toph/claudebox
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
claudebox/.planning/STATE.md

2.6 KiB
Raw Blame History

gsd_state_version milestone milestone_name status stopped_at last_updated last_activity resume_file progress
1.0 v2.0 Network Isolation & Profiles active Phase 5 context gathered (assumptions mode) 2026-04-10T12:50:00Z 2026-04-10 - Phase 5 context gathered (assumptions mode) .planning/phases/05-per-project-instance-isolation/05-CONTEXT.md
total_phases completed_phases total_plans completed_plans percent
4 1 1 1 25

Project State

Project Reference

See: .planning/PROJECT.md (updated 2026-04-10)

Core value: Secrets never enter the Claude Code environment. If a secret is accessible inside the sandbox, it's a bug. Current focus: Phase 4 — Auth Passthrough

Current Position

Phase: 4 of 7 (Auth Passthrough) — COMPLETE Plan: 1 of 1 complete Status: Phase 04 verified (7/7); ready to start Phase 05 Last activity: 2026-04-10 — Phase 04 auth-passthrough complete and verified

Progress: [█░░░░░░░░░] 25% (v1.0 complete; v2.0 phase 04 done; phases 05-07 not started)

Accumulated Context

Decisions

  • [Phase 01]: Claude Code provided via nix-claude-code flake (ryoppippi/nix-claude-code), not host PATH
  • [Phase 01]: readlink -f required to resolve NixOS profile symlinks to real nix store paths for bwrap visibility
  • [Phase 01]: SANDBOX_PATH built via makeBinPath in flake.nix to prevent host PATH leakage
  • [Phase 01]: SHELL set to nix store bash path, not /bin/bash (doesn't exist in tmpfs root)
  • [Phase 01]: SSL cert verification failure is a host-level NixOS issue, not sandbox-specific
  • [v2.0 planning]: Auth mount must be read-write — OAuth token refresh writes back to .credentials.json; ro-bind causes silent EACCES
  • [v2.0 planning]: Profile format will be JSON (not bash-sourced) to prevent code injection
  • [v2.0 planning]: Attempt pasta sidecar first for inet tier; fall back to slirp4netns if integration is difficult

Pending Todos

None.

Blockers/Concerns

  • [Phase 6]: pasta vs slirp4netns final decision deferred to Phase 6 planning — exact CLI flags need live verification
  • [Phase 6]: inet tier requires exec-to-wait refactor (background bwrap, coordinate with sidecar via --ready-fd/--exit-fd)
  • SSL cert verification fails system-wide (host + sandbox) — NixOS/OpenSSL issue, not claudebox

Quick Tasks Completed

# Description Date Commit Directory
260410-d4u on non-nixos hosts, bwrap fails because /etc/static does not exist 2026-04-10 97c10f8 260410-d4u-on-non-nixos-hosts-bwrap-fails-because-e