@agenshield/sandbox 0.5.0 → 0.6.0
- package/directories.d.ts.map +1 -1
- package/guarded-shell.d.ts +1 -1
- package/guarded-shell.d.ts.map +1 -1
- package/index.d.ts +1 -1
- package/index.d.ts.map +1 -1
- package/index.js +224 -36
- package/launchdaemon.d.ts.map +1 -1
- package/migration.d.ts.map +1 -1
- package/package.json +2 -2
- package/security.d.ts.map +1 -1
- package/shield-exec.d.ts +1 -1
- package/shield-exec.d.ts.map +1 -1
- package/wrappers.d.ts +41 -1
- package/wrappers.d.ts.map +1 -1
package/directories.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"directories.d.ts","sourceRoot":"","sources":["../src/directories.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAK/D;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;IAC5C,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;CAC5C;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,kBAAkB,
|
|
1
|
+
{"version":3,"file":"directories.d.ts","sourceRoot":"","sources":["../src/directories.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAK/D;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;IAC5C,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;CAC5C;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,kBAAkB,CA+HhF;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,WAAW,CAalE;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE;IACP,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf,EACD,cAAc,CAAC,EAAE,cAAc,GAC9B,OAAO,CAAC,eAAe,CAAC,CA6B1B;AAED;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CAUvH;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CAsB/G;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CActH;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CAKpH;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC;IACpE,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACnD,CAAC,CA8DD;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,eAAe,CAAC,CAyBxF;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;IAC/D,MAAM,EAAE,OAAO,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,IAAI,CAAC
,CAcR;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CA2C1F"}
|
package/guarded-shell.d.ts
CHANGED
|
@@ -30,5 +30,5 @@ export declare const ZDOT_ZSHENV_CONTENT = "# AgenShield restricted .zshenv\n# R
|
|
|
30
30
|
* ZDOTDIR .zshrc — interactive shell restrictions.
|
|
31
31
|
* Applies RESTRICTED mode, locks variables, disables builtins, installs hooks.
|
|
32
32
|
*/
|
|
33
|
-
export declare const ZDOT_ZSHRC_CONTENT = "# AgenShield restricted .zshrc\n# Applied to every interactive shell for the agent user.\n\nemulate -LR zsh\n\n# Re-set HISTFILE (safety: ensure it points to agent's home, not ZDOTDIR)\nHISTFILE=\"$HOME/.zsh_history\"\n\n# Re-set PATH (only ~/bin \u2014 override anything that may have been added)\nPATH=\"$HOME/bin\"\n\n# ---- Shell options ----\n# Note: NOT using setopt RESTRICTED as it disables cd entirely.\n# Instead we use preexec hooks and builtin disable for enforcement.\nsetopt NO_CASE_GLOB\nsetopt NO_BEEP\n\n# ---- Lock critical variables (readonly) ----\ntypeset -r PATH HOME SHELL HISTFILE\n\n# ---- Enforcement helpers ----\ndeny() {\n print -r -- \"Denied by policy\"\n return 126\n}\n\nis_allowed_cmd() {\n local cmd=\"$1\"\n\n # Allow zsh reserved words (if, for, while, [[, case, etc.)\n [[ \"$(whence -w \"$cmd\" 2>/dev/null)\" == *\": reserved\" ]] && return 0\n\n # Allow shell builtins we explicitly permit\n case \"$cmd\" in\n cd|pwd|echo|printf|test|true|false|exit|return|break|continue|shift|set|unset|export|typeset|local|declare|readonly|let|read|print|pushd|popd|dirs|jobs|fg|bg|kill|wait|times|ulimit|umask|history|fc|type|whence|which|where|rehash)\n return 0\n ;;\n esac\n\n # Deny path execution outright\n [[ \"$cmd\" == */* ]] && return 1\n\n # Resolve command path\n local resolved\n resolved=\"$(whence -p -- \"$cmd\" 2>/dev/null)\" || return 1\n\n # Must live under HOME/bin exactly\n [[ \"$resolved\" == \"$HOME/bin/\"* ]] && return 0\n return 1\n}\n\n# ---- Block dangerous builtins ----\ndisable -r builtin command exec eval hash nohup setopt source unfunction functions alias unalias 2>/dev/null || true\n\n# ---- Intercept every interactive command before execution ----\npreexec() {\n
|
|
33
|
+
export declare const ZDOT_ZSHRC_CONTENT = "# AgenShield restricted .zshrc\n# Applied to every interactive shell for the agent user.\n\nemulate -LR zsh\n\n# Re-set HISTFILE (safety: ensure it points to agent's home, not ZDOTDIR)\nHISTFILE=\"$HOME/.zsh_history\"\n\n# Re-set PATH (only ~/bin \u2014 override anything that may have been added)\nPATH=\"$HOME/bin\"\n\n# ---- Shell options ----\n# Note: NOT using setopt RESTRICTED as it disables cd entirely.\n# Instead we use preexec hooks and builtin disable for enforcement.\nsetopt NO_CASE_GLOB\nsetopt NO_BEEP\n\n# ---- Lock critical variables (readonly) ----\ntypeset -r PATH HOME SHELL HISTFILE\n\n# ---- Enforcement helpers ----\ndeny() {\n print -r -- \"Denied by policy\"\n return 126\n}\n\nis_allowed_cmd() {\n local cmd=\"$1\"\n\n # Allow zsh reserved words (if, for, while, [[, case, etc.)\n [[ \"$(whence -w \"$cmd\" 2>/dev/null)\" == *\": reserved\" ]] && return 0\n\n # Allow shell builtins we explicitly permit\n case \"$cmd\" in\n cd|pwd|echo|printf|test|true|false|exit|return|break|continue|shift|set|unset|export|typeset|local|declare|readonly|let|read|print|pushd|popd|dirs|jobs|fg|bg|kill|wait|times|ulimit|umask|history|fc|type|whence|which|where|rehash)\n return 0\n ;;\n esac\n\n # Deny path execution outright\n [[ \"$cmd\" == */* ]] && return 1\n\n # Resolve command path\n local resolved\n resolved=\"$(whence -p -- \"$cmd\" 2>/dev/null)\" || return 1\n\n # Must live under HOME/bin exactly\n [[ \"$resolved\" == \"$HOME/bin/\"* ]] && return 0\n return 1\n}\n\n# ---- Block dangerous builtins ----\ndisable -r builtin command exec eval hash nohup setopt source unfunction functions alias unalias 2>/dev/null || true\n\n# ---- Intercept every interactive command before execution ----\npreexec() {\n # Enforcement handled by TRAPDEBUG (which can cancel execution via return 126).\n # preexec cannot prevent execution, so we don't enforce here.\n return 0\n}\n\n# ---- Also intercept non-interactive \\`zsh -c\\` cases 
----\ntypeset -gi __ash_guard=0\n\nTRAPDEBUG() {\n # Prevent recursion when our own checks invoke whence/is_allowed_cmd\n (( __ash_guard )) && return 0\n\n local line=\"${ZSH_DEBUG_CMD:-$1}\"\n local cmd=\"${line%%[[:space:]]*}\"\n [[ -z \"$cmd\" ]] && return 0\n\n # Skip variable assignments (e.g. resolved=\"$(whence ...)\")\n [[ \"$cmd\" == *=* ]] && return 0\n\n # Skip zsh reserved words ([[, if, for, while, case, etc.)\n __ash_guard=1\n [[ \"$(whence -w \"$cmd\" 2>/dev/null)\" == *\": reserved\" ]] && { __ash_guard=0; return 0; }\n\n [[ \"$cmd\" == */* ]] && { __ash_guard=0; print -r -- \"Denied: direct path execution\"; return 126; }\n is_allowed_cmd \"$cmd\" || { __ash_guard=0; print -r -- \"Denied: $cmd\"; return 126; }\n __ash_guard=0\n return 0\n}\n\n# ---- Ensure accessible working directory ----\ncd \"$HOME\" 2>/dev/null || cd /\n";
|
|
34
34
|
//# sourceMappingURL=guarded-shell.d.ts.map
|
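Review bot: With `preexec` reduced to `return 0`, `TRAPDEBUG` is the only enforcement point in `ZDOT_ZSHRC_CONTENT`, and it returns 0 as soon as the first whitespace-delimited token contains `=` (`[[ "$cmd" == *=* ]] && return 0`), before the slash check and `is_allowed_cmd` are reached. As written, the command word that follows a leading `NAME=value` prefix is never validated, so the early return should be replaced by stripping leading assignment words and running the existing checks on the token that remains. The old `preexec` body is truncated on this page, so whether it covered that case cannot be told from here. The interaction with `ZSH_DEBUG_CMD` should be pinned by a regression test against the installed shell.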
package/guarded-shell.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"guarded-shell.d.ts","sourceRoot":"","sources":["../src/guarded-shell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,eAAO,MAAM,kBAAkB,iCAAiC,CAAC;AACjE,eAAO,MAAM,QAAQ,yBAAyB,CAAC;AAE/C;;;GAGG;AACH,eAAO,MAAM,qBAAqB,0jBAgBjC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mBAAmB,8xBAsB/B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,
|
|
1
|
+
{"version":3,"file":"guarded-shell.d.ts","sourceRoot":"","sources":["../src/guarded-shell.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,eAAO,MAAM,kBAAkB,iCAAiC,CAAC;AACjE,eAAO,MAAM,QAAQ,yBAAyB,CAAC;AAE/C;;;GAGG;AACH,eAAO,MAAM,qBAAqB,0jBAgBjC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mBAAmB,8xBAsB/B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,qyFAuF9B,CAAC"}
|
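--- a/package/index.d.ts
+++ b/package/index.d.ts
@@ -18,7 +18,7 @@ export * from './detect';
 export * from './backup';
 export * from './restore';
 export { SHIELD_EXEC_CONTENT, SHIELD_EXEC_PATH, PROXIED_COMMANDS, } from './shield-exec';
-export { WRAPPERS, WRAPPER_DEFINITIONS, installWrapper, installWrappers, installSpecificWrappers, installWrapperWithSudo, uninstallWrapper, uninstallWrappers, verifyWrappers, installGuardedShell, installAllWrappers, installShieldExec, deployInterceptor, copyNodeBinary, copyBrokerBinary, installPresetBinaries, installBasicCommands, BASIC_SYSTEM_COMMANDS, type PresetInstallResult, getAvailableWrappers, getWrapperDefinition, generateWrapperContent, getDefaultWrapperConfig, wrapperUsesSeatbelt, wrapperUsesInterceptor, addDynamicWrapper, removeDynamicWrapper, updateWrapper, type WrapperResult, type WrapperDefinition, type WrapperConfig, } from './wrappers';
+export { WRAPPERS, WRAPPER_DEFINITIONS, installWrapper, installWrappers, installSpecificWrappers, installWrapperWithSudo, uninstallWrapper, uninstallWrappers, verifyWrappers, installGuardedShell, installAllWrappers, installShieldExec, deployInterceptor, copyNodeBinary, copyBrokerBinary, copyShieldClient, installAgentNvm, type NvmInstallResult, installPresetBinaries, installBasicCommands, BASIC_SYSTEM_COMMANDS, type PresetInstallResult, getAvailableWrappers, getWrapperDefinition, generateWrapperContent, getDefaultWrapperConfig, wrapperUsesSeatbelt, wrapperUsesInterceptor, addDynamicWrapper, removeDynamicWrapper, updateWrapper, type WrapperResult, type WrapperDefinition, type WrapperConfig, } from './wrappers';
 export { generateAgentProfile, generateOperationProfile, installProfiles, installSeatbeltProfiles, verifyProfile, getInstalledProfiles, type ProfileResult, } from './seatbelt';
 export { generateBrokerPlist, generateBrokerPlistLegacy, installLaunchDaemon, loadLaunchDaemon, unloadLaunchDaemon, uninstallLaunchDaemon, isDaemonRunning, getDaemonStatus, restartDaemon, fixSocketPermissions, type DaemonResult, } from './launchdaemon';
 export { getPreset, listPresets, listAutoDetectablePresets, autoDetectPreset, formatPresetList, openclawPreset, devHarnessPreset, customPreset, PRESETS, type TargetPreset, type PresetDetectionResult, type MigrationContext, type MigrationDirectories, type PresetMigrationResult, } from './presets';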
package/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,gBAAgB,EAAE,kBAAkB,IAAI,yBAAyB,EAAE,MAAM,SAAS,CAAC;AAG7H,cAAc,iBAAiB,CAAC;AAGhC,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,WAAW,EACX,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,uBAAuB,EACvB,WAAW,EACX,UAAU,EACV,YAAY,EACZ,WAAW,EACX,uBAAuB,EACvB,WAAW,EACX,UAAU,EACV,WAAW,EACX,YAAY,EACZ,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,KAAK,YAAY,GAClB,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,wBAAwB,EACxB,iBAAiB,EACjB,eAAe,EACf,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,oBAAoB,EACpB,gBAAgB,EAChB,oBAAoB,EACpB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,GACrB,MAAM,eAAe,CAAC;AAGvB,cAAc,aAAa,CAAC;AAG5B,cAAc,YAAY,CAAC;AAG3B,cAAc,UAAU,CAAC;AAGzB,cAAc,UAAU,CAAC;AACzB,cAAc,WAAW,CAAC;AAG1B,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,eAAe,CAAC;AAGvB,OAAO,EACL,QAAQ,EACR,mBAAmB,EACnB,cAAc,EACd,eAAe,EACf,uBAAuB,EACvB,sBAAsB,EACtB,gBAAgB,EAChB,iBAAiB,EACjB,cAAc,EACd,mBAAmB,EACnB,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,qBAAqB,EACrB,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,mBAAmB,EAExB,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,sBAAsB,EACtB,iBAAiB,EACjB,oBAAoB,EACpB,aAAa,EACb,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,oBAAoB,EACpB,wBAAwB,EACxB,eAAe,EACf,uBAAuB,EACvB,aAAa,EACb,oBAAoB,EACpB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,mBAAmB,EACnB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACrB,eAAe,EACf,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,KAAK,YAAY,GAClB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAEL,SAAS,EACT,WAAW,EACX,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAEhB,cAAc,EACd,gBAAgB,EAChB,YAAY,EACZ,OAAO,EAEP,KAAK,YAAY,EACjB,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,WAAW,CAAC;AAGnB,OAAO,EACL,aAAa,EACb,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,iBAAi
B,GAClB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,EACpB,uBAAuB,EACvB,YAAY,EACZ,kBAAkB,EAClB,KAAK,oBAAoB,GAC1B,MAAM,kBAAkB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,gBAAgB,EAAE,kBAAkB,IAAI,yBAAyB,EAAE,MAAM,SAAS,CAAC;AAG7H,cAAc,iBAAiB,CAAC;AAGhC,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,WAAW,EACX,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,WAAW,EACX,uBAAuB,EACvB,WAAW,EACX,UAAU,EACV,YAAY,EACZ,WAAW,EACX,uBAAuB,EACvB,WAAW,EACX,UAAU,EACV,WAAW,EACX,YAAY,EACZ,oBAAoB,EACpB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,KAAK,YAAY,GAClB,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,wBAAwB,EACxB,iBAAiB,EACjB,eAAe,EACf,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,EACpB,iBAAiB,EACjB,eAAe,EACf,oBAAoB,EACpB,gBAAgB,EAChB,oBAAoB,EACpB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,GACrB,MAAM,eAAe,CAAC;AAGvB,cAAc,aAAa,CAAC;AAG5B,cAAc,YAAY,CAAC;AAG3B,cAAc,UAAU,CAAC;AAGzB,cAAc,UAAU,CAAC;AACzB,cAAc,WAAW,CAAC;AAG1B,OAAO,EACL,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,eAAe,CAAC;AAGvB,OAAO,EACL,QAAQ,EACR,mBAAmB,EACnB,cAAc,EACd,eAAe,EACf,uBAAuB,EACvB,sBAAsB,EACtB,gBAAgB,EAChB,iBAAiB,EACjB,cAAc,EACd,mBAAmB,EACnB,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,eAAe,EACf,KAAK,gBAAgB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,mBAAmB,EAExB,oBAAoB,EACpB,oBAAoB,EACpB,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,sBAAsB,EACtB,iBAAiB,EACjB,oBAAoB,EACpB,aAAa,EACb,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,oBAAoB,EACpB,wBAAwB,EACxB,eAAe,EACf,uBAAuB,EACvB,aAAa,EACb,oBAAoB,EACpB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,mBAAmB,EACnB,gBAAgB,EAChB,kBAAkB,EAClB,qBAAqB,EACrB,eAAe,EACf,eAAe,EACf,aAAa,EACb,oBAAoB,EACpB,KAAK,YAAY,GAClB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAEL,SAAS,EACT,WAAW,EACX,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAEhB,cAAc,EACd,gBAAgB,EAChB,YAAY,EACZ,OAAO,EAEP,KAAK,YAAY,EACjB,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,GAC3B,MAAM,WAAW,CAAC;AAGnB,OAAO,EACL,aAAa,EACb,YAAY,EA
CZ,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,EACpB,uBAAuB,EACvB,YAAY,EACZ,kBAAkB,EAClB,KAAK,oBAAoB,GAC1B,MAAM,kBAAkB,CAAC"}
|
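--- a/package/index.js
+++ b/package/index.js
@@ -119,20 +119,9 @@ disable -r builtin command exec eval hash nohup setopt source unfunction functio
 
 # ---- Intercept every interactive command before execution ----
 preexec() {
-
-
-
-# Empty / whitespace lines
-[[ -z "$cmd" ]] && return 0
-
-# Deny anything with slash in the command token (direct path execution)
-[[ "$cmd" == */* ]] && { print -r -- "Denied: direct path execution"; kill -KILL $$; }
-
-# Deny anything not allowed
-if ! is_allowed_cmd "$cmd"; then
-print -r -- "Denied: $cmd (not in $HOME/bin)"
-kill -KILL $$
-fi
+# Enforcement handled by TRAPDEBUG (which can cancel execution via return 126).
+# preexec cannot prevent execution, so we don't enforce here.
+return 0
 }
 
 # ---- Also intercept non-interactive \\\`zsh -c\\\` cases ----
@@ -300,7 +289,7 @@ var init_shield_exec = __esm({
 process.exit(1);
 });
 }
-SHIELD_EXEC_CONTENT = `#!/
+SHIELD_EXEC_CONTENT = `#!/opt/agenshield/bin/node-bin
 import path from 'node:path';
 import net from 'node:net';
 
@@ -1217,17 +1206,17 @@ function createDirectoryStructure(config) {
 group: "wheel"
 },
 "/opt/agenshield/config": {
-mode:
+mode: 509,
 owner: brokerUsername,
 group: socketGroupName
 },
 "/opt/agenshield/policies": {
-mode:
+mode: 509,
 owner: brokerUsername,
 group: socketGroupName
 },
 "/opt/agenshield/policies/custom": {
-mode:
+mode: 509,
 owner: brokerUsername,
 group: socketGroupName
 },
@@ -1326,6 +1315,11 @@ function createDirectoryStructure(config) {
 mode: 493,
 owner: agentUsername,
 group: socketGroupName
+},
+[`${agentHome}/.nvm`]: {
+mode: 493,
+owner: agentUsername,
+group: socketGroupName
 }
 }
 };
@@ -1567,7 +1561,7 @@ function createOpenClawWrapper(user, dirs, method) {
 entryPath = path.resolve(dirs.packageDir, binEntry);
 } catch {
 }
-const wrapperContent = `#!/
+const wrapperContent = `#!/bin/bash
 set -euo pipefail
 # Avoid getcwd errors when cwd is inaccessible
 cd ~ 2>/dev/null || cd /
@@ -1699,10 +1693,32 @@ function injectSkillWatcherSetting(configDir) {
 }
 function createNodeWrapper(user, dirs) {
 let nodePath;
-
-
-
-
+const sandboxNodeBin = "/opt/agenshield/bin/node-bin";
+if (fs3.existsSync(sandboxNodeBin)) {
+nodePath = sandboxNodeBin;
+} else {
+const nvmVersionsDir = path.join(user.homeDir, ".nvm", "versions", "node");
+let nvmNode;
+try {
+const versions = fs3.readdirSync(nvmVersionsDir).sort();
+for (const v of versions.reverse()) {
+const candidate = path.join(nvmVersionsDir, v, "bin", "node");
+if (fs3.existsSync(candidate)) {
+nvmNode = candidate;
+break;
+}
+}
+} catch {
+}
+if (nvmNode) {
+nodePath = nvmNode;
+} else {
+try {
+nodePath = execSync2("which node", { encoding: "utf-8" }).trim();
+} catch {
+return { success: false, error: "Node.js not found (checked /opt/agenshield/bin/node-bin, agent NVM, and system PATH)" };
+}
+}
 }
 const wrapperPath = path.join(dirs.binDir, "node");
 const wrapperContent = `#!/bin/bash
@@ -1730,6 +1746,7 @@ import * as os from "node:os";
 import * as fs4 from "node:fs";
 import { execSync as execSync3 } from "node:child_process";
 init_guarded_shell();
+var SANDBOX_USERS = ["openclaw", "ash_default_agent"];
 var SECRET_PATTERNS = [
 /^TWILIO_/i,
 /^OPENAI_/i,
@@ -1793,19 +1810,19 @@ function checkSecurityStatus(options) {
 const warnings = [];
 const critical = [];
 const recommendations = [];
-const sandboxUserExists = userExists(
+const sandboxUserExists = SANDBOX_USERS.some((u) => userExists(u));
 const guardedShellInstalled = isGuardedShellInstalled();
 const processes = getOpenClawProcesses();
-const isolatedProcesses = processes.filter((p) => p.user
-const unIsolatedProcesses = processes.filter((p) => p.user
-const isIsolated = sandboxUserExists &&
+const isolatedProcesses = processes.filter((p) => SANDBOX_USERS.includes(p.user));
+const unIsolatedProcesses = processes.filter((p) => !SANDBOX_USERS.includes(p.user));
+const isIsolated = sandboxUserExists && unIsolatedProcesses.length === 0;
 const exposedSecrets = checkExposedSecrets(options?.env);
 if (runningAsRoot) {
 critical.push("DANGER: Running as root! OpenClaw should never run as root.");
 recommendations.push("Run AgenShield setup to isolate OpenClaw in unprivileged sandbox");
 }
 if (!sandboxUserExists) {
-warnings.push(
+warnings.push("No sandbox user found (checked: " + SANDBOX_USERS.join(", ") + ")");
 recommendations.push('Run "agenshield setup" to create isolated sandbox user');
 }
 if (unIsolatedProcesses.length > 0) {
@@ -2135,7 +2152,8 @@ var OperationTypeSchema = z2.enum([
 "open_url",
 "secret_inject",
 "ping",
-"policy_check"
+"policy_check",
+"events_batch"
 ]);
 var HttpRequestParamsSchema = z2.object({
 url: z2.string().url(),
@@ -4646,20 +4664,99 @@ PKGJSONEOF`
 };
 }
 }
-async function
+async function copyShieldClient(userConfig) {
+const targetPath = "/opt/agenshield/bin/shield-client";
+const socketGroupName = userConfig?.groups?.socket?.name || "ash_socket";
+try {
+const brokerPkgPath = require2.resolve("@agenshield/broker/package.json");
+const brokerDir = path6.dirname(brokerPkgPath);
+const brokerPkg = JSON.parse(await fs9.readFile(brokerPkgPath, "utf-8"));
+const clientEntry = typeof brokerPkg.bin === "object" ? brokerPkg.bin["shield-client"] : null;
+const srcPath = path6.resolve(brokerDir, clientEntry || "./dist/client/shield-client.js");
+await fs9.access(srcPath);
+let content = await fs9.readFile(srcPath, "utf-8");
+content = content.replace(
+/^#!\/usr\/bin\/env node/,
+"#!/opt/agenshield/bin/node-bin"
+);
+const tmpPath = "/tmp/shield-client-install";
+await fs9.writeFile(tmpPath, content, { mode: 493 });
+await execAsync4("sudo mkdir -p /opt/agenshield/bin");
+await execAsync4(`sudo mv "${tmpPath}" "${targetPath}"`);
+await execAsync4(`sudo chmod 755 "${targetPath}"`);
+await execAsync4(`sudo chown root:${socketGroupName} "${targetPath}"`);
+return {
+success: true,
+name: "shield-client",
+path: targetPath,
+message: `Shield-client installed to ${targetPath}`
+};
+} catch (error) {
+return {
+success: false,
+name: "shield-client",
+path: targetPath,
+message: `Failed to install shield-client: ${error.message}`,
+error
+};
+}
+}
+async function copyNodeDylibs(srcBinaryPath, socketGroupName) {
+const copied = [];
+const errors = [];
+try {
+const { stdout } = await execAsync4(`/usr/bin/otool -L "${srcBinaryPath}"`);
+const lines = stdout.split("\n");
+for (const line of lines) {
+const match = line.match(
+/\s+(@loader_path|@rpath)(\/[^\s]+\/)(libnode[^\s(]+)/
+);
+if (!match) continue;
+const prefix = match[1];
+const relPath = match[2];
+const dylibName = match[3];
+let resolvedPath;
+if (prefix === "@loader_path") {
+resolvedPath = path6.resolve(path6.dirname(srcBinaryPath), relPath, dylibName);
+} else {
+resolvedPath = path6.resolve(path6.dirname(srcBinaryPath), "..", "lib", dylibName);
+}
+try {
+await fs9.access(resolvedPath);
+} catch {
+errors.push(`dylib not found on disk: ${resolvedPath}`);
+continue;
+}
+const targetPath = `/opt/agenshield/lib/${dylibName}`;
+try {
+await execAsync4(`sudo cp "${resolvedPath}" "${targetPath}"`);
+await execAsync4(`sudo chown root:${socketGroupName} "${targetPath}"`);
+await execAsync4(`sudo chmod 755 "${targetPath}"`);
+copied.push(dylibName);
+} catch (err) {
+errors.push(`Failed to copy ${dylibName}: ${err.message}`);
+}
+}
+} catch {
+}
+return { copied, errors };
+}
+async function copyNodeBinary(userConfig, sourcePath) {
 const targetPath = "/opt/agenshield/bin/node-bin";
 const socketGroupName = userConfig?.groups?.socket?.name || "ash_socket";
 try {
-const srcPath = process.execPath;
+const srcPath = sourcePath || process.execPath;
 await fs9.access(srcPath);
 await execAsync4(`sudo cp "${srcPath}" "${targetPath}"`);
 await execAsync4(`sudo chown root:${socketGroupName} "${targetPath}"`);
 await execAsync4(`sudo chmod 755 "${targetPath}"`);
+const dylibs = await copyNodeDylibs(srcPath, socketGroupName);
+const dylibInfo = dylibs.copied.length > 0 ? ` (dylibs: ${dylibs.copied.join(", ")})` : "";
 return {
 success: true,
 name: "node-bin",
 path: targetPath,
-message: `Copied node binary from ${srcPath} to ${targetPath}`
+message: `Copied node binary from ${srcPath} to ${targetPath}${dylibInfo}`
 };
 } catch (error) {
 return {
@@ -4671,6 +4768,73 @@ async function copyNodeBinary(userConfig) {
 };
 }
 }
+var NVM_INSTALL_URL = "https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh";
+async function installAgentNvm(options) {
+const { agentHome, agentUsername, socketGroupName, verbose } = options;
+const nodeVersion = options.nodeVersion || "24";
+const nvmDir = `${agentHome}/.nvm`;
+const log = (msg) => verbose && process.stderr.write(`[SETUP] ${msg}
+`);
+const empty = {
+success: false,
+nvmDir,
+nodeVersion,
+nodeBinaryPath: "",
+message: ""
+};
+try {
+log(`Creating NVM directory at ${nvmDir}`);
+await execAsync4(`sudo mkdir -p "${nvmDir}"`);
+await execAsync4(`sudo chown ${agentUsername}:${socketGroupName} "${nvmDir}"`);
+await execAsync4(`sudo chmod 755 "${nvmDir}"`);
+log("Downloading and installing NVM");
+const installCmd = [
+`export HOME="${agentHome}"`,
+`export NVM_DIR="${nvmDir}"`,
+`/usr/bin/curl -o- "${NVM_INSTALL_URL}" | PROFILE=/dev/null /bin/bash`
+].join(" && ");
+await execAsync4(`sudo -u ${agentUsername} /bin/bash -c '${installCmd}'`, { timeout: 6e4 });
+log(`Installing Node.js v${nodeVersion} via NVM`);
+const nvmInstallCmd = [
+`export HOME="${agentHome}"`,
+`export NVM_DIR="${nvmDir}"`,
+`source "${nvmDir}/nvm.sh"`,
+`nvm install ${nodeVersion}`
+].join(" && ");
+await execAsync4(`sudo -u ${agentUsername} /bin/bash -c '${nvmInstallCmd}'`, { timeout: 12e4 });
+log("Resolving installed node binary path");
+const whichCmd = [
+`export HOME="${agentHome}"`,
+`export NVM_DIR="${nvmDir}"`,
+`source "${nvmDir}/nvm.sh"`,
+`nvm which ${nodeVersion}`
+].join(" && ");
+const { stdout } = await execAsync4(`sudo -u ${agentUsername} /bin/bash -c '${whichCmd}'`);
+const nodeBinaryPath = stdout.trim();
+if (!nodeBinaryPath) {
+return { ...empty, message: "NVM installed but could not resolve node binary path" };
+}
+log(`Verifying node binary at ${nodeBinaryPath}`);
+const { stdout: versionOut } = await execAsync4(
+`sudo -u ${agentUsername} /bin/bash -c '"${nodeBinaryPath}" --version'`
+);
+const actualVersion = versionOut.trim();
+log(`Node.js ${actualVersion} installed successfully`);
+return {
+success: true,
+nvmDir,
+nodeVersion: actualVersion,
+nodeBinaryPath,
+message: `Installed Node.js ${actualVersion} via NVM at ${nodeBinaryPath}`
+};
+} catch (error) {
+return {
+...empty,
+message: `NVM installation failed: ${error.message}`,
+error
+};
+}
+}
 var BASIC_SYSTEM_COMMANDS = [
 "ls",
 "cat",
@@ -4750,10 +4914,30 @@ async function installPresetBinaries(options) {
 const installedWrappers = [];
 let seatbeltInstalled = false;
 if (requiredBins.includes("node")) {
-
-const
-
-
+const agentHome = userConfig.agentUser.home;
+const agentUsername = userConfig.agentUser.username;
+log("Installing NVM + Node.js for agent user");
+const nvmResult = await installAgentNvm({
+agentHome,
+agentUsername,
+socketGroupName,
+nodeVersion: options.nodeVersion,
+verbose
+});
+if (nvmResult.success) {
+log(`NVM installed Node.js ${nvmResult.nodeVersion} at ${nvmResult.nodeBinaryPath}`);
+log("Copying NVM node binary to /opt/agenshield/bin/node-bin");
+const nodeResult = await copyNodeBinary(userConfig, nvmResult.nodeBinaryPath);
+if (!nodeResult.success) {
+errors.push(`Node binary (from NVM): ${nodeResult.message}`);
+}
+} else {
+log(`NVM install failed: ${nvmResult.message}. Falling back to host node binary.`);
+log("Copying node binary to /opt/agenshield/bin/node-bin");
+const nodeResult = await copyNodeBinary(userConfig);
+if (!nodeResult.success) {
+errors.push(`Node binary: ${nodeResult.message}`);
+}
 }
 }
 const needsInterceptor = requiredBins.some(
@@ -4876,6 +5060,8 @@ function generateBrokerPlist(config, options) {
 <string>${configPath}</string>
 <key>AGENSHIELD_SOCKET</key>
 <string>${socketPath}</string>
+<key>AGENSHIELD_AGENT_HOME</key>
+<string>${config.agentUser.home}</string>
 <key>NODE_ENV</key>
 <string>production</string>
 </dict>
@@ -6153,6 +6339,7 @@ export {
 classifyDirectory,
 copyBrokerBinary,
 copyNodeBinary,
+copyShieldClient,
 createAgenCoSymlink,
 createAgentDirectories,
 createAgentUser,
@@ -6204,6 +6391,7 @@ export {
 getWrapperDefinition,
 groupExists,
 injectAgenCoSkill,
+installAgentNvm,
 installAllWrappers,
 installBasicCommands,
 installGuardedShell,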
package/launchdaemon.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"launchdaemon.d.ts","sourceRoot":"","sources":["../src/launchdaemon.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAWH;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,OAAO,iBAAiB,EAAE,UAAU,EAC5C,OAAO,CAAC,EAAE;IACR,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACA,MAAM,
|
|
1
|
+
{"version":3,"file":"launchdaemon.d.ts","sourceRoot":"","sources":["../src/launchdaemon.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAWH;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,OAAO,iBAAiB,EAAE,UAAU,EAC5C,OAAO,CAAC,EAAE;IACR,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACA,MAAM,CAiER;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,CAAC,EAAE;IAClD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,MAAM,CA2DT;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;AACvF;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAClD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;AA+C1B;;GAEG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,YAAY,CAAC,CAe9D;AAED;;GAEG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,YAAY,CAAC,CAuBhE;AAED;;GAEG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,YAAY,CAAC,CAmBnE;AAED;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC,CAOxD;AAED;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAC/C,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC,CA6CD;AAED;;GAEG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,YAAY,CAAC,CAgB3D;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,MAAM,CAAC,EAAE,OAAO,iBAAiB,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC,CA+C/G"}
|
package/migration.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"migration.d.ts","sourceRoot":"","sources":["../src/migration.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAE/D,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,MAAM,EAAE,KAAK,GAAG,KAAK,CAAC;IACtB,oCAAoC;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,yBAAyB;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gCAAgC;IAChC,QAAQ,CAAC,EAAE;QACT,WAAW,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,MAAM,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAmFD;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAqDjB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAuDjB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAMjB;AAyBD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,kBAAkB,GAAG;IAC9E,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,
|
|
1
|
+
{"version":3,"file":"migration.d.ts","sourceRoot":"","sources":["../src/migration.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAE/D,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,MAAM,EAAE,KAAK,GAAG,KAAK,CAAC;IACtB,oCAAoC;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,yBAAyB;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gCAAgC;IAChC,QAAQ,CAAC,EAAE;QACT,WAAW,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,MAAM,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH;AAmFD;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAqDjB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAuDjB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,WAAW,EACjB,IAAI,EAAE,kBAAkB,GACvB,eAAe,CAMjB;AAyBD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,kBAAkB,GAAG;IAC9E,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAyDA"}
|
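--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@agenshield/sandbox",
-"version": "0.
+"version": "0.6.0",
 "type": "module",
 "description": "User isolation and sandboxing utilities for AgenShield",
 "main": "./index.js",
@@ -15,7 +15,7 @@
 },
 "license": "MIT",
 "dependencies": {
-"@agenshield/skills": "0.
+"@agenshield/skills": "0.6.0",
 "yaml": "^2.7.1"
 },
 "devDependencies": {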
package/security.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":"AAAA;;GAEG;
|
|
1
|
+
{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":"AAAA;;GAEG;AAYH;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,2DAA2D;IAC3D,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,+BAA+B;IAC/B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,4CAA4C;IAC5C,UAAU,EAAE,OAAO,CAAC;IACpB,kCAAkC;IAClC,qBAAqB,EAAE,OAAO,CAAC;IAC/B,2CAA2C;IAC3C,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,wBAAwB;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,+BAA+B;IAC/B,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,sBAAsB;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,6BAA6B;IAC7B,KAAK,EAAE,QAAQ,GAAG,SAAS,GAAG,aAAa,GAAG,UAAU,CAAC;CAC1D;AAuBD;;GAEG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEpD;AA2DD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,gEAAgE;IAChE,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CAC1C;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE,oBAAoB,GAAG,cAAc,CAwElF"}
|
package/shield-exec.d.ts
CHANGED
|
@@ -16,5 +16,5 @@ export declare const PROXIED_COMMANDS: readonly ["curl", "wget", "git", "ssh", "
|
|
|
16
16
|
/**
|
|
17
17
|
* The content of shield-exec as a string, for installation
|
|
18
18
|
*/
|
|
19
|
-
export declare const SHIELD_EXEC_CONTENT = "#!/
|
|
19
|
+
export declare const SHIELD_EXEC_CONTENT = "#!/opt/agenshield/bin/node-bin\nimport path from 'node:path';\nimport net from 'node:net';\n\nconst DEFAULT_SOCKET_PATH = '/var/run/agenshield/agenshield.sock';\n\nfunction sendRequest(socketPath, request) {\n return new Promise((resolve, reject) => {\n const socket = net.createConnection(socketPath, () => {\n socket.write(JSON.stringify(request) + '\\n');\n });\n let data = '';\n socket.on('data', (chunk) => {\n data += chunk.toString();\n const idx = data.indexOf('\\n');\n if (idx >= 0) {\n try {\n const resp = JSON.parse(data.slice(0, idx));\n socket.end();\n resolve(resp);\n } catch (e) {\n socket.end();\n reject(new Error('Invalid JSON response: ' + e.message));\n }\n }\n });\n socket.on('error', (err) => reject(new Error('Socket error: ' + err.message)));\n socket.on('end', () => {\n if (data.trim()) {\n try { resolve(JSON.parse(data.trim())); }\n catch { reject(new Error('Connection closed before response')); }\n } else {\n reject(new Error('Connection closed without response'));\n }\n });\n socket.setTimeout(30000, () => {\n socket.destroy();\n reject(new Error('Request timed out'));\n });\n });\n}\n\nasync function main() {\n const socketPath = process.env.AGENSHIELD_SOCKET || DEFAULT_SOCKET_PATH;\n const invoked = path.basename(process.argv[1] || 'shield-exec');\n const args = process.argv.slice(2);\n const commandName = invoked === 'shield-exec' ? 
(args.shift() || '') : invoked;\n\n if (!commandName) {\n process.stderr.write('Usage: shield-exec <command> [args...]\\n');\n process.exit(1);\n }\n\n const request = {\n jsonrpc: '2.0',\n id: 'shield-exec-' + Date.now() + '-' + Math.random().toString(36).slice(2, 8),\n method: 'exec',\n params: { command: commandName, args: args, cwd: process.cwd() },\n };\n\n try {\n const response = await sendRequest(socketPath, request);\n if (response.error) {\n process.stderr.write('Error: ' + response.error.message + '\\n');\n process.exit(1);\n }\n const result = response.result;\n if (!result) { process.stderr.write('Error: Empty response\\n'); process.exit(1); }\n if (!result.success) {\n process.stderr.write('Error: ' + (result.error?.message || 'Unknown error') + '\\n');\n process.exit(1);\n }\n const data = result.data;\n if (!data) process.exit(0);\n if (data.stdout) process.stdout.write(data.stdout);\n if (data.stderr) process.stderr.write(data.stderr);\n process.exit(data.exitCode ?? 0);\n } catch (err) {\n process.stderr.write('shield-exec error: ' + err.message + '\\n');\n process.exit(1);\n }\n}\n\nmain().catch((err) => { process.stderr.write('Fatal: ' + err.message + '\\n'); process.exit(1); });\n";
|
|
20
20
|
//# sourceMappingURL=shield-exec.d.ts.map
|
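Review bot: The doc comment above `SHIELD_EXEC_CONTENT` still says only "The content of shield-exec as a string, for installation", although the script now begins with `#!/opt/agenshield/bin/node-bin` and so depends on the node binary having been copied to that path. In the bundled index.js of this release a failed `copyNodeBinary` is only pushed onto `errors` and setup continues; if shield-exec is installed regardless (not visible in this section), the wrapper would point at a missing interpreter. I would extend the comment with `* Runs under /opt/agenshield/bin/node-bin; install only after copyNodeBinary has succeeded.` The removed line is truncated on this page, so the rest of the script cannot be compared with 0.5.0.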
package/shield-exec.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"shield-exec.d.ts","sourceRoot":"","sources":["../src/shield-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,0CAA0C;AAC1C,eAAO,MAAM,gBAAgB,oCAAoC,CAAC;AAKlE,4EAA4E;AAC5E,eAAO,MAAM,gBAAgB,iIAInB,CAAC;AAsKX;;GAEG;AACH,eAAO,MAAM,mBAAmB,
|
|
1
|
+
{"version":3,"file":"shield-exec.d.ts","sourceRoot":"","sources":["../src/shield-exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,0CAA0C;AAC1C,eAAO,MAAM,gBAAgB,oCAAoC,CAAC;AAKlE,4EAA4E;AAC5E,eAAO,MAAM,gBAAgB,iIAInB,CAAC;AAsKX;;GAEG;AACH,eAAO,MAAM,mBAAmB,kzFAoF/B,CAAC"}
|
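--- a/package/wrappers.d.ts
+++ b/package/wrappers.d.ts
@@ -179,11 +179,50 @@ export declare function deployInterceptor(userConfig?: UserConfig): Promise<Wrap
 * The broker is the privileged daemon that handles socket communication.
 */
 export declare function copyBrokerBinary(userConfig?: UserConfig): Promise<WrapperResult>;
+/**
+* Copy the shield-client binary to /opt/agenshield/bin/
+* Shield-client is the CLI used by wrapper scripts (curl, git, etc.) to route
+* operations through the broker.
+*
+* IMPORTANT: The shebang is rewritten from #!/usr/bin/env node to
+* #!/opt/agenshield/bin/node-bin so that shield-client runs WITHOUT the
+* interceptor. Otherwise there's an infinite recursion:
+* interceptor → curl wrapper → shield-client → node+interceptor → …
+*/
+export declare function copyShieldClient(userConfig?: UserConfig): Promise<WrapperResult>;
 /**
 * Copy the current Node.js binary to the sandbox so the node wrapper
 * can exec a known-good binary without relying on system PATH.
 */
-export declare function copyNodeBinary(userConfig?: UserConfig): Promise<WrapperResult>;
+export declare function copyNodeBinary(userConfig?: UserConfig, sourcePath?: string): Promise<WrapperResult>;
+/**
+* Result of NVM + Node.js installation for the agent user
+*/
+export interface NvmInstallResult {
+success: boolean;
+nvmDir: string;
+nodeVersion: string;
+nodeBinaryPath: string;
+message: string;
+error?: Error;
+}
+/**
+* Install NVM and a specific Node.js version for the agent user.
+*
+* Runs as the agent user via `sudo -u` with `/bin/bash` (not guarded-shell).
+* The NVM directory is created under the agent's home so versions can be
+* managed independently of the host system.
+*
+* The installed node binary is then copied to /opt/agenshield/bin/node-bin
+* by the caller via copyNodeBinary(userConfig, nodeBinaryPath).
+*/
+export declare function installAgentNvm(options: {
+agentHome: string;
+agentUsername: string;
+socketGroupName: string;
+nodeVersion?: string;
+verbose?: boolean;
+}): Promise<NvmInstallResult>;
 export interface PresetInstallResult {
 success: boolean;
 installedWrappers: string[];
@@ -212,6 +251,7 @@ export declare function installPresetBinaries(options: {
 userConfig: UserConfig;
 binDir: string;
 socketGroupName: string;
+nodeVersion?: string;
 verbose?: boolean;
 }): Promise<PresetInstallResult>;
 //# sourceMappingURL=wrappers.d.ts.map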
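Review bot: The new `installAgentNvm` declaration says it runs via `sudo -u` with `/bin/bash`, but places no constraint on `agentUsername`, `agentHome` or `nodeVersion`, which are plain strings. In the bundled index.js of this release the verification step builds `sudo -u ${agentUsername} /bin/bash -c '"${nodeBinaryPath}" --version'` by interpolation, and `nodeBinaryPath` is itself taken from command output, so a quote or shell metacharacter in either value changes the command that is run. I would validate these options against a strict pattern at the top of `installAgentNvm`, prefer an argv-style exec over a shell string where the implementation allows it, and record the contract in the JSDoc, e.g. `@param options.agentUsername existing account name, validated before being passed to sudo`. The added `sourcePath` parameter of `copyNodeBinary` is undocumented as well; `@param sourcePath absolute path of the node binary to copy (the host node when omitted)` would match the fallback call visible in index.js.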
package/wrappers.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wrappers.d.ts","sourceRoot":"","sources":["../src/wrappers.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAOlD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,oDAAoD;IACpD,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,qCAAqC;IACrC,QAAQ,EAAE,CAAC,MAAM,EAAE,aAAa,KAAK,MAAM,CAAC;CAC7C;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,mEAAmE;IACnE,eAAe,EAAE,MAAM,CAAC;IACxB,gCAAgC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,aAAa,CAe9E;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAgWjE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,QAAQ,EAQhB,MAAM,CAAC,MAAM,EAAE;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAE9D,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,GAAG,IAAI,CAMf;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,aAAa,CAAC,CAsBxB;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,KAAK,CAAC,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CA6BxB;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,SAAS,GAAE,MAAsC,EACjD,MAAM,CAAC,EAAE,aAAa,GACrB,OAAO,CAAC,aAAa,EAAE,CAAC,CA2B1B;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,aAAa,GACrB,OAAO,CAAC,aAAa,EAAE,CAAC,CAsC1B;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,
MAAM,GAChB,OAAO,CAAC,aAAa,CAAC,CA8BxB;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,SAAS,GAAE,MAAsC,GAChD,OAAO,CAAC,aAAa,EAAE,CAAC,CAS1B;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,SAAS,GAAE,MAAsC,GAChD,OAAO,CAAC;IACT,KAAK,EAAE,OAAO,CAAC;IACf,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC,CAmBD;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,UAAU,EACtB,WAAW,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACnD,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB,CAAC,CAkBD;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,UAAU,CAAC,EAAE,UAAU,EACvB,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,aAAa,CAAC,CAiExB;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB,CAAC,CA+FD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAE/C;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAE3E;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAGzD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAG5D;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,OAAe,EACxB,KAAK,CAAC,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CAKxB;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC,aAAa,CAAC,CAkCxB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC,aAAa,CAAC,CAiBxB;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,CAAC,EAAE,UAAU,GACtB,OAAO,CAAC,aAAa,CAAC,CAkCxB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,CAAC,EAAE,UAAU,GACtB,OAAO,CAAC,aAAa,CAAC,CAqDxB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,UAAU,CAAC,EAAE,UAAU,
|
|
1
|
+
{"version":3,"file":"wrappers.d.ts","sourceRoot":"","sources":["../src/wrappers.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAOlD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,oDAAoD;IACpD,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,qCAAqC;IACrC,QAAQ,EAAE,CAAC,MAAM,EAAE,aAAa,KAAK,MAAM,CAAC;CAC7C;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,mEAAmE;IACnE,eAAe,EAAE,MAAM,CAAC;IACxB,gCAAgC;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,aAAa,CAe9E;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAgWjE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,QAAQ,EAQhB,MAAM,CAAC,MAAM,EAAE;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAE9D,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,aAAa,GACrB,MAAM,GAAG,IAAI,CAMf;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,aAAa,CAAC,CAsBxB;AAED;;GAEG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,KAAK,CAAC,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CA6BxB;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,SAAS,GAAE,MAAsC,EACjD,MAAM,CAAC,EAAE,aAAa,GACrB,OAAO,CAAC,aAAa,EAAE,CAAC,CA2B1B;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,MAAM,EAAE,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,aAAa,GACrB,OAAO,CAAC,aAAa,EAAE,CAAC,CAsC1B;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,
MAAM,GAChB,OAAO,CAAC,aAAa,CAAC,CA8BxB;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,SAAS,GAAE,MAAsC,GAChD,OAAO,CAAC,aAAa,EAAE,CAAC,CAS1B;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,SAAS,GAAE,MAAsC,GAChD,OAAO,CAAC;IACT,KAAK,EAAE,OAAO,CAAC;IACf,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC,CAmBD;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,UAAU,EACtB,WAAW,EAAE;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACnD,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB,CAAC,CAkBD;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,UAAU,CAAC,EAAE,UAAU,EACvB,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,aAAa,CAAC,CAiExB;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB,CAAC,CA+FD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAE/C;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAE3E;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAGzD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAG5D;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,OAAe,EACxB,KAAK,CAAC,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CAKxB;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC,aAAa,CAAC,CAkCxB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,GAAE,OAAe,GACvB,OAAO,CAAC,aAAa,CAAC,CAiBxB;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,UAAU,CAAC,EAAE,UAAU,GACtB,OAAO,CAAC,aAAa,CAAC,CAkCxB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,CAAC,EAAE,UAAU,GACtB,OAAO,CAAC,aAAa,CAAC,CAqDxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,CAAC,EAAE,UAAU,GACtB,OAAO,CAAC,aAAa,CAAC,CAgDxB;AAwED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,UAAU,CAAC,EAAE,UAAU,EACvB,UAA
U,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,aAAa,CAAC,CAoCxB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,KAAK,CAAC;CACf;AAID;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA8E5B;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,iBAAiB,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,eAAO,MAAM,qBAAqB,UAMjC,CAAC;AAEF;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9B,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,MAAM,EAAE,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CA+BtE;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CAAC,OAAO,EAAE;IACnD,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,UAAU,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAiH/B"}
|