isol8 0.8.0 → 0.8.2

package/README.md

@@ -15,6 +15,7 @@ Secure code execution engine for AI agents. Run untrusted Python, Node.js, Bun,
 - **Fast** — warm container pool for sub-100ms execution latency
 - **Security first** — read-only rootfs, `no-new-privileges`, PID/memory/CPU limits
 - **Network control** — `none` (default), `host`, or `filtered` (HTTP/HTTPS proxy with regex whitelist/blacklist)
+- **Secure File I/O** — streaming file content avoids process argument leaks
 - **File I/O** — upload files into and download files from sandboxes
 -   **Runtime packages** — install pip/npm/bun packages on-the-fly (`--install`)
 -   **Modern Node.js** — defaults to ESM (`.mjs`), supports CommonJS (`.cjs`)
@@ -275,6 +276,8 @@ const isol8 = new DockerIsol8({
 });
 ```
 
+In `filtered` mode, iptables rules are applied at the kernel level to ensure the `sandbox` user can **only** reach the internal filtering proxy (`127.0.0.1:8118`). All other outbound traffic from the sandbox user is dropped, preventing bypass via raw sockets or non-HTTP protocols.
+
 ## Configuration
 
 Create `isol8.config.json` in your project root or `~/.isol8/config.json`.

package/dist/cli.js

@@ -55088,7 +55088,11 @@ class ContainerPool {
     }
     try {
       const killExec = await container.exec({
-        Cmd: ["sh", "-c", "pkill -9 -u sandbox 2>/dev/null; true"]
+        Cmd: [
+          "sh",
+          "-c",
+          "pkill -9 -u sandbox 2>/dev/null; /usr/sbin/iptables -F OUTPUT 2>/dev/null; true"
+        ]
       });
       await killExec.start({ Detach: true });
       let killInfo = await killExec.inspect();
@@ -55279,25 +55283,31 @@ var exports_docker = {};
 __export(exports_docker, {
   DockerIsol8: () => DockerIsol8
 });
+import { spawn } from "node:child_process";
 import { randomUUID } from "node:crypto";
 import { existsSync as existsSync2, readFileSync as readFileSync2 } from "node:fs";
 import { PassThrough } from "node:stream";
 async function writeFileViaExec(container, filePath, content) {
   const data = typeof content === "string" ? Buffer.from(content, "utf-8") : content;
-  const b64 = data.toString("base64");
-  const exec = await container.exec({
-    Cmd: ["sh", "-c", `printf '%s' '${b64}' | base64 -d > ${filePath}`],
-    User: "sandbox"
+  return new Promise((resolve2, reject) => {
+    const child = spawn("docker", ["exec", "-i", "-u", "sandbox", container.id, "sh", "-c", `cat > ${filePath}`], {
+      stdio: ["pipe", "ignore", "pipe"]
+    });
+    child.on("error", (err) => {
+      reject(new Error(`Failed to spawn docker exec: ${err.message}`));
+    });
+    let stderr = "";
+    child.stderr.on("data", (chunk) => stderr += chunk.toString());
+    child.stdin.write(data);
+    child.stdin.end();
+    child.on("close", (code) => {
+      if (code !== 0) {
+        reject(new Error(`Failed to write file ${filePath}: ${stderr} (exit code ${code})`));
+      } else {
+        resolve2();
+      }
+    });
   });
-  await exec.start({ Detach: true });
-  let info2 = await exec.inspect();
-  while (info2.Running) {
-    await new Promise((r) => setTimeout(r, 50));
-    info2 = await exec.inspect();
-  }
-  if (info2.ExitCode !== 0) {
-    throw new Error(`Failed to write file ${filePath} in container (exit code ${info2.ExitCode})`);
-  }
 }
 async function readFileViaExec(container, filePath) {
   const exec = await container.exec({
@@ -55334,7 +55344,7 @@ async function startProxy(container, networkFilter) {
   }
   const envPrefix = envParts.length > 0 ? `${envParts.join(" ")} ` : "";
   const startExec = await container.exec({
-    Cmd: ["sh", "-c", `${envPrefix}node /usr/local/bin/proxy.mjs &`]
+    Cmd: ["sh", "-c", `${envPrefix}bash /usr/local/bin/proxy.sh &`]
   });
   await startExec.start({ Detach: true });
   const deadline = Date.now() + PROXY_STARTUP_TIMEOUT_MS;
@@ -55357,6 +55367,27 @@ async function startProxy(container, networkFilter) {
   }
   throw new Error("Proxy failed to start within timeout");
 }
+async function setupIptables(container) {
+  const rules = [
+    "/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT",
+    "/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
+    `/usr/sbin/iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport ${PROXY_PORT} -m owner --uid-owner 100 -j ACCEPT`,
+    "/usr/sbin/iptables -A OUTPUT -m owner --uid-owner 100 -j DROP"
+  ].join(" && ");
+  const exec = await container.exec({
+    Cmd: ["sh", "-c", rules]
+  });
+  await exec.start({ Detach: true });
+  let info2 = await exec.inspect();
+  while (info2.Running) {
+    await new Promise((r) => setTimeout(r, 50));
+    info2 = await exec.inspect();
+  }
+  if (info2.ExitCode !== 0) {
+    throw new Error(`Failed to set up iptables rules (exit code ${info2.ExitCode})`);
+  }
+  logger.debug("[Filtered] iptables rules applied — sandbox user restricted to proxy only");
+}
 function wrapWithTimeout(cmd, timeoutSec) {
   return ["timeout", "-s", "KILL", String(timeoutSec), ...cmd];
 }
@@ -55543,6 +55574,7 @@ class DockerIsol8 {
         await container.start();
         if (this.network === "filtered") {
           await startProxy(container, this.networkFilter);
+          await setupIptables(container);
         }
         const ext = req.fileExtension ?? adapter.getFileExtension();
         const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
@@ -55623,6 +55655,7 @@ class DockerIsol8 {
     try {
       if (this.network === "filtered") {
         await startProxy(container, this.networkFilter);
+        await setupIptables(container);
       }
       const ext = req.fileExtension ?? adapter.getFileExtension();
       const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
@@ -55782,6 +55815,7 @@ class DockerIsol8 {
     await this.container.start();
     if (this.network === "filtered") {
       await startProxy(this.container, this.networkFilter);
+      await setupIptables(this.container);
     }
     this.persistentRuntime = adapter;
   }
@@ -55802,6 +55836,7 @@ class DockerIsol8 {
     };
     if (this.network === "filtered") {
       config.NetworkMode = "bridge";
+      config.CapAdd = ["NET_ADMIN"];
     } else if (this.network === "host") {
       config.NetworkMode = "host";
     }
@@ -55861,9 +55896,11 @@ class DockerIsol8 {
         env2.push(`${key}=${value}`);
       }
     }
-    if (this.network === "filtered" && this.networkFilter) {
-      env2.push(`ISOL8_WHITELIST=${JSON.stringify(this.networkFilter.whitelist)}`);
-      env2.push(`ISOL8_BLACKLIST=${JSON.stringify(this.networkFilter.blacklist)}`);
+    if (this.network === "filtered") {
+      if (this.networkFilter) {
+        env2.push(`ISOL8_WHITELIST=${JSON.stringify(this.networkFilter.whitelist)}`);
+        env2.push(`ISOL8_BLACKLIST=${JSON.stringify(this.networkFilter.blacklist)}`);
+      }
       env2.push(`HTTP_PROXY=http://127.0.0.1:${PROXY_PORT}`);
       env2.push(`HTTPS_PROXY=http://127.0.0.1:${PROXY_PORT}`);
       env2.push(`http_proxy=http://127.0.0.1:${PROXY_PORT}`);
@@ -55938,11 +55975,16 @@ class DockerIsol8 {
       let stderr = "";
       let truncated = false;
       let settled = false;
+      let stdoutEnded = false;
+      let stderrEnded = false;
       const timer = setTimeout(() => {
         if (settled) {
           return;
         }
         settled = true;
+        if (stream.destroy) {
+          stream.destroy();
+        }
         resolve2({ stdout, stderr: `${stderr}
 --- EXECUTION TIMED OUT ---`, truncated });
       }, timeoutMs);
@@ -55965,13 +56007,23 @@ class DockerIsol8 {
           truncated = true;
         }
       });
-      stream.on("end", () => {
+      const checkDone = () => {
         if (settled) {
           return;
         }
-        settled = true;
-        clearTimeout(timer);
-        resolve2({ stdout, stderr, truncated });
+        if (stdoutEnded && stderrEnded) {
+          settled = true;
+          clearTimeout(timer);
+          resolve2({ stdout, stderr, truncated });
+        }
+      };
+      stdoutStream.on("end", () => {
+        stdoutEnded = true;
+        checkDone();
+      });
+      stderrStream.on("end", () => {
+        stderrEnded = true;
+        checkDone();
       });
       stream.on("error", (err) => {
         if (settled) {
@@ -55981,6 +56033,18 @@ class DockerIsol8 {
         clearTimeout(timer);
         reject(err);
       });
+      stream.on("end", () => {
+        if (settled) {
+          return;
+        }
+        setTimeout(() => {
+          if (!settled) {
+            stdoutEnded = true;
+            stderrEnded = true;
+            checkDone();
+          }
+        }, 100);
+      });
     });
   }
   postProcessOutput(output, _truncated) {
@@ -56025,7 +56089,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "isol8",
-    version: "0.7.0",
+    version: "0.8.1",
     description: "Secure code execution engine for AI agents",
     author: "Illusion47586",
     license: "MIT",
@@ -61371,7 +61435,7 @@ async function buildBaseImages(docker, onProgress) {
     const target = adapter.name;
     onProgress?.({ runtime: target, status: "building" });
     try {
-      const stream = await docker.buildImage({ context: DOCKERFILE_DIR, src: ["Dockerfile", "proxy.mjs"] }, {
+      const stream = await docker.buildImage({ context: DOCKERFILE_DIR, src: ["Dockerfile", "proxy.sh", "proxy-handler.sh"] }, {
         t: adapter.image,
         target,
         dockerfile: "Dockerfile"
@@ -62032,4 +62096,4 @@ if (!process.argv.slice(2).length) {
 }
 program2.parse();
 
-//# debugId=BD6BAC9840A8A53E64756E2164756E21
+//# debugId=2B71A68DA2ABDB9664756E2164756E21

package/dist/docker/Dockerfile

@@ -1,9 +1,10 @@
 # ── Base ──────────────────────────────────────────────────────────────
 FROM alpine:3.21 AS base
-RUN apk add --no-cache tini curl ca-certificates \
+RUN apk add --no-cache tini curl ca-certificates iptables bash \
     && addgroup -S sandbox && adduser -S sandbox -G sandbox -h /sandbox
-COPY proxy.mjs /usr/local/bin/proxy.mjs
-RUN chmod +x /usr/local/bin/proxy.mjs
+COPY proxy.sh /usr/local/bin/proxy.sh
+COPY proxy-handler.sh /usr/local/bin/proxy-handler.sh
+RUN chmod +x /usr/local/bin/proxy.sh /usr/local/bin/proxy-handler.sh
 WORKDIR /sandbox
 ENTRYPOINT ["/sbin/tini", "--"]
 
@@ -19,7 +20,7 @@ CMD ["node"]
 
 # ── Bun ───────────────────────────────────────────────────────────────
 FROM base AS bun
-RUN apk add --no-cache bash unzip libstdc++ libgcc \
+RUN apk add --no-cache unzip libstdc++ libgcc \
     && curl -fsSL https://bun.sh/install | bash \
     && mv /root/.bun/bin/bun /usr/local/bin/bun \
     && ln -s /usr/local/bin/bun /usr/local/bin/bunx
@@ -27,15 +28,15 @@ CMD ["bun"]
 
 # ── Deno ──────────────────────────────────────────────────────────────
 FROM denoland/deno:alpine AS deno
-RUN apk add --no-cache tini curl ca-certificates \
+RUN apk add --no-cache tini curl ca-certificates iptables bash \
     && addgroup -S sandbox && adduser -S sandbox -G sandbox -h /sandbox
-COPY proxy.mjs /usr/local/bin/proxy.mjs
-RUN chmod +x /usr/local/bin/proxy.mjs
+COPY proxy.sh /usr/local/bin/proxy.sh
+COPY proxy-handler.sh /usr/local/bin/proxy-handler.sh
+RUN chmod +x /usr/local/bin/proxy.sh /usr/local/bin/proxy-handler.sh
 WORKDIR /sandbox
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ["deno"]
 
 # ── Bash ──────────────────────────────────────────────────────────────
 FROM base AS bash
-RUN apk add --no-cache bash
 CMD ["bash"]

package/dist/docker/proxy-handler.sh

@@ -0,0 +1,134 @@
+#!/bin/bash
+# isol8 proxy handler — handles a single proxied connection.
+#
+# Invoked by: nc -lk -e proxy-handler.sh
+# stdin/stdout are wired to the client socket by nc.
+#
+# Env vars (inherited from proxy.sh launcher):
+#   ISOL8_WHITELIST_FILE - Path to file with whitelist regex patterns
+#   ISOL8_BLACKLIST_FILE - Path to file with blacklist regex patterns
+#
+# Supports:
+#   - HTTPS CONNECT tunneling (bidirectional relay via exec nc)
+#   - HTTP forwarding (GET/POST/etc via bash /dev/tcp)
+
+WL="${ISOL8_WHITELIST_FILE:-}"
+BL="${ISOL8_BLACKLIST_FILE:-}"
+
+is_allowed() {
+  local host="$1"
+
+  # Check blacklist first
+  if [ -n "$BL" ] && [ -s "$BL" ]; then
+    if echo "$host" | grep -qEf "$BL" 2>/dev/null; then
+      return 1
+    fi
+  fi
+
+  # If whitelist is empty or missing, allow all
+  if [ -z "$WL" ] || [ ! -s "$WL" ]; then
+    return 0
+  fi
+
+  # Must match at least one whitelist pattern
+  if echo "$host" | grep -qEf "$WL" 2>/dev/null; then
+    return 0
+  fi
+
+  return 1
+}
+
+# Read the request line
+# e.g. "CONNECT host:443 HTTP/1.1" or "GET http://host/path HTTP/1.1"
+read -r request_line || exit 0
+request_line="${request_line%%$'\r'}"
+
+method="${request_line%% *}"
+rest="${request_line#* }"
+target="${rest%% *}"
+
+# Read and store all headers until blank line
+headers=""
+content_length=0
+while IFS= read -r hline; do
+  hline="${hline%%$'\r'}"
+  [ -z "$hline" ] && break
+  headers="${headers}${hline}"$'\n'
+  # Extract Content-Length
+  case "$hline" in
+    [Cc]ontent-[Ll]ength:*)
+      content_length="${hline#*: }"
+      content_length="${content_length// /}"
+      ;;
+  esac
+done
+
+# ── CONNECT (HTTPS tunneling) ──────────────────────────────────────────
+if [ "$method" = "CONNECT" ]; then
+  host="${target%%:*}"
+  port="${target##*:}"
+  [ "$port" = "$host" ] && port=443
+
+  if ! is_allowed "$host"; then
+    msg="isol8: CONNECT to ${host} blocked by network filter"
+    printf "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n%s" \
+      "${#msg}" "$msg"
+    exit 0
+  fi
+
+  # Send 200 then replace this process with nc for bidirectional relay.
+  # nc inherits the client socket on stdin/stdout from the nc -lk -e parent.
+  printf "HTTP/1.1 200 Connection Established\r\n\r\n"
+  exec nc "$host" "$port"
+fi
+
+# ── HTTP forwarding ────────────────────────────────────────────────────
+# Proxy HTTP requests use absolute URLs: GET http://host:port/path HTTP/1.1
+url_rest="${target#*://}"
+hostport="${url_rest%%/*}"
+path="/${url_rest#*/}"
+# Handle URLs with no path component
+[ "$path" = "/${url_rest}" ] && path="/"
+
+host="${hostport%%:*}"
+port="${hostport##*:}"
+[ "$port" = "$host" ] && port=80
+
+if ! is_allowed "$host"; then
+  msg="isol8: request to ${host} blocked by network filter"
+  printf "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n%s" \
+    "${#msg}" "$msg"
+  exit 0
+fi
+
+# Open TCP connection via bash /dev/tcp
+if ! exec 3<>/dev/tcp/"$host"/"$port" 2>/dev/null; then
+  msg="isol8: proxy error: connection to ${host}:${port} failed"
+  printf "HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n%s" \
+    "${#msg}" "$msg"
+  exit 0
+fi
+
+# Send request line with relative path (not absolute URL)
+printf "%s %s HTTP/1.1\r\n" "$method" "$path" >&3
+
+# Forward headers, skipping Proxy-* headers
+while IFS= read -r h; do
+  [ -z "$h" ] && continue
+  case "$h" in
+    Proxy-*|proxy-*) continue ;;
+  esac
+  printf "%s\r\n" "$h" >&3
+done <<< "$headers"
+printf "\r\n" >&3
+
+# Forward request body if present
+if [ "$content_length" -gt 0 ] 2>/dev/null; then
+  head -c "$content_length" >&3
+fi
+
+# Relay response back to client
+cat <&3
+
+exec 3>&-
+exit 0

package/dist/docker/proxy.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+# isol8 proxy launcher — parses env vars and starts the proxy listener.
+#
+# Env vars:
+#   ISOL8_WHITELIST  - JSON array of regex strings (allow these)
+#   ISOL8_BLACKLIST  - JSON array of regex strings (block these)
+#   ISOL8_PROXY_PORT - Port to listen on (default: 8118)
+#
+# This script:
+#   1. Parses ISOL8_WHITELIST/BLACKLIST JSON arrays into grep-compatible pattern files
+#   2. Starts nc -lk -e /usr/local/bin/proxy-handler.sh on the specified port
+#
+# The pattern files are stored in /tmp/isol8-proxy/ and exported as env vars
+# so the handler (forked by nc -e) can access them via inherited environment.
+
+PORT="${ISOL8_PROXY_PORT:-8118}"
+PROXY_DIR="/tmp/isol8-proxy"
+mkdir -p "$PROXY_DIR"
+
+WL_FILE="$PROXY_DIR/whitelist"
+BL_FILE="$PROXY_DIR/blacklist"
+
+# Parse JSON array of regex strings into a file with one ERE pattern per line.
+# Input: JSON like '["^example\\.com$","^api\\."]'
+# Output: file with one grep -E compatible pattern per line
+parse_patterns() {
+  local json="$1" outfile="$2"
+  : > "$outfile"
+  if [ -z "$json" ] || [ "$json" = "[]" ]; then
+    return
+  fi
+  # Strip brackets, split on ","  → one quoted pattern per line
+  # Then strip quotes and unescape doubled backslashes from JSON encoding
+  echo "$json" \
+    | sed 's/^\[//; s/\]$//' \
+    | sed 's/","/"\n"/g' \
+    | sed 's/^"//; s/"$//' \
+    | sed 's/\\\\/\\/g' \
+    > "$outfile"
+}
+
+parse_patterns "${ISOL8_WHITELIST:-}" "$WL_FILE"
+parse_patterns "${ISOL8_BLACKLIST:-}" "$BL_FILE"
+
+# Export paths so the handler (forked by nc -e) can find them
+export ISOL8_WHITELIST_FILE="$WL_FILE"
+export ISOL8_BLACKLIST_FILE="$BL_FILE"
+
+echo "isol8 proxy listening on 127.0.0.1:${PORT}"
+
+# Start listening — nc -lk provides a persistent server that forks
+# a handler for each connection with stdin/stdout wired to the socket
+exec nc -lk -s 127.0.0.1 -p "$PORT" -e /usr/local/bin/proxy-handler.sh

package/dist/index.js

@@ -264,7 +264,11 @@ class ContainerPool {
     }
     try {
       const killExec = await container.exec({
-        Cmd: ["sh", "-c", "pkill -9 -u sandbox 2>/dev/null; true"]
+        Cmd: [
+          "sh",
+          "-c",
+          "pkill -9 -u sandbox 2>/dev/null; /usr/sbin/iptables -F OUTPUT 2>/dev/null; true"
+        ]
       });
       await killExec.start({ Detach: true });
       let killInfo = await killExec.inspect();
@@ -447,26 +451,32 @@ var exports_docker = {};
 __export(exports_docker, {
   DockerIsol8: () => DockerIsol8
 });
+import { spawn } from "node:child_process";
 import { randomUUID } from "node:crypto";
 import { existsSync as existsSync2, readFileSync as readFileSync2 } from "node:fs";
 import { PassThrough } from "node:stream";
 import Docker from "dockerode";
 async function writeFileViaExec(container, filePath, content) {
   const data = typeof content === "string" ? Buffer.from(content, "utf-8") : content;
-  const b64 = data.toString("base64");
-  const exec = await container.exec({
-    Cmd: ["sh", "-c", `printf '%s' '${b64}' | base64 -d > ${filePath}`],
-    User: "sandbox"
+  return new Promise((resolve2, reject) => {
+    const child = spawn("docker", ["exec", "-i", "-u", "sandbox", container.id, "sh", "-c", `cat > ${filePath}`], {
+      stdio: ["pipe", "ignore", "pipe"]
+    });
+    child.on("error", (err) => {
+      reject(new Error(`Failed to spawn docker exec: ${err.message}`));
+    });
+    let stderr = "";
+    child.stderr.on("data", (chunk) => stderr += chunk.toString());
+    child.stdin.write(data);
+    child.stdin.end();
+    child.on("close", (code) => {
+      if (code !== 0) {
+        reject(new Error(`Failed to write file ${filePath}: ${stderr} (exit code ${code})`));
+      } else {
+        resolve2();
+      }
+    });
   });
-  await exec.start({ Detach: true });
-  let info = await exec.inspect();
-  while (info.Running) {
-    await new Promise((r) => setTimeout(r, 50));
-    info = await exec.inspect();
-  }
-  if (info.ExitCode !== 0) {
-    throw new Error(`Failed to write file ${filePath} in container (exit code ${info.ExitCode})`);
-  }
 }
 async function readFileViaExec(container, filePath) {
   const exec = await container.exec({
@@ -503,7 +513,7 @@ async function startProxy(container, networkFilter) {
   }
   const envPrefix = envParts.length > 0 ? `${envParts.join(" ")} ` : "";
   const startExec = await container.exec({
-    Cmd: ["sh", "-c", `${envPrefix}node /usr/local/bin/proxy.mjs &`]
+    Cmd: ["sh", "-c", `${envPrefix}bash /usr/local/bin/proxy.sh &`]
   });
   await startExec.start({ Detach: true });
   const deadline = Date.now() + PROXY_STARTUP_TIMEOUT_MS;
@@ -526,6 +536,27 @@ async function startProxy(container, networkFilter) {
   }
   throw new Error("Proxy failed to start within timeout");
 }
+async function setupIptables(container) {
+  const rules = [
+    "/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT",
+    "/usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
+    `/usr/sbin/iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport ${PROXY_PORT} -m owner --uid-owner 100 -j ACCEPT`,
+    "/usr/sbin/iptables -A OUTPUT -m owner --uid-owner 100 -j DROP"
+  ].join(" && ");
+  const exec = await container.exec({
+    Cmd: ["sh", "-c", rules]
+  });
+  await exec.start({ Detach: true });
+  let info = await exec.inspect();
+  while (info.Running) {
+    await new Promise((r) => setTimeout(r, 50));
+    info = await exec.inspect();
+  }
+  if (info.ExitCode !== 0) {
+    throw new Error(`Failed to set up iptables rules (exit code ${info.ExitCode})`);
+  }
+  logger.debug("[Filtered] iptables rules applied — sandbox user restricted to proxy only");
+}
 function wrapWithTimeout(cmd, timeoutSec) {
   return ["timeout", "-s", "KILL", String(timeoutSec), ...cmd];
 }
@@ -712,6 +743,7 @@ class DockerIsol8 {
         await container.start();
         if (this.network === "filtered") {
           await startProxy(container, this.networkFilter);
+          await setupIptables(container);
         }
         const ext = req.fileExtension ?? adapter.getFileExtension();
         const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
@@ -792,6 +824,7 @@ class DockerIsol8 {
     try {
       if (this.network === "filtered") {
         await startProxy(container, this.networkFilter);
+        await setupIptables(container);
       }
       const ext = req.fileExtension ?? adapter.getFileExtension();
       const filePath = `${SANDBOX_WORKDIR}/main${ext}`;
@@ -951,6 +984,7 @@ class DockerIsol8 {
     await this.container.start();
     if (this.network === "filtered") {
       await startProxy(this.container, this.networkFilter);
+      await setupIptables(this.container);
     }
     this.persistentRuntime = adapter;
   }
@@ -971,6 +1005,7 @@ class DockerIsol8 {
     };
     if (this.network === "filtered") {
       config.NetworkMode = "bridge";
+      config.CapAdd = ["NET_ADMIN"];
     } else if (this.network === "host") {
       config.NetworkMode = "host";
     }
@@ -1030,9 +1065,11 @@ class DockerIsol8 {
         env.push(`${key}=${value}`);
       }
     }
-    if (this.network === "filtered" && this.networkFilter) {
-      env.push(`ISOL8_WHITELIST=${JSON.stringify(this.networkFilter.whitelist)}`);
-      env.push(`ISOL8_BLACKLIST=${JSON.stringify(this.networkFilter.blacklist)}`);
+    if (this.network === "filtered") {
+      if (this.networkFilter) {
+        env.push(`ISOL8_WHITELIST=${JSON.stringify(this.networkFilter.whitelist)}`);
+        env.push(`ISOL8_BLACKLIST=${JSON.stringify(this.networkFilter.blacklist)}`);
+      }
       env.push(`HTTP_PROXY=http://127.0.0.1:${PROXY_PORT}`);
       env.push(`HTTPS_PROXY=http://127.0.0.1:${PROXY_PORT}`);
       env.push(`http_proxy=http://127.0.0.1:${PROXY_PORT}`);
@@ -1107,11 +1144,16 @@ class DockerIsol8 {
       let stderr = "";
       let truncated = false;
       let settled = false;
+      let stdoutEnded = false;
+      let stderrEnded = false;
       const timer = setTimeout(() => {
         if (settled) {
           return;
         }
         settled = true;
+        if (stream.destroy) {
+          stream.destroy();
+        }
         resolve2({ stdout, stderr: `${stderr}
 --- EXECUTION TIMED OUT ---`, truncated });
       }, timeoutMs);
@@ -1134,13 +1176,23 @@ class DockerIsol8 {
           truncated = true;
         }
       });
-      stream.on("end", () => {
+      const checkDone = () => {
         if (settled) {
           return;
         }
-        settled = true;
-        clearTimeout(timer);
-        resolve2({ stdout, stderr, truncated });
+        if (stdoutEnded && stderrEnded) {
+          settled = true;
+          clearTimeout(timer);
+          resolve2({ stdout, stderr, truncated });
+        }
+      };
+      stdoutStream.on("end", () => {
+        stdoutEnded = true;
+        checkDone();
+      });
+      stderrStream.on("end", () => {
+        stderrEnded = true;
+        checkDone();
       });
       stream.on("error", (err) => {
         if (settled) {
@@ -1150,6 +1202,18 @@ class DockerIsol8 {
         clearTimeout(timer);
         reject(err);
       });
+      stream.on("end", () => {
+        if (settled) {
+          return;
+        }
+        setTimeout(() => {
+          if (!settled) {
+            stdoutEnded = true;
+            stderrEnded = true;
+            checkDone();
+          }
+        }, 100);
+      });
     });
   }
   postProcessOutput(output, _truncated) {
@@ -1393,7 +1457,7 @@ init_logger();
 // package.json
 var package_default = {
   name: "isol8",
-  version: "0.7.0",
+  version: "0.8.1",
   description: "Secure code execution engine for AI agents",
   author: "Illusion47586",
   license: "MIT",
@@ -1728,4 +1792,4 @@ export {
   BunAdapter
 };
 
-//# debugId=94A90BFCC4E9D3A764756E2164756E21
+//# debugId=3E8DBF80E2D1D77264756E2164756E21

package/dist/src/engine/docker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../src/engine/docker.