Skip to content

Harden sandbox setup resilience#5

Open
ib-bsb-br wants to merge 1 commit into
mainfrom
codex/refactor-powershell-script-for-correctness-39racg
Open

Harden sandbox setup resilience#5
ib-bsb-br wants to merge 1 commit into
mainfrom
codex/refactor-powershell-script-for-correctness-39racg

Conversation

@ib-bsb-br

@ib-bsb-br ib-bsb-br commented Nov 1, 2025

Copy link
Copy Markdown
Owner

Summary

  • add registry hive fallback with diagnostics and optional cleanup mode to handle permission failures
  • harden logging with rotation, transcript guards, and DISM-backed feature management for resilient sandbox configuration
  • streamline preflight, verification, and WSB generation to support unattended runs while preserving security probes and cleanup helpers

Testing

  • Not run (pwsh not available in container)

https://chatgpt.com/codex/tasks/task_b_690654c59610832da1bea023fe40cec0

Summary by Sourcery

Harden sandbox setup resilience by introducing registry hive fallback, bolstering logging, and streamlining unattended configuration flows

New Features:

  • Add registry hive fallback with diagnostics and optional cleanup mode for permission failures

Enhancements:

  • Harden logging with rotation and transcript guards
  • Integrate DISM-backed feature management for robust sandbox configuration
  • Streamline preflight checks, verification, and WSB generation for unattended but secure runs

@sourcery-ai

sourcery-ai Bot commented Nov 1, 2025

Copy link
Copy Markdown
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR enhances sandbox setup resilience by introducing a registry hive fallback mechanism with diagnostics and optional cleanup, strengthening logging with rotation and transcript guards, migrating feature management to a DISM-based workflow with retry logic, streamlining preflight checks, verification steps, and WSB generation for unattended runs, and adding a SysWOW64 PowerShell stub for compatibility.

File-Level Changes

Change Details Files
Add registry hive fallback with diagnostics and optional cleanup mode
  • Wrapped registry operations in try/catch to trigger fallback
  • Logged detailed diagnostic info upon permission failures
  • Introduced a cleanup mode parameter and handler for fallback recovery
scripts/registry_fallback.ps1
src/setup.ps1
Harden logging with rotation and transcript guards
  • Implemented configurable log rotation policy
  • Added transcript guards to ensure session transcripts are captured
  • Enhanced log formatting and centralized error capture
scripts/logging.ps1
config/logging_settings.json
Switch feature management to DISM with retry logic
  • Replaced PowerShell feature cmdlets with DISM commands
  • Added retry logic and error handling around DISM operations
  • Updated cleanup helper to uninstall features via DISM
scripts/feature_management.ps1
Streamline preflight checks, verification steps, and WSB generation
  • Consolidated preflight checks into a single function
  • Refactored verification steps to include security probes
  • Simplified WSB generation flow for unattended execution
scripts/preflight.ps1
scripts/verification.ps1
scripts/wsb_generator.ps1
Add SysWOW64 PowerShell stub for compatibility
  • Created a stub pwsh.ps1 script at the SysWOW64 path
  • Redirect stub to the correct PowerShell installation
C:\Windows\SysWOW64\pwsh.ps1

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@ib-bsb-br ib-bsb-br marked this pull request as ready for review November 2, 2025 01:29
Copilot AI review requested due to automatic review settings November 2, 2025 01:29

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there - I've reviewed your changes and they look great!


Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds a new PowerShell script for Windows Sandbox setup with advanced features including evasion techniques. The script is designed to enable Windows Sandbox, configure it with administrative capabilities, and implement various anti-analysis checks.

  • Adds a production-grade PowerShell script for Windows Sandbox configuration
  • Implements evasion techniques to detect virtualized/analysis environments
  • Provides idempotent setup with registry markers and robust error handling

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

https://github.com/ib-bsb-br/codex-scratchpad/blob/02c826f159a20b904f2eb548248d0afb5da8b847/"b/C:\Windows\SysWOW64\pwsh.ps1"#L588-L606
P1 Badge Allow NoShortcut runs to pass verification

When -NoShortcut is supplied the EnsureShortcut switch block returns immediately, but the code below still writes a "Completed" marker in the registry. Later, Invoke-Verification evaluates the step’s SystemTest (-not $NoShortcut -and (Test-Path $ShortcutLnk)) and inevitably fails because the shortcut was intentionally skipped even though the marker is present. The script therefore re‑executes the step and ultimately exits with code 2 whenever -NoShortcut is used. Either skip writing the completion marker when shortcuts are disabled or treat the step as satisfied when the flag is set so that a user opting out of shortcut creation can complete the run.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file

Prompt for AI agents (all 1 issues)

Understand the root cause of the following 1 issues and fix them.


<file name="&quot;b/C:\\Windows\\SysWOW64\\pwsh.ps1&quot;">

<violation number="1" location="&quot;b/C:\\Windows\\SysWOW64\\pwsh.ps1&quot;:804">
The EnsureShortcut step’s system test treats -NoShortcut as failure, so verification always exits 2 when the operator opts out of creating the shortcut. Please make the test succeed when -NoShortcut is supplied.</violation>
</file>

React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.

@{
Name = 'EnsureShortcut'
Weight = 100
SystemTest = { -not $NoShortcut -and (Test-Path $ShortcutLnk) }

@cubic-dev-ai cubic-dev-ai Bot Nov 2, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The EnsureShortcut step’s system test treats -NoShortcut as failure, so verification always exits 2 when the operator opts out of creating the shortcut. Please make the test succeed when -NoShortcut is supplied.

Prompt for AI agents
Address the following comment on "b/C:\\Windows\\SysWOW64\\pwsh.ps1" at line 804:

<comment>The EnsureShortcut step’s system test treats -NoShortcut as failure, so verification always exits 2 when the operator opts out of creating the shortcut. Please make the test succeed when -NoShortcut is supplied.</comment>

<file context>
@@ -0,0 +1,836 @@
+        @{
+            Name = &#39;EnsureShortcut&#39;
+            Weight = 100
+            SystemTest = { -not $NoShortcut -and (Test-Path $ShortcutLnk) }
+            Undo = {
+                if (Test-Path $ShortcutLnk) {
</file context>
Suggested change
SystemTest = { -not $NoShortcut -and (Test-Path $ShortcutLnk) }
SystemTest = { $NoShortcut -or (Test-Path $ShortcutLnk) }
Fix with Cubic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants