all

Author: rubenfiszel

debugger/README.md

@@ -51,8 +51,11 @@ bun run debug/dap_debug_service.ts
 Options:
 - `--port PORT` - Server port (default: 5679)
 - `--host HOST` - Server host (default: 0.0.0.0)
-- `--nsjail` - Enable nsjail sandboxing
+- `--python-path PATH` - Python binary path (default: python3)
+- `--bun-path PATH` - Bun binary path (default: bun)
+- `--nsjail` - Enable nsjail sandboxing for debugger processes
 - `--nsjail-config PATH` - Path to nsjail config file
+- `--nsjail-path PATH` - Path to nsjail binary (default: nsjail)
 
 ### Endpoints
 
@@ -66,10 +69,11 @@ Options:
 |----------|-------------|---------|
 | `DAP_PORT` | Server port | 5679 |
 | `DAP_HOST` | Server host | 0.0.0.0 |
-| `DAP_NSJAIL_ENABLED` | Enable nsjail | false |
-| `DAP_NSJAIL_CONFIG` | nsjail config path | - |
 | `DAP_PYTHON_PATH` | Python binary path | python3 |
 | `DAP_BUN_PATH` | Bun binary path | bun |
+| `DAP_NSJAIL_ENABLED` | Enable nsjail sandboxing | false |
+| `DAP_NSJAIL_PATH` | nsjail binary path | nsjail |
+| `DAP_NSJAIL_CONFIG` | nsjail config file path | - |
 
 ### Frontend Integration
 

debugger/dap_debug_service.ts

@@ -35,7 +35,7 @@ import { tmpdir } from 'node:os'
 import { join } from 'node:path'
 
 // Import the working Bun debug session from the standalone server
-import { DebugSession as BunDebugSessionWorking } from './dap_websocket_server_bun'
+import { DebugSession as BunDebugSessionWorking, type NsjailConfig } from './dap_websocket_server_bun'
 
 // ============================================================================
 // Configuration
@@ -808,14 +808,30 @@ const server = Bun.serve({
 
 			let session: BaseDebugSession
 
+			// Build nsjail config to pass to debuggers
+			const nsjailConfig: NsjailConfig | undefined = config.nsjail.enabled
+				? {
+						enabled: true,
+						binaryPath: config.nsjail.binaryPath,
+						configPath: config.nsjail.configPath,
+						extraArgs: config.nsjail.extraArgs
+					}
+				: undefined
+
 			if (path === '/python') {
 				session = new PythonDebugSession(wsWrapper)
 			} else if (path === '/typescript' || path === '/bun' || path === '/') {
 				// Use the working Bun debug session from dap_websocket_server_bun.ts
-				session = new BunDebugSessionWorking(wsWrapper as unknown as WebSocket) as unknown as BaseDebugSession
+				session = new BunDebugSessionWorking(wsWrapper as unknown as WebSocket, {
+					nsjailConfig,
+					bunPath: config.bunPath
+				}) as unknown as BaseDebugSession
 			} else {
 				logger.warn(`Unknown path: ${path}, defaulting to TypeScript`)
-				session = new BunDebugSessionWorking(wsWrapper as unknown as WebSocket) as unknown as BaseDebugSession
+				session = new BunDebugSessionWorking(wsWrapper as unknown as WebSocket, {
+					nsjailConfig,
+					bunPath: config.bunPath
+				}) as unknown as BaseDebugSession
 			}
 
 			sessions.set(ws, session)

debugger/dap_websocket_server_bun.ts

@@ -108,6 +108,14 @@ const logger = {
 	error: (...args: unknown[]) => console.error('[ERROR]', new Date().toISOString(), ...args)
 }
 
+// Nsjail configuration for sandboxed execution
+export interface NsjailConfig {
+	enabled: boolean
+	binaryPath: string
+	configPath?: string
+	extraArgs?: string[]
+}
+
 /**
  * VLQ (Variable-Length Quantity) decoder for source maps.
  * Returns array of decoded integers from VLQ string.
@@ -290,8 +298,16 @@ export class DebugSession {
 	// Track if current pause is due to a breakpoint (for line number correction)
 	private pausedAtBreakpoint = false
 
