@agentsh/secure-sandbox 0.1.5 → 0.1.7

package/README.md

@@ -1,6 +1,6 @@
 # @agentsh/secure-sandbox
 
-Runtime security for AI agent sandboxes. Drop-in protection against prompt injection, secret exfiltration, and sandbox escape — works with [Vercel](https://vercel.com/sandbox), [E2B](https://e2b.dev/), [Daytona](https://www.daytona.io/), [Cloudflare Containers](https://developers.cloudflare.com/containers/), and [Blaxel](https://blaxel.ai/sandbox). Powered by [agentsh](https://www.agentsh.org).
+Runtime security for AI agent sandboxes. Drop-in protection against prompt injection, secret exfiltration, and sandbox escape — works with [Vercel](https://vercel.com/sandbox), [E2B](https://e2b.dev/), [Daytona](https://www.daytona.io/), [Cloudflare Containers](https://developers.cloudflare.com/containers/), [Blaxel](https://blaxel.ai/sandbox), [Sprites](https://sprites.dev), and [Modal](https://modal.com). Powered by [agentsh](https://www.agentsh.org).
 
 ```bash
 npm install @agentsh/secure-sandbox
@@ -94,25 +94,46 @@ When you call `secureSandbox()`, the library:
 3. **Writes your policy** as YAML and starts the agentsh server
 4. **Returns a `SecuredSandbox`** where every `exec()`, `writeFile()`, and `readFile()` is mediated
 
-Enforcement happens at the **syscall level** — seccomp intercepts process execution, FUSE intercepts file I/O, and a network proxy filters outbound connections. There's no way for the agent to bypass it from userspace.
+Enforcement happens at the **kernel level** — Landlock restricts filesystem access, a network proxy filters outbound connections, and the shell shim mediates every command. On platforms that support it, **seccomp** intercepts process execution and **FUSE** intercepts file I/O at the syscall level. On gVisor-based platforms (like Modal), **ptrace** provides equivalent enforcement by intercepting `execve`, `openat`, `connect`, and signal syscalls. There's no way for the agent to bypass it from userspace.
 
 | Capability | What It Does |
 |------------|-------------|
-| **seccomp** | Intercepts process execution at the syscall level — blocks `sudo`, `env`, `nc` before they run |
 | **Landlock** | Kernel-level filesystem restrictions — denies access to paths like `~/.ssh`, `~/.aws` |
-| **FUSE** | Virtual filesystem layer — intercepts every file open/read/write, enables soft-delete quarantine |
 | **Network Proxy** | Filters outbound connections by domain and port — blocks exfiltration to unauthorized hosts |
+| **Shell Shim** | Replaces `/bin/bash` — mediates every command through the policy engine |
+| **seccomp** | Intercepts process execution at the syscall level — blocks `sudo`, `env`, `nc` before they run (opt-in) |
+| **ptrace** | Syscall-level interception via `PTRACE_SEIZE` — enforces exec, file, network, and signal policies on gVisor platforms where seccomp user-notify is unavailable |
+| **FUSE** | Virtual filesystem layer — intercepts every file open/read/write, enables soft-delete quarantine (opt-in) |
 | **DLP** | Detects and redacts secrets (API keys, tokens) in command output |
 
 ## Supported Platforms
 
-| Provider | seccomp | Landlock | FUSE | Network Proxy | DLP | Security Mode |
-|----------|---------|----------|------|---------------|-----|---------------|
-| [**Vercel**](https://vercel.com/sandbox) | ✅ | ✅ | ❌ | ✅ | ✅ | `landlock` |
-| [**E2B**](https://e2b.dev/) | ✅ | ✅ | ✅ | ✅ | ✅ | `full` |
-| [**Daytona**](https://www.daytona.io/) | ✅ | ✅ | ✅ | ✅ | ✅ | `full` |
-| [**Cloudflare**](https://developers.cloudflare.com/containers/) | ✅ | ✅ | ❌ | ✅ | ✅ | `landlock` |
-| [**Blaxel**](https://blaxel.ai/sandbox) | ✅ | ✅ | ✅ | ✅ | ✅ | `full` |
+Every provider gets the same protections — the enforcement mechanism adapts to what the kernel supports:
+
+| Protection | Vercel | E2B | Daytona | Cloudflare | Blaxel | Sprites | Modal |
+|------------|--------|-----|---------|------------|--------|---------|-------|
+| **File access control** | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| **Network filtering** | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| **Command mediation** | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| **Secret filtering** | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| **Threat intelligence** | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+| **DLP** | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
+
+Different platforms use different kernel mechanisms to achieve these protections:
+
+| Provider | Primary Enforcement | Security Mode |
+|----------|-------------------|---------------|
+| [**Vercel**](https://vercel.com/sandbox) | Landlock + network proxy + shell shim | `landlock` |
+| [**E2B**](https://e2b.dev/) | Landlock + network proxy + shell shim | `full` |
+| [**Daytona**](https://www.daytona.io/) | Landlock + network proxy + shell shim | `full` |
+| [**Cloudflare**](https://developers.cloudflare.com/containers/) | Landlock + network proxy + shell shim | `landlock` |
+| [**Blaxel**](https://blaxel.ai/sandbox) | Landlock + network proxy + shell shim | `full` |
+| [**Sprites**](https://sprites.dev) | Landlock + network proxy + shell shim | `full` |
+| [**Modal**](https://modal.com) | ptrace (execve + openat + connect + signal) + network proxy | `ptrace` |
+
+> **Optional hardening:** seccomp and FUSE are available but disabled by default for compatibility. seccomp adds syscall-level command interception; FUSE adds a virtual filesystem layer with soft-delete quarantine. Enable via `serverConfig: { seccompDetails: { execve: true } }` or `serverConfig: { fuse: { deferred: true } }`.
