let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: sync skills into sandbox workspace

Browse Source
This commit is contained in:
Peter Steinberger
2026-01-09 00:30:51 +01:00
parent 561fa99d95
commit e09708e82d
4 changed files with 123 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/gateway/sandboxing.md
View File

@@ -45,6 +45,10 @@ Not sandboxed:
- `"rw"`: mounts the agent workspace read/write at `/workspace`. - `"rw"`: mounts the agent workspace read/write at `/workspace`.
Inbound media is copied into the active sandbox workspace (`media/inbound/*`). Inbound media is copied into the active sandbox workspace (`media/inbound/*`).
Skills note: the `read` tool is sandbox-rooted. With `workspaceAccess: "none"`,
Clawdbot mirrors eligible skills into the sandbox workspace (`.../skills`) so
they can be read. With `"rw"`, workspace skills are readable from
`/workspace/skills`.
## Images + setup ## Images + setup
Default image: `clawdbot-sandbox:bookworm-slim` Default image: `clawdbot-sandbox:bookworm-slim`

27
src/agents/sandbox.ts
View File

@@ -19,6 +19,7 @@ import { STATE_DIR_CLAWDBOT } from "../config/config.js";
import { defaultRuntime } from "../runtime.js"; import { defaultRuntime } from "../runtime.js";
import { resolveUserPath } from "../utils.js"; import { resolveUserPath } from "../utils.js";
import { resolveAgentIdFromSessionKey } from "./agent-scope.js"; import { resolveAgentIdFromSessionKey } from "./agent-scope.js";
import { syncSkillsToWorkspace } from "./skills.js";
import { import {
DEFAULT_AGENT_WORKSPACE_DIR, DEFAULT_AGENT_WORKSPACE_DIR,
DEFAULT_AGENTS_FILENAME, DEFAULT_AGENTS_FILENAME,
@@ -1048,6 +1049,19 @@ export async function resolveSandboxContext(params: {
agentWorkspaceDir, agentWorkspaceDir,
params.config?.agent?.skipBootstrap, params.config?.agent?.skipBootstrap,
); );
if (cfg.workspaceAccess === "none") {
try {
await syncSkillsToWorkspace({
sourceWorkspaceDir: agentWorkspaceDir,
targetWorkspaceDir: sandboxWorkspaceDir,
config: params.config,
});
} catch (error) {
const message =
error instanceof Error ? error.message : JSON.stringify(error);
defaultRuntime.error?.(`Sandbox skill sync failed: ${message}`);
}
}
} else { } else {
await fs.mkdir(workspaceDir, { recursive: true }); await fs.mkdir(workspaceDir, { recursive: true });
} }
@@ -1109,6 +1123,19 @@ export async function ensureSandboxWorkspaceForSession(params: {
agentWorkspaceDir, agentWorkspaceDir,
params.config?.agent?.skipBootstrap, params.config?.agent?.skipBootstrap,
); );
if (cfg.workspaceAccess === "none") {
try {
await syncSkillsToWorkspace({
sourceWorkspaceDir: agentWorkspaceDir,
targetWorkspaceDir: sandboxWorkspaceDir,
config: params.config,
});
} catch (error) {
const message =
error instanceof Error ? error.message : JSON.stringify(error);
defaultRuntime.error?.(`Sandbox skill sync failed: ${message}`);
}
}
} else { } else {
await fs.mkdir(workspaceDir, { recursive: true }); await fs.mkdir(workspaceDir, { recursive: true });
} }

