@agentsh/secure-sandbox 0.1.5 → 0.1.7

package/dist/index-TyzWAIUD.d.ts

@@ -0,0 +1,60 @@
+import { vercel } from './adapters/vercel.js';
+import { e2b } from './adapters/e2b.js';
+import { daytona } from './adapters/daytona.js';
+import { cloudflare } from './adapters/cloudflare.js';
+import { blaxel } from './adapters/blaxel.js';
+import { S as SandboxAdapter, a as SecureConfig } from './types-DFMGk2GV.js';
+
+declare function sprites(sprite: any): SandboxAdapter;
+/**
+ * Returns Sprites-optimized defaults for SecureConfig.
+ * Spread into your secureSandbox() call:
+ *
+ *   secureSandbox(sprites(s), { ...spritesDefaults(), ...yourOverrides })
+ */
+declare function spritesDefaults(): Partial<SecureConfig>;
+
+/**
+ * Wraps a Modal Sandbox object into a SandboxAdapter.
+ *
+ * Modal sandboxes run on gVisor which lacks seccomp user-notify and
+ * full FUSE support. Use `modalDefaults()` to get ptrace-optimized
+ * configuration that works on gVisor.
+ *
+ * The `sandbox` parameter is typed as `any` to avoid a hard dependency
+ * on the Modal SDK — pass any object whose `.exec()` accepts variadic
+ * string arguments and returns a process with `.stdout.read()`,
+ * `.stderr.read()`, `.returncode`, and `.wait()`.
+ */
+declare function modal(sandbox: any): SandboxAdapter;
+/**
+ * Returns Modal-optimized defaults for SecureConfig.
+ *
+ * Key differences from other providers:
+ * - ptrace enabled (gVisor blocks seccomp user-notify)
+ * - seccomp_prefilter disabled (gVisor blocks BPF injection)
+ * - FUSE deferred (may not be available on gVisor)
+ * - unix_sockets disabled (mutually exclusive with ptrace)
+ * - cgroups disabled (Modal handles resource limits)
+ * - allow_degraded enabled (graceful fallback for FUSE/seccomp)
+ *
+ * Spread into your secureSandbox() call:
+ *
+ *   secureSandbox(modal(sb), { ...modalDefaults(), ...yourOverrides })
+ */
+declare function modalDefaults(): Partial<SecureConfig>;
+
+declare const index_blaxel: typeof blaxel;
+declare const index_cloudflare: typeof cloudflare;
+declare const index_daytona: typeof daytona;
+declare const index_e2b: typeof e2b;
+declare const index_modal: typeof modal;
+declare const index_modalDefaults: typeof modalDefaults;
+declare const index_sprites: typeof sprites;
+declare const index_spritesDefaults: typeof spritesDefaults;
+declare const index_vercel: typeof vercel;
+declare namespace index {
+  export { index_blaxel as blaxel, index_cloudflare as cloudflare, index_daytona as daytona, index_e2b as e2b, index_modal as modal, index_modalDefaults as modalDefaults, index_sprites as sprites, index_spritesDefaults as spritesDefaults, index_vercel as vercel };
+}
+
+export { modalDefaults as a, spritesDefaults as b, index as i, modal as m, sprites as s };

package/dist/index.d.ts

@@ -1,8 +1,8 @@
-import { S as SandboxAdapter, a as SecureConfig, b as SecuredSandbox, T as ThreatFeedsConfig } from './types-CUqsllMs.js';
-export { E as ExecResult, I as InstallStrategy, L as LicenseSpdxMatch, P as PackageChecksConfig, c as PackageMatch, d as PackageRule, e as ProviderConfig, R as ReadFileResult, f as SecurityMode, g as ThreatFeed, W as WriteFileResult } from './types-CUqsllMs.js';
-export { P as PolicyDefinition, i as policies } from './index-Nmlhw9oj.js';
+import { S as SandboxAdapter, a as SecureConfig, b as SecuredSandbox } from './types-DFMGk2GV.js';
+export { E as ExecResult, I as InstallStrategy, L as LicenseSpdxMatch, P as PackageChecksConfig, c as PackageMatch, d as PackageRule, e as ProviderConfig, R as ReadFileResult, f as SecurityMode, T as ThreatFeed, g as ThreatFeedsConfig, W as WriteFileResult, h as defaultThreatFeeds } from './types-DFMGk2GV.js';
+export { P as PolicyDefinition, i as policies } from './index-CedRtlB6.js';
 import { ZodIssue } from 'zod';
-export { i as adapters } from './index-aQ1TVPtG.js';
+export { i as adapters } from './index-TyzWAIUD.js';
 import './adapters/vercel.js';
 import './adapters/e2b.js';
 import './adapters/daytona.js';
@@ -11,12 +11,6 @@ import './adapters/blaxel.js';
 
 declare function secureSandbox(adapter: SandboxAdapter, config?: SecureConfig): Promise<SecuredSandbox>;
 
-/**
- * Default threat feeds: URLhaus (malware) + Phishing.Database (phishing).
- * Both are free, open source, and updated frequently.
- */
-declare const defaultThreatFeeds: ThreatFeedsConfig;
-
 declare class AgentSHError extends Error {
     constructor(message: string);
 }
@@ -74,4 +68,4 @@ declare class RuntimeError extends AgentSHError {
     });
 }
 
-export { AgentSHError, IncompatibleProviderVersionError, IntegrityError, MissingPeerDependencyError, PolicyValidationError, ProvisioningError, RuntimeError, SandboxAdapter, SecureConfig, SecuredSandbox, ThreatFeedsConfig, defaultThreatFeeds, secureSandbox };
+export { AgentSHError, IncompatibleProviderVersionError, IntegrityError, MissingPeerDependencyError, PolicyValidationError, ProvisioningError, RuntimeError, SandboxAdapter, SecureConfig, SecuredSandbox, secureSandbox };

package/dist/index.js

@@ -1,12 +1,17 @@
 import {
   adapters_exports
-} from "./chunk-L4KFLVNU.js";
+} from "./chunk-5IG6ABIZ.js";
 import "./chunk-UYEAO27E.js";
 import "./chunk-LMN3KM53.js";
 import "./chunk-45FKFVMC.js";
 import "./chunk-2P37YGN7.js";
 import "./chunk-OANLKSOD.js";
 import "./chunk-JY5ERJTX.js";
+import {
+  policies_exports,
+  serializePolicy,
+  systemPolicyYaml
+} from "./chunk-4FJHYLAB.js";
 import {
   AgentSHError,
   IncompatibleProviderVersionError,
@@ -16,23 +21,20 @@ import {
   ProvisioningError,
   RuntimeError,
   agentDefault,
-  policies_exports,
-  serializePolicy,
-  systemPolicyYaml,
   validatePolicy
-} from "./chunk-GFPHTJLU.js";
+} from "./chunk-LNDICGZU.js";
 import "./chunk-PZ5AY32C.js";
 
