docs: egress jail as a security layer + daemon fail-fast troubleshooting#160
Merged
Conversation
…troubleshooting README: add the contained-mode egress jail (INV-9) to the "drydock's security layers" list — deny-by-default L4 domain allowlist via a per-session proxy sidecar, no socket, no host network — with an honest residual-gaps pointer. docs/troubleshooting.md: new section for the "Docker daemon is not responding" fail-fast — restart Docker Desktop or native Docker Engine, the DRYDOCK_DOCKER_PROBE_TIMEOUT knob, and the 'docker ps' verify step.
Fact-checked against the live sandbox docs (code.claude.com/docs/en/sandboxing). Two accuracy fixes and two nuances: - Network: the Claude sandbox allowlist is SESSION-WIDE (shared across all Bash commands; new domains prompt on first use), not "per-command" as stated. Dropped drydock's now-moot "not per-command" contrast; framed it as static vs prompt-on-use. - Filesystem: the sandbox leaves credential files (~/.ssh/, ~/.aws/credentials) readable by default unless denyRead is set — noted, since it sharpens the contrast with drydock not mounting them at all. - What it is: enable via the /sandbox panel or sandbox.enabled in settings (not only "/sandbox"). - What it's for: prompt reduction applies in auto-allow mode. Mechanism (Seatbelt/bubblewrap), per-Bash-command scope, the no-TLS-inspection note, and the user-namespaces prose were verified correct and left unchanged.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Honest doc updates reflecting work on
dev, plus a fact-check of the existingClaude Code sandbox comparison table.
1. Surface the egress jail (README)
The contained-mode egress jail (INV-9) was missing from "drydock's security
layers". Added it: deny-by-default L4 domain allowlist via a per-session proxy
sidecar, no Docker socket, no host network — with a pointer to the named residual
gaps in
docs/security.md(no over-claim).2. Daemon fail-fast troubleshooting (docs/troubleshooting.md)
New section for the "Docker daemon is not responding" fail-fast (PR #159):
restart Docker Desktop or native Docker Engine, the
DRYDOCK_DOCKER_PROBE_TIMEOUTknob, and the
docker psverify step.3. Correct the Claude Code sandbox comparison table (README)
Fact-checked against the live docs (code.claude.com/docs/en/sandboxing):
"per-command"; new domains prompt on first use. Dropped drydock's now-moot
"not per-command" contrast.
~/.ssh/,~/.aws/credentials) readable by default unlessdenyReadis set (noted —it sharpens the contrast with drydock not mounting them at all).
/sandboxpanel orsandbox.enabledinsettings (not only
/sandbox).note, and the user-namespaces prose were verified correct and left unchanged.
Honest framing preserved
Does not claim "secure"/"done"/"at parity with X" — the egress jail is
implemented but not yet validated in runtime (gates G1/G2 pending). Forbidden-phrase
grep clean (0). Docs-only.