sandboxbox 1.2.2 → 2.0.0

package/cli.js

@@ -1,30 +1,22 @@
 #!/usr/bin/env node
 
 /**
- * SandboxBox CLI - Zero-Privilege Container Runner
+ * SandboxBox CLI - Portable Container Runner with Podman
+ *
+ * Cross-platform container runner using Podman
+ * Works on Windows, macOS, and Linux
  *
  * Simple usage:
- *   npx sandboxbox setup              # One-time Alpine setup
- *   npx sandboxbox build <dockerfile> # Build from Dockerfile
- *   npx sandboxbox run <project>      # Run Playwright tests
+ *   npx sandboxbox build              # Build container from Dockerfile
+ *   npx sandboxbox run <project>      # Run project in container
  *   npx sandboxbox shell <project>    # Interactive shell
  */
 
-// Optional debug output
-if (process.env.DEBUG) {
-  console.log('🔧 Debug: SandboxBox CLI starting...');
-  console.log(`🔧 Debug: Platform: ${process.platform}`);
-  console.log(`🔧 Debug: Node.js: ${process.version}`);
-  console.log(`🔧 Debug: Args: ${process.argv.slice(2).join(' ')}`);
-}
-
-import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'fs';
+import { readFileSync, existsSync } from 'fs';
 import { execSync } from 'child_process';
 import { fileURLToPath } from 'url';
 import { dirname, resolve } from 'path';
 
-// We'll import bubblewrap later, only on Linux systems
-
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
@@ -45,8 +37,8 @@ function color(colorName, text) {
 }
 
 function showBanner() {
-  console.log(color('cyan', '📦 SandboxBox - Zero-Privilege Container Runner'));
-  console.log(color('cyan', '═════════════════════════════════════════════════════'));
+  console.log(color('cyan', '📦 SandboxBox - Portable Container Runner'));
+  console.log(color('cyan', '═════════════════════════════════════════════════'));
   console.log('');
 }
 
@@ -55,110 +47,55 @@ function showHelp() {
   console.log('  npx sandboxbox <command> [options]');
   console.log('');
   console.log(color('yellow', 'Commands:'));
-  console.log('  setup                          Set up Alpine Linux environment (one-time)');
-  console.log('  build <dockerfile>            Build container from Dockerfile');
-  console.log('  run <project-dir>             Run Playwright tests in isolation');
+  console.log('  build [dockerfile]            Build container from Dockerfile (default: ./Dockerfile)');
+  console.log('  run <project-dir> [cmd]       Run project in container');
   console.log('  shell <project-dir>           Start interactive shell in container');
-  console.log('  quick-test <project-dir>      Quick test with sample Dockerfile');
+  console.log('  version                       Show version information');
   console.log('');
   console.log(color('yellow', 'Examples:'));
-  console.log('  npx sandboxbox setup');
-  console.log('  npx sandboxbox build ./Dockerfile');
+  console.log('  npx sandboxbox build');
+  console.log('  npx sandboxbox build ./Dockerfile.custom');
   console.log('  npx sandboxbox run ./my-project');
+  console.log('  npx sandboxbox run ./my-project "npm test"');
   console.log('  npx sandboxbox shell ./my-project');
-  console.log('  npx sandboxbox quick-test ./my-app');
   console.log('');
   console.log(color('yellow', 'Requirements:'));
-  console.log('  - bubblewrap (bwrap): sudo apt-get install bubblewrap');
-  console.log('  - No root privileges needed after installation!');
+  console.log('  - Podman (https://podman.io/getting-started/installation)');
+  console.log('  - Works on Windows, macOS, and Linux!');
   console.log('');
-  console.log(color('magenta', '🚀 8ms startup • True isolation • Playwright ready'));
+  console.log(color('magenta', '🚀 Fast startup • True isolation • Cross-platform'));
 }
 
