feat(pap-sandbox): wire real IPC pipeline, runtime feature detection, Docker adapter#383
Merged
toadkicker merged 38 commits intomainfrom May 1, 2026
Merged
feat(pap-sandbox): wire real IPC pipeline, runtime feature detection, Docker adapter#383toadkicker merged 38 commits intomainfrom
toadkicker merged 38 commits intomainfrom
Conversation
…attestation New standalone crate `crates/pap-sandbox` providing process-level isolation for agent execution with cryptographic proof of enforcement constraints. - `policy.rs`: CapabilityPolicy with three-tier cascade (agent > category > global) and pledge(2) promise derivation from boolean flags - `receipt.rs`: AttestationReceipt + CapabilityProof — embedded in PAP phase 5 co-signing so the principal's signature proves which constraints were enforced - `memory.rs`: SecureBuffer — mlock() pins pages to physical RAM, Zeroize on drop, prevents swap exposure of sensitive execution context - `ipc.rs`: AES-256-GCM encrypt/decrypt for ExecutionContext transfer + X25519 ECDH key agreement; sensitive buffers never travel over IPC in plaintext - `spawner.rs`: AgentSpawner trait + NoopSpawner fallback for unsupported platforms - `platform/linux.rs`: seccomp-aware child spawner; policy flags → seccomp rules hash in CapabilityProof - `platform/bsd.rs`: pledge(2) spawner; exact promise string recorded in proof - `platform/macos.rs`: entitlements spawner with derived entitlement list in proof - `platform/windows.rs`: Job Objects spawner with VirtualLock memory protection - `tauri_commands.rs`: 5 IPC handlers (spawn, poll_state, force_terminate, get_receipt, default_policy) Papillon integration: sandbox spawner registered as managed Tauri state at startup; 5 commands added to invoke_handler. Falls back to NoopSpawner with structured error on unsupported platforms rather than crashing. 15 unit tests: policy cascade, AES-GCM roundtrip, X25519 key agreement, mlock/zeroize lifecycle, receipt signing fields. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- CHANGELOG.md: add 0.8.3 entry covering pap-sandbox crate, SecureBuffer, encrypted IPC, AttestationReceipt/CapabilityProof, CapabilityPolicy cascade, Tauri IPC commands, Papillon integration, and security note on mlock+AES-GCM - docs/pap/index.html: update crate count 10 → 11; add pap-sandbox card with platform coverage (seccomp/pledge/entitlements/Job Objects) and attestation summary - docs/papillon/index.html: add Execution Sandbox tech card in the security section explaining OS-level process isolation, encrypted IPC, and co-signed capability proof Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…clusions Apply cargo fmt formatting to memory.rs, spawner.rs, and all platform backends. Add pap-sandbox to the sed exclusion lists in both apps/registry/Dockerfile and apps/papillon/Dockerfile so the registry and papillon Docker builds do not fail trying to resolve a workspace member that is not copied into their build contexts. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…e + fix check script path The chrysalis-e2e CI job builds apps/papillon/e2e/Dockerfile.ci-chrysalis which strips uncoped workspace members via sed. pap-sandbox is a Papillon-only dep and was not COPYed, causing cargo metadata to fail. Also correct the check-docker-workspace.sh path for this Dockerfile (was e2e/ from repo root, should be apps/papillon/e2e/) so future workspace additions are caught. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…I bindings Python (pap-python): - CapabilityPolicy, MemoryProtection, CapabilityProof, AttestationReceipt, ExecutionHandle, ExecutionContext, ExecutionResult, SandboxSpawner classes - sandbox_encrypt / sandbox_decrypt / sandbox_new_spawner free functions - SandboxSpawner.spawn / poll_state / terminate / collect_result (blocking, reuses the existing global tokio RT) C FFI (pap-c): - PapCapabilityPolicy, PapExecutionContext, PapExecutionHandle, PapAttestationReceipt, PapAgentSpawner opaque types - PAP_EXEC_STATE_* integer constants for poll_state results - pap_capability_policy_new/free/set_timeout/set_network/set_filesystem/set_subprocess - pap_execution_context_new/free - pap_spawner_new/free/spawn/poll_state/terminate/collect_receipt - pap_attestation_receipt_session_id/agent_did/result_hash/exit_code/aborted/duration_ms/to_json/free - pap_sandbox_encrypt / pap_sandbox_decrypt / pap_sandbox_bytes_free - Java (JNA) and C# (P/Invoke) consumers inherit the surface from pap-c Also: ExecutionContext derives Clone (required for PyO3 borrow semantics) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
