sandbox support
- feat: add comprehensive code execution sandboxing
Implements sandboxing for shell command execution inspired by Anthropic's Claude Code approach. Provides dual-layer isolation: filesystem and network.
Features
Filesystem Isolation:
- Linux: bubblewrap for namespace isolation
- macOS: sandbox-exec with custom profiles
- Restricts access to current working directory
- Blocks sensitive paths (~/.ssh, ~/.aws, ~/.gnupg)
- Configurable allowed read/write paths
Network Isolation:
- HTTP/HTTPS proxy with domain allowlisting
- Pre-approved safe domains (package registries, git hosts)
- Optional user approval for new domains
- Network traffic monitoring and logging
Security:
- Opt-in by default (explicit user control)
- Fail-safe fallback to unsandboxed execution
- Prevents access to SSH keys, cloud credentials
- Limits blast radius of compromised dependencies
Implementation
Core Components:
- code_puppy/sandbox/base.py - Base classes and interfaces
- code_puppy/sandbox/linux_isolator.py - Bubblewrap implementation
- code_puppy/sandbox/macos_isolator.py - sandbox-exec implementation
- code_puppy/sandbox/network_proxy.py - Proxy server
- code_puppy/sandbox/config.py - Configuration management
- code_puppy/sandbox/command_wrapper.py - Main wrapper
Integration:
- Integrated into command_runner.py subprocess execution
- Added /sandbox CLI commands for management
- Configuration stored in ~/.code_puppy/sandbox_config.json
Commands
- /sandbox enable - Enable sandboxing
- /sandbox disable - Disable sandboxing
- /sandbox status - Show configuration
- /sandbox test - Test availability
- /sandbox allow-domain - Add domain to allowlist
- /sandbox allow-path - Add filesystem path
Testing
- 43 unit and integration tests (100% passing)
- Tests for Linux (bubblewrap) isolation
- Tests for macOS (sandbox-exec) isolation
- Tests for network proxy functionality
- Integration tests for complete sandboxing flow
- All code passes ruff style checks
Documentation
- Comprehensive README section on sandboxing
- Usage examples and security benefits
- Platform-specific installation instructions
- Configuration and command reference
Closes: Add code execution sandboxing feature
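The domain-allowlisting decision that the "Network Isolation" section of this commit describes, written out as an added example for this page. It is not code from the PR or from code_puppy: the allowlist entries, the sample proxy requests, and the ProxyPolicy class with its approve/decide methods are constructed here to show how a forward proxy classifies CONNECT and plain-HTTP requests with a default-deny policy.

```python
"""Domain-allowlist decision for the sandbox's HTTP/HTTPS forward proxy.
Added example for this page, not code from the code_puppy PR; the allowlist,
the sample requests and the ProxyPolicy class are constructed here."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the PR's "pre-approved safe domains" (the real list
# is not on the page).
DEFAULT_ALLOWED_DOMAINS = frozenset({
    "pypi.org", "files.pythonhosted.org", "registry.npmjs.org", "github.com",
})


def normalize_host(hostport: str) -> str:
    """Lowercase, drop :port and a trailing dot, unwrap a [v6] literal."""
    host = hostport.strip().lower()
    if host.startswith("["):                        # e.g. [::1]:443
        end = host.find("]")
        return host[1:end] if end > 0 else ""
    return host.partition(":")[0].rstrip(".")


def is_allowed(host: str, allowed: frozenset[str]) -> bool:
    """Exact match or a subdomain. The dot in '.' + d is the whole point:
    a bare endswith(d) would let evilgithub.com through."""
    host = normalize_host(host)
    return bool(host) and any(host == d or host.endswith("." + d) for d in allowed)


def target_of_request(request_line: str, headers: dict[str, str]) -> str:
    """Destination host of a proxy request. CONNECT carries host:port in the
    target; plain-HTTP proxying uses an absolute URL; otherwise fall back to
    the Host header (header names lowercased by the caller)."""
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return normalize_host(target)
    if "://" in target:
        return normalize_host(urlsplit(target).netloc)
    return normalize_host(headers.get("host", ""))


@dataclass
class ProxyPolicy:
    allowed: set[str] = field(default_factory=lambda: set(DEFAULT_ALLOWED_DOMAINS))
    log: list[str] = field(default_factory=list)    # the PR's traffic log, in memory

    def approve(self, domain: str) -> None:
        """What '/sandbox allow-domain' would do after the user says yes."""
        self.allowed.add(normalize_host(domain))

    def decide(self, request_line: str, headers: dict[str, str] | None = None) -> tuple[bool, str]:
        """Default deny: anything not on the allowlist is refused and logged."""
        host = target_of_request(request_line, headers or {})
        ok = is_allowed(host, frozenset(self.allowed))
        method = (request_line.split() or ["?"])[0]
        self.log.append(f"{'ALLOW' if ok else 'DENY'} {method} {host or '<no host>'}")
        return ok, host


# Constructed requests as the proxy would see them.
SAMPLE_REQUESTS = [
    ("CONNECT pypi.org:443 HTTP/1.1", {}),
    ("CONNECT files.pythonhosted.org:443 HTTP/1.1", {}),
    ("CONNECT evil-pypi.org:443 HTTP/1.1", {}),        # not a subdomain: denied
    ("GET http://api.github.com/repos HTTP/1.1", {}),  # subdomain: allowed
    ("GET http://notgithub.com/x HTTP/1.1", {}),       # suffix trick: denied
    ("GET /index.html HTTP/1.1", {"host": "registry.npmjs.org:80"}),
]


def run_sample(policy: ProxyPolicy | None = None) -> list[bool]:
    """Classify the constructed requests; returns one allow/deny bool each."""
    policy = policy or ProxyPolicy()
    return [policy.decide(line, hdrs)[0] for line, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    p = ProxyPolicy()
    run_sample(p)
    print("\n".join(p.log))
```

Two caveats a practitioner should keep in mind with this design. For HTTPS the proxy only ever sees the CONNECT target, so the decision is made on the host name alone and nothing inside the tunnel is inspected. And an allowlisting proxy only limits what the sandboxed process can reach if that process is actually forced through it; proxy environment variables are honoured voluntarily by clients, so hard enforcement needs the network namespace (or equivalent) to leave no other route out.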
- feat: add Claude Code-inspired sandbox enhancements
Implements advanced sandboxing features matching Anthropic's Claude Code implementation for production-ready code execution isolation.
New Features
1. Broad Read Scope (matches Claude Code default)
- Read access: Entire filesystem EXCEPT denied paths
- Write access: Current working directory + allowed paths only
- Configurable via read_scope: "broad" (default) or "restricted"
2. Excluded Commands
- Commands that always run unsandboxed (docker, watchman, podman, systemctl)
- Prevents sandbox incompatibility issues
- Configurable exclusion list
3. Resource Limits (CPU/Memory)
- Linux: systemd-run with MemoryMax and CPUQuota
- macOS: ulimit for memory limits
- Prevents runaway processes
- Configurable: max_memory_mb, max_cpu_percent
4. Retry Handler (dangerouslyDisableSandbox)
- Detects sandbox-related failures
- Prompts user to retry without sandboxing
- Configurable via allow_unsandboxed_commands
- Improves UX for legitimate failures
5. Advanced Proxy Configuration
- Separate HTTP and SOCKS proxy ports
- Configurable: http_proxy_port (9050), socks_proxy_port (9051)
- Better network isolation control
Implementation Details
Updated Files:
- code_puppy/sandbox/base.py - Added read_scope, resource limits to SandboxOptions
- code_puppy/sandbox/config.py - Extended with all new configuration options
- code_puppy/sandbox/linux_isolator.py - Broad read scope + systemd-run resource limits
- code_puppy/sandbox/macos_isolator.py - Broad read scope + ulimit resource limits
- code_puppy/sandbox/command_wrapper.py - Excluded commands check, 3-tuple return
- code_puppy/sandbox/retry_handler.py - NEW: Retry logic for failed commands
- code_puppy/tools/command_runner.py - Handle exclusions, show status messages
Configuration Schema:
{
"read_scope": "broad", // "broad" or "restricted"
"excluded_commands": ["docker", "watchman", "podman", "systemctl"],
"allow_unsandboxed_commands": true,
"http_proxy_port": 9050,
"socks_proxy_port": 9051,
"max_memory_mb": null,
"max_cpu_percent": null,
"denied_read_paths": ["~/.ssh", "~/.aws", "~/.gnupg", ...]
}
Testing
- 43 unit tests passing (100%)
- Fixed tests for new 3-tuple return signature
- Updated tests for broad read scope default
- All ruff style checks passing
Matches Claude Code Features
✅ Two-layer isolation (filesystem + network)
✅ Broad read scope by default
✅ Excluded commands for incompatible tools
✅ Resource limits (Linux with systemd, macOS with ulimit)
✅ Retry mechanism foundation (dangerouslyDisableSandbox)
✅ Configurable proxy ports
✅ Domain-based network filtering
Benefits
- More flexible than initial implementation
- Better compatibility with real-world tools
- Resource protection prevents DoS
- Improved UX with retry mechanism
- Production-ready configuration
Refs: https://code.claude.com/docs/en/sandboxing
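How the Linux pieces described in this commit fit together (broad read scope with denied paths, writable cwd plus allowed paths, the excluded-commands check, the 3-tuple return, and systemd-run resource limits), as an added example written for this page. It is not code from the PR or from code_puppy: SandboxOptions, wrap_command, the exact bubblewrap flag layout and the systemd-run wrapping are this example's own choices, modelled on the commit messages. The argv is only built, never executed, so the module runs on any platform.

```python
"""Build (never run) the argv for a bubblewrap-sandboxed shell command with
the broad read scope, masked secret directories, a writable cwd, advisory
proxy variables and optional systemd-run resource limits.
Added example for this page, not code from the code_puppy PR; SandboxOptions,
wrap_command and the flag layout are this example's own choices."""
from __future__ import annotations

import os
import shlex
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class SandboxOptions:
    cwd: str
    read_scope: str = "broad"                       # "broad" or "restricted"
    allowed_write_paths: list[str] = field(default_factory=list)
    denied_read_paths: list[str] = field(
        default_factory=lambda: ["~/.ssh", "~/.aws", "~/.gnupg"])
    excluded_commands: list[str] = field(
        default_factory=lambda: ["docker", "watchman", "podman", "systemctl"])
    http_proxy_port: int = 9050
    max_memory_mb: Optional[int] = None
    max_cpu_percent: Optional[int] = None


def is_excluded(command: str, excluded: list[str]) -> bool:
    """True when the bare command word is on the never-sandbox list. './docker'
    or 'env X=1 docker' stays sandboxed, so a binary dropped into the repo
    cannot opt itself out of the sandbox."""
    try:
        argv = shlex.split(command)
    except ValueError:              # unbalanced quotes: let the shell report it
        return False
    return bool(argv) and argv[0] in excluded


def _expand(path: str, home: str) -> str:
    """'~/x' -> '<home>/x' without consulting the real environment."""
    return os.path.normpath(home + path[1:] if path.startswith("~") else path)


def bwrap_argv(command: str, opts: SandboxOptions, home: str,
               isdir: Callable[[str], bool] = os.path.isdir) -> list[str]:
    """Later bwrap mounts shadow earlier ones: whole tree read-only first,
    then writable directories, then the masks over secrets."""
    cwd = _expand(opts.cwd, home)
    argv = ["bwrap", "--die-with-parent", "--new-session", "--unshare-pid"]
    roots = ["/"] if opts.read_scope == "broad" else ["/usr", "/bin", "/lib", "/lib64", "/etc"]
    for p in roots:                                 # "restricted": toolchain only
        if isdir(p):
            argv += ["--ro-bind", p, p]
    argv += ["--dev", "/dev", "--proc", "/proc", "--tmpfs", "/tmp"]
    for p in [cwd, *opts.allowed_write_paths]:      # writable: cwd + allowlist
        p = _expand(p, home)
        argv += ["--bind", p, p]
    for p in opts.denied_read_paths:                # masks last, so they win even
        p = _expand(p, home)                        # when cwd is $HOME; a real build
        if isdir(p):                                # should resolve symlinks first
            argv += ["--tmpfs", p]                  # (empty tmpfs hides the contents)
    # Advisory only: a process may ignore proxy variables. Hard enforcement
    # needs --unshare-net plus a route (e.g. a bound unix socket) to the proxy.
    proxy = f"http://127.0.0.1:{opts.http_proxy_port}"
    for var in ("HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy"):
        argv += ["--setenv", var, proxy]
    argv += ["--chdir", cwd, "--", "/bin/sh", "-c", command]
    return argv


def with_resource_limits(argv: list[str], opts: SandboxOptions) -> list[str]:
    """Transient systemd scope (cgroup v2 assumed): limits cover the whole
    process tree, and --scope keeps the command in the foreground."""
    if opts.max_memory_mb is None and opts.max_cpu_percent is None:
        return argv
    prefix = ["systemd-run", "--user", "--scope", "--quiet"]
    if opts.max_memory_mb is not None:
        prefix += ["-p", f"MemoryMax={opts.max_memory_mb}M"]
    if opts.max_cpu_percent is not None:
        prefix += ["-p", f"CPUQuota={opts.max_cpu_percent}%"]
    return prefix + ["--"] + argv


def wrap_command(command: str, opts: SandboxOptions, home: str,
                 isdir: Callable[[str], bool] = os.path.isdir) -> tuple[list[str], bool, str]:
    """(argv, sandboxed, status message): the 3-tuple shape the commit describes."""
    if is_excluded(command, opts.excluded_commands):
        return ["/bin/sh", "-c", command], False, "excluded command: running unsandboxed"
    argv = with_resource_limits(bwrap_argv(command, opts, home, isdir), opts)
    return argv, True, "sandboxed with bubblewrap"


if __name__ == "__main__":     # constructed demo: limits on, pip cache writable
    demo = SandboxOptions(cwd="/work/proj", allowed_write_paths=["~/.cache/pip"],
                          max_memory_mb=512, max_cpu_percent=50)
    for cmd in ("python -m pytest", "docker compose up"):
        argv, _, msg = wrap_command(cmd, demo, home="/home/u", isdir=lambda p: True)
        print(msg, "->", shlex.join(argv))
```

Mount order is the part that is easy to get wrong: with `--ro-bind / /` first, the writable binds and the tmpfs masks must come after it, and the masks must come after the writable binds, otherwise a cwd of `$HOME` would re-expose `~/.ssh`. Whether a denied path is masked is decided from the host view of the filesystem, so a real implementation should resolve symlinks before deciding. For the retry handler this commit adds, the failure detection should distinguish bubblewrap's or systemd-run's own errors from the command's exit status; stderr is under the sandboxed command's control, so the user prompt, not the heuristic, is what gates the unsandboxed rerun.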
Hello! What an interesting contribution. I have a few questions -
Would it be possible to refactor this to be a code_puppy/plugin?
Typically with these kinds of contributions, I ask that folks implement in such a way that no behavior is changed from the default and that the code is nearly 100% isolated. The plugin hooks / callbacks can facilitate this. I will totally accept adding additional hooks in various parts of the codebase. But, this principle keeps the codebase very clean and different components isolated.
The other thing I will ask is that the feature is toggled off by default so effectively there is no change in behavior whatsoever when I merge the PR. Users may opt in by enabling the feature, for example /set sandbox_mode = true
Let me know your thoughts and if you think that is feasible.