feat: Shell sandbox with flanksource/sandbox-runtime #1782

Merged
moshloop merged 1 commit into main from feat/sandbox
Feb 26, 2026

Member

@adityathebe adityathebe commented Feb 25, 2026

Summary by CodeRabbit

  • New Features

    • Added support for running commands inside optional isolated sandbox environments.
  • Chores

    • Updated Go dependencies (crypto, networking, system/term, text) and added a sandbox runtime dependency for improved security and stability.


github-actions bot commented Feb 25, 2026

Benchstat

Base: 628ae53dc3d61ebca5be31a783932c39fd3ae645
Head: 0aad002058254f592bda417d18043565900de08e

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                                │ bench-base.txt │          bench-head.txt           │
                                                │     sec/op     │   sec/op     vs base              │
Main/Sample-15000/catalog_changes/Without_RLS-4      5.262m ± 7%   5.344m ± 1%       ~ (p=0.394 n=6)
Main/Sample-15000/catalog_changes/With_RLS-4         127.5m ± 0%   130.6m ± 1%  +2.43% (p=0.002 n=6)
Main/Sample-15000/config_changes/Without_RLS-4       5.245m ± 2%   5.292m ± 1%       ~ (p=0.093 n=6)
Main/Sample-15000/config_changes/With_RLS-4          127.4m ± 2%   130.8m ± 1%  +2.70% (p=0.002 n=6)
Main/Sample-15000/config_detail/Without_RLS-4        3.926m ± 1%   3.886m ± 2%  -1.02% (p=0.041 n=6)
Main/Sample-15000/config_detail/With_RLS-4           126.7m ± 2%   124.3m ± 1%  -1.94% (p=0.004 n=6)
Main/Sample-15000/config_names/Without_RLS-4         13.21m ± 2%   12.95m ± 2%       ~ (p=0.065 n=6)
Main/Sample-15000/config_names/With_RLS-4            125.0m ± 1%   125.3m ± 1%       ~ (p=0.485 n=6)
Main/Sample-15000/config_summary/Without_RLS-4       62.40m ± 1%   62.92m ± 2%       ~ (p=0.065 n=6)
Main/Sample-15000/config_summary/With_RLS-4          732.5m ± 1%   737.9m ± 1%       ~ (p=0.180 n=6)
Main/Sample-15000/configs/Without_RLS-4              7.247m ± 4%   7.241m ± 2%       ~ (p=0.937 n=6)
Main/Sample-15000/configs/With_RLS-4                 124.8m ± 2%   124.1m ± 1%       ~ (p=0.065 n=6)
Main/Sample-15000/analysis_types/Without_RLS-4       3.919m ± 2%   3.914m ± 1%       ~ (p=0.699 n=6)
Main/Sample-15000/analysis_types/With_RLS-4          3.939m ± 3%   3.913m ± 2%       ~ (p=0.065 n=6)
Main/Sample-15000/analyzer_types/Without_RLS-4       3.718m ± 2%   3.723m ± 2%       ~ (p=0.589 n=6)
Main/Sample-15000/analyzer_types/With_RLS-4          3.746m ± 4%   3.744m ± 0%       ~ (p=0.485 n=6)
Main/Sample-15000/change_types/Without_RLS-4         5.307m ± 1%   5.402m ± 3%  +1.79% (p=0.004 n=6)
Main/Sample-15000/change_types/With_RLS-4            5.339m ± 3%   5.334m ± 3%       ~ (p=0.937 n=6)
Main/Sample-15000/config_classes/Without_RLS-4       3.265m ± 2%   3.278m ± 2%       ~ (p=0.240 n=6)
Main/Sample-15000/config_classes/With_RLS-4          123.1m ± 1%   123.5m ± 0%       ~ (p=0.065 n=6)
Main/Sample-15000/config_types/Without_RLS-4         3.919m ± 0%   3.924m ± 1%       ~ (p=0.180 n=6)
Main/Sample-15000/config_types/With_RLS-4            124.8m ± 2%   124.1m ± 1%  -0.54% (p=0.015 n=6)
geomean                                              19.26m        19.30m       +0.23%

Contributor

coderabbitai bot commented Feb 25, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 30fbeab and 0aad002.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • go.mod
  • shell/interpreter.go
  • shell/shell.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • shell/shell.go
  • go.mod

Walkthrough

Adds optional sandboxed command execution: the Exec struct gains a Sandbox field and createCommandFromScript accepts a *sandbox.Sandbox. When provided, commands are created via sandbox.Command(...); otherwise the code falls back to exec.CommandContext(...). go.mod updated to include sandbox-runtime and X module bumps.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency Management: go.mod | Added github.com/flanksource/sandbox-runtime v1.0.1; bumped golang.org/x/crypto and updated several indirect golang.org/x/* modules. |
| Shell runtime: shell/interpreter.go, shell/shell.go | Added import of github.com/flanksource/sandbox-runtime/sandbox; createCommandFromScript signature now accepts sb *sandbox.Sandbox; Exec struct gains Sandbox *sandbox.Sandbox; Run passes the sandbox into command creation; code path creates commands via sb.Command(...) when sandbox provided, else uses exec.CommandContext(...). |

Sequence Diagram(s)

sequenceDiagram
  participant Caller as Exec.Run
  participant Resolver as createCommandFromScript
  participant Sandbox as Sandbox Runtime
  participant OS as OS (exec.Command)

  Caller->>Resolver: call createCommandFromScript(ctx, script, envs, setup, runID, sb)
  alt sb != nil (sandbox provided)
    Resolver->>Sandbox: sb.Command(ctx, resolved, args...)
    Sandbox-->>Resolver: sandboxed Cmd
    Resolver->>Resolver: apply envs to Cmd
    Resolver-->>Caller: return sandboxed Cmd
  else sb == nil (no sandbox)
    Resolver->>OS: exec.CommandContext(ctx, resolved, args...)
    OS-->>Resolver: os Cmd
    Resolver->>Resolver: apply envs to Cmd
    Resolver-->>Caller: return os Cmd
  end
🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding shell sandbox functionality using the flanksource/sandbox-runtime library. |

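Added example, not code from this PR or from sandbox-runtime: the optional-sandbox branch described in the walkthrough, with the nil fallback made explicit. The Sandbox type, its Wrapper field, newCommand, requireSandbox and ErrSandboxRequired are hypothetical stand-ins; only the Command(ctx, name, args...) call shape and the exec.CommandContext fallback come from the page.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
)

// Sandbox is a hypothetical stand-in for *sandbox.Sandbox. Only the
// Command(ctx, name, args...) call shape is taken from the walkthrough.
type Sandbox struct {
	Wrapper []string // constructed: argv placed in front of the real command
}

// Command returns a Cmd that runs name/args underneath the wrapper program.
func (s *Sandbox) Command(ctx context.Context, name string, args ...string) *exec.Cmd {
	argv := append(append([]string{}, s.Wrapper[1:]...), name)
	argv = append(argv, args...)
	return exec.CommandContext(ctx, s.Wrapper[0], argv...)
}

var ErrSandboxRequired = errors.New("sandbox required but none configured")

// newCommand follows the branch in the walkthrough. requireSandbox is an
// added assumption: it turns the silent nil fallback into an error.
func newCommand(ctx context.Context, sb *Sandbox, requireSandbox bool,
	envs []string, name string, args ...string) (*exec.Cmd, error) {
	var cmd *exec.Cmd
	switch {
	case sb != nil:
		cmd = sb.Command(ctx, name, args...)
	case requireSandbox:
		return nil, ErrSandboxRequired
	default:
		cmd = exec.CommandContext(ctx, name, args...)
	}
	cmd.Env = append(cmd.Env, envs...) // envs are applied on both paths
	return cmd, nil
}

func main() {
	ctx := context.Background()
	sb := &Sandbox{Wrapper: []string{"/usr/bin/env", "--"}} // constructed wrapper
	boxed, _ := newCommand(ctx, sb, true, []string{"RUN_ID=demo"}, "/bin/sh", "-c", "true")
	plain, _ := newCommand(ctx, nil, false, nil, "/bin/sh", "-c", "true")
	_, err := newCommand(ctx, nil, true, nil, "/bin/sh", "-c", "true")
	fmt.Println(boxed.Args, plain.Args, err)
}
```

When no envs are passed, cmd.Env stays nil and os/exec starts the child with the parent process's full environment, on the sandboxed path as well as the plain one.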

@adityathebe adityathebe force-pushed the feat/sandbox branch 4 times, most recently from a30930a to 30fbeab Compare February 26, 2026 09:46
@adityathebe adityathebe marked this pull request as ready for review February 26, 2026 09:47
@adityathebe adityathebe requested a review from moshloop February 26, 2026 12:05
adityathebe added a commit to flanksource/mission-control that referenced this pull request Feb 26, 2026
Uses flanksource/sandbox-runtime to restrict network and filesystem access when running playbook exec actions.

Depends on flanksource/duty#1782.
@moshloop moshloop merged commit e97c0b8 into main Feb 26, 2026
14 checks passed
@moshloop moshloop deleted the feat/sandbox branch February 26, 2026 12:21
adityathebe added a commit to flanksource/mission-control that referenced this pull request Mar 11, 2026
Uses flanksource/sandbox-runtime to restrict network and filesystem access when running playbook exec actions.

Depends on flanksource/duty#1782.