@agentick/sandbox-local 0.2.1

package/README.md

@@ -0,0 +1,211 @@
+# @agentick/sandbox-local
+
+Local sandbox provider for Agentick. Executes commands on the host machine with OS-level security rails.
+
+## Quick Start
+
+```typescript
+import { localProvider } from "@agentick/sandbox-local";
+
+const provider = localProvider();
+const sandbox = await provider.create({ workspace: true });
+
+const result = await sandbox.exec("echo hello");
+console.log(result.stdout); // "hello\n"
+
+await sandbox.writeFile("test.txt", "content");
+const content = await sandbox.readFile("test.txt");
+
+await sandbox.destroy();
+```
+
+## Sandbox Strategies
+
+The provider automatically selects the best available isolation strategy:
+
+| Strategy   | Platform | Isolation                                                     |
+| ---------- | -------- | ------------------------------------------------------------- |
+| `seatbelt` | macOS    | Apple Sandbox (`sandbox-exec`) with SBPL profiles             |
+| `bwrap`    | Linux    | Bubblewrap with namespace isolation                           |
+| `unshare`  | Linux    | `unshare` with user namespaces                                |
+| `none`     | Any      | No OS sandboxing (workspace isolation + path validation only) |
+
+```typescript
+// Auto-detect (default)
+const provider = localProvider();
+
+// Force a specific strategy
+const provider = localProvider({ strategy: "seatbelt" });
+const provider = localProvider({ strategy: "none" }); // For testing
+```
+
+## Platform Detection
+
+```typescript
+import { detectCapabilities } from "@agentick/sandbox-local";
+
+const caps = await detectCapabilities();
+// {
+//   platform: "darwin",
+//   arch: "arm64",
+//   hasSandboxExec: true,
+//   recommended: "seatbelt",
+//   ...
+// }
+```
+
+## Network Rules
+
+Control sandbox network access with fine-grained rules.
+
+```typescript
+const sandbox = await provider.create({
+  workspace: true,
+  permissions: {
+    net: [
+      { action: "allow", domain: "api.github.com" },
+      { action: "allow", domain: "*.npmjs.org" },
+      { action: "deny", domain: "*.evil.com" },
+      { action: "allow", port: 443, methods: ["GET"] },
+    ],
+  },
+});
+```
+
+Rules are evaluated in order. First match wins. Default action is **deny**.
+
+When `NetworkRule[]` is provided, a transparent HTTP proxy is started. HTTPS connections are filtered at the CONNECT level (domain allow/block without TLS termination).
+
+## Permissions
+
+```typescript
+const sandbox = await provider.create({
+  workspace: true,
+  permissions: {
+    fs: true, // Filesystem access (default: true)
+    net: false, // Network access (default: false)
+    childProcess: true, // Fork processes (default: true)
+    inheritEnv: false, // Inherit host env vars (default: false)
+  },
+});
+```
+
+## Mounts
+
+Map host directories into the sandbox.
+
+```typescript
+const sandbox = await provider.create({
+  workspace: true,
+  mounts: [
+    { host: "/data/shared", sandbox: "/mnt/shared", mode: "ro" },
+    { host: "/data/output", sandbox: "/mnt/output", mode: "rw" },
+  ],
+});
+```
+
+## Resource Limits
+
+```typescript
+const sandbox = await provider.create({
+  workspace: true,
+  limits: {
+    memory: 512 * 1024 * 1024, // 512MB
+    cpu: 0.5, // Half a core
+    timeout: 30000, // 30s global timeout
+    disk: 100 * 1024 * 1024, // 100MB workspace
+    maxProcesses: 10,
+  },
+});
+```
+
+Resource limits use cgroups v2 on Linux. On macOS, timeout and disk limits are enforced; memory/CPU are advisory.
+
+## Streaming Output
+
+```typescript
+const result = await sandbox.exec("npm install", {
+  onOutput: (chunk) => {
+    process.stdout.write(`[${chunk.stream}] ${chunk.data}`);
+  },
+});
+```
+
+## With Agentick Components
+
+```tsx
+import { Sandbox, Shell, ReadFile, WriteFile } from "@agentick/sandbox";
+import { localProvider } from "@agentick/sandbox-local";
+
+const MyAgent = () => (
+  <Sandbox provider={localProvider()} workspace={true}>
+    <Shell />
+    <ReadFile />
+    <WriteFile />
+  </Sandbox>
+);
+```
+
+## Testing
+
+```typescript
+import { createTestProvider, isDarwin } from "@agentick/sandbox-local/testing";
+
+const provider = createTestProvider(); // strategy: "none"
+const sandbox = await provider.create({ workspace: true });
+
+// Platform-gated tests
+describe.skipIf(!isDarwin)("seatbelt tests", () => { ... });
+```
+
+## Security Model
+
+**Safe by default.** The sandbox denies access to sensitive resources unless explicitly allowed.
+
+### macOS Seatbelt (reads)
+
+Sandboxed processes can read system libraries and executables (required for bash/node), but **cannot** read:
+
+| Denied Path               | Contains                                                           |
+| ------------------------- | ------------------------------------------------------------------ |
+| `/Users`                  | Home directories — SSH keys, `.env`, browser profiles, credentials |
+| `/private/var/root`       | Root's home directory                                              |
+| `/Volumes`                | Mounted drives, encrypted volumes, network shares                  |
+| `/Network`                | Network-mounted resources                                          |
+| `/Library/Keychains`      | System-level keychains and certificates                            |
+| `/private/var/db/dslocal` | Local directory service (user account data)                        |
+
+The workspace and any configured mounts are re-allowed via SBPL specificity rules (more-specific subpath allows override broader denies).
+
+### Write restrictions
+
+All strategies restrict writes to:
+
+- The workspace directory
+- Configured read-write mounts
+- `/tmp` and `/dev`
+
+### Additional protections
+
+| Threat              | Mitigation                                                     |
+| ------------------- | -------------------------------------------------------------- |
+| Path traversal      | `realpath()` + bounds check                                    |
+| Symlink escape      | Follow symlinks before validation                              |
+| Null byte injection | Reject null bytes in all paths                                 |
+| Output OOM          | 10MB cap per stream                                            |
+| Env var injection   | Blocklist for `LD_PRELOAD`, `DYLD_*`                           |
+| Process orphans     | Kill process group (`detached` + `-pid`), SIGTERM then SIGKILL |
+| Zombie sandbox      | `destroyed` flag prevents use-after-destroy                    |
+| Disk bomb           | Polling monitor kills processes on exceed                      |
+
+### Platform requirements
+
+**macOS**: `/usr/bin/sandbox-exec` (ships with macOS, no install needed).
+
+**Linux**: One of:
+
+- `bwrap` (bubblewrap) — install via `apt install bubblewrap` or equivalent
+- `unshare` with unprivileged user namespaces enabled (`sysctl kernel.unprivileged_userns_clone=1`)
+- cgroups v2 for memory/CPU/process limits (writable `/sys/fs/cgroup`)
+
+**All platforms**: Falls back to `strategy: "none"` (workspace isolation + path validation only, no OS-level sandboxing) when no sandbox tooling is available.

package/dist/executor/base.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Base (unsandboxed) executor.
+ *
+ * Plain child_process.spawn — no OS-level sandboxing.
+ * Still benefits from workspace isolation, path validation, and timeout enforcement
+ * provided by LocalSandbox.
+ */
+import type { ChildProcess } from "node:child_process";
+import type { CommandExecutor, SpawnOptions } from "./types";
+import type { SandboxStrategy } from "../platform/types";
+export declare class BaseExecutor implements CommandExecutor {
+    readonly strategy: SandboxStrategy;
+    spawn(command: string, options: SpawnOptions): ChildProcess;
+}
+//# sourceMappingURL=base.d.ts.map

package/dist/executor/base.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.d.ts","sourceRoot":"","sources":["../../src/executor/base.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEzD,qBAAa,YAAa,YAAW,eAAe;IAClD,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAU;IAE5C,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,YAAY;CAQ5D"}

package/dist/executor/base.js

@@ -0,0 +1,20 @@
+/**
+ * Base (unsandboxed) executor.
+ *
+ * Plain child_process.spawn — no OS-level sandboxing.
+ * Still benefits from workspace isolation, path validation, and timeout enforcement
+ * provided by LocalSandbox.
+ */
+import { spawn } from "node:child_process";
+export class BaseExecutor {
+    strategy = "none";
+    spawn(command, options) {
+        return spawn("sh", ["-c", command], {
+            cwd: options.cwd,
+            env: options.env,
+            stdio: ["pipe", "pipe", "pipe"],
+            detached: true,
+        });
+    }
+}
+//# sourceMappingURL=base.js.map

package/dist/executor/base.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.js","sourceRoot":"","sources":["../../src/executor/base.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAK3C,MAAM,OAAO,YAAY;IACd,QAAQ,GAAoB,MAAM,CAAC;IAE5C,KAAK,CAAC,OAAe,EAAE,OAAqB;QAC1C,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE;YAClC,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,QAAQ,EAAE,IAAI;SACf,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/executor/darwin.d.ts

@@ -0,0 +1,16 @@
+/**
+ * macOS Seatbelt Executor
+ *
+ * Generates a seatbelt profile from SpawnOptions, writes it to a temp file,
+ * and spawns the command under sandbox-exec.
+ */
+import type { ChildProcess } from "node:child_process";
+import type { CommandExecutor, SpawnOptions } from "./types";
+import type { SandboxStrategy } from "../platform/types";
+export declare class DarwinExecutor implements CommandExecutor {
+    readonly strategy: SandboxStrategy;
+    private readonly profileDir;
+    constructor();
+    spawn(command: string, options: SpawnOptions): ChildProcess;
+}
+//# sourceMappingURL=darwin.d.ts.map

package/dist/executor/darwin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"darwin.d.ts","sourceRoot":"","sources":["../../src/executor/darwin.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGzD,qBAAa,cAAe,YAAW,eAAe;IACpD,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAc;IAChD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;;IAQpC,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,YAAY;CAyB5D"}

package/dist/executor/darwin.js

@@ -0,0 +1,44 @@
+/**
+ * macOS Seatbelt Executor
+ *
+ * Generates a seatbelt profile from SpawnOptions, writes it to a temp file,
+ * and spawns the command under sandbox-exec.
+ */
+import { spawn } from "node:child_process";
+import { writeFileSync, unlinkSync, mkdirSync } from "node:fs";
+import { join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { tmpdir } from "node:os";
+import { compileSeatbeltProfile } from "../seatbelt/profile";
+export class DarwinExecutor {
+    strategy = "seatbelt";
+    profileDir;
+    constructor() {
+        // Per-instance temp dir for profile files
+        this.profileDir = join(tmpdir(), `agentick-seatbelt-${randomBytes(6).toString("hex")}`);
+        mkdirSync(this.profileDir, { recursive: true, mode: 0o700 });
+    }
+    spawn(command, options) {
+        const profile = compileSeatbeltProfile(options);
+        // Write profile to temp file with restricted permissions
+        const profilePath = join(this.profileDir, `profile-${randomBytes(4).toString("hex")}.sb`);
+        writeFileSync(profilePath, profile, { mode: 0o600 });
+        const child = spawn("sandbox-exec", ["-f", profilePath, "/bin/bash", "-c", command], {
+            cwd: options.cwd,
+            env: options.env,
+            stdio: ["pipe", "pipe", "pipe"],
+            detached: true,
+        });
+        // Clean up profile after process starts
+        child.on("exit", () => {
+            try {
+                unlinkSync(profilePath);
+            }
+            catch {
+                // Best-effort cleanup
+            }
+        });
+        return child;
+    }
+}
+//# sourceMappingURL=darwin.js.map

package/dist/executor/darwin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"darwin.js","sourceRoot":"","sources":["../../src/executor/darwin.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAIjC,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAE7D,MAAM,OAAO,cAAc;IAChB,QAAQ,GAAoB,UAAU,CAAC;IAC/B,UAAU,CAAS;IAEpC;QACE,0CAA0C;QAC1C,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,qBAAqB,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACxF,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,OAAqB;QAC1C,MAAM,OAAO,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAEhD,yDAAyD;QACzD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1F,aAAa,CAAC,WAAW,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAErD,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE;YACnF,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,QAAQ,EAAE,IAAI;SACf,CAAC,CAAC;QAEH,wCAAwC;QACxC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;YACpB,IAAI,CAAC;gBACH,UAAU,CAAC,WAAW,CAAC,CAAC;YAC1B,CAAC;YAAC,MAAM,CAAC;gBACP,sBAAsB;YACxB,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/executor/linux.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Linux Executor (bubblewrap / unshare)
+ *
+ * Spawns commands under bwrap or unshare for namespace-based isolation.
+ */
+import type { ChildProcess } from "node:child_process";
+import type { CommandExecutor, SpawnOptions } from "./types";
+import type { SandboxStrategy } from "../platform/types";
+import type { CgroupManager } from "../linux/cgroup";
+export declare class BwrapExecutor implements CommandExecutor {
+    readonly strategy: SandboxStrategy;
+    private cgroup?;
+    constructor(cgroup?: CgroupManager);
+    spawn(command: string, options: SpawnOptions): ChildProcess;
+}
+export declare class UnshareExecutor implements CommandExecutor {
+    readonly strategy: SandboxStrategy;
+    private cgroup?;
+    constructor(cgroup?: CgroupManager);
+    spawn(command: string, options: SpawnOptions): ChildProcess;
+}
+//# sourceMappingURL=linux.d.ts.map

package/dist/executor/linux.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"linux.d.ts","sourceRoot":"","sources":["../../src/executor/linux.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGzD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAErD,qBAAa,aAAc,YAAW,eAAe;IACnD,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAW;IAC7C,OAAO,CAAC,MAAM,CAAC,CAAgB;gBAEnB,MAAM,CAAC,EAAE,aAAa;IAIlC,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,YAAY;CAgB5D;AAED,qBAAa,eAAgB,YAAW,eAAe;IACrD,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAa;IAC/C,OAAO,CAAC,MAAM,CAAC,CAAgB;gBAEnB,MAAM,CAAC,EAAE,aAAa;IAIlC,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,YAAY;CAiB5D"}

package/dist/executor/linux.js

@@ -0,0 +1,50 @@
+/**
+ * Linux Executor (bubblewrap / unshare)
+ *
+ * Spawns commands under bwrap or unshare for namespace-based isolation.
+ */
+import { spawn } from "node:child_process";
+import { buildBwrapArgs } from "../linux/bwrap";
+import { buildUnshareArgs } from "../linux/unshare";
+export class BwrapExecutor {
+    strategy = "bwrap";
+    cgroup;
+    constructor(cgroup) {
+        this.cgroup = cgroup;
+    }
+    spawn(command, options) {
+        const args = buildBwrapArgs(options);
+        args.push("sh", "-c", command);
+        const child = spawn("bwrap", args, {
+            env: options.env,
+            stdio: ["pipe", "pipe", "pipe"],
+            detached: true,
+        });
+        if (this.cgroup && child.pid) {
+            this.cgroup.addProcess(child.pid).catch(() => { });
+        }
+        return child;
+    }
+}
+export class UnshareExecutor {
+    strategy = "unshare";
+    cgroup;
+    constructor(cgroup) {
+        this.cgroup = cgroup;
+    }
+    spawn(command, options) {
+        const args = buildUnshareArgs(options);
+        args.push("sh", "-c", command);
+        const child = spawn("unshare", args, {
+            cwd: options.cwd,
+            env: options.env,
+            stdio: ["pipe", "pipe", "pipe"],
+            detached: true,
+        });
+        if (this.cgroup && child.pid) {
+            this.cgroup.addProcess(child.pid).catch(() => { });
+        }
+        return child;
+    }
+}
+//# sourceMappingURL=linux.js.map

package/dist/executor/linux.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"linux.js","sourceRoot":"","sources":["../../src/executor/linux.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAI3C,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAGpD,MAAM,OAAO,aAAa;IACf,QAAQ,GAAoB,OAAO,CAAC;IACrC,MAAM,CAAiB;IAE/B,YAAY,MAAsB;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,OAAqB;QAC1C,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAE/B,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE;YACjC,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,QAAQ,EAAE,IAAI;SACf,CAAC,CAAC;QAEH,IAAI,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YAC7B,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACpD,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED,MAAM,OAAO,eAAe;IACjB,QAAQ,GAAoB,SAAS,CAAC;IACvC,MAAM,CAAiB;IAE/B,YAAY,MAAsB;QAChC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,OAAqB;QAC1C,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAE/B,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,EAAE,IAAI,EAAE;YACnC,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,QAAQ,EAAE,IAAI;SACf,CAAC,CAAC;QAEH,IAAI,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YAC7B,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACpD,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/executor/select.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Executor factory — select executor based on platform capabilities.
+ */
+import type { SandboxStrategy } from "../platform/types";
+import type { CommandExecutor } from "./types";
+import type { CgroupManager } from "../linux/cgroup";
+/**
+ * Create a CommandExecutor for the given strategy.
+ * Optionally accepts a CgroupManager for Linux executors.
+ */
+export declare function selectExecutor(strategy: SandboxStrategy, cgroup?: CgroupManager): CommandExecutor;
+//# sourceMappingURL=select.d.ts.map

