Slipstream/auto_review
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases 27 Packages Activity Actions

fix(review): rescope normal sandbox runtime #67

Merged
jwilger merged 6 commits from issue-46-sandbox-rescope into main 2026-05-03 21:42:31 -07:00
Conversation 5 Commits 6 Files changed 82 +726 -10934
jwilger commented 2026-05-03 19:42:35 -07:00
Owner
Copy link

Summary

  • Complete the issue #46 sandbox rescope: normal review runtime reports sandbox: "not-used", ignores legacy AR_SANDBOX_IMAGE, and documents remaining workspace access paths.
  • Harden workspace Git clone/fetch/checkout by routing Git through a hermetic command wrapper that ignores ambient config, templates/hooks, object/worktree/index overrides, askpass helpers, terminal prompts, and SSH command overrides.
  • Update threat model, ADR, operator docs, quickstart, README, systemd env example, ar-sandbox README, and changelog.

Verification

  • nix develop -c cargo fmt --all -- --check
  • nix develop -c cargo clippy --workspace --all-targets -- -D warnings
  • nix develop -c cargo nextest run -p ar-review git_helper_ignores hermetic_git_command_removes
  • nix develop -c cargo nextest run -p ar-gateway normal_review_runtime
  • nix develop -c env -u FORGEJO_BASE_URL -u AR_FORGEJO_TOKEN -u FORGEJO_TOKEN -u LLM_REASONING_MODEL -u LLM_API_KEY -u LLM_BASE_URL cargo nextest run --workspace --no-tests=pass

Closes #46.

## Summary - Complete the issue #46 sandbox rescope: normal review runtime reports `sandbox: "not-used"`, ignores legacy `AR_SANDBOX_IMAGE`, and documents remaining workspace access paths. - Harden workspace Git clone/fetch/checkout by routing Git through a hermetic command wrapper that ignores ambient config, templates/hooks, object/worktree/index overrides, askpass helpers, terminal prompts, and SSH command overrides. - Update threat model, ADR, operator docs, quickstart, README, systemd env example, ar-sandbox README, and changelog. ## Verification - `nix develop -c cargo fmt --all -- --check` - `nix develop -c cargo clippy --workspace --all-targets -- -D warnings` - `nix develop -c cargo nextest run -p ar-review git_helper_ignores hermetic_git_command_removes` - `nix develop -c cargo nextest run -p ar-gateway normal_review_runtime` - `nix develop -c env -u FORGEJO_BASE_URL -u AR_FORGEJO_TOKEN -u FORGEJO_TOKEN -u LLM_REASONING_MODEL -u LLM_API_KEY -u LLM_BASE_URL cargo nextest run --workspace --no-tests=pass` Closes #46.
fix(review): rescope normal sandbox runtime
All checks were successful
auto_review auto_review: no findings
CI / Nix flake check (pull_request) Successful in 1m58s
Details
de8079827a
auto-review approved these changes 2026-05-03 19:42:53 -07:00
Dismissed
auto-review left a comment
Copy link

This PR addresses issue #46 by rescoping the normal sandbox runtime, removing the need for a sandbox image in the normal review runtime, and hardening Git operations. The changes appear well-documented and tested, making the PR safe to merge.

Walkthrough

  • CHANGELOG.md: Updated to reflect the rescope of the normal runtime sandbox, emphasizing the removal of the sandbox image requirement.
  • QUICKSTART.md: Clarified that no sandbox image is needed for the normal review runtime, aligning with the new operational model.
  • README.md: Updated to indicate the retention of the sandbox abstraction for future features, not for the current runtime.
  • crates/ar-gateway/src/main.rs: Introduced a function to return 'not-used' for the sandbox label, reflecting the new runtime behavior.
  • crates/ar-review/src/workspace.rs: Added a hermetic Git command function to ensure Git operations are isolated from ambient configurations, enhancing security.
  • crates/ar-sandbox/README.md: Revised to reflect the sandbox's status as a retained feature for future execution needs.
  • deploy/systemd/auto_review.env.example: Updated to state that no sandbox image is required for the normal review runtime.
  • docs/ADR-0002-sandbox.md: Comprehensive update to include the issue #46 rescope, detailing the new operational model.
  • docs/OPERATIONS.md: Noted the removal of the sandbox image requirement for the normal review runtime.
  • docs/THREAT-MODEL.md: Updated to include the hermetic Git command wrapper, a critical security measure.
This PR addresses issue #46 by rescoping the normal sandbox runtime, removing the need for a sandbox image in the normal review runtime, and hardening Git operations. The changes appear well-documented and tested, making the PR safe to merge. ## Walkthrough - **CHANGELOG.md**: Updated to reflect the rescope of the normal runtime sandbox, emphasizing the removal of the sandbox image requirement. - **QUICKSTART.md**: Clarified that no sandbox image is needed for the normal review runtime, aligning with the new operational model. - **README.md**: Updated to indicate the retention of the sandbox abstraction for future features, not for the current runtime. - **crates/ar-gateway/src/main.rs**: Introduced a function to return 'not-used' for the sandbox label, reflecting the new runtime behavior. - **crates/ar-review/src/workspace.rs**: Added a hermetic Git command function to ensure Git operations are isolated from ambient configurations, enhancing security. - **crates/ar-sandbox/README.md**: Revised to reflect the sandbox's status as a retained feature for future execution needs. - **deploy/systemd/auto_review.env.example**: Updated to state that no sandbox image is required for the normal review runtime. - **docs/ADR-0002-sandbox.md**: Comprehensive update to include the issue #46 rescope, detailing the new operational model. - **docs/OPERATIONS.md**: Noted the removal of the sandbox image requirement for the normal review runtime. - **docs/THREAT-MODEL.md**: Updated to include the hermetic Git command wrapper, a critical security measure.
jwilger reviewed 2026-05-03 20:27:52 -07:00
jwilger left a comment
Copy link

