feat: Auth, sandbox egress, file handling, and bash batch execution #88

Merged
usnavy13 merged 5 commits into dev from skills-bash-batch-improvements on May 6, 2026

Conversation


@usnavy13 usnavy13 commented May 6, 2026

Summary

  • Authentication flexibility: Add AUTH_ENABLED toggle and Basic auth support so the API can run behind trusted proxies without x-api-key headers, while admin endpoints still require MASTER_API_KEY.
  • Sandbox network egress: Introduce an allowlist-based egress proxy (ENABLE_SANDBOX_NETWORK) that lets sandboxes reach PyPI, npm, Go modules, and crates.io for skill dependency installs — all other outbound traffic is blocked.
  • File handling improvements: Enforce read-only file mounts, add per-session upload limits, support nested directory uploads, and normalize tool names in the programmatic API.
  • Bash batch execution: Add ptc_bash_server.py REPL server for bash/shell tool calls, with corresponding routing in the execution runner.

Test plan

  • Unit tests pass: pytest tests/unit/ (new tests added for egress proxy, orchestrator, bash server, tool name normalization, upload read-only, runner nested paths, request helpers, output processor, exec models)
  • Integration tests pass with full Docker Compose stack: pytest tests/integration/ (new auth-enabled/disabled and programmatic API tests)
  • Functional tests pass: pytest tests/functional/
  • Verify AUTH_ENABLED=false disables auth on user endpoints but admin endpoints still require MASTER_API_KEY
  • Verify Basic auth works with LibreChat-style URL credentials (https://<key>@host)
  • Verify ENABLE_SANDBOX_NETWORK=true allows pip/npm installs inside sandboxes and blocks non-allowlisted hosts
  • Verify file uploads with nested directories mount correctly and are read-only inside the sandbox
  • Linting passes: flake8, black --check, mypy, bandit

🤖 Generated with Claude Code
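The Summary and Test plan above describe an `AUTH_ENABLED` toggle, Basic auth for clients that carry the key as URL credentials (`https://<key>@host`), and admin endpoints that always require `MASTER_API_KEY`. The following is an added example of how such a request-authentication helper can be structured; it is not code from this PR, and the function names, the `/admin/` path prefix and the header handling are assumptions.

```python
# Added example (not this PR's code): accept the API key via x-api-key or HTTP
# Basic auth, honour an AUTH_ENABLED toggle for user routes, and always gate
# admin routes on MASTER_API_KEY. Names and the /admin/ prefix are assumptions.
import base64
import binascii
import hmac
from typing import Dict, Iterable, Optional, Tuple


def key_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Return the presented API key, or None if no usable credential is present.

    A client given https://<key>@host sends 'Authorization: Basic base64("<key>:")',
    so the key is the username part and the password is empty.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-api-key"):
        return lowered["x-api-key"]
    scheme, _, blob = lowered.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed credential is treated as absent, never as valid
    user, _, _password = decoded.partition(":")
    return user or None


def _same(a: str, b: str) -> bool:
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def authorize(headers: Dict[str, str], path: str, *, auth_enabled: bool,
              master_key: str, user_keys: Iterable[str]) -> Tuple[bool, str]:
    """Admin routes always need MASTER_API_KEY; user routes need a known key
    unless AUTH_ENABLED=false (deployment behind a trusted proxy)."""
    presented = key_from_headers(headers)
    if path.startswith("/admin/"):
        if presented is not None and _same(presented, master_key):
            return True, "admin"
        return False, "admin endpoints require MASTER_API_KEY"
    if not auth_enabled:
        return True, "auth disabled"
    if presented is not None and any(_same(presented, k) for k in user_keys):
        return True, "user"
    return False, "missing or invalid API key"
```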

usnavy13 and others added 5 commits April 28, 2026 22:23
- Added AUTH_ENABLED configuration to control API key authentication on user endpoints, with detailed documentation updates.
- Introduced a new batch file upload endpoint to support multi-file uploads, preserving subdirectory structures.
- Implemented a new PTC server for bash execution, allowing users to run bash code with the same JSON protocol as the Python server.
- Updated Dockerfile to include jq for JSON processing in the bash PTC server.
- Enhanced existing endpoints and services to accommodate the new features and ensure proper handling of authentication and file management.
- Added configuration options for enabling sandbox network access, allowing sandboxes to reach the internet through an inline allowlist proxy.
- Implemented egress proxy and firewall to enforce outbound traffic restrictions, preventing SSRF vulnerabilities.
- Updated Docker configurations to support new sandbox features, including persistent skill-deps caching.
- Enhanced API with endpoints to inspect and purge the skill-deps cache, facilitating better management of installed dependencies.
- Refactored execution services to accommodate network-enabled sandboxes, ensuring proper handling of package installations across multiple languages.
- Enhanced file upload logic to skip extension checks for agent files, allowing skill-priming uploads from the LibreChat host.
- Increased the maximum number of files per session from 300 to 1000 to accommodate larger skill bundles and prevent upload errors.
- Added normalization functions for Python and Bash tool names to ensure compatibility with SDK-generated code.
- Updated file handling in execution services to support new metadata fields, including `inherited`, `modified_from`, and `entity_id`.
- Introduced read-only file handling during uploads, allowing for better management of file permissions in sandbox environments.
- Enhanced unit tests to cover new features and ensure robust validation of file and tool name handling.
…essions

- Egress proxy tunnel test: use IP literal 127.0.0.1 instead of localhost
  to avoid IPv6 resolution mismatch in CI
- Batch upload mock: add missing is_read_only param to fake_store
- Client-replay test: allow inherited file refs in exec response (matches
  LibreChat CodeExecutor.ts contract)
- Bandit B103: suppress intentional 0o1777 chmod on shared skill-deps dir

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
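The Summary bullet on sandbox network egress and the commit notes above describe an allowlist proxy that lets sandboxes reach PyPI, npm, Go modules and crates.io while blocking all other outbound traffic, and a CI fix where `localhost` and `127.0.0.1` resolved differently. The following is an added example of the default-deny decision such a proxy has to make per request; it is not this PR's code, and the allowlisted host names, the port policy and the target format are assumptions.

```python
# Added example (not this PR's code): default-deny egress decision for a
# CONNECT target ("host:port") or absolute URL. The allowlist below is an
# assumption standing in for the registries pip/npm/go/cargo need.
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({
    "pypi.org", "files.pythonhosted.org",          # pip
    "registry.npmjs.org",                           # npm
    "proxy.golang.org", "sum.golang.org",           # go modules
    "crates.io", "index.crates.io", "static.crates.io",  # cargo
})
ALLOWED_PORTS = frozenset({443})


def normalize_host(host: str) -> str:
    """Lowercase, drop trailing dot and IPv6 brackets so allowlist lookups are exact."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def egress_allowed(target: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowlisted is denied."""
    try:
        if "://" in target:
            parts = urlsplit(target)  # hostname excludes any user:pass@ prefix
            host = parts.hostname or ""
            port = parts.port or (443 if parts.scheme == "https" else 80)
        else:
            host, _, port_s = target.rpartition(":")
            if not host or not port_s.isdigit():
                return False, "malformed target"
            port = int(port_s)
    except ValueError:
        return False, "malformed target"
    host = normalize_host(host)
    if is_ip_literal(host):
        # Names only: IP literals would let loopback, link-local and internal
        # addresses bypass a name-based allowlist.
        return False, "IP literals are never allowlisted"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"
```

Exact matching (no suffix or wildcard rules) is deliberate: `pypi.org.attacker.example` and `pypi.org@attacker.example` both fall through to the deny branch.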
@usnavy13 usnavy13 marked this pull request as ready for review May 6, 2026 03:20
@usnavy13 usnavy13 merged commit 48dee34 into dev May 6, 2026
9 checks passed
@usnavy13 usnavy13 deleted the skills-bash-batch-improvements branch May 7, 2026 02:20