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,MAAM,MAAM,WAAW,CAAC;AAG/B,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,WAAW,EAEX,YAAY,EAIZ,WAAW,EACZ,MAAM,UAAU,CAAC;AAoPlB,2HAA2H;AAC3H,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,WAAY,YAAW,WAAW;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAY;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAU;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAEjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAElC,OAAO,CAAC,SAAS,CAAiC;IAClD,OAAO,CAAC,iBAAiB,CAA+B;IACxD,OAAO,CAAC,IAAI,CAA8B;IAE1C;;;OAGG;gBACS,OAAO,GAAE,kBAAuB,EAAE,aAAa,SAAK;IAwBhE;;;OAGG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAK5B,kFAAkF;IAC5E,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB3B;;;OAGG;IACG,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAW9D;;;;;;;OAOG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB5C,6GAA6G;IAC7G,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED;;;OAGG;IACI,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC;YAqFzD,YAAY;YAcZ,gBAAgB;YAyGhB,iBAAiB;YA8FjB,aAAa;YAkBb,oBAAoB;YASpB,wBAAwB;IA2BtC,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IAsBvB,OAAO,CAAC,iBAAiB;IA+BzB,OAAO,CAAC,yBAAyB;IAyBjC,OAAO,CAAC,QAAQ;YAmCD,gBAAgB;YA8EjB,iBAAiB;IA8D/B,OAAO,CAAC,iBAAiB;IAYzB;;;;;;;;;;;;;;;;;;;;OAoBG;WACU,OAAO,CAClB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CA2BlE"}
+{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../src/engine/docker.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,MAAM,MAAM,WAAW,CAAC;AAG/B,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,WAAW,EAEX,YAAY,EAIZ,WAAW,EACZ,MAAM,UAAU,CAAC;AAiTlB,2HAA2H;AAC3H,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,oFAAoF;IACpF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,WAAY,YAAW,WAAW;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAY;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAsB;IACrD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAU;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;IACjD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;IAC1C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAEjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAElC,OAAO,CAAC,SAAS,CAAiC;IAClD,OAAO,CAAC,iBAAiB,CAA+B;IACxD,OAAO,CAAC,IAAI,CAA8B;IAE1C;;;OAGG;gBACS,OAAO,GAAE,kBAAuB,EAAE,aAAa,SAAK;IAwBhE;;;OAGG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAK5B,kFAAkF;IAC5E,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB3B;;;OAGG;IACG,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAW9D;;;;;;;OAOG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAYpE;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmB5C,6GAA6G;IAC7G,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED;;;OAGG;IACI,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAAC,WAAW,CAAC;YAsFzD,YAAY;YAcZ,gBAAgB;YA0GhB,iBAAiB;YA8FjB,aAAa;YAkBb,oBAAoB;YASpB,wBAAwB;IA4BtC,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,iBAAiB;IA+BzB,OAAO,CAAC,yBAAyB;IAyBjC,OAAO,CAAC,QAAQ;YAwCD,gBAAgB;YA8EjB,iBAAiB;IAiG/B,OAAO,CAAC,iBAAiB;IAYzB;;;;;;;;;;;;;;;;;;;;OAoBG;WACU,OAAO,CAClB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CA2BlE"}

package/dist/src/engine/pool.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../../../src/engine/pool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,MAAM,MAAM,WAAW,CAAC;AAGpC,4CAA4C;AAC5C,MAAM,WAAW,WAAW;IAC1B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yDAAyD;IACzD,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,OAAO,CAAC,CAAC;CAC7D;AAOD;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA+C;IAC7E,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkC;IACxD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqB;IAClD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAA4B;gBAEtD,OAAO,EAAE,WAAW;IAMhC;;;;OAIG;IACG,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;IAcvD;;;;;OAKG;IACG,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA8CxE;;;OAGG;IACG,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBxC;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAgBd,eAAe;IAW7B,2DAA2D;IAC3D,OAAO,CAAC,SAAS;CAuClB"}
+{"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../../../src/engine/pool.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,MAAM,MAAM,WAAW,CAAC;AAGpC,4CAA4C;AAC5C,MAAM,WAAW,WAAW;IAC1B,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yDAAyD;IACzD,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,OAAO,CAAC,CAAC;CAC7D;AAOD;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA+C;IAC7E,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkC;IACxD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAqB;IAClD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAA4B;gBAEtD,OAAO,EAAE,WAAW;IAMhC;;;;OAIG;IACG,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;IAcvD;;;;;OAKG;IACG,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkDxE;;;OAGG;IACG,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBxC;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAgBd,eAAe;IAW7B,2DAA2D;IAC3D,OAAO,CAAC,SAAS;CAuClB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "isol8",
-  "version": "0.8.0",
+  "version": "0.8.2",
   "description": "Secure code execution engine for AI agents",
   "author": "Illusion47586",
   "license": "MIT",

package/dist/docker/proxy.mjs

@@ -1,127 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * isol8 network proxy — lightweight HTTP/HTTPS filtering proxy.
