Merge pull request #4 from magaransoft/hotfix-sbt-sandbox-exec-policy

hotfix(sbt): both sbt modes require dangerouslyDisableSandbox on macOS + /health childrenAlive

Author: Blanquitoh

README.md

@@ -267,11 +267,21 @@ Why each sandbox write is needed:
   extracts JNI native libraries here on first jdtls start. One-time
   write, then read-only. Standard Eclipse-tooling path; same dir
   VSCode-Java, IntelliJ Eclipse plugin, etc. write to.
-- `/private/var/folders/**/.sbt/**`, `~/.sbt/**`, `~/.ivy2/**`,
-  `~/.coursier/**` — only for `sbt-direct`. sbt's BootServerSocket is
-  created under the macOS per-user tmpdir regardless of `$TMPDIR` env,
-  and Ivy/Coursier cache dependency jars here on first resolve. Native
-  sbt behavior; same dirs any Scala toolchain writes to.
+- `/private/var/folders/**/T/.sbt*/**`, `/private/var/folders/**/.sbt/**`,
+  `~/.sbt/**`, `~/.ivy2/**`, `~/.coursier/**` — for `sbt-direct`
+  dependency-cache writes (Ivy/Coursier resolve on first build) and
+  per-invocation sbt tmpdirs (`.sbt<digits>/`). **Neither oneshot nor
+  bsp mode runs under Claude's Bash sandbox on macOS**: both dlopen a
+  native dylib at runtime (bsp → `libsbtipcsocket*.dylib`, oneshot →
+  `libswoval-files*.dylib` via sbt's `FileTreeRepository`), and macOS
+  governs dylib load via `process-exec*` policy — orthogonal to
+  `file-write*` allowWrite globs. The realpath-twin prefix
+  (`/var/folders/**/...` alongside `/private/var/folders/**/...`) was
+  tested 2026-04-22 and also RED. For either mode, call `sbt-direct`
+  with `dangerouslyDisableSandbox: true`. Verified GREEN 2026-04-22
+  with Claude Bash `/sandbox disabled`: oneshot boots cleanly, no
+  "Operation not permitted", no swoval dylib denial; sbt resolves
+  project + runner versions as expected. See `docs/per-language/sbt.md`.
 - `/private/var/folders/**/.scala-build/**` — only for Scala CLI /
   scala-cli users; safe no-op if you don't use it.
 

bin/sbt-direct

@@ -83,6 +83,15 @@ cmd_start() {
     i=$((i+1))
     [ "$i" -ge "$timeout" ] && { kill "$pid" 2>/dev/null; die "coordinator did not bind port $port within ${timeout}s — check $dir/log"; }
   done
+  # /health reports childrenAlive — catches coordinator binding its HTTP port
+  # before the child sbt JVM died (bsp mode). oneshot has no persistent child
+  # so childrenAlive is trivially true on empty list.
+  local health
+  health="$(curl -fsS -m 2 "http://127.0.0.1:$port/health" 2>/dev/null || true)"
+  if [ -n "$health" ] && [ "$(echo "$health" | jq -r '.childrenAlive // true')" = "false" ]; then
+    kill "$pid" 2>/dev/null
+    die "coordinator bound port $port but child exited — check $dir/log (health: $health)"
+  fi
   echo "started: workspace=$ws port=$port pid=$pid state=$dir"
 }
 

bin/tool-harness.js

@@ -54,11 +54,15 @@ function freePort() {
 // serveHttp — loopback HTTP server exposing GET /health and POST
 // /call (canonical) + POST /lsp (back-compat alias for existing
 // wrappers). The caller supplies onCall({method, params}) → Promise<any>.
-function serveHttp(port, { onCall, meta }) {
+function serveHttp(port, { onCall, meta, statusFn }) {
   const server = http.createServer((req, res) => {
     if (req.method === 'GET' && req.url === '/health') {
+      let extra = {};
+      if (typeof statusFn === 'function') {
+        try { extra = statusFn() || {}; } catch (e) { extra = { statusError: e.message }; }
+      }
       res.writeHead(200, { 'Content-Type': 'application/json' });
-      res.end(JSON.stringify({ ok: true, ...(meta || {}) }));
+      res.end(JSON.stringify({ ok: true, ...(meta || {}), ...extra }));
       return;
     }
     if (req.method === 'POST' && (req.url === '/call' || req.url === '/lsp')) {

