fix(sandbox): unblock git fetch/commit/add under the write-restricted sandbox#2
fix(sandbox): unblock git fetch/commit/add under the write-restricted sandbox#2euxaristia wants to merge 1 commit into
Conversation
…rites The sandbox denied every write under .git for shell-executed commands, so any git operation that touches its own metadata (fetch, commit, add, pull, merge, stash) failed under the default sandbox. Narrow the block to .git/hooks (auto-executing scripts) and .git/config (remote URLs, credential.helper, core.hooksPath), the two subpaths that are actually dangerous to write; the rest of .git stays writable to git subprocesses since those writes go through git's own invariants. The app-level auto-allow gate for direct file-tool writes (write_file, edit_file, apply_patch) is unaffected and still treats all of .git as protected, since hand-editing git's internals bypasses those invariants.
|
Opened against upstream instead: Gitlawb#654 |
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (5)
WalkthroughThe sandbox permission profile now allows general ChangesGit metadata protection
Sequence Diagram(s)sequenceDiagram
participant PermissionProfileFromPolicy
participant SeatbeltProfile
participant sandbox-exec
participant GitWorkspace
PermissionProfileFromPolicy->>SeatbeltProfile: configure writable root and Git carve-outs
SeatbeltProfile->>sandbox-exec: generate deny rules for hooks and config
sandbox-exec->>GitWorkspace: allow .git metadata write
GitWorkspace-->>sandbox-exec: create FETCH_HEAD
sandbox-exec->>GitWorkspace: deny .git/hooks and .git/config writes
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Zero automated PR reviewVerdict: No blockers found Blockers
Validation
ScopeHead: This deterministic review checks validation status and basic diff hygiene. A human reviewer still owns product judgment and design quality. |
* feat(providers): add AI/ML API preset * fix(providers): relocate aimlapi preset and drop referral header Addresses the two review asks on Gitlawb#402: - Move the AI/ML API descriptor out of catalog slot #2 (it sat above the first-party OpenAI/Anthropic/Google entries) down next to openrouter in the aggregator cluster. Re-sync expectedCatalogIDs and the TransportOpenAICompat order-list to match. - Drop the always-on X-AIMLAPI-Partner-ID / Integration-Repo / Integration-Version attribution headers. There's no partner arrangement behind the preset, so a non-overridable referral tag on every user's request isn't something to ship on a community preset. aimlapi now rides through plain CopyHeaders like every other provider. Removes HeadersForCatalog (it existed only for this special-case), reverts the factory and discovery call sites to CopyHeaders, and drops the header test. The factory/discovery tests now assert the endpoint, auth, and the user's own custom headers survive while no attribution header is sent. * fix(providers): address CodeRabbit review on Gitlawb#621 - Document AIMLAPIID for docstring coverage. - Apply providerio.CopyHeaders for Anthropic and Google provider paths, matching the OpenAI path introduced for aimlapi header isolation. Co-authored-by: Cursor <cursoragent@cursor.com> * fix(providers): gofmt factory.go to unblock CI smoke Remove mixed tab/space indentation in the openai.New options block so ubuntu-latest fmt-check passes. --------- Co-authored-by: Dmitry Tumanov <d1m7asis@gmail.com> Co-authored-by: Vasanthdev2004 <vasanth.dev2004@gmail.com> Co-authored-by: Cursor <cursoragent@cursor.com> Co-authored-by: KRATOS <kratos@KRATOSs-Mac-mini.local>
Summary
.gitfor shell-executed commands, sogit fetch,commit,add,pull,merge, andstashall failed under the default sandbox since they need to writeFETCH_HEAD, the index, objects, and refs..git/hooks(auto-executing scripts) and.git/config(remote URLs,credential.helper,core.hooksPath), the two subpaths that are actually dangerous to write. The rest of.gitis now writable to git subprocesses, since those writes go through git's own consistency checks.write_file,edit_file,apply_patch) is untouched and still treats all of.gitas protected, since a raw byte-level write to.gitbypasses git's invariants in a way a git subprocess write does not.Test plan
go test ./...passesTestSeatbeltProfileAllowsGitWritesExceptHooksAndConfigverifying the generated seatbelt profile no longer blanket-denies.gitand still denies.git/hooks/.git/configTestSeatbeltAllowsGitMetadataWritesExceptHooksAndConfig, a realsandbox-execintegration test proving a write to.git/FETCH_HEADsucceeds while writes to.git/hooks/*and.git/configare kernel-deniedgit fetch originon a real clone succeeds end to end through the sandbox enginezero sandbox policy --jsonSummary by CodeRabbit
.git/hooksand.git/configprotected..zeroand.agents.