The GitHub Actions job "prek" on 
airflow-steward.git/fix-197-sandbox-project-roots has failed.
Run started by GitHub user potiuk (triggered by potiuk).

Head commit for run:
b8ffc45526425b9a0c8b47c714707b5f0a95aaa9 / Jarek Potiuk <[email protected]>
fix(#197): empirically verify sandbox protection + close Edit-tool bypass

Verified the project-local design's security claim empirically:
`echo >> .claude/settings.local.json` from inside a sandboxed
session fails with "operation not permitted". Claude Code's
built-in sandbox denyWithinAllow set covers
.claude/settings.{json,local.json} and .claude/skills/ at the
bubblewrap/Seatbelt syscall layer — not user-configurable, owned
by the harness. So a sandboxed Bash cannot mutate the file the
fix writes to.

Three follow-on changes:

- Edit/Write/MultiEdit agent tools bypass the sandbox (they're
  agent-direct, not Bash-subprocess). The dogfooded
  .claude/settings.json now includes
  Edit/Write/MultiEdit(.claude/settings.{json,local.json}) deny
  rules so the agent can't take the Edit-tool route either.

- The same protection blocks the framework's own helper when
  invoked from inside a sandboxed agent session. adopt /
  upgrade / worktree-init now invoke the helper with
  dangerouslyDisableSandbox: true after proposing the bypass to
  the operator, so sandbox-bypass-warn.sh fires as a backstop
  and every write is operator-approved. The post-checkout hook
  fired from a user terminal works without bypass (not
  sandboxed). All three paths are auditable.

- docs/setup/secure-agent-setup.md → Security rationale
  subsection rewritten to ground the claim in the empirical
  test result and to document the harness-owned protection
  + the Edit-tool deny rules + the bypass-on-invocation flow.

Closes #197.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Report URL: https://github.com/apache/airflow-steward/actions/runs/25997653963

With regards,
GitHub Actions via GitBox


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
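
The commit above describes closing the Edit/Write/MultiEdit route to `.claude/settings.{json,local.json}` with deny rules. The following audit check is an added example, not code from the commit or the airflow-steward project; it assumes Claude Code keeps such rules in a `permissions.deny` list of `Tool(specifier)` strings with `{a,b}` brace alternation in the path specifier, and it reports which agent-direct tool/file pairs a given settings file still leaves open.

```python
"""Audit: do the deny rules in a .claude/settings.json close every
agent-direct (non-Bash) route to the protected settings files?
Assumed format: {"permissions": {"deny": ["Edit(path-pattern)", ...]}}."""
import re
from fnmatch import fnmatchcase

PROTECTED_FILES = (".claude/settings.json", ".claude/settings.local.json")
AGENT_DIRECT_TOOLS = ("Edit", "Write", "MultiEdit")  # bypass the Bash sandbox
RULE_RE = re.compile(r"^(?P<tool>\w+)\((?P<spec>.*)\)$")
BRACE_RE = re.compile(r"\{([^{}]*)\}")


def expand_braces(spec):
    """Expand {a,b} alternation recursively into concrete patterns."""
    m = BRACE_RE.search(spec)
    if not m:
        return [spec]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(spec[:m.start()] + alt + spec[m.end():]))
    return out


def denied_paths(settings):
    """Map each agent-direct tool to the protected files its deny rules cover."""
    covered = {tool: set() for tool in AGENT_DIRECT_TOOLS}
    for rule in settings.get("permissions", {}).get("deny", []):
        m = RULE_RE.match(rule)
        if not m or m.group("tool") not in covered:
            continue
        for pattern in expand_braces(m.group("spec")):
            for path in PROTECTED_FILES:
                # fnmatchcase is an approximation of gitignore matching; exact
                # file paths, as used here, behave identically under both.
                if fnmatchcase(path, pattern):
                    covered[m.group("tool")].add(path)
    return covered


def missing_deny_rules(settings):
    """Return sorted (tool, path) pairs still writable via an agent-direct tool."""
    covered = denied_paths(settings)
    return sorted((t, p) for t in AGENT_DIRECT_TOOLS
                  for p in PROTECTED_FILES if p not in covered[t])


# Constructed samples: WEAK denies only Edit, so Write/MultiEdit remain open.
WEAK = {"permissions": {"deny": ["Edit(.claude/settings.{json,local.json})"]}}
HARDENED = {"permissions": {"deny": [
    f"{t}(.claude/settings.{{json,local.json}})" for t in AGENT_DIRECT_TOOLS]}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, missing_deny_rules(cfg) or "all agent-direct routes closed")
```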
