Commit dd2d0ef0917f

Vincent Demeester <vincent@sbr.pm>
2026-02-08 22:33:40
docs(pi): documented sandbox limitations and setup requirements
Clarified that the sandbox only protects bash commands, not the read/write/edit tools. Added the requirement to create the ~/.claude/debug directory. Fixed the bash tool so that sandboxed operations are applied dynamically.
1 parent db136df
Changed files (3)
.pi/SETUP.md
@@ -216,6 +216,12 @@ Or temporarily:
 nix-shell -p bubblewrap socat ripgrep
 ```
 
+Also create the required directory:
+
+```bash
+mkdir -p ~/.claude/debug
+```
+
 ### Extension statuses not showing in footer
 
 Make sure:
dots/pi/agent/extensions/sandbox/index.ts
@@ -212,7 +212,7 @@ export default function (pi: ExtensionAPI) {
 		uvInterceptEnabled = true;
 	}
 
-	// Create bash tool with spawn hook that combines uv intercept + sandbox
+	// Create bash tool that dynamically uses sandboxed operations based on current state
 	const bashTool = createBashTool(localCwd, {
 		spawnHook: ({ command, cwd, env }) => {
 			let modifiedCommand = command;
@@ -224,9 +224,23 @@ export default function (pi: ExtensionAPI) {
 			
 			return { command: modifiedCommand, cwd, env };
 		},
-		operations: sandboxEnabled && sandboxInitialized ? createSandboxedBashOps() : undefined,
 	});
 
+	// Override the bash tool to dynamically use sandbox operations
+	const originalExecute = bashTool.execute;
+	bashTool.execute = async function (toolCallId, params, signal, onUpdate, ctx) {
+		// If sandbox is enabled, use sandboxed operations
+		if (sandboxEnabled && sandboxInitialized) {
+			const sandboxedTool = createBashTool(localCwd, {
+				spawnHook: bashTool.spawnHook,
+				operations: createSandboxedBashOps(),
+			});
+			return sandboxedTool.execute(toolCallId, params, signal, onUpdate, ctx);
+		}
+		// Otherwise use original (non-sandboxed)
+		return originalExecute.call(bashTool, toolCallId, params, signal, onUpdate, ctx);
+	};
+
 	pi.registerTool(bashTool);
 
 	// For user bash commands (! and !!), provide sandboxed operations
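Review bot: The sandboxed tool built inside the overridden `execute` (the `createBashTool` call with `spawnHook: bashTool.spawnHook`) takes the hook from a property of the first tool, but the hook was supplied to `createBashTool` as an option and nothing in the hunk shows the returned tool exposing it; if it does not, `spawnHook` is `undefined` and the uv-intercept command rewriting from the first hunk is silently dropped precisely when sandboxing is on. Hoist the hook into a named constant and pass the same reference to both calls: `const spawnHook = ({ command, cwd, env }) => { … };`, `const bashTool = createBashTool(localCwd, { spawnHook });`, and `spawnHook,` in the sandboxed options. A smaller point is that `createBashTool` and `createSandboxedBashOps()` are re-run on every invocation while sandboxed; if the sandboxed ops are stateless that is only overhead, but if they set up per-instance resources it would be better to build the sandboxed tool once and choose between the two at call time. The enclosing `export default function (pi: ExtensionAPI)` starts and ends outside the hunk.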
dots/pi/agent/extensions/sandbox/README.md
@@ -29,6 +29,15 @@ Or install manually:
 nix-shell -p bubblewrap socat ripgrep
 ```
 
+**Additional setup:**
+
+The sandbox runtime needs a debug directory:
+```bash
+mkdir -p ~/.claude/debug
+```
+
+This directory is used by `@anthropic-ai/sandbox-runtime` for logging and temporary files.
+
 ### macOS
 
 Uses built-in `sandbox-exec`, no additional packages required.
@@ -106,6 +115,20 @@ The sandbox extension:
 3. Enforces network and filesystem restrictions
 4. Shows status in the footer
 
+**Important Limitations:**
+
+⚠️ **Only `bash` commands are sandboxed.** The `read`, `write`, and `edit` tools bypass the sandbox entirely because they access files directly without going through bash.
+
+- `bash: cat ~/.ssh/config` → ✅ Sandboxed (blocked)
+- `read ~/.ssh/config` → ❌ Not sandboxed (succeeds)
+
+This means the LLM can still read/write files using the built-in tools. The sandbox primarily protects against:
+- Network access from bash commands
+- Bash scripts accessing sensitive files
+- Accidental destructive bash operations
+
+For full file access control, you would need to override the `read`, `write`, and `edit` tools or use `tool_call` event interception.
+
 ### Example
 
 ```bash