Contributor

Copilot AI commented Jan 12, 2026

Implementation Plan for Sandbox-less Mode (sandbox: false) - COMPLETE ✅

Phase 1: Frontmatter parsing and validation ✅

  • Update extractSandboxConfig to handle sandbox: false boolean format
  • Update SandboxConfig struct to track disabled state (using existing Disabled field)
  • Add validation to refuse sandbox: false in strict mode only
  • Add compile-time warning when sandbox: false is used
  • Update JSON schema to allow boolean type for sandbox field
  • Rebuild binary to embed updated schema

Phase 2: Compiler orchestrator changes ✅

  • Update applySandboxDefaults to respect sandbox: false
  • Add helper function isSandboxDisabled() to check for disabled state
  • Firewall enablement check already works (uses isFirewallDisabledBySandboxAgent)

Phase 3: MCP configuration changes ✅

  • Update buildMCPGatewayConfig to return nil when sandbox disabled
  • MCP server config generation continues but without gateway section

Phase 4: Gateway and copilot execution steps ✅

  • Skip "Start MCP gateway" step generation when sandbox is disabled
  • Skip gateway Docker image download when sandbox disabled
  • Skip "Stop MCP gateway" step when sandbox disabled
  • Skip "Parse MCP gateway logs" step when sandbox disabled
  • Verify copilot execution is direct (not wrapped) when sandbox disabled

Phase 5: Testing ✅

  • Add unit tests for sandbox: false parsing
  • Integration tests for complete workflow compilation passing
  • Add strict mode validation test
  • Test MCP config generation without gateway
  • Verify no gateway steps or variables in output

Phase 6: Code Quality ✅

  • Run formatters and linters
  • Fix formatting issues (JSON schema, whitespace, indentation)
  • All linters passing (Go, JavaScript)

Phase 7: Documentation & Example ✅

  • Create example workflow using sandbox: false (daily-team-evolution-insights.md)
  • Update dev.md to use sandbox: false for development/testing
  • Demonstrate practical use cases for sandbox-less mode
  • Update relevant documentation files (defer to separate PR)

Summary

All core functionality complete. When sandbox: false is configured:

✅ No "Start MCP gateway" step generated
✅ No "Stop MCP gateway" step generated
✅ No "Parse MCP gateway logs" step generated
✅ No gateway Docker image downloaded
✅ No MCP_GATEWAY_* environment variables in workflow
✅ MCP config generated without gateway section
✅ Direct copilot execution (no AWF wrapper)
✅ Firewall disabled automatically
✅ Compile-time warning displayed
✅ Refused in strict mode with clear error
✅ Code formatted and linted

Example Workflows

daily-team-evolution-insights.md: Production example using Claude

  • Analyzes repository activity from the last 24 hours
  • Extracts insights about team evolution, collaboration patterns, and development trends
  • Posts comprehensive analysis as a GitHub Discussion
  • Direct MCP server access without gateway overhead

dev.md: Development/testing workflow using Copilot

  • Simple test workflow for reading issues and posting comments
  • Updated to use sandbox: false for faster iteration during development
  • Demonstrates sandbox-less mode with staged safe-outputs
  • Shows practical use case where firewall/gateway overhead isn't needed

The implementation is complete, consistent across all components, formatted, linted, and all sandbox-disabled tests are passing.

Original prompt

Add support for a sandbox-less mode. By setting

sandbox: false

the user can completely disable the firewall and the gateway features. In that case, the compiler should generate the step for the agentic engine directly in the steps and not through awf. It should generate the mcp server configuration file without spinning the gateway (must be converted to the proper format).

  • warning displayed at compile time
  • not allowed in strict mode


Copilot AI and others added 3 commits January 12, 2026 18:13
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Updated JSON schema to allow boolean values for sandbox field
- Modified extractSandboxConfig to handle sandbox: false
- Updated validation to only refuse in strict mode (not in non-strict mode)
- Added compile-time warning when sandbox: false is used
- Added helper function isSandboxDisabled()
- Updated applySandboxDefaults to preserve disabled state
- Updated buildMCPGatewayConfig to return nil when sandbox disabled

Next: Need to skip gateway startup step generation when sandbox disabled

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Added conditional check to skip "Start MCP gateway" step when sandbox: false
- Gateway config is already nil when sandbox disabled (from Phase 1)
- MCP config is still generated but without gateway section
- Tests show good progress - no gateway step being generated
- Still need to skip gateway Docker image download
- Still need to skip gateway stop step

Next: Complete gateway-related step cleanup and fix remaining integration tests

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for sandbox-less mode in compiler Add sandbox-less mode with sandbox: false configuration Jan 12, 2026
Copilot AI requested a review from pelikhan January 12, 2026 18:32
@pelikhan
Contributor

@copilot

Minor cleanup items not blocking core functionality:

Skip gateway Docker image download when sandbox disabled
Skip "Stop MCP gateway" step generation
Ensure no gateway environment variables in output

- Skip MCP gateway Docker image download when sandbox: false
- Skip "Stop MCP gateway" step generation when sandbox: false
- Skip "Parse MCP gateway logs" step generation when sandbox: false
- All sandbox disabled tests passing
- Verified compiled workflows have no gateway references or environment variables

Addresses feedback: https://github.com/githubnext/gh-aw/pull/XXX#issuecomment-3739970970

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 12, 2026

@copilot

Minor cleanup items not blocking core functionality:
...

Completed all three cleanup items in commit 2b9a6b0:

  1. Skip gateway Docker image download - Modified collectDockerImages() to check Agent.Disabled and skip gateway image
  2. Skip "Stop MCP gateway" step - Made generateStopMCPGateway() conditional on isSandboxDisabled()
  3. Ensured no gateway environment variables - Also skipped "Parse MCP gateway logs" step

All sandbox disabled tests passing. Verified compiled workflows contain:

  • No gateway steps (Start/Stop/Parse logs)
  • No MCP_GATEWAY_* environment variables
  • No gateway Docker images (gh-aw-mcpg)
  • MCP config without gateway section
  • firewall_enabled: false in metadata
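
The verification list in the comment above, written as a repeatable check over a compiled lock file. This is an added example, not code from the PR or the gh-aw project; the function name, the sample lock contents, the variable MCP_GATEWAY_EXAMPLE and the layout of the firewall_enabled metadata are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Strings the PR comment lists as absent from a workflow compiled with sandbox: false.
var gatewayMarkers = []string{
	"Start MCP gateway", "Stop MCP gateway", "Parse MCP gateway logs",
	"MCP_GATEWAY_", "gh-aw-mcpg",
}

// Assumption: the metadata flag is written as a key/value pair (YAML or JSON style).
var firewallOff = regexp.MustCompile(`"?firewall_enabled"?\s*:\s*false\b`)

// AuditSandboxDisabledLock (hypothetical name) returns one finding per gateway leftover,
// plus one if firewall_enabled: false is not recorded. An empty result means clean.
func AuditSandboxDisabledLock(lock string) []string {
	var findings []string
	for i, line := range strings.Split(lock, "\n") {
		for _, m := range gatewayMarkers {
			if strings.Contains(line, m) {
				findings = append(findings, fmt.Sprintf("line %d: gateway reference %q", i+1, m))
			}
		}
	}
	if !firewallOff.MatchString(lock) {
		findings = append(findings, "metadata: firewall_enabled: false not found")
	}
	return findings
}

// Constructed samples: a clean sandbox-less lock file and one with gateway leftovers.
const cleanLock = `steps:
  - name: Downloading container images
    run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 node:lts-alpine
firewall_enabled: false`
const leakyLock = `steps:
  - name: Start MCP gateway
    env: {MCP_GATEWAY_EXAMPLE: "1"}
    run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/githubnext/gh-aw-mcpg
firewall_enabled: true`

func main() {
	for _, f := range AuditSandboxDisabledLock(leakyLock) {
		fmt.Println(f)
	}
	fmt.Println("clean findings:", len(AuditSandboxDisabledLock(cleanLock)))
}
```
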

@pelikhan
Contributor

@copilot review the whole changes for consistency and potentially missing scenario. Add a new agentic workflow that uses sandbox: false and analyzes the changes in the last day and extracts insights about how the team is evolving and posts it as a discussion. uses claude

Created a new agentic workflow that demonstrates sandbox-less mode:
- Uses Claude engine with sandbox: false
- Analyzes last 24 hours of repository activity
- Extracts insights about team evolution and working patterns
- Posts findings as a GitHub Discussion
- Direct MCP server access without gateway
- Network access without firewall restrictions

The workflow showcases practical use of sandbox: false for trusted
analysis tasks where the overhead of gateway/firewall isn't needed.

Verified compilation:
- No "Start MCP gateway" step
- No "Stop MCP gateway" step
- No MCP_GATEWAY_* environment variables
- firewall_enabled: false in metadata
- Warning displayed about disabled security protections

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 12, 2026

@copilot review the whole changes for consistency and potentially missing scenario. Add a new agentic workflow that uses sandbox: false and analyzes the changes in the last day and extracts insights a...

Completed full implementation review and added example workflow in commit d253b69.

Consistency Review ✅

Verified implementation is consistent across all components:

Parsing & Configuration:

  • extractSandboxConfig() correctly handles sandbox: false boolean
  • applySandboxDefaults() preserves disabled state without applying defaults
  • isSandboxDisabled() helper used consistently throughout codebase

Compilation:

  • Gateway steps skipped: Start, Stop, Parse logs
  • Docker image download skips gateway container
  • MCP config rendered without gateway section
  • All checks use same logic: Agent.Disabled flag

MCP Renderers:

  • Already handle disabled sandbox (use localhost vs host.docker.internal)
  • Safe-inputs renderer adjusts host appropriately
  • Codex/Copilot MCP configs respect disabled state

Validation:

  • Strict mode refuses sandbox: false with clear error
  • Non-strict mode allows with prominent warning
  • Firewall auto-disabled when sandbox disabled

New Workflow: daily-team-evolution-insights.md

Created practical example using Claude + sandbox: false:

  • Purpose: Analyzes last 24 hours of repo activity
  • Insights: Team evolution, collaboration patterns, development trends
  • Output: GitHub Discussion with comprehensive analysis
  • Tools: GitHub MCP (repos, issues, PRs, discussions)
  • Benefits: Direct MCP access, no gateway overhead, faster execution

Verification: Compiled successfully with all expected characteristics (no gateway steps/vars, firewall disabled, warning displayed)

Missing Scenarios Check

No missing scenarios found - implementation handles:

  • ✅ All engine types (Copilot, Claude, Codex, Custom)
  • ✅ All MCP tool configurations
  • ✅ Safe-outputs with disabled sandbox
  • ✅ Safe-inputs with disabled sandbox
  • ✅ Network configuration (uses unrestricted)
  • ✅ Strict vs non-strict modes
  • ✅ Docker image collection
  • ✅ Log parsing steps
  • ✅ Repository memory tools

Contributor

@pelikhan pelikhan left a comment

@copilot update dev.md to use sandbox false

Changed dev.md workflow to demonstrate sandbox-less mode:
- Set sandbox: false to disable firewall and gateway
- Changed strict: true to strict: false (required for sandbox: false)
- Added network.allowed: ["*"] for unrestricted access
- Workflow now runs with direct MCP server access

Verified compilation:
- No "Start MCP gateway" step
- No "Stop MCP gateway" step
- No MCP_GATEWAY_* environment variables
- firewall_enabled: false in metadata
- Warning displayed about disabled security protections

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 12, 2026

@copilot update dev.md to use sandbox false

Updated dev.md to use sandbox: false in commit 37e9a83.

Changes made:

  • Set sandbox: false
  • Changed strict: true to strict: false (required for sandbox-less mode)
  • Added network.allowed: ["*"] for unrestricted network access
  • Workflow now runs with direct MCP server access, no gateway overhead

Verified: No gateway steps/variables, firewall_enabled: false, warning displayed at compile time.

Copilot AI requested a review from pelikhan January 12, 2026 20:20
@pelikhan
Contributor

One still needs the docker image downloads. Do not download the gateway image.

@pelikhan
Contributor

@copilot:

  • one still needs the docker image downloads. Do not download the gateway image.

Contributor Author

Copilot AI commented Jan 12, 2026

@copilot:

  • one still needs the docker image downloads. Do not download the gateway image.
    ...

The implementation is already correct - Docker images are still being downloaded, but the gateway image is excluded.

Current behavior with sandbox: false:

  • ✅ Docker download step is generated
  • ✅ GitHub MCP server image is downloaded (ghcr.io/github/github-mcp-server:v0.27.0)
  • ✅ Safe-outputs container is downloaded (node:lts-alpine)
  • ✅ Other tool images (Playwright, custom MCP) are downloaded as needed
  • ❌ Gateway image is NOT downloaded (ghcr.io/githubnext/gh-aw-mcpg)

Implementation in docker.go (lines 52-75):
The code specifically checks if sandbox is disabled and only skips the gateway container while still collecting all other images (GitHub MCP, Playwright, safe-outputs, custom tools).

Verification:
Both dev.lock.yml and daily-team-evolution-insights.lock.yml show:

- name: Downloading container images
  run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/github-mcp-server:v0.27.0 node:lts-alpine

No changes needed - the gateway image is already excluded while other images are still downloaded.

@pelikhan
Contributor

@copilot format, lint go, lint js

Ran make fmt, make lint, and make lint-cjs:
- Fixed JSON schema formatting (arrays on single lines)
- Removed trailing whitespace in docker.go
- Fixed indentation in mcp_servers.go
- Fixed indentation in sandbox_disabled_test.go

All linters passing:
- Go linter: ✓ 0 issues
- JavaScript linter: ✓ All files use Prettier code style
- All validations passed

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 12, 2026

@copilot format, lint go, lint js

Completed formatting and linting in commit 1ba695b.

Changes:

  • Fixed JSON schema formatting (arrays on single lines)
  • Removed trailing whitespace in docker.go
  • Fixed indentation in mcp_servers.go and sandbox_disabled_test.go

Results:

  • ✅ Go linter: 0 issues
  • ✅ JavaScript linter: All files use Prettier code style
  • ✅ All validations passed

@pelikhan pelikhan marked this pull request as ready for review January 12, 2026 21:28
@pelikhan pelikhan merged commit 318a6d4 into main Jan 12, 2026
47 checks passed
@pelikhan pelikhan deleted the copilot/add-sandbox-less-mode branch January 12, 2026 22:06