55
src/agents/skills.test.ts
View File

@@ -10,6 +10,7 @@ import {
buildWorkspaceSkillSnapshot, buildWorkspaceSkillSnapshot,
buildWorkspaceSkillsPrompt, buildWorkspaceSkillsPrompt,
loadWorkspaceSkillEntries, loadWorkspaceSkillEntries,
syncSkillsToWorkspace,
} from "./skills.js"; } from "./skills.js";
import { buildWorkspaceSkillStatus } from "./skills-status.js"; import { buildWorkspaceSkillStatus } from "./skills-status.js";
@@ -130,6 +131,60 @@ describe("buildWorkspaceSkillsPrompt", () => {
expect(prompt).toContain(path.join(skillDir, "SKILL.md")); expect(prompt).toContain(path.join(skillDir, "SKILL.md"));
}); });
it("syncs merged skills into a target workspace", async () => {
const sourceWorkspace = await fs.mkdtemp(
path.join(os.tmpdir(), "clawdbot-"),
);
const targetWorkspace = await fs.mkdtemp(
path.join(os.tmpdir(), "clawdbot-"),
);
const extraDir = path.join(sourceWorkspace, ".extra");
const bundledDir = path.join(sourceWorkspace, ".bundled");
const managedDir = path.join(sourceWorkspace, ".managed");
await writeSkill({
dir: path.join(extraDir, "demo-skill"),
name: "demo-skill",
description: "Extra version",
});
await writeSkill({
dir: path.join(bundledDir, "demo-skill"),
name: "demo-skill",
description: "Bundled version",
});
await writeSkill({
dir: path.join(managedDir, "demo-skill"),
name: "demo-skill",
description: "Managed version",
});
await writeSkill({
dir: path.join(sourceWorkspace, "skills", "demo-skill"),
name: "demo-skill",
description: "Workspace version",
});
await syncSkillsToWorkspace({
sourceWorkspaceDir: sourceWorkspace,
targetWorkspaceDir: targetWorkspace,
config: { skills: { load: { extraDirs: [extraDir] } } },
bundledSkillsDir: bundledDir,
managedSkillsDir: managedDir,
});
const prompt = buildWorkspaceSkillsPrompt(targetWorkspace, {
bundledSkillsDir: path.join(targetWorkspace, ".bundled"),
managedSkillsDir: path.join(targetWorkspace, ".managed"),
});
expect(prompt).toContain("Workspace version");
expect(prompt).not.toContain("Managed version");
expect(prompt).not.toContain("Bundled version");
expect(prompt).not.toContain("Extra version");
expect(prompt).toContain(
path.join(targetWorkspace, "skills", "demo-skill", "SKILL.md"),
);
});
it("filters skills based on env/config gates", async () => { it("filters skills based on env/config gates", async () => {
const workspaceDir = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-")); const workspaceDir = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-"));
const skillDir = path.join(workspaceDir, "skills", "nano-banana-pro"); const skillDir = path.join(workspaceDir, "skills", "nano-banana-pro");

37
src/agents/skills.ts
View File

@@ -11,6 +11,8 @@ import {
import type { ClawdbotConfig, SkillConfig } from "../config/config.js"; import type { ClawdbotConfig, SkillConfig } from "../config/config.js";
import { CONFIG_DIR, resolveUserPath } from "../utils.js"; import { CONFIG_DIR, resolveUserPath } from "../utils.js";
const fsp = fs.promises;
export type SkillInstallSpec = { export type SkillInstallSpec = {
id?: string; id?: string;
kind: "brew" | "node" | "go" | "uv"; kind: "brew" | "node" | "go" | "uv";
@@ -619,6 +621,41 @@ export function loadWorkspaceSkillEntries(
return loadSkillEntries(workspaceDir, opts); return loadSkillEntries(workspaceDir, opts);
} }
export async function syncSkillsToWorkspace(params: {
sourceWorkspaceDir: string;
targetWorkspaceDir: string;
config?: ClawdbotConfig;
managedSkillsDir?: string;
bundledSkillsDir?: string;
}) {
const sourceDir = resolveUserPath(params.sourceWorkspaceDir);
const targetDir = resolveUserPath(params.targetWorkspaceDir);
if (sourceDir === targetDir) return;
const targetSkillsDir = path.join(targetDir, "skills");
const entries = loadSkillEntries(sourceDir, {
config: params.config,
managedSkillsDir: params.managedSkillsDir,
bundledSkillsDir: params.bundledSkillsDir,
});
await fsp.rm(targetSkillsDir, { recursive: true, force: true });
await fsp.mkdir(targetSkillsDir, { recursive: true });
for (const entry of entries) {
const dest = path.join(targetSkillsDir, entry.skill.name);
try {
await fsp.cp(entry.skill.baseDir, dest, { recursive: true, force: true });
} catch (error) {
const message =
error instanceof Error ? error.message : JSON.stringify(error);
console.warn(
`[skills] Failed to copy ${entry.skill.name} to sandbox: ${message}`,
);
}
}
}
export function filterWorkspaceSkillEntries( export function filterWorkspaceSkillEntries(
entries: SkillEntry[], entries: SkillEntry[],
config?: ClawdbotConfig, config?: ClawdbotConfig,