thread cli/templates/claude/devcontainer/devcontainer.json
Owner

@mattolson mattolson left a comment


This needs to be rebased and updated to the new layered file layout.


// key references.
"dev.containers.copyGitConfig": false,
// Block container extensions from opening a host-side
// terminal, which would bypass the WireGuard tunnel entirely.
Owner


Update the comment to remove references to WireGuard

@mattolson mattolson mentioned this pull request Mar 15, 2026
@jakub-bochenski
Contributor Author

I've had limited time to work on this project recently. I'll update this ASAP.
