coder
diff --git a/‎.github/workflows/tests.yml
Lines changed: 0 additions & 17 deletions b/‎.github/workflows/tests.yml
Lines changed: 0 additions & 17 deletions
diff --git a/‎CLAUDE.md
Lines changed: 56 additions & 4 deletions b/‎CLAUDE.md
Lines changed: 56 additions & 4 deletions
diff --git a/‎Cargo.lock
Lines changed: 1 addition & 1 deletion b/‎Cargo.lock
Lines changed: 1 addition & 1 deletion
diff --git a/‎Cargo.toml
Lines changed: 7 additions & 1 deletion b/‎Cargo.toml
Lines changed: 7 additions & 1 deletion
diff --git a/‎README.md
Lines changed: 50 additions & 71 deletions b/‎README.md
Lines changed: 50 additions & 71 deletions
diff --git a/‎scripts/ci-scp.sh
Lines changed: 40 additions & 0 deletions b/‎scripts/ci-scp.sh
Lines changed: 40 additions & 0 deletions
diff --git a/‎scripts/ci-ssh.sh
Lines changed: 12 additions & 0 deletions b/‎scripts/ci-ssh.sh
Lines changed: 12 additions & 0 deletions
@@ -32,14 +32,6 @@ jobs:
       - name: Install nextest
         run: cargo install cargo-nextest --locked
 
-      - name: Build httpjail binary
-        run: |
-          cargo build --bin httpjail --target-dir target
-          export HTTPJAIL_BIN="$(pwd)/target/debug/httpjail"
-          echo "Binary built at: ${HTTPJAIL_BIN}"
-          ls -la "${HTTPJAIL_BIN}"
-          echo "HTTPJAIL_BIN=${HTTPJAIL_BIN}" >> $GITHUB_ENV
-
       - name: Run all tests
         run: cargo nextest run --profile ci
 
@@ -94,15 +86,6 @@ jobs:
             sudo chown -R ci:ci target || true
           fi
 
-      - name: Build httpjail binary
-        run: |
-          source ~/.cargo/env
-          cargo build --bin httpjail --target-dir target
-          export HTTPJAIL_BIN="$(pwd)/target/debug/httpjail"
-          echo "Binary built at: ${HTTPJAIL_BIN}"
-          ls -la "${HTTPJAIL_BIN}"
-          echo "HTTPJAIL_BIN=${HTTPJAIL_BIN}" >> $GITHUB_ENV
-
       - name: Run all tests (non-root)
         run: |
           source ~/.cargo/env
 
@@ -10,6 +10,17 @@ protocol), we must establish a timeout for the operation.
 
 Timeouts must not preclude long-running connections such as GRPC or WebSocket.
 
+## Building
+
+For faster builds during development and debugging, use the `fast` profile:
+
+```bash
+cargo build --profile fast
+```
+
+This profile inherits from release mode but uses lower optimization levels and disables LTO
+for significantly faster build times while still providing reasonable performance.
+
 ## Testing
 
 When writing tests, prefer pure rust solutions over shell script wrappers.
@@ -18,6 +29,16 @@ When testing behavior outside of the strong jailing, use `--weak` for an environ
 invocation of the tool. `--weak` works by setting the `HTTP_PROXY` and `HTTPS_PROXY` environment
 variables to the proxy address.
 
+### Integration Tests
+
+The integration tests use the `HTTPJAIL_BIN` environment variable to determine which binary to test.
+Always set this to the most up-to-date binary before running tests:
+
+```bash
+export HTTPJAIL_BIN=/path/to/httpjail
+cargo test --test linux_integration
+```
+
 ## Cargo Cache
 
 Occasionally you will encounter permissions issues due to running the tests under sudo. In these cases,
@@ -60,12 +81,43 @@ In regular operation of the CLI-only jail (non-server mode), info and warn logs
 
 The Linux CI tests run on a self-hosted runner (`ci-1`) in GCP. Only Coder employees can directly SSH into this instance for debugging.
 
-To debug CI failures on Linux:
+The CI workspace is located at `/home/ci/actions-runner/_work/httpjail/httpjail`. **IMPORTANT: Never modify files in this directory directly as it will interfere with running CI jobs.**
+
+### CI Helper Scripts
+
 ```bash
-gcloud --quiet compute ssh root@ci-1 --zone us-central1-f --project httpjail
+# SSH into CI-1 instance (interactive or with commands)
+./scripts/ci-ssh.sh                          # Interactive shell
+./scripts/ci-ssh.sh "ls /tmp/httpjail-*"    # Run command
+
+# SCP files to/from CI-1
+./scripts/ci-scp.sh src/ /tmp/httpjail-docker-run/     # Upload
+./scripts/ci-scp.sh root@ci-1:/path/to/file ./         # Download
 ```
 
-The CI workspace is located at `/home/ci/actions-runner/_work/httpjail/httpjail`. Tests run as the `ci` user, not root. When building manually:
+### Manual Testing on CI
+
 ```bash
-su - ci -c 'cd /home/ci/actions-runner/_work/httpjail/httpjail && cargo test'
+# Set up a fresh workspace for your branch
+BRANCH_NAME="your-branch-name"
+gcloud --quiet compute ssh root@ci-1 --zone us-central1-f --project httpjail -- "
+  rm -rf /tmp/httpjail-$BRANCH_NAME
+  git clone https://github.com/coder/httpjail /tmp/httpjail-$BRANCH_NAME
+  cd /tmp/httpjail-$BRANCH_NAME
+  git checkout $BRANCH_NAME
+"
+
+# Sync local changes to the test workspace
+gcloud compute scp --recurse src/ root@ci-1:/tmp/httpjail-$BRANCH_NAME/ --zone us-central1-f --project httpjail
+gcloud compute scp Cargo.toml root@ci-1:/tmp/httpjail-$BRANCH_NAME/ --zone us-central1-f --project httpjail
+
+# Build and test in the isolated workspace (using shared cargo cache)
+gcloud --quiet compute ssh root@ci-1 --zone us-central1-f --project httpjail -- "
+  cd /tmp/httpjail-$BRANCH_NAME
+  export CARGO_HOME=/home/ci/.cargo
+  /home/ci/.cargo/bin/cargo build --profile fast
+  sudo ./target/fast/httpjail --help
+"
 ```
+
+This ensures you don't interfere with active CI jobs and provides a clean environment for testing.
@@ -1,6 +1,6 @@
 [package]
 name = "httpjail"
-version = "0.1.5"
+version = "0.1.6"
 edition = "2024"
 license = "CC0-1.0"
 description = "Monitor and restrict HTTP/HTTPS requests from processes"
@@ -52,3 +52,9 @@ tempfile = "3.8"
 assert_cmd = "2.0"
 predicates = "3.0"
 serial_test = "3.0"
+
+[profile.fast]
+inherits = "release"
+opt-level = 1
+lto = false
+codegen-units = 16
@@ -51,6 +51,9 @@ httpjail --server --js "true"
 # Server defaults to ports 8080 (HTTP) and 8443 (HTTPS)
 # Configure your application:
 # HTTP_PROXY=http://localhost:8080 HTTPS_PROXY=http://localhost:8443
+
+# Run Docker containers with network isolation (Linux only)
+httpjail --js "r.host === 'api.github.com'" --docker-run -- --rm alpine:latest wget -qO- https://api.github.com
 ```
 
 ## Architecture Overview
@@ -123,39 +126,15 @@ httpjail creates an isolated network environment for the target process, interce
 - macOS 10.15+ (Catalina or later)
 - No special permissions required (runs in weak mode)
 
-## Usage Examples
-
-### Basic Usage
-
-```bash
-# Simple allow/deny rules
-httpjail --js "r.host === 'api.github.com'" -- git pull
-
-# Multiple allow patterns using regex
-httpjail \
-  --js "/github\.com$/.test(r.host) || /githubusercontent\.com$/.test(r.host)" \
-  -- npm install
-
-# Deny telemetry while allowing everything else
-httpjail \
-  --js "!/telemetry\.|analytics\.|sentry\./.test(r.host)" \
-  -- ./application
-
-# Method-specific rules
-httpjail \
-  --js "(r.method === 'GET' && /api\..*\.com$/.test(r.host)) || (r.method === 'POST' && !/telemetry\./.test(r.host)) || r.method !== 'GET' && r.method !== 'POST'" \
-  -- ./application
-```
-
-### Configuration File
+## Configuration File
 
 Create a `rules.js` file with your JavaScript evaluation logic:
 
