moonbridge 0.6.0__py3-none-any.whl → 0.8.0__py3-none-any.whl

moonbridge/__init__.py

@@ -2,7 +2,7 @@
 
 from __future__ import annotations
 
-__version__ = "0.6.0"
+__version__ = "0.8.0"
 
 from .server import main, run, server
 

moonbridge/adapters/codex.py

@@ -50,6 +50,7 @@ class CodexAdapter:
         install_hint="See https://github.com/openai/codex",
         supports_thinking=False,
         known_models=(
+            "gpt-5.3-codex",
             "gpt-5.2-codex",
             "gpt-5.1-codex",
             "gpt-5.1-codex-mini",

moonbridge/sandbox.py

@@ -0,0 +1,252 @@
+"""Copy-on-run sandbox for agent execution."""
+
+from __future__ import annotations
+
+import difflib
+import os
+import shutil
+import tempfile
+import time
+from collections.abc import Callable, Iterator
+from dataclasses import dataclass, replace
+from pathlib import Path
+
+from moonbridge.adapters.base import AgentResult
+
+SANDBOX_IGNORE_DIRS = {
+    ".git",
+    ".venv",
+    ".tox",
+    "__pycache__",
+    ".mypy_cache",
+    ".pytest_cache",
+    ".ruff_cache",
+    "node_modules",
+    "dist",
+    "build",
+}
+SANDBOX_IGNORE_FILES = {".DS_Store"}
+MAX_COPY_BYTES = 500 * 1024 * 1024
+
+
+@dataclass(frozen=True)
+class SandboxResult:
+    diff: str
+    summary: dict[str, int]
+    truncated: bool
+    sandbox_path: str | None
+
+
+def _should_ignore(name: str) -> bool:
+    if name in SANDBOX_IGNORE_DIRS:
+        return True
+    if name in SANDBOX_IGNORE_FILES:
+        return True
+    return name.endswith((".pyc", ".pyo"))
+
+
+def _ignore_names(_dirpath: str, names: list[str]) -> set[str]:
+    return {name for name in names if _should_ignore(name)}
+
+
+def _filtered_walk(root: str) -> Iterator[tuple[str, list[str], list[str]]]:
+    for dirpath, dirnames, filenames in os.walk(root):
+        dirnames[:] = [d for d in dirnames if not _should_ignore(d)]
+        filenames = [f for f in filenames if not _should_ignore(f)]
+        yield dirpath, dirnames, filenames
+
+
+def _collect_files(root: str) -> set[str]:
+    files: set[str] = set()
+    for dirpath, _dirnames, filenames in _filtered_walk(root):
+        rel_dir = os.path.relpath(dirpath, root)
+        for filename in filenames:
+            rel_path = filename if rel_dir == "." else os.path.join(rel_dir, filename)
+            files.add(rel_path)
+    return files
+
+
+def _read_text(path: str) -> str | None:
+    data = Path(path).read_bytes()
+    try:
+        return data.decode("utf-8")
+    except UnicodeDecodeError:
+        return None
+
+
+def _diff_trees(
+    original: str,
+    sandbox: str,
+    max_bytes: int,
+) -> tuple[str, dict[str, int], bool]:
+    original_files = _collect_files(original)
+    sandbox_files = _collect_files(sandbox)
+    all_files = sorted(original_files | sandbox_files)
+    diff_chunks: list[str] = []
+    size = 0
+    truncated = False
+    summary = {"added": 0, "modified": 0, "deleted": 0, "binary": 0}
+
+    def append_chunk(chunk: str) -> None:
+        nonlocal size, truncated
+        if truncated or not chunk:
+            return
+        remaining = max_bytes - size
+        if remaining <= 0:
+            truncated = True
+            return
+        if len(chunk) > remaining:
+            diff_chunks.append(chunk[:remaining])
+            truncated = True
+            size = max_bytes
+            return
+        diff_chunks.append(chunk)
+        size += len(chunk)
+
+    for rel_path in all_files:
+        original_path = os.path.join(original, rel_path)
+        sandbox_path = os.path.join(sandbox, rel_path)
+        original_exists = os.path.exists(original_path)
+        sandbox_exists = os.path.exists(sandbox_path)
+
+        if not original_exists and sandbox_exists:
+            summary["added"] += 1
+            sandbox_text = _read_text(sandbox_path)
+            if sandbox_text is None:
+                summary["binary"] += 1
+                append_chunk(f"Binary files /dev/null and b/{rel_path} differ\n")
+                continue
+            diff = difflib.unified_diff(
+                [],
+                sandbox_text.splitlines(keepends=True),
+                fromfile="/dev/null",
+                tofile=f"b/{rel_path}",
+            )
+            append_chunk("".join(diff))
+            continue
+
+        if original_exists and not sandbox_exists:
+            summary["deleted"] += 1
