Skip to content

chore(main): release 0.0.0 #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
koki-develop merged 1 commit into from
Mar 6, 2026
Merged

chore(main): release 0.0.0 #5

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
# Changelog

## 0.0.0 (2026-03-06)


### Features

* add --max-body-size flag to limit HTTP request body size ([304f580](https://github.com/codize-dev/sandbox/commit/304f580b66990e89771c26059b9d4c541ed83cdb))
* add --max-file-size flag to limit individual file size per request ([345f0d7](https://github.com/codize-dev/sandbox/commit/345f0d7ba0db3b54839d44373bf91713e9f17f7a))
* add --max-files flag to limit the number of files per request ([a2cc8d2](https://github.com/codize-dev/sandbox/commit/a2cc8d2f9866027dff3deee10749cd2ccd736a84))
* add /bin to PATH for all runtimes to match user expectations ([79b4ed1](https://github.com/codize-dev/sandbox/commit/79b4ed178e2fd4001d423dbb6af9711ae7994023))
* add /usr/bin to PATH and /bin symlink for command accessibility ([a9d5e6e](https://github.com/codize-dev/sandbox/commit/a9d5e6e1091127007b241093107c9b46ec6847db))
* add 255-byte file name length validation ([1cb7f9b](https://github.com/codize-dev/sandbox/commit/1cb7f9b33753d705f6336db8661ec9ef8ffe3055))
* add arch field to E2E framework and split architecture-dependent tests ([0cedefb](https://github.com/codize-dev/sandbox/commit/0cedefba8708003ff3fea28da034f76f83f502c4))
* add bash runtime support for shell script execution ([0d88644](https://github.com/codize-dev/sandbox/commit/0d88644a5e4ae57aa1920e9302156ce921c9e608))
* add basic Echo v5 HTTP server ([6802819](https://github.com/codize-dev/sandbox/commit/6802819967536f85dcf354d698f35e7812affee3))
* add cgroup CPU throttle to limit sandbox CPU usage per core ([04162fb](https://github.com/codize-dev/sandbox/commit/04162fb82610899ce8d34ff5d0323003e814b00c))
* add cgroup memory limit and swap restriction for sandbox OOM protection ([68b0075](https://github.com/codize-dev/sandbox/commit/68b0075ad1cf8f08aeecc5f54e7813249c2b25f3))
* add cgroup pids limit and separate Rlimits from Cgroups for type safety ([4364238](https://github.com/codize-dev/sandbox/commit/4364238e5a930046714ec323f52aea93654e099e))
* add Docker Compose configuration with privileged mode ([61600e9](https://github.com/codize-dev/sandbox/commit/61600e929a0e7177e4422beeb3e268bf76578ec8))
* add Go runtime support with compile-then-run execution model ([6adfca8](https://github.com/codize-dev/sandbox/commit/6adfca87e32f04274f3327d77c3abcc282e19dda))
* add GOCACHEPROG read-only cache helper for Go sandbox compilation ([fdc20bc](https://github.com/codize-dev/sandbox/commit/fdc20bc74c3a5e07360b6f7c51344dd665621469))
* add mise to runtime image via musl static binary ([07de470](https://github.com/codize-dev/sandbox/commit/07de47007936b24e51989de228bfd64baafc8f1f))
* add multi-stage Dockerfile with nsjail runtime ([4f57bba](https://github.com/codize-dev/sandbox/commit/4f57bba0aec1b877a5c50eb9cdff2332842f6a37))
* add nosuid and nodev mount flags to /tmp tmpfs via protobuf config ([a7d1633](https://github.com/codize-dev/sandbox/commit/a7d163383dffbeed0b21783e76ce2994a7824332))
* add nsjail --detect_cgroupv2 for cgroup v2 auto-detection ([ce815ce](https://github.com/codize-dev/sandbox/commit/ce815cec0ff5aba734a42c7d0e179e90f770587f))
* add nsjail --rlimit_cpu to limit per-process CPU time ([a1f3496](https://github.com/codize-dev/sandbox/commit/a1f34965ca58e740d1dbf6f9fd853ce7e73bb5e5))
* add nsjail rlimit hardening for memlock, rtprio, msgqueue, nproc, and stack ([0e82ef2](https://github.com/codize-dev/sandbox/commit/0e82ef206f3f3688adf25b47019a1975fc31bacf))
* add path traversal protection with file name validation and e2e tests ([d5f9c02](https://github.com/codize-dev/sandbox/commit/d5f9c024446077336200b38f35846028facd6452))
