Remove support for top-level sandbox: false and sandbox.gateway/mcp: false #13370

Closed
Copilot wants to merge 10 commits into main from copilot/remove-mcp-gateway-disable

Copilot AI commented Feb 3, 2026

Summary: Remove sandbox: false (top-level) and sandbox.gateway/mcp: false

Per the original requirements, this PR removes support for:

  • sandbox: false (top-level boolean - NOT supported, rejected by schema)
  • sandbox.gateway: false (NOT supported, rejected by custom validation)
  • sandbox.mcp: false (NOT supported, rejected by schema)

But KEEPS support for:

  • sandbox.agent: false (SUPPORTED - disables AWF firewall)

Changes Made

JSON Schema Updates

  • Removed boolean type from top-level sandbox field (only string/object allowed)
  • Added boolean option (const: false) to sandbox.agent field (allows disabling AWF)
  • Schema validation now catches sandbox: false early before custom validation

Validation

  • Added validateUnsupportedSandboxSyntax() for additional checks on sandbox.gateway: false
  • Clear error messages guide users to use sandbox.agent: false instead of sandbox: false

Code

  • Kept Disabled field in AgentSandboxConfig struct (needed for sandbox.agent: false)
  • Kept all logic that checks Disabled field throughout codebase (~150 lines)
  • isSandboxDisabled() checks for sandbox.agent: false
  • All localhost/host.docker.internal logic works correctly with disabled agent

Tests

  • Kept sandbox_disabled_test.go (tests sandbox.agent: false functionality)
  • All test files work with Disabled field references

Documentation

  • Updated frontmatter-full.md to show sandbox.agent: false as supported option
  • Clarified that top-level sandbox: false is not supported

Examples

Not Supported:

---
sandbox: false           # ❌ Error: rejected by schema (not a valid type)
---
---
sandbox:
  gateway: false         # ❌ Error: rejected by custom validation
  mcp: false            # ❌ Error: rejected by schema
---

Supported:

---
sandbox:
  agent: false          # ✅ Disables AWF firewall
---
---
sandbox:
  agent: awf            # ✅ Default (enables AWF firewall)
---

Build & Test Status

✅ Build successful
✅ Code formatted
✅ Validation tests pass
✅ Schema correctly rejects unsupported syntaxes

Original prompt

Remove the ability to disable the MCP gateway

sandbox.gateway: false # not supported

also remove top level syntax to disable sandbox as a whole

sandbox: false # not supported

Only the sandbox.agent: false is supported.
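
The acceptance rules from the PR description, collapsed into a single Go check as an added example (not code from this PR). `checkSandbox` and `agentDisabled` are hypothetical names, and the frontmatter is assumed to be already decoded from YAML into `map[string]any`; the PR itself splits these rejections between the JSON schema and custom validation.

```go
package main

import "fmt"

// checkSandbox is a hypothetical validator, not the project's
// validateUnsupportedSandboxSyntax. fm is frontmatter already decoded from YAML.
func checkSandbox(fm map[string]any) error {
	raw, present := fm["sandbox"]
	if !present {
		return nil // nothing set: defaults apply, sandbox stays on
	}
	switch v := raw.(type) {
	case string:
		return nil
	case map[string]any:
		for _, key := range []string{"gateway", "mcp"} {
			if b, isBool := v[key].(bool); isBool && !b {
				return fmt.Errorf("sandbox.%s: false is not supported", key)
			}
		}
		if b, isBool := v["agent"].(bool); isBool && b {
			return fmt.Errorf("sandbox.agent: the only boolean accepted is false")
		}
		return nil
	default: // includes bool: top-level sandbox accepts only string or object
		return fmt.Errorf("sandbox: %T is not supported; use sandbox.agent: false to disable the AWF firewall", raw)
	}
}

// agentDisabled reports true only for an explicit sandbox.agent: false.
// Anything else (missing key, string, other type) leaves the firewall on.
func agentDisabled(fm map[string]any) bool {
	sb, _ := fm["sandbox"].(map[string]any)
	b, isBool := sb["agent"].(bool)
	return isBool && !b
}

func main() {
	// Constructed samples mirroring the four frontmatter examples in the PR description.
	samples := []map[string]any{
		{"sandbox": false},
		{"sandbox": map[string]any{"gateway": false, "mcp": false}},
		{"sandbox": map[string]any{"agent": false}},
		{"sandbox": map[string]any{"agent": "awf"}},
	}
	for _, fm := range samples {
		fmt.Printf("%v -> err=%v, agent firewall disabled=%v\n", fm, checkSandbox(fm), agentDisabled(fm))
	}
}
```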



Copilot AI and others added 7 commits February 3, 2026 01:24
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Remove ability to disable MCP gateway and sandbox" to "Remove support for disabling sandbox and MCP gateway" Feb 3, 2026
Copilot AI requested a review from pelikhan February 3, 2026 01:35

pelikhan commented Feb 3, 2026

@copilot must be able to disable agent firewall:

sandbox:
  agent: false # awf disabled this is supported

- Restored Disabled field in AgentSandboxConfig struct
- Restored all code that checks Disabled field (150+ lines)
- Restored sandbox_disabled_test.go and other test files
- Updated JSON schema to allow boolean false for sandbox.agent
- Added validation that ONLY rejects:
  * sandbox: false (top-level)
  * sandbox.gateway: false
  * sandbox.mcp: false
- sandbox.agent: false IS NOW SUPPORTED to disable AWF firewall
- Updated documentation to clarify supported syntax

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Feb 3, 2026

@copilot must be able to disable agent firewall:

sandbox:
...

Fixed in commit 3817aca. The sandbox.agent: false syntax is now supported to disable the AWF firewall.

What was changed:

  • Restored the Disabled field and all related logic
  • Updated validation to only reject sandbox: false (top-level) while allowing sandbox.agent: false
  • Updated JSON schema to accept boolean false for the agent field
  • Restored all tests for disabled sandbox functionality

The PR now correctly implements the original requirements: remove top-level sandbox: false and sandbox.gateway: false, but keep sandbox.agent: false to disable the firewall.

Copilot AI changed the title from "Remove support for disabling sandbox and MCP gateway" to "Remove support for top-level sandbox: false and sandbox.gateway/mcp: false" Feb 3, 2026
Contributor

@copilot remove this entry, sandbox: boolean is not supported anymore

Contributor Author

Done in commit d0c363f. Removed the boolean type from the top-level sandbox field's oneOf array in the JSON schema. Top-level sandbox: false is now rejected by schema validation, while sandbox.agent: false remains supported.

Contributor Author

Done in commit d0c363f. Removed the boolean type entry from the top-level sandbox field in the JSON schema. The schema now only accepts string or object types for the top-level sandbox field, rejecting sandbox: false at schema validation time.

- Removed boolean option from sandbox field's oneOf array
- Top-level sandbox: false now rejected by schema validation
- sandbox.agent: false still supported (has its own boolean option)
- Schema validation will catch sandbox: false early with clear error

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI requested a review from pelikhan February 3, 2026 02:13
@pelikhan pelikhan closed this Feb 3, 2026