sandboxbox 2.0.7 → 2.0.9

package/CLAUDE.md

@@ -132,7 +132,60 @@ exec claude  # Changes save directly to local repo
 ### Path resolution issues
 **Solution**: Use explicit REPO_PATH environment variable
 
+## Command Isolation Principles
+
+### Unified Architecture - All Commands Use Isolation
+- **`run` command**: Creates isolated temporary environment - changes DO NOT affect host
+- **`claude` command**: Creates isolated temporary environment - changes DO NOT affect host
+- **`shell` command**: Creates isolated temporary environment - changes DO NOT affect host
+
+### Isolation Workflow
+1. Copy project to temporary directory (including hidden files like .git)
+2. Mount temporary directory as /workspace in container
+3. Run commands in isolated environment
+4. Clean up temporary directory on exit
+5. Changes are persisted via git commands (commit/push) if needed
+
+### Shared Isolation Utility (utils/isolation.js)
+```javascript
+// All commands use the same isolation pattern
+import { createIsolatedEnvironment, setupCleanupHandlers } from './utils/isolation.js';
+
+// Create isolated environment
+const { tempProjectDir, cleanup } = createIsolatedEnvironment(projectDir);
+
+// Set up cleanup handlers
+setupCleanupHandlers(cleanup);
+
+// Run command with isolated directory
+execSync(`podman run --rm -it -v "${tempProjectDir}:/workspace:rw" -w /workspace sandboxbox:latest ${cmd}`, {
+  stdio: 'inherit',
+  shell: process.platform === 'win32'
+});
+
+// Clean up on completion
+cleanup();
+```
+
+### Container Naming and Cleanup
+- Use random short names: `sandboxbox-run-${Math.random().toString(36).substr(2, 9)}`
+- Force cleanup: `podman rm -f container-name`
+- Automatic cleanup handlers for all exit scenarios
+- Cross-platform signal handling (SIGINT, SIGTERM)
+
+### Cross-Platform Path Handling
+```javascript
+// Normalize Windows paths for podman cp command
+const normalizedProjectDir = projectDir.replace(/\\/g, '/');
+```
+
 ## Version Management
 - Publish new version when fixing critical Windows issues
 - Clear npm cache: `npm cache clean --force`
-- Use specific version: `npx sandboxbox@latest`
+- Use specific version: `npx sandboxbox@latest`
+
+## File Cleanup Requirements
+- All temporary containers auto-cleanup on exit
+- All temporary directories auto-cleanup on exit
+- Error handling for cleanup failures (ignore errors)
+- Signal handlers ensure cleanup on interrupts

package/Dockerfile.simple

@@ -0,0 +1,18 @@
+FROM node:20
+
+# Install basic development tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    bash \
+    curl \
+    nano \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Create workspace directory
+WORKDIR /workspace
+
+# Set up non-root user
+USER node
+
+# Install Claude Code
+RUN npm install -g @anthropic-ai/claude-code@latest

package/cli.js

@@ -15,6 +15,7 @@ import { fileURLToPath } from 'url';
 import { color } from './utils/colors.js';
 import { checkPodman, getPodmanPath } from './utils/podman.js';
 import { buildClaudeContainerCommand, createClaudeDockerfile } from './utils/claude-workspace.js';
+import { createIsolatedEnvironment, setupCleanupHandlers } from './utils/isolation.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -85,20 +86,32 @@ function runClaudeWorkspace(projectDir, command = 'claude') {
     return false;
   }
 
-  console.log(color('blue', '🚀 Starting Claude Code with local repository...'));
+  console.log(color('blue', '🚀 Starting Claude Code in isolated environment...'));
   console.log(color('yellow', `Project: ${projectDir}`));
-  console.log(color('yellow', `Command: ${command}\n`));
+  console.log(color('yellow', `Command: ${command}`));
+  console.log(color('cyan', '📦 Note: Changes will be isolated and will NOT affect the original repository\n'));
 
   const podmanPath = checkPodman();
   if (!podmanPath) return false;
 
   try {
-    const containerCommand = buildClaudeContainerCommand(projectDir, podmanPath, command);
+    // Create isolated environment
+    const { tempProjectDir, cleanup } = createIsolatedEnvironment(projectDir);
+
+    // Set up cleanup handlers
+    setupCleanupHandlers(cleanup);
+
+    // Build container command with isolated project directory
+    const containerCommand = buildClaudeContainerCommand(tempProjectDir, podmanPath, command);
     execSync(containerCommand, {
       stdio: 'inherit',
       shell: process.platform === 'win32'
     });
-    console.log(color('green', '\n✅ Claude Code session completed!'));
+
+    // Clean up the temporary directory
+    cleanup();
+
+    console.log(color('green', '\n✅ Claude Code session completed! (Isolated - no host changes)'));
     return true;
   } catch (error) {
     console.log(color('red', `\n❌ Claude Code failed: ${error.message}`));
@@ -161,19 +174,31 @@ async function main() {
         process.exit(1);
       }
 
