ask-sandbox-providers 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3b83198ae39be1c53ff4176db41a259387ad4919f005ab896cea2107b74f604e
+  data.tar.gz: 90199037118afe7acdfbcd957107ff3c05c30cd54f0f7433be03195da08cb23e
+SHA512:
+  metadata.gz: fd54a037c2b1c7af1bb232497ddd1f16d5b94a998b1b4dd8365ebd64e46be9ecff80bb3a91f8562fc6c64d91173531608496205e3a5d0654f2bd8e0501277d3a
+  data.tar.gz: '079fbe78d05bd89be7662a14b4e3e8c12f80b4f507c9622353f0304d8fa345e91d6f705c22250d9af4e0b1e8a72ebb0e18681bc8e55e6b8a271fbb65789a7e68'

data/CHANGELOG.md

@@ -0,0 +1,13 @@
+# Changelog
+
+## [0.1.0] - Unreleased
+
+### Added
+- Initial release
+- `Ask::Sandbox::Local` — subprocess execution with resource limits (rlimits, process group, tempdir)
+- `Ask::Sandbox::Docker` — Docker container execution with hardened security flags
+- `Ask::Sandbox::Daytona` — remote sandbox via the official Daytona SDK
+- `Ask::Sandbox::Cloudflare` — Cloudflare Workers sandbox via a proxy Worker
+- `Ask::Sandbox::Base` — abstract base class with unified `#call` interface
+- Global provider configuration via `Ask::Sandbox.provider`
+- Migration of `ask-tools-shell` Code and Bash tools to use sandbox providers

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Kaka Ruto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,131 @@
+# ask-sandbox-providers
+
+[![Gem Version](https://badge.fury.io/rb/ask-sandbox-providers.svg)](https://badge.fury.io/rb/ask-sandbox-providers)
+
+Sandbox providers for the ask-rb ecosystem. Isolated code execution via four backends:
+
+| Provider | Isolation | Speed | Requirement |
+|---|---|---|---|
+| `Local` | Process + rlimits (CPU, memory, processes, file size) | Instant | None (stdlib) |
+| `Docker` | Full container (read-only rootfs, no network, no capabilities) | ~1s | Docker daemon |
+| `Daytona` | Remote container via Daytona API | ~2-5s | `daytona` gem, API key |
+| `Cloudflare` | Cloudflare Workers sandbox via proxy Worker | ~1-3s | Proxy Worker URL |
+
+## Installation
+
+```ruby
+gem "ask-sandbox-providers"
+```
+
+## Quick Start
+
+```ruby
+require "ask-sandbox-providers"
+
+# Default: Local (subprocess + rlimits on macOS/Linux)
+result = Ask::Sandbox.provider.call(["ruby", "-e", "puts 1+1"])
+puts result.stdout  # => "1\n"
+puts result.exit_code  # => 0
+puts result.timed_out  # => false
+```
+
+### Configure a different provider
+
+```ruby
+# Docker (requires Docker daemon)
+Ask::Sandbox.provider = Ask::Sandbox::Docker.new(
+  image: "ruby:3.4-alpine",
+  memory: "256m",
+  network: false
+)
+
+# Daytona (requires `daytona` gem + API key)
+Ask::Sandbox.provider = Ask::Sandbox::Daytona.new(
+  api_key: Ask::Auth.lookup("DAYTONA_API_KEY"),
+  server_url: "https://api.daytona.io"
+)
+
+# Cloudflare (requires a deployed proxy Worker)
+Ask::Sandbox.provider = Ask::Sandbox::Cloudflare.new(
+  worker_url: "https://sandbox-proxy.my-worker.workers.dev",
+  auth_token: ENV["CLOUDFLARE_SANDBOX_TOKEN"]
+)
+```
+
+### String vs Array commands
+
+```ruby
+# String → executed via shell (bash -c)
+Ask::Sandbox.provider.call("ls -la | head -5")
+
+# Array → executed directly, no shell (safer for untrusted input)
+Ask::Sandbox.provider.call(["ruby", "-e", "puts ENV['HOME']"])
+```
+
+### Return value
+
+All providers return an `Ask::Sandbox::Result`:
+
+```ruby
+Result = Data.define(:stdout, :stderr, :exit_code, :timed_out)
+```
+
+## Provider Details
+
+### Local
+
+The default provider. Runs commands in a temp directory with:
+
+- **Process group isolation** — all child processes are killed on timeout
+- **`Process.setrlimit`** — CPU (10s), address space (2GB), processes (50), file size (10MB), FDs (200)
+- **Temp directory** — execution sandbox is auto-cleaned
+- **Environment sanitization** — Bundler/Ruby env vars stripped
+
+Available on every platform where Ruby runs (macOS, Linux). Zero external dependencies.
+
+### Docker
+
+Runs commands in a Docker container with security hardening:
+
+- `--read-only` — read-only root filesystem
+- `--cap-drop ALL` — no Linux capabilities
+- `--security-opt no-new-privileges` — no privilege escalation
+- `--network none` — no network egress (configurable)
+- `--memory`, `--cpus`, `--pids-limit` — resource limits
+- `--rm` — auto-cleanup on exit
+
+### Daytona
+
+Runs commands in a Daytona sandbox via the official `daytona` gem. Daytona provides secure, elastic sandboxes with full isolation, dedicated kernel, filesystem, and network stack. See [daytona.io/docs](https://www.daytona.io/docs).
+
+### Cloudflare
+
+Runs commands in a Cloudflare Workers sandbox. Requires deploying a proxy Worker that wraps `@cloudflare/sandbox`. See the [Cloudflare Sandbox SDK docs](https://developers.cloudflare.com/sandbox/) for setup.
+
+## Migration from Direct Open3 Usage
+
+If you're upgrading from `ask-tools-shell` v0.1.0 where `Code` and `Bash` tools called
+`Open3.popen3` directly — no action needed. The default `Ask::Sandbox::Local` provider
+behaves identically. To enable stronger isolation, switch the provider:
+
+```ruby
+# Before: direct Open3 (implicit Local)
+Ask::Tools::Code.new.call(code: "puts 1")
+
+# After: configure Docker for stronger isolation
+Ask::Sandbox.provider = Ask::Sandbox::Docker.new
+# The Code tool now runs code inside a Docker container automatically
+```
+
+## Development
+
+```bash
+git clone https://github.com/ask-rb/ask-sandbox-providers.git
+cd ask-sandbox-providers
+bundle install
+bundle exec rake test
+```
+
+## License
+
+MIT

data/lib/ask/sandbox/base.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Ask
+  module Sandbox
+    # @!group Errors
+
+    # Base error class for all sandbox provider errors.
+    class Error < StandardError; end
+
+    # Raised when a provider is misconfigured (missing API key, invalid image, etc.).
+    class ConfigurationError < Error; end
+
+    # Raised when a provider's runtime is unavailable (Docker not running, etc.).
+    class ProviderUnavailable < Error; end
+
+    # Raised when execution fails unexpectedly.
+    class ExecutionError < Error; end
+
+    # @!endgroup
+
+    # Structured result from a sandbox command execution.
+    #
+    # @!attribute [r] stdout
+    #   @return [String] captured standard output
+    # @!attribute [r] stderr
+    #   @return [String] captured standard error
+    # @!attribute [r] exit_code
+    #   @return [Integer, nil] process exit code (nil if killed by signal)
+    # @!attribute [r] timed_out
+    #   @return [Boolean] whether execution was terminated due to timeout
+    Result = Data.define(:stdout, :stderr, :exit_code, :timed_out) do
+      # @return [Boolean] true if the command exited successfully (exit code 0)
+      def success?
+        exit_code == 0
+      end
+    end
+
+    # Abstract base class for all sandbox providers.
+    #
+    # A sandbox provider is responsible for executing commands in an isolated
+    # environment. Subclasses implement +#call+ which runs a command and returns
+    # an {Ask::Sandbox::Result}.
+    #
+    # @example
+    #   sandbox = Ask::Sandbox::Local.new
+    #   result = sandbox.call("ls -la", timeout: 10)
+    #   result.stdout  # => "..."
+    #   result.exit_code  # => 0
+    #
+    class Base
+      # Execute a command in the sandbox.
+      #
+      # @param command [String, Array<String>]
+      #   When a String, executed via a shell (bash -c).
