Merge remote-tracking branch 'origin/main' into codex/issue-77-20260308

# Conflicts:
# Dockerfile
# README.md
# src/open_range/server/runtime.py

Dockerfile

@@ -86,10 +86,8 @@ ENV PYTHONPATH="/app/env/src:/app/env"
 ENV OPENRANGE_EXECUTION_MODE=subprocess
 # Enable the managed runtime so reset() boots real services from the manifest
 ENV OPENRANGE_RUNTIME_MANIFEST=manifests/tier1_basic.yaml
-# This all-in-one image runs in subprocess mode (no nested Docker daemon), so
-# it opts out of strict live admission explicitly.
-ENV OPENRANGE_RUNTIME_VALIDATOR_PROFILE=offline
-ENV OPENRANGE_ALLOW_OFFLINE_ADMISSION=1
+ENV OPENRANGE_RUNTIME_VALIDATOR_PROFILE=training
+ENV OPENRANGE_ENABLE_LIVE_ADMISSION=1
 ENV OPENRANGE_SNAPSHOT_POOL_SIZE=1
 # Enable the OpenEnv Gradio web interface at /web
 ENV ENABLE_WEB_INTERFACE=true

README.md

@@ -100,14 +100,19 @@ uv run pytest tests/ -v --tb=short
 
 The deployed package exposes the standard OpenEnv `reset()`, `step()`, and `state()` contract through `server.app:app`, which is the entrypoint referenced by `openenv.yaml`.
 
-**Validator** — Admission gate for candidate snapshots. Managed runtime defaults to strict live admission (`OPENRANGE_RUNTIME_VALIDATOR_PROFILE=training`), which runs graph checks plus container-backed build/exploit/patch/evidence/reward/isolation/difficulty/NPC/realism checks before storing a snapshot. Non-live admission (`offline`) is allowed only as an explicit opt-out via `OPENRANGE_ALLOW_OFFLINE_ADMISSION=1`, and the runtime logs a startup warning when this mode is used.
+**Validator** — Admission gate for candidate snapshots. The shipped runtime enforces manifest compliance plus graph-native checks such as graph consistency, path solvability, evidence sufficiency, and reward grounding before structural/task checks. With the `training` profile, the runtime boots rendered bundles, applies payload files, constructs a real `ContainerSet`, and runs live build/exploit/patch/evidence/reward/isolation/difficulty/NPC/realism checks before admission.
 
-| Validator Profile | Included Checks | Operational Guarantee | Intended Use |
-|-------------------|-----------------|-----------------------|--------------|
-| `training` (default) | Graph + structural + task + build/boot + exploitability + patchability + evidence + reward grounding + isolation + difficulty + NPC consistency + realism review | Strict live/container-backed admission | Managed/production runtime |
-| `offline` | Graph + structural + task feasibility only | No live exploit/patch/evidence/reward validation | Local fallback only (must set `OPENRANGE_ALLOW_OFFLINE_ADMISSION=1`) |
+Validator profile matrix:
 
-`OPENRANGE_ENABLE_LIVE_ADMISSION=1` is an additional artifact-level boot validation pass after a candidate snapshot is admitted.
+| Profile | Checks | Guarantees |
+|---------|--------|------------|
+| `offline` | Graph + structural/task checks only (no live containers) | Fast static admission only; no live exploitability/patchability guarantee |
+| `training` | `offline` checks + live/container-backed checks | Full admission guarantees for managed training/runtime use |
+
+Managed runtime defaults and safety behavior:
+- `OPENRANGE_RUNTIME_VALIDATOR_PROFILE` defaults to `training`.
+- `OPENRANGE_ENABLE_LIVE_ADMISSION` defaults to `1`.
+- If managed runtime is configured non-live (`offline` profile and/or live admission disabled), startup raises an error unless you explicitly opt out with `OPENRANGE_ALLOW_NON_LIVE_ADMISSION=1` (legacy alias: `OPENRANGE_ALLOW_OFFLINE_ADMISSION=1`), in which case a warning is emitted.
 
