MXC sandbox: operator ceiling split(":") shreds Windows drive-letter paths #93

Description

@brandwe

Bug

In run_code (src/entrabot/mcp_server.py, ~line 4955 on feat/mxc-sandbox-integration), the operator ceiling is parsed by splitting env vars on a hard-coded colon:

ceiling_readonly  = os.environ.get("ENTRABOT_SANDBOX_READONLY_PATHS", "").split(":")
ceiling_readwrite = os.environ.get("ENTRABOT_SANDBOX_READWRITE_PATHS", "").split(":")

On Windows a path like C:\\Users\\me\\Documents splits into ["C", "\\Users\\me\\Documents"]. Every ceiling path is shredded by the drive-letter colon, so clamp_to_ceiling() sees garbage and the operator ceiling — the core security primitive (Learning #54) — becomes unusable on Windows. The agent's requested paths get clamped against nonsense, breaking the allow/block decision.

Fix

Use os.pathsep (":" on Unix, ";" on Windows) instead of a literal ":" wherever these ceiling env vars are split. Audit policy.py and any other split sites for the same hard-coded separator.

Tests

  • Regression with a Windows-style ceiling: ENTRABOT_SANDBOX_READWRITE_PATHS=C:\\Users\\me\\out parses to exactly one path, not two.
  • Existing Unix behavior (/a:/b → [/a, /b]) still holds under os.pathsep.

Severity

Blocks the Windows port (#92). The demo matrix can't pass while the ceiling is shredded. The colon-split is also a latent correctness smell worth fixing regardless of platform.

Parent: #92 · macOS Phase 1: #86
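
The fix and both regression cases above, as an added example that is not part of the issue or the project's code. The names parse_ceiling and colon_split, the sep and windows parameters, and the sample values are hypothetical, and rejecting non-absolute entries is an extra fail-closed check the issue does not ask for.

```python
import os
from pathlib import PurePosixPath, PureWindowsPath


def colon_split(raw):
    """Pre-fix behaviour described in the issue: split on a literal ':'."""
    return raw.split(":")


def parse_ceiling(raw, sep=os.pathsep, windows=(os.name == "nt")):
    """Split a ceiling env value on the platform separator.

    sep and windows default to the running platform; they are parameters
    only so both platforms can be exercised from one machine.
    """
    flavour = PureWindowsPath if windows else PurePosixPath
    # "".split(sep) returns [""], so drop empty entries instead of
    # passing an empty path on to the clamp step.
    entries = [e for e in raw.split(sep) if e]
    # Fail closed: a shredded value such as "C" or "\Users\me\out" is not
    # absolute under Windows rules, so a wrong separator is caught here.
    bad = [e for e in entries if not flavour(e).is_absolute()]
    if bad:
        raise ValueError(f"non-absolute ceiling entries: {bad!r}")
    return entries


# Constructed sample values for ENTRABOT_SANDBOX_READWRITE_PATHS.
WIN_ONE = r"C:\Users\me\out"
WIN_TWO = r"C:\Users\me\out;D:\scratch"
UNIX_TWO = "/a:/b"

if __name__ == "__main__":
    print("colon split :", colon_split(WIN_ONE))
    print("os.pathsep  :", parse_ceiling(WIN_ONE, sep=";", windows=True))
    print("two entries :", parse_ceiling(WIN_TWO, sep=";", windows=True))
    print("unix        :", parse_ceiling(UNIX_TWO, sep=":", windows=False))
    try:
        parse_ceiling(WIN_ONE, sep=":", windows=True)
    except ValueError as exc:
        print("rejected    :", exc)
```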
