@openparachute/agent 0.1.2 → 0.2.0

package/src/sandbox/egress.ts

@@ -0,0 +1,123 @@
+/**
+ * Network egress composition (design §3.3, §4.4).
+ *
+ * Egress is the load-bearing control for a session fed foreign-authored channel
+ * input: every allowlisted host is an exfiltration path, not just a fetch path.
+ * So the policy is:
+ *
+ *   - DENY all egress by default (the sandbox-runtime's `allowedDomains: []`
+ *     means no network — see its README "Network Isolation (allow-only)").
+ *   - A NON-REMOVABLE BASE allowlist of `{ the Anthropic API host(s), the
+ *     hub/vault origin }` is ALWAYS included — what every arm needs to think and
+ *     to do its scoped work.
+ *   - The spec's `egress[]` is ADDITIVE only. A spec cannot drop the base or
+ *     override it away; it can only widen with hosts of its own.
+ *
+ * The base is anchored in code, not config, precisely so a spec (which may be
+ * generated from foreign-influenced input down the line) can never quietly strip
+ * the host's own control-plane reachability or — worse — replace the Anthropic
+ * host with an attacker endpoint.
+ */
+
+/**
+ * The Anthropic API hosts every arm needs to reach to run `claude`. Includes the
+ * wildcard so regional/edge subdomains resolve; the bare apex covers the canonical
+ * host. Held in code as part of the non-removable base.
+ */
+export const ANTHROPIC_EGRESS_HOSTS: readonly string[] = [
+  "api.anthropic.com",
+  "*.anthropic.com",
+] as const;
+
+/** A hostname (no scheme/port/path) extracted from an origin or passed through. */
+export type EgressHost = string;
+
+/**
+ * Reduce an origin (`https://host:port`) or a bare host to the hostname the
+ * sandbox-runtime allowlist matches on. The runtime matches on domain, not
+ * scheme or port, so we strip both. A bare hostname passes through unchanged.
+ * Returns null for an unparseable/empty input (callers skip nulls).
+ */
+export function hostFromOrigin(originOrHost: string | undefined | null): EgressHost | null {
+  if (!originOrHost) return null;
+  const trimmed = originOrHost.trim();
+  if (trimmed.length === 0) return null;
+  // If it parses as a URL, take its hostname. Otherwise treat the whole thing as
+  // a host (possibly with a :port we strip).
+  try {
+    const u = new URL(trimmed.includes("://") ? trimmed : `https://${trimmed}`);
+    const h = u.hostname;
+    return h.length > 0 ? h : null;
+  } catch {
+    const noPort = trimmed.replace(/:\d+$/, "");
+    return noPort.length > 0 ? noPort : null;
+  }
+}
+
+export interface EgressBaseInput {
+  /**
+   * The hub origin (also the vault origin in the co-located deploy — the vault is
+   * reached under the hub's path-proxy). Origin or bare host; reduced to a host.
+   */
+  hubOrigin: string;
+  /**
+   * Optional distinct vault origin, if the vault is reached at a different host
+   * than the hub. Usually omitted (co-located). Origin or bare host.
+   */
+  vaultOrigin?: string;
+  /**
+   * Override the Anthropic hosts (tests). Defaults to {@link ANTHROPIC_EGRESS_HOSTS}.
+   */
+  anthropicHosts?: readonly string[];
+}
+
+/**
+ * Build the NON-REMOVABLE base egress allowlist: the Anthropic API host(s) plus
+ * the hub/vault origin host(s). This is what every arm gets regardless of spec.
+ * Deduped, loopback/local hosts preserved (a co-located dev hub is loopback).
+ */
+export function baseEgressAllowlist(input: EgressBaseInput): EgressHost[] {
+  const anthropic = input.anthropicHosts ?? ANTHROPIC_EGRESS_HOSTS;
+  const hosts: EgressHost[] = [...anthropic];
+  const hub = hostFromOrigin(input.hubOrigin);
+  if (hub) hosts.push(hub);
+  const vault = hostFromOrigin(input.vaultOrigin);
+  if (vault) hosts.push(vault);
+  return dedupePreserveOrder(hosts);
+}
+
+/**
+ * Compose the final egress allowlist: the non-removable base UNIONED with the
+ * spec's additive `egress[]`. The base is always present and always first; spec
+ * hosts are appended. Because we recompute the base from code on every call and
+ * union (never start from the spec), a spec that tries to omit or "override" the
+ * base still gets it — the contract the test in egress.test.ts pins.
+ *
+ * Each spec host is normalized through {@link hostFromOrigin} so an arm may
+ * declare either bare hosts (`registry.npmjs.org`) or full origins
+ * (`https://registry.npmjs.org`) and they land the same.
+ */
+export function composeEgressAllowlist(
+  base: EgressBaseInput,
+  specEgress: readonly string[] | undefined,
+): EgressHost[] {
+  const baseHosts = baseEgressAllowlist(base);
+  const additions: EgressHost[] = [];
+  for (const e of specEgress ?? []) {
+    const h = hostFromOrigin(e);
+    if (h) additions.push(h);
+  }
+  return dedupePreserveOrder([...baseHosts, ...additions]);
+}
+
+function dedupePreserveOrder(xs: readonly string[]): string[] {
+  const seen = new Set<string>();
+  const out: string[] = [];
+  for (const x of xs) {
+    if (!seen.has(x)) {
+      seen.add(x);
+      out.push(x);
+    }
+  }
+  return out;
+}

package/src/sandbox/index.ts

@@ -0,0 +1,180 @@
+/**
+ * The `Sandbox` adapter — the constant contract, the per-platform mechanism
+ * behind it (design §3.1).
+ *
+ * v1 mechanism: Anthropic's `@anthropic-ai/sandbox-runtime` (Seatbelt on macOS,
+ * bubblewrap on Linux). We reach it by **library link** — never PATH resolution
+ * (design Q4 decision: a poisoned PATH entry would execute *before* the sandbox
+ * is established). The `SandboxManager` singleton is imported at module load, so
+ * the trust boundary is anchored to the pinned, library-resolved artifact.
+ *
+ * The adapter wraps the singleton so callers depend on this small surface — not
+ * on the runtime's full API — and so the escalation rung (§3.4) can become a
+ * second backend behind the same contract later. `SandboxManager` being a
+ * process-global singleton (one set of host proxies) means launches serialize
+ * through `initialize` → wrap → reset; the adapter makes that explicit.
+ */
+
+// `@anthropic-ai/sandbox-runtime` is pinned EXACT (not `^`) in package.json — it's
+// an anthropic-experimental research preview whose config/API may evolve between
+// patch releases, and it is the load-bearing isolation engine. Treat a version
+// bump as an upgrade-gate: only raise the pin behind a green run of the sandbox
+// test suite (esp. the LIVE Seatbelt assertions in `live-seatbelt.test.ts`, which
+// prove the real boundary still holds against the new version). On a bump, also
+// re-check `SANDBOX_ENV_ALLOWLIST` (spawn-agent.ts) against the runtime's
+// `generateProxyEnvVars` — a new proxy/launch var the engine emits must be added
+// there or egress silently breaks on Windows (where those vars ride in the env dict).
+import { SandboxManager as RealSandboxManager } from "@anthropic-ai/sandbox-runtime";
+import type { SandboxRuntimeConfig } from "@anthropic-ai/sandbox-runtime";
+import type { AgentSpec, BaseBinds, SandboxPlatform } from "./types.ts";
+import { buildSandboxConfig, currentSandboxPlatform } from "./config.ts";
+import type { EgressBaseInput } from "./egress.ts";
+
+export type {
+  AgentSpec,
+  AgentMount,
+  AgentVaultSpec,
+  AgentChannel,
+  AgentChannelSpec,
+  OtherMcpSpec,
+  BaseBinds,
+  MountMode,
+  SandboxPlatform,
+} from "./types.ts";
+export { normalizeChannel } from "./types.ts";
+export {
+  composeEgressAllowlist,
+  baseEgressAllowlist,
+  hostFromOrigin,
+  ANTHROPIC_EGRESS_HOSTS,
+  type EgressBaseInput,
+} from "./egress.ts";
+export {
+  composeFilesystemView,
+  homeTreeDenyRoot,
+  sharedMounts,
+  type FilesystemView,
+} from "./mounts.ts";
+export { buildSandboxConfig, currentSandboxPlatform, type BuildSandboxConfigInput } from "./config.ts";
+
+/**
+ * The minimal slice of the sandbox-runtime singleton the adapter uses. Pinned
+ * here so a test can inject a fake without depending on the full runtime API,
+ * and so a drift in the runtime's surface fails the typecheck loudly.