I don't think we need the leftover sandbox stuff in here at all. We can add it back easily enough if that changes. We really shouldn't need to run any potentially unsafe things in the review aside from git; anything else should be executed in a CI runner.

And also, in deployed usage we should be running the entire review process in some type of sandbox like a docker container or other isolation that wraps the entire ar-gateway. Maybe we should set that up as part of this ticket? I think we already basically have a Docker image defined, right? But we should use Nix to create the docker image so that it is as lightweight and secure as we can possibly get it. Our CI build could create the image via nix and publish the image in our git.johnwilger.com package repo.

I don't think we need the leftover sandbox stuff in here at all. We can add it back easily enough if that changes. We really shouldn't need to run any potentially unsafe things in the review aside from git; anything else should be executed in a CI runner. And also, in deployed usage we should be running the entire review process in some type of sandbox like a docker container or other isolation that wraps the entire ar-gateway. Maybe we should set that up as part of this ticket? I think we already basically have a Docker image defined, right? But we should use Nix to create the docker image so that it is as lightweight and secure as we can possibly get it. Our CI build could create the image via nix and publish the image in our git.johnwilger.com package repo.
QUICKSTART.md Outdated
@ -249,1 +249,4 @@
No sandbox image env var is required for the normal gateway/orchestrator review
runtime. Deterministic linters, tests, and builds run in CI before the semantic
review trigger; `GET /info` reports `sandbox: "not-used"`.
jwilger commented 2026-05-03 19:49:59 -07:00
Author
Owner
Copy link

Why not just remove the concept of "sandbox" entirely here? What is the benefit of keeping it and just saying it isn't used?

Why not just remove the concept of "sandbox" entirely here? What is the benefit of keeping it and just saying it isn't used?
jwilger commented 2026-05-03 21:16:27 -07:00
Author
Owner
Copy link

Reflection: I kept the sandbox field as a compatibility placeholder instead of following the rescope all the way through the public surface. Classification: one-off YAGNI cleanup, not a new guardrail gap. Remediation: removed the normal-runtime sandbox field from gateway /info and CLI status, removed stale chat sandbox wording, and removed the retired linter/sandbox crates from the active workspace. Verification includes focused gateway/CLI tests, workspace nextest with ambient env cleared, clippy, deny, and Nix image build.

Reflection: I kept the `sandbox` field as a compatibility placeholder instead of following the rescope all the way through the public surface. Classification: one-off YAGNI cleanup, not a new guardrail gap. Remediation: removed the normal-runtime sandbox field from gateway `/info` and CLI status, removed stale chat sandbox wording, and removed the retired linter/sandbox crates from the active workspace. Verification includes focused gateway/CLI tests, workspace nextest with ambient env cleared, clippy, deny, and Nix image build.
README.md Outdated
@ -82,2 +82,2 @@
| `ar-tools` | Legacy static-analysis runners retained while runtime linter execution is retired |
| `ar-sandbox` | Sandbox abstraction retained pending issue #46 rescope |
| `ar-tools` | Legacy static-analysis runners retained outside normal review runtime |
| `ar-sandbox` | Sandbox abstraction retained for future execution features and tests |
jwilger commented 2026-05-03 19:50:15 -07:00
Author
Owner
Copy link

YAGNI

YAGNI
jwilger commented 2026-05-03 21:16:40 -07:00
Author
Owner
Copy link

Reflection: I documented a future-facing sandbox abstraction instead of deleting the unused surface. Classification: one-off YAGNI cleanup. Remediation: removed ar-sandbox and the legacy ar-tools runners from the workspace, updated crate tables/docs to stop advertising them, and rewrote ADR-0002 as historical context only.

Reflection: I documented a future-facing sandbox abstraction instead of deleting the unused surface. Classification: one-off YAGNI cleanup. Remediation: removed `ar-sandbox` and the legacy `ar-tools` runners from the workspace, updated crate tables/docs to stop advertising them, and rewrote ADR-0002 as historical context only.
crates/ar-sandbox/README.md Outdated
@ -5,3 +3,1 @@
linters and no longer wire this crate through the gateway. The original
linter-execution use case is preserved as historical context in
ADR-0002.
Sandbox abstraction retained for future features that explicitly need an
jwilger commented 2026-05-03 20:22:54 -07:00
Author
Owner
Copy link

YAGNI

YAGNI
jwilger commented 2026-05-03 21:16:40 -07:00
Author
Owner
Copy link

Reflection: I preserved the crate as speculative future work instead of forcing any future execution feature to reintroduce only what it needs. Classification: one-off YAGNI cleanup. Remediation: deleted the ar-sandbox crate and updated the threat model/ADR/runbooks so no live sandbox crate or escape harness is advertised for normal review runtime.

Reflection: I preserved the crate as speculative future work instead of forcing any future execution feature to reintroduce only what it needs. Classification: one-off YAGNI cleanup. Remediation: deleted the `ar-sandbox` crate and updated the threat model/ADR/runbooks so no live sandbox crate or escape harness is advertised for normal review runtime.
jwilger commented 2026-05-03 21:16:46 -07:00
Author
Owner
Copy link

Addressed the feedback locally:

  • Removed the remaining normal-runtime sandbox public surface from gateway /info, CLI status, and chat docs/metadata.
  • Deleted the retired ar-tools and ar-sandbox crates from the active workspace instead of retaining speculative execution abstractions.
  • Reframed ADR/threat-model/runbook docs around CI-owned deterministic execution and historical linter-sandbox context only.
  • Added a Nix-built .#ar-gateway-image and nix run .#dev-gateway-container watcher that rebuilds, loads, and relaunches the deploy-shaped container locally.

Verification run locally: fmt, clippy, nextest with ambient env cleared, cargo deny licenses/bans/sources, Nix flake eval, and nix build .#ar-gateway-image.

Addressed the feedback locally: - Removed the remaining normal-runtime `sandbox` public surface from gateway `/info`, CLI status, and chat docs/metadata. - Deleted the retired `ar-tools` and `ar-sandbox` crates from the active workspace instead of retaining speculative execution abstractions. - Reframed ADR/threat-model/runbook docs around CI-owned deterministic execution and historical linter-sandbox context only. - Added a Nix-built `.#ar-gateway-image` and `nix run .#dev-gateway-container` watcher that rebuilds, loads, and relaunches the deploy-shaped container locally. Verification run locally: fmt, clippy, nextest with ambient env cleared, cargo deny licenses/bans/sources, Nix flake eval, and `nix build .#ar-gateway-image`.
fix(review): remove retired sandbox runtime
Some checks failed
CI / Nix flake check (pull_request) Has been cancelled
Details
0b5481013e
jwilger dismissed auto-review's review 2026-05-03 21:18:37 -07:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

fix(dev): load image without podman policy
All checks were successful
CI / Nix flake check (pull_request) Successful in 13s
Details
e307cf4782
fix(dev): pass host env to gateway container
All checks were successful
CI / Nix flake check (pull_request) Successful in 6s
Details
7f0757ac2c
fix(dev): bind gateway watcher to dev port
All checks were successful
CI / Nix flake check (pull_request) Successful in 5s
Details
auto_review auto_review: no findings
fb47fa75bf
auto-review approved these changes 2026-05-03 21:29:25 -07:00
Dismissed
auto-review left a comment
Copy link

This PR removes the ar-tools and ar-sandbox components, rescoping the normal sandbox runtime and updating documentation to reflect these changes. It introduces a hermetic Git command to enhance security and reliability. The changes appear well-structured, but ensure thorough testing and documentation updates.

