Add a per-request, stateless HTTP proxy sidecar that prevents AI agent data exfiltration by dynamically revoking capabilities when private or untrusted data enters the conversation context.

Implementation:
- Axum 0.8 HTTP server: /v1/chat/completions proxy + /health endpoint
- Taint detection from tool results (has-private-data, has-untrusted-input)
- 2x2 revocation matrix mapping taint flags to forbidden capabilities
- Three API format normalizers: Chat Completions, Anthropic, Responses API
- bash-ast Unix socket client for AST-based command analysis
- Recursive bash -c unwrapping with shlex fallback
- OS-level sandbox rewriting (unshare --net / sandbox-exec)
- Tool analysis pipeline: capability detection, reversibility, URL extraction
- User approval flow via X-Ratchet-Approve header
- Shadow mode for log-only deployment
- Multi-stage Docker build producing a single static binary
- 44 unit and integration tests

Tech stack matches NemoClaw core: Axum, Tokio, Reqwest, serde, tracing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Aaron Erickson <aerickson@nvidia.com>
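As an added illustration of the taint flags, 2x2 revocation matrix, shadow mode and X-Ratchet-Approve flow that this commit message lists (example code written for this page, not the project's own; the capability names, the matrix contents and the marker-based detectors are assumptions):

```rust
// Added illustration, not the project's code. Flag names, shadow mode and the
// approval header come from the commit message; capability names, matrix
// contents and the detector markers below are assumptions.
use std::collections::HashSet;

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum Capability { NetworkEgress, ShellExec, FileWrite }

/// Per-request taint: recomputed from the whole context on every call, so the
/// proxy stays stateless and a client cannot "un-taint" a conversation.
#[derive(Clone, Copy, Default, Debug, PartialEq, Eq)]
pub struct Taint { pub has_private_data: bool, pub has_untrusted_input: bool }

impl Taint {
    /// Scan every tool result in the context. The marker strings are constructed
    /// stand-ins for real detectors; each flag only ever moves from false to true.
    pub fn from_tool_results<'a>(results: impl IntoIterator<Item = &'a str>) -> Self {
        let mut t = Taint::default();
        for r in results {
            t.has_private_data |= r.contains("-----BEGIN PRIVATE KEY-----") || r.contains("ssn=");
            t.has_untrusted_input |= r.starts_with("<untrusted>");
        }
        t
    }

    /// The 2x2 revocation matrix (assumed contents): private data revokes the
    /// exfiltration path, untrusted input revokes the damage paths, both revoke all.
    pub fn forbidden(&self) -> HashSet<Capability> {
        use Capability::*;
        let revoked: &[Capability] = match (self.has_private_data, self.has_untrusted_input) {
            (false, false) => &[],
            (true, false) => &[NetworkEgress],
            (false, true) => &[ShellExec, FileWrite],
            (true, true) => &[NetworkEgress, ShellExec, FileWrite],
        };
        revoked.iter().copied().collect()
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict { Allow, Block(Capability), ShadowLogged(Capability), Approved(Capability) }

/// Decide one tool call. `approved` models a present X-Ratchet-Approve header;
/// `shadow` models log-only deployment, where a hit is recorded but not blocked.
pub fn decide(taint: &Taint, requested: &[Capability], shadow: bool, approved: bool) -> Verdict {
    let forbidden = taint.forbidden();
    match requested.iter().find(|c| forbidden.contains(*c)) {
        None => Verdict::Allow,
        Some(&c) if approved => Verdict::Approved(c),
        Some(&c) if shadow => Verdict::ShadowLogged(c),
        Some(&c) => Verdict::Block(c),
    }
}
```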
Update all references across the repo from the old NemoClaw branding to OpenShell, including Docker image names, CLI commands, config files, documentation, and source code comments. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix all 38 clippy pedantic/nursery warnings (manual_let_else, missing_errors_doc, option_if_let_else, or_fun_call, too_many_lines, significant_drop_tightening, iter_on_single_items, unnecessary_wraps, type_complexity, needless_continue, missing_panics_doc, etc.)
- Run cargo fmt across all source files
- Fix shellcheck SC2034 warning (unused loop variable in ratchet-start.sh)
- Fix grammar: "A OpenShell" → "An OpenShell" in README
- Add #[allow(dead_code)] to unused test helper sample_config()
- Extract helpers to reduce function line counts (server.rs, normalize.rs)
- Use static defaults to avoid or_fun_call with temporary references

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
15d2bae to eca62ed
- Only force stream:false on tainted requests (non-tainted pass through)
- Add force_non_streaming parameter to forward_to_backend
- Add X-Ratchet-Stream-Blocked response header when streaming is disabled
- Document why the ratchet exists vs Docker --network=none
- Add honest Limitations section to README

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
eca62ed to 59c7968
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…aits/ Traits are cross-cutting capabilities you compose into any sandbox — not sandboxes themselves. This moves capability-ratchet from sandboxes/ to traits/ as the first trait, adds the trait.yaml manifest convention, TRAITS.md spec, CI support for building trait images, and updates README.md and CONTRIBUTING.md. Depends on #3. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Update all references across the repo from the old NemoClaw branding to OpenShell, including Docker image names, CLI commands, container registry paths, config files, documentation, and source code comments. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix wrong npm package name in TRAITS.md example (@anthropic/openclaw-cli → openclaw)
- Add SPDX license headers to TRAITS.md and traits/capability-ratchet/README.md
- Remove redundant knownSafe entries that overlap with tools declarations

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
59c7968 to 01a3f6d
Summary

- traits/ as a top-level directory for cross-cutting capabilities that compose into any sandbox
- sandboxes/capability-ratchet/ → traits/capability-ratchet/ (clean git mv, history preserved)
- trait.yaml manifest convention declaring exports, startup, ports, network policy, and inference routing
- TRAITS.md spec document with full usage guide and concrete openclaw example
- ghcr.io/.../traits/<name>)
- README.md and CONTRIBUTING.md with traits documentation

What are traits?

Traits are cross-cutting capabilities you add to any sandbox — not sandboxes themselves. "Give me openclaw with capability ratcheting." Each trait ships as a Docker image; you compose it into your sandbox via COPY --from at build time.

What this does NOT do

- openshell sandbox create --with <trait> (OpenShell core work, future)

Test plan

- trait.yaml is valid YAML
- python3 scripts/check_license_headers.py --check)
- R100, not delete + re-add)

🤖 Generated with Claude Code