+ */
+export interface SandboxEngine {
+  isSupportedPlatform(): boolean;
+  isSandboxingEnabled(): boolean;
+  initialize(config: SandboxRuntimeConfig): Promise<void>;
+  /** Wrap a shell command string; returns the argv + env to spawn. */
+  wrapWithSandboxArgv(
+    command: string,
+  ): Promise<{ argv: string[]; env: Record<string, string | undefined> }>;
+  reset(): Promise<void>;
+}
+
+/** The real engine, library-linked (never via PATH). */
+export const defaultEngine: SandboxEngine = RealSandboxManager as unknown as SandboxEngine;
+
+export interface WrapInput {
+  spec: AgentSpec;
+  baseBinds: BaseBinds;
+  egressBase: EgressBaseInput;
+  /** The shell command to run sandboxed (e.g. the `claude …` invocation). */
+  command: string;
+  platform?: SandboxPlatform;
+  allowPty?: boolean;
+  ripgrep?: { command: string; args?: string[] };
+}
+
+export interface WrappedCommand {
+  /** argv to spawn (Seatbelt/bubblewrap wrapper + the command). */
+  argv: string[];
+  /** env the wrapper needs (proxy vars, sandbox markers). */
+  env: Record<string, string | undefined>;
+  /** The config the engine was initialized with (for assertion/audit/logging). */
+  config: SandboxRuntimeConfig;
+}
+
+/**
+ * The `Sandbox` — initialize the engine with the spec's config, then wrap the
+ * command. The returned `{argv, env}` is what the spawn step launches in tmux.
+ *
+ * Serialization caveat: the engine is a process-global singleton (it starts host
+ * egress proxies on `initialize` and tears them down on `reset`). v1 launches one
+ * sandboxed session at a time through this path; concurrent launches must
+ * serialize. The injectable `engine` keeps this unit-testable + lets a future
+ * per-session backend (§3.4) slot in.
+ */
+export class Sandbox {
+  private readonly engine: SandboxEngine;
+
+  constructor(engine: SandboxEngine = defaultEngine) {
+    this.engine = engine;
+  }
+
+  /** Whether this host can sandbox at all (Seatbelt present / bubblewrap deps). */
+  isSupportedPlatform(): boolean {
+    return this.engine.isSupportedPlatform();
+  }
+
+  /**
+   * Build the config from the spec, initialize the engine, and wrap the command.
+   * The config is returned so callers can assert/log the exact allowlist + binds.
+   */
+  async wrap(input: WrapInput): Promise<WrappedCommand> {
+    const config = buildSandboxConfig({
+      spec: input.spec,
+      baseBinds: input.baseBinds,
+      egressBase: input.egressBase,
+      ...(input.platform ? { platform: input.platform } : {}),
+      ...(input.allowPty !== undefined ? { allowPty: input.allowPty } : {}),
+      ...(input.ripgrep ? { ripgrep: input.ripgrep } : {}),
+    });
+    // Reset the process-global singleton BEFORE re-initializing. Without this, a
+    // prior spawn's network config leaks into this wrap: most visibly, an OPEN
+    // (no-proxy) session inherits a prior RESTRICTED session's `HTTP(S)_PROXY` env
+    // (baked into the wrapped argv), so claude routes to a now-wrong/absent proxy
+    // and dies with "An unknown error occurred (Unexpected)". Reset → initialize →
+    // wrap runs inside the caller's spawn lock, so each spawn produces a wrap that
+    // reflects ONLY its own config. (Caveat: because the singleton's host proxies
+    // are global, resetting here tears down a concurrently-running RESTRICTED
+    // session's proxy on the next spawn — a known v1 limitation of the singleton
+    // backend; OPEN sessions use no proxy and are unaffected. The escalation rung
+    // §3.4 is a per-session backend that removes this.)