-      console.log(color('blue', '🚀 Running project in container...'));
+      console.log(color('blue', '🚀 Running project in isolated container...'));
       console.log(color('yellow', `Project: ${projectDir}`));
       console.log(color('yellow', `Command: ${cmd}\n`));
+      console.log(color('cyan', '📦 Note: Changes will NOT affect host files (isolated environment)'));
 
       const runPodman = checkPodman();
       if (!runPodman) process.exit(1);
 
       try {
-        execSync(`"${runPodman}" run --rm -it -v "${projectDir}:/workspace" -w /workspace sandboxbox:latest ${cmd}`, {
+        // Create isolated environment
+        const { tempProjectDir, cleanup } = createIsolatedEnvironment(projectDir);
+
+        // Set up cleanup handlers
+        setupCleanupHandlers(cleanup);
+
+        // Run the command in isolated container with temporary directory
+        execSync(`"${runPodman}" run --rm -it -v "${tempProjectDir}:/workspace:rw" -w /workspace sandboxbox:latest ${cmd}`, {
           stdio: 'inherit',
           shell: process.platform === 'win32'
         });
-        console.log(color('green', '\n✅ Container execution completed!'));
+
+        // Clean up the temporary directory
+        cleanup();
+
+        console.log(color('green', '\n✅ Container execution completed! (Isolated - no host changes)'));
       } catch (error) {
         console.log(color('red', `\n❌ Run failed: ${error.message}`));
         process.exit(1);
@@ -194,17 +219,28 @@ async function main() {
         process.exit(1);
       }
 
-      console.log(color('blue', '🐚 Starting interactive shell...'));
+      console.log(color('blue', '🐚 Starting interactive shell in isolated container...'));
       console.log(color('yellow', `Project: ${shellProjectDir}\n`));
+      console.log(color('cyan', '📦 Note: Changes will NOT affect host files (isolated environment)'));
 
       const shellPodman = checkPodman();
       if (!shellPodman) process.exit(1);
 
       try {
-        execSync(`"${shellPodman}" run --rm -it -v "${shellProjectDir}:/workspace" -w /workspace sandboxbox:latest /bin/bash`, {
+        // Create isolated environment
+        const { tempProjectDir, cleanup } = createIsolatedEnvironment(shellProjectDir);
+
+        // Set up cleanup handlers
+        setupCleanupHandlers(cleanup);
+
+        // Start interactive shell in isolated container with temporary directory
+        execSync(`"${shellPodman}" run --rm -it -v "${tempProjectDir}:/workspace:rw" -w /workspace sandboxbox:latest /bin/bash`, {
           stdio: 'inherit',
           shell: process.platform === 'win32'
         });
+
+        // Clean up the temporary directory
+        cleanup();
       } catch (error) {
         console.log(color('red', `\n❌ Shell failed: ${error.message}`));
         process.exit(1);

package/file.txt

@@ -0,0 +1 @@
+'modified in container' 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sandboxbox",
-  "version": "2.0.7",
+  "version": "2.0.9",
   "description": "Portable container runner with Podman - Claude Code & Playwright support. Works on Windows, macOS, and Linux.",
   "type": "module",
   "main": "cli.js",

package/utils/claude-workspace.js

@@ -22,12 +22,11 @@ export function buildClaudeContainerCommand(projectPath, podmanPath, command = '
   const homeDir = process.platform === 'win32' ? process.env.USERPROFILE : process.env.HOME;
 
   return `${podmanPath} run --rm -it \
-    -v "${projectPath}:/project:rw" \
+    -v "${projectPath}:/workspace:rw" \
     -v "${homeDir}/.claude:/root/.claude" \
     -v "${homeDir}/.ssh:/root/.ssh:ro" \
     -v "${homeDir}/.gitconfig:/root/.gitconfig:ro" \
     ${envArgs} \
-    --env REPO_PATH=/project \
     --env HOME=/root \
     sandboxbox-local:latest \
     ${command}`;
@@ -46,32 +45,27 @@ WORKDIR /workspace
 # Install Claude Code
 RUN npm install -g @anthropic-ai/claude-code@latest
 
-# Create local workspace script
+# Create isolated workspace script
 RUN echo '#!/bin/bash
 set -e
 
-REPO_PATH=\${REPO_PATH:-"/project"}
-WORKSPACE_DIR="/workspace/project"
+echo "🚀 Starting SandboxBox with Claude Code in isolated environment..."
+echo "📁 Working directory: /workspace"
+echo "🎯 This is an isolated copy of your repository"
 
-echo "🚀 Starting SandboxBox with Claude Code..."
-echo "📁 Working with local repository: \$REPO_PATH"
-echo "🎯 Workspace: \$WORKSPACE_DIR"
-
-if [ -d "\$REPO_PATH" ] && [ -d "\$REPO_PATH/.git" ]; then
-    echo "📂 Creating workspace symlink to local repository..."
-    ln -sf "\$REPO_PATH" "\$WORKSPACE_DIR"
-    cd "\$WORKSPACE_DIR"
-    echo "✅ Workspace linked successfully!"
+if [ -d "/workspace/.git" ]; then
+    echo "✅ Git repository detected in workspace"
     echo "📋 Current status:"
     git status
     echo ""
     echo "🔧 Starting Claude Code..."
-    echo "💡 Changes will be saved directly to the local repository"
+    echo "💡 Changes will be isolated and will NOT affect the original repository"
+    echo "📝 To save changes, use git commands to commit and push before exiting"
     exec claude
 else
-    echo "❌ Error: \$REPO_PATH is not a valid git repository"
+    echo "❌ Error: /workspace is not a valid git repository"
     exit 1
-fi' > /usr/local/bin/start-local-sandbox.sh && chmod +x /usr/local/bin/start-local-sandbox.sh
+fi' > /usr/local/bin/start-isolated-sandbox.sh && chmod +x /usr/local/bin/start-isolated-sandbox.sh
 
-CMD ["/usr/local/bin/start-local-sandbox.sh"]`;
+CMD ["/usr/local/bin/start-isolated-sandbox.sh"]`;
 }

package/utils/isolation.js

@@ -0,0 +1,74 @@
+import { mkdtempSync, rmSync } from 'fs';
+import { tmpdir } from 'os';
+import { join } from 'path';
+import { execSync } from 'child_process';
+
+/**
+ * Creates an isolated temporary environment for running commands
+ * @param {string} projectDir - Source project directory
+ * @returns {Object} - Contains tempDir, tempProjectDir, and cleanup function
+ */
+export function createIsolatedEnvironment(projectDir) {
+  const tempDir = mkdtempSync(join(tmpdir(), 'sandboxbox-'));
+  const projectName = projectDir.split(/[\\\/]/).pop() || 'project';
+  const tempProjectDir = join(tempDir, projectName);
+
+  // Copy project to temporary directory (creates isolation)
+  // First create the directory (cross-platform)
+  if (process.platform === 'win32') {
+    execSync(`powershell -Command "New-Item -ItemType Directory -Path '${tempProjectDir}' -Force"`, {
+      stdio: 'pipe',
+      shell: true
+    });
+  } else {
+    execSync(`mkdir -p "${tempProjectDir}"`, {
+      stdio: 'pipe',
+      shell: true
+    });
+  }
+
+  if (process.platform === 'win32') {
+    // Windows approach - include hidden files like .git
+    execSync(`powershell -Command "Copy-Item -Path '${projectDir}\\*' -Destination '${tempProjectDir}' -Recurse -Force -Exclude 'node_modules'"`, {
+      stdio: 'pipe',
+      shell: true
+    });
+    // Also copy hidden files separately
+    execSync(`powershell -Command "Get-ChildItem -Path '${projectDir}' -Force -Name | Where-Object { $_ -like '.*' } | ForEach-Object { Copy-Item -Path (Join-Path '${projectDir}' $_) -Destination '${tempProjectDir}' -Recurse -Force }"`, {
+      stdio: 'pipe',
+      shell: true
+    });
+  } else {
+    // Unix approach - include hidden files
+    execSync(`cp -r "${projectDir}"/.* "${tempProjectDir}/" 2>/dev/null || true`, {
+      stdio: 'pipe',
+      shell: true
+    });
+    execSync(`cp -r "${projectDir}"/* "${tempProjectDir}/"`, {
+      stdio: 'pipe',
+      shell: true
+    });
+  }
+
+  // Ensure cleanup on exit
+  const cleanup = () => {
+    try {
+      rmSync(tempDir, { recursive: true, force: true });
+    } catch (cleanupError) {
+      // Ignore cleanup errors
+    }
+  };
+
+  return { tempDir, tempProjectDir, cleanup };
+}
+
+/**
+ * Sets up cleanup handlers for process signals
+ * @param {Function} cleanup - Cleanup function to call
+ */
+export function setupCleanupHandlers(cleanup) {
+  // Set up cleanup handlers
+  process.on('exit', cleanup);
+  process.on('SIGINT', () => { cleanup(); process.exit(130); });
+  process.on('SIGTERM', () => { cleanup(); process.exit(143); });
+}