Walkthrough

  • AGENTS.md: Updated to suggest using nix run .#dev-gateway-container for development, removing references to ar-tools and ar-sandbox.
  • CHANGELOG.md: Documents the removal of runtime linter sandbox and updates related to the sandbox rescope.
  • CONTRIBUTING.md: Removed references to ar-tools and ar-sandbox, indicating a shift in project architecture.
  • Cargo.toml: ar-tools and ar-sandbox removed from the project, reflecting their deprecation.
  • QUICKSTART.md: Emphasizes that the gateway does not execute repo-controlled tools, aligning with the new architecture.
  • README.md: Updated to reflect the removal of ar-tools and ar-sandbox, ensuring consistency in documentation.
  • ar-gateway/src/lib.rs, main.rs, webhook.rs: Removed sandbox field from GatewayInfo, indicating a change in sandbox handling.
  • ar-review/src/workspace.rs: Introduced hermetic_git_command to isolate Git command execution from the environment, with new tests to ensure reliability.
This PR removes the `ar-tools` and `ar-sandbox` components, rescoping the normal sandbox runtime and updating documentation to reflect these changes. It introduces a hermetic Git command to enhance security and reliability. The changes appear well-structured, but ensure thorough testing and documentation updates. ## Walkthrough - **AGENTS.md**: Updated to suggest using `nix run .#dev-gateway-container` for development, removing references to `ar-tools` and `ar-sandbox`. - **CHANGELOG.md**: Documents the removal of runtime linter sandbox and updates related to the sandbox rescope. - **CONTRIBUTING.md**: Removed references to `ar-tools` and `ar-sandbox`, indicating a shift in project architecture. - **Cargo.toml**: `ar-tools` and `ar-sandbox` removed from the project, reflecting their deprecation. - **QUICKSTART.md**: Emphasizes that the gateway does not execute repo-controlled tools, aligning with the new architecture. - **README.md**: Updated to reflect the removal of `ar-tools` and `ar-sandbox`, ensuring consistency in documentation. - **ar-gateway/src/lib.rs, main.rs, webhook.rs**: Removed `sandbox` field from `GatewayInfo`, indicating a change in sandbox handling. - **ar-review/src/workspace.rs**: Introduced `hermetic_git_command` to isolate Git command execution from the environment, with new tests to ensure reliability.
fix(dev): map host port to gateway port
All checks were successful
auto_review auto_review: no findings
CI / Nix flake check (pull_request) Successful in 5s
Details
9a19c2a727
jwilger dismissed auto-review's review 2026-05-03 21:33:11 -07:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

auto-review approved these changes 2026-05-03 21:33:37 -07:00
auto-review left a comment
Copy link

This PR removes the ar-tools and ar-sandbox crates, rescoping the sandbox runtime to exclude legacy linter execution. It also hardens Git operations by using a hermetic command wrapper. The changes appear safe to merge, but ensure all dependencies on the removed crates are updated.

Walkthrough

  • Cargo.toml: Removed ar-tools and ar-sandbox from the workspace, reflecting the removal of these crates.
  • crates/ar-review/src/workspace.rs: Introduced a hermetic Git command wrapper to ensure Git operations are isolated from ambient configurations and environment variables.
  • Documentation: Updated various documentation files to reflect the removal of the sandbox and tools crates, and the new Git command handling.
  • Tests: Added tests to ensure the hermetic Git command ignores ambient configurations and environment variables.
This PR removes the `ar-tools` and `ar-sandbox` crates, rescoping the sandbox runtime to exclude legacy linter execution. It also hardens Git operations by using a hermetic command wrapper. The changes appear safe to merge, but ensure all dependencies on the removed crates are updated. ## Walkthrough - **Cargo.toml**: Removed `ar-tools` and `ar-sandbox` from the workspace, reflecting the removal of these crates. - **crates/ar-review/src/workspace.rs**: Introduced a hermetic Git command wrapper to ensure Git operations are isolated from ambient configurations and environment variables. - **Documentation**: Updated various documentation files to reflect the removal of the sandbox and tools crates, and the new Git command handling. - **Tests**: Added tests to ensure the hermetic Git command ignores ambient configurations and environment variables.
jwilger referenced this pull request from a commit 2026-05-05 12:18:07 -07:00
chore: release v0.1.0 (#94)
Sign in to join this conversation.
Reviewers
No reviewers
auto-review
Labels
Clear labels   
bug

   
discussion

   
enhancement
  
bug
Something is not working

  
duplicate
This issue or pull request already exists

  
enhancement
New feature

  
help wanted
Need some help

  
invalid
Something is wrong

  
question
More information is needed

  
wontfix
This won't be fixed

No labels
bug
discussion
enhancement
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Slipstream/auto_review!67
No description provided.