npm - sandboxbox - Versions diffs - 1.2.1 → 2.0.0 - Mend

sandboxbox 1.2.1 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/Dockerfile +80 -24
package/README.md +180 -99
package/cli.js +125 -160
package/package.json +11 -12
package/BUBBLEWRAP-REALITY.md +0 -210
package/USAGE.md +0 -111
package/container.js +0 -608
package/debug-cli.js +0 -15
package/lib/bubblewrap.js +0 -203
package/playwright.sh +0 -183
package/run.sh +0 -12
package/scripts/build.js +0 -303
package/scripts/download-bubblewrap.js +0 -186
package/test-cli.js +0 -72
package/test-project/Dockerfile.sandboxbox +0 -20

package/container.js DELETED Viewed

@@ -1,608 +0,0 @@
-#!/usr/bin/env node
-/**
- * Bubblewrap Container Runner - Playwright + True Isolation
- *
- * This uses bubblewrap for truly rootless container operation
- * Perfect for Playwright with 8ms startup and zero privileged setup
- *
- * Requirements:
- * - bubblewrap (bwrap) - install with: apt-get install bubblewrap
- * - No root access needed after installation
- */
-import { readFileSync, writeFileSync, existsSync, mkdirSync, cpSync } from 'fs';
-import { execSync, spawn } from 'child_process';
-import { join, resolve, dirname } from 'path';
-import { fileURLToPath } from 'url';
-import { bubblewrap } from './lib/bubblewrap.js';
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-class BubblewrapContainer {
-  constructor(options = {}) {
-    this.sandboxDir = options.sandboxDir || './sandboxbox-sandbox';
-    this.alpineRoot = bubblewrap.getAlpineRoot();
-    this.verbose = options.verbose !== false;
-    this.env = { ...process.env };
-    this.workdir = '/workspace';
-  }
-  /**
-   * Check if bubblewrap is available
-   */
-  checkBubblewrap() {
-    if (!bubblewrap.isAvailable()) {
-      throw new Error(bubblewrap.findBubblewrap().message);
-    }
-    return true;
-  }
-  /**
-   * Set up Alpine Linux rootfs with Playwright support
-   */
-  async setupAlpineRootfs() {
-    console.log('🏔️  Setting up Alpine Linux rootfs for Playwright...\n');
-    await bubblewrap.ensureAlpineRoot();
-    console.log('✅ Alpine rootfs ready!\n');
-  }
-  /**
-   * Install required packages in Alpine with Playwright compatibility fixes
-   */
-  async setupAlpinePackages() {
-    console.log('📦 Installing packages in Alpine with Playwright compatibility...');
-    // Create a temporary setup script addressing glibc/musl issues
-    const setupScript = `
-#!/bin/sh
-set -e
-# Setup repositories
-echo 'https://dl-cdn.alpinelinux.org/alpine/v3.20/main' > /etc/apk/repositories
-echo 'https://dl-cdn.alpinelinux.org/alpine/v3.20/community' >> /etc/apk/repositories
-# Update package index
-apk update
-# Install Node.js and required tools for Playwright on Alpine
-# NOTE: Using Alpine's system Chromium to avoid glibc/musl compatibility issues
-apk add --no-cache \\
-    nodejs \\
-    npm \\
-    chromium \\
-    nss \\
-    freetype \\
-    harfbuzz \\
-    ttf-freefont \\
-    ca-certificates \\
-    wget \\
-    curl \\
-    git \\
-    bash \\
-    xvfb \\
-    mesa-gl \\
-    libx11 \\
-    libxrandr \\
-    libxss \\
-    libgcc \\
-    libstdc++ \\
-    expat \\
-    dbus
-# Create workspace directory
-mkdir -p /workspace
-# Install Claude Code CLI
-npm install -g @anthropic-ai/claude-code
-# Create Playwright config for Alpine
-mkdir -p /workspace/playwright-config
-# Create Playwright configuration for Alpine (addresses sandbox conflicts)
-cat > /workspace/playwright.config.js << 'EOF'
-export default defineConfig({
-  use: {
-    // Required: Chromium's sandbox conflicts with bubblewrap's sandbox
-    chromiumSandbox: false,
-    headless: true,
-    // Use Alpine's system Chromium
-    executablePath: '/usr/bin/chromium-browser',
-  },
-  projects: [
-    {
-      name: 'chromium',
-      use: {
-        executablePath: '/usr/bin/chromium-browser',
-      },
-    },
-  ],
-  // Skip browser downloads since we use system Chromium
-  webServer: {
-    command: 'echo "Skipping browser download"',
-  },
-});
-EOF
-# Create test script that handles Chromium sandbox issues
-cat > /workspace/run-playwright.sh << 'EOF'
-#!/bin/sh
-set -e
-# Environment variables for Playwright on Alpine with bubblewrap
-export PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1
-export PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser
-export DISPLAY=:99
-# Start virtual display for headless operation
-Xvfb :99 -screen 0 1024x768x24 > /dev/null 2>&1 &
-XVFB_PID=$!
-# Give Xvfb time to start
-sleep 2
-# Cleanup function
-cleanup() {
-    if [ ! -z "$XVFB_PID" ]; then
-        kill $XVFB_PID 2>/dev/null || true
-    fi
-}
-# Trap cleanup
-trap cleanup EXIT INT TERM
-echo "🎭 Running Playwright in Alpine with bubblewrap isolation..."
-echo "📁 Workspace: $(pwd)"
-echo "🌐 Display: $DISPLAY"
-echo "🚀 Chromium: $(which chromium-browser)"
-# Run Playwright tests
-exec "$@"
-EOF
-chmod +x /workspace/run-playwright.sh
-echo "✅ Alpine setup complete with Playwright compatibility fixes"
-echo "📋 Installed: Node.js, Chromium, Xvfb, fonts, libraries"
-echo "🎯 Created: Playwright config and wrapper scripts"
-echo "⚠️  Note: Chromium-only (Firefox/WebKit need glibc - use Ubuntu)"
-`;
-    const scriptPath = join(this.sandboxDir, 'setup-alpine.sh');
-    writeFileSync(scriptPath, setupScript, { mode: 0o755 });
-    try {
-      // Run setup inside Alpine using bubblewrap
-      const bwrapCmd = [
-        'bwrap',
-        '--ro-bind', `${this.alpineRoot}`, '/',
-        '--proc', '/proc',
-        '--dev', '/dev',
-        '--tmpfs', '/tmp',
-        '--tmpfs', '/var/tmp',
-        '--tmpfs', '/run',
-        '--bind', `${this.sandboxDir}`, '/host',
-        '--share-net',
-        '--die-with-parent',
-        '--new-session',
-        scriptPath
-      ];
-      console.log('🔧 Running Alpine setup...');
-      execSync(bwrapCmd.join(' '), { stdio: 'inherit' });
-    } catch (error) {
-      throw new Error(`Alpine setup failed: ${error.message}`);
-    }
-  }
-  /**
-   * Run Playwright tests in bubblewrap sandbox with proper sandbox conflict handling
-   */
-  async runPlaywright(options = {}) {
-    this.checkBubblewrap();
-    const {
-      projectDir = '.',
-      testCommand = 'npx playwright test',
-      mountProject = true,
-      headless = true
-    } = options;
-    console.log('🎭 Starting Playwright in bubblewrap sandbox...\n');
-    console.log('🔧 Addressing Alpine/Playwright compatibility issues...\n');
-    // Resolve project directory
-    const resolvedProjectDir = resolve(projectDir);
-    // First, try full namespace isolation
-    try {
-      console.log('🎯 Attempting full namespace isolation...');
-      return await this.runPlaywrightWithNamespaces(options);
-    } catch (error) {
-      console.log(`⚠️  Namespace isolation failed: ${error.message}`);
-      console.log('🔄 Falling back to basic isolation mode...\n');
-      return await this.runPlaywrightBasic(options);
-    }
-  }
-  /**
-   * Run simple container test without Playwright (for testing purposes)
-   */
-  async runSimpleTest(options = {}) {
-    const { projectDir = '.', testCommand = 'echo "Container is working!" && ls -la /workspace' } = options;
-    const resolvedProjectDir = resolve(projectDir);
-    console.log('🧪 Running simple container test...\n');
-    // Try basic isolation first
-    try {
-      console.log('🎯 Attempting basic isolation...');
-      return await this.runBasicTest(options);
-    } catch (error) {
-      console.log(`⚠️  Basic test failed: ${error.message}`);
-      console.log('🔄 Running without isolation...\n');
-      return this.runWithoutIsolation(options);
-    }
-  }
-  /**
-   * Run basic test in container
-   */
-  async runBasicTest(options = {}) {
-    const { projectDir = '.', testCommand = 'echo "Container is working!" && ls -la /workspace' } = options;
-    const resolvedProjectDir = resolve(projectDir);
-    // Simplified bubblewrap command
-    const bwrapCmd = [
-      bubblewrap.findBubblewrap(),
-      '--bind', resolvedProjectDir, '/workspace',
-      '--chdir', '/workspace',
-      '--tmpfs', '/tmp',
-      '/bin/sh', '-c', testCommand
-    ];
-    console.log(`🚀 Running: ${testCommand}`);
-    console.log(`📁 Project directory: ${resolvedProjectDir}`);
-    console.log(`🎯 Sandbox isolation: basic mode\n`);
-    return this.executeCommand(bwrapCmd, resolvedProjectDir);
