Feature/code sandbox security v3

.gitignore

@@ -7,6 +7,8 @@ __pycache__/
 
 # Log files
 *.log
+/logs/
+logs/*
 
 # macOS system files
 .DS_Store
@@ -62,4 +64,6 @@ gemini_models.txt
 # OS-specific files
 Thumbs.db
 ehthumbs.db
-desktop.ini
+desktop.ini
+*.ps1
+*.cmd

CHANGELOG.md

@@ -1,7 +1,85 @@
+## v3.2.2 (2026-04-07)
+- Update interpreter: fix _execute_generated_output language usage, restore sandbox toggle alias, add subprocess security delegation, and increase SAFE mode MAX_TIMEOUT to 300s for more robust long‑running code execution
+- Merge branch 'feature/code-sandbox-security-v3' of https://github.com/haseeb-heaven/code-interpreter into feature/code-sandbox-security-v3
+- fix for watchdog timers issues with sandbox
+- fix: clean up spacing/newlines in execute_code() if/else blocks
+- fix: temp file exec, /unsafe toggle, build_release.sh update
+- Implemented /sandbox command
+- chore: update build_release.sh with gh release fix and cleaner structure
+- Update Indentation formatting
+- fix: use temp file for code exec; add /unsafe toggle; update build_release.sh
+- feat: enhance build_release.sh with robust error handling
+- feat: rename --unsafe to --sandbox/--no-sandbox; sandbox ON by default
+- feat: update build_release.sh with robust helpers, add /unsafe toggle, fix unsafe execution timeout
+- fix: resolve E999 SyntaxError in _WRITE_PATTERNS — replace malformed ['\""] with ['\"] in single-quoted raw strings
+- fix: add missing claude-sonnet-4-6.json config required by TestNewConfigFilesFromPR
+- fix: two test failures — os.remove \b boundary + .write( on read-handle
+- fix(safety): resolve 3 false-positive bugs in safe-mode pattern matching
+- fix(code_interpreter): use safety_manager.unsafe_mode instead of UNSAFE_EXECUTION attr
+- fix(security): resolve all P1/P2 audit issues from PR #26
+- fix(interpreter): use _kill_process_group on timeout + ast.parse for Python detection
+- fix(safety): add system-level destructive commands to safe-mode block list
+- fix: block bare .write() calls on file handles in safe mode
+- fix: allow read-only absolute path access in safe mode
+- fix(security): P0 absolute-path read escape + artifact export symlink escape
+- fix: apply CodeRabbit auto-fixes
+- fix(safety): expand write-mode detection — close binary/pathlib/JS bypasses (Bug #2)
+- fix(#3 #5): add export_artifacts + unquoted POSIX absolute-path block
+- fix(P0): process-group SIGKILL on timeout + Python routing in execute_script
+- fix: apply CodeRabbit auto-fixes
+- 📝 CodeRabbit Chat: Add unit tests
+- fix: apply CodeRabbit auto-fixes
+- Update Version file
+- Bump the version to 3.2.1
+
+
+## v3.2.1 (2026-04-07)
+- Add mode indicator, strict safe-mode blocking, unsafe confirmations, warnings, and improved safety controls for enterprise-grade execution behavior and user awareness
+- Update the Sandbox and Code Execution
+- Refactor execution architecture with python-first model, restore bash compatibility for tests, fix decoding bug, enforce output limits, update versioning, and correct gitignore entries for logs and newline compliance.
+- Overhaul execution architecture with python-first model, sandboxing, and improved safety controls
+- stop tracking history.json
+- Removed /shell command and added Code Execution safety
+- fix(safety): block unquoted absolute-path del command (e.g. del D:\Temp\*.txt)
+- test: add safety checks for quoted wildcard del commands and mocked LLM repair loop for dangerous commands
+- fix: block quoted wildcard del commands and add Windows absolute-path delete patterns
+- feat: enhance safety manager to block absolute-path deletions in various contexts
+- feat: enhance llm_dispatcher to support local endpoints
+- refactor: update configuration files to use JSON format
+- feat: fixed package manager issues with retry circuit logic
+- Update configuration files to use triple backtick separators for code generation
+- Merge pull request #24 from haseeb-heaven/feature/sandbox-safety-v3
+- chore: update changelog, improve README links, and remove deprecated config files
+- Merge branch 'feature/sandbox-safety-v3' of https://github.com/haseeb-heaven/code-interpreter into feature/sandbox-safety-v3
+- fix: update model configurations and improve error handling in code execution
+- fix: apply CodeRabbit auto-fixes
+- feat: update litellm version and add model normalization utility
+- fix: apply CodeRabbit auto-fixes
+- fix: apply CodeRabbit auto-fixes
+- 📝 CodeRabbit Chat: Generate unit tests for PR changes
+- Optimize README: move models to Models.MD, shorten sections
+- release: prepare v3.1.0 assets and docs
+- feat: Add OpenRouter API support with multiple model configurations
+- feat: Introduce execution safety features and self-repair mechanism
+- Add configuration files and terminal UI for model selection
+- Update LLM catalog to newer models and fix model routing bugs
+
 # Changelog
 
 All notable changes to this project are documented in this file.
 
+## v3.2.0 - April 6, 2026
+- Added visual mode indicator in session banner ([SAFE MODE] or [UNSAFE MODE ⚠️])
+- Implemented strict safety blocking: dangerous operations are hard-blocked in SAFE MODE
+- Added confirmation prompts for dangerous operations in UNSAFE MODE
+- Enhanced user awareness of destructive operations with warning messages
+- Improved enterprise-level safety and user control
+
+## v3.1.1 - April 6, 2026
+- Refactored execution architecture to Python-first model (replacing shell-subprocess as default)
+- Enforced 10 KB hard output limit with truncation sentinel
+- Minor fixes for timeout handling, output limits, and version alignment.
+
 ## v3.1.0 - April 5, 2026
 - Added OpenRouter support with multiple paid and free model aliases.
 - Added OpenRouter free defaults and switched `OPENROUTER_API_KEY` auto-selection to `openrouter/free`.
@@ -24,4 +102,4 @@ All notable changes to this project are documented in this file.
 - v2.2.x - Save/Execute commands and scripts, logging fixes, package manager fixes, and command improvements.
 - v2.1.x - Claude-3 models, Groq Gemma, prompt file mode, OS detection improvements, GPT-4o, and file opening improvements.
 - v2.0.x - Groq support plus Claude-2 additions.
-- v1.x - Core interpreter, file analysis, Gemini Vision, interpreter commands, chat mode, and local model support.
+- v1.x - Core interpreter, file analysis, Gemini Vision, interpreter commands, chat mode, and local model support.

README.md

@@ -140,6 +140,39 @@ python interpreter.py -md 'code' -m 'gpt-4o' -dc
 - 🤝 Integrates with HuggingFace, OpenAI, Gemini, etc.
 - 🎯 Versatile tasks: file ops, image/video editing, data analysis
 
+## 🛡️ **Safety Features**
+
+### Mode Indicator
+The interpreter displays the current safety mode in the session banner:
+- **[SAFE MODE]** - Default mode with safety restrictions enabled (green)
+- **[UNSAFE MODE ⚠️]** - Unrestricted mode (red with warning emoji)
+
+To enable unsafe mode, use the `--unsafe` flag:
+```bash
+interpreter --unsafe
+```
+
+### Dangerous Operation Handling
+The interpreter handles dangerous operations with a single confirmation prompt:
+
+**SAFE MODE:**
+- Dangerous operations are **blocked entirely** (no confirmation prompt)
+- You will see: `❌ Dangerous operation blocked in SAFE MODE.`
+- No file deletion or modification operations are allowed
+
+**UNSAFE MODE:**
+- Single prompt for ALL operations (safe or dangerous)
+- Safe operations: `Execute the code? (Y/N):`
+- Dangerous operations: `⚠️ Dangerous operation. Continue? (Y/N):`
+- Operations execute only if you confirm with 'Y'
+
+To enable unsafe mode, use the `--unsafe` flag:
+```bash
+interpreter --unsafe
+```
+
+**Warning:** Use unsafe mode with caution! Dangerous operations can delete or modify your files.
+
 ## 🛠️ **Usage**
 
 To use Code-Interpreter, use the following command options:
@@ -251,6 +284,17 @@ After entering the session, generated code and execution output remain inside th
 
 ![TUI output](resources/interpreter-tui-output.png)
 
