Emit structured capability-audit events at every capability boundary so sandboxed agent runs are observable.
Why
Observability of what a sandboxed script attempts is core to the sandbox-for-AI vision, but there is no structured-event or audit mechanism today — every capability decision is an ad-hoc synchronous throw, and successful uses are invisible. A host cannot tell what a script tried to access.
Current behavior
Decision points, all unobserved: fetch host allow/deny throws TypeError pre-promise (Goccia.Builtins.GlobalFetch.pas:135); FFI install is gated by --unsafe-ffi (the global is simply absent when off); FFI.open is otherwise ungated; the Function constructor and ShadowRealm gates throw or are absent; sandbox VFS escapes are silently clamped at root. The only tap is console.LogCallback (Goccia.Builtins.Console.pas:20), which carries only (method, line) text.
Expected behavior
Decided (grill): emit structured events for both denied AND permitted capability use — fetch (host check + dispatch), FFI.open, the Function-constructor and ShadowRealm gates, and blocked VFS access — to a host-provided sink, with an optional --audit-log file output:
Instrument the success paths (e.g. FetchManager dispatch, FFIOpen after load), not only the throwing denial paths.
Scope notes
New capability-event seam — console.LogCallback is text-only and insufficient.
The fetch worker thread means some allow-path emission is off-thread (sync vs queued decision).
Note the FFI.open per-library gap (any path once --unsafe-ffi is on) and the silent VFS clamp (needs a hook that does not exist).
Parent: Reproducible and observable agent runs (deterministic mode + audit log) #828.
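A sketch of the event seam this issue asks for, as an added example that is not GocciaScript code. It models the fetch gate in JavaScript with emission on both the denied and the permitted path, plus queued emission standing in for the fetch worker thread. The names `createAudit`, `gateFetch` and `toAuditLog`, the event fields, and the `example.test` hosts are assumptions.

```javascript
// Added sketch. createAudit, gateFetch and the event fields are hypothetical
// names, not GocciaScript's API; hosts below are constructed sample values.
function createAudit(sink) {
  let seq = 0;
  const queued = []; // events produced off the main thread, e.g. by a fetch worker
  const make = (capability, decision, detail) =>
    ({ seq: ++seq, capability, decision, ...detail });
  return {
    // Synchronous emission at the gate itself (main thread).
    emit: (cap, decision, detail = {}) => sink(make(cap, decision, detail)),
    // Queued emission: recorded now, delivered when the host drains.
    enqueue: (cap, decision, detail = {}) => { queued.push(make(cap, decision, detail)); },
    drain: () => { while (queued.length) sink(queued.shift()); },
  };
}

// Host check plus dispatch, emitting on the permitted AND the denied path.
function gateFetch(audit, allowedHosts, url, dispatch) {
  const host = new URL(url).hostname;
  if (!allowedHosts.includes(host)) {
    audit.emit('fetch', 'denied', { stage: 'host-check', host });
    throw new TypeError(`fetch to ${host} is not permitted`); // denial still throws
  }
  audit.emit('fetch', 'permitted', { stage: 'host-check', host });
  const result = dispatch(url);
  audit.enqueue('fetch', 'permitted', { stage: 'dispatch', host });
  return result;
}

// One JSON object per line, the shape an --audit-log file could take (assumed).
const toAuditLog = (events) =>
  [...events].sort((a, b) => a.seq - b.seq).map((e) => JSON.stringify(e)).join('\n');

function runDemo() {
  const events = [];
  const audit = createAudit((e) => events.push(e));
  const allowed = ['api.example.test'];
  gateFetch(audit, allowed, 'https://api.example.test/v1', () => 'ok');
  try {
    gateFetch(audit, allowed, 'https://other.example.test/', () => 'ok');
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
  }
  audit.drain(); // worker-side events arrive late; seq restores the order
  return events;
}
```

The sink receives the queued dispatch event after the later denial, so a consumer that needs ordering has to sort on the sequence number rather than on arrival.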