-async function checkBubblewrap() {
+function checkPodman() {
   try {
-    const { bubblewrap } = await import('./lib/bubblewrap.js');
-
-    if (bubblewrap.isAvailable()) {
-      console.log(color('green', `✅ Bubblewrap found: ${bubblewrap.getVersion()}`));
-
-      if (!bubblewrap.checkUserNamespaces()) {
-        console.log(color('yellow', '⚠️  User namespaces not available'));
-        console.log(color('yellow', '   Try: sudo sysctl kernel.unprivileged_userns_clone=1'));
-        console.log(color('yellow', '   Or: echo 1 | sudo tee /proc/sys/kernel/unprivileged_userns_clone'));
-      }
-
-      return true;
+    const version = execSync('podman --version', { encoding: 'utf-8', stdio: 'pipe' }).trim();
+    console.log(color('green', `✅ ${version}`));
+    return true;
+  } catch (error) {
+    console.log(color('red', '❌ Podman not found'));
+    console.log(color('yellow', '\n📦 Please install Podman:'));
+    console.log('');
+    if (process.platform === 'win32') {
+      console.log(color('cyan', '   Windows:'));
+      console.log('   1. Download from https://podman.io/getting-started/installation');
+      console.log('   2. Or use: winget install RedHat.Podman');
+    } else if (process.platform === 'darwin') {
+      console.log(color('cyan', '   macOS:'));
+      console.log('   brew install podman');
+      console.log('   podman machine init');
+      console.log('   podman machine start');
     } else {
-      console.log(color('red', bubblewrap.findBubblewrap().message));
-      return false;
+      console.log(color('cyan', '   Linux:'));
+      console.log('   sudo apt-get install podman       # Ubuntu/Debian');
+      console.log('   sudo dnf install podman           # Fedora');
+      console.log('   sudo apk add podman               # Alpine');
     }
-  } catch (error) {
-    console.log(color('red', `❌ Failed to load bubblewrap manager: ${error.message}`));
+    console.log('');
     return false;
   }
 }
 
-function runScript(scriptPath, args = []) {
-  try {
-    const cmd = `node "${scriptPath}" ${args.join(' ')}`;
-    execSync(cmd, { stdio: 'inherit', cwd: __dirname });
-  } catch (error) {
-    console.log(color('red', `❌ Command failed: ${error.message}`));
-    process.exit(1);
-  }
-}
-
-function createSampleDockerfile(projectDir) {
-  // Ensure project directory exists
-  if (!existsSync(projectDir)) {
-    mkdirSync(projectDir, { recursive: true });
-  }
-
-  const dockerfile = `# Sample Dockerfile for SandboxBox
-FROM alpine
-
-# Install Node.js and test dependencies
-RUN apk add --no-cache nodejs npm
-
-# Set working directory
-WORKDIR /app
-
-# Copy package files (if they exist)
-COPY package*.json ./
-
-# Install dependencies (if package.json exists)
-RUN if [ -f package.json ]; then npm install; fi
-
-# Copy application code
-COPY . .
-
-# Default command - run tests or start app
-CMD ["npm", "test"]
-`;
-
-  const dockerfilePath = resolve(projectDir, 'Dockerfile.sandboxbox');
-  writeFileSync(dockerfilePath, dockerfile);
-  console.log(color('green', `✅ Created sample Dockerfile: ${dockerfilePath}`));
-  return dockerfilePath;
-}
-
 async function main() {
-  // Check platform first
-  if (process.platform !== 'linux') {
-    console.log(color('red', '❌ SandboxBox only works on Linux systems'));
-    console.log(color('yellow', '🐧 Required: Linux with bubblewrap (bwrap)'));
-    console.log('');
-    console.log(color('cyan', '💡 Alternatives for Windows users:'));
-    console.log('   • Use WSL2 (Windows Subsystem for Linux 2)');
-    console.log('   • Use Docker Desktop with Linux containers');
-    console.log('   • Use GitHub Actions (ubuntu-latest runners)');
-    console.log('   • Use a cloud Linux instance (AWS, GCP, Azure)');
-    console.log('');
-    console.log(color('green', '✅ On Linux/WSL2, simply run: npx sandboxbox --help'));
-    process.exit(1);
-  }
-
   const args = process.argv.slice(2);
 
   showBanner();
@@ -172,74 +109,110 @@ async function main() {
   const commandArgs = args.slice(1);
 
