npm - @agenshield/interceptor - Versions diffs - 0.6.1 → 0.7.0 - Mend

@agenshield/interceptor 0.6.1 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/client/sync-client.d.ts +6 -0
package/client/sync-client.d.ts.map +1 -1
package/config.d.ts +10 -0
package/config.d.ts.map +1 -1
package/debug-log.d.ts +1 -0
package/debug-log.d.ts.map +1 -1
package/events/reporter.d.ts.map +1 -1
package/index.js +678 -167
package/installer.d.ts.map +1 -1
package/interceptors/base.d.ts +9 -1
package/interceptors/base.d.ts.map +1 -1
package/interceptors/child-process.d.ts +37 -1
package/interceptors/child-process.d.ts.map +1 -1
package/interceptors/fetch.d.ts +4 -0
package/interceptors/fetch.d.ts.map +1 -1
package/package.json +2 -2
package/policy/evaluator.d.ts +4 -1
package/policy/evaluator.d.ts.map +1 -1
package/register.js +678 -167
package/require.js +678 -167
package/seatbelt/profile-manager.d.ts +36 -0
package/seatbelt/profile-manager.d.ts.map +1 -0

package/installer.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"installer.d.ts","sourceRoot":"","sources":["../src/installer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAOrD,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAiBtD;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,eAAe,CAAC,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC3C,IAAI,~~CA6FN~~;AAED;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CA6B5C;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,OAAO,CAErC;AAED;;GAEG;AACH,wBAAgB,SAAS,IAAI,WAAW,GAAG,IAAI,CAE9C"}
1	+ {"version":3,"file":"installer.d.ts","sourceRoot":"","sources":["../src/installer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAOrD,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAiBtD;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,eAAe,CAAC,EAAE,OAAO,CAAC,iBAAiB,CAAC,GAC3C,IAAI,CAuGN;AAED;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,IAAI,CA6B5C;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,OAAO,CAErC;AAED;;GAEG;AACH,wBAAgB,SAAS,IAAI,WAAW,GAAG,IAAI,CAE9C"}

package/interceptors/base.d.ts CHANGED Viewed

@@ -6,6 +6,7 @@
 import type { AsyncClient } from '../client/http-client.js';
 import type { PolicyEvaluator } from '../policy/evaluator.js';
 import type { EventReporter } from '../events/reporter.js';
+import type { InterceptorConfig } from '../config.js';
 export interface BaseInterceptorOptions {
     client: AsyncClient;
     policyEvaluator: PolicyEvaluator;
@@ -13,6 +14,8 @@ export interface BaseInterceptorOptions {
     failOpen: boolean;
     /** HTTP port used by the broker (to skip interception of broker traffic) */
     brokerHttpPort?: number;
+    /** Full interceptor config (for seatbelt + context) */
+    config?: InterceptorConfig;
 }
 export declare abstract class BaseInterceptor {
     protected client: AsyncClient;
@@ -20,6 +23,7 @@ export declare abstract class BaseInterceptor {
     protected eventReporter: EventReporter;
     protected failOpen: boolean;
     protected installed: boolean;
+    protected interceptorConfig?: InterceptorConfig;
     private brokerHttpPort;
     constructor(options: BaseInterceptorOptions);
     /**
@@ -38,10 +42,14 @@ export declare abstract class BaseInterceptor {
      * Check if the interceptor is installed
      */
     isInstalled(): boolean;
+    /**
+     * Build execution context from config
+     */
+    protected getBasePolicyExecutionContext(): import('@agenshield/ipc').PolicyExecutionContext | undefined;
     /**
      * Check policy and handle the result
      */
-    protected checkPolicy(operation: string, target: string): Promise<void>;
+    protected checkPolicy(operation: string, target: string, context?: import('@agenshield/ipc').PolicyExecutionContext): Promise<void>;
     /**
      * Log a debug message
      */

package/interceptors/base.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"base.d.ts","sourceRoot":"","sources":["../../src/interceptors/base.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;~~AAI3D~~,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,WAAW,CAAC;IACpB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,aAAa,CAAC;IAC7B,QAAQ,EAAE,OAAO,CAAC;IAClB,4EAA4E;IAC5E,cAAc,CAAC,EAAE,MAAM,CAAC;~~CACzB~~;AAED,8BAAsB,eAAe;IACnC,SAAS,CAAC,MAAM,EAAE,WAAW,CAAC;IAC9B,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAC3C,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC;IACvC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC5B,SAAS,CAAC,SAAS,EAAE,OAAO,CAAS;IACrC,OAAO,CAAC,cAAc,CAAS;gBAEnB,OAAO,EAAE,sBAAsB;~~IAQ3C~~;;OAEG;IACH,SAAS,CAAC,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAe3C;;OAEG;IACH,QAAQ,CAAC,OAAO,IAAI,IAAI;IAExB;;OAEG;IACH,QAAQ,CAAC,SAAS,IAAI,IAAI;IAE1B;;OAEG;IACH,WAAW,IAAI,OAAO;IAItB;;OAEG;cACa,WAAW,CACzB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,~~GACb~~,OAAO,CAAC,IAAI,CAAC;IA8ChB;;OAEG;IACH,SAAS,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;CAGvC"}
1	+ {"version":3,"file":"base.d.ts","sourceRoot":"","sources":["../../src/interceptors/base.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAItD,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,WAAW,CAAC;IACpB,eAAe,EAAE,eAAe,CAAC;IACjC,aAAa,EAAE,aAAa,CAAC;IAC7B,QAAQ,EAAE,OAAO,CAAC;IAClB,4EAA4E;IAC5E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,uDAAuD;IACvD,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC5B;AAED,8BAAsB,eAAe;IACnC,SAAS,CAAC,MAAM,EAAE,WAAW,CAAC;IAC9B,SAAS,CAAC,eAAe,EAAE,eAAe,CAAC;IAC3C,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC;IACvC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC5B,SAAS,CAAC,SAAS,EAAE,OAAO,CAAS;IACrC,SAAS,CAAC,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IAChD,OAAO,CAAC,cAAc,CAAS;gBAEnB,OAAO,EAAE,sBAAsB;IAS3C;;OAEG;IACH,SAAS,CAAC,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAe3C;;OAEG;IACH,QAAQ,CAAC,OAAO,IAAI,IAAI;IAExB;;OAEG;IACH,QAAQ,CAAC,SAAS,IAAI,IAAI;IAE1B;;OAEG;IACH,WAAW,IAAI,OAAO;IAItB;;OAEG;IACH,SAAS,CAAC,6BAA6B,IAAI,OAAO,iBAAiB,EAAE,sBAAsB,GAAG,SAAS;IAWvG;;OAEG;cACa,WAAW,CACzB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,OAAO,iBAAiB,EAAE,sBAAsB,GACzD,OAAO,CAAC,IAAI,CAAC;IA8ChB;;OAEG;IACH,SAAS,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;CAGvC"}

package/interceptors/child-process.d.ts CHANGED Viewed

@@ -1,12 +1,19 @@
 /**
  * Child Process Interceptor
  *
- * Intercepts child_process module calls.
+ * Intercepts child_process module calls with synchronous policy checking
+ * and optional macOS seatbelt (sandbox-exec) wrapping for approved commands.
+ *
+ * ALL methods (spawn, exec, execFile, fork) now perform synchronous policy
+ * checks before execution. Previously, async methods would fire the original
+ * call immediately while the policy check ran in the background.
  */
 import { BaseInterceptor, type BaseInterceptorOptions } from './base.js';
 export declare class ChildProcessInterceptor extends BaseInterceptor {
     private syncClient;
     private _checking;
+    private _executing;
+    private profileManager;
     private originalExec;
     private originalExecSync;
     private originalSpawn;
@@ -16,6 +23,35 @@ export declare class ChildProcessInterceptor extends BaseInterceptor {
     constructor(options: BaseInterceptorOptions);
     install(): void;
     uninstall(): void;
+    /**
+     * Build execution context from config for RPC calls
+     */
+    private getPolicyExecutionContext;
+    /**
+     * Synchronous policy check via SyncClient.
+     * Returns the full policy result (with sandbox config) or null if broker
+     * is unavailable and failOpen is true.
+     */
+    private syncPolicyCheck;
+    /**
+     * Create a restrictive default sandbox config for fail-open scenarios.
+     * No network, minimal fs — better than running completely unsandboxed.
+     */
+    private getFailOpenSandbox;
+    /**
+     * Resolve the sandbox config to use: from policy result, fail-open default, or null.
+     */
+    private resolveSandbox;
+    /**
+     * Wrap a command with sandbox-exec if seatbelt is enabled and sandbox config is present.
+     * Returns modified { command, args, options } for spawn-style calls.
+     */
+    private wrapWithSeatbelt;
+    /**
+     * Wrap a shell command string with sandbox-exec.
+     * For exec/execSync which take a full command string.
+     */
+    private wrapCommandStringWithSeatbelt;
     private createInterceptedExec;
     private createInterceptedExecSync;
     private createInterceptedSpawn;

package/interceptors/child-process.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"child-process.d.ts","sourceRoot":"","sources":["../../src/interceptors/child-process.ts"],"names":[],"mappings":"AAAA~~;;;;GAIG~~;AAGH,OAAO,EAAE,eAAe,EAAE,KAAK,sBAAsB,EAAE,MAAM,WAAW,CAAC;~~AASzE~~,qBAAa,uBAAwB,SAAQ,eAAe;IAC1D,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,YAAY,CAAyC;IAC7D,OAAO,CAAC,gBAAgB,CAA6C;IACrE,OAAO,CAAC,aAAa,CAA0C;IAC/D,OAAO,CAAC,iBAAiB,CAA8C;IACvE,OAAO,CAAC,gBAAgB,CAA6C;IACrE,OAAO,CAAC,YAAY,CAAyC;gBAEjD,OAAO,EAAE,sBAAsB;~~IAU3C~~,OAAO,IAAI,IAAI;IAsBf,SAAS,IAAI,IAAI;IAmBjB,OAAO,CAAC,qBAAqB;~~IAwC7B~~,OAAO,CAAC,yBAAyB;~~IAsDjC~~,OAAO,CAAC,sBAAsB;~~IAkC9B~~,OAAO,CAAC,0BAA0B;~~IA+DlC~~,OAAO,CAAC,yBAAyB;~~IAwBjC~~,OAAO,CAAC,qBAAqB;~~CA2B9B~~"}
1	+ {"version":3,"file":"child-process.d.ts","sourceRoot":"","sources":["../../src/interceptors/child-process.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,eAAe,EAAE,KAAK,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAYzE,qBAAa,uBAAwB,SAAQ,eAAe;IAC1D,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,cAAc,CAA+B;IACrD,OAAO,CAAC,YAAY,CAAyC;IAC7D,OAAO,CAAC,gBAAgB,CAA6C;IACrE,OAAO,CAAC,aAAa,CAA0C;IAC/D,OAAO,CAAC,iBAAiB,CAA8C;IACvE,OAAO,CAAC,gBAAgB,CAA6C;IACrE,OAAO,CAAC,YAAY,CAAyC;gBAEjD,OAAO,EAAE,sBAAsB;IAkB3C,OAAO,IAAI,IAAI;IAsBf,SAAS,IAAI,IAAI;IAmBjB;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAUjC;;;;OAIG;IACH,OAAO,CAAC,eAAe;IAkCvB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAgB1B;;OAEG;IACH,OAAO,CAAC,cAAc;IAWtB;;;OAGG;IACH,OAAO,CAAC,gBAAgB;IA+CxB;;;OAGG;IACH,OAAO,CAAC,6BAA6B;IAsCrC,OAAO,CAAC,qBAAqB;IAsD7B,OAAO,CAAC,yBAAyB;IAwCjC,OAAO,CAAC,sBAAsB;IAiD9B,OAAO,CAAC,0BAA0B;IA0DlC,OAAO,CAAC,yBAAyB;IAoEjC,OAAO,CAAC,qBAAqB;CAyD9B"}

