feat(picod): implement two-stage secure initialization to isolate sandbox sessions

[Abhinav-kodes]

feat(picod): implement two-stage secure initialization to isolate sandbox sessions

What type of PR is this?

/kind feature
/kind security

---

What this PR does / why we need it

This PR implements Two-Stage Secure Initialization for PicoD to resolve a critical security vulnerability regarding cross-sandbox token replays, while incorporating defense-in-depth, encrypted key storage, and performance optimizations.

Previously, under the Plain Authentication design, all PicoD sandboxes verified JWTs using the same shared public key injected via the PICOD_AUTH_PUBLIC_KEY environment variable. This meant a valid JWT issued for one sandbox could theoretically be replayed against another sandbox, breaking tenant isolation.

This PR introduces a cryptographically isolated two-stage handshake:

1. Bootstrap Stage: The Workload Manager generates a static RSA-2048 Bootstrap Key Pair on startup, stores it in the agentcube-bootstrap-identity Kubernetes Secret/ConfigMap (renamed from picod-router-identity / picod-router-public-key), and injects PICOD_BOOTSTRAP_PUBLIC_KEY along with a unique PICOD_SESSION_ID into each PicoD container environment. PicoD loads the bootstrap key at startup and waits in an uninitialized state.

2. Session Stage (POST /init): The Workload Manager generates a per-sandbox ECDSA (P-256) Session Key Pair. It calls the new POST /init endpoint on PicoD with a short-lived bootstrap JWT (RS256, signed by the Bootstrap Private Key, scoped by sub = PICOD_SESSION_ID) containing the session_public_key claim. On success, PicoD stores the ECDSA public key and transitions to initialized. All subsequent user requests must be signed with the ECDSA Session Private Key (ES256).

---

Files Changed

File	Change
cmd/picod/main.go	Pass context.Background() to NewServer to enable lifecycle-aware goroutines
cmd/workload-manager/main.go	Reorder init to pass server.GetBootstrapPublicKeyPEM into CodeInterpreterReconciler after server construction
pkg/picod/auth.go	Refactored AuthManager: split into bootstrapPublicKey (RSA) + sessionPublicKey (ECDSA); added VerifyBootstrapJWT, SetSessionPublicKey, JTI replay-protection via sync.Map, background JTI eviction goroutine
pkg/picod/server.go	Added POST /init route with per-endpoint rate limiter (2 req/s, burst 5); InitHandler verifies bootstrap JWT and sets session key; API routes return 503 DAEMON_NOT_INITIALIZED until session is established
pkg/router/jwt.go	Renamed secret/configmap to agentcube-bootstrap-identity; added LRU key cache (keyCacheMaxSize=1000) for per-session ECDSA private keys; added GenerateTokenWithKey and GetCachedKey helpers
pkg/router/handlers.go	generateSandboxJWT fetches per-session ECDSA private key from store (with ErrKeyNotCached fallback); returns 503 SESSION_PRIVATE_KEY_NOT_FOUND if key is missing
pkg/router/server.go	Set IdleConnTimeout: 85s and MaxIdleConnsPerHost: 100 on HTTP transport; pass storeClient to TryStoreOrLoadJWTKeySecret
pkg/store/interface.go	Added StoreSessionPrivateKey, GetSessionPrivateKey, SetEncryptionKey to Store interface
pkg/store/crypto.go (new)	AES-256-GCM Crypto helper for at-rest encryption of session private keys
pkg/store/keys.go (new)	Centralized sessionPrivKeyPrefix constant shared by Redis and Valkey backends
pkg/store/store_redis.go	Implemented StoreSessionPrivateKey / GetSessionPrivateKey (AES-GCM + base64); updated DeleteSandboxBySessionID to use non-transactional Pipeline() for cluster-safe deletion
pkg/store/store_valkey.go	Same as Redis backend; DeleteSandboxBySessionID uses bare DoMulti for cluster-safe deletion
pkg/common/types/sandbox.go	Added SessionPrivateKey (excluded from JSON, persisted separately) and AuthMode fields to SandboxInfo
docs/design/PicoD-Plain-Authentication-Design.md	Added migration warning; renamed ConfigMap/Secret references; updated pod spec YAML and sequence diagrams
docs/design/auth-proposal.md	Updated Router→PicoD description to reflect RSA/ECDSA dual-key scheme and new env var names
docs/agentcube/blog/release-v0.1.0/index.md	Updated JWT security chain section to describe two-stage trust chain and ES256 token signing
pkg/picod/auth_test.go, picod_test.go, execute_test.go, server_test.go	Full test suite updated: RSA→ECDSA test helpers, new TestInitHandler covering success/conflict/invalid-token cases, TestAuthMiddleware_ValidToken
pkg/router/session_manager_test.go	Added stub implementations for new store interface methods
pkg/workloadmanager/server.go	Added PicoInitTimeout, bootstrap auth manager wiring, GetBootstrapPublicKeyPEM, and store encryption key setup
pkg/workloadmanager/workload_builder.go	Removed the old public-key cache flow and switched sandbox builds to use AuthMode defaults from the new model

---

Key Security Hardening & Optimizations Included

• ECDSA Migration: Session tokens switched from RS256 (2048-bit RSA) to ES256 (ECDSA P-256), reducing CPU overhead during high-throughput sandbox initialization.
• Defense-in-Depth (PICOD_SESSION_ID): PicoD validates the sub claim in the bootstrap JWT against PICOD_SESSION_ID when set (on-demand pods). Warm pool pods that are pre-created before a session is assigned skip this check; replay protection is still enforced via the JTI guard.
• JTI Replay Protection: AuthManager tracks seen JTIs via sync.Map with a background 1-minute cleanup goroutine; bootstrap JTIs older than 3 minutes are evicted.
• One-Shot Initialization: SetSessionPublicKey returns ErrAlreadyInitialized on second call; InitHandler responds 409 Conflict to prevent session key hijacking via re-initialization.
• At-Rest Encryption: Session ECDSA private keys stored in Redis/Valkey are encrypted with AES-256-GCM (pkg/store/crypto.go) before persistence.
• Cluster-Safe Key Deletion: DeleteSandboxBySessionID uses a non-transactional Pipeline() (Redis) / bare DoMulti (Valkey) to delete sandbox metadata and the private key safely in clustered deployments.
• Rate Limiting on /init: A token-bucket rate limiter (2 req/s, burst 5) guards the /init endpoint against spam during the startup window.
• HTTP Transport Hardening: IdleConnTimeout set to 85s (aligned with AWS ALB 60s timeout) and MaxIdleConnsPerHost=100 to prevent stale-connection race conditions.
• PicoInitTimeout: Workload Manager now uses a dedicated timeout for the /init handshake so sandbox initialization does not block indefinitely.
• Auth Mode Plumbing: SandboxInfo and CreateSandboxResponse now carry AuthMode, allowing the Router to distinguish picod sandboxes from none-auth sandboxes.
• Backwards Compatibility: PICOD_AUTH_PUBLIC_KEY is still accepted as a fallback; deployments should migrate to PICOD_BOOTSTRAP_PUBLIC_KEY.

---

Which issue(s) this PR fixes

Fixes #

---

Special notes for your reviewer

This implementation realizes the architecture outlined in docs/design/agentcube-proposal.md under section 5.2 (Picod Workflow). The relevant design documents (docs/design/PicoD-Plain-Authentication-Design.md and auth-proposal.md) have been fully updated within this PR to accurately document the new PICOD_BOOTSTRAP_PUBLIC_KEY, PICOD_SESSION_ID, and the two-stage ECDSA handshake.

