<feed xmlns='http://www.w3.org/2005/Atom'>
<title>claudomator.git/internal/sandbox/dockersandbox_test.go, branch fix/dockersandbox-gitpush-host-security</title>
<subtitle>claudomator — task automation server
</subtitle>
<id>https://git.terst.org/claudomator.git/atom?h=fix%2Fdockersandbox-gitpush-host-security</id>
<link rel='self' href='https://git.terst.org/claudomator.git/atom?h=fix%2Fdockersandbox-gitpush-host-security'/>
<link rel='alternate' type='text/html' href='https://git.terst.org/claudomator.git/'/>
<updated>2026-07-03T09:21:32+00:00</updated>
<entry>
<title>feat(sandbox): add DockerSandbox + pre-tool-use guardrail hooks (Phase 3)</title>
<updated>2026-07-03T09:21:32+00:00</updated>
<author>
<name>Claude Sonnet 5</name>
<email>noreply@anthropic.com</email>
</author>
<published>2026-07-03T09:21:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.terst.org/claudomator.git/commit/?id=767ddade57f189827fa956ff8081ca47404a4798'/>
<id>urn:sha1:767ddade57f189827fa956ff8081ca47404a4798</id>
<content type='text'>
Gives native-API-driven agents (currently just the Phase 2 Anthropic
adapter) real container isolation, decoupled from model invocation --
the model call happens in the Go process via provider.Provider, only tool
execution happens in the container, unlike the CLI-subprocess ContainerRunner
(left completely untouched) where the claude/gemini CLI runs inside the
container.

- internal/sandbox/dockersandbox.go: Sandbox via a long-lived
  `docker run -d ... sleep infinity` container (started once per execution,
  not per tool call), host-side git clone + bind-mount matching
  ContainerRunner's existing pattern, docker exec for read/write/bash/glob.
  Reuses images/agent-base (claudomator-agent:latest) rather than
  standing up a second image. WorkDir()/resume persists the host bind-mount
  directory (matching HostSandbox's contract); a resumed sandbox lazily
  starts a fresh container against that directory rather than trying to
  reattach to a possibly-gone one.
- internal/sandbox/guard.go, hooks.go: Hook interface (CheckBash/CheckWrite),
  Guarded wrapper, DenylistBashHook (rm -rf /, force-push, curl|sh, sudo,
  chmod 777, dd if=) and ProtectedPathHook (.git/**, .env*, credentials/,
  .github/workflows/**). A rejection returns *RejectionError, which
  agentloop/tools.go now recognizes and feeds back to the model as a normal
  (non-fatal) tool-error result instead of aborting the run.
- NativeRunner wraps whichever Sandbox it builds (Host or Docker) in
  Guarded{Hooks: DefaultHooks()} uniformly. The "anthropic" runner now uses
  DockerSandbox; "local" stays on HostSandbox by design (local models are
  the harness's more-trusted, lower-stakes-to-run tier).

Docker is not installed in this dev environment (no docker/podman/containerd
on PATH), so DockerSandbox's real container-lifecycle behavior is verified
via mocked-command unit tests only -- go test -race ./... passes throughout,
with the two real-daemon integration tests gated behind a dockerAvailable(t)
check and skipping here. Live verification against an actual Docker host is
a follow-up before relying on the "anthropic" agent type in production.

Co-Authored-By: Claude Sonnet 5 &lt;noreply@anthropic.com&gt;
Claude-Session: https://claude.ai/code/session_01V1moSNCJRcP6kykA4tyUSs
</content>
</entry>
</feed>