+      #   When an Array, executed directly with no shell interpretation.
+      # @param timeout [Integer] max execution time in seconds (default: 30)
+      # @param workdir [String, nil] working directory inside the sandbox
+      # @param env [Hash{String => String}] extra environment variables
+      # @param stdin [String, nil] data to pipe to the command's stdin
+      # @return [Ask::Sandbox::Result]
+      def call(command, timeout: 30, workdir: nil, env: {}, stdin: nil)
+        raise NotImplementedError, "#{self.class} must implement #call(command, ...)"
+      end
+    end
+  end
+end

data/lib/ask/sandbox/cloudflare.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+require "json"
+require "securerandom"
+
+module Ask
+  module Sandbox
+    # Executes commands in a Cloudflare Workers sandbox via a user-deployed
+    # proxy Worker.
+    #
+    # The proxy Worker wraps the +@cloudflare/sandbox+ SDK and exposes an HTTP
+    # API. The user is responsible for deploying the proxy Worker to Cloudflare.
+    #
+    # @example
+    #   sandbox = Ask::Sandbox::Cloudflare.new(
+    #     worker_url: "https://sandbox-proxy.my-worker.workers.dev",
+    #     auth_token: ENV["CLOUDFLARE_SANDBOX_TOKEN"]
+    #   )
+    #   sandbox.call(["ruby", "-e", "puts 1+1"])
+    #
+    class Cloudflare < Base
+      # @param worker_url [String] URL of the deployed proxy Worker
+      # @param auth_token [String, nil] auth token for the proxy Worker (optional)
+      # @param timeout [Integer] default timeout in seconds (default: 60)
+      def initialize(worker_url: nil, auth_token: nil, timeout: 60)
+        @worker_url = worker_url || ENV["CLOUDFLARE_SANDBOX_WORKER_URL"]
+        @auth_token = auth_token || ENV["CLOUDFLARE_SANDBOX_AUTH_TOKEN"]
+        @default_timeout = timeout
+      end
+
+      # (see Base#call)
+      def call(command, timeout: @default_timeout, workdir: nil, env: {}, stdin: nil)
+        raise ArgumentError, "command must not be nil" if command.nil?
+        raise ArgumentError, "command must not be empty" if command.respond_to?(:empty?) && command.empty?
+        raise ConfigurationError, "Cloudflare sandbox requires a worker_url. " \
+                                   "Set CLOUDFLARE_SANDBOX_WORKER_URL in your " \
+                                   "environment or pass `worker_url:` to #{self.class.name}.new" \
+                                   unless @worker_url
+
+        command_str = case command
+                      when Array then command.map(&:to_s).join(" ")
+                      when String then command
+                      end
+
+        make_request(command_str, timeout)
+      end
+
+      private
+
+      def make_request(command, timeout)
+        require "net/http"
+        require "json"
+
+        uri = URI(@worker_url)
+        http = Net::HTTP.new(uri.host, uri.port || (uri.scheme == "https" ? 443 : 80))
+        http.use_ssl = uri.scheme == "https"
+        http.open_timeout = 10
+        http.read_timeout = timeout + 5
+
+        request = Net::HTTP::Post.new(uri.request_uri)
+        request["Content-Type"] = "application/json"
+        request["Authorization"] = "Bearer #{@auth_token}" if @auth_token
+        request.body = JSON.generate({
+          sandbox_id: SecureRandom.uuid,
+          command: command,
+          timeout: timeout
+        })
+
+        response = http.request(request)
+
+        case response
+        when Net::HTTPOK
+          body = JSON.parse(response.body)
+          Result.new(
+            stdout: body["stdout"].to_s,
+            stderr: body["stderr"].to_s,
+            exit_code: body["exit_code"],
+            timed_out: body["timed_out"] == true
+          )
+        when Net::HTTPUnauthorized, Net::HTTPForbidden
+          raise ConfigurationError,
+                "Cloudflare sandbox authentication failed (#{response.code}). " \
+                "Check your auth token."
+        when Net::HTTPServerError
+          raise ProviderUnavailable,
+                "Cloudflare sandbox proxy Worker returned #{response.code}: #{response.body}"
+        when Net::HTTPNotFound
+          raise ProviderUnavailable,
+                "Cloudflare sandbox proxy Worker not found at #{@worker_url}. " \
+                "Is the Worker deployed?"