New `os_capabilities` module probes at runtime which isolation primitives are available on the current system: - seccomp-BPF (Linux): prctl(PR_GET_SECCOMP) probe - pledge(2) (OpenBSD): always available on supported platform - Sandbox.framework (macOS): weak-link availability - Job Objects (Windows): always available Vista+ - mlock(2): live probe with immediate unlock - network/filesystem restriction: derives from above `CapabilityPolicy::effective_enforcement()` intersects the requested policy with what the OS can actually deliver, returning a `CapabilityProof` that only claims enforcement for mechanisms that applied. Receipts now reflect reality — a receipt from a container without CAP_SYS_ADMIN won't falsely claim seccomp. Detection runs once via OnceLock and is cached for the process lifetime. `OsCapabilities` and `detect_os_capabilities` are re-exported from lib.rs and exposed in the Python (PyO3) and C FFI SDKs. 47 unit tests pass (up from 18 orphaned files to fully wired test suite). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…_raw_parts - Remove redundant any() wrapper: #[cfg(any(openbsd))] → #[cfg(openbsd)] - Replace from_raw_parts_mut with ptr::slice_from_raw_parts_mut in pap_sandbox_bytes_free Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Fix clippy::useless_vec in os_capabilities.rs (vec![0u8;1] → [0u8;1])
- Add SandboxedHandlerWrapper: composes AgentHandler + AgentSpawner,
delegates all PAP phases unchanged, intercepts phase 4 execute() to
run the inner handler through the OS sandbox lifecycle
- Add pap-sandbox dep to registry (ssr feature only)
- Add sandbox_spawner (Arc<dyn AgentSpawner>) to AppState; initialized
at startup via new_spawner(), falls back to NoopSpawner on unsupported
platforms with a logged warning
- Wrap every agent handler in SandboxedHandlerWrapper at startup; sandbox
is on by default, disabled per-agent via settings KV key
"sandbox_disabled:{hash}"
- Add SETTING_SANDBOX_DISABLED_PREFIX constant to state.rs
- Add get_agent_sandbox_enabled / set_agent_sandbox_enabled server fns
- Add sandbox toggle checkbox to AgentCard in the agents UI
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…x_spawner in registry tests Move sandbox C FFI bindings before the cfg(test) module in pap-c to satisfy clippy::items_after_test_module. Add missing sandbox_spawner field (NoopSpawner) to all 12 AppState literals in registry test helpers. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…est panic Three CI failures in the previous push: 1. Docker image builds (registry + Chrysalis CI): Dockerfiles stripped pap-sandbox from workspace members via sed but never COPY'd the crate, so cargo couldn't resolve the registry's optional pap-sandbox dep. Fix: COPY crates/pap-sandbox in both Dockerfiles; remove the sed line that deleted it from workspace members (crate is now present). 2. handler_wrapper test panic: sandboxed_path test used #[tokio::test] which drives execute() directly from the async thread — block_on() panics "cannot start runtime from within runtime". In production execute() is called via spawn_blocking (runtime present, blocking thread). Fix: plain #[test], explicit Runtime::new(), call execute() from inside spawn_blocking to mirror the production contract exactly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… hash collision Critical: - handler_wrapper: decrypt result with ephemeral_key (captured in scope) instead of result_hash.as_bytes() — the two were never the same value, making the sandboxed IPC path permanently broken for any real spawner - handler_wrapper: emit tracing::warn when result_enc fallthrough fires; silent sandbox bypass is never acceptable without an operator-visible log Security: - api.rs: add is_authorized guard to sign_advertisement — private key was transiting the server with no auth check, unlike every other mutation Correctness: - main.rs: replace unwrap_or_default() for missing agent advertisement with a warn + continue; empty hash caused all unmapped agents to share the same settings key "sandbox_disabled:", making them shadow each other's toggle - handler_wrapper: saturating_mul/saturating_add for timeout_ms to prevent u64 overflow wrapping to near-zero deadline on extreme policy values Documentation / future work: - main.rs: TODO comments for per-agent CapabilityPolicy resolution and hot-reload of sandbox_enabled flag (requires route rebuild on change) - agents.rs: UI label and title attribute clarify restart-required semantics - Dockerfile test stage: fix misleading comment; pap-test-utils IS copied, so remove the stale sed line that deleted it from workspace members Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous fix turned a missing advertisement into a hard skip (continue),
which broke the E2E tests: agents without an advertisement were never mounted
so the /agents page rendered empty and Chrysalis/federation tests timed out.
