Commit 9aab9fa
ci(sandbox): use docker_isolation.mode (global key) + assert sandbox actually resolved

CodexReviewer caught the probe was vacuous: the config used a top-level
"isolation" key, but the GLOBAL isolation mode is docker_isolation.mode
(per-server isolation is the only 'isolation' key). The wrong key was silently
ignored, so the server started with isolation_mode=none — the 'sandbox' probe
never tested sandbox.

- workflow + harness: isolation -> docker_isolation for the global mode
- workflow: assert the server log shows isolation_mode=sandbox (fail if not),
  so a future wrong-key regression can't pass vacuously
- harness positive case now actually runs the stdio 'everything' server under
  Landlock (inherits global sandbox); negative baseline under docker (AppArmor)

Related #711

parent 9c84400 commit 9aab9fa
2 files changed
Lines changed: 12 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
96 | 96 | | |
97 | 97 | | |
98 | 98 | | |
99 | | - | |
| 99 | + | |
100 | 100 | | |
101 | 101 | | |
102 | 102 | | |
| |||
137 | 137 | | |
138 | 138 | | |
139 | 139 | | |
140 | | - | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
141 | 149 | | |
142 | 150 | | |
143 | 151 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
44 | 44 | | |
45 | 45 | | |
46 | 46 | | |
47 | | - | |
| 47 | + | |
48 | 48 | | |
49 | 49 | | |
50 | 50 | | |
| |||
99 | 99 | | |
100 | 100 | | |
101 | 101 | | |
102 | | - | |
| 102 | + | |
103 | 103 | | |
104 | 104 | | |
105 | 105 | | |
| |||
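
The log assertion described in the commit message, sketched as a shell step that fails closed when the expected mode is absent. This is an added example, not the workflow code from this commit: the function names, file names and sample log lines are constructed, and only the `isolation_mode=<value>` token comes from the commit message.

```shell
#!/bin/sh
# Added example (not the project's workflow). Assumption: the server log
# contains a token of the form isolation_mode=<value>; the rest of each
# sample log line below is constructed.

# resolved_isolation_mode LOGFILE -> prints the last isolation_mode value seen.
# Assumption: the last occurrence is the mode the server ended up running with.
resolved_isolation_mode() {
  grep -oE 'isolation_mode=[A-Za-z_]+' "$1" 2>/dev/null | tail -n 1 | cut -d= -f2
}

# assert_isolation_mode LOGFILE EXPECTED
#   0 = log proves EXPECTED, 1 = a different mode resolved,
#   2 = no evidence at all (missing log or no isolation_mode token).
assert_isolation_mode() {
  _aim_actual=$(resolved_isolation_mode "$1")
  if [ -z "$_aim_actual" ]; then
    echo "FAIL: no isolation_mode in $1; cannot prove $2" >&2
    return 2
  fi
  if [ "$_aim_actual" != "$2" ]; then
    echo "FAIL: isolation_mode=$_aim_actual, expected $2" >&2
    return 1
  fi
  echo "OK: isolation_mode=$2"
}

# Constructed logs: one as produced when the misnamed key is ignored,
# one after the key is corrected.
tmp=$(mktemp -d)
printf '%s\n' 'INFO config loaded' \
  'INFO server started isolation_mode=none' > "$tmp/wrong_key.log"
printf '%s\n' 'INFO config loaded' \
  'INFO server started isolation_mode=sandbox' > "$tmp/fixed.log"

assert_isolation_mode "$tmp/fixed.log" sandbox
assert_isolation_mode "$tmp/wrong_key.log" sandbox \
  || echo "CI step would stop here (exit $?)"
rm -rf "$tmp"
```

Treating a missing token as a failure matters as much as the mismatch case: a probe that passes when the log says nothing is the same vacuous pass the commit fixes.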