+        else
+          raise ProviderUnavailable,
+                "Cloudflare sandbox proxy Worker returned unexpected #{response.code}: #{response.body}"
+        end
+
+      rescue Net::OpenTimeout, Net::ReadTimeout => e
+        raise ProviderUnavailable,
+              "Cloudflare sandbox connection timed out: #{e.message}"
+      rescue Errno::ECONNREFUSED, Errno::ECONNRESET, Errno::EHOSTUNREACH => e
+        raise ProviderUnavailable,
+              "Cloudflare sandbox unavailable: #{e.message}. " \
+              "Is the proxy Worker deployed and reachable at #{@worker_url}?"
+      end
+    end
+  end
+end

data/lib/ask/sandbox/daytona.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+module Ask
+  module Sandbox
+    # Executes commands in a Daytona sandbox via the official +daytona+ gem.
+    #
+    # The +daytona+ gem is loaded lazily (inside +#call+). If the gem is not
+    # installed, a clear {LoadError} is raised with installation instructions.
+    #
+    # @example
+    #   sandbox = Ask::Sandbox::Daytona.new(
+    #     api_key: "dta_xxxx",
+    #     server_url: "https://api.daytona.io"
+    #   )
+    #   sandbox.call(["ruby", "-e", "puts 1+1"])
+    #
+    class Daytona < Base
+      # @param api_key [String, nil] Daytona API key. If nil, tries to resolve
+      #   via {Ask::Auth.lookup}("DAYTONA_API_KEY") or +ENV["DAYTONA_API_KEY"]+.
+      # @param server_url [String, nil] Daytona server URL. Falls back to the
+      #   +daytona+ gem's default.
+      # @param image [String, nil] sandbox image (e.g. "ruby:3.4")
+      # @param timeout [Integer] default timeout in seconds (default: 120 —
+      #   Daytona sandboxes may take time to boot)
+      def initialize(api_key: nil, server_url: nil, image: nil, timeout: 120)
+        @api_key = api_key
+        @server_url = server_url
+        @image = image
+        @default_timeout = timeout
+      end
+
+      # (see Base#call)
+      #
+      # Lazily loads the +daytona+ gem on first call.
+      def call(command, timeout: @default_timeout, workdir: nil, env: {}, stdin: nil)
+        raise ArgumentError, "command must not be nil" if command.nil?
+        raise ArgumentError, "command must not be empty" if command.respond_to?(:empty?) && command.empty?
+
+        api_key = resolve_api_key
+        ensure_daytona_gem!
+        execute_on_daytona(command, api_key, timeout)
+      end
+
+      private
+
+      def resolve_api_key
+        key = @api_key
+        key ||= ENV["DAYTONA_API_KEY"]
+
+        if defined?(Ask::Auth) && Ask::Auth.respond_to?(:lookup)
+          key ||= Ask::Auth.lookup("DAYTONA_API_KEY") rescue nil
+        end
+
+        raise ConfigurationError,
+              "Daytona sandbox requires an API key. Set DAYTONA_API_KEY in your " \
+              "environment or pass `api_key:` to #{self.class.name}.new" if key.nil? || key.empty?
+
+        key
+      end
+
+      def ensure_daytona_gem!
+        require "daytona"
+      rescue LoadError => e
+        raise LoadError,
+              "The `daytona` gem is required for the Daytona sandbox provider. " \
+              "Add `gem 'daytona'` to your Gemfile or run `gem install daytona`. " \
+              "(original: #{e.message})"
+      end
+
+      def execute_on_daytona(command, api_key, timeout)
+        # Build the command string
+        command_str = case command
+                      when Array then command.map(&:to_s).join(" ")
+                      when String then command
+                      end
+
+        # Create a Daytona client and sandbox
+        client = Daytona::Client.new(api_key: api_key, server_url: @server_url)
+
+        sandbox = client.sandboxes.create(image: @image || "ruby:3.4")
+
+        begin
+          result = sandbox.process.execute(command_str, timeout: timeout)
+
+          Result.new(
+            stdout: result["stdout"].to_s,
+            stderr: result["stderr"].to_s,
+            exit_code: result["exit_code"],
+            timed_out: result["timed_out"] == true
+          )
+        rescue => e
+          raise ExecutionError,
+                "Daytona sandbox execution failed: #{e.message}"
+        ensure
+          # Clean up the sandbox
+          begin
+            sandbox.delete
+          rescue => e
+            # Non-fatal: log but don't propagate
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ask/sandbox/docker.rb

@@ -0,0 +1,231 @@
+# frozen_string_literal: true
+
+module Ask
+  module Sandbox
+    # Executes commands in a Docker container with hardened security settings.