+>
+> **Modal:** gVisor doesn't support seccomp user-notify or Landlock. ptrace provides equivalent enforcement by intercepting syscalls via `PTRACE_SEIZE`.
 
 ```typescript
 // E2B
@@ -131,6 +152,19 @@ const sandbox = await secureSandbox(adapters.cloudflare(getSandbox(env.Sandbox,
 // Blaxel
 import { SandboxInstance } from '@blaxel/core';
 const sandbox = await secureSandbox(adapters.blaxel(await SandboxInstance.create({ name: 'my-sandbox' })));
+
+// Sprites (Fly.io Firecracker microVMs)
+import { SpritesClient } from '@fly/sprites';
+import { sprites } from '@agentsh/secure-sandbox/adapters/sprites';
+const client = new SpritesClient(process.env.SPRITES_TOKEN);
+const sandbox = await secureSandbox(sprites(client.sprite('my-sprite')));
+
+// Modal (gVisor sandboxes with ptrace enforcement)
+import { modal, modalDefaults } from '@agentsh/secure-sandbox/adapters/modal';
+const sandbox = await secureSandbox(modal(modalSandbox), {
+  ...modalDefaults(),
+  // your overrides
+});
 ```
 
 ## Default Policy

package/dist/adapters/blaxel.d.ts

@@ -1,4 +1,4 @@
-import { S as SandboxAdapter } from '../types-CUqsllMs.js';
+import { S as SandboxAdapter } from '../types-DFMGk2GV.js';
 
 declare function blaxel(sandbox: any): SandboxAdapter;
 

package/dist/adapters/cloudflare.d.ts

@@ -1,4 +1,4 @@
-import { S as SandboxAdapter } from '../types-CUqsllMs.js';
+import { S as SandboxAdapter } from '../types-DFMGk2GV.js';
 
 declare function cloudflare(sandbox: any): SandboxAdapter;
 

package/dist/adapters/daytona.d.ts

@@ -1,4 +1,4 @@
-import { S as SandboxAdapter } from '../types-CUqsllMs.js';
+import { S as SandboxAdapter } from '../types-DFMGk2GV.js';
 
 declare function daytona(sandbox: any): SandboxAdapter;
 

package/dist/adapters/e2b.d.ts

@@ -1,4 +1,4 @@
-import { S as SandboxAdapter } from '../types-CUqsllMs.js';
+import { S as SandboxAdapter } from '../types-DFMGk2GV.js';
 
 declare function e2b(sandbox: any): SandboxAdapter;
 

package/dist/adapters/index.d.ts

@@ -3,4 +3,5 @@ export { e2b } from './e2b.js';
 export { daytona } from './daytona.js';
 export { cloudflare } from './cloudflare.js';
 export { blaxel } from './blaxel.js';
-import '../types-CUqsllMs.js';
+export { m as modal, a as modalDefaults, s as sprites, b as spritesDefaults } from '../index-TyzWAIUD.js';
+import '../types-DFMGk2GV.js';

package/dist/adapters/index.js

@@ -1,4 +1,9 @@
-import "../chunk-L4KFLVNU.js";
+import {
+  modal,
+  modalDefaults,
+  sprites,
+  spritesDefaults
+} from "../chunk-5IG6ABIZ.js";
 import {
   blaxel
 } from "../chunk-UYEAO27E.js";
@@ -15,12 +20,17 @@ import "../chunk-OANLKSOD.js";
 import {
   vercel
 } from "../chunk-JY5ERJTX.js";
+import "../chunk-LNDICGZU.js";
 import "../chunk-PZ5AY32C.js";
 export {
   blaxel,
   cloudflare,
   daytona,
   e2b,
+  modal,
+  modalDefaults,
+  sprites,
+  spritesDefaults,
   vercel
 };
 //# sourceMappingURL=index.js.map

package/dist/adapters/vercel.d.ts

@@ -1,4 +1,4 @@
-import { S as SandboxAdapter } from '../types-CUqsllMs.js';
+import { S as SandboxAdapter } from '../types-DFMGk2GV.js';
 
 declare function vercel(sandbox: any): SandboxAdapter;
 

package/dist/chunk-4FJHYLAB.js

@@ -0,0 +1,251 @@
+import {
+  PolicyDefinitionSchema,
+  agentDefault,
+  agentSandbox,
+  ciStrict,
+  devSafe,
+  merge,
+  mergePrepend,
+  validatePolicy
+} from "./chunk-LNDICGZU.js";
+import {
+  __export
+} from "./chunk-PZ5AY32C.js";
+
+// src/policies/index.ts
+var policies_exports = {};
+__export(policies_exports, {
+  PolicyDefinitionSchema: () => PolicyDefinitionSchema,
+  agentDefault: () => agentDefault,
+  agentSandbox: () => agentSandbox,
+  ciStrict: () => ciStrict,
+  devSafe: () => devSafe,
+  merge: () => merge,
+  mergePrepend: () => mergePrepend,
+  serializePolicy: () => serializePolicy,
+  systemPolicyYaml: () => systemPolicyYaml,
+  validatePolicy: () => validatePolicy
+});
+
+// src/policies/serialize.ts
+import yaml from "js-yaml";
+function toArray(value) {
+  return Array.isArray(value) ? value : [value];
+}
+var FILE_DECISION_KEYS = [
+  "allow",
+  "deny",
+  "redirect",
+  "audit",
+  "softDelete"
+];
+var SIMPLE_DECISION_KEYS = ["allow", "deny", "redirect"];
+function findDecision(rule, keys) {
+  for (const k of keys) {
+    if (k in rule) {
+      return { key: k, value: rule[k] };
+    }
+  }
+  throw new Error(`No decision key found in rule: ${JSON.stringify(rule)}`);
+}
+function yamlDecision(key) {
+  return key === "softDelete" ? "soft_delete" : key;
+}
+function serializeFileRules(rules) {
+  return rules.map((rule, i) => {
+    const r = rule;
+    const { key, value } = findDecision(r, FILE_DECISION_KEYS);
+    const paths = toArray(value);
+    const out = {
+      name: `file-rule-${i}`,
+      paths
+    };
+    if ("ops" in r && r.ops) {
+      out.operations = r.ops;
+    }
+    out.decision = yamlDecision(key);
+    if (key === "redirect" && "to" in r) {
+      out.redirect_to = r.to;
+    }
+    return out;
+  });
+}
+function serializeNetworkRules(rules) {
+  return rules.map((rule, i) => {
+    const r = rule;
+    const { key, value } = findDecision(r, SIMPLE_DECISION_KEYS);
+    const domains = toArray(value);
+    const out = {
+      name: `network-rule-${i}`,
+      domains,
+      decision: key
+    };
+    if ("ports" in r && r.ports) {
+      out.ports = r.ports;
+    }
+    if (key === "redirect" && "to" in r) {
+      out.redirect_to = r.to;
+    }
+    return out;
+  });
+}
+function serializeCommandRules(rules) {
+  return rules.map((rule, i) => {
+    const r = rule;
+    const { key, value } = findDecision(r, SIMPLE_DECISION_KEYS);
+    const commands = toArray(value);
+    const out = {
+      name: `command-rule-${i}`,
+      commands,
+      decision: key
+    };
+    if (key === "redirect" && "to" in r) {
+      const to = r.to;
+      if (typeof to === "string") {
+        out.redirect_to = to;
+      } else if (typeof to === "object" && to !== null) {
+        const target = to;
+        out.redirect_to = { command: target.cmd, args: target.args };
+      }
+    }
+    return out;
+  });
+}
+function serializeEnvRules(rules) {
+  return rules.map((rule, i) => {
+    const out = {
+      name: `env-rule-${i}`,
+      commands: rule.commands
+    };
+    if (rule.allow) {
+      out.allow = rule.allow;
+    }
+    if (rule.deny) {
+      out.deny = rule.deny;
+    }
+    return out;
+  });
+}
+function serializeDnsRedirects(redirects) {
+  return redirects.map((r) => ({
+    match: r.match,
+    resolve_to: r.resolveTo
+  }));
+}
+function serializeConnectRedirects(redirects) {
+  return redirects.map((r) => ({
+    match: r.match,
+    redirect_to: r.redirectTo
+  }));
+}
+function serializePackageRules(rules) {
