feat: support configurable command sandboxing via sandbox-runtime #11773

Draft
roomote[bot] wants to merge 1 commit into main from feature/command-sandboxing

@roomote roomote bot commented Feb 26, 2026

Related GitHub Issue

Closes: #11771

Description

This PR attempts to address Issue #11771 by adding configurable command sandboxing support using Anthropic's sandbox-runtime (srt) CLI tool. Feedback and guidance are welcome.

Key implementation details:

  • SandboxManager (src/integrations/terminal/sandbox/SandboxManager.ts): Singleton that reads VS Code configuration and returns either an SrtSandbox (when sandboxing is enabled) or a NoOpSandbox (passthrough when disabled). Caches the sandbox instance and invalidates when config changes.

  • SrtSandbox (src/integrations/terminal/sandbox/SrtSandbox.ts): Wraps commands with srt exec to provide network/filesystem isolation via Linux namespaces. Uses the srt CLI tool as recommended in the issue discussion (rather than the library), which works for both VSCode shell integration terminals and execa terminals since it wraps at the command string level.

  • NoOpSandbox (src/integrations/terminal/sandbox/NoOpSandbox.ts): Passthrough that returns commands unchanged when sandboxing is disabled.

  • Integration point: executeCommandInTerminal() in ExecuteCommandTool.ts wraps commands through SandboxManager.wrapCommand() before passing them to terminal.runCommand().

Configuration settings added to package.json:

  • commandSandboxEnabled (boolean, default: false) - toggle sandboxing
  • commandSandboxNetworkPolicy ("allow" | "deny", default: "deny") - network access
  • commandSandboxWritePolicy ("allow" | "deny", default: "allow") - filesystem writes
  • commandSandboxAllowedPaths (string[]) - bind-mounted paths
  • commandSandboxDeniedPaths (string[]) - denied paths

Test Procedure

  • 23 new unit tests across 3 test files covering SrtSandbox, NoOpSandbox, and SandboxManager
  • All existing executeCommand tests continue to pass (23 tests)
  • Run tests: cd src && npx vitest run integrations/terminal/sandbox/__tests__/
  • Run existing command tests: cd src && npx vitest run core/tools/__tests__/executeCommand.spec.ts core/tools/__tests__/executeCommandTool.spec.ts

Pre-Submission Checklist

  • Issue Linked: This PR is linked to an approved GitHub Issue (see "Related GitHub Issue" above).
  • Scope: My changes are focused on the linked issue (one major feature/fix per PR).
  • Self-Review: I have performed a thorough self-review of my code.
  • Testing: New and/or updated tests have been added to cover my changes.
  • Documentation Impact: NLS strings added for all new settings. Further docs may be needed for end-user setup instructions (installing srt).
  • Contribution Guidelines: I have read and agree to the Contributor Guidelines.

Documentation Updates

  • English NLS strings added for all 5 new configuration settings
  • Other language NLS files will need translations added in a follow-up

Adds support for running agent commands in an isolated environment
using Anthropic's sandbox-runtime `srt` CLI tool, addressing #11771.

Changes:
- Add sandbox configuration settings to package.json (commandSandboxEnabled,
  commandSandboxNetworkPolicy, commandSandboxWritePolicy,
  commandSandboxAllowedPaths, commandSandboxDeniedPaths)
- Create SandboxManager abstraction with SrtSandbox and NoOpSandbox
  implementations in src/integrations/terminal/sandbox/
- Integrate sandbox command wrapping into executeCommandInTerminal
- Add comprehensive tests (23 tests across 3 test files)
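
The wrapping scheme described in this PR, sketched as an added example (not code from this PR or from sandbox-runtime): a manager that caches the chosen sandbox until the configuration changes, and a wrapper that shell-quotes the command so it reaches the sandbox as one argument. The class shapes, `shellQuote`, and passing the command to `srt exec` as a single quoted argument are assumptions; no srt options are set because the page does not show them.

```typescript
// Added example with hypothetical names; not the PR's implementation.
interface CommandSandbox {
  wrapCommand(command: string): string
}

// POSIX single-quote escaping: close the quote, emit \', reopen the quote.
function shellQuote(arg: string): string {
  if (arg.includes("\0")) throw new Error("NUL byte in command")
  return "'" + arg.replace(/'/g, `'\\''`) + "'"
}

class NoOpSandbox implements CommandSandbox {
  wrapCommand(command: string): string {
    return command // sandboxing disabled: passthrough
  }
}

class SrtSandbox implements CommandSandbox {
  wrapCommand(command: string): string {
    // Unquoted, "srt exec echo hi; id" would run `id` outside the sandbox,
    // because the terminal's shell splits on ';' before srt ever starts.
    return "srt exec " + shellQuote(command)
  }
}

class SandboxManager {
  private cached: CommandSandbox | undefined
  private readEnabled: () => unknown

  // readEnabled stands in for reading commandSandboxEnabled from settings.
  constructor(readEnabled: () => unknown) {
    this.readEnabled = readEnabled
  }

  // Call from the configuration-change listener.
  invalidate(): void {
    this.cached = undefined
  }

  wrapCommand(command: string): string {
    if (!this.cached) {
      // Strict comparison: only a real boolean true enables the sandbox.
      this.cached = this.readEnabled() === true ? new SrtSandbox() : new NoOpSandbox()
    }
    return this.cached.wrapCommand(command)
  }
}
```

If `invalidate()` is not wired to the settings change event, enabling `commandSandboxEnabled` has no effect until the cache is rebuilt, so commands keep running unsandboxed.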

Development

Successfully merging this pull request may close these issues.

[ENHANCEMENT] Support configurable command sandboxing