Resolve named policies before sandbox spawn #200

Merged

seanwevans merged 2 commits into main from codex/add-policy-resolution-system on May 13, 2026

Conversation

@seanwevans (Owner)

Motivation

  • Ensure public policy strings map to concrete runtime restrictions instead of allowing unconstrained sandboxes when a name/path is provided.
  • Provide a single resolver to accept str, dict, compiled policy objects, SandboxPolicy, and Policy inputs for consistent behavior across APIs.

Description

  • Add resolve_policy(...) in pyisolate/policy/__init__.py that: resolves file paths and registered public names under policy/, parses compiled or dict policy inputs, converts SandboxPolicy/CompiledPolicy to runtime Policy, and raises PolicyCompilerError for unknown named strings. (pyisolate/policy/__init__.py)
  • Wire the resolver into sandbox construction by calling policy = resolve_policy(policy) early in Supervisor.spawn so SandboxThread always receives a runtime Policy object. (pyisolate/supervisor.py)
  • Update SDK helpers to resolve policy in the @sandbox decorator and in Pipeline stages before calling spawn. (pyisolate/sdk.py)
  • Add repository-level named policy templates under policy/ and document supported public names and resolution semantics in POLICY.md (examples: stdlib.readonly, ml-inference, readonly-fs).
  • Export resolve_policy from the package API and include SandboxPolicy/CompiledPolicy types where needed.

Testing

  • Ran targeted unit tests: pytest -q tests/test_policy.py::test_resolve_unknown_policy_fails_closed tests/test_policy.py::test_named_policy_applies_runtime_restrictions tests/test_sdk.py and these tests passed.
  • Ran a subset: pytest -q tests/test_policy.py tests/test_policy_enforcement.py tests/test_sdk.py and these suites passed.
  • Verified bytecode/formatting: python -m py_compile pyisolate/policy/__init__.py pyisolate/supervisor.py pyisolate/sdk.py and ran black on changed files; both succeeded.
  • Full test run (pytest -q) was attempted but the run failed due to an unrelated test that injects a stubbed pyisolate.bpf.manager into sys.modules that does not accept the mode= signature used by the supervisor; this is a test-environment interaction and not caused by the resolver changes. All added tests for policy resolution passed.

Codex Task
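The description above gives the contract of the resolver: accept a name, a path, a dict or an already-built policy object, map it to concrete runtime restrictions, and refuse (raise) for an unknown name rather than fall through to an unconstrained sandbox. The following is an added, self-contained sketch of that fail-closed pattern. It is not pyisolate's own resolve_policy: the Policy fields, the registry contents, the JSON file format and the error class are assumptions made for this illustration, and only the public names mirror the PR's examples.

```python
"""Illustrative fail-closed policy resolver (added example, not pyisolate code)."""
from __future__ import annotations

import json
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Any, Mapping, Union


class PolicyCompilerError(ValueError):
    """Raised when an input cannot be mapped to concrete restrictions (assumed class)."""


@dataclass(frozen=True)
class Policy:
    """Runtime policy with concrete restrictions. Field names are assumptions."""
    name: str
    allow_network: bool = False
    read_only_fs: bool = True
    allowed_paths: tuple[str, ...] = ()
    max_memory_mb: int = 256


# Registered public names -> concrete restrictions. The names follow the PR's
# examples; the restriction values are constructed for this example only.
REGISTRY: dict[str, Policy] = {
    "stdlib.readonly": Policy("stdlib.readonly", allowed_paths=("/usr/lib/python3",)),
    "readonly-fs": Policy("readonly-fs"),
    "ml-inference": Policy("ml-inference", allowed_paths=("/models",), max_memory_mb=4096),
}

PolicyInput = Union[str, Mapping[str, Any], Policy]


def _from_mapping(data: Mapping[str, Any]) -> Policy:
    """Build a Policy from a dict, rejecting unknown keys instead of silently ignoring them."""
    known = set(Policy.__dataclass_fields__)
    unknown = set(data) - known
    if unknown:
        raise PolicyCompilerError(f"unknown policy keys: {sorted(unknown)}")
    if "name" not in data:
        raise PolicyCompilerError("policy dict must carry a 'name'")
    fields = dict(data)
    if "allowed_paths" in fields:
        fields["allowed_paths"] = tuple(fields["allowed_paths"])
    return Policy(**fields)


def resolve_policy(policy: PolicyInput) -> Policy:
    """Map any accepted input to a runtime Policy; anything unrecognised raises."""
    if isinstance(policy, Policy):
        return policy
    if isinstance(policy, Mapping):
        return _from_mapping(policy)
    if isinstance(policy, str):
        if policy in REGISTRY:
            return REGISTRY[policy]
        path = Path(policy)
        if path.is_file():
            try:
                data = json.loads(path.read_text())
            except json.JSONDecodeError as exc:
                raise PolicyCompilerError(f"{policy}: invalid policy file: {exc}") from exc
            return _from_mapping(data)
        # Fail closed: an unknown name must never become an unconstrained sandbox.
        raise PolicyCompilerError(f"unknown policy {policy!r}; refusing to spawn")
    raise PolicyCompilerError(f"unsupported policy input type {type(policy).__name__}")


def fails_closed(policy: Any) -> bool:
    """True if the resolver rejects the input rather than returning a Policy."""
    try:
        resolve_policy(policy)
    except PolicyCompilerError:
        return True
    return False


def demo_file_resolution() -> Policy:
    """Write a constructed JSON policy to a temp file and resolve it by path."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "from-file.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"name": "from-file", "allowed_paths": ["/srv/data"]}, fh)
        return resolve_policy(path)


if __name__ == "__main__":
    print(resolve_policy("ml-inference"))
    print(demo_file_resolution())
    print("unknown name rejected:", fails_closed("no-such-policy"))
```

The point of the shape is that every branch ends in either a concrete Policy or an exception; there is no default that returns a permissive object. Calling the resolver once at the top of the spawn path, as the PR does in Supervisor.spawn, means every downstream component only ever sees a resolved Policy.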

@seanwevans seanwevans merged commit 082f6e3 into main May 13, 2026
1 of 19 checks passed
@seanwevans seanwevans deleted the codex/add-policy-resolution-system branch May 13, 2026 13:14