feat(sbx): Docker Sandboxes mixin kit (v1, shim tier)

.goreleaser.yml

@@ -130,6 +130,19 @@ builds:
     ldflags:
       - -s -w
 
+  - id: sbx-bootstrap-linux
+    main: ./cmd/agentsh-sbx-bootstrap
+    binary: agentsh-sbx-bootstrap
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w -X main.version={{.Version}}
+
   # unixwrap: seccomp wrapper for Linux amd64 (requires CGO + libseccomp)
   - id: unixwrap-linux-amd64
     main: ./cmd/agentsh-unixwrap
@@ -307,10 +320,12 @@ nfpms:
       - unixwrap-linux-amd64
       - unixwrap-linux-arm64
       - stub-linux
+      - sbx-bootstrap-linux    # NEW: bootstrap binary lands in /usr/bin
     formats:
       - deb
       - rpm
       - archlinux
+      - apk
     bindir: /usr/bin
     vendor: AgentSH
     homepage: https://github.com/agentsh/agentsh
@@ -361,6 +376,72 @@ nfpms:
         dst: /usr/lib/agentsh/bash_startup.sh
         file_info:
           mode: 0755
+      # Auto-wrap agent harness (paired with the Docker Sandboxes mixin kit).
+      - src: packaging/agent-wrap.sh
+        dst: /usr/lib/agentsh/agent-wrap
+        file_info:
+          mode: 0755
+      - src: packaging/install-agent-wrappers.sh
+        dst: /usr/lib/agentsh/install-agent-wrappers.sh
+        file_info:
+          mode: 0755
+      # Coding-agent policy template for Docker Sandboxes mixin bootstrap.
+      # Installed read-only — the bootstrap writes the merged result to
+      # /etc/agentsh/policies/default.yaml on each sandbox start.
+      - src: configs/policies/coding-agent.yaml
+        dst: /usr/share/agentsh/coding-agent.template.yaml
+        file_info:
+          mode: 0644
+
+      # Shim directory + symlinks (Docker Sandboxes mixin support).
+      # /usr/lib/agentsh/shims is prepended to PATH inside sandboxes via
+      # /etc/profile.d/agentsh.sh (written by the mixin kit's initFiles).
+      - dst: /usr/lib/agentsh/shims
+        type: dir
+        file_info:
+          mode: 0755
+      - dst: /usr/lib/agentsh/shims/bash
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+      - dst: /usr/lib/agentsh/shims/sh
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+      - dst: /usr/lib/agentsh/shims/curl
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+      - dst: /usr/lib/agentsh/shims/wget
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+      - dst: /usr/lib/agentsh/shims/pip
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+      - dst: /usr/lib/agentsh/shims/pip3
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+      - dst: /usr/lib/agentsh/shims/npm
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+      - dst: /usr/lib/agentsh/shims/node
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+      - dst: /usr/lib/agentsh/shims/git
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+      - dst: /usr/lib/agentsh/shims/python
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+      - dst: /usr/lib/agentsh/shims/python3
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+      - dst: /usr/lib/agentsh/shims/rm
+        src: /usr/bin/agentsh-shell-shim
+        type: symlink
+
+      # Packaged policy reference (also lives in repo at docs/policy-reference.md).
+      - src: docs/policy-reference.md
+        dst: /usr/share/doc/agentsh/policy-reference.md
+        file_info:
+          mode: 0644
       # Policy files
       - src: configs/policies/*.yaml
         dst: /etc/agentsh/policies/
@@ -388,6 +469,9 @@ nfpms:
 release:
   draft: false
   prerelease: auto
+  extra_files:
+    - glob: scripts/install-agentsh.sh
+      name_template: install.sh
 
 # Homebrew cask is published by the publish-homebrew-cask job in release.yml
 # (not managed by GoReleaser — the cask installs the signed DMG, not raw binaries)

Makefile

@@ -58,6 +58,9 @@ dns-test:
 	docker build -f Dockerfile.dns-test -t agentsh-dns-test .
 	docker run --rm --cap-add SYS_PTRACE agentsh-dns-test
 
