Docker-backed sandbox Runtime for Signoff verifiers.
Project description
signoff-runtime-docker
Docker-backed sandbox Runtime for Signoff verifiers. Implements the
signoff.runtime.Runtime protocol per CLAUDE.md §8.2.
Drop-in replacement for LocalRuntime when verifiers need to execute
untrusted content (running tests / linters on AI-generated code is the
motivating case — see signoff-code, which lands next). Each verifier
invocation gets a fresh ephemeral container; the verifier's own Python
logic still runs in the harness process, but every ctx.exec command
routes through docker exec into the container.
from signoff_runtime_docker import DockerRuntime, DockerRuntimeConfig
runtime = DockerRuntime(DockerRuntimeConfig(verify_signatures=False))
# Pass `runtime` to `Harness(..., runtimes=[LocalRuntime(), runtime])`
# or let `Harness.from_config_path` auto-include it when
# signoff-runtime-docker is installed.
Safe by default: network=none, read-only workspace, read-only root
fs, non-root UID (10001), strict capability drop, PID / memory / CPU
limits, cosign signature verification on pulled images. See
docs/runtimes.md and
docs/deployment.md.
Install: pip install signoff-runtime-docker (pulls the docker
Python SDK as a required dep). Requires a reachable Docker daemon at
the usual socket / DOCKER_HOST.
cosign is optional but strongly recommended. When
verify_signatures=True (the default), the runtime invokes cosign verify on every pulled image; missing cosign fails fast at
prepare() time with a clear error. Set verify_signatures=False
(logs a WARNING) if you're running against locally-built images in a
trusted environment.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file signoff_runtime_docker-0.0.1.tar.gz.
File metadata
- Download URL: signoff_runtime_docker-0.0.1.tar.gz
- Upload date:
- Size: 23.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.8 {"installer":{"name":"uv","version":"0.11.8","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ea33371824caeef2d0f5926428689af05137907ee47e8bad7cf033794ca79fbe
|
|
| MD5 |
094e83ee31a491448a51a75cab095fad
|
|
| BLAKE2b-256 |
c62ffe9f58156caba123f0063346df0bb1cb0f0b34f3acabeb1f0f219d229f2a
|
File details
Details for the file signoff_runtime_docker-0.0.1-py3-none-any.whl.
File metadata
- Download URL: signoff_runtime_docker-0.0.1-py3-none-any.whl
- Upload date:
- Size: 18.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.8 {"installer":{"name":"uv","version":"0.11.8","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
dd1bcce04d601b29dca95512e56223ae8c3413089eb748e399144b0ea471a178
|
|
| MD5 |
0bc7cbed82237864309c57e5c175e3a1
|
|
| BLAKE2b-256 |
69e9c932b049b08f740541fc83fbce128b0c247cf3130715f8396a2228b3929b
|
