test(core,docs): M3.5 — sandbox attack-vector test suite + security-model.md#18
Merged
Closes the "M3.5: 75% — missing attack vectors" gap from the morning report.
· packages/core/src/sandbox/attacks.test.ts (17 tests)
- 6 SBPL hostile-input tests: paren/quote/backslash escaping,
deny-after-allow ordering, no implicit network when allowedDomains=[],
no implicit writes to /usr|/System|/Library.
- 3 bwrap arg safety tests: no --share-net, only cwd is bare --bind,
pid/ipc/uts always unshared.
- 4 excluded-command spoofing tests: prefix-only doesn't bypass; pipeline
after-excluded DOES bypass (documented as known M5.2-tracked behavior).
- 2 sandbox-exec e2e tests on macOS: block /usr/local/bin write; profile
parses without syntax error (smoke).
- 2 bwrap e2e tests on Linux: block outside-cwd write; DNS unshared when
allowedDomains=[].
· packages/core/src/sandbox/profile.ts hardened so e2e tests pass:
- Add `(allow file-read* (literal "/"))` and related (literal "/private")
entries so shell getcwd / parent stat succeed under deny-default.
- Add `(allow file-read* (subpath "/private/var/folders"))` for dyld
closure cache (without this, /bin/sh exited with SIGABRT before any
command could run).
- Add `(allow process-info*)`.
· docs/security-model.md (NEW, ~180 lines):
threat model, defence layers (trust → modes → permissions → sandbox →
plugin subprocess → credentials), hostile-input handling, attack-vector
test inventory, explicit list of known gaps (DNS exfil, OS-wrap of plugin
process, pipeline analysis, domain whitelist) with milestone tracking.
Tests: 308/10 pass/skip in core (was 293), 41 in cli unchanged. Total 349 passing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
oratis added a commit that referenced this pull request on May 28, 2026
This session ("继续推进", "keep pushing forward", from v2) added 5 PRs on top of #1-#16:
· #17 M3c-rest tools (TodoWrite + WebFetch + WebSearch)
· #18 M3.5 attack tests + security-model.md
· #19 M8 headless mode (-p / --print)
· #20 M5.2 plugin live wire-up
· #21 system-reminder injector
Test count: 313 → 387 (+74).
Scope completion estimate: 65-70% → 72-78%.
Major remaining items: M6 Mac Electron (still 0%), M7 file panel (depends
on M6), and the M3c-rest/M8/M5.2 leftovers itemized in the body.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Closes the "M3.5: 75% — missing attack vectors" line item from the morning report. 17 new tests, profile hardened to actually run real commands, security model documented.

- `packages/core/src/sandbox/attacks.test.ts` — 17 tests in 5 buckets (SBPL hostile-input escaping, bwrap arg safety, excluded-command spoofing, macOS e2e under `sandbox-exec`, Linux e2e under `bwrap`). Platform-conditional tests use `it.runIf()`.
- `packages/core/src/sandbox/profile.ts` — added `(literal "/")`, `(literal "/private")`, `(subpath "/private/var/folders")`, and `(allow process-info*)` so generated profiles can actually exec `/bin/sh -c ...` instead of dying with SIGABRT in dyld. The previous tests only validated profile string content, never that sandbox-exec could parse and run it.
- `docs/security-model.md` (NEW) — threat model, defence layers, hostile-input handling, attack-vector test inventory, explicit list of known gaps with milestone tracking (DNS exfil, OS-wrap of plugin process, pipeline analysis, domain whitelist).

Test plan

- `pnpm -F @deepcode/core test src/sandbox/` — 34 passed / 3 skipped (was 13 pass; +17 attack tests, +2 e2e on macOS runner, 2 skipped Linux e2e)
- `pnpm -r test` — 308 + 41 = 349 passing
- `pnpm -F @deepcode/core build` — clean

Notable

The profile.ts additions (`(literal "/")` etc.) are required for ANY sandboxed exec to work on modern macOS — without them `/bin/sh` itself can't start under `(deny default)`. Previously the smoke test only checked profile-text contents, not runtime behavior.

🤖 Generated with Claude Code
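The SBPL hostile-input bucket above checks paren/quote/backslash escaping and the "no implicit network when allowedDomains=[]" rule. As an added illustration (not the project's profile.ts or attacks.test.ts), here is a minimal profile generator with a naive and a hardened quoting routine, plus a top-level-form splitter the tests use to see whether a hostile cwd injected its own rule; the function names are assumed.

```typescript
// Added example (not the project's code): an SBPL generator must quote the
// caller-supplied cwd so a hostile path cannot close the string literal and
// smuggle in its own (allow ...) form. Names here are assumed.

export type SandboxOptions = { cwd: string; allowedDomains: string[] };

// Vulnerable quoting: wraps the path in quotes without escaping anything.
export function naiveQuote(s: string): string {
  return `"${s}"`;
}

// Hardened quoting: backslash and double quote are the only characters that
// can end or alter an SBPL string literal, so both are escaped.
export function sbplQuote(s: string): string {
  return '"' + s.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// Deny-default profile. Only cwd is writable, and network is opened only
// when at least one domain is allowed (allowedDomains=[] means no network).
export function buildProfile(opts: SandboxOptions, quote = sbplQuote): string {
  const lines = [
    "(version 1)",
    "(deny default)",
    '(allow file-read* (literal "/"))',
    `(allow file-write* (subpath ${quote(opts.cwd)}))`,
  ];
  if (opts.allowedDomains.length > 0) lines.push("(allow network-outbound)");
  return lines.join("\n");
}

// Split a profile into its top-level forms, honouring string literals and
// backslash escapes, so a test can see whether a path injected a new rule.
export function topLevelForms(profile: string): string[] {
  const forms: string[] = [];
  let depth = 0, inStr = false, cur = "";
  for (let i = 0; i < profile.length; i++) {
    const c = profile[i];
    cur += c;
    if (inStr) {
      if (c === "\\") cur += profile[++i] ?? ""; // escaped char stays in string
      else if (c === '"') inStr = false;
    } else if (c === '"') inStr = true;
    else if (c === "(") depth++;
    else if (c === ")" && --depth === 0) { forms.push(cur.trim()); cur = ""; }
  }
  return forms;
}
```

With a constructed cwd such as `/tmp/x")) (allow default) ((subpath "`, the naive generator yields a standalone `(allow default)` form while the hardened one keeps the whole path inside the one `file-write*` rule.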