+            original_text = _read_text(original_path)
+            if original_text is None:
+                summary["binary"] += 1
+                append_chunk(f"Binary files a/{rel_path} and /dev/null differ\n")
+                continue
+            diff = difflib.unified_diff(
+                original_text.splitlines(keepends=True),
+                [],
+                fromfile=f"a/{rel_path}",
+                tofile="/dev/null",
+            )
+            append_chunk("".join(diff))
+            continue
+
+        if not original_exists or not sandbox_exists:
+            continue
+
+        original_bytes = Path(original_path).read_bytes()
+        sandbox_bytes = Path(sandbox_path).read_bytes()
+        if original_bytes == sandbox_bytes:
+            continue
+
+        original_text = None
+        sandbox_text = None
+        try:
+            original_text = original_bytes.decode("utf-8")
+            sandbox_text = sandbox_bytes.decode("utf-8")
+        except UnicodeDecodeError:
+            summary["binary"] += 1
+            append_chunk(f"Binary files a/{rel_path} and b/{rel_path} differ\n")
+            continue
+
+        summary["modified"] += 1
+        diff = difflib.unified_diff(
+            original_text.splitlines(keepends=True),
+            sandbox_text.splitlines(keepends=True),
+            fromfile=f"a/{rel_path}",
+            tofile=f"b/{rel_path}",
+        )
+        append_chunk("".join(diff))
+
+    if truncated:
+        diff_chunks.append("\n... diff truncated ...\n")
+    return ("".join(diff_chunks), summary, truncated)
+
+
+def _estimate_copy_size(root: str, max_bytes: int) -> int:
+    total = 0
+    for dirpath, _dirnames, filenames in _filtered_walk(root):
+        for filename in filenames:
+            path = os.path.join(dirpath, filename)
+            total += os.path.getsize(path)
+            if total > max_bytes:
+                return total
+    return total
+
+
+def _agent_index(fn: Callable[[str], AgentResult]) -> int:
+    value = getattr(fn, "agent_index", 0)
+    return value if isinstance(value, int) else 0
+
+
+def run_sandboxed(
+    fn: Callable[[str], AgentResult],
+    cwd: str,
+    *,
+    max_diff_bytes: int = 500_000,
+    max_copy_bytes: int = MAX_COPY_BYTES,
+    keep: bool = False,
+) -> tuple[AgentResult, SandboxResult | None]:
+    """Run fn in a copy of cwd. Returns (agent_result, sandbox_result).
+
+    On sandbox infrastructure error, returns (error_result, None).
+    """
+    start = time.monotonic()
+    sandbox_root: str | None = None
+    agent_index = _agent_index(fn)
+
+    def error_result(reason: str) -> AgentResult:
+        duration_ms = int((time.monotonic() - start) * 1000)
+        return AgentResult(
+            status="error",
+            output="",
+            stderr=f"sandbox error: {reason}",
+            returncode=-1,
+            duration_ms=duration_ms,
+            agent_index=agent_index,
+        )
+
+    try:
+        total_bytes = _estimate_copy_size(cwd, max_copy_bytes)
+        if total_bytes > max_copy_bytes:
+            return error_result(
+                f"copy size {total_bytes} exceeds max {max_copy_bytes}"
+            ), None
+
+        sandbox_root = tempfile.mkdtemp(prefix="moonbridge-sandbox-")
+        sandbox_cwd = os.path.join(sandbox_root, "workspace")
+        shutil.copytree(cwd, sandbox_cwd, symlinks=False, ignore=_ignore_names)
+
+        result = fn(sandbox_cwd)
+
+        try:
+            diff, summary, truncated = _diff_trees(cwd, sandbox_cwd, max_diff_bytes)
+            sandbox_result = SandboxResult(
+                diff=diff,
+                summary=summary,
+                truncated=truncated,
+                sandbox_path=sandbox_root if keep else None,
+            )
+            return result, sandbox_result
+        except Exception as exc:
+            raw = dict(result.raw or {})
+            sandbox_payload: dict[str, object] = {"enabled": True, "error": str(exc)}
+            if keep:
+                sandbox_payload["path"] = sandbox_root
+            raw["sandbox"] = sandbox_payload
+            return replace(result, raw=raw), None
+    except Exception as exc:
+        return error_result(str(exc)), None
+    finally:
+        if not keep and sandbox_root:
+            shutil.rmtree(sandbox_root, ignore_errors=True)

