isol8 0.7.0 → 0.8.1

package/README.md

@@ -1,5 +1,10 @@
 # isol8
 
+[![CI](https://github.com/Illusion47586/isol8/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/Illusion47586/isol8/actions/workflows/ci.yml)
+[![Coverage](https://raw.githubusercontent.com/Illusion47586/isol8/main/coverage/coverage-badge.svg)](https://github.com/Illusion47586/isol8/actions)
+[![npm](https://img.shields.io/npm/v/isol8)](https://www.npmjs.com/package/isol8)
+[![license](https://img.shields.io/npm/l/isol8)](./LICENSE)
+
 Secure code execution engine for AI agents. Run untrusted Python, Node.js, Bun, Deno, and Bash code inside locked-down Docker containers with network filtering, resource limits, and output controls.
 
 ## Features
@@ -270,6 +275,8 @@ const isol8 = new DockerIsol8({
 });
 ```
 
+In `filtered` mode, iptables rules are applied at the kernel level to ensure the `sandbox` user can **only** reach the internal filtering proxy (`127.0.0.1:8118`). All other outbound traffic from the sandbox user is dropped, preventing bypass via raw sockets or non-HTTP protocols.
+
 ## Configuration
 
 Create `isol8.config.json` in your project root or `~/.isol8/config.json`.

package/dist/cli.js

@@ -6316,23 +6316,12 @@ var require_bcrypt_pbkdf = __commonJS((exports, module) => {
   };
 });
 
-// node_modules/cpu-features/build/Release/cpufeatures.node
-var require_cpufeatures = __commonJS((exports, module) => {
-  module.exports = __require("./cpufeatures-tjjrgpt7.node");
-});
-
-// node_modules/cpu-features/lib/index.js
-var require_lib2 = __commonJS((exports, module) => {
-  var binding = require_cpufeatures();
-  module.exports = binding.getCPUInfo;
-});
-
 // node_modules/ssh2/lib/protocol/constants.js
 var require_constants = __commonJS((exports, module) => {
   var crypto = __require("crypto");
   var cpuInfo;
   try {
-    cpuInfo = require_lib2()();
+    cpuInfo = (()=>{throw new Error("Cannot require module "+"cpu-features");})()();
   } catch {}
   var { bindingAvailable, CIPHER_INFO, MAC_INFO } = require_crypto();
   var eddsaSupported = (() => {
@@ -20975,7 +20964,7 @@ var require_keygen = __commonJS((exports, module) => {
 });
 
 // node_modules/ssh2/lib/index.js
-var require_lib3 = __commonJS((exports, module) => {
+var require_lib2 = __commonJS((exports, module) => {
   var {
     AgentProtocol,
     BaseAgent,
@@ -21021,7 +21010,7 @@ var require_lib3 = __commonJS((exports, module) => {
 
 // node_modules/docker-modem/lib/ssh.js
 var require_ssh = __commonJS((exports, module) => {
-  var Client = require_lib3().Client;
+  var Client = require_lib2().Client;
   var http = __require("http");
   module.exports = function(opt) {
     var conn = new Client;
@@ -55088,7 +55077,11 @@ class ContainerPool {
     }
     try {
       const killExec = await container.exec({
-        Cmd: ["sh", "-c", "pkill -9 -u sandbox 2>/dev/null; true"]
+        Cmd: [
+          "sh",
+          "-c",
+          "pkill -9 -u sandbox 2>/dev/null; /usr/sbin/iptables -F OUTPUT 2>/dev/null; true"
+        ]
       });
       await killExec.start({ Detach: true });
       let killInfo = await killExec.inspect();
@@ -55334,7 +55327,7 @@ async function startProxy(container, networkFilter) {
   }
   const envPrefix = envParts.length > 0 ? `${envParts.join(" ")} ` : "";
   const startExec = await container.exec({
-    Cmd: ["sh", "-c", `${envPrefix}node /usr/local/bin/proxy.mjs &`]
+    Cmd: ["sh", "-c", `${envPrefix}bash /usr/local/bin/proxy.sh &`]
   });
   await startExec.start({ Detach: true });