+    try {
+      await this.engine.reset();
+    } catch {
+      // Any reset error is ignored: on the first-ever wrap there's nothing to tear
+      // down, and a later teardown fault must not block the (re-)initialize that
+      // follows. The fresh initialize() below re-establishes a clean state regardless.
+    }
+    await this.engine.initialize(config);
+    const { argv, env } = await this.engine.wrapWithSandboxArgv(input.command);
+    return { argv, env, config };
+  }
+
+  /** Tear down the engine's host proxies. Call on session death. */
+  async reset(): Promise<void> {
+    await this.engine.reset();
+  }
+}
+
+/** Convenience: just build the config (no engine init) — used in tests + audits. */
+export function configForSpec(input: {
+  spec: AgentSpec;
+  baseBinds: BaseBinds;
+  egressBase: EgressBaseInput;
+  platform?: SandboxPlatform;
+  allowPty?: boolean;
+}): SandboxRuntimeConfig {
+  return buildSandboxConfig({
+    spec: input.spec,
+    baseBinds: input.baseBinds,
+    egressBase: input.egressBase,
+    ...(input.platform ? { platform: input.platform } : {}),
+    ...(input.allowPty !== undefined ? { allowPty: input.allowPty } : {}),
+  });
+}
+
+export { currentSandboxPlatform as platform };

package/src/sandbox/live-seatbelt.test.ts

@@ -0,0 +1,277 @@
+/**
+ * LIVE sandbox-runtime assertions on this host (Seatbelt on macOS).
+ *
+ * These run a REAL sandboxed process and assert it is genuinely confined:
+ *   - egress to a non-allowlisted host is DENIED;
+ *   - egress to an allowlisted host is permitted to ATTEMPT (proxy admits it);
+ *   - a read OUTSIDE the declared binds is DENIED;
+ *   - a read INSIDE a bind is permitted.
+ *
+ * The sandbox-runtime singleton starts host proxies on `initialize` and tears
+ * them down on `reset`; it is process-global, so these cases serialize (one
+ * describe block, sequential `initialize`→wrap→reset per case). Sandboxed in a
+ * fresh temp workspace — NEVER the operator's live ~/.parachute.
+ *
+ * Skipped automatically when the platform can't sandbox (`isSupportedPlatform()`
+ * false) or its deps aren't satisfied — so CI on an unsupported runner stays
+ * green while a capable host (this Mac) exercises the real boundary. The
+ * config-shape tests (egress/mounts/config.test.ts) ALWAYS run regardless.
+ */
+import { describe, test, expect, afterEach } from "bun:test";
+import { mkdtempSync, writeFileSync, mkdirSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir, homedir } from "node:os";
+import { SandboxManager } from "@anthropic-ai/sandbox-runtime";
+import { buildSandboxConfig } from "./config.ts";
+import type { AgentSpec, BaseBinds } from "./types.ts";
+
+const CAN_SANDBOX =
+  SandboxManager.isSupportedPlatform() && SandboxManager.checkDependencies().errors.length === 0;
+
+// A positive control: prove the harness can actually run a sandboxed process at
+// all before asserting on denials (negative-scans-need-positive-controls).