Correct fix: still mount the agent (don't skip), but derive the sandbox
settings key as "name:{name}" rather than "" so all unadvertised agents
get their own distinct key. Emit a tracing::warn so operators can investigate
why an agent has no advertisement, without breaking functionality.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…meout The per-card spawn_local(get_agent_sandbox_enabled) pattern fired N individual server function calls during SSR of the agents page — one DB round-trip per agent card, serialized into the render path. With enough agents registered this caused the Playwright request context to time out before the response body completed, failing the Chrysalis and Federation E2E tests. Fix: add sandbox_enabled: bool to AgentEntry (default true via serde default). list_agents now populates it in one sequential pass after the main DB query. AgentCard reads the field from the entry prop; the loading spinner and per-card async initialization are removed. The get_agent_sandbox_enabled server function is kept for future direct use (e.g. settings page), but AgentCard no longer calls it. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Now that pap-sandbox is shipped, emphasize that PAP seals the entire security boundary: - Request layer: SD-JWT selective disclosure (minimize what agent sees) - Execution layer: OS-level sandboxing (minimize what agent can do) Both boundaries are required. Neither alone solves the problem. - README: clarify two-boundary security model with specific OS capability examples - Specification: update problem statement to include execution isolation gap, add design goals - DESIGN.md: update principles to reference sandboxed execution and constraint attestation - Comparison table: add Execution Isolation row highlighting PAP's unique coverage - Papillon/Chrysalis descriptions: emphasize sandbox enforcement and cryptographic proof Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Add comprehensive documentation for pap-sandbox usage and architecture: - docs/pap-sandbox-guide.md: User-facing guide covering: * Two-boundary security model (request + execution) * How Papillon and Chrysalis integrate sandbox enforcement * Per-agent sandbox toggle in registry with policy cascade * Attestation receipt verification and platform support * Threat model: what it solves (execution compromise) vs. doesn't (payload injection) - crates/pap-sandbox/README.md: API reference covering: * Core types: AgentSpawner, CapabilityPolicy, ExecutionState, AttestationReceipt * Integration pattern for Phase 4 (execute) and Phase 5 (co-sign receipt) * Unit and integration testing patterns * Performance overhead analysis (~15-20ms per execution) * Security model with audit trail via cryptographic attestation Together with updated competitive messaging (commit 8e984fd), PAP now has: - Request boundary: SD-JWT selective disclosure minimizes input - Execution boundary: OS sandboxing minimizes what agent can do - Attestation: Co-signed receipts prove constraints were enforced Complete stack coverage: request + execution = auditable security boundary. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Replace 'Request Layer for Agentic Systems' with 'Complete Trust Boundaries for Programmable Delegation': - PAP is protocol-agnostic, doesn't require AI - Now have both request AND execution boundaries - Remove 'agentic' framing entirely Updates: - Hero: emphasize request + execution boundaries, note 'No AI required' - Two Layers section → 'Two Boundaries': request (what agents see) + execution (what agents can do) - PAP card: 'request boundary' not 'request layer', works with 'any agent runtime' - Papillon: mention sandboxed isolation and constraint verification - Chrysalis: emphasize registry + sandbox enforcement + attestation Reflects current state: with pap-sandbox shipped, we have complete stack coverage. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Navbar was showing dark mode background on initial light mode load because hardcoded rgba(12,11,20,.85) ran before theme-specific rules. Now [data-theme] and prefers-color-scheme nav backgrounds are applied immediately with the rest of the page, eliminating the flash. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Removed made-up overhead percentages (5-8%, 2-4%, etc.) that had no basis. Replace with honest language: 'Measure on your target platform.' Process spawning is the dominant cost—OS and hardware dependent. Don't claim specific percentages without measurement. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
