Mac os sandboxing akr#26
Open
akr-odoo wants to merge 3 commits into
`start_new_session=True` makes the ephemeral `postgres` leader head its own process group so callers can kill the whole tree via `os.killpg()`. Without it, postgres' worker backends survive a SIGTERM to the leader and linger after the parent exits — which compounded over Ctrl+C'd `odev ai` runs into half a dozen orphan postgres processes per session.
Previously, if the chosen CLI (claude/gemini/copilot/opencode-cli) wasn't on PATH, the agent was launched inside the sandbox anyway and either crashed silently or returned an opaque "command not found". Detect the missing binary up front and surface a clear install hint so the user can recover without digging through sandbox logs.
Extracts the AI sandbox layer into a backend-agnostic abstraction and adds
a macOS Seatbelt (sandbox-exec) backend alongside the existing Linux bwrap
backend. The right backend is selected automatically by sys.platform.

Layout:
- common/sandbox/base.py - Sandbox ABC + ExecutionSpec dataclass
- common/sandbox/bwrap.py - Linux backend (moved from common/bwrap.py)
- common/sandbox/seatbelt.py - macOS backend (new)
- common/sandbox/__init__.py - get_sandbox() factory by sys.platform

Sandbox policy on macOS:
- Permissive baseline (matches Codex CLI's model). Strict deny-default
  causes Cocoa-using apps (claude, gemini, node tools) to silently
  hang on mach_msg to system daemons. The security boundary is enforced
  on file WRITES via two module-level constants in seatbelt.py:
    - DENY_SYSTEM_SUBPATHS - the OS, Apple frameworks, Homebrew, etc.
    - DENY_USER_SECRETS_RELATIVE - ~/.ssh, ~/.aws, ~/.gnupg, Library/Cookies, ...
  ALWAYS_RW_SUBPATHS / ALWAYS_RW_LITERALS list the paths that always
  remain writable (sandbox tmp, /tmp, /dev/null & friends).
- Reads are allowed everywhere — Seatbelt cannot truly hide files
  anyway; non-allowed paths only return EPERM.

Other adjustments needed for parity with the Linux backend:
- common/postgres.py: pg_bin discovery extended for macOS (Homebrew
  postgresql@N formulae, Postgres.app); host socket dir discovery
  extended to /tmp & /private/tmp; setup() decoupled from bwrap argv
  (caller exposes proxy_dir to the sandbox).
- common/postgres.py: PostgresSandbox.cleanup_orphans() reaps leftover
  ephemeral clusters from previous Ctrl+C'd runs at the start of each
  agent.run().
- common/agent.py: AgentCLI no longer extends BwrapSandbox; composes a
  Sandbox backend and feeds it an ExecutionSpec.
- common/mixins.py: get_ai_agent() runs Sandbox.check_support() up
  front so unsupported hosts get a clear error before any setup runs.

Linux behaviour is unchanged: bwrap argv assembly is bit-for-bit the
same, just relocated into common/sandbox/bwrap.py.
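
Added example, not code from this PR: a sketch of how a permissive-baseline Seatbelt profile with write denies and re-allows can be rendered and checked offline before it is handed to `sandbox-exec -f`. The list contents, function names and sample paths are constructed for illustration (they are not the contents of the PR's constants), and the offline check assumes that the last matching SBPL rule decides.

```python
import posixpath

# Constructed sample lists; NOT the contents of the project's constants.
DENY_SYSTEM = ["/System", "/usr", "/opt/homebrew"]
DENY_HOME_RELATIVE = [".ssh", ".aws", ".gnupg", "Library/Cookies"]
RW_LITERALS = ["/dev/null"]


def quote(path):
    """Quote a path as an SBPL string literal (escape backslash and quote)."""
    return '"' + path.replace("\\", "\\\\").replace('"', '\\"') + '"'


def write_rules(home, sandbox_tmp):
    """Ordered (action, filter, path) write rules for one run."""
    rules = [("deny", "subpath", p) for p in DENY_SYSTEM]
    rules += [("deny", "subpath", posixpath.join(home, r))
              for r in DENY_HOME_RELATIVE]
    # Re-allows are emitted last so they take precedence over any deny
    # that covers the same location (assumption: last matching rule wins).
    rules += [("allow", "subpath", p)
              for p in (sandbox_tmp, "/tmp", "/private/tmp")]
    rules += [("allow", "literal", p) for p in RW_LITERALS]
    return rules


def render_profile(rules):
    """Render the profile text: allow by default, then the write rules."""
    lines = ["(version 1)", "(allow default)"]
    lines += [f"({a} file-write* ({f} {quote(p)}))" for a, f, p in rules]
    return "\n".join(lines) + "\n"


def write_allowed(rules, path):
    """Offline model of the write decision for a path under these rules."""
    path = posixpath.normpath(path)  # collapse ".." before matching
    verdict = True                   # permissive baseline
    for action, flt, target in rules:
        target = posixpath.normpath(target)
        if flt == "literal":
            hit = path == target
        else:  # subpath: the directory itself or anything below it
            hit = path == target or path.startswith(target + "/")
        if hit:
            verdict = action == "allow"
    return verdict
```

The model compares normalized strings only; it does not resolve symlinks, which is why both `/tmp` and `/private/tmp` are listed explicitly.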