⚠️ Operator Migration Required
The Kubernetes ConfigMap picod-router-public-key has been renamed to agentcube-bootstrap-identity. The Kubernetes Secret picod-router-identity has been renamed to agentcube-bootstrap-identity. Secret data keys have been renamed from private.pem/public.pem → bootstrap-private.pem/bootstrap-public.pem. Operators upgrading from the old schema must migrate these resources before deploying.

The initialization order in cmd/workload-manager/main.go was intentionally changed: CodeInterpreterReconciler is now constructed after NewServer so it can receive server.GetBootstrapPublicKeyPEM as a live function reference rather than a nil pointer.

---

Does this PR introduce a user-facing change?

Implemented two-stage secure initialization for PicoD. Sandboxes are now cryptographically isolated using dynamic ECDSA (P-256) session keys to prevent cross-sandbox token replay vulnerabilities. Session private keys are now encrypted at rest in Redis/Valkey using AES-256-GCM. The PICOD_AUTH_PUBLIC_KEY env var is deprecated in favor of PICOD_BOOTSTRAP_PUBLIC_KEY.

[volcano-sh-bot]

@Abhinav-kodes: The label(s) kind/security cannot be applied, because the repository doesn't have them.

Details

In response to this:

What type of PR is this?

/kind feature
/kind security

What this PR does / why we need it:
This PR implements Two-Stage Secure Initialization for PicoD to resolve a critical security vulnerability regarding cross-sandbox token replays.

Previously, under the Plain Authentication design, all PicoD sandboxes verified JWTs using the same shared public key injected via the PICOD_AUTH_PUBLIC_KEY environment variable. This meant a valid JWT issued for one sandbox could theoretically be replayed against another sandbox, breaking tenant isolation.

This PR introduces a cryptographically isolated two-stage handshake:

1. Bootstrap Stage: Workload Manager generates a Bootstrap Key Pair and injects the PICOD_BOOTSTRAP_PUBLIC_KEY into the PicoD container environment. PicoD loads this at startup.
2. Session Stage (Initialization): Workload Manager generates a dynamically unique Session Key Pair. It calls the new POST /init endpoint on PicoD with an init_jwt (signed by the Bootstrap Private Key) that contains the session_public_key claim. PicoD extracts and permanently stores this session key.

All subsequent user requests to that sandbox must be signed by the unique Session Private Key. This guarantees strict cryptographic isolation between sandboxes while maintaining our fast-startup serverless architecture.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:
This implementation realizes the architecture outlined in docs/design/agentcube-proposal.md under section 5.2 (Picod Workflow). Note that the older PicoD-Plain-Authentication-Design.md document is now slightly outdated regarding this specific bootstrap flow.

Does this PR introduce a user-facing change?:

Implemented two-stage secure initialization for PicoD. Sandboxes are now cryptographically isolated using dynamic session keys to prevent cross-sandbox token replay vulnerabilities.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[gemini-code-assist]

Code Review

This pull request implements a two-stage authentication mechanism for PicoD sandboxes by introducing an /init endpoint and bootstrap key generation. The reviewer identified a critical security flaw where the router's shared key is incorrectly reused for session initialization instead of a unique session key. Additionally, the review points out that the session key can be overwritten, suggests refactoring duplicated PEM parsing logic, highlights the need for comprehensive unit tests for the new initialization flow, and recommends making the HTTP client timeout configurable.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 52.23421% with 310 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.32%. Comparing base (524e55e) to head (80d4075).
⚠️ Report is 119 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/workloadmanager/bootstrap_auth.go	23.23%	72 Missing and 4 partials ⚠️
pkg/router/jwt.go	57.95%	33 Missing and 4 partials ⚠️
pkg/picod/auth.go	67.61%	23 Missing and 11 partials ⚠️
pkg/router/handlers.go	0.00%	29 Missing ⚠️
pkg/workloadmanager/sandbox_helper.go	65.33%	17 Missing and 9 partials ⚠️
pkg/workloadmanager/handlers.go	55.76%	18 Missing and 5 partials ⚠️
pkg/store/store_redis.go	56.86%	12 Missing and 10 partials ⚠️
pkg/store/store_valkey.go	60.78%	11 Missing and 9 partials ⚠️
pkg/store/crypto.go	44.00%	7 Missing and 7 partials ⚠️
pkg/workloadmanager/server.go	18.75%	13 Missing ⚠️
... and 4 more
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #352      +/-   ##
==========================================
+ Coverage   47.57%   57.32%   +9.75%     
==========================================
  Files          30       36       +6     
  Lines        2819     3677     +858     
==========================================
+ Hits         1341     2108     +767     
+ Misses       1338     1325      -13     
- Partials      140      244     +104     

