sandboxbox 2.0.8 → 2.0.9

package/CLAUDE.md

@@ -134,51 +134,37 @@ exec claude  # Changes save directly to local repo
 
 ## Command Isolation Principles
 
-### Critical Architecture Distinction
+### Unified Architecture - All Commands Use Isolation
 - **`run` command**: Creates isolated temporary environment - changes DO NOT affect host
-- **`claude` command**: Mounts local repository directly - changes DO affect host
+- **`claude` command**: Creates isolated temporary environment - changes DO NOT affect host
 - **`shell` command**: Creates isolated temporary environment - changes DO NOT affect host
 
-### Isolation Implementation (run/shell commands)
+### Isolation Workflow
+1. Copy project to temporary directory (including hidden files like .git)
+2. Mount temporary directory as /workspace in container
+3. Run commands in isolated environment
+4. Clean up temporary directory on exit
+5. Changes are persisted via git commands (commit/push) if needed
+
+### Shared Isolation Utility (utils/isolation.js)
 ```javascript
-// Creates temporary directory with copied project
-const tempDir = mkdtempSync(join(tmpdir(), 'sandboxbox-'));
-const tempProjectDir = join(tempDir, projectName);
-
-// Cross-platform file copying with hidden files (.git, etc.)
-if (process.platform === 'win32') {
-  execSync(`powershell -Command "Copy-Item -Path '${projectDir}\\*' -Destination '${tempProjectDir}' -Recurse -Force"`, {
-    stdio: 'pipe',
-    shell: true
-  });
-  // Copy hidden files separately
-  execSync(`powershell -Command "Get-ChildItem -Path '${projectDir}' -Force -Name | Where-Object { $_ -like '.*' } | ForEach-Object { Copy-Item -Path (Join-Path '${projectDir}' $_) -Destination '${tempProjectDir}' -Recurse -Force }"`, {
-    stdio: 'pipe',
-    shell: true
-  });
-} else {
-  execSync(`cp -r "${projectDir}"/.* "${tempProjectDir}/" 2>/dev/null || true`, {
-    stdio: 'pipe',
-    shell: true
-  });
-  execSync(`cp -r "${projectDir}"/* "${tempProjectDir}/"`, {
-    stdio: 'pipe',
-    shell: true
-  });
-}
+// All commands use the same isolation pattern
+import { createIsolatedEnvironment, setupCleanupHandlers } from './utils/isolation.js';
 
-// Automatic cleanup on exit
-const cleanup = () => {
-  try {
-    rmSync(tempDir, { recursive: true, force: true });
-  } catch (cleanupError) {
-    // Ignore cleanup errors
-  }
-};
+// Create isolated environment
+const { tempProjectDir, cleanup } = createIsolatedEnvironment(projectDir);
+
+// Set up cleanup handlers
+setupCleanupHandlers(cleanup);
+
+// Run command with isolated directory
+execSync(`podman run --rm -it -v "${tempProjectDir}:/workspace:rw" -w /workspace sandboxbox:latest ${cmd}`, {
+  stdio: 'inherit',
+  shell: process.platform === 'win32'
+});
 
-process.on('exit', cleanup);
-process.on('SIGINT', () => { cleanup(); process.exit(130); });
-process.on('SIGTERM', () => { cleanup(); process.exit(143); });
+// Clean up on completion
+cleanup();
 ```
 
 ### Container Naming and Cleanup

package/cli.js

@@ -7,15 +7,15 @@
  * Works on Windows, macOS, and Linux
  */
 
-import { readFileSync, existsSync, writeFileSync, mkdtempSync, rmSync } from 'fs';
+import { readFileSync, existsSync, writeFileSync } from 'fs';
 import { execSync } from 'child_process';
-import { resolve, dirname, join } from 'path';
+import { resolve, dirname } from 'path';
 import { fileURLToPath } from 'url';
-import { tmpdir } from 'os';
 
 import { color } from './utils/colors.js';
 import { checkPodman, getPodmanPath } from './utils/podman.js';
 import { buildClaudeContainerCommand, createClaudeDockerfile } from './utils/claude-workspace.js';
+import { createIsolatedEnvironment, setupCleanupHandlers } from './utils/isolation.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -86,20 +86,32 @@ function runClaudeWorkspace(projectDir, command = 'claude') {
     return false;
   }
 
-  console.log(color('blue', '🚀 Starting Claude Code with local repository...'));
+  console.log(color('blue', '🚀 Starting Claude Code in isolated environment...'));
   console.log(color('yellow', `Project: ${projectDir}`));
-  console.log(color('yellow', `Command: ${command}\n`));
+  console.log(color('yellow', `Command: ${command}`));
+  console.log(color('cyan', '📦 Note: Changes will be isolated and will NOT affect the original repository\n'));
 
   const podmanPath = checkPodman();
   if (!podmanPath) return false;
 
   try {
-    const containerCommand = buildClaudeContainerCommand(projectDir, podmanPath, command);
+    // Create isolated environment
+    const { tempProjectDir, cleanup } = createIsolatedEnvironment(projectDir);
+
+    // Set up cleanup handlers
+    setupCleanupHandlers(cleanup);
+
+    // Build container command with isolated project directory
+    const containerCommand = buildClaudeContainerCommand(tempProjectDir, podmanPath, command);
     execSync(containerCommand, {
       stdio: 'inherit',
       shell: process.platform === 'win32'
     });
-    console.log(color('green', '\n✅ Claude Code session completed!'));
+
+    // Clean up the temporary directory
+    cleanup();
+
+    console.log(color('green', '\n✅ Claude Code session completed! (Isolated - no host changes)'));
     return true;
   } catch (error) {
     console.log(color('red', `\n❌ Claude Code failed: ${error.message}`));
@@ -171,54 +183,11 @@ async function main() {
       if (!runPodman) process.exit(1);
 
       try {
-        // Create a temporary directory for isolation
-        const tempDir = mkdtempSync(join(tmpdir(), 'sandboxbox-'));
-        const projectName = projectDir.split(/[\\\/]/).pop() || 'project';
-        const tempProjectDir = join(tempDir, projectName);
-
-        // Copy project to temporary directory (creates isolation)
-        // First create the directory
-        execSync(`mkdir -p "${tempProjectDir}"`, {
-          stdio: 'pipe',
-          shell: true
-        });
-
-        if (process.platform === 'win32') {
-          // Windows approach - include hidden files like .git
-          execSync(`powershell -Command "Copy-Item -Path '${projectDir}\\*' -Destination '${tempProjectDir}' -Recurse -Force -Exclude 'node_modules'"`, {
-            stdio: 'pipe',
-            shell: true
-          });
-          // Also copy hidden files separately
-          execSync(`powershell -Command "Get-ChildItem -Path '${projectDir}' -Force -Name | Where-Object { $_ -like '.*' } | ForEach-Object { Copy-Item -Path (Join-Path '${projectDir}' $_) -Destination '${tempProjectDir}' -Recurse -Force }"`, {
-            stdio: 'pipe',
-            shell: true
-          });
-        } else {
-          // Unix approach - include hidden files
-          execSync(`cp -r "${projectDir}"/.* "${tempProjectDir}/" 2>/dev/null || true`, {
-            stdio: 'pipe',
-            shell: true
-          });
-          execSync(`cp -r "${projectDir}"/* "${tempProjectDir}/"`, {
-            stdio: 'pipe',
-            shell: true
-          });
-        }
-
-        // Ensure cleanup on exit
-        const cleanup = () => {
-          try {
-            rmSync(tempDir, { recursive: true, force: true });
-          } catch (cleanupError) {
-            // Ignore cleanup errors
-          }
-        };
+        // Create isolated environment
+        const { tempProjectDir, cleanup } = createIsolatedEnvironment(projectDir);
 
         // Set up cleanup handlers
-        process.on('exit', cleanup);
-        process.on('SIGINT', () => { cleanup(); process.exit(130); });
-        process.on('SIGTERM', () => { cleanup(); process.exit(143); });
+        setupCleanupHandlers(cleanup);
 