+    #
+    # Uses the +docker+ CLI binary directly (no gem dependencies). Requires
+    # a running Docker daemon.
+    #
+    # Security measures:
+    # - Read-only root filesystem (+--read-only+)
+    # - All Linux capabilities dropped (+--cap-drop ALL+)
+    # - No privilege escalation (+--security-opt no-new-privileges+)
+    # - Network egress disabled by default (+--network none+)
+    # - PIDs limit (+--pids-limit 100+)
+    # - Memory and CPU limits
+    # - Container auto-removal (+--rm+)
+    #
+    # @example
+    #   sandbox = Ask::Sandbox::Docker.new(image: "ruby:3.4-alpine")
+    #   sandbox.call(["ruby", "-e", "puts 1+1"])
+    #
+    class Docker < Base
+      # @param image [String] Docker image to use (default: "ruby:3.4-alpine")
+      # @param memory [String, nil] memory limit (e.g. "512m", "1g")
+      # @param cpus [Float, nil] CPU limit (e.g. 1.0)
+      # @param network [Boolean] allow network egress (default: false)
+      # @param read_only [Boolean] read-only root filesystem (default: true)
+      # @param cap_drop [String, nil] capabilities to drop (default: "ALL")
+      # @param user [String, nil] run as specific user (default: nil = container default)
+      # @param timeout [Integer] default timeout in seconds
+      # @param remove [Boolean] auto-remove container after execution (default: true)
+      def initialize(
+        image: "ruby:3.4-alpine",
+        memory: "512m",
+        cpus: 1.0,
+        network: false,
+        read_only: true,
+        cap_drop: "ALL",
+        user: nil,
+        timeout: 30,
+        remove: true
+      )
+        @image = image
+        @memory = memory
+        @cpus = cpus
+        @network = network
+        @read_only = read_only
+        @cap_drop = cap_drop
+        @user = user
+        @default_timeout = timeout
+        @remove = remove
+      end
+
+      # (see Base#call)
+      def call(command, timeout: @default_timeout, workdir: nil, env: {}, stdin: nil)
+        raise ArgumentError, "command must not be nil" if command.nil?
+        raise ArgumentError, "command must not be empty" if command.respond_to?(:empty?) && command.empty?
+
+        check_docker_available!
+
+        docker_argv = build_docker_argv(command, env, workdir)
+        run_docker(docker_argv, timeout, stdin)
+      end
+
+      private
+
+      def check_docker_available!
+        return if @docker_checked
+        system("docker", "info", out: File::NULL, err: File::NULL)
+        @docker_checked = true
+      rescue SystemCallError
+        raise ProviderUnavailable,
+              "Docker sandbox unavailable: `docker info` failed. " \
+              "Is Docker installed and the daemon running?"