- *
- * Reads whitelist/blacklist regex patterns from env vars and blocks
- * non-matching outbound requests with 403.
- *
- * Env vars:
- *   ISOL8_WHITELIST - JSON array of regex strings (allow these)
- *   ISOL8_BLACKLIST - JSON array of regex strings (block these)
- *   ISOL8_PROXY_PORT - Port to listen on (default: 8118)
- *
- * Logic:
- *   1. If blacklist matches → BLOCK
- *   2. If whitelist is non-empty and hostname doesn't match → BLOCK
- *   3. Otherwise → ALLOW
- */
-
-import http from "node:http";
-import net from "node:net";
-
-const port = Number.parseInt(process.env.ISOL8_PROXY_PORT || "8118", 10);
-
-const whitelist = parsePatterns(process.env.ISOL8_WHITELIST);
-const blacklist = parsePatterns(process.env.ISOL8_BLACKLIST);
-
-function parsePatterns(envVar) {
-  if (!envVar) {
-    return [];
-  }
-  try {
-    const arr = JSON.parse(envVar);
-    return arr.map((p) => new RegExp(p));
-  } catch {
-    return [];
-  }
-}
-
-function isAllowed(hostname) {
-  // Check blacklist first
-  for (const re of blacklist) {
-    if (re.test(hostname)) {
-      return false;
-    }
-  }
-
-  // If whitelist is empty, allow all (only blacklist applies)
-  if (whitelist.length === 0) {
-    return true;
-  }
-
-  // Otherwise, must match at least one whitelist pattern
-  for (const re of whitelist) {
-    if (re.test(hostname)) {
-      return true;
-    }
-  }
-
-  return false;
-}
-
-const server = http.createServer((req, res) => {
-  const url = new URL(req.url, `http://${req.headers.host}`);
-  const hostname = url.hostname;
-
-  if (!isAllowed(hostname)) {
-    res.writeHead(403, { "Content-Type": "text/plain" });
-    res.end(`isol8: request to ${hostname} blocked by network filter`);
-    return;
-  }
-
-  // Forward HTTP request
-  const proxyReq = http.request(
-    {
-      hostname: url.hostname,
-      port: url.port || 80,
-      path: url.pathname + url.search,
-      method: req.method,
-      headers: req.headers,
-    },
-    (proxyRes) => {
-      res.writeHead(proxyRes.statusCode, proxyRes.headers);
-      proxyRes.pipe(res);
-    }
-  );
-
-  proxyReq.on("error", (err) => {
-    res.writeHead(502, { "Content-Type": "text/plain" });
-    res.end(`isol8: proxy error: ${err.message}`);
-  });
-
-  req.pipe(proxyReq);
-});
-
-// Handle HTTPS CONNECT tunneling
-server.on("connect", (req, clientSocket, head) => {
-  const [hostname, port] = req.url.split(":");
-
-  if (!isAllowed(hostname)) {
-    clientSocket.write(
-      "HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n" +
-        `isol8: CONNECT to ${hostname} blocked by network filter`
-    );
-    clientSocket.end();
-    return;
-  }
-
-  const serverSocket = net.connect(Number.parseInt(port || "443", 10), hostname, () => {
-    clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
-    serverSocket.write(head);
-    serverSocket.pipe(clientSocket);
-    clientSocket.pipe(serverSocket);
-  });
-
-  serverSocket.on("error", (err) => {
-    clientSocket.write(
-      "HTTP/1.1 502 Bad Gateway\r\nContent-Type: text/plain\r\n\r\n" +
-        `isol8: tunnel error: ${err.message}`
-    );
-    clientSocket.end();
-  });
-});
-
-server.listen(port, "127.0.0.1", () => {
-  console.log(`isol8 proxy listening on 127.0.0.1:${port}`);
-});