         // Run the command in isolated container with temporary directory
         execSync(`"${runPodman}" run --rm -it -v "${tempProjectDir}:/workspace:rw" -w /workspace sandboxbox:latest ${cmd}`, {
@@ -258,46 +227,19 @@ async function main() {
       if (!shellPodman) process.exit(1);
 
       try {
-        // Create a temporary container with copied project (isolated environment)
-        const tempShellContainerName = `sandboxbox-shell-${Math.random().toString(36).substr(2, 9)}`;
-
-        // Ensure cleanup on exit
-        const cleanup = () => {
-          try {
-            execSync(`"${shellPodman}" rm -f "${tempShellContainerName}"`, {
-              stdio: 'pipe',
-              shell: process.platform === 'win32'
-            });
-          } catch (cleanupError) {
-            // Ignore cleanup errors
-          }
-        };
+        // Create isolated environment
+        const { tempProjectDir, cleanup } = createIsolatedEnvironment(shellProjectDir);
 
         // Set up cleanup handlers
-        process.on('exit', cleanup);
-        process.on('SIGINT', () => { cleanup(); process.exit(130); });
-        process.on('SIGTERM', () => { cleanup(); process.exit(143); });
+        setupCleanupHandlers(cleanup);
 
-        // Copy project into container (isolated)
-        execSync(`"${shellPodman}" create --name "${tempShellContainerName}" -w /workspace -it sandboxbox:latest /bin/bash`, {
-          stdio: 'pipe',
-          shell: process.platform === 'win32'
-        });
-
-        // Copy project files into isolated container - use proper path handling
-        const normalizedShellProjectDir = shellProjectDir.replace(/\\/g, '/');
-        execSync(`"${shellPodman}" cp "${normalizedShellProjectDir}" "${tempShellContainerName}:/workspace"`, {
-          stdio: 'pipe',
-          shell: process.platform === 'win32'
-        });
-
-        // Start interactive shell in the isolated container
-        execSync(`"${shellPodman}" start -i "${tempShellContainerName}"`, {
+        // Start interactive shell in isolated container with temporary directory
+        execSync(`"${shellPodman}" run --rm -it -v "${tempProjectDir}:/workspace:rw" -w /workspace sandboxbox:latest /bin/bash`, {
           stdio: 'inherit',
           shell: process.platform === 'win32'
         });
 
-        // Clean up the temporary container
+        // Clean up the temporary directory
         cleanup();
       } catch (error) {
         console.log(color('red', `\n❌ Shell failed: ${error.message}`));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sandboxbox",
-  "version": "2.0.8",
+  "version": "2.0.9",
   "description": "Portable container runner with Podman - Claude Code & Playwright support. Works on Windows, macOS, and Linux.",
   "type": "module",
   "main": "cli.js",

package/utils/claude-workspace.js

@@ -22,12 +22,11 @@ export function buildClaudeContainerCommand(projectPath, podmanPath, command = '
   const homeDir = process.platform === 'win32' ? process.env.USERPROFILE : process.env.HOME;
 
   return `${podmanPath} run --rm -it \
-    -v "${projectPath}:/project:rw" \
+    -v "${projectPath}:/workspace:rw" \
     -v "${homeDir}/.claude:/root/.claude" \
     -v "${homeDir}/.ssh:/root/.ssh:ro" \
     -v "${homeDir}/.gitconfig:/root/.gitconfig:ro" \
     ${envArgs} \
-    --env REPO_PATH=/project \
     --env HOME=/root \
     sandboxbox-local:latest \
     ${command}`;
@@ -46,32 +45,27 @@ WORKDIR /workspace
 # Install Claude Code
 RUN npm install -g @anthropic-ai/claude-code@latest
 
-# Create local workspace script
+# Create isolated workspace script
 RUN echo '#!/bin/bash
 set -e
 
-REPO_PATH=\${REPO_PATH:-"/project"}
-WORKSPACE_DIR="/workspace/project"
+echo "🚀 Starting SandboxBox with Claude Code in isolated environment..."
+echo "📁 Working directory: /workspace"
+echo "🎯 This is an isolated copy of your repository"
 