+      end
+
+      def build_docker_argv(command, env, workdir)
+        argv = ["docker", "run", "--rm", "-i"]
+
+        # Resource limits
+        argv << "--memory" << @memory.to_s if @memory
+        argv << "--cpus" << @cpus.to_s if @cpus
+
+        # Security hardening
+        argv << "--network" << "none" unless @network
+        argv << "--read-only" if @read_only
+        argv << "--cap-drop" << @cap_drop.to_s if @cap_drop
+        argv << "--security-opt" << "no-new-privileges"
+        argv << "--pids-limit" << "100"
+
+        # User
+        argv << "--user" << @user.to_s if @user
+
+        # Working directory
+        argv << "--workdir" << workdir if workdir
+
+        # Environment variables
+        env.each do |key, value|
+          argv << "--env" << "#{key}=#{value}"
+        end
+
+        # Don't use ENTRYPOINT — we control the command
+        argv << "--entrypoint" << ""
+
+        # Image
+        argv << @image
+
+        # Command — use array form for clean argv forwarding
+        case command
+        when String
+          # String commands run via the container's shell
+          argv << "/bin/sh" << "-c" << command
+        when Array
+          # Array commands forward directly as argv
+          argv.concat(command.map(&:to_s))
+        end
+
+        argv
+      end
+
+      def run_docker(docker_argv, timeout, stdin_data)
+        stdout_r, stdout_w = IO.pipe
+        stderr_r, stderr_w = IO.pipe
+        stdin_r, stdin_w = IO.pipe
+
+        pid = Process.spawn(
+          *docker_argv,
+          pgroup: true,
+          in: stdin_r,
+          out: stdout_w,
+          err: stderr_w
+        )
+
+        stdin_r.close
+        stdout_w.close
+        stderr_w.close
+
+        # Write stdin in a thread
+        stdin_thread = Thread.new do
+          if stdin_data && !stdin_data.empty?
+            begin
+              stdin_w.write(stdin_data)
+            rescue Errno::EPIPE
+              # Command closed stdin early
+            end
+          end
+          stdin_w.close
+        rescue IOError
+          # Already closed
+        end
+
+        # Capture output in threads
+        stdout_chunks = []
+        stderr_chunks = []
+        stdout_thread = Thread.new { read_stream(stdout_r, stdout_chunks) }
+        stderr_thread = Thread.new { read_stream(stderr_r, stderr_chunks) }
+
+        exit_status, timed_out = wait_for_docker(pid, timeout)
+
+        stdin_thread.join
+        stdout_thread.join
+        stderr_thread.join
+
+        [stdout_r, stderr_r, stdin_w].each { |io| io.close rescue nil }
+
+        # Final reap
+        begin
+          Process.waitpid(pid, Process::WNOHANG)
+        rescue Errno::ECHILD
+        end
+
+        stdout_str = stdout_chunks.join
+        stderr_str = stderr_chunks.join
+
+        Result.new(
+          stdout: stdout_str,
+          stderr: stderr_str,
+          exit_code: exit_status&.exitstatus,
+          timed_out: timed_out
+        )
+      end
+
+      def wait_for_docker(pid, timeout)
+        deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
+
+        loop do
+          remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
+          break if remaining <= 0
+
+          _, status = Process.waitpid2(pid, Process::WNOHANG)
+          return [status, false] if status
+
+          sleep 0.1
+        end
+
+        # Timeout — use docker stop (graceful) then docker kill (force)
+        begin
+          # We need the container ID to stop it. For "docker run --rm",
+          # the container name can be extracted, but it's tricky.
+          # Simplest: just kill the docker CLI process, which stops the container
+          # since we used --rm.
+          Process.kill(:TERM, pid)
+          _, status = Process.waitpid2(pid, 3)
+          return [status, true] if status
+        rescue Errno::ESRCH, Errno::ECHILD
+        end
+
+        begin
+          Process.kill(:KILL, pid)
+          Process.waitpid(pid, 1)
+        rescue Errno::ESRCH, Errno::ECHILD
+        end
+
+        [nil, true]
+      end
+
+      def read_stream(io, chunks)
+        buffer = String.new(capacity: 102_400)
+        while (data = io.read(8192))
+          buffer << data
+          break if buffer.bytesize > 102_400
+        end
+        chunks << buffer
+      rescue IOError
+      ensure
+        io.close rescue nil
+      end
+    end
+  end
+end

data/lib/ask/sandbox/local.rb

@@ -0,0 +1,198 @@
+# frozen_string_literal: true
+
+require "tmpdir"
+require "fileutils"
+
+module Ask
+  module Sandbox
+    # Executes commands in a local subprocess with resource limits.
+    # Available on all platforms (macOS, Linux). Uses stdlib only.