-  }
-  /**
-   * Run without any isolation (last resort)
-   */
-  async runWithoutIsolation(options = {}) {
-    const { projectDir = '.', testCommand = 'echo "Container is working!" && ls -la' } = options;
-    const resolvedProjectDir = resolve(projectDir);
-    console.log(`🚀 Running without isolation: ${testCommand}`);
-    console.log(`📁 Project directory: ${resolvedProjectDir}`);
-    console.log(`🎯 Sandbox isolation: none\n`);
-    try {
-      execSync(testCommand, { stdio: 'inherit', cwd: resolvedProjectDir });
-      console.log('\n✅ Test completed successfully!');
-      return 0;
-    } catch (error) {
-      throw new Error(`Test failed: ${error.message}`);
-    }
-  }
-  /**
-   * Run Playwright with full namespace isolation (ideal mode)
-   */
-  async runPlaywrightWithNamespaces(options = {}) {
-    const { projectDir = '.', testCommand = 'npx playwright test', mountProject = true } = options;
-    const resolvedProjectDir = resolve(projectDir);
-    // Build bubblewrap command with proper namespace isolation
-    const bwrapCmd = [
-      bubblewrap.findBubblewrap(),
-      // Core filesystem - read-only Alpine rootfs
-      '--ro-bind', `${this.alpineRoot}`, '/',
-      '--proc', '/proc',
-      '--dev', '/dev',
-      // Critical: Bind mount /dev/dri for GPU acceleration (Chrome needs this)
-      '--dev-bind', '/dev/dri', '/dev/dri',
-      // Temporary directories (fresh for each run)
-      '--tmpfs', '/tmp',
-      '--tmpfs', '/var/tmp',
-      '--tmpfs', '/run',
-      '--tmpfs', '/dev/shm',  // Chrome shared memory
-      // Mount project directory
-      ...(mountProject ? [
-        '--bind', resolvedProjectDir, '/workspace',
-        '--chdir', '/workspace'
-      ] : []),
-      // Mount X11 socket for display
-      '--bind', '/tmp/.X11-unix', '/tmp/.X11-unix',
-      // Host directory access
-      '--bind', this.sandboxDir, '/host',
-      // Networking (required for Playwright)
-      '--share-net',
-      // Process isolation - critical for security
-      '--unshare-pid',
-      '--unshare-ipc',
-      '--unshare-uts',
-      '--unshare-cgroup',  // Prevent process group interference
-      // Safety features
-      '--die-with-parent',
-      '--new-session',
-      '--as-pid-1',  // Make bash PID 1 in the namespace
-      // Set hostname for isolation
-      '--hostname', 'playwright-sandbox',
-      // Environment variables for Playwright on Alpine
-      '--setenv', 'PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1',
-      '--setenv', 'PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser',
-      '--setenv', 'DISPLAY=:99',  // Virtual display
-      '--setenv', 'CI=true',
-      '--setenv', 'NODE_ENV=test',
-      // Chrome/Chromium specific variables
-      '--setenv', 'CHROMIUM_FLAGS=--no-sandbox --disable-dev-shm-usage --disable-gpu',
-      '--setenv', 'CHROME_BIN=/usr/bin/chromium-browser',
-      // Preserve important user environment
-      ...Object.entries(this.env)
-        .filter(([key]) => !['PATH', 'HOME', 'DISPLAY'].includes(key))
-        .flatMap(([key, value]) => ['--setenv', key, value])
-    ];
-    // Use the wrapper script that handles Xvfb and Chromium sandbox issues
-    const wrappedCommand = `/workspace/run-playwright.sh ${testCommand}`;
-    const fullCmd = [...bwrapCmd, '/bin/sh', '-c', wrappedCommand];
-    console.log(`🚀 Running: ${testCommand}`);
-    console.log(`📁 Project directory: ${resolvedProjectDir}`);
-    console.log(`🎯 Sandbox isolation: full bubblewrap namespace isolation\n`);
-    return this.executeCommand(fullCmd, resolvedProjectDir);
-  }
-  /**
-   * Run Playwright with basic isolation (fallback mode for limited environments)
-   */
-  async runPlaywrightBasic(options = {}) {
-    const { projectDir = '.', testCommand = 'npx playwright test', mountProject = true } = options;
