feat: Auth, sandbox egress, file handling, and bash batch execution

.env.example

@@ -6,6 +6,28 @@
 API_KEY=your-secure-api-key-here-change-this-in-production
 # API_KEYS=key1,key2,key3  # Additional API keys (comma-separated)
 # MASTER_API_KEY=your-secure-master-key  # Required for admin dashboard CLI
+#
+# AUTH_ENABLED=true        # Set to false to disable x-api-key/Basic auth checks
+#                          # on user endpoints. Use only when running behind a
+#                          # trusted network boundary. /api/v1/admin/* still
+#                          # requires MASTER_API_KEY regardless.
+#
+# Three ways clients can authenticate when AUTH_ENABLED=true:
+#   1. x-api-key: <key>                                 (recommended for proxies)
+#   2. Authorization: Basic base64("<key>:")            (LibreChat URL credentials)
+#      e.g. LIBRECHAT_CODE_BASEURL=https://<key>@your-api/v1
+#   3. (none, when AUTH_ENABLED=false)
+
+# ── Sandbox network access (skill installs) ───────────────────
+# When ENABLE_SANDBOX_NETWORK=true, sandboxes can reach the internet but only
+# through an inline allowlist proxy that permits PyPI, npm, Go modules, and
+# crates.io. Required for skills that pip/npm/go install dependencies at
+# runtime. Off by default (sandboxes are isolated).
+#
+# ENABLE_SANDBOX_NETWORK=false
+# SANDBOX_EGRESS_PORT=18443                       # local-only, sandbox -> proxy
+# SANDBOX_EGRESS_ALLOWLIST=                       # comma-separated extra hosts
+# SKILL_DEPS_PATH=/opt/skill-deps                 # backing volume mount
 
 # ── Redis ───────────────────────────────────────────────────────
 REDIS_HOST=localhost

Dockerfile

@@ -26,6 +26,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     flex bison \
     curl wget ca-certificates gnupg software-properties-common \
     libssl-dev libffi-dev libxml2-dev libxslt-dev zlib1g-dev \
+    jq iptables \
     && rm -rf /var/lib/apt/lists/*
 
 RUN git clone https://github.com/google/nsjail.git /tmp/nsjail && \
@@ -51,6 +52,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     portaudio19-dev flac ffmpeg \
     libpulse-dev libsdl2-dev libsdl2-mixer-dev libsdl2-image-dev libsdl2-ttf-dev \
     antiword unrtf \
+    libreoffice-impress libreoffice-writer libreoffice-calc libreoffice-common \
     && rm -rf /var/lib/apt/lists/*
 
 COPY docker/requirements/python-core.txt /tmp/python-core.txt
@@ -276,8 +278,9 @@ WORKDIR /app
 # Keep the application layer thin so app-only changes do not invalidate runtime stages.
 COPY docker/repl_server.py /opt/repl_server.py
 COPY docker/ptc_server.py /opt/ptc_server.py
+COPY docker/ptc_bash_server.py /opt/ptc_bash_server.py
 COPY docker/entrypoint.sh /opt/entrypoint.sh
-RUN chmod +x /opt/repl_server.py /opt/ptc_server.py /opt/entrypoint.sh
+RUN chmod +x /opt/repl_server.py /opt/ptc_server.py /opt/ptc_bash_server.py /opt/entrypoint.sh
 
 COPY requirements.txt /tmp/requirements.txt
 RUN --mount=type=cache,target=/root/.cache/pip \

docker-compose.local-test.yml

@@ -0,0 +1,4 @@
+services:
+  api:
+    image: code-interpreter:nsjail-librechat-compat
+    pull_policy: never

docker-compose.prod.yml

@@ -7,6 +7,10 @@ services:
     init: true
     cap_add:
       - SYS_ADMIN
+      # NET_ADMIN required to install iptables egress rules for sandbox uid
+      # when ENABLE_SANDBOX_NETWORK=true. Restricts sandbox traffic to the
+      # inline allowlist proxy and prevents SSRF to Redis/MinIO/etc.
+      - NET_ADMIN
     security_opt:
       - apparmor:unconfined
     ports:
@@ -18,6 +22,10 @@ services:
       - MINIO_ENDPOINT=minio:9000
     volumes:
       - sandbox-data:/var/lib/code-interpreter/sandboxes
+      # Persistent skill-deps cache: pip/npm/go/cargo install here when
+      # ENABLE_SANDBOX_NETWORK=true so future executions reuse the install.
+      # Survives container restarts; purge with POST /api/v1/admin/skill-deps/purge.
+      - skill-deps:/opt/skill-deps
       # SSL_CERTS_PATH is a host path; SSL_CERT_FILE and SSL_KEY_FILE must point
       # to the mounted files inside the container under /app/ssl.
       - ${SSL_CERTS_PATH:-./ssl}:/app/ssl:ro
@@ -92,5 +100,6 @@ services:
 
 volumes:
   sandbox-data:
+  skill-deps:
   redis-data:
   minio-data:

docker-compose.yml

@@ -13,6 +13,7 @@ services:
     # nsjail requires these capabilities to create namespaces and cgroups
     cap_add:
       - SYS_ADMIN
+      - NET_ADMIN
     security_opt:
       - apparmor:unconfined
     ports: