cli: --dry-run flag for sb exec (evaluate policy, emit receipt, skip execve) #2

@tomjwxf

Context

AGT's `GovernanceSkill.check_policy(action, context)` is pure evaluation:
it returns a `PolicyDecision` without actually running the action. `sb exec`
today evaluates and runs. The `SbRuntimeSkill` shim currently works around
this by reading the receipt the `sb` binary emits before it calls execve,
which is brittle.

A first-class --dry-run flag would:

  • Evaluate Cedar
  • Emit a signed receipt (marked `dry_run: true` in its context)
  • Exit 0 for allow, 2 for deny
  • Not apply sandbox
  • Not call execve

Acceptance criteria

  • `sb exec --dry-run --policy P -- CMD ARGS...` exits 0/2 based on policy
  • Emitted receipt has `context.dry_run: true`
  • `SbRuntimeSkill` updated to pass `--dry-run` and `SB_DRY_RUN` env
    handling removed
  • Unit test + CI smoke for both allow + deny paths

Release target

v0.1.1.
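
A caller-side sketch of the contract above, added here as an example; it is not code from this repository or from AGT. It assumes the receipt is JSON written to stdout (the issue does not say where or in what format the receipt is emitted), and the names `interpret`, `check_policy`, `build_argv` and `DryRunError` are hypothetical. Signature verification is left out because the receipt format is not specified on this page.

```python
import json
import subprocess

ALLOW_EXIT, DENY_EXIT = 0, 2  # exit codes proposed in this issue


class DryRunError(Exception):
    """The dry run produced no trustworthy decision; callers must not proceed."""


def build_argv(policy, cmd, sb="sb"):
    # Same shape as the acceptance criterion: sb exec --dry-run --policy P -- CMD ARGS...
    return [sb, "exec", "--dry-run", "--policy", policy, "--", *cmd]


def interpret(returncode, receipt_text):
    """Map (exit code, receipt) to True (allow) or False (deny), failing closed."""
    if returncode not in (ALLOW_EXIT, DENY_EXIT):
        # Crash, usage error or signal: this is not a policy decision.
        raise DryRunError(f"unexpected exit code {returncode}")
    try:
        receipt = json.loads(receipt_text)  # assumption: JSON receipt on stdout
    except (TypeError, ValueError) as exc:
        raise DryRunError("receipt is missing or not JSON") from exc
    context = receipt.get("context") if isinstance(receipt, dict) else None
    # Require the literal boolean true; a truthy string such as "false" must not pass.
    if not isinstance(context, dict) or context.get("dry_run") is not True:
        raise DryRunError("receipt is not marked context.dry_run: true")
    return returncode == ALLOW_EXIT


def check_policy(policy, cmd, run=subprocess.run):
    """Evaluate without executing. `run` is injectable so tests need no sb binary."""
    proc = run(build_argv(policy, cmd), capture_output=True, text=True, timeout=10)
    return interpret(proc.returncode, proc.stdout)
```

Treating every exit code other than 0 and 2 as an error, rather than as deny or allow, keeps a crashed evaluation from being mistaken for a policy decision.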

Labels: enhancement