+### Sandbox Security
+You can enable or disable sandbox mode directly from the terminal session. This makes it easy to switch between the safer isolated runtime and unrestricted execution when needed.
+
+![TUI sandbox enable](resources/interpreter-sandbox-enable.png)
+
+When sandbox mode is enabled, commands and generated code run with the same safer execution constraints used by the CLI.
+
+![TUI sandbox disable](resources/interpreter-sandbox-disable.png)
+
+When sandbox mode is disabled, execution runs in unsafe mode without sandbox restrictions, intended only for trusted local workflows.
+
 # Interpreter Commands 🖥️
 
 Here are the available commands:
@@ -273,6 +317,7 @@ Here are the available commands:
 - ⏫ `/upgrade` - Upgrade the interpreter.
 - 📁 `/prompt` - Switch the prompt mode _File or Input_ modes.
 - 🐞 `/debug` - Toggle Debug mode for debugging.
+- 📦 `/sandbox` - Toggles secure sandbox System.
 
 
 ## ⚙️ **Settings**
@@ -321,9 +366,11 @@ If you're interested in contributing to **Code-Interpreter**, we'd love to have
 
 ## 📌 **Versioning**
 
-Current version: **3.1.0**
+Current version: **3.2.1**
 
 Quick highlights:
+- **v3.2.1** - Added sandbox security, improved Code Interpreter architecture, fixed execution language routing, restored sandbox toggle compatibility, added subprocess security delegation, and improved safe-mode timeout handling.
+- **v3.2.0** - Added mode indicator ([SAFE MODE] or [UNSAFE MODE ⚠️]) in session banner, implemented strict safety blocking for dangerous operations in SAFE MODE, added single confirmation prompt for operations in UNSAFE MODE.
 - **v3.1.0** - Added OpenRouter free-model aliases, made `openrouter/free` the default OpenRouter selection, improved simple-task code generation, added fresh TUI screenshots, and prepared release packaging assets.
 - **v3.0.0** - Added a default execution safety sandbox, dangerous command/code circuit breaker, bounded ReACT-style repair retries after failures, clearer execution feedback, and polished CLI/TUI runtime output.
 - **v2.4.1** - Added NVIDIA, Z AI, Browser Use, `.env.example`, and `--cli` / `--tui` startup flows.
@@ -351,4 +398,4 @@ Please note the following additional licensing details:
 - A special shout-out to the open-source community. Your continuous support and contributions are invaluable to us.
 
 ## **📝 Author**
-This project is created and maintained by [Haseeb-Heaven](www.github.com/haseeb-heaven).
+This project is created and maintained by [Haseeb-Heaven](www.github.com/haseeb-heaven).

RELEASE_NOTES_v3.2.2.md

@@ -0,0 +1,34 @@
+# Interpreter 3.2.0 Latest
+
+@haseeb-heaven haseeb-heaven released this Apr 7, 2026
+
+**3.2.0**
+
+---
+
+## 🔥 Release highlights:
+
+* Introduced **secure code sandboxing (enabled by default)** with `/sandbox` and `/unsafe` toggles.
+* Strengthened execution safety with **subprocess isolation, watchdog fixes, and process-group termination**.
+* Improved safe-mode detection by eliminating multiple false positives and blocking new unsafe patterns.
+* Enhanced execution reliability with **increased SAFE mode timeout (300s)** for long-running tasks.
+* Refined build and release pipeline with **robust error handling and cleaner scripts**.
+
+---
+
+## 📜 Changelog:
+
+* v3.2.0 - Added sandbox mode (default ON) with `/sandbox` and `/unsafe` toggles, improved subprocess security delegation, increased SAFE timeout to 300s, fixed watchdog timer issues, strengthened safe-mode pattern detection (write bypasses, absolute path escapes, destructive commands), added process-group kill on timeout, improved Python detection via `ast.parse`, cleaned execution flow formatting, and enhanced build_release.sh with robust helpers and error handling.
+* v3.1.x - Fixed syntax errors in safety patterns, resolved test failures, added missing config files, improved unsafe mode handling via `safety_manager`, and applied CodeRabbit auto-fixes and unit tests.
+* v3.0.0 - Introduced execution sandbox, circuit breaker, bounded repair retries, and improved CLI/TUI runtime output.
+
+---
+
+## 📦 Assets:
+
+* interpreter.zip
+* Source code (zip)
+* Source code (tar.gz)
+
+---
+

VERSION

@@ -1 +1 @@
-3.1.0
+3.2.2