-	constructor(ws: WebSocket) {
+	// Nsjail configuration for sandboxed execution
+	private nsjailConfig?: NsjailConfig
+
+	// Custom bun binary path (can be overridden)
+	private bunPath: string = 'bun'
+
+	constructor(ws: WebSocket, options?: { nsjailConfig?: NsjailConfig; bunPath?: string }) {
 		this.ws = ws
+		this.nsjailConfig = options?.nsjailConfig
+		this.bunPath = options?.bunPath || 'bun'
 	}
 
 	private nextSeq(): number {
@@ -965,8 +981,29 @@ export class DebugSession {
 		const inspectPort = 9229 + Math.floor(Math.random() * 1000)
 		const inspectUrl = `127.0.0.1:${inspectPort}`
 
-		// Use --inspect-wait to wait for debugger connection before running
-		logger.info(`Starting Bun with --inspect-wait=${inspectUrl}`)
+		// Build the command - optionally wrapped with nsjail
+		let cmd: string[] = [this.bunPath, `--inspect-wait=${inspectUrl}`, this.scriptPath]
+
+		if (this.nsjailConfig?.enabled) {
+			const nsjailCmd = [this.nsjailConfig.binaryPath]
+
+			if (this.nsjailConfig.configPath) {
+				nsjailCmd.push('--config', this.nsjailConfig.configPath)
+			}
+
+			if (this.nsjailConfig.extraArgs) {
+				nsjailCmd.push(...this.nsjailConfig.extraArgs)
+			}
+
+			nsjailCmd.push('--cwd', cwd)
+			nsjailCmd.push('--')
+			nsjailCmd.push(...cmd)
+
+			cmd = nsjailCmd
+			logger.info(`Starting Bun with nsjail: ${cmd.join(' ')}`)
+		} else {
+			logger.info(`Starting Bun with --inspect-wait=${inspectUrl}`)
+		}
 
 		// Create a promise to wait for the WebSocket URL
 		const wsUrlPromise = new Promise<string>((resolve, reject) => {
@@ -981,7 +1018,7 @@ export class DebugSession {
 		})
 
 		this.process = spawn({
-			cmd: ['bun', `--inspect-wait=${inspectUrl}`, this.scriptPath],
+			cmd,
 			cwd,
 			stdout: 'pipe',
 			stderr: 'pipe',

debugger/test_debug_service.ts

@@ -9,9 +9,16 @@
  *
  * Then run this test:
  *    bun run test_debug_service.ts
+ *
+ * To test with nsjail enabled:
+ *    bun run dap_debug_service.ts --nsjail --nsjail-config /path/to/config.cfg
+ *    bun run test_debug_service.ts --nsjail
  */
 
+import { spawn } from 'bun'
+
 const SERVICE_URL = 'ws://localhost:5679'
+const TEST_NSJAIL = process.argv.includes('--nsjail')
 
 const TS_TEST_CODE = `let counter = 0
 console.log("TS: Starting")
@@ -448,6 +455,16 @@ async function testHealthEndpoint(): Promise<boolean> {
 			return false
 		}
 
+		// If testing nsjail mode, verify nsjail is enabled in health response
+		if (TEST_NSJAIL) {
+			if (data.nsjail !== true) {
+				console.log('  ❌ FAIL: nsjail should be enabled but health shows false')
+				console.log('  → Make sure you started the server with: bun run dap_debug_service.ts --nsjail')
+				return false
+			}
+			console.log('  ✓ nsjail mode confirmed enabled')
+		}
+
 		console.log('  ✓ Health endpoint works!')
 		return true
 	} catch (error) {
@@ -456,9 +473,34 @@ async function testHealthEndpoint(): Promise<boolean> {
 	}
 }
 
+async function checkNsjailAvailable(): Promise<boolean> {
+	try {
+		const proc = spawn({
+			cmd: ['nsjail', '--version'],
+			stdout: 'pipe',
+			stderr: 'pipe'
+		})
+		const exitCode = await proc.exited
+		return exitCode === 0
+	} catch {
+		return false
+	}
+}
+
 async function main() {
 	console.log('='.repeat(60))
 	console.log('DAP Debug Service Tests')
+	if (TEST_NSJAIL) {
+		console.log('Mode: NSJAIL ENABLED')
+		const nsjailAvailable = await checkNsjailAvailable()
+		if (!nsjailAvailable) {
+			console.log('\n⚠️  WARNING: nsjail not found in PATH')
+			console.log('   Tests will verify nsjail configuration is passed correctly,')
+			console.log('   but actual sandboxed execution cannot be tested.')
+		}
+	} else {
+		console.log('Mode: Standard (no nsjail)')
+	}
 	console.log('='.repeat(60))
 
 	let passed = 0