rivet-dev
diff --git a/‎CLAUDE.md‎
Lines changed: 7 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎docs-internal/friction.md‎
Lines changed: 7 additions & 0 deletions b/‎docs-internal/friction.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎docs-internal/todo.md‎
Lines changed: 4 additions & 0 deletions b/‎docs-internal/todo.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎openspec/changes/align-python-env-permissions/design.md‎
Lines changed: 20 additions & 0 deletions b/‎openspec/changes/align-python-env-permissions/design.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎openspec/changes/align-python-env-permissions/proposal.md‎
Lines changed: 15 additions & 0 deletions b/‎openspec/changes/align-python-env-permissions/proposal.md‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎openspec/changes/align-python-env-permissions/specs/python-runtime/spec.md‎
Lines changed: 12 additions & 0 deletions b/‎openspec/changes/align-python-env-permissions/specs/python-runtime/spec.md‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎openspec/changes/align-python-env-permissions/tasks.md‎
Lines changed: 5 additions & 0 deletions b/‎openspec/changes/align-python-env-permissions/tasks.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎packages/sandboxed-node/tests/projects/rivetkit/fixture.json‎
Lines changed: 0 additions & 4 deletions b/‎packages/sandboxed-node/tests/projects/rivetkit/fixture.json‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎packages/sandboxed-node/tests/projects/rivetkit/package.json‎
Lines changed: 0 additions & 8 deletions b/‎packages/sandboxed-node/tests/projects/rivetkit/package.json‎
Lines changed: 0 additions & 8 deletions
diff --git a/‎packages/sandboxed-node/tests/projects/rivetkit/src/index.js‎
Lines changed: 0 additions & 12 deletions b/‎packages/sandboxed-node/tests/projects/rivetkit/src/index.js‎
Lines changed: 0 additions & 12 deletions
@@ -37,6 +37,13 @@
 - the matrix runs each fixture in host Node and secure-exec and compares normalized `code`, `stdout`, and `stderr`
 - no known-mismatch classification is allowed; parity mismatches stay failing until runtime/bridge behavior is fixed
 
+## Test Structure
+
+- `tests/test-suite/{node,python}.test.ts` are integration suite drivers; `tests/test-suite/{node,python}/` hold the shared suite definitions
+- test suites test generic runtime functionality with any pluggable SystemDriver (exec, run, stdio, env, filesystem, network, timeouts, log buffering); prefer adding tests here because they run against all environments (node, browser, python)
+- `tests/runtime-driver/` tests behavior specific to a single runtime driver (e.g. Node-only `memoryLimit`/`timingMitigation`, Python-only warm state or `secure_exec` hooks) that cannot be expressed through the shared suite context
+- within `test-suite/{node,python}/`, files are named by domain (e.g. `runtime.ts`, `network.ts`)
+
 ## Comment Pattern
 
 Follow the style in `packages/secure-exec/src/index.ts`.
 
@@ -1,5 +1,12 @@
 # Sandboxed Node Friction Log
 
+## 2026-03-09
+
+1. **[resolved]** Python `exec()` env overrides bypassed `permissions.env`.
+   - Symptom: `PyodideRuntimeDriver` filtered constructor-level runtime env, but per-execution `exec(..., { env })` overrides were forwarded into the worker without permission filtering.
+   - Fix: Python `exec()` now filters override keys through the shared `filterEnv(...)` path before applying them in the worker, matching Node runtime behavior.
+   - Follow-up: keep future Python capability additions on the same host-side permission boundary so worker-facing APIs never receive unapproved capability input.
+
 ## 2026-03-03
 
 1. **[resolved]** Python runtime contract split needed explicit cross-runtime `exec()` parity and warm-state guardrails.
 
