Skip to content

ONE-1299: Stamp Generated source through sandbox write traps#288

Merged
olety merged 3 commits into
mainfrom
codex/one-1299-generated-source-stamp-write-trap
Jul 4, 2026
Merged

ONE-1299: Stamp Generated source through sandbox write traps#288
olety merged 3 commits into
mainfrom
codex/one-1299-generated-source-stamp-write-trap

Conversation

@olety

@olety olety commented Jul 4, 2026

Copy link
Copy Markdown
Member

Summary

  • Force code-run sandbox write trap gate checks to pass the host-stamped claim source into evaluate_gate.
  • Keep non-sandbox write paths on the existing source-trust input behavior.
  • Add fixtures proving guest-smuggled source is ignored and G2/source-trust sees Generated for put-claim, edge, and supersede traps.

Test plan

  • rtk proxy cargo fmt --all --check
  • rtk proxy cargo clippy --workspace --all-targets --all-features -- -D warnings
  • rtk proxy cargo nextest run --workspace --all-features --profile full (2228 passed)
  • rtk proxy cargo test --doc --workspace --exclude oneiron-bench --all-features (1 doctest passed; Cargo warns cdylib doctests are unsupported for oneiron-napi)
  • rtk proxy env RUSTDOCFLAGS="-D warnings" cargo doc --workspace --all-features --no-deps
  • rtk proxy cargo nextest run -p oneiron --features sync --profile full (1834 passed, 1 leaky)

Linear: ONE-1299

Copilot AI review requested due to automatic review settings July 4, 2026 03:20
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 37 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ff27b52b-0d77-4594-be57-db20e37a967f

📥 Commits

Reviewing files that changed from the base of the PR and between 57080c1 and e53d268.

📒 Files selected for processing (4)
  • crates/oneiron/src/batch.rs
  • crates/oneiron/src/code_run.rs
  • crates/oneiron/src/gate.rs
  • crates/oneiron/src/vault.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/one-1299-generated-source-stamp-write-trap

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@olety olety marked this pull request as ready for review July 4, 2026 03:23
@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

ONE-1299: Stamp Generated source through sandbox write traps

🐞 Bug fix ✨ Enhancement 🧪 Tests 🕐 20-40 Minutes

Grey Divider

AI Description

• Adds include_source_in_gate_input flag to GateWriteMode to control whether the host-stamped
 ClaimSource is forwarded into evaluate_gate during write gate checks.
• Sets include_source_in_gate_input: true for sandbox (code-run) write traps (HostSelfDispatcher
 and Vault::check_code_run_write_gate_in_txn), ensuring the host-assigned Generated source is
 visible to G2 policy evaluation.
• Sets include_source_in_gate_input: false for all non-sandbox write paths (batch.rs preflight
 and apply_put), preserving existing source-trust behavior.
• Adds tests verifying that guest-smuggled source values are ignored, and that G2/source-trust sees
 Generated for put-claim, edge, and supersede traps.
Diagram

graph TD
    A["Guest Code (Sandbox)"] -->|"SelfCall (put/edge/supersede)"| B["HostSelfDispatcher"]
    B -->|"stamps source = Generated"| C["check_write_gate\ninclude_source=true"]
    C --> D["claim_gate_input"]
    D -->|"source forwarded"| E["G2 evaluate_gate\n(source_trust check)"]

    F["Batch / Non-sandbox Write"] -->|"apply_put / preflight"| G["check_claim_policy_for_write\ninclude_source=false"]
    G --> D

    H["Vault code-run path"] -->|"check_code_run_write_gate_in_txn\ninclude_source=true"| D

    subgraph Legend
      direction LR
      _ext["External caller"] ~~~ _svc["Internal function"] ~~~ _gate["Gate evaluator"]
    end
Loading
High-Level Assessment

The PR's approach of adding a single boolean flag to GateWriteMode is optimal for this change. The alternative of deriving source inclusion from the write context (e.g., by inspecting the envelope's actor class or a separate enum variant) would add complexity without benefit, since the call sites already know whether they are sandbox paths. The boolean flag is explicit, minimal, and easy to audit at each call site.

Files changed (4) +199 / -3

Enhancement (2) +194 / -3
gate.rsAdd 'include_source_in_gate_input' flag to GateWriteMode and wire it into claim_gate_input +14/-2

Add 'include_source_in_gate_input' flag to GateWriteMode and wire it into claim_gate_input

• Adds the 'include_source_in_gate_input' boolean field to 'GateWriteMode'. Threads this flag through 'check_claim_policy_for_write' into 'claim_gate_input', where it extends the condition for including 'source' and 'sensitivity_band' in the 'GateEvaluatorInput' (previously only included for 'Auto'-approved claims). Also passes 'false' explicitly to 'check_edge_provenance_claim_policy''s internal call, and adds a '#[cfg(feature = "sync")]' guard to 'authority_log_blob' in tests.

crates/oneiron/src/gate.rs

code_run.rsEnable source forwarding in sandbox write gate checks and add source-trust fixture tests +180/-1

Enable source forwarding in sandbox write gate checks and add source-trust fixture tests

• Sets 'include_source_in_gate_input: true' in 'HostSelfDispatcher::check_write_gate', ensuring the host-stamped 'Generated' source is passed to G2 for sandbox write traps. Refactors 'install_self_memory_allow_policy' to delegate to a new 'install_self_memory_policy_trusting_source' helper that accepts a configurable 'ClaimSource'. Adds two new tests: one verifying guest-smuggled source is ignored and G2 sees 'Generated' for put-claim traps, and one verifying edge and supersede traps also force 'Generated' source into G2 evaluation.

crates/oneiron/src/code_run.rs

Bug fix (1) +1 / -0
vault.rsSet include_source_in_gate_input: true for Vault code-run write gate path +1/-0

Set include_source_in_gate_input: true for Vault code-run write gate path

• Sets 'include_source_in_gate_input: true' in 'Vault::check_code_run_write_gate_in_txn', aligning the vault-level sandbox write gate path with the dispatcher-level change to forward the host-stamped source into gate evaluation.

crates/oneiron/src/vault.rs

Other (1) +4 / -0
batch.rsSet include_source_in_gate_input: false for all batch write gate paths +4/-0

Set include_source_in_gate_input: false for all batch write gate paths

• Adds 'include_source_in_gate_input: false' to all four 'GateWriteMode' instantiations in 'batch.rs' (two in 'preflight_standalone_gate_decisions', two in 'apply_put'), preserving the existing source-trust behavior for non-sandbox write paths.

crates/oneiron/src/batch.rs

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3ac812434c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread crates/oneiron/src/code_run.rs
@qodo-code-review

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Grey Divider

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

Grey Divider

Qodo Logo

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e986955696

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread crates/oneiron/src/gate.rs
Copilot AI review requested due to automatic review settings July 4, 2026 04:02

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@olety olety merged commit 2c3b145 into main Jul 4, 2026
8 of 9 checks passed
@olety olety deleted the codex/one-1299-generated-source-stamp-write-trap branch July 4, 2026 04:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants