KarpelesLab / bnpm
12%

Repo Added 03 Apr 2026 05:09AM UTC

Token qmODV10O95LueEL76wPgKaQ3EyE7cthQB regen

Build 15 Last

Files 7

Badge

Embed ▾

LAST BUILD ON BRANCH master
branch: SELECT

CHANGE BRANCH
x

Sync Branches

No branch selected

master

Committed 20 May 2026 10:34PM UTC coverage: 11.504% (+2.1%) from 9.364%

Build # 26193907419

Build Type

push

github

Committed by

MagicalTux

Commit Message

Fix CIDR containment in network allow list, add claude-hardened profile

The IP allow list parsed CIDR entries with ParsePrefix but stored only
pfx.Addr() in the same map as bare addresses, so "10.0.0.0/8" matched
only 10.0.0.0 and nothing else in the range. Split prefixes into their
own []netip.Prefix and check with Contains. Add regression test.

Add claude-hardened profile (opt-in via --profile claude-hardened) that
removes attack surface from claude-full:
  - no ~/.ssh bind mount, no SSH_AUTH_SOCK passthrough
  - no ~/.config mount (prevents writing ~/.config/bnpm/config.toml to
    broaden the sandbox on the next run via user-profile precedence)
  - no ~/.npm / ~/.npm-global (no install-cache tampering)
  - drops *.sentry.io, *.google.com, *.googleapis.com, marketplace and
    CDN wildcards that double as TLS-tunneled exfil channels
  - tightens GitHub to non-wildcard hostnames

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Coverage Stats

10 of 12 new or added lines in 1 file covered. (83.33%)

1 existing line in 1 file now uncovered.

130 of 1130 relevant lines covered (11.5%)

1.05 hits per line

Relevant lines Covered

1130 RELEVANT LINES 130 COVERED LINES

1.05 HITS PER LINE

Source Files on master

Recent builds

Builds	Branch	Commit	Type	Ran	Committer	Via	Coverage
26193907419	master	Fix CIDR containment in network allow list, add claude-hardened profile The IP allow list parsed CIDR entries with ParsePrefix but stored only pfx.Addr() in the same map as bare addresses, so "10.0.0.0/8" matched only 10.0.0.0 and nothing else in...	push	20 May 2026 10:35PM UTC	MagicalTux	github	11.5
23980447911	master	Create LICENSE	push	04 Apr 2026 02:04PM UTC	web-flow	github	9.36
23976678702	master	Add sandbox profiles for AI coding agents Profiles for Claude Code, OpenAI Codex, and Gemini CLI. Each agent has two profiles: full network (API + git + npm + supporting services) and API-only (restricted to just the model endpoint). Select the r...	push	04 Apr 2026 10:03AM UTC	MagicalTux	github	9.36
23953563363	master	Switch from TAP (L2) to TUN (L3) with slirp v0.1.3 slirp v0.1.3 is fully L3 — Writer callback receives/sends raw IP packets, no Ethernet framing. This lets us use a TUN device instead of TAP, eliminating all ARP handling and Ethernet frame constr...	push	03 Apr 2026 04:30PM UTC	MagicalTux	github	9.36
23952296653	master	Upgrade slirp to v0.1.2 BuildTCPPacket was made internal; build RST packets inline using the exported checksum functions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	push	03 Apr 2026 03:50PM UTC	MagicalTux	github	8.79
23943041271	master	Upgrade slirp to v0.1.1 Fixes TCP FIN half-close handling and out-of-order packet drops that caused ECONNRESET under heavy concurrent load. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	push	03 Apr 2026 10:24AM UTC	MagicalTux	github	8.91
23935431370	master	Fix Ctrl-C not working in filtered network mode PID 1 in a PID namespace has special signal semantics: the kernel silently drops signals from outside the namespace unless PID 1 has installed a handler. Since we were using unix.Exec() to replace t...	push	03 Apr 2026 05:39AM UTC	MagicalTux	github	8.91
23935307634	master	Remove max_memory feature entirely RLIMIT_AS limits virtual address space, not physical RAM, making it incompatible with V8/Node which reserves huge virtual regions. Proper physical memory limits require cgroup v2 delegation which is not availabl...	push	03 Apr 2026 05:34AM UTC	MagicalTux	github	9.07
23935244488	master	Remove default max_memory from all profiles RLIMIT_AS limits virtual address space, not physical RAM. V8 reserves enormous virtual regions (CodeRange, heap) that never map to real memory, making any RLIMIT_AS cap incompatible with Node-based tool...	push	03 Apr 2026 05:31AM UTC	MagicalTux	github	10.89
23935229272	master	Raise default max_memory to 16G for all profiles RLIMIT_AS limits virtual address space, not RSS. Node/V8 reserves large virtual regions upfront (heap, JIT pages) that far exceed actual memory use. 4G was causing OOM in pnpm install. Co-Authored...	push	03 Apr 2026 05:30AM UTC	MagicalTux	github	10.89

See All Builds (15)

Badge your Repo: bnpm

We detected this repo isn’t badged! Grab the embed code to the right, add it to your repo to show off your code coverage, and when the badge is live hit the refresh button to remove this message.

Embed ▾

Refresh

KarpelesLab / bnpm
12%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

LAST BUILD ON BRANCH master
branch: SELECT

CHANGE BRANCH
x

Sync Branches

No branch selected

master

CHANGE BRANCH
x

Relevant lines Covered

Source Files on master

Recent builds

Badge your Repo: bnpm

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

KarpelesLab / bnpm 12%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

LAST BUILD ON BRANCH master branch: SELECT CHANGE BRANCH x Sync Branches No branch selected master

CHANGE BRANCH x

Relevant lines Covered

Source Files on master

Recent builds

Badge your Repo: bnpm

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

KarpelesLab / bnpm
12%

README BADGES
x

LAST BUILD ON BRANCH master
branch: SELECT

CHANGE BRANCH
x

Sync Branches

No branch selected

master

CHANGE BRANCH
x

README BADGES
x