feat: emit [SandboxDebug] fs_deny line for each Seatbelt file-* denial#224
Open
anonx3247 wants to merge 7 commits into
Open
feat: emit [SandboxDebug] fs_deny line for each Seatbelt file-* denial#224anonx3247 wants to merge 7 commits into
anonx3247 wants to merge 7 commits into
Conversation
Adds an opt-in allowAllDomains boolean to NetworkConfigSchema that flips the proxy filter fallback from deny-all to allow-all. Unmatched hosts are permitted unless they appear in deniedDomains, mirroring the filesystem read pattern. Existing configs are unaffected (defaults to false). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Enables `npm install github:anonx3247/sandbox-runtime` to resolve `main` / `bin` without a build step on consumer machines. Removes `dist` from .gitignore and checks in the compiled TypeScript output plus the vendored seccomp sources that prepublishOnly copies. Fork tracks upstream 0.0.48 plus allowAllDomains (5f3ef74). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Without the executable bit, npm install github:anonx3247/sandbox-runtime creates a symlink at node_modules/.bin/srt that shutil.which can't resolve. tsc doesn't preserve +x on emitted files, so we have to set it post-build. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When invoked as `srt -- cmd arg1 arg2 ...`, the CLI built the command
string by joining argv with a single space and then handed the result
to `spawn(cmd, { shell: true })`. Bash then re-parsed that string,
which corrupted any argument containing shell metacharacters
(parentheses, single/double quotes, backticks, `$`, `|`, `;`, etc.).
In practice this broke any caller that forwarded arbitrary user text
as a positional argument — for example, `srt -- claude -p "note (a)
with 'quotes'"` would fail with a bash syntax error rather than
running claude with that prompt.
The fix routes argv through `shellquote.quote`, which is the same
library already used elsewhere in this codebase to produce shell-safe
command strings. Each argv element is individually quoted so bash
re-parses it back to the original value.
The `-c` flag retains its current "no escaping" semantics by design —
that mode is for callers who want shell interpretation.
Regression tests cover parentheses, single quotes, backticks, literal
`$VAR`, and a combined realistic prompt argument.
Companion to the previous commit. The fork commits dist/ so that `npm install github:anonx3247/sandbox-runtime` picks up changes without a build step.
startMacOSSandboxLogMonitor already captures all sandbox violations from the macOS system log, but the callback only stored them in SandboxViolationStore — consumers reading srt's stderr (like cave with SRT_DEBUG=1) never saw fs denials, only network blocks logged separately by the proxy code. After this change, each violation that reaches the callback also calls logForDebugging with a `fs_deny: <violationDetails>` message. The [SandboxDebug] prefix and SRT_DEBUG guard are unchanged — fs denials are gated the same way all other debug output is. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The sandbox log monitor (startMacOSSandboxLogMonitor) was never started by the CLI because enableLogMonitor defaulted to false and was never passed. Gate it on process.env.SRT_DEBUG so it activates alongside all other debug output — callers that set SRT_DEBUG=1 (e.g. cave) now also get [SandboxDebug] fs_deny: lines for Seatbelt file-* denials. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
startMacOSSandboxLogMonitoralready captures all Seatbelt violations (fs + network) from the macOS system log, but the callback only stored them inSandboxViolationStore— consumers reading srt's stderr (e.g. withSRT_DEBUG=1) never saw fs denialslogForDebuggingin the proxy code; this PR brings fs denials to paritycallback(violation), callslogForDebugging(\fs_deny: ${violationDetails}`)so each file-* denial appears as a[SandboxDebug] fs_deny: ...` line on stderrThe
[SandboxDebug]prefix andSRT_DEBUGguard are unchanged — fs denials are gated the same way all other debug output is.Test plan
SRT_DEBUG=1under a restrictive profile and confirm[SandboxDebug] fs_deny:lines appear on stderr for blocked file reads[SandboxDebug] fs_deny:lines appear withoutSRT_DEBUG=1🤖 Generated with Claude Code