diff --git a/ROADMAP.md b/ROADMAP.md index cf4e73c3..15f4c281 100644 --- a/ROADMAP.md +++ b/ROADMAP.md 
@@ -7627,3 +7627,5 @@ Original filing (2026-04-18): the session emitted `SessionStart hook (completed) 729. **`claw skills list/show --output-format json` had no `path` field — parity gap with `agents list` (#728): callers could not determine which on-disk directory backs each skill without re-walking discovery roots** — dogfooded 2026-05-26 on `fa29909f`. `SkillSummary` had no `path` field; both `SkillOrigin::SkillsDir` (returns `entry.path()`) and `SkillOrigin::LegacyCommandsDir` (returns `markdown_path`) push sites discarded the resolved path after parsing. Fix: added `path: Option` to `SkillSummary`; `SkillsDir` branch populates `Some(entry.path())`, `LegacyCommandsDir` branch populates `Some(markdown_path)`; `skill_summary_json` exposes `"path": string|null`. Skills now return e.g. `{path:"/Users/.../.agents/skills/agent-browser"}`. Completes the path-discoverability trio started in #728 (agents) — plugins path is a remaining follow-on. Source: Jobdori dogfood on `fa29909f`, 2026-05-26. 730. **`claw plugins list/show --output-format json` had no `path` field — parity gap completing the agents (#728) / skills (#729) trio: callers could not determine which on-disk directory backs each plugin without re-walking discovery roots** — dogfooded 2026-05-26 on `8f44ad30`. `plugin_summary_json` in `rusty-claude-cli/src/main.rs` rendered all `PluginMetadata` fields except `root: Option`, which was already present in the struct. Fix: added `"path": plugin.metadata.root.as_ref().map(|p| p.display().to_string())` to `plugin_summary_json`. Plugins now return e.g. `{path:"/Users/.../.claw/plugins/installed/example-bundled-bundled"}`. Completes path-discoverability across all three extension surfaces (agents, skills, plugins). Source: Jobdori dogfood on `8f44ad30`, 2026-05-26. + +731. 
**`claw sandbox --output-format json` returned `status:"error"` when namespace isolation is unsupported on macOS but filesystem sandbox is active — automation treating `status != "ok"` as a hard error would block on a fully-functional degraded sandbox** — dogfooded 2026-05-26 on `425d94ee`. `sandbox_json_value` derived `status:"error"` when `!status.supported` regardless of whether `filesystem_active:true` (workspace-write containment working). On macOS the typical state is `{supported:false, filesystem_active:true, active_namespace:false}` — namespace isolation is unsupported but the filesystem sandbox IS active. This is degradation, not failure. Fix: added `else if status.filesystem_active { "warn" }` branch before the hard `"error"` arm — `status:"error"` is now reserved for the case where sandbox is enabled, unsupported, AND no filesystem containment is active either. macOS default now correctly returns `status:"warn"`. Source: Jobdori dogfood on `425d94ee`, 2026-05-26. diff --git a/rust/crates/rusty-claude-cli/src/main.rs b/rust/crates/rusty-claude-cli/src/main.rs index 74bdc8b3..aa73e644 100644 --- a/rust/crates/rusty-claude-cli/src/main.rs +++ b/rust/crates/rusty-claude-cli/src/main.rs 
@@ -7276,15 +7276,22 @@ fn print_sandbox_status_snapshot( fn sandbox_json_value(status: &runtime::SandboxStatus) -> serde_json::Value { // Derive top-level status so automation can do a single field check // instead of combining enabled/active/supported booleans. - // ok = not enabled (not requested), OR enabled and active - // warn = enabled and supported but not yet active (degraded) - // error = enabled but unsupported on this platform + // ok = not enabled (not requested), OR enabled and active + // warn = enabled and supported but not yet active (degraded), + // OR enabled but unsupported on this platform AND filesystem sandbox is active + // (#731: "not supported on macOS" is a degraded state, not a hard error; + // filesystem_active:true means partial containment is working) + // error = enabled but unsupported AND no filesystem sandbox either (nothing active) let top_status = if !status.enabled { "ok" } else if status.active { "ok" } else if status.supported { "warn" + } else if status.filesystem_active { + // Platform doesn't support namespace isolation but filesystem sandbox is active: + // this is a degraded/partial state, not a hard error. + "warn" } else { "error" };
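Review bot: In the ROADMAP.md hunk, entry 731 records what `status:"error"` is now reserved for but does not record that the meaning of `warn` has widened. Before this change the code comment defined `warn` as "enabled and supported but not yet active"; after it, `warn` also covers a platform where namespace isolation is unsupported and only the filesystem sandbox is active, which the entry says is the typical macOS state. Suggest adding a sentence to the entry stating that `warn` now includes `{supported:false, filesystem_active:true, active_namespace:false}`, and that callers which require namespace isolation should read `active_namespace` rather than rely on the top-level `status` alone.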
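Review bot: In the main.rs hunk, the new `else if status.filesystem_active` arm in `sandbox_json_value` returns the same `"warn"` as the `status.supported` arm directly above it, so the single field check that the function comment promises can no longer separate "supported but not yet active" from "namespace isolation unsupported, filesystem containment only". Automation that gates on `status != "error"` will now proceed without namespace isolation and cannot tell that from the top-level value. Suggest either documenting in the comment that consumers needing namespace isolation must also check the namespace field, or emitting a reason alongside `status` that distinguishes the two `warn` cases. The visible hunk also adds no test; a unit test asserting `warn` for enabled, unsupported, `filesystem_active:true` and `error` for enabled, unsupported, `filesystem_active:false` would pin the new arm and its ordering before the `"error"` fallthrough.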