Make sandbox isolation mandatory; remove unsandboxed direct mode #10

Open
opened 2026-05-01 14:00:04 -07:00 by auto-review · 0 comments

Every gateway start emits this WARN — visible in our own dogfood logs:

```
WARN ar_gateway: sandbox: direct (NO ISOLATION). Set AR_SANDBOX_IMAGE for production deploys.
```

The gateway runs untrusted code (linters, parsers, optional tool-use) against arbitrary PR contents. The "direct mode" fallback when AR_SANDBOX_IMAGE is unset is a footgun: it Just Works for local development, which trains operators to ship without isolation. The threat model in docs/THREAT-MODEL.md and ADR-0002 already classify this as Kudelski-class RCE risk.

Premise: people can't be trusted to do the right thing — make the secure path the only path.

Proposed change:

1. **Remove direct mode in production builds.** `AR_SANDBOX_IMAGE` becomes required at startup; the gateway refuses to start without it (clear error message: "AR_SANDBOX_IMAGE is required; install Docker/Podman and set it to your sandbox image. See deploy/Dockerfile.sandbox.").
2. **Auto-detect the runtime.** Try podman first (rootless preferred), fall back to docker. Hard-fail if neither is on `$PATH`.
3. **Ship a default image.** Tag and publish `auto_review/sandbox:<version>` so operators don't need to build their own. Reference it in QUICKSTART so the lazy/copy-paste path is the secure path.
4. **Keep an opt-out for tests only.** `AR_DANGEROUSLY_DISABLE_SANDBOX=1` enables direct mode — env-var name carries the warning, gateway logs at `error` level, and it's documented as test-only. CI for this repo + integration tests can use it; nothing else should.

Touches: crates/ar-sandbox/, crates/ar-gateway/src/lib.rs (env-var validation at startup), docs/OPERATIONS.md, docs/THREAT-MODEL.md, deploy/{Dockerfile.sandbox,helm,systemd}, QUICKSTART.md.

Migration: existing operators get a hard error on first restart after upgrade. The error message links to QUICKSTART. Acceptable break since the unsafe default has always been documented as unsafe.

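One way the startup validation described in steps 1, 2 and 4 could be structured, as an added Rust sketch that is not code from the auto_review repo or from `crates/ar-gateway/src/lib.rs`. The `resolve_sandbox` function, the `SandboxMode` and `ConfigError` types, and the injected `exists` probe (so the `$PATH` lookup can be exercised offline) are assumptions; the env-var names, the error text and the podman-before-docker order come from the issue. The opt-out is honoured only when the variable is exactly `1`, and it is logged at error level as the issue asks.

```rust
use std::collections::HashMap;
use std::fmt;
use std::path::{Path, PathBuf};

/// Container runtime the gateway will hand untrusted PR contents to.
#[derive(Debug, PartialEq)]
pub enum Runtime {
    Podman,
    Docker,
}

/// Resolved sandbox configuration; `DangerouslyDirect` exists for tests only.
#[derive(Debug, PartialEq)]
pub enum SandboxMode {
    Isolated { runtime: Runtime, image: String },
    DangerouslyDirect,
}

/// Startup failures. Both are fatal: the gateway must not fall back to direct mode.
#[derive(Debug, PartialEq)]
pub enum ConfigError {
    MissingImage,
    NoRuntime,
}

impl fmt::Display for ConfigError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ConfigError::MissingImage => write!(
                f,
                "AR_SANDBOX_IMAGE is required; install Docker/Podman and set it to your \
                 sandbox image. See deploy/Dockerfile.sandbox."
            ),
            ConfigError::NoRuntime => write!(
                f,
                "no container runtime found: neither podman nor docker is on $PATH"
            ),
        }
    }
}

/// Return the first `dir/name` on `path_dirs` that `exists` reports as present.
/// `exists` is injected (hypothetical design choice) so the lookup is testable offline.
fn find_on_path(name: &str, path_dirs: &[PathBuf], exists: &dyn Fn(&Path) -> bool) -> Option<PathBuf> {
    path_dirs
        .iter()
        .map(|dir| dir.join(name))
        .find(|candidate| exists(candidate))
}

/// Decide the sandbox mode from an explicit environment map (assumed API, not the crate's own).
/// Order of checks: test-only opt-out, then required image, then runtime auto-detection.
pub fn resolve_sandbox(
    env: &HashMap<String, String>,
    exists: &dyn Fn(&Path) -> bool,
) -> Result<SandboxMode, ConfigError> {
    // Step 4: the opt-out is explicit, exact-match and logged at error level.
    if env.get("AR_DANGEROUSLY_DISABLE_SANDBOX").map(String::as_str) == Some("1") {
        eprintln!("ERROR ar_gateway: sandbox DISABLED via AR_DANGEROUSLY_DISABLE_SANDBOX=1 (test-only)");
        return Ok(SandboxMode::DangerouslyDirect);
    }

    // Step 1: no image means no start; an empty or whitespace value counts as unset.
    let image = env
        .get("AR_SANDBOX_IMAGE")
        .map(|s| s.trim())
        .filter(|s| !s.is_empty())
        .ok_or(ConfigError::MissingImage)?;

    // Step 2: podman first (rootless preferred), then docker, else hard-fail.
    let path_dirs: Vec<PathBuf> = env
        .get("PATH")
        .map(|p| std::env::split_paths(p).collect())
        .unwrap_or_default();
    let runtime = if find_on_path("podman", &path_dirs, exists).is_some() {
        Runtime::Podman
    } else if find_on_path("docker", &path_dirs, exists).is_some() {
        Runtime::Docker
    } else {
        return Err(ConfigError::NoRuntime);
    };

    Ok(SandboxMode::Isolated { runtime, image: image.to_string() })
}

/// Convenience wrapper over the real process environment and filesystem.
pub fn resolve_from_process_env() -> Result<SandboxMode, ConfigError> {
    let env: HashMap<String, String> = std::env::vars().collect();
    resolve_sandbox(&env, &|p: &Path| p.is_file())
}

fn main() {
    match resolve_from_process_env() {
        Ok(mode) => println!("sandbox: {:?}", mode),
        Err(e) => {
            eprintln!("ERROR ar_gateway: {e}");
            std::process::exit(2);
        }
    }
}
```

Keeping the decision in a pure function over a `HashMap` (rather than reading `std::env` inline) is what makes the three outcomes (missing image, no runtime, test-only opt-out) unit-testable without touching the host's real environment or `$PATH`.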
Reference
jwilger/auto_review#10