#23811: Config: fail closed when exec host=sandbox but sandbox mode is off
Labels: docker, size: S, trusted-contributor. Cluster: Sandbox Enhancements and Fixes
## Summary
Describe the problem and fix in 2–5 bullets:
- Problem:
- Why it matters:
- What changed:
- What did NOT change (scope boundary):
## Change Type (select all)
- [ ] Bug fix
- [ ] Feature
- [ ] Refactor
- [ ] Docs
- [ ] Security hardening
- [ ] Chore/infra
## Scope (select all touched areas)
- [ ] Gateway / orchestration
- [ ] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] API / contracts
- [ ] UI / DX
- [ ] CI/CD / infra
## Linked Issue/PR
- Closes #
- Related #
## User-visible / Behavior Changes
List user-visible changes (including defaults/config).
If none, write `None`.
## Security Impact (required)
- New permissions/capabilities? (`Yes/No`)
- Secrets/tokens handling changed? (`Yes/No`)
- New/changed network calls? (`Yes/No`)
- Command/tool execution surface changed? (`Yes/No`)
- Data access scope changed? (`Yes/No`)
- If any `Yes`, explain risk + mitigation:
## Repro + Verification
### Environment
- OS:
- Runtime/container:
- Model/provider:
- Integration/channel (if any):
- Relevant config (redacted):
### Steps
1.
2.
3.
### Expected
-
### Actual
-
## Evidence
Attach at least one:
- [ ] Failing test/log before + passing after
- [ ] Trace/log snippets
- [ ] Screenshot/recording
- [ ] Perf numbers (if relevant)
## Human Verification (required)
What you personally verified (not just CI), and how:
- Verified scenarios:
- Edge cases checked:
- What you did **not** verify:
## Compatibility / Migration
- Backward compatible? (`Yes/No`)
- Config/env changes? (`Yes/No`)
- Migration needed? (`Yes/No`)
- If yes, exact upgrade steps:
## Failure Recovery (if this breaks)
- How to disable/revert this change quickly:
- Files/config to restore:
- Known bad symptoms reviewers should watch for:
## Risks and Mitigations
List only real risks for this PR. Add/remove entries as needed. If none, write `None`.
- Risk:
- Mitigation:
<h3>Greptile Summary</h3>
Added config-time validation to fail closed when `tools.exec.host="sandbox"` is configured but sandbox mode is `"off"`. This prevents runtime errors by catching the misconfiguration early during config validation.
- Validates both global `tools.exec.host` and per-agent `agents.list[].tools.exec.host` settings
- Correctly defaults sandbox mode to `"off"` when not explicitly configured
- Uses fallback logic for per-agent validation (agent-specific mode falls back to default mode)
- Test coverage includes global rejection, global acceptance, and per-agent rejection scenarios
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with no identified issues
- The change is a pure security hardening that prevents misconfigurations. The validation logic is straightforward, follows existing patterns in the codebase, and has comprehensive test coverage. No breaking changes to existing valid configurations.
- No files require special attention
<sub>Last reviewed commit: a2003b4</sub>
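The fail-closed check the summary describes, written out as an added example (not the PR's code): the global `tools.exec.host` and each `agents.list[].tools.exec.host` are rejected when the effective sandbox mode resolves to `"off"`, with an unset mode defaulting to `"off"` and an agent's own mode falling back to the default. The sandbox-mode paths (`agents.defaults.sandbox.mode`, `agents.list[].sandbox.mode`) and the config shape are assumptions, not taken from the PR.

```typescript
// Added example, not the PR's code: config-time fail-closed check for
// tools.exec.host = "sandbox" while the effective sandbox mode is "off".
// Sandbox-mode paths (agents.defaults.sandbox.mode, agents.list[].sandbox.mode)
// are assumed; the exec host paths are the ones named in the PR summary.
type ExecConfig = { host?: string };
type SandboxConfig = { mode?: string };
type AgentEntry = { id?: string; tools?: { exec?: ExecConfig }; sandbox?: SandboxConfig };
export type Config = {
  tools?: { exec?: ExecConfig };
  agents?: { defaults?: { sandbox?: SandboxConfig }; list?: AgentEntry[] };
};
export type ConfigIssue = { path: string; message: string };

// Sandbox mode defaults to "off" when not configured, so an unset mode still
// rejects host="sandbox" (fail closed instead of erroring at exec time).
const FALLBACK_MODE = "off";

function sandboxIssue(path: string, scope: string): ConfigIssue {
  return {
    path,
    message: `${scope} exec host is "sandbox" but sandbox mode is "off"; enable sandbox mode or change exec host`,
  };
}

export function validateExecHostSandbox(cfg: Config): ConfigIssue[] {
  const issues: ConfigIssue[] = [];
  const defaultMode = cfg.agents?.defaults?.sandbox?.mode ?? FALLBACK_MODE;
  // Global setting: tools.exec.host is checked against the default sandbox mode.
  if (cfg.tools?.exec?.host === "sandbox" && defaultMode === "off") {
    issues.push(sandboxIssue("tools.exec.host", "global"));
  }
  // Per-agent setting: an agent's own sandbox mode wins; otherwise inherit the default.
  (cfg.agents?.list ?? []).forEach((agent, i) => {
    const mode = agent.sandbox?.mode ?? defaultMode;
    if (agent.tools?.exec?.host === "sandbox" && mode === "off") {
      issues.push(sandboxIssue(`agents.list[${i}].tools.exec.host`, `agent "${agent.id ?? i}"`));
    }
  });
  return issues;
}

// Run at config load so the gateway never starts with the broken combination.
export function assertExecHostSandbox(cfg: Config): void {
  const issues = validateExecHostSandbox(cfg);
  if (issues.length > 0) {
    throw new Error(issues.map((i) => `${i.path}: ${i.message}`).join("\n"));
  }
}
```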