npm - isol8 - Versions diffs - 0.6.1 → 0.7.0 - Mend

isol8 0.6.1 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +23 -16
package/dist/cli.js +201 -34
package/dist/docker/Dockerfile +4 -2
package/dist/docker/seccomp-profile.json +67 -0
package/dist/index.js +106 -10
package/dist/src/config.d.ts.map +1 -1
package/dist/src/engine/docker.d.ts +3 -0
package/dist/src/engine/docker.d.ts.map +1 -1
package/dist/src/engine/pool.d.ts +3 -2
package/dist/src/engine/pool.d.ts.map +1 -1
package/dist/src/server/index.d.ts +2 -0
package/dist/src/server/index.d.ts.map +1 -1
package/dist/src/types.d.ts +20 -0
package/dist/src/types.d.ts.map +1 -1
package/package.json +2 -1
package/schema/isol8.config.schema.json +20 -0

package/dist/docker/Dockerfile CHANGED Viewed

@@ -1,6 +1,7 @@
 # ── Base ──────────────────────────────────────────────────────────────
 FROM alpine:3.21 AS base
-RUN apk add --no-cache tini curl ca-certificates
+RUN apk add --no-cache tini curl ca-certificates \
+    && addgroup -S sandbox && adduser -S sandbox -G sandbox -h /sandbox
 COPY proxy.mjs /usr/local/bin/proxy.mjs
 RUN chmod +x /usr/local/bin/proxy.mjs
 WORKDIR /sandbox
@@ -26,7 +27,8 @@ CMD ["bun"]
 # ── Deno ──────────────────────────────────────────────────────────────
 FROM denoland/deno:alpine AS deno
-RUN apk add --no-cache tini curl ca-certificates
+RUN apk add --no-cache tini curl ca-certificates \
+    && addgroup -S sandbox && adduser -S sandbox -G sandbox -h /sandbox
 COPY proxy.mjs /usr/local/bin/proxy.mjs
 RUN chmod +x /usr/local/bin/proxy.mjs
 WORKDIR /sandbox

package/dist/docker/seccomp-profile.json ADDED Viewed

@@ -0,0 +1,67 @@
+{
+  "defaultAction": "SCMP_ACT_ALLOW",
+  "architectures": [
+    "SCMP_ARCH_X86_64",
+    "SCMP_ARCH_X86",
+    "SCMP_ARCH_X32",
+    "SCMP_ARCH_AARCH64"
+  ],
+  "syscalls": [
+    {
+      "names": [
+        "acct",
+        "add_key",
+        "bpf",
+        "clock_adjtime",
+        "clock_settime",
+        "create_module",
+        "delete_module",
+        "finit_module",
+        "get_mempolicy",
+        "init_module",
+        "ioperm",
+        "iopl",
+        "kcmp",
+        "kexec_file_load",
+        "kexec_load",
+        "keyctl",
+        "lookup_dcookie",
+        "mbind",
+        "mount",
+        "move_pages",
+        "name_to_handle_at",
+        "open_by_handle_at",
+        "perf_event_open",
+        "pivot_root",
+        "process_vm_readv",
+        "process_vm_writev",
+        "ptrace",
+        "query_module",
+        "quotactl",
+        "reboot",
+        "request_key",
+        "set_mempolicy",
+        "setns",
+        "settimeofday",
+        "stime",
+        "swapon",
+        "swapoff",
+        "sysfs",
+        "syslog",
+        "umount",
+        "umount2",
+        "unshare",
+        "uselib",
+        "userfaultfd",
+        "ustat",
+        "vm86",
+        "vm86old"
+      ],
+      "action": "SCMP_ACT_ERRNO",
+      "args": [],
+      "comment": "",
+      "includes": {},
+      "excludes": {}
+    }
+  ]
+}

