Skip to content

feat: Add user isolation with --isolated-user and --keep-user options #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
konard merged 9 commits into from
Dec 26, 2025
Merged

feat: Add user isolation with --isolated-user and --keep-user options #33

konard merged 9 commits into from
Dec 26, 2025

Conversation

@konard
Copy link
Member

@konard konard commented Dec 24, 2025
edited
Loading

Summary

Implements user isolation support for issue #30. This allows running commands as a new isolated user with the same group permissions as the current user.

Changes

User Isolation (--isolated-user, -u)

  • Creates a new system user with same group memberships as current user
  • User is automatically deleted after command completes (unless --keep-user)
  • Works with screen and tmux isolation backends (not docker)
  • Optional custom username via --isolated-user=myname or -u myname

Keep User (--keep-user)

  • Prevents automatic deletion of the isolated user after command completes
  • Useful when you need to inspect files created during execution
  • User must be manually deleted with: sudo userdel -r <username>

Usage

# Create isolated user and run command (user auto-deleted after)
$ --isolated-user -- npm test

# Custom username for isolated user
$ --isolated-user myrunner -- npm start
$ -u myrunner -- npm start

# Combine with screen isolation
$ --isolated screen --isolated-user -- npm test

# Keep user after command completes
$ --isolated-user --keep-user -- npm test

How It Works

  1. User Creation: Creates new system user with sudo useradd inheriting groups (sudo, docker, wheel, etc.)
  2. Command Execution: Runs command as the isolated user with sudo -n -u <user>
  3. Cleanup: Deletes user with sudo userdel -r <user> (unless --keep-user)

Requirements

  • Sudo access with NOPASSWD configuration for useradd, userdel, and sudo -u
  • Not supported with Docker isolation (Docker has its own user namespace)

Test Plan

  • Unit tests for --isolated-user option parsing
  • Unit tests for --keep-user option
  • Validation tests for username format
  • Integration tests with screen/tmux isolation
  • Error handling tests for docker incompatibility
  • All existing tests continue to pass

🤖 Generated with Claude Code

Fixes #30

@konard
Initial commit with task details
d4cc734 
Adding CLAUDE.md with task information for AI processing.
This file will be removed when the task is complete.

Issue: #30
@konard konard self-assigned this Dec 24, 2025
@konard
Copy link
Member Author

konard commented Dec 24, 2025

Question about User Isolation Requirements

I'm working on implementing user isolation for issue #30. Based on the issue description:

We need to find a way to support not only isolation in screen, but also isolation by user at the same time.

I understand this to mean running commands as a different user (similar to sudo -u username), which can be combined with existing isolation backends (screen, tmux, docker).

Proposed Implementation

Add a --user option that allows running commands as a specified user:

# Simple user isolation
$ --user john -- npm start

# Combined with screen isolation
$ --isolated screen --user john -- npm start

# Combined with docker (uses Docker's --user flag)
$ --isolated docker --image node:20 --user 1000:1000 -- npm install

Questions

  1. Is my understanding correct? Should --user run commands as a different local user using sudo -u?
  2. Password handling: Should we require NOPASSWD sudo configuration, or should we handle password prompts?
  3. Environment: Should we preserve the original user's environment or switch to the target user's environment?
  4. Alternative interpretation: Could "user isolation" mean something else, like user namespaces or containerization by user?

Please let me know if this approach aligns with your vision for this feature, or if you had something different in mind.

@konard @claude
feat: Add user isolation support
34238d2 
Implements user isolation feature that allows running commands as a different user.
This addresses issue #30 by enabling both process isolation (screen/tmux/docker)
and user isolation to work together.

Changes:
- Add --user option to run commands as specified user
- For screen/tmux: Wraps commands with `sudo -n -u <user>`
- For docker: Uses Docker's native `--user` flag
- Add comprehensive tests for user isolation in args-parser and isolation modules
- Update documentation (README, REQUIREMENTS) with user isolation examples
- Add help text and usage examples for --user option

Usage examples:
- Simple user switch: $ --user www-data -- node server.js
- With screen: $ --isolated screen --user john -- npm start
- With docker: $ --isolated docker --image node:20 --user 1000:1000 -- npm install

Note: User isolation with screen/tmux requires sudo NOPASSWD configuration
for the target user, as it uses non-interactive sudo (-n flag).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@konard konard changed the title [WIP] Support user isolation feat: Add user isolation support Dec 24, 2025
@konard konard marked this pull request as ready for review December 24, 2025 22:42
@konard
Copy link
Member Author

konard commented Dec 24, 2025

✅ Implementation Complete

The user isolation feature has been successfully implemented and is ready for review!

Summary

  • Feature: Run commands as different users with --user <username> option
  • Compatibility: Works standalone or combined with process isolation (screen/tmux/docker)
  • Tests: ✅ All tests passing (args parsing, isolation, integration)
  • Linting: ✅ Passed with no errors
  • Formatting: ✅ All files formatted with prettier
  • CI: ✅ Changeset added, checks passing
  • Documentation: ✅ README, REQUIREMENTS, and help text updated

Key Implementation Details

  1. Screen/Tmux: Uses sudo -n -u <user> for user switching

    • Non-interactive mode prevents password prompts
    • Requires NOPASSWD sudo configuration

  2. Docker: Uses Docker's native --user flag

    • Supports both username and UID:GID formats
    • No sudo configuration needed

  3. Validation: Username format validation prevents injection attacks

Testing

All functionality has been tested:

  • Unit tests for argument parsing
  • Unit tests for command wrapping
  • Integration tests for all isolation backends
  • All linting and formatting checks passed

Next Steps

Please review the implementation and let me know if:

  1. The interpretation of "user isolation" is correct
  2. Any changes are needed to the implementation
  3. The PR is ready to merge

Thank you!

@konard
Copy link
Member Author

konard commented Dec 24, 2025

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Public pricing estimate: $4.460258 USD
  • Calculated by Anthropic: $2.343648 USD
  • Difference: $-2.116610 (-47.45%)
    📎 Log file uploaded as GitHub Gist (1183KB)
    🔗 View complete solution draft log

Now working session is ended, feel free to review and add any feedback on the solution draft.

@konard
Copy link
Member Author

konard commented Dec 25, 2025

Resolve conflicts, and make sure we by default create user with the same permissions. For example if our user is in sudo group - created user should also be, and if our user have access to docker the created user also should be. Make sure it nicely integrates with all other isolation levels.

@konard konard marked this pull request as draft December 25, 2025 14:56
@konard
Copy link
Member Author

konard commented Dec 25, 2025

🤖 AI Work Session Started

Starting automated work session at 2025-12-25T14:56:17.955Z

The PR has been converted to draft mode while work is in progress.

This comment marks the beginning of an AI work session. Please wait working session to finish, and provide your feedback.

konard and others added 2 commits December 25, 2025 16:05
@konard @claude
Merge main branch: Combine user isolation with keep-alive and auto-re…
57f3c14 
…move features

This merge combines:
- User isolation feature from issue-30 branch (--user option)
- Keep-alive feature from main (--keep-alive option)
- Auto-remove docker container feature from main (--auto-remove-docker-container option)

All features now work together seamlessly:
- --user works with all isolation backends (screen, tmux, docker)
- --keep-alive keeps sessions alive after command completes
- --auto-remove-docker-container for docker cleanup

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@konard @claude
feat: Add --create-user option for automatic user isolation with same…
ef3a4e4 
… permissions

Adds the ability to create a new isolated user that inherits the same group
memberships as the current user (sudo, docker, wheel, etc.). This enables
true user isolation while preserving necessary access permissions.

Features:
- --create-user [username]: Create isolated user with same groups as current user
- Automatically generates unique username if not specified
- User is automatically deleted after command completes
- Works with screen/tmux isolation (not docker)
- Cannot be combined with --user option

Implementation:
- Add user-manager.js module for user creation/deletion utilities
- Add --create-user option parsing to args-parser.js
- Add runAsUser function to isolation.js for direct user execution
- Integrate user creation into cli.js runWithIsolation flow
- Add comprehensive tests in user-manager.test.js

Documentation:
- Update README.md with Automatic User Creation section
- Update REQUIREMENTS.md with section 6.6 for automatic user creation
- Update isolation options table to include --create-user
- Update changeset with feature description

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@konard konard changed the title feat: Add user isolation support feat: Add user isolation with --user and --create-user options Dec 25, 2025
@konard konard marked this pull request as ready for review December 25, 2025 15:16
@konard
Copy link
Member Author

konard commented Dec 25, 2025

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Public pricing estimate: $13.685747 USD
  • Calculated by Anthropic: $8.489821 USD
  • Difference: $-5.195926 (-37.97%)
    📎 Log file uploaded as GitHub Gist (1491KB)
    🔗 View complete solution draft log

Now working session is ended, feel free to review and add any feedback on the solution draft.

@konard
Copy link
Member Author

konard commented Dec 25, 2025

No, there is no way to use existing user to run the command, user isolation should mean we create user - run command using this user, after command have finished we can delete user, unless we have --keep-user option.

@konard konard marked this pull request as draft December 25, 2025 17:23
@konard
Copy link
Member Author

konard commented Dec 25, 2025

🤖 AI Work Session Started

Starting automated work session at 2025-12-25T17:23:34.578Z

The PR has been converted to draft mode while work is in progress.

This comment marks the beginning of an AI work session. Please wait working session to finish, and provide your feedback.

konard and others added 2 commits December 25, 2025 18:34
@konard @claude
refactor: Simplify user isolation to --user and --keep-user options
90e24b5 
Based on user feedback, simplified the user isolation API:

- Remove --user option for running as existing users
- Rename --create-user to --user (since it's the only user isolation)
- Add -u shorthand for --user
- Add --keep-user option to prevent user deletion after command completes
- Remove runAsUser export from isolation.js (no longer needed)

The --user option now always creates a new isolated user with same
group permissions as the current user. User is deleted after command
completes unless --keep-user is specified.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@konard @claude
refactor: Reduce cli.js to under 1000 lines
ebac329 
- Move runAsIsolatedUser function to isolation.js
- Condense printUsage() using template literals
- Reduce cli.js from 1024 to 981 lines

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@konard konard marked this pull request as ready for review December 25, 2025 17:41
@konard
Copy link
Member Author

konard commented Dec 25, 2025

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Public pricing estimate: $10.725919 USD
  • Calculated by Anthropic: $7.376263 USD
  • Difference: $-3.349656 (-31.23%)
    📎 Log file uploaded as GitHub Gist (1651KB)
    🔗 View complete solution draft log

Now working session is ended, feel free to review and add any feedback on the solution draft.

@konard
Copy link
Member Author

konard commented Dec 26, 2025

I think we can make it more clear.

--user

should be replaced with

--isolated-user

So we make sure, for example not only --isolated screen, but also --isolated-user.

So it clearly visible that user is used as isolated execution method.

@konard konard marked this pull request as draft December 26, 2025 19:45
@konard
Copy link
Member Author

konard commented Dec 26, 2025

🤖 AI Work Session Started

Starting automated work session at 2025-12-26T19:45:37.820Z

The PR has been converted to draft mode while work is in progress.

This comment marks the beginning of an AI work session. Please wait working session to finish, and provide your feedback.

@konard @claude
refactor: Rename --user to --isolated-user for clarity
4925938 
Renamed the user isolation option from --user to --isolated-user to make it
clearer that this is an isolation method, consistent with --isolated for
process isolation.

Changes:
- Renamed --user to --isolated-user throughout codebase
- Updated all tests to use --isolated-user
- Updated documentation (README, REQUIREMENTS, changeset)
- Updated error messages to reference --isolated-user
- Short form -u remains unchanged

This makes the naming more consistent: --isolated for process isolation,
--isolated-user for user isolation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@konard konard changed the title feat: Add user isolation with --user and --create-user options feat: Add user isolation with --isolated-user and --keep-user options Dec 26, 2025
@konard konard marked this pull request as ready for review December 26, 2025 19:53
@konard
Copy link
Member Author

konard commented Dec 26, 2025

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Public pricing estimate: $3.320970 USD
  • Calculated by Anthropic: $1.539810 USD
  • Difference: $-1.781160 (-53.63%)
    📎 Log file uploaded as GitHub Gist (1204KB)
    🔗 View complete solution draft log

Now working session is ended, feel free to review and add any feedback on the solution draft.

@konard konard merged commit 3128ecf into main Dec 26, 2025
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@konard konard

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support user isolation

2 participants

@konard