866fd9476b
The Docker sandbox previously used --read-only on the root filesystem and noexec on /tmp. This broke 30+ skills that need to install packages: - npm install -g (codex, claude-code, mcporter, powerpoint) - pip install (20+ mlops/media/productivity skills) - apt install (minecraft-modpack-server, ml-paper-writing) - Build tools that compile in /tmp (pip wheels, node-gyp) The container is already fully isolated from the host. Industry standard (E2B, Docker Sandboxes, OpenAI Codex) does not use --read-only — the container itself is the security boundary. Retained security hardening: - --cap-drop ALL (zero capabilities) - --security-opt no-new-privileges (no escalation) - --pids-limit 256 (no fork bombs) - Size-limited tmpfs for /tmp, /var/tmp, /run - nosuid on all tmpfs mounts - noexec on /var/tmp and /run (rarely need exec there) - Resource limits (CPU, memory, disk) - Ephemeral containers (destroyed after use) Fixes #189.
10 KiB
10 KiB