 **Environment** — `RangeEnvironment(Environment)` following the OpenEnv contract. `reset()` asks the shared runtime for a frozen admitted snapshot. `step(action)` routes commands to the appropriate container — Red runs on the attacker box, Blue runs on the SIEM. No artificial command allowlists; the container's installed tools are the constraint.
 

src/open_range/server/runtime.py

@@ -59,7 +59,11 @@ from open_range.validator.validator import ValidationResult, ValidatorGate
 logger = logging.getLogger(__name__)
 
 _DEFAULT_MANIFEST = ("manifests", "tier1_basic.yaml")
-_DEFAULT_VALIDATOR_PROFILE = "training"
+_DEFAULT_MANAGED_VALIDATOR_PROFILE = "training"
+_DEFAULT_MANAGED_LIVE_ADMISSION = True
+_ALLOW_NON_LIVE_ADMISSION_ENV = "OPENRANGE_ALLOW_NON_LIVE_ADMISSION"
+_ALLOW_OFFLINE_ADMISSION_ENV = "OPENRANGE_ALLOW_OFFLINE_ADMISSION"
+_DEFAULT_VALIDATOR_PROFILE = _DEFAULT_MANAGED_VALIDATOR_PROFILE
 _VALIDATOR_PROFILE_ALIASES = {
     "light": "offline",
     "static": "offline",
@@ -67,7 +71,6 @@ _VALIDATOR_PROFILE_ALIASES = {
     "strict": "training",
 }
 _LIVE_VALIDATOR_PROFILES = {"training"}
-_ALLOW_OFFLINE_ADMISSION_ENV = "OPENRANGE_ALLOW_OFFLINE_ADMISSION"
 _PERSISTED_SNAPSHOT_VALIDATION_ALIASES = {
     "none": "trust",
     "disabled": "trust",
@@ -91,6 +94,21 @@ def _env_int(name: str, default: int) -> int:
     return int(raw)
 
 
+def _non_live_opt_out_enabled() -> bool:
+    return _env_flag(_ALLOW_NON_LIVE_ADMISSION_ENV, default=False) or _env_flag(
+        _ALLOW_OFFLINE_ADMISSION_ENV,
+        default=False,
+    )
+
+
+def _non_live_opt_out_env_name() -> str | None:
+    if _env_flag(_ALLOW_NON_LIVE_ADMISSION_ENV, default=False):
+        return _ALLOW_NON_LIVE_ADMISSION_ENV
+    if _env_flag(_ALLOW_OFFLINE_ADMISSION_ENV, default=False):
+        return _ALLOW_OFFLINE_ADMISSION_ENV
+    return None
+
+
 def _candidate_roots() -> list[Path]:
     roots: list[Path] = []
     cwd = Path.cwd()
@@ -377,6 +395,19 @@ def _build_validator(profile: str, manifest: dict[str, Any]) -> ValidatorGate:
     )
 
 
+def _strict_admission_enabled(profile: str, live_admission_enabled: bool) -> bool:
+    return profile in _LIVE_VALIDATOR_PROFILES and live_admission_enabled
+
+
+def _managed_admission_failure_message(profile: str, live_admission_enabled: bool) -> str:
+    return (
+        "Managed runtime requires strict live admission "
+        f"(validator_profile='training', live_admission_enabled=1). "
+        f"Current configuration: validator_profile={profile!r}, "
+        f"live_admission_enabled={live_admission_enabled!r}."
+    )
+
+
 def _default_live_validator(*, include_patchability: bool = False) -> ValidatorGate:
     checks = [
         BuildBootCheck(),
@@ -428,7 +459,7 @@ class ManagedSnapshotRuntime:
         self.mutation_policy = mutation_policy or PopulationMutationPolicy()
         self.mutator = Mutator(self.builder, policy=self.mutation_policy)
         self.allow_insecure_offline_profile = (
-            _env_flag(_ALLOW_OFFLINE_ADMISSION_ENV, default=False)
+            _non_live_opt_out_enabled()
             if allow_insecure_offline_profile is None
             else bool(allow_insecure_offline_profile)
         )
@@ -474,27 +505,42 @@ class ManagedSnapshotRuntime:
 