   const deadline = Date.now() + PROXY_STARTUP_TIMEOUT_MS;
@@ -55357,6 +55350,27 @@ async function startProxy(container, networkFilter) {
   }
   throw new Error("Proxy failed to start within timeout");
 }
+async function setupIptables(container) {
+  const rules = [
+    "/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT",
+    "/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
+    `/usr/sbin/iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport ${PROXY_PORT} -m owner --uid-owner 100 -j ACCEPT`,
+    "/usr/sbin/iptables -A OUTPUT -m owner --uid-owner 100 -j DROP"
+  ].join(" && ");
+  const exec = await container.exec({
+    Cmd: ["sh", "-c", rules]
+  });
+  await exec.start({ Detach: true });
+  let info2 = await exec.inspect();
+  while (info2.Running) {
+    await new Promise((r) => setTimeout(r, 50));
+    info2 = await exec.inspect();
+  }
+  if (info2.ExitCode !== 0) {
+    throw new Error(`Failed to set up iptables rules (exit code ${info2.ExitCode})`);
+  }
+  logger.debug("[Filtered] iptables rules applied — sandbox user restricted to proxy only");
+}
 function wrapWithTimeout(cmd, timeoutSec) {
   return ["timeout", "-s", "KILL", String(timeoutSec), ...cmd];
 }
@@ -55543,6 +55557,7 @@ class DockerIsol8 {
         await container.start();
         if (this.network === "filtered") {
           await startProxy(container, this.networkFilter);
+          await setupIptables(container);
         }
         const ext = req.fileExtension ?? adapter.getFileExtension();
         const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
@@ -55623,6 +55638,7 @@ class DockerIsol8 {
     try {
       if (this.network === "filtered") {
         await startProxy(container, this.networkFilter);
+        await setupIptables(container);
       }
       const ext = req.fileExtension ?? adapter.getFileExtension();
       const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
@@ -55782,6 +55798,7 @@ class DockerIsol8 {
     await this.container.start();
     if (this.network === "filtered") {
       await startProxy(this.container, this.networkFilter);
+      await setupIptables(this.container);
     }
     this.persistentRuntime = adapter;
   }
@@ -55802,6 +55819,7 @@ class DockerIsol8 {
     };
     if (this.network === "filtered") {
       config.NetworkMode = "bridge";
+      config.CapAdd = ["NET_ADMIN"];
     } else if (this.network === "host") {
       config.NetworkMode = "host";
     }
@@ -55861,9 +55879,11 @@ class DockerIsol8 {
         env2.push(`${key}=${value}`);
       }
     }
-    if (this.network === "filtered" && this.networkFilter) {
-      env2.push(`ISOL8_WHITELIST=${JSON.stringify(this.networkFilter.whitelist)}`);
-      env2.push(`ISOL8_BLACKLIST=${JSON.stringify(this.networkFilter.blacklist)}`);
+    if (this.network === "filtered") {
+      if (this.networkFilter) {
+        env2.push(`ISOL8_WHITELIST=${JSON.stringify(this.networkFilter.whitelist)}`);
+        env2.push(`ISOL8_BLACKLIST=${JSON.stringify(this.networkFilter.blacklist)}`);
+      }
       env2.push(`HTTP_PROXY=http://127.0.0.1:${PROXY_PORT}`);
       env2.push(`HTTPS_PROXY=http://127.0.0.1:${PROXY_PORT}`);
       env2.push(`http_proxy=http://127.0.0.1:${PROXY_PORT}`);
@@ -56025,7 +56045,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "isol8",
-    version: "0.6.2",
+    version: "0.8.0",
     description: "Secure code execution engine for AI agents",
     author: "Illusion47586",
     license: "MIT",
@@ -56086,6 +56106,8 @@ var init_package = __esm(() => {
     },
     devDependencies: {