-    const resolvedProjectDir = resolve(projectDir);
-    console.log('🎯 Running in basic isolation mode (limited features)...');
-    // Simplified bubblewrap command without namespaces
-    const bwrapCmd = [
-      bubblewrap.findBubblewrap(),
-      // Basic filesystem
-      '--bind', resolvedProjectDir, '/workspace',
-      '--chdir', '/workspace',
-      '--tmpfs', '/tmp',
-      '--share-net',  // Keep network access
-      // Essential environment variables
-      '--setenv', 'PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1',
-      '--setenv', 'PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser',
-      '--setenv', 'CHROMIUM_FLAGS=--no-sandbox --disable-dev-shm-usage --disable-gpu',
-      // Run command directly without wrapper script
-      '/bin/sh', '-c', testCommand
-    ];
-    console.log(`🚀 Running: ${testCommand}`);
-    console.log(`📁 Project directory: ${resolvedProjectDir}`);
-    console.log(`🎯 Sandbox isolation: basic mode (limited namespaces)\n`);
-    return this.executeCommand(bwrapCmd, resolvedProjectDir);
-  }
-  /**
-   * Execute bubblewrap command with proper error handling
-   */
-  executeCommand(fullCmd, resolvedProjectDir) {
-    try {
-      // Execute with spawn for better control
-      const child = spawn(fullCmd[0], fullCmd.slice(1), {
-        stdio: 'inherit',
-        cwd: resolvedProjectDir,
-        env: this.env
-      });
-      return new Promise((resolve, reject) => {
-        child.on('close', (code) => {
-          if (code === 0) {
-            console.log('\n✅ Playwright tests completed successfully!');
-            resolve(code);
-          } else {
-            console.log(`\n❌ Playwright tests failed with exit code: ${code}`);
-            reject(new Error(`Playwright tests failed with exit code: ${code}`));
-          }
-        });
-        child.on('error', (error) => {
-          reject(new Error(`Failed to start Playwright: ${error.message}`));
-        });
-      });
-    } catch (error) {
-      throw new Error(`Playwright execution failed: ${error.message}`);
-    }
-  }
-  /**
-   * Run interactive shell in sandbox
-   */
-  async runShell(options = {}) {
-    this.checkBubblewrap();
-    const { projectDir = '.' } = options;
-    const resolvedProjectDir = resolve(projectDir);
-    const bwrapCmd = [
-      'bwrap',
-      '--ro-bind', `${this.alpineRoot}`, '/',
-      '--proc', '/proc',
-      '--dev', '/dev',
-      '--tmpfs', '/tmp',
-      '--bind', resolvedProjectDir, '/workspace',
-      '--chdir', '/workspace',
-      '--share-net',
-      '--unshare-pid',
-      '--die-with-parent',
-      '--new-session',
-      '--hostname', 'claudebox-sandbox',
-      '--setenv', 'PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1',
-      '--setenv', 'PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser',
-      '/bin/bash'
-    ];
-    console.log('🐚 Starting interactive shell in sandbox...\n');
-    try {
-      execSync(bwrapCmd.join(' '), { stdio: 'inherit' });
-    } catch (error) {
-      throw new Error(`Shell execution failed: ${error.message}`);
-    }
-  }
-  /**
-   * Build container from Dockerfile
-   */
-  async buildFromDockerfile(dockerfilePath, options = {}) {
-    this.checkBubblewrap();
-    console.log('🐳 Building container with bubblewrap isolation...\n');
-    const content = readFileSync(dockerfilePath, 'utf-8');
-    const lines = content.split('\n')
-      .filter(line => line.trim() && !line.trim().startsWith('#'));
-    let workdir = '/workspace';
-    const buildCommands = [];
-    for (const line of lines) {
-      const trimmed = line.trim();
-      if (trimmed.startsWith('FROM')) {
-        console.log(`📦 FROM ${trimmed.substring(5).trim()}`);
-        console.log('   ✅ Using Alpine Linux base image\n');
-      } else if (trimmed.startsWith('WORKDIR')) {
-        workdir = trimmed.substring(9).trim().replace(/['"]/g, '');
