Skip to content

Commit 9aab9fa

Browse files
committed
ci(sandbox): use docker_isolation.mode (global key) + assert sandbox actually resolved
CodexReviewer caught the probe was vacuous: the config used a top-level "isolation" key, but the GLOBAL isolation mode is docker_isolation.mode (per-server isolation is the only 'isolation' key). The wrong key was silently ignored, so the server started with isolation_mode=none — the 'sandbox' probe never tested sandbox. - workflow + harness: isolation -> docker_isolation for the global mode - workflow: assert the server log shows isolation_mode=sandbox (fail if not), so a future wrong-key regression can't pass vacuously - harness positive case now actually runs the stdio 'everything' server under Landlock (inherits global sandbox); negative baseline under docker (AppArmor) Related #71
1 parent 9c84400 commit 9aab9fa

2 files changed

Lines changed: 12 additions & 4 deletions

File tree

.github/workflows/sandbox-integration.yml

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -96,7 +96,7 @@ jobs:
9696
"listen": "127.0.0.1:19237",
9797
"api_key": "qa-sandbox-ci-test",
9898
"enable_web_ui": false,
99-
"isolation": { "mode": "sandbox" },
99+
"docker_isolation": { "mode": "sandbox" },
100100
"mcpServers": []
101101
}
102102
EOF
@@ -137,7 +137,15 @@ jobs:
137137
cat /tmp/mcp3236-ci/server.log
138138
exit 1
139139
fi
140-
echo "Server healthy (/readyz) with isolation.mode=sandbox"
140+
# Prove the server actually resolved SANDBOX mode (the global key is
141+
# docker_isolation.mode — a wrong key silently falls back to "none",
142+
# which would make this probe vacuous).
143+
if ! grep -i "isolation_mode" /tmp/mcp3236-ci/server.log | grep -qi "sandbox"; then
144+
echo "ERROR: server did not start in sandbox mode (expected isolation_mode=sandbox)"
145+
grep -i "isolation_mode" /tmp/mcp3236-ci/server.log || echo "(no isolation_mode log line found)"
146+
exit 1
147+
fi
148+
echo "Server healthy (/readyz) and confirmed isolation_mode=sandbox"
141149
142150
- name: macOS/non-Linux graceful-degrade probe (build check)
143151
run: |

docs/development/sandbox-snap-docker-harness.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ cat > /tmp/harness-docker/mcp_config.json <<'EOF'
4444
"listen": "127.0.0.1:18080",
4545
"api_key": "harness-key",
4646
"enable_web_ui": false,
47-
"isolation": { "mode": "docker" },
47+
"docker_isolation": { "mode": "docker" },
4848
"mcpServers": [
4949
{
5050
"name": "everything",
@@ -99,7 +99,7 @@ cat > /tmp/harness-sandbox/mcp_config.json <<'EOF'
9999
"listen": "127.0.0.1:18081",
100100
"api_key": "harness-key",
101101
"enable_web_ui": false,
102-
"isolation": { "mode": "sandbox" },
102+
"docker_isolation": { "mode": "sandbox" },
103103
"mcpServers": [
104104
{
105105
"name": "everything",

0 commit comments

Comments
 (0)