       "@biomejs/biome": "^2.3.15",
+      "@commitlint/cli": "^20.4.1",
+      "@commitlint/config-conventional": "^20.4.1",
       "@semantic-release/changelog": "^6.0.3",
       "@semantic-release/exec": "^7.1.0",
       "@semantic-release/git": "^10.0.1",
@@ -56118,7 +56140,8 @@ var init_package = __esm(() => {
       }
     ],
     "simple-git-hooks": {
-      "pre-commit": "bun run lint-staged"
+      "pre-commit": "bun run lint-staged",
+      "commit-msg": "bunx commitlint --edit $1"
     },
     "lint-staged": {
       "*.{ts,tsx}": [
@@ -56128,6 +56151,9 @@ var init_package = __esm(() => {
       "src/types.ts": [
         "bash -c 'bun run schema'",
         "git add schema/isol8.config.schema.json"
+      ],
+      "*.{yaml,yml,json}": [
+        "ultracite fix"
       ]
     }
   };
@@ -61365,7 +61391,7 @@ async function buildBaseImages(docker, onProgress) {
     const target = adapter.name;
     onProgress?.({ runtime: target, status: "building" });
     try {
-      const stream = await docker.buildImage({ context: DOCKERFILE_DIR, src: ["Dockerfile", "proxy.mjs"] }, {
+      const stream = await docker.buildImage({ context: DOCKERFILE_DIR, src: ["Dockerfile", "proxy.sh", "proxy-handler.sh"] }, {
         t: adapter.image,
         target,
         dockerfile: "Dockerfile"
@@ -62026,4 +62052,4 @@ if (!process.argv.slice(2).length) {
 }
 program2.parse();
 
-//# debugId=F86C7DBAE803AC0664756E2164756E21
+//# debugId=F5B0FBC3FF234CB364756E2164756E21

package/dist/docker/Dockerfile

@@ -1,9 +1,10 @@
 # ── Base ──────────────────────────────────────────────────────────────
 FROM alpine:3.21 AS base
-RUN apk add --no-cache tini curl ca-certificates \
+RUN apk add --no-cache tini curl ca-certificates iptables bash \
     && addgroup -S sandbox && adduser -S sandbox -G sandbox -h /sandbox
-COPY proxy.mjs /usr/local/bin/proxy.mjs
-RUN chmod +x /usr/local/bin/proxy.mjs
+COPY proxy.sh /usr/local/bin/proxy.sh
+COPY proxy-handler.sh /usr/local/bin/proxy-handler.sh
+RUN chmod +x /usr/local/bin/proxy.sh /usr/local/bin/proxy-handler.sh
 WORKDIR /sandbox
 ENTRYPOINT ["/sbin/tini", "--"]
 
@@ -19,7 +20,7 @@ CMD ["node"]
 
 # ── Bun ───────────────────────────────────────────────────────────────
 FROM base AS bun
-RUN apk add --no-cache bash unzip libstdc++ libgcc \
+RUN apk add --no-cache unzip libstdc++ libgcc \
     && curl -fsSL https://bun.sh/install | bash \
     && mv /root/.bun/bin/bun /usr/local/bin/bun \
     && ln -s /usr/local/bin/bun /usr/local/bin/bunx
@@ -27,15 +28,15 @@ CMD ["bun"]
 
 # ── Deno ──────────────────────────────────────────────────────────────
 FROM denoland/deno:alpine AS deno
-RUN apk add --no-cache tini curl ca-certificates \
+RUN apk add --no-cache tini curl ca-certificates iptables bash \
     && addgroup -S sandbox && adduser -S sandbox -G sandbox -h /sandbox
-COPY proxy.mjs /usr/local/bin/proxy.mjs
-RUN chmod +x /usr/local/bin/proxy.mjs
+COPY proxy.sh /usr/local/bin/proxy.sh
+COPY proxy-handler.sh /usr/local/bin/proxy-handler.sh
+RUN chmod +x /usr/local/bin/proxy.sh /usr/local/bin/proxy-handler.sh
 WORKDIR /sandbox
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ["deno"]
 
 # ── Bash ──────────────────────────────────────────────────────────────
 FROM base AS bash
-RUN apk add --no-cache bash
 CMD ["bash"]

package/dist/docker/proxy-handler.sh

@@ -0,0 +1,134 @@
+#!/bin/bash
+# isol8 proxy handler — handles a single proxied connection.
+#
+# Invoked by: nc -lk -e proxy-handler.sh
+# stdin/stdout are wired to the client socket by nc.