-        console.log(`📁 WORKDIR ${workdir}\n`);
-      } else if (trimmed.startsWith('RUN')) {
-        const command = trimmed.substring(4).trim();
-        buildCommands.push(command);
-        console.log(`⚙️  RUN ${command.substring(0, 60)}${command.length > 60 ? '...' : ''}`);
-        console.log('   📝 Added to build script\n');
-      } else if (trimmed.startsWith('CMD')) {
-        console.log(`🎯 CMD ${trimmed.substring(4).trim()}`);
-        console.log('   📝 Default command recorded\n');
-      }
-    }
-    // Create build script
-    const buildScript = buildCommands.join('\n');
-    const scriptPath = join(this.sandboxDir, 'build.sh');
-    writeFileSync(scriptPath, buildScript, { mode: 0o755 });
-    console.log('✅ Container build complete!');
-    console.log(`📝 Build script: ${scriptPath}`);
-    console.log(`🎯 To run: node bubblewrap-container.js --run\n`);
-    return { buildScript: scriptPath, workdir };
-  }
-}
-// Main execution
-async function main() {
-  const args = process.argv.slice(2);
-  if (args.includes('--help') || args.includes('-h')) {
-    console.log(`
-Bubblewrap Container Runner - Playwright + True Isolation
-Usage:
-  node bubblewrap-container.js <command> [options]
-Commands:
-  setup                          Set up Alpine Linux rootfs with Playwright
-  build <dockerfile>            Build from Dockerfile
-  run [project-dir]             Run Playwright tests
-  shell [project-dir]           Start interactive shell
-Examples:
-  node bubblewrap-container.js setup
-  node bubblewrap-container.js build Dockerfile.claudebox
-  node bubblewrap-container.js run ./my-project
-  node bubblewrap-container.js shell ./my-project
-Requirements:
-  - bubblewrap (bwrap): sudo apt-get install bubblewrap
-  - No root privileges needed after installation
-`);
-    process.exit(0);
-  }
-  const container = new BubblewrapContainer({ verbose: true });
-  try {
-    if (args[0] === 'setup') {
-      await container.setupAlpineRootfs();
-    } else if (args[0] === 'build') {
-      const dockerfile = args[1] || './Dockerfile.claudebox';
-      if (!existsSync(dockerfile)) {
-        throw new Error(`Dockerfile not found: ${dockerfile}`);
-      }
-      await container.buildFromDockerfile(dockerfile);
-    } else if (args[0] === 'run') {
-      const projectDir = args[1] || '.';
-      // First try simple test to verify container works
-      console.log('🧪 Testing container functionality...\n');
-      try {
-        await container.runSimpleTest({ projectDir });
-        console.log('✅ Container test successful!\n');
-        // Now try Playwright
-        console.log('🎭 Running Playwright tests...\n');
-        await container.runPlaywright({ projectDir });
-      } catch (error) {
-        console.log(`⚠️  Container test failed: ${error.message}`);
-        console.log('🚫 Skipping Playwright tests due to container issues\n');
-        throw error;
-      }
-    } else if (args[0] === 'shell') {
-      const projectDir = args[1] || '.';
-      await container.runShell({ projectDir });
-    } else {
-      console.error('❌ Unknown command. Use --help for usage.');
-      process.exit(1);
-    }
-  } catch (error) {
-    console.error('❌ Error:', error.message);
-    process.exit(1);
-  }
-}
-// Run if called directly
-if (import.meta.url === `file://${process.argv[1]}`) {
-  main().catch(console.error);
-}
-export default BubblewrapContainer;

package/debug-cli.js DELETED Viewed

@@ -1,15 +0,0 @@
-#!/usr/bin/env node
-console.log('🚀 Debug CLI starting...');
-console.log('Args:', process.argv.slice(2));
-console.log('Platform:', process.platform);
-console.log('CWD:', process.cwd());
-// Test basic output
-console.log('✅ Basic output works');
-// Test if script continues
-setTimeout(() => {
-  console.log('✅ Script completed after timeout');
-  process.exit(0);
-}, 1000);