docs/Security/Sandboxes/vscode/README.md
Related files: the `.vscode` directory in this repo at this commit.
Install Debian with the username `wekan`, so that the WeKan checkout is the only directory VS Code will have access to:

```
/home/wekan/repos/wekan
```
```bash
sudo apt install flatpak
sudo apt install gnome-software-plugin-flatpak
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
sudo reboot
flatpak install flathub com.visualstudio.code
```
```bash
nano ~/.local/share/applications/wekan-vscode.desktop
```

Content:

```ini
[Desktop Entry]
Name=VS Code - WeKan
Comment=Open the WeKan project with Flatpak
Exec=flatpak run com.visualstudio.code /home/wekan/repos/wekan
Icon=com.visualstudio.code
Terminal=false
Type=Application
Categories=Development;IDE;
StartupWMClass=code
```
This setting is also committed to the repo's VS Code settings under `.vscode`.

This is the most important step. With the default ("native") dialog, File -> Open Folder is served by the host's portal file chooser, which runs outside the sandbox and can browse the whole host filesystem; whatever is picked there is handed to VS Code through the document portal, so the filesystem restriction below could be bypassed from inside the dialog. With the Simple Dialog, VS Code draws its own file picker and can only show what is visible inside the sandbox.

Ctrl + , (Settings), search for "Files: Simple Dialog" (`files.simpleDialog.enable`) and turn it on (check the box).

Run these two commands (the first clears everything, the second sets the limits):
```bash
# Reset previous attempts
sudo flatpak override --reset com.visualstudio.code
# Block EVERYTHING except the display and the wekan folder
sudo flatpak override com.visualstudio.code \
  --nofilesystem=home \
  --nofilesystem=host \
  --nofilesystem=xdg-run/gvfs \
  --nofilesystem=xdg-run/gvfsd \
  --filesystem=~/repos/wekan:rw \
  --device=all \
  --socket=wayland \
  --socket=x11 \
  --share=network
```

`sudo flatpak override` edits the overrides of the system installation. If VS Code was installed with `flatpak install --user`, run the same commands without `sudo` and with `--user`; overrides are per installation, so applying them to the wrong one changes nothing for the VS Code you actually run. Check the result with `flatpak override --show com.visualstudio.code` (add `--user` for a user install) or `flatpak info --show-permissions com.visualstudio.code`.

Two of these grants are wider than the comment suggests. `--device=all` exposes every node under `/dev` (`--device=dri` is enough for GPU acceleration). `--socket=x11` gives the app an unrestricted X11 connection, and X11 has no isolation between clients, so on an X11 session the sandboxed app can read other windows and keystrokes; drop it if VS Code is started with Electron's Wayland flags, otherwise it still needs XWayland. `--share=network` is required for `npm install` and Meteor.
If an earlier attempt set the Chrome sandbox variable in the overrides, remove it:

```bash
sudo flatpak override --unset-env=CHROME_DEVEL_SANDBOX com.visualstudio.code
```

Why: inside this Flatpak, `/usr/sbin/chrome-devel-sandbox` does not exist, and Chromium aborts at startup if that variable points to a missing helper.
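The override command states the intended policy; the check a practitioner wants is whether the sandbox VS Code actually runs in matches it. The script below is an added example written for this page (it is not part of the WeKan repo or its `.vscode` files). It parses the `[Context]` section that both `flatpak info --show-permissions com.visualstudio.code` (on the host) and `/.flatpak-info` (which Flatpak places at the root of every sandbox, so it is readable from the VS Code integrated terminal) carry, fails if `home`/`host` are granted positively or `~/repos/wekan` is missing, warns about the broad `devices=all` and `x11` grants, and probes from inside the sandbox that typical secrets in the real home directory do not resolve. Assumptions: `~/repos/wekan` is the only path that must be reachable, a leading `!` marks a denied filesystem entry (Flatpak's `--nofilesystem` notation), and the `:ro`/`:rw`/`:create` suffixes can be ignored when matching.

```shell
#!/bin/sh
# Added example (not from the WeKan repo): audit the effective Flatpak [Context]
# of the sandboxed VS Code and probe the sandbox from the inside.
# Input file: `flatpak info --show-permissions com.visualstudio.code > ctx.txt`
# on the host, or /.flatpak-info inside the sandbox. Both use `key=a;b;c;` lines.

# Assumption: the only filesystem grant the policy needs.
WANT_FS='~/repos/wekan'

# context_value FILE KEY: print the value of KEY from the [Context] section
# (empty if the key or the section is absent).
context_value() {
  awk -v key="$2" '
    /^\[/ { insec = ($0 == "[Context]"); next }
    insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
  ' "$1"
}

# fs_has LIST ITEM: succeed if ITEM is a positive entry of the ;-separated LIST.
# Suffixes after ':' (ro/rw/create) are ignored; "!home" never matches "home".
fs_has() {
  list=$1; want=$2
  old_ifs=$IFS; IFS=';'
  for entry in $list; do
    base=${entry%%:*}
    if [ "$base" = "$want" ]; then IFS=$old_ifs; return 0; fi
  done
  IFS=$old_ifs
  return 1
}

# audit_context FILE: print one line per finding; exit 0 only if no FAIL.
audit_context() {
  f=$1; rc=0
  fs=$(context_value "$f" filesystems)
  sockets=$(context_value "$f" sockets)
  devices=$(context_value "$f" devices)

  # Any positive broad grant makes the wekan-only restriction meaningless.
  for broad in home host host-os host-etc xdg-config xdg-data; do
    if fs_has "$fs" "$broad"; then
      echo "FAIL filesystems grants '$broad'"; rc=1
    fi
  done
  if fs_has "$fs" "$WANT_FS"; then
    echo "ok   filesystems grants $WANT_FS"
  else
    echo "FAIL filesystems does not grant $WANT_FS (VS Code cannot open the repo)"; rc=1
  fi

  # Not fatal for this setup, but each of these widens what the sandbox reaches.
  fs_has "$devices" all && echo "WARN devices=all exposes every /dev node; --device=dri is enough for GPU"
  fs_has "$sockets" x11 && echo "WARN sockets=x11: X11 has no client isolation"
  fs_has "$sockets" session-bus && echo "WARN sockets=session-bus: unrestricted session D-Bus"
  return $rc
}

# probe_hidden PATH...: inside the sandbox the real home is not mounted, so paths
# outside ~/repos/wekan must not resolve at all. Exit 0 only if all are hidden.
probe_hidden() {
  rc=0
  for p in "$@"; do
    if [ -e "$p" ]; then echo "FAIL visible: $p"; rc=1; else echo "ok   hidden:  $p"; fi
  done
  return $rc
}

# Usage from the VS Code integrated terminal; a no-op when not inside Flatpak.
if [ -r /.flatpak-info ]; then
  audit_context /.flatpak-info
  probe_hidden "$HOME/.ssh" "$HOME/.gnupg" "$HOME/.bash_history"
fi
```

Run it once after every `flatpak override` change and once from the integrated terminal: the first run catches a policy applied to the wrong installation (system vs `--user`), the second catches a dialog or extension that pulled host paths in through the document portal.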
Now File -> Open Folder shows only `~/repos/wekan`.

These were found already present in this sandboxed setup:

- /home/wekan/repos/wekan/.tools/node-v22.13.1-linux-x64/bin/node
- /home/wekan/repos/wekan/.tools/node-v22.13.1-linux-x64/bin/npm
- /home/wekan/repos/wekan/.tools/node-v22.13.1-linux-x64/bin/npx
- /home/wekan/.meteor/meteor
- /home/wekan/.var/app/com.visualstudio.code/cache/ms-playwright/chromium-1223/chrome-linux64/chrome
- /app/extra/vscode/chrome-sandbox

Open the VS Code integrated terminal and run:
```bash
cd /home/wekan/repos/wekan
# 1) Use repo-local Node/npm/npx
export PATH="$PWD/.tools/node-v22.13.1-linux-x64/bin:$PATH"
# 2) Use Meteor CLI installed at ~/.meteor (if present)
export PATH="/home/wekan/.meteor:$PATH"
# 3) IMPORTANT: avoid bad host path inherited from old overrides
unset CHROME_DEVEL_SANDBOX
# 4) Keep Playwright browsers in Flatpak-private cache
export PLAYWRIGHT_BROWSERS_PATH="/home/wekan/.var/app/com.visualstudio.code/cache/ms-playwright"
```
Quick checks:

```bash
node -v
npm -v
npx playwright --version
meteor --version
```
If `meteor` is missing the first time, bootstrap it from the local Node:

```bash
cd /home/wekan/repos/wekan
export PATH="$PWD/.tools/node-v22.13.1-linux-x64/bin:$PATH"
npx -y meteor
export PATH="/home/wekan/.meteor:$PATH"
```
If you keep `--nofilesystem=home`, allow the Meteor directory explicitly (same installation, system or `--user`, as the overrides above):

```bash
sudo flatpak override com.visualstudio.code --filesystem=~/.meteor:rw
```
Install Playwright deps and run Chromium-only tests:

```bash
cd /home/wekan/repos/wekan/tests/playwright
export PATH="/home/wekan/repos/wekan/.tools/node-v22.13.1-linux-x64/bin:$PATH"
unset CHROME_DEVEL_SANDBOX
export PLAYWRIGHT_BROWSERS_PATH="/home/wekan/.var/app/com.visualstudio.code/cache/ms-playwright"
npm install
npx playwright test --project=chromium
```
This runs the headless browser tests inside the Flatpak-sandboxed VS Code terminal; no external or native browser window is needed.
Smoke test that Chromium itself launches inside the sandbox:

```bash
cd /home/wekan/repos/wekan/tests/playwright
export PATH="/home/wekan/repos/wekan/.tools/node-v22.13.1-linux-x64/bin:$PATH"
unset CHROME_DEVEL_SANDBOX
node -e "(async()=>{const {chromium}=require('playwright');const b=await chromium.launch({headless:true,args:['--no-sandbox']});const p=await b.newPage();await p.goto('about:blank');console.log('PW_OK');await b.close();})().catch(e=>{console.error(e);process.exit(1);});"
```

If the output is `PW_OK`, headless Chromium launch is working inside the sandbox.

`--no-sandbox` is needed because Chromium's own sandbox cannot be set up inside Flatpak: the shipped `chrome-sandbox` helper cannot be setuid there, and the bubblewrap sandbox does not allow creating new user namespaces. Playwright's test runner already launches Chromium this way by default (`chromiumSandbox: false`), so `npx playwright test` behaves the same. The Flatpak sandbox is then the only isolation around the browser process, which is acceptable for tests against the local WeKan instance but not for browsing untrusted sites.