Make sandbox isolation behavior explicit and inspectable

This adds a small runtime sandbox policy/status layer, threads sandbox options through the bash tool, and exposes `/sandbox` status reporting in the CLI. Linux namespace/network isolation is best-effort and intentionally reported as requested vs active so the feature does not overclaim guarantees on unsupported hosts or nested container environments. Constraint: No new dependencies for isolation support Constraint: Must keep filesystem restriction claims honest unless hard mount isolation succeeds Rejected: External sandbox/container wrapper | too heavy for this workspace and request Rejected: Inline bash-only changes without shared status model | weaker testability and poorer CLI visibility Confidence: medium Scope-risk: moderate Reversibility: clean Directive: Treat this as observable best-effort isolation, not a hard security boundary, unless stronger mount enforcement is added later Tested: cargo fmt --all; cargo clippy --workspace --all-targets --all-features -- -D warnings; cargo test --workspace Not-tested: Manual `/sandbox` REPL run on a real nested-container host
2026-04-03 01:01:52 +08:00 · 2026-04-01 01:14:38 +00:00
parent d6341d54c1
commit 2d09bf9961
9 changed files with 720 additions and 22 deletions
--- a/rust/crates/runtime/src/conversation.rs
+++ b/rust/crates/runtime/src/conversation.rs
@@ -408,7 +408,7 @@ mod tests {
                .sum::<i32>();
            Ok(total.to_string())
        });
-        let permission_policy = PermissionPolicy::new(PermissionMode::Prompt);
+        let permission_policy = PermissionPolicy::new(PermissionMode::WorkspaceWrite);
        let system_prompt = SystemPromptBuilder::new()
            .with_project_context(ProjectContext {
                cwd: PathBuf::from("/tmp/project"),
@@ -487,7 +487,7 @@ mod tests {
            Session::new(),
            SingleCallApiClient,
            StaticToolExecutor::new(),
-            PermissionPolicy::new(PermissionMode::Prompt),
+            PermissionPolicy::new(PermissionMode::WorkspaceWrite),
            vec!["system".to_string()],
        );

@@ -536,7 +536,7 @@ mod tests {
            session,
            SimpleApi,
            StaticToolExecutor::new(),
-            PermissionPolicy::new(PermissionMode::Allow),
+            PermissionPolicy::new(PermissionMode::DangerFullAccess),
            vec!["system".to_string()],
        );

@@ -563,7 +563,7 @@ mod tests {
            Session::new(),
            SimpleApi,
            StaticToolExecutor::new(),
-            PermissionPolicy::new(PermissionMode::Allow),
+            PermissionPolicy::new(PermissionMode::DangerFullAccess),
            vec!["system".to_string()],
        );
        runtime.run_turn("a", None).expect("turn a");