     @classmethod
     def from_env(cls) -> "ManagedSnapshotRuntime":
+        profile = _normalize_validator_profile(
+            os.getenv(
+                "OPENRANGE_RUNTIME_VALIDATOR_PROFILE",
+                _DEFAULT_MANAGED_VALIDATOR_PROFILE,
+            )
+        )
+        live_admission_enabled = _env_flag(
+            "OPENRANGE_ENABLE_LIVE_ADMISSION",
+            default=_DEFAULT_MANAGED_LIVE_ADMISSION,
+        )
+        if not _strict_admission_enabled(profile, live_admission_enabled):
+            message = _managed_admission_failure_message(profile, live_admission_enabled)
+            opt_out_env = _non_live_opt_out_env_name()
+            if opt_out_env:
+                logger.warning(
+                    "%s Explicit opt-out enabled via %s=1.",
+                    message,
+                    opt_out_env,
+                )
+            else:
+                raise RuntimeError(
+                    f"{message} Set {_ALLOW_NON_LIVE_ADMISSION_ENV}=1 to explicitly opt out."
+                )
+
         return cls(
             manifest_path=os.getenv("OPENRANGE_RUNTIME_MANIFEST"),
             store_dir=os.getenv("OPENRANGE_SNAPSHOT_DIR"),
-            validator_profile=os.getenv(
-                "OPENRANGE_RUNTIME_VALIDATOR_PROFILE",
-                _DEFAULT_VALIDATOR_PROFILE,
-            ),
-            allow_insecure_offline_profile=_env_flag(
-                _ALLOW_OFFLINE_ADMISSION_ENV,
-                default=False,
-            ),
+            validator_profile=profile,
+            allow_insecure_offline_profile=_non_live_opt_out_enabled(),
             pool_size=_env_int("OPENRANGE_SNAPSHOT_POOL_SIZE", 3),
             selection_strategy=os.getenv("OPENRANGE_SNAPSHOT_SELECTION", "random"),
             parent_selection_strategy=os.getenv("OPENRANGE_PARENT_SELECTION", "policy"),
             refill_enabled=_env_flag("OPENRANGE_ENABLE_MANAGED_REFILL", default=False),
             refill_interval_s=float(os.getenv("OPENRANGE_REFILL_INTERVAL_S", "2.0")),
             generation_retries=_env_int("OPENRANGE_GENERATION_RETRIES", 3),
-            live_admission_enabled=_env_flag(
-                "OPENRANGE_ENABLE_LIVE_ADMISSION",
-                default=False,
-            ),
+            live_admission_enabled=live_admission_enabled,
             teardown_booted_projects=not _env_flag(
                 "OPENRANGE_KEEP_BOOTED_VALIDATION_STACKS",
                 default=False,
@@ -523,12 +569,13 @@ class ManagedSnapshotRuntime:
             raise RuntimeError(
                 warning
                 + " Set OPENRANGE_RUNTIME_VALIDATOR_PROFILE=training for strict admission, "
-                + f"or set {_ALLOW_OFFLINE_ADMISSION_ENV}=1 to explicitly opt out."
+                + "or set OPENRANGE_ALLOW_NON_LIVE_ADMISSION=1 "
+                + "(legacy alias: OPENRANGE_ALLOW_OFFLINE_ADMISSION=1) "
+                + "to explicitly opt out."
             )
         logger.warning(
-            "%s Running with explicit opt-out (%s=1).",
+            "%s Running with explicit opt-out.",
             warning,
-            _ALLOW_OFFLINE_ADMISSION_ENV,
         )
 
     @staticmethod

src/open_range/validator/isolation.py

@@ -2,6 +2,8 @@
 
 from __future__ import annotations
 
+import shlex
+
 from open_range.protocols import CheckResult, ContainerSet, SnapshotSpec
 
