refactor(sandbox): remove OS-level write restrictions, shift to permission-gated model#101
Merged
yishuiliunian merged 2 commits intomainfrom Apr 15, 2026
Merged
Conversation
…ssion-gated model The seatbelt/bwrap file-write restrictions added no real security for Bash commands (process-exec was already unrestricted) but broke every CLI tool that writes to $HOME config dirs (lark-cli, npm, cargo, etc.). DefaultWrite mode now allows all file writes at the OS level. File tools keep fine-grained protection via app-level path_checker + deny_write_globs (RequiresApproval → user approval). Bash commands are gated solely by the permission system. - Rename WorkspaceWrite → DefaultWrite (serde alias for compat) - Add $HOME to baseline writable_paths (app-level path_checker) - Add deny_write_globs for shell configs, authorized_keys, LaunchAgents - Extract env patterns to env_patterns.rs (200-line limit) - Fix stale comments across permission.rs, seatbelt_base.sbpl, README
yishuiliunian
added a commit
that referenced
this pull request
Apr 15, 2026
Background tasks were invisible in the TUI because the agent process and TUI process had separate BackgroundTaskStore instances (noted as "future: sync from agent via IPC" in multiprocess.rs). Replace the polling-based reporter with event-driven sync matching the ToolProgress pattern: - BackgroundTaskStore emits SpawnNotification on insert, carrying Arc handles for per-task monitoring - bg_task_bridge subscribes and spawns per-task select! monitors: output sampler (2s delta) + completion watcher (await watch_rx) - Three protocol events: BgTaskSpawned, BgTaskOutput, BgTaskCompleted - Session state builds incrementally from events (IndexMap for O(1)) - TUI reads from session state; panel shows all tasks; Enter opens full-screen log viewer SubPage with auto-follow Removes TUI dependency on loopal-tool-background (bg_store was always empty in the TUI process).
yishuiliunian
added a commit
that referenced
this pull request
Apr 15, 2026
Background tasks were invisible in the TUI because the agent process and TUI process had separate BackgroundTaskStore instances (noted as "future: sync from agent via IPC" in multiprocess.rs). Replace the polling-based reporter with event-driven sync matching the ToolProgress pattern: - BackgroundTaskStore emits SpawnNotification on insert, carrying Arc handles for per-task monitoring - bg_task_bridge subscribes and spawns per-task select! monitors: output sampler (2s delta) + completion watcher (await watch_rx) - Three protocol events: BgTaskSpawned, BgTaskOutput, BgTaskCompleted - Session state builds incrementally from events (IndexMap for O(1)) - TUI reads from session state; panel shows all tasks; Enter opens full-screen log viewer SubPage with auto-follow Removes TUI dependency on loopal-tool-background (bg_store was always empty in the TUI process).
yishuiliunian
added a commit
that referenced
this pull request
Apr 15, 2026
* feat(tui): event-driven background task sync and log viewer (#101) Background tasks were invisible in the TUI because the agent process and TUI process had separate BackgroundTaskStore instances (noted as "future: sync from agent via IPC" in multiprocess.rs). Replace the polling-based reporter with event-driven sync matching the ToolProgress pattern: - BackgroundTaskStore emits SpawnNotification on insert, carrying Arc handles for per-task monitoring - bg_task_bridge subscribes and spawns per-task select! monitors: output sampler (2s delta) + completion watcher (await watch_rx) - Three protocol events: BgTaskSpawned, BgTaskOutput, BgTaskCompleted - Session state builds incrementally from events (IndexMap for O(1)) - TUI reads from session state; panel shows all tasks; Enter opens full-screen log viewer SubPage with auto-follow Removes TUI dependency on loopal-tool-background (bg_store was always empty in the TUI process). * fix: rustfmt formatting in new test and source files
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
$HOMEconfig dirs (lark-cli, npm, cargo, etc.)path_checker+deny_write_globs(soft deny with approval flow)Changes
platform/macos.rs: WorkspaceWrite seatbelt profile →(allow file-write*)instead of per-path rulesplatform/linux.rs: WorkspaceWrite bwrap →--bind / /(rw root) instead of--ro-bind+ per-path bindssandbox.rs(config): RenameWorkspaceWrite→DefaultWritewithserde(alias)for backward compatpolicy.rs: Add$HOMEto baselinewritable_paths(app-level path_checker only)sensitive_patterns.rs: Add deny_write_globs for shell configs (.bashrc/.zshrc), authorized_keys, LaunchAgents/LaunchDaemonsenv_patterns.rs(new): Extract env variable patterns from sensitive_patterns (200-line limit)permission.rs: Fix stale "Sandbox still blocks" comment on Bypass modeseatbelt_base.sbpl,README.md: Update stale references to old modelTest plan
bazel test //crates/loopal-sandbox:loopal-sandbox_testpassesbazel test //crates/loopal-backend:loopal-backend_testpassesbazel build //... --config=clippyzero warnings