 // src/core/integrity.ts
-var PINNED_VERSION = "0.15.0";
+var PINNED_VERSION = "0.16.2";
 var CHECKSUMS = {
+  "0.16.2": {
+    linux_amd64: "7ff357066a61694626d4c19afa92fdf368318bced9be90391cc2f3808976f995",
+    linux_arm64: "a48b3e4a60804cca98326619a68409e8ee83556d69ee2cf5d574e4361e0c19c6"
+  },
   "0.15.0": {
     linux_amd64: "89f7ebbfd75ffd961245ec62b2602fd0cc387740502ac858dbc39c367c5699c5",
     linux_arm64: "3fabbd749f9e98fb9f96ddfc94c389a6868cda7ed3668daa8440c39ceec85f3b"
-  },
-  "0.14.0": {
-    linux_amd64: "2ab8ba0d6637fe1a5badf840c3db197161a6f9865d721ed216029d229b1b9bbc",
-    linux_arm64: "929d18dd9fe36e9b2fa830d7ae64b4fb481853e743ade8674fcfcdc73470ed53"
   }
 };
 function getChecksum(version, arch, override) {
@@ -128,14 +130,151 @@ function generateServerConfig(opts) {
     },
     sandbox: {
       enabled: true,
-      allow_degraded: true,
-      fuse: { enabled: true },
+      allow_degraded: opts.allowDegraded ?? true,
+      // FUSE disabled by default: when agentsh server runs as root and exec
+      // users are non-root (e.g. E2B, Daytona), the FUSE workspace-mnt is
+      // inaccessible to non-root users causing exec to fail with exit code 2.
+      // File policy is still enforced via landlock. Enable FUSE
+      // explicitly via serverConfig: { fuse: { enabled: true } } if needed.
+      fuse: { enabled: false },
       network: { enabled: true },
-      seccomp: { enabled: true }
+      // Seccomp NOTIFY disabled by default: many container environments
+      // (Daytona, E2B custom images) restrict the seccomp() syscall via their
+      // container seccomp profile, causing "install seccomp filter: operation
+      // canceled" on every exec. Policy is still enforced via landlock and
+      // network rules. When ptrace is enabled, seccomp is also incompatible.
+      seccomp: { enabled: false }
     }
   };
   if (opts.watchtower) config.watchtower = opts.watchtower;
-  if (opts.realPaths) config.sessions = { real_paths: true };
+  if (opts.grpc) {
+    config.server.grpc = { enabled: true, addr: opts.grpc.addr };
+  }
+  if (opts.serverTimeouts) {
+    const http = config.server.http;
+    if (opts.serverTimeouts.readTimeout) http.read_timeout = opts.serverTimeouts.readTimeout;
+    if (opts.serverTimeouts.writeTimeout) http.write_timeout = opts.serverTimeouts.writeTimeout;
+    if (opts.serverTimeouts.maxRequestSize) http.max_request_size = opts.serverTimeouts.maxRequestSize;
+  }
+  if (opts.logging) config.logging = { ...opts.logging };
+  const sessionsObj = {
+    // Default sessions to a writable location outside /etc/agentsh (which is
+    // locked to 555/444 during provisioning). v0.16.2+ resolves workspace mount
+    // symlinks inside the sessions dir, which requires write access.
+    base_dir: "/var/lib/agentsh/sessions"
+  };
+  if (opts.realPaths) sessionsObj.real_paths = true;
+  if (opts.sessions) {
+    if (opts.sessions.baseDir) sessionsObj.base_dir = opts.sessions.baseDir;
+    if (opts.sessions.maxSessions !== void 0) sessionsObj.max_sessions = opts.sessions.maxSessions;
+    if (opts.sessions.defaultTimeout) sessionsObj.default_timeout = opts.sessions.defaultTimeout;
+    if (opts.sessions.idleTimeout) sessionsObj.idle_timeout = opts.sessions.idleTimeout;
+    if (opts.sessions.cleanupInterval) sessionsObj.cleanup_interval = opts.sessions.cleanupInterval;
+  }
+  if (Object.keys(sessionsObj).length > 0) config.sessions = sessionsObj;
+  if (opts.audit) {
+    const auditObj = {};
+    if (opts.audit.enabled !== void 0) auditObj.enabled = opts.audit.enabled;
+    if (opts.audit.sqlitePath) auditObj.sqlite_path = opts.audit.sqlitePath;
+    config.audit = auditObj;
+  }
+  if (opts.sandboxLimits) {
+    config.sandbox.limits = {
+      ...opts.sandboxLimits.maxMemoryMb !== void 0 && { max_memory_mb: opts.sandboxLimits.maxMemoryMb },
+      ...opts.sandboxLimits.maxCpuPercent !== void 0 && { max_cpu_percent: opts.sandboxLimits.maxCpuPercent },
+      ...opts.sandboxLimits.maxProcesses !== void 0 && { max_processes: opts.sandboxLimits.maxProcesses }
+    };
+  }
+  if (opts.fuse) {
+    const fuseObj = config.sandbox.fuse;
+    if (opts.fuse.deferred !== void 0) fuseObj.deferred = opts.fuse.deferred;