 # Common service ports to probe for zone isolation violations.
@@ -33,10 +35,14 @@ class IsolationCheck:
                 open_ports: list[int] = []
                 for port in _PROBE_PORTS:
                     try:
+                        probe_cmd = (
+                            "timeout 2 bash -lc 'echo > /dev/tcp/\"$1\"/\"$2\"' _ "
+                            f"{shlex.quote(target_name)} {shlex.quote(str(port))} "
+                            "2>/dev/null && echo OPEN || echo CLOSED"
+                        )
                         output = await containers.exec(
                             attacker_host,
-                            f"timeout 2 bash -c 'echo > /dev/tcp/{target_name}/{port}' "
-                            f"2>/dev/null && echo OPEN || echo CLOSED",
+                            probe_cmd,
                         )
                         if "OPEN" in output:
                             open_ports.append(port)

tests/test_runtime.py

@@ -3,9 +3,11 @@
 from __future__ import annotations
 
 import json
+import logging
 from pathlib import Path
 
 import pytest
+import yaml
 
 from open_range.protocols import CheckResult, ContainerSet, SnapshotSpec
 from open_range.server.compose_runner import BootedSnapshotProject
@@ -15,6 +17,62 @@ from open_range.validator.validator import ValidationResult
 
 
 class TestManagedSnapshotRuntime:
+    def test_from_env_defaults_to_training_and_live(self, tier1_manifest, tmp_path, monkeypatch):
+        manifest_path = tmp_path / "manifest.yaml"
+        manifest_path.write_text(yaml.safe_dump(tier1_manifest), encoding="utf-8")
+
+        monkeypatch.setenv("OPENRANGE_RUNTIME_MANIFEST", str(manifest_path))
+        monkeypatch.setenv("OPENRANGE_SNAPSHOT_DIR", str(tmp_path / "snapshots"))
+        monkeypatch.delenv("OPENRANGE_RUNTIME_VALIDATOR_PROFILE", raising=False)
+        monkeypatch.delenv("OPENRANGE_ENABLE_LIVE_ADMISSION", raising=False)
+        monkeypatch.delenv("OPENRANGE_ALLOW_NON_LIVE_ADMISSION", raising=False)
+
+        runtime = ManagedSnapshotRuntime.from_env()
+        assert runtime.validator_profile == "training"
+        assert runtime.live_admission_enabled is True
+
+    def test_from_env_rejects_non_live_without_explicit_opt_out(
+        self,
+        tier1_manifest,
+        tmp_path,
+        monkeypatch,
+    ):
+        manifest_path = tmp_path / "manifest.yaml"
+        manifest_path.write_text(yaml.safe_dump(tier1_manifest), encoding="utf-8")
+
+        monkeypatch.setenv("OPENRANGE_RUNTIME_MANIFEST", str(manifest_path))
+        monkeypatch.setenv("OPENRANGE_SNAPSHOT_DIR", str(tmp_path / "snapshots"))
+        monkeypatch.setenv("OPENRANGE_RUNTIME_VALIDATOR_PROFILE", "offline")
+        monkeypatch.setenv("OPENRANGE_ENABLE_LIVE_ADMISSION", "0")
+        monkeypatch.delenv("OPENRANGE_ALLOW_NON_LIVE_ADMISSION", raising=False)
+
+        with pytest.raises(RuntimeError, match="OPENRANGE_ALLOW_NON_LIVE_ADMISSION=1"):
+            ManagedSnapshotRuntime.from_env()
+
+    def test_from_env_allows_non_live_with_explicit_opt_out_warning(
+        self,
+        tier1_manifest,
+        tmp_path,
+        monkeypatch,
+        caplog,
+    ):
+        manifest_path = tmp_path / "manifest.yaml"
+        manifest_path.write_text(yaml.safe_dump(tier1_manifest), encoding="utf-8")
+
+        monkeypatch.setenv("OPENRANGE_RUNTIME_MANIFEST", str(manifest_path))
+        monkeypatch.setenv("OPENRANGE_SNAPSHOT_DIR", str(tmp_path / "snapshots"))
+        monkeypatch.setenv("OPENRANGE_RUNTIME_VALIDATOR_PROFILE", "offline")
+        monkeypatch.setenv("OPENRANGE_ENABLE_LIVE_ADMISSION", "0")
+        monkeypatch.setenv("OPENRANGE_ALLOW_NON_LIVE_ADMISSION", "1")
+
+        with caplog.at_level(logging.WARNING):
+            runtime = ManagedSnapshotRuntime.from_env()
+
+        assert runtime.validator_profile == "offline"
+        assert runtime.live_admission_enabled is False
+        assert "strict live admission" in caplog.text
+        assert "OPENRANGE_ALLOW_NON_LIVE_ADMISSION=1" in caplog.text
+
     def test_offline_validator_profile_includes_static_checks(self, tier1_manifest, tmp_path):
         runtime = ManagedSnapshotRuntime(
             manifest=tier1_manifest,