+    class Local < Base
+      MAX_OUTPUT_SIZE = 102_400
+
+      STRIP_ENV_PREFIXES = %w[BUNDLE_ GEM_].freeze
+      STRIP_ENV_VARS = %w[RUBYOPT RUBYLIB BASH_ENV GEM_PATH GEM_HOME
+                          BUNDLE_GEMFILE BUNDLE_PATH BUNDLE_BIN_PATH
+                          BUNDLE_SETUP BUNDLE_WITHOUT BUNDLE_FROZEN].freeze
+
+      RLIMITS = {
+        rlimit_cpu: [10, 30],
+        rlimit_nproc: [50, 50],
+        rlimit_fsize: [10_485_760, 10_485_760],
+        rlimit_nofile: [200, 200],
+        rlimit_as: [2_147_483_648, 2_147_483_648]
+      }.freeze
+
+      POLL_INTERVAL = 0.05
+
+      def initialize(timeout: 30, max_output: MAX_OUTPUT_SIZE)
+        @default_timeout = timeout
+        @max_output = max_output
+      end
+
+      def call(command, timeout: @default_timeout, workdir: nil, env: {}, stdin: nil)
+        raise ArgumentError, "command must not be nil" if command.nil?
+        raise ArgumentError, "command must not be empty" if command.respond_to?(:empty?) && command.empty?
+
+        argv = build_argv(command)
+        child_env = build_environment(env)
+
+        if workdir
+          execute_in_dir(argv, child_env, workdir, timeout, stdin)
+        else
+          Dir.mktmpdir("ask_sandbox") do |dir|
+            execute_in_dir(argv, child_env, dir, timeout, stdin)
+          end
+        end
+      end
+
+      private
+
+      def build_argv(command)
+        case command
+        when String then ["bash", "-c", command]
+        when Array then command.map(&:to_s)
+        else raise ArgumentError, "command must be a String or Array of Strings"
+        end
+      end
+
+      def build_environment(extra_env)
+        env = {}
+        STRIP_ENV_VARS.each { |v| env[v] = nil }
+        ENV.each_key do |key|
+          next if key.start_with?("ASK_")
+          STRIP_ENV_PREFIXES.each { |p| env[key] = nil if key.start_with?(p) }
+        end
+        extra_env.each { |k, v| env[k.to_s] = v.to_s }
+        env
+      end
+
+      def self.supported_rlimits
+        @supported_rlimits ||= {}.tap do |opts|
+          RLIMITS.each do |option, (soft, hard)|
+            begin
+              pid = Process.spawn({}, "true", {option => [soft, hard]})
+              Process.waitpid(pid)
+              opts[option] = [soft, hard]
+            rescue ArgumentError, Errno::EINVAL, NotImplementedError
+            end
+          end
+        end
+      end
+
+      def execute_in_dir(argv, env, dir, timeout, stdin_data)
+        stdout_r, stdout_w = IO.pipe
+        stderr_r, stderr_w = IO.pipe
+        stdin_r, stdin_w = IO.pipe
+
+        spawn_opts = {
+          pgroup: true,
+          chdir: dir,
+          in: stdin_r,
+          out: stdout_w,
+          err: stderr_w
+        }.merge!(self.class.supported_rlimits)
+
+        pid = Process.spawn(env, *argv, **spawn_opts)
+
+        stdin_r.close
+        stdout_w.close
+        stderr_w.close
+
+        stdin_thread = Thread.new do
+          if stdin_data && !stdin_data.empty?