package/dist/index.js CHANGED Viewed

@@ -263,6 +263,15 @@ class ContainerPool {
       return;
     }
     try {
+      const killExec = await container.exec({
+        Cmd: ["sh", "-c", "pkill -9 -u sandbox 2>/dev/null; true"]
+      });
+      await killExec.start({ Detach: true });
+      let killInfo = await killExec.inspect();
+      while (killInfo.Running) {
+        await new Promise((r) => setTimeout(r, 5));
+        killInfo = await killExec.inspect();
+      }
       const cleanExec = await container.exec({
         Cmd: ["sh", "-c", "rm -rf /sandbox/* /sandbox/.[!.]* 2>/dev/null; true"]
       });
@@ -439,13 +448,15 @@ __export(exports_docker, {
   DockerIsol8: () => DockerIsol8
 });
 import { randomUUID } from "node:crypto";
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "node:fs";
 import { PassThrough } from "node:stream";
 import Docker from "dockerode";
 async function writeFileViaExec(container, filePath, content) {
   const data = typeof content === "string" ? Buffer.from(content, "utf-8") : content;
   const b64 = data.toString("base64");
   const exec = await container.exec({
-    Cmd: ["sh", "-c", `printf '%s' '${b64}' | base64 -d > ${filePath}`]
+    Cmd: ["sh", "-c", `printf '%s' '${b64}' | base64 -d > ${filePath}`],
+    User: "sandbox"
   });
   await exec.start({ Detach: true });
   let info = await exec.inspect();
@@ -461,7 +472,8 @@ async function readFileViaExec(container, filePath) {
   const exec = await container.exec({
     Cmd: ["base64", filePath],
     AttachStdout: true,
-    AttachStderr: true
+    AttachStderr: true,
+    User: "sandbox"
   });
   const stream = await exec.start({ Tty: false });
   const chunks = [];
@@ -556,7 +568,8 @@ async function installPackages(container, runtime, packages) {
     Cmd: cmd,
     AttachStdout: true,
     AttachStderr: true,
-    Env: env
+    Env: env,
+    User: runtime === "bash" ? "root" : "sandbox"
   });
   const stream = await exec.start({ Detach: false, Tty: false });
   return new Promise((resolve2, reject) => {
@@ -599,6 +612,7 @@ class DockerIsol8 {
   semaphore;
   sandboxSize;
   tmpSize;
+  security;
   persist;
   container = null;
   persistentRuntime = null;
@@ -620,6 +634,7 @@ class DockerIsol8 {
     this.sandboxSize = options.sandboxSize ?? "512m";
     this.tmpSize = options.tmpSize ?? "256m";
     this.persist = options.persist ?? false;
+    this.security = options.security ?? { seccomp: "strict" };
     if (options.debug) {
       logger.setDebug(true);
     }
@@ -725,7 +740,8 @@ class DockerIsol8 {
           Env: this.buildEnv(req.env),
           AttachStdout: true,
           AttachStderr: true,
-          WorkingDir: SANDBOX_WORKDIR
+          WorkingDir: SANDBOX_WORKDIR,
+          User: "sandbox"
         });
         const execStream = await exec.start({ Tty: false });
         yield* this.streamExecOutput(execStream, exec, container, timeoutMs);
@@ -804,7 +820,8 @@ class DockerIsol8 {
         Env: this.buildEnv(req.env),
         AttachStdout: true,
         AttachStderr: true,
-        WorkingDir: SANDBOX_WORKDIR
+        WorkingDir: SANDBOX_WORKDIR,
+        User: "sandbox"
       });
       const start = performance.now();
       const execStream = await exec.start({ Tty: false });
@@ -877,7 +894,8 @@ class DockerIsol8 {
       Env: execEnv,
       AttachStdout: true,
       AttachStderr: true,
-      WorkingDir: SANDBOX_WORKDIR
+      WorkingDir: SANDBOX_WORKDIR,
+      User: "sandbox"
     });
     const start = performance.now();
     const execStream = await exec.start({ Tty: false });
@@ -947,9 +965,9 @@ class DockerIsol8 {
       ReadonlyRootfs: this.readonlyRootFs,
       Tmpfs: {
         "/tmp": `rw,noexec,nosuid,nodev,size=${this.tmpSize}`,
-        [SANDBOX_WORKDIR]: `rw,exec,nosuid,nodev,size=${this.sandboxSize}`
+        [SANDBOX_WORKDIR]: `rw,exec,nosuid,nodev,size=${this.sandboxSize},uid=100,gid=101`
       },
-      SecurityOpt: ["no-new-privileges"]
+      SecurityOpt: this.buildSecurityOpts()
     };
     if (this.network === "filtered") {
       config.NetworkMode = "bridge";
@@ -958,6 +976,43 @@ class DockerIsol8 {
     }
     return config;
   }
+  buildSecurityOpts() {
+    const opts = ["no-new-privileges"];
+    if (this.security.seccomp === "unconfined") {
+      opts.push("seccomp=unconfined");
+      return opts;
+    }
+    if (this.security.seccomp === "custom" && this.security.customProfilePath) {
+      try {
+        const profile = readFileSync2(this.security.customProfilePath, "utf-8");
+        opts.push(`seccomp=${profile}`);
+      } catch (e) {
+        logger.error(`Failed to load custom seccomp profile: ${e}`);
+      }
+      return opts;
+    }
+    try {
+      const profile = this.loadDefaultSeccompProfile();
+      if (profile) {
+        opts.push(`seccomp=${profile}`);
+      }
+    } catch (e) {
+      logger.error(`Failed to load default seccomp profile: ${e}`);
+    }
+    return opts;
+  }
+  loadDefaultSeccompProfile() {
+    const devPath = new URL("../../docker/seccomp-profile.json", import.meta.url);
+    if (existsSync2(devPath)) {
+      return readFileSync2(devPath, "utf-8");
+    }
+    const prodPath = new URL("./docker/seccomp-profile.json", import.meta.url);
+    if (existsSync2(prodPath)) {
+      return readFileSync2(prodPath, "utf-8");
+    }
+    logger.warn("Could not locate default seccomp profile. Running without seccomp filter.");
+    return null;
+  }
   buildEnv(extra) {
     const env = [
       "PYTHONUNBUFFERED=1",
@@ -1282,6 +1337,9 @@ var DEFAULT_CONFIG = {
     maxContainerAgeMs: 3600000
   },
   dependencies: {},
+  security: {
+    seccomp: "strict"
+  },
   debug: false
 };
 function loadConfig(cwd) {
@@ -1317,6 +1375,10 @@ function mergeConfig(defaults, overrides) {
       ...defaults.dependencies,
       ...overrides.dependencies
     },
+    security: {
+      seccomp: overrides.security?.seccomp ?? defaults.security.seccomp,
+      customProfilePath: overrides.security?.customProfilePath ?? defaults.security.customProfilePath
+    },
     debug: overrides.debug ?? defaults.debug
   };
 }
@@ -1327,10 +1389,11 @@ init_runtime();
 // src/server/index.ts
 import { Hono } from "hono";
+init_logger();
 // package.json
 var package_default = {
   name: "isol8",
-  version: "0.6.0",
+  version: "0.6.2",
   description: "Secure code execution engine for AI agents",
   author: "Illusion47586",
   license: "MIT",
@@ -1392,6 +1455,7 @@ var package_default = {
   devDependencies: {
     "@biomejs/biome": "^2.3.15",
     "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/exec": "^7.1.0",
     "@semantic-release/git": "^10.0.1",
     "@semantic-release/github": "^12.0.6",
     "@semantic-release/npm": "^13.1.4",
@@ -1462,13 +1526,21 @@ var sessions = new Map;
 async function createServer(options) {
   const { DockerIsol8: DockerIsol82 } = await Promise.resolve().then(() => (init_docker(), exports_docker));
   await Promise.resolve().then(() => (init_runtime(), exports_runtime));
+  if (options.debug) {
+    logger.setDebug(true);
+  }
   const config = loadConfig();
+  logger.debug("[Server] Config loaded");
+  logger.debug(`[Server] Max concurrent: ${config.maxConcurrent}`);
+  logger.debug(`[Server] Auto-prune: ${config.cleanup.autoPrune}`);
   const app = new Hono;
   const globalSemaphore = new Semaphore(config.maxConcurrent);
   app.use("*", authMiddleware(options.apiKey));
   app.get("/health", (c) => c.json({ status: "ok", version: VERSION }));
   app.post("/execute", async (c) => {
     const body = await c.req.json();
+    logger.debug(`[Server] POST /execute runtime=${body.request.runtime} sessionId=${body.sessionId ?? "ephemeral"}`);
+    logger.debug(`[Server] Code length: ${body.request.code.length} chars`);
     const engineOptions = {
       network: config.defaults.network,
       memoryLimit: config.defaults.memoryLimit,
@@ -1483,36 +1555,45 @@ async function createServer(options) {
     if (body.sessionId) {
       const session = sessions.get(body.sessionId);
       if (session) {
+        logger.debug(`[Server] Reusing existing session: ${body.sessionId}`);
         engine = session.engine;
         session.lastAccessedAt = Date.now();
       } else {
+        logger.debug(`[Server] Creating new session: ${body.sessionId}`);
         engine = new DockerIsol82(engineOptions, config.maxConcurrent);
         await engine.start();
         sessions.set(body.sessionId, { engine, lastAccessedAt: Date.now() });
       }
     } else {
+      logger.debug("[Server] Creating ephemeral engine");
       engine = new DockerIsol82(engineOptions, config.maxConcurrent);
       await engine.start();
     }
     try {
+      logger.debug("[Server] Acquiring semaphore for /execute");
       await globalSemaphore.acquire();
       try {
         const result = await engine.execute(body.request);
+        logger.debug(`[Server] Execution completed: exitCode=${result.exitCode} duration=${result.durationMs}ms`);
         return c.json(result);
       } finally {
         globalSemaphore.release();
       }
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
+      logger.debug(`[Server] Execution error: ${message}`);
       return c.json({ error: message }, 500);
     } finally {
       if (!body.sessionId) {
+        logger.debug("[Server] Cleaning up ephemeral engine");
         await engine.stop();
       }
     }
   });
   app.post("/execute/stream", async (c) => {
     const body = await c.req.json();
+    logger.debug(`[Server] POST /execute/stream runtime=${body.request.runtime}`);
+    logger.debug(`[Server] Code length: ${body.request.code.length} chars`);
     const engineOptions = {
       network: config.defaults.network,
       memoryLimit: config.defaults.memoryLimit,
@@ -1529,6 +1610,7 @@ async function createServer(options) {
     const stream = new ReadableStream({
       async start(controller) {
         try {
+          logger.debug("[Server] Acquiring semaphore for /execute/stream");
           await globalSemaphore.acquire();
           try {
             for await (const event of engine.executeStream(body.request)) {
@@ -1537,16 +1619,19 @@ async function createServer(options) {
 `;
               controller.enqueue(encoder.encode(line));
             }
+            logger.debug("[Server] Stream completed");
           } finally {
             globalSemaphore.release();
           }
         } catch (err) {
           const message = err instanceof Error ? err.message : String(err);
+          logger.debug(`[Server] Stream error: ${message}`);
           const errorEvent = `data: ${JSON.stringify({ type: "error", data: message })}
 `;
           controller.enqueue(encoder.encode(errorEvent));
         } finally {
+          logger.debug("[Server] Cleaning up stream engine");
           await engine.stop();
           controller.close();
         }
@@ -1562,35 +1647,45 @@ async function createServer(options) {
   });
   app.post("/file", async (c) => {
     const body = await c.req.json();
+    logger.debug(`[Server] POST /file sessionId=${body.sessionId} path=${body.path}`);
     const session = sessions.get(body.sessionId);
     if (!session) {
+      logger.debug(`[Server] Session not found: ${body.sessionId}`);
       return c.json({ error: "Session not found" }, 404);
     }
     session.lastAccessedAt = Date.now();
     const content = Buffer.from(body.content, "base64");
     await session.engine.putFile(body.path, content);
+    logger.debug(`[Server] File uploaded: ${body.path} (${content.length} bytes)`);
     return c.json({ ok: true });
   });
   app.get("/file", async (c) => {
     const sessionId = c.req.query("sessionId");
     const path = c.req.query("path");
+    logger.debug(`[Server] GET /file sessionId=${sessionId} path=${path}`);
     if (!(sessionId && path)) {
       return c.json({ error: "Missing sessionId or path" }, 400);
     }
     const session = sessions.get(sessionId);
     if (!session) {
+      logger.debug(`[Server] Session not found: ${sessionId}`);
       return c.json({ error: "Session not found" }, 404);
     }
     session.lastAccessedAt = Date.now();
     const content = await session.engine.getFile(path);
+    logger.debug(`[Server] File downloaded: ${path} (${content.length} bytes)`);
     return c.json({ content: content.toString("base64") });
   });
   app.delete("/session/:id", async (c) => {
     const id = c.req.param("id");
+    logger.debug(`[Server] DELETE /session/${id}`);
     const session = sessions.get(id);
     if (session) {
       await session.engine.stop();
       sessions.delete(id);
+      logger.debug(`[Server] Session destroyed: ${id}`);
+    } else {
+      logger.debug(`[Server] Session not found (already cleaned up): ${id}`);
     }
     return c.json({ ok: true });
   });
@@ -1600,6 +1695,7 @@ async function createServer(options) {
       const now = Date.now();
       for (const [id, session] of sessions) {
         if (now - session.lastAccessedAt > maxAge) {
+          logger.debug(`[Server] Auto-pruning stale session: ${id}`);
           await session.engine.stop();
           sessions.delete(id);
         }
@@ -1626,4 +1722,4 @@ export {
   BunAdapter
 };
-//# debugId=BE9F771BA94691E364756E2164756E21
+//# debugId=1AFCD54347509D5A64756E2164756E21