tests/test_validator.py

@@ -8,6 +8,7 @@ import pytest
 from open_range.protocols import (
     CheckResult,
     EvidenceItem,
+    ExecResult,
     ExploitStep,
     FlagSpec,
     GoldenPathStep,
@@ -795,6 +796,36 @@ async def test_evidence_fails_on_nonzero_exit_even_when_output_present(mock_cont
     assert result.details["missing"][0]["location"] == "siem:/var/log/test.log"
 
 
+@pytest.mark.asyncio
+async def test_evidence_quotes_pattern_and_location_path():
+    """Evidence grep command must quote pattern and path from snapshot content."""
+    import shlex
+
+    from open_range.validator.evidence import EvidenceCheck
+
+    class RecordingContainers:
+        def __init__(self) -> None:
+            self.calls: list[tuple[str, str]] = []
+
+        async def exec_run(self, container: str, cmd: str, **kwargs) -> ExecResult:
+            self.calls.append((container, cmd))
+            return ExecResult(stdout="1", exit_code=0)
+
+    containers = RecordingContainers()
+    pattern = "ERR'; touch /tmp/pwn #"
+    path = "/var/log/app; echo PWNED"
+    spec = SnapshotSpec(
+        evidence_spec=[
+            EvidenceItem(type="log_entry", location=f"siem:{path}", pattern=pattern),
+        ],
+    )
+
+    result = await EvidenceCheck().check(spec, containers)  # type: ignore[arg-type]
+    assert result.passed is True
+    assert containers.calls
+    assert containers.calls[0][1] == f"grep -c {shlex.quote(pattern)} {shlex.quote(path)}"
+
+
 # ---------------------------------------------------------------------------
 # Check 5: Reward grounding
 # ---------------------------------------------------------------------------
@@ -1053,7 +1084,7 @@ async def test_isolation_fails_on_non_ssh_port(mock_containers):
     # Only port 3306 is OPEN; everything else CLOSED.
     async def exec_side_effect(container, cmd, **kwargs):
         if container == "attacker" and "/dev/tcp/" in cmd:
-            if "/3306'" in cmd or "/3306}" in cmd:
+            if " 3306 " in cmd:
                 return "OPEN"
             return "CLOSED"
         return ""
@@ -1065,6 +1096,38 @@ async def test_isolation_fails_on_non_ssh_port(mock_containers):
     assert "db" in result.error
 
 
+@pytest.mark.asyncio
+async def test_isolation_uses_argument_safe_tcp_probe_for_target_name():
+    """Target names are passed as positional args, not interpolated into script."""
+    from open_range.validator.isolation import IsolationCheck
+
+    class RecordingContainers:
+        def __init__(self) -> None:
+            self.calls: list[tuple[str, str]] = []
+
+        async def exec(self, container: str, cmd: str, **kwargs) -> str:
+            self.calls.append((container, cmd))
+            return "CLOSED"
+
+    containers = RecordingContainers()
+    target = "db'; touch /tmp/pwn #"
+    spec = SnapshotSpec(
+        topology={"hosts": ["attacker", "db"], "zones": {"internal": [target]}},
+        flags=[],
+        golden_path=[],
+        task=TaskSpec(red_briefing="Go.", blue_briefing="Watch."),
+    )
+
+    result = await IsolationCheck().check(spec, containers)  # type: ignore[arg-type]
+    assert result.passed is True
+    assert containers.calls
+    first_cmd = containers.calls[0][1]
+    script_part, _, arg_part = first_cmd.partition(" _ ")
+    assert "bash -lc 'echo > /dev/tcp/\"$1\"/\"$2\"'" in script_part
+    assert "touch /tmp/pwn" not in script_part
+    assert "touch /tmp/pwn" in arg_part
+
+
 # ---------------------------------------------------------------------------
 # Check 7: Task feasibility
 # ---------------------------------------------------------------------------