O11 automation+agent-sandbox bundle — 05 Open-source agent sandbox design
O11 Report 05 — Open-source agent sandbox design (BRANCH 4)
- macro: v0.6-o11-automation-agent-sandbox-program-bundle
- date_utc: 2026-05-21
- host: Contabo vmi3080463
- gate: BRANCH 4
- result: PASS — design complete; scaffold judged SAFE and created (BRANCH 8 / Report 09)
1. Goal
Give open-source / external agents (DeepSeek, Qwen, other local models) a place
to draft code, write tests, and emit patches for the dot-iu-cutter
program — with a security boundary strong enough that a wrong, broken, or
hostile agent cannot reach production.
2. Sandbox path
path: /opt/incomex/dot/iu-cutter-agent-sandbox
why: sibling of the deployed trees, NOT inside any of them; easy to wipe
(rm -rf) since it holds only proposals; clearly named.
3. Allowed operations (inside the sandbox only)
ALLOW:
drafts/ write code drafts (new modules, full-file drafts)
tests/ write tests for the draft
patches/ emit <patch_id>.patch.diff + <patch_id>.patch.meta.yaml
reports/ write <patch_id>.report.md (what / why / risk)
run tests / lint / type-check on the DRAFT, in a process pinned to the
sandbox working dir, importing only the draft and the runtime's own standard
library (nothing from the deployed trees).
4. Forbidden operations — hard boundary (fail-closed)
DENY — production & live state:
- the production database — any role, any schema, read OR write
- /opt/incomex/dot/iu-cutter-v0.6 (active deployed tree)
- /opt/incomex/dot/iu-cutter (v0.4 skeleton)
- /var/lib/cutter (orchestrator runtime state)
- /opt/incomex/docker/.env, and any secret / key / token / password
DENY — actions:
- deploy / copy an artefact into a deployed tree
- start / stop / restart any service, container, or cron
- write the KB (knowledge_documents) or any Directus collection
- flip __execution_enabled__ or author an approval document
- network egress to the production DB host or any credential store
A sandbox agent that needs a DENY-listed resource must stop and write the
exact gap into its report.md — never improvise a workaround.
5. The "patch-as-information-unit" principle
A file in patches/ is information, not action. It describes a proposed
change against a named base commit; it does not perform one. Therefore the
worst outcome of a misbehaving external agent is a rejected patch. There is
no path from the sandbox to production that does not pass a human decision.
Metadata contract: O11 Report 06 / PATCH-CONTRACT.md.
6. Isolation requirements for the runner (operator must provision)
filesystem: the agent process is working-dir-pinned / chrooted to the sandbox;
the four DENY paths are not mounted and not readable.
network: no route to the production DB host or the .env secret store.
identity: a dedicated low-privilege OS user — never root, never any
cutter_exec / cutter_verify / workflow_admin DB role.
env: a clean environment — no DOT_CUTTER_*, no BACKUP_GPG_FPR,
no AGENT_DATA_API_KEY, no PG* variables.
These four properties are an operator step. Until they are in place, the
scaffold exists but no external agent may be pointed at it (RULES.md §5).
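A runner preflight that checks the four §6 properties before an agent is started, as an added example for this report (it is not part of the O11 bundle or the cutter program). Every input is injected (environment, uid, cwd, deny list, optional DB host), so the same function can be run as a dry check from an operator shell or by the runner immediately before it execs the agent; a non-empty result means refuse to start. The DENY paths and variable names are taken from §4/§6; the network check is a plain TCP-connect probe and is an assumption about how "no route" is best verified.

```python
"""Runner preflight for the four isolation properties in §6.

Added example for this report, not part of the O11 bundle or the cutter
program. All inputs are injected so the check is reproducible; an empty
return means GO, anything else means the runner must refuse (fail-closed).
"""
import os
import socket
from typing import Mapping, Optional, Sequence, Tuple

# §4: the four filesystem DENY paths (the production DB is a network target,
# probed separately below).
DENY_PATHS = (
    "/opt/incomex/dot/iu-cutter-v0.6",
    "/opt/incomex/dot/iu-cutter",
    "/var/lib/cutter",
    "/opt/incomex/docker/.env",
)
# §6: variables that must not exist in the agent's environment.
FORBIDDEN_ENV_PREFIXES = ("DOT_CUTTER_", "PG")
FORBIDDEN_ENV_NAMES = ("BACKUP_GPG_FPR", "AGENT_DATA_API_KEY")
# §6: DB roles the agent identity must never carry, in any form.
FORBIDDEN_DB_ROLES = ("cutter_exec", "cutter_verify", "workflow_admin")


def leaked_env(env: Mapping[str, str]) -> list:
    """Names of forbidden variables present in env, sorted for stable output."""
    return sorted(
        k for k in env
        if k in FORBIDDEN_ENV_NAMES or k.startswith(FORBIDDEN_ENV_PREFIXES)
    )


def roles_in_env(env: Mapping[str, str]) -> list:
    """Variables whose value mentions a forbidden DB role (e.g. a leaked DSN)."""
    return sorted(k for k, v in env.items()
                  if any(r in v for r in FORBIDDEN_DB_ROLES))


def reachable_deny_paths(paths: Sequence[str] = DENY_PATHS) -> list:
    """DENY paths that are visible at all. §6 wants them unmounted, not merely
    unreadable: a path that exists is one chmod away from being readable."""
    return [p for p in paths if os.path.lexists(p)]


def cwd_pinned(cwd: str, sandbox: str) -> bool:
    """True when cwd resolves to the sandbox root or a subdirectory of it."""
    real_cwd = os.path.realpath(cwd)
    real_sb = os.path.realpath(sandbox)
    return real_cwd == real_sb or real_cwd.startswith(real_sb + os.sep)


def db_host_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe only (no login). True means a route exists, i.e. the
    network property of §6 is NOT satisfied."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(sandbox: str, env: Mapping[str, str], uid: int, cwd: str,
              deny_paths: Sequence[str] = DENY_PATHS,
              db_host: Optional[Tuple[str, int]] = None) -> list:
    """Return the list of violated §6 properties; an empty list means GO."""
    findings = []
    if uid == 0:
        findings.append("identity: runner is root")
    if not cwd_pinned(cwd, sandbox):
        findings.append(f"filesystem: cwd {cwd} is not inside {sandbox}")
    for p in reachable_deny_paths(deny_paths):
        findings.append(f"filesystem: DENY path visible: {p}")
    for k in leaked_env(env):
        findings.append(f"env: forbidden variable present: {k}")
    for k in roles_in_env(env):
        findings.append(f"identity: {k} references a forbidden DB role")
    if db_host is not None and db_host_reachable(*db_host):
        findings.append(f"network: {db_host[0]}:{db_host[1]} is reachable")
    return findings


if __name__ == "__main__":
    # Live check from the runner's own process; the operator supplies the
    # production DB host/port via db_host= when running on the real host.
    problems = preflight("/opt/incomex/dot/iu-cutter-agent-sandbox",
                         os.environ, os.getuid(), os.getcwd())
    for line in problems:
        print("BLOCK:", line)
    raise SystemExit(1 if problems else 0)
```

Run it as the dedicated sandbox user from inside the sandbox; exit status 1 with any BLOCK line means the operator step of §6 is not finished. The check treats a DENY path that merely exists as a failure, because §6 asks for the paths to be unmounted, not just unreadable.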
7. Promotion path (the only exit)
external agent --writes--> drafts/ tests/ patches/ reports/
-> Gemini review (advisory) -> Codex review/revise (in-sandbox only)
-> Claude promotion gate (recommend only)
-> human re-creates the change on a Mac feature branch
-> normal review + commit + O-series macro path
The promotion gate never applies a diff in the sandbox or any deployed tree.
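What a "recommend only" gate can do with a patch that is information rather than action (§5, §7), as an added example for this report; it is not the bundle's own gate, and the metadata contract in PATCH-CONTRACT.md is not reproduced here. The check reads the .patch.diff as text, lists the files it would touch, compares the declared base commit with the expected one, and flags DENY-listed targets (§4: secret files, traversal out of the tree, and any hunk that touches `__execution_enabled__`). It never calls `git apply` or `patch`. Assumptions: patches are git-style unified diffs with repo-relative paths, the base commit is passed in separately (however the contract encodes it), and the two sample diffs are constructed for the example.

```python
"""Static promotion-gate check for one sandbox patch.

Added example for this report, not the bundle's own gate. It reads the diff
as text and produces a recommendation; it never applies anything.
Field names and the sample diffs below are constructed for the example.
"""
import re
from dataclasses import dataclass, field

SECRET_FILE_NAMES = {".env"}                    # §4: secrets are DENY
FORBIDDEN_TOKENS = ("__execution_enabled__",)   # §4: never flipped by a patch
_NEW_FILE_HEADER = re.compile(r"^\+\+\+ (?:b/)?(\S+)")


@dataclass
class GateResult:
    declared_base: str
    files: list = field(default_factory=list)
    findings: list = field(default_factory=list)

    @property
    def recommendation(self) -> str:
        # "recommend only": a human re-creates the change on a feature branch
        return "REJECT" if self.findings else "RECOMMEND-FOR-HUMAN"


def touched_paths(diff_text: str) -> list:
    """Paths named by '+++' headers (a deletion shows /dev/null and is skipped).
    Paths containing whitespace are not handled by this example."""
    paths = []
    for line in diff_text.splitlines():
        m = _NEW_FILE_HEADER.match(line)
        if m and m.group(1) != "/dev/null":
            paths.append(m.group(1))
    return paths


def path_findings(path: str) -> list:
    """DENY checks on one target path: must stay inside the repo, no secrets."""
    parts = path.split("/")
    out = []
    if path.startswith("/"):
        out.append(f"{path}: absolute path, escapes the repo")
    if ".." in parts:
        out.append(f"{path}: parent traversal")
    if parts[-1] in SECRET_FILE_NAMES or parts[-1].startswith(".env."):
        out.append(f"{path}: secret file")
    return out


def token_findings(diff_text: str) -> list:
    """Added or removed lines (not the +++/--- headers) that touch a token
    the sandbox may never change."""
    out = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        is_change = line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
        if is_change:
            out.extend(f"line {n}: touches {t}" for t in FORBIDDEN_TOKENS if t in line)
    return out


def gate(diff_text: str, declared_base: str, expected_base: str) -> GateResult:
    """Read-only evaluation of a patch; the result is advice, not an action."""
    res = GateResult(declared_base=declared_base)
    if declared_base != expected_base:
        res.findings.append(f"base commit {declared_base} != expected {expected_base}")
    res.files = touched_paths(diff_text)
    if not res.files:
        res.findings.append("no '+++' headers: not a unified diff")
    for p in res.files:
        res.findings.extend(path_findings(p))
    res.findings.extend(token_findings(diff_text))
    return res


# Constructed sample patches (not from the program). The second one is what a
# hostile or confused agent might emit: it reaches outside the tree, targets a
# secret file, and flips the execution flag in one hunk.
GOOD_DIFF = """\
diff --git a/cutter/iu.py b/cutter/iu.py
--- a/cutter/iu.py
+++ b/cutter/iu.py
@@ -1,2 +1,3 @@
 def cut(units):
-    return list(units)
+    # keep only well-formed units
+    return [u for u in units if u]
"""
BAD_DIFF = """\
diff --git a/../../docker/.env b/../../docker/.env
--- a/../../docker/.env
+++ b/../../docker/.env
@@ -1 +1 @@
-__execution_enabled__=false
+__execution_enabled__=true
"""

if __name__ == "__main__":
    for name, d in (("good", GOOD_DIFF), ("bad", BAD_DIFF)):
        r = gate(d, "abc1234", "abc1234")
        print(name, r.recommendation, r.files, *r.findings, sep="\n  ")
```

The output of `gate` is a record for the report, not a decision that moves code: a `RECOMMEND-FOR-HUMAN` result still ends with the human re-creating the change on a Mac feature branch, exactly as the promotion path above requires. A rejected patch is, as §5 says, the worst case, and nothing in this check changes the sandbox or a deployed tree.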
8. Scaffold safety decision
question: can the filesystem scaffold be created safely now?
analysis: a new empty directory tree with README + governance docs —
- touches no DENY path
- contains no code, no secrets, no DB wiring
- does not modify the v0.6 active tree or the v0.4 skeleton
- is trivially reversible (rm -rf the new dir)
decision: SAFE -> create scaffold now (dirs + README/RULES/contracts only).
Result recorded in O11 Report 09 (BRANCH 8/9).
9. Verdict
sandbox path: defined — /opt/incomex/dot/iu-cutter-agent-sandbox
allowed/forbidden: defined (§3/§4) — fail-closed hard boundary
isolation runner: specified (§6) — operator step, NOT done by this macro
scaffold: SAFE — created (Report 09)
branch_4: PASS