Flag	Coverage Δ
unittests	57.32% <52.23%> (+9.75%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Abhinav-kodes]

/gemini review

[gemini-code-assist]

Code Review

This pull request implements a two-stage authentication and initialization workflow for PicoD. It introduces bootstrap keys to verify an initial setup phase that establishes unique session-specific keys for each sandbox. The workload manager has been updated to generate these ephemeral keys and perform remote initialization of PicoD instances, while the router now supports signing JWTs with per-session private keys. Reviewer feedback identifies performance bottlenecks related to frequent RSA key parsing and redundant HTTP client instantiation, and provides corrections for the golang-jwt/jwt/v5 library usage to ensure proper claim enforcement.

[Abhinav-kodes]

/gemini review

[gemini-code-assist]

Code Review

This pull request implements a two-stage authentication and initialization flow for PicoD, introducing a bootstrap public key and an /init endpoint for session-specific key registration. The changes include updates to the Workload Manager to generate and distribute these keys, and modifications to the Router to support session-specific JWT signing. Feedback includes concerns regarding a potential memory leak in the JWTManager due to an unbounded cache, the use of global variables in bootstrap_auth.go which hinders testability and thread safety, and a recommendation to improve security by verifying the issuer claim in the bootstrap JWT.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Abhinav-kodes]

/gemini review

[Abhinav-kodes]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces a two-stage secure initialization trust chain between the Router, Workload Manager, and PicoD. It replaces the static RSA key pair model with a bootstrap RSA key pair used to verify an /init handshake, which dynamically establishes a unique, per-session ECDSA (P-256) key pair. The session private key is encrypted via AES-GCM and stored in Redis/Valkey. Feedback on the changes points out a compilation error in pkg/picod/auth.go due to the use of an invalid JWT parser option (jwt.WithIssuedAt), and suggests improving responsiveness to context cancellation in pkg/router/jwt.go by replacing time.Sleep with a select block.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Abhinav-kodes]

/gemini review

[gemini-code-assist]

Code Review

This pull request implements a two-stage secure initialization trust chain for PicoD, transitioning from a static RSA key pair to a dynamic ECDSA session key pair established via an /init handshake. It also introduces AES-GCM encryption for storing session private keys in Redis/Valkey. The review feedback highlights several critical issues: a strict session ID check that breaks the warm pool feature, fragile PEM-string hashing for encryption keys that should use raw DER bytes instead, Redis/Valkey cluster compatibility issues due to transactional multi-key operations (CROSSSLOT errors), and a potential goroutine leak in PicoD's background cleanup task due to uncanceled contexts.

