fix(#337): Enable Docker sandbox by default and warn when disabled

- Sandbox now enabled by default for security - Logs prominent warning when explicitly disabled - Agents run in containers unless SANDBOX_ENABLED=false Refs #337 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 15:43:00 -06:00
parent 65df2bbdd3
commit 949d0d0ead
4 changed files with 136 additions and 2 deletions
--- a/apps/orchestrator/src/config/orchestrator.config.spec.ts
+++ b/apps/orchestrator/src/config/orchestrator.config.spec.ts
@@ -0,0 +1,86 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { orchestratorConfig } from "./orchestrator.config";
+
+describe("orchestratorConfig", () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    process.env = { ...originalEnv };
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  describe("sandbox.enabled", () => {
+    it("should be enabled by default when SANDBOX_ENABLED is not set", () => {
+      delete process.env.SANDBOX_ENABLED;
+
+      const config = orchestratorConfig();
+
+      expect(config.sandbox.enabled).toBe(true);
+    });
+
+    it("should be enabled when SANDBOX_ENABLED is set to 'true'", () => {
+      process.env.SANDBOX_ENABLED = "true";
+
+      const config = orchestratorConfig();
+
+      expect(config.sandbox.enabled).toBe(true);
+    });
+
+    it("should be disabled only when SANDBOX_ENABLED is explicitly set to 'false'", () => {
+      process.env.SANDBOX_ENABLED = "false";
+
+      const config = orchestratorConfig();
+
+      expect(config.sandbox.enabled).toBe(false);
+    });
+
+    it("should be enabled for any other value of SANDBOX_ENABLED", () => {
+      process.env.SANDBOX_ENABLED = "yes";
+
+      const config = orchestratorConfig();
+
+      expect(config.sandbox.enabled).toBe(true);
+    });
+
+    it("should be enabled when SANDBOX_ENABLED is empty string", () => {
+      process.env.SANDBOX_ENABLED = "";
+
+      const config = orchestratorConfig();
+
+      expect(config.sandbox.enabled).toBe(true);
+    });
+  });
+
+  describe("other config values", () => {
+    it("should use default port when ORCHESTRATOR_PORT is not set", () => {
+      delete process.env.ORCHESTRATOR_PORT;
+
+      const config = orchestratorConfig();
+
+      expect(config.port).toBe(3001);
+    });
+
+    it("should use provided port when ORCHESTRATOR_PORT is set", () => {
+      process.env.ORCHESTRATOR_PORT = "4000";
+
+      const config = orchestratorConfig();
+
+      expect(config.port).toBe(4000);
+    });
+
+    it("should use default valkey config when not set", () => {
+      delete process.env.VALKEY_HOST;
+      delete process.env.VALKEY_PORT;
+      delete process.env.VALKEY_URL;
+
+      const config = orchestratorConfig();
+
+      expect(config.valkey.host).toBe("localhost");
+      expect(config.valkey.port).toBe(6379);
+      expect(config.valkey.url).toBe("redis://localhost:6379");
+    });
+  });
+});
--- a/apps/orchestrator/src/config/orchestrator.config.ts
+++ b/apps/orchestrator/src/config/orchestrator.config.ts
@@ -22,7 +22,7 @@ export const orchestratorConfig = registerAs("orchestrator", () => ({
    enabled: process.env.KILLSWITCH_ENABLED === "true",
  },
  sandbox: {
-    enabled: process.env.SANDBOX_ENABLED === "true",
+    enabled: process.env.SANDBOX_ENABLED !== "false",
    defaultImage: process.env.SANDBOX_DEFAULT_IMAGE ?? "node:20-alpine",
    defaultMemoryMB: parseInt(process.env.SANDBOX_DEFAULT_MEMORY_MB ?? "512", 10),
    defaultCpuLimit: parseFloat(process.env.SANDBOX_DEFAULT_CPU_LIMIT ?? "1.0"),