fix(sandbox): move skills dirs into default Sandbox.Directories unconditionally#578
Merged
edenreich reviewed Jun 2, 2026
…ditionally

Skills directories (~/.infer/skills and ./.infer/skills) are a well-known, read-only allowlist. Previously their sandbox visibility was gated on Agent.Skills.Enabled being true, which meant skills reads could fail with default config or before settings propagation.

Changes:
- DefaultConfig(): include ./.infer/skills and ~/.infer/skills in Sandbox.Directories unconditionally (no flag gating).
- ValidatePathInSandbox(): remove the c.Agent.Skills.Enabled-gated isWithinSkillsDir branch from the carveOut expression. The tmp/plans carve-out is preserved as it is orthogonal.
- checkProtectedPaths(): add isWithinSkillsDir() short-circuit at the top so that the broader .infer/ protected-path pattern does not deny readable skills files. File-level protections like *.env within skills dirs are also bypassed per option 2 from the issue, since skills dirs are fully trusted.
- Tests: rewrite TestValidatePathInSandbox_SkillsCarveOut to verify that skills reads succeed with DefaultConfig() and Skills.Enabled=false, that ~/.infer/config.yaml and conversations.db remain protected, and that skills-evil sibling dirs are still rejected.
Co-authored-by: Eden Reich <eden.reich@gmail.com>
The earlier short-circuit in checkProtectedPaths returned nil for any path inside a skills dir, which also bypassed file-level protections like *.env and .git/ (not just the broader .infer/ directory prefix). It also passed a possibly-relative normalizedPath into isWithinSkillsDir, which builds absolute prefixes, so a relative .infer/skills/... arg silently fell through to the broad .infer/ denial. Fold skills into the existing carveOut mechanism (now: skills OR tmp/plans, computed against absPath). The existing inner-loop continue already skips only the .infer/ directory entry, leaving *.env and .git/ in force. Restore the deleted creds.env-still-denied subtest and add a relative-path allowed subtest to lock in both behaviours.
inference-gateway-releaser-bot (bot) pushed a commit that referenced this pull request on Jun 2, 2026
## [0.117.1](v0.117.0...v0.117.1) (2026-06-02)

### 🐛 Bug Fixes

* **sandbox:** move skills dirs into default Sandbox.Directories unconditionally ([#578](#578)) ([e67222e](e67222e)), closes [#577](#577) [#569](#569) [#571](#571) [#569](#569)

### 👷 CI/CD

* **infer:** centralize infer.yml + bump infer CLI and sync .infer config ([#575](#575)) ([bcf7ca4](bcf7ca4))
🎉 This PR is included in version 0.117.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
Resolves #577

## Summary

Follow-up to #569 / #571 (shipped in v0.117.0). The sandbox carve-out for `~/.infer/skills` and `./.infer/skills` was conditional on `c.Agent.Skills.Enabled` being true at `ValidatePathInSandbox` time. When that flag is not set — running with default config, before `infer config agent skills enable` has run, or when the `INFER_AGENT_SKILLS_ENABLED` override has not reached the validator — the carve-out silently did not fire and reads of `SKILL.md` were denied with `outside configured sandbox directories`.

Skills directories are a well-known, read-only allowlist under `~/.infer/`. Gating their sandbox visibility on a runtime feature flag re-introduces the failure mode #569 was meant to remove.

## Changes

- `DefaultConfig()`: include `./.infer/skills` and `~/.infer/skills` in `Sandbox.Directories` unconditionally (no flag gating).
- `ValidatePathInSandbox()`: remove the `c.Agent.Skills.Enabled`-gated `isWithinSkillsDir` branch from the `carveOut` expression. The `tmp/plans` carve-out is preserved as it is orthogonal.
- `checkProtectedPaths()`: add `isWithinSkillsDir()` short-circuit at the top so that the broader `.infer/` protected-path pattern does not deny readable skills files. Skills dirs are fully trusted.
- Tests: rewrite `TestValidatePathInSandbox_SkillsCarveOut` to verify that skills reads succeed with `DefaultConfig()` and `Skills.Enabled=false`, that `~/.infer/config.yaml` and `conversations.db` remain protected, and that `skills-evil` sibling dirs are still rejected.

## Why this is better

- `Sandbox.Directories`. No second runtime predicate to keep in sync.
- `agent.skills.enabled` goes back to meaning exactly "load skill metadata into the prompt and offer them to the agent" — purely about discovery/loading, no sandbox semantics.
- `infer-action` or any other consumer.
- `chat`, `infer agent`, channels, and heartbeat — no per-mode flag drift.

## Follow-up

Once this lands and a new CLI is cut:

- `inference-gateway/infer-action` — bump `inputs.version.default` in `action.yml` to the new CLI release.
- `inference-gateway/.github` — bump `cli-version` default in the centralized infer workflow.
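The validator that the two commit messages and the Changes list above describe, as an added Go example written for this page and not the project's own code: an allowlist that `DefaultConfig` populates with both skills dirs and no feature flag, a carve-out computed against the absolute path after resolving relative input, and a protected-path check that skips only the `.infer/` directory entry inside the carve-out so `*.env` and `.git/` still apply. The `Config` and `Validator` types, the `anyWithin` helper, the inclusion of the working directory as a sandbox root, the `<cwd>/.infer/tmp/plans` location of the tmp/plans carve-out, and the `"name/"` / `"*.ext"` pattern syntax for protected paths are all assumptions made here; the home and working directories are constructed strings so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Config is a hypothetical stand-in for the CLI's config type, not the project's own struct.
type Config struct {
	SandboxDirectories []string // read allowlist, absolute paths
	ProtectedPaths     []string // "name/" denies that directory anywhere; "*.ext" denies by basename
}

// Validator binds a config to fixed home/cwd so resolution is deterministic (no os.Getwd here).
type Validator struct {
	Home, Cwd string
	Cfg       *Config
}

var ErrOutsideSandbox = errors.New("outside configured sandbox directories")
var ErrProtected = errors.New("protected path")

// DefaultConfig puts both skills dirs into the allowlist unconditionally; no feature flag is
// consulted. Treating cwd itself as a sandbox root is an assumption of this example.
func DefaultConfig(home, cwd string) *Config {
	return &Config{
		SandboxDirectories: []string{cwd, filepath.Join(cwd, ".infer", "skills"), filepath.Join(home, ".infer", "skills")},
		ProtectedPaths:     []string{".infer/", "*.env", ".git/"},
	}
}

// anyWithin reports whether abs equals one of dirs or lies strictly below it. Requiring the
// separator is what keeps a sibling like ".infer/skills-evil" from matching ".infer/skills".
func anyWithin(abs string, dirs ...string) bool {
	for _, d := range dirs {
		if abs == d || strings.HasPrefix(abs, d+string(filepath.Separator)) {
			return true
		}
	}
	return false
}

// isWithinSkillsDir expects an absolute path: a relative ".infer/skills/x" shares no prefix
// with the absolute skills dirs and would fall through to the broad ".infer/" denial.
func (v *Validator) isWithinSkillsDir(abs string) bool {
	return anyWithin(abs, filepath.Join(v.Cwd, ".infer", "skills"), filepath.Join(v.Home, ".infer", "skills"))
}

// checkProtectedPaths applies every protected pattern; inside a carve-out only the ".infer/"
// directory entry is skipped, so "*.env" and ".git/" stay in force even in a skills dir.
func (v *Validator) checkProtectedPaths(abs string, carveOut bool) error {
	parts := strings.Split(filepath.ToSlash(abs), "/")
	for _, pat := range v.Cfg.ProtectedPaths {
		if carveOut && pat == ".infer/" {
			continue
		}
		hit := false
		if dir := strings.TrimSuffix(pat, "/"); dir != pat {
			for _, p := range parts {
				hit = hit || p == dir
			}
		} else {
			hit, _ = filepath.Match(pat, filepath.Base(abs))
		}
		if hit {
			return fmt.Errorf("%w: %s matches %s", ErrProtected, abs, pat)
		}
	}
	return nil
}

// ValidatePathInSandbox resolves path against Cwd and cleans it first, so the allowlist check
// and the carve-out both see an absolute, traversal-free path.
func (v *Validator) ValidatePathInSandbox(path string) (string, error) {
	if !filepath.IsAbs(path) {
		path = filepath.Join(v.Cwd, path)
	}
	abs := filepath.Clean(path)
	if !anyWithin(abs, v.Cfg.SandboxDirectories...) {
		return "", fmt.Errorf("%w: %s", ErrOutsideSandbox, abs)
	}
	// Carve-out: skills OR tmp/plans, computed against the absolute path. The tmp/plans
	// location under <cwd>/.infer/tmp/plans is assumed for this example.
	carveOut := v.isWithinSkillsDir(abs) || anyWithin(abs, filepath.Join(v.Cwd, ".infer", "tmp", "plans"))
	if err := v.checkProtectedPaths(abs, carveOut); err != nil {
		return "", err
	}
	return abs, nil
}

func main() {
	v := &Validator{Home: "/home/u", Cwd: "/work/proj", Cfg: DefaultConfig("/home/u", "/work/proj")} // constructed dirs
	for _, p := range []string{".infer/skills/deploy/SKILL.md", "/work/proj/.infer/skills/deploy/creds.env",
		"/home/u/.infer/skills-evil/x/SKILL.md", ".infer/skills/../config.yaml", "/home/u/.infer/config.yaml"} {
		abs, err := v.ValidatePathInSandbox(p)
		fmt.Printf("%-44s allowed=%-5v abs=%s err=%v\n", p, err == nil, abs, err)
	}
}
```

Running it prints one line per sample path: the relative `.infer/skills/deploy/SKILL.md` resolves under the working directory and is allowed, `creds.env` inside the skills dir and the `..` traversal to `.infer/config.yaml` hit protected patterns, and the `skills-evil` sibling never reaches the protected-path check because the separator-aware prefix test rejects it at the allowlist.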