@@ -64,6 +64,10 @@
 
 ## Security & Hardening
 
+- [x] Filter Python `exec(..., { env })` overrides through `permissions.env`.
+  - Fix: `PyodideRuntimeDriver.exec()` now applies the shared `filterEnv(...)` gate before env overrides reach the worker, and runtime-driver tests cover both denied-by-default and explicitly-allowed cases.
+  - `packages/secure-exec/src/python/driver.ts`, `packages/secure-exec/tests/runtime-driver/python.test.ts`
+
 - [x] Bridge `crypto.getRandomValues` / `randomUUID` to host `node:crypto` instead of `Math.random()`.
   - Fix: runtime now wires host `node:crypto` references from `packages/secure-exec/src/index.ts` into the isolate and uses them in `packages/secure-exec/src/bridge/process.ts`.
   - Fail-closed contract: bridge throws deterministic `crypto.getRandomValues is not supported in sandbox` / `crypto.randomUUID is not supported in sandbox` errors when host entropy hooks are unavailable.
 
@@ -0,0 +1,20 @@
+## Context
+
+`NodeExecutionDriver` already filters per-execution env overrides with `filterEnv(...)` before they reach sandbox code. `PyodideRuntimeDriver` filters constructor-level runtime env, but its `exec()` request path currently passes `options.env` through unchanged.
+
+## Decision
+
+Filter Python `exec()` env overrides with the existing shared `filterEnv(...)` helper before sending them to the worker.
+
+## Rationale
+
+- Keeps Python permission behavior aligned with the Node runtime contract.
+- Reuses the existing `permissions.env` decision model instead of introducing Python-specific policy logic.
+- Fixes the contract at the host boundary, so the worker only sees already-approved env keys.
+
+## Validation
+
+Add Python runtime-driver tests that verify:
+
+1. Env overrides are denied by default.
+2. Env overrides are visible when `permissions.env` explicitly allows them.
@@ -0,0 +1,15 @@
+## Why
+
+The Python runtime is intended to reuse the same permission model as the Node runtime, but the current `PyodideRuntimeDriver.exec()` path forwards `options.env` into the worker without filtering it through `permissions.env`. That makes the active Python change spec ahead of the code and creates a cross-runtime policy mismatch.
+
+## What Changes
+
+- Filter Python `exec()` env overrides through the existing `SystemDriver.permissions.env` gate before applying them in the Pyodide worker.
+- Add regression coverage showing denied env overrides stay hidden by default and allowed env overrides remain available when explicitly permitted.
+- Record the fix in the internal to-do/friction tracking so the repo state matches the code.
+
+## Impact
+
+- Affected code: `packages/secure-exec/src/python/driver.ts`
+- Affected tests: `packages/secure-exec/tests/runtime-driver/python.test.ts`
+- Affected specs: `python-runtime`
@@ -0,0 +1,12 @@
+## ADDED Requirements
+
+### Requirement: Python Exec Env Overrides Must Respect Env Permissions
+Python `exec()` env overrides SHALL be filtered through the configured `SystemDriver.permissions.env` gate before they are applied inside the runtime.
+
+#### Scenario: Python exec env overrides are denied by default
+- **WHEN** a caller passes `exec(..., { env })` to `PythonRuntime` and `permissions.env` does not allow those keys
+- **THEN** the denied env keys MUST NOT become visible inside the Python runtime
+
+#### Scenario: Python exec env overrides are exposed only when permitted
+- **WHEN** a caller passes `exec(..., { env })` to `PythonRuntime` and `permissions.env` explicitly allows a key
+- **THEN** that key MUST be visible inside the Python runtime with the provided value
@@ -0,0 +1,5 @@
+## 1. Python Env Permission Alignment
+
+- [x] 1.1 Filter `PyodideRuntimeDriver.exec()` env overrides through `permissions.env` before dispatching worker requests.
+- [x] 1.2 Add regression coverage for denied-by-default and explicitly-allowed Python env overrides.
+- [x] 1.3 Update internal to-do/friction tracking so the documented follow-up state matches the code.