ultraworkers-claw-code/rust/crates
Yeachan-Heo 2d09bf9961 Make sandbox isolation behavior explicit and inspectable
This adds a small runtime sandbox policy/status layer, threads
sandbox options through the bash tool, and exposes `/sandbox`
status reporting in the CLI. Linux namespace/network isolation
is best-effort and intentionally reported as requested vs active
so the feature does not overclaim guarantees on unsupported
hosts or nested container environments.

Constraint: No new dependencies for isolation support
Constraint: Must keep filesystem restriction claims honest unless hard mount isolation succeeds
Rejected: External sandbox/container wrapper | too heavy for this workspace and request
Rejected: Inline bash-only changes without shared status model | weaker testability and poorer CLI visibility
Confidence: medium
Scope-risk: moderate
Reversibility: clean
Directive: Treat this as observable best-effort isolation, not a hard security boundary, unless stronger mount enforcement is added later
Tested: cargo fmt --all; cargo clippy --workspace --all-targets --all-features -- -D warnings; cargo test --workspace
Not-tested: Manual `/sandbox` REPL run on a real nested-container host
2026-04-01 01:14:38 +00:00
api Enable saved OAuth startup auth without breaking local version output 2026-04-01 00:24:55 +00:00
commands Make sandbox isolation behavior explicit and inspectable 2026-04-01 01:14:38 +00:00
compat-harness Merge remote-tracking branch 'origin/rcc/cli' into dev/rust 2026-03-31 20:46:07 +00:00
runtime Make sandbox isolation behavior explicit and inspectable 2026-04-01 01:14:38 +00:00
rusty-claude-cli Make sandbox isolation behavior explicit and inspectable 2026-04-01 01:14:38 +00:00
tools Make sandbox isolation behavior explicit and inspectable 2026-04-01 01:14:38 +00:00