Fix network examples and add real assertions

The network demos across all backends were silently failing — every
example printed success regardless of whether HTTP requests actually
succeeded. This hid two real bugs:

- AnyPollable::block() polled with a tight yield_now() loop capped at
  100k iterations. Real HTTPS requests take hundreds of milliseconds,
  but 100k yields complete in microseconds, so the guest always gave up
  before the response arrived. Remove the iteration cap and keep the
  yield so the loop waits as long as the request needs.

- The HyperlightJS sandbox eval-based handler couldn't support await.
  The handler ran guest code through synchronous eval(), so
  'await fetch(...)' created an unresolved promise that crashed outside
  the try/catch. Wrap the code in AsyncFunction to make top-level await
  work. Additionally, denied HTTP requests now return proper HTTP
  responses (403/500/502 status codes) instead of throwing JS exceptions
  via json_error.

All network demos now have real assertions that will fail CI if anything
regresses. An HTTPS integration test against httpbin.org covers TLS
end-to-end.

Signed-off-by: James Sturtevant <jsturtevant@gmail.com>

Author: jsturtevant

src/hyperlight_sandbox/tests/http_integration.rs

@@ -118,3 +118,24 @@ fn chunked_body_streams_correctly() {
     }
     .block_on();
 }
+
+#[test]
+fn send_https_get_request() {
+    async {
+        let req = HttpRequest {
+            url: url::Url::parse("https://httpbin.org/get").unwrap(),
+            method: "GET".to_string(),
+            headers: vec![],
+            body: HttpRequest::body_from_bytes(None),
+        };
+
+        let resp = http::send_http_request(req)
+            .await
+            .expect("HTTPS GET to httpbin.org failed — TLS or DNS issue");
+        assert_eq!(resp.status, 200);
+
+        let echo: serde_json::Value = serde_json::from_slice(&resp.body).unwrap();
+        assert!(echo["url"].as_str().unwrap().contains("httpbin.org"));
+    }
+    .block_on();
+}

src/javascript_sandbox/examples/network_demo.rs

@@ -25,59 +25,68 @@ fn main() {
     let result = sandbox
         .run(
             r#"
-try {
-    const resp = await fetch('https://notallowed.example');
-    console.log('Got response: ' + resp.status);
-} catch (e) {
-    console.log('Network blocked: ' + e.message);
+const resp = await fetch('https://notallowed.example');
+if (resp.status === 403) {
+    console.log('Network blocked: status ' + resp.status);
     console.log('  (notallowed.example is not in the allowlist — correct!)');
+} else {
+    console.log('Got response: ' + resp.status);
 }
 "#,
         )
         .expect("test 1 failed");
     print!("{}", result.stdout);
+    assert!(
+        result.stdout.contains("Network blocked"),
+        "test 1: expected network access to be blocked"
+    );
 
     separator("Test 2: Network access to allowed domain");
     let result = sandbox
         .run(
             r#"
-const resp = await fetch('https://httpbin.org/get');
+const resp = await fetch('https://httpbin.org/json', { headers: { 'accept': 'application/json' } });
 const body = await resp.text();
 console.log('HTTP status: ' + resp.status);
-console.log('Response body (first 200 chars):');
-console.log(body.slice(0, 200));
+console.log(body);
 "#,
         )
         .expect("test 2 failed");
     print!("{}", result.stdout);
-    if result.exit_code == 0 {
-        println!("Network access to allowed domain works!");
-    } else {
-        eprintln!("Network access failed");
-        eprintln!("stderr: {}", &result.stderr[..result.stderr.len().min(300)]);
-    }
+    assert_eq!(
+        result.exit_code,
+        0,
+        "test 2: network access to allowed domain failed\nstderr: {}",
+        &result.stderr[..result.stderr.len().min(300)]
+    );
 
     separator("Test 3: Method filtering — GET allowed, POST blocked");
     let result = sandbox
         .run(
             r#"
-try {
-    const resp = await fetch('https://httpbin.org/get');
-    console.log('GET allowed: status ' + resp.status);
-} catch (e) {
-    console.log('GET result: ' + e.message);
+const getResp = await fetch('https://httpbin.org/get');
+if (getResp.status === 200) {
+    const body = await getResp.text();
+    console.log('GET allowed: status ' + getResp.status);
+    console.log(body);
+} else {
+    console.log('GET failed: status ' + getResp.status);
 }
-try {
-    const resp = await fetch('https://httpbin.org/post', { method: 'POST' });
-    console.log('POST allowed: status ' + resp.status);
-} catch (e) {
-    console.log('POST blocked: ' + e.message);
+const postResp = await fetch('https://httpbin.org/post', { method: 'POST' });
+if (postResp.status === 403) {
+    console.log('POST blocked: status ' + postResp.status);
     console.log('  (httpbin.org only allows GET — correct!)');
+} else {
+    console.log('POST allowed: status ' + postResp.status);
 }
 "#,
         )
         .expect("test 3 failed");
     print!("{}", result.stdout);
+    assert!(
+        result.stdout.contains("POST blocked"),
+        "test 3: expected POST to be blocked"
+    );
 
     separator("All tests passed!");
 }

src/javascript_sandbox/src/lib.rs

@@ -86,9 +86,11 @@ Object.defineProperty(globalThis, "fetch", { value: function(url, init = {}) {
     });
 }, writable: false, configurable: false });
 
-function handler(event) {
+async function handler(event) {
     try {
-        (0, eval)(event);
+        const AsyncFunction = Object.getPrototypeOf(async function(){}).constructor;
+        const fn_ = new AsyncFunction(event);
+        await fn_();
         return { stderr: "", exit_code: 0 };
     } catch (error) {
         const msg = __stringify(error && error.stack ? error.stack : error);
@@ -304,13 +306,18 @@ impl JsGuestSandbox {
 
                     {
                         let Ok(network) = http_state.network.lock() else {
-                            return json_error("network mutex poisoned");
+                            return json_response(serde_json::json!({
+                                "status": 500,
+                                "headers": {},
+                                "body": "network mutex poisoned",
+                            }));
                         };
                         if !network.is_allowed(&parsed_url, &method) {
-                            return json_error(format!(
-                                "HTTP request denied for {} {}",
-                                method, parsed_url
-                            ));
+                            return json_response(serde_json::json!({
+                                "status": 403,
+                                "headers": {},
+                                "body": format!("HTTP request denied for {} {}", method, parsed_url),
+                            }));
                         }
                     }
 
@@ -329,7 +336,13 @@ impl JsGuestSandbox {
 
                     let resp = match sandbox_http::send_http_request(http_req).block_on() {
                         Ok(r) => r,
-                        Err(error) => return json_error(error),
+                        Err(error) => {
+                            return json_response(serde_json::json!({
+                                "status": 502,
+                                "headers": {},
+                                "body": format!("{error}"),
+                            }));
+                        }
                     };
 
                     let body = match String::from_utf8(resp.body) {

src/sdk/python/core/examples/javascript_network_demo.py

@@ -22,15 +22,16 @@
 print("Test 1: Network access denied without permissions")
 print("═" * 60)
 result = sandbox.run("""
-try {
-    const resp = await fetch('https://notallowed.example');
-    console.log('Got response: ' + resp.status);
-} catch (e) {
-    console.log('Network blocked: ' + e.message);
+const resp = await fetch('https://notallowed.example');
+if (resp.status === 403) {
+    console.log('Network blocked: status ' + resp.status);
     console.log('  (notallowed.example is not in the allowlist — correct!)');
+} else {
+    console.log('Got response: ' + resp.status);
 }
 """)
 print(result.stdout)
+assert "Network blocked" in result.stdout, "test 1: expected network access to be blocked"
 
 # ═══════════════════════════════════════════════════════════════════
 # Test 2: Network access — allowed domain
@@ -47,11 +48,7 @@
 console.log(body.slice(0, 200));
 """)
 print(result.stdout)
-if result.success:
-    print("✅ Network access to allowed domain works!")
-else:
-    print("⚠️ Network access failed")
-    print(f"stderr: {result.stderr[:300]}")
+assert result.success, f"test 2: network access to allowed domain failed\nstderr: {result.stderr[:300]}"
 
 # ═══════════════════════════════════════════════════════════════════
 # Test 3: Method filtering — GET allowed, POST blocked
@@ -61,21 +58,24 @@
 print("Test 3: Method filtering — GET allowed, POST blocked")
 print("═" * 60)
 result = sandbox.run("""
-try {
-    const resp = await fetch('https://httpbin.org/get');
-    console.log('GET allowed: status ' + resp.status);
-} catch (e) {
-    console.log('GET result: ' + e.message);
+const getResp = await fetch('https://httpbin.org/get');
+if (getResp.status === 200) {
+    const body = await getResp.text();
+    console.log('GET allowed: status ' + getResp.status);
+    console.log(body);
+} else {
+    console.log('GET failed: status ' + getResp.status);
 }
-try {
-    const resp = await fetch('https://httpbin.org/post', { method: 'POST' });
-    console.log('POST allowed: status ' + resp.status);
-} catch (e) {
-    console.log('POST blocked: ' + e.message);
-    console.log('  (httpbin.org only allows GET \u2014 correct!)');
+const postResp = await fetch('https://httpbin.org/post', { method: 'POST' });
+if (postResp.status === 403) {
+    console.log('POST blocked: status ' + postResp.status);
+    console.log('  (httpbin.org only allows GET — correct!)');
+} else {
+    console.log('POST allowed: status ' + postResp.status);
 }
 """)
 print(result.stdout)
+assert "POST blocked" in result.stdout, "test 3: expected POST to be blocked"
 
 print("═" * 60)
 print("✅ All tests passed!")

src/sdk/python/core/examples/jswasm_network_demo.py

@@ -28,6 +28,7 @@
 }
 """)
 print(result.stdout)
+assert "Network blocked" in result.stdout, "test 1: expected network access to be blocked"
 
 # ═══════════════════════════════════════════════════════════════════
 # Test 2: Network access to allowed domain (WASI-HTTP)
@@ -44,11 +45,7 @@
 console.log(body.slice(0, 200));
 """)
 print(result.stdout)
-if result.success:
-    print("✅ Network access to allowed domain works via WASI-HTTP!")
-else:
-    print("⚠️ Network access failed")
-    print(f"stderr: {result.stderr[:300]}")
+assert result.success, f"test 2: network access to allowed domain failed\nstderr: {result.stderr[:300]}"
 
 # ═══════════════════════════════════════════════════════════════════
 # Test 3: Method filtering — GET allowed, POST blocked
@@ -73,6 +70,7 @@
 }
 """)
 print(result.stdout)
+assert "POST blocked" in result.stdout, "test 3: expected POST to be blocked"
 
 print("═" * 60)
 print("✅ All tests passed!")

src/sdk/python/core/examples/python_network_demo.py

@@ -27,8 +27,7 @@
     print("  (notallowed.example is not in the allowlist — correct!)")
 """)
 print(result.stdout)
-if not result.success:
-    print("(Network access correctly denied — sandbox terminated)")
+assert "Network blocked" in result.stdout, "test 1: expected network access to be blocked"
 
 # ═══════════════════════════════════════════════════════════════════
 # Test 2: Network access to allowed domain (WASI-HTTP)
@@ -44,11 +43,7 @@
 print(resp['body'][:200])
 """)
 print(result.stdout)
-if result.success:
-    print("✅ Network access to allowed domain works via WASI-HTTP!")
-else:
-    print("⚠️ Network access failed")
-    print(f"stderr: {result.stderr[:300]}")
+assert result.success, f"test 2: network access to allowed domain failed\nstderr: {result.stderr[:300]}"
 
 # ═══════════════════════════════════════════════════════════════════
 # Test 3: Method filtering — GET allowed, POST blocked
@@ -72,6 +67,7 @@
     print("  (httpbin.org only allows GET \u2014 correct!)")
 """)
 print(result.stdout)
+assert "POST blocked" in result.stdout, "test 3: expected POST to be blocked"
 
 print("═" * 60)
 print("✅ All tests passed!")