fix: make strict replay sandbox survive docker-compose service starts#228
fix: make strict replay sandbox survive docker-compose service starts#228
Conversation
![tusk-dev[bot]](https://avatars.githubusercontent.com/u/149351948?s=60&v=4){kind=small}
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 6 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="go.mod">
<violation number="1" location="go.mod:128">
P1: Committed local `replace` directive points to `../fence`, which will break builds outside your local workspace.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.
|
Tip New to Tusk? Learn more here. Code ReviewTusk Review: No issues foundUnit TestsGenerated 5 tests - 5 passedTest Summary
ResultsTusk's tests all pass. The test suite validates the core changes: Avg +48% line coverage gain across 2 files
Coverage is calculated by running tests directly associated with each source file, learn more here. Last run on 60efd38. Comment View check history
Was Tusk helpful? Give feedback by reacting with 👍 or 👎 |
There was a problem hiding this comment.
1 issue found across 8 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="internal/runner/sandbox_unix.go">
<violation number="1" location="internal/runner/sandbox_unix.go:41">
P1: The docstring promises error-path cleanup but none of the error returns after `fence.NewManager()` call `mgr.Cleanup()`. If `ExposeHostPath` or `Initialize` fails, any resources already allocated by the manager will leak. Add a deferred cleanup that is cancelled on success.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.
2 participants
Summary
Consume fence's new
SetService/ExposeHostPathAPI to unblock strict-sandbox runs whose service start command isdocker compose up(or any daemon-delegated command).Companion to Use-Tusk/fence#139.
Changes
internal/runner/service.go: swapSetExposedPorts->SetService(ServiceOptions{..., ExecutionModel: ...}); setServiceBindsOnHostwhen the start command is docker/podman-shaped, so fence skips the reverse socat bridge that would otherwise collide with dockerd's host-port bind. Register the replay compose env-override file viaExposeHostPath, making it visible inside the sandbox despite fence's--tmpfs /tmp.internal/runner/server.go+server_test.go: renameisDockerCommand->serviceDelegatesToHostDaemonwith a docstring naming its two call sites (communication-type auto-detection + fence execution model). No behavior change; removes the duplication implied by two unnamed usages of the same predicate.internal/runner/compose_replay.go: keepos.CreateTemp("", ...)(i.e./tmp) and add a comment pointing at theExposeHostPathcall site - callers no longer need to route around fence's mount plan.