feat: add package-lock.json to node-typescript restricted files and use npm ci

Add package-lock.json as a default embedded file and restrict user
submission to ensure consistency with the pre-installed node_modules.
Switch Dockerfile from npm install to npm ci for deterministic builds.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: koki-develop

Dockerfile

@@ -30,8 +30,8 @@ RUN apt-get update && \
 # Node.js
 ENV PATH="/mise/installs/node/24.14.0/bin:$PATH"
 RUN mise use -g node@24.14.0
-COPY internal/sandbox/defaults/node-typescript/package.json /mise/ts-node-modules/package.json
-RUN cd /mise/ts-node-modules && npm install
+COPY internal/sandbox/defaults/node-typescript/package.json internal/sandbox/defaults/node-typescript/package-lock.json /mise/ts-node-modules/
+RUN cd /mise/ts-node-modules && npm ci
 
 # Ruby
 ENV PATH="/mise/installs/ruby/3.4.8/bin:$PATH"

e2e/tests/runtime/node-typescript.yml

@@ -263,6 +263,29 @@ tests:
                 - path: ["files", 1, "name"]
                   message: "not allowed for this runtime"
 
+  - name: "restricted file - package-lock.json"
+    requests:
+      - input:
+          runtime: node-typescript
+          files:
+            - name: index.ts
+              type: plain
+              content: |
+                console.log("hello");
+            - name: package-lock.json
+              type: plain
+              content: |
+                {}
+        output:
+          status: 400
+          body:
+            error:
+              code: VALIDATION_ERROR
+              message: "request validation failed"
+              errors:
+                - path: ["files", 1, "name"]
+                  message: "not allowed for this runtime"
+
   - name: "interfaces and generics"
     requests:
       - input:

internal/sandbox/CLAUDE.md

@@ -8,5 +8,8 @@ Core sandbox execution engine, split across three files:
 - **configs/nsjail.cfg** — Static protobuf-format nsjail configuration loaded via `-C /etc/nsjail/nsjail.cfg`. Defines execution mode (`ONCE`), Seccomp-BPF policy file reference, logging (`log_fd: 3`), working directory, static rlimits, and filesystem mounts (system libraries, device nodes, tmpfs, procfs, symlinks). Per-invocation settings (runtime bind mounts, resource limits, timeout, env vars) are passed as CLI flags.
 - **configs/seccomp.kafel** — Seccomp-BPF syscall filtering policy written in Kafel. Uses a blacklist approach (DEFAULT ALLOW) blocking dangerous syscalls (io_uring, bpf, userfaultfd, mount, ptrace, etc.) as a defense-in-depth layer. Referenced from nsjail.cfg via `seccomp_policy_file` and copied to `/etc/nsjail/seccomp.kafel` in Docker.
 - **defaults/go/** — Embedded `go.mod.tmpl` and `go.sum.tmpl` templates applied as default files for Go runtime execution.
+- **defaults/node-typescript/** — Embedded `package.json`, `package-lock.json`, and `tsconfig.json` applied as default files for Node-TypeScript runtime execution.
 
 Go runtime rejects user-submitted `go.mod`, `go.sum`, and `main` files (HTTP 400) to enforce use of defaults and prevent overwriting the compiled binary.
+
+Node-TypeScript runtime rejects user-submitted `package.json` and `package-lock.json` files (HTTP 400) to ensure consistency with the pre-installed `node_modules` bind mount.

internal/sandbox/defaults/node-typescript/package-lock.json

@@ -630,10 +630,11 @@ func (nodeTypeScriptRuntime) Limits() Limits {
 	}
 }
 
-// RestrictedFiles prevents users from overriding package.json, which must
-// match the pre-installed node_modules bind mount (contains typescript and @types/node).
+// RestrictedFiles prevents users from overriding package.json and
+// package-lock.json, which must match the pre-installed node_modules
+// bind mount (contains typescript and @types/node).
 func (nodeTypeScriptRuntime) RestrictedFiles() []string {
-	return []string{"package.json"}
+	return []string{"package.json", "package-lock.json"}
 }
 
 // --- Bash ---

internal/sandbox/runtime.go

@@ -291,16 +291,17 @@ func Test_readDefaultFiles(t *testing.T) {
 		assert.Empty(t, files)
 	})
 
-	t.Run("node-typescript has tsconfig.json and package.json", func(t *testing.T) {
+	t.Run("node-typescript has package.json, package-lock.json, and tsconfig.json", func(t *testing.T) {
 		t.Parallel()
 		files, err := readDefaultFiles(RuntimeNodeTypeScript)
 		require.NoError(t, err)
-		require.Len(t, files, 2)
+		require.Len(t, files, 3)
 		// Files are returned in directory order (lexicographic by embedded FS)
-		assert.Equal(t, "package.json", files[0].Name)
-		assert.Contains(t, string(files[0].Content), `"@types/node"`)
-		assert.Equal(t, "tsconfig.json", files[1].Name)
-		assert.Contains(t, string(files[1].Content), `"skipLibCheck": true`)
+		assert.Equal(t, "package-lock.json", files[0].Name)
+		assert.Equal(t, "package.json", files[1].Name)
+		assert.Contains(t, string(files[1].Content), `"@types/node"`)
+		assert.Equal(t, "tsconfig.json", files[2].Name)
+		assert.Contains(t, string(files[2].Content), `"skipLibCheck": true`)
 	})
 
 	t.Run("unknown runtime has no defaults", func(t *testing.T) {
@@ -394,10 +395,10 @@ func TestRuntime_RestrictedFiles(t *testing.T) {
 		assert.ElementsMatch(t, []string{"main"}, rt.RestrictedFiles())
 	})
 
-	t.Run("node-typescript restricts package.json", func(t *testing.T) {
+	t.Run("node-typescript restricts package.json and package-lock.json", func(t *testing.T) {
 		t.Parallel()
 		rt, err := LookupRuntime(RuntimeNodeTypeScript)
 		require.NoError(t, err)
-		assert.ElementsMatch(t, []string{"package.json"}, rt.RestrictedFiles())
+		assert.ElementsMatch(t, []string{"package.json", "package-lock.json"}, rt.RestrictedFiles())
 	})
 }