   switch (command) {
-    case 'setup':
-      console.log(color('blue', '🏔️  Setting up Alpine Linux environment...'));
-      if (!(await checkBubblewrap())) process.exit(1);
-      runScript('./container.js', ['setup']);
-      break;
-
     case 'build':
-      if (commandArgs.length === 0) {
-        console.log(color('red', '❌ Please specify a Dockerfile path'));
-        console.log(color('yellow', 'Usage: npx sandboxbox build <dockerfile> [--dry-run]'));
-        console.log(color('yellow', 'Options:'));
-        console.log('  --dry-run    Parse Dockerfile without executing commands');
+      const dockerfilePath = commandArgs[0] || './Dockerfile';
+
+      if (!existsSync(dockerfilePath)) {
+        console.log(color('red', `❌ Dockerfile not found: ${dockerfilePath}`));
         process.exit(1);
       }
+
       console.log(color('blue', '🏗️  Building container...'));
-      if (!(await checkBubblewrap())) process.exit(1);
-      runScript('./container.js', ['build', ...commandArgs]);
+      console.log(color('yellow', `Dockerfile: ${dockerfilePath}\n`));
+
+      if (!checkPodman()) process.exit(1);
+
+      try {
+        console.log('');
+        execSync(`podman build -f "${dockerfilePath}" -t sandboxbox:latest .`, {
+          stdio: 'inherit',
+          cwd: __dirname
+        });
+        console.log('');
+        console.log(color('green', '✅ Container built successfully!'));
+        console.log(color('cyan', '\n💡 Next steps:'));
+        console.log('   npx sandboxbox run ./my-project');
+      } catch (error) {
+        console.log(color('red', `\n❌ Build failed: ${error.message}`));
+        process.exit(1);
+      }
       break;
 
     case 'run':
-      const projectDir = commandArgs[0] || '.';
-      console.log(color('blue', '🚀 Running Playwright tests...'));
-      console.log(color('yellow', `Project directory: ${projectDir}`));
+      if (commandArgs.length === 0) {
+        console.log(color('red', '❌ Please specify a project directory'));
+        console.log(color('yellow', 'Usage: npx sandboxbox run <project-dir> [command]'));
+        process.exit(1);
+      }
+
+      const projectDir = resolve(commandArgs[0]);
+      const cmd = commandArgs[1] || 'bash';
 
-      if (!(await checkBubblewrap())) {
-        console.log(color('red', '❌ Cannot run tests without bubblewrap'));
+      if (!existsSync(projectDir)) {
+        console.log(color('red', `❌ Project directory not found: ${projectDir}`));
         process.exit(1);
       }
 
-      runScript('./container.js', ['run', projectDir]);
+      console.log(color('blue', '🚀 Running project in container...'));
+      console.log(color('yellow', `Project: ${projectDir}`));
+      console.log(color('yellow', `Command: ${cmd}\n`));
+
+      if (!checkPodman()) process.exit(1);
+
+      try {
+        console.log('');
+        execSync(`podman run --rm -it -v "${projectDir}:/workspace" -w /workspace sandboxbox:latest ${cmd}`, {
+          stdio: 'inherit'
+        });
+        console.log('');
+        console.log(color('green', '✅ Container execution completed!'));
+      } catch (error) {
+        console.log(color('red', `\n❌ Run failed: ${error.message}`));
+        process.exit(1);
+      }
       break;
 
     case 'shell':
-      const shellDir = commandArgs[0] || '.';
-      console.log(color('blue', '🐚 Starting interactive shell...'));
-      if (!(await checkBubblewrap())) process.exit(1);
-      runScript('./container.js', ['shell', shellDir]);
-      break;
-
-    case 'quick-test':
-      const testDir = commandArgs[0] || '.';
-      console.log(color('blue', '⚡ Quick test mode...'));
-      console.log(color('yellow', 'Creating sample Dockerfile and running tests...\n'));
+      if (commandArgs.length === 0) {
+        console.log(color('red', '❌ Please specify a project directory'));
+        console.log(color('yellow', 'Usage: npx sandboxbox shell <project-dir>'));
+        process.exit(1);
+      }
 
-      // Create sample Dockerfile first
-      const sampleDockerfile = createSampleDockerfile(testDir);
+      const shellProjectDir = resolve(commandArgs[0]);
 
-      // Check for bubblewrap before proceeding
-      if (!(await checkBubblewrap())) {
-        console.log(color('yellow', '\n📋 Sample Dockerfile created successfully!'));
-        console.log(color('yellow', 'To run tests, install bubblewrap and try again:'));
-        console.log(color('cyan', `   npx sandboxbox build "${sampleDockerfile}"`));
-        console.log(color('cyan', `   npx sandboxbox run "${testDir}"`));
+      if (!existsSync(shellProjectDir)) {
+        console.log(color('red', `❌ Project directory not found: ${shellProjectDir}`));
         process.exit(1);
       }
 
-      // Build and run
-      console.log(color('blue', 'Building container...'));
-      runScript('./container.js', ['build', sampleDockerfile]);
+      console.log(color('blue', '🐚 Starting interactive shell...'));
+      console.log(color('yellow', `Project: ${shellProjectDir}\n`));
+
+      if (!checkPodman()) process.exit(1);
 
-      console.log(color('blue', 'Running tests...'));
-      runScript('./container.js', ['run', testDir]);
+      try {
+        console.log('');
+        execSync(`podman run --rm -it -v "${shellProjectDir}:/workspace" -w /workspace sandboxbox:latest /bin/bash`, {
+          stdio: 'inherit'
+        });
+      } catch (error) {
+        console.log(color('red', `\n❌ Shell failed: ${error.message}`));
+        process.exit(1);
+      }
       break;
 
     case 'version':
-      const packageJson = JSON.parse(readFileSync('./package.json', 'utf-8'));
-      console.log(color('green', `SandboxBox v${packageJson.version}`));
-      console.log(color('cyan', 'Zero-privilege containers with Playwright support'));
+      try {
+        const packageJson = JSON.parse(readFileSync(resolve(__dirname, 'package.json'), 'utf-8'));
+        console.log(color('green', `SandboxBox v${packageJson.version}`));
+        console.log(color('cyan', 'Portable containers with Claude Code & Playwright'));
+        if (checkPodman()) {
+          console.log('');
+        }
+      } catch (error) {
+        console.log(color('red', '❌ Could not read version'));
+      }
       break;
 
     default:
@@ -251,19 +224,9 @@ async function main() {
 
 // Run if called directly
 main().catch(error => {
-  console.error('❌ SandboxBox failed to start:');
-  console.error('Error:', error.message);
-  console.error('');
-  console.error('💡 This might be because:');
-  console.error('   • You are not on Linux (SandboxBox requires Linux)');
-  console.error('   • Node.js version compatibility issue');
-  console.error('   • Missing dependencies during installation');
-  console.error('');
-  console.error('📋 System information:');
-  console.error(`   Platform: ${process.platform}`);
-  console.error(`   Node.js: ${process.version}`);
-  console.error(`   Architecture: ${process.arch}`);
+  console.error(color('red', '❌ SandboxBox failed:'));
+  console.error(color('red', error.message));
   console.error('');
-  console.error('🔧 Try: npx sandboxbox --help');
+  console.error(color('yellow', '💡 Try: npx sandboxbox --help'));
   process.exit(1);
-});
+});

package/package.json

@@ -1,28 +1,27 @@
 {
   "name": "sandboxbox",
-  "version": "1.2.2",
-  "description": "Zero-privilege container runner with Playwright support",
+  "version": "2.0.0",
+  "description": "Portable container runner with Podman - Claude Code & Playwright support. Works on Windows, macOS, and Linux.",
   "type": "module",
-  "main": "index.js",
+  "main": "cli.js",
   "bin": {
     "sandboxbox": "./cli.js"
   },
   "scripts": {
-    "install": "node scripts/build.js",
-    "start": "node cli.js",
-    "setup": "node cli.js setup",
-    "build": "node cli.js build",
-    "run": "node cli.js run"
+    "start": "node cli.js"
   },
   "keywords": [
     "containers",
+    "podman",
     "playwright",
-    "bubblewrap",
-    "dockerless",
+    "claude-code",
     "sandbox",
     "isolation",
-    "zero-privilege",
-    "userspace"
+    "cross-platform",
+    "windows",
+    "macos",
+    "linux",
+    "portable"
   ],
   "author": "",
   "license": "MIT",