[Abhinav-kodes]

/gemini review

[gemini-code-assist]

Code Review

This pull request implements a two-stage secure initialization trust chain between the Router, Workload Manager, and PicoD to mitigate cross-sandbox token replay vulnerabilities. Instead of a single static RSA key pair, it introduces a bootstrap RSA key pair used only for an /init handshake, which dynamically establishes a unique ECDSA (P-256) session key pair for each sandbox instance. Subsequent requests are signed using ES256 JWTs. The changes span PicoD, Workload Manager, Router, and store packages, adding symmetric encryption (AES-GCM) for storing session private keys in Redis/Valkey. The reviewer identified two key issues: first, treating 409 Conflict as a successful initialization during /init retries is dangerous because a new key pair is generated on each retry, leading to a mismatch between the stored private key and PicoD's registered public key; second, the initialization context timeout is hardcoded to 5 seconds, ignoring the configured PicoInitTimeout value.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Abhinav-kodes]

cc @hzxuzhonghu

[Copilot]

Pull request overview

Copilot reviewed 37 out of 37 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (3)

pkg/workloadmanager/sandbox_helper.go:1

• The comment at lines 259–261 contradicts the logic above: 409 is explicitly treated as an error, not as success. Update the comment to match the actual behavior (e.g., “ONLY after confirmed 200 OK”) to avoid future incorrect changes that could accidentally persist a mismatched private key.
  pkg/workloadmanager/sandbox_helper.go:1
• When httpClient.Do returns a non-nil resp alongside an err (which can happen in some HTTP failure cases), the current code does not close resp.Body, potentially leaking connections and degrading performance under retries. Consider closing/discarding resp.Body on the error path when resp != nil before the next retry.
  pkg/workloadmanager/sandbox_helper_test.go:1
• This file previously contained broader table-driven tests for placeholder/info building logic, but the diff removes them and replaces them with PicoD init tests only. Since buildSandboxInfo and placeholder TTL/expiry behavior are still critical to API correctness, consider reintroducing equivalent coverage (in this file or a new one) to avoid regressions in expiry/entrypoint formatting or lifecycle handling.

[Copilot]

Pull request overview

Copilot reviewed 37 out of 37 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

pkg/workloadmanager/sandbox_helper.go:1

• The comment at lines 259–261 says “200 OK or 409”, but the preceding block explicitly treats 409 as a terminal error (non-200 => error). Please update the comment to match the implemented behavior (or, if 409 should be handled as success, adjust the code accordingly). This inconsistency is likely to confuse future maintainers during incident/debugging.

[Copilot]

Pull request overview

Copilot reviewed 39 out of 39 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (2)

pkg/workloadmanager/sandbox_helper.go:1

• When Do(req) returns a non-nil resp alongside an err, the response body can remain open across retries, leaking connections. Close resp.Body (when resp != nil) before continuing to the next retry attempt.
  pkg/workloadmanager/sandbox_helper.go:1
• The comment at line 259 contradicts the implementation and the preceding explanation: 409 Conflict is explicitly not treated as success, but the comment says keys are assigned after 200 OK or 409. Update the comment to reflect actual behavior (assignment only after 200 OK) to avoid misleading future changes.

[Copilot]

Pull request overview

Copilot reviewed 40 out of 40 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (3)

pkg/workloadmanager/sandbox_helper.go:1

• The jitter uses the global math/rand source but this file doesn’t seed it, so across processes the jitter sequence is deterministic (default seed = 1), which undermines the “avoid thundering herd” goal. Use a per-Server rand.Rand seeded from time (or crypto/rand-derived seed), or switch to a standard backoff/jitter helper (e.g., wait.JitterUntil / wait.Backoff) to ensure real divergence between replicas.
  pkg/workloadmanager/sandbox_helper.go:1
• The comment on line 259 says the key is assigned after “200 OK or 409”, but the implementation explicitly treats 409 as a terminal error (and never assigns the key). Update the comment to match the actual behavior (200 OK only), or adjust the logic if 409 is intended to be handled as success.
  pkg/workloadmanager/sandbox_helper_test.go:1
• This file previously covered buildSandboxPlaceHolder(...) and buildSandboxInfo(...) with table-driven tests, but those tests were removed in this change. Since those functions still exist and are pivotal for persisted sandbox metadata, consider restoring equivalent coverage (either reintroduce the table-driven cases here or add focused tests elsewhere) to avoid regressions in expiry/status/entrypoint formatting behavior.