
feat(cli): surface active security layer status per sandbox #745

@travisbreaks

Description


Running OpenShell on a Mac Mini M4 (Docker Desktop) to sandbox autonomous agents.

Reading through the policy docs and Landlock compatibility modes, there's no user-facing way to verify which security layers are actually enforced on a running sandbox.

openshell sandbox list shows NAME, PHASE, IMAGE, CREATED. No isolation state. sandbox get and doctor exist but don't surface it either.

On macOS, Landlock, seccomp, and netns all live inside the LinuxKit VM. The Landlock ABI depends on whatever kernel Docker Desktop shipped. Current versions run 6.12.x (ABI V6, full feature set), but older installs could be on 6.10.x (V5) or even 6.6.x (V3, no network isolation). There's no way to tell from the OpenShell CLI. You'd have to SSH into the LinuxKit VM and call landlock_create_ruleset() to find out.

The default best_effort mode makes this worse. If the ABI isn't available, it continues without Landlock. Those warnings go to debug-level logs, not even warning-level. So you get a sandbox that says "Ready" while running without the policy you think is there.

#664 showed how fragile this is. One missing path and the entire Landlock ruleset gets dropped. Fixed, but the visibility is still buried in debug-level logs. #586 proposed surfacing degradation state in openshell status or doctor. Closed as "not planned" because the specific netns concern was already handled, but the broader visibility ask never got picked up.

Right now the trust model is implicit. You have to go digging to prove it exists.

Proposed: surface isolation state directly in the CLI. Either extend sandbox get or add an inspect command:

$ openshell sandbox get my-sandbox --security
Landlock:   active (ABI V6, best_effort, 0 paths skipped)
Seccomp:    active (default profile)
NetNS:      active (veth0 -> bridge)
Platform:   Docker Desktop LinuxKit 6.12.72 (macOS arm64)

If this is the safety layer for autonomous agents, it shouldn't be guesswork.
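A probe of the kind the issue asks for, written in C as an added example (not OpenShell's code): it asks the kernel for its Landlock ABI via landlock_create_ruleset() with LANDLOCK_CREATE_RULESET_VERSION and renders a status line in the proposed format. It assumes it runs inside the Linux kernel that hosts the sandbox (on macOS, inside the LinuxKit VM, not on the host), and uses the fact that TCP network rules require ABI V4 (Linux 6.7).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Syscall number and flag from <linux/landlock.h>, defined here so the probe
 * also builds against older userspace headers. 444 is the number on x86_64 and arm64. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif

/* Ask the running kernel which Landlock ABI it supports.
 * Returns the ABI version (>= 1), or -1 when Landlock is absent or disabled
 * (errno ENOSYS or EOPNOTSUPP); this is the condition a best_effort mode
 * silently continues past. */
int landlock_abi_version(void)
{
    long r = syscall(__NR_landlock_create_ruleset, NULL, 0,
                     LANDLOCK_CREATE_RULESET_VERSION);
    return r < 0 ? -1 : (int)r;
}

/* TCP bind/connect rules arrived with ABI V4 (Linux 6.7); a V3 kernel such
 * as 6.6.x can still restrict the filesystem but cannot restrict the network. */
int landlock_abi_has_net(int abi)
{
    return abi >= 4;
}

/* Render one status line in the format the issue proposes. */
const char *landlock_status_line(int abi, char *buf, size_t len)
{
    if (abi < 1)
        snprintf(buf, len, "Landlock:   unavailable (kernel reports no Landlock; "
                           "best_effort would continue without it)");
    else
        snprintf(buf, len, "Landlock:   active (ABI V%d, network rules %s)",
                 abi, landlock_abi_has_net(abi) ? "supported" : "NOT supported");
    return buf;
}

int main(void)
{
    char line[128];
    int abi = landlock_abi_version();
    if (abi < 0 && errno != ENOSYS && errno != EOPNOTSUPP)
        perror("landlock_create_ruleset"); /* unexpected failure, e.g. EPERM from a seccomp filter */
    puts(landlock_status_line(abi, line, sizeof line));
    return 0;
}
```

Run it inside the VM rather than on the macOS host, since the host kernel is not the one enforcing the sandbox.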
