
feat(sandbox): run gh outside the sandbox so keyring auth works#706

Merged: potiuk merged 1 commit into apache:main from potiuk:feat/gh-outside-sandbox on Jul 3, 2026

Conversation

@potiuk (Member) commented Jul 3, 2026

Summary

  • gh authenticates via the OS keyring, which the in-process sandbox blocks —
    so sandboxed gh calls fail with keyring / "not logged in" errors. This adds
    sandbox.excludedCommands: ["gh *"] to the shipped Claude baseline so gh
    runs against the real host auth.
  • The blast radius stays contained by the existing layers: gh write/destructive
    subcommands remain gated by permissions.ask, and gh auth token /
    gh auth refresh stay in permissions.deny so the token can't be dumped.
  • OpenCode needs no config change (see Notes) — it's covered by its existing model.

Type of change

  • Python package (tools/*/ with pyproject.toml) — sandbox-lint validator
  • Cross-cutting (RFC, AGENTS.md, sandbox, privacy-LLM)
  • Documentation (docs/, README.md, CONTRIBUTING.md)

Test plan

  • prek run --files <changed> passes (markdownlint, typos, lychee, ruff, mypy, workspace pytest, spec-validate)
  • uv run --project tools/sandbox-lint pytest — 64 passed (2 new: baseline excludes gh; excludedCommands set-semantics)
  • sandbox-lint reports the framework's own settings match the updated baseline

RFC-AI-0004 compliance

  • HITL — gh mutations stay gated on permissions.ask; no new auto-approved mutation
  • Write-access discipline — no autonomous outbound messages introduced

Linked issues

Notes for reviewers

  • Sandbox principle, stated honestly: this deliberately grants gh host access
    outside the sandbox. That is the point — gh cannot reach the OS keyring while
    sandboxed. The trade-off is bounded by (a) gh auth token/refresh denied,
    (b) all gh writes behind ask, (c) credentials.envVars still deny GH_TOKEN/
    GITHUB_TOKEN for other sandboxed commands. The existing credentials comment
    in secure-agent-setup.md already assumed "gh is sandbox-bypassed"; this makes
    that true.
  • Why config, not a new hook: agent-guard is deny-only and can't express
    "ask + run-outside-sandbox"; excludedCommands is the idiomatic, harness-enforced
    (deterministic) mechanism. Confirmation stays as the existing curated ask list
    rather than a blanket gh * ask, which would prompt on every gh pr view in the
    pr-management skills.
  • OpenCode parity: no per-command sandbox exclusion exists there (isolation is
    the OS-level clean-env sandbox, which already runs gh with the host keyring), and
    sandbox-lint --opencode already requires permission.bash to default to
    ask/deny, so gh writes prompt by default. Documented rather than adding a
    knob that doesn't exist.

Generated-by: Claude Code (Opus 4.8)

gh authenticates via the OS keyring, which the in-process sandbox blocks, so gh commands failed with keyring / "not logged in" errors. Excluding gh from the sandbox lets it use the real host auth.

Confirmation is safe-by-default: permissions.ask matches Bash(gh *) so every gh command prompts unless a more-specific read-only allow rule (gh pr view, gh * list, ...) exempts it — so every destructive or unknown gh subcommand is confirmed. gh auth token / gh auth refresh stay denied so the token cannot be dumped.

Generated-by: Claude Code (Opus 4.8)
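The layering the PR relies on (gh excluded from the in-process sandbox, the token-dumping subcommands denied, writes behind ask, curated read-only views allowed) is something a lint can check mechanically. The following Python is an added example, not the project's sandbox-lint tool and not its shipped baseline. The settings document is constructed for the example; the `Bash(<pattern>)` rule syntax and the key names `sandbox.excludedCommands`, `permissions.deny` and `permissions.ask` follow the PR text, while the matching semantics (fnmatch over the full command line, deny wins outright, otherwise the most specific allow/ask rule wins) are assumptions made here rather than Claude Code's documented algorithm.

```python
"""Added example: a lint-style check of the gh sandbox/permission layering.

Not the project's sandbox-lint and not its shipped baseline. The settings
document below is constructed for this example; the rule syntax Bash(<pattern>)
follows the PR text, while the matching semantics (fnmatch on the full command,
deny wins outright, otherwise the most specific allow/ask rule wins) are
assumptions made here, not Claude Code's documented algorithm.
"""
import fnmatch
import json

# Constructed settings document (assumed shape, key names from the PR text).
SETTINGS_JSON = r"""
{
  "sandbox": {"excludedCommands": ["gh *"]},
  "permissions": {
    "deny":  ["Bash(gh auth token*)", "Bash(gh auth refresh*)"],
    "ask":   ["Bash(gh *)"],
    "allow": ["Bash(gh pr view*)", "Bash(gh * list*)"]
  }
}
"""

# Baseline enforced with set semantics: order and duplicates are irrelevant.
BASELINE_EXCLUDED = {"gh *"}
# Subcommands that would expose the host credential; they must be denied outright.
MUST_DENY = ("gh auth token", "gh auth refresh")
# Representative mutations; with gh outside the sandbox these must at least prompt.
MUST_CONFIRM = ("gh pr merge 42", "gh repo delete example/repo")


def load_settings(text: str) -> dict:
    return json.loads(text)


def _bash_pattern(rule: str):
    """Extract the command pattern from a Bash(<pattern>) rule; other tools are ignored."""
    if rule.startswith("Bash(") and rule.endswith(")"):
        return rule[len("Bash("):-1]
    return None


def _specificity(pattern: str) -> int:
    # Assumed tie-breaker: more literal characters means a more specific rule.
    return sum(1 for ch in pattern if ch not in "*?")


def runs_outside_sandbox(settings: dict, command: str) -> bool:
    """True if sandbox.excludedCommands matches, i.e. the command sees the host keyring."""
    patterns = settings.get("sandbox", {}).get("excludedCommands", [])
    return any(fnmatch.fnmatchcase(command, p) for p in patterns)


def permission_verdict(settings: dict, command: str) -> str:
    """'deny' if any deny rule matches; else the most specific matching allow/ask
    rule; 'default' when nothing matches (the harness default then applies)."""
    perms = settings.get("permissions", {})
    best_verdict, best_spec = "default", -1
    for verdict in ("deny", "allow", "ask"):
        for rule in perms.get(verdict, []):
            pattern = _bash_pattern(rule)
            if pattern is None or not fnmatch.fnmatchcase(command, pattern):
                continue
            if verdict == "deny":
                return "deny"
            spec = _specificity(pattern)
            if spec > best_spec:
                best_verdict, best_spec = verdict, spec
    return best_verdict


def check_baseline(settings: dict) -> list:
    """Return findings; an empty list means the layering described in the PR holds."""
    findings = []
    excluded = set(settings.get("sandbox", {}).get("excludedCommands", []))
    missing = sorted(BASELINE_EXCLUDED - excluded)
    if missing:
        findings.append(f"sandbox.excludedCommands lacks baseline entries {missing}")
    for cmd in MUST_DENY:
        if permission_verdict(settings, cmd) != "deny":
            findings.append(f"{cmd!r} is not denied: host token could be dumped")
    for cmd in MUST_CONFIRM:
        outside = runs_outside_sandbox(settings, cmd)
        if outside and permission_verdict(settings, cmd) not in ("ask", "deny"):
            findings.append(f"{cmd!r} runs outside the sandbox without confirmation")
    return findings


if __name__ == "__main__":
    s = load_settings(SETTINGS_JSON)
    print("findings:", check_baseline(s) or "none")
    for cmd in ("gh pr view 7", "gh pr list", "gh pr merge 42", "gh auth token", "git push"):
        print(f"{cmd:16} outside-sandbox={runs_outside_sandbox(s, cmd)!s:5} "
              f"verdict={permission_verdict(s, cmd)}")
```

Running it against the constructed document reports no findings; clearing the deny list makes `gh auth token` fall through to the generic `gh *` ask rule, and the check flags it, which is the regression the PR's note (a) is guarding against. The excludedCommands comparison is a set difference, so a reordered or duplicated list still satisfies the baseline.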
@potiuk force-pushed the feat/gh-outside-sandbox branch from a05abdb to b44c02f on July 3, 2026 16:45
@potiuk marked this pull request as ready for review on July 3, 2026 16:53
@potiuk merged commit 889da29 into apache:main on Jul 3, 2026
34 checks passed