+sbx-e2e:
+	bash docker/sbx-kit/tests/run-e2e.sh
+
 seccomp-probe:
 	mkdir -p build
 	GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o build/seccomp-probe ./cmd/seccomp-probe/

cmd/agentsh-sbx-bootstrap/daemon.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+)
+
+// spawnDaemon fork-execs `bin args...` with stdout/stderr appended to logPath.
+// The child is detached; the returned *exec.Cmd lets the caller signal it if
+// needed (in normal flow the bootstrap exits after probing and the daemon
+// keeps running, reparented to PID 1).
+func spawnDaemon(bin string, args []string, logPath string) (*exec.Cmd, error) {
+	if err := os.MkdirAll(filepath.Dir(logPath), 0o755); err != nil {
+		return nil, fmt.Errorf("mkdir log dir: %w", err)
+	}
+	logF, err := os.OpenFile(logPath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o644)
+	if err != nil {
+		return nil, fmt.Errorf("open log: %w", err)
+	}
+	cmd := exec.Command(bin, args...)
+	cmd.Stdout = logF
+	cmd.Stderr = logF
+	cmd.Env = os.Environ()
+	if err := cmd.Start(); err != nil {
+		logF.Close()
+		return nil, fmt.Errorf("start %s: %w", bin, err)
+	}
+	// Release the parent's reference to the log file FD now that exec(2) has
+	// dup'd stdio into the child. The child keeps its own dup'd FD.
+	_ = logF.Close()
+	return cmd, nil
+}
+
+// waitForSocket polls for a filesystem entry at sockPath, returning nil as
+// soon as it exists. Returns an error if the deadline elapses first.
+//
+// We check existence rather than `Dial` because the daemon may use a
+// different socket type (gRPC vs HTTP) and a successful Dial isn't required
+// to confirm "the daemon has started writing its socket" — only that the
+// file exists.
+func waitForSocket(sockPath string, deadline time.Duration) error {
+	end := time.Now().Add(deadline)
+	for time.Now().Before(end) {
+		if _, err := os.Stat(sockPath); err == nil {
+			return nil
+		} else if !errors.Is(err, os.ErrNotExist) {
+			return fmt.Errorf("stat socket %q: %w", sockPath, err)
+		}
+		time.Sleep(50 * time.Millisecond)
+	}
+	return fmt.Errorf("socket %q did not appear within %s", sockPath, deadline)
+}

cmd/agentsh-sbx-bootstrap/daemon_test.go

@@ -0,0 +1,69 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+)
+
+func TestSpawnDaemonAndWait_SocketAppears(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("unix sockets only")
+	}
+	dir := t.TempDir()
+	sock := filepath.Join(dir, "agentsh.sock")
+
+	// Fake "daemon": a shell script that writes the socket file after a small
+	// delay. The bootstrap should observe it within the 2s window.
+	fakeBin := filepath.Join(dir, "fake-agentsh")
+	script := "#!/bin/sh\n(sleep 0.1; touch '" + sock + "') &\nexec sleep 5\n"
+	if err := os.WriteFile(fakeBin, []byte(script), 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	logPath := filepath.Join(dir, "bootstrap.log")
+	cmd, err := spawnDaemon(fakeBin, []string{"server"}, logPath)
+	if err != nil {
+		t.Fatalf("spawnDaemon: %v", err)
+	}
+	t.Cleanup(func() { _ = cmd.Process.Kill() })
+
+	if err := waitForSocket(sock, 2*time.Second); err != nil {
+		t.Fatalf("waitForSocket: %v", err)
+	}
+}
+
+func TestWaitForSocket_TimesOut(t *testing.T) {
+	dir := t.TempDir()
+	sock := filepath.Join(dir, "nope.sock")
+	start := time.Now()
+	err := waitForSocket(sock, 200*time.Millisecond)
+	if err == nil {
+		t.Fatal("expected timeout error")
+	}
+	if elapsed := time.Since(start); elapsed > 1*time.Second {
+		t.Errorf("waitForSocket overshot deadline: %v", elapsed)
+	}
+}
+
+func TestWaitForSocket_NonExistError(t *testing.T) {
+	// A path under a path component that is a regular file (not a directory)
+	// makes os.Stat return ENOTDIR, not ENOENT — exercises the new
+	// non-ErrNotExist branch.
+	dir := t.TempDir()
+	notADir := filepath.Join(dir, "file")
+	if err := os.WriteFile(notADir, []byte("x"), 0o644); err != nil {
+		t.Fatal(err)
+	}
+	sock := filepath.Join(notADir, "agentsh.sock") // /tmp/.../file/agentsh.sock — ENOTDIR
+	err := waitForSocket(sock, 200*time.Millisecond)
+	if err == nil {
+		t.Fatal("expected non-nil error for non-existent parent")
+	}
+	if !strings.Contains(err.Error(), "stat socket") {
+		t.Errorf("expected wrapped stat error, got: %v", err)
+	}
+}

