Acquire __rwx_sandbox_lock_requested__ before executing commands and release with __rwx_sandbox_lock_released__ after the full exec+sync cycle completes. This lets the agent serialize concurrent clients on the same sandbox (Layer 2 from RFC 159). The lock is always released regardless of command exit code or sync errors, preventing other clients from being blocked indefinitely.
Use flock to serialize concurrent CLI processes around sandbox resolution in ExecSandbox (Layer 0 from RFC 159). The lock is released as soon as a run ID is determined so the actual SSH exec can proceed concurrently, serialized by the agent-side lock. All other storage-writing commands (StartSandbox, StopSandbox, ResetSandbox, ListSandboxes) also acquire the lock so advisory locking is cooperative across all writers.
da5fe96 to
a6ae6fc
| sessionRunURL = activeSessions[0].RunURL | ||
| found = true | ||
| } else if len(activeSessions) > 1 { | ||
| UnlockSandboxStorage(lockFile) |
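Review bot: the explicit UnlockSandboxStorage(lockFile) inside the `len(activeSessions) > 1` branch means each exit path from the locked region has to carry its own unlock, so a return path added later without one would keep the storage lock held for the rest of the call. Consider moving the resolution phase into a small helper that takes the lock, defers UnlockSandboxStorage(lockFile), and returns sessionRunURL and found, so the lock is released on every path and the caller is already unlocked when it continues.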
Member
Is it possible to use defer instead of placing this all over?
Member
Or are there bits of this that we don't want to hold a lock?
Contributor
Author
Yeah so we need to explicitly unlock before calling StartSandbox, because it also locks. This ensures we don't have nested attempts to lock that would result in a deadlock.
kylekthompson
approved these changes
Mar 5, 2026
Blocked by https://github.com/rwx-cloud/mint/pull/3616
Summary
Implements sandbox command locking per RFC 159.
__rwx_sandbox_lock_requested__/__rwx_sandbox_lock_released__ SSH directives to serialize concurrent clients on the same sandbox.
flock-based file locking around sandbox storage reads/writes to prevent duplicate sandbox creation by concurrent CLI processes. Lock is scoped to the resolution phase in ExecSandbox, and all other storage-mutating commands (StartSandbox, StopSandbox, ResetSandbox, ListSandboxes) also acquire the lock.
Test plan
go test ./internal/... ./cmd/...)