bin/tool-server-proxy.js

@@ -163,6 +163,18 @@ async function createProxy({ adapter, workspace, port, toolName }) {
   let invalidationFiredOnLastCall = false;
   const server = serveHttp(port, {
     meta: { workspace, toolName, adopted },
+    statusFn: () => {
+      const list = Object.entries(children).map(([id, c]) => ({
+        id,
+        pid: c.proc.pid,
+        alive: c.proc.exitCode === null && !c.proc.killed,
+        exitCode: c.proc.exitCode,
+      }));
+      return {
+        children: list,
+        childrenAlive: list.every(c => c.alive),
+      };
+    },
     async onCall({ method, params }) {
       const t0 = Date.now();
       invalidationFiredOnLastCall = false;

docs/per-language/sbt.md

@@ -143,30 +143,43 @@ The JVM uses the macOS per-user tmp dir (`/private/var/folders/.../T/`)
 for sbt's BootServerSocket regardless of shell `$TMPDIR`, and for
 dependency-cache writes during Ivy / Coursier resolution. Claude
 Bash default sandbox denies writes there. `scripts/install.sh` pre-
-allows the minimum set automatically:
+allows the dependency-cache paths automatically:
 
 ```json
 "sandbox": { "filesystem": { "allowWrite": [
+  "/private/var/folders/**/T/.sbt*/**",
   "/private/var/folders/**/.sbt/**",
   "~/.sbt/**",
   "~/.ivy2/**",
   "~/.coursier/**"
 ]}}
 ```
 
-With `install.sh` run, sbt-direct works under Claude Bash without any
-per-call bypass flag. Verified against a real multi-module Play 3 /
-Scala 3 project: `sbt-direct call version` reads the project's
-`build.sbt` correctly; `sbt-direct call task
-{"task":"scalafmtCheckAll"}` runs the sbt-scalafmt plugin end-to-end
-and surfaces per-file formatting diffs.
-
-Users who don't run `install.sh` (stand-alone deployment, bespoke
-sandbox config) can either merge the same entries into their
-`~/.claude/settings.json` manually, or call sbt-direct with
-`dangerouslyDisableSandbox: true`. The coordinator, bash wrapper, and
-adapter are all sandbox-neutral — the socket write is the only
-block, and it's strictly in sbt's own boot code.
+`allowWrite` is **not** sufficient for either mode on macOS. Both
+`bsp` and `oneshot` load a native dylib at runtime:
+
+- `bsp` loads `libsbtipcsocket*.dylib` (ipcsocket for persistent server).
+- `oneshot` loads `libswoval-files*.dylib` (swoval file-watcher used by
+  sbt's `FileTreeRepository` during project load).
+
+Both extractions call `Files.createTempFile` under the per-user tmpdir
+(`/var/folders/.../T/.sbt<digits>/swoval/...` or `.../sbtipcsocket/...`)
+and then `System.load`. macOS sandbox-exec governs `dlopen` via
+`process-exec*` policy, orthogonal to `file-write*`. Adding
+`allowWrite` globs for the tmp path — including the realpath twin
+(`/var/folders/**/T/.sbt*/**` alongside the `/private/var/folders/...`
+prefix) — does NOT rescue the load; denial happens at dylib-exec time,
+not at file-create time. Verified 2026-04-22 — both bsp (prior session) and
+oneshot (this session with twin-prefix glob active) RED at same error
+signature class.
+
+Call sbt-direct with `dangerouslyDisableSandbox: true` for either
+mode. There is no sandbox-compatible sbt path on macOS.
+
+Verified GREEN 2026-04-22 with Claude Bash `/sandbox disabled`:
+`SBT_DIRECT_MODE=oneshot sbt-direct call version '{}' <ws>` against a
+real Play/Scala workspace boots sbt cleanly, resolves project +
+runner versions, no dylib "Operation not permitted" in stderr.
 
 ## State directory