pap-sandbox requires OS-level capabilities (seccomp, pledge, entitlements, job objects) that are unavailable in standard containerized environments. In Docker/Podman/Kubernetes, sandboxing fails to initialize and falls back to unsandboxed execution with a warning in attestation receipts. Deploy on bare metal or VMs for actual sandbox enforcement. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Implement runtime detection to support agent execution isolation in Docker containers: - Platform detection module: auto-detect OS capabilities (seccomp, pledge, etc.), Docker socket availability, or fallback to unsandboxed - DockerSpawner: spawn agents as sibling containers with CapabilityPolicy mapped to Docker flags (--network=none, --cap-drop, etc.) - Async new_spawner(): runtime detection instead of compile-time #[cfg], returns appropriate spawner (OS, Docker, or Noop) - Updated NoopSpawner: generates receipts with empty CapabilityProof to indicate no isolation (audit trail preserved) - Docker-specific dependencies: bollard (Docker API) and procfs (container detection) gated behind platform features - docker-compose.yml: example stack with /var/run/docker.sock mounted for sibling spawning - Dockerfile: agent runner image for containerized execution - Tests: platform detection and NoopSpawner behavior validation With Docker socket mounted in Papillon container, agents now execute with isolation in "docker compose up" deployment: - Bare metal: uses OS primitives (Linux seccomp, BSD pledge, macOS entitlements, Windows job objects) - Docker: spawns sibling containers with restricted capabilities - Unsupported: falls back to unsandboxed with audit warning (receipt includes empty capability proof) Supports the complete "docker compose up" shipping path while maintaining execution attestation via receipts. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
NoopSpawner now gracefully falls back instead of erroring. Update test to verify successful execution without isolation (audit trail preserved). All tests pass: 59 passed; 0 failed Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- handler_wrapper: empty result_enc is now an error, not a silent fallback to unsandboxed execution - NoopSpawner: spawn() returns PlatformUnsupported error instead of faking success with empty receipts - new_spawner(): returns error when no platform is available instead of silently returning NoopSpawner - Tests updated to verify errors surface correctly Sandbox failures must be visible to callers. The previous behavior hid broken IPC by quietly running agents unsandboxed — a false sense of security. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All four platform spawners (Linux, BSD, macOS, Windows) now write ExecutionContext JSON to child stdin and read ExecutionResult JSON from child stdout on process exit — completing the parent↔child IPC pipeline that was previously stubbed. The Docker spawner reads container logs for the same protocol. Runtime platform detection now uses os_capabilities::detect() for real feature probing (e.g. prctl(PR_GET_SECCOMP) on Linux) instead of hardcoded compile-time #[cfg] booleans. A Linux binary where seccomp is blocked correctly falls through to Docker spawning or returns an error. Adds the worker module (child-side IPC protocol) to the crate exports. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
