Add selectable sandbox backends design TODO#5
Merged
Conversation
Amp-Thread-ID: https://ampcode.com/threads/T-019d5ef0-2cdb-76cc-a188-97faf1f3ec3e Co-authored-by: Amp <amp@ampcode.com>
donbeave
added a commit
that referenced
this pull request
Apr 20, 2026
Amp-Thread-ID: https://ampcode.com/threads/T-019d5ef0-2cdb-76cc-a188-97faf1f3ec3e Co-authored-by: Amp <amp@ampcode.com>
donbeave
added a commit
that referenced
this pull request
Apr 21, 2026
Amp-Thread-ID: https://ampcode.com/threads/T-019d5ef0-2cdb-76cc-a188-97faf1f3ec3e Co-authored-by: Amp <amp@ampcode.com>
donbeave
added a commit
that referenced
this pull request
Apr 21, 2026
Amp-Thread-ID: https://ampcode.com/threads/T-019d5ef0-2cdb-76cc-a188-97faf1f3ec3e Co-authored-by: Amp <amp@ampcode.com>
donbeave
added a commit
that referenced
this pull request
Apr 21, 2026
Amp-Thread-ID: https://ampcode.com/threads/T-019d5ef0-2cdb-76cc-a188-97faf1f3ec3e Co-authored-by: Amp <amp@ampcode.com>
donbeave
added a commit
that referenced
this pull request
Apr 21, 2026
Amp-Thread-ID: https://ampcode.com/threads/T-019d5ef0-2cdb-76cc-a188-97faf1f3ec3e Co-authored-by: Amp <amp@ampcode.com>
donbeave
added a commit
that referenced
this pull request
Apr 24, 2026
Add `agent_allow` module with `allows_all_agents` and `agent_is_effectively_allowed` helpers that capture the "empty allowed_agents list = every agent is allowed" shorthand. Replace the open-coded `is_empty()` / `contains` checks across the editor, details pane, and save-confirm summary. Also pick up a few follow-on clippy fixes to the `ManagerListRow` helpers introduced in the previous commit (const fn where possible, and a cleaner `from_config` selected-row computation). No behavior change. Addresses finding #5 of the PR #166 review. Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
donbeave
added a commit
that referenced
this pull request
Apr 24, 2026
…ounts module `resolve_github_mounts_for_workspace` is a workspace query -- inspect each mount's source and project out the ones with resolvable GitHub web URLs. It lived in `input.rs` because the `o` key on the workspace list was its first caller, but `render.rs` also needs it to decide whether to show the "O open in GitHub" footer hint, creating a render -> input dependency for what is really a mount-info query. Move it to a dedicated `github_mounts` module under `launch/manager` with a shorter `resolve_for_workspace` name. Both input and render now call the neutral helper. No behavior change. Addresses finding #5 of the PR #166 current-branch review. Co-authored-by: Claude <noreply@anthropic.com> Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com>
donbeave
added a commit
that referenced
this pull request
Apr 24, 2026
…d helper
CreatePreludeState flagged completion as "pending_name.is_some()",
but the dispatcher then called `build_workspace().expect("prelude
complete")` — the two invariants drifted independently.
Add `CreatePreludeState::completed() -> Option<(String,
WorkspaceConfig)>` that checks every required field together and
returns the owned pair the dispatcher needs. The `expect`/`unwrap`
in the production path goes away; the dispatcher now transitions
only on `Some`.
Addresses finding #5 of the first-pass review (carried into the
second-pass review as well).
Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com>
donbeave
added a commit
that referenced
this pull request
May 7, 2026
Amp-Thread-ID: https://ampcode.com/threads/T-019d5ef0-2cdb-76cc-a188-97faf1f3ec3e Co-authored-by: Amp <amp@ampcode.com> Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Codex <codex@openai.com>
donbeave
added a commit
that referenced
this pull request
May 7, 2026
Amp-Thread-ID: https://ampcode.com/threads/T-019d5ef0-2cdb-76cc-a188-97faf1f3ec3e Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Amp <amp@ampcode.com>
donbeave
added a commit
that referenced
this pull request
May 7, 2026
Amp-Thread-ID: https://ampcode.com/threads/T-019d5ef0-2cdb-76cc-a188-97faf1f3ec3e Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Amp <amp@ampcode.com>
donbeave
added a commit
that referenced
this pull request
Jun 4, 2026
… failures, tests, comments ## Critical: NET_ADMIN/NET_RAW not injected with no explicit grants When locked/hardened profile launches with no config or workspace grants, `resolve_effective_grants(Locked, None, None)` returned `profile_base_grants(Locked)` unchanged — `apply_grants` was never called, so the implicit NET_ADMIN/NET_RAW injection that lives in `apply_grants` never fired. The iptables allowlist (`init-firewall.sh`) requires these caps; without them it fails silently and the container runs with open egress while advertising `JACKIN_NETWORK_ENFORCEMENT=full`. Fix: added `apply_implicit_grants()` called unconditionally at the end of `resolve_effective_grants`. Handles the no-grants path that `apply_grants` never reaches. New test: `resolve_effective_grants_no_grants_still_gets_implicit_caps` ## Critical: Remove dead `to_docker_flags` and `to_host_config_fields` + `HostConfigFields` Both had zero callers. `to_docker_flags` doc comment listed items "the caller still handles" that the function itself was handling. `to_host_config_fields` described a tuple return when it returned a struct. Deleted all three. ## Silent failures fixed - `detect_apparmor`: `unwrap_or_default()` swallowed docker info errors, returning `available=false` indistinguishably from "Docker not running". Now returns `profile="probe-failed"` on error and logs via debug_log. - `detect_cgroup_version`: bare `Err(_) => "unknown"` dropped the error. Now logs via debug_log before returning "unknown". - `eject_role`: `.ok().flatten()` discarded manifest read errors, silently defaulting to "DinD was started". Now logs at debug level. ## Tests added (6 new, 2304 total) - validate_effective_grants_catches_cross_source_root_and_sudo - validate_effective_grants_catches_cross_source_reservation_exceeds_memory - validate_effective_grants_passes_when_invariants_hold - resolve_effective_grants_no_grants_still_gets_implicit_caps - role_dind_none_suppresses_dind_under_standard_profile - role_invalid_capabilities_add_is_rejected ## Comment/doc fixes - `no_new_privileges` field doc: removed "Currently schema-only / enforcement deferred" (was accurate at introduction, false now; enforcement IS active) - `MINIMUM_CAPABILITIES` doc: removed "when DinD is disabled" qualifier (caps are always emitted; the DinD-circumventable note belongs in a parenthetical) - `parse_memory_bytes`: removed wrong `# Errors` section; function returns Option not Result; added T/TB suffix and clearer None conditions - launch.rs:965: replaced unregistered `#5` issue reference with a description of the actual constraint (setuid-root + no-new-privileges kernel interaction) - launch.rs:764: replaced unregistered `TODO Phase 3:` with proper `TODO(docker-security-profile-rootless-dind)` and added TODO.md entry - launch.rs:2421: tightened the "invalid strings silently skipped" comment to name only the specific hazard (memory sizes), not all validation types - TODO.md: updated `docker-security-profile-default` marker status (was "none in code yet" — marker was placed in this PR) ## Schema-versions.mdx: fix stale field name `network_allow` → `allowed_hosts`, added `capabilities_add` to the manifest v1alpha5 timeline entry. `network_allow` was renamed in commit 8bb30e2. ## init-firewall.sh: IPv6 + IP:port detection - IPv4/IPv6 detection now handles plain IPv6 addresses (not just CIDRs) via `'^[0-9a-fA-F:]+(/[0-9]+)?$'` instead of the /prefix-only pattern - IP:port entries now add `$host` (port-stripped) to the ipset instead of `$entry` (with port), which hash:net would reject Signed-off-by: Alexey Zhokhov <alexey@zhokhov.com> Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Testing