Thanks to visit codestin.com
Credit goes to github.com

Skip to content

test: add sandbox workflow e2e coverage#131

Closed
paudley wants to merge 8 commits into
mainfrom
codex/sandbox-e2e-workflows
Closed

test: add sandbox workflow e2e coverage#131
paudley wants to merge 8 commits into
mainfrom
codex/sandbox-e2e-workflows

Conversation

@paudley

@paudley paudley commented May 17, 2026

Copy link
Copy Markdown
Owner

Closes #129.

Replaces #130, which was closed because this checkout had an incorrect local Git identity for its commits. This branch contains the same implementation as a correctly authored commit.

Summary

  • add real managed ruff sandbox E2E coverage for trace, SARIF, and required-mode denial evidence
  • keep coverage-instrumented E2E on the built managed toolchain instead of falling back to uv
  • bind the managed executable into bubblewrap when hidden home mounts would otherwise mask it
  • normalize required-mode cgroup setup failures as runtime.sandbox_denial evidence

Verification

  • go test ./internal/e2e -run 'Sandbox' -count=1\n- go test ./internal/e2e ./internal/sandbox ./internal/managedcapture -count=1\n- go test ./... -coverprofile=/tmp/coding-ethos-replacement.out\n- make build\n\n## Coverage\n- total Go coverage remained 80.3%\n- internal/e2e increased from 77.4% to 78.3%\n- internal/sandbox increased from 55.6% to 57.3%\n\n## Notes\n- bubblewrap remains a required dependency for the real sandbox workflow path; tests do not fake the sandbox backend or linter.

Copilot AI review requested due to automatic review settings May 17, 2026 03:27
@paudley paudley requested a review from ErinAudley as a code owner May 17, 2026 03:27

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds real bubblewrap-backed E2E coverage for the managed sandbox workflow (trace, SARIF, required-mode denial), plus supporting changes so the sandbox can locate the managed tool executable and so required-mode cgroup failures surface as structured runtime.sandbox_denial evidence.

Changes:

  • Bind the managed tool executable (with its parent dirs) into bubblewrap and resolve symlinks during request normalization.
  • Treat required-mode cgroup setup errors as sandbox.Denied evidence and rewrite captured diagnostics into a sandbox denial when so marked.
  • Add CodingEthosRunWithEnv/RunWithEnv plumbing, symlink .venv into the instrumented runtime when present, and add three sandbox workflow E2E tests.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
TODO.md Marks the sandbox E2E TODO item as completed.
go/internal/sandbox/sandbox.go Adds --ro-bind for the tool executable and EvalSymlinks of the executable path.
go/internal/sandbox/sandbox_test.go Updates plan ordering check to compare against the last occurrence of the executable arg.
go/internal/managedcapture/capture.go Marks cgroup-failed required runs as denied and synthesizes sandbox-denial diagnostics.
go/internal/e2e/scenario.go Adds env-override command helpers and .venv symlinking in the instrumented runtime.
go/internal/e2e/sandbox_workflow_test.go New sandbox workflow E2E tests for trace, SARIF, and required-mode denial.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request implements sandbox workflow tests and improves sandbox enforcement by handling denials more explicitly. Key changes include the addition of comprehensive end-to-end tests for sandboxed tool execution, the introduction of environment override support in the test harness, and logic to ensure tool executables are correctly bound within the sandbox. A review comment identifies that the new capturedExecutionDiagnostics function makes existing denial-handling logic in capturedOutcomeFindings and capturedSandboxFinding redundant, suggesting a cleanup to avoid dead code.

Comment thread go/internal/managedcapture/capture.go
Copilot AI review requested due to automatic review settings May 17, 2026 03:57

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.

Copilot AI review requested due to automatic review settings May 17, 2026 04:15

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated no new comments.

Copilot AI review requested due to automatic review settings May 17, 2026 04:36

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated no new comments.

@paudley

paudley commented May 17, 2026

Copy link
Copy Markdown
Owner Author

Closing in favor of signed replacement PR #133. The original branch contains unsigned commits and history-rewrite policy correctly blocks force-replacing it.

@paudley paudley closed this May 17, 2026
paudley added a commit that referenced this pull request May 17, 2026
## Summary
- adds required-mode sandbox E2E coverage with Bubblewrap as a hard
dependency
- verifies write-scope behavior and SARIF policy id coverage
- enforces signed git commits and blocks unsigned outgoing commits while
keeping push certificates optional for GitHub compatibility

Supersedes #131, whose branch contained unsigned commits and could not
be force-replaced under history-rewrite policy.

Closes #129.

## Verification
- go test ./... -count=1
- make build
- git log --format="%h %G? %s" origin/main..HEAD shows every branch
commit as G
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[test] Add sandbox workflow E2E coverage

2 participants