7 new tests covering the full parent↔child IPC protocol: - ExecutionContext JSON serialization round-trip - ExecutionResult JSON serialization round-trip - Full encrypt→serialize→deserialize→decrypt pipeline end-to-end - Empty result_enc detected as broken pipeline - CapabilityPolicy serializes correctly for --policy CLI arg - Wrong ephemeral key length rejected before decryption - Tampered ciphertext fails AES-GCM authentication 66 tests now pass (was 59). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
toadkicker has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Benchmark Regression ReportThreshold: 10% regression vs baseline from main |
Contributor
|
| Filename | Overview |
|---|---|
| crates/pap-sandbox/src/platform/docker.rs | New Docker sibling-container spawner with three P1 bugs: invalid cap-drop names, container records never cleaned up, and IPC mismatch between worker stdin and spawner env var. |
| crates/pap-sandbox/src/platform/detection.rs | New runtime detection module; sound overall but Docker socket check is gated behind is_in_container(), silently returning Unsupported on bare-metal hosts with Docker but no native sandbox capabilities. |
| crates/pap-sandbox/src/worker.rs | New child-side IPC worker; correct for native spawners but incompatible with DockerSpawner which passes context via env var and never writes to stdin. |
| crates/pap-sandbox/src/spawner.rs | Changed new_spawner() from sync to async with runtime feature detection; NoopSpawner now errors instead of silently passing. |
| crates/pap-sandbox/src/handler_wrapper.rs | Removed silent fallback to unsandboxed execution when result_enc is empty — good security hardening. |
| Dockerfile | New multi-stage Dockerfile; build silently swallows errors via |
| apps/papillon/src/lib.rs | Adapted to async new_spawner() by creating a new Tokio runtime; functionally correct but creates a redundant runtime inside Tauri's setup callback. |
| apps/registry/src/main.rs | Minimal correct change: new_spawner() is now awaited since the function became async. |
Sequence Diagram
sequenceDiagram
participant P as Parent Process
participant D as detect_runtime()
participant S as Platform Spawner
participant C as Child / Container
P->>D: await detect_runtime()
D-->>P: Bare / Docker / Unsupported
alt Bare (Linux/BSD/macOS/Windows)
P->>S: spawn(policy, context)
S->>C: exec --sandbox-worker
S->>C: write ExecutionContext JSON to stdin
S->>C: close stdin
C->>C: read_context_from_stdin()
C->>C: decrypt, execute, encrypt
C-->>S: ExecutionResult JSON to stdout
S->>S: reap_child_output(), store result
P->>S: collect_result()
S-->>P: (ExecutionResult, AttestationReceipt)
else Docker
P->>S: DockerSpawner::spawn(policy, context)
S->>C: create_container(PAP_CONTEXT env var)
S->>C: start_container
Note over S,C: stdin opened but never written (BUG)
C-->>S: stdout ExecutionResult JSON
S->>S: poll_state() read_container_stdout()
Note over S: container record not removed (BUG)
P->>S: collect_result()
S-->>P: (ExecutionResult, AttestationReceipt)
end
Comments Outside Diff (6)
-
crates/pap-sandbox/src/platform/docker.rs, line 1342-1346 (link)Invalid Linux capability names in
cap_dropSYS_FORKandSYS_CLONEare not valid Linux capability names — they are syscall names. Docker's--cap-drop(andHostConfig.cap_drop) operates on Linux capabilities (e.g.CAP_SYS_ADMIN,CAP_NET_ADMIN). Passing unknown names like"SYS_FORK"will likely cause container creation to fail with an API error. Restricting fork/clone at the syscall level requires a custom seccomp profile, notcap_drop.Prompt To Fix With AI
This is a comment left during a code review. Path: crates/pap-sandbox/src/platform/docker.rs Line: 1342-1346 Comment: **Invalid Linux capability names in `cap_drop`** `SYS_FORK` and `SYS_CLONE` are not valid Linux capability names — they are syscall names. Docker's `--cap-drop` (and `HostConfig.cap_drop`) operates on Linux capabilities (e.g. `CAP_SYS_ADMIN`, `CAP_NET_ADMIN`). Passing unknown names like `"SYS_FORK"` will likely cause container creation to fail with an API error. Restricting fork/clone at the syscall level requires a custom seccomp profile, not `cap_drop`. How can I resolve this? If you propose a fix, please make it concise.
