Add PlantUML sequence diagrams for Linux and macOS implementations

Adds comprehensive sequence diagrams showing:
- Linux: Network namespace isolation with iptables redirection
- macOS: Process group isolation with PF rules
- Complete request flow from process execution to cleanup
- Platform-specific implementation details and differences

Co-authored-by: bcpeinhardt <[email protected]>

Author: blink-so[bot]

diagrams/README.md

@@ -0,0 +1,61 @@
+# Jail Architecture Diagrams
+
+This directory contains PlantUML sequence diagrams that illustrate how the jail network isolation tool works on different platforms.
+
+## Diagrams
+
+### Linux Implementation (`linux-sequence.puml`)
+
+Shows the complete flow of process isolation and proxy communication on Linux using:
+- **Network Namespaces**: Complete network isolation for the target process
+- **veth pairs**: Virtual ethernet interfaces connecting host and namespace (192.168.100.1/24 ↔ 192.168.100.2/24)
+- **iptables**: DNAT rules to redirect HTTP/HTTPS traffic to proxy ports
+- **DNS Configuration**: Namespace-specific `/etc/netns/{namespace}/resolv.conf` with public DNS servers
+
+### macOS Implementation (`macos-sequence.puml`)
+
+Shows the complete flow of process isolation and proxy communication on macOS using:
+- **Process Groups**: Target process runs with specific group membership
+- **PF (Packet Filter)**: Rules to route traffic from specific group through loopback interface
+- **Traffic Redirection**: PF redirect rules on loopback send traffic to proxy ports
+- **Group Management**: Uses `dscl`/`dseditgroup` to create and manage network groups
+
+## Key Differences
+
+| Aspect | Linux | macOS |
+|--------|-------|-------|
+| **Isolation Method** | Network namespaces | Process groups |
+| **Traffic Redirection** | iptables DNAT rules | PF route-to + rdr rules |
+| **Network Setup** | veth pair with private subnet | Loopback interface routing |
+| **Process Execution** | `ip netns exec` | `exec.Command` with group credentials |
+| **DNS Configuration** | Namespace-specific resolv.conf | Inherits host DNS |
+| **Cleanup** | Remove namespace + iptables rules | Flush PF anchor + remove temp files |
+
+## Common Components
+
+Both implementations share:
+- **Proxy Server**: HTTP/HTTPS proxy that intercepts and evaluates requests
+- **Rule Engine**: Wildcard pattern matching for allow/deny decisions
+- **TLS Manager**: Dynamic certificate generation for HTTPS interception
+- **Request Flow**: Rule evaluation → Allow/Deny → Forward/Block response
+
+## Viewing the Diagrams
+
+To render these PlantUML diagrams:
+
+1. **Online**: Copy the content to [PlantUML Online Server](http://www.plantuml.com/plantuml/uml/)
+2. **VS Code**: Install the PlantUML extension
+3. **Command Line**: Use `plantuml` command with Java
+4. **IntelliJ/PyCharm**: Built-in PlantUML support
+
+## Architecture Flow
+
+Both diagrams show the complete lifecycle:
+1. **Setup Phase**: Create isolation environment and start proxy
+2. **Execution Phase**: Run target process with network redirection
+3. **Request Interception**: Capture HTTP/HTTPS traffic through proxy
+4. **Rule Evaluation**: Apply allow/deny rules to requests
+5. **Response Handling**: Forward allowed requests, block denied ones
+6. **Cleanup Phase**: Remove isolation environment and proxy
+
+The diagrams demonstrate how jail provides secure, auditable network access control for arbitrary processes across different operating systems.

diagrams/linux-sequence.puml

@@ -0,0 +1,74 @@
+@startuml Linux Process Isolation and Proxy Communication
+
+title Linux Network Isolation with Network Namespaces
+
+participant "User" as User
+participant "jail main" as Main
+participant "LinuxJail" as Linux
+participant "ProxyServer" as Proxy
+participant "RuleEngine" as Rules
+participant "TLS Manager" as TLS
+participant "Network Namespace" as NetNS
+participant "iptables" as IPTables
+participant "Target Process" as Process
+participant "External Server" as Server
+
+User -> Main: jail --allow "github.com" -- curl https://github.com
+Main -> Rules: ParseAllowSpecs(["github.com"])
+Rules -> Main: Return allow rules
+Main -> TLS: NewCertificateManager()
+TLS -> Main: Return cert manager + CA cert
+Main -> Linux: NewJail(config, logger)
+Linux -> Main: Return LinuxJail instance
+
+Main -> Linux: Setup(httpPort=8040, httpsPort=8043)
+Linux -> Linux: setupDNS()
+note right: Creates /etc/netns/{namespace}/resolv.conf\nwith public DNS servers (8.8.8.8, etc.)
+Linux -> Linux: createNamespace()
+Linux -> NetNS: ip netns add {namespace}
+NetNS -> Linux: Namespace created
+Linux -> Linux: setupNetworking()
+Linux -> NetNS: ip link add veth_h_{id} type veth peer name veth_n_{id}
+Linux -> NetNS: ip link set veth_n_{id} netns {namespace}
+Linux -> NetNS: ip addr add 192.168.100.1/24 dev veth_h_{id}
+Linux -> NetNS: ip netns exec {namespace} ip addr add 192.168.100.2/24 dev veth_n_{id}
+Linux -> NetNS: ip netns exec {namespace} ip route add default via 192.168.100.1
+Linux -> Linux: setupIptables()
+Linux -> IPTables: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
+Linux -> IPTables: ip netns exec {namespace} iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.100.1:8040
+Linux -> IPTables: ip netns exec {namespace} iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 192.168.100.1:8043
+Linux -> Main: Setup complete
+
+Main -> Proxy: NewProxyServer(config)
+Proxy -> Main: Return proxy instance
+Main -> Proxy: Start(ctx)
+Proxy -> Proxy: Start HTTP server on :8040
+Proxy -> Proxy: Start HTTPS server on :8043 with TLS config
+
+Main -> Linux: Execute(["curl", "https://github.com"], extraEnv)
+Linux -> Process: ip netns exec {namespace} curl https://github.com
+note right: Process runs inside network namespace\nwith CA cert environment variables
+
+Process -> NetNS: Connect to github.com:443
+NetNS -> IPTables: Traffic hits OUTPUT chain
+IPTables -> IPTables: DNAT rule redirects to 192.168.100.1:8043
+NetNS -> Proxy: HTTPS request to 192.168.100.1:8043
+Proxy -> TLS: Generate certificate for github.com
+TLS -> Proxy: Return certificate
+Proxy -> Process: TLS handshake with generated cert
+Process -> Proxy: HTTPS request (decrypted)
+Proxy -> Rules: Evaluate("GET", "https://github.com")
+Rules -> Proxy: Allow (matches "github.com" rule)
+Proxy -> Server: Forward HTTPS request to real github.com
+Server -> Proxy: HTTPS response
+Proxy -> Process: Forward response (re-encrypted)
+Process -> Linux: Exit with status code
+Linux -> Main: Command completed
+
+Main -> Linux: Cleanup()
+Linux -> IPTables: Remove iptables rules
+Linux -> NetNS: ip netns del {namespace}
+Linux -> Linux: Remove /etc/netns/{namespace}
+Linux -> Main: Cleanup complete
+
+@enduml

diagrams/macos-sequence.puml

@@ -0,0 +1,78 @@
+@startuml macOS Process Isolation and Proxy Communication
+
+title macOS Network Isolation with PF Rules and Process Groups
+
+participant "User" as User
+participant "jail main" as Main
+participant "MacOSJail" as MacOS
+participant "ProxyServer" as Proxy
+participant "RuleEngine" as Rules
+participant "TLS Manager" as TLS
+participant "dscl/dseditgroup" as Groups
+participant "PF (Packet Filter)" as PF
+participant "Target Process" as Process
+participant "External Server" as Server
+
+User -> Main: jail --allow "github.com" -- curl https://github.com
+Main -> Rules: ParseAllowSpecs(["github.com"])
+Rules -> Main: Return allow rules
+Main -> TLS: NewCertificateManager()
+TLS -> Main: Return cert manager + CA cert
+Main -> MacOS: NewJail(config, logger)
+MacOS -> Main: Return MacOSJail instance
+
+Main -> MacOS: Setup(httpPort=8040, httpsPort=8043)
+MacOS -> MacOS: ensureGroup()
+MacOS -> Groups: dscl . -read /Groups/network PrimaryGroupID
+alt Group exists
+    Groups -> MacOS: Return existing GID
+else Group doesn't exist
+    MacOS -> Groups: dseditgroup -o create network
+    Groups -> MacOS: Group created
+    MacOS -> Groups: dscl . -read /Groups/network PrimaryGroupID
+    Groups -> MacOS: Return new GID
+end
+MacOS -> MacOS: setupPFRules()
+MacOS -> MacOS: getDefaultInterface()
+MacOS -> MacOS: route -n get default
+MacOS -> MacOS: createPFRules() - Generate PF rules for group
+note right: Creates rules to redirect traffic from group {GID}\nto loopback interface, then to proxy ports
+MacOS -> PF: Write rules to /tmp/{name}.pf
+MacOS -> PF: pfctl -a network -f /tmp/{name}.pf
+MacOS -> PF: pfctl -E (enable PF)
+MacOS -> PF: pfctl -f /tmp/{name}_main.pf (load main ruleset)
+MacOS -> Main: Setup complete
+
+Main -> Proxy: NewProxyServer(config)
+Proxy -> Main: Return proxy instance
+Main -> Proxy: Start(ctx)
+Proxy -> Proxy: Start HTTP server on :8040
+Proxy -> Proxy: Start HTTPS server on :8043 with TLS config
+
+Main -> MacOS: Execute(["curl", "https://github.com"], extraEnv)
+MacOS -> Process: exec.Command with SysProcAttr.Credential.Gid = {groupID}
+note right: Process runs with network group membership\nand CA cert environment variables
+
+Process -> PF: Connect to github.com:443
+PF -> PF: Match group {GID} traffic rule
+PF -> PF: route-to (lo0 127.0.0.1) for port 443
+PF -> PF: rdr pass on lo0 port 443 -> 127.0.0.1:8043
+Process -> Proxy: HTTPS request to 127.0.0.1:8043
+Proxy -> TLS: Generate certificate for github.com
+TLS -> Proxy: Return certificate
+Proxy -> Process: TLS handshake with generated cert
+Process -> Proxy: HTTPS request (decrypted)
+Proxy -> Rules: Evaluate("GET", "https://github.com")
+Rules -> Proxy: Allow (matches "github.com" rule)
+Proxy -> Server: Forward HTTPS request to real github.com
+Server -> Proxy: HTTPS response
+Proxy -> Process: Forward response (re-encrypted)
+Process -> MacOS: Exit with status code
+MacOS -> Main: Command completed
+
+Main -> MacOS: Cleanup()
+MacOS -> PF: pfctl -a network -F all (flush anchor)
+MacOS -> MacOS: Remove /tmp/{name}.pf and /tmp/{name}_main.pf
+MacOS -> Main: Cleanup complete
+
+@enduml