You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* fix(sandbox): stop mounting host SSH directory
- Remove the default read-only SSH bind mount from sandbox create.
- Keep GitHub access on the gh/HTTPS token path.
- Cover docker run mounts with a regression test and docs updates.
Co-Authored-By: Codex <noreply@openai.com>
Co-Authored-By: Claude <noreply@anthropic.com>
* test(sandbox): stop SSH mount test after docker run
---------
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Claude <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: docs/en/platform-support.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -100,7 +100,7 @@ docker info
100
100
101
101
Add the `DOCKER_HOST` export to your shell startup file after validation.
102
102
103
-
When rootless Docker is detected, agent-infra builds the sandbox image with `HOST_UID=0` and `HOST_GID=0`. Inside the container the sandbox user can read bind mounts such as `~/.ssh` without relaxing host file permissions. On the host, the daemon and container processes still run under the current user, so this does not grant host root privileges.
103
+
When rootless Docker is detected, agent-infra builds the sandbox image with `HOST_UID=0` and `HOST_GID=0`. Inside the container the sandbox user can read normal bind mounts such as the worktree and `/share/*` directories without relaxing host file permissions. On the host, the daemon and container processes still run under the current user, so this does not grant host root privileges.
104
104
105
105
Known rootless differences:
106
106
@@ -111,7 +111,7 @@ Known rootless differences:
111
111
Troubleshooting:
112
112
113
113
- If `docker info` fails, check `systemctl --user status docker` and confirm `DOCKER_HOST` points at `$XDG_RUNTIME_DIR/docker.sock`.
114
-
- If SSH files are still unreadable inside the sandbox, confirm the shell has not overridden `DOCKER_HOST` or Docker build arguments.
114
+
- If expected bind-mounted project or share files are still unreadable inside the sandbox, confirm the shell has not overridden `DOCKER_HOST` or Docker build arguments.
Copy file name to clipboardExpand all lines: docs/en/sandbox.md
+8-5Lines changed: 8 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,6 +10,8 @@ The default sandbox image also installs the agent-infra CLI npm package, exposin
10
10
11
11
The sandbox image also preinstalls `gh`. When `gh auth token` succeeds on the host, `ai sandbox create` injects the token into the container as `GH_TOKEN`, so `gh` commands work inside the sandbox without extra setup.
12
12
13
+
Host `~/.ssh` is not bind-mounted into the sandbox. GitHub access is expected to use the `gh` / HTTPS token path above; `git@github.com:*` SSH workflows need a separate, explicit setup outside the default sandbox boundary.
14
+
13
15
`ai sandbox rebuild` keeps Docker's build cache by default, so it quickly retags the sandbox image without refreshing every package. Use `ai sandbox rebuild --refresh` when you want to upgrade the image: it passes `--no-cache --pull` to Docker, pulls the current Ubuntu base image, and reruns the apt, tmux build, and global npm install layers. Claude Code updates are disabled inside the container, and OpenCode startup update checks are disabled; `--refresh` is the routine upgrade path for sandbox-managed tools. Manual `opencode upgrade` remains outside this guard. The default `python3` provided by the Ubuntu 24.04 sandbox base is Python 3.12, so scripts that hard-code Python 3.10 paths may need adjustment.
14
16
15
17
`ai sandbox exec` also forwards a small terminal-detection whitelist (`TERM_PROGRAM`, `TERM_PROGRAM_VERSION`, `LC_TERMINAL`, `LC_TERMINAL_VERSION`) into the container. This keeps interactive TUIs aligned with the host terminal for behaviors such as Claude Code's Shift+Enter newline support, without passing through the full host environment.
@@ -50,8 +52,8 @@ to this, `--all` meant the full teardown that `--purge` now performs.
50
52
Use `ai sandbox prune --dry-run` to inspect orphaned per-branch state dirs left
51
53
behind by older versions or interrupted cleanup, then `ai sandbox prune` to
52
54
remove only dirs without an active sandbox container.
53
-
Existing sandboxes pick up these mounts after `ai sandbox rm <branch>` and
54
-
`ai sandbox create <branch>`.
55
+
Existing sandboxes pick up mount changes, including removed mounts, after
56
+
`ai sandbox rm <branch>` and `ai sandbox create <branch>`.
55
57
56
58
On first `ai sandbox create`, agent-infra writes a bilingual `README.md` into
57
59
`~/.agent-infra/share/<project>/common/` and each `branches/<branch>/`
@@ -108,15 +110,16 @@ target.
108
110
> inside the container, but the full preference tree is linked into every
109
111
> project sandbox. Do not place `.ssh/`, `.aws/credentials`, `.netrc`,
110
112
> `.gnupg/`, `.npmrc` files containing `_authToken`, AI tool OAuth/access token
111
-
> files, or `.gitconfig` there. Use the dedicated SSH and credential channels,
112
-
> and prefer `.gitconfig.local` with `[include]` for local Git preferences.
113
+
> files, or `.gitconfig` there. Use the dedicated credential channels; GitHub
114
+
> access uses the `gh` / HTTPS token path. Prefer `.gitconfig.local` with
115
+
> `[include]` for local Git preferences.
113
116
114
117
**Protected paths** are ignored by the hook even if they appear under
115
118
`~/.agent-infra/dotfiles/`:
116
119
117
120
| Path pattern | Reason |
118
121
|---|---|
119
-
|`.ssh/*`| Host SSH credentials are managed by the read-only SSH mount. |
122
+
|`.ssh/*`| Host SSH material is protected and is not imported through the default sandbox. |
120
123
|`.gnupg/*`| GPG private material is managed by `gpg-agent`. |
121
124
|`.claude/*`, `.codex/*`, `.gemini/*`| AI tool credentials use dedicated bind mounts. |
122
125
|`.config/opencode/*`, `.local/share/opencode/*`| OpenCode credentials and data use dedicated bind mounts. |
0 commit comments