+#
+# Env vars (inherited from proxy.sh launcher):
+#   ISOL8_WHITELIST_FILE - Path to file with whitelist regex patterns
+#   ISOL8_BLACKLIST_FILE - Path to file with blacklist regex patterns
+#
+# Supports:
+#   - HTTPS CONNECT tunneling (bidirectional relay via exec nc)
+#   - HTTP forwarding (GET/POST/etc via bash /dev/tcp)
+
+WL="${ISOL8_WHITELIST_FILE:-}"
+BL="${ISOL8_BLACKLIST_FILE:-}"
+
+is_allowed() {
+  local host="$1"
+
+  # Check blacklist first
+  if [ -n "$BL" ] && [ -s "$BL" ]; then
+    if echo "$host" | grep -qEf "$BL" 2>/dev/null; then
+      return 1
+    fi
+  fi
+
+  # If whitelist is empty or missing, allow all
+  if [ -z "$WL" ] || [ ! -s "$WL" ]; then
+    return 0
+  fi
+
+  # Must match at least one whitelist pattern
+  if echo "$host" | grep -qEf "$WL" 2>/dev/null; then
+    return 0
+  fi
+
+  return 1
+}
+
+# Read the request line
+# e.g. "CONNECT host:443 HTTP/1.1" or "GET http://host/path HTTP/1.1"
+read -r request_line || exit 0
+request_line="${request_line%%$'\r'}"
+
+method="${request_line%% *}"
+rest="${request_line#* }"
+target="${rest%% *}"
+
+# Read and store all headers until blank line
+headers=""
+content_length=0
+while IFS= read -r hline; do
+  hline="${hline%%$'\r'}"
+  [ -z "$hline" ] && break
+  headers="${headers}${hline}"$'\n'
+  # Extract Content-Length
+  case "$hline" in
+    [Cc]ontent-[Ll]ength:*)
+      content_length="${hline#*: }"
+      content_length="${content_length// /}"
+      ;;
+  esac
+done
+
+# ── CONNECT (HTTPS tunneling) ──────────────────────────────────────────
+if [ "$method" = "CONNECT" ]; then
+  host="${target%%:*}"
+  port="${target##*:}"
+  [ "$port" = "$host" ] && port=443
+
+  if ! is_allowed "$host"; then
+    msg="isol8: CONNECT to ${host} blocked by network filter"
+    printf "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n%s" \
+      "${#msg}" "$msg"
+    exit 0
+  fi
+
+  # Send 200 then replace this process with nc for bidirectional relay.
+  # nc inherits the client socket on stdin/stdout from the nc -lk -e parent.
+  printf "HTTP/1.1 200 Connection Established\r\n\r\n"
+  exec nc "$host" "$port"
+fi
+
+# ── HTTP forwarding ────────────────────────────────────────────────────
+# Proxy HTTP requests use absolute URLs: GET http://host:port/path HTTP/1.1
+url_rest="${target#*://}"
+hostport="${url_rest%%/*}"
+path="/${url_rest#*/}"
+# Handle URLs with no path component
+[ "$path" = "/${url_rest}" ] && path="/"
+
+host="${hostport%%:*}"
+port="${hostport##*:}"
+[ "$port" = "$host" ] && port=80
+
+if ! is_allowed "$host"; then
+  msg="isol8: request to ${host} blocked by network filter"
+  printf "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n%s" \
+    "${#msg}" "$msg"
+  exit 0
+fi
+
+# Open TCP connection via bash /dev/tcp
+if ! exec 3<>/dev/tcp/"$host"/"$port" 2>/dev/null; then
+  msg="isol8: proxy error: connection to ${host}:${port} failed"
+  printf "HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n%s" \
+    "${#msg}" "$msg"
+  exit 0
+fi
+
+# Send request line with relative path (not absolute URL)
+printf "%s %s HTTP/1.1\r\n" "$method" "$path" >&3
+
+# Forward headers, skipping Proxy-* headers
+while IFS= read -r h; do
+  [ -z "$h" ] && continue
+  case "$h" in
+    Proxy-*|proxy-*) continue ;;
+  esac
+  printf "%s\r\n" "$h" >&3
+done <<< "$headers"
+printf "\r\n" >&3
+
+# Forward request body if present
+if [ "$content_length" -gt 0 ] 2>/dev/null; then
+  head -c "$content_length" >&3
+fi
+
+# Relay response back to client
+cat <&3
+
+exec 3>&-
+exit 0

package/dist/docker/proxy.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+# isol8 proxy launcher — parses env vars and starts the proxy listener.
+#
+# Env vars:
+#   ISOL8_WHITELIST  - JSON array of regex strings (allow these)
+#   ISOL8_BLACKLIST  - JSON array of regex strings (block these)
+#   ISOL8_PROXY_PORT - Port to listen on (default: 8118)
+#
+# This script:
+#   1. Parses ISOL8_WHITELIST/BLACKLIST JSON arrays into grep-compatible pattern files
+#   2. Starts nc -lk -e /usr/local/bin/proxy-handler.sh on the specified port
+#
+# The pattern files are stored in /tmp/isol8-proxy/ and exported as env vars
+# so the handler (forked by nc -e) can access them via inherited environment.