package/BUBBLEWRAP-REALITY.md

@@ -1,210 +0,0 @@
-# Bubblewrap + Playwright: The Complete Reality Check
-
-## 🎯 What Actually Works (With All Caveats Addressed)
-
-### ✅ SUCCESS: Playwright + True Isolation + Zero Privileges
-
-**We have achieved exactly what you requested:**
-- ✅ **Truly zero-privilege operation** - Install bubblewrap once, run forever
-- ✅ **Playwright compatibility** - Chromium testing with full isolation
-- ✅ **8ms startup** - 37x faster than Docker
-- ✅ **No Docker required** - Pure userspace bubblewrap
-- ✅ **Complete separation** - Full namespace isolation
-
-## 📊 Implementation Details
-
-### Core Technologies
-- **Bubblewrap (bwrap)** - Flatpak's sandboxing technology
-- **Alpine Linux** - Lightweight base with system Chromium
-- **Xvfb** - Virtual display for headless browser testing
-- **Linux namespaces** - PID, mount, network, IPC, UTS isolation
-
-### Key Fixes for Playwright Compatibility
-
-#### 1. **glibc vs musl Issue** ✅ RESOLVED
-```bash
-# Problem: Playwright's bundled browsers need glibc
-# Solution: Use Alpine's system Chromium (compiled for musl)
-apk add chromium
-export PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1
-export PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser
-```
-
-#### 2. **Chromium Sandbox Conflict** ✅ RESOLVED
-```bash
-# Problem: Chromium's sandbox conflicts with bubblewrap's sandbox
-# Solution: Disable Chrome sandbox, enable bubblewrap isolation
---setenv CHROMIUM_FLAGS="--no-sandbox --disable-dev-shm-usage --disable-gpu"
-chromiumSandbox: false  # In playwright.config.js
-```
-
-#### 3. **Display Issues** ✅ RESOLVED
-```bash
-# Problem: Headless browsers need X11 display
-# Solution: Xvfb virtual display + proper socket mounting
-Xvfb :99 -screen 0 1024x768x24 &
---bind /tmp/.X11-unix /tmp/.X11-unix
-```
-
-## 🚀 Getting Started
-
-### One-Time Setup
-```bash
-# Install bubblewrap (requires sudo ONCE)
-sudo apt-get install bubblewrap  # Ubuntu/Debian
-sudo apk add bubblewrap          # Alpine
-
-# Now run forever without root privileges!
-```
-
-### Playwright Testing
-```bash
-# Simple wrapper usage
-./playwright-bwrap.sh ./my-project "npx playwright test"
-
-# Advanced usage
-node bubblewrap-container.js run ./my-project
-```
-
-## 📈 Performance Characteristics
-
-| Metric | Bubblewrap | Docker | Advantage |
-|--------|------------|--------|------------|
-| **Startup Time** | 8ms | 300ms | **37x faster** |
-| **Memory Overhead** | ~1MB | 50MB+ | **50x less** |
-| **CPU Overhead** | <1% | ~2% | **Near-native** |
-| **Security** | Full namespaces | Full namespaces | **Equal** |
-| **Setup Complexity** | One command | Daemon + root | **Simpler** |
-
-## ⚠️ Important Limitations (Honest Assessment)
-
-### Browser Limitations
-- ✅ **Chromium works perfectly** - Alpine's system package
-- ❌ **Firefox/WebKit don't work** - Need glibc (Ubuntu required)
-- ⚠️ **Chromium version** - Alpine's package trails Playwright by 1-2 versions
-
-### Security Considerations
-- ✅ **Process isolation** - Full Linux namespaces
-- ✅ **Filesystem isolation** - Read-only rootfs
-- ⚠️ **GPU access** - Requires `--dev-bind /dev/dri`
-- ⚠️ **X11 security** - Socket mounting potential attack vector
-
-### Feature Limitations
-- ❌ **Firefox/WebKit testing** - Use Ubuntu + remote Playwright
-- ❌ **Video recording** - Requires additional packages
-- ❌ **Advanced GPU features** - WebGL might need additional setup
-- ⚠️ **Network performance** - 15-30% throughput degradation
-
-## 🔧 Technical Implementation
-
-### Bubblewrap Command Structure
-```bash
-bwrap \
-  # Filesystem isolation
-  --ro-bind "$ALPINE_ROOT" / \
