Disable sandbox.agent: false in strict mode for copilot engine #6903

Merged
pelikhan merged 3 commits into main from copilot/disable-sandbox-agent-flag-again
Dec 19, 2025

Copilot AI commented Dec 18, 2025

  • Modify validateStrictFirewall in pkg/workflow/strict_mode_validation.go to reject sandbox.agent: false in strict mode for all engines (not just copilot)
  • Fix strict mode re-evaluation ordering in compiler_parse.go to ensure strict mode is properly evaluated before validateStrictFirewall is called
  • Add tests for new validation behavior (strict mode refuses sandbox.agent: false for all engines, allows in non-strict mode)
  • Update existing workflows (smoke-copilot.md, smoke-copilot-playwright.md) that use sandbox.agent: false to set strict: false
  • Run tests to verify changes
  • Run code review and address comments
  • Run codeql_checker for security validation - no issues found
Original prompt

disable "sandbox: agent: false" in strict mode for copilot engine


This change adds validation to reject `sandbox.agent: false` in strict
mode for the copilot engine because it disables the firewall, which is
a security concern in production workflows.

Changes:
- Modified validateStrictFirewall to return an error when sandbox.agent:
  false is used with copilot engine in strict mode
- Fixed strict mode re-evaluation ordering in compiler_parse.go
- Updated tests to reflect the new behavior
- Updated smoke workflows to use strict: false

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Disable 'sandbox: agent: false' in strict mode" to "Disable sandbox.agent: false in strict mode for copilot engine" Dec 19, 2025
Copilot AI requested a review from Mossaka December 19, 2025 00:22
@pelikhan pelikhan marked this pull request as ready for review December 19, 2025 00:29
@pelikhan pelikhan added the smoke label Dec 19, 2025

github-actions bot commented Dec 19, 2025

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

github-actions bot commented Dec 19, 2025

🎬 THE END: Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

github-actions bot commented Dec 19, 2025

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

github-actions bot commented Dec 19, 2025

💀 Blimey! Smoke Copilot Safe Inputs failed and walked the plank! No treasure today, matey! ☠️

github-actions bot commented Dec 19, 2025

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

github-actions bot commented Dec 19, 2025

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

@github-actions

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved PR information
  • ✅ File Write: Created test file successfully
  • ✅ Bash Tool: Read file back confirmed
  • ✅ Playwright: Page title contains "GitHub"
  • ✅ Safe Input gh: Listed 3 issues

Overall: PASS

🤖 DIAGNOSTIC REPORT GENERATED BY Smoke Copilot No Firewall fer issue #6903 🗺️

@github-actions

Smoke Test Results for Run 20355906441

Recent PRs:

Tests:

  • ✅ GitHub MCP (retrieved last 2 merged PRs)
  • ✅ File writing (/tmp/gh-aw/agent/smoke-test-copilot-20355906441.txt)
  • ✅ Bash tool verification
  • ✅ GitHub MCP default toolset (get_me correctly unavailable)
  • ✅ Cache memory (/tmp/gh-aw/cache-memory/smoke-test-20355906441.txt)

Status: ✅ PASS

CC: @Copilot @Mossaka

📰 BREAKING: Report filed by Smoke Copilot fer issue #6903 🗺️

@github-actions

PRs (last 2 merged):

  • Refactor update_command.go: Split 1,331-line file into 8 focused modules
  • enable firewall for safe inputs agent
Tests: ✅ GitHub MCP; ✅ file write/verify (/tmp/gh-aw/agent/smoke-test-codex-20355906446.txt); ✅ Playwright title check; ✅ cache memory write/verify; ❌ safeinputs-gh (tool unavailable)
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex fer issue #6903 🗺️

@github-actions

Smoke Test Results (Claude Engine)

Last 2 merged PRs:

Test Results:

  • ✅ GitHub MCP - Fetched recent PRs
  • ✅ File Writing - Created test file
  • ✅ Bash Tool - Verified file creation
  • ✅ Playwright MCP - Navigated to GitHub, title verified
  • ✅ Cache Memory - Created and verified cache file
  • ❌ Safe Input gh Tool - Tool not available

Overall Status: PASS (5/6 tests successful)

💥 [THE END] — Illustrated by Smoke Claude fer issue #6903 🗺️

@pelikhan

@copilot strict mode should be enforced for all agents, not just copilot.

…rict mode

Per review feedback, the strict mode validation for sandbox.agent: false
now applies to all engines, not just copilot. This ensures consistent
security enforcement across all agent engines.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Dec 19, 2025

> @copilot strict mode should be enforced for all agents, not just copilot.

Updated in afc0ef9 - the sandbox.agent: false validation now applies to all engines in strict mode, not just copilot.

Copilot AI requested a review from pelikhan December 19, 2025 01:03
@pelikhan pelikhan merged commit 08e112b into main Dec 19, 2025
4 checks passed
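
The rule this PR settles on (strict mode refuses `sandbox.agent: false` for every engine, and strict mode is resolved before the check runs) can be sketched as below. This is an added example, not code from the PR or from `pkg/workflow`; the `Frontmatter` type, `effectiveStrict`, `validateSandbox`, the error text and the "frontmatter overrides the default" rule are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Frontmatter is a hypothetical, reduced model of a workflow's settings.
// Pointer fields keep "not set" distinct from an explicit false.
type Frontmatter struct {
	Engine       string
	Strict       *bool // nil: fall back to the caller-supplied default
	SandboxAgent *bool // nil: sandbox left at its default
}

// ErrSandboxDisabled uses illustrative wording, not the project's message.
var ErrSandboxDisabled = errors.New("strict mode: sandbox.agent: false disables the firewall")

// effectiveStrict resolves strict mode up front so the validator never acts
// on a stale value. Assumption: an explicit frontmatter value wins.
func effectiveStrict(fm Frontmatter, defaultStrict bool) bool {
	if fm.Strict != nil {
		return *fm.Strict
	}
	return defaultStrict
}

// validateSandbox rejects an explicit sandbox.agent: false whenever strict
// mode is in effect. The engine is reported but never consulted.
func validateSandbox(fm Frontmatter, defaultStrict bool) error {
	if !effectiveStrict(fm, defaultStrict) {
		return nil
	}
	if fm.SandboxAgent != nil && !*fm.SandboxAgent {
		return fmt.Errorf("engine %q: %w", fm.Engine, ErrSandboxDisabled)
	}
	return nil
}

func main() {
	off := false
	// Constructed sample inputs.
	for _, fm := range []Frontmatter{
		{Engine: "copilot", SandboxAgent: &off},
		{Engine: "claude", SandboxAgent: &off},
		{Engine: "copilot", Strict: &off, SandboxAgent: &off},
	} {
		fmt.Printf("%-8s -> %v\n", fm.Engine, validateSandbox(fm, true))
	}
}
```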