
Sandbox hardening, structured hook logging, and security test coverage for beta release#2

Draft
Copilot wants to merge 2 commits into main from copilot/seek-beta-testers-oxide-v0-1-0


Copilot AI commented Mar 12, 2026

The Lua sandbox lacked explicit defense-in-depth against escape vectors, and timeout events were emitted via raw println! rather than the structured tracing pipeline. Added hardening and test coverage targeting the three beta-testing areas: sandbox isolation, instruction hook reliability, and resource exhaustion.

Changes

Sandbox hardening

  • new_sandboxed_lua now explicitly nil-outs require, load, loadfile, dofile, and loadstring after VM creation — propagated with ? so a failure aborts VM construction rather than silently continuing unprotected
  • StdLib::BASE was already excluded, but this guarantees protection against future mlua behavior changes
    lua.load(
        "require = nil; load = nil; loadfile = nil; dofile = nil; loadstring = nil",
    )
    .exec()?;

Structured hook logging

  • Both instruction hooks (coroutine-level in execute_lua_entry and main-state in install_instruction_guard) replace println! with warn! so timeout events appear in the normal tracing pipeline

New tests

| Test | Validates |
|---|---|
| lua_sandbox_blocks_require | require('os') errors — no module loading |
| lua_sandbox_blocks_load | load(...) errors — no dynamic code execution |
| lua_sandbox_blocks_os | os.time() errors — OS stdlib not accessible |
| lua_sandbox_blocks_io | io.read() errors — I/O stdlib not accessible |
| lua_memory_limit_blocks_exhaustion | ~200 MB allocation attempt is terminated by the 64 MB cap |
| lua_db_key_length_enforced | Empty and 200-byte keys both return invalid key length |

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • parcel.pyke.io
    • Triggering command: /home/REDACTED/work/oxide/oxide/target/debug/build/ort-sys-6f632d9d9b9a35be/build-script-build … (dns block)
    • Triggering command: /tmp/codeql-scratch-bd19db0dc3bea8a0/dbs/rust/working/target/debug/build/ort-sys-17fef4162fe333a4/build-script-build … (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>🚀 Seeking Beta Testers: Oxide v0.1.0</issue_title>
<issue_description># 🚀 Seeking Beta Testers: Help us stress-test the AI Automation Kernel!

Hello everyone! 🦀

I've just released the first alpha version of this lightweight, sandboxed AI automation kernel. The system is designed to run automation tasks using Lua-based skills in a secure environment, optimized for LXC containers and Proxmox environments.

We are looking for early adopters and developers to help us stress-test the system before we move toward a stable v1.0.

⚙️ Technical Requirements (AI Gateway)

This project requires an active connection to an LLM (Large Language Model) provider for semantic processing and embeddings.

  • AI Proxy: You will need LiteLLM or a similar OpenAI-compatible gateway to manage your API connections (OpenAI, Vertex AI, Anthropic, etc.).
  • Configuration: Ensure your gateway is correctly configured and that the system has access to the necessary API keys and endpoints.

🎯 What we need to test:

  • Sandbox Security: Try to break out of the Lua environment or trigger resource exhaustion.
  • Instruction Hook: Verify that infinite loops or heavy computations are correctly throttled/killed.
  • Semantic Reliability: Testing the consistency of the routing and embedding logic via the AI gateway.

🛠️ How to get started:

The easiest way to help is to download the latest release and run a few example skills:

  1. Download the Release: Head over to our Releases page and grab the latest tarball.
  2. Setup LiteLLM: Ensure your AI gateway is running and reachable.
  3. Quick Run:
    tar -xzf <release-archive>.tar.gz
    cd <release-directory>
    ./executable-name
  4. Create a Skill: Try writing a simple .lua script in the skills/ folder and see how the system handles it.

🐛 How to report issues:

If something explodes (or doesn't work as expected), please:

  1. Open a new issue with the bug label.
  2. Include your OS/Kernel version (e.g., Ubuntu 22.04 in LXC).
  3. Attach the logs from the terminal and specify your LiteLLM configuration.
    </issue_description>

Comments on the Issue (you are @copilot in this section)
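As an added example (not Oxide's own code, which builds its sandbox from Rust through mlua), the following is a pure-Lua model of the three properties the new tests check: a restricted environment with no require/load/os/io, an instruction-count hook that cuts off runaway loops, and a memory budget. It runs under a stock Lua 5.4 interpreter; `make_sandbox_env`, `run_sandboxed`, `HOOK_EVERY` and the budget numbers are this example's own names and values, and the skill snippets are constructed to mirror the test table above. The memory check here is a soft one read from `collectgarbage("count")`; only a host-side allocator limit, which is what the project's 64 MB cap is, can refuse an allocation at the moment it happens.

```lua
-- Added example, not Oxide project code: a pure-Lua model of the sandbox
-- checks covered by the PR's tests. Runs with a stock Lua 5.4 interpreter.
-- make_sandbox_env, run_sandboxed and the budget numbers are this example's own.

-- Allowlisted environment for untrusted skill code. Anything not listed
-- (require, load, loadfile, dofile, loadstring, os, io, debug, ...) is simply
-- absent, which is one step stricter than nil-ing individual globals afterwards.
local function make_sandbox_env()
  local env = {
    print = print, pairs = pairs, ipairs = ipairs, next = next, select = select,
    type = type, tostring = tostring, tonumber = tonumber,
    string = string, table = table, math = math,
    -- pcall and error are deliberately omitted: a skill that can catch errors
    -- could swallow the hook's "budget exceeded" error and carry on.
  }
  env._G = env
  return env
end

local HOOK_EVERY = 100  -- VM instructions between hook calls (and memory checks)

-- Run untrusted source text in its own coroutine under an instruction budget and
-- a soft memory budget (KB as reported by collectgarbage("count")).
-- Returns ok, result_or_error, the same shape as coroutine.resume.
local function run_sandboxed(src, max_instructions, max_kb)
  -- Mode "t": only textual chunks compile; precompiled bytecode is rejected.
  local chunk, err = load(src, "=skill", "t", make_sandbox_env())
  if not chunk then
    return false, "compile error: " .. err
  end

  local co = coroutine.create(chunk)
  local remaining = max_instructions

  -- Count hook: runs every HOOK_EVERY VM instructions while the coroutine executes.
  -- An error raised here unwinds the interrupted skill code.
  debug.sethook(co, function()
    remaining = remaining - HOOK_EVERY
    if remaining <= 0 then
      error("instruction budget exceeded", 0)
    end
    if collectgarbage("count") > max_kb then
      error("memory budget exceeded", 0)
    end
  end, "", HOOK_EVERY)

  local ok, res = coroutine.resume(co)
  debug.sethook(co)  -- clear the hook; the coroutine is finished or dead
  collectgarbage()   -- reclaim whatever the skill allocated
  return ok, res
end

-- Constructed skill snippets mirroring the PR's test table.
local cases = {
  { "require is absent",          "return require('os')" },
  { "load is absent",             "return load('return 1')" },
  { "os stdlib is absent",        "return os.time()" },
  { "io stdlib is absent",        "return io.read()" },
  { "infinite loop is cut off",   "while true do end" },
  { "allocation loop is cut off", "local t = {} while true do t[#t + 1] = string.rep('x', 1024) end" },
  { "benign skill still runs",    "return 6 * 7" },
}

for _, c in ipairs(cases) do
  local ok, res = run_sandboxed(c[2], 1000000, 2048)
  print(string.format("%-28s ok=%-5s %s", c[1], tostring(ok), tostring(res)))
end
```

The first four cases fail at the first global lookup ("attempt to call/index a nil value"), the two loops are stopped by the hook, and the last case returns 42. Two design points carry over to the real sandbox: the hook's error is only effective if the skill cannot catch it, which is why `pcall` is left out of the environment here, and a hook-based memory check only notices an over-budget allocation at the next hook call, whereas an allocator-level cap fails the allocation itself, which is the behaviour `lua_memory_limit_blocks_exhaustion` asserts.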



…overage for beta release

Co-authored-by: gorecodes <470165+gorecodes@users.noreply.github.com>
Copilot AI changed the title from "[WIP] [Issue] Seek beta testers for Oxide v0.1.0" to "Sandbox hardening, structured hook logging, and security test coverage for beta release" on Mar 12, 2026
Copilot AI requested a review from gorecodes March 12, 2026 21:54
Successfully merging this pull request may close these issues.

🚀 Seeking Beta Testers: Oxide v0.1.0

2 participants