Skip to content

ci(sandbox): MCP-3236 integration tests + workflow + snap-docker harness (MCP-34.5)#782

Merged
Dumbris merged 5 commits into
mainfrom
qa-mcp3236-sandbox-it
Jun 29, 2026
Merged

ci(sandbox): MCP-3236 integration tests + workflow + snap-docker harness (MCP-34.5)#782
Dumbris merged 5 commits into
mainfrom
qa-mcp3236-sandbox-it

Conversation

@Dumbris

@Dumbris Dumbris commented Jun 29, 2026

Copy link
Copy Markdown
Member

Lands the MCP-34.5 sandbox-integration verification artifacts that QATester produced for [MCP-3236] but which were left on the local checkout, never pushed. No production code — CI workflow + docs + QA report.

Changes

  • .github/workflows/sandbox-integration.yml — dedicated CI job on ubuntu-latest (Landlock ABI 3): runs the sandbox package tests, upstream/core wrapper integration tests, scanner isolation-mode degradation tests, a binary build, and a server-startup probe with isolation.mode=sandbox.
  • docs/development/sandbox-snap-docker-harness.md — manual harness for Ubuntu snap-docker hosts (negative baseline mode=docker → AppArmor failure reproducing GH Process compose option #71; positive mode=sandbox → Landlock confinement + scanner graceful degradation).
  • docs/qa/mcpproxy-qa-mcp3236-2026-06-29.html — QA report (10/11 pass, 1 skip — linux-only Landlock tests skip on darwin by design).

Closes the last exit criterion (#4) of the MCP-34 non-Docker sandbox isolation epic, so the CI gate that validates the sandbox feature ships alongside it (#768 launcher + #781 scanner parity).

Related #71

…arness

- .github/workflows/sandbox-integration.yml: dedicated CI job on ubuntu-latest
  (kernel 6.8, Landlock ABI 3) — runs sandbox package tests, upstream/core
  wrapper integration tests, scanner isolation-mode degradation tests, binary
  build, and server startup probe with isolation.mode=sandbox

- docs/development/sandbox-snap-docker-harness.md: manual harness for Ubuntu
  snap-docker hosts — negative baseline (mode=docker → AppArmor failure
  reproducing GH #71) and positive case (mode=sandbox → Landlock confinement,
  scanner graceful degradation)

- docs/qa/mcpproxy-qa-mcp3236-2026-06-29.html: HTML QA report (10/11 pass,
  1 skip — linux-only Landlock tests skip on darwin as designed)

Satisfies exit criterion #4 of MCP-34 (MCP-3236).
@Dumbris Dumbris changed the title qa(sandbox): MCP-3236 integration tests + CI workflow + snap-docker harness (MCP-34.5) ci(sandbox): MCP-3236 integration tests + workflow + snap-docker harness (MCP-34.5) Jun 29, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 29, 2026

Copy link
Copy Markdown

Deploying mcpproxy-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 9aab9fa
Status: ✅  Deploy successful!
Preview URL: https://c6419a20.mcpproxy-docs.pages.dev
Branch Preview URL: https://qa-mcp3236-sandbox-it.mcpproxy-docs.pages.dev

View logs

@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown

📦 Build Artifacts

Workflow Run: View Run
Branch: qa-mcp3236-sandbox-it

Available Artifacts

  • archive-darwin-amd64 (28 MB)
  • archive-darwin-arm64 (25 MB)
  • archive-linux-amd64 (16 MB)
  • archive-linux-arm64 (14 MB)
  • archive-windows-amd64 (28 MB)
  • archive-windows-arm64 (25 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (21 MB)
  • installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 28358437321 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

Dumbris added 4 commits June 29, 2026 10:13
…tup race)

The 'Verify server health' step checked /api/v1/status once, immediately after
the start step's readiness loop broke on the first HTTP-200 — but the server
responds to /status before it finishes warming up (Bleve index, capability
registration), so 'running' was still False and the step failed on CI.

Retry for running:True up to 30s before failing.

Related #71
The health probe checked d.get('running') in /api/v1/status, but the response
shape is {"status": {"phase": "Ready"}} — there is no top-level 'running'
field, so the check was always False even though the server was up and serving.
Poll for status.phase == Ready instead.

Related #71
Parsing /api/v1/status JSON was fragile (the status object is nested and the
healthy phase is 'Running', not 'Ready'). /readyz is the canonical readiness
endpoint — controller-backed, returns 200 when IsReady() is true — so poll it
for 200 instead. Structure-independent and idiomatic.

Related #71
…actually resolved

CodexReviewer caught the probe was vacuous: the config used a top-level
"isolation" key, but the GLOBAL isolation mode is docker_isolation.mode
(per-server isolation is the only 'isolation' key). The wrong key was silently
ignored, so the server started with isolation_mode=none — the 'sandbox' probe
never tested sandbox.

- workflow + harness: isolation -> docker_isolation for the global mode
- workflow: assert the server log shows isolation_mode=sandbox (fail if not),
  so a future wrong-key regression can't pass vacuously
- harness positive case now actually runs the stdio 'everything' server under
  Landlock (inherits global sandbox); negative baseline under docker (AppArmor)

Related #71

@mcpproxy-gatekeeper mcpproxy-gatekeeper Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gatekeeper approval — Codex review verdict: ACCEPT.

This approval is posted automatically by the MCPProxy Gatekeeper App on behalf of the Codex reviewer (verdict of record lives in the Paperclip review thread). Author≠approver satisfied; QA + CI gates enforced separately.

Auto-approved per Model B (MCP-1249).

@Dumbris Dumbris merged commit 1615b89 into main Jun 29, 2026
56 of 59 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants