Description
validateName() validates the sandbox name format, but the shared validation guidance does not make the maximum length part of the contract. The accepted format is effectively an RFC 1123-style label, and sandbox names are passed through to OpenShell and other runtime paths where very long names can become a problem.
A valid-looking but extremely long name, for example "a".repeat(64 * 1024), should be rejected before it reaches any OpenShell CLI call, filesystem-derived path, socket path, or downstream runtime boundary.
The safest limit seems to be 63 characters, matching the Kubernetes/DNS label limit and the existing convention used elsewhere in the repo.
Reproduction Steps
- Call the CLI runner name validator with a long, otherwise valid sandbox name:
const { validateName } = require("./dist/lib/runner");
validateName("a".repeat(64 * 1024), "sandbox name");
-
Observe that the name can satisfy the lowercase alphanumeric format unless a max-length guard is enforced.
-
Follow a path that uses the validated sandbox name, such as onboarding or a sandbox command, and the oversized value can be carried toward OpenShell/runtime arguments.
Environment
- OS: Any
- Node.js: >= 22.16.0
- Docker: not required to reproduce the validator behavior
- NemoClaw: current
main
Debug Output
N/A. This is a validation edge case and can be reproduced with the shared CLI runner helper.
Logs
Expected behavior:
sandbox name too long (max 63 chars)
The validation should fail before any OpenShell command is spawned.
Checklist
Description
validateName()validates the sandbox name format, but the shared validation guidance does not make the maximum length part of the contract. The accepted format is effectively an RFC 1123-style label, and sandbox names are passed through to OpenShell and other runtime paths where very long names can become a problem.A valid-looking but extremely long name, for example
"a".repeat(64 * 1024), should be rejected before it reaches any OpenShell CLI call, filesystem-derived path, socket path, or downstream runtime boundary.The safest limit seems to be 63 characters, matching the Kubernetes/DNS label limit and the existing convention used elsewhere in the repo.
Reproduction Steps
Observe that the name can satisfy the lowercase alphanumeric format unless a max-length guard is enforced.
Follow a path that uses the validated sandbox name, such as onboarding or a sandbox command, and the oversized value can be carried toward OpenShell/runtime arguments.
Environment
mainDebug Output
N/A. This is a validation edge case and can be reproduced with the shared CLI runner helper.Logs
Expected behavior: sandbox name too long (max 63 chars) The validation should fail before any OpenShell command is spawned.Checklist