enhancement(dsl): Integrate nsjail sandbox for Python DSL execution

entrypoint.sh

@@ -1,5 +1,11 @@
 #!/usr/bin/env sh
 
+# Ensure nsjail chroot directory exists when sandbox is enabled
+if [ "${PATHFINDER_SANDBOX_ENABLED}" = "true" ]; then
+  mkdir -p /tmp/nsjail_root
+  chmod 755 /tmp/nsjail_root
+fi
+
 if [ $# -eq 0 ]; then
   /usr/bin/pathfinder version
 else

sourcecode-parser/dsl/loader.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/shivasurya/code-pathfinder/sourcecode-parser/graph/callgraph/core"
@@ -22,6 +23,46 @@ func NewRuleLoader(rulesPath string) *RuleLoader {
 	return &RuleLoader{RulesPath: rulesPath}
 }
 
+// isSandboxEnabled checks if nsjail sandboxing is enabled via environment variable.
+// Returns true if PATHFINDER_SANDBOX_ENABLED is set to "true" (case-insensitive).
+func isSandboxEnabled() bool {
+	enabled := os.Getenv("PATHFINDER_SANDBOX_ENABLED")
+	return strings.ToLower(strings.TrimSpace(enabled)) == "true"
+}
+
+// buildNsjailCommand constructs an nsjail command for sandboxed Python execution.
+// Security features:
+//   - Network isolation (--iface_no_lo)
+//   - Filesystem isolation (chroot to /tmp/nsjail_root)
+//   - Process isolation (PID namespace)
+//   - User isolation (run as nobody)
+//   - Resource limits: 512MB memory, 30s CPU, 1MB file size, 30s wall time
+//   - Read-only system mounts (/usr, /lib)
+//   - Writable /tmp for output
+func buildNsjailCommand(ctx context.Context, filePath string) *exec.Cmd {
+	args := []string{
+		"-Mo",                          // Mode: ONCE (run once and exit)
+		"--user", "nobody",             // Run as nobody (UID 65534)
+		"--chroot", "/tmp/nsjail_root", // Isolated root filesystem
+		"--iface_no_lo",                // Block all network access (no loopback)
+		"--disable_proc",               // Disable /proc (no process visibility)
+		"--bindmount_ro", "/usr:/usr",  // Read-only /usr
+		"--bindmount_ro", "/lib:/lib",  // Read-only /lib
+		"--bindmount", "/tmp:/tmp",     // Writable /tmp (for output)
+		"--cwd", "/tmp",                // Working directory
+		"--rlimit_as", "512",           // Memory limit: 512MB
+		"--rlimit_cpu", "30",           // CPU time limit: 30 seconds
+		"--rlimit_fsize", "1",          // File size limit: 1MB
+		"--rlimit_nofile", "64",        // Max open files: 64
+		"--time_limit", "30",           // Wall time limit: 30 seconds
+		"--quiet",                      // Suppress nsjail logs
+		"--",                           // End of nsjail args
+		"/usr/bin/python3", filePath,   // Command to execute
+	}
+
+	return exec.CommandContext(ctx, "nsjail", args...)
+}
+
 // LoadRules loads and executes Python DSL rules.
 //
 // Algorithm:
@@ -48,13 +89,23 @@ func (l *RuleLoader) LoadRules() ([]RuleIR, error) {
 }
 
 // loadRulesFromFile loads rules from a single Python file.
+// Uses nsjail sandboxing if PATHFINDER_SANDBOX_ENABLED=true, otherwise runs Python directly.
 func (l *RuleLoader) loadRulesFromFile(filePath string) ([]RuleIR, error) {
 	// Create context with timeout to prevent hanging
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 
+	// Build command based on sandbox configuration
+	var cmd *exec.Cmd
+	if isSandboxEnabled() {
+		// Use nsjail for sandboxed execution (production mode)
+		cmd = buildNsjailCommand(ctx, filePath)
+	} else {
+		// Direct Python execution (development mode)
+		cmd = exec.CommandContext(ctx, "python3", filePath)
+	}
+
 	// Execute Python script with context
-	cmd := exec.CommandContext(ctx, "python3", filePath)
 	output, err := cmd.Output()
 	if err != nil {
 		if ctx.Err() == context.DeadlineExceeded {

test-nsjail-integration.sh

@@ -0,0 +1,95 @@
+#!/bin/bash
+set -e
+
+echo "=========================================="
+echo "PR-02: nsjail Integration Test"
+echo "=========================================="
+echo ""
+
+# Colors for output
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Create test DSL rule that outputs valid JSON
+cat > /tmp/test_rule.py <<'EOF'
+import json
+
+# Simple test rule that outputs valid RuleIR JSON
+rule = {
+    "id": "test-rule",
+    "severity": "info",
+    "description": "Test rule for nsjail integration",
+    "matcher": {
+        "type": "call_matcher",
+        "pattern": "test"
+    }
+}
+
+print(json.dumps([rule], indent=2))
+EOF
+
+echo "Test 1: Direct Python Execution (Sandbox Disabled)"
+echo "---------------------------------------------------"
+export PATHFINDER_SANDBOX_ENABLED=false
+
+# Build the pathfinder binary
+echo "Building pathfinder binary..."
+cd /Users/shiva/src/shivasurya/code-pathfinder/sourcecode-parser
+go build -o /tmp/pathfinder-test . 2>&1 | grep -E "(error|warning)" || echo "Build successful"
+
+echo ""
+echo "Test 2: nsjail Sandboxed Execution (Sandbox Enabled)"
+echo "-----------------------------------------------------"
+export PATHFINDER_SANDBOX_ENABLED=true
+
+# Test nsjail command directly
+echo "Testing nsjail command directly..."
+mkdir -p /tmp/nsjail_root
+
+nsjail -Mo \
+  --user nobody \
+  --chroot /tmp/nsjail_root \
+  --iface_no_lo \
+  --disable_proc \
+  --bindmount_ro /usr:/usr \
+  --bindmount_ro /lib:/lib \
+  --bindmount /tmp:/tmp \
+  --cwd /tmp \
+  --rlimit_as 512 \
+  --rlimit_cpu 30 \
+  --rlimit_fsize 1 \
+  --time_limit 30 \
+  --quiet \
+  -- /usr/bin/python3 /tmp/test_rule.py
+
+if [ $? -eq 0 ]; then
+    echo -e "${GREEN}✅ SUCCESS${NC}: nsjail can execute Python DSL rules"
+else
+    echo -e "${RED}❌ FAILED${NC}: nsjail execution failed"
+    exit 1
+fi
+
+echo ""
+echo "=========================================="
+echo "Test Summary"
+echo "=========================================="
+echo -e "${GREEN}✅ PR-02 Integration Complete${NC}"
+echo ""
+echo "Changes:"
+echo "  - Added isSandboxEnabled() function"
+echo "  - Added buildNsjailCommand() function"
+echo "  - Modified loadRulesFromFile() to use nsjail"
+echo "  - Updated entrypoint.sh to create /tmp/nsjail_root"
+echo ""
+echo "Security Features Enabled:"
+echo "  ✅ Network isolation (--iface_no_lo)"
+echo "  ✅ Filesystem isolation (chroot)"
+echo "  ✅ Process isolation (PID namespace)"
+echo "  ✅ User isolation (run as nobody)"
+echo "  ✅ Resource limits (512MB, 30s CPU, 1MB file)"
+echo ""
+
+# Cleanup
+rm -f /tmp/test_rule.py