+  return rules.map((rule) => {
+    const match = {};
+    if (rule.match.packages) {
+      match.packages = rule.match.packages;
+    }
+    if (rule.match.namePatterns) {
+      match.name_patterns = rule.match.namePatterns;
+    }
+    if (rule.match.findingType) {
+      match.finding_type = rule.match.findingType;
+    }
+    if (rule.match.severity !== void 0) {
+      match.severity = rule.match.severity;
+    }
+    if (rule.match.reasons) {
+      match.reasons = rule.match.reasons;
+    }
+    if (rule.match.licenseSpdx) {
+      match.license_spdx = rule.match.licenseSpdx;
+    }
+    if (rule.match.ecosystem) {
+      match.ecosystem = rule.match.ecosystem;
+    }
+    if (rule.match.options) {
+      match.options = rule.match.options;
+    }
+    const out = {
+      match,
+      action: rule.action
+    };
+    if (rule.reason) {
+      out.reason = rule.reason;
+    }
+    return out;
+  });
+}
+function serializePolicy(policy) {
+  const doc = {
+    version: 1,
+    name: "secure-sandbox-policy"
+  };
+  if (policy.file && policy.file.length > 0) {
+    doc.file_rules = serializeFileRules(policy.file);
+  }
+  if (policy.network && policy.network.length > 0) {
+    doc.network_rules = serializeNetworkRules(policy.network);
+  }
+  if (policy.commands && policy.commands.length > 0) {
+    doc.command_rules = serializeCommandRules(policy.commands);
+  }
+  if (policy.env && policy.env.length > 0) {
+    doc.env_rules = serializeEnvRules(policy.env);
+  }
+  if (policy.dns && policy.dns.length > 0) {
+    doc.dns_redirects = serializeDnsRedirects(policy.dns);
+  }
+  if (policy.connect && policy.connect.length > 0) {
+    doc.connect_redirects = serializeConnectRedirects(policy.connect);
+  }
+  if (policy.packageRules && policy.packageRules.length > 0) {
+    doc.package_rules = serializePackageRules(policy.packageRules);
+  }
+  return yaml.dump(doc, { lineWidth: -1 });
+}
+function systemPolicyYaml() {
+  const doc = {
+    version: 1,
+    name: "_system-protection",
+    file_rules: [
+      {
+        name: "_system-protect-config",
+        paths: ["/etc/agentsh/**"],
+        operations: ["write", "create", "delete"],
+        decision: "deny",
+        message: "Policy files are immutable during agent execution"
+      },
+      {
+        name: "_system-protect-binary",
+        paths: ["/usr/local/bin/agentsh*", "/usr/bin/agentsh*"],
+        operations: ["write", "create", "delete"],
+        decision: "deny",
+        message: "agentsh binary is immutable during agent execution"
+      },
+      {
+        name: "_system-protect-shim-files",
+        paths: ["/usr/bin/agentsh-shell-shim", "/bin/bash", "/bin/sh"],
+        operations: ["write", "create", "delete"],
+        decision: "deny",
+        message: "Shell and shim binaries are immutable during agent execution"
+      }
+    ],
+    command_rules: [
+      {
+        name: "_system-protect-process",
+        commands: ["kill", "killall", "pkill"],
+        args_match: ["agentsh"],
+        decision: "deny",
+        message: "Cannot terminate agentsh processes"
+      }
+    ]
+  };
+  return yaml.dump(doc, { lineWidth: -1 });
+}
+
+export {
+  serializePolicy,
+  systemPolicyYaml,
+  policies_exports
+};
+//# sourceMappingURL=chunk-4FJHYLAB.js.map

package/dist/chunk-4FJHYLAB.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/policies/index.ts","../src/policies/serialize.ts"],"sourcesContent":["export { PolicyDefinitionSchema, validatePolicy } from './schema.js';\nexport type { PolicyDefinition, FileRule, NetworkRule, CommandRule, EnvRule, DnsRedirect, ConnectRedirect } from './schema.js';\nexport { agentDefault, devSafe, ciStrict, agentSandbox } from './presets.js';\nexport { merge, mergePrepend } from './merge.js';\nexport { serializePolicy, systemPolicyYaml } from './serialize.js';\n","import yaml from 'js-yaml';\nimport type {\n  PolicyDefinition,\n  FileRule,\n  NetworkRule,\n  CommandRule,\n  EnvRule,\n  DnsRedirect,\n  ConnectRedirect,\n  PackageRule,\n} from './schema.js';\n\n// ─── Helpers ────────────────────────────────────────────────\n\n/** Normalize a string-or-array value to always be an array. */\nfunction toArray(value: string | string[]): string[] {\n  return Array.isArray(value) ? value : [value];\n}\n\n/** Detect the decision key from a rule object. */\ntype DecisionKey = 'allow' | 'deny' | 'redirect' | 'audit' | 'softDelete';\n\nconst FILE_DECISION_KEYS: DecisionKey[] = [\n  'allow',\n  'deny',\n  'redirect',\n  'audit',\n  'softDelete',\n];\n\nconst SIMPLE_DECISION_KEYS: DecisionKey[] = ['allow', 'deny', 'redirect'];\n\nfunction findDecision(\n  rule: Record<string, unknown>,\n  keys: DecisionKey[],\n): { key: DecisionKey; value: unknown } {\n  for (const k of keys) {\n    if (k in rule) {\n      return { key: k, value: rule[k] };\n    }\n  }\n  throw new Error(`No decision key found in rule: ${JSON.stringify(rule)}`);\n}\n\n/** Map softDelete → soft_delete for YAML output. */\nfunction yamlDecision(key: DecisionKey): string {\n  return key === 'softDelete' ? 'soft_delete' : key;\n}\n\n// ─── File rules ─────────────────────────────────────────────\n\nfunction serializeFileRules(rules: FileRule[]): Record<string, unknown>[] {\n  return rules.map((rule, i) => {\n    const r = rule as Record<string, unknown>;\n    const { key, value } = findDecision(r, FILE_DECISION_KEYS);\n    const paths = toArray(value as string | string[]);\n\n    const out: Record<string, unknown> = {\n      name: `file-rule-${i}`,\n      paths,\n    };\n\n    if ('ops' in r && r.ops) {\n      out.operations = r.ops;\n    }\n\n    out.decision = yamlDecision(key);\n\n    if (key === 'redirect' && 'to' in r) {\n      out.redirect_to = r.to;\n    }\n\n    return out;\n  });\n}\n\n// ─── Network rules ──────────────────────────────────────────\n\nfunction serializeNetworkRules(\n  rules: NetworkRule[],\n): Record<string, unknown>[] {\n  return rules.map((rule, i) => {\n    const r = rule as Record<string, unknown>;\n    const { key, value } = findDecision(r, SIMPLE_DECISION_KEYS);\n    const domains = toArray(value as string | string[]);\n\n    const out: Record<string, unknown> = {\n      name: `network-rule-${i}`,\n      domains,\n      decision: key,\n    };\n\n    if ('ports' in r && r.ports) {\n      out.ports = r.ports;\n    }\n\n    if (key === 'redirect' && 'to' in r) {\n      out.redirect_to = r.to;\n    }\n\n    return out;\n  });\n}\n\n// ─── Command rules ──────────────────────────────────────────\n\nfunction serializeCommandRules(\n  rules: CommandRule[],\n): Record<string, unknown>[] {\n  return rules.map((rule, i) => {\n    const r = rule as Record<string, unknown>;\n    const { key, value } = findDecision(r, SIMPLE_DECISION_KEYS);\n    const commands = toArray(value as string | string[]);\n\n    const out: Record<string, unknown> = {\n      name: `command-rule-${i}`,\n      commands,\n      decision: key,\n    };\n\n    if (key === 'redirect' && 'to' in r) {\n      const to = r.to;\n      if (typeof to === 'string') {\n        out.redirect_to = to;\n      } else if (typeof to === 'object' && to !== null) {\n        const target = to as { cmd: string; args: string[] };\n        out.redirect_to = { command: target.cmd, args: target.args };\n      }\n    }\n\n    return out;\n  });\n}\n\n// ─── Env rules ──────────────────────────────────────────────\n\nfunction serializeEnvRules(rules: EnvRule[]): Record<string, unknown>[] {\n  return rules.map((rule, i) => {\n    const out: Record<string, unknown> = {\n      name: `env-rule-${i}`,\n      commands: rule.commands,\n    };\n    if (rule.allow) {\n      out.allow = rule.allow;\n    }\n    if (rule.deny) {\n      out.deny = rule.deny;\n    }\n    return out;\n  });\n}\n\n// ─── DNS redirects ──────────────────────────────────────────\n\nfunction serializeDnsRedirects(\n  redirects: DnsRedirect[],\n): Record<string, unknown>[] {\n  return redirects.map((r) => ({\n    match: r.match,\n    resolve_to: r.resolveTo,\n  }));\n}\n\n// ─── Connect redirects ──────────────────────────────────────\n\nfunction serializeConnectRedirects(\n  redirects: ConnectRedirect[],\n): Record<string, unknown>[] {\n  return redirects.map((r) => ({\n    match: r.match,\n    redirect_to: r.redirectTo,\n  }));\n}\n\n// ─── Package rules ───────────────────────────────────────────\n\nfunction serializePackageRules(\n  rules: PackageRule[],\n): Record<string, unknown>[] {\n  return rules.map((rule) => {\n    const match: Record<string, unknown> = {};\n\n    if (rule.match.packages) {\n      match.packages = rule.match.packages;\n    }\n    if (rule.match.namePatterns) {\n      match.name_patterns = rule.match.namePatterns;\n    }\n    if (rule.match.findingType) {\n      match.finding_type = rule.match.findingType;\n    }\n    if (rule.match.severity !== undefined) {\n      match.severity = rule.match.severity;\n    }\n    if (rule.match.reasons) {\n      match.reasons = rule.match.reasons;\n    }\n    if (rule.match.licenseSpdx) {\n      match.license_spdx = rule.match.licenseSpdx;\n    }\n    if (rule.match.ecosystem) {\n      match.ecosystem = rule.match.ecosystem;\n    }\n    if (rule.match.options) {\n      match.options = rule.match.options;\n    }\n\n    const out: Record<string, unknown> = {\n      match,\n      action: rule.action,\n    };\n\n    if (rule.reason) {\n      out.reason = rule.reason;\n    }\n\n    return out;\n  });\n}\n\n// ─── Public API ─────────────────────────────────────────────\n\n/**\n * Converts a PolicyDefinition to agentsh YAML format.\n *\n * Omits empty categories from output.