cmd/agentsh-sbx-bootstrap/main.go

@@ -0,0 +1,78 @@
+// agentsh-sbx-bootstrap is the startup entrypoint installed into Docker
+// Sandboxes by the AgentSH mixin kit. It merges the baked coding-agent
+// policy with any user override, spawns the agentsh server, then probes
+// the active enforcement tier and writes /run/agentsh/tier so the agent's
+// SKILL.md can read it.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"time"
+)
+
+const (
+	defaultTemplatePath = "/usr/share/agentsh/coding-agent.template.yaml"
+	defaultOverlayPath  = "/home/agent/.agentsh/policy.yaml"
+	defaultPolicyPath   = "/etc/agentsh/policies/default.yaml"
+	defaultTierPath     = "/run/agentsh/tier"
+	// defaultBootstrapLog: target for the future bootstrap banner / tier probe
+	// log. v1 writes those to stderr; the constant reserves the path so
+	// installers, doc tooling, and Task 5 can reference a single source of truth.
+	defaultBootstrapLog  = "/var/log/agentsh/bootstrap.log"
+	defaultDaemonLog     = "/var/log/agentsh/daemon.log"
+	defaultAgentshBin    = "/usr/bin/agentsh"
+	defaultServerConfig  = "/etc/agentsh/config.yaml"
+	defaultDaemonSocket  = "/run/agentsh/agentsh.sock"
+	defaultSocketTimeout = 2 * time.Second
+	defaultShimDir       = "/usr/lib/agentsh/shims"
+)
+
+func main() {
+	var (
+		tmpl       = flag.String("template", defaultTemplatePath, "Baked policy template path")
+		overlay    = flag.String("overlay", defaultOverlayPath, "User override fragment path")
+		policy     = flag.String("policy", defaultPolicyPath, "Output merged policy path")
+		agentshBin = flag.String("agentsh", defaultAgentshBin, "Path to the agentsh binary")
+		srvConfig  = flag.String("server-config", defaultServerConfig, "Path to the agentsh server config")
+		sock       = flag.String("socket", defaultDaemonSocket, "Daemon socket path to poll for readiness")
+		daemonLog  = flag.String("daemon-log", defaultDaemonLog, "Path to daemon log file")
+	)
+	flag.Parse()
+
+	if err := mergeAndWritePolicy(*tmpl, *overlay, *policy); err != nil {
+		fmt.Fprintf(os.Stderr, "agentsh-sbx-bootstrap: policy merge failed: %v\n", err)
+		os.Exit(1)
+	}
+
+	if _, err := spawnDaemon(*agentshBin, []string{"server", "--config", *srvConfig}, *daemonLog); err != nil {
+		fmt.Fprintf(os.Stderr, "agentsh-sbx-bootstrap: spawn daemon: %v\n", err)
+		os.Exit(1)
+	}
+
+	if err := waitForSocket(*sock, defaultSocketTimeout); err != nil {
+		fmt.Fprintf(os.Stderr, "agentsh-sbx-bootstrap: %v (continuing with degraded tier)\n", err)
+		// Don't exit — tier probe will record tier=none.
+	}
+
+	shimDir := defaultShimDir
+	if env := os.Getenv("AGENTSH_SHIM_DIR"); env != "" {
+		shimDir = env
+	}
+
+	tier := "none"
+	if ok, resolved, probeErr := probeShimTier(shimDir); probeErr != nil {
+		fmt.Fprintf(os.Stderr, "agentsh-sbx-bootstrap: shim probe failed: %v\n", probeErr)
+	} else if ok {
+		tier = "shim"
+		fmt.Fprintf(os.Stdout, "agentsh-sbx-bootstrap: shim tier active (curl -> %s)\n", resolved)
+	} else {
+		fmt.Fprintf(os.Stderr, "agentsh-sbx-bootstrap: shim tier NOT active (PATH did not yield %s)\n", shimDir)
+	}
+
+	if err := writeTierFile(defaultTierPath, tier); err != nil {
+		fmt.Fprintf(os.Stderr, "agentsh-sbx-bootstrap: write tier file: %v\n", err)
+		os.Exit(1)
+	}
+}