npm - @anthropic-ai/sandbox-runtime - Versions diffs - 0.0.1 → 0.0.2 - Mend

@anthropic-ai/sandbox-runtime 0.0.1 → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/LICENSE +201 -0
package/README.md +173 -88
package/dist/cli.js +72 -7
package/dist/cli.js.map +1 -1
package/dist/index.d.ts +6 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +5 -0
package/dist/index.js.map +1 -1
package/dist/sandbox/generate-seccomp-filter.d.ts +64 -0
package/dist/sandbox/generate-seccomp-filter.d.ts.map +1 -0
package/dist/sandbox/generate-seccomp-filter.js +447 -0
package/dist/sandbox/generate-seccomp-filter.js.map +1 -0
package/dist/sandbox/linux-sandbox-utils.d.ts +49 -3
package/dist/sandbox/linux-sandbox-utils.d.ts.map +1 -1
package/dist/sandbox/linux-sandbox-utils.js +247 -84
package/dist/sandbox/linux-sandbox-utils.js.map +1 -1
package/dist/sandbox/macos-sandbox-utils.d.ts +3 -1
package/dist/sandbox/macos-sandbox-utils.d.ts.map +1 -1
package/dist/sandbox/macos-sandbox-utils.js +12 -22
package/dist/sandbox/macos-sandbox-utils.js.map +1 -1
package/dist/sandbox/sandbox-config.d.ts +122 -0
package/dist/sandbox/sandbox-config.d.ts.map +1 -0
package/dist/sandbox/sandbox-config.js +75 -0
package/dist/sandbox/sandbox-config.js.map +1 -0
package/dist/sandbox/sandbox-manager.d.ts +3 -3
package/dist/sandbox/sandbox-manager.d.ts.map +1 -1
package/dist/sandbox/sandbox-manager.js +143 -236
package/dist/sandbox/sandbox-manager.js.map +1 -1
package/dist/sandbox/sandbox-schemas.d.ts +0 -76
package/dist/sandbox/sandbox-schemas.d.ts.map +1 -1
package/dist/sandbox/sandbox-schemas.js +1 -230
package/dist/sandbox/sandbox-schemas.js.map +1 -1
package/dist/sandbox/sandbox-utils.d.ts.map +1 -1
package/dist/sandbox/sandbox-utils.js +5 -2
package/dist/sandbox/sandbox-utils.js.map +1 -1
package/dist/vendor/seccomp/arm64/unix-block.bpf +0 -0
package/dist/vendor/seccomp/x64/unix-block.bpf +0 -0
package/dist/vendor/seccomp-src/apply-seccomp-and-exec.py +111 -0
package/dist/vendor/seccomp-src/seccomp-unix-block.c +97 -0
package/package.json +10 -4
package/vendor/seccomp/arm64/unix-block.bpf +0 -0
package/vendor/seccomp/x64/unix-block.bpf +0 -0
package/vendor/seccomp-src/apply-seccomp-and-exec.py +111 -0
package/vendor/seccomp-src/seccomp-unix-block.c +97 -0
package/dist/utils/exec.d.ts +0 -13
package/dist/utils/exec.d.ts.map +0 -1
package/dist/utils/exec.js +0 -38
package/dist/utils/exec.js.map +0 -1
package/dist/utils/settings.d.ts +0 -147
package/dist/utils/settings.d.ts.map +0 -1
package/dist/utils/settings.js +0 -244
package/dist/utils/settings.js.map +0 -1

package/dist/sandbox/sandbox-schemas.d.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import { z } from 'zod';
 export interface FsReadRestrictionConfig {
     denyOnly: string[];
 }
@@ -15,79 +14,4 @@ export type NetworkHostPattern = {
     port: number | undefined;
 };
 export type SandboxAskCallback = (params: NetworkHostPattern) => Promise<boolean>;
-export declare function generateHostListSchema(allowedOrDenied: 'allowed' | 'denied'): z.ZodEffects<z.ZodArray<z.ZodString, "many">, string[], string[]>;
-/**
- * Safely parse a network restriction pattern.
- * Returns the parsed pattern or an Error.
- */
-export declare function safeParseRestrictionPattern(pattern: string): NetworkHostPattern | Error;
-/**
- * Schema for command-specific sandbox violation ignore patterns.
- * Maps command patterns to lists of filesystem paths to ignore violations for.
- * The special key "*" matches all commands.
- *
- * Example:
- * {
- *   "*": ["/usr/bin", "/System"],           // Ignore for all commands
- *   "git push": ["/usr/bin/nc"],            // Ignore nc errors when running git push
- *   "npm": ["/private/tmp"],                // Ignore tmp access for npm commands
- * }
- */
-export declare const IgnoreViolationsSchema: z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>;
-export type IgnoreViolationsConfig = z.infer<typeof IgnoreViolationsSchema>;
-export declare const NetworkConfigSchema: z.ZodOptional<z.ZodObject<{
-    allowUnixSockets: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    allowLocalBinding: z.ZodOptional<z.ZodBoolean>;
-    httpProxyPort: z.ZodOptional<z.ZodNumber>;
-    socksProxyPort: z.ZodOptional<z.ZodNumber>;
-}, "strip", z.ZodTypeAny, {
-    allowUnixSockets?: string[] | undefined;
-    allowLocalBinding?: boolean | undefined;
-    httpProxyPort?: number | undefined;
-    socksProxyPort?: number | undefined;
-}, {
-    allowUnixSockets?: string[] | undefined;
-    allowLocalBinding?: boolean | undefined;
-    httpProxyPort?: number | undefined;
-    socksProxyPort?: number | undefined;
-}>>;
-export declare const SandboxConfigSchema: z.ZodObject<{
-    network: z.ZodOptional<z.ZodObject<{
-        allowUnixSockets: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        allowLocalBinding: z.ZodOptional<z.ZodBoolean>;
-        httpProxyPort: z.ZodOptional<z.ZodNumber>;
-        socksProxyPort: z.ZodOptional<z.ZodNumber>;
-    }, "strip", z.ZodTypeAny, {
-        allowUnixSockets?: string[] | undefined;
-        allowLocalBinding?: boolean | undefined;
-        httpProxyPort?: number | undefined;
-        socksProxyPort?: number | undefined;
-    }, {
-        allowUnixSockets?: string[] | undefined;
-        allowLocalBinding?: boolean | undefined;
-        httpProxyPort?: number | undefined;
-        socksProxyPort?: number | undefined;
-    }>>;
-    ignoreViolations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>>;
-    enableWeakerNestedSandbox: z.ZodOptional<z.ZodBoolean>;
-}, "strip", z.ZodTypeAny, {
-    network?: {
-        allowUnixSockets?: string[] | undefined;
-        allowLocalBinding?: boolean | undefined;
-        httpProxyPort?: number | undefined;
-        socksProxyPort?: number | undefined;
-    } | undefined;
-    ignoreViolations?: Record<string, string[]> | undefined;
-    enableWeakerNestedSandbox?: boolean | undefined;
-}, {
-    network?: {
-        allowUnixSockets?: string[] | undefined;
-        allowLocalBinding?: boolean | undefined;
-        httpProxyPort?: number | undefined;
-        socksProxyPort?: number | undefined;
-    } | undefined;
-    ignoreViolations?: Record<string, string[]> | undefined;
-    enableWeakerNestedSandbox?: boolean | undefined;
-}>;
-export type SandboxConfig = z.infer<typeof SandboxConfigSchema>;
 //# sourceMappingURL=sandbox-schemas.d.ts.map

package/dist/sandbox/sandbox-schemas.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"sandbox-schemas.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-schemas.ts"],"names":[],"mappings":"AACA,~~OAAO,EAAE,CAAC,EAAE,~~MAAM,~~KAAK,CAAA;AAGvB,MAAM,~~WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED,MAAM,WAAW,wBAAwB;IACvC,SAAS,EAAE,MAAM,EAAE,CAAA;IACnB,eAAe,EAAE,MAAM,EAAE,CAAA;CAC1B;AAGD,MAAM,WAAW,wBAAwB;IACvC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;CACvB;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,GAAG,SAAS,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,CAC/B,MAAM,EAAE,kBAAkB,KACvB,OAAO,CAAC,OAAO,CAAC,CAAA;AAErB,wBAAgB,sBAAsB,CAAC,eAAe,EAAE,SAAS,GAAG,QAAQ,qEAiB3E;AAqKD;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,MAAM,GACd,kBAAkB,GAAG,KAAK,CA2B5B;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,2DAWhC,CAAA;AAEH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA;AAO3E,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;GAiCnB,CAAA;AAGb,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAW9B,CAAA;AAEF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA"}
1	+ {"version":3,"file":"sandbox-schemas.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-schemas.ts"],"names":[],"mappings":"AACA,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED,MAAM,WAAW,wBAAwB;IACvC,SAAS,EAAE,MAAM,EAAE,CAAA;IACnB,eAAe,EAAE,MAAM,EAAE,CAAA;CAC1B;AAGD,MAAM,WAAW,wBAAwB;IACvC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;CACvB;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,GAAG,SAAS,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,CAC/B,MAAM,EAAE,kBAAkB,KACvB,OAAO,CAAC,OAAO,CAAC,CAAA"}

package/dist/sandbox/sandbox-schemas.js CHANGED Viewed

@@ -1,231 +1,2 @@
-import { isIP } from 'node:net';
-import { z } from 'zod';
-export function generateHostListSchema(allowedOrDenied) {
-    return z
-        .array(z.string())
-        .describe(`List of automatically ${allowedOrDenied} network hosts (e.g., ["github.com:443", "api.example.com"])`)
-        .transform((patterns) => {
-        // Parse and validate each host pattern
-        return patterns.map(pattern => {
-            const parsed = safeParseRestrictionPattern(pattern);
-            if (parsed instanceof Error) {
-                throw new Error(`Invalid network host pattern: ${parsed.message}`);
-            }
-            // Return the original validated string, not the parsed pattern
-            return pattern;
-        });
-    });
-}
-// Port number schema
-const portNumberSchema = z
-    .string()
-    .regex(/^\d+$/)
-    .transform(val => parseInt(val, 10))
-    .refine(port => port >= 1 && port <= 65535, 'Port must be between 1 and 65535');
-// Schema for IPv6 addresses without port
-// Examples: "::1" (IPv6 loopback), "2001:db8::1", "fe80::1"
-const ipv6Schema = z
-    .string()
-    .refine(val => isIP(val) === 6 && !val.includes('[') && !val.includes(']'))
-    .transform((val) => ({
-    host: val,
-    port: undefined,
-}));
-// Schema for IPv6 addresses with port (requires bracket notation)
-// Examples: "[::1]:8080", "[2001:db8::1]:443", "[fe80::1]:22"
-const ipv6WithPortSchema = z
-    .string()
-    .regex(/^\[([^\]]+)\]:(\d+)$/)
-    .transform((val) => {
-    const match = val.match(/^\[([^\]]+)\]:(\d+)$/);
-    const host = match[1];
-    const portStr = match[2];
-    // Validate that the host part is actually an IPv6 address
-    if (isIP(host) !== 6) {
-        throw new Error('Invalid IPv6 address in bracket notation');
-    }
-    // Parse and validate port
-    const portResult = portNumberSchema.safeParse(portStr);
-    if (!portResult.success) {
-        throw new Error('Invalid port number');
-    }
-    const port = portResult.data;
-    return { host, port };
-});
-// Schema for IPv4 addresses without port
-// Examples: "192.168.1.1", "127.0.0.1", "10.0.0.1"
-const ipv4Schema = z
-    .string()
-    .refine(val => isIP(val) === 4)
-    .transform((val) => ({
-    host: val,
-    port: undefined,
-}));
-// Schema for IPv4 addresses with port
-// Examples: "192.168.1.1:8080", "127.0.0.1:443", "10.0.0.1:22"
-const ipv4WithPortSchema = z
-    .string()
-    .regex(/^(\d+\.\d+\.\d+\.\d+):(\d+)$/)
-    .transform((val) => {
-    const match = val.match(/^(\d+\.\d+\.\d+\.\d+):(\d+)$/);
-    const host = match[1];
-    const portStr = match[2];
-    // Validate that the host part is actually an IPv4 address
-    if (isIP(host) !== 4) {
-        throw new Error('Invalid IPv4 address format');
-    }
-    // Parse and validate port
-    const portResult = portNumberSchema.safeParse(portStr);
-    if (!portResult.success) {
-        throw new Error('Invalid port number');
-    }
-    const port = portResult.data;
-    return { host, port };
-});
-// Base schema for validating domain names (not IP addresses)
-// Examples: "example.com", "localhost", "*.example.com", "sub.domain.com"
-const domainNameSchema = z.string().refine(val => {
-    // Basic format checks
-    if (val.length === 0 ||
-        val.includes(':') || // No colons (would indicate port or IPv6)
-        val.includes('/') || // No paths or protocol prefixes
-        val.includes('?') || // No query strings
-        val.includes('#') || // No fragments
-        isIP(val) // Not an IP address
-    ) {
-        return false;
-    }
-    // Special case: localhost is always valid
-    if (val === 'localhost') {
-        return true;
-    }
-    // Wildcard domains: *.example.com (must have dot after wildcard)
-    if (val.startsWith('*.')) {
-        const domainPart = val.slice(2);
-        return (domainPart.includes('.') &&
-            !domainPart.startsWith('.') &&
-            !domainPart.endsWith('.'));
-    }
-    // Regular domains: must contain at least one dot and not start/end with dot
-    return val.includes('.') && !val.startsWith('.') && !val.endsWith('.');
-});
-// Schema for domain name without port
-// Examples: "example.com", "*.example.com", "localhost"
-const hostnameSchema = domainNameSchema.transform((val) => ({
-    host: val,
-    port: undefined,
-}));
-// Schema for domain name with port
-// Examples: "example.com:8080", "localhost:3000", "*.example.com:443"
-const hostnameWithPortSchema = z
-    .string()
-    .regex(/^([^:]+):(\d+)$/)
-    .transform((val) => {
-    const match = val.match(/^([^:]+):(\d+)$/);
-    const host = match[1];
-    const portStr = match[2];
-    // Validate that the host part is a valid domain name
-    const hostResult = domainNameSchema.safeParse(host);
-    if (!hostResult.success) {
-        throw new Error('Invalid domain name');
-    }
-    // Parse and validate port
-    const portResult = portNumberSchema.safeParse(portStr);
-    if (!portResult.success) {
-        throw new Error('Invalid port number');
-    }
-    const port = portResult.data;
-    return { host, port };
-});
-// Combined schema that tries each pattern in order
-const hostPatternSchema = z.union([
-    ipv6WithPortSchema,
-    ipv6Schema,
-    ipv4WithPortSchema,
-    ipv4Schema,
-    hostnameWithPortSchema,
-    hostnameSchema,
-]);
-/**
- * Safely parse a network restriction pattern.
- * Returns the parsed pattern or an Error.
- */
-export function safeParseRestrictionPattern(pattern) {
-    const result = hostPatternSchema.safeParse(pattern);
-    if (!result.success) {
-        // Provide helpful error messages for common mistakes
-        if (pattern.startsWith('http://') || pattern.startsWith('https://')) {
-            return Error(`Invalid network restriction: "${pattern}" - remove the protocol (http:// or https://)`);
-        }
-        if (pattern.includes('/')) {
-            return Error(`Invalid network restriction: "${pattern}" - paths are not allowed, only hosts`);
-        }
-        if (pattern === '') {
-            return Error(`Invalid network restriction: empty string - please provide a host`);
-        }
-        if (pattern.endsWith(':')) {
-            return Error(`Invalid network restriction: "${pattern}" - incomplete port specification`);
-        }
-        return Error(`Invalid network restriction: "${pattern}"`);
-    }
-    return result.data;
-}
-/**
- * Schema for command-specific sandbox violation ignore patterns.
- * Maps command patterns to lists of filesystem paths to ignore violations for.
- * The special key "*" matches all commands.
- *
- * Example:
- * {
- *   "*": ["/usr/bin", "/System"],           // Ignore for all commands
- *   "git push": ["/usr/bin/nc"],            // Ignore nc errors when running git push
- *   "npm": ["/private/tmp"],                // Ignore tmp access for npm commands
- * }
- */
-export const IgnoreViolationsSchema = z
-    .record(z.string(), z
-    .array(z.string())
-    .describe('List of filesystem paths to ignore sandbox violations for when this command pattern matches'))
-    .describe('Map of command patterns to filesystem paths to ignore violations for. Use "*" to match all commands');
-// ============================================================================
-// COMBINED SCHEMAS
-// ============================================================================
-// Network restriction schemas
-export const NetworkConfigSchema = z
-    .object({
-    allowUnixSockets: z
-        .array(z.string())
-        .optional()
-        .describe('Allow Unix domain sockets for local IPC (SSH agent, Docker, etc.). Provide an array of specific paths. Defaults to blocking if not specified'),
-    allowLocalBinding: z
-        .boolean()
-        .optional()
-        .describe('Allow binding to local network addresses (e.g., localhost ports). Defaults to false if not specified'),
-    httpProxyPort: z
-        .number()
-        .int()
-        .min(1)
-        .max(65535)
-        .optional()
-        .describe('HTTP proxy port to use for network filtering. If not specified, a proxy server will be started automatically'),
-    socksProxyPort: z
-        .number()
-        .int()
-        .min(1)
-        .max(65535)
-        .optional()
-        .describe('SOCKS proxy port to use for network filtering. If not specified, a proxy server will be started automatically'),
-})
-    .optional();
-// Complete sandbox config schema
-export const SandboxConfigSchema = z.object({
-    network: NetworkConfigSchema,
-    ignoreViolations: IgnoreViolationsSchema.optional(),
-    enableWeakerNestedSandbox: z
-        .boolean()
-        .optional()
-        .describe('Enable weaker sandbox mode for unprivileged docker environments where --proc mounting fails. ' +
-        'This significantly reduces the strength of the sandbox and should only be used when this risk is acceptable.' +
-        'Default: false (secure).'),
-});
+export {};
 //# sourceMappingURL=sandbox-schemas.js.map

package/dist/sandbox/sandbox-schemas.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"sandbox-schemas.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAA;AAC/B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AA2BvB,MAAM,UAAU,sBAAsB,CAAC,eAAqC;IAC1E,OAAO,CAAC;SACL,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,CACP,yBAAyB,eAAe,8DAA8D,CACvG;SACA,SAAS,CAAC,CAAC,QAAQ,EAAY,EAAE;QAChC,uCAAuC;QACvC,OAAO,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE;YAC5B,MAAM,MAAM,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAA;YACnD,IAAI,MAAM,YAAY,KAAK,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CAAC,iCAAiC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAA;YACpE,CAAC;YACD,+DAA+D;YAC/D,OAAO,OAAO,CAAA;QAChB,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACN,CAAC;AAED,qBAAqB;AACrB,MAAM,gBAAgB,GAAG,CAAC;KACvB,MAAM,EAAE;KACR,KAAK,CAAC,OAAO,CAAC;KACd,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;KACnC,MAAM,CACL,IAAI,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,KAAK,EAClC,kCAAkC,CACnC,CAAA;AAEH,yCAAyC;AACzC,4DAA4D;AAC5D,MAAM,UAAU,GAAG,CAAC;KACjB,MAAM,EAAE;KACR,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;KAC1E,SAAS,CACR,CAAC,GAAG,EAAsB,EAAE,CAAC,CAAC;IAC5B,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,SAAS;CAChB,CAAC,CACH,CAAA;AAEH,kEAAkE;AAClE,8DAA8D;AAC9D,MAAM,kBAAkB,GAAG,CAAC;KACzB,MAAM,EAAE;KACR,KAAK,CAAC,sBAAsB,CAAC;KAC7B,SAAS,CAAC,CAAC,GAAG,EAAsB,EAAE;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,sBAAsB,CAAE,CAAA;IAChD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IACtB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IAEzB,0DAA0D;IAC1D,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAA;IAC7D,CAAC;IAED,0BAA0B;IAC1B,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACtD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;IACxC,CAAC;IACD,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAA;IAE5B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;AACvB,CAAC,CAAC,CAAA;AAEJ,yCAAyC;AACzC,mDAAmD;AACnD,MAAM,UAAU,GAAG,CAAC;KACjB,MAAM,EAAE;KACR,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KAC9B,SAAS,CACR,CAAC,GAAG,EAAsB,EAAE,CAAC,CAAC;IAC5B,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,SAAS;CAChB,CAAC,CACH,CAAA;AAEH,sCAAsC;AACtC,+DAA+D;AAC/D,MAAM,kBAAkB,GAAG,CAAC;KACzB,MAAM,EAAE;KACR,KAAK,CAAC,8BAA8B,CAAC;KACrC,SAAS,CAAC,CAAC,GAAG,EAAsB,EAAE;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,8BAA8B,CAAE,CAAA;IACxD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IACtB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IAEzB,0DAA0D;IAC1D,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAA;IAChD,CAAC;IAED,0BAA0B;IAC1B,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACtD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;IACxC,CAAC;IACD,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAA;IAE5B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;AACvB,CAAC,CAAC,CAAA;AAEJ,6DAA6D;AAC7D,0EAA0E;AAC1E,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;IAC/C,sBAAsB;IACtB,IACE,GAAG,CAAC,MAAM,KAAK,CAAC;QAChB,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,0CAA0C;QAC/D,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,gCAAgC;QACrD,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,mBAAmB;QACxC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,eAAe;QACpC,IAAI,CAAC,GAAG,CAAC,CAAC,oBAAoB;MAC9B,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,0CAA0C;IAC1C,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;QACxB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,iEAAiE;IACjE,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;QAC/B,OAAO,CACL,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC;YACxB,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC;YAC3B,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAC1B,CAAA;IACH,CAAC;IAED,4EAA4E;IAC5E,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;AACxE,CAAC,CAAC,CAAA;AAEF,sCAAsC;AACtC,wDAAwD;AACxD,MAAM,cAAc,GAAG,gBAAgB,CAAC,SAAS,CAC/C,CAAC,GAAG,EAAsB,EAAE,CAAC,CAAC;IAC5B,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,SAAS;CAChB,CAAC,CACH,CAAA;AAED,mCAAmC;AACnC,sEAAsE;AACtE,MAAM,sBAAsB,GAAG,CAAC;KAC7B,MAAM,EAAE;KACR,KAAK,CAAC,iBAAiB,CAAC;KACxB,SAAS,CAAC,CAAC,GAAG,EAAsB,EAAE;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,iBAAiB,CAAE,CAAA;IAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IACtB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IAEzB,qDAAqD;IACrD,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAA;IACnD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;IACxC,CAAC;IAED,0BAA0B;IAC1B,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACtD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;IACxC,CAAC;IACD,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAA;IAE5B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;AACvB,CAAC,CAAC,CAAA;AAEJ,mDAAmD;AACnD,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC;IAChC,kBAAkB;IAClB,UAAU;IACV,kBAAkB;IAClB,UAAU;IACV,sBAAsB;IACtB,cAAc;CACf,CAAC,CAAA;AAEF;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAe;IAEf,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACnD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,qDAAqD;QACrD,IAAI,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACpE,OAAO,KAAK,CACV,iCAAiC,OAAO,+CAA+C,CACxF,CAAA;QACH,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,OAAO,KAAK,CACV,iCAAiC,OAAO,uCAAuC,CAChF,CAAA;QACH,CAAC;QACD,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;YACnB,OAAO,KAAK,CACV,mEAAmE,CACpE,CAAA;QACH,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,OAAO,KAAK,CACV,iCAAiC,OAAO,mCAAmC,CAC5E,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,iCAAiC,OAAO,GAAG,CAAC,CAAA;IAC3D,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAA;AACpB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC;KACpC,MAAM,CACL,CAAC,CAAC,MAAM,EAAE,EACV,CAAC;KACE,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KACjB,QAAQ,CACP,6FAA6F,CAC9F,CACJ;KACA,QAAQ,CACP,qGAAqG,CACtG,CAAA;AAIH,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,8BAA8B;AAC9B,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC;KACjC,MAAM,CAAC;IACN,gBAAgB,EAAE,CAAC;SAChB,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;SACV,QAAQ,CACP,8IAA8I,CAC/I;IACH,iBAAiB,EAAE,CAAC;SACjB,OAAO,EAAE;SACT,QAAQ,EAAE;SACV,QAAQ,CACP,sGAAsG,CACvG;IACH,aAAa,EAAE,CAAC;SACb,MAAM,EAAE;SACR,GAAG,EAAE;SACL,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,KAAK,CAAC;SACV,QAAQ,EAAE;SACV,QAAQ,CACP,8GAA8G,CAC/G;IACH,cAAc,EAAE,CAAC;SACd,MAAM,EAAE;SACR,GAAG,EAAE;SACL,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,KAAK,CAAC;SACV,QAAQ,EAAE;SACV,QAAQ,CACP,+GAA+G,CAChH;CACJ,CAAC;KACD,QAAQ,EAAE,CAAA;AAEb,iCAAiC;AACjC,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,OAAO,EAAE,mBAAmB;IAC5B,gBAAgB,EAAE,sBAAsB,CAAC,QAAQ,EAAE;IACnD,yBAAyB,EAAE,CAAC;SACzB,OAAO,EAAE;SACT,QAAQ,EAAE;SACV,QAAQ,CACP,+FAA+F;QAC7F,8GAA8G;QAC9G,0BAA0B,CAC7B;CACJ,CAAC,CAAA"}
1	+ {"version":3,"file":"sandbox-schemas.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-schemas.ts"],"names":[],"mappings":""}

package/dist/sandbox/sandbox-utils.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-utils.ts"],"names":[],"mappings":"AAyCA;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAO9D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAEpE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CA8BnE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,~~CAc~~/C;AAED;;;;GAIG;AACH,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAqKrE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,aAAa,CAAC,EAAE,MAAM,EACtB,cAAc,CAAC,EAAE,MAAM,GACtB,MAAM,EAAE,CA6FV;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAG9D;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAErE"}
1	+ {"version":3,"file":"sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-utils.ts"],"names":[],"mappings":"AAyCA;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAO9D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAEpE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CA8BnE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAiB/C;AAED;;;;GAIG;AACH,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAqKrE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,aAAa,CAAC,EAAE,MAAM,EACtB,cAAc,CAAC,EAAE,MAAM,GACtB,MAAM,EAAE,CA6FV;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAG9D;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAErE"}

package/dist/sandbox/sandbox-utils.js CHANGED Viewed

@@ -109,7 +109,10 @@ export function getDefaultWritePaths() {
         '/dev/tty',
         '/dev/dtracehelper',
         '/dev/autofs_nowait',
+        '/tmp/claude',
+        '/private/tmp/claude',
         path.join(homeDir, '.npm/_logs'),
+        path.join(homeDir, '.claude/debug'),
         '.',
     ];
     return recommendedPaths;
@@ -258,8 +261,8 @@ export async function getMandatoryDenyWithinAllow() {
  * Generate proxy environment variables for sandboxed processes
  */
 export function generateProxyEnvVars(httpProxyPort, socksProxyPort) {
-    const envVars = [`SANDBOX_RUNTIME=1`];
-    // If no proxy ports provided, return empty array
+    const envVars = [`SANDBOX_RUNTIME=1`, `TMPDIR=/tmp/claude`];
+    // If no proxy ports provided, return minimal env vars
     if (!httpProxyPort && !socksProxyPort) {
         return envVars;
     }

package/dist/sandbox/sandbox-utils.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAA;AAC5B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAE7C;;;GAGG;AACH,MAAM,eAAe,GAAG;IACtB,YAAY;IACZ,aAAa;IACb,SAAS;IACT,eAAe;IACf,QAAQ;IACR,WAAW;IACX,UAAU;IACV,YAAY;IACZ,WAAW;CACH,CAAA;AAEV;;;GAGG;AACH,MAAM,qBAAqB,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAU,CAAA;AAEnE;;;;;;;;GAQG;AACH,SAAS,0BAA0B,CAAC,OAAe;IACjD,OAAO,OAAO,CAAC,WAAW,EAAE,CAAA;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAAmB;IACnD,OAAO,CACL,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAC1B,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAAmB;IAC1D,OAAO,WAAW,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;AAC3C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,WAAmB;IACzD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IACzB,IAAI,cAAc,GAAG,WAAW,CAAA;IAEhC,6BAA6B;IAC7B,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;QACxB,cAAc,GAAG,OAAO,EAAE,CAAA;IAC5B,CAAC;SAAM,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,cAAc,GAAG,OAAO,EAAE,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IACnD,CAAC;SAAM,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACzE,kEAAkE;QAClE,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IACjD,CAAC;SAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACzC,2DAA2D;QAC3D,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IACjD,CAAC;IAED,uFAAuF;IACvF,IAAI,iBAAiB,CAAC,cAAc,CAAC,EAAE,CAAC;QACtC,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,uDAAuD;IACvD,IAAI,CAAC;QACH,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,cAAc,CAAC,CAAA;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;IACzE,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,OAAO,GAAG,OAAO,EAAE,CAAA;IACzB,MAAM,gBAAgB,GAAG;QACvB,aAAa;QACb,aAAa;QACb,WAAW;QACX,UAAU;QACV,mBAAmB;QACnB,oBAAoB;QACpB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC;QAChC,GAAG;KACJ,CAAA;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IAEzB,4CAA4C;IAC5C,0BAA0B;IAC1B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAA;IAChE,6BAA6B;IAC7B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAA;IAC7D,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC,CAAA;IAEnE,2CAA2C;IAC3C,MAAM,cAAc,GAAG,CAAC,GAAG,eAAe,CAAC,CAAA;IAE3C,mEAAmE;IACnE,sGAAsG;IACtG,qFAAqF;IACrF,MAAM,oBAAoB,GAAG;QAC3B,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC;QAClD,kBAAkB;QAClB,gBAAgB;KACjB,CAAA;IAED,mDAAmD;IACnD,MAAM,eAAe,GAAG,IAAI,eAAe,EAAE,CAAA;IAE7C,gDAAgD;IAChD,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;QACtC,4EAA4E;QAC5E,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;QAC/C,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAE3B,mFAAmF;QACnF,IAAI,CAAC;YACH,qEAAqE;YACrE,8DAA8D;YAC9D,6CAA6C;YAC7C,gCAAgC;YAChC,0EAA0E;YAC1E,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,QAAQ;gBACR,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YACD,2CAA2C;YAC3C,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;YACtE,SAAS,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAA;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,mEAAmE;YACnE,MAAM,IAAI,KAAK,CACb,sCAAsC,QAAQ,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7G,CAAA;QACH,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,iFAAiF;QACjF,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC7C,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAE1B,wFAAwF;QACxF,IAAI,CAAC;YACH,qDAAqD;YACrD,+EAA+E;YAC/E,uCAAuC;YACvC,MAAM,OAAO,GAAG,MAAM,OAAO,KAAK,CAAA;YAClC,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,OAAO;gBACP,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YAED,0CAA0C;YAC1C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAA;YAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;gBAC7C,8DAA8D;gBAC9D,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBAC7C,MAAM,iBAAiB,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAA;gBAC7D,uDAAuD;gBACvD,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CACjC,OAAO,CAAC,EAAE,CAAC,0BAA0B,CAAC,OAAO,CAAC,KAAK,iBAAiB,CACrE,CAAA;gBACD,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;oBACpB,+DAA+D;oBAC/D,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;oBAC9D,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;gBACvB,CAAC;YACH,CAAC;YACD,SAAS,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAA;QAC7B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,yEAAyE;YACzE,MAAM,IAAI,KAAK,CACb,2CAA2C,OAAO,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjH,CAAA;QACH,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,0EAA0E;IAC1E,MAAM,iBAAiB,GAAG;QACxB,YAAY,EAAE,+DAA+D;QAC7E,aAAa,EAAE,4EAA4E;KAC5F,CAAA;IAED,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,gDAAgD;QAChD,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAClD,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAE/B,4EAA4E;QAC5E,sDAAsD;QACtD,IAAI,CAAC;YACH,8EAA8E;YAC9E,MAAM,YAAY,GAAG,MAAM,OAAO,CAChC;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,cAAc;gBACd,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YAED,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;gBACvC,8BAA8B;gBAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;gBAExC,oDAAoD;gBACpD,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;oBAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;oBAC5C,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;gBAC3B,CAAC;qBAAM,IAAI,OAAO,KAAK,aAAa,EAAE,CAAC;oBACrC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;oBAC9C,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;gBAC5B,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qEAAqE;YACrE,MAAM,IAAI,KAAK,CACb,wCAAwC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjG,CAAA;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAA;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,aAAsB,EACtB,cAAuB;IAEvB,MAAM,OAAO,GAAa,CAAC,mBAAmB,CAAC,CAAA;~~IAE/C~~,~~iDAAiD~~;~~IACjD~~,IAAI,CAAC,aAAa,IAAI,CAAC,cAAc,EAAE,CAAC;QACtC,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,8EAA8E;IAC9E,MAAM,gBAAgB,GAAG;QACvB,WAAW;QACX,WAAW;QACX,KAAK;QACL,SAAS;QACT,QAAQ;QACR,gBAAgB,EAAE,aAAa;QAC/B,YAAY,EAAE,kBAAkB;QAChC,eAAe,EAAE,kBAAkB;QACnC,gBAAgB,EAAE,kBAAkB;KACrC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,OAAO,CAAC,IAAI,CAAC,YAAY,gBAAgB,EAAE,CAAC,CAAA;IAC5C,OAAO,CAAC,IAAI,CAAC,YAAY,gBAAgB,EAAE,CAAC,CAAA;IAE5C,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,+BAA+B,aAAa,EAAE,CAAC,CAAA;QAC5D,OAAO,CAAC,IAAI,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAA;QAC7D,uDAAuD;QACvD,OAAO,CAAC,IAAI,CAAC,+BAA+B,aAAa,EAAE,CAAC,CAAA;QAC5D,OAAO,CAAC,IAAI,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,yDAAyD;QACzD,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAE/D,gEAAgE;QAChE,IAAI,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;YAC9B,yBAAyB;YACzB,OAAO,CAAC,IAAI,CACV,8DAA8D,cAAc,UAAU,CACvF,CAAA;QACH,CAAC;QAED,mEAAmE;QACnE,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAE/D,sBAAsB;QACtB,OAAO,CAAC,IAAI,CAAC,yBAAyB,cAAc,EAAE,CAAC,CAAA;QAEvD,+EAA+E;QAC/E,qFAAqF;QAErF,mCAAmC;QACnC,+DAA+D;QAC/D,OAAO,CAAC,IAAI,CACV,sCAAsC,aAAa,IAAI,cAAc,EAAE,CACxE,CAAA;QACD,OAAO,CAAC,IAAI,CACV,uCAAuC,aAAa,IAAI,cAAc,EAAE,CACzE,CAAA;QAED,iDAAiD;QACjD,0DAA0D;QAE1D,4DAA4D;QAC5D,6DAA6D;QAE7D,iDAAiD;QACjD,kDAAkD;QAClD,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAA;YACzC,OAAO,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAA;YAChD,OAAO,CAAC,IAAI,CAAC,uBAAuB,aAAa,EAAE,CAAC,CAAA;QACtD,CAAC;QAED,+BAA+B;QAC/B,4DAA4D;QAE5D,kDAAkD;QAClD,uEAAuE;QAEvE,6CAA6C;QAC7C,OAAO,CAAC,IAAI,CAAC,kCAAkC,cAAc,EAAE,CAAC,CAAA;QAChE,OAAO,CAAC,IAAI,CAAC,kCAAkC,cAAc,EAAE,CAAC,CAAA;IAClE,CAAC;IAED,8FAA8F;IAC9F,4FAA4F;IAC5F,mGAAmG;IAEnG,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AACzD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,cAAsB;IAC3D,OAAO,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;AAC/D,CAAC"}
1	+ {"version":3,"file":"sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAA;AAC5B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAE7C;;;GAGG;AACH,MAAM,eAAe,GAAG;IACtB,YAAY;IACZ,aAAa;IACb,SAAS;IACT,eAAe;IACf,QAAQ;IACR,WAAW;IACX,UAAU;IACV,YAAY;IACZ,WAAW;CACH,CAAA;AAEV;;;GAGG;AACH,MAAM,qBAAqB,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAU,CAAA;AAEnE;;;;;;;;GAQG;AACH,SAAS,0BAA0B,CAAC,OAAe;IACjD,OAAO,OAAO,CAAC,WAAW,EAAE,CAAA;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAAmB;IACnD,OAAO,CACL,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAC1B,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAAmB;IAC1D,OAAO,WAAW,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;AAC3C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,WAAmB;IACzD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IACzB,IAAI,cAAc,GAAG,WAAW,CAAA;IAEhC,6BAA6B;IAC7B,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;QACxB,cAAc,GAAG,OAAO,EAAE,CAAA;IAC5B,CAAC;SAAM,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,cAAc,GAAG,OAAO,EAAE,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IACnD,CAAC;SAAM,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACzE,kEAAkE;QAClE,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IACjD,CAAC;SAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACzC,2DAA2D;QAC3D,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IACjD,CAAC;IAED,uFAAuF;IACvF,IAAI,iBAAiB,CAAC,cAAc,CAAC,EAAE,CAAC;QACtC,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,uDAAuD;IACvD,IAAI,CAAC;QACH,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,cAAc,CAAC,CAAA;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;IACzE,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,OAAO,GAAG,OAAO,EAAE,CAAA;IACzB,MAAM,gBAAgB,GAAG;QACvB,aAAa;QACb,aAAa;QACb,WAAW;QACX,UAAU;QACV,mBAAmB;QACnB,oBAAoB;QACpB,aAAa;QACb,qBAAqB;QACrB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC;QACnC,GAAG;KACJ,CAAA;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IAEzB,4CAA4C;IAC5C,0BAA0B;IAC1B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAA;IAChE,6BAA6B;IAC7B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAA;IAC7D,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC,CAAA;IAEnE,2CAA2C;IAC3C,MAAM,cAAc,GAAG,CAAC,GAAG,eAAe,CAAC,CAAA;IAE3C,mEAAmE;IACnE,sGAAsG;IACtG,qFAAqF;IACrF,MAAM,oBAAoB,GAAG;QAC3B,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC;QAClD,kBAAkB;QAClB,gBAAgB;KACjB,CAAA;IAED,mDAAmD;IACnD,MAAM,eAAe,GAAG,IAAI,eAAe,EAAE,CAAA;IAE7C,gDAAgD;IAChD,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;QACtC,4EAA4E;QAC5E,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;QAC/C,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAE3B,mFAAmF;QACnF,IAAI,CAAC;YACH,qEAAqE;YACrE,8DAA8D;YAC9D,6CAA6C;YAC7C,gCAAgC;YAChC,0EAA0E;YAC1E,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,QAAQ;gBACR,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YACD,2CAA2C;YAC3C,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;YACtE,SAAS,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAA;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,mEAAmE;YACnE,MAAM,IAAI,KAAK,CACb,sCAAsC,QAAQ,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7G,CAAA;QACH,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,iFAAiF;QACjF,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC7C,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAE1B,wFAAwF;QACxF,IAAI,CAAC;YACH,qDAAqD;YACrD,+EAA+E;YAC/E,uCAAuC;YACvC,MAAM,OAAO,GAAG,MAAM,OAAO,KAAK,CAAA;YAClC,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,OAAO;gBACP,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YAED,0CAA0C;YAC1C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAA;YAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;gBAC7C,8DAA8D;gBAC9D,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBAC7C,MAAM,iBAAiB,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAA;gBAC7D,uDAAuD;gBACvD,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CACjC,OAAO,CAAC,EAAE,CAAC,0BAA0B,CAAC,OAAO,CAAC,KAAK,iBAAiB,CACrE,CAAA;gBACD,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;oBACpB,+DAA+D;oBAC/D,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;oBAC9D,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;gBACvB,CAAC;YACH,CAAC;YACD,SAAS,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAA;QAC7B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,yEAAyE;YACzE,MAAM,IAAI,KAAK,CACb,2CAA2C,OAAO,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjH,CAAA;QACH,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,0EAA0E;IAC1E,MAAM,iBAAiB,GAAG;QACxB,YAAY,EAAE,+DAA+D;QAC7E,aAAa,EAAE,4EAA4E;KAC5F,CAAA;IAED,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,gDAAgD;QAChD,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAClD,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAE/B,4EAA4E;QAC5E,sDAAsD;QACtD,IAAI,CAAC;YACH,8EAA8E;YAC9E,MAAM,YAAY,GAAG,MAAM,OAAO,CAChC;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,cAAc;gBACd,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YAED,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;gBACvC,8BAA8B;gBAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;gBAExC,oDAAoD;gBACpD,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;oBAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;oBAC5C,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;gBAC3B,CAAC;qBAAM,IAAI,OAAO,KAAK,aAAa,EAAE,CAAC;oBACrC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;oBAC9C,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;gBAC5B,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qEAAqE;YACrE,MAAM,IAAI,KAAK,CACb,wCAAwC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjG,CAAA;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAA;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,aAAsB,EACtB,cAAuB;IAEvB,MAAM,OAAO,GAAa,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAAA;IAErE,sDAAsD;IACtD,IAAI,CAAC,aAAa,IAAI,CAAC,cAAc,EAAE,CAAC;QACtC,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,8EAA8E;IAC9E,MAAM,gBAAgB,GAAG;QACvB,WAAW;QACX,WAAW;QACX,KAAK;QACL,SAAS;QACT,QAAQ;QACR,gBAAgB,EAAE,aAAa;QAC/B,YAAY,EAAE,kBAAkB;QAChC,eAAe,EAAE,kBAAkB;QACnC,gBAAgB,EAAE,kBAAkB;KACrC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,OAAO,CAAC,IAAI,CAAC,YAAY,gBAAgB,EAAE,CAAC,CAAA;IAC5C,OAAO,CAAC,IAAI,CAAC,YAAY,gBAAgB,EAAE,CAAC,CAAA;IAE5C,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,+BAA+B,aAAa,EAAE,CAAC,CAAA;QAC5D,OAAO,CAAC,IAAI,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAA;QAC7D,uDAAuD;QACvD,OAAO,CAAC,IAAI,CAAC,+BAA+B,aAAa,EAAE,CAAC,CAAA;QAC5D,OAAO,CAAC,IAAI,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,yDAAyD;QACzD,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAE/D,gEAAgE;QAChE,IAAI,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;YAC9B,yBAAyB;YACzB,OAAO,CAAC,IAAI,CACV,8DAA8D,cAAc,UAAU,CACvF,CAAA;QACH,CAAC;QAED,mEAAmE;QACnE,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAE/D,sBAAsB;QACtB,OAAO,CAAC,IAAI,CAAC,yBAAyB,cAAc,EAAE,CAAC,CAAA;QAEvD,+EAA+E;QAC/E,qFAAqF;QAErF,mCAAmC;QACnC,+DAA+D;QAC/D,OAAO,CAAC,IAAI,CACV,sCAAsC,aAAa,IAAI,cAAc,EAAE,CACxE,CAAA;QACD,OAAO,CAAC,IAAI,CACV,uCAAuC,aAAa,IAAI,cAAc,EAAE,CACzE,CAAA;QAED,iDAAiD;QACjD,0DAA0D;QAE1D,4DAA4D;QAC5D,6DAA6D;QAE7D,iDAAiD;QACjD,kDAAkD;QAClD,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAA;YACzC,OAAO,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAA;YAChD,OAAO,CAAC,IAAI,CAAC,uBAAuB,aAAa,EAAE,CAAC,CAAA;QACtD,CAAC;QAED,+BAA+B;QAC/B,4DAA4D;QAE5D,kDAAkD;QAClD,uEAAuE;QAEvE,6CAA6C;QAC7C,OAAO,CAAC,IAAI,CAAC,kCAAkC,cAAc,EAAE,CAAC,CAAA;QAChE,OAAO,CAAC,IAAI,CAAC,kCAAkC,cAAc,EAAE,CAAC,CAAA;IAClE,CAAC;IAED,8FAA8F;IAC9F,4FAA4F;IAC5F,mGAAmG;IAEnG,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AACzD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,cAAsB;IAC3D,OAAO,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;AAC/D,CAAC"}

package/dist/vendor/seccomp/arm64/unix-block.bpf ADDED Viewed

Binary file

package/dist/vendor/seccomp/x64/unix-block.bpf ADDED Viewed

Binary file

package/dist/vendor/seccomp-src/apply-seccomp-and-exec.py ADDED Viewed

@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+"""
+Apply seccomp filter and exec command
+This helper script loads a compiled seccomp BPF filter, applies it to the
+current process using prctl, and then execs the specified command. This enables
+two-stage seccomp application: infrastructure code runs without the filter,
+then the user command runs with the filter active.
+Usage:
+  ./apply-seccomp-and-exec.py <filter-file> -- <command> [args...]
+The filter file should contain a compiled BPF program (struct sock_fprog).
+"""
+import sys
+import os
+import ctypes
+import ctypes.util
+# Constants
+PR_SET_NO_NEW_PRIVS = 38
+PR_SET_SECCOMP = 22
+SECCOMP_MODE_FILTER = 2
+# Define sock_filter structure (8 bytes)
+class sock_filter(ctypes.Structure):
+    _fields_ = [
+        ("code", ctypes.c_uint16),
+        ("jt", ctypes.c_uint8),
+        ("jf", ctypes.c_uint8),
+        ("k", ctypes.c_uint32),
+    ]
+# Define sock_fprog structure
+class sock_fprog(ctypes.Structure):
+    _fields_ = [
+        ("len", ctypes.c_uint16),
+        ("filter", ctypes.POINTER(sock_filter)),
+    ]
+def load_filter(path):
+    """Load BPF filter from file"""
+    try:
+        with open(path, 'rb') as f:
+            data = f.read()
+    except IOError as e:
+        print(f"Error: Failed to open filter file {path}: {e}", file=sys.stderr)
+        sys.exit(1)
+    # Verify size is valid
+    filter_size = ctypes.sizeof(sock_filter)
+    if len(data) == 0 or len(data) % filter_size != 0:
+        print(f"Error: Invalid filter file size: {len(data)}", file=sys.stderr)
+        sys.exit(1)
+    # Parse filter data into array
+    num_filters = len(data) // filter_size
+    filter_array = (sock_filter * num_filters)()
+    ctypes.memmove(filter_array, data, len(data))
+    # Create fprog structure
+    prog = sock_fprog()
+    prog.len = num_filters
+    prog.filter = ctypes.cast(filter_array, ctypes.POINTER(sock_filter))
+    return prog, filter_array  # Keep array alive
+def main():
+    if len(sys.argv) < 4:
+        print(f"Usage: {sys.argv[0]} <filter-file> -- <command> [args...]", file=sys.stderr)
+        print("\nApplies seccomp filter and execs the command", file=sys.stderr)
+        sys.exit(1)
+    # Check for separator
+    if sys.argv[2] != '--':
+        print("Error: Expected '--' as second argument", file=sys.stderr)
+        sys.exit(1)
+    filter_path = sys.argv[1]
+    command_argv = sys.argv[3:]
+    # Load the BPF filter
+    prog, filter_array = load_filter(filter_path)
+    # Load libc
+    libc = ctypes.CDLL(ctypes.util.find_library('c'), use_errno=True)
+    # Set no_new_privs (required for unprivileged processes)
+    ret = libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
+    if ret < 0:
+        errno = ctypes.get_errno()
+        print(f"Error: Failed to set no_new_privs: {os.strerror(errno)}", file=sys.stderr)
+        sys.exit(1)
+    # Apply the seccomp filter
+    ret = libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.byref(prog), 0, 0)
+    if ret < 0:
+        errno = ctypes.get_errno()
+        print(f"Error: Failed to apply seccomp filter: {os.strerror(errno)}", file=sys.stderr)
+        sys.exit(1)
+    # Filter is now active - exec the command
+    try:
+        os.execvp(command_argv[0], command_argv)
+    except OSError as e:
+        print(f"Error: Failed to exec {command_argv[0]}: {e}", file=sys.stderr)
+        sys.exit(1)
+if __name__ == '__main__':
+    main()