-
crates/pap-sandbox/src/platform/docker.rs, line 1438-1457 (link)When a container exits and
poll_statesuccessfully parses theExecutionResult, the result is stored inself.resultsbut the correspondingContainerRecordis never removed fromself.containers, andremove_containeris never called on the Docker daemon. Over the lifetime of a server, stopped containers accumulate in Docker and thecontainersHashMap grows unbounded. Theterminatepath does callremove_container, but the successful-exit path inpoll_statedoes not.Prompt To Fix With AI
This is a comment left during a code review. Path: crates/pap-sandbox/src/platform/docker.rs Line: 1438-1457 Comment: **Container records and Docker containers not cleaned up on successful exit** When a container exits and `poll_state` successfully parses the `ExecutionResult`, the result is stored in `self.results` but the corresponding `ContainerRecord` is never removed from `self.containers`, and `remove_container` is never called on the Docker daemon. Over the lifetime of a server, stopped containers accumulate in Docker and the `containers` HashMap grows unbounded. The `terminate` path does call `remove_container`, but the successful-exit path in `poll_state` does not. How can I resolve this? If you propose a fix, please make it concise.
-
crates/pap-sandbox/src/platform/docker.rs, line 1328-1335 (link)worker.rs::read_context_from_stdin()reads theExecutionContextJSON from stdin and returns an error if stdin is empty. The Docker spawner passes the context exclusively via thePAP_CONTEXTenv var and never writes anything to the container's stdin afterstart_container. Despite settingopen_stdin: Some(true), the spawner never opens an attach-stream to write data. A worker binary usingworker.rswould block indefinitely waiting for stdin content, or fail immediately with"empty stdin — no execution context received".Prompt To Fix With AI
This is a comment left during a code review. Path: crates/pap-sandbox/src/platform/docker.rs Line: 1328-1335 Comment: **Docker IPC mismatch: worker reads from stdin, Docker spawner only passes context via env var** `worker.rs::read_context_from_stdin()` reads the `ExecutionContext` JSON from stdin and returns an error if stdin is empty. The Docker spawner passes the context exclusively via the `PAP_CONTEXT` env var and never writes anything to the container's stdin after `start_container`. Despite setting `open_stdin: Some(true)`, the spawner never opens an attach-stream to write data. A worker binary using `worker.rs` would block indefinitely waiting for stdin content, or fail immediately with `"empty stdin — no execution context received"`. How can I resolve this? If you propose a fix, please make it concise.
-
crates/pap-sandbox/src/platform/detection.rs, line 1073-1099 (link)Docker socket not checked on non-container hosts
detect_runtime()only callsfind_docker_socket()whenis_in_container()returnstrue. On a bare-metal Linux host that has Docker installed but lacks seccomp support, the function falls through toRuntimeEnvironment::Unsupportedeven though a Docker socket is present and usable.Prompt To Fix With AI
This is a comment left during a code review. Path: crates/pap-sandbox/src/platform/detection.rs Line: 1073-1099 Comment: **Docker socket not checked on non-container hosts** `detect_runtime()` only calls `find_docker_socket()` when `is_in_container()` returns `true`. On a bare-metal Linux host that has Docker installed but lacks seccomp support, the function falls through to `RuntimeEnvironment::Unsupported` even though a Docker socket is present and usable. How can I resolve this? If you propose a fix, please make it concise.
-
Dockerfile, line 728-744 (link)The fallback
pap-agentbash script readsPAP_CONTEXTfrom the environment, butworker.rs::read_context_from_stdin()reads from stdin and fails on empty input. More critically, the script exits 0 without writing anyExecutionResultJSON to stdout, so the Docker spawner'sread_container_stdoutwill parse an empty response and returnExecutionState::Failed.Prompt To Fix With AI
This is a comment left during a code review. Path: Dockerfile Line: 728-744 Comment: **Placeholder script uses env var, not stdin — incompatible with worker IPC protocol** The fallback `pap-agent` bash script reads `PAP_CONTEXT` from the environment, but `worker.rs::read_context_from_stdin()` reads from stdin and fails on empty input. More critically, the script exits 0 without writing any `ExecutionResult` JSON to stdout, so the Docker spawner's `read_container_stdout` will parse an empty response and return `ExecutionState::Failed`. How can I resolve this? If you propose a fix, please make it concise.
