[pitboss] phase 03: M3 — Docker backend + sandbox-escape regression suite

2026-06-09 19:45:13 +02:00 · 2026-05-12 00:05:11 -04:00 · 2026-05-12 00:05:11 -04:00 · a8b9dcd72b
commit a8b9dcd72b
parent 3a4f1b177b
36 changed files with 1778 additions and 27 deletions
--- a/src/cli.rs
+++ b/src/cli.rs
@ -438,6 +438,24 @@ pub enum Commands {
        #[cfg_attr(not(feature = "dynamic"), arg(hide = true))]
        #[arg(long, help_heading = "Dynamic")]
        verify: bool,
+
+        /// Force the process sandbox backend (less isolation, dev use only).
+        ///
+        /// By default `--verify` uses docker when available. This flag
+        /// restricts the backend to the in-process runner. Cannot be combined
+        /// with `--backend docker`.
+        #[cfg_attr(not(feature = "dynamic"), arg(hide = true))]
+        #[arg(long, help_heading = "Dynamic")]
+        unsafe_sandbox: bool,
+
+        /// Sandbox backend to use for dynamic verification.
+        ///
+        /// `auto` (default): docker when available, else process.
+        /// `docker`: require docker; fail if unavailable.
+        /// `process`: in-process runner (same as `--unsafe-sandbox`).
+        #[cfg_attr(not(feature = "dynamic"), arg(hide = true))]
+        #[arg(long, help_heading = "Dynamic", value_name = "BACKEND")]
+        backend: Option<String>,
    },

    /// Submit feedback on a dynamic verification verdict (§21.2).