Sandbox-Policy-Lint
Verified by Dryade
Description
Static analyzer for sandbox_policy YAML blueprints; CI-invokable lint
Details
sandbox-policy-lint
Static analyzer for sandbox_policy YAML blueprint files. Designed to be
invoked from CI to catch over-permissive sandbox configurations before
they ship.
Rules
| Code | Level | Description |
| ------ | ----- | ------------------------------------------------------------------ |
| REQ001 | error | Required field missing (name, filesystem_policy, ...). |
| FS001 | error | filesystem_policy.read_only includes a root path (/, /etc). |
| FS002 | error | filesystem_policy.read_write includes a root path. |
| EG001 | error | egress_policy.allowed_hosts contains a bare wildcard. |
| EG002 | warn | egress_policy.allowed_hosts contains a wildcard subdomain. |
| RES001 | warn | resource_limits.max_memory_mb not set. |
| RES002 | warn | resource_limits.max_cpu_seconds not set. |
Usage (CI)
```bash
python -m plugin path/to/policies/   # exits 1 on any error
python -m plugin policy.yaml --warn-as-error
```
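To show how the rule table maps onto concrete checks, the sketch below is an added example, not the plugin's own code. It applies the rules to two constructed policies given as the dicts a YAML loader would produce. Assumptions: the root-path set holds only the two paths the table names, the required-field list holds only the two fields shown, and `--warn-as-error` makes warnings fail the run.

```python
# Added illustration, not the plugin's source. Rule codes and field names come
# from the rules table; the matching details are assumptions.
import posixpath

REQUIRED = ("name", "filesystem_policy")  # the page elides the rest of the list
ROOT_PATHS = {"/", "/etc"}                # only the two examples the page gives

def _norm(path):
    # Collapse "/etc/", "//etc" and "/etc/." so they compare equal to "/etc".
    return posixpath.normpath("/" + path.lstrip("/")) if path.startswith("/") else path

def lint(policy):
    """Return sorted (code, level) findings for one parsed policy mapping."""
    found = set()
    if any(field not in policy for field in REQUIRED):
        found.add(("REQ001", "error"))
    fs = policy.get("filesystem_policy") or {}
    for key, code in (("read_only", "FS001"), ("read_write", "FS002")):
        if any(_norm(p) in ROOT_PATHS for p in fs.get(key) or []):
            found.add((code, "error"))
    for host in (policy.get("egress_policy") or {}).get("allowed_hosts") or []:
        if host.strip() == "*":
            found.add(("EG001", "error"))      # any destination allowed
        elif host.strip().startswith("*."):
            found.add(("EG002", "warn"))       # every subdomain allowed
    limits = policy.get("resource_limits") or {}
    for key, code in (("max_memory_mb", "RES001"), ("max_cpu_seconds", "RES002")):
        if limits.get(key) is None:
            found.add((code, "warn"))
    return sorted(found)

def exit_code(findings, warn_as_error=False):
    """1 on any error; with warn_as_error, warnings count too (assumed semantics)."""
    return int(any(level == "error" or warn_as_error for _, level in findings))

# Constructed sample policies, as the dicts a YAML loader would produce.
LOOSE = {"name": "build-agent",
         "filesystem_policy": {"read_only": ["/etc/"], "read_write": ["/"]},
         "egress_policy": {"allowed_hosts": ["*", "*.example.com"]}}
TIGHT = {"name": "build-agent",
         "filesystem_policy": {"read_only": ["/usr/lib"], "read_write": ["/workspace"]},
         "egress_policy": {"allowed_hosts": ["pypi.org"]},
         "resource_limits": {"max_memory_mb": 512, "max_cpu_seconds": 60}}

if __name__ == "__main__":
    for label, policy in (("loose", LOOSE), ("tight", TIGHT)):
        findings = lint(policy)
        print(label, exit_code(findings), findings)
```

The loose policy lists `/etc/` with a trailing slash, which is why the sketch normalises paths before comparing them against the root set.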
Tier
starter
Requires starter tier subscription