+            begin
+              stdin_w.write(stdin_data)
+            rescue Errno::EPIPE
+            end
+          end
+          stdin_w.close
+        rescue IOError
+        end
+
+        stdout_chunks = []
+        stderr_chunks = []
+        stdout_thread = Thread.new { read_stream(stdout_r, stdout_chunks) }
+        stderr_thread = Thread.new { read_stream(stderr_r, stderr_chunks) }
+
+        exit_status, timed_out = wait_for_process(pid, timeout)
+
+        stdin_thread.join
+        stdout_thread.join
+        stderr_thread.join
+
+        [stdout_r, stderr_r, stdin_w].each { |io| io.close rescue nil }
+
+        begin
+          Process.waitpid(pid, Process::WNOHANG)
+        rescue Errno::ECHILD
+        end
+
+        stdout_str = truncate_output(stdout_chunks.join)
+        stderr_str = truncate_output(stderr_chunks.join)
+
+        Result.new(
+          stdout: stdout_str,
+          stderr: stderr_str,
+          exit_code: exit_status&.exitstatus,
+          timed_out: timed_out
+        )
+      end
+
+      def wait_for_process(pid, timeout)
+        deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
+
+        loop do
+          remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
+          break if remaining <= 0
+
+          _, status = Process.waitpid2(pid, Process::WNOHANG)
+          return [status, false] if status
+
+          sleep POLL_INTERVAL
+        end
+
+        kill_process_group(pid)
+        [nil, true]
+      rescue Errno::ECHILD
+        [nil, false]
+      end
+
+      def kill_process_group(pid)
+        begin
+          Process.kill(:TERM, -pid)
+          _, status = Process.waitpid2(pid, 1)
+          return if status
+        rescue Errno::ESRCH, Errno::ECHILD
+          return
+        end
+
+        begin
+          Process.kill(:KILL, -pid)
+          Process.waitpid(pid, 1)
+        rescue Errno::ESRCH, Errno::ECHILD
+        end
+      end
+
+      def read_stream(io, chunks)
+        buffer = String.new(capacity: @max_output + 4096)
+        while (data = io.read(8192))
+          buffer << data
+          break if buffer.bytesize > @max_output
+        end
+        chunks << buffer
+      rescue IOError
+      ensure
+        io.close rescue nil
+      end
+
+      def truncate_output(str)
+        if str.bytesize > @max_output
+          str.byteslice(0, @max_output) << "\n[Truncated — output exceeds #{@max_output} bytes]\n"
+        else
+          str
+        end
+      end
+    end
+  end
+end

data/lib/ask/sandbox/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Ask
+  module Sandbox
+    VERSION = "0.1.0"
+  end
+end

data/lib/ask-sandbox-providers.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require_relative "ask/sandbox/version"
+require_relative "ask/sandbox/base"
+require_relative "ask/sandbox/local"
+require_relative "ask/sandbox/docker"
+require_relative "ask/sandbox/daytona"
+require_relative "ask/sandbox/cloudflare"
+
+module Ask
+  module Sandbox
+    class << self
+      # The currently configured sandbox provider.
+      # Defaults to {Ask::Sandbox::Local} (subprocess + rlimits).
+      #
+      # @return [Ask::Sandbox::Base]
+      def provider
+        @provider ||= Ask::Sandbox::Local.new
+      end
+
+      # Set the sandbox provider.
+      #
+      # @param provider [Ask::Sandbox::Base, Symbol]
+      #   Pass a provider instance, or +:local+/+:docker+/+:daytona+/+:cloudflare+
+      #   to use a default instance of that provider.
+      def provider=(provider)
+        @provider = case provider
+        when Symbol then resolve_provider(provider)
+        else provider
+        end
+      end
+
+      private
+
+      def resolve_provider(name)
+        case name
+        when :local then Local.new
+        when :docker then Docker.new
+        when :daytona then Daytona.new
+        when :cloudflare then Cloudflare.new
+        else raise ArgumentError, "Unknown sandbox provider: #{name.inspect}. " \
+                                   "Supported: :local, :docker, :daytona, :cloudflare"
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,97 @@
+--- !ruby/object:Gem::Specification
+name: ask-sandbox-providers
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Kaka Ruto
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.25'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.25'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+description: Isolated code execution via Local (subprocess + rlimits), Docker (containers),
+  Daytona (remote sandboxes), and Cloudflare (Workers sandbox). Zero external runtime
+  dependencies.
+email:
+- kaka@myrrlabs.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE
+- README.md
+- lib/ask-sandbox-providers.rb
+- lib/ask/sandbox/base.rb
+- lib/ask/sandbox/cloudflare.rb
+- lib/ask/sandbox/daytona.rb
+- lib/ask/sandbox/docker.rb
+- lib/ask/sandbox/local.rb
+- lib/ask/sandbox/version.rb
+homepage: https://github.com/ask-rb/ask-sandbox-providers
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/ask-rb/ask-sandbox-providers
+  source_code_uri: https://github.com/ask-rb/ask-sandbox-providers
+  changelog_uri: https://github.com/ask-rb/ask-sandbox-providers/blob/master/CHANGELOG.md
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.3
+specification_version: 4
+summary: Sandbox providers for the ask-rb ecosystem
+test_files: []