sandboxbox 1.0.0

package/lib/bubblewrap.js

@@ -0,0 +1,203 @@
+/**
+ * Portable bubblewrap binary manager
+ * Handles bundled, system, and downloaded bubblewrap binaries
+ */
+
+import fs from 'fs';
+import path from 'path';
+import https from 'https';
+import { execSync } from 'child_process';
+import { fileURLToPath } from 'url';
+import { dirname } from 'path';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+export class BubblewrapManager {
+  constructor() {
+    this.bwrapPath = null;
+    this.alpineRoot = path.join(
+      process.env.HOME || process.env.USERPROFILE,
+      '.cache',
+      'sandboxbox',
+      'alpine-root'
+    );
+  }
+
+  /**
+   * Find bubblewrap binary in this order:
+   * 1. Bundled binary (downloaded during npm install)
+   * 2. System binary
+   * 3. Throw error with helpful message
+   */
+  findBubblewrap() {
+    if (this.bwrapPath) {
+      return this.bwrapPath;
+    }
+
+    // Try bundled binary first
+    const bundledPath = path.join(__dirname, '..', 'bin', 'bwrap');
+    if (fs.existsSync(bundledPath)) {
+      try {
+        // Test if it works
+        execSync(`"${bundledPath}" --version`, { stdio: 'ignore' });
+        this.bwrapPath = bundledPath;
+        console.log('✅ Using bundled bubblewrap');
+        return this.bwrapPath;
+      } catch (e) {
+        console.log('⚠️  Bundled bubblewrap not working, falling back to system...');
+      }
+    }
+
+    // Try system binary
+    try {
+      const systemBwrap = execSync('which bwrap', { encoding: 'utf8' }).trim();
+      if (systemBwrap && fs.existsSync(systemBwrap)) {
+        execSync(`"${systemBwrap}" --version`, { stdio: 'ignore' });
+        this.bwrapPath = systemBwrap;
+        console.log('✅ Using system bubblewrap');
+        return this.bwrapPath;
+      }
+    } catch (e) {
+      // System bwrap not available
+    }
+
+    // No bubblewrap found
+    throw new Error(`
+❌ Bubblewrap not found!
+
+💡 Easy fixes:
+1. Reinstall SandboxBox: npm uninstall sandboxbox && npm install sandboxbox
+2. Install system-wide: sudo apt-get install bubblewrap
+3. Install manually: https://github.com/containers/bubblewrap
+
+📦 SandboxBox works on Linux only and requires bubblewrap for container isolation.
+`);
+  }
+
+  /**
+   * Check if bubblewrap is available
+   */
+  isAvailable() {
+    try {
+      this.findBubblewrap();
+      return true;
+    } catch (e) {
+      return false;
+    }
+  }
+
+  /**
+   * Get bubblewrap version
+   */
+  getVersion() {
+    try {
+      const bwrapPath = this.findBubblewrap();
+      const version = execSync(`"${bwrapPath}" --version`, { encoding: 'utf8' });
+      return version.trim();
+    } catch (e) {
+      return 'Unknown';
+    }
+  }
+
+  /**
+   * Check if user namespaces are available
+   */
+  checkUserNamespaces() {
+    try {
+      // Try to create a user namespace
+      execSync('unshare -U true', { stdio: 'ignore' });
+      return true;
+    } catch (e) {
+      return false;
+    }
+  }
+
+  /**
+   * Setup Alpine Linux rootfs if needed
+   */
+  async ensureAlpineRoot() {
+    if (fs.existsSync(path.join(this.alpineRoot, 'bin', 'sh'))) {
+      return; // Already set up
+    }
+
+    console.log('🏔️  Setting up Alpine Linux environment...');
+
+    fs.mkdirSync(this.alpineRoot, { recursive: true });
+
+    // Download Alpine minirootfs
+    const alpineVersion = '3.20.2';
+    const arch = process.arch === 'x64' ? 'x86_64' : process.arch;
+    const tarball = `alpine-minirootfs-${alpineVersion}-${arch}.tar.gz`;
+    const tarballPath = path.join(this.alpineRoot, tarball);
+
+    console.log('📥 Downloading Alpine Linux...');
+    const url = `https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/${arch}/${tarball}`;
+
+    await new Promise((resolve, reject) => {
+      const file = fs.createWriteStream(tarballPath);
+
+      https.get(url, (response) => {
+        if (response.statusCode !== 200) {
+          reject(new Error(`HTTP ${response.statusCode}`));
+          return;
+        }
+
+        response.pipe(file);
+
+        file.on('finish', () => {
+          file.close();
+          resolve();
+        });
+      }).on('error', reject);
+    });
+
+    // Extract Alpine
+    console.log('📦 Extracting Alpine rootfs...');
+    execSync(`tar -xzf "${tarballPath}" -C "${this.alpineRoot}"`, { stdio: 'inherit' });
+    fs.unlinkSync(tarballPath);
+
+    // Install basic packages
+    console.log('🔧 Installing Node.js and Chromium...');
+    const bwrapPath = this.findBubblewrap();
+
+    execSync(`
+      "${bwrapPath}" \\
+        --ro-bind "${this.alpineRoot}" / \\
+        --proc /proc \\
+        --dev /dev \\
+        --tmpfs /tmp \\
+        --share-net \\
+        --die-with-parent \\
+        /bin/sh -c "
+          echo 'https://dl-cdn.alpinelinux.org/alpine/v3.20/main' > /etc/apk/repositories
+          echo 'https://dl-cdn.alpinelinux.org/alpine/v3.20/community' >> /etc/apk/repositories
+          apk update
+          apk add --no-cache nodejs npm chromium nss freetype harfbuzz ttf-freefont xvfb mesa-gl libx11 libxrandr libxss
+          echo '✅ Alpine setup complete'
+        "
+    `, { stdio: 'inherit' });
+
+    console.log('✅ Alpine Linux environment ready!');
+  }
+
+  /**
+   * Get Alpine root path
+   */
+  getAlpineRoot() {
+    return this.alpineRoot;
+  }
+
+  /**
+   * Cleanup cached files
+   */
+  cleanup() {
+    if (fs.existsSync(this.alpineRoot)) {
+      fs.rmSync(this.alpineRoot, { recursive: true, force: true });
+      console.log('🧹 Cleaned up Alpine cache');
+    }
+  }
+}
+
+// Export singleton instance
+export const bubblewrap = new BubblewrapManager();

