docs: document filesystem policies in sbx policy ls #25388
Draft
dvdksn wants to merge 2 commits into
Filesystem policy rules are now visible in `sbx policy ls` (TYPE shows `filesystem:read`/`filesystem:write`, filterable with `--type filesystem`), and a writable workspace mount requires both read and write access. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
docker-agent
left a comment
Assessment: 🟢 APPROVE
The changes accurately document filesystem policy rules ( / ) across three governance pages. No broken commands, missing redirects, vendored-file edits, or markdown issues were found.
Only minor style observations (all LOW severity, no inline comments required):
- monitoring.md line 153: Negative contraction `aren't` — style guide prefers `are not` to avoid informal contractions in disclaimers.
- concepts.md line 85: Phrasing `the denial reason names whether` is slightly ambiguous; `indicates whether` would be marginally clearer.
- org.md line 74: `allowing read alone permits a read-only mount` — minor passive feel; `allowing read access alone mounts the workspace read-only` is more direct.
None of these block the PR.
Point org.md to Policy concepts for the read+write requirement instead of restating it, since the page already links there for filesystem rule syntax. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Description
Surfaces filesystem policy rules in the CLI policy views and changes how writable workspace mounts are authorized.
Changes:
- `governance/monitoring.md` — Adds a "Filesystem rules" subsection to `sbx policy ls`, with example output showing the `filesystem:read`/`filesystem:write` `TYPE` values and the `--type filesystem` filter. Updates the `TYPE` column description. Notes that `sbx policy log` still records network traffic only (filesystem log entries aren't supported yet).
- `governance/concepts.md` — Notes in the Filesystem rules section that a writable workspace must be allowed by both a `read` and a `write` rule, and that mount denials name which access was missing.
- `governance/org.md` — Adds the same read+write requirement to the org-level Filesystem policies section.

I did not touch `release-notes.md` — that page is auto-generated (`<!-- BEGIN GENERATED RELEASES -->`) and this change hasn't shipped in a tagged release yet.

Related issues
Upstream: docker/sandboxes#3604
🤖 Generated with Claude Code