+
+PORT="${ISOL8_PROXY_PORT:-8118}"
+PROXY_DIR="/tmp/isol8-proxy"
+mkdir -p "$PROXY_DIR"
+
+WL_FILE="$PROXY_DIR/whitelist"
+BL_FILE="$PROXY_DIR/blacklist"
+
+# Parse JSON array of regex strings into a file with one ERE pattern per line.
+# Input: JSON like '["^example\\.com$","^api\\."]'
+# Output: file with one grep -E compatible pattern per line
+parse_patterns() {
+  local json="$1" outfile="$2"
+  : > "$outfile"
+  if [ -z "$json" ] || [ "$json" = "[]" ]; then
+    return
+  fi
+  # Strip brackets, split on ","  → one quoted pattern per line
+  # Then strip quotes and unescape doubled backslashes from JSON encoding
+  echo "$json" \
+    | sed 's/^\[//; s/\]$//' \
+    | sed 's/","/"\n"/g' \
+    | sed 's/^"//; s/"$//' \
+    | sed 's/\\\\/\\/g' \
+    > "$outfile"
+}
+
+parse_patterns "${ISOL8_WHITELIST:-}" "$WL_FILE"
+parse_patterns "${ISOL8_BLACKLIST:-}" "$BL_FILE"
+
+# Export paths so the handler (forked by nc -e) can find them
+export ISOL8_WHITELIST_FILE="$WL_FILE"
+export ISOL8_BLACKLIST_FILE="$BL_FILE"
+
+echo "isol8 proxy listening on 127.0.0.1:${PORT}"
+
+# Start listening — nc -lk provides a persistent server that forks
+# a handler for each connection with stdin/stdout wired to the socket
+exec nc -lk -s 127.0.0.1 -p "$PORT" -e /usr/local/bin/proxy-handler.sh

package/dist/index.js

@@ -264,7 +264,11 @@ class ContainerPool {
     }
     try {
       const killExec = await container.exec({
-        Cmd: ["sh", "-c", "pkill -9 -u sandbox 2>/dev/null; true"]
+        Cmd: [
+          "sh",
+          "-c",
+          "pkill -9 -u sandbox 2>/dev/null; /usr/sbin/iptables -F OUTPUT 2>/dev/null; true"
+        ]
       });
       await killExec.start({ Detach: true });
       let killInfo = await killExec.inspect();
@@ -503,7 +507,7 @@ async function startProxy(container, networkFilter) {
   }
   const envPrefix = envParts.length > 0 ? `${envParts.join(" ")} ` : "";
   const startExec = await container.exec({
-    Cmd: ["sh", "-c", `${envPrefix}node /usr/local/bin/proxy.mjs &`]
+    Cmd: ["sh", "-c", `${envPrefix}bash /usr/local/bin/proxy.sh &`]
   });
   await startExec.start({ Detach: true });
   const deadline = Date.now() + PROXY_STARTUP_TIMEOUT_MS;
@@ -526,6 +530,27 @@ async function startProxy(container, networkFilter) {
   }
   throw new Error("Proxy failed to start within timeout");
 }
+async function setupIptables(container) {
+  const rules = [
+    "/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT",
+    "/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
+    `/usr/sbin/iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport ${PROXY_PORT} -m owner --uid-owner 100 -j ACCEPT`,
+    "/usr/sbin/iptables -A OUTPUT -m owner --uid-owner 100 -j DROP"
+  ].join(" && ");
+  const exec = await container.exec({
+    Cmd: ["sh", "-c", rules]
+  });
+  await exec.start({ Detach: true });
+  let info = await exec.inspect();
+  while (info.Running) {
+    await new Promise((r) => setTimeout(r, 50));
+    info = await exec.inspect();
+  }
+  if (info.ExitCode !== 0) {
+    throw new Error(`Failed to set up iptables rules (exit code ${info.ExitCode})`);
+  }
+  logger.debug("[Filtered] iptables rules applied — sandbox user restricted to proxy only");
+}
 function wrapWithTimeout(cmd, timeoutSec) {
   return ["timeout", "-s", "KILL", String(timeoutSec), ...cmd];
 }
@@ -712,6 +737,7 @@ class DockerIsol8 {
         await container.start();
         if (this.network === "filtered") {
           await startProxy(container, this.networkFilter);
+          await setupIptables(container);
         }
         const ext = req.fileExtension ?? adapter.getFileExtension();
         const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
@@ -792,6 +818,7 @@ class DockerIsol8 {
     try {
       if (this.network === "filtered") {
         await startProxy(container, this.networkFilter);
+        await setupIptables(container);
       }
       const ext = req.fileExtension ?? adapter.getFileExtension();
       const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
@@ -951,6 +978,7 @@ class DockerIsol8 {
     await this.container.start();
     if (this.network === "filtered") {