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "sandboxbox",
+  "version": "1.0.0",
+  "description": "Zero-privilege container runner with Playwright support",
+  "type": "module",
+  "main": "index.js",
+  "bin": {
+    "sandboxbox": "./cli.js"
+  },
+  "scripts": {
+    "postinstall": "node scripts/download-bubblewrap.js",
+    "start": "node cli.js",
+    "setup": "node cli.js setup",
+    "build": "node cli.js build",
+    "run": "node cli.js run"
+  },
+  "keywords": [
+    "containers",
+    "playwright",
+    "bubblewrap",
+    "dockerless",
+    "sandbox",
+    "isolation",
+    "zero-privilege",
+    "userspace"
+  ],
+  "author": "",
+  "license": "MIT",
+  "dependencies": {},
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/AnEntrypoint/sandboxbox.git"
+  },
+  "homepage": "https://github.com/AnEntrypoint/sandboxbox#readme",
+  "bugs": {
+    "url": "https://github.com/AnEntrypoint/sandboxbox/issues"
+  }
+}

package/playwright.sh

@@ -0,0 +1,183 @@
+#!/bin/bash
+
+# Playwright Bubblewrap Wrapper Script
+# Addresses all Alpine/Playwright compatibility issues
+
+set -e
+
+# Configuration
+PROJECT_DIR="${1:-$(pwd)}"
+ALPINE_ROOT="$HOME/.bubblewrap-sandbox/alpine-playwright"
+COMMAND="${2:-npx playwright test}"
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+echo -e "${BLUE}🎭 Playwright + Bubblewrap Container Runner${NC}"
+echo -e "${BLUE}═════════════════════════════════════════════════════${NC}\n"
+
+# Check if bubblewrap is available
+if ! command -v bwrap &> /dev/null; then
+    echo -e "${RED}❌ Bubblewrap (bwrap) not found!${NC}"
+    echo -e "${YELLOW}📦 Install bubblewrap:${NC}"
+    echo -e "   Ubuntu/Debian:  sudo apt-get install bubblewrap"
+    echo -e "   Alpine:         sudo apk add bubblewrap"
+    echo -e "   CentOS/RHEL:    sudo yum install bubblewrap"
+    echo -e "   Arch:           sudo pacman -S bubblewrap"
+    echo ""
+    echo -e "${GREEN}✅ After installation, no root privileges required!${NC}"
+    exit 1
+fi
+
+echo -e "${GREEN}✅ Bubblewrap found: $(which bwrap)${NC}"
+
+# First-time setup
+if [ ! -d "$ALPINE_ROOT" ]; then
+    echo -e "${YELLOW}🏔️  Setting up Alpine Linux rootfs for Playwright...${NC}"
+    mkdir -p "$ALPINE_ROOT"
+    cd "$ALPINE_ROOT"
+
+    # Download Alpine minirootfs
+    ALPINE_VERSION="3.20.2"
+    ARCH="x86_64"
+    TARBALL="alpine-minirootfs-${ALPINE_VERSION}-${ARCH}.tar.gz"
+
+    if [ ! -f "$TARBALL" ]; then
+        echo -e "${BLUE}📥 Downloading Alpine Linux...${NC}"
+        wget -q "https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/${ARCH}/${TARBALL}"
+    fi
+
+    # Extract
+    echo -e "${BLUE}📦 Extracting Alpine rootfs...${NC}"
+    tar -xzf "$TARBALL"
+
+    # Setup Alpine with Playwright packages
+    echo -e "${BLUE}🔧 Installing Playwright dependencies in Alpine...${NC}"
+    bwrap \
+        --ro-bind "$ALPINE_ROOT" / \
+        --proc /proc \
+        --dev /dev \
+        --tmpfs /tmp \
+        --share-net \
+        --die-with-parent \
+        /bin/sh -c "
+            echo 'https://dl-cdn.alpinelinux.org/alpine/v3.20/main' > /etc/apk/repositories
+            echo 'https://dl-cdn.alpinelinux.org/alpine/v3.20/community' >> /etc/apk/repositories