+const d = CAN_SANDBOX ? describe : describe.skip;
+
+async function runSandboxed(
+  cfg: ReturnType<typeof buildSandboxConfig>,
+  command: string,
+): Promise<{ code: number; stdout: string; stderr: string }> {
+  await SandboxManager.initialize(cfg);
+  try {
+    const { argv, env } = await SandboxManager.wrapWithSandboxArgv(command);
+    const proc = Bun.spawn(argv, {
+      env: env as Record<string, string>,
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+    const [stdout, stderr, code] = await Promise.all([
+      new Response(proc.stdout as ReadableStream<Uint8Array>).text(),
+      new Response(proc.stderr as ReadableStream<Uint8Array>).text(),
+      proc.exited,
+    ]);
+    return { code, stdout, stderr };
+  } finally {
+    await SandboxManager.reset();
+  }
+}
+
+let workspace: string;
+
+afterEach(() => {
+  if (workspace) rmSync(workspace, { recursive: true, force: true });
+});
+
+d("LIVE Seatbelt — network egress", () => {
+  test("positive control: the harness can run a trivial sandboxed command", async () => {
+    workspace = mkdtempSync(join(tmpdir(), "sbx-live-pos-"));
+    const spec: AgentSpec = { name: "pos", channels: ["c"], network: "restricted", egress: [] };
+    const cfg = buildSandboxConfig({
+      spec,
+      baseBinds: { workspace, runtimeReadOnly: [] },
+      egressBase: { hubOrigin: "http://127.0.0.1:1939" },
+      platform: "darwin",
+    });
+    const r = await runSandboxed(cfg, "echo sandbox-alive");
+    expect(r.code).toBe(0);
+    expect(r.stdout).toContain("sandbox-alive");
+  }, 60_000);
+
+  test("DENIED: curl to a host NOT in the allowlist is blocked", async () => {
+    workspace = mkdtempSync(join(tmpdir(), "sbx-live-deny-"));
+    // Allowlist the base only (anthropic + the loopback hub). example.com is NOT on it.
+    const spec: AgentSpec = { name: "deny", channels: ["c"], network: "restricted", egress: [] };
+    const cfg = buildSandboxConfig({
+      spec,
+      baseBinds: { workspace, runtimeReadOnly: [] },
+      egressBase: { hubOrigin: "http://127.0.0.1:1939" },
+      platform: "darwin",
+    });
+    const r = await runSandboxed(
+      cfg,
+      "curl -sS -m 8 -o /dev/null -w '%{http_code}' https://example.com",
+    );
+    // The egress proxy refuses a non-allowlisted host: curl exits non-zero
+    // (commonly 56 "CONNECT tunnel failed, response 403"). The key assertion is
+    // that the request did NOT succeed with a 2xx.
+    expect(r.code).not.toBe(0);
+    expect(r.stdout).not.toMatch(/^2\d\d$/);
+  }, 60_000);
+
+  test("a spec that adds an egress host gets that host on the allowlist (additive)", async () => {
+    workspace = mkdtempSync(join(tmpdir(), "sbx-live-add-"));
+    const spec: AgentSpec = { name: "add", channels: ["c"], network: "restricted", egress: ["example.com"] };
+    const cfg = buildSandboxConfig({
+      spec,
+      baseBinds: { workspace, runtimeReadOnly: [] },
+      egressBase: { hubOrigin: "http://127.0.0.1:1939" },
+      platform: "darwin",
+    });
+    // We assert the CONFIG carries the host (a live fetch to example.com would be
+    // a network-flaky external dependency; the denial test above is the live
+    // boundary proof). The base floor is also present.
+    expect(cfg.network.allowedDomains).toContain("example.com");
+    expect(cfg.network.allowedDomains).toContain("api.anthropic.com");
+  }, 60_000);
+});
+
+d("LIVE Seatbelt — filesystem read confinement", () => {
+  test("DENIED: reading a file OUTSIDE the declared binds fails", async () => {
+    workspace = mkdtempSync(join(tmpdir(), "sbx-live-read-"));
+    // A secret OUTSIDE the workspace, under a sibling temp dir we do NOT bind.
+    const secretDir = mkdtempSync(join(tmpdir(), "sbx-live-secret-"));
+    const secretFile = join(secretDir, "secret.txt");
+    writeFileSync(secretFile, "TOPSECRET-do-not-read");
+    try {
+      const spec: AgentSpec = { name: "read", channels: ["c"], network: "restricted", egress: [] };
+      const cfg = buildSandboxConfig({
+        spec,
+        baseBinds: { workspace, runtimeReadOnly: [] },
+        egressBase: { hubOrigin: "http://127.0.0.1:1939" },
+        platform: "darwin",
+      });
+      // Deny the temp root so the unbound secret dir is unreadable; re-allow only
+      // the workspace. (buildSandboxConfig denies /Users; the macOS temp dir lives
+      // under /var/folders, so we additionally deny the secret's parent to make the
+      // confinement assertion robust regardless of where the OS placed the tmp dir.)
