feat(sandbox): extend --share-agent-dir to Cursor, Codex, Hermes, and OpenCode#105
Open
mvanhorn wants to merge 1 commit into Infisical:main from
feat(sandbox): extend --share-agent-dir to Cursor, Codex, Hermes, and OpenCode

The flag now picks the bind source and container mount point from the command after `--` instead of hardcoding ~/.claude. Unknown commands are rejected with a list of supported bases.

knownAgents has two concepts: baseDir is the skills install directory (~/<baseDir>/skills/), stateDir is where the agent stores auth/login state. For Claude/Cursor/Hermes/OpenCode these are the same directory. For Codex they differ: skills at ~/.agents/skills/, state at ~/.codex/. The new stateDir field and effectiveStateDir() helper keep the two concepts separate so --share-agent-dir binds the real state dir.

When an agent's baseDir differs from its state dir (Codex today), --share-agent-dir emits a second bind mount (~/.agents -> /home/claude/.agents) so the Agent Vault skill installed by maybeInstallSkills at ~/.agents/skills/agent-vault/SKILL.md stays visible inside the sandbox alongside the state dir.

Running a non-Claude agent with --share-agent-dir requires --image: the bundled sandbox image only preinstalls @anthropic-ai/claude-code, so agent-vault now rejects that combination before launching docker run with a clear error instead of letting docker fail with "executable file not found" after the fact.

Adds ContainerAgentHome/ContainerAgentConfig helpers and extends sandbox.Config with HostAgentConfig/HostAgentSkillsDir plus matching ContainerAgentDir/ContainerConfig/ContainerAgentSkillsDir fields so the existing Claude path (sibling .claude.json bind, macOS Keychain bridge, reserved-dst protection) stays intact and non-Claude agents get the same treatment without it. reservedContainerDsts now also blocks user --mount over the active skills dir.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Contributor:
Thanks for this contribution @mvanhorn. Will take a look at this PR and review shortly :)
Summary
`--share-agent-dir` already listed every local agent command in `knownAgents`, but the container plumbing still hardcoded `.claude`/`.claude.json`. This PR wires the flag to the table so the host bind source and container mount point are derived from the command after `--`. Running it with an unknown command now errors out (previously silently used `.claude`).

| Command | Host bind source | Container mount point |
|---|---|---|
| claude | `~/.claude` (+ `~/.claude.json` sibling, macOS Keychain bridge) | `/home/claude/.claude` |
| cursor/agent | `~/.cursor` | `/home/claude/.cursor` |
| codex | `~/.codex` + `~/.agents` | `/home/claude/.codex` + `/home/claude/.agents` |
| hermes | `~/.hermes` | `/home/claude/.hermes` |
| opencode | `~/.opencode` | `/home/claude/.opencode` |

Codex is the one agent where the skills dir (`~/.agents`, used by `maybeInstallSkills` for the Agent Vault skill) and the state dir (`~/.codex`, auth/config/history) differ. The `knownAgent.stateDir` field plus an `effectiveStateDir()` helper keep the two concepts separate, and the container run emits a second bind mount for `~/.agents` so the Agent Vault skill stays visible inside the sandbox alongside Codex's login.

The bundled sandbox image only preinstalls `@anthropic-ai/claude-code`. Running a non-Claude agent on it would fail with "executable file not found" after `docker run`, so `--share-agent-dir` with a non-Claude command now rejects early unless `--image` is supplied (docs already covered this; this change moves the failure from docker's exec to a clear CLI error). The existing security invariants from #103 are preserved: Linux uid-0 refusal, HOST_UID/HOST_GID remap, `reservedContainerDsts` coverage (now extended to block user `--mount` over the active skills dir too). Pattern follows #101 for extending the agent table.
Type of change
Test plan
- `make test` — full suite, 16 packages green
- `cmd/run_container_test.go`: `TestAgentContainerInfo_KnownAgents` (covers all 5 agents including the Codex skills-vs-state split), `TestAgentContainerInfo_Unknown`, `TestKnownAgentBases`, `TestRequireCustomImageForNonClaudeShare` (the bundled-image gate)
- `internal/sandbox/docker_test.go`: `TestBuildRunArgs_HostAgentDirCursorBindMount`, `TestBuildRunArgs_HostAgentDirBindMount` (existing Claude regression, now using the new helpers), `TestBuildRunArgs_HostAgentSkillsDirBindMount` (the Codex skills dir second mount), `TestBuildRunArgs_RejectUserMountActiveAgentDir`, `TestBuildRunArgs_RejectUserMountActiveSkillsDir`
- `go build` produces a working binary; `./agent-vault vault run --help | grep share-agent-dir` shows the updated per-agent flag description (scene 1 of the demo above)

Security checklist
- `--share-agent-dir` now rejects unknown agent commands; `BuildRunArgs` rejects user `--mount` that would override the active state or skills dir
- `knownAgents`, plus `--image` presence

This contribution was developed with AI assistance.
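As an added illustration (not code from this PR or from the agent-vault repository), the sketch below models the table-driven behaviour the description lays out: a `knownAgents` table with `baseDir`/`stateDir`, the `effectiveStateDir()` fallback, a second bind for an agent whose skills dir differs from its state dir, the `--image` gate for non-Claude agents, and a reserved-destination check against user `--mount` flags. The `shareAgentDirMounts`, `rejectReservedDst` and `bindMount` names are assumptions; the table contents and the `/home/claude` mount base come from the PR table.

```go
package main

import "fmt"
import "path/filepath"
import "strings"

// knownAgent: baseDir is the skills install dir (~/<baseDir>/skills/); stateDir holds auth/login state, empty means same as baseDir.
type knownAgent struct{ baseDir, stateDir string }
// Constructed table modelled on the PR's per-agent table, not the project's own code.
var knownAgents = map[string]knownAgent{
	"claude":   {baseDir: ".claude"},
	"cursor":   {baseDir: ".cursor"},
	"codex":    {baseDir: ".agents", stateDir: ".codex"}, // skills and state differ
	"hermes":   {baseDir: ".hermes"},
	"opencode": {baseDir: ".opencode"},
}

func (a knownAgent) effectiveStateDir() string {
	if a.stateDir != "" {
		return a.stateDir
	}
	return a.baseDir
}
type bindMount struct{ Src, Dst string } // host source -> mount point under /home/claude

// shareAgentDirMounts derives bind sources and mount points from the command after "--"; unknown agents, and non-Claude agents on the bundled image, are rejected before docker run.
func shareAgentDirMounts(hostHome, command string, customImage bool) ([]bindMount, error) {
	agent, ok := knownAgents[command]
	if !ok {
		return nil, fmt.Errorf("--share-agent-dir: unknown agent %q", command)
	}
	if command != "claude" && !customImage {
		return nil, fmt.Errorf("--share-agent-dir with %q requires --image", command)
	}
	state := agent.effectiveStateDir()
	mounts := []bindMount{{filepath.Join(hostHome, state), filepath.Join("/home/claude", state)}}
	if agent.baseDir != state { // second bind keeps the installed skill visible in the sandbox
		mounts = append(mounts, bindMount{filepath.Join(hostHome, agent.baseDir), filepath.Join("/home/claude", agent.baseDir)})
	}
	return mounts, nil
}

// rejectReservedDst refuses a user --mount whose destination is an active agent bind or any path below it.
func rejectReservedDst(active []bindMount, userDst string) error {
	clean := filepath.Clean(userDst)
	for _, m := range active {
		if clean == m.Dst || strings.HasPrefix(clean, m.Dst+"/") {
			return fmt.Errorf("--mount destination %s is reserved by --share-agent-dir", userDst)
		}
	}
	return nil
}
```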