@anthropic-ai/sandbox-runtime 0.0.1 → 0.0.3

package/dist/sandbox/sandbox-schemas.d.ts

@@ -1,4 +1,3 @@
-import { z } from 'zod';
 export interface FsReadRestrictionConfig {
     denyOnly: string[];
 }
@@ -15,79 +14,4 @@ export type NetworkHostPattern = {
     port: number | undefined;
 };
 export type SandboxAskCallback = (params: NetworkHostPattern) => Promise<boolean>;
-export declare function generateHostListSchema(allowedOrDenied: 'allowed' | 'denied'): z.ZodEffects<z.ZodArray<z.ZodString, "many">, string[], string[]>;
-/**
- * Safely parse a network restriction pattern.
- * Returns the parsed pattern or an Error.
- */
-export declare function safeParseRestrictionPattern(pattern: string): NetworkHostPattern | Error;
-/**
- * Schema for command-specific sandbox violation ignore patterns.
- * Maps command patterns to lists of filesystem paths to ignore violations for.
- * The special key "*" matches all commands.
- *
- * Example:
- * {
- *   "*": ["/usr/bin", "/System"],           // Ignore for all commands
- *   "git push": ["/usr/bin/nc"],            // Ignore nc errors when running git push
- *   "npm": ["/private/tmp"],                // Ignore tmp access for npm commands
- * }
- */
-export declare const IgnoreViolationsSchema: z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>;
-export type IgnoreViolationsConfig = z.infer<typeof IgnoreViolationsSchema>;
-export declare const NetworkConfigSchema: z.ZodOptional<z.ZodObject<{
-    allowUnixSockets: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    allowLocalBinding: z.ZodOptional<z.ZodBoolean>;
-    httpProxyPort: z.ZodOptional<z.ZodNumber>;
-    socksProxyPort: z.ZodOptional<z.ZodNumber>;
-}, "strip", z.ZodTypeAny, {
-    allowUnixSockets?: string[] | undefined;
-    allowLocalBinding?: boolean | undefined;
-    httpProxyPort?: number | undefined;
-    socksProxyPort?: number | undefined;
-}, {
-    allowUnixSockets?: string[] | undefined;
-    allowLocalBinding?: boolean | undefined;
-    httpProxyPort?: number | undefined;
-    socksProxyPort?: number | undefined;
-}>>;
-export declare const SandboxConfigSchema: z.ZodObject<{
-    network: z.ZodOptional<z.ZodObject<{
-        allowUnixSockets: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-        allowLocalBinding: z.ZodOptional<z.ZodBoolean>;
-        httpProxyPort: z.ZodOptional<z.ZodNumber>;
-        socksProxyPort: z.ZodOptional<z.ZodNumber>;
-    }, "strip", z.ZodTypeAny, {
-        allowUnixSockets?: string[] | undefined;
-        allowLocalBinding?: boolean | undefined;
-        httpProxyPort?: number | undefined;
-        socksProxyPort?: number | undefined;
-    }, {
-        allowUnixSockets?: string[] | undefined;
-        allowLocalBinding?: boolean | undefined;
-        httpProxyPort?: number | undefined;
-        socksProxyPort?: number | undefined;
-    }>>;
-    ignoreViolations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>>;
-    enableWeakerNestedSandbox: z.ZodOptional<z.ZodBoolean>;
-}, "strip", z.ZodTypeAny, {
-    network?: {
-        allowUnixSockets?: string[] | undefined;
-        allowLocalBinding?: boolean | undefined;
-        httpProxyPort?: number | undefined;
-        socksProxyPort?: number | undefined;
-    } | undefined;
-    ignoreViolations?: Record<string, string[]> | undefined;
-    enableWeakerNestedSandbox?: boolean | undefined;
-}, {
-    network?: {
-        allowUnixSockets?: string[] | undefined;
-        allowLocalBinding?: boolean | undefined;
-        httpProxyPort?: number | undefined;
-        socksProxyPort?: number | undefined;
-    } | undefined;
-    ignoreViolations?: Record<string, string[]> | undefined;
-    enableWeakerNestedSandbox?: boolean | undefined;
-}>;
-export type SandboxConfig = z.infer<typeof SandboxConfigSchema>;
 //# sourceMappingURL=sandbox-schemas.d.ts.map

package/dist/sandbox/sandbox-schemas.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sandbox-schemas.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-schemas.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED,MAAM,WAAW,wBAAwB;IACvC,SAAS,EAAE,MAAM,EAAE,CAAA;IACnB,eAAe,EAAE,MAAM,EAAE,CAAA;CAC1B;AAGD,MAAM,WAAW,wBAAwB;IACvC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;CACvB;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,GAAG,SAAS,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,CAC/B,MAAM,EAAE,kBAAkB,KACvB,OAAO,CAAC,OAAO,CAAC,CAAA;AAErB,wBAAgB,sBAAsB,CAAC,eAAe,EAAE,SAAS,GAAG,QAAQ,qEAiB3E;AAqKD;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,MAAM,GACd,kBAAkB,GAAG,KAAK,CA2B5B;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,2DAWhC,CAAA;AAEH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA;AAO3E,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;GAiCnB,CAAA;AAGb,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAW9B,CAAA;AAEF,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA"}
+{"version":3,"file":"sandbox-schemas.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-schemas.ts"],"names":[],"mappings":"AACA,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED,MAAM,WAAW,wBAAwB;IACvC,SAAS,EAAE,MAAM,EAAE,CAAA;IACnB,eAAe,EAAE,MAAM,EAAE,CAAA;CAC1B;AAGD,MAAM,WAAW,wBAAwB;IACvC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;CACvB;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,GAAG,SAAS,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,CAC/B,MAAM,EAAE,kBAAkB,KACvB,OAAO,CAAC,OAAO,CAAC,CAAA"}

package/dist/sandbox/sandbox-schemas.js

@@ -1,231 +1,2 @@
-import { isIP } from 'node:net';
-import { z } from 'zod';
-export function generateHostListSchema(allowedOrDenied) {
-    return z
-        .array(z.string())
-        .describe(`List of automatically ${allowedOrDenied} network hosts (e.g., ["github.com:443", "api.example.com"])`)
-        .transform((patterns) => {
-        // Parse and validate each host pattern
-        return patterns.map(pattern => {
-            const parsed = safeParseRestrictionPattern(pattern);
-            if (parsed instanceof Error) {
-                throw new Error(`Invalid network host pattern: ${parsed.message}`);
-            }
-            // Return the original validated string, not the parsed pattern
-            return pattern;
-        });
-    });
-}
-// Port number schema
-const portNumberSchema = z
-    .string()
-    .regex(/^\d+$/)
-    .transform(val => parseInt(val, 10))
-    .refine(port => port >= 1 && port <= 65535, 'Port must be between 1 and 65535');
-// Schema for IPv6 addresses without port
-// Examples: "::1" (IPv6 loopback), "2001:db8::1", "fe80::1"
-const ipv6Schema = z
-    .string()
-    .refine(val => isIP(val) === 6 && !val.includes('[') && !val.includes(']'))
-    .transform((val) => ({
-    host: val,
-    port: undefined,
-}));
-// Schema for IPv6 addresses with port (requires bracket notation)
-// Examples: "[::1]:8080", "[2001:db8::1]:443", "[fe80::1]:22"
-const ipv6WithPortSchema = z
-    .string()
-    .regex(/^\[([^\]]+)\]:(\d+)$/)
-    .transform((val) => {
-    const match = val.match(/^\[([^\]]+)\]:(\d+)$/);
-    const host = match[1];
-    const portStr = match[2];
-    // Validate that the host part is actually an IPv6 address
-    if (isIP(host) !== 6) {
-        throw new Error('Invalid IPv6 address in bracket notation');
-    }
-    // Parse and validate port
-    const portResult = portNumberSchema.safeParse(portStr);
-    if (!portResult.success) {
-        throw new Error('Invalid port number');
-    }
-    const port = portResult.data;
-    return { host, port };
-});
-// Schema for IPv4 addresses without port
-// Examples: "192.168.1.1", "127.0.0.1", "10.0.0.1"
-const ipv4Schema = z
-    .string()
-    .refine(val => isIP(val) === 4)
-    .transform((val) => ({
-    host: val,
-    port: undefined,
-}));
-// Schema for IPv4 addresses with port
-// Examples: "192.168.1.1:8080", "127.0.0.1:443", "10.0.0.1:22"
-const ipv4WithPortSchema = z
-    .string()
-    .regex(/^(\d+\.\d+\.\d+\.\d+):(\d+)$/)
-    .transform((val) => {
-    const match = val.match(/^(\d+\.\d+\.\d+\.\d+):(\d+)$/);
-    const host = match[1];
-    const portStr = match[2];
-    // Validate that the host part is actually an IPv4 address
-    if (isIP(host) !== 4) {
-        throw new Error('Invalid IPv4 address format');
-    }
-    // Parse and validate port
-    const portResult = portNumberSchema.safeParse(portStr);
-    if (!portResult.success) {
-        throw new Error('Invalid port number');
-    }
-    const port = portResult.data;
-    return { host, port };
-});
-// Base schema for validating domain names (not IP addresses)
-// Examples: "example.com", "localhost", "*.example.com", "sub.domain.com"
-const domainNameSchema = z.string().refine(val => {
-    // Basic format checks
-    if (val.length === 0 ||
-        val.includes(':') || // No colons (would indicate port or IPv6)
-        val.includes('/') || // No paths or protocol prefixes
-        val.includes('?') || // No query strings
-        val.includes('#') || // No fragments
-        isIP(val) // Not an IP address
-    ) {
-        return false;
-    }
-    // Special case: localhost is always valid
-    if (val === 'localhost') {
-        return true;
-    }
-    // Wildcard domains: *.example.com (must have dot after wildcard)
-    if (val.startsWith('*.')) {
-        const domainPart = val.slice(2);
-        return (domainPart.includes('.') &&
-            !domainPart.startsWith('.') &&
-            !domainPart.endsWith('.'));
-    }
-    // Regular domains: must contain at least one dot and not start/end with dot
-    return val.includes('.') && !val.startsWith('.') && !val.endsWith('.');
-});
-// Schema for domain name without port
-// Examples: "example.com", "*.example.com", "localhost"
-const hostnameSchema = domainNameSchema.transform((val) => ({
-    host: val,
-    port: undefined,
-}));
-// Schema for domain name with port
-// Examples: "example.com:8080", "localhost:3000", "*.example.com:443"
-const hostnameWithPortSchema = z
-    .string()
-    .regex(/^([^:]+):(\d+)$/)
-    .transform((val) => {
-    const match = val.match(/^([^:]+):(\d+)$/);
-    const host = match[1];
-    const portStr = match[2];
-    // Validate that the host part is a valid domain name
-    const hostResult = domainNameSchema.safeParse(host);
-    if (!hostResult.success) {
-        throw new Error('Invalid domain name');
-    }
-    // Parse and validate port
-    const portResult = portNumberSchema.safeParse(portStr);
-    if (!portResult.success) {