package/dist/src/config.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAE3C;;;GAGG;AACH,QAAA,MAAM,cAAc,EAAE,~~WAoBrB~~,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,WAAW,CAepD;~~AA8BD~~,OAAO,EAAE,cAAc,EAAE,CAAC"}
1	+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAE3C;;;GAGG;AACH,QAAA,MAAM,cAAc,EAAE,WAuBrB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,WAAW,CAepD;AAmCD,OAAO,EAAE,cAAc,EAAE,CAAC"}

package/dist/src/engine/docker.d.ts CHANGED Viewed

@@ -43,6 +43,7 @@ export declare class DockerIsol8 implements Isol8Engine {
     private readonly semaphore;
     private readonly sandboxSize;
     private readonly tmpSize;
+    private readonly security;
     private readonly persist;
     private container;
     private persistentRuntime;
@@ -96,6 +97,8 @@ export declare class DockerIsol8 implements Isol8Engine {
     private startPersistentContainer;
     private getAdapter;
     private buildHostConfig;
+    private buildSecurityOpts;
+    private loadDefaultSeccompProfile;
     private buildEnv;
     private streamExecOutput;
     private collectExecOutput;

package/dist/src/engine/docker.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../src/engine/docker.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;~~AAIH~~,OAAO,MAAM,MAAM,WAAW,CAAC;AAG/B,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,WAAW,EAEX,YAAY,~~EAGZ~~,WAAW,EACZ,MAAM,UAAU,CAAC;~~AAgPlB~~,2HAA2H;AAC3H,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,WAAY,YAAW,WAAW;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAY;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAU;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;~~IACjC~~,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAElC,OAAO,CAAC,SAAS,CAAiC;IAClD,OAAO,CAAC,iBAAiB,CAA+B;IACxD,OAAO,CAAC,IAAI,CAA8B;IAE1C;;;OAGG;gBACS,OAAO,GAAE,kBAAuB,EAAE,aAAa,SAAK;~~IAuBhE~~;;;OAGG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAK5B,kFAAkF;IAC5E,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB3B;;;OAGG;IACG,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAW9D;;;;;;;OAOG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB5C,6GAA6G;IAC7G,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED;;;OAGG;IACI,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC;~~YAoFzD~~,YAAY;YAcZ,gBAAgB;~~YAwGhB~~,iBAAiB;~~YA6FjB~~,aAAa;YAkBb,oBAAoB;YASpB,wBAAwB;IA2BtC,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IAsBvB,OAAO,CAAC,QAAQ;YAmCD,gBAAgB;YA8EjB,iBAAiB;IA8D/B,OAAO,CAAC,iBAAiB;IAYzB;;;;;;;;;;;;;;;;;;;;OAoBG;WACU,OAAO,CAClB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CA2BlE"}
1	+ {"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../src/engine/docker.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,MAAM,MAAM,WAAW,CAAC;AAG/B,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,WAAW,EAEX,YAAY,EAIZ,WAAW,EACZ,MAAM,UAAU,CAAC;AAoPlB,2HAA2H;AAC3H,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,WAAY,YAAW,WAAW;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAY;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAU;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAEjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAElC,OAAO,CAAC,SAAS,CAAiC;IAClD,OAAO,CAAC,iBAAiB,CAA+B;IACxD,OAAO,CAAC,IAAI,CAA8B;IAE1C;;;OAGG;gBACS,OAAO,GAAE,kBAAuB,EAAE,aAAa,SAAK;IAwBhE;;;OAGG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAK5B,kFAAkF;IAC5E,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB3B;;;OAGG;IACG,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAW9D;;;;;;;OAOG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB5C,6GAA6G;IAC7G,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED;;;OAGG;IACI,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC;YAqFzD,YAAY;YAcZ,gBAAgB;YAyGhB,iBAAiB;YA8FjB,aAAa;YAkBb,oBAAoB;YASpB,wBAAwB;IA2BtC,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IAsBvB,OAAO,CAAC,iBAAiB;IA+BzB,OAAO,CAAC,yBAAyB;IAyBjC,OAAO,CAAC,QAAQ;YAmCD,gBAAgB;YA8EjB,iBAAiB;IA8D/B,OAAO,CAAC,iBAAiB;IAYzB;;;;;;;;;;;;;;;;;;;;OAoBG;WACU,OAAO,CAClB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CA2BlE"}

package/dist/src/engine/pool.d.ts CHANGED Viewed

@@ -37,8 +37,9 @@ export declare class ContainerPool {
      */
     acquire(image: string): Promise<Docker.Container>;
     /**
-     * Return a container to the pool after use. The container's /sandbox
-     * tmpfs is wiped clean so it's ready for the next execution.
+     * Return a container to the pool after use. All processes owned by the
+     * `sandbox` user are killed, and the `/sandbox` tmpfs is wiped clean
+     * so the container is ready for the next execution.
      * If the pool is full, the container is destroyed instead.
      */
     release(container: Docker.Container, image: string): Promise<void>;