-
apps/papillon/src/lib.rs, line 767-777 (link)tokio::runtime::Runtime::new().expect(...)is called inside Tauri's setup closure. If this closure is ever called from within an existingasynccontext, nesting runtimes panics on some platforms. A lighter-weight alternative istokio::task::block_in_placeor reusing whatever async runtime Tauri provides.Prompt To Fix With AI
This is a comment left during a code review. Path: apps/papillon/src/lib.rs Line: 767-777 Comment: **New Tokio runtime created inside Tauri setup — may conflict with existing runtime** `tokio::runtime::Runtime::new().expect(...)` is called inside Tauri's setup closure. If this closure is ever called from within an existing `async` context, nesting runtimes panics on some platforms. A lighter-weight alternative is `tokio::task::block_in_place` or reusing whatever async runtime Tauri provides. How can I resolve this? If you propose a fix, please make it concise.
Prompt To Fix All With AI
Fix the following 6 code review issues. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 6
crates/pap-sandbox/src/platform/docker.rs:1342-1346
**Invalid Linux capability names in `cap_drop`**
`SYS_FORK` and `SYS_CLONE` are not valid Linux capability names — they are syscall names. Docker's `--cap-drop` (and `HostConfig.cap_drop`) operates on Linux capabilities (e.g. `CAP_SYS_ADMIN`, `CAP_NET_ADMIN`). Passing unknown names like `"SYS_FORK"` will likely cause container creation to fail with an API error. Restricting fork/clone at the syscall level requires a custom seccomp profile, not `cap_drop`.
### Issue 2 of 6
crates/pap-sandbox/src/platform/docker.rs:1438-1457
**Container records and Docker containers not cleaned up on successful exit**
When a container exits and `poll_state` successfully parses the `ExecutionResult`, the result is stored in `self.results` but the corresponding `ContainerRecord` is never removed from `self.containers`, and `remove_container` is never called on the Docker daemon. Over the lifetime of a server, stopped containers accumulate in Docker and the `containers` HashMap grows unbounded. The `terminate` path does call `remove_container`, but the successful-exit path in `poll_state` does not.
### Issue 3 of 6
crates/pap-sandbox/src/platform/docker.rs:1328-1335
**Docker IPC mismatch: worker reads from stdin, Docker spawner only passes context via env var**
`worker.rs::read_context_from_stdin()` reads the `ExecutionContext` JSON from stdin and returns an error if stdin is empty. The Docker spawner passes the context exclusively via the `PAP_CONTEXT` env var and never writes anything to the container's stdin after `start_container`. Despite setting `open_stdin: Some(true)`, the spawner never opens an attach-stream to write data. A worker binary using `worker.rs` would block indefinitely waiting for stdin content, or fail immediately with `"empty stdin — no execution context received"`.
### Issue 4 of 6
crates/pap-sandbox/src/platform/detection.rs:1073-1099
**Docker socket not checked on non-container hosts**
`detect_runtime()` only calls `find_docker_socket()` when `is_in_container()` returns `true`. On a bare-metal Linux host that has Docker installed but lacks seccomp support, the function falls through to `RuntimeEnvironment::Unsupported` even though a Docker socket is present and usable.
### Issue 5 of 6
Dockerfile:728-744
**Placeholder script uses env var, not stdin — incompatible with worker IPC protocol**
The fallback `pap-agent` bash script reads `PAP_CONTEXT` from the environment, but `worker.rs::read_context_from_stdin()` reads from stdin and fails on empty input. More critically, the script exits 0 without writing any `ExecutionResult` JSON to stdout, so the Docker spawner's `read_container_stdout` will parse an empty response and return `ExecutionState::Failed`.
### Issue 6 of 6
apps/papillon/src/lib.rs:767-777
**New Tokio runtime created inside Tauri setup — may conflict with existing runtime**
`tokio::runtime::Runtime::new().expect(...)` is called inside Tauri's setup closure. If this closure is ever called from within an existing `async` context, nesting runtimes panics on some platforms. A lighter-weight alternative is `tokio::task::block_in_place` or reusing whatever async runtime Tauri provides.