+      cfg.filesystem.denyRead = [...cfg.filesystem.denyRead, secretDir];
+      const r = await runSandboxed(cfg, `cat ${secretFile}`);
+      expect(r.code).not.toBe(0);
+      expect(r.stdout).not.toContain("TOPSECRET");
+    } finally {
+      rmSync(secretDir, { recursive: true, force: true });
+    }
+  }, 60_000);
+
+  test("PRODUCTION PATH: the spec-derived /Users deny blocks a read of a real home-dir file (no manual patch)", async () => {
+    // The §4.5 scoped-read property is "an arm cannot read the operator's home."
+    // Prove it through the PRODUCTION config — secret under the REAL home dir,
+    // workspace also under home (so the re-allow path is exercised against the
+    // real `/Users` deny), and NO manual `denyRead` patch. This is the test that
+    // proves the deployed `denyRead:["/Users"]` actually confines reads.
+    const home = homedir();
+    workspace = mkdtempSync(join(home, ".sbx-live-ws-"));
+    const secretDir = mkdtempSync(join(home, ".sbx-live-secret-"));
+    const secretFile = join(secretDir, "home-secret.txt");
+    writeFileSync(secretFile, "HOME-TOPSECRET-do-not-read");
+    try {
+      const spec: AgentSpec = { name: "homeread", channels: ["c"], network: "restricted", egress: [] };
+      // buildSandboxConfig with platform "darwin" → denyRead:["/Users"],
+      // allowRead:[workspace]. We pass the config THROUGH unmodified.
+      const cfg = buildSandboxConfig({
+        spec,
+        baseBinds: { workspace, runtimeReadOnly: [] },
+        egressBase: { hubOrigin: "http://127.0.0.1:1939" },
+        platform: "darwin",
+      });
+      expect(cfg.filesystem.denyRead).toEqual(["/Users"]);
+      expect(cfg.filesystem.allowRead).toContain(workspace);
+      // The secret sits under /Users/<me>/… and is NOT in any bind → blocked.
+      const r = await runSandboxed(cfg, `cat ${secretFile}`);
+      expect(r.code).not.toBe(0);
+      expect(r.stdout).not.toContain("HOME-TOPSECRET");
+
+      // Positive control on the SAME production config: a file inside the
+      // workspace (also under /Users, but re-allowed by allowRead) IS readable —
+      // proving the deny didn't just break all reads.
+      const insideFile = join(workspace, "inside.txt");
+      writeFileSync(insideFile, "HOME-WORKSPACE-readable");
+      const ok = await runSandboxed(cfg, `cat ${insideFile}`);
+      expect(ok.code).toBe(0);
+      expect(ok.stdout).toContain("HOME-WORKSPACE-readable");
+    } finally {
+      rmSync(secretDir, { recursive: true, force: true });
+    }
+  }, 60_000);
+
+  test("DEFAULT POSTURE: ~/.parachute (operator.token's dir) is UNREADABLE, the workspace IS readable, network is OPEN", async () => {
+    // The security guarantee Aaron asked for: the DEFAULT spawn (no filesystem/no
+    // network knob) must (a) be unable to read the operator's secrets — modelled by
+    // a decoy planted in the REAL ~/.parachute, exactly where operator.token lives —
+    // while (b) still having the workspace readable and (c) the network fully OPEN.
+    // Reads scoped by default; internet open by default.
+    const home = homedir();
+    workspace = mkdtempSync(join(home, ".sbx-live-default-ws-"));
+    const decoy = join(home, ".parachute", `.sbx-live-decoy-${process.pid}.txt`);
+    writeFileSync(decoy, "OPERATOR-TOKEN-DECOY-do-not-read");
+    try {
+      // DEFAULT spec: neither filesystem nor network set → workspace-scoped reads + open net.