* add pre-installed golang.org/x/text package for Go sandbox ([9b7157f](https://github.com/codize-dev/sandbox/commit/9b7157ff0f952b29669b32b50c79084dea793879))
* add requests array and fill file type to E2E test framework ([2232015](https://github.com/codize-dev/sandbox/commit/223201568404b1428833c49527d78d479bea0a91))
* add Ruby runtime support to /v1/run endpoint ([d6e524d](https://github.com/codize-dev/sandbox/commit/d6e524d865a510dfb6fac6a3ff496269262e2b68))
* add seccomp-bpf syscall filtering policy for sandbox hardening ([b5c488a](https://github.com/codize-dev/sandbox/commit/b5c488a28a241755d821a7f8eb1417701df13ede))
* add signal field to API response for detecting signal-terminated processes ([10503a1](https://github.com/codize-dev/sandbox/commit/10503a1d7bc962cc0baa79a7215e699f1625855d))
* add YAML-driven E2E test framework with build tag isolation ([f4b4b27](https://github.com/codize-dev/sandbox/commit/f4b4b2745bb773868e63592229afe0e735622f0f))
* detect nsjail timeout via log pipe and add status field to response ([f13d16e](https://github.com/codize-dev/sandbox/commit/f13d16e2bec7a68eb775b1516a8502783a1ccf21))
* disable loopback interface inside sandbox via iface_no_lo ([41aea7f](https://github.com/codize-dev/sandbox/commit/41aea7f489db79a1c356d0cca430870b2849d443))
* enforce 1 MiB output limit and kill sandbox process on excess ([afc51b2](https://github.com/codize-dev/sandbox/commit/afc51b269b1f254ea33ae331e37199914fef7bd4))
* explicitly set clone_newnet in nsjail config for clarity ([fd9291e](https://github.com/codize-dev/sandbox/commit/fd9291e7251a8a98071721680847bc5d9087f822))
* install ca-certificates and gpg in runtime image ([16045f5](https://github.com/codize-dev/sandbox/commit/16045f5163166665634d022f257c77fa7ea4d641))
* install curl, wget, and mawk in sandbox environment ([af93855](https://github.com/codize-dev/sandbox/commit/af93855d96a1da190a23fbac871b0823ecb4d1cc))
* make execution timeout configurable via SANDBOX_RUN_TIMEOUT env var ([2a374da](https://github.com/codize-dev/sandbox/commit/2a374dabb699fe603285586fb0c9b2bac3206721))
* map sandbox UID/GID to nobody (65534) for non-root process isolation ([02d5b3d](https://github.com/codize-dev/sandbox/commit/02d5b3d49e6abbdc029de392a77238dc367adf9e))
* preinstall Node.js 24 via mise and add gpg-agent ([91b8524](https://github.com/codize-dev/sandbox/commit/91b8524300b5e3eab108261199a27481aa5fc921))
* reject user-submitted restricted files per runtime (go.mod, go.sum) ([ccd2684](https://github.com/codize-dev/sandbox/commit/ccd26840b6d5e38a8f895656385edba63f96840a))
* Release v0.0.0 ([9616bfd](https://github.com/codize-dev/sandbox/commit/9616bfda97032c588acf0ea128fb6d7dc76a52d1))
* replace --addr flag with --port and support PORT env var ([75e43c6](https://github.com/codize-dev/sandbox/commit/75e43c6e5cab7209ba91de0480cf1ce77df655b4))
* replace /tmp host bind mount with in-sandbox tmpfs (64 MiB) ([f4fd905](https://github.com/codize-dev/sandbox/commit/f4fd905a4e8d9563cda60bdc4a07bfa28fce0709))
* restrict sandbox CPU affinity to one core via max_cpus ([2ca4e57](https://github.com/codize-dev/sandbox/commit/2ca4e5726911d27f53d594b3b78313ba7e9d698c))
* return status "SIGNAL" when process is terminated by a signal ([a997959](https://github.com/codize-dev/sandbox/commit/a9979592c3ce2153236ab6c65d637ad3d987c596))
* separate compile and run timeouts for independent nsjail time limits ([e13f7d7](https://github.com/codize-dev/sandbox/commit/e13f7d7c4253021b5375b269a7a8f0451f7071d3))
* tune per-runtime nsjail rlimit values for tighter resource isolation ([6239f56](https://github.com/codize-dev/sandbox/commit/6239f5648d4c2b35ce9ed457afb04872b44ee929))
* use poll(2) for deterministic combined output ordering ([184c1a0](https://github.com/codize-dev/sandbox/commit/184c1a05acc9b74ef10fa323b928d97fa31f951f))


