chore: add carranca CI config and PR review workflow #1

Merged: pboueke merged 2 commits into main from carranca-ci on Mar 26, 2026

@pboueke (Owner) commented Mar 26, 2026

@github-actions

Carranca AI Review

⚠️ The automated review did not produce output. The agent may have failed or timed out.

See the workflow run for details.


Automated review by carranca sandbox

2 similar comments
@github-actions

Carranca AI Review

Summary

This PR adds carranca (an AI agent sandbox) configuration and a GitHub Actions workflow for automated PR reviews using a sandboxed AI reviewer. The changes include configuration files, container build artifacts, shell scripts for event logging, and workflow automation, with version bump to 1.0.4.

Findings

  • Critical: Command injection vulnerability in .carranca/shell-wrapper.sh:334 - uses eval "$AGENT_COMMAND" without input validation. While the command comes from .carranca.yml (operator-controlled), if an agent can modify this file at runtime (e.g., through watched_paths), arbitrary code execution is possible in the container.

  • High: Container runs as root in .carranca/Containerfile:116. No USER directive sets a non-privileged user, which violates security best practices for containerized applications.

  • High: Unrestricted network access in .carranca.yml:53 - network: true allows all outbound connections. Combined with cap_add comments and iptables installation, this could enable network abuse. The commented fine-grained policy shows awareness but doesn't implement restrictions.

  • High: Dangerous watched_paths in .carranca.yml:97-100 includes .env and secrets/ which could expose sensitive file contents. Agents should not have write access to secrets directories.

  • Medium: Incomplete secret passthrough in .carranca.yml:94-95 - only OPENAI_API_KEY is configured for passthrough, but the PR review workflow expects it. While functional, this is brittle and doesn't account for other potential API keys.

  • Medium: No tests for new carranca configuration or PR review workflow. The workflow has conditional execution (if: github.event.pull_request.user.login == 'pboueke') which should be tested, and shell scripts in .carranca/ have no test coverage.

  • Medium: TypeScript version unspecified in .carranca/Containerfile:132 - installs Node.js/npm but no explicit TypeScript package, despite the review prompt mentioning TypeScript as a focus area.

  • Low: Version bump to 1.0.4 for CI/infra changes. This should have been a minor version bump (1.1.0) since it adds new functionality, or potentially no bump at all if considered developer-tooling only.

  • Low: GitHub Actions workflow only runs for pboueke user in .github/workflows/pr-review.yml:391. This severely limits utility and should be either removed or expanded to trusted maintainers.

  • Info: The JSON escaping implementation in .carranca/lib/json.sh is thorough and follows RFC 8259, which is good practice for security.

Verdict

REQUEST_CHANGES - The security issues with eval, root user, unrestricted network access, and watched_paths need to be addressed before merging. The lack of test coverage for new infrastructure code is also concerning.

carranca bound zai-coding-plan/glm-4.6


Automated review by carranca sandbox
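
The `eval "$AGENT_COMMAND"` pattern named in the first finding, next to a form that never re-parses the string as shell source. This is an added example, not code from this PR or from carranca; the function names and sample strings are constructed, and it assumes the agent command is a single program with plain arguments.

```shell
#!/bin/sh
# Added example, not code from the PR. AGENT_COMMAND is the variable named in
# the review; the function names and sample strings are constructed.

# Flagged pattern: the whole string is re-parsed as shell source, so any
# metacharacter in it (; | & $ ( ) ` > <) becomes syntax.
run_with_eval() {
    AGENT_COMMAND=$1
    eval "$AGENT_COMMAND"
}

# Hardened form (assumes the agent command is one program plus plain
# arguments): reject anything outside a conservative character set, then
# split on whitespace with globbing off and execute the words as argv.
run_as_argv() (
    AGENT_COMMAND=$1
    rest=$(printf '%s' "$AGENT_COMMAND" | tr -d 'A-Za-z0-9 _./:=@,+-')
    [ -z "$rest" ] || exit 65      # metacharacters present: refuse to run
    set -f                         # no pathname expansion on the split
    set -- $AGENT_COMMAND          # field splitting only, no re-parsing
    [ "$#" -gt 0 ] || exit 64      # empty command
    "$@"
)

# Constructed input: the second command must never run.
demo='echo review; echo INJECTED'
run_as_argv "$demo" || echo "rejected with exit status $?"
```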

@pboueke pboueke merged commit 363f7cc into main Mar 26, 2026
4 checks passed
@pboueke pboueke deleted the carranca-ci branch March 26, 2026 14:01