
Sandbox Capability Detection & Downgrade Logic #5

@fentz26

Description


Objective

Harden Jermator-AI into a safe, deterministic, and production-trustworthy command repair system by reducing LLM risk surface, enforcing structural safety guarantees, and improving observability and rule reliability — without requiring a full architectural rewrite.

Problem

The current sandbox model (a workspace copy) does not isolate:

  • System-level operations (package manager, services, permissions)
  • Global filesystem changes

This creates a false sense of safety.

Goal

Ensure sandbox behavior is explicitly capability-aware.

Scope

Introduce sandbox capability classification:

  • Workspace-safe
  • System-affecting
  • Non-sandboxable

For non-sandboxable fixes:

  • Force dry-run
  • Require explicit user approval
  • Display clear warning: "Cannot be safely sandboxed"

Acceptance Criteria

  • No system-level command executes in the workspace-only sandbox
  • Sandbox limitations are transparent to the user
  • Executor automatically downgrades execution mode when required

Deliverables

  • Sandbox capability detector
  • Execution mode downgrade logic
  • User-facing warning messages
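The three deliverables above (detector, downgrade logic, warning text) fit together as one small gating layer in front of the executor. The following is an added illustration, not Jermator-AI's own code: the token lists used to recognise package managers, service tools, permission tools and privilege wrappers are assumed heuristics, the `ExecutionPlan` shape is invented for the example, and the handling of the System-affecting class (approval required, no dry-run forced) is an assumption since the issue only spells out the Non-sandboxable case. The classifier deliberately over-approximates: a false "system-affecting" costs one approval prompt, while a false "workspace-safe" would run a system change inside a sandbox that cannot contain it, which is exactly the false sense of safety the issue describes.

```python
"""Sandbox capability detection and execution-mode downgrade.

Added example, not Jermator-AI's own code. Token lists, ExecutionPlan
fields and the treatment of system-affecting commands are assumptions.
"""
import shlex
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Capability(Enum):
    WORKSPACE_SAFE = "workspace-safe"
    SYSTEM_AFFECTING = "system-affecting"
    NON_SANDBOXABLE = "non-sandboxable"


# Assumed heuristic lists. They over-approximate on purpose (fail closed).
PRIVILEGE_WRAPPERS = {"sudo", "doas", "su"}
PACKAGE_MANAGERS = {"apt", "apt-get", "dnf", "yum", "pacman", "brew", "snap"}
SERVICE_TOOLS = {"systemctl", "service", "launchctl"}
PERMISSION_TOOLS = {"chmod", "chown", "chgrp", "setfacl"}
GLOBAL_PREFIXES = ("/etc", "/usr", "/bin", "/sbin", "/var", "/boot", "/lib", "/opt", "/root")

CANNOT_SANDBOX_WARNING = "Cannot be safely sandboxed"


@dataclass(frozen=True)
class ExecutionPlan:
    command: str
    capability: Capability
    forced_dry_run: bool      # first pass only shows the command, runs nothing
    requires_approval: bool   # real execution needs explicit user approval
    warning: Optional[str]    # user-facing message, None when nothing to warn about


def classify(command: str) -> Capability:
    """Classify what a repaired command would touch if executed.

    Every token is inspected, not just argv[0], so `cd src && sudo apt ...`
    is judged on the `sudo apt` part and `>> /etc/hosts` on the path.
    """
    try:
        tokens = shlex.split(command)
    except ValueError:
        # Unbalanced quotes: we cannot reason about it, so fail closed.
        return Capability.NON_SANDBOXABLE
    names = set(tokens)
    if names & (PRIVILEGE_WRAPPERS | PACKAGE_MANAGERS | SERVICE_TOOLS):
        # Escalation, package installs and service changes alter host state
        # that a workspace copy simply does not contain.
        return Capability.NON_SANDBOXABLE
    if names & PERMISSION_TOOLS:
        return Capability.SYSTEM_AFFECTING
    if any(tok.startswith(GLOBAL_PREFIXES) for tok in tokens):
        return Capability.SYSTEM_AFFECTING
    return Capability.WORKSPACE_SAFE


def plan(command: str) -> ExecutionPlan:
    """Downgrade the execution mode according to the detected capability."""
    cap = classify(command)
    if cap is Capability.WORKSPACE_SAFE:
        return ExecutionPlan(command, cap, False, False, None)
    if cap is Capability.SYSTEM_AFFECTING:
        # Assumption: may run on the host, never inside the workspace sandbox,
        # and never without the user approving it first.
        return ExecutionPlan(command, cap, False, True,
                             "Affects system state outside the workspace copy; approval required")
    return ExecutionPlan(command, cap, True, True,
                         f"{CANNOT_SANDBOX_WARNING}: forced to dry-run, explicit approval required")


def execute(p: ExecutionPlan, approved: bool = False) -> str:
    """Return the action the executor takes (nothing is actually run here)."""
    if p.capability is Capability.WORKSPACE_SAFE:
        return f"sandbox: {p.command}"
    # Anything beyond workspace-safe never runs in the workspace sandbox.
    if not approved:
        if p.forced_dry_run:
            return f"dry-run: {p.command}"
        return "blocked: awaiting explicit user approval"
    return f"host: {p.command}"


# Constructed sample of "repaired" commands, one per interesting branch.
SAMPLE_FIXES = (
    "make -j4 tests",
    "chmod +x scripts/run.sh",
    "echo '127.0.0.1 app' >> /etc/hosts",
    "sudo apt-get install -y libssl-dev",
    "systemctl restart nginx",
    'git commit -m "unterminated',
)


def report(commands=SAMPLE_FIXES, approved: bool = False) -> List[Tuple[str, str, str]]:
    """(command, capability, action) for each command; what a UI would render."""
    rows = []
    for cmd in commands:
        p = plan(cmd)
        rows.append((cmd, p.capability.value, execute(p, approved)))
    return rows


if __name__ == "__main__":
    for cmd, cap, action in report():
        print(f"[{cap:16}] {action}")
```

Running the module prints one line per sample fix: `make` stays in the sandbox, the `chmod` and the `/etc/hosts` append are blocked pending approval, and the `sudo`, `systemctl` and unparseable commands are downgraded to dry-run with the "Cannot be safely sandboxed" warning attached to their plan. Calling `report(approved=True)` shows the same non-workspace commands moving to host execution, which is the only path by which they ever run.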

Epic

Production Safety Hardening

Metadata


Assignees

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