 ```javascript
 // rules.js
 // Allow GitHub GET requests, block telemetry, allow everything else
-(r.method === 'GET' && /github\.com$/.test(r.host)) ||
-(!/telemetry/.test(r.host))
+(r.method === "GET" && /github\.com$/.test(r.host)) ||
+  !/telemetry/.test(r.host);
 ```
 
 Use the config:
@@ -164,48 +143,7 @@ Use the config:
 httpjail --js-file rules.js -- ./my-application
 ```
 
-### Script-Based Evaluation
-
-Instead of writing JavaScript, you can use a custom script to evaluate each request. The script receives environment variables for each request and returns an exit code to allow (0) or block (non-zero) the request. Any output to stdout becomes additional context in the 403 response.
-
-```bash
-# Simple script example
-#!/bin/bash
-if [ "$HTTPJAIL_HOST" = "github.com" ] && [ "$HTTPJAIL_METHOD" = "GET" ]; then
-    exit 0  # Allow the request
-else
-    exit 1  # Block the request
-fi
-
-# Use the script
-httpjail --sh ./check_request.sh -- curl https://github.com
-
-# Inline script (with spaces, executed via shell)
-httpjail --sh '[ "$HTTPJAIL_HOST" = "github.com" ] && exit 0 || exit 1' -- git pull
-```
-
-If `--sh` has spaces, it's run through `sh`; otherwise it's executed directly.
-
-**Environment variables provided to the script:**
-
-- `HTTPJAIL_URL` - Full URL being requested
-- `HTTPJAIL_METHOD` - HTTP method (GET, POST, etc.)
-- `HTTPJAIL_HOST` - Hostname from the URL
-- `HTTPJAIL_SCHEME` - URL scheme (http or https)
-- `HTTPJAIL_PATH` - Path component of the URL
-- `HTTPJAIL_REQUESTER_IP` - IP address of the client making the request
-
-**Script requirements:**
-
-- Exit code 0 allows the request
-- Any non-zero exit code blocks the request
-- stdout is captured and included in 403 responses as additional context
-- stderr is logged for debugging but not sent to the client
-
-> [!TIP]
-> Script-based evaluation can also be used for custom logging! Your script can log requests to a database, send metrics to a monitoring service, or implement complex audit trails before returning the allow/deny decision.
-
-### JavaScript (V8) Evaluation
+## JavaScript (V8) Evaluation
 
 httpjail includes first-class support for JavaScript-based request evaluation using Google's V8 engine. This provides flexible and powerful rule logic.
 
@@ -232,6 +170,7 @@ httpjail --js "(r.block_message = 'Social media blocked', !r.host.includes('face
 **JavaScript API:**
 
 All request information is available via the `r` object:
+
 - `r.url` - Full URL being requested (string)
 - `r.method` - HTTP method (GET, POST, etc.)
 - `r.host` - Hostname from the URL
@@ -258,8 +197,48 @@ All request information is available via the `r` object:
 > [!NOTE]
 > The `--js` flag conflicts with `--sh` and `--js-file`. Only one evaluation method can be used at a time.
 
-### Advanced Options
+## Script-Based Evaluation
+
+Instead of writing JavaScript, you can use a custom script to evaluate each request. The script receives environment variables for each request and returns an exit code to allow (0) or block (non-zero) the request. Any output to stdout becomes additional context in the 403 response.
+
+```bash
+# Simple script example
+#!/bin/bash
+if [ "$HTTPJAIL_HOST" = "github.com" ] && [ "$HTTPJAIL_METHOD" = "GET" ]; then
+    exit 0  # Allow the request
+else
+    exit 1  # Block the request
+fi
+
+# Use the script
+httpjail --sh ./check_request.sh -- curl https://github.com
+
+# Inline script (with spaces, executed via shell)
+httpjail --sh '[ "$HTTPJAIL_HOST" = "github.com" ] && exit 0 || exit 1' -- git pull
+```
+
+If `--sh` has spaces, it's run through `sh`; otherwise it's executed directly.
+
+**Environment variables provided to the script:**
+
+- `HTTPJAIL_URL` - Full URL being requested
+- `HTTPJAIL_METHOD` - HTTP method (GET, POST, etc.)
+- `HTTPJAIL_HOST` - Hostname from the URL
+- `HTTPJAIL_SCHEME` - URL scheme (http or https)
+- `HTTPJAIL_PATH` - Path component of the URL
+- `HTTPJAIL_REQUESTER_IP` - IP address of the client making the request
+
+**Script requirements:**
+
+- Exit code 0 allows the request
+- Any non-zero exit code blocks the request
+- stdout is captured and included in 403 responses as additional context
+- stderr is logged for debugging but not sent to the client
+
+> [!TIP]
+> Script-based evaluation can also be used for custom logging! Your script can log requests to a database, send metrics to a monitoring service, or implement complex audit trails before returning the allow/deny decision.
 
+## Advanced Options
 ```bash
 # Verbose logging
 httpjail -vvv --js "true" -- curl https://example.com
@@ -276,7 +255,7 @@ HTTPJAIL_HTTP_BIND=3128 HTTPJAIL_HTTPS_BIND=3129 httpjail --server --js "true"
 HTTPJAIL_HTTP_BIND=192.168.1.100:8080 httpjail --server --js "true"
 ```
 
-### Server Mode
+## Server Mode
 
 httpjail can run as a standalone proxy server without executing any commands. This is useful when you want to proxy multiple applications through the same httpjail instance. The server binds to localhost (127.0.0.1) only for security.
 
 
@@ -0,0 +1,40 @@
+#!/bin/bash
+# SCP files to/from the CI-1 instance
+
+set -e
+
+BRANCH_NAME="${BRANCH_NAME:-$(git branch --show-current)}"
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <source> [destination]"
+    echo "  Copy files to CI-1: $0 src/ /tmp/httpjail-\$BRANCH_NAME/"
+    echo "  Copy from CI-1: $0 root@ci-1:/path/to/file local/"
+    echo ""
+    echo "Environment:"
+    echo "  BRANCH_NAME: Target branch directory (default: current git branch)"
+    exit 1
+fi
+
+SOURCE="$1"
+DEST="${2:-/tmp/httpjail-$BRANCH_NAME/}"
+
+# Check if source is remote (contains ci-1:)
+if [[ "$SOURCE" == *"ci-1:"* ]]; then
+    # Downloading from CI-1
+    SOURCE_PATH="${SOURCE#*:}"
+    gcloud compute scp --quiet --recurse \
+        "root@ci-1:$SOURCE_PATH" \
+        "$DEST" \
+        --zone us-central1-f --project httpjail
+else
+    # Uploading to CI-1
+    # If destination doesn't start with root@ci-1:, prepend it
+    if [[ "$DEST" != "root@ci-1:"* ]]; then
+        DEST="root@ci-1:$DEST"
+    fi
+    
+    gcloud compute scp --quiet --recurse \
+        "$SOURCE" \
+        "$DEST" \
+        --zone us-central1-f --project httpjail
+fi
@@ -0,0 +1,12 @@
+#!/bin/bash
+# SSH into the CI-1 instance for debugging
+
+set -e
+
+if [ $# -eq 0 ]; then
+    echo "Connecting to CI-1 instance (interactive)..."
+    gcloud --quiet compute ssh root@ci-1 --zone us-central1-f --project httpjail
+else
+    # Execute command remotely
+    gcloud --quiet compute ssh root@ci-1 --zone us-central1-f --project httpjail -- "$@"
+fi