package/dist/src/engine/pool.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../../../src/engine/pool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,MAAM,MAAM,WAAW,CAAC;AAGpC,4CAA4C;AAC5C,MAAM,WAAW,WAAW;IAC1B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yDAAyD;IACzD,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,OAAO,CAAC,CAAC;CAC7D;AAOD;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA+C;IAC7E,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkC;IACxD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqB;IAClD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAA4B;gBAEtD,OAAO,EAAE,WAAW;IAMhC;;;;OAIG;IACG,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;IAcvD~~;;;;OAIG~~;IACG,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;~~IA+BxE~~;;;OAGG;IACG,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBxC;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAgBd,eAAe;IAW7B,2DAA2D;IAC3D,OAAO,CAAC,SAAS;CAuClB"}
1	+ {"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../../../src/engine/pool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,MAAM,MAAM,WAAW,CAAC;AAGpC,4CAA4C;AAC5C,MAAM,WAAW,WAAW;IAC1B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yDAAyD;IACzD,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,OAAO,CAAC,CAAC;CAC7D;AAOD;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA+C;IAC7E,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkC;IACxD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqB;IAClD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAA4B;gBAEtD,OAAO,EAAE,WAAW;IAMhC;;;;OAIG;IACG,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;IAcvD;;;;;OAKG;IACG,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA8CxE;;;OAGG;IACG,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBxC;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAgBd,eAAe;IAW7B,2DAA2D;IAC3D,OAAO,CAAC,SAAS;CAuClB"}

package/dist/src/server/index.d.ts CHANGED Viewed

@@ -12,6 +12,8 @@ export interface ServerOptions {
     port: number;
     /** API key required for Bearer token authentication. */
     apiKey: string;
+    /** Enable debug logging for internal server operations. */
+    debug?: boolean;
 }
 /**
  * Creates and configures the isol8 HTTP server.

package/dist/src/server/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;~~AAQ5B~~,+CAA+C;AAC/C,MAAM,WAAW,aAAa;IAC5B,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,MAAM,EAAE,MAAM,CAAC;~~CAChB~~;AAWD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,aAAa;;;;~~GAqMxD~~"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAS5B,+CAA+C;AAC/C,MAAM,WAAW,aAAa;IAC5B,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,MAAM,EAAE,MAAM,CAAC;IACf,2DAA2D;IAC3D,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAWD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,aAAa;;;;GA+OxD"}

package/dist/src/types.d.ts CHANGED Viewed

@@ -156,6 +156,8 @@ export interface Isol8Options {
      * @default false
      */
     persist?: boolean;
+    /** Security settings. */
+    security?: SecurityConfig;
 }
 /**
  * The core isol8 engine abstraction. Both {@link DockerIsol8} and {@link RemoteIsol8}
@@ -245,6 +247,20 @@ export interface Isol8Dependencies {
     /** Bash packages to install via apk (Alpine). */
     bash?: string[];
 }
+/**
+ * Security configuration for the execution environment.
+ */
+export interface SecurityConfig {
+    /**
+     * Seccomp profile mode.
+     * - "strict": Use the default strict profile (default).
+     * - "unconfined": Do not apply any seccomp profile.
+     * - "custom": Use the profile at `customProfilePath`.
+     */
+    seccomp?: "strict" | "unconfined" | "custom";
+    /** Path to a custom seccomp profile JSON file. Required if seccomp is "custom". */
+    customProfilePath?: string;
+}
 /**
  * Top-level configuration schema for isol8.
  *
@@ -265,6 +281,8 @@ export interface Isol8Config {
     cleanup: Isol8Cleanup;
     /** Runtime-specific packages to bake into custom Docker images. */
     dependencies: Isol8Dependencies;
+    /** Security settings. */
+    security: SecurityConfig;
     /** Enable debug logging. @default false */
     debug: boolean;
 }
@@ -287,5 +305,7 @@ export interface Isol8UserConfig {
     cleanup?: Partial<Isol8Cleanup>;
     /** Runtime-specific packages to bake into custom Docker images. */
     dependencies?: Isol8Dependencies;
+    /** Security settings. */
+    security?: SecurityConfig;
 }
 //# sourceMappingURL=types.d.ts.map

