Module: Pikuri::Code::Bash::Sandbox

Defined in:

lib/pikuri/code/bash/sandbox.rb

Overview

Filesystem-sandbox seam for the bash tool. Pikuri::Code::Bash runs bash -c <command> unmediated by default (NONE, identity wrap); host binaries that want isolation pass Bubblewrap.new(workspace:)+ to get a bwrap-wrapped subprocess whose filesystem view is constrained to the Workspace‘s readable/writable roots plus a curated OS-runtime baseline.

Why a seam, not a flag on Bash

The pure layered design: Workspace is “what the LLM observes via Read/Write/Edit/Grep/Glob”; Sandbox is “what the executed subprocess sees in its filesystem view.” They overlap on the project + toolchain dirs, but diverge on the OS-runtime baseline (Bubblewrap::ETC_BASELINE — TLS certs, DNS resolver config, tz data, hosts file). The LLM has no need to Read /etc/resolv.conf; the curl subprocess does. Keeping the two concerns in distinct objects lets Workspace stay focused on the LLM-side allowlist while Bubblewrap owns the runtime-side allowlist + the bwrap-specific argv composition.

The contract

A sandbox responds to #wrap(argv) → Array<String>, transforming the timeout … bash -c <cmd> argv that run would have spawned into the actual argv to spawn. NONE returns argv unchanged; Bubblewrap prepends bwrap + its bind/isolation flags.

Defined Under Namespace

Modules: NONE Classes: Bubblewrap