package/dist/vendor/seccomp-src/seccomp-unix-block.c ADDED Viewed

@@ -0,0 +1,97 @@
+/*
+ * Seccomp BPF filter generator to block Unix domain socket creation
+ *
+ * This program generates a seccomp-bpf filter that blocks the socket() syscall
+ * when called with AF_UNIX as the domain argument. This prevents creation of
+ * Unix domain sockets while allowing all other socket types (AF_INET, AF_INET6, etc.)
+ * and all other syscalls.
+ *
+ * The filter is exported in a format compatible with bubblewrap's --seccomp flag.
+ *
+ * SECURITY LIMITATION - 32-bit x86 (ia32):
+ * TODO: This filter does NOT block socketcall() syscall, which is a security issue
+ * on 32-bit x86 systems. On ia32, the socket() syscall doesn't exist - instead,
+ * all socket operations are multiplexed through socketcall():
+ *   - socketcall(SYS_SOCKET, [AF_UNIX, ...]) - can bypass this filter
+ *   - socketcall(SYS_SOCKETPAIR, [AF_UNIX, ...]) - can bypass this filter
+ *
+ * To fix this, we need to add conditional rules that:
+ * 1. Check if socketcall() exists on the current architecture (32-bit x86 only)
+ * 2. Block socketcall(SYS_SOCKET, ...) when first arg of sub-call is AF_UNIX
+ * 3. Block socketcall(SYS_SOCKETPAIR, ...) when first arg of sub-call is AF_UNIX
+ *
+ * This requires inspecting the arguments passed to socketcall, which is more
+ * complex BPF logic. For now, 32-bit x86 is not supported.
+ *
+ * Compilation:
+ *   gcc -o seccomp-unix-block seccomp-unix-block.c -lseccomp
+ *
+ * Usage:
+ *   ./seccomp-unix-block <output-file>
+ *
+ * Dependencies:
+ *   - libseccomp (libseccomp-dev package on Debian/Ubuntu)
+ */
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <seccomp.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+int main(int argc, char *argv[]) {
+    scmp_filter_ctx ctx;
+    int rc;
+    if (argc != 2) {
+        fprintf(stderr, "Usage: %s <output-file>\n", argv[0]);
+        return 1;
+    }
+    const char *output_file = argv[1];
+    /* Create seccomp context with default action ALLOW */
+    ctx = seccomp_init(SCMP_ACT_ALLOW);
+    if (ctx == NULL) {
+        fprintf(stderr, "Error: Failed to initialize seccomp context\n");
+        return 1;
+    }
+    /* Add rule to block socket(AF_UNIX, ...) */
+    /* socket() syscall signature: int socket(int domain, int type, int protocol) */
+    /* arg0 = domain (AF_UNIX = 1) */
+    rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 1,
+                          SCMP_A0(SCMP_CMP_EQ, AF_UNIX));
+    if (rc < 0) {
+        fprintf(stderr, "Error: Failed to add seccomp rule: %s\n", strerror(-rc));
+        seccomp_release(ctx);
+        return 1;
+    }
+    /* Export the filter to a file */
+    int fd = open(output_file, O_CREAT | O_WRONLY | O_TRUNC, 0600);
+    if (fd < 0) {
+        fprintf(stderr, "Error: Failed to open output file: %s\n", strerror(errno));
+        seccomp_release(ctx);
+        return 1;
+    }
+    rc = seccomp_export_bpf(ctx, fd);
+    if (rc < 0) {
+        fprintf(stderr, "Error: Failed to export seccomp filter: %s\n", strerror(-rc));
+        close(fd);
+        seccomp_release(ctx);
+        return 1;
+    }
+    /* Clean up */
+    close(fd);
+    seccomp_release(ctx);
+    return 0;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@anthropic-ai/sandbox-runtime",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "description": "Anthropic Sandbox Runtime (ASRT) - A general-purpose tool for wrapping security boundaries around arbitrary processes",
   "type": "module",
   "main": "./dist/index.js",
@@ -13,7 +13,12 @@
   },
   "scripts": {
     "build": "tsc",
+    "postbuild": "[ -d vendor ] && cp -r vendor dist/ || true",
+    "build:seccomp": "scripts/build-seccomp-binaries.sh",
     "clean": "rm -rf dist",
+    "test": "bun test",
+    "test:unit": "bun test test/config-validation.test.ts test/sandbox/seccomp-filter.test.ts",
+    "test:integration": "bun test test/sandbox/integration.test.ts",
     "typecheck": "tsc --noEmit",
     "lint": "eslint 'src/**/*.ts' --fix --cache --cache-location=node_modules/.cache/.eslintcache",
     "lint:check": "eslint 'src/**/*.ts' --cache --cache-location=node_modules/.cache/.eslintcache",
@@ -45,6 +50,7 @@
   },
   "files": [
     "dist",
+    "vendor",
     "README.md",
     "LICENSE"
   ],
@@ -63,10 +69,10 @@
   "license": "Apache-2.0",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/anthropics/sandbox-runtime.git"
+    "url": "git+https://github.com/anthropic-experimental/sandbox-runtime.git"
   },
   "bugs": {
-    "url": "https://github.com/anthropics/sandbox-runtime/issues"
+    "url": "https://github.com/anthropic-experimental/sandbox-runtime/issues"
   },
-  "homepage": "https://github.com/anthropics/sandbox-runtime#readme"
+  "homepage": "https://github.com/anthropic-experimental/sandbox-runtime#readme"
 }