       await startProxy(this.container, this.networkFilter);
+      await setupIptables(this.container);
     }
     this.persistentRuntime = adapter;
   }
@@ -971,6 +999,7 @@ class DockerIsol8 {
     };
     if (this.network === "filtered") {
       config.NetworkMode = "bridge";
+      config.CapAdd = ["NET_ADMIN"];
     } else if (this.network === "host") {
       config.NetworkMode = "host";
     }
@@ -1030,9 +1059,11 @@ class DockerIsol8 {
         env.push(`${key}=${value}`);
       }
     }
-    if (this.network === "filtered" && this.networkFilter) {
-      env.push(`ISOL8_WHITELIST=${JSON.stringify(this.networkFilter.whitelist)}`);
-      env.push(`ISOL8_BLACKLIST=${JSON.stringify(this.networkFilter.blacklist)}`);
+    if (this.network === "filtered") {
+      if (this.networkFilter) {
+        env.push(`ISOL8_WHITELIST=${JSON.stringify(this.networkFilter.whitelist)}`);
+        env.push(`ISOL8_BLACKLIST=${JSON.stringify(this.networkFilter.blacklist)}`);
+      }
       env.push(`HTTP_PROXY=http://127.0.0.1:${PROXY_PORT}`);
       env.push(`HTTPS_PROXY=http://127.0.0.1:${PROXY_PORT}`);
       env.push(`http_proxy=http://127.0.0.1:${PROXY_PORT}`);
@@ -1393,7 +1424,7 @@ init_logger();
 // package.json
 var package_default = {
   name: "isol8",
-  version: "0.6.2",
+  version: "0.8.0",
   description: "Secure code execution engine for AI agents",
   author: "Illusion47586",
   license: "MIT",
@@ -1454,6 +1485,8 @@ var package_default = {
   },
   devDependencies: {
     "@biomejs/biome": "^2.3.15",
+    "@commitlint/cli": "^20.4.1",
+    "@commitlint/config-conventional": "^20.4.1",
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/exec": "^7.1.0",
     "@semantic-release/git": "^10.0.1",
@@ -1486,7 +1519,8 @@ var package_default = {
     }
   ],
   "simple-git-hooks": {
-    "pre-commit": "bun run lint-staged"
+    "pre-commit": "bun run lint-staged",
+    "commit-msg": "bunx commitlint --edit $1"
   },
   "lint-staged": {
     "*.{ts,tsx}": [
@@ -1496,6 +1530,9 @@ var package_default = {
     "src/types.ts": [
       "bash -c 'bun run schema'",
       "git add schema/isol8.config.schema.json"
+    ],
+    "*.{yaml,yml,json}": [
+      "ultracite fix"
     ]
   }
 };
@@ -1722,4 +1759,4 @@ export {
   BunAdapter
 };
 
-//# debugId=1AFCD54347509D5A64756E2164756E21
+//# debugId=90624257FBE4C46A64756E2164756E21

package/dist/src/engine/docker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../src/engine/docker.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,MAAM,MAAM,WAAW,CAAC;AAG/B,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,WAAW,EAEX,YAAY,EAIZ,WAAW,EACZ,MAAM,UAAU,CAAC;AAoPlB,2HAA2H;AAC3H,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,WAAY,YAAW,WAAW;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAY;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAU;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAEjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAElC,OAAO,CAAC,SAAS,CAAiC;IAClD,OAAO,CAAC,iBAAiB,CAA+B;IACxD,OAAO,CAAC,IAAI,CAA8B;IAE1C;;;OAGG;gBACS,OAAO,GAAE,kBAAuB,EAAE,aAAa,SAAK;IAwBhE;;;OAGG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAK5B,kFAAkF;IAC5E,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB3B;;;OAGG;IACG,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAW9D;;;;;;;OAOG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB5C,6GAA6G;IAC7G,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED;;;OAGG;IACI,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC;YAqFzD,YAAY;YAcZ,gBAAgB;YAyGhB,iBAAiB;YA8FjB,aAAa;YAkBb,oBAAoB;YASpB,wBAAwB;IA2BtC,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IAsBvB,OAAO,CAAC,iBAAiB;IA+BzB,OAAO,CAAC,yBAAyB;IAyBjC,OAAO,CAAC,QAAQ;YAmCD,gBAAgB;YA8EjB,iBAAiB;IA8D/B,OAAO,CAAC,iBAAiB;IAYzB;;;;;;;;;;;;;;;;;;;;OAoBG;WACU,OAAO,CAClB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CA2BlE"}