-echo "🚀 Starting SandboxBox with Claude Code..."
-echo "📁 Working with local repository: \$REPO_PATH"
-echo "🎯 Workspace: \$WORKSPACE_DIR"
-
-if [ -d "\$REPO_PATH" ] && [ -d "\$REPO_PATH/.git" ]; then
-    echo "📂 Creating workspace symlink to local repository..."
-    ln -sf "\$REPO_PATH" "\$WORKSPACE_DIR"
-    cd "\$WORKSPACE_DIR"
-    echo "✅ Workspace linked successfully!"
+if [ -d "/workspace/.git" ]; then
+    echo "✅ Git repository detected in workspace"
     echo "📋 Current status:"
     git status
     echo ""
     echo "🔧 Starting Claude Code..."
-    echo "💡 Changes will be saved directly to the local repository"
+    echo "💡 Changes will be isolated and will NOT affect the original repository"
+    echo "📝 To save changes, use git commands to commit and push before exiting"
     exec claude
 else
-    echo "❌ Error: \$REPO_PATH is not a valid git repository"
+    echo "❌ Error: /workspace is not a valid git repository"
     exit 1
-fi' > /usr/local/bin/start-local-sandbox.sh && chmod +x /usr/local/bin/start-local-sandbox.sh
+fi' > /usr/local/bin/start-isolated-sandbox.sh && chmod +x /usr/local/bin/start-isolated-sandbox.sh
 
-CMD ["/usr/local/bin/start-local-sandbox.sh"]`;
+CMD ["/usr/local/bin/start-isolated-sandbox.sh"]`;
 }

package/utils/isolation.js

@@ -0,0 +1,74 @@
+import { mkdtempSync, rmSync } from 'fs';
+import { tmpdir } from 'os';
+import { join } from 'path';
+import { execSync } from 'child_process';
+
+/**
+ * Creates an isolated temporary environment for running commands
+ * @param {string} projectDir - Source project directory
+ * @returns {Object} - Contains tempDir, tempProjectDir, and cleanup function
+ */
+export function createIsolatedEnvironment(projectDir) {
+  const tempDir = mkdtempSync(join(tmpdir(), 'sandboxbox-'));
+  const projectName = projectDir.split(/[\\\/]/).pop() || 'project';
+  const tempProjectDir = join(tempDir, projectName);
+
+  // Copy project to temporary directory (creates isolation)
+  // First create the directory (cross-platform)
+  if (process.platform === 'win32') {
+    execSync(`powershell -Command "New-Item -ItemType Directory -Path '${tempProjectDir}' -Force"`, {
+      stdio: 'pipe',
+      shell: true
+    });
+  } else {
+    execSync(`mkdir -p "${tempProjectDir}"`, {
+      stdio: 'pipe',
+      shell: true
+    });
+  }
+
+  if (process.platform === 'win32') {
+    // Windows approach - include hidden files like .git
+    execSync(`powershell -Command "Copy-Item -Path '${projectDir}\\*' -Destination '${tempProjectDir}' -Recurse -Force -Exclude 'node_modules'"`, {
+      stdio: 'pipe',
+      shell: true
+    });
+    // Also copy hidden files separately
+    execSync(`powershell -Command "Get-ChildItem -Path '${projectDir}' -Force -Name | Where-Object { $_ -like '.*' } | ForEach-Object { Copy-Item -Path (Join-Path '${projectDir}' $_) -Destination '${tempProjectDir}' -Recurse -Force }"`, {
+      stdio: 'pipe',
+      shell: true
+    });
+  } else {
+    // Unix approach - include hidden files
+    execSync(`cp -r "${projectDir}"/.* "${tempProjectDir}/" 2>/dev/null || true`, {
+      stdio: 'pipe',
+      shell: true
+    });
+    execSync(`cp -r "${projectDir}"/* "${tempProjectDir}/"`, {
+      stdio: 'pipe',
+      shell: true
+    });
+  }
+
+  // Ensure cleanup on exit
+  const cleanup = () => {
+    try {
+      rmSync(tempDir, { recursive: true, force: true });
+    } catch (cleanupError) {
+      // Ignore cleanup errors
+    }
+  };
+
+  return { tempDir, tempProjectDir, cleanup };
+}
+
+/**
+ * Sets up cleanup handlers for process signals
+ * @param {Function} cleanup - Cleanup function to call
+ */
+export function setupCleanupHandlers(cleanup) {
+  // Set up cleanup handlers
+  process.on('exit', cleanup);
+  process.on('SIGINT', () => { cleanup(); process.exit(130); });
+  process.on('SIGTERM', () => { cleanup(); process.exit(143); });
+}