feat(satellite): add env var sanitization to prevent code injection attacks

Block dangerous environment variables (LD_PRELOAD, NODE_OPTIONS, PYTHONSTARTUP, etc.)
from being passed to nsjail-spawned MCP server processes. This prevents malicious
MCP servers from exploiting library injection or code execution vulnerabilities.

- Add BLOCKED_ENV_VARS set with ~30 dangerous vars for Linux/Node/Python/Shell
- Add sanitizeEnvVars() method to filter and log blocked vars
- Log blocked vars at WARN level for security auditing

Author: Lasim

services/satellite/src/config/nsjail.ts

@@ -36,3 +36,54 @@ export const nsjailConfig = {
  * Falls back to /opt/deploystack if HOME is not set
  */
 export const mcpCacheBaseDir = process.env.HOME || '/opt/deploystack';
+
+/**
+ * Blocked Environment Variables
+ * These env vars are stripped from user-provided config before passing to nsjail.
+ * They can be exploited for code injection, library hijacking, or privilege escalation.
+ */
+export const BLOCKED_ENV_VARS = new Set([
+  // Linux dynamic linker (affects ALL processes)
+  'LD_PRELOAD',           // Shared library injection - most dangerous
+  'LD_LIBRARY_PATH',      // Library search path hijacking
+  'LD_AUDIT',             // Audit library injection
+  'LD_DEBUG',             // Debug output manipulation
+  'LD_DEBUG_OUTPUT',      // Debug output file
+  'LD_PROFILE',           // Profiling library injection
+  'LD_SHOW_AUXV',         // Auxiliary vector exposure
+  'LD_DYNAMIC_WEAK',      // Weak symbol manipulation
+
+  // Node.js specific
+  'NODE_OPTIONS',         // Can inject --require, --inspect, etc.
+  'NODE_REPL_EXTERNAL_MODULE', // External module loading
+  'NODE_EXTRA_CA_CERTS',  // Could point to malicious CA cert
+  'NODE_PATH',            // Module resolution hijacking
+  'NODE_REDIRECT_WARNINGS', // Warning output redirection
+
+  // Python specific
+  'PYTHONSTARTUP',        // Executes script on Python interpreter start
+  'PYTHONPATH',           // Module resolution hijacking
+  'PYTHONHOME',           // Python installation path hijacking
+  'PYTHONWARNINGS',       // Warning behavior manipulation
+  'PYTHONDEBUG',          // Debug mode enabling
+  'PYTHONINSPECT',        // Forces interactive mode after script
+  'PYTHONUSERSITE',       // User site-packages manipulation
+  'PYTHONEXECUTABLE',     // Executable path override
+  'PYTHONHASHSEED',       // Hash randomization control
+
+  // Shell injection (if any subprocess spawns shell)
+  'BASH_ENV',             // Executed on non-interactive bash start
+  'ENV',                  // Executed on sh start
+  'ZDOTDIR',              // Zsh config directory override
+  'SHELL',                // Default shell override
+
+  // Path and temp manipulation (already set by nsjail)
+  'PATH',                 // Already controlled by nsjail
+  'HOME',                 // Already set by nsjail
+  'TMPDIR',               // Could redirect temp to attacker location
+  'TMP',                  // Windows-style temp
+  'TEMP',                 // Windows-style temp
+
+  // Misc dangerous
+  'IFS',                  // Shell word splitting manipulation
+]);

services/satellite/src/process/manager.ts

@@ -7,7 +7,7 @@ import { existsSync } from 'fs';
 import { MCPServerConfig, ProcessInfo } from './types';
 import type { EventBus } from '../services/event-bus';
 import type { RuntimeState } from './runtime-state';
-import { nsjailConfig, mcpCacheBaseDir } from '../config/nsjail';
+import { nsjailConfig, mcpCacheBaseDir, BLOCKED_ENV_VARS } from '../config/nsjail';
 
 /**
  * Process Manager for MCP server subprocesses
@@ -140,6 +140,39 @@ export class ProcessManager extends EventEmitter {
     this.backendStatusCallback = callback;
   }
 
+  /**
+   * Sanitize environment variables by removing dangerous entries
+   * Prevents library injection (LD_PRELOAD), code injection (NODE_OPTIONS, PYTHONSTARTUP), etc.
+   * @param env - User-provided environment variables
+   * @param installationName - For logging blocked vars
+   * @returns Array of nsjail -E arguments with safe env vars only
+   */
+  private sanitizeEnvVars(env: Record<string, string>, installationName: string): string[] {
+    const sanitized: string[] = [];
+    const blocked: string[] = [];
+
+    for (const [key, value] of Object.entries(env)) {
+      // Check against blocklist (case-insensitive for safety)
+      if (BLOCKED_ENV_VARS.has(key) || BLOCKED_ENV_VARS.has(key.toUpperCase())) {
+        blocked.push(key);
+        continue;
+      }
+      sanitized.push('-E', `${key}=${value}`);
+    }
+
+    // Log blocked vars for security auditing
+    if (blocked.length > 0) {
+      this.logger.warn({
+        operation: 'env_vars_blocked',
+        installation_name: installationName,
+        blocked_vars: blocked,
+        blocked_count: blocked.length
+      }, `Blocked ${blocked.length} dangerous env var(s) for security: ${blocked.join(', ')}`);
+    }
+
+    return sanitized;
+  }
+
   /**
    * Resolve command to full path for nsjail execution
    * nsjail has limited PATH, so we need full paths for common commands
@@ -1271,8 +1304,8 @@ export class ProcessManager extends EventEmitter {
       '-E', 'NPM_CONFIG_PREFIX=/home/npx/.npm-global', // npm global prefix
       '-E', 'NPM_CONFIG_UPDATE_NOTIFIER=false', // Disable update notifier
       '-E', 'NO_UPDATE_NOTIFIER=1',            // Disable update notifier (alternative)
-      // Inject user-provided environment variables
-      ...Object.entries(config.env).flatMap(([key, value]) => ['-E', `${key}=${value}`]),
+      // Inject user-provided environment variables (sanitized)
+      ...this.sanitizeEnvVars(config.env, config.installation_name),
       '--disable_clone_newnet',                // Allow network access (required for npm downloads)
       '--disable_clone_newcgroup',             // Disable cgroup namespace (causes clone() errors on some kernels)
       '--disable_no_new_privs',                // May be needed for some packages