+    if (opts.fuse.deferredMarkerFile) fuseObj.deferred_marker_file = opts.fuse.deferredMarkerFile;
+    if (opts.fuse.deferredEnableCommand) fuseObj.deferred_enable_command = opts.fuse.deferredEnableCommand;
+  }
+  if (opts.networkIntercept) {
+    const net = config.sandbox.network;
+    if (opts.networkIntercept.interceptMode) net.intercept_mode = opts.networkIntercept.interceptMode;
+    if (opts.networkIntercept.proxyListenAddr) net.proxy_listen_addr = opts.networkIntercept.proxyListenAddr;
+  }
+  if (opts.seccompDetails) {
+    const sec = config.sandbox.seccomp;
+    if (!opts.ptrace?.enabled) sec.enabled = true;
+    if (opts.seccompDetails.execve !== void 0) sec.execve = opts.seccompDetails.execve;
+    if (opts.seccompDetails.fileMonitor) {
+      sec.file_monitor = {
+        ...opts.seccompDetails.fileMonitor.enabled !== void 0 && { enabled: opts.seccompDetails.fileMonitor.enabled },
+        ...opts.seccompDetails.fileMonitor.enforceWithoutFuse !== void 0 && { enforce_without_fuse: opts.seccompDetails.fileMonitor.enforceWithoutFuse }
+      };
+    }
+  }
+  if (opts.cgroups) {
+    config.sandbox.cgroups = { ...opts.cgroups };
+  }
+  if (opts.unixSockets) {
+    config.sandbox.unix_sockets = { ...opts.unixSockets };
+  }
+  if (opts.ptrace) {
+    const ptraceObj = {};
+    if (opts.ptrace.enabled !== void 0) ptraceObj.enabled = opts.ptrace.enabled;
+    if (opts.ptrace.attachMode) ptraceObj.attach_mode = opts.ptrace.attachMode;
+    if (opts.ptrace.maskTracerPid) ptraceObj.mask_tracer_pid = opts.ptrace.maskTracerPid;
+    if (opts.ptrace.trace) {
+      const traceObj = {};
+      if (opts.ptrace.trace.execve !== void 0) traceObj.execve = opts.ptrace.trace.execve;
+      if (opts.ptrace.trace.file !== void 0) traceObj.file = opts.ptrace.trace.file;
+      if (opts.ptrace.trace.network !== void 0) traceObj.network = opts.ptrace.trace.network;
+      if (opts.ptrace.trace.signal !== void 0) traceObj.signal = opts.ptrace.trace.signal;
+      ptraceObj.trace = traceObj;
+    }
+    if (opts.ptrace.performance) {
+      const perfObj = {};
+      if (opts.ptrace.performance.seccompPrefilter !== void 0) perfObj.seccomp_prefilter = opts.ptrace.performance.seccompPrefilter;
+      if (opts.ptrace.performance.maxTracees !== void 0) perfObj.max_tracees = opts.ptrace.performance.maxTracees;
+      if (opts.ptrace.performance.maxHoldMs !== void 0) perfObj.max_hold_ms = opts.ptrace.performance.maxHoldMs;
+      ptraceObj.performance = perfObj;
+    }
+    if (opts.ptrace.onAttachFailure) ptraceObj.on_attach_failure = opts.ptrace.onAttachFailure;
+    config.sandbox.ptrace = ptraceObj;
+  }
+  if (opts.envInject) {
+    config.sandbox.env_inject = { ...opts.envInject };
+  }
+  if (opts.proxy) {
+    config.proxy = { ...opts.proxy };
+  }
+  if (opts.dlp) {
+    const dlpObj = {};
+    if (opts.dlp.mode) dlpObj.mode = opts.dlp.mode;
+    if (opts.dlp.patterns) dlpObj.patterns = opts.dlp.patterns;
+    if (opts.dlp.customPatterns) {
+      dlpObj.custom_patterns = opts.dlp.customPatterns.map((p) => ({
+        name: p.name,
+        display: p.display,
+        regex: p.regex
+      }));
+    }
+    config.dlp = dlpObj;
+  }
+  if (opts.policiesOverride) {
+    config.policies = {
+      ...opts.policiesOverride.dir && { dir: opts.policiesOverride.dir },
+      ...opts.policiesOverride.defaultPolicy && { default: opts.policiesOverride.defaultPolicy }
+    };
+  }
+  if (opts.approvals) config.approvals = { ...opts.approvals };
+  if (opts.metrics) config.metrics = { ...opts.metrics };
+  if (opts.health) {
+    const healthObj = {};
+    if (opts.health.path) healthObj.path = opts.health.path;
+    if (opts.health.readinessPath) healthObj.readiness_path = opts.health.readinessPath;
+    config.health = healthObj;
+  }
+  if (opts.development) {
+    const devObj = {};
+    if (opts.development.disableAuth !== void 0) devObj.disable_auth = opts.development.disableAuth;
+    if (opts.development.verboseErrors !== void 0) devObj.verbose_errors = opts.development.verboseErrors;
+    config.development = devObj;
+  }
   const feeds = opts.threatFeeds === false ? void 0 : opts.threatFeeds ?? defaultThreatFeeds;
   if (feeds) {
     config.threat_feeds = {
@@ -195,7 +334,8 @@ async function getTraceparent() {
 
