Skip to content

fix(agent): provision agent VMs without public NAT#9261

Draft
Git-on-my-level wants to merge 3 commits into
mainfrom
fix/agent-vm-private-network
Draft

fix(agent): provision agent VMs without public NAT#9261
Git-on-my-level wants to merge 3 commits into
mainfrom
fix/agent-vm-private-network

Conversation

@Git-on-my-level

@Git-on-my-level Git-on-my-level commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Merge order & dependencies

PR Dependencies
9250 None — merge first (unblocks CI)
9252 None — parallel with #9253, #9254
9253 None — parallel with #9252, #9254
9254 None — parallel with #9252, #9253; #9255 should merge after this
9255 Merge after #9254 (registers teardown tests). Merge after #9250 recommended.
9256 Independent code PR; PR6b prod deploy after merge. Related #9255 not blocking.
9257 Draft. Merge after #9255 (workflow contract CI).
9258 Draft. Independent; merge after wave 1.
9260 Draft. Independent; merge after wave 1.
9261 Draft. Merge after wave 1; PR10c proxy routing follow-up optional.

Summary

  • Remove accessConfigs / ONE_TO_ONE_NAT from GCE agent VM provisioning in agent.rs.
  • Add firewall IaC for tag omi-agent-vm and Rust contract test ensuring provision JSON has no public NAT.

Related: #6611

Optional follow-up (PR10c): route desktop upload/sync through agent-proxy in a separate PR if scope grows; not required for this change.

Test plan

cd desktop/macos/Backend-Rust && cargo test provision
# 1 passed (contract_create_gce_vm_provision_json_has_no_public_nat)

Merge with a regular merge (no squash).

Closes #7326

Made with Cursor

Review in cubic

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f5ad7e46dc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread desktop/macos/Backend-Rust/src/routes/agent.rs

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

4 issues found across 6 files

Confidence score: 2/5

  • In desktop/macos/Backend-Rust/src/routes/agent.rs, removing accessConfigs means create_gce_vm can no longer produce an external IP while its Result<String> contract and downstream consumers still treat it as reachable over public network; merging as-is is likely to break agent provisioning/reachability flows — either restore external IP assignment or change the return contract and all callers before merging.
  • AGENTS.md describes agent-vm-firewall as denying only public tcp:8080, but backend/charts/agent-vm-firewall/firewall-rule.yaml uses sourceRanges: [0.0.0.0/0] on a DENY ingress rule, which effectively blocks that port from everywhere and can cut off intended internal access paths — align the rule or documentation to the intended policy and verify expected traffic still works.
  • backend/scripts/agent-vm-reachability-check.sh relies on Python assert for firewall contract checks, and backend/scripts/apply-agent-vm-firewall.sh validates only DENY while not enforcing full contract fields (like ingress/public source ranges), so CI/deploy validation can silently pass unsafe or incorrect rules in some environments — replace assert with explicit runtime checks and enforce all security-critical fields before merging.

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread desktop/macos/Backend-Rust/src/routes/agent.rs
Comment thread AGENTS.md Outdated
Comment thread backend/scripts/agent-vm-reachability-check.sh Outdated
Comment thread backend/scripts/apply-agent-vm-firewall.sh Outdated
@Git-on-my-level Git-on-my-level marked this pull request as draft July 8, 2026 02:13
Git-on-my-level and others added 3 commits July 8, 2026 14:55
Remove ONE_TO_ONE_NAT accessConfigs from GCE insert payload so new
agent VMs are private-network only. Add Rust contract test guarding
the provision JSON shape.

Verification: cd desktop/macos/Backend-Rust && cargo test provision

Related #7326

Co-authored-by: Cursor <cursoragent@cursor.com>
Add GCP firewall IaC for tag omi-agent-vm that denies public tcp:8080,
with apply/reachability scripts and hermetic contract tests. Extend the
Rust provision JSON contract to assert omi-agent-vm tagging and no public
IP fields in the insert payload.

Verification:
  cd desktop/macos/Backend-Rust && cargo test provision
  cd backend && python3 -m pytest tests/unit/test_agent_vm_firewall_contract.py -v
  backend/scripts/agent-vm-reachability-check.sh

Closes #7326

Related #6611

Co-authored-by: Cursor <cursoragent@cursor.com>
@Git-on-my-level Git-on-my-level force-pushed the fix/agent-vm-private-network branch from f5ad7e4 to d77624e Compare July 8, 2026 08:03
@Git-on-my-level

Copy link
Copy Markdown
Collaborator Author

Monitor follow-up for PR #9261:

  • Updated agent VM readiness/restart recovery to store the VM's private networkIP instead of falling back to missing public natIP / unknown after removing NAT.
  • Split the firewall contract into a higher-priority private tcp:8080 ALLOW plus public 0.0.0.0/0 DENY so agent-proxy/VPC traffic remains reachable.
  • Replaced optimized-away live-check assert statements with explicit SystemExit failures and expanded apply-time firewall contract validation.
  • Resolved the five addressed review threads.

Verification passed:

  • backend/scripts/agent-vm-reachability-check.sh under PYTHONOPTIMIZE=1: 6 passed
  • cargo test agent: 2 passed
  • cargo fmt --check
  • git diff --check
  • post-push GitHub checks all completed successfully or skipped as expected
  • post-push trusted-thread re-scan found no unresolved trusted bot threads

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

omi-agent VM Public IP Exposure & Storage Cost Leak

1 participant