@agenshield/sandbox 0.4.4 → 0.6.0
- package/directories.d.ts.map +1 -1
- package/guarded-shell.d.ts +2 -2
- package/guarded-shell.d.ts.map +1 -1
- package/index.d.ts +1 -1
- package/index.d.ts.map +1 -1
- package/index.js +242 -41
- package/launchdaemon.d.ts.map +1 -1
- package/macos.d.ts.map +1 -1
- package/migration.d.ts.map +1 -1
- package/package.json +2 -2
- package/security.d.ts.map +1 -1
- package/shield-exec.d.ts +1 -1
- package/shield-exec.d.ts.map +1 -1
- package/wrappers.d.ts +41 -1
- package/wrappers.d.ts.map +1 -1
package/directories.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"directories.d.ts","sourceRoot":"","sources":["../src/directories.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAK/D;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;IAC5C,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;CAC5C;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,kBAAkB,
|
|
1
|
+
{"version":3,"file":"directories.d.ts","sourceRoot":"","sources":["../src/directories.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAK/D;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;IAC5C,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;CAC5C;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,kBAAkB,CA+HhF;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,WAAW,CAalE;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE;IACP,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf,EACD,cAAc,CAAC,EAAE,cAAc,GAC9B,OAAO,CAAC,eAAe,CAAC,CA6B1B;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CAUvH;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CAsB/G;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CActH;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CAKpH;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC;IACpE,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACnD,CAAC,CA8DD;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,eAAe,CAAC,CAyBxF;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;IAC/D,MAAM,EAAE,OAAO,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,IAAI,CAAC
,CAcR;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CA2C1F"}
|
package/guarded-shell.d.ts
CHANGED
|
@@ -25,10 +25,10 @@ export declare const GUARDED_SHELL_CONTENT = "#!/bin/zsh\n# guarded-shell: launc
|
|
|
25
25
|
* ZDOTDIR .zshenv — runs after /etc/zshenv (which calls path_helper on macOS).
|
|
26
26
|
* Overrides PATH to only include $HOME/bin.
|
|
27
27
|
*/
|
|
28
|
-
export declare const ZDOT_ZSHENV_CONTENT = "# AgenShield restricted .zshenv\n# Runs AFTER /etc/zshenv \u2014 overrides path_helper's full system PATH.\n\n# ALWAYS set HOME based on actual user, never inherit\nexport HOME=\"/Users/$(id -un)\"\nexport HISTFILE=\"$HOME/.zsh_history\"\n\n# Suppress locale to prevent /etc/zshrc from calling locale command\nexport LC_ALL=C LANG=C\n\nexport PATH=\"$HOME/bin\"\nexport SHELL=\"/usr/local/bin/guarded-shell\"\n\n# Clear any leftover env tricks\nunset DYLD_LIBRARY_PATH DYLD_FALLBACK_LIBRARY_PATH DYLD_INSERT_LIBRARIES\nunset PYTHONPATH NODE_PATH RUBYLIB PERL5LIB\nunset SSH_ASKPASS LD_PRELOAD\n";
|
|
28
|
+
export declare const ZDOT_ZSHENV_CONTENT = "# AgenShield restricted .zshenv\n# Runs AFTER /etc/zshenv \u2014 overrides path_helper's full system PATH.\n\n# ALWAYS set HOME based on actual user, never inherit\nexport HOME=\"/Users/$(id -un)\"\nexport HISTFILE=\"$HOME/.zsh_history\"\n\n# Suppress locale to prevent /etc/zshrc from calling locale command\nexport LC_ALL=C LANG=C\n\nexport PATH=\"$HOME/bin\"\nexport SHELL=\"/usr/local/bin/guarded-shell\"\n\n# Clear any leftover env tricks\nunset DYLD_LIBRARY_PATH DYLD_FALLBACK_LIBRARY_PATH DYLD_INSERT_LIBRARIES\nunset PYTHONPATH NODE_PATH RUBYLIB PERL5LIB\nunset SSH_ASKPASS LD_PRELOAD\n\n# Skip system rc files (/etc/zprofile, /etc/zshrc, /etc/zlogin)\n# They may call commands not in our restricted PATH (e.g. locale).\n# ZDOTDIR files (.zshrc) are still read.\nsetopt NO_GLOBAL_RCS\n";
|
|
29
29
|
/**
|
|
30
30
|
* ZDOTDIR .zshrc — interactive shell restrictions.
|
|
31
31
|
* Applies RESTRICTED mode, locks variables, disables builtins, installs hooks.
|
|
32
32
|
*/
|
|
33
|
-
export declare const ZDOT_ZSHRC_CONTENT = "# AgenShield restricted .zshrc\n# Applied to every interactive shell for the agent user.\n\nemulate -LR zsh\n\n# Re-set HISTFILE (safety: ensure it points to agent's home, not ZDOTDIR)\nHISTFILE=\"$HOME/.zsh_history\"\n\n# ---- Shell options ----\n# Note: NOT using setopt RESTRICTED as it disables cd entirely.\n# Instead we use preexec hooks and builtin disable for enforcement.\nsetopt NO_CASE_GLOB\nsetopt NO_BEEP\n\n# ---- Lock critical variables (readonly) ----\ntypeset -r PATH HOME SHELL HISTFILE\n\n# ---- Enforcement helpers ----\ndeny() {\n print -r -- \"Denied by policy\"\n return 126\n}\n\nis_allowed_cmd() {\n local cmd=\"$1\"\n\n # Allow zsh reserved words (if, for, while, [[, case, etc.)\n [[ \"$(whence -w \"$cmd\" 2>/dev/null)\" == *\": reserved\" ]] && return 0\n\n # Allow shell builtins we explicitly permit\n case \"$cmd\" in\n cd|pwd|echo|printf|test|true|false|exit|return|break|continue|shift|set|unset|export|typeset|local|declare|readonly|let|read|print|pushd|popd|dirs|jobs|fg|bg|kill|wait|times|ulimit|umask|history|fc|type|whence|which|where|rehash)\n return 0\n ;;\n esac\n\n # Deny path execution outright\n [[ \"$cmd\" == */* ]] && return 1\n\n # Resolve command path\n local resolved\n resolved=\"$(whence -p -- \"$cmd\" 2>/dev/null)\" || return 1\n\n # Must live under HOME/bin exactly\n [[ \"$resolved\" == \"$HOME/bin/\"* ]] && return 0\n return 1\n}\n\n# ---- Block dangerous builtins ----\ndisable -r builtin command exec eval hash nohup setopt source unfunction functions alias unalias 2>/dev/null || true\n\n# ---- Intercept every interactive command before execution ----\npreexec() {\n
|
|
33
|
+
export declare const ZDOT_ZSHRC_CONTENT = "# AgenShield restricted .zshrc\n# Applied to every interactive shell for the agent user.\n\nemulate -LR zsh\n\n# Re-set HISTFILE (safety: ensure it points to agent's home, not ZDOTDIR)\nHISTFILE=\"$HOME/.zsh_history\"\n\n# Re-set PATH (only ~/bin \u2014 override anything that may have been added)\nPATH=\"$HOME/bin\"\n\n# ---- Shell options ----\n# Note: NOT using setopt RESTRICTED as it disables cd entirely.\n# Instead we use preexec hooks and builtin disable for enforcement.\nsetopt NO_CASE_GLOB\nsetopt NO_BEEP\n\n# ---- Lock critical variables (readonly) ----\ntypeset -r PATH HOME SHELL HISTFILE\n\n# ---- Enforcement helpers ----\ndeny() {\n print -r -- \"Denied by policy\"\n return 126\n}\n\nis_allowed_cmd() {\n local cmd=\"$1\"\n\n # Allow zsh reserved words (if, for, while, [[, case, etc.)\n [[ \"$(whence -w \"$cmd\" 2>/dev/null)\" == *\": reserved\" ]] && return 0\n\n # Allow shell builtins we explicitly permit\n case \"$cmd\" in\n cd|pwd|echo|printf|test|true|false|exit|return|break|continue|shift|set|unset|export|typeset|local|declare|readonly|let|read|print|pushd|popd|dirs|jobs|fg|bg|kill|wait|times|ulimit|umask|history|fc|type|whence|which|where|rehash)\n return 0\n ;;\n esac\n\n # Deny path execution outright\n [[ \"$cmd\" == */* ]] && return 1\n\n # Resolve command path\n local resolved\n resolved=\"$(whence -p -- \"$cmd\" 2>/dev/null)\" || return 1\n\n # Must live under HOME/bin exactly\n [[ \"$resolved\" == \"$HOME/bin/\"* ]] && return 0\n return 1\n}\n\n# ---- Block dangerous builtins ----\ndisable -r builtin command exec eval hash nohup setopt source unfunction functions alias unalias 2>/dev/null || true\n\n# ---- Intercept every interactive command before execution ----\npreexec() {\n # Enforcement handled by TRAPDEBUG (which can cancel execution via return 126).\n # preexec cannot prevent execution, so we don't enforce here.\n return 0\n}\n\n# ---- Also intercept non-interactive \\`zsh -c\\` cases 
----\ntypeset -gi __ash_guard=0\n\nTRAPDEBUG() {\n # Prevent recursion when our own checks invoke whence/is_allowed_cmd\n (( __ash_guard )) && return 0\n\n local line=\"${ZSH_DEBUG_CMD:-$1}\"\n local cmd=\"${line%%[[:space:]]*}\"\n [[ -z \"$cmd\" ]] && return 0\n\n # Skip variable assignments (e.g. resolved=\"$(whence ...)\")\n [[ \"$cmd\" == *=* ]] && return 0\n\n # Skip zsh reserved words ([[, if, for, while, case, etc.)\n __ash_guard=1\n [[ \"$(whence -w \"$cmd\" 2>/dev/null)\" == *\": reserved\" ]] && { __ash_guard=0; return 0; }\n\n [[ \"$cmd\" == */* ]] && { __ash_guard=0; print -r -- \"Denied: direct path execution\"; return 126; }\n is_allowed_cmd \"$cmd\" || { __ash_guard=0; print -r -- \"Denied: $cmd\"; return 126; }\n __ash_guard=0\n return 0\n}\n\n# ---- Ensure accessible working directory ----\ncd \"$HOME\" 2>/dev/null || cd /\n";
|
|
34
34
|
//# sourceMappingURL=guarded-shell.d.ts.map
|
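Review bot: In the new `ZDOT_ZSHRC_CONTENT`, `TRAPDEBUG` is left as the only per-command check (the `preexec` body is now just `return 0`), yet its `[[ "$cmd" == *=* ]] && return 0` shortcut returns before `is_allowed_cmd` for any line whose first token contains `=`, not only for bare assignments, and the remaining checks look at the first whitespace-delimited token alone. One conservative tightening is to skip only when the whole line is that single token, `[[ "$cmd" == *=* && "$line" == "$cmd" ]] && return 0`, and let everything else fall through to the allow-list. Separately, the `disable -r builtin command exec eval …` line looks like a no-op: per the zsh manual `-r` acts on reserved words while these names are builtins (`nohup` is an external command), and `2>/dev/null || true` hides the failure, so dropping `-r`, `nohup` and the redirect would make the intended disabling take effect and surface errors. This file is a generated declaration, so any change belongs in the `../src/guarded-shell.ts` source named in the accompanying map.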
package/guarded-shell.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"guarded-shell.d.ts","sourceRoot":"","sources":["../src/guarded-shell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,eAAO,MAAM,kBAAkB,iCAAiC,CAAC;AACjE,eAAO,MAAM,QAAQ,yBAAyB,CAAC;AAE/C;;;GAGG;AACH,eAAO,MAAM,qBAAqB,0jBAgBjC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mBAAmB,
|
|
1
|
+
{"version":3,"file":"guarded-shell.d.ts","sourceRoot":"","sources":["../src/guarded-shell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,eAAO,MAAM,kBAAkB,iCAAiC,CAAC;AACjE,eAAO,MAAM,QAAQ,yBAAyB,CAAC;AAE/C;;;GAGG;AACH,eAAO,MAAM,qBAAqB,0jBAgBjC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mBAAmB,8xBAsB/B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,qyFAuF9B,CAAC"}
|
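--- a/package/index.d.ts
+++ b/package/index.d.ts
@@ -18,7 +18,7 @@ export * from './detect';
 export * from './backup';
 export * from './restore';
 export { SHIELD_EXEC_CONTENT, SHIELD_EXEC_PATH, PROXIED_COMMANDS, } from './shield-exec';
-export { WRAPPERS, WRAPPER_DEFINITIONS, installWrapper, installWrappers, installSpecificWrappers, installWrapperWithSudo, uninstallWrapper, uninstallWrappers, verifyWrappers, installGuardedShell, installAllWrappers, installShieldExec, deployInterceptor, copyNodeBinary, copyBrokerBinary, installPresetBinaries, installBasicCommands, BASIC_SYSTEM_COMMANDS, type PresetInstallResult, getAvailableWrappers, getWrapperDefinition, generateWrapperContent, getDefaultWrapperConfig, wrapperUsesSeatbelt, wrapperUsesInterceptor, addDynamicWrapper, removeDynamicWrapper, updateWrapper, type WrapperResult, type WrapperDefinition, type WrapperConfig, } from './wrappers';
+export { WRAPPERS, WRAPPER_DEFINITIONS, installWrapper, installWrappers, installSpecificWrappers, installWrapperWithSudo, uninstallWrapper, uninstallWrappers, verifyWrappers, installGuardedShell, installAllWrappers, installShieldExec, deployInterceptor, copyNodeBinary, copyBrokerBinary, copyShieldClient, installAgentNvm, type NvmInstallResult, installPresetBinaries, installBasicCommands, BASIC_SYSTEM_COMMANDS, type PresetInstallResult, getAvailableWrappers, getWrapperDefinition, generateWrapperContent, getDefaultWrapperConfig, wrapperUsesSeatbelt, wrapperUsesInterceptor, addDynamicWrapper, removeDynamicWrapper, updateWrapper, type WrapperResult, type WrapperDefinition, type WrapperConfig, } from './wrappers';
 export { generateAgentProfile, generateOperationProfile, installProfiles, installSeatbeltProfiles, verifyProfile, getInstalledProfiles, type ProfileResult, } from './seatbelt';
 export { generateBrokerPlist, generateBrokerPlistLegacy, installLaunchDaemon, loadLaunchDaemon, unloadLaunchDaemon, uninstallLaunchDaemon, isDaemonRunning, getDaemonStatus, restartDaemon, fixSocketPermissions, type DaemonResult, } from './launchdaemon';
 export { getPreset, listPresets, listAutoDetectablePresets, autoDetectPreset, formatPresetList, openclawPreset, devHarnessPreset, customPreset, PRESETS, type TargetPreset, type PresetDetectionResult, type MigrationContext, type MigrationDirectories, type PresetMigrationResult, } from './presets';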
package/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,gBAAgB,EAAE,kBAAkB,IAAI,yBAAyB,EAAE,MAAM,SAAS,CAAC;AAG7H,cAAc,iBAAiB,CAAC;AAGhC,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,WAAW,EACX,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,uBAAuB,EACvB,WAAW,EACX,UAAU,EACV,YAAY,EACZ,WAAW,EACX,uBAAuB,EACvB,WAAW,EACX,UAAU,EACV,WAAW,EACX,YAAY,EACZ,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,KAAK,YAAY,GAClB,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,wBAAwB,EACxB,iBAAiB,EACjB,eAAe,EACf,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,oBAAoB,EACpB,gBAAgB,EAChB,oBAAoB,EACpB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,GACrB,MAAM,eAAe,CAAC;AAGvB,cAAc,aAAa,CAAC;AAG5B,cAAc,YAAY,CAAC;AAG3B,cAAc,UAAU,CAAC;AAGzB,cAAc,UAAU,CAAC;AACzB,cAAc,WAAW,CAAC;AAG1B,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,eAAe,CAAC;AAGvB,OAAO,EACL,QAAQ,EACR,mBAAmB,EACnB,cAAc,EACd,eAAe,EACf,uBAAuB,EACvB,sBAAsB,EACtB,gBAAgB,EAChB,iBAAiB,EACjB,cAAc,EACd,mBAAmB,EACnB,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,qBAAqB,EACrB,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,mBAAmB,EAExB,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,sBAAsB,EACtB,iBAAiB,EACjB,oBAAoB,EACpB,aAAa,EACb,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,oBAAoB,EACpB,wBAAwB,EACxB,eAAe,EACf,uBAAuB,EACvB,aAAa,EACb,oBAAoB,EACpB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,mBAAmB,EACnB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACrB,eAAe,EACf,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,KAAK,YAAY,GAClB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAEL,SAAS,EACT,WAAW,EACX,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAEhB,cAAc,EACd,gBAAgB,EAChB,YAAY,EACZ,OAAO,EAEP,KAAK,YAAY,EACjB,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,WAAW,CAAC;AAGnB,OAAO,EACL,aAAa,EACb,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,iBAAi
B,GAClB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,EACpB,uBAAuB,EACvB,YAAY,EACZ,kBAAkB,EAClB,KAAK,oBAAoB,GAC1B,MAAM,kBAAkB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,gBAAgB,EAAE,kBAAkB,IAAI,yBAAyB,EAAE,MAAM,SAAS,CAAC;AAG7H,cAAc,iBAAiB,CAAC;AAGhC,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,WAAW,EACX,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,uBAAuB,EACvB,WAAW,EACX,UAAU,EACV,YAAY,EACZ,WAAW,EACX,uBAAuB,EACvB,WAAW,EACX,UAAU,EACV,WAAW,EACX,YAAY,EACZ,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,KAAK,YAAY,GAClB,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,wBAAwB,EACxB,iBAAiB,EACjB,eAAe,EACf,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,oBAAoB,EACpB,gBAAgB,EAChB,oBAAoB,EACpB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,GACrB,MAAM,eAAe,CAAC;AAGvB,cAAc,aAAa,CAAC;AAG5B,cAAc,YAAY,CAAC;AAG3B,cAAc,UAAU,CAAC;AAGzB,cAAc,UAAU,CAAC;AACzB,cAAc,WAAW,CAAC;AAG1B,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,eAAe,CAAC;AAGvB,OAAO,EACL,QAAQ,EACR,mBAAmB,EACnB,cAAc,EACd,eAAe,EACf,uBAAuB,EACvB,sBAAsB,EACtB,gBAAgB,EAChB,iBAAiB,EACjB,cAAc,EACd,mBAAmB,EACnB,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,eAAe,EACf,KAAK,gBAAgB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,mBAAmB,EAExB,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,sBAAsB,EACtB,iBAAiB,EACjB,oBAAoB,EACpB,aAAa,EACb,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,oBAAoB,EACpB,wBAAwB,EACxB,eAAe,EACf,uBAAuB,EACvB,aAAa,EACb,oBAAoB,EACpB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,mBAAmB,EACnB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACrB,eAAe,EACf,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,KAAK,YAAY,GAClB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAEL,SAAS,EACT,WAAW,EACX,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAEhB,cAAc,EACd,gBAAgB,EAChB,YAAY,EACZ,OAAO,EAEP,KAAK,YAAY,EACjB,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,WAAW,CAAC;AAGnB,OAAO,EACL,aAAa,EACb,YAAY,EA
CZ,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,EACpB,uBAAuB,EACvB,YAAY,EACZ,kBAAkB,EAClB,KAAK,oBAAoB,GAC1B,MAAM,kBAAkB,CAAC"}
|
package/index.js
CHANGED
|
@@ -57,6 +57,11 @@ export SHELL="/usr/local/bin/guarded-shell"
|
|
|
57
57
|
unset DYLD_LIBRARY_PATH DYLD_FALLBACK_LIBRARY_PATH DYLD_INSERT_LIBRARIES
|
|
58
58
|
unset PYTHONPATH NODE_PATH RUBYLIB PERL5LIB
|
|
59
59
|
unset SSH_ASKPASS LD_PRELOAD
|
|
60
|
+
|
|
61
|
+
# Skip system rc files (/etc/zprofile, /etc/zshrc, /etc/zlogin)
|
|
62
|
+
# They may call commands not in our restricted PATH (e.g. locale).
|
|
63
|
+
# ZDOTDIR files (.zshrc) are still read.
|
|
64
|
+
setopt NO_GLOBAL_RCS
|
|
60
65
|
`;
|
|
61
66
|
ZDOT_ZSHRC_CONTENT = `# AgenShield restricted .zshrc
|
|
62
67
|
# Applied to every interactive shell for the agent user.
|
|
@@ -66,6 +71,9 @@ emulate -LR zsh
|
|
|
66
71
|
# Re-set HISTFILE (safety: ensure it points to agent's home, not ZDOTDIR)
|
|
67
72
|
HISTFILE="$HOME/.zsh_history"
|
|
68
73
|
|
|
74
|
+
# Re-set PATH (only ~/bin \u2014 override anything that may have been added)
|
|
75
|
+
PATH="$HOME/bin"
|
|
76
|
+
|
|
69
77
|
# ---- Shell options ----
|
|
70
78
|
# Note: NOT using setopt RESTRICTED as it disables cd entirely.
|
|
71
79
|
# Instead we use preexec hooks and builtin disable for enforcement.
|
|
@@ -111,20 +119,9 @@ disable -r builtin command exec eval hash nohup setopt source unfunction functio
|
|
|
111
119
|
|
|
112
120
|
# ---- Intercept every interactive command before execution ----
|
|
113
121
|
preexec() {
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
# Empty / whitespace lines
|
|
118
|
-
[[ -z "$cmd" ]] && return 0
|
|
119
|
-
|
|
120
|
-
# Deny anything with slash in the command token (direct path execution)
|
|
121
|
-
[[ "$cmd" == */* ]] && { print -r -- "Denied: direct path execution"; kill -KILL $$; }
|
|
122
|
-
|
|
123
|
-
# Deny anything not allowed
|
|
124
|
-
if ! is_allowed_cmd "$cmd"; then
|
|
125
|
-
print -r -- "Denied: $cmd (not in $HOME/bin)"
|
|
126
|
-
kill -KILL $$
|
|
127
|
-
fi
|
|
122
|
+
# Enforcement handled by TRAPDEBUG (which can cancel execution via return 126).
|
|
123
|
+
# preexec cannot prevent execution, so we don't enforce here.
|
|
124
|
+
return 0
|
|
128
125
|
}
|
|
129
126
|
|
|
130
127
|
# ---- Also intercept non-interactive \\\`zsh -c\\\` cases ----
|
|
@@ -292,11 +289,9 @@ var init_shield_exec = __esm({
|
|
|
292
289
|
process.exit(1);
|
|
293
290
|
});
|
|
294
291
|
}
|
|
295
|
-
SHIELD_EXEC_CONTENT = `#!/
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
const path = require('path');
|
|
299
|
-
const net = require('net');
|
|
292
|
+
SHIELD_EXEC_CONTENT = `#!/opt/agenshield/bin/node-bin
|
|
293
|
+
import path from 'node:path';
|
|
294
|
+
import net from 'node:net';
|
|
300
295
|
|
|
301
296
|
const DEFAULT_SOCKET_PATH = '/var/run/agenshield/agenshield.sock';
|
|
302
297
|
|
|
@@ -1211,17 +1206,17 @@ function createDirectoryStructure(config) {
|
|
|
1211
1206
|
group: "wheel"
|
|
1212
1207
|
},
|
|
1213
1208
|
"/opt/agenshield/config": {
|
|
1214
|
-
mode:
|
|
1209
|
+
mode: 509,
|
|
1215
1210
|
owner: brokerUsername,
|
|
1216
1211
|
group: socketGroupName
|
|
1217
1212
|
},
|
|
1218
1213
|
"/opt/agenshield/policies": {
|
|
1219
|
-
mode:
|
|
1214
|
+
mode: 509,
|
|
1220
1215
|
owner: brokerUsername,
|
|
1221
1216
|
group: socketGroupName
|
|
1222
1217
|
},
|
|
1223
1218
|
"/opt/agenshield/policies/custom": {
|
|
1224
|
-
mode:
|
|
1219
|
+
mode: 509,
|
|
1225
1220
|
owner: brokerUsername,
|
|
1226
1221
|
group: socketGroupName
|
|
1227
1222
|
},
|
|
@@ -1320,6 +1315,11 @@ function createDirectoryStructure(config) {
|
|
|
1320
1315
|
mode: 493,
|
|
1321
1316
|
owner: agentUsername,
|
|
1322
1317
|
group: socketGroupName
|
|
1318
|
+
},
|
|
1319
|
+
[`${agentHome}/.nvm`]: {
|
|
1320
|
+
mode: 493,
|
|
1321
|
+
owner: agentUsername,
|
|
1322
|
+
group: socketGroupName
|
|
1323
1323
|
}
|
|
1324
1324
|
}
|
|
1325
1325
|
};
|
|
@@ -1561,7 +1561,7 @@ function createOpenClawWrapper(user, dirs, method) {
|
|
|
1561
1561
|
entryPath = path.resolve(dirs.packageDir, binEntry);
|
|
1562
1562
|
} catch {
|
|
1563
1563
|
}
|
|
1564
|
-
const wrapperContent = `#!/
|
|
1564
|
+
const wrapperContent = `#!/bin/bash
|
|
1565
1565
|
set -euo pipefail
|
|
1566
1566
|
# Avoid getcwd errors when cwd is inaccessible
|
|
1567
1567
|
cd ~ 2>/dev/null || cd /
|
|
@@ -1693,10 +1693,32 @@ function injectSkillWatcherSetting(configDir) {
|
|
|
1693
1693
|
}
|
|
1694
1694
|
function createNodeWrapper(user, dirs) {
|
|
1695
1695
|
let nodePath;
|
|
1696
|
-
|
|
1697
|
-
|
|
1698
|
-
|
|
1699
|
-
|
|
1696
|
+
const sandboxNodeBin = "/opt/agenshield/bin/node-bin";
|
|
1697
|
+
if (fs3.existsSync(sandboxNodeBin)) {
|
|
1698
|
+
nodePath = sandboxNodeBin;
|
|
1699
|
+
} else {
|
|
1700
|
+
const nvmVersionsDir = path.join(user.homeDir, ".nvm", "versions", "node");
|
|
1701
|
+
let nvmNode;
|
|
1702
|
+
try {
|
|
1703
|
+
const versions = fs3.readdirSync(nvmVersionsDir).sort();
|
|
1704
|
+
for (const v of versions.reverse()) {
|
|
1705
|
+
const candidate = path.join(nvmVersionsDir, v, "bin", "node");
|
|
1706
|
+
if (fs3.existsSync(candidate)) {
|
|
1707
|
+
nvmNode = candidate;
|
|
1708
|
+
break;
|
|
1709
|
+
}
|
|
1710
|
+
}
|
|
1711
|
+
} catch {
|
|
1712
|
+
}
|
|
1713
|
+
if (nvmNode) {
|
|
1714
|
+
nodePath = nvmNode;
|
|
1715
|
+
} else {
|
|
1716
|
+
try {
|
|
1717
|
+
nodePath = execSync2("which node", { encoding: "utf-8" }).trim();
|
|
1718
|
+
} catch {
|
|
1719
|
+
return { success: false, error: "Node.js not found (checked /opt/agenshield/bin/node-bin, agent NVM, and system PATH)" };
|
|
1720
|
+
}
|
|
1721
|
+
}
|
|
1700
1722
|
}
|
|
1701
1723
|
const wrapperPath = path.join(dirs.binDir, "node");
|
|
1702
1724
|
const wrapperContent = `#!/bin/bash
|
|
@@ -1724,6 +1746,7 @@ import * as os from "node:os";
|
|
|
1724
1746
|
import * as fs4 from "node:fs";
|
|
1725
1747
|
import { execSync as execSync3 } from "node:child_process";
|
|
1726
1748
|
init_guarded_shell();
|
|
1749
|
+
var SANDBOX_USERS = ["openclaw", "ash_default_agent"];
|
|
1727
1750
|
var SECRET_PATTERNS = [
|
|
1728
1751
|
/^TWILIO_/i,
|
|
1729
1752
|
/^OPENAI_/i,
|
|
@@ -1787,19 +1810,19 @@ function checkSecurityStatus(options) {
|
|
|
1787
1810
|
const warnings = [];
|
|
1788
1811
|
const critical = [];
|
|
1789
1812
|
const recommendations = [];
|
|
1790
|
-
const sandboxUserExists = userExists(
|
|
1813
|
+
const sandboxUserExists = SANDBOX_USERS.some((u) => userExists(u));
|
|
1791
1814
|
const guardedShellInstalled = isGuardedShellInstalled();
|
|
1792
1815
|
const processes = getOpenClawProcesses();
|
|
1793
|
-
const isolatedProcesses = processes.filter((p) => p.user
|
|
1794
|
-
const unIsolatedProcesses = processes.filter((p) => p.user
|
|
1795
|
-
const isIsolated = sandboxUserExists &&
|
|
1816
|
+
const isolatedProcesses = processes.filter((p) => SANDBOX_USERS.includes(p.user));
|
|
1817
|
+
const unIsolatedProcesses = processes.filter((p) => !SANDBOX_USERS.includes(p.user));
|
|
1818
|
+
const isIsolated = sandboxUserExists && unIsolatedProcesses.length === 0;
|
|
1796
1819
|
const exposedSecrets = checkExposedSecrets(options?.env);
|
|
1797
1820
|
if (runningAsRoot) {
|
|
1798
1821
|
critical.push("DANGER: Running as root! OpenClaw should never run as root.");
|
|
1799
1822
|
recommendations.push("Run AgenShield setup to isolate OpenClaw in unprivileged sandbox");
|
|
1800
1823
|
}
|
|
1801
1824
|
if (!sandboxUserExists) {
|
|
1802
|
-
warnings.push(
|
|
1825
|
+
warnings.push("No sandbox user found (checked: " + SANDBOX_USERS.join(", ") + ")");
|
|
1803
1826
|
recommendations.push('Run "agenshield setup" to create isolated sandbox user');
|
|
1804
1827
|
}
|
|
1805
1828
|
if (unIsolatedProcesses.length > 0) {
|
|
@@ -2129,7 +2152,8 @@ var OperationTypeSchema = z2.enum([
|
|
|
2129
2152
|
"open_url",
|
|
2130
2153
|
"secret_inject",
|
|
2131
2154
|
"ping",
|
|
2132
|
-
"policy_check"
|
|
2155
|
+
"policy_check",
|
|
2156
|
+
"events_batch"
|
|
2133
2157
|
]);
|
|
2134
2158
|
var HttpRequestParamsSchema = z2.object({
|
|
2135
2159
|
url: z2.string().url(),
|
|
@@ -4617,6 +4641,13 @@ async function copyBrokerBinary(userConfig) {
|
|
|
4617
4641
|
await execAsync4(`sudo cp "${srcPath}" "${targetPath}"`);
|
|
4618
4642
|
await execAsync4(`sudo chmod 755 "${targetPath}"`);
|
|
4619
4643
|
await execAsync4(`sudo chown root:${socketGroupName} "${targetPath}"`);
|
|
4644
|
+
await execAsync4(
|
|
4645
|
+
`sudo tee /opt/agenshield/package.json > /dev/null << 'PKGJSONEOF'
|
|
4646
|
+
{"type":"module"}
|
|
4647
|
+
PKGJSONEOF`
|
|
4648
|
+
);
|
|
4649
|
+
await execAsync4(`sudo chown root:wheel /opt/agenshield/package.json`);
|
|
4650
|
+
await execAsync4(`sudo chmod 644 /opt/agenshield/package.json`);
|
|
4620
4651
|
return {
|
|
4621
4652
|
success: true,
|
|
4622
4653
|
name: "agenshield-broker",
|
|
@@ -4633,20 +4664,99 @@ async function copyBrokerBinary(userConfig) {
|
|
|
4633
4664
|
};
|
|
4634
4665
|
}
|
|
4635
4666
|
}
|
|
4636
|
-
async function
|
|
4667
|
+
async function copyShieldClient(userConfig) {
|
|
4668
|
+
const targetPath = "/opt/agenshield/bin/shield-client";
|
|
4669
|
+
const socketGroupName = userConfig?.groups?.socket?.name || "ash_socket";
|
|
4670
|
+
try {
|
|
4671
|
+
const brokerPkgPath = require2.resolve("@agenshield/broker/package.json");
|
|
4672
|
+
const brokerDir = path6.dirname(brokerPkgPath);
|
|
4673
|
+
const brokerPkg = JSON.parse(await fs9.readFile(brokerPkgPath, "utf-8"));
|
|
4674
|
+
const clientEntry = typeof brokerPkg.bin === "object" ? brokerPkg.bin["shield-client"] : null;
|
|
4675
|
+
const srcPath = path6.resolve(brokerDir, clientEntry || "./dist/client/shield-client.js");
|
|
4676
|
+
await fs9.access(srcPath);
|
|
4677
|
+
let content = await fs9.readFile(srcPath, "utf-8");
|
|
4678
|
+
content = content.replace(
|
|
4679
|
+
/^#!\/usr\/bin\/env node/,
|
|
4680
|
+
"#!/opt/agenshield/bin/node-bin"
|
|
4681
|
+
);
|
|
4682
|
+
const tmpPath = "/tmp/shield-client-install";
|
|
4683
|
+
await fs9.writeFile(tmpPath, content, { mode: 493 });
|
|
4684
|
+
await execAsync4("sudo mkdir -p /opt/agenshield/bin");
|
|
4685
|
+
await execAsync4(`sudo mv "${tmpPath}" "${targetPath}"`);
|
|
4686
|
+
await execAsync4(`sudo chmod 755 "${targetPath}"`);
|
|
4687
|
+
await execAsync4(`sudo chown root:${socketGroupName} "${targetPath}"`);
|
|
4688
|
+
return {
|
|
4689
|
+
success: true,
|
|
4690
|
+
name: "shield-client",
|
|
4691
|
+
path: targetPath,
|
|
4692
|
+
message: `Shield-client installed to ${targetPath}`
|
|
4693
|
+
};
|
|
4694
|
+
} catch (error) {
|
|
4695
|
+
return {
|
|
4696
|
+
success: false,
|
|
4697
|
+
name: "shield-client",
|
|
4698
|
+
path: targetPath,
|
|
4699
|
+
message: `Failed to install shield-client: ${error.message}`,
|
|
4700
|
+
error
|
|
4701
|
+
};
|
|
4702
|
+
}
|
|
4703
|
+
}
|
|
4704
|
+
async function copyNodeDylibs(srcBinaryPath, socketGroupName) {
|
|
4705
|
+
const copied = [];
|
|
4706
|
+
const errors = [];
|
|
4707
|
+
try {
|
|
4708
|
+
const { stdout } = await execAsync4(`/usr/bin/otool -L "${srcBinaryPath}"`);
|
|
4709
|
+
const lines = stdout.split("\n");
|
|
4710
|
+
for (const line of lines) {
|
|
4711
|
+
const match = line.match(
|
|
4712
|
+
/\s+(@loader_path|@rpath)(\/[^\s]+\/)(libnode[^\s(]+)/
|
|
4713
|
+
);
|
|
4714
|
+
if (!match) continue;
|
|
4715
|
+
const prefix = match[1];
|
|
4716
|
+
const relPath = match[2];
|
|
4717
|
+
const dylibName = match[3];
|
|
4718
|
+
let resolvedPath;
|
|
4719
|
+
if (prefix === "@loader_path") {
|
|
4720
|
+
resolvedPath = path6.resolve(path6.dirname(srcBinaryPath), relPath, dylibName);
|
|
4721
|
+
} else {
|
|
4722
|
+
resolvedPath = path6.resolve(path6.dirname(srcBinaryPath), "..", "lib", dylibName);
|
|
4723
|
+
}
|
|
4724
|
+
try {
|
|
4725
|
+
await fs9.access(resolvedPath);
|
|
4726
|
+
} catch {
|
|
4727
|
+
errors.push(`dylib not found on disk: ${resolvedPath}`);
|
|
4728
|
+
continue;
|
|
4729
|
+
}
|
|
4730
|
+
const targetPath = `/opt/agenshield/lib/${dylibName}`;
|
|
4731
|
+
try {
|
|
4732
|
+
await execAsync4(`sudo cp "${resolvedPath}" "${targetPath}"`);
|
|
4733
|
+
await execAsync4(`sudo chown root:${socketGroupName} "${targetPath}"`);
|
|
4734
|
+
await execAsync4(`sudo chmod 755 "${targetPath}"`);
|
|
4735
|
+
copied.push(dylibName);
|
|
4736
|
+
} catch (err) {
|
|
4737
|
+
errors.push(`Failed to copy ${dylibName}: ${err.message}`);
|
|
4738
|
+
}
|
|
4739
|
+
}
|
|
4740
|
+
} catch {
|
|
4741
|
+
}
|
|
4742
|
+
return { copied, errors };
|
|
4743
|
+
}
|
|
4744
|
+
async function copyNodeBinary(userConfig, sourcePath) {
|
|
4637
4745
|
const targetPath = "/opt/agenshield/bin/node-bin";
|
|
4638
4746
|
const socketGroupName = userConfig?.groups?.socket?.name || "ash_socket";
|
|
4639
4747
|
try {
|
|
4640
|
-
const srcPath = process.execPath;
|
|
4748
|
+
const srcPath = sourcePath || process.execPath;
|
|
4641
4749
|
await fs9.access(srcPath);
|
|
4642
4750
|
await execAsync4(`sudo cp "${srcPath}" "${targetPath}"`);
|
|
4643
4751
|
await execAsync4(`sudo chown root:${socketGroupName} "${targetPath}"`);
|
|
4644
4752
|
await execAsync4(`sudo chmod 755 "${targetPath}"`);
|
|
4753
|
+
const dylibs = await copyNodeDylibs(srcPath, socketGroupName);
|
|
4754
|
+
const dylibInfo = dylibs.copied.length > 0 ? ` (dylibs: ${dylibs.copied.join(", ")})` : "";
|
|
4645
4755
|
return {
|
|
4646
4756
|
success: true,
|
|
4647
4757
|
name: "node-bin",
|
|
4648
4758
|
path: targetPath,
|
|
4649
|
-
message: `Copied node binary from ${srcPath} to ${targetPath}`
|
|
4759
|
+
message: `Copied node binary from ${srcPath} to ${targetPath}${dylibInfo}`
|
|
4650
4760
|
};
|
|
4651
4761
|
} catch (error) {
|
|
4652
4762
|
return {
|
|
@@ -4658,6 +4768,73 @@ async function copyNodeBinary(userConfig) {
|
|
|
4658
4768
|
};
|
|
4659
4769
|
}
|
|
4660
4770
|
}
|
|
4771
|
+
var NVM_INSTALL_URL = "https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh";
|
|
4772
|
+
async function installAgentNvm(options) {
|
|
4773
|
+
const { agentHome, agentUsername, socketGroupName, verbose } = options;
|
|
4774
|
+
const nodeVersion = options.nodeVersion || "24";
|
|
4775
|
+
const nvmDir = `${agentHome}/.nvm`;
|
|
4776
|
+
const log = (msg) => verbose && process.stderr.write(`[SETUP] ${msg}
|
|
4777
|
+
`);
|
|
4778
|
+
const empty = {
|
|
4779
|
+
success: false,
|
|
4780
|
+
nvmDir,
|
|
4781
|
+
nodeVersion,
|
|
4782
|
+
nodeBinaryPath: "",
|
|
4783
|
+
message: ""
|
|
4784
|
+
};
|
|
4785
|
+
try {
|
|
4786
|
+
log(`Creating NVM directory at ${nvmDir}`);
|
|
4787
|
+
await execAsync4(`sudo mkdir -p "${nvmDir}"`);
|
|
4788
|
+
await execAsync4(`sudo chown ${agentUsername}:${socketGroupName} "${nvmDir}"`);
|
|
4789
|
+
await execAsync4(`sudo chmod 755 "${nvmDir}"`);
|
|
4790
|
+
log("Downloading and installing NVM");
|
|
4791
|
+
const installCmd = [
|
|
4792
|
+
`export HOME="${agentHome}"`,
|
|
4793
|
+
`export NVM_DIR="${nvmDir}"`,
|
|
4794
|
+
`/usr/bin/curl -o- "${NVM_INSTALL_URL}" | PROFILE=/dev/null /bin/bash`
|
|
4795
|
+
].join(" && ");
|
|
4796
|
+
await execAsync4(`sudo -u ${agentUsername} /bin/bash -c '${installCmd}'`, { timeout: 6e4 });
|
|
4797
|
+
log(`Installing Node.js v${nodeVersion} via NVM`);
|
|
4798
|
+
const nvmInstallCmd = [
|
|
4799
|
+
`export HOME="${agentHome}"`,
|
|
4800
|
+
`export NVM_DIR="${nvmDir}"`,
|
|
4801
|
+
`source "${nvmDir}/nvm.sh"`,
|
|
4802
|
+
`nvm install ${nodeVersion}`
|
|
4803
|
+
].join(" && ");
|
|
4804
|
+
await execAsync4(`sudo -u ${agentUsername} /bin/bash -c '${nvmInstallCmd}'`, { timeout: 12e4 });
|
|
4805
|
+
log("Resolving installed node binary path");
|
|
4806
|
+
const whichCmd = [
|
|
4807
|
+
`export HOME="${agentHome}"`,
|
|
4808
|
+
`export NVM_DIR="${nvmDir}"`,
|
|
4809
|
+
`source "${nvmDir}/nvm.sh"`,
|
|
4810
|
+
`nvm which ${nodeVersion}`
|
|
4811
|
+
].join(" && ");
|
|
4812
|
+
const { stdout } = await execAsync4(`sudo -u ${agentUsername} /bin/bash -c '${whichCmd}'`);
|
|
4813
|
+
const nodeBinaryPath = stdout.trim();
|
|
4814
|
+
if (!nodeBinaryPath) {
|
|
4815
|
+
return { ...empty, message: "NVM installed but could not resolve node binary path" };
|
|
4816
|
+
}
|
|
4817
|
+
log(`Verifying node binary at ${nodeBinaryPath}`);
|
|
4818
|
+
const { stdout: versionOut } = await execAsync4(
|
|
4819
|
+
`sudo -u ${agentUsername} /bin/bash -c '"${nodeBinaryPath}" --version'`
|
|
4820
|
+
);
|
|
4821
|
+
const actualVersion = versionOut.trim();
|
|
4822
|
+
log(`Node.js ${actualVersion} installed successfully`);
|
|
4823
|
+
return {
|
|
4824
|
+
success: true,
|
|
4825
|
+
nvmDir,
|
|
4826
|
+
nodeVersion: actualVersion,
|
|
4827
|
+
nodeBinaryPath,
|
|
4828
|
+
message: `Installed Node.js ${actualVersion} via NVM at ${nodeBinaryPath}`
|
|
4829
|
+
};
|
|
4830
|
+
} catch (error) {
|
|
4831
|
+
return {
|
|
4832
|
+
...empty,
|
|
4833
|
+
message: `NVM installation failed: ${error.message}`,
|
|
4834
|
+
error
|
|
4835
|
+
};
|
|
4836
|
+
}
|
|
4837
|
+
}
|
|
4661
4838
|
var BASIC_SYSTEM_COMMANDS = [
|
|
4662
4839
|
"ls",
|
|
4663
4840
|
"cat",
|
|
@@ -4737,10 +4914,30 @@ async function installPresetBinaries(options) {
|
|
|
4737
4914
|
const installedWrappers = [];
|
|
4738
4915
|
let seatbeltInstalled = false;
|
|
4739
4916
|
if (requiredBins.includes("node")) {
|
|
4740
|
-
|
|
4741
|
-
const
|
|
4742
|
-
|
|
4743
|
-
|
|
4917
|
+
const agentHome = userConfig.agentUser.home;
|
|
4918
|
+
const agentUsername = userConfig.agentUser.username;
|
|
4919
|
+
log("Installing NVM + Node.js for agent user");
|
|
4920
|
+
const nvmResult = await installAgentNvm({
|
|
4921
|
+
agentHome,
|
|
4922
|
+
agentUsername,
|
|
4923
|
+
socketGroupName,
|
|
4924
|
+
nodeVersion: options.nodeVersion,
|
|
4925
|
+
verbose
|
|
4926
|
+
});
|
|
4927
|
+
if (nvmResult.success) {
|
|
4928
|
+
log(`NVM installed Node.js ${nvmResult.nodeVersion} at ${nvmResult.nodeBinaryPath}`);
|
|
4929
|
+
log("Copying NVM node binary to /opt/agenshield/bin/node-bin");
|
|
4930
|
+
const nodeResult = await copyNodeBinary(userConfig, nvmResult.nodeBinaryPath);
|
|
4931
|
+
if (!nodeResult.success) {
|
|
4932
|
+
errors.push(`Node binary (from NVM): ${nodeResult.message}`);
|
|
4933
|
+
}
|
|
4934
|
+
} else {
|
|
4935
|
+
log(`NVM install failed: ${nvmResult.message}. Falling back to host node binary.`);
|
|
4936
|
+
log("Copying node binary to /opt/agenshield/bin/node-bin");
|
|
4937
|
+
const nodeResult = await copyNodeBinary(userConfig);
|
|
4938
|
+
if (!nodeResult.success) {
|
|
4939
|
+
errors.push(`Node binary: ${nodeResult.message}`);
|
|
4940
|
+
}
|
|
4744
4941
|
}
|
|
4745
4942
|
}
|
|
4746
4943
|
const needsInterceptor = requiredBins.some(
|
|
@@ -4863,6 +5060,8 @@ function generateBrokerPlist(config, options) {
|
|
|
4863
5060
|
<string>${configPath}</string>
|
|
4864
5061
|
<key>AGENSHIELD_SOCKET</key>
|
|
4865
5062
|
<string>${socketPath}</string>
|
|
5063
|
+
<key>AGENSHIELD_AGENT_HOME</key>
|
|
5064
|
+
<string>${config.agentUser.home}</string>
|
|
4866
5065
|
<key>NODE_ENV</key>
|
|
4867
5066
|
<string>production</string>
|
|
4868
5067
|
</dict>
|
|
@@ -5099,7 +5298,7 @@ async function fixSocketPermissions(config) {
|
|
|
5099
5298
|
message: "Broker socket not created after 10s \u2014 check /var/log/agenshield/broker.error.log"
|
|
5100
5299
|
};
|
|
5101
5300
|
}
|
|
5102
|
-
await execAsync5(`sudo chmod
|
|
5301
|
+
await execAsync5(`sudo chmod 666 "${socketPath}"`);
|
|
5103
5302
|
await execAsync5(`sudo chown ${brokerUsername}:${socketGroupName} "${socketPath}"`);
|
|
5104
5303
|
return {
|
|
5105
5304
|
success: true,
|
|
@@ -6140,6 +6339,7 @@ export {
|
|
|
6140
6339
|
classifyDirectory,
|
|
6141
6340
|
copyBrokerBinary,
|
|
6142
6341
|
copyNodeBinary,
|
|
6342
|
+
copyShieldClient,
|
|
6143
6343
|
createAgenCoSymlink,
|
|
6144
6344
|
createAgentDirectories,
|
|
6145
6345
|
createAgentUser,
|
|
@@ -6191,6 +6391,7 @@ export {
|
|
|
6191
6391
|
getWrapperDefinition,
|
|
6192
6392
|
groupExists,
|
|
6193
6393
|
injectAgenCoSkill,
|
|
6394
|
+
installAgentNvm,
|
|
6194
6395
|
installAllWrappers,
|
|
6195
6396
|
installBasicCommands,
|
|
6196
6397
|
installGuardedShell,
|
package/launchdaemon.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"launchdaemon.d.ts","sourceRoot":"","sources":["../src/launchdaemon.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAWH;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,OAAO,iBAAiB,EAAE,UAAU,EAC5C,OAAO,CAAC,EAAE;IACR,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACA,MAAM,
|
|
1
|
+
{"version":3,"file":"launchdaemon.d.ts","sourceRoot":"","sources":["../src/launchdaemon.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAWH;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,OAAO,iBAAiB,EAAE,UAAU,EAC5C,OAAO,CAAC,EAAE;IACR,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACA,MAAM,CAiER;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,CAAC,EAAE;IAClD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,MAAM,CA2DT;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;AACvF;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAClD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;AA+C1B;;GAEG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,YAAY,CAAC,CAe9D;AAED;;GAEG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,YAAY,CAAC,CAuBhE;AAED;;GAEG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,YAAY,CAAC,CAmBnE;AAED;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC,CAOxD;AAED;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAC/C,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC,CA6CD;AAED;;GAEG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,YAAY,CAAC,CAgB3D;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,CAAC,EAAE,OAAO,iBAAiB,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC,CA+C/G"}
|
package/macos.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"macos.d.ts","sourceRoot":"","sources":["../src/macos.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAuBhG;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAMpD;AAiBD;;GAEG;AACH,wBAAgB,kBAAkB,IAAI;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBzE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,OAAO,CAAC,aAAa,CAAM,GAAG,gBAAgB,CA6FvF;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,WAAW,GAAG;IAC3D,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,kBAAkB,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,
|
|
1
|
+
{"version":3,"file":"macos.d.ts","sourceRoot":"","sources":["../src/macos.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAuBhG;;GAEG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAMpD;AAiBD;;GAEG;AACH,wBAAgB,kBAAkB,IAAI;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBzE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,OAAO,CAAC,aAAa,CAAM,GAAG,gBAAgB,CA6FvF;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,WAAW,GAAG;IAC3D,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,kBAAkB,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAoCA;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE;IAAE,aAAa,CAAC,EAAE,OAAO,CAAA;CAAO,GACxC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAyCtC"}
|
package/migration.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"migration.d.ts","sourceRoot":"","sources":["../src/migration.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAE/D,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,MAAM,EAAE,KAAK,GAAG,KAAK,CAAC;IACtB,oCAAoC;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,yBAAyB;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gCAAgC;IAChC,QAAQ,CAAC,EAAE;QACT,WAAW,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,MAAM,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAmFD;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAqDjB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAuDjB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAMjB;AAyBD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,kBAAkB,GAAG;IAC9E,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,
|
|
1
|
+
{"version":3,"file":"migration.d.ts","sourceRoot":"","sources":["../src/migration.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAE/D,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,MAAM,EAAE,KAAK,GAAG,KAAK,CAAC;IACtB,oCAAoC;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,yBAAyB;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gCAAgC;IAChC,QAAQ,CAAC,EAAE;QACT,WAAW,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,MAAM,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAmFD;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAqDjB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAuDjB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAMjB;AAyBD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,kBAAkB,GAAG;IAC9E,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAyDA"}
|
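--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@agenshield/sandbox",
-"version": "0.
+"version": "0.6.0",
 "type": "module",
 "description": "User isolation and sandboxing utilities for AgenShield",
 "main": "./index.js",
@@ -15,7 +15,7 @@
 },
 "license": "MIT",
 "dependencies": {
-"@agenshield/skills": "0.
+"@agenshield/skills": "0.6.0",
 "yaml": "^2.7.1"
 },
 "devDependencies": {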
package/security.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":"AAAA;;GAEG;
|
|
1
|
+
{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":"AAAA;;GAEG;AAYH;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,2DAA2D;IAC3D,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,+BAA+B;IAC/B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,4CAA4C;IAC5C,UAAU,EAAE,OAAO,CAAC;IACpB,kCAAkC;IAClC,qBAAqB,EAAE,OAAO,CAAC;IAC/B,2CAA2C;IAC3C,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,wBAAwB;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,+BAA+B;IAC/B,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,sBAAsB;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,6BAA6B;IAC7B,KAAK,EAAE,QAAQ,GAAG,SAAS,GAAG,aAAa,GAAG,UAAU,CAAC;CAC1D;AAuBD;;GAEG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEpD;AA2DD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,gEAAgE;IAChE,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CAC1C;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE,oBAAoB,GAAG,cAAc,CAwElF"}
|
package/shield-exec.d.ts
CHANGED
|
@@ -16,5 +16,5 @@ export declare const PROXIED_COMMANDS: readonly ["curl", "wget", "git", "ssh", "
|
|
|
16
16
|
/**
|
|
17
17
|
* The content of shield-exec as a string, for installation
|
|
18
18
|
*/
|
|
19
|
-
export declare const SHIELD_EXEC_CONTENT = "#!/
|
|
19
|
+
export declare const SHIELD_EXEC_CONTENT = "#!/opt/agenshield/bin/node-bin\nimport path from 'node:path';\nimport net from 'node:net';\n\nconst DEFAULT_SOCKET_PATH = '/var/run/agenshield/agenshield.sock';\n\nfunction sendRequest(socketPath, request) {\n return new Promise((resolve, reject) => {\n const socket = net.createConnection(socketPath, () => {\n socket.write(JSON.stringify(request) + '\\n');\n });\n let data = '';\n socket.on('data', (chunk) => {\n data += chunk.toString();\n const idx = data.indexOf('\\n');\n if (idx >= 0) {\n try {\n const resp = JSON.parse(data.slice(0, idx));\n socket.end();\n resolve(resp);\n } catch (e) {\n socket.end();\n reject(new Error('Invalid JSON response: ' + e.message));\n }\n }\n });\n socket.on('error', (err) => reject(new Error('Socket error: ' + err.message)));\n socket.on('end', () => {\n if (data.trim()) {\n try { resolve(JSON.parse(data.trim())); }\n catch { reject(new Error('Connection closed before response')); }\n } else {\n reject(new Error('Connection closed without response'));\n }\n });\n socket.setTimeout(30000, () => {\n socket.destroy();\n reject(new Error('Request timed out'));\n });\n });\n}\n\nasync function main() {\n const socketPath = process.env.AGENSHIELD_SOCKET || DEFAULT_SOCKET_PATH;\n const invoked = path.basename(process.argv[1] || 'shield-exec');\n const args = process.argv.slice(2);\n const commandName = invoked === 'shield-exec' ? 
(args.shift() || '') : invoked;\n\n if (!commandName) {\n process.stderr.write('Usage: shield-exec <command> [args...]\\n');\n process.exit(1);\n }\n\n const request = {\n jsonrpc: '2.0',\n id: 'shield-exec-' + Date.now() + '-' + Math.random().toString(36).slice(2, 8),\n method: 'exec',\n params: { command: commandName, args: args, cwd: process.cwd() },\n };\n\n try {\n const response = await sendRequest(socketPath, request);\n if (response.error) {\n process.stderr.write('Error: ' + response.error.message + '\\n');\n process.exit(1);\n }\n const result = response.result;\n if (!result) { process.stderr.write('Error: Empty response\\n'); process.exit(1); }\n if (!result.success) {\n process.stderr.write('Error: ' + (result.error?.message || 'Unknown error') + '\\n');\n process.exit(1);\n }\n const data = result.data;\n if (!data) process.exit(0);\n if (data.stdout) process.stdout.write(data.stdout);\n if (data.stderr) process.stderr.write(data.stderr);\n process.exit(data.exitCode ?? 0);\n } catch (err) {\n process.stderr.write('shield-exec error: ' + err.message + '\\n');\n process.exit(1);\n }\n}\n\nmain().catch((err) => { process.stderr.write('Fatal: ' + err.message + '\\n'); process.exit(1); });\n";
|
|
20
20
|
//# sourceMappingURL=shield-exec.d.ts.map
|
package/shield-exec.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"shield-exec.d.ts","sourceRoot":"","sources":["../src/shield-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,0CAA0C;AAC1C,eAAO,MAAM,gBAAgB,oCAAoC,CAAC;AAKlE,4EAA4E;AAC5E,eAAO,MAAM,gBAAgB,iIAInB,CAAC;AAsKX;;GAEG;AACH,eAAO,MAAM,mBAAmB,
|
|
1
|
+
{"version":3,"file":"shield-exec.d.ts","sourceRoot":"","sources":["../src/shield-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,0CAA0C;AAC1C,eAAO,MAAM,gBAAgB,oCAAoC,CAAC;AAKlE,4EAA4E;AAC5E,eAAO,MAAM,gBAAgB,iIAInB,CAAC;AAsKX;;GAEG;AACH,eAAO,MAAM,mBAAmB,kzFAoF/B,CAAC"}
|
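--- a/package/wrappers.d.ts
+++ b/package/wrappers.d.ts
@@ -179,11 +179,50 @@ export declare function deployInterceptor(userConfig?: UserConfig): Promise<Wrap
 * The broker is the privileged daemon that handles socket communication.
 */
 export declare function copyBrokerBinary(userConfig?: UserConfig): Promise<WrapperResult>;
+/**
+* Copy the shield-client binary to /opt/agenshield/bin/
+* Shield-client is the CLI used by wrapper scripts (curl, git, etc.) to route
+* operations through the broker.
+*
+* IMPORTANT: The shebang is rewritten from #!/usr/bin/env node to
+* #!/opt/agenshield/bin/node-bin so that shield-client runs WITHOUT the
+* interceptor. Otherwise there's an infinite recursion:
+* interceptor → curl wrapper → shield-client → node+interceptor → …
+*/
+export declare function copyShieldClient(userConfig?: UserConfig): Promise<WrapperResult>;
 /**
 * Copy the current Node.js binary to the sandbox so the node wrapper
 * can exec a known-good binary without relying on system PATH.
 */
-export declare function copyNodeBinary(userConfig?: UserConfig): Promise<WrapperResult>;
+export declare function copyNodeBinary(userConfig?: UserConfig, sourcePath?: string): Promise<WrapperResult>;
+/**
+* Result of NVM + Node.js installation for the agent user
+*/
+export interface NvmInstallResult {
+success: boolean;
+nvmDir: string;
+nodeVersion: string;
+nodeBinaryPath: string;
+message: string;
+error?: Error;
+}
+/**
+* Install NVM and a specific Node.js version for the agent user.
+*
+* Runs as the agent user via `sudo -u` with `/bin/bash` (not guarded-shell).
+* The NVM directory is created under the agent's home so versions can be
+* managed independently of the host system.
+*
+* The installed node binary is then copied to /opt/agenshield/bin/node-bin
+* by the caller via copyNodeBinary(userConfig, nodeBinaryPath).
+*/
+export declare function installAgentNvm(options: {
+agentHome: string;
+agentUsername: string;
+socketGroupName: string;
+nodeVersion?: string;
+verbose?: boolean;
+}): Promise<NvmInstallResult>;
 export interface PresetInstallResult {
 success: boolean;
 installedWrappers: string[];
@@ -212,6 +251,7 @@ export declare function installPresetBinaries(options: {
 userConfig: UserConfig;
 binDir: string;
 socketGroupName: string;
+nodeVersion?: string;
 verbose?: boolean;
 }): Promise<PresetInstallResult>;
 //# sourceMappingURL=wrappers.d.ts.map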
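Review bot: The doc comment added for `installAgentNvm` does not say that the function fetches and runs a remote script: in the `index.js` implementation shown earlier on this page it downloads `install.sh` from raw.githubusercontent.com at the nvm tag v0.40.1 and pipes it to `/bin/bash` as the agent user, with no checksum comparison visible. I would add `* Requires network access: downloads the nvm install script (pinned by tag, not by digest) and executes it as the agent user.` to the comment, so callers can decide whether that is acceptable during sandbox setup. The same implementation splices `agentHome`, `agentUsername` and `nodeVersion` into `sudo -u … /bin/bash -c '…'` strings, and the new `sourcePath` of `copyNodeBinary` into `sudo cp "${srcPath}" …`, so the declarations should also state `* These values are passed to a shell unescaped; callers must supply trusted, validated strings.` until the implementation validates them itself. Both functions' bodies are outside this section, so the wording is based on the `index.js` hunks only.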
package/wrappers.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wrappers.d.ts","sourceRoot":"","sources":["../src/wrappers.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAOlD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,oDAAoD;IACpD,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,qCAAqC;IACrC,QAAQ,EAAE,CAAC,MAAM,EAAE,aAAa,KAAK,MAAM,CAAC;CAC7C;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,mEAAmE;IACnE,eAAe,EAAE,MAAM,CAAC;IACxB,gCAAgC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,aAAa,CAe9E;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAgWjE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,QAAQ,EAQhB,MAAM,CAAC,MAAM,EAAE;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAE9D,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,GAAG,IAAI,CAMf;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,aAAa,CAAC,CAsBxB;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,KAAK,CAAC,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CA6BxB;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,SAAS,GAAE,MAAsC,EACjD,MAAM,CAAC,EAAE,aAAa,GACrB,OAAO,CAAC,aAAa,EAAE,CAAC,CA2B1B;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,aAAa,GACrB,OAAO,CAAC,aAAa,EAAE,CAAC,CAsC1B;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,
MAAM,GAChB,OAAO,CAAC,aAAa,CAAC,CA8BxB;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,SAAS,GAAE,MAAsC,GAChD,OAAO,CAAC,aAAa,EAAE,CAAC,CAS1B;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,SAAS,GAAE,MAAsC,GAChD,OAAO,CAAC;IACT,KAAK,EAAE,OAAO,CAAC;IACf,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC,CAmBD;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,UAAU,EACtB,WAAW,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACnD,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB,CAAC,CAkBD;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,UAAU,CAAC,EAAE,UAAU,EACvB,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,aAAa,CAAC,CAiExB;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB,CAAC,CA+FD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAE/C;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAE3E;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAGzD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAG5D;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,OAAe,EACxB,KAAK,CAAC,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CAKxB;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC,aAAa,CAAC,CAkCxB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC,aAAa,CAAC,CAiBxB;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,CAAC,EAAE,UAAU,GACtB,OAAO,CAAC,aAAa,CAAC,CAkCxB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,CAAC,EAAE,UAAU,GACtB,OAAO,CAAC,aAAa,CAAC,
|
|
1
|
+
{"version":3,"file":"wrappers.d.ts","sourceRoot":"","sources":["../src/wrappers.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAOlD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,oDAAoD;IACpD,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,qCAAqC;IACrC,QAAQ,EAAE,CAAC,MAAM,EAAE,aAAa,KAAK,MAAM,CAAC;CAC7C;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,mEAAmE;IACnE,eAAe,EAAE,MAAM,CAAC;IACxB,gCAAgC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,aAAa,CAe9E;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAgWjE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,QAAQ,EAQhB,MAAM,CAAC,MAAM,EAAE;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAE9D,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,GAAG,IAAI,CAMf;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,aAAa,CAAC,CAsBxB;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,KAAK,CAAC,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CA6BxB;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,SAAS,GAAE,MAAsC,EACjD,MAAM,CAAC,EAAE,aAAa,GACrB,OAAO,CAAC,aAAa,EAAE,CAAC,CA2B1B;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,aAAa,GACrB,OAAO,CAAC,aAAa,EAAE,CAAC,CAsC1B;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,
MAAM,GAChB,OAAO,CAAC,aAAa,CAAC,CA8BxB;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,SAAS,GAAE,MAAsC,GAChD,OAAO,CAAC,aAAa,EAAE,CAAC,CAS1B;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,SAAS,GAAE,MAAsC,GAChD,OAAO,CAAC;IACT,KAAK,EAAE,OAAO,CAAC;IACf,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC,CAmBD;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,UAAU,EACtB,WAAW,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACnD,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB,CAAC,CAkBD;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,UAAU,CAAC,EAAE,UAAU,EACvB,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,aAAa,CAAC,CAiExB;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB,CAAC,CA+FD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAE/C;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAE3E;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAGzD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAG5D;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,OAAe,EACxB,KAAK,CAAC,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CAKxB;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC,aAAa,CAAC,CAkCxB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC,aAAa,CAAC,CAiBxB;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,CAAC,EAAE,UAAU,GACtB,OAAO,CAAC,aAAa,CAAC,CAkCxB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,CAAC,EAAE,UAAU,GACtB,OAAO,CAAC,aAAa,CAAC,CAqDxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,CAAC,EAAE,UAAU,GACtB,OAAO,CAAC,aAAa,CAAC,CAgDxB;AAwED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,UAAU,CAAC,EAAE,UAAU,EACvB,UAA
U,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,aAAa,CAAC,CAoCxB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAID;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA8E5B;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,eAAO,MAAM,qBAAqB,UAMjC,CAAC;AAEF;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9B,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,MAAM,EAAE,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CA+BtE;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CAAC,OAAO,EAAE;IACnD,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,UAAU,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAiH/B"}
|