+{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../src/engine/docker.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,MAAM,MAAM,WAAW,CAAC;AAG/B,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,WAAW,EAEX,YAAY,EAIZ,WAAW,EACZ,MAAM,UAAU,CAAC;AAqSlB,2HAA2H;AAC3H,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,WAAY,YAAW,WAAW;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAY;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAU;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAEjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAElC,OAAO,CAAC,SAAS,CAAiC;IAClD,OAAO,CAAC,iBAAiB,CAA+B;IACxD,OAAO,CAAC,IAAI,CAA8B;IAE1C;;;OAGG;gBACS,OAAO,GAAE,kBAAuB,EAAE,aAAa,SAAK;IAwBhE;;;OAGG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAK5B,kFAAkF;IAC5E,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB3B;;;OAGG;IACG,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAW9D;;;;;;;OAOG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB5C,6GAA6G;IAC7G,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED;;;OAGG;IACI,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC;YAsFzD,YAAY;YAcZ,gBAAgB;YA0GhB,iBAAiB;YA8FjB,aAAa;YAkBb,oBAAoB;YASpB,wBAAwB;IA4BtC,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,iBAAiB;IA+BzB,OAAO,CAAC,yBAAyB;IAyBjC,OAAO,CAAC,QAAQ;YAwCD,gBAAgB;YA8EjB,iBAAiB;IA8D/B,OAAO,CAAC,iBAAiB;IAYzB;;;;;;;;;;;;;;;;;;;;OAoBG;WACU,OAAO,CAClB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CA2BlE"}

package/dist/src/engine/pool.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../../../src/engine/pool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,MAAM,MAAM,WAAW,CAAC;AAGpC,4CAA4C;AAC5C,MAAM,WAAW,WAAW;IAC1B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yDAAyD;IACzD,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,OAAO,CAAC,CAAC;CAC7D;AAOD;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA+C;IAC7E,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkC;IACxD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqB;IAClD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAA4B;gBAEtD,OAAO,EAAE,WAAW;IAMhC;;;;OAIG;IACG,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;IAcvD;;;;;OAKG;IACG,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA8CxE;;;OAGG;IACG,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBxC;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAgBd,eAAe;IAW7B,2DAA2D;IAC3D,OAAO,CAAC,SAAS;CAuClB"}
+{"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../../../src/engine/pool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,MAAM,MAAM,WAAW,CAAC;AAGpC,4CAA4C;AAC5C,MAAM,WAAW,WAAW;IAC1B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yDAAyD;IACzD,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,OAAO,CAAC,CAAC;CAC7D;AAOD;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA+C;IAC7E,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkC;IACxD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqB;IAClD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAA4B;gBAEtD,OAAO,EAAE,WAAW;IAMhC;;;;OAIG;IACG,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;IAcvD;;;;;OAKG;IACG,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkDxE;;;OAGG;IACG,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBxC;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAgBd,eAAe;IAW7B,2DAA2D;IAC3D,OAAO,CAAC,SAAS;CAuClB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "isol8",
-  "version": "0.7.0",
+  "version": "0.8.1",
   "description": "Secure code execution engine for AI agents",
   "author": "Illusion47586",
   "license": "MIT",
@@ -61,6 +61,8 @@
   },
   "devDependencies": {
     "@biomejs/biome": "^2.3.15",
+    "@commitlint/cli": "^20.4.1",
+    "@commitlint/config-conventional": "^20.4.1",
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/exec": "^7.1.0",
     "@semantic-release/git": "^10.0.1",
@@ -93,7 +95,8 @@
     }
   ],
   "simple-git-hooks": {
-    "pre-commit": "bun run lint-staged"
+    "pre-commit": "bun run lint-staged",
+    "commit-msg": "bunx commitlint --edit $1"
   },
   "lint-staged": {
     "*.{ts,tsx}": [
@@ -103,6 +106,9 @@
     "src/types.ts": [
       "bash -c 'bun run schema'",
       "git add schema/isol8.config.schema.json"
+    ],
+    "*.{yaml,yml,json}": [
+      "ultracite fix"
     ]
   }
 }

package/dist/docker/proxy.mjs

@@ -1,127 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * isol8 network proxy — lightweight HTTP/HTTPS filtering proxy.
