horizon-code 0.1.0

package/src/strategy/sandbox.ts

@@ -0,0 +1,137 @@
+// Sandbox for isolated Python execution
+// Runs strategy code in a temp directory with stripped environment
+
+import { mkdtemp, writeFile, rm } from "fs/promises";
+import { join } from "path";
+import { tmpdir } from "os";
+import { mkdirSync as mkdirSyncFs, existsSync } from "fs";
+import { listEncryptedEnvNames, getDecryptedEnv } from "../platform/config.ts";
+
+interface SandboxResult {
+  stdout: string;
+  stderr: string;
+  exitCode: number | null;
+  timedOut: boolean;
+}
+
+interface SandboxOptions {
+  code: string;
+  timeout?: number;        // ms, default 30000
+  cwd?: string;            // override temp dir
+}
+
+// Minimal env for backtesting — NO secrets, NO exchange keys
+// Used by runInSandbox (backtest, validation)
+function backtestEnv(): Record<string, string> {
+  const env: Record<string, string> = {};
+  const allow = ["PATH", "HOME", "LANG", "LC_ALL", "TERM", "PYTHONPATH", "VIRTUAL_ENV", "CONDA_PREFIX"];
+  for (const key of allow) {
+    if (process.env[key]) env[key] = process.env[key]!;
+  }
+  env.PYTHONUNBUFFERED = "1";
+  env.PYTHONDONTWRITEBYTECODE = "1";
+  return env;
+}
+
+// Full env for live/paper execution — includes exchange keys
+// Used by spawnInSandbox (run_strategy) — user has explicitly chosen to run
+function liveEnv(): Record<string, string> {
+  const env = backtestEnv();
+  // Add SDK keys needed for hz.run() to connect to exchanges
+  const secrets = ["HORIZON_API_KEY", "HORIZON_PRIVATE_KEY", "POLYMARKET_PRIVATE_KEY", "PK", "CLOB_API_KEY", "CLOB_SECRET", "CLOB_PASSPHRASE"];
+  for (const key of secrets) {
+    if (process.env[key]) env[key] = process.env[key]!;
+  }
+  // Pass HORIZON_ prefixed vars
+  for (const [key, val] of Object.entries(process.env)) {
+    if (key.startsWith("HORIZON_") && val && !env[key]) env[key] = val;
+  }
+  // Inject encrypted env vars from /env command
+  try {
+    for (const name of listEncryptedEnvNames()) {
+      if (!env[name]) {
+        const val = getDecryptedEnv(name);
+        if (val) env[name] = val;
+      }
+    }
+  } catch {}
+  return env;
+}
+
+/**
+ * Run Python code in an isolated sandbox.
+ * - Creates a temp directory
+ * - Writes code to a file (avoids shell escaping issues with -c)
+ * - Runs with stripped environment
+ * - Enforces timeout
+ * - Cleans up temp directory
+ */
+export async function runInSandbox(opts: SandboxOptions): Promise<SandboxResult> {
+  const timeout = opts.timeout ?? 30000;
+  const dir = opts.cwd ?? await mkdtemp(join(tmpdir(), "horizon-sandbox-"));
+  const scriptPath = join(dir, "strategy.py");
+
+  try {
+    await writeFile(scriptPath, opts.code, "utf-8");
+
+    const pythonPath = process.env.HORIZON_PYTHON ?? process.env.PYTHON_PATH ?? "python3";
+    const proc = Bun.spawn([pythonPath, "-u", scriptPath], {
+      stdout: "pipe",
+      stderr: "pipe",
+      cwd: dir,
+      env: backtestEnv(), // No secrets — backtesting doesn't need exchange keys
+    });
+
+    let timedOut = false;
+    const timer = setTimeout(() => {
+      timedOut = true;
+      proc.kill();
+    }, timeout);
+
+    const stdout = await new Response(proc.stdout).text();
+    const stderr = await new Response(proc.stderr).text();
+    await proc.exited;
+    clearTimeout(timer);
+
+    return { stdout, stderr, exitCode: proc.exitCode, timedOut };
+  } finally {
+    // Clean up temp directory
+    if (!opts.cwd) {
+      rm(dir, { recursive: true, force: true }).catch(() => {});
+    }
+  }
+}
+
+/**
+ * Run Python code as a background process in sandbox.
+ * Returns the process and temp dir for cleanup.
+ */
+export function spawnInSandbox(code: string, dir?: string): {
+  proc: ReturnType<typeof Bun.spawn>;
+  dir: string;
+  cleanup: () => Promise<void>;
+} {
+  const sandboxDir = dir ?? join(tmpdir(), `horizon-sandbox-${Date.now()}`);
+  if (!existsSync(sandboxDir)) mkdirSyncFs(sandboxDir, { recursive: true });
+  const scriptPath = join(sandboxDir, "strategy.py");
+
+  // Sync write since we need it before spawn
+  Bun.write(scriptPath, code);
+
+  const pythonPath = process.env.HORIZON_PYTHON ?? process.env.PYTHON_PATH ?? "python3";
+  const proc = Bun.spawn([pythonPath, "-u", scriptPath], {
+    stdout: "pipe",
+    stderr: "pipe",
+    cwd: sandboxDir,
+    env: liveEnv(), // Live execution — includes exchange keys for hz.run()
+  });
+
+  return {
+    proc,
+    dir: sandboxDir,
+    cleanup: async () => {
+      try { proc.kill(); } catch {}
+      rm(sandboxDir, { recursive: true, force: true }).catch(() => {});
+    },
+  };
+}