fix(sandbox): add SIGKILL enforcement, timeoutSeconds validation, and exit code 137 handling#3203
Conversation
… exit code 137 handling - Store SandboxConfig per session and retrieve in executeCode - Use coreutils timeout with --signal=SIGKILL --kill-after=5s for in-container enforcement - Validate timeoutSeconds: clamp to >=1, reject NaN - Treat exit codes 124 (SIGTERM timeout) and 137 (SIGKILL) as timedOut - Map killReason: 'timeout' for timedOut, 'signal' for killed by other signal - Outer execFile timeout set to (timeoutSeconds + 5) * 1000 as safety net - Added regression test for custom timeoutSeconds Signed-off-by: jlaportebot <jlaportebot@gmail.com>
🤖 AI Agent: docs-sync-checker — Docs Sync
Docs Sync
|
🤖 AI Agent: test-generator — `agent-governance-typescript/src/sandbox.ts`
|
🤖 AI Agent: code-reviewer — View details
TL;DR: 0 blockers, 1 warning. Changes improve sandbox security but require further review for potential edge cases.
Action items: None (no blockers identified). Warnings:
|
🤖 AI Agent: breaking-change-detector — API Compatibility
API Compatibility
|
🤖 AI Agent: security-scanner — Security Review
Security Review
|
|
🔴 Contributor Check: HIGH
Automated check by AGT Contributor Check. |
PR Review Summary
Verdict: AI review comments are untrusted advisory output. The summary reports workflow-generated completion status only, not model-authored pass/fail claims. |
Fixes #3118
Changes
Testing
AI Disclosure
This PR was developed with AI assistance.