ERA Integration (TOOL-EXEC Backend)
This directory defines how ThreeGate integrates ERA as the TOOL-EXEC backend.
ERA provides microVM-backed execution with a container-like interface and is intended to reduce blast radius compared to running code directly on the host.
This integration is intentionally conservative:
- TOOL-EXEC runs no-network by default
- TOOL-EXEC is ephemeral by default
- Inputs/outputs are mediated via schemas and validation
Scope
This integration is used only for human-approved Tool Requests placed into:
- /srv/threegate/tool-exec/requests_in/ (host path in the full deployment)
- mounted read-only into the TOOL-EXEC container/service
TOOL-EXEC produces Tool Results into:
- /srv/threegate/tool-exec/results_out/
- and validated outputs are moved to CORE inbound
Security Posture (Defaults)
- Network: disabled
- Persistence: disabled
- Guest volumes: disabled (AGENT_ENABLE_GUEST_VOLUMES=0)
- Output only to /out (as mediated by TOOL-EXEC runner)
If you must enable guest volumes:
- treat it as a security change
- use explicit allowlists of mounted paths
- prefer read-only mounts
- ensure deterministic hashes in request schema
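One way to enforce the guest-volume rules above before a request reaches ERA, as an added example that is not ThreeGate's or ERA's own code. The request shape (mounts, host_path, mode, sha256) and the check_mounts helper are hypothetical, and the example takes the strict reading of "prefer read-only" by rejecting any other mode.

```python
import hashlib
import os
import tempfile

# Assumed request shape (hypothetical, not ThreeGate's actual schema):
#   {"mounts": [{"host_path": str, "mode": "ro" | "rw", "sha256": hex str}]}

def check_mounts(request, allowed_roots, guest_volumes_enabled=False):
    """Return a list of rejection reasons; an empty list means the mounts pass."""
    mounts = request.get("mounts", [])
    if not mounts:
        return []
    if not guest_volumes_enabled:
        return ["guest volumes are disabled (AGENT_ENABLE_GUEST_VOLUMES=0)"]
    roots = [os.path.realpath(r) for r in allowed_roots]
    errors = []
    for m in mounts:
        raw = str(m.get("host_path", ""))
        # Resolve ".." and symlinks first, so the allowlist is applied to the
        # file that would really be exposed to the guest.
        real = os.path.realpath(raw)
        inside = any(os.path.commonpath([real, r]) == r for r in roots)
        if not os.path.isabs(raw) or not inside:
            errors.append(f"{raw}: not under an allowlisted path")
        elif m.get("mode") != "ro":
            errors.append(f"{raw}: only read-only mounts are accepted")
        elif not os.path.isfile(real):
            errors.append(f"{raw}: not a regular file")
        else:
            with open(real, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            if digest != str(m.get("sha256", "")).lower():
                errors.append(f"{raw}: sha256 does not match the request")
    return errors

if __name__ == "__main__":
    # Constructed sample: one allowlisted input file and a request that pins it.
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "input.csv")
        with open(path, "wb") as fh:
            fh.write(b"a,b\n1,2\n")
        pinned = hashlib.sha256(b"a,b\n1,2\n").hexdigest()
        ok = {"mounts": [{"host_path": path, "mode": "ro", "sha256": pinned}]}
        rw = {"mounts": [{"host_path": path, "mode": "rw", "sha256": pinned}]}
        print(check_mounts(ok, [root], guest_volumes_enabled=True))
        print(check_mounts(rw, [root], guest_volumes_enabled=True))
```

The file is hashed before it is mounted, so the result only holds if nothing else can write to the allowlisted directory between validation and execution.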
Operational Requirements
ERA typically requires:
- the agent CLI available (ERA)
- a backend capable of microVM execution (krunvm)
- host support (often KVM via /dev/kvm)
Do not enable /dev/kvm passthrough to containers until you have reviewed:
- host kernel patching state
- Docker daemon security posture
- whether TOOL-EXEC should run directly on the host instead of inside a container
This repo provides wrapper scripts that can be used either:
- within a TOOL-EXEC container (with careful device exposure), or
- as host-level tooling invoked by a systemd service (often simpler/safer)
Reference
ERA upstream:
This repository does not vendor ERA.