Merged
…sh command validation

- Add PolicyBuilder class with fluent API and forDevelopment(cwd, options?) static factory that creates policies with allowlisted system paths, compiler toolchains (JVM, GCC, libexec), /usr/include, /usr/share, and ~120 syscalls
- Support DevelopmentPolicyOptions for extraExecutePaths and extraReadWritePaths
- Convert bashTool to createBashTool(options?) factory with advisory command validation (warns when binary is outside allowed paths; Landlock enforces)
- Wire bootstrap to use PolicyBuilder.forDevelopment() and pass allowedCommandPaths to createBuiltinTools
- Update docs (architecture, security-model, AGENTS, README) and mark roadmap feature 1 as done
- 28 PolicyBuilder tests + 6 bash validation tests (669 total, all passing)
…yBuilder paths

Landlock requires LANDLOCK_ACCESS_FS_READ_DIR on directories to traverse them during execve(). Without it, sandboxed commands like gcc failed with EACCES. Also adds /sbin, /usr/sbin, and /usr/lib64 to the development policy for broader system tool and library coverage.
Mirrors /usr structure for /usr/local so compilers and libraries installed from source (or via tools like brew) work inside the sandbox: lib, lib64, libexec as execute; include, share as read-only.
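The commit messages above describe the access a development policy must grant for execve() to work under Landlock. The following is an added example, not the project's native sandbox helper and not code from this PR: a standalone C program that builds a Landlock ruleset in the shape of forDevelopment(), giving execute directories LANDLOCK_ACCESS_FS_READ_DIR (and READ_FILE, for the dynamic loader) alongside EXECUTE, adds the working directory as read-write, restricts itself and then execs the requested command. The directory list, the role names and the function names are this example's own assumptions; the Landlock constants and syscall numbers are the kernel's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__has_include)
#  if __has_include(<linux/landlock.h>)
#    include <linux/landlock.h>
#  endif
#endif

/* Fallbacks taken from the Linux UAPI (Landlock ABI v1) for toolchains whose
 * headers predate Landlock. The syscall numbers are the same on every arch. */
#ifndef LANDLOCK_ACCESS_FS_EXECUTE
#define LANDLOCK_ACCESS_FS_EXECUTE     (1ULL << 0)
#define LANDLOCK_ACCESS_FS_WRITE_FILE  (1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE   (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR    (1ULL << 3)
#define LANDLOCK_ACCESS_FS_REMOVE_DIR  (1ULL << 4)
#define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5)
#define LANDLOCK_ACCESS_FS_MAKE_DIR    (1ULL << 7)
#define LANDLOCK_ACCESS_FS_MAKE_REG    (1ULL << 8)
#define LANDLOCK_RULE_PATH_BENEATH     1
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

/* Roles are this example's own naming (assumption), not the project's API. */
enum role { ROLE_EXECUTE, ROLE_READ_ONLY, ROLE_READ_WRITE };
struct path_rule { const char *path; enum role role; };

/* Access granted to a directory subtree by role. READ_DIR on execute paths is
 * the point of the commit above, which reports that without it sandboxed
 * commands such as gcc failed with EACCES; READ_FILE lets ld.so map libraries. */
uint64_t access_for_role(enum role r)
{
    const uint64_t traverse = LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_READ_FILE;
    switch (r) {
    case ROLE_EXECUTE:    return traverse | LANDLOCK_ACCESS_FS_EXECUTE;
    case ROLE_READ_WRITE: return traverse | LANDLOCK_ACCESS_FS_WRITE_FILE |
                                 LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_DIR |
                                 LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR;
    default:              return traverse;   /* ROLE_READ_ONLY */
    }
}

/* Every bit the ruleset handles: anything handled but not granted by some
 * rule is denied once landlock_restrict_self() succeeds. */
uint64_t handled_access(void)
{
    return access_for_role(ROLE_EXECUTE) | access_for_role(ROLE_READ_WRITE);
}

/* Constructed rules in the spirit of forDevelopment(): toolchains as execute,
 * headers and shared data read-only. This is not the project's actual list. */
static const struct path_rule DEV_RULES[] = {
    { "/usr/bin",       ROLE_EXECUTE   },
    { "/usr/lib",       ROLE_EXECUTE   },
    { "/usr/libexec",   ROLE_EXECUTE   },
    { "/usr/local/bin", ROLE_EXECUTE   },
    { "/usr/include",   ROLE_READ_ONLY },
    { "/usr/share",     ROLE_READ_ONLY },
};
static const size_t DEV_RULE_COUNT = sizeof DEV_RULES / sizeof DEV_RULES[0];

/* Add one path-beneath rule. A directory missing on this host is skipped (a
 * dev policy lists optional locations); any other error propagates. */
int add_rule(int ruleset_fd, const char *path, uint64_t access)
{
    struct landlock_path_beneath_attr attr = { .allowed_access = access, .parent_fd = -1 };
    attr.parent_fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (attr.parent_fd < 0) return errno == ENOENT ? 0 : -1;
    int rc = (int)syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &attr, 0);
    int saved = errno;
    close(attr.parent_fd);
    errno = saved;
    return rc;
}

/* Build the ruleset, add the dev rules plus cwd as read-write, and restrict the
 * calling process; children inherit the restriction across execve(). */
int apply_dev_policy(const char *cwd)
{
    struct landlock_ruleset_attr rs = { .handled_access_fs = handled_access() };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (fd < 0) return -1;                   /* ENOSYS / EOPNOTSUPP: no Landlock on this kernel */
    int rc = 0;
    for (size_t i = 0; i < DEV_RULE_COUNT && rc == 0; i++)
        rc = add_rule(fd, DEV_RULES[i].path, access_for_role(DEV_RULES[i].role));
    if (rc == 0) rc = add_rule(fd, cwd, access_for_role(ROLE_READ_WRITE));
    if (rc == 0) rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);   /* required before restrict_self */
    if (rc == 0) rc = (int)syscall(__NR_landlock_restrict_self, fd, 0);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Usage: ./landlock_dev <command> [args...]   e.g. ./landlock_dev gcc --version */
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s command [args...]\n", argv[0]); return 2; }
    char cwd[4096];
    if (!getcwd(cwd, sizeof cwd)) { perror("getcwd"); return 1; }
    if (apply_dev_policy(cwd) < 0) { perror("landlock"); return 1; }
    execvp(argv[1], &argv[1]);
    perror("execvp");                        /* EACCES here means the binary is outside the policy */
    return 127;
}
```

Two design points worth noting. The working tree is writable but not executable here, so a freshly built binary in cwd cannot be run until its directory is also granted EXECUTE; that is the job of something like the extraExecutePaths option described above. And because landlock_restrict_self() is applied before execvp(), a denial surfaces as EACCES from the kernel with no userspace check involved, which is exactly why the bash tool's own path validation can only be advisory.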
This pull request introduces a development-friendly sandbox policy system and enhances security and usability for command execution within the agent runtime. The main changes are the addition of a PolicyBuilder for constructing robust sandbox policies (especially for development), advisory command validation in the bash tool, and updates to documentation and tests to reflect these improvements.

Sandbox Policy System Enhancements

- Adds PolicyBuilder with a forDevelopment(cwd, options?) method that creates a development-ready sandbox policy. The policy expands syscall and filesystem access to support compilers, package managers, and dev tools while keeping kernel-level enforcement in place. It can be customized through DevelopmentPolicyOptions for extra allowed paths.
- Bootstrap now uses PolicyBuilder.forDevelopment() instead of DEFAULT_POLICY and passes the resulting allowed command paths to the built-in tools for validation.

Bash Tool Security Improvements

- The bash tool is now created through a factory (createBashTool) that validates each command's binary against the allowed command paths. This validation is advisory only; Landlock provides the real enforcement.

Documentation Updates
Native Sandbox Helper
Testing and Refactoring
These changes collectively make the sandbox more practical for development workflows, improve command execution transparency, and reinforce the security model.
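To make the advisory layer from the Bash Tool section concrete, here is an added example in C. It is not the project's TypeScript createBashTool and not code from this PR. It resolves the command's first word the way execvp() does (as given when it contains a slash, otherwise through PATH left to right), then checks whether the resolved file lies beneath one of the allowed execute directories with a separator-aware comparison, so that /usr/binx cannot pass as /usr/bin. The allowed-path list, the constructed file list used by demo_exists(), and all function names are this example's assumptions. One simplification to note: it does not canonicalize symlinks, which a real check should do with realpath(3) so that the advisory verdict matches what the kernel sees.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Predicate for "this path names an executable"; injected so the logic can be
 * exercised against a constructed file list as well as the real filesystem. */
typedef bool (*exists_fn)(const char *path);

/* True when path is root itself or lies beneath it. The separator check is the
 * point: a naive prefix test would accept /usr/binx/tool under /usr/bin. */
bool path_within(const char *path, const char *root)
{
    size_t n = strlen(root);
    while (n > 1 && root[n - 1] == '/') n--;                /* tolerate trailing '/' */
    if (n == 1 && root[0] == '/') return path[0] == '/';    /* "/" covers every absolute path */
    return strncmp(path, root, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Resolve the command's first word to the file the kernel would execute:
 * words containing '/' are taken as given, bare names are searched through
 * path_env left to right (an empty entry means ".", as in execvp). */
bool resolve_command(const char *cmd, const char *path_env, exists_fn exists,
                     char *out, size_t outlen)
{
    cmd += strspn(cmd, " \t");
    size_t wl = strcspn(cmd, " \t");
    if (wl == 0) return false;
    if (memchr(cmd, '/', wl)) {
        if (wl >= outlen) return false;
        memcpy(out, cmd, wl);
        out[wl] = '\0';
        return exists(out);
    }
    for (const char *p = path_env; ; p++) {
        size_t dl = strcspn(p, ":");
        int len = dl ? snprintf(out, outlen, "%.*s/%.*s", (int)dl, p, (int)wl, cmd)
                     : snprintf(out, outlen, "./%.*s", (int)wl, cmd);
        if (len > 0 && (size_t)len < outlen && exists(out)) return true;
        p += dl;
        if (*p == '\0') return false;
    }
}

/* Advisory verdict: 1 = inside an allowed execute path, 0 = resolvable but
 * outside it (warn; Landlock will deny the exec), -1 = not found at all. */
int validate_command(const char *cmd, const char *path_env, exists_fn exists,
                     const char *const *allowed, size_t n_allowed)
{
    char bin[4096];
    if (!resolve_command(cmd, path_env, exists, bin, sizeof bin)) return -1;
    for (size_t i = 0; i < n_allowed; i++)
        if (path_within(bin, allowed[i])) return 1;
    fprintf(stderr, "warning: command resolves to %s, outside the sandbox execute paths; "
                    "Landlock will deny it\n", bin);
    return 0;
}

/* Constructed file list standing in for the filesystem (demo only). */
bool demo_exists(const char *path)
{
    static const char *const files[] = { "/usr/bin/gcc", "/usr/binx/gcc",
                                         "/home/dev/proj/build/app", "/tmp/helper" };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(path, files[i]) == 0) return true;
    return false;
}

/* Allowed execute paths, constructed to resemble a development policy. */
static const char *const DEMO_ALLOWED[] = { "/usr/bin", "/usr/lib", "/home/dev/proj" };

/* Convenience wrapper binding the demo file list and allowed paths. */
int demo_validate(const char *cmd, const char *path_env)
{
    return validate_command(cmd, path_env, demo_exists, DEMO_ALLOWED, 3);
}

/* Real-filesystem predicate used from main(). */
static bool fs_exists(const char *path) { return access(path, X_OK) == 0; }

/* Usage: ./advisory 'gcc -c main.c' */
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s 'command line'\n", argv[0]); return 2; }
    const char *path_env = getenv("PATH") ? getenv("PATH") : "";
    int v = validate_command(argv[1], path_env, fs_exists, DEMO_ALLOWED, 3);
    puts(v == 1 ? "allowed" : v == 0 ? "outside policy (advisory warning)" : "not found");
    return v == 1 ? 0 : 1;
}
```

The second demo case is the one to keep in mind when reading the advisory design: with PATH ordered /usr/binx before /usr/bin, the same word gcc resolves to a file outside the policy, and the warning fires before Landlock's EACCES would. An advisory check that only inspected the command name, or that matched the allowed list by plain string prefix, would have said "allowed" in both situations.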