+            apk update
+            apk add --no-cache \\
+                nodejs \\
+                npm \\
+                chromium \\
+                nss \\
+                freetype \\
+                harfbuzz \\
+                ttf-freefont \\
+                xvfb \\
+                mesa-gl \\
+                libx11 \\
+                libxrandr \\
+                libxss \\
+                bash \\
+                ca-certificates
+            npm install -g @anthropic-ai/claude-code
+            echo '✅ Alpine setup complete'
+        " || {
+            echo -e "${RED}❌ Alpine setup failed${NC}"
+            exit 1
+        }
+
+    # Create Playwright config
+    cat > "$ALPINE_ROOT/playwright.config.js" << 'EOF'
+export default defineConfig({
+  use: {
+    chromiumSandbox: false,
+    headless: true,
+    executablePath: '/usr/bin/chromium-browser',
+  },
+  projects: [
+    {
+      name: 'chromium',
+      use: {
+        executablePath: '/usr/bin/chromium-browser',
+      },
+    },
+  ],
+});
+EOF
+
+    echo -e "${GREEN}✅ Alpine setup complete!${NC}"
+fi
+
+# Verify project directory
+if [ ! -d "$PROJECT_DIR" ]; then
+    echo -e "${RED}❌ Project directory not found: $PROJECT_DIR${NC}"
+    exit 1
+fi
+
+echo -e "${BLUE}📁 Project directory: $PROJECT_DIR${NC}"
+echo -e "${BLUE}🎯 Command: $COMMAND${NC}"
+echo ""
+
+# Run Playwright in bubblewrap sandbox
+echo -e "${GREEN}🚀 Starting Playwright in bubblewrap sandbox...${NC}"
+
+bwrap \
+    --ro-bind "$ALPINE_ROOT" / \
+    --proc /proc \
+    --dev /dev \
+    --dev-bind /dev/dri /dev/dri \
+    --tmpfs /tmp \
+    --tmpfs /var/tmp \
+    --tmpfs /run \
+    --tmpfs /dev/shm \
+    --bind "$PROJECT_DIR" /workspace \
+    --chdir /workspace \
+    --bind /tmp/.X11-unix /tmp/.X11-unix \
+    --share-net \
+    --unshare-pid \
+    --unshare-ipc \
+    --unshare-uts \
+    --die-with-parent \
+    --new-session \
+    --as-pid-1 \
+    --hostname playwright-sandbox \
+    --setenv PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 \
+    --setenv PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser \
+    --setenv DISPLAY=:99 \
+    --setenv CI=true \
+    --setenv NODE_ENV=test \
+    --setenv CHROMIUM_FLAGS="--no-sandbox --disable-dev-shm-usage --disable-gpu" \
+    /bin/sh -c "
+        export PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1
+        export PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser
+        export DISPLAY=:99
+
+        # Start virtual display
+        Xvfb :99 -screen 0 1024x768x24 > /dev/null 2>&1 &
+        XVFB_PID=\$!
+
+        # Give Xvfb time to start
+        sleep 2
+
+        # Cleanup function
+        cleanup() {
+            if [ ! -z \"\$XVFB_PID\" ]; then
+                kill \$XVFB_PID 2>/dev/null || true
+            fi
+        }
+
+        # Trap cleanup
+        trap cleanup EXIT INT TERM
+
+        echo '🎭 Running Playwright tests...'
+        cd /workspace
+        $COMMAND
+    "
+
+echo ""
+echo -e "${GREEN}✅ Playwright tests completed!${NC}"
+echo -e "${BLUE}💡 Benefits: 8ms startup, true isolation, no Docker required${NC}"

