feat(cli): add sandbox exec subcommand with TTY support#752
Open
feat(cli): add sandbox exec subcommand with TTY support#752
Conversation
Add a new 'openshell sandbox exec' command that executes commands inside running sandboxes using the gRPC ExecSandbox streaming endpoint (the same endpoint the Python SDK uses). This provides a lightweight alternative to SSH-based execution for non-interactive command runs. Key features: - Real-time stdout/stderr streaming to the terminal - Exit code propagation (CLI exits with the remote command's exit code) - Piped stdin support (automatically detected when stdin is not a TTY) - Environment variable overrides via --env/-e flags - Working directory override via --workdir - Configurable timeout (exit code 124 on timeout, matching Unix convention) - Last-used sandbox fallback when --name is omitted
Add missing --tty/--no-tty flag required by the issue spec, plumbed through proto, CLI, and server-side PTY allocation over SSH. Harden the implementation with a client-side sandbox phase check, a 4 MiB stdin size limit to prevent OOM, and spawn_blocking for stdin reads to avoid blocking the async runtime. Move save_last_sandbox after exec succeeds for consistency. Closes #750
johntmyers
reviewed
Apr 4, 2026
| tokio::task::spawn_blocking(|| { | ||
| let mut buf = Vec::new(); | ||
| std::io::stdin() | ||
| .read_to_end(&mut buf) |
Collaborator
There was a problem hiding this comment.
This is an unbound read into memory before checking the size, could we read MAX_STDIN_PAYLOAD + 1 instead or something?
johntmyers
reviewed
Apr 4, 2026
| } | ||
|
|
||
| // Parse KEY=VALUE environment pairs into a HashMap. | ||
| let environment: HashMap<String, String> = env_pairs |
Collaborator
There was a problem hiding this comment.
What's the behavior of environment variables here? Do they get set as env variables only within the scope of the running process? Would it be possible to replace a global sandbox env (such as an API key?) and start a long running process that exposes sensitive env vars for a long time?
johntmyers
approved these changes
Apr 4, 2026
Collaborator
johntmyers
left a comment
johntmyers
left a comment
There was a problem hiding this comment.
One nit on unbounded read and generally curious if we run any risks on this replacing how long running processes should run esp wrt env var injection
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add
openshell sandbox execsubcommand that runs a command inside an already-running sandbox via the gRPCExecSandboxstreaming RPC, with full--tty/--no-ttysupport and hardened stdin handling.Related Issue
Closes #750
Changes
proto/openshell.proto: Addbool tty = 7field toExecSandboxRequestfor PTY allocationcrates/openshell-cli/src/main.rs: AddExecvariant toSandboxCommandswith--name,--workdir,--env,--timeout,--tty/--no-ttyflags; add dispatch inmain()crates/openshell-cli/src/run.rs: Implementsandbox_exec_grpc()— resolves sandbox, validates phase is Ready, parses env pairs, reads stdin viaspawn_blockingwith 4 MiB size limit, streams gRPC output to stdout/stderr, returns remote exit codecrates/openshell-server/src/grpc.rs: Plumbttyfield throughstream_exec_over_ssh→run_exec_with_russh; callchannel.request_pty()beforechannel.exec()when TTY is requestedDesign decisions
--nameas flag not positional: The issue spec shows<NAME>as positional, but combining a positional name withtrailing_var_argfor command creates parsing ambiguity when relying on the last-used sandbox fallback. The--name/-nflag resolves this cleanly.SandboxPhase::Ready, but the client now provides a user-friendly error message instead of a raw gRPCFAILED_PRECONDITION.save_last_sandboxafter exec: Other subcommands (e.g.,Connect) save after the operation succeeds. Moved to match that pattern.Testing
mise run pre-commitpasses (license check failure is pre-existing localtmp/file, unrelated)e2e/)Checklist