package/dist/executor/select.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"select.d.ts","sourceRoot":"","sources":["../../src/executor/select.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAI/C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAErD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,eAAe,EAAE,MAAM,CAAC,EAAE,aAAa,GAAG,eAAe,CAWjG"}

package/dist/executor/select.js

@@ -0,0 +1,23 @@
+/**
+ * Executor factory — select executor based on platform capabilities.
+ */
+import { BaseExecutor } from "./base";
+import { DarwinExecutor } from "./darwin";
+import { BwrapExecutor, UnshareExecutor } from "./linux";
+/**
+ * Create a CommandExecutor for the given strategy.
+ * Optionally accepts a CgroupManager for Linux executors.
+ */
+export function selectExecutor(strategy, cgroup) {
+    switch (strategy) {
+        case "seatbelt":
+            return new DarwinExecutor();
+        case "bwrap":
+            return new BwrapExecutor(cgroup);
+        case "unshare":
+            return new UnshareExecutor(cgroup);
+        case "none":
+            return new BaseExecutor();
+    }
+}
+//# sourceMappingURL=select.js.map

package/dist/executor/select.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"select.js","sourceRoot":"","sources":["../../src/executor/select.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAGzD;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,QAAyB,EAAE,MAAsB;IAC9E,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU;YACb,OAAO,IAAI,cAAc,EAAE,CAAC;QAC9B,KAAK,OAAO;YACV,OAAO,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC;QACnC,KAAK,SAAS;YACZ,OAAO,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC;QACrC,KAAK,MAAM;YACT,OAAO,IAAI,YAAY,EAAE,CAAC;IAC9B,CAAC;AACH,CAAC"}

package/dist/executor/types.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Command executor types.
+ */
+import type { ChildProcess } from "node:child_process";
+import type { SandboxStrategy } from "../platform/types";
+import type { NetworkRule } from "@agentick/sandbox";
+export interface CommandExecutor {
+    readonly strategy: SandboxStrategy;
+    spawn(command: string, options: SpawnOptions): ChildProcess;
+}
+export interface SpawnOptions {
+    cwd: string;
+    env: Record<string, string>;
+    workspacePath: string;
+    mounts: ResolvedMount[];
+    permissions: ResolvedPermissions;
+}
+export interface ResolvedPermissions {
+    readPaths: string[];
+    writePaths: string[];
+    network: boolean | NetworkRule[];
+    childProcess: boolean;
+}
+export interface ResolvedMount {
+    hostPath: string;
+    sandboxPath: string;
+    mode: "ro" | "rw";
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/executor/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/executor/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,YAAY,CAAC;CAC7D;AAED,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,aAAa,EAAE,CAAC;IACxB,WAAW,EAAE,mBAAmB,CAAC;CAClC;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,OAAO,EAAE,OAAO,GAAG,WAAW,EAAE,CAAC;IACjC,YAAY,EAAE,OAAO,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;CACnB"}

package/dist/executor/types.js

@@ -0,0 +1,4 @@
+/**
+ * Command executor types.
+ */
+//# sourceMappingURL=types.js.map

package/dist/executor/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/executor/types.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * @agentick/sandbox-local — Local sandbox provider
+ *
+ * OS-level process isolation using macOS seatbelt and Linux bubblewrap/unshare.
+ */
+export { localProvider } from "./provider";
+export type { LocalProviderConfig } from "./provider";
+export { detectCapabilities } from "./platform/detect";
+export type { PlatformCapabilities, SandboxStrategy } from "./platform/types";
+export { NetworkProxyServer } from "./network/proxy";
+export type { ProxyServerConfig } from "./network/proxy";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,YAAY,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAGtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,YAAY,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAG9E,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACrD,YAAY,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/index.js

@@ -0,0 +1,12 @@
+/**
+ * @agentick/sandbox-local — Local sandbox provider
+ *
+ * OS-level process isolation using macOS seatbelt and Linux bubblewrap/unshare.
+ */
+// ── Provider ────────────────────────────────────────────────────────────────
+export { localProvider } from "./provider";
+// ── Platform Detection ──────────────────────────────────────────────────────
+export { detectCapabilities } from "./platform/detect";
+// ── Network Proxy ───────────────────────────────────────────────────────────
+export { NetworkProxyServer } from "./network/proxy";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,+EAA+E;AAC/E,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAG3C,+EAA+E;AAC/E,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAGvD,+EAA+E;AAC/E,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC"}

package/dist/linux/bwrap.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Bubblewrap argument builder.
+ *
+ * Constructs the bwrap command-line arguments from SpawnOptions.
+ */
+import type { SpawnOptions } from "../executor/types";
+/**
+ * Build bubblewrap argument array for a given set of spawn options.
+ */
+export declare function buildBwrapArgs(options: SpawnOptions): string[];
+//# sourceMappingURL=bwrap.d.ts.map

package/dist/linux/bwrap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bwrap.d.ts","sourceRoot":"","sources":["../../src/linux/bwrap.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAKtD;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,YAAY,GAAG,MAAM,EAAE,CA0C9D"}

package/dist/linux/bwrap.js

@@ -0,0 +1,46 @@
+/**
+ * Bubblewrap argument builder.
+ *
+ * Constructs the bwrap command-line arguments from SpawnOptions.
+ */
+/** System directories to mount read-only into the sandbox. */
+const SYSTEM_RO_BINDS = ["/usr", "/lib", "/lib64", "/bin", "/sbin", "/etc"];
+/**
+ * Build bubblewrap argument array for a given set of spawn options.
+ */
+export function buildBwrapArgs(options) {
+    const args = [];
+    // Namespace isolation
+    args.push("--unshare-all");
+    // Re-share network if allowed
+    const net = options.permissions.network;
+    if (net === true || (Array.isArray(net) && net.length > 0)) {
+        args.push("--share-net");
+    }
+    // System directories (read-only)
+    for (const dir of SYSTEM_RO_BINDS) {
+        args.push("--ro-bind", dir, dir);
+    }
+    // Proc, dev, tmp
+    args.push("--proc", "/proc");
+    args.push("--dev", "/dev");
+    args.push("--tmpfs", "/tmp");
+    // Workspace (read-write)
+    args.push("--bind", options.workspacePath, options.workspacePath);
+    // User mounts
+    for (const mount of options.mounts) {
+        if (mount.mode === "ro") {
+            args.push("--ro-bind", mount.hostPath, mount.sandboxPath);
+        }
+        else {
+            args.push("--bind", mount.hostPath, mount.sandboxPath);
+        }
+    }
+    // Safety
+    args.push("--die-with-parent");
+    args.push("--new-session");
+    // Working directory
+    args.push("--chdir", options.cwd);
+    return args;
+}
+//# sourceMappingURL=bwrap.js.map

package/dist/linux/bwrap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bwrap.js","sourceRoot":"","sources":["../../src/linux/bwrap.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,8DAA8D;AAC9D,MAAM,eAAe,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;AAE5E;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAqB;IAClD,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,sBAAsB;IACtB,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAE3B,8BAA8B;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC;IACxC,IAAI,GAAG,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;QAC3D,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC3B,CAAC;IAED,iCAAiC;IACjC,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QAClC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IACnC,CAAC;IAED,iBAAiB;IACjB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IAE7B,yBAAyB;IACzB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;IAElE,cAAc;IACd,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnC,IAAI,KAAK,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,SAAS;IACT,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC/B,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAE3B,oBAAoB;IACpB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAElC,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/linux/cgroup.d.ts

@@ -0,0 +1,27 @@
+/**
+ * cgroups v2 Resource Limit Manager
+ *
+ * Creates a cgroup under /sys/fs/cgroup/ for enforcing memory, CPU, and
+ * process limits. Degrades gracefully if the cgroup directory is not writable.
+ */
+import type { ResourceLimits } from "@agentick/sandbox";
+export declare class CgroupManager {
+    private readonly id;
+    private readonly cgroupPath;
+    private created;
+    constructor(id: string);
+    /**
+     * Create the cgroup directory and apply resource limits.
+     * No-op if cgroups v2 is not available or not writable.
+     */
+    create(limits: ResourceLimits): Promise<void>;
+    /**
+     * Add a process to this cgroup.
+     */
+    addProcess(pid: number): Promise<void>;
+    /**
+     * Destroy the cgroup directory.
+     */
+    destroy(): Promise<void>;
+}
+//# sourceMappingURL=cgroup.d.ts.map

package/dist/linux/cgroup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cgroup.d.ts","sourceRoot":"","sources":["../../src/linux/cgroup.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAIxD,qBAAa,aAAa;IAIZ,OAAO,CAAC,QAAQ,CAAC,EAAE;IAH/B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,OAAO,CAAS;gBAEK,EAAE,EAAE,MAAM;IAIvC;;;OAGG;IACG,MAAM,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IAgCnD;;OAEG;IACG,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAU5C;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAU/B"}