+      const spec: AgentSpec = { name: "deflt", channels: ["c"] };
+      const cfg = buildSandboxConfig({
+        spec,
+        baseBinds: { workspace, runtimeReadOnly: [] },
+        egressBase: { hubOrigin: "http://127.0.0.1:1939" },
+        platform: "darwin",
+      });
+      // Defaults: scoped reads (/Users denied) + OPEN network (no allowedDomains).
+      expect(cfg.filesystem.denyRead).toEqual(["/Users"]);
+      expect((cfg.network as { allowedDomains?: string[] }).allowedDomains).toBeUndefined();
+
+      // (a) the decoy in ~/.parachute is DENIED — operator.token is equally unreadable.
+      const blocked = await runSandboxed(cfg, `cat ${decoy}`);
+      expect(blocked.code).not.toBe(0);
+      expect(blocked.stdout).not.toContain("OPERATOR-TOKEN-DECOY");
+
+      // (b) positive control: a workspace file IS readable under the SAME config.
+      const inside = join(workspace, "inside.txt");
+      writeFileSync(inside, "WORKSPACE-readable-by-default");
+      const ok = await runSandboxed(cfg, `cat ${inside}`);
+      expect(ok.code).toBe(0);
+      expect(ok.stdout).toContain("WORKSPACE-readable-by-default");
+    } finally {
+      rmSync(decoy, { force: true });
+    }
+  }, 60_000);
+
+  test("ALLOWED: reading a file INSIDE the workspace bind succeeds", async () => {
+    workspace = mkdtempSync(join(tmpdir(), "sbx-live-read-ok-"));
+    const f = join(workspace, "inside.txt");
+    writeFileSync(f, "READABLE-inside-workspace");
+    const spec: AgentSpec = { name: "readok", channels: ["c"], network: "restricted", egress: [] };
+    const cfg = buildSandboxConfig({
+      spec,
+      baseBinds: { workspace, runtimeReadOnly: [] },
+      egressBase: { hubOrigin: "http://127.0.0.1:1939" },
+      platform: "darwin",
+    });
+    const r = await runSandboxed(cfg, `cat ${f}`);
+    expect(r.code).toBe(0);
+    expect(r.stdout).toContain("READABLE-inside-workspace");
+  }, 60_000);
+
+  test("DENIED: writing OUTSIDE the workspace fails (write confinement)", async () => {
+    workspace = mkdtempSync(join(tmpdir(), "sbx-live-write-"));
+    const outsideDir = mkdtempSync(join(tmpdir(), "sbx-live-outside-"));
+    const target = join(outsideDir, "should-not-exist.txt");
+    try {
+      const spec: AgentSpec = { name: "write", channels: ["c"], network: "restricted", egress: [] };
+      const cfg = buildSandboxConfig({
+        spec,
+        baseBinds: { workspace, runtimeReadOnly: [] },
+        egressBase: { hubOrigin: "http://127.0.0.1:1939" },
+        platform: "darwin",
+      });
+      const r = await runSandboxed(cfg, `echo pwned > ${target}`);
+      expect(r.code).not.toBe(0);
+      // The file must not have been created (write was blocked at the OS level).
+      expect(await Bun.file(target).exists()).toBe(false);
+    } finally {
+      rmSync(outsideDir, { recursive: true, force: true });
+    }
+  }, 60_000);
+
+  test("ALLOWED: writing INSIDE the workspace succeeds", async () => {
+    workspace = mkdtempSync(join(tmpdir(), "sbx-live-write-ok-"));
+    const target = join(workspace, "out.txt");
+    const spec: AgentSpec = { name: "writeok", channels: ["c"], network: "restricted", egress: [] };
+    const cfg = buildSandboxConfig({
+      spec,
+      baseBinds: { workspace, runtimeReadOnly: [] },
+      egressBase: { hubOrigin: "http://127.0.0.1:1939" },
+      platform: "darwin",
+    });
+    const r = await runSandboxed(cfg, `echo written-inside > ${target}`);
+    expect(r.code).toBe(0);
+    const written = await Bun.file(target).text();
+    expect(written).toContain("written-inside");
+  }, 60_000);
+});