\n */\nexport function serializePolicy(policy: PolicyDefinition): string {\n  const doc: Record<string, unknown> = {\n    version: 1,\n    name: 'secure-sandbox-policy',\n  };\n\n  if (policy.file && policy.file.length > 0) {\n    doc.file_rules = serializeFileRules(policy.file);\n  }\n\n  if (policy.network && policy.network.length > 0) {\n    doc.network_rules = serializeNetworkRules(policy.network);\n  }\n\n  if (policy.commands && policy.commands.length > 0) {\n    doc.command_rules = serializeCommandRules(policy.commands);\n  }\n\n  if (policy.env && policy.env.length > 0) {\n    doc.env_rules = serializeEnvRules(policy.env);\n  }\n\n  if (policy.dns && policy.dns.length > 0) {\n    doc.dns_redirects = serializeDnsRedirects(policy.dns);\n  }\n\n  if (policy.connect && policy.connect.length > 0) {\n    doc.connect_redirects = serializeConnectRedirects(policy.connect);\n  }\n\n  if (policy.packageRules && policy.packageRules.length > 0) {\n    doc.package_rules = serializePackageRules(policy.packageRules);\n  }\n\n  return yaml.dump(doc, { lineWidth: -1 });\n}\n\n/**\n * Returns the fixed system policy YAML from the spec (Section 9.4).\n *\n * This static set of rules protects agentsh's own configuration, binaries,\n * and processes from tampering by the agent. These rules are written to a\n * separate system policy directory evaluated before user policy.\n */\nexport function systemPolicyYaml(): string {\n  const doc = {\n    version: 1,\n    name: '_system-protection',\n    file_rules: [\n      {\n        name: '_system-protect-config',\n        paths: ['/etc/agentsh/**'],\n        operations: ['write', 'create', 'delete'],\n        decision: 'deny',\n        message: 'Policy files are immutable during agent execution',\n      },\n      {\n        name: '_system-protect-binary',\n        paths: ['/usr/local/bin/agentsh*', '/usr/bin/agentsh*'],\n        operations: ['write', 'create', 'delete'],\n        decision: 'deny',\n        message: 'agentsh binary is immutable during agent execution',\n      },\n      {\n        name: '_system-protect-shim-files',\n        paths: ['/usr/bin/agentsh-shell-shim', '/bin/bash', '/bin/sh'],\n        operations: ['write', 'create', 'delete'],\n        decision: 'deny',\n        message: 'Shell and shim binaries are immutable during agent execution',\n      },\n    ],\n    command_rules: [\n      {\n        name: '_system-protect-process',\n        commands: ['kill', 'killall', 'pkill'],\n        args_match: ['agentsh'],\n        decision: 'deny',\n        message: 'Cannot terminate agentsh processes',\n      },\n    ],\n  };\n\n  return yaml.dump(doc, { lineWidth: -1 });\n}\n"],"mappings":";;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,OAAO,UAAU;AAejB,SAAS,QAAQ,OAAoC;AACnD,SAAO,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC,KAAK;AAC9C;AAKA,IAAM,qBAAoC;AAAA,EACxC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAEA,IAAM,uBAAsC,CAAC,SAAS,QAAQ,UAAU;AAExE,SAAS,aACP,MACA,MACsC;AACtC,aAAW,KAAK,MAAM;AACpB,QAAI,KAAK,MAAM;AACb,aAAO,EAAE,KAAK,GAAG,OAAO,KAAK,CAAC,EAAE;AAAA,IAClC;AAAA,EACF;AACA,QAAM,IAAI,MAAM,kCAAkC,KAAK,UAAU,IAAI,CAAC,EAAE;AAC1E;AAGA,SAAS,aAAa,KAA0B;AAC9C,SAAO,QAAQ,eAAe,gBAAgB;AAChD;AAIA,SAAS,mBAAmB,OAA8C;AACxE,SAAO,MAAM,IAAI,CAAC,MAAM,MAAM;AAC5B,UAAM,IAAI;AACV,UAAM,EAAE,KAAK,MAAM,IAAI,aAAa,GAAG,kBAAkB;AACzD,UAAM,QAAQ,QAAQ,KAA0B;AAEhD,UAAM,MAA+B;AAAA,MACnC,MAAM,aAAa,CAAC;AAAA,MACpB;AAAA,IACF;AAEA,QAAI,SAAS,KAAK,EAAE,KAAK;AACvB,UAAI,aAAa,EAAE;AAAA,IACrB;AAEA,QAAI,WAAW,aAAa,GAAG;AAE/B,QAAI,QAAQ,cAAc,QAAQ,GAAG;AACnC,UAAI,cAAc,EAAE;AAAA,IACtB;AAEA,WAAO;AAAA,EACT,CAAC;AACH;AAIA,SAAS,sBACP,OAC2B;AAC3B,SAAO,MAAM,IAAI,CAAC,MAAM,MAAM;AAC5B,UAAM,IAAI;AACV,UAAM,EAAE,KAAK,MAAM,IAAI,aAAa,GAAG,oBAAoB;AAC3D,UAAM,UAAU,QAAQ,KAA0B;AAElD,UAAM,MAA+B;AAAA,MACnC,MAAM,gBAAgB,CAAC;AAAA,MACvB;AAAA,MACA,UAAU;AAAA,IACZ;AAEA,QAAI,WAAW,KAAK,EAAE,OAAO;AAC3B,UAAI,QAAQ,EAAE;AAAA,IAChB;AAEA,QAAI,QAAQ,cAAc,QAAQ,GAAG;AACnC,UAAI,cAAc,EAAE;AAAA,IACtB;AAEA,WAAO;AAAA,EACT,CAAC;AACH;AAIA,SAAS,sBACP,OAC2B;AAC3B,SAAO,MAAM,IAAI,CAAC,MAAM,MAAM;AAC5B,UAAM,IAAI;AACV,UAAM,EAAE,KAAK,MAAM,IAAI,aAAa,GAAG,oBAAoB;AAC3D,UAAM,WAAW,QAAQ,KAA0B;AAEnD,UAAM,MAA+B;AAAA,MACnC,MAAM,gBAAgB,CAAC;AAAA,MACvB;AAAA,MACA,UAAU;AAAA,IACZ;AAEA,QAAI,QAAQ,cAAc,QAAQ,GAAG;AACnC,YAAM,KAAK,EAAE;AACb,UAAI,OAAO,OAAO,UAAU;AAC1B,YAAI,cAAc;AAAA,MACpB,WAAW,OAAO,OAAO,YAAY,OAAO,MAAM;AAChD,cAAM,SAAS;AACf,YAAI,cAAc,EAAE,SAAS,OAAO,KAAK,MAAM,OAAO,KAAK;AAAA,MAC7D;AAAA,IACF;AAEA,WAAO;AAAA,EACT,CAAC;AACH;AAIA,SAAS,kBAAkB,OAA6C;AACtE,SAAO,MAAM,IAAI,CAAC,MAAM,MAAM;AAC5B,UAAM,MAA+B;AAAA,MACnC,MAAM,YAAY,CAAC;AAAA,MACnB,UAAU,KAAK;AAAA,IACjB;AACA,QAAI,KAAK,OAAO;AACd,UAAI,QAAQ,KAAK;AAAA,IACnB;AACA,QAAI,KAAK,MAAM;AACb,UAAI,OAAO,KAAK;AAAA,IAClB;AACA,WAAO;AAAA,EACT,CAAC;AACH;AAIA,SAAS,sBACP,WAC2B;AAC3B,SAAO,UAAU,IAAI,CAAC,OAAO;AAAA,IAC3B,OAAO,EAAE;AAAA,IACT,YAAY,EAAE;AAAA,EAChB,EAAE;AACJ;AAIA,SAAS,0BACP,WAC2B;AAC3B,SAAO,UAAU,IAAI,CAAC,OAAO;AAAA,IAC3B,OAAO,EAAE;AAAA,IACT,aAAa,EAAE;AAAA,EACjB,EAAE;AACJ;AAIA,SAAS,sBACP,OAC2B;AAC3B,SAAO,MAAM,IAAI,CAAC,SAAS;AACzB,UAAM,QAAiC,CAAC;AAExC,QAAI,KAAK,MAAM,UAAU;AACvB,YAAM,WAAW,KAAK,MAAM;AAAA,IAC9B;AACA,QAAI,KAAK,MAAM,cAAc;AAC3B,YAAM,gBAAgB,KAAK,MAAM;AAAA,IACnC;AACA,QAAI,KAAK,MAAM,aAAa;AAC1B,YAAM,eAAe,KAAK,MAAM;AAAA,IAClC;AACA,QAAI,KAAK,MAAM,aAAa,QAAW;AACrC,YAAM,WAAW,KAAK,MAAM;AAAA,IAC9B;AACA,QAAI,KAAK,MAAM,SAAS;AACtB,YAAM,UAAU,KAAK,MAAM;AAAA,IAC7B;AACA,QAAI,KAAK,MAAM,aAAa;AAC1B,YAAM,eAAe,KAAK,MAAM;AAAA,IAClC;AACA,QAAI,KAAK,MAAM,WAAW;AACxB,YAAM,YAAY,KAAK,MAAM;AAAA,IAC/B;AACA,QAAI,KAAK,MAAM,SAAS;AACtB,YAAM,UAAU,KAAK,MAAM;AAAA,IAC7B;AAEA,UAAM,MAA+B;AAAA,MACnC;AAAA,MACA,QAAQ,KAAK;AAAA,IACf;AAEA,QAAI,KAAK,QAAQ;AACf,UAAI,SAAS,KAAK;AAAA,IACpB;AAEA,WAAO;AAAA,EACT,CAAC;AACH;AASO,SAAS,gBAAgB,QAAkC;AAChE,QAAM,MAA+B;AAAA,IACnC,SAAS;AAAA,IACT,MAAM;AAAA,EACR;AAEA,MAAI,OAAO,QAAQ,OAAO,KAAK,SAAS,GAAG;AACzC,QAAI,aAAa,mBAAmB,OAAO,IAAI;AAAA,EACjD;AAEA,MAAI,OAAO,WAAW,OAAO,QAAQ,SAAS,GAAG;AAC/C,QAAI,gBAAgB,sBAAsB,OAAO,OAAO;AAAA,EAC1D;AAEA,MAAI,OAAO,YAAY,OAAO,SAAS,SAAS,GAAG;AACjD,QAAI,gBAAgB,sBAAsB,OAAO,QAAQ;AAAA,EAC3D;AAEA,MAAI,OAAO,OAAO,OAAO,IAAI,SAAS,GAAG;AACvC,QAAI,YAAY,kBAAkB,OAAO,GAAG;AAAA,EAC9C;AAEA,MAAI,OAAO,OAAO,OAAO,IAAI,SAAS,GAAG;AACvC,QAAI,gBAAgB,sBAAsB,OAAO,GAAG;AAAA,EACtD;AAEA,MAAI,OAAO,WAAW,OAAO,QAAQ,SAAS,GAAG;AAC/C,QAAI,oBAAoB,0BAA0B,OAAO,OAAO;AAAA,EAClE;AAEA,MAAI,OAAO,gBAAgB,OAAO,aAAa,SAAS,GAAG;AACzD,QAAI,gBAAgB,sBAAsB,OAAO,YAAY;AAAA,EAC/D;AAEA,SAAO,KAAK,KAAK,KAAK,EAAE,WAAW,GAAG,CAAC;AACzC;AASO,SAAS,mBAA2B;AACzC,QAAM,MAAM;AAAA,IACV,SAAS;AAAA,IACT,MAAM;AAAA,IACN,YAAY;AAAA,MACV;AAAA,QACE,MAAM;AAAA,QACN,OAAO,CAAC,iBAAiB;AAAA,QACzB,YAAY,CAAC,SAAS,UAAU,QAAQ;AAAA,QACxC,UAAU;AAAA,QACV,SAAS;AAAA,MACX;AAAA,MACA;AAAA,QACE,MAAM;AAAA,QACN,OAAO,CAAC,2BAA2B,mBAAmB;AAAA,QACtD,YAAY,CAAC,SAAS,UAAU,QAAQ;AAAA,QACxC,UAAU;AAAA,QACV,SAAS;AAAA,MACX;AAAA,MACA;AAAA,QACE,MAAM;AAAA,QACN,OAAO,CAAC,+BAA+B,aAAa,SAAS;AAAA,QAC7D,YAAY,CAAC,SAAS,UAAU,QAAQ;AAAA,QACxC,UAAU;AAAA,QACV,SAAS;AAAA,MACX;AAAA,IACF;AAAA,IACA,eAAe;AAAA,MACb;AAAA,QACE,MAAM;AAAA,QACN,UAAU,CAAC,QAAQ,WAAW,OAAO;AAAA,QACrC,YAAY,CAAC,SAAS;AAAA,QACtB,UAAU;AAAA,QACV,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAEA,SAAO,KAAK,KAAK,KAAK,EAAE,WAAW,GAAG,CAAC;AACzC;","names":[]}