Security: enforce ACP sandbox inheritance for sessions_spawn

[dutifulbob]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: sessions_spawn enforced sandbox inheritance for runtime="subagent", but ACP spawns (runtime="acp") did not enforce equivalent sandbox/runtime constraints.
• Why it matters: a sandboxed requester session could pivot into host-side ACP initialization, violating sandbox boundary expectations.
• What changed: ACP spawn path now fails closed for sandboxed requester sessions and rejects sandbox="require" for runtime="acp"; tool wiring now forwards sandbox intent/context to ACP spawn; sandboxed prompts no longer suggest ACP spawn.
• What did NOT change (scope boundary): ACP thread binding behavior, ACP agent allowlist logic, and subagent runtime behavior remain unchanged.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related #

User-visible / Behavior Changes

• sessions_spawn with runtime="acp" now returns forbidden when called from sandboxed requester sessions.
• sessions_spawn with runtime="acp" now returns forbidden when sandbox="require" is set.
• In sandboxed sessions, system prompt guidance no longer recommends ACP harness spawns and explicitly notes ACP spawn is blocked.

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) Yes
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:
  • This narrows delegated execution by denying host-side ACP initialization from sandboxed sessions and denying incompatible sandbox="require" ACP requests.
  • Mitigation: fail-closed guardrails with regression tests in ACP spawn path and tool-level parameter/context forwarding.

Repro + Verification

Environment

• OS: Linux
• Runtime/container: Node 22 + Vitest
• Model/provider: N/A
• Integration/channel (if any): N/A (unit-level)
• Relevant config (redacted): sandbox mode enabled for sandboxed-session repro in tests

Steps

1. From a sandboxed requester context, call sessions_spawn with runtime="acp".
2. Observe ACP spawn behavior.
3. Call sessions_spawn with runtime="acp", sandbox="require".

Expected

• ACP spawn is rejected for sandboxed requester sessions.
• ACP spawn is rejected when sandbox="require" is requested.

Actual

• After this patch, both scenarios return forbidden with explicit errors.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • src/agents/acp-spawn.test.ts includes new forbidden cases for sandboxed requester and sandbox="require".
  • src/agents/tools/sessions-spawn-tool.test.ts verifies ACP sandbox/options forwarding.
  • src/agents/system-prompt.test.ts verifies sandboxed prompts suppress ACP spawn guidance and show block note.
• Edge cases checked:
  • Existing ACP session/thread behavior still passes in acp-spawn.test.ts.
  • Existing subagent allowlist/sandbox tests still pass.
• What you did not verify:
  • End-to-end live ACP backend execution in external channels.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly:
  • Revert commit 363d9b2e0.
• Files/config to restore:
  • src/agents/acp-spawn.ts
  • src/agents/tools/sessions-spawn-tool.ts
  • src/agents/system-prompt.ts
  • related tests/changelog entries
• Known bad symptoms reviewers should watch for:
  • Unexpected forbidden on ACP spawn from non-sandboxed sessions.

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: prompt guidance drift (instructions allowing ACP spawn where runtime denies it).
  • Mitigation: added prompt gating for sandboxed contexts + dedicated regression test.
• Risk: ACP call path missing sandbox mode/context propagation.
  • Mitigation: explicit tool forwarding + dedicated unit test.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 363d9b2e08

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Gate ACP tool summary on sandbox runtime

acpHarnessSpawnAllowed is only used for the narrative ACP guidance, but the sessions_spawn tool summary still keys off acpEnabled alone, so sandboxed prompts continue to advertise runtime="acp" as a valid path. In sandboxed sessions this now conflicts with spawnAcpDirect (which always returns forbidden), so the model can be steered into repeated failing tool calls; the tool summary should be conditioned on the same sandbox-aware flag.

Useful? React with 👍 / 👎.

[greptile-apps]

Greptile Summary

This PR successfully enforces sandbox inheritance for ACP (Agent Control Plane) spawns, addressing a security boundary violation where sandboxed sessions could pivot to host-side ACP initialization.

Key Changes:

• acp-spawn.ts adds two fail-closed security checks: blocks sandboxed requesters and rejects sandbox="require" for ACP runtime
• sessions-spawn-tool.ts forwards both explicit sandbox parameter and sandboxed context to ACP spawn
• system-prompt.ts suppresses ACP harness spawn guidance in sandboxed contexts and adds clear block notification
• subagent-spawn.ts excludes sandboxed subagents from ACP-enabled prompts

Security Implementation:
The implementation follows defense-in-depth principles by checking both explicit context (ctx.sandboxed) and runtime-resolved sandbox status (requesterRuntime.sandboxed). Error messages clearly explain why operations are blocked and suggest alternatives (runtime="subagent").

Test Coverage:
New tests verify both forbidden scenarios (sandboxed requester and sandbox="require"), confirm no backend calls occur on rejection, and validate system prompt changes for sandboxed contexts.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it hardens security boundaries without breaking legitimate use cases
• Score reflects thorough implementation: fail-closed security checks prevent sandbox boundary violations, defense-in-depth approach checks both explicit and runtime-resolved sandbox status, clear error messages guide users to alternatives, comprehensive test coverage validates both forbidden scenarios, and changes are backward compatible (only blocks previously unsafe operations)
• No files require special attention - all changes are well-structured and properly tested

_{Last reviewed commit: 363d9b2}

[osolmaz]

Landed via temp rebase onto main.

• Gate: pnpm lint && pnpm build && pnpm test
• Lint: failed on pre-existing unrelated files (ui/src/ui/views/agents-utils.ts, src/pairing/pairing-store.ts)
• Build: pass
• Test: pass
• Land commit: e8d5a4c
• Merge commit: ac11f0a

Thanks @dutifulbob!

[onutc]

For anyone who might be reading this, this is a temporary stopgap, and we will eventually figure out how to put acpx and harnesses into the sandbox