Skip to content

Remove support for top-level sandbox: false and sandbox.gateway/mcp: false #13370

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Copilot wants to merge 10 commits into from
Closed

Remove support for top-level sandbox: false and sandbox.gateway/mcp: false #13370

Copilot wants to merge 10 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Feb 3, 2026
edited
Loading

Summary: Remove sandbox: false (top-level) and sandbox.gateway/mcp: false

Per the original requirements, this PR removes support for:

  • sandbox: false (top-level boolean - NOT supported, rejected by schema)
  • sandbox.gateway: false (NOT supported, rejected by custom validation)
  • sandbox.mcp: false (NOT supported, rejected by schema)

But KEEPS support for:

  • sandbox.agent: false (SUPPORTED - disables AWF firewall)

Changes Made

JSON Schema Updates

  • Removed boolean type from top-level sandbox field (only string/object allowed)
  • Added boolean option (const: false) to sandbox.agent field (allows disabling AWF)
  • Schema validation now catches sandbox: false early before custom validation

Validation

  • Added validateUnsupportedSandboxSyntax() for additional checks on sandbox.gateway: false
  • Clear error messages guide users to use sandbox.agent: false instead of sandbox: false

Code

  • Kept Disabled field in AgentSandboxConfig struct (needed for sandbox.agent: false)
  • Kept all logic that checks Disabled field throughout codebase (~150 lines)
  • isSandboxDisabled() checks for sandbox.agent: false
  • All localhost/host.docker.internal logic works correctly with disabled agent

Tests

  • Kept sandbox_disabled_test.go (tests sandbox.agent: false functionality)
  • All test files work with Disabled field references

Documentation

  • Updated frontmatter-full.md to show sandbox.agent: false as supported option
  • Clarified that top-level sandbox: false is not supported

Examples

Not Supported:

---
sandbox: false           # ❌ Error: rejected by schema (not a valid type)
---
---
sandbox:
  gateway: false         # ❌ Error: rejected by custom validation
  mcp: false            # ❌ Error: rejected by schema
---

Supported:

---
sandbox:
  agent: false          # ✅ Disables AWF firewall
---
---
sandbox:
  agent: awf            # ✅ Default (enables AWF firewall)
---

Build & Test Status

✅ Build successful
✅ Code formatted
✅ Validation tests pass
✅ Schema correctly rejects unsupported syntaxes

Original prompt

Remove the ability to disable the MCP gateway

sandbox.gateway: false # not supported

also remove top level syntax to disable sandbox as a whole

sandbox: false # not supported

Only the sandbox.agent: false is supported.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 7 commits February 3, 2026 01:24
@pelikhan
Remove sandbox.gateway: false and sandbox: false support from code
60b7bba 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Add validation to reject unsupported sandbox syntaxes
12d53bd 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Update tests to remove Disabled field references
e2079ec 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Fix firewall default enablement tests
d94b544 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Update documentation to remove sandbox:false references
0f23339 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Final cleanup: remove test-result.json
ac9e77c 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Address code review feedback
a6b0a81 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Remove ability to disable MCP gateway and sandbox Remove support for disabling sandbox and MCP gateway Feb 3, 2026
Copilot AI requested a review from pelikhan February 3, 2026 01:35
@pelikhan
Copy link
Contributor

pelikhan commented Feb 3, 2026

@copilot must be able to disable agent firewall:

sandbox:
agent: false # awf disabled this is supported

@pelikhan
Restore support for sandbox.agent: false to disable AWF firewall
3817aca 
- Restored Disabled field in AgentSandboxConfig struct
- Restored all code that checks Disabled field (150+ lines)
- Restored sandbox_disabled_test.go and other test files
- Updated JSON schema to allow boolean false for sandbox.agent
- Added validation that ONLY rejects:
  * sandbox: false (top-level)
  * sandbox.gateway: false
  * sandbox.mcp: false
- sandbox.agent: false IS NOW SUPPORTED to disable AWF firewall
- Updated documentation to clarify supported syntax

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 3, 2026

@copilot must be able to disable agent firewall:

sandbox:
...

Fixed in commit 3817aca. The sandbox.agent: false syntax is now supported to disable the AWF firewall.

What was changed:

  • Restored the Disabled field and all related logic
  • Updated validation to only reject sandbox: false (top-level) while allowing sandbox.agent: false
  • Updated JSON schema to accept boolean false for the agent field
  • Restored all tests for disabled sandbox functionality

The PR now correctly implements the original requirements: remove top-level sandbox: false and sandbox.gateway: false, but keep sandbox.agent: false to disable the firewall.

Copilot AI changed the title Remove support for disabling sandbox and MCP gateway Remove support for top-level sandbox: false and sandbox.gateway/mcp: false Feb 3, 2026
pelikhan
pelikhan reviewed Feb 3, 2026
View reviewed changes
pkg/parser/schemas/main_workflow_schema.json Outdated
Copy link
Contributor

@pelikhan pelikhan Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot remove this entry, sandbox: boolean is not supported anymore

Copy link
Contributor Author

Copilot AI Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in commit d0c363f. Removed the boolean type from the top-level sandbox field's oneOf array in the JSON schema. Top-level sandbox: false is now rejected by schema validation, while sandbox.agent: false remains supported.

Copy link
Contributor Author

Copilot AI Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in commit d0c363f. Removed the boolean type entry from the top-level sandbox field in the JSON schema. The schema now only accepts string or object types for the top-level sandbox field, rejecting sandbox: false at schema validation time.

@pelikhan
Remove boolean type from top-level sandbox schema
d0c363f 
- Removed boolean option from sandbox field's oneOf array
- Top-level sandbox: false now rejected by schema validation
- sandbox.agent: false still supported (has its own boolean option)
- Schema validation will catch sandbox: false early with clear error

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan February 3, 2026 02:13
@pelikhan pelikhan closed this Feb 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pelikhan