 // src/core/provision.ts
 var SECURITY_MODE_RANK = {
-  full: 4,
+  full: 5,
+  ptrace: 4,
   landlock: 3,
   "landlock-only": 2,
   minimal: 1
@@ -240,13 +380,23 @@ async function provision(adapter, config = {}) {
     traceParent,
     policyName = "policy",
     threatFeeds,
-    packageChecks
+    packageChecks,
+    skipShim = false,
+    serverConfig: extendedConfig
   } = config;
   const policy = rawPolicy ? validatePolicy(rawPolicy) : agentDefault();
   let securityMode = "full";
   if (installStrategy === "running") {
     await healthCheck(adapter);
-    securityMode = config.securityMode ?? "full";
+    if (config.securityMode) {
+      securityMode = config.securityMode;
+    } else if (minimumSecurityMode) {
+      throw new ProvisioningError({
+        phase: "install",
+        command: "securityMode check",
+        stderr: `Cannot verify security mode in 'running' strategy \u2014 set securityMode explicitly when using minimumSecurityMode`
+      });
+    }
     if (minimumSecurityMode && isWeakerThan(securityMode, minimumSecurityMode)) {
       throw new ProvisioningError({
         phase: "install",
@@ -278,7 +428,15 @@ async function provision(adapter, config = {}) {
       });
     }
   } else if (installStrategy === "download" || installStrategy === "upload") {
-    if (!exists) {
+    let needsInstall = !exists;
+    if (exists && agentshVersion !== "skip-version-check") {
+      const versionResult = await adapter.exec("agentsh", ["--version"]);
+      const installedVersion = versionResult.stdout.trim().replace(/^v/, "");
+      if (!installedVersion.startsWith(agentshVersion)) {
+        needsInstall = true;
+      }
+    }
+    if (needsInstall) {
       const arch = archOverride ?? await detectArch(adapter);
       if (installStrategy === "download") {
         await downloadBinary(adapter, agentshVersion, arch, agentshBinaryUrl);
@@ -323,28 +481,29 @@ async function provision(adapter, config = {}) {
       stderr: `Detected security mode '${securityMode}' is weaker than required '${minimumSecurityMode}'`
     });
   }
-  const hasFuse = securityMode === "full" || securityMode === "landlock";
-  const realPaths = realPathsOverride ?? hasFuse;
-  const shimResult = await adapter.exec(
-    "agentsh",
-    [
-      "shim",
-      "install-shell",
-      "--root",
-      "/",
-      "--shim",
-      "/usr/bin/agentsh-shell-shim",
-      "--bash",
-      "--i-understand-this-modifies-the-host"
-    ],
-    { sudo: true }
-  );
-  if (shimResult.exitCode !== 0) {
-    throw new ProvisioningError({
-      phase: "install",
-      command: "agentsh shim install-shell",
-      stderr: shimResult.stderr
-    });
+  const realPaths = realPathsOverride ?? false;
+  if (!skipShim) {
+    const shimResult = await adapter.exec(
+      "agentsh",
+      [
+        "shim",
+        "install-shell",
+        "--root",
+        "/",
+        "--shim",
+        "/usr/bin/agentsh-shell-shim",
+        "--bash",
+        "--i-understand-this-modifies-the-host"
+      ],
+      { sudo: true }
+    );
+    if (shimResult.exitCode !== 0) {
+      throw new ProvisioningError({
+        phase: "install",
+        command: "agentsh shim install-shell",
+        stderr: shimResult.stderr
+      });
+    }
   }
   const mkdirResult = await adapter.exec(
     "mkdir",
@@ -373,7 +532,8 @@ async function provision(adapter, config = {}) {
     watchtower,
     realPaths,
     threatFeeds,
-    packageChecks
+    packageChecks,
+    ...extendedConfig
   });
   await adapter.writeFile("/etc/agentsh/config.yml", serverConfig, {
     sudo: true
@@ -414,7 +574,12 @@ async function provision(adapter, config = {}) {
       stderr: chownResult.stderr
     });
   }
-  await adapter.exec("mkdir", ["-p", workspace], { sudo: true });
+  await adapter.exec("mkdir", ["-p", workspace, "/var/lib/agentsh/sessions"], { sudo: true });
+  await adapter.exec("chmod", ["755", "/var/lib/agentsh", "/var/lib/agentsh/sessions"], { sudo: true });
+  await adapter.exec("sh", [
+    "-c",
+    'grep -q user_allow_other /etc/fuse.conf 2>/dev/null || echo "user_allow_other" >> /etc/fuse.conf'
+  ], { sudo: true });
   const serverResult = await adapter.exec(
     "agentsh",
     ["server", "--config", "/etc/agentsh/config.yml"],
@@ -459,6 +624,7 @@ async function provision(adapter, config = {}) {
       });
     }
   }
+  await adapter.exec("chmod", ["-R", "755", "/var/lib/agentsh/sessions/"], { sudo: true });
   const effectiveTraceParent = traceParent ?? await getTraceparent();
   if (effectiveTraceParent) {
     await adapter.exec("curl", [
@@ -605,7 +771,7 @@ async function detectSecurityMode(adapter) {
     });
   }
   const mode = parsed.security_mode;
-  const validModes = ["full", "landlock", "landlock-only", "minimal"];
+  const validModes = ["full", "ptrace", "landlock", "landlock-only", "minimal"];
   if (!validModes.includes(mode)) {
     throw new ProvisioningError({
       phase: "install",