### Bug Fixes

* accept both ENOTDIR and EROFS for /lib64 write test across architectures ([f02a2b2](https://github.com/codize-dev/sandbox/commit/f02a2b20dec45fa2b5667bcb16b1276703efac7f))
* add cgroup host mode to compose for cgroup v2 compatibility ([5877703](https://github.com/codize-dev/sandbox/commit/58777032667dd9de76766d370bf24f699a896f25))
* add noexec to /tmp and nosuid/nodev to bind mounts for defense-in-depth ([286424d](https://github.com/codize-dev/sandbox/commit/286424dc12634f51936b8c308a226f1b2bd2db07))
* add nosuid/nodev to /code mount and block Landlock syscalls ([ea4626a](https://github.com/codize-dev/sandbox/commit/ea4626aaeadf4ac7b5fee6b7b7028132c03fa1c0))
* add nosuid/nodev to /etc/alternatives mount and block pidfd_getfd syscall ([a10a600](https://github.com/codize-dev/sandbox/commit/a10a6003136379e2ab92fcdc212e475d1e5ae741))
* adjust large_file e2e test to respect max-file-size limit ([51f879d](https://github.com/codize-dev/sandbox/commit/51f879deac2f7bdc627e21da40a5a85db7316ce6))
* block 6 additional syscalls in seccomp policy (S-4 through S-8) ([754fa7f](https://github.com/codize-dev/sandbox/commit/754fa7fba747446d76f49de808e015085517b1f9))
* block clone/clone3 namespace creation to prevent unshare bypass ([5d6dbe7](https://github.com/codize-dev/sandbox/commit/5d6dbe7a6f87ff6f8cbd1ec3faaff49c5ec28dbc))
* block fanotify_init and fanotify_mark syscalls to prevent filesystem event snooping ([0779d4b](https://github.com/codize-dev/sandbox/commit/0779d4b854dc7a659e24141a1d3cba7959873903))
* block name_to_handle_at syscall to prevent host filesystem layout leak ([e475396](https://github.com/codize-dev/sandbox/commit/e4753964ba1729dad78e7896db3007553c5e9e98))
* improve UID/GID mapping comment accuracy and harden SUID e2e tests ([e1fa2ee](https://github.com/codize-dev/sandbox/commit/e1fa2eed8c7fac6b2d2cf7a18d492d16e29e492c))
* pin alpine base image to digest for reproducible builds ([8149085](https://github.com/codize-dev/sandbox/commit/8149085790828c68ddc62b72de1f963a5c1896b3))
* set rlimit_nproc to soft to avoid cross-sandbox interference ([aa5fb11](https://github.com/codize-dev/sandbox/commit/aa5fb1138f1e5a141aa01ad6e4970a7049d7795d))
* suppress errcheck warnings for deferred os.RemoveAll calls ([33c890f](https://github.com/codize-dev/sandbox/commit/33c890f99ebf866a23ba2e7841f1bc5bf4237877))
* Update base image ([c0b3acd](https://github.com/codize-dev/sandbox/commit/c0b3acdedecd1f8c3b34794912e034cd29ecb704))