package/interceptors/fetch.d.ts CHANGED Viewed

@@ -7,6 +7,10 @@ import { BaseInterceptor, type BaseInterceptorOptions } from './base.js';
 export declare class FetchInterceptor extends BaseInterceptor {
     private originalFetch;
     constructor(options: BaseInterceptorOptions);
+    /**
+     * Build execution context from config
+     */
+    private getPolicyExecutionContext;
     install(): void;
     uninstall(): void;
     private interceptedFetch;

package/interceptors/fetch.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../../src/interceptors/fetch.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,eAAe,EAAE,KAAK,sBAAsB,EAAE,MAAM,WAAW,CAAC;~~AAGzE~~,qBAAa,gBAAiB,SAAQ,eAAe;IACnD,OAAO,CAAC,aAAa,CAA6B;gBAEtC,OAAO,EAAE,sBAAsB;IAI3C,OAAO,IAAI,IAAI;IAYf,SAAS,IAAI,IAAI;YAQH,gBAAgB;~~CAiG~~/B"}
1	+ {"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../../src/interceptors/fetch.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,eAAe,EAAE,KAAK,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAIzE,qBAAa,gBAAiB,SAAQ,eAAe;IACnD,OAAO,CAAC,aAAa,CAA6B;gBAEtC,OAAO,EAAE,sBAAsB;IAI3C;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAWjC,OAAO,IAAI,IAAI;IAYf,SAAS,IAAI,IAAI;YAQH,gBAAgB;CA+C/B"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@agenshield/interceptor",
-  "version": "0.6.1",
+  "version": "0.7.0",
   "type": "module",
   "description": "Node.js runtime interception via ESM loader and CJS preload",
   "main": "./index.js",
@@ -25,7 +25,7 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@agenshield/ipc": "0.6.1"
+    "@agenshield/ipc": "0.7.0"
   },
   "devDependencies": {
     "@types/node": "^24.0.0",

package/policy/evaluator.d.ts CHANGED Viewed

@@ -5,6 +5,7 @@
  * No caching - always checks daemon for up-to-date policy decisions.
  */
 import type { AsyncClient } from '../client/http-client.js';
+import type { SandboxConfig, PolicyExecutionContext } from '@agenshield/ipc';
 export interface PolicyEvaluatorOptions {
     client: AsyncClient;
 }
@@ -12,6 +13,8 @@ export interface PolicyCheckResult {
     allowed: boolean;
     policyId?: string;
     reason?: string;
+    sandbox?: SandboxConfig;
+    executionContext?: PolicyExecutionContext;
 }
 export declare class PolicyEvaluator {
     private client;
@@ -20,6 +23,6 @@ export declare class PolicyEvaluator {
      * Check if an operation is allowed
      * Always queries the daemon for fresh policy decisions
      */
-    check(operation: string, target: string): Promise<PolicyCheckResult>;
+    check(operation: string, target: string, context?: PolicyExecutionContext): Promise<PolicyCheckResult>;
 }
 //# sourceMappingURL=evaluator.d.ts.map

package/policy/evaluator.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"evaluator.d.ts","sourceRoot":"","sources":["../../src/policy/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;~~AAE5D~~,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,WAAW,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;~~CACjB~~;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAc;gBAEhB,OAAO,EAAE,sBAAsB;IAI3C;;;OAGG;IACG,KAAK,CACT,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,~~GACb~~,OAAO,CAAC,iBAAiB,CAAC;CAgB9B"}
1	+ {"version":3,"file":"evaluator.d.ts","sourceRoot":"","sources":["../../src/policy/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,KAAK,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AAE7E,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,WAAW,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAc;gBAEhB,OAAO,EAAE,sBAAsB;IAI3C;;;OAGG;IACG,KAAK,CACT,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,iBAAiB,CAAC;CAgB9B"}