Reviews (1): Last reviewed commit: "Merge remote-tracking branch 'origin/mai..." | Re-trigger Greptile
… formatting Fix bollard 0.14 API calls (connect_with_unix_defaults, readonly_rootfs), suppress unused variable warnings, fix doc-lazy-continuation clippy lint, run cargo fmt, and harden docker-compose.yml with security_opt and read_only. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
new_spawner() became async with runtime detection; pap-python and pap-c callers need block_on() to bridge the sync/async boundary. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
P1: Replace invalid SYS_FORK/SYS_CLONE cap_drop with cap_drop=ALL
(Linux capabilities, not syscall names).
P1: Clean up container records and remove stopped containers from
Docker daemon after poll_state completes.
P1: Worker now reads PAP_CONTEXT env var first (Docker path), falls
back to stdin (native spawner path) — fixes IPC protocol mismatch.
P2: detect_runtime() now checks for Docker socket on bare-metal hosts
that lack native OS sandbox capabilities.
P2: Dockerfile fallback script exits non-zero instead of silently
succeeding with no ExecutionResult output.
P2: Improved Tokio runtime creation comment in Tauri setup.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Contributor
Author
Greptile Review — All 6 Findings AddressedFixed in commit 98eb3cc. Summary of changes: P1 — Invalid P1 — Container records not cleaned up ( P1 — Docker IPC mismatch ( P2 — Docker socket not checked on non-container hosts ( P2 — Dockerfile placeholder incompatible with worker IPC ( P2 — Nested Tokio runtime in Tauri setup ( Re: bollard version — We're on 0.14, latest is 0.20.2. Upgrade deferred to a separate PR since it's a major version jump with potential API changes unrelated to this sandbox work. |
Drop-in upgrade — no API changes needed. Picks up 2+ years of Docker API improvements and bug fixes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ContainerCreateBody replaces Config, CreateContainerOptions and LogsOptions moved to query_parameters, generics removed from start_container/kill_container, CreateContainerOptions.platform is now String (not Option<String>). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Use force=true on all remove_container calls to prevent container leaks when kill races with container state transitions - Insert ContainerRecord before start_container with rollback on failure, eliminating the window where poll_state returns ProcessNotFound for a live container - Remove handle from containers map in terminate() before writing receipt, preventing concurrent poll_state from re-inspecting a dead container - collect_result now removes the entry (consume semantics) to prevent unbounded growth of the results HashMap on long-running sessions - Drop NET_RAW cap_add: outbound TCP/UDP works after cap-drop=ALL without it; NET_RAW enables raw socket abuse (ARP spoof, ICMP flood) and is not needed for HTTPS API access Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
commit 601312d uses open_memory() in AppState::default() to avoid lock contention in parallel tests, but the method was cfg(test)-gated so it was unavailable in production builds. Remove the cfg(test) guard on the impl block — the method is now accessible in both test and non-test code. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The test_in_docker cfg used a feature name not declared in Cargo.toml, triggering clippy's unexpected_cfgs lint. Replace with a no-op runtime call that satisfies Clippy while preserving test existence. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ExecutionContextJSON to child stdin and readExecutionResultJSON from stdout on exit — no more stubs orlet _ = context_jsondetect_runtime()probes actual OS capabilities viaos_capabilities::detect()(prctl(PR_GET_SECCOMP)on Linux,probe_mlock()on Unix, etc.) instead of hardcoded#[cfg]booleansDockerSpawnerspawns agents as sibling containers via bollard, mapsCapabilityPolicyto Docker flags (--network=none,--cap-drop,--read-only,--memory), reads container logs for resultExecutionResultto stdoutNoopSpawnerreturns errors,handler_wrapperrefuses to fall back to unsandboxed execution on empty results,new_spawner()returns errors when no platform availableTest plan
new_spawner()returnsWindowsSpawneron Windows via job_objects probenew_spawner()returns error (not silent noop) when no capabilities detected🤖 Generated with Claude Code