ThreeGate/tool-exec/era/README.md

# ERA Integration (TOOL-EXEC Backend)
This directory defines how ThreeGate integrates **ERA** as the TOOL-EXEC backend.
ERA provides microVM-backed execution with a container-like interface and is intended to reduce blast radius compared to running code directly on the host.
This integration is intentionally conservative:
- TOOL-EXEC runs **no-network** by default
- TOOL-EXEC is **ephemeral** by default
- Inputs and outputs are mediated by schemas and validated before they cross the TOOL-EXEC boundary
---
## Scope
This integration is used only for **human-approved Tool Requests** placed into:
- `/srv/threegate/tool-exec/requests_in/` (host path in the full deployment)
- mounted read-only into the TOOL-EXEC container/service
TOOL-EXEC writes Tool Results into:
- `/srv/threegate/tool-exec/results_out/`
- only results that pass validation are moved to CORE inbound
---
## Security Posture (Defaults)
- Network: **disabled**
- Persistence: **disabled**
- Guest volumes: **disabled** (`AGENT_ENABLE_GUEST_VOLUMES=0`)
- Output only to `/out` (as mediated by TOOL-EXEC runner)
If you must enable guest volumes:
- treat it as a security change and review it as one
- use an explicit allowlist of mountable host paths, checked after symlinks and `..` have been resolved
- prefer read-only mounts
- require a content hash of each mounted path in the request schema, so what is actually mounted can be checked against what was approved
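The mediation described in the Scope and Security Posture sections (human-approved requests, no network, ephemeral runs, outputs confined to `/out`, guest volumes refused unless `AGENT_ENABLE_GUEST_VOLUMES=1`, allowlisted read-only mounts with content hashes), as an added Python example. It is not ThreeGate's or ERA's own code: the request and result shapes, the `req-YYYYMMDD-NNNN` id format, the `/srv/threegate/tool-exec/inputs` allowlist, and the function names are assumptions for illustration.

```python
import hashlib
import os
import posixpath
import re

# Hypothetical allowlist of host directories that may be mounted into the guest.
MOUNT_ALLOWLIST = ("/srv/threegate/tool-exec/inputs",)
OUT_ROOT = "/out"
# request_id is reused in result file names, so it is pinned to a fixed (hypothetical) shape.
REQUEST_ID_RE = re.compile(r"^req-[0-9]{8}-[0-9]{4}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def sha256_file(path, chunk=1 << 20):
    """Stream a host file through SHA-256 so large inputs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _under(root, path):
    """True if the normalized path is at or below root ('/outside' is not under '/out')."""
    root, path = posixpath.normpath(root), posixpath.normpath(path)
    return path == root or path.startswith(root + "/")


def validate_request(req, *, guest_volumes_enabled=None, allowlist=MOUNT_ALLOWLIST,
                     hasher=sha256_file, resolve=os.path.realpath):
    """Return the list of policy violations; an empty list means the request may run.
    guest_volumes_enabled defaults to AGENT_ENABLE_GUEST_VOLUMES=1 in the environment;
    hasher and resolve are injectable so the policy can be exercised without real files."""
    if guest_volumes_enabled is None:
        guest_volumes_enabled = os.environ.get("AGENT_ENABLE_GUEST_VOLUMES", "0") == "1"
    errors = []

    if not REQUEST_ID_RE.match(req.get("request_id", "")):
        errors.append("request_id malformed")
    if not req.get("approved_by"):
        errors.append("missing approved_by: only human-approved requests are executed")
    if req.get("network", False) is not False:  # the no-network default is not negotiable
        errors.append("network must be false")
    if req.get("ephemeral", True) is not True:
        errors.append("ephemeral must be true")

    volumes = req.get("volumes", [])
    if volumes and not guest_volumes_enabled:
        errors.append("guest volumes requested but AGENT_ENABLE_GUEST_VOLUMES is not 1")
    for v in volumes:
        host = resolve(v.get("host_path", ""))  # follow symlinks and '..' before comparing
        guest = v.get("guest_path", "")
        allowed = any(_under(root, host) for root in allowlist)
        if not allowed:
            errors.append(f"host_path {v.get('host_path')!r} resolves outside the allowlist")
        if v.get("mode") != "ro":
            errors.append(f"volume {guest!r} must be mounted ro")
        if not posixpath.isabs(guest) or _under(OUT_ROOT, guest):
            errors.append(f"guest_path {guest!r} must be absolute and must not shadow {OUT_ROOT}")
        digest = v.get("sha256", "")
        if not SHA256_RE.match(digest):
            errors.append(f"volume {guest!r} needs a lowercase hex sha256")
        elif allowed:  # never read a file that would not be mounted anyway
            try:
                if hasher(host) != digest:
                    errors.append(f"volume {guest!r} content does not match its declared sha256")
            except OSError as exc:
                errors.append(f"volume {guest!r} unreadable: {exc}")

    for out in req.get("outputs", []):
        if not posixpath.normpath(out).startswith(OUT_ROOT + "/"):
            errors.append(f"output {out!r} must be a path strictly under {OUT_ROOT}")
    return errors


def validate_result(result, req):
    """Check a Tool Result against the approved request before it moves to CORE inbound."""
    errors = []
    if result.get("request_id") != req.get("request_id"):
        errors.append("result does not carry the approved request_id")
    declared = set(req.get("outputs", []))
    for f in result.get("files", []):
        if f not in declared:
            errors.append(f"result file {f!r} was not declared in the request")
    return errors


# Constructed sample request, not a real ThreeGate artefact.
SAMPLE_REQUEST = {"request_id": "req-20240101-0001", "approved_by": "alice", "network": False,
                  "ephemeral": True, "volumes": [], "outputs": ["/out/result.json"]}
```

The runner that invokes ERA would call `validate_request` before launching anything and `validate_result` before moving files to CORE inbound; a non-empty list from either aborts the step. The host path is resolved before the allowlist comparison so that a symlink or `..` inside an allowlisted directory cannot reach outside it, and a file is only hashed once it is known to be mountable, so the validator itself never reads arbitrary host files.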
---
## Operational Requirements
ERA typically requires:
- the `agent` CLI available (ERA)
- a backend capable of microVM execution (krunvm)
- host support (often KVM via `/dev/kvm`)
**Do not enable /dev/kvm passthrough** to containers until you have reviewed:
- host kernel patching state
- Docker daemon security posture
- whether TOOL-EXEC should run directly on the host instead of inside a container
This repo provides wrapper scripts that can be used either:
- within a TOOL-EXEC container (with careful, minimal device exposure), or
- as host-level tooling invoked by a systemd service (often the simpler and safer option)
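A preflight check for the requirements and the `/dev/kvm` caution above, as an added Python example that is not ERA's or ThreeGate's own tooling. It refuses to start when the `agent` CLI, `krunvm` or a usable `/dev/kvm` is missing, and when `/dev/kvm` is visible from inside a container unless a hypothetical `TOOL_EXEC_ACK_CONTAINER_KVM=1` acknowledgement records that the review happened; the container detection is a heuristic.

```python
import os
import shutil
import stat

KVM_DEV = (10, 232)  # /dev/kvm is the Linux misc-device node with major 10, minor 232


def _looks_containerised():
    """Heuristic only: container marker files or a container-managed cgroup for PID 1."""
    if os.path.exists("/.dockerenv") or os.path.exists("/run/.containerenv"):
        return True
    try:
        with open("/proc/1/cgroup") as f:
            return any(k in f.read() for k in ("docker", "containerd", "kubepods", "libpod"))
    except OSError:
        return False


def gather_facts(kvm_path="/dev/kvm", environ=None):
    """Collect what the decision needs; separate from the policy so the policy is testable."""
    environ = os.environ if environ is None else environ
    facts = {
        "have_agent": shutil.which("agent") is not None,
        "have_krunvm": shutil.which("krunvm") is not None,
        "kvm_chardev": False,
        "kvm_usable": False,
        "in_container": _looks_containerised(),
        # Hypothetical acknowledgement variable; it records that the /dev/kvm review happened.
        "container_kvm_ack": environ.get("TOOL_EXEC_ACK_CONTAINER_KVM") == "1",
    }
    try:
        st = os.stat(kvm_path)
    except OSError:
        return facts  # no /dev/kvm at all
    facts["kvm_chardev"] = stat.S_ISCHR(st.st_mode) and \
        (os.major(st.st_rdev), os.minor(st.st_rdev)) == KVM_DEV
    facts["kvm_usable"] = facts["kvm_chardev"] and os.access(kvm_path, os.R_OK | os.W_OK)
    return facts


def decide(facts):
    """Return (ok, reasons). Any reason blocks TOOL-EXEC from starting."""
    reasons = []
    if not facts["have_agent"]:
        reasons.append("ERA `agent` CLI not found on PATH")
    if not facts["have_krunvm"]:
        reasons.append("krunvm not found on PATH")
    if not facts["kvm_chardev"]:
        reasons.append("/dev/kvm is missing or is not the kvm character device 10:232")
    elif not facts["kvm_usable"]:
        reasons.append("/dev/kvm exists but is not readable and writable by this user")
    if facts["in_container"] and facts["kvm_chardev"] and not facts["container_kvm_ack"]:
        reasons.append("/dev/kvm is exposed inside a container; review host kernel patch state "
                       "and Docker daemon posture first, then set TOOL_EXEC_ACK_CONTAINER_KVM=1")
    return not reasons, reasons


if __name__ == "__main__":
    ok, reasons = decide(gather_facts())
    print("preflight:", "ok" if ok else "refused")
    for r in reasons:
        print(" -", r)
```

Run it from the wrapper script (or as `ExecStartPre=` of the systemd unit) so the service fails closed: a host-level deployment passes once the two binaries are on `PATH` and the invoking user can open `/dev/kvm`, while a container that has `/dev/kvm` passed through is refused until someone sets the acknowledgement explicitly.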
---
## Reference
ERA upstream:
- https://github.com/BinSquare/ERA
This repository does not vendor ERA.