toph/claudebox
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
claudebox/.planning/STATE.md
Christopher Mühl ee70f08909 fix(planning): restore v2.0 state after executor regression in 6465da8 
Commit 6465da8 (phase 04-01 executor) was made from a stale worktree
predating v1.0 completion (ee686a3), accidentally reverting:
  - ROADMAP.md from v2.0 (phases 4-7) back to pre-v1.0 structure
  - STATE.md from milestone v2.0/active back to v1.0/executing
  - Deleted .planning/milestones/ (v1.0 archive files)

This commit restores the correct state:
  - ROADMAP.md: v2.0 structure with v1.0 archived + phase 04 marked complete
  - STATE.md: milestone v2.0, phase 04 complete (1/4 phases, 25%)
  - milestones/: v1.0-ROADMAP.md + v1.0-REQUIREMENTS.md restored
  - MILESTONES.md + RETROSPECTIVE.md: restored from v1.0 completion
  - phases/01-03/: staged deletions of v1.0 phase artifacts (cleaned up)
  - v1.0-MILESTONE-AUDIT.md: audit report documenting the corruption

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 12:44:41 +00:00

62 lines
2.5 KiB
Markdown
Raw Blame History

---
gsd_state_version: 1.0
milestone: v2.0
milestone_name: Network Isolation & Profiles
status: active
stopped_at: null
last_updated: "2026-04-10T12:41:00Z"
last_activity: 2026-04-10 - Phase 04 auth-passthrough complete and verified
progress:
total_phases: 4
completed_phases: 1
total_plans: 1
completed_plans: 1
percent: 25
---
# Project State
## Project Reference
See: .planning/PROJECT.md (updated 2026-04-10)
**Core value:** Secrets never enter the Claude Code environment. If a secret is accessible inside the sandbox, it's a bug.
**Current focus:** Phase 4 — Auth Passthrough
## Current Position
Phase: 4 of 7 (Auth Passthrough) — COMPLETE
Plan: 1 of 1 complete
Status: Phase 04 verified (7/7); ready to start Phase 05
Last activity: 2026-04-10 — Phase 04 auth-passthrough complete and verified
Progress: [█░░░░░░░░░] 25% (v1.0 complete; v2.0 phase 04 done; phases 05-07 not started)
## Accumulated Context
### Decisions
- [Phase 01]: Claude Code provided via nix-claude-code flake (ryoppippi/nix-claude-code), not host PATH
- [Phase 01]: readlink -f required to resolve NixOS profile symlinks to real nix store paths for bwrap visibility
- [Phase 01]: SANDBOX_PATH built via makeBinPath in flake.nix to prevent host PATH leakage
- [Phase 01]: SHELL set to nix store bash path, not /bin/bash (doesn't exist in tmpfs root)
- [Phase 01]: SSL cert verification failure is a host-level NixOS issue, not sandbox-specific
- [v2.0 planning]: Auth mount must be read-write — OAuth token refresh writes back to .credentials.json; ro-bind causes silent EACCES
- [v2.0 planning]: Profile format will be JSON (not bash-sourced) to prevent code injection
- [v2.0 planning]: Attempt pasta sidecar first for inet tier; fall back to slirp4netns if integration is difficult
### Pending Todos
None.
### Blockers/Concerns
- [Phase 6]: pasta vs slirp4netns final decision deferred to Phase 6 planning — exact CLI flags need live verification
- [Phase 6]: inet tier requires exec-to-wait refactor (background bwrap, coordinate with sidecar via --ready-fd/--exit-fd)
- SSL cert verification fails system-wide (host + sandbox) — NixOS/OpenSSL issue, not claudebox
### Quick Tasks Completed
| # | Description | Date | Commit | Directory |
|---|-------------|------|--------|-----------|
| 260410-d4u | on non-nixos hosts, bwrap fails because /etc/static does not exist | 2026-04-10 | 97c10f8 | [260410-d4u-on-non-nixos-hosts-bwrap-fails-because-e](./quick/260410-d4u-on-non-nixos-hosts-bwrap-fails-because-e/) |
Reference in a new issue View git blame Copy permalink