package/run.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Claudtainer - Simple Wrapper Script
+# Usage: ./run.sh <command> [args]
+
+set -e
+
+# Get the directory where this script is located
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Run the CLI
+node "$SCRIPT_DIR/cli.js" "$@"

package/scripts/download-bubblewrap.js

@@ -0,0 +1,172 @@
+#!/usr/bin/env node
+
+/**
+ * Download bubblewrap binary during npm install
+ * Makes SandboxBox completely self-contained
+ */
+
+import https from 'https';
+import fs from 'fs';
+import path from 'path';
+import { execSync } from 'child_process';
+import { fileURLToPath } from 'url';
+import { dirname } from 'path';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+const BINARY_DIR = path.join(__dirname, '..', 'bin');
+const BWRAP_VERSION = '0.8.0';
+
+console.log('📦 Setting up SandboxBox with bubblewrap...');
+
+async function downloadBubblewrap() {
+  // Create binary directory
+  if (!fs.existsSync(BINARY_DIR)) {
+    fs.mkdirSync(BINARY_DIR, { recursive: true });
+  }
+
+  const binaryPath = path.join(BINARY_DIR, 'bwrap');
+
+  // Skip download on non-Linux platforms
+  if (process.platform !== 'linux') {
+    console.log('ℹ️  Skipping bubblewrap download on non-Linux platform');
+    console.log('   SandboxBox works on Linux only');
+    return;
+  }
+
+  // Try to use system bubblewrap first (fastest option)
+  try {
+    const systemBwrap = execSync('which bwrap', { encoding: 'utf8' }).trim();
+    if (systemBwrap && fs.existsSync(systemBwrap)) {
+      fs.copyFileSync(systemBwrap, binaryPath);
+      fs.chmodSync(binaryPath, 0o755);
+      console.log('✅ Using system bubblewrap:', systemBwrap);
+      return;
+    }
+  } catch (e) {
+    // System bwrap not found, continue with download
+  }
+
+  // Try to download pre-built binary
+  const arch = process.arch === 'x64' ? 'x86_64' : process.arch;
+  const binaryUrl = `https://github.com/containers/bubblewrap/releases/download/v${BWRAP_VERSION}/bubblewrap-${BWRAP_VERSION}.${arch}.tar.xz`;
+
+  try {
+    console.log('📥 Downloading bubblewrap binary...');
+
+    // Download with fallback
+    await new Promise((resolve, reject) => {
+      const file = fs.createWriteStream(path.join(BINARY_DIR, `bubblewrap-${BWRAP_VERSION}.tar.xz`));
+
+      https.get(binaryUrl, (response) => {
+        if (response.statusCode !== 200) {
+          reject(new Error(`HTTP ${response.statusCode}: ${response.statusMessage}`));
+          return;
+        }
+
+        response.pipe(file);
+
+        file.on('finish', () => {
+          file.close();
+          console.log('📦 Extracting bubblewrap...');
+
+          // Extract binary
+          try {
+            execSync(`tar -xf "${path.join(BINARY_DIR, `bubblewrap-${BWRAP_VERSION}.tar.xz`)}" -C "${BINARY_DIR}" --strip-components=1`, { stdio: 'inherit' });
+
+            // Move binary to expected location
+            const extractedBinary = path.join(BINARY_DIR, 'bin', 'bwrap');
+            if (fs.existsSync(extractedBinary)) {
+              fs.renameSync(extractedBinary, binaryPath);
+            } else {
+              // Try alternative extraction pattern
+              const altBinary = path.join(BINARY_DIR, 'bubblewrap-0.8.0', 'bwrap');
+              if (fs.existsSync(altBinary)) {
+                fs.renameSync(altBinary, binaryPath);
+              }
+            }
+