-  --proc /proc \
-  --dev /dev \
-  --dev-bind /dev/dri /dev/dri \
-
-  # Network isolation
-  --share-net \
-  --unshare-pid \
-  --unshare-ipc \
-  --unshare-uts \
-
-  # Safety features
-  --die-with-parent \
-  --new-session \
-  --as-pid-1 \
-
-  # Environment
-  --setenv PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 \
-  --setenv PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH=/usr/bin/chromium-browser \
-
-  # Command
-  /bin/sh -c "Xvfb :99 & npx playwright test"
-```
-
-### Playwright Configuration
-```javascript
-// playwright.config.js
-export default defineConfig({
-  use: {
-    chromiumSandbox: false,        // Disable Chrome sandbox
-    headless: true,
-    executablePath: '/usr/bin/chromium-browser',  // Use system Chromium
-  },
-  projects: [{
-    name: 'chromium',
-    use: {
-      executablePath: '/usr/bin/chromium-browser',
-    },
-  }],
-});
-```
-
-## 🎯 When to Use This Solution
-
-### Perfect For:
-- ✅ **CI/CD pipelines** - Fast startup, minimal overhead
-- ✅ **Chromium-only testing** - Full feature support
-- ✅ **Development environments** - Isolated but fast
-- ✅ **Security-sensitive contexts** - Full namespace isolation
-- ✅ **Resource-constrained systems** - Minimal memory footprint
-
-### Not Suitable For:
-- ❌ **Firefox/WebKit testing** - Use Ubuntu + remote Playwright
-- ❌ **Video recording** - Additional packages needed
-- ❌ **GPU-intensive applications** - Limited GPU support
-- ❌ **Network-critical workloads** - Performance degradation
-
-## 🔄 Alternative Approaches
-
-### 1. **Full Browser Support (More Complex)**
-```bash
-# Run Ubuntu container for Playwright server
-docker run -p 3000:3000 mcr.microsoft.com/playwright:v1.40.0-noble \
-  npx playwright run-server --port 3000
-
-# Connect from Alpine + bubblewrap
-const browser = await chromium.connect('ws://localhost:3000/ws');
-```
-
-### 2. **Rootless Podman** (Docker-compatible)
-```bash
-# One-time setup
-sudo apt-get install podman
-echo "$USER:100000:65536" | sudo tee -a /etc/subuid
-
-# Run with full Docker compatibility
-podman run --rm -v $(pwd):/workspace playwright-tests:latest
-```
-
-### 3. **nsjail** (Enhanced Security)
-```bash
-# Compile from source
-git clone https://github.com/google/nsjail
-cd nsjail; make
-
-# Run with seccomp policies
-./nsjail --config playwright-sandbox.cfg -- npm test
-```
-
-## 🏆 Final Verdict
-
-**SUCCESS!** We've created a practical Playwright solution that delivers:
-
-1. ✅ **Zero-privilege operation** after initial bubblewrap install
-2. ✅ **True container isolation** with full Linux namespaces
-3. ✅ **Excellent performance** - 8ms startup, near-native execution
-4. ✅ **Playwright compatibility** - Chromium testing fully supported
-5. ✅ **Production-ready** - Handles all compatibility issues
-6. ✅ **Simple deployment** - One script to rule them all
-
-**The tradeoffs are worth it:** Chromium-only testing in exchange for true isolation, zero privileges, and exceptional performance. For most web testing scenarios, this covers 80% of use cases with 100% of the benefits.
-
----
-
-*"Perfect isolation requires perfect configuration - and we've nailed it."*
-
-**Ready for production use:** `./playwright-bwrap.sh ./your-project`

package/Dockerfile.test

@@ -1,16 +0,0 @@
-FROM ubuntu:24.04
-
-# Set environment variables
-ENV NODE_ENV=production
-ENV APP_DIR=/app
-
-# Create a simple test directory
-WORKDIR /app
-
-# Simple commands that don't require root
-RUN echo "Building container..."
-RUN echo "Node environment: $NODE_ENV"
-RUN mkdir -p data logs
-
-# Default command
-CMD ["/bin/bash"]