Skip to content

feat: split filesystem backend into core and DMZ backends#522

Merged
avoidwork merged 3 commits into
mainfrom
feat/split-filesystem-backend
Jul 3, 2026
Merged

feat: split filesystem backend into core and DMZ backends#522
avoidwork merged 3 commits into
mainfrom
feat/split-filesystem-backend

Conversation

@avoidwork

@avoidwork avoidwork commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Summary

Split the monolithic FilesystemBackend into two specialized backends: a sandboxed core backend and a /tmp-sandboxed DMZ backend for fallback operations.

Changes

  • coreBackend.js: Sandboxed to process.cwd() with virtualMode: true
  • dmzBackend.js (new): Sandboxed to /tmp with virtualMode: false as fallback backend
  • deepAgents.js: Wires both backends via CompositeBackend

Rationale

Separates concerns between the agent's sandboxed workspace (core, rooted at process.cwd()) and a restricted fallback backend (DMZ, rooted at /tmp). The context directory is handled separately via the contextBackend route. This provides clear security boundaries — neither backend has unrestricted root access.

Files Changed

  • src/agent/coreBackend.js (modified)
  • src/agent/deepAgents.js (modified)
  • src/agent/dmzBackend.js (new)

avoidwork added 3 commits July 3, 2026 14:27
- Sandboxed core backend to current working directory with virtual mode
- New DMZ backend for unrestricted root access (context directory)
- Refactor deepAgents to wire both backends via CompositeBackend
@avoidwork avoidwork merged commit bc84e81 into main Jul 3, 2026
2 checks passed
@avoidwork avoidwork deleted the feat/split-filesystem-backend branch July 3, 2026 18:46
@avoidwork avoidwork mentioned this pull request Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant