From 8046b62fd650833d402d7eaa133030aabb00a442 Mon Sep 17 00:00:00 2001
From: kmckiern <keri.a.mckiernan@gmail.com>
Date: Fri, 23 Jan 2026 14:59:37 -0800
Subject: [PATCH] Avoid non-tty stdout panics and improve proxy logs

---
 CHANGELOG.md               |  5 +++++
 package-lock.json          |  4 ++--
 package.json               |  2 +-
 src/cli.ts                 |  7 ++++++-
 src/sandbox/http-proxy.ts  | 26 ++++++++++++++++----------
 src/sandbox/socks-proxy.ts |  4 ++--
 6 files changed, 32 insertions(+), 16 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2516367a..8ae33aeb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,3 +8,8 @@ All notable changes to this Voratiq-maintained fork are documented here.
 - Updated fork package metadata and documentation for the Voratiq-maintained release line.
 - Allowed macOS sandbox to query `configd` for DNS resolution.
 - Added network/fs observability events with scrubbing and spawn‑scoped callbacks.
+
+## 0.0.29-voratiq1 - 2026-01-23
+
+- Avoid non-blocking stdout panics by piping child output when stdout is not a TTY.
+- Add host/port context to proxy socket error logs for easier debugging.
diff --git a/package-lock.json b/package-lock.json
index 9554dc4f..bee12390 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@voratiq/sandbox-runtime",
-  "version": "0.0.29-voratiq0",
+  "version": "0.0.29-voratiq1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@voratiq/sandbox-runtime",
-      "version": "0.0.29-voratiq0",
+      "version": "0.0.29-voratiq1",
       "license": "Apache-2.0",
       "dependencies": {
         "@pondwader/socks5-server": "^1.0.10",
diff --git a/package.json b/package.json
index a84cced4..170e1a39 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@voratiq/sandbox-runtime",
-  "version": "0.0.29-voratiq0",
+  "version": "0.0.29-voratiq1",
   "description": "(Voratiq-maintained fork of the) Anthropic Sandbox Runtime (ASRT) - A general-purpose tool for wrapping security boundaries around arbitrary processes",
   "type": "module",
   "main": "./dist/index.js",
diff --git a/src/cli.ts b/src/cli.ts
index 0fd510a7..271f3736 100644
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -168,10 +168,15 @@ async function main(): Promise<void> {
           const sandboxedCommand = await SandboxManager.wrapWithSandbox(command)
 
           // Execute the sandboxed command
+          const shouldPipe = !process.stdout.isTTY
           const child = spawn(sandboxedCommand, {
             shell: true,
-            stdio: 'inherit',
+            stdio: shouldPipe ? ['inherit', 'pipe', 'pipe'] : 'inherit',
           })
+          if (shouldPipe && child.stdout && child.stderr) {
+            child.stdout.pipe(process.stdout)
+            child.stderr.pipe(process.stderr)
+          }
 
           // Handle process exit
           child.on('exit', (code, signal) => {
diff --git a/src/sandbox/http-proxy.ts b/src/sandbox/http-proxy.ts
index f012fd96..ace05b08 100644
--- a/src/sandbox/http-proxy.ts
+++ b/src/sandbox/http-proxy.ts
@@ -42,7 +42,10 @@ export function createHttpProxyServer(options: HttpProxyServerOptions): Server {
   server.on('connect', async (req, socket) => {
     // Attach error handler immediately to prevent unhandled errors
     socket.on('error', err => {
-      logForDebugging(`Client socket error: ${err.message}`, { level: 'error' })
+      logForDebugging(
+        `Client socket error (CONNECT ${req.url}): ${err.message}`,
+        { level: 'error' },
+      )
     })
 
     try {
@@ -149,9 +152,10 @@ export function createHttpProxyServer(options: HttpProxyServerOptions): Server {
         })
 
         socket.on('error', err => {
-          logForDebugging(`Client socket error: ${err.message}`, {
-            level: 'error',
-          })
+          logForDebugging(
+            `Client socket error (MITM CONNECT ${hostname}:${port}): ${err.message}`,
+            { level: 'error' },
+          )
           mitmSocket.destroy()
         })
 
@@ -166,16 +170,18 @@ export function createHttpProxyServer(options: HttpProxyServerOptions): Server {
         })
 
         serverSocket.on('error', err => {
-          logForDebugging(`CONNECT tunnel failed: ${err.message}`, {
-            level: 'error',
-          })
+          logForDebugging(
+            `CONNECT tunnel failed to ${hostname}:${port} - ${err.message}`,
+            { level: 'error' },
+          )
           socket.end('HTTP/1.1 502 Bad Gateway\r\n\r\n')
         })
 
         socket.on('error', err => {
-          logForDebugging(`Client socket error: ${err.message}`, {
-            level: 'error',
-          })
+          logForDebugging(
+            `Client socket error (CONNECT ${hostname}:${port}): ${err.message}`,
+            { level: 'error' },
+          )
           serverSocket.destroy()
         })
 
diff --git a/src/sandbox/socks-proxy.ts b/src/sandbox/socks-proxy.ts
index 415881f1..6a758216 100644
--- a/src/sandbox/socks-proxy.ts
+++ b/src/sandbox/socks-proxy.ts
@@ -56,13 +56,13 @@ export function createSocksProxyServer(
       })
 
       if (!filterResult.allowed) {
-        logForDebugging(`Connection blocked to ${hostname}:${port}`, {
+        logForDebugging(`Connection blocked to ${hostname}:${port} (SOCKS)`, {
           level: 'error',
         })
         return false
       }
 
-      logForDebugging(`Connection allowed to ${hostname}:${port}`)
+      logForDebugging(`Connection allowed to ${hostname}:${port} (SOCKS)`)
       return true
     } catch (error) {
       logForDebugging(`Error validating connection: ${error}`, {