NeuroSploit v3.2 - Autonomous AI Penetration Testing Platform

116 modules | 100 vuln types | 18 API routes | 18 frontend pages

Major features:
- VulnEngine: 100 vuln types, 526+ payloads, 12 testers, anti-hallucination prompts
- Autonomous Agent: 3-stream auto pentest, multi-session (5 concurrent), pause/resume/stop
- CLI Agent: Claude Code / Gemini CLI / Codex CLI inside Kali containers
- Validation Pipeline: negative controls, proof of execution, confidence scoring, judge
- AI Reasoning: ReACT engine, token budget, endpoint classifier, CVE hunter, deep recon
- Multi-Agent: 5 specialists + orchestrator + researcher AI + vuln type agents
- RAG System: BM25/TF-IDF/ChromaDB vectorstore, few-shot, reasoning templates
- Smart Router: 20 providers (8 CLI OAuth + 12 API), tier failover, token refresh
- Kali Sandbox: container-per-scan, 56 tools, VPN support, on-demand install
- Full IA Testing: methodology-driven comprehensive pentest sessions
- Notifications: Discord, Telegram, WhatsApp/Twilio multi-channel alerts
- Frontend: React/TypeScript with 18 pages, real-time WebSocket updates

docker/Dockerfile.backend

@@ -0,0 +1,103 @@
+# NeuroSploit v3 - Optimized Multi-Stage Dockerfile
+# Dramatically reduces build time and image size
+# Supports ARM64 (Apple Silicon) and AMD64
+
+# =============================================================================
+# STAGE 1: Go Tools Builder
+# =============================================================================
+FROM golang:1.22-alpine AS go-builder
+
+RUN apk add --no-cache git
+
+WORKDIR /build
+
+# Install Go tools in parallel where possible
+RUN go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest & \
+    go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest & \
+    go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest & \
+    go install -v github.com/tomnomnom/waybackurls@latest & \
+    go install -v github.com/ffuf/ffuf/v2@latest & \
+    wait
+
+RUN go install -v github.com/projectdiscovery/katana/cmd/katana@latest & \
+    go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest & \
+    go install -v github.com/lc/gau/v2/cmd/gau@latest & \
+    go install -v github.com/tomnomnom/gf@latest & \
+    go install -v github.com/tomnomnom/qsreplace@latest & \
+    wait
+
+RUN go install -v github.com/hahwul/dalfox/v2@latest & \
+    go install -v github.com/OJ/gobuster/v3@latest & \
+    go install -v github.com/jaeles-project/gospider@latest & \
+    go install -v github.com/tomnomnom/anew@latest & \
+    wait
+
+# Optional tools (less critical)
+RUN go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest 2>/dev/null || true
+RUN go install -v github.com/hakluke/hakrawler@latest 2>/dev/null || true
+
+# =============================================================================
+# STAGE 2: Python Dependencies
+# =============================================================================
+FROM python:3.11-slim AS python-deps
+
+WORKDIR /app
+
+COPY backend/requirements.txt .
+
+RUN pip install --no-cache-dir --user -r requirements.txt && \
+    pip install --no-cache-dir --user arjun wafw00f
+
+# =============================================================================
+# STAGE 3: Final Runtime Image
+# =============================================================================
+FROM python:3.11-slim AS runtime
+
+# Install only essential runtime dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    wget \
+    git \
+    dnsutils \
+    nmap \
+    sqlmap \
+    jq \
+    ca-certificates \
+    libpcap0.8 \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt-get clean
+
+WORKDIR /app
+
+# Copy Go binaries from builder (may be partial if some tools failed)
+COPY --from=go-builder /go/bin/ /usr/local/bin/
+
+# Note: Rust tools (feroxbuster) removed for faster builds
+# Install via: cargo install feroxbuster (if needed)
+
+# Copy Python packages
+COPY --from=python-deps /root/.local /root/.local
+ENV PATH=/root/.local/bin:$PATH
+
+# Copy application code
+COPY backend/ ./backend/
+COPY prompts/ ./prompts/
+
+# Create data directories
+RUN mkdir -p data/reports data/scans data/recon /root/.config/nuclei
+
+# Download wordlists (small subset for faster builds)
+RUN mkdir -p /opt/wordlists && \
+    wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt -O /opt/wordlists/common.txt || true && \
+    wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt -O /opt/wordlists/subdomains-5000.txt || true
+
+# Update nuclei templates (runs on first startup if needed)
+RUN nuclei -update-templates -silent 2>/dev/null || true
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:8000/api/health || exit 1
+
+EXPOSE 8000
+
+CMD ["python", "-m", "uvicorn", "backend.main:app", "--host", "0.0.0.0", "--port", "8000"]

docker/Dockerfile.backend.lite

@@ -0,0 +1,32 @@
+# NeuroSploit v3 - LITE Dockerfile (Fast Build)
+# Minimal image without external security tools
+# Use this for development or when you don't need the recon tools
+
+FROM python:3.11-slim
+
+# Install minimal dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Install Python dependencies
+COPY backend/requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy application code
+COPY backend/ ./backend/
+COPY prompts/ ./prompts/
+
+# Create data directories
+RUN mkdir -p data/reports data/scans data/recon
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:8000/api/health || exit 1
+
+EXPOSE 8000
+
+CMD ["python", "-m", "uvicorn", "backend.main:app", "--host", "0.0.0.0", "--port", "8000"]

docker/Dockerfile.frontend

@@ -0,0 +1,29 @@
+# Build stage
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+# Copy package files
+COPY frontend/package*.json ./
+
+# Install dependencies
+RUN npm install
+
+# Copy source code
+COPY frontend/ ./
+
+# Build the application
+RUN npm run build
+
+# Production stage
+FROM nginx:alpine
+
+# Copy built assets
+COPY --from=builder /app/dist /usr/share/nginx/html
+
+# Copy nginx configuration
+COPY docker/nginx.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 80
+
+CMD ["nginx", "-g", "daemon off;"]

docker/Dockerfile.kali

@@ -0,0 +1,131 @@
+# NeuroSploit v3 - Kali Linux Security Sandbox
+# Per-scan container with essential tools pre-installed + on-demand install support.
+#
+# Build:
+#   docker build -f docker/Dockerfile.kali -t neurosploit-kali:latest docker/
+#
+# Rebuild (no cache):
+#   docker build --no-cache -f docker/Dockerfile.kali -t neurosploit-kali:latest docker/
+#
+# Or via compose:
+#   docker compose -f docker/docker-compose.kali.yml build
+#
+# Design:
+#   - Pre-compile Go tools (nuclei, naabu, httpx, subfinder, katana, dnsx, ffuf,
+#     gobuster, dalfox, waybackurls, uncover) to avoid 60s+ go install per scan
+#   - Pre-install common apt tools (nikto, sqlmap, masscan, whatweb) for instant use
+#   - Include Go, Python, pip, git so on-demand tools can be compiled/installed
+#   - Full Kali apt repos available for on-demand apt-get install of any security tool
+
+# ---- Stage 1: Pre-compile Go security tools ----
+FROM golang:1.24-bookworm AS go-builder
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git build-essential libpcap-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+
+# Pre-compile ProjectDiscovery suite + common Go tools
+# Split into separate RUN layers for better Docker cache (if one fails, others cached)
+RUN go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
+RUN go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
+RUN go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
+RUN go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
+RUN go install -v github.com/projectdiscovery/katana/cmd/katana@latest
+RUN go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
+RUN go install -v github.com/projectdiscovery/uncover/cmd/uncover@latest
+RUN go install -v github.com/ffuf/ffuf/v2@latest
+RUN go install -v github.com/OJ/gobuster/v3@v3.7.0
+RUN go install -v github.com/hahwul/dalfox/v2@latest
+RUN go install -v github.com/tomnomnom/waybackurls@latest
+
+# ---- Stage 2: Kali Linux runtime ----
+FROM kalilinux/kali-rolling
+
+LABEL maintainer="NeuroSploit Team"
+LABEL description="NeuroSploit Kali Sandbox - Per-scan isolated tool execution"
+LABEL neurosploit.version="3.0"
+LABEL neurosploit.type="kali-sandbox"
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Layer 1: Core system + build tools (rarely changes, cached)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    bash \
+    curl \
+    wget \
+    git \
+    jq \
+    ca-certificates \
+    openssl \
+    dnsutils \
+    whois \
+    netcat-openbsd \
+    libpcap-dev \
+    python3 \
+    python3-pip \
+    golang-go \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Layer 2: Pre-install common security tools from Kali repos (saves ~30s on-demand each)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    nmap \
+    nikto \
+    sqlmap \
+    masscan \
+    whatweb \
+    && rm -rf /var/lib/apt/lists/*
+
+# Layer 3: VPN + network tools (for terminal agent VPN connections)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    openvpn \
+    wireguard-tools \
+    iproute2 \
+    iptables \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy ALL pre-compiled Go binaries from builder
+COPY --from=go-builder /go/bin/nuclei /usr/local/bin/
+COPY --from=go-builder /go/bin/naabu /usr/local/bin/
+COPY --from=go-builder /go/bin/httpx /usr/local/bin/
+COPY --from=go-builder /go/bin/subfinder /usr/local/bin/
+COPY --from=go-builder /go/bin/katana /usr/local/bin/
+COPY --from=go-builder /go/bin/dnsx /usr/local/bin/
+COPY --from=go-builder /go/bin/uncover /usr/local/bin/
+COPY --from=go-builder /go/bin/ffuf /usr/local/bin/
+COPY --from=go-builder /go/bin/gobuster /usr/local/bin/
+COPY --from=go-builder /go/bin/dalfox /usr/local/bin/
+COPY --from=go-builder /go/bin/waybackurls /usr/local/bin/
+
+# Go environment for on-demand tool compilation
+ENV GOPATH=/root/go
+ENV PATH="${PATH}:/root/go/bin"
+
+# Create directories
+RUN mkdir -p /opt/wordlists /opt/output /opt/templates /opt/nuclei-templates
+
+# Download commonly used wordlists (|| true so build doesn't fail on network issues)
+RUN wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt \
+    -O /opt/wordlists/common.txt 2>/dev/null || true && \
+    wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/directory-list-2.3-medium.txt \
+    -O /opt/wordlists/directory-list-medium.txt 2>/dev/null || true && \
+    wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt \
+    -O /opt/wordlists/subdomains-5000.txt 2>/dev/null || true && \
+    wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10-million-password-list-top-1000.txt \
+    -O /opt/wordlists/passwords-top1000.txt 2>/dev/null || true
+
+# Update Nuclei templates
+RUN nuclei -update-templates -silent 2>/dev/null || true
+
+# Health check script
+RUN printf '#!/bin/bash\nnuclei -version > /dev/null 2>&1 && naabu -version > /dev/null 2>&1 && echo "OK"\n' \
+    > /opt/healthcheck.sh && chmod +x /opt/healthcheck.sh
+
+HEALTHCHECK --interval=60s --timeout=10s --retries=3 \
+    CMD /opt/healthcheck.sh
+
+WORKDIR /opt/output
+
+ENTRYPOINT ["/bin/bash", "-c"]

docker/Dockerfile.sandbox

@@ -0,0 +1,98 @@
+# NeuroSploit v3 - Security Sandbox Container
+# Kali-based container with real penetration testing tools
+# Provides Nuclei, Naabu, and other ProjectDiscovery tools via isolated execution
+
+FROM golang:1.24-bookworm AS go-builder
+
+RUN apt-get update && apt-get install -y --no-install-recommends git build-essential && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+
+# Install ProjectDiscovery suite + other Go security tools
+RUN go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest && \
+    go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest && \
+    go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest && \
+    go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest && \
+    go install -v github.com/projectdiscovery/katana/cmd/katana@latest && \
+    go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest && \
+    go install -v github.com/projectdiscovery/uncover/cmd/uncover@latest && \
+    go install -v github.com/ffuf/ffuf/v2@latest && \
+    go install -v github.com/OJ/gobuster/v3@v3.7.0 && \
+    go install -v github.com/hahwul/dalfox/v2@latest && \
+    go install -v github.com/tomnomnom/waybackurls@latest
+
+# Final runtime image - Debian-based for compatibility
+FROM debian:bookworm-slim
+
+LABEL maintainer="NeuroSploit Team"
+LABEL description="NeuroSploit Security Sandbox - Isolated tool execution environment"
+
+# Install runtime dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    bash \
+    curl \
+    wget \
+    nmap \
+    python3 \
+    python3-pip \
+    git \
+    jq \
+    dnsutils \
+    openssl \
+    libpcap-dev \
+    ca-certificates \
+    whois \
+    netcat-openbsd \
+    nikto \
+    masscan \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Python security tools
+RUN pip3 install --no-cache-dir --break-system-packages \
+    sqlmap \
+    wfuzz \
+    dirsearch \
+    arjun \
+    wafw00f \
+    2>/dev/null || pip3 install --no-cache-dir --break-system-packages sqlmap
+
+# Copy Go binaries from builder
+COPY --from=go-builder /go/bin/nuclei /usr/local/bin/
+COPY --from=go-builder /go/bin/naabu /usr/local/bin/
+COPY --from=go-builder /go/bin/httpx /usr/local/bin/
+COPY --from=go-builder /go/bin/subfinder /usr/local/bin/
+COPY --from=go-builder /go/bin/katana /usr/local/bin/
+COPY --from=go-builder /go/bin/dnsx /usr/local/bin/
+COPY --from=go-builder /go/bin/uncover /usr/local/bin/
+COPY --from=go-builder /go/bin/ffuf /usr/local/bin/
+COPY --from=go-builder /go/bin/gobuster /usr/local/bin/
+COPY --from=go-builder /go/bin/dalfox /usr/local/bin/
+COPY --from=go-builder /go/bin/waybackurls /usr/local/bin/
+
+# Create directories
+RUN mkdir -p /opt/wordlists /opt/output /opt/templates /opt/nuclei-templates
+
+# Download wordlists
+RUN wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt \
+    -O /opt/wordlists/common.txt && \
+    wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/directory-list-2.3-medium.txt \
+    -O /opt/wordlists/directory-list-medium.txt && \
+    wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt \
+    -O /opt/wordlists/subdomains-5000.txt && \
+    wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10-million-password-list-top-1000.txt \
+    -O /opt/wordlists/passwords-top1000.txt
+
+# Update Nuclei templates (8000+ vulnerability checks)
+RUN nuclei -update-templates -silent 2>/dev/null || true
+
+# Health check script
+RUN echo '#!/bin/bash\nnuclei -version > /dev/null 2>&1 && naabu -version > /dev/null 2>&1 && echo "OK"' > /opt/healthcheck.sh && \
+    chmod +x /opt/healthcheck.sh
+
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 \
+    CMD /opt/healthcheck.sh
+
+WORKDIR /opt/output
+
+ENTRYPOINT ["/bin/bash", "-c"]

docker/Dockerfile.tools

@@ -0,0 +1,92 @@
+# NeuroSploit v3 - Security Tools Runner Container
+# Ephemeral container for running security tools in isolation
+
+FROM golang:1.22-alpine AS go-builder
+
+RUN apk add --no-cache git build-base
+
+WORKDIR /build
+
+# Install essential Go security tools
+RUN go install -v github.com/ffuf/ffuf/v2@latest && \
+    go install -v github.com/OJ/gobuster/v3@latest && \
+    go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest && \
+    go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest && \
+    go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest && \
+    go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest && \
+    go install -v github.com/projectdiscovery/katana/cmd/katana@latest && \
+    go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest && \
+    go install -v github.com/hahwul/dalfox/v2@latest && \
+    go install -v github.com/tomnomnom/waybackurls@latest
+
+# Rust tools builder
+FROM rust:1.75-alpine AS rust-builder
+
+RUN apk add --no-cache musl-dev openssl-dev openssl-libs-static pkgconf
+
+# Install feroxbuster
+RUN cargo install feroxbuster --locked
+
+# Final runtime image
+FROM alpine:3.19
+
+# Install runtime dependencies and tools
+RUN apk add --no-cache \
+    bash \
+    curl \
+    wget \
+    nmap \
+    nmap-scripts \
+    python3 \
+    py3-pip \
+    git \
+    jq \
+    bind-tools \
+    openssl \
+    libpcap \
+    ca-certificates \
+    nikto \
+    && rm -rf /var/cache/apk/*
+
+# Install Python security tools
+RUN pip3 install --no-cache-dir --break-system-packages \
+    sqlmap \
+    wfuzz \
+    dirsearch \
+    arjun \
+    wafw00f \
+    whatweb 2>/dev/null || pip3 install --no-cache-dir --break-system-packages sqlmap wfuzz
+
+# Copy Go binaries
+COPY --from=go-builder /go/bin/* /usr/local/bin/
+
+# Copy Rust binaries
+COPY --from=rust-builder /usr/local/cargo/bin/feroxbuster /usr/local/bin/
+
+# Install dirb
+RUN apk add --no-cache dirb 2>/dev/null || \
+    (wget -q https://downloads.sourceforge.net/project/dirb/dirb/2.22/dirb222.tar.gz && \
+    tar -xzf dirb222.tar.gz && cd dirb222 && ./configure && make && make install && \
+    cd .. && rm -rf dirb222*) || true
+
+# Create wordlists directory
+RUN mkdir -p /opt/wordlists /opt/output
+
+# Download common wordlists
+RUN wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt \
+    -O /opt/wordlists/common.txt && \
+    wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/directory-list-2.3-medium.txt \
+    -O /opt/wordlists/directory-list-medium.txt && \
+    wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/raft-large-files.txt \
+    -O /opt/wordlists/raft-files.txt && \
+    wget -q https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-5000.txt \
+    -O /opt/wordlists/subdomains-5000.txt
+
+# Update nuclei templates
+RUN nuclei -update-templates -silent 2>/dev/null || true
+
+# Set working directory
+WORKDIR /opt/output
+
+# Default command
+ENTRYPOINT ["/bin/bash", "-c"]

docker/docker-compose.kali.yml

@@ -0,0 +1,38 @@
+# NeuroSploit v3 - Kali Sandbox Build & Management
+#
+# Build image:
+#   docker compose -f docker/docker-compose.kali.yml build
+#
+# Build (no cache):
+#   docker compose -f docker/docker-compose.kali.yml build --no-cache
+#
+# Test container manually:
+#   docker compose -f docker/docker-compose.kali.yml run --rm kali-sandbox "nuclei -version"
+#
+# Note: In production, containers are managed by ContainerPool (core/container_pool.py).
+#       This compose file is for building the image and manual testing only.
+
+services:
+  kali-sandbox:
+    build:
+      context: .
+      dockerfile: Dockerfile.kali
+    image: neurosploit-kali:latest
+    deploy:
+      resources:
+        limits:
+          memory: 2G
+          cpus: '2.0'
+        reservations:
+          memory: 512M
+          cpus: '0.5'
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_RAW
+      - NET_ADMIN
+    labels:
+      neurosploit.type: "kali-sandbox"
+      neurosploit.version: "3.0"

docker/docker-compose.sandbox.yml

@@ -0,0 +1,51 @@
+# NeuroSploit v3 - Security Sandbox
+# Isolated container for running real penetration testing tools
+#
+# Usage:
+#   docker compose -f docker-compose.sandbox.yml up -d
+#   docker compose -f docker-compose.sandbox.yml exec sandbox nuclei -u https://target.com
+#   docker compose -f docker-compose.sandbox.yml down
+
+services:
+  sandbox:
+    build:
+      context: .
+      dockerfile: Dockerfile.sandbox
+    image: neurosploit-sandbox:latest
+    container_name: neurosploit-sandbox
+    command: ["sleep infinity"]
+    restart: unless-stopped
+    networks:
+      - sandbox-net
+    volumes:
+      - sandbox-output:/opt/output
+      - sandbox-templates:/opt/nuclei-templates
+    deploy:
+      resources:
+        limits:
+          memory: 2G
+          cpus: '2.0'
+        reservations:
+          memory: 512M
+          cpus: '0.5'
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_RAW      # Required for naabu/nmap raw sockets
+      - NET_ADMIN     # Required for packet capture
+    healthcheck:
+      test: ["CMD", "/opt/healthcheck.sh"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+networks:
+  sandbox-net:
+    driver: bridge
+    internal: false
+
+volumes:
+  sandbox-output:
+  sandbox-templates:

docker/nginx.conf

@@ -0,0 +1,47 @@
+server {
+    listen 80;
+    server_name localhost;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Gzip compression
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml;
+
+    # API proxy
+    location /api {
+        proxy_pass http://backend:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 300s;
+        proxy_connect_timeout 75s;
+    }
+
+    # WebSocket proxy for scan updates
+    location /ws {
+        proxy_pass http://backend:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_read_timeout 86400;
+        proxy_send_timeout 86400;
+    }
+
+    # Frontend routes - serve index.html for SPA
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # Cache static assets
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+}