Re-scope sandbox requirements after removing bundled linters #46

Closed
opened 2026-05-02 19:41:40 -07:00 by jwilger · 0 comments
Owner

Problem

#10 assumed the gateway must execute arbitrary bundled linters against PR contents and therefore needed a mandatory sandbox image at startup. If #45 removes bundled linter execution, the sandbox boundary should be re-evaluated instead of preserving a linter-driven startup requirement.

Direction

After linter removal, audit the remaining runtime paths that inspect or modify workspaces: semantic review, read/search workspace tools, chat commands such as re-review/autofix/docstring/tests, and any future tool-use. Require isolation only where the remaining threat model demands it.

Acceptance

  • Enumerate every remaining gateway/orchestrator path that reads, writes, or executes against PR workspace contents.
  • Decide whether each path needs process/container isolation, pure path confinement, Forgejo-side checkout only, or no sandbox.
  • Remove AR_SANDBOX_IMAGE as a gateway startup requirement if no remaining default path executes untrusted code.
  • If any unsafe execution path remains, gate that feature specifically with a clear fail-closed configuration instead of requiring a linter image globally.
  • Update docs/THREAT-MODEL.md, ADR-0002 if needed, deployment docs, and tests to match the new boundary.

Dependencies

Blocked by: #45.

Supersedes: #10 after the linter-removal architecture lands.
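One way to express the "gate that feature specifically, fail closed" acceptance item in code, as an added illustration that is not the auto_review project's own code: it assumes a hypothetical inventory of workspace-touching paths (names approximating those listed above), a `default_on` flag per path, and a single startup check that only demands `AR_SANDBOX_IMAGE` when an enabled path actually executes PR contents.

```python
# Added illustration (not the auto_review project's own code). It assumes a
# hypothetical inventory of workspace-touching paths and one startup check.
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    READ = "read"          # inspects PR contents only
    WRITE = "write"        # modifies files inside the checkout
    EXECUTE = "execute"    # runs code or tools taken from the PR (untrusted)


class Isolation(Enum):
    PATH_CONFINEMENT = "path-confinement"   # confine to the workspace root
    CONTAINER = "container"                 # needs the sandbox image


@dataclass(frozen=True)
class WorkspacePath:
    name: str
    access: Access
    default_on: bool = True


# Hypothetical inventory; names approximate the paths listed in the issue.
PATHS = (
    WorkspacePath("semantic_review", Access.READ),
    WorkspacePath("workspace_read_search", Access.READ),
    WorkspacePath("chat_docstring", Access.WRITE),
    WorkspacePath("chat_autofix", Access.WRITE),
    WorkspacePath("chat_tests", Access.EXECUTE, default_on=False),
)


def required_isolation(path):
    """Only paths that execute PR-controlled code need a container."""
    if path.access is Access.EXECUTE:
        return Isolation.CONTAINER
    return Isolation.PATH_CONFINEMENT


def validate_startup(env, paths=PATHS, feature_flags=None):
    """Return the enabled paths that need a container; fail closed if any is
    enabled while AR_SANDBOX_IMAGE is unset, rather than run unisolated."""
    flags = feature_flags or {}
    enabled = [p for p in paths if flags.get(p.name, p.default_on)]
    needs = [p.name for p in enabled
             if required_isolation(p) is Isolation.CONTAINER]
    if needs and not env.get("AR_SANDBOX_IMAGE", "").strip():
        raise RuntimeError("AR_SANDBOX_IMAGE required for: " + ", ".join(needs))
    return needs
```

With the default inventory no path executes PR contents, so startup succeeds without the image; enabling the hypothetical `chat_tests` path without `AR_SANDBOX_IMAGE` aborts startup.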

Reference
Slipstream/auto_review#46