Skip to content

[compiler-threat-spec] spec: update CTR-004 for sandbox.agent:false breaking change (v1.0.9)#32731

Merged
pelikhan merged 1 commit into
mainfrom
spec/ctr-004-sandbox-agent-false-update-f8f1b1a5f1b7813e
May 17, 2026
Merged

[compiler-threat-spec] spec: update CTR-004 for sandbox.agent:false breaking change (v1.0.9)#32731
pelikhan merged 1 commit into
mainfrom
spec/ctr-004-sandbox-agent-false-update-f8f1b1a5f1b7813e

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented May 17, 2026

Summary

Daily compiler threat spec optimizer run for 2026-05-17.

Threats Reviewed

  • Reviewed all CTR-001 through CTR-018 rules against current compiler implementation
  • Inspected recent changesets, including the breaking change removing top-level sandbox: false in favor of sandbox.agent: false

Already-Covered Threats

All CTR-001 through CTR-018 rules remain implemented. No new threat classes were discovered requiring new rules.

Spec Corrections Required (CTR-004)

The breaking change in .changeset/minor-disable-agent-sandbox-only.md removed the top-level sandbox: false field. That field now triggers a schema validation error rather than being detected via CTR-004. The spec had not been updated to reflect this.

Changes made:

Item Change
T-CTR-004 detection trigger Updated from sandbox: false (removed field) to sandbox.agent: false in strict mode
Section 7.1 CTR-004 mapping Added strict_mode_permissions_validation.go — the concrete enforcement site for sandbox.agent: false rejection
Spec-to-implementation sync table Added 1.0.9 row noting the sandbox field change
Version Bumped to 1.0.9
Publication date Updated to 2026-05-17
Section 7.2 mapping audit Updated timestamp and audit notes

Rule IDs Changed

  • CTR-004 — T-CTR-004 test entry and Section 7.1 mapping corrected

Files Changed

  • specs/compiler-threat-detection-spec.md

References:

Generated by 🔒 Daily Compiler Threat Spec Optimizer · ● 24.6M ·

  • expires on May 24, 2026, 3:35 AM UTC

@github-actions
spec: update CTR-004 for sandbox.agent:false breaking change (v1.0.9)
37cee0b 
- T-CTR-004 detection trigger updated from removed 'sandbox: false' field
  to 'sandbox.agent: false' in strict mode; clarifies that the old top-level
  'sandbox: false' now fails schema validation, not CTR-004 detection
- CTR-004 Section 7.1 mapping extended with strict_mode_permissions_validation.go,
  the concrete enforcement site for sandbox.agent:false rejection in strict mode
- Spec-to-implementation sync table updated with 1.0.9 row noting the field change
- Version bumped to 1.0.9, publication date updated to 2026-05-17

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions
Copy link
Copy Markdown
Contributor Author

github-actions Bot commented May 17, 2026

@copilot review all comments
Please address the unresolved review feedback on the temporary-id regex/docs mismatch.

Generated by 👨‍🍳 PR Sous Chef ·

@github-actions
Copy link
Copy Markdown
Contributor Author

github-actions Bot commented May 17, 2026

Please summarize the remaining blockers and rerun validation after the review feedback is handled.

Generated by 👨‍🍳 PR Sous Chef ·

@pelikhan pelikhan merged commit c4877bc into main May 17, 2026
@pelikhan pelikhan deleted the spec/ctr-004-sandbox-agent-false-update-f8f1b1a5f1b7813e branch May 17, 2026 03:53
@github-actions github-actions Bot mentioned this pull request May 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

automation compiler security specification

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pelikhan