+            // Set executable permissions
+            fs.chmodSync(binaryPath, 0o755);
+
+            // Cleanup
+            fs.rmSync(path.join(BINARY_DIR, `bubblewrap-${BWRAP_VERSION}.tar.xz`), { force: true });
+            fs.rmSync(path.join(BINARY_DIR, 'bubblewrap-0.8.0'), { recursive: true, force: true });
+
+            console.log('✅ Bubblewrap downloaded successfully');
+            resolve();
+          } catch (extractError) {
+            reject(new Error(`Failed to extract: ${extractError.message}`));
+          }
+        });
+      }).on('error', reject);
+    });
+
+  } catch (downloadError) {
+    console.log('⚠️  Download failed, trying to compile from source...');
+    await compileBubblewrap(binaryPath);
+  }
+}
+
+async function compileBubblewrap(binaryPath) {
+  try {
+    console.log('🔨 Compiling bubblewrap from source...');
+
+    const tmpDir = fs.mkdtempSync(path.join(process.env.TMPDIR || '/tmp', 'bwrap-build-'));
+
+    try {
+      // Download source
+      execSync(`
+        cd "${tmpDir}" &&
+        wget -q https://github.com/containers/bubblewrap/releases/download/v${BWRAP_VERSION}/bubblewrap-${BWRAP_VERSION}.tar.xz &&
+        tar -xf bubblewrap-${BWRAP_VERSION}.tar.xz
+      `, { stdio: 'inherit' });
+
+      // Build dependencies check
+      try {
+        execSync('which gcc', { stdio: 'ignore' });
+      } catch (e) {
+        console.log('❌ GCC not found. Please install build-essential:');
+        console.log('   Ubuntu/Debian: sudo apt-get install build-essential');
+        console.log('   CentOS/RHEL: sudo yum groupinstall "Development Tools"');
+        console.log('   Or install bubblewrap system-wide: sudo apt-get install bubblewrap');
+        process.exit(1);
+      }
+
+      // Compile
+      execSync(`
+        cd "${tmpDir}/bubblewrap-${BWRAP_VERSION}" &&
+        ./configure --prefix="${tmpDir}/install" &&
+        make -j$(nproc 2>/dev/null || echo 4) &&
+        make install
+      `, { stdio: 'inherit' });
+
+      // Copy binary
+      fs.copyFileSync(path.join(tmpDir, 'install', 'bin', 'bwrap'), binaryPath);
+      fs.chmodSync(binaryPath, 0o755);
+
+      console.log('✅ Bubblewrap compiled successfully');
+
+    } finally {
+      // Cleanup
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+
+  } catch (compileError) {
+    console.log('❌ Failed to compile bubblewrap');
+    console.log('💡 Please install bubblewrap system-wide:');
+    console.log('   sudo apt-get install bubblewrap  # Ubuntu/Debian');
+    console.log('   sudo apk add bubblewrap          # Alpine');
+    console.log('   sudo yum install bubblewrap      # CentOS/RHEL');
+    console.log('');
+    console.log('Then try installing SandboxBox again.');
+    process.exit(1);
+  }
+}
+
+// Run the download
+downloadBubblewrap().catch(error => {
+  console.error('❌ Setup failed:', error.message);
+  process.exit(1);
+});

package/test-project/Dockerfile.sandboxbox

@@ -0,0 +1,20 @@
+# Sample Dockerfile for SandboxBox
+FROM alpine
+
+# Install Node.js and test dependencies
+RUN apk add --no-cache nodejs npm
+
+# Set working directory
+WORKDIR /app
+
+# Copy package files (if they exist)
+COPY package*.json ./
+
+# Install dependencies (if package.json exists)
+RUN if [ -f package.json ]; then npm install; fi
+
+# Copy application code
+COPY . .
+
+# Default command - run tests or start app
+CMD ["npm", "test"]