
perf: Add brokered nsjail Claude runtime#2468

Merged
daryllimyt merged 31 commits into main from perf/sandbox-2 on Apr 22, 2026

Conversation

@daryllimyt
Contributor

@daryllimyt daryllimyt commented Apr 3, 2026

Summary

  • add a worker-global brokered Claude runtime path for sandboxed agent execution
  • fix the brokered nsjail integration details needed for stable resume, shim startup, stderr reporting, and bundled CLI execution
  • simplify the loopback and activity flow on top of the working broker implementation

Testing

  • uv run pytest tests/unit/test_agent_executor_loopback.py tests/unit/test_agent_runtime.py tests/unit/test_agent_runtime_services.py tests/unit/test_agent_runtime_broker.py tests/unit/test_agent_sandbox_entrypoint.py tests/unit/test_agent_sandbox_config.py -q
  • uv run ruff check tracecat/agent/executor/activity.py tracecat/agent/executor/loopback.py tracecat/agent/runtime/claude_code/broker.py tracecat/agent/sandbox/shim_entrypoint.py tests/unit/test_agent_executor_loopback.py
  • uv run pyright tracecat/agent/executor/activity.py tracecat/agent/executor/loopback.py tracecat/agent/runtime/claude_code/broker.py tracecat/agent/runtime/claude_code/transport.py tracecat/agent/sandbox/shim_entrypoint.py tests/unit/test_agent_executor_loopback.py tests/unit/test_agent_runtime.py tests/unit/test_agent_runtime_broker.py tests/unit/test_agent_sandbox_entrypoint.py tests/unit/test_agent_sandbox_config.py

Summary by cubic

Adds a worker-global, brokered Claude runtime via a standalone nsjail shim as the only execution path. Startup and shutdown are faster and more reliable with a unified, size-capped init payload, non-blocking shim stdin handling, stable per-session paths, correct transport mode handling, and durable workflows routed through the executor with session control across approval continuation.

  • New Features

    • Broker-managed runtime with concurrent-turn protection; launches Claude Code via SandboxedCLITransport using orjson for faster I/O.
    • Single sandbox entrypoint: stdlib-only shim derives mode from its path and requires an init payload path for both direct and nsjail modes; fixed LLM socket path.
    • Executor worker and runtime services start/stop the broker; durable workflow runs through the agent executor and preserves forked sessions across approvals.
  • Refactors

    • Removed internal LLM proxy lifecycle and legacy HTTP path; ClaudeAgentRuntime now requires a transport_factory.
    • Loopback no longer sends init and initializes the stream sink lazily; removed a duplicate event processor; preserves error state on completion.
    • More robust startup/cleanup: cap init payload size, avoid process-wide umask on control sockets, close leaked control server on failure, clean spawned state, mount explicit Claude session dirs, reduce shim mounts, preserve direct-mode importability, and avoid blocking shim shutdown on stdin.

Written for commit f415523. Summary will update on new commits.

@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 3, 2026 02:55 — with GitHub Actions Inactive
@zeropath-ai

zeropath-ai Bot commented Apr 3, 2026

No security or compliance issues detected. Reviewed everything up to f415523.

Security Overview
Detected Code Changes

The diff is too large to display a summary of code changes.

@daryllimyt daryllimyt marked this pull request as ready for review April 3, 2026 03:09
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 3, 2026 03:13 — with GitHub Actions Inactive
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


4 issues found across 22 files

Confidence score: 2/5

  • There is a high-confidence race in tracecat/agent/runtime/claude_code/broker.py where run_turn() may create a new session after stop() sets _closed, which can lead to inconsistent lifecycle state and hard-to-reproduce runtime failures.
  • docker-compose.dev.yml introduces broad privileges (SYS_ADMIN, seccomp:unconfined, /dev/net/tun) for agent-executor unconditionally, which is a meaningful security-risk increase even in a dev profile.
  • Additional medium-severity reliability issues in tracecat/agent/sandbox/shim_entrypoint.py (stdin broken pipe/reset handling) and tracecat/agent/runtime/claude_code/transport.py (path resolution mismatch skipping jail rewrite) raise concrete regression risk in process execution flows.
  • Pay close attention to tracecat/agent/runtime/claude_code/broker.py, docker-compose.dev.yml, tracecat/agent/sandbox/shim_entrypoint.py, tracecat/agent/runtime/claude_code/transport.py - fix lifecycle race, privilege escalation defaults, stdin-forwarding robustness, and executable path normalization before merge.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="tracecat/agent/sandbox/shim_entrypoint.py">

<violation number="1" location="tracecat/agent/sandbox/shim_entrypoint.py:124">
P2: Handle broken pipe/reset while forwarding stdin so early child stdin closure doesn't crash the shim.</violation>
</file>

<file name="tracecat/agent/runtime/claude_code/transport.py">

<violation number="1" location="tracecat/agent/runtime/claude_code/transport.py:274">
P2: Resolve `executable` for consistent comparison with the resolved `host_site_packages_root`. Without this, symlinked venvs or CLI paths will silently skip the jail rewrite, and the subprocess will fail to find the CLI binary inside the sandbox.</violation>
</file>

<file name="docker-compose.dev.yml">

<violation number="1" location="docker-compose.dev.yml:295">
P1: `agent-executor` now runs with `SYS_ADMIN` + `seccomp:unconfined` + `/dev/net/tun` unconditionally, which grants broad host-level privileges even when nsjail remains disabled by default.</violation>
</file>

<file name="tracecat/agent/runtime/claude_code/broker.py">

<violation number="1" location="tracecat/agent/runtime/claude_code/broker.py:52">
P1: `run_turn()` can start a new session after `stop()` sets `_closed` due to a check-then-lock race. Re-check `_closed` inside the locked section before registering `_active_turns`.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread docker-compose.dev.yml Outdated
Comment thread tracecat/agent/runtime/claude_code/broker.py
Comment thread tracecat/agent/sandbox/shim_entrypoint.py Outdated
Comment thread tracecat/agent/runtime/claude_code/transport.py Outdated
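The broker lifecycle race cubic flags above (`run_turn()` checking `_closed` before taking the lock, so a concurrent `stop()` can land in between), reproduced on a toy broker as an added example. This is editor's code, not from this PR or the tracecat code base: only the names `_closed`, `_active_turns`, `run_turn()` and `stop()` come from the review comment, everything else is assumed, and the `gate` event exists purely to force the losing interleaving deterministically.

```python
"""Check-then-lock race between run_turn() and stop(), shown on a toy broker.

The gate event is only here to force the interleaving deterministically:
run_turn() passes its _closed check, stop() runs, then run_turn() takes the lock.
"""
import asyncio


class RacyBroker:
    """Pre-checks _closed outside the lock, so stop() can slip in between."""

    def __init__(self) -> None:
        self._closed = False
        self._lock = asyncio.Lock()
        self._active_turns: set[str] = set()
        self.gate = asyncio.Event()  # test-only hook, not part of a real broker

    async def stop(self) -> None:
        async with self._lock:
            self._closed = True
            self._active_turns.clear()  # nothing should be registered after this

    async def run_turn(self, session_id: str) -> str:
        if self._closed:  # check ...
            raise RuntimeError("broker closed")
        await self.gate.wait()  # ... a concurrent stop() lands here ...
        async with self._lock:  # ... and we register anyway
            self._active_turns.add(session_id)
        return session_id


class SafeBroker(RacyBroker):
    """Re-checks _closed under the lock before touching _active_turns."""

    async def run_turn(self, session_id: str) -> str:
        if self._closed:
            raise RuntimeError("broker closed")
        await self.gate.wait()
        async with self._lock:
            if self._closed:  # state may have changed while we waited for the lock
                raise RuntimeError("broker closed")
            self._active_turns.add(session_id)
        return session_id


async def race(broker_cls: type[RacyBroker]) -> tuple[bool, set[str]]:
    """Force stop() to win the race; return (run_turn raised?, sessions left registered)."""
    broker = broker_cls()
    turn = asyncio.create_task(broker.run_turn("session-1"))
    await asyncio.sleep(0)  # run_turn passes its pre-check and parks on the gate
    await broker.stop()
    broker.gate.set()  # release run_turn after the broker is already closed
    try:
        await turn
        raised = False
    except RuntimeError:
        raised = True
    return raised, set(broker._active_turns)


def demo() -> dict[str, tuple[bool, set[str]]]:
    """Racy broker leaks a registered session past stop(); safe broker refuses the turn."""
    return {
        "racy": asyncio.run(race(RacyBroker)),
        "safe": asyncio.run(race(SafeBroker)),
    }


if __name__ == "__main__":
    print(demo())
```

The racy variant returns normally and leaves `session-1` in `_active_turns` after `stop()` has cleared it, which is the "inconsistent lifecycle state" the review describes; the fix is the second `_closed` check inside the locked section, before `_active_turns` is touched.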
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 3, 2026 17:36 — with GitHub Actions Inactive
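The transport path-resolution mismatch cubic flags (`host_site_packages_root` resolved, `executable` not, so a symlinked venv silently skips the jail rewrite), shown as an added example with a constructed symlinked venv on disk. This is editor's code, not the project's `SandboxedCLITransport`: the jail mount target `/sandbox/site-packages`, the `claude_cli/cli.js` file and the function name are assumptions; only the two variable names come from the review comment.

```python
"""Rewriting a host CLI path into its jail-side mount, with and without resolving symlinks."""
import tempfile
from pathlib import Path

JAIL_SITE_PACKAGES = Path("/sandbox/site-packages")  # hypothetical mount target inside the jail


def rewrite_for_jail(executable: Path, host_site_packages_root: Path, *, resolve_executable: bool) -> Path:
    """Map executable under host_site_packages_root to the same file under JAIL_SITE_PACKAGES.

    The root is always resolved, as in the flagged code; whether the executable is
    resolved too is the toggle under test.
    """
    root = host_site_packages_root.resolve()
    exe = executable.resolve() if resolve_executable else executable
    try:
        rel = exe.relative_to(root)
    except ValueError:
        return exe  # looks "outside the mounted tree": the jail rewrite is silently skipped
    return JAIL_SITE_PACKAGES / rel


def demo() -> dict[str, str]:
    """Constructed layout: venv -> venv-real symlink, CLI configured through the symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        real = base / "venv-real" / "lib" / "site-packages"
        (real / "claude_cli").mkdir(parents=True)
        (real / "claude_cli" / "cli.js").write_text("// constructed stand-in for the bundled CLI\n")
        (base / "venv").symlink_to(base / "venv-real")  # venv reached through a symlink
        root = base / "venv" / "lib" / "site-packages"  # configured via the symlink path
        exe = root / "claude_cli" / "cli.js"
        return {
            "unresolved": str(rewrite_for_jail(exe, root, resolve_executable=False)),
            "resolved": str(rewrite_for_jail(exe, root, resolve_executable=True)),
        }


if __name__ == "__main__":
    print(demo())
```

With `resolve_executable=False` the host path is returned unchanged and would be passed to a subprocess that cannot see it inside the jail; with both sides resolved the path lands under the jail mount. Comparing two paths that went through different amounts of normalization is the whole bug.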
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 3, 2026 17:37 — with GitHub Actions Inactive
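The docker-compose privilege finding above, as an added configuration example (editor's, not the PR's actual `docker-compose.dev.yml`): the unconditional grant cubic describes, beside one way to keep the base service unprivileged by moving the grants into a separate override file that is only stacked when nsjail is enabled. The override file name is hypothetical, and which of the three grants nsjail strictly needs under Docker is not stated on this page.

```yaml
# Document 1: what the review flags, i.e. agent-executor always gets these in the dev profile.
services:
  agent-executor:
    cap_add:
      - SYS_ADMIN            # namespace and mount setup for nsjail
    security_opt:
      - seccomp:unconfined   # lifts Docker's default syscall filter for the whole container
    devices:
      - /dev/net/tun:/dev/net/tun
---
# Document 2: hypothetical docker-compose.nsjail.yml override, kept out of the base file.
# Only operators who actually turn nsjail on stack it:
#   docker compose -f docker-compose.dev.yml -f docker-compose.nsjail.yml up
# Everyone else runs agent-executor with the default capability set and seccomp profile.
services:
  agent-executor:
    cap_add:
      - SYS_ADMIN
    security_opt:
      - seccomp:unconfined
    devices:
      - /dev/net/tun:/dev/net/tun
```

Compose merges override files service by service, so the base definition stays minimal and the privileged one is an explicit opt-in that shows up on the command line and in `docker compose config` output, rather than a default that every dev stack inherits.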
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 4 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="tracecat/agent/sandbox/shim_entrypoint.py">

<violation number="1" location="tracecat/agent/sandbox/shim_entrypoint.py:299">
P2: Use `os.environ.get(VAR) or DEFAULT` instead of `os.environ.get(VAR, DEFAULT)` so an empty-string env var falls back to the default rather than creating `Path("")` (which resolves to cwd).

(Based on your team's feedback about using the `or` fallback pattern for env vars before type conversion.) [FEEDBACK_USED]</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread tracecat/agent/sandbox/shim_entrypoint.py Outdated
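The `os.environ.get(VAR) or DEFAULT` point cubic makes in its second pass, as an added example that also shows why it matters: with the `os.environ.get(VAR, DEFAULT)` form an empty variable becomes `Path("")`, which resolves to the current working directory. Editor's code, not the shim's: the variable name `TRACECAT_LLM_SOCKET` and the default socket path are assumptions, and the absolute-path guard goes one step beyond what the review asked for.

```python
"""Env-var fallback for the shim's socket path: empty string must mean "unset", not Path('')."""
from pathlib import Path
from typing import Mapping

DEFAULT_LLM_SOCKET = Path("/run/tracecat/llm.sock")  # hypothetical default, not the project's
VAR = "TRACECAT_LLM_SOCKET"  # hypothetical variable name


def naive_socket_path(env: Mapping[str, str]) -> Path:
    """The flagged pattern: an empty value is taken literally and becomes Path('')."""
    return Path(env.get(VAR, str(DEFAULT_LLM_SOCKET)))


def socket_path(env: Mapping[str, str]) -> Path:
    """The suggested pattern, plus a guard so a relative value cannot point into cwd either."""
    raw = (env.get(VAR) or "").strip()  # empty or whitespace-only counts as unset
    path = Path(raw) if raw else DEFAULT_LLM_SOCKET
    if not path.is_absolute():
        raise ValueError(f"{VAR} must be an absolute path, got {raw!r}")
    return path


def demo() -> dict[str, object]:
    """Constructed environments: empty, unset, set, and relative."""
    empty = {VAR: ""}
    try:
        socket_path({VAR: "llm.sock"})
        relative_rejected = False
    except ValueError:
        relative_rejected = True
    return {
        "cwd": str(Path.cwd()),
        "naive_resolves_to": str(naive_socket_path(empty).resolve()),  # same as cwd
        "strict": str(socket_path(empty)),
        "strict_unset": str(socket_path({})),
        "strict_set": str(socket_path({VAR: "/tmp/custom.sock"})),
        "relative_rejected": relative_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

For a control socket the naive form is worse than a crash: the shim would quietly create or look for a socket in whatever directory it happened to start in, which in a sandbox is a writable path other code may also see.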
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 3, 2026 19:00 — with GitHub Actions Inactive
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 3, 2026 19:01 — with GitHub Actions Inactive
@daryllimyt daryllimyt requested a review from jordan-umusu April 9, 2026 18:03
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 20, 2026 21:25 — with GitHub Actions Inactive

@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 20, 2026 23:16 — with GitHub Actions Inactive
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 21, 2026 00:55 — with GitHub Actions Inactive
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 21, 2026 02:53 — with GitHub Actions Inactive
@daryllimyt daryllimyt had a problem deploying to internal-registry-ci April 21, 2026 02:54 — with GitHub Actions Failure

@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 21, 2026 03:14 — with GitHub Actions Inactive
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 21, 2026 03:15 — with GitHub Actions Inactive
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 21, 2026 03:47 — with GitHub Actions Inactive
@daryllimyt daryllimyt had a problem deploying to internal-registry-ci April 21, 2026 03:47 — with GitHub Actions Failure
@daryllimyt daryllimyt changed the title Add brokered nsjail Claude runtime perf: Add brokered nsjail Claude runtime Apr 21, 2026
LiteLLM is managed externally, so start_configured_llm_proxy and
stop_configured_llm_proxy were pure ceremony with no actual work.
The transport factory was optional to support a legacy HTTP path that
is no longer used in production. Making it required simplifies the
runtime by removing conditional env var logic for ANTHROPIC_BASE_URL
and HOME, both of which are now handled exclusively by the transport.
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 21, 2026 19:51 — with GitHub Actions Inactive
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 21, 2026 20:50 — with GitHub Actions Inactive
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 21, 2026 20:51 — with GitHub Actions Inactive
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 21, 2026 21:28 — with GitHub Actions Inactive
@cubic-dev-ai
Contributor

cubic-dev-ai Bot commented Apr 21, 2026

You're iterating quickly on this pull request. To help protect your rate limits, cubic has paused automatic reviews on new pushes for now—when you're ready for another review, comment @cubic-dev-ai review.

@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 21, 2026 21:28 — with GitHub Actions Inactive
@daryllimyt
Contributor Author

@cubic-dev-ai review

@daryllimyt
Contributor Author

@codex review

@cubic-dev-ai
Contributor

cubic-dev-ai Bot commented Apr 21, 2026

@cubic-dev-ai review

@daryllimyt I have started the AI code review. It will take a few minutes to complete.


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fc96e0a206


Comment thread tracecat/agent/sandbox/shim_entrypoint.py Outdated
Comment thread tracecat/agent/executor/loopback.py
@daryllimyt daryllimyt temporarily deployed to internal-registry-ci April 22, 2026 01:30 — with GitHub Actions Inactive
@daryllimyt daryllimyt merged commit 02a8546 into main Apr 22, 2026
16 checks passed
@daryllimyt daryllimyt deleted the perf/sandbox-2 branch April 22, 2026 02:13