- *
- * Reads whitelist/blacklist regex patterns from env vars and blocks
- * non-matching outbound requests with 403.
- *
- * Env vars:
- *   ISOL8_WHITELIST - JSON array of regex strings (allow these)
- *   ISOL8_BLACKLIST - JSON array of regex strings (block these)
- *   ISOL8_PROXY_PORT - Port to listen on (default: 8118)
- *
- * Logic:
- *   1. If blacklist matches → BLOCK
- *   2. If whitelist is non-empty and hostname doesn't match → BLOCK
- *   3. Otherwise → ALLOW
- */
-
-import http from "node:http";
-import net from "node:net";
-
-const port = Number.parseInt(process.env.ISOL8_PROXY_PORT || "8118", 10);
-
-const whitelist = parsePatterns(process.env.ISOL8_WHITELIST);
-const blacklist = parsePatterns(process.env.ISOL8_BLACKLIST);
-
-function parsePatterns(envVar) {
-  if (!envVar) {
-    return [];
-  }
-  try {
-    const arr = JSON.parse(envVar);
-    return arr.map((p) => new RegExp(p));
-  } catch {
-    return [];
-  }
-}
-
-function isAllowed(hostname) {
-  // Check blacklist first
-  for (const re of blacklist) {
-    if (re.test(hostname)) {
-      return false;
-    }
-  }
-
-  // If whitelist is empty, allow all (only blacklist applies)
-  if (whitelist.length === 0) {
-    return true;
-  }
-
-  // Otherwise, must match at least one whitelist pattern
-  for (const re of whitelist) {
-    if (re.test(hostname)) {
-      return true;
-    }
-  }
-
-  return false;
-}
-
-const server = http.createServer((req, res) => {
-  const url = new URL(req.url, `http://${req.headers.host}`);
-  const hostname = url.hostname;
-
-  if (!isAllowed(hostname)) {
-    res.writeHead(403, { "Content-Type": "text/plain" });
-    res.end(`isol8: request to ${hostname} blocked by network filter`);
-    return;
-  }
-
-  // Forward HTTP request
-  const proxyReq = http.request(
-    {
-      hostname: url.hostname,
-      port: url.port || 80,
-      path: url.pathname + url.search,
-      method: req.method,
-      headers: req.headers,
-    },
-    (proxyRes) => {
-      res.writeHead(proxyRes.statusCode, proxyRes.headers);
-      proxyRes.pipe(res);
-    }
-  );
-
-  proxyReq.on("error", (err) => {
-    res.writeHead(502, { "Content-Type": "text/plain" });
-    res.end(`isol8: proxy error: ${err.message}`);
-  });
-
-  req.pipe(proxyReq);
-});
-
-// Handle HTTPS CONNECT tunneling
-server.on("connect", (req, clientSocket, head) => {
-  const [hostname, port] = req.url.split(":");
-
-  if (!isAllowed(hostname)) {
-    clientSocket.write(
-      "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n" +
-        `isol8: CONNECT to ${hostname} blocked by network filter`
-    );
-    clientSocket.end();
-    return;
-  }
-
-  const serverSocket = net.connect(Number.parseInt(port || "443", 10), hostname, () => {
-    clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
-    serverSocket.write(head);
-    serverSocket.pipe(clientSocket);
-    clientSocket.pipe(serverSocket);
-  });
-
-  serverSocket.on("error", (err) => {
-    clientSocket.write(
-      "HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain\r\n\r\n" +
-        `isol8: tunnel error: ${err.message}`
-    );
-    clientSocket.end();
-  });
-});
-
-server.listen(port, "127.0.0.1", () => {
-  console.log(`isol8 proxy listening on 127.0.0.1:${port}`);
-});