package/dist/src/types.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;;;;;;;GAQG;AACH,MAAM,MAAM,OAAO,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,MAAM,GAAG,MAAM,CAAC;AAElE;;;;;;;GAOG;AACH,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,UAAU,CAAC;AAEvD;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IAEb,sEAAsE;IACtE,OAAO,EAAE,OAAO,CAAC;IAEjB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE7B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,CAAC;IAExC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IAEvB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,mDAAmD;IACnD,MAAM,EAAE,MAAM,CAAC;IAEf,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IAEf,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC;IAEjB,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IAEnB,0FAA0F;IAC1F,SAAS,EAAE,OAAO,CAAC;IAEnB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IAEpB,uCAAuC;IACvC,OAAO,EAAE,OAAO,CAAC;IAEjB,oDAAoD;IACpD,SAAS,EAAE,MAAM,CAAC;IAElB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChC;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,wDAAwD;IACxD,IAAI,EAAE,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAC;IAC7C,0FAA0F;IAC1F,IAAI,EAAE,MAAM,CAAC;CACd;AAID;;;;;;GAMG;AACH,MAAM,MAAM,SAAS,GAAG,WAAW,GAAG,YAAY,CAAC;AAEnD;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,IAAI,CAAC,EAAE,SAAS,CAAC;IAEjB,2CAA2C;IAC3C,OAAO,CAAC,EAAE,WAAW,CAAC;IAEtB,yFAAyF;IACzF,aAAa,CAAC,EAAE,mBAAmB,CAAC;IAEpC,mFAAmF;IACnF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,mEAAmE;IACnE,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,4DAA4D;IAC5D,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB,6EAA6E;IAC7E,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEjC,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,iEAAiE;IACjE,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,wIAAwI;IACxI,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,+EAA+E;IAC/E,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;~~CACnB~~;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,gEAAgE;IAChE,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB,kEAAkE;IAClE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtB,0CAA0C;IAC1C,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAEzD;;;;;;OAMG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE/D;;;;;;OAMG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAEvC;;;;;OAKG;IACH,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;CAClE;AAID;;;;;;;;GAQG;AACH,MAAM,WAAW,mBAAmB;IAClC,2FAA2F;IAC3F,SAAS,EAAE,MAAM,EAAE,CAAC;IAEpB,mGAAmG;IACnG,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAID,oDAAoD;AACpD,MAAM,WAAW,aAAa;IAC5B,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,4DAA4D;IAC5D,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,OAAO,EAAE,WAAW,CAAC;IACrB,kEAAkE;IAClE,WAAW,EAAE,MAAM,CAAC;IACpB,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,yDAAyD;AACzD,MAAM,WAAW,YAAY;IAC3B,oEAAoE;IACpE,SAAS,EAAE,OAAO,CAAC;IACnB,kFAAkF;IAClF,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,oDAAoD;IACpD,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,qCAAqC;IACrC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,iDAAiD;IACjD,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,WAAW;IAC1B,0EAA0E;IAC1E,aAAa,EAAE,MAAM,CAAC;IAEtB,sDAAsD;IACtD,QAAQ,EAAE,aAAa,CAAC;IAExB,4DAA4D;IAC5D,OAAO,EAAE,mBAAmB,CAAC;IAE7B,gDAAgD;IAChD,OAAO,EAAE,YAAY,CAAC;IAEtB,mEAAmE;IACnE,YAAY,EAAE,iBAAiB,CAAC;IAEhC,2CAA2C;IAC3C,KAAK,EAAE,OAAO,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,wDAAwD;IACxD,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB,0EAA0E;IAC1E,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,kFAAkF;IAClF,QAAQ,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;IAElC,4DAA4D;IAC5D,OAAO,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEvC,4EAA4E;IAC5E,OAAO,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAEhC,mEAAmE;IACnE,YAAY,CAAC,EAAE,iBAAiB,CAAC;~~CAClC~~"}
1	+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;;;;;;;GAQG;AACH,MAAM,MAAM,OAAO,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,MAAM,GAAG,MAAM,CAAC;AAElE;;;;;;;GAOG;AACH,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,UAAU,CAAC;AAEvD;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IAEb,sEAAsE;IACtE,OAAO,EAAE,OAAO,CAAC;IAEjB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE7B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,CAAC;IAExC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IAEvB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,mDAAmD;IACnD,MAAM,EAAE,MAAM,CAAC;IAEf,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IAEf,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC;IAEjB,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IAEnB,0FAA0F;IAC1F,SAAS,EAAE,OAAO,CAAC;IAEnB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IAEpB,uCAAuC;IACvC,OAAO,EAAE,OAAO,CAAC;IAEjB,oDAAoD;IACpD,SAAS,EAAE,MAAM,CAAC;IAElB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;OAIG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChC;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,wDAAwD;IACxD,IAAI,EAAE,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,OAAO,CAAC;IAC7C,0FAA0F;IAC1F,IAAI,EAAE,MAAM,CAAC;CACd;AAID;;;;;;GAMG;AACH,MAAM,MAAM,SAAS,GAAG,WAAW,GAAG,YAAY,CAAC;AAEnD;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,IAAI,CAAC,EAAE,SAAS,CAAC;IAEjB,2CAA2C;IAC3C,OAAO,CAAC,EAAE,WAAW,CAAC;IAEtB,yFAAyF;IACzF,aAAa,CAAC,EAAE,mBAAmB,CAAC;IAEpC,mFAAmF;IACnF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,mEAAmE;IACnE,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,4DAA4D;IAC5D,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB,6EAA6E;IAC7E,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEjC,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,iEAAiE;IACjE,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,wIAAwI;IACxI,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,+EAA+E;IAC/E,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB,yBAAyB;IACzB,QAAQ,CAAC,EAAE,cAAc,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,gEAAgE;IAChE,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB,kEAAkE;IAClE,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtB,0CAA0C;IAC1C,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAEzD;;;;;;OAMG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE/D;;;;;;OAMG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAEvC;;;;;OAKG;IACH,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;CAClE;AAID;;;;;;;;GAQG;AACH,MAAM,WAAW,mBAAmB;IAClC,2FAA2F;IAC3F,SAAS,EAAE,MAAM,EAAE,CAAC;IAEpB,mGAAmG;IACnG,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAID,oDAAoD;AACpD,MAAM,WAAW,aAAa;IAC5B,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,4DAA4D;IAC5D,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,OAAO,EAAE,WAAW,CAAC;IACrB,kEAAkE;IAClE,WAAW,EAAE,MAAM,CAAC;IACpB,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,yDAAyD;AACzD,MAAM,WAAW,YAAY;IAC3B,oEAAoE;IACpE,SAAS,EAAE,OAAO,CAAC;IACnB,kFAAkF;IAClF,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,oDAAoD;IACpD,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,wCAAwC;IACxC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,qCAAqC;IACrC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,iDAAiD;IACjD,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;;;;OAKG;IACH,OAAO,CAAC,EAAE,QAAQ,GAAG,YAAY,GAAG,QAAQ,CAAC;IAC7C,mFAAmF;IACnF,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,WAAW;IAC1B,0EAA0E;IAC1E,aAAa,EAAE,MAAM,CAAC;IAEtB,sDAAsD;IACtD,QAAQ,EAAE,aAAa,CAAC;IAExB,4DAA4D;IAC5D,OAAO,EAAE,mBAAmB,CAAC;IAE7B,gDAAgD;IAChD,OAAO,EAAE,YAAY,CAAC;IAEtB,mEAAmE;IACnE,YAAY,EAAE,iBAAiB,CAAC;IAEhC,yBAAyB;IACzB,QAAQ,EAAE,cAAc,CAAC;IAEzB,2CAA2C;IAC3C,KAAK,EAAE,OAAO,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,wDAAwD;IACxD,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB,0EAA0E;IAC1E,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,kFAAkF;IAClF,QAAQ,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;IAElC,4DAA4D;IAC5D,OAAO,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAEvC,4EAA4E;IAC5E,OAAO,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAEhC,mEAAmE;IACnE,YAAY,CAAC,EAAE,iBAAiB,CAAC;IAEjC,yBAAyB;IACzB,QAAQ,CAAC,EAAE,cAAc,CAAC;CAC3B"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "isol8",
-  "version": "0.6.1",
+  "version": "0.7.0",
   "description": "Secure code execution engine for AI agents",
   "author": "Illusion47586",
   "license": "MIT",
@@ -62,6 +62,7 @@
   "devDependencies": {
     "@biomejs/biome": "^2.3.15",
     "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/exec": "^7.1.0",
     "@semantic-release/git": "^10.0.1",
     "@semantic-release/github": "^12.0.6",
     "@semantic-release/npm": "^13.1.4",

