ADR-0027: opensandbox_execd Emission Channel #750
Merged
Pull request overview
Adds ADR-0026 to document a proposed opensandbox_execd emission channel for integrating Agent Receipts with OpenSandbox’s execd HTTP daemon, describing how agent actions can be observed via a proxy, relayed host-side, then signed/chained/persisted by the daemon.
Changes:
- Introduces the `opensandbox_execd` channel definition, including placement options and threat-model mapping.
- Specifies endpoint→taxonomy mappings and hashing/signing/chaining behavior at a design level.
- Documents transport (in-sandbox proxy → host relay → daemon), trust model, and follow-up implementation work.
Design note for attesting OpenSandbox-mediated agent actions via an execd emit hook. Covers threat-model-mapped placements (execd-side vs ingress/egress), action type mapping for all five execd endpoints, per-sandbox sub-chain anchoring, emit hook vs OTLP exporter placement, and the mTLS transport to the host-side AR daemon.
Ten findings from the post-write review, all fixed:
- C1+C5 (arch): replace "execd post-action middleware" with an in-sandbox AR proxy binary (no execd source changes required), and introduce a host relay that bridges the proxy's mTLS outbound to the daemon's existing Unix socket — no new daemon mode needed.
- C2 (ADR-0025): add Drop-counter handling section; proxy surfaces transport failures through its Go error channel and increments the in-memory drop counter (fire-and-forget per ADR-0020, not silent).
- C3 (normative): soften "Anchoring is required" to "SHOULD carry parentChainRef"; anchoring is aspirational until the field is defined in the daemon IPC contract (follow-up item 3).
- C4 (drop counter): add drop_count to all five IPC field tables and the new Drop-counter handling section (ADR-0010 in-memory path).
- C6 (stale ref): fix "/code gap → ADR-0019 O3" to ADR-0020 § "At-least-once delivery and the WAL".
- C7 (schema drift): add paragraph explaining intentional coverage block divergence from ADR-0014 (dropped enforcement + sandbox, added placement).
- C8 (Placement B): add network.egress.observed emit payload schema for Placement B receipts.
- C9 (undefined term): define incomplete_session inline; note it does not yet exist in the verifier framework (follow-up item 4).
- C10 (naming): add Correlator naming paragraph justifying why `correlator` is used instead of `tool_use_id` for PTY pairing.

Also fix: pty.close parameters_hash now hashes the meaningful close parameters (exit_code, signal) rather than the correlator; fix the threat-table row on network exfiltration (Placement A does produce receipts for curl-via-/command); add Trust model section; add host relay as a new cost/follow-up item.
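The drop-counter behaviour named in items C2 and C4 of the commit message above, as an added Go example (not code from this pull request or from the Agent Receipts project). The `Frame` and `Emitter` types, the `Demo` function, the action names other than `pty.close`, and the `events_dropped:N` string form are assumptions made for illustration; only the `drop_count` field and the `events_dropped` receipt are named on the page.

```go
package main

import "fmt"

// Frame is a hypothetical IPC frame; only the drop_count field is named on the page.
type Frame struct {
	Action    string
	DropCount uint64
}

// Emitter models the proxy's fire-and-forget path; assumes a single calling goroutine.
type Emitter struct {
	dropped uint64
	Send    func(Frame) error // transport; the ADR describes mTLS to a host relay
}

// Emit tries once; a failed send is counted and the count rides on the next frame.
func (e *Emitter) Emit(action string) error {
	err := e.Send(Frame{Action: action, DropCount: e.dropped})
	if err != nil {
		e.dropped++ // the frame is lost, but the loss is remembered
		return err
	}
	e.dropped = 0 // cleared only after the count was delivered
	return nil
}

// Demo sends constructed actions over a link that fails on the 2nd and 3rd send.
func Demo() (chain []string) {
	sends := 0
	e := &Emitter{Send: func(f Frame) error {
		sends++
		if sends == 2 || sends == 3 {
			return fmt.Errorf("tls handshake failure") // constructed failure
		}
		// Daemon side: a non-zero drop_count becomes an explicit chain entry.
		if f.DropCount > 0 {
			chain = append(chain, fmt.Sprintf("events_dropped:%d", f.DropCount))
		}
		chain = append(chain, f.Action)
		return nil
	}}
	for _, a := range []string{"command.run", "file.write", "file.read", "pty.open", "pty.close"} {
		_ = e.Emit(a) // no retry and no blocking on failure
	}
	return chain
}

func main() { fmt.Println(Demo()) }
```

The two lost actions never reach the chain, but the gap itself does, ahead of the first action that got through afterwards.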
Comment on lines +51 to +53
| The Ed25519 signing key MUST NOT reside inside the sandbox. The sandbox is an | ||
| arbitrary-code environment for the agent; a key-in-sandbox is the CI-guide | ||
| colocation antipattern — signing from within the environment being audited. |
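Review bot: the MUST NOT on the first line covers only the Ed25519 signing key, and these lines do not say which credentials may live inside the sandbox. Since the stated rationale is that the sandbox is an arbitrary-code environment for the agent, it would help to state next to this rule what an in-sandbox component is allowed to hold, and what a host-side signature does and does not prove when the signed input originated inside the sandbox. "CI-guide colocation antipattern" is also cited without a link or section reference; point it at the document that defines the term.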
| TLS handshake failure, write deadline exceeded), the proxy increments an | ||
| in-memory counter rather than silently swallowing the failure. On the next | ||
| successful send, the counter is included as `drop_count` in the IPC frame; | ||
| the daemon synthesizes an `events_dropped` receipt into the chain exactly as |
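Review bot: "in-memory counter" together with "On the next successful send" leaves two cases unspecified: when the counter is reset, and what happens to a non-zero count if the proxy exits before another send succeeds. Suggest stating that the counter is cleared only after the frame carrying `drop_count` has been delivered, and documenting whether drops accumulated before a proxy restart are reported at all, so that a verifier does not read the absence of an `events_dropped` receipt as proof of a complete stream.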
This was referenced Jun 10, 2026
What
Add ADR-0027 documenting the `opensandbox_execd` emission channel for Agent Receipts integration with OpenSandbox. This design note specifies how AR observes and records all agent actions within an OpenSandbox sandbox through the execd HTTP daemon, with tamper-evident receipts signed and chained host-side.
Why
OpenSandbox provides a single chokepoint (the execd daemon) through which all agent-initiated actions flow. This makes it an ideal instrumentation surface for Agent Receipts — full coverage without per-tool integration work. The existing OTLP metrics from execd are sampled and lossy; AR provides a complete, ordered, tamper-evident record of every action.
This ADR establishes:
`opensandbox_execd`
Checklist
Security