moonbridge/server.py

@@ -11,6 +11,7 @@ import signal
 import sys
 import time
 import weakref
+from dataclasses import replace
 from subprocess import PIPE, Popen, TimeoutExpired
 from typing import Any
 
@@ -36,6 +37,17 @@ ALLOWED_DIRS = [
     if path
 ]
 MAX_PROMPT_LENGTH = 100_000
+_SANDBOX_ENV = os.environ.get("MOONBRIDGE_SANDBOX", "").strip().lower()
+SANDBOX_MODE = _SANDBOX_ENV in {"1", "true", "yes", "copy"}
+SANDBOX_KEEP = os.environ.get("MOONBRIDGE_SANDBOX_KEEP", "").strip().lower() in {
+    "1",
+    "true",
+    "yes",
+}
+SANDBOX_MAX_DIFF_BYTES = int(os.environ.get("MOONBRIDGE_SANDBOX_MAX_DIFF", "500000"))
+SANDBOX_MAX_COPY_BYTES = int(
+    os.environ.get("MOONBRIDGE_SANDBOX_MAX_COPY", str(500 * 1024 * 1024))
+)
 
 _active_processes: set[weakref.ref[Popen[str]]] = set()
 
@@ -194,6 +206,53 @@ def _auth_error(stderr: str | None, adapter: CLIAdapter) -> bool:
     return any(pattern in lowered for pattern in adapter.config.auth_patterns)
 
 
+def _run_cli_sandboxed(
+    adapter: CLIAdapter,
+    prompt: str,
+    thinking: bool,
+    cwd: str,
+    timeout_seconds: int,
+    agent_index: int,
+    model: str | None = None,
+    reasoning_effort: str | None = None,
+) -> AgentResult:
+    from moonbridge.sandbox import run_sandboxed
+
+    def run_agent(sandbox_cwd: str) -> AgentResult:
+        return _run_cli_sync(
+            adapter,
+            prompt,
+            thinking,
+            sandbox_cwd,
+            timeout_seconds,
+            agent_index,
+            model,
+            reasoning_effort,
+        )
+
+    run_agent.agent_index = agent_index  # type: ignore[attr-defined]
+
+    result, sandbox_result = run_sandboxed(
+        run_agent,
+        cwd,
+        max_diff_bytes=SANDBOX_MAX_DIFF_BYTES,
+        max_copy_bytes=SANDBOX_MAX_COPY_BYTES,
+        keep=SANDBOX_KEEP,
+    )
+    if sandbox_result:
+        raw = dict(result.raw or {})
+        raw["sandbox"] = {
+            "enabled": True,
+            "summary": sandbox_result.summary,
+            "diff": sandbox_result.diff,
+            "truncated": sandbox_result.truncated,
+        }
+        if sandbox_result.sandbox_path:
+            raw["sandbox"]["path"] = sandbox_result.sandbox_path
+        return replace(result, raw=raw)
+    return result
+
+
 def _run_cli_sync(
     adapter: CLIAdapter,
     prompt: str,
@@ -304,6 +363,39 @@ def _run_cli_sync(
         _untrack_process(proc)
 
 
+def _run_cli(
+    adapter: CLIAdapter,
+    prompt: str,
+    thinking: bool,
+    cwd: str,
+    timeout_seconds: int,
+    agent_index: int,
+    model: str | None = None,
+    reasoning_effort: str | None = None,
+) -> AgentResult:
+    if SANDBOX_MODE:
+        return _run_cli_sandboxed(
+            adapter,
+            prompt,
+            thinking,
+            cwd,
+            timeout_seconds,
+            agent_index,
+            model,
+            reasoning_effort,
+        )
+    return _run_cli_sync(
+        adapter,
+        prompt,
+        thinking,
+        cwd,
+        timeout_seconds,
+        agent_index,
+        model,
+        reasoning_effort,
+    )
+
+
 def _json_text(payload: Any) -> list[TextContent]:
     return [TextContent(type="text", text=json.dumps(payload, ensure_ascii=True))]
 
@@ -378,7 +470,7 @@ async def handle_tool(name: str, arguments: dict[str, Any]) -> list[TextContent]
             try:
                 result = await loop.run_in_executor(
                     None,
-                    _run_cli_sync,
+                    _run_cli,
                     adapter,
                     prompt,
                     thinking,
@@ -416,7 +508,7 @@ async def handle_tool(name: str, arguments: dict[str, Any]) -> list[TextContent]
                 tasks.append(
                     loop.run_in_executor(
                         None,
-                        _run_cli_sync,
+                        _run_cli,
                         adapter,
                         prompt,
                         thinking,

{moonbridge-0.6.0.dist-info → moonbridge-0.8.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: moonbridge
-Version: 0.6.0
+Version: 0.8.0
 Summary: MCP server for spawning AI coding agents (Kimi, Codex, and more)
 Project-URL: Homepage, https://github.com/misty-step/moonbridge
 Project-URL: Repository, https://github.com/misty-step/moonbridge
@@ -151,6 +151,7 @@ All tools return JSON with these fields:
 | `duration_ms` | int | Execution time in milliseconds |
 | `agent_index` | int | Agent index (0 for single, 0-N for parallel) |
 | `message` | string? | Human-readable error context (when applicable) |
+| `raw` | object? | Optional structured metadata (e.g., sandbox diff) |
 
 ## Configuration
 
@@ -163,6 +164,10 @@ All tools return JSON with these fields:
 | `MOONBRIDGE_MAX_AGENTS` | Maximum parallel agents |
 | `MOONBRIDGE_ALLOWED_DIRS` | Colon-separated allowlist of working directories |
 | `MOONBRIDGE_STRICT` | Set to `1` to require `ALLOWED_DIRS` (exits if unset) |
+| `MOONBRIDGE_SANDBOX` | Set to `1` to run agents in a temp copy of cwd |
+| `MOONBRIDGE_SANDBOX_KEEP` | Set to `1` to keep sandbox dir for inspection |
+| `MOONBRIDGE_SANDBOX_MAX_DIFF` | Max diff size in bytes (default 500000) |
+| `MOONBRIDGE_SANDBOX_MAX_COPY` | Max sandbox copy size in bytes (default 500MB) |
 | `MOONBRIDGE_LOG_LEVEL` | Set to `DEBUG` for verbose logging |
 
 ## Troubleshooting
@@ -229,6 +234,29 @@ By default, Moonbridge warns at startup if no directory restrictions are configu
 export MOONBRIDGE_ALLOWED_DIRS="/path/to/project:/another/path"
 ```
 
+## Sandbox Mode (Copy-on-Run)
+
+Enable sandbox mode to run agents in a temporary copy of the working directory:
+
+```bash
+export MOONBRIDGE_SANDBOX=1
+```
+
+When enabled:
+- Agents run in a temp copy of `cwd`.
+- Host files stay unchanged by default.
+- A unified diff + summary is included in `raw.sandbox`.
+
+Optional:
+
+```bash
+export MOONBRIDGE_SANDBOX_KEEP=1       # keep temp dir
+export MOONBRIDGE_SANDBOX_MAX_DIFF=200000
+export MOONBRIDGE_SANDBOX_MAX_COPY=300000000
+```
+
+Limitations: this is not OS-level isolation. Agents can still read/write arbitrary host paths if they choose to. Use containers/VMs for strong isolation.
+
 To enforce restrictions (exit instead of warn):
 
