Simplify implementation: Remove enhanced APIs, update existing APIs directly

- Remove all Enhanced* structs and NewEnhanced functions
- Add Unprivileged field directly to existing Config struct
- Update existing New() function to handle unprivileged mode
- Simplify CLI to use standard jail.New() instead of conditional logic
- Remove JailInterface abstraction - use concrete *jail.Jail type
- Much cleaner and simpler for experimental feature

Author: blink-so[bot]

cli/cli.go

@@ -137,26 +137,13 @@ func Run(ctx context.Context, config Config, args []string) error {
 	}
 
 	// Create jail instance
-	var jailInstance JailInterface
-	if config.Unprivileged {
-		// Use enhanced jail with unprivileged mode
-		enhancedConfig := jail.EnhancedConfig{
-			RuleEngine:   ruleEngine,
-			Auditor:      auditor,
-			CertManager:  certManager,
-			Logger:       logger,
-			Unprivileged: true,
-		}
-		jailInstance, err = jail.NewEnhanced(ctx, enhancedConfig)
-	} else {
-		// Use regular jail (privileged mode)
-		jailInstance, err = jail.New(ctx, jail.Config{
-			RuleEngine:  ruleEngine,
-			Auditor:     auditor,
-			CertManager: certManager,
-			Logger:      logger,
-		})
-	}
+	jailInstance, err := jail.New(ctx, jail.Config{
+		RuleEngine:   ruleEngine,
+		Auditor:      auditor,
+		CertManager:  certManager,
+		Logger:       logger,
+		Unprivileged: config.Unprivileged,
+	})
 	if err != nil {
 		return fmt.Errorf("failed to create jail instance: %v", err)
 	}
@@ -298,13 +285,6 @@ func getConfigDir(homeDir string) string {
 	return filepath.Join(homeDir, ".config", "coder_jail")
 }
 
-// JailInterface defines the common interface for both jail types
-type JailInterface interface {
-	Start() error
-	Command(command []string) *exec.Cmd
-	Close() error
-}
-
 // validateUnprivilegedMode checks if the system supports unprivileged mode
 func validateUnprivilegedMode(logger *slog.Logger) error {
 	// Check if we're on Linux

jail

@@ -16,19 +16,11 @@ import (
 )
 
 type Config struct {
-	RuleEngine  rules.Evaluator
-	Auditor     audit.Auditor
-	CertManager tls.Manager
-	Logger      *slog.Logger
-}
-
-// EnhancedConfig extends Config with unprivileged mode support
-type EnhancedConfig struct {
 	RuleEngine   rules.Evaluator
 	Auditor      audit.Auditor
 	CertManager  tls.Manager
 	Logger       *slog.Logger
-	Unprivileged bool // If true, use user namespace instead of privileged namespaces
+	Unprivileged bool // Enable unprivileged mode (user namespace + iptables)
 }
 
 type Jail struct {
@@ -40,6 +32,11 @@ type Jail struct {
 }
 
 func New(ctx context.Context, config Config) (*Jail, error) {
+	// Validate unprivileged mode if requested
+	if config.Unprivileged && runtime.GOOS != "linux" {
+		return nil, fmt.Errorf("unprivileged mode only supports Linux, got: %s", runtime.GOOS)
+	}
+
 	// Setup TLS config and write CA certificate to file
 	tlsConfig, caCertPath, configDir, err := config.CertManager.SetupTLSAndWriteCACert()
 	if err != nil {
@@ -71,61 +68,6 @@ func New(ctx context.Context, config Config) (*Jail, error) {
 			"REQUESTS_CA_BUNDLE":  caCertPath, // Python requests
 			"NODE_EXTRA_CA_CERTS": caCertPath, // Node.js
 		},
-	})
-	if err != nil {
-		return nil, fmt.Errorf("failed to create commander: %v", err)
-	}
-
-	// Create cancellable context for jail
-	ctx, cancel := context.WithCancel(ctx)
-
-	return &Jail{
-		commander:   commander,
-		proxyServer: proxyServer,
-		logger:      config.Logger,
-		ctx:         ctx,
-		cancel:      cancel,
-	}, nil
-}
-
-// NewEnhanced creates a jail that can run in either privileged or unprivileged mode
-func NewEnhanced(ctx context.Context, config EnhancedConfig) (*Jail, error) {
-	config.Logger.Debug("Creating enhanced jail", "unprivileged", config.Unprivileged)
-
-	// Validate platform support for unprivileged mode
-	if config.Unprivileged && runtime.GOOS != "linux" {
-		return nil, fmt.Errorf("unprivileged mode only supports Linux, got: %s", runtime.GOOS)
-	}
-
-	// Setup TLS config and write CA certificate to file
-	tlsConfig, caCertPath, configDir, err := config.CertManager.SetupTLSAndWriteCACert()
-	if err != nil {
-		return nil, fmt.Errorf("failed to setup TLS and CA certificate: %v", err)
-	}
-
-	// Create proxy server
-	proxyServer := proxy.NewProxyServer(proxy.Config{
-		HTTPPort:   8080,
-		HTTPSPort:  8443,
-		Auditor:    config.Auditor,
-		RuleEngine: config.RuleEngine,
-		Logger:     config.Logger,
-		TLSConfig:  tlsConfig,
-	})
-
-	// Create appropriate commander based on configuration
-	commander, err := newEnhancedNamespaceCommander(namespace.Config{
-		Logger:         config.Logger,
-		HttpProxyPort:  8080,
-		HttpsProxyPort: 8443,
-		Env: map[string]string{
-			"SSL_CERT_FILE":       caCertPath,
-			"SSL_CERT_DIR":        configDir,
-			"CURL_CA_BUNDLE":      caCertPath,
-			"GIT_SSL_CAINFO":      caCertPath,
-			"REQUESTS_CA_BUNDLE":  caCertPath,
-			"NODE_EXTRA_CA_CERTS": caCertPath,
-		},
 	}, config.Unprivileged)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create commander: %v", err)
@@ -182,19 +124,7 @@ func (j *Jail) Close() error {
 }
 
 // newNamespaceCommander creates a new namespace instance for the current platform
-func newNamespaceCommander(config namespace.Config) (namespace.Commander, error) {
-	switch runtime.GOOS {
-	case "darwin":
-		return namespace.NewMacOS(config)
-	case "linux":
-		return namespace.NewLinux(config)
-	default:
-		return nil, fmt.Errorf("unsupported platform: %s", runtime.GOOS)
-	}
-}
-
-// newEnhancedNamespaceCommander creates the appropriate commander based on mode and platform
-func newEnhancedNamespaceCommander(config namespace.Config, unprivileged bool) (namespace.Commander, error) {
+func newNamespaceCommander(config namespace.Config, unprivileged bool) (namespace.Commander, error) {
 	switch runtime.GOOS {
 	case "darwin":
 		if unprivileged {