[IMP] Make bubble wrap less agressive for binding#27
Open
poma-odoo wants to merge 3 commits into
Open
Conversation
Contributor
|
@sea-odoo you played with bwrap more than I did, I'll let you review it |
sea-odoo
previously approved these changes
Jun 3, 2026
Author
|
Should I target main or beta? (or something else?) @sea-odoo |
Contributor
Beta please |
* [FIX] postgres: spawn ephemeral cluster in its own process group
`start_new_session=True` makes the ephemeral `postgres` leader head its own
process group so callers can kill the whole tree via `os.killpg()`. Without
it, postgres' worker backends survive a SIGTERM to the leader and linger
after the parent exits — which compounded over Ctrl+C'd `odev ai` runs into
half a dozen orphan postgres processes per session.
* [IMP] commands: hard-fail when chosen AI CLI binary is missing
Previously, if the chosen CLI (claude/gemini/copilot/opencode-cli) wasn't
on PATH, the agent was launched inside the sandbox anyway and either
crashed silently or returned an opaque "command not found". Detect the
missing binary up front and surface a clear install hint so the user can
recover without digging through sandbox logs.
* [ADD] Sandboxing support for macOS
Extracts the AI sandbox layer into a backend-agnostic abstraction and adds
a macOS Seatbelt (sandbox-exec) backend alongside the existing Linux bwrap
backend. The right backend is selected automatically by sys.platform.
Layout:
- common/sandbox/base.py - Sandbox ABC + ExecutionSpec dataclass
- common/sandbox/bwrap.py - Linux backend (moved from common/bwrap.py)
- common/sandbox/seatbelt.py - macOS backend (new)
- common/sandbox/__init__.py - get_sandbox() factory by sys.platform
Sandbox policy on macOS:
- Permissive baseline (matches Codex CLI's model). Strict deny-default
causes Cocoa-using apps (claude, gemini, node tools) to silently
hang on mach_msg to system daemons. The security boundary is enforced
on file WRITES via two module-level constants in seatbelt.py:
- DENY_SYSTEM_SUBPATHS - the OS, Apple frameworks, Homebrew, etc.
- DENY_USER_SECRETS_RELATIVE - ~/.ssh, ~/.aws, ~/.gnupg, Library/Cookies, ...
ALWAYS_RW_SUBPATHS / ALWAYS_RW_LITERALS list the paths that always
remain writable (sandbox tmp, /tmp, /dev/null & friends).
- Reads are allowed everywhere — Seatbelt cannot truly hide files
anyway; non-allowed paths only return EPERM.
Other adjustments needed for parity with the Linux backend:
- common/postgres.py: pg_bin discovery extended for macOS (Homebrew
postgresql@N formulae, Postgres.app); host socket dir discovery
extended to /tmp & /private/tmp; setup() decoupled from bwrap argv
(caller exposes proxy_dir to the sandbox).
- common/postgres.py: PostgresSandbox.cleanup_orphans() reaps leftover
ephemeral clusters from previous Ctrl+C'd runs at the start of each
agent.run().
- common/agent.py: AgentCLI no longer extends BwrapSandbox; composes a
Sandbox backend and feeds it an ExecutionSpec.
- common/mixins.py: get_ai_agent() runs Sandbox.check_support() up
front so unsupported hosts get a clear error before any setup runs.
Linux behaviour is unchanged: bwrap argv assembly is bit-for-bit the
same, just relocated into common/sandbox/bwrap.py.
Co-authored-by: Ahmad Khater <81505568+akr-odoo@users.noreply.github.com>
* [IMP] core: improve sandbox infrastructure visibility and grouping\n\n- Group sibling paths under shared parent directories in warning display\n- Surface Odoo filestore and active virtual environment paths\n- Standardize styling with purple coloration for infra paths\n- Refactor complex display logic into helper methods\n\nAssisted-by: gemini-3-flash <noreply@google.com> * [IMP] test: delegate failure resolution rules to test_skill Replace inline RULE 1/2/3 block in the AI prompt with a reference to the test_skill skill, keeping the prompt concise and the rules centrally maintained. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * [IMP] mixins: add -y flag to npx and extend skill check to test command Use npx -y to avoid interactive prompts. Also warn when the test_skill skill is missing when running the test command, alongside the existing odev skill check. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * [IMP] sandbox: fix cwd, DB env message and order primary dirs in display Use sandbox_dirs[0] as the working directory inside the sandbox instead of falling back to any primary bind. Clarify the DB environment message to distinguish between cloned and empty databases. Pass primary_dirs through to the warning display so the listed paths are shown in the same order as they were provided. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * [IMP] agent: improve sandbox path mounting and path deduplication - Pre-create system bind points (.fonts, .local/share, etc.) in playground to prevent mount failures. - Remove redundant whole-directory .local and .npm mounts to favor fine-grained bounds. - Deduplicate mounted directories and files while preserving order. - Filter candidate paths to primary binds only. * [IMP] agent: pre-create system bind points and refine npm/local mounts - Pre-create system bind points (.fonts, .local/share, etc.) in playground to prevent mount failures. - Remove redundant whole-directory .npm mount to favor fine-grained bounds. * [IMP] bwrap: forward DISPLAY, WAYLAND socket, and Xauthority to sandbox - Bind X11 socket and set DISPLAY environment variable when available. - Bind Wayland socket and set WAYLAND_DISPLAY environment variable when available. - Bind Xauthority file to enable GUI authentication. - Bind host's claude config directory as read-only. * [IMP] bwrap: customize confirmation prompt based on active AI agent - Display the specific model and CLI name (Claude, Gemini, Copilot, etc.) with inquirer styles inside the confirmation prompt. * [IMP] bwrap: use subprocess.run directly to preserve interactive stdin - Inherit system stdin directly by using subprocess.run instead of bash.run wrapper. * [REF] bwrap: simplify AI agent execution confirmation prompt - Use a standard plain string prompt instead of a styled list of tuples, avoiding inquirer patching requirements in odev. --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
It allows it to install on more distros
poma-odoo
force-pushed
the
arch-install-poma
branch
from
f2286b7 to
e75f8d1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
It allows it to install on more distros
Compliance
docsdirectoryrequirements.txtfile, if any