 ```bash

moonbridge-0.8.0.dist-info/RECORD

@@ -0,0 +1,15 @@
+moonbridge/__init__.py,sha256=8Yz-_YwybWMK-Sze7iG20GXQGLCNhL7dBjHmblAHULA,198
+moonbridge/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
+moonbridge/sandbox.py,sha256=4-eIu-rURtaxKKg-d3iWwNq_x6MB_uiJBBG2uMwoKcM,7907
+moonbridge/server.py,sha256=FqnoAd-WAWOX-elNgyOQ-vAiFqsGOdsyQCIsnu1e1t0,19469
+moonbridge/tools.py,sha256=uw338Dilrto2t5dL9XbK4O31-JdB7Vh9RqCXHg20gHI,10126
+moonbridge/version_check.py,sha256=VQueK0O_b-2Xc-XjupJsoW3Zs1Kce5q_BgqBhANGXN8,4579
+moonbridge/adapters/__init__.py,sha256=w3pLvjtC2XnUhf9UzNmniQB3oq4rG8gorSH0tWR-BEE,988
+moonbridge/adapters/base.py,sha256=REoEsAcqEvyVQpTgz6ytd9ioxag--nnvX90YBXMQG8Y,1716
+moonbridge/adapters/codex.py,sha256=G0q_A6vP5Usqix3sE8ssrG_qzrCWMeFcO9oWcNKTO3g,2964
+moonbridge/adapters/kimi.py,sha256=ejCxG2OGr0Qr4n0psL6p96_mMJ3lLKMbGcNYWkuC0uA,2189
+moonbridge-0.8.0.dist-info/METADATA,sha256=RiRWB1Hr5IFT3wEpRHVcqIclyBS2CORWE-j90Z4C19U,8305
+moonbridge-0.8.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+moonbridge-0.8.0.dist-info/entry_points.txt,sha256=kgL38HQy3adncDQl_o5sdtPRog56zKdHk6pKKzyR6Ww,54
+moonbridge-0.8.0.dist-info/licenses/LICENSE,sha256=7WMSJoybL2cUot_wb9GUrw5mzfFmtrDzqlMS9ZE709g,1065
+moonbridge-0.8.0.dist-info/RECORD,,

moonbridge-0.6.0.dist-info/RECORD

@@ -1,14 +0,0 @@
-moonbridge/__init__.py,sha256=K5-NRJiYdFbIITQmjIg3_Fkef0UEWhe2hqO3rJ0MZII,198
-moonbridge/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
-moonbridge/server.py,sha256=o-u0J-HsVoa7sxaweWPHo_iHDXJfao16eDFe_9bm6RA,17071
-moonbridge/tools.py,sha256=uw338Dilrto2t5dL9XbK4O31-JdB7Vh9RqCXHg20gHI,10126
-moonbridge/version_check.py,sha256=VQueK0O_b-2Xc-XjupJsoW3Zs1Kce5q_BgqBhANGXN8,4579
-moonbridge/adapters/__init__.py,sha256=w3pLvjtC2XnUhf9UzNmniQB3oq4rG8gorSH0tWR-BEE,988
-moonbridge/adapters/base.py,sha256=REoEsAcqEvyVQpTgz6ytd9ioxag--nnvX90YBXMQG8Y,1716
-moonbridge/adapters/codex.py,sha256=GtU4CrJ4zt0WDcKKaOeN7gH4JFIBAo3L7KAZ99zRjiY,2935
-moonbridge/adapters/kimi.py,sha256=ejCxG2OGr0Qr4n0psL6p96_mMJ3lLKMbGcNYWkuC0uA,2189
-moonbridge-0.6.0.dist-info/METADATA,sha256=nJndtrv2GuSSPeNrV6ryJa6-82viUtankQXduB6Nkn4,7298
-moonbridge-0.6.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-moonbridge-0.6.0.dist-info/entry_points.txt,sha256=kgL38HQy3adncDQl_o5sdtPRog56zKdHk6pKKzyR6Ww,54
-moonbridge-0.6.0.dist-info/licenses/LICENSE,sha256=7WMSJoybL2cUot_wb9GUrw5mzfFmtrDzqlMS9ZE709g,1065
-moonbridge-0.6.0.dist-info/RECORD,,