toph/claudebox
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
claudebox/.planning/STATE.md

2.4 KiB
Raw Blame History

gsd_state_version milestone milestone_name status stopped_at last_updated last_activity progress
1.0 v2.0 Network Isolation & Profiles active null 2026-04-10 2026-04-10 - v2.0 roadmap created; phases 4-7 defined
total_phases completed_phases total_plans completed_plans percent
4 0 0 0 0

Project State

Project Reference

See: .planning/PROJECT.md (updated 2026-04-10)

Core value: Secrets never enter the Claude Code environment. If a secret is accessible inside the sandbox, it's a bug. Current focus: Phase 4 — Auth Passthrough

Current Position

Phase: 4 of 7 (Auth Passthrough) Plan: 0 of ? in current phase Status: Ready to plan Last activity: 2026-04-10 — v2.0 roadmap created; phases 4-7 defined

Progress: [███░░░░░░░] 30% (v1.0 complete; v2.0 phases 4-7 not started)

Accumulated Context

Decisions

  • [Phase 01]: Claude Code provided via nix-claude-code flake (ryoppippi/nix-claude-code), not host PATH
  • [Phase 01]: readlink -f required to resolve NixOS profile symlinks to real nix store paths for bwrap visibility
  • [Phase 01]: SANDBOX_PATH built via makeBinPath in flake.nix to prevent host PATH leakage
  • [Phase 01]: SHELL set to nix store bash path, not /bin/bash (doesn't exist in tmpfs root)
  • [Phase 01]: SSL cert verification failure is a host-level NixOS issue, not sandbox-specific
  • [v2.0 planning]: Auth mount must be read-write — OAuth token refresh writes back to .credentials.json; ro-bind causes silent EACCES
  • [v2.0 planning]: Profile format will be JSON (not bash-sourced) to prevent code injection
  • [v2.0 planning]: Attempt pasta sidecar first for inet tier; fall back to slirp4netns if integration is difficult

Pending Todos

None.

Blockers/Concerns

  • [Phase 6]: pasta vs slirp4netns final decision deferred to Phase 6 planning — exact CLI flags need live verification
  • [Phase 6]: inet tier requires exec-to-wait refactor (background bwrap, coordinate with sidecar via --ready-fd/--exit-fd)
  • SSL cert verification fails system-wide (host + sandbox) — NixOS/OpenSSL issue, not claudebox

Quick Tasks Completed

# Description Date Commit Directory
260410-d4u on non-nixos hosts, bwrap fails because /etc/static does not exist 2026-04-10 97c10f8 260410-d4u-on-non-nixos-hosts-bwrap-fails-because-e