Skip to content

fix(sandbox): unblock git fetch/commit/add under the write-restricted sandbox#2

Closed
euxaristia wants to merge 1 commit into
mainfrom
fix/sandbox-git-metadata-write
Closed

fix(sandbox): unblock git fetch/commit/add under the write-restricted sandbox#2
euxaristia wants to merge 1 commit into
mainfrom
fix/sandbox-git-metadata-write

Conversation

@euxaristia

@euxaristia euxaristia commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Summary

  • The sandbox denied every write under .git for shell-executed commands, so git fetch, commit, add, pull, merge, and stash all failed under the default sandbox since they need to write FETCH_HEAD, the index, objects, and refs.
  • Narrows the write block to .git/hooks (auto-executing scripts) and .git/config (remote URLs, credential.helper, core.hooksPath), the two subpaths that are actually dangerous to write. The rest of .git is now writable to git subprocesses, since those writes go through git's own consistency checks.
  • The separate app-level auto-allow gate for direct file-tool writes (write_file, edit_file, apply_patch) is untouched and still treats all of .git as protected, since a raw byte-level write to .git bypasses git's invariants in a way a git subprocess write does not.

Test plan

  • go test ./... passes
  • Added TestSeatbeltProfileAllowsGitWritesExceptHooksAndConfig verifying the generated seatbelt profile no longer blanket-denies .git and still denies .git/hooks / .git/config
  • Added TestSeatbeltAllowsGitMetadataWritesExceptHooksAndConfig, a real sandbox-exec integration test proving a write to .git/FETCH_HEAD succeeds while writes to .git/hooks/* and .git/config are kernel-denied
  • Manually verified git fetch origin on a real clone succeeds end to end through the sandbox engine
  • Updated the CLI golden JSON fixture for zero sandbox policy --json

Summary by CodeRabbit

  • Bug Fixes
    • Improved workspace sandbox permissions to allow safe Git metadata updates while keeping .git/hooks and .git/config protected.
    • Strengthened protection for sensitive metadata directories, including .zero and .agents.
    • Improved consistency of filesystem restrictions across sandbox environments.

…rites

The sandbox denied every write under .git for shell-executed commands,
so any git operation that touches its own metadata (fetch, commit, add,
pull, merge, stash) failed under the default sandbox. Narrow the block
to .git/hooks (auto-executing scripts) and .git/config (remote URLs,
credential.helper, core.hooksPath), the two subpaths that are actually
dangerous to write; the rest of .git stays writable to git subprocesses
since those writes go through git's own invariants.

The app-level auto-allow gate for direct file-tool writes (write_file,
edit_file, apply_patch) is unaffected and still treats all of .git as
protected, since hand-editing git's internals bypasses those invariants.
@euxaristia

Copy link
Copy Markdown
Owner Author

Opened against upstream instead: Gitlawb#654

@euxaristia euxaristia closed this Jul 10, 2026
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0170878e-362a-4ff5-94b9-3b9a8fb5c1ba

📥 Commits

Reviewing files that changed from the base of the PR and between aa73a76 and 05719be.

📒 Files selected for processing (5)
  • internal/cli/testdata/sandbox_policy_windows_unavailable.golden.json
  • internal/sandbox/manager_test.go
  • internal/sandbox/profile.go
  • internal/sandbox/runner_test.go
  • internal/sandbox/seatbelt_integration_darwin_test.go

Walkthrough

The sandbox permission profile now allows general .git metadata writes while protecting .git/hooks, .git/config, .zero, and .agents. Unit, golden-file, Seatbelt profile, and Darwin integration tests cover the updated behavior.

Changes

Git metadata protection

Layer / File(s) Summary
Profile carve-outs
internal/sandbox/profile.go, internal/sandbox/manager_test.go, internal/cli/testdata/sandbox_policy_windows_unavailable.golden.json
Workspace write roots now use fully protected metadata names and Git-specific read-only subpaths for .git/hooks and .git/config; profile and golden-file expectations are updated.
Seatbelt enforcement validation
internal/sandbox/runner_test.go, internal/sandbox/seatbelt_integration_darwin_test.go
Tests verify general Git metadata writes succeed while hook and config writes are denied.
Estimated code review effort: 3 (Moderate) ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant PermissionProfileFromPolicy
  participant SeatbeltProfile
  participant sandbox-exec
  participant GitWorkspace
  PermissionProfileFromPolicy->>SeatbeltProfile: configure writable root and Git carve-outs
  SeatbeltProfile->>sandbox-exec: generate deny rules for hooks and config
  sandbox-exec->>GitWorkspace: allow .git metadata write
  GitWorkspace-->>sandbox-exec: create FETCH_HEAD
  sandbox-exec->>GitWorkspace: deny .git/hooks and .git/config writes
Loading
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/sandbox-git-metadata-write

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown

Zero automated PR review

Verdict: No blockers found

Blockers

  • None found.

Validation

  • [pass] Diff hygiene: git diff --check
  • [pass] Tests: go test ./...
  • [pass] Build: go run ./cmd/zero-release build
  • [pass] Smoke build: go run ./cmd/zero-release smoke

Scope

Head: 05719beabeb5
Changed files (5): internal/cli/testdata/sandbox_policy_windows_unavailable.golden.json, internal/sandbox/manager_test.go, internal/sandbox/profile.go, internal/sandbox/runner_test.go, internal/sandbox/seatbelt_integration_darwin_test.go

This deterministic review checks validation status and basic diff hygiene. A human reviewer still owns product judgment and design quality.

euxaristia pushed a commit that referenced this pull request Jul 16, 2026
* feat(providers): add AI/ML API preset

* fix(providers): relocate aimlapi preset and drop referral header

Addresses the two review asks on Gitlawb#402:

- Move the AI/ML API descriptor out of catalog slot #2 (it sat above the
  first-party OpenAI/Anthropic/Google entries) down next to openrouter in
  the aggregator cluster. Re-sync expectedCatalogIDs and the
  TransportOpenAICompat order-list to match.
- Drop the always-on X-AIMLAPI-Partner-ID / Integration-Repo /
  Integration-Version attribution headers. There's no partner arrangement
  behind the preset, so a non-overridable referral tag on every user's
  request isn't something to ship on a community preset. aimlapi now rides
  through plain CopyHeaders like every other provider. Removes
  HeadersForCatalog (it existed only for this special-case), reverts the
  factory and discovery call sites to CopyHeaders, and drops the header
  test. The factory/discovery tests now assert the endpoint, auth, and the
  user's own custom headers survive while no attribution header is sent.

* fix(providers): address CodeRabbit review on Gitlawb#621

- Document AIMLAPIID for docstring coverage.
- Apply providerio.CopyHeaders for Anthropic and Google provider paths,
  matching the OpenAI path introduced for aimlapi header isolation.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(providers): gofmt factory.go to unblock CI smoke

Remove mixed tab/space indentation in the openai.New options block so
ubuntu-latest fmt-check passes.

---------

Co-authored-by: Dmitry Tumanov <d1m7asis@gmail.com>
Co-authored-by: Vasanthdev2004 <vasanth.dev2004@gmail.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: KRATOS <kratos@KRATOSs-Mac-mini.local>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant