Avoid host imports during sandbox fn package discovery #1402

Open
xeophon wants to merge 1 commit into main from fix-sandboxed-fn-package-vulnerability
@xeophon xeophon commented May 17, 2026

Motivation

  • importlib.util.find_spec() can import parent packages while resolving dotted program.fn refs, which lets local __init__.py code run on the host before the sandbox boundary.
  • The fix should keep sandbox package discovery for nested local packages without host-side imports.

Description

  • Resolve only the top-level module from a dotted program.fn ref with importlib.util.find_spec(). This avoids the parent-import behavior because the name passed to find_spec() is not dotted.
  • For nested local refs, compute the immediate parent search path from the top-level package locations and delegate the actual nested lookup to importlib.machinery.PathFinder.find_spec().
  • Reject dotted refs below a local non-package module, such as plain_program.child:run, instead of silently treating plain_program.py as the package root.
  • Preserve stdlib/built-in/frozen refs such as json, os.path, and collections.abc as no-package cases.
  • Cover top-level, nested package, stdlib alias, and invalid local dotted-module refs in regression tests.

Testing

  • uv run ruff check --fix .
  • uv run ruff format
  • uv run ty check verifiers
  • uv run pre-commit run semgrep-v1-policy --config .pre-commit-config.yaml --all-files
  • uv run pytest tests/test_v1_runtime_lifecycle.py -k sandbox_fn_program
  • uv run pre-commit run --all-files

Note

Medium Risk
Medium risk because it changes how program.fn dotted module refs are resolved (including new ImportError cases), which can affect which packages get installed into the sandbox and which refs are considered valid.

Overview
Prevents host-side imports during sandbox program.fn package discovery. sandbox_program_package now calls find_spec() only on the top-level module and resolves dotted/nested modules via PathFinder over computed search paths, avoiding executing local __init__.py code on the host.

Tightens resolution behavior by rejecting dotted children of single-file local modules (raising ImportError) while preserving the existing behavior of treating stdlib/built-in/frozen modules (e.g. json, os.path, collections.abc) as no local package to install.

Tests add regression coverage ensuring package discovery does not create side effects (sys.modules entries or marker files) and validating nested-package resolution and new error cases.

Reviewed by Cursor Bugbot for commit cad4b9e. Bugbot is set up for automated code reviews on this repo.

Note

Avoid host imports during sandbox function package discovery

  • sandbox_program_package in sandbox_program_utils.py now resolves the root package spec via importlib.util.find_spec without importing it, then uses PathFinder.find_spec to resolve nested dotted paths against the root's search locations.
  • module_source_paths now raises ImportError when a dotted child of a local module cannot be resolved, or when resolution yields a mismatched local module.
  • Returns an empty path list for stdlib or fully external modules, so sandbox_program_package correctly returns None for those cases.
  • Tests are extended to assert that no marker file is created and the package does not appear in sys.modules after resolution, confirming no imports occur.

Macroscope summarized cad4b9e.
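
The behaviour described in the PR description above, as an added example that is not part of the pull request or the project's code: it shows `importlib.util.find_spec()` executing a parent package's `__init__.py` for a dotted name, next to a top-level-then-`PathFinder` lookup that does not. The package names, `make_package`, `resolve_without_import` and `demo` are hypothetical, the packages are constructed in a temporary directory, and the project's handling of stdlib refs such as `os.path` is not modelled.

```python
import importlib.util
import sys
import tempfile
from importlib.machinery import PathFinder
from pathlib import Path

# Constructed __init__.py: leaves a MARKER file beside itself whenever it executes.
INIT_SRC = "from pathlib import Path\nPath(__file__).with_name('MARKER').write_text('ran')\n"

def make_package(root: Path, name: str) -> Path:
    pkg = root / name
    pkg.mkdir()
    (pkg / "__init__.py").write_text(INIT_SRC)
    (pkg / "child.py").write_text("def run():\n    return 'ok'\n")
    return pkg

def resolve_without_import(dotted: str):
    """find_spec() on the top-level name only, then PathFinder for each nested part."""
    top, *rest = dotted.split(".")
    spec = importlib.util.find_spec(top)  # undotted name, so no parent is imported
    name = top
    for part in rest:
        if spec is None or spec.submodule_search_locations is None:
            raise ImportError(f"cannot resolve {dotted!r}: {name!r} is not a package")
        name = f"{name}.{part}"
        spec = PathFinder.find_spec(name, list(spec.submodule_search_locations))
    return spec

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        unsafe_pkg = make_package(root, "constructed_pkg_unsafe")
        safe_pkg = make_package(root, "constructed_pkg_safe")
        sys.path.insert(0, tmp)
        importlib.invalidate_caches()
        try:
            # Dotted name: importlib imports the parent package to find the child.
            importlib.util.find_spec("constructed_pkg_unsafe.child")
            spec = resolve_without_import("constructed_pkg_safe.child")
            return {
                "unsafe_marker": (unsafe_pkg / "MARKER").exists(),
                "unsafe_in_sys_modules": "constructed_pkg_unsafe" in sys.modules,
                "safe_marker": (safe_pkg / "MARKER").exists(),
                "safe_in_sys_modules": "constructed_pkg_safe" in sys.modules,
                "safe_origin_name": Path(spec.origin).name,
            }
        finally:
            sys.path.remove(tmp)
            sys.modules.pop("constructed_pkg_unsafe", None)
```

The two checks on the safe package (no marker file, no `sys.modules` entry) are the same side-effect assertions the PR's regression tests are described as making.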

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 99862ae37f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread verifiers/v1/utils/sandbox_program_utils.py Outdated
@xeophon xeophon force-pushed the fix-sandboxed-fn-package-vulnerability branch from 99862ae to 1fe20a0 Compare May 17, 2026 15:13
macroscopeapp Bot commented May 17, 2026

Approvability

Verdict: Needs human review

Unable to check for correctness in cad4b9e. Changes module resolution logic in sandbox program utilities, introducing new nested module handling with custom path construction and new error conditions. While the intent is to avoid side effects from imports, the complexity of the resolution changes warrants careful review.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1fe20a0076

Comment thread verifiers/v1/utils/sandbox_program_utils.py Outdated
@xeophon xeophon force-pushed the fix-sandboxed-fn-package-vulnerability branch from 1fe20a0 to 4ed235f Compare May 17, 2026 15:21
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4ed235f49e

Comment thread verifiers/v1/utils/sandbox_program_utils.py
@xeophon xeophon force-pushed the fix-sandboxed-fn-package-vulnerability branch from 4ed235f to 7795c22 Compare May 17, 2026 15:33
@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 7795c22.

Comment thread verifiers/v1/utils/sandbox_program_utils.py Outdated
@xeophon xeophon force-pushed the fix-sandboxed-fn-package-vulnerability branch from 7795c22 to f4973a8 Compare May 18, 2026 08:03
@xeophon xeophon requested a review from willccbb May 18, 2026 09:42
@xeophon xeophon force-pushed the fix-sandboxed-fn-package-vulnerability branch from f4973a8 to cad4b9e Compare May 18, 2026 09:47