
Releases: codize-dev/sandbox

v0.1.0

06 Mar 14:18
b22392c


0.1.0 (2026-03-06)

Features

  • add structured logging with slog and fix silent error handling (5d5ddb3)

Bug Fixes

  • modernize (bb0a299)
  • remove hardcoded serve subcommand from ENTRYPOINT (bfd4a32)
  • trigger version bump on Dockerfile dependency updates via Renovate (8de6a26)
  • use 137 exit code for output limit exceeded instead of -1 (26aee35)

v0.0.1

06 Mar 12:02
a7622e3


0.0.1 (2026-03-06)

Features

v0.0.0

06 Mar 11:45
aecfafd


0.0.0 (2026-03-06)

Features

  • add --max-body-size flag to limit HTTP request body size (304f580)
  • add --max-file-size flag to limit individual file size per request (345f0d7)
  • add --max-files flag to limit the number of files per request (a2cc8d2)
  • add /bin to PATH for all runtimes to match user expectations (79b4ed1)
  • add /usr/bin to PATH and /bin symlink for command accessibility (a9d5e6e)
  • add 255-byte file name length validation (1cb7f9b)
  • add arch field to E2E framework and split architecture-dependent tests (0cedefb)
  • add bash runtime support for shell script execution (0d88644)
  • add basic Echo v5 HTTP server (6802819)
  • add cgroup CPU throttle to limit sandbox CPU usage per core (04162fb)
  • add cgroup memory limit and swap restriction for sandbox OOM protection (68b0075)
  • add cgroup pids limit and separate Rlimits from Cgroups for type safety (4364238)
  • add Docker Compose configuration with privileged mode (61600e9)
  • add Go runtime support with compile-then-run execution model (6adfca8)
  • add GOCACHEPROG read-only cache helper for Go sandbox compilation (fdc20bc)
  • add mise to runtime image via musl static binary (07de470)
  • add multi-stage Dockerfile with nsjail runtime (4f57bba)
  • add nosuid and nodev mount flags to /tmp tmpfs via protobuf config (a7d1633)
  • add nsjail --detect_cgroupv2 for cgroup v2 auto-detection (ce815ce)
  • add nsjail --rlimit_cpu to limit per-process CPU time (a1f3496)
  • add nsjail rlimit hardening for memlock, rtprio, msgqueue, nproc, and stack (0e82ef2)
  • add path traversal protection with file name validation and e2e tests (d5f9c02)
  • add pre-installed golang.org/x/text package for Go sandbox (9b7157f)
  • add requests array and fill file type to E2E test framework (2232015)
  • add Ruby runtime support to /v1/run endpoint (d6e524d)
  • add seccomp-bpf syscall filtering policy for sandbox hardening (b5c488a)
  • add signal field to API response for detecting signal-terminated processes (10503a1)
  • add YAML-driven E2E test framework with build tag isolation (f4b4b27)
  • detect nsjail timeout via log pipe and add status field to response (f13d16e)
  • disable loopback interface inside sandbox via iface_no_lo (41aea7f)
  • enforce 1 MiB output limit and kill sandbox process on excess (afc51b2)
  • explicitly set clone_newnet in nsjail config for clarity (fd9291e)
  • install ca-certificates and gpg in runtime image (16045f5)
  • install curl, wget, and mawk in sandbox environment (af93855)
  • make execution timeout configurable via SANDBOX_RUN_TIMEOUT env var (2a374da)
  • map sandbox UID/GID to nobody (65534) for non-root process isolation (02d5b3d)
  • preinstall Node.js 24 via mise and add gpg-agent (91b8524)
  • reject user-submitted restricted files per runtime (go.mod, go.sum) (ccd2684)
  • Release v0.0.0 (9616bfd)
  • replace --addr flag with --port and support PORT env var (75e43c6)
  • replace /tmp host bind mount with in-sandbox tmpfs (64 MiB) (f4fd905)
  • restrict sandbox CPU affinity to one core via max_cpus (2ca4e57)
  • return status "SIGNAL" when process is terminated by a signal (a997959)
  • separate compile and run timeouts for independent nsjail time limits (e13f7d7)
  • tune per-runtime nsjail rlimit values for tighter resource isolation (6239f56)
  • use poll(2) for deterministic combined output ordering (184c1a0)
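The file-handling entries above (255-byte file name validation, path traversal protection, rejection of runtime-owned files such as go.mod and go.sum, and the --max-files / --max-file-size caps) together describe the request validation a run endpoint needs before it writes user files into a sandbox directory. The Go code below is an added example written for this page, not the project's own implementation: the File and Limits types, validateName, validateFiles, the restrictedByRuntime map and all error messages are assumptions chosen to illustrate the checks; the only runtime-specific entries taken from the release notes are go.mod and go.sum for Go.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// File is one user-submitted file in a run request (assumed shape).
type File struct {
	Name    string
	Content []byte
}

// Limits mirrors the --max-files and --max-file-size flags (assumed field names).
type Limits struct {
	MaxFiles    int
	MaxFileSize int64
}

// maxNameBytes is NAME_MAX on Linux. It applies per path component and is
// measured in bytes, not runes, because that is what the filesystem enforces.
const maxNameBytes = 255

// restrictedByRuntime lists files the server generates for a runtime and a
// user must therefore not be able to supply (illustrative; Go entries only).
var restrictedByRuntime = map[string]map[string]bool{
	"go": {"go.mod": true, "go.sum": true},
}

// validateName rejects anything that could escape the per-request directory
// or that the filesystem would refuse when the file is written under it.
func validateName(name string) error {
	switch {
	case name == "":
		return errors.New("empty file name")
	case strings.ContainsRune(name, 0):
		return errors.New("file name contains a NUL byte")
	case strings.ContainsRune(name, '\\'):
		// Only "/" is accepted as a separator; no platform-dependent parsing.
		return errors.New("file name contains a backslash")
	case strings.HasPrefix(name, "/"):
		return errors.New("absolute paths are not allowed")
	}
	// Require the canonical form. path.Clean collapses "a/./b", "a//b" and
	// "a/b/../c", so a name that changes under Clean is either sloppy or an
	// attempt to smuggle traversal past a naive ".." substring check.
	clean := path.Clean(name)
	if clean != name || clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return fmt.Errorf("invalid relative path %q", name)
	}
	for _, seg := range strings.Split(clean, "/") {
		if len(seg) > maxNameBytes {
			return fmt.Errorf("path component longer than %d bytes", maxNameBytes)
		}
	}
	return nil
}

// validateFiles applies the count, size, uniqueness, name and runtime rules
// to a whole request and returns the first violation.
func validateFiles(runtime string, files []File, lim Limits) error {
	if len(files) > lim.MaxFiles {
		return fmt.Errorf("too many files: %d > %d", len(files), lim.MaxFiles)
	}
	seen := make(map[string]bool, len(files))
	for _, f := range files {
		if err := validateName(f.Name); err != nil {
			return fmt.Errorf("file %q: %w", f.Name, err)
		}
		if seen[f.Name] {
			return fmt.Errorf("file %q: duplicate name", f.Name)
		}
		seen[f.Name] = true
		if int64(len(f.Content)) > lim.MaxFileSize {
			return fmt.Errorf("file %q: %d bytes exceeds limit of %d", f.Name, len(f.Content), lim.MaxFileSize)
		}
		// A user copy of a runtime-owned file could change the build (for Go:
		// pull arbitrary modules), so it is rejected in any directory rather
		// than silently overwritten by the server's generated one.
		if restrictedByRuntime[runtime][path.Base(f.Name)] {
			return fmt.Errorf("file %q is reserved by the %s runtime", f.Name, runtime)
		}
	}
	return nil
}

func main() {
	lim := Limits{MaxFiles: 16, MaxFileSize: 1 << 20}
	for _, name := range []string{"main.go", "../etc/passwd", "pkg/../../x", "go.mod", "sub/go.sum"} {
		err := validateFiles("go", []File{{Name: name, Content: []byte("package main")}}, lim)
		fmt.Printf("%-16q -> %v\n", name, err)
	}
}
```

The canonical-form rule is deliberately strict: "./a.go", "a//b" and "dir/" are all rejected even though they name valid locations, because accepting only names that survive path.Clean unchanged removes every ambiguity a later layer would otherwise have to reason about.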
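The 1 MiB output cap with kill-on-excess, the status and signal fields in the response, and the v0.1.0 fix that reports an exceeded output limit as exit code 137 instead of -1 all belong to one run-and-collect loop. The Go program below is an added example for this page, not the project's code: limitedWriter, runLimited, the Result fields and the status strings are assumptions chosen to show the mechanism. It assumes Linux (syscall.WaitStatus) and a POSIX sh on PATH, and uses a plain process where the project uses nsjail.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"sync"
	"syscall"
	"time"
)

// ErrOutputLimit is returned by limitedWriter once the cap has been hit.
var ErrOutputLimit = errors.New("output limit exceeded")

// limitedWriter collects combined stdout+stderr up to max bytes. The first
// write that would overflow keeps the part that fits, marks the limit as
// exceeded and calls onExceed (here: SIGKILL the child) so a runaway program
// cannot keep the server busy draining output it will throw away anyway.
type limitedWriter struct {
	mu       sync.Mutex
	max      int
	buf      []byte
	exceeded bool
	onExceed func()
}

func (w *limitedWriter) Write(p []byte) (int, error) {
	w.mu.Lock()
	defer w.mu.Unlock()
	if w.exceeded {
		return 0, ErrOutputLimit
	}
	if len(w.buf)+len(p) > w.max {
		w.buf = append(w.buf, p[:w.max-len(w.buf)]...)
		w.exceeded = true
		if w.onExceed != nil {
			w.onExceed()
		}
		return 0, ErrOutputLimit
	}
	w.buf = append(w.buf, p...)
	return len(p), nil
}

// Result holds the response fields: Status is one of "EXITED", "SIGNAL",
// "OUTPUT_LIMIT" or "TIMEOUT"; Signal is 0 unless a signal ended the process.
type Result struct {
	Status   string
	ExitCode int
	Signal   int
	Output   string
}

// runLimited runs a command under a wall-clock timeout and an output cap.
func runLimited(timeout time.Duration, maxOutput int, name string, args ...string) (Result, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, name, args...)
	w := &limitedWriter{max: maxOutput}
	w.onExceed = func() { _ = cmd.Process.Kill() } // Process is set before any Write can run
	// The same writer on both streams makes os/exec use one pipe, so the
	// child's own interleaving of stdout and stderr is preserved.
	cmd.Stdout, cmd.Stderr = w, w
	err := cmd.Run()

	res := Result{Output: string(w.buf)}
	kill := int(syscall.SIGKILL)
	switch {
	case w.exceeded:
		// We killed it ourselves: report the conventional 128+SIGKILL code
		// rather than -1 so clients can branch on a stable value.
		res.Status, res.ExitCode, res.Signal = "OUTPUT_LIMIT", 128+kill, kill
		return res, nil
	case errors.Is(ctx.Err(), context.DeadlineExceeded):
		res.Status, res.ExitCode, res.Signal = "TIMEOUT", 128+kill, kill
		return res, nil
	}
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		// Linux-specific: surface the signal instead of hiding it behind ExitCode() == -1.
		if ws, ok := exitErr.Sys().(syscall.WaitStatus); ok && ws.Signaled() {
			sig := int(ws.Signal())
			res.Status, res.ExitCode, res.Signal = "SIGNAL", 128+sig, sig
			return res, nil
		}
		res.Status, res.ExitCode = "EXITED", exitErr.ExitCode()
		return res, nil
	}
	if err != nil {
		return res, err // the command could not be started at all
	}
	res.Status = "EXITED"
	return res, nil
}

func main() {
	for _, script := range []string{
		"while :; do echo yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy; done", // floods output
		"echo out; echo err >&2; exit 3",                         // ordinary exit
		"kill -TERM $$",                                          // signal-terminated
	} {
		r, err := runLimited(5*time.Second, 1<<20, "sh", "-c", script)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-12s exit=%d signal=%d output=%d bytes\n", r.Status, r.ExitCode, r.Signal, len(r.Output))
	}
}
```

The order of the checks matters: the exceeded flag is consulted before the wait status, because a process that had already written its last byte may exit normally before the kill lands, and the response must still say the limit was hit.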

Bug Fixes

  • accept both ENOTDIR and EROFS for /lib64 write test across architectures (f02a2b2)
  • add cgroup host mode to compose for cgroup v2 compatibility (5877703)
  • add noexec to /tmp and nosuid/nodev to bind mounts for defense-in-depth (286424d)
  • add nosuid/nodev to /code mount and block Landlock syscalls (ea4626a)
  • add nosuid/nodev to /etc/alternatives mount and block pidfd_getfd syscall (a10a600)
  • adjust large_file e2e test to respect max-file-size limit (51f879d)
  • block 6 additional syscalls in seccomp policy (S-4 through S-8) (754fa7f)
  • block clone/clone3 namespace creation to prevent unshare bypass (5d6dbe7)
  • block fanotify_init and fanotify_mark syscalls to prevent filesystem event snooping (0779d4b)
  • block name_to_handle_at syscall to prevent host filesystem layout leak (e475396)
  • improve UID/GID mapping comment accuracy and harden SUID e2e tests (e1fa2ee)
  • pin alpine base image to digest for reproducible builds (8149085)
  • set rlimit_nproc to soft to avoid cross-sandbox interference (aa5fb11)
  • suppress errcheck warnings for deferred os.RemoveAll calls (33c890f)
  • Update base image (c0b3acd)