Warn on sandbox exec when config file has drifted#401
Merged
Conversation
When a sandbox is started, hash the config file (SHA-256) and store it in the session. On each exec, compare the current hash against the stored one and print a warning if they differ, directing the user to `rwx sandbox reset`. Gracefully handles pre-existing sessions that lack a stored hash by skipping the check entirely.
kylekthompson
approved these changes
Mar 6, 2026
| } | ||
|
|
||
| // Warn if the sandbox definition has changed since this sandbox was started | ||
| if storedConfigHash != "" && configFile != "" { |
Member
There was a problem hiding this comment.
Should this consider whether you're providing different params? Not sure if it even supports --init I guess 😅
Contributor
Author
There was a problem hiding this comment.
rwx sandbox technically does support --init but it's not documented/encouraged - I lean against building in a check for that here for now, what do you think?
Member
There was a problem hiding this comment.
It's sort of odd in tandem with exec anyway I think
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Completes RWX-7
Summary
.rwx/sandboxes/sandboxes.jsonrwx sandbox exec, the current config file is re-hashed and compared against the stored valuerwx sandbox resetAddresses the "changed the definition, didn't get picked up" problem discussed with Kyle — the most common sandbox pain point.
Test plan
TestHashConfigFile— verifies hash consistency, different content produces different hashes, missing file returns emptyTestService_ExecSandbox_DefinitionDrift— verifies warning on drift, no warning when unchanged, no warning when no stored hash (backwards compat)sandbox.yml, exec again — confirm warning appearsManual test