From 9107de20b247b978e84eb49395d6e3036fde10ec Mon Sep 17 00:00:00 2001
From: Antonio Nuno Monteiro <anmonteiro@gmail.com>
Date: Wed, 11 Feb 2026 23:36:34 -0800
Subject: [PATCH 1/2] feat(melange): sandbox rules by default

Signed-off-by: Antonio Nuno Monteiro <anmonteiro@gmail.com>
---
 src/dune_rules/compilation_context.ml   |  6 +++++-
 src/dune_rules/melange/melange_rules.ml | 12 ++++++++++++
 src/dune_rules/module_compilation.ml    |  6 +++++-
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/dune_rules/compilation_context.ml b/src/dune_rules/compilation_context.ml
index bdb8427a8da..b629d7874d3 100644
--- a/src/dune_rules/compilation_context.ml
+++ b/src/dune_rules/compilation_context.ml
@@ -193,7 +193,11 @@ let create
     | None -> Resolve.Memo.return []
     | Some parameters -> parameters_main_modules parameters
   in
-  let sandbox = Sandbox_config.no_special_requirements in
+  let sandbox =
+    match for_ with
+    | Compilation_mode.Ocaml -> Sandbox_config.no_special_requirements
+    | Compilation_mode.Melange -> Sandbox_config.needs_sandboxing
+  in
   let modes =
     let default = { Lib_mode.Map.ocaml = Mode.Dict.make_both true; melange = false } in
     Option.value ~default modes
diff --git a/src/dune_rules/melange/melange_rules.ml b/src/dune_rules/melange/melange_rules.ml
index c4d75e5681a..cb0ab16043b 100644
--- a/src/dune_rules/melange/melange_rules.ml
+++ b/src/dune_rules/melange/melange_rules.ml
@@ -356,6 +356,10 @@ let build_js
           Action_builder.dyn_paths_unit paths >>> command)
       | None -> command
     in
+    let build =
+      let open Action_builder.With_targets.O in
+      build >>| Action.Full.add_sandbox Sandbox_config.needs_sandboxing
+    in
     Super_context.add_rule sctx ~dir ~loc ~mode build)
 ;;
 
@@ -594,6 +598,10 @@ let setup_runtime_assets_rules
         | Some (Ok false) | Some (Error _) | None ->
           Left dst, Action_builder.copy ~src ~dst
       in
+      let builder =
+        let open Action_builder.With_targets.O in
+        builder >>| Action.Full.add_sandbox Sandbox_config.needs_sandboxing
+      in
       let+ () = Super_context.add_rule ~loc ~dir ~mode sctx builder in
       dst
     | Some directory_target_ancestor ->
@@ -603,6 +611,10 @@ let setup_runtime_assets_rules
         Path.Build.relative dst rel
       in
       let builder = Action_builder.symlink_dir ~src:new_src ~dst in
+      let builder =
+        let open Action_builder.With_targets.O in
+        builder >>| Action.Full.add_sandbox Sandbox_config.needs_sandboxing
+      in
       let+ () = Super_context.add_rule ~loc ~dir ~mode sctx builder in
       Right dst)
   >>| List.partition_map ~f:Fun.id
diff --git a/src/dune_rules/module_compilation.ml b/src/dune_rules/module_compilation.ml
index 67b967109d4..2335e2ef11f 100644
--- a/src/dune_rules/module_compilation.ml
+++ b/src/dune_rules/module_compilation.ml
@@ -186,7 +186,11 @@ let build_cm
   let ctx = Super_context.context sctx in
   let mode = Lib_mode.of_cm_kind cm_kind in
   let sandbox =
-    let default = Compilation_context.sandbox cctx in
+    let default =
+      match mode with
+      | Melange -> Sandbox_config.needs_sandboxing
+      | Ocaml _ -> Compilation_context.sandbox cctx
+    in
     match Module.kind m with
     | Root ->
       (* This is need to guarantee that no local modules shadow the modules

From 6af199f3905e4f800a94c0dc0907368d08ceff51 Mon Sep 17 00:00:00 2001
From: Antonio Nuno Monteiro <anmonteiro@gmail.com>
Date: Wed, 11 Feb 2026 23:46:49 -0800
Subject: [PATCH 2/2] chore: add changelog entry

Signed-off-by: Antonio Nuno Monteiro <anmonteiro@gmail.com>
---
 doc/changes/changed/13619.md | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 doc/changes/changed/13619.md

diff --git a/doc/changes/changed/13619.md b/doc/changes/changed/13619.md
new file mode 100644
index 00000000000..253c1479a4e
--- /dev/null
+++ b/doc/changes/changed/13619.md
@@ -0,0 +1,3 @@
+- Start sandboxing Melange rules by default in the `(library ..)` and 
+  `(melange.emit ..)` stanzas (#13619, @anmonteiro)
+