package/schema/isol8.config.schema.json CHANGED Viewed

@@ -140,6 +140,10 @@
             }
           },
           "type": "object"
+        },
+        "security": {
+          "$ref": "#/definitions/SecurityConfig",
+          "description": "Security settings."
         }
       },
       "type": "object"
@@ -148,6 +152,22 @@
       "description": "Network access mode for isol8 containers.\n\n- `\"none\"` — All network access blocked (default, most secure).\n- `\"host\"` — Full host network access (use with caution).\n- `\"filtered\"` — HTTP/HTTPS traffic routed through a proxy that enforces   whitelist/blacklist regex rules on hostnames.",
       "enum": ["none", "host", "filtered"],
       "type": "string"
+    },
+    "SecurityConfig": {
+      "additionalProperties": false,
+      "description": "Security configuration for the execution environment.",
+      "properties": {
+        "customProfilePath": {
+          "description": "Path to a custom seccomp profile JSON file. Required if seccomp is \"custom\".",
+          "type": "string"
+        },
+        "seccomp": {
+          "description": "Seccomp profile mode.\n- \"strict\": Use the default strict profile (default).\n- \"unconfined\": Do not apply any seccomp profile.\n- \"custom\": Use the profile at `customProfilePath`.",
+          "enum": ["strict", "unconfined", "custom"],
+          "type": "string"
+        }
+      },
+      "type": "object"
     }
   }
 }