@agentsh/secure-sandbox 0.1.6 → 0.1.7

package/dist/chunk-KXCR2ZML.js

@@ -1,129 +0,0 @@
-import {
-  blaxel
-} from "./chunk-UYEAO27E.js";
-import {
-  cloudflare
-} from "./chunk-LMN3KM53.js";
-import {
-  daytona
-} from "./chunk-45FKFVMC.js";
-import {
-  e2b
-} from "./chunk-2P37YGN7.js";
-import {
-  envPrefix,
-  shellEscape
-} from "./chunk-OANLKSOD.js";
-import {
-  vercel
-} from "./chunk-JY5ERJTX.js";
-import {
-  __export
-} from "./chunk-PZ5AY32C.js";
-
-// src/adapters/index.ts
-var adapters_exports = {};
-__export(adapters_exports, {
-  blaxel: () => blaxel,
-  cloudflare: () => cloudflare,
-  daytona: () => daytona,
-  e2b: () => e2b,
-  sprites: () => sprites,
-  spritesDefaults: () => spritesDefaults,
-  vercel: () => vercel
-});
-
-// src/adapters/sprites.ts
-function sprites(sprite) {
-  function sh(cmd, opts) {
-    if (opts) return sprite.execFile("sh", ["-c", cmd], opts);
-    return sprite.execFile("sh", ["-c", cmd]);
-  }
-  return {
-    async exec(cmd, args, opts) {
-      const command = `${envPrefix(opts?.env)}${shellEscape(cmd, args)}`;
-      const fullCmd = opts?.sudo ? `sudo ${command}` : command;
-      try {
-        if (opts?.detached) {
-          sh(`nohup ${fullCmd} > /dev/null 2>&1 &`).catch(() => {
-          });
-          return { stdout: "", stderr: "", exitCode: 0 };
-        }
-        const result = await sh(fullCmd, { cwd: opts?.cwd });
-        return {
-          stdout: result.stdout ?? "",
-          stderr: result.stderr ?? "",
-          exitCode: 0
-        };
-      } catch (err) {
-        return {
-          stdout: err.stdout ?? "",
-          stderr: err.stderr ?? err.message ?? "",
-          exitCode: err.exitCode ?? err.code ?? 1
-        };
-      }
-    },
-    async writeFile(path, content) {
-      const buf = Buffer.isBuffer(content) ? content : Buffer.from(content);
-      const b64 = buf.toString("base64");
-      try {
-        await sh(`printf '%s' '${b64}' | base64 -d > '${path.replace(/'/g, "'\\''")}'`);
-      } catch (err) {
-        throw new Error(`writeFile failed (exit ${err.exitCode ?? err.code ?? 1}): ${err.stderr ?? err.message ?? ""}`);
-      }
-    },
-    async readFile(path) {
-      try {
-        const result = await sh(`cat '${path.replace(/'/g, "'\\''")}'`);
-        return result.stdout ?? "";
-      } catch (err) {
-        throw new Error(`readFile failed (exit ${err.exitCode ?? err.code ?? 1}): ${err.stderr ?? err.message ?? ""}`);
-      }
-    },
-    async stop() {
-      await sprite.delete();
-    }
-  };
-}
-function spritesDefaults() {
-  const serverConfig = {
-    grpc: { addr: "0.0.0.0:50051" },
-    logging: { level: "info", format: "json", output: "stdout" },
-    sessions: {
-      defaultTimeout: "30m",
-      idleTimeout: "10m",
-      cleanupInterval: "5m"
-    },
-    audit: { enabled: true, sqlitePath: "/var/lib/agentsh/audit.db" },
-    sandboxLimits: { maxMemoryMb: 512, maxCpuPercent: 90, maxProcesses: 100 },
-    fuse: { deferred: true },
-    networkIntercept: { interceptMode: "tproxy", proxyListenAddr: "127.0.0.1:8888" },
-    seccompDetails: {
-      execve: true,
-      fileMonitor: { enabled: true, enforceWithoutFuse: true }
-    },
-    cgroups: { enabled: true },
-    unixSockets: { enabled: true },
-    proxy: { mode: "mitm", port: 8080 },
-    dlp: {
-      mode: "redact",
-      patterns: { credit_card: true, ssn: true, api_key: true }
-    },
-    approvals: { enabled: false },
-    metrics: { enabled: true, path: "/metrics" },
-    health: { path: "/healthz", readinessPath: "/readyz" },
-    development: { disableAuth: false, verboseErrors: false }
-  };
-  return {
-    installStrategy: "preinstalled",
-    realPaths: true,
-    serverConfig
-  };
-}
-
-export {
-  sprites,
-  spritesDefaults,
-  adapters_exports
-};
-//# sourceMappingURL=chunk-KXCR2ZML.js.map

package/dist/chunk-KXCR2ZML.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/adapters/index.ts","../src/adapters/sprites.ts"],"sourcesContent":["export { vercel } from './vercel.js';\nexport { e2b } from './e2b.js';\nexport { daytona } from './daytona.js';\nexport { cloudflare } from './cloudflare.js';\nexport { blaxel } from './blaxel.js';\nexport { sprites, spritesDefaults } from './sprites.js';\n","import type { SandboxAdapter, SecureConfig } from '../core/types.js';\nimport type { ServerConfigOpts } from '../core/config.js';\nimport { shellEscape, envPrefix } from '../core/shell.js';\n\nexport function sprites(sprite: any): SandboxAdapter {\n  // sprite.exec() does a naive split(/\\s+/) — no shell parsing.\n  // Use sprite.execFile('sh', ['-c', cmd]) for shell features (env, pipes, quotes).\n  function sh(cmd: string, opts?: Record<string, unknown>) {\n    if (opts) return sprite.execFile('sh', ['-c', cmd], opts);\n    return sprite.execFile('sh', ['-c', cmd]);\n  }\n\n  return {\n    async exec(cmd, args, opts) {\n      const command = `${envPrefix(opts?.env)}${shellEscape(cmd, args)}`;\n      const fullCmd = opts?.sudo ? `sudo ${command}` : command;\n\n      try {\n        if (opts?.detached) {\n          sh(`nohup ${fullCmd} > /dev/null 2>&1 &`).catch(() => {});\n          return { stdout: '', stderr: '', exitCode: 0 };\n        }\n\n        const result = await sh(fullCmd, { cwd: opts?.cwd });\n        return {\n          stdout: result.stdout ?? '',\n          stderr: result.stderr ?? '',\n          exitCode: 0,\n        };\n      } catch (err: any) {\n        return {\n          stdout: err.stdout ?? '',\n          stderr: err.stderr ?? err.message ?? '',\n          exitCode: err.exitCode ?? err.code ?? 1,\n        };\n      }\n    },\n    async writeFile(path, content) {\n      const buf = Buffer.isBuffer(content) ? content : Buffer.from(content);\n      const b64 = buf.toString('base64');\n      try {\n        await sh(`printf '%s' '${b64}' | base64 -d > '${path.replace(/'/g, \"'\\\\''\")}'`);\n      } catch (err: any) {\n        throw new Error(`writeFile failed (exit ${err.exitCode ?? err.code ?? 1}): ${err.stderr ?? err.message ?? ''}`);\n      }\n    },\n    async readFile(path) {\n      try {\n        const result = await sh(`cat '${path.replace(/'/g, \"'\\\\''\")}'`);\n        return result.stdout ?? '';\n      } catch (err: any) {\n        throw new Error(`readFile failed (exit ${err.exitCode ?? err.code ?? 1}): ${err.stderr ?? err.message ?? ''}`);\n      }\n    },\n    async stop() {\n      await sprite.delete();\n    },\n  };\n}\n\n/**\n * Returns Sprites-optimized defaults for SecureConfig.\n * Spread into your secureSandbox() call:\n *\n *   secureSandbox(sprites(s), { ...spritesDefaults(), ...yourOverrides })\n */\nexport function spritesDefaults(): Partial<SecureConfig> {\n  const serverConfig: Omit<ServerConfigOpts, 'watchtower' | 'realPaths' | 'threatFeeds' | 'packageChecks'> = {\n    grpc: { addr: '0.0.0.0:50051' },\n    logging: { level: 'info', format: 'json', output: 'stdout' },\n    sessions: {\n      defaultTimeout: '30m',\n      idleTimeout: '10m',\n      cleanupInterval: '5m',\n    },\n    audit: { enabled: true, sqlitePath: '/var/lib/agentsh/audit.db' },\n    sandboxLimits: { maxMemoryMb: 512, maxCpuPercent: 90, maxProcesses: 100 },\n    fuse: { deferred: true },\n    networkIntercept: { interceptMode: 'tproxy', proxyListenAddr: '127.0.0.1:8888' },\n    seccompDetails: {\n      execve: true,\n      fileMonitor: { enabled: true, enforceWithoutFuse: true },\n    },\n    cgroups: { enabled: true },\n    unixSockets: { enabled: true },\n    proxy: { mode: 'mitm', port: 8080 },\n    dlp: {\n      mode: 'redact',\n      patterns: { credit_card: true, ssn: true, api_key: true },\n    },\n    approvals: { enabled: false },\n    metrics: { enabled: true, path: '/metrics' },\n    health: { path: '/healthz', readinessPath: '/readyz' },\n    development: { disableAuth: false, verboseErrors: false },\n  };\n\n  return {\n    installStrategy: 'preinstalled',\n    realPaths: true,\n    serverConfig,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACIO,SAAS,QAAQ,QAA6B;AAGnD,WAAS,GAAG,KAAa,MAAgC;AACvD,QAAI,KAAM,QAAO,OAAO,SAAS,MAAM,CAAC,MAAM,GAAG,GAAG,IAAI;AACxD,WAAO,OAAO,SAAS,MAAM,CAAC,MAAM,GAAG,CAAC;AAAA,EAC1C;AAEA,SAAO;AAAA,IACL,MAAM,KAAK,KAAK,MAAM,MAAM;AAC1B,YAAM,UAAU,GAAG,UAAU,MAAM,GAAG,CAAC,GAAG,YAAY,KAAK,IAAI,CAAC;AAChE,YAAM,UAAU,MAAM,OAAO,QAAQ,OAAO,KAAK;AAEjD,UAAI;AACF,YAAI,MAAM,UAAU;AAClB,aAAG,SAAS,OAAO,qBAAqB,EAAE,MAAM,MAAM;AAAA,UAAC,CAAC;AACxD,iBAAO,EAAE,QAAQ,IAAI,QAAQ,IAAI,UAAU,EAAE;AAAA,QAC/C;AAEA,cAAM,SAAS,MAAM,GAAG,SAAS,EAAE,KAAK,MAAM,IAAI,CAAC;AACnD,eAAO;AAAA,UACL,QAAQ,OAAO,UAAU;AAAA,UACzB,QAAQ,OAAO,UAAU;AAAA,UACzB,UAAU;AAAA,QACZ;AAAA,MACF,SAAS,KAAU;AACjB,eAAO;AAAA,UACL,QAAQ,IAAI,UAAU;AAAA,UACtB,QAAQ,IAAI,UAAU,IAAI,WAAW;AAAA,UACrC,UAAU,IAAI,YAAY,IAAI,QAAQ;AAAA,QACxC;AAAA,MACF;AAAA,IACF;AAAA,IACA,MAAM,UAAU,MAAM,SAAS;AAC7B,YAAM,MAAM,OAAO,SAAS,OAAO,IAAI,UAAU,OAAO,KAAK,OAAO;AACpE,YAAM,MAAM,IAAI,SAAS,QAAQ;AACjC,UAAI;AACF,cAAM,GAAG,gBAAgB,GAAG,oBAAoB,KAAK,QAAQ,MAAM,OAAO,CAAC,GAAG;AAAA,MAChF,SAAS,KAAU;AACjB,cAAM,IAAI,MAAM,0BAA0B,IAAI,YAAY,IAAI,QAAQ,CAAC,MAAM,IAAI,UAAU,IAAI,WAAW,EAAE,EAAE;AAAA,MAChH;AAAA,IACF;AAAA,IACA,MAAM,SAAS,MAAM;AACnB,UAAI;AACF,cAAM,SAAS,MAAM,GAAG,QAAQ,KAAK,QAAQ,MAAM,OAAO,CAAC,GAAG;AAC9D,eAAO,OAAO,UAAU;AAAA,MAC1B,SAAS,KAAU;AACjB,cAAM,IAAI,MAAM,yBAAyB,IAAI,YAAY,IAAI,QAAQ,CAAC,MAAM,IAAI,UAAU,IAAI,WAAW,EAAE,EAAE;AAAA,MAC/G;AAAA,IACF;AAAA,IACA,MAAM,OAAO;AACX,YAAM,OAAO,OAAO;AAAA,IACtB;AAAA,EACF;AACF;AAQO,SAAS,kBAAyC;AACvD,QAAM,eAAqG;AAAA,IACzG,MAAM,EAAE,MAAM,gBAAgB;AAAA,IAC9B,SAAS,EAAE,OAAO,QAAQ,QAAQ,QAAQ,QAAQ,SAAS;AAAA,IAC3D,UAAU;AAAA,MACR,gBAAgB;AAAA,MAChB,aAAa;AAAA,MACb,iBAAiB;AAAA,IACnB;AAAA,IACA,OAAO,EAAE,SAAS,MAAM,YAAY,4BAA4B;AAAA,IAChE,eAAe,EAAE,aAAa,KAAK,eAAe,IAAI,cAAc,IAAI;AAAA,IACxE,MAAM,EAAE,UAAU,KAAK;AAAA,IACvB,kBAAkB,EAAE,eAAe,UAAU,iBAAiB,iBAAiB;AAAA,IAC/E,gBAAgB;AAAA,MACd,QAAQ;AAAA,MACR,aAAa,EAAE,SAAS,MAAM,oBAAoB,KAAK;AAAA,IACzD;AAAA,IACA,SAAS,EAAE,SAAS,KAAK;AAAA,IACzB,aAAa,EAAE,SAAS,KAAK;AAAA,IAC7B,OAAO,EAAE,MAAM,QAAQ,MAAM,KAAK;AAAA,IAClC,KAAK;AAAA,MACH,MAAM;AAAA,MACN,UAAU,EAAE,aAAa,MAAM,KAAK,MAAM,SAAS,KAAK;AAAA,IAC1D;AAAA,IACA,WAAW,EAAE,SAAS,MAAM;AAAA,IAC5B,SAAS,EAAE,SAAS,MAAM,MAAM,WAAW;AAAA,IAC3C,QAAQ,EAAE,MAAM,YAAY,eAAe,UAAU;AAAA,IACrD,aAAa,EAAE,aAAa,OAAO,eAAe,MAAM;AAAA,EAC1D;AAEA,SAAO;AAAA,IACL,iBAAiB;AAAA,IACjB,WAAW;AAAA,IACX;AAAA,EACF;AACF;","names":[]}

package/dist/index-D6DG8Lpi.d.ts

@@ -1,28 +0,0 @@
-import { vercel } from './adapters/vercel.js';
-import { e2b } from './adapters/e2b.js';
-import { daytona } from './adapters/daytona.js';
-import { cloudflare } from './adapters/cloudflare.js';
-import { blaxel } from './adapters/blaxel.js';
-import { S as SandboxAdapter, a as SecureConfig } from './types-S_fIEFHD.js';
-
-declare function sprites(sprite: any): SandboxAdapter;
-/**
- * Returns Sprites-optimized defaults for SecureConfig.
- * Spread into your secureSandbox() call:
- *
- *   secureSandbox(sprites(s), { ...spritesDefaults(), ...yourOverrides })
- */
-declare function spritesDefaults(): Partial<SecureConfig>;
-
-declare const index_blaxel: typeof blaxel;
-declare const index_cloudflare: typeof cloudflare;
-declare const index_daytona: typeof daytona;
-declare const index_e2b: typeof e2b;
-declare const index_sprites: typeof sprites;
-declare const index_spritesDefaults: typeof spritesDefaults;
-declare const index_vercel: typeof vercel;
-declare namespace index {
-  export { index_blaxel as blaxel, index_cloudflare as cloudflare, index_daytona as daytona, index_e2b as e2b, index_sprites as sprites, index_spritesDefaults as spritesDefaults, index_vercel as vercel };
-}
-
-export { spritesDefaults as a, index as i, sprites as s };

package/dist/{index-Nmlhw9oj.d.ts → index-CedRtlB6.d.ts}

@@ -363,17 +363,6 @@ declare const PolicyDefinitionSchema: z.ZodObject<{
         reason?: string | undefined;
     }>, "many">>;
 }, "strict", z.ZodTypeAny, {
-    commands?: ({
-        allow: string | string[];
-    } | {
-        deny: string | string[];
-    } | {
-        redirect: string | string[];
-        to: string | {
-            cmd: string;
-            args: string[];
-        };
-    })[] | undefined;
     file?: ({
         allow: string | string[];
         ops?: ("read" | "write" | "create" | "delete")[] | undefined;
@@ -399,6 +388,17 @@ declare const PolicyDefinitionSchema: z.ZodObject<{
         redirect: string;
         to: string;
     })[] | undefined;
+    commands?: ({
+        allow: string | string[];
+    } | {
+        deny: string | string[];
+    } | {
+        redirect: string | string[];
+        to: string | {
+            cmd: string;
+            args: string[];
+        };
+    })[] | undefined;
     env?: {
         commands: string[];
         deny?: string[] | undefined;
@@ -430,17 +430,6 @@ declare const PolicyDefinitionSchema: z.ZodObject<{
         reason?: string | undefined;
     }[] | undefined;
 }, {
-    commands?: ({
-        allow: string | string[];
-    } | {
-        deny: string | string[];
-    } | {
-        redirect: string | string[];
-        to: string | {
-            cmd: string;
-            args: string[];
-        };
-    })[] | undefined;
     file?: ({
         allow: string | string[];
         ops?: ("read" | "write" | "create" | "delete")[] | undefined;
@@ -466,6 +455,17 @@ declare const PolicyDefinitionSchema: z.ZodObject<{
         redirect: string;
         to: string;
     })[] | undefined;
+    commands?: ({
+        allow: string | string[];
+    } | {
+        deny: string | string[];
+    } | {
+        redirect: string | string[];
+        to: string | {
+            cmd: string;
+            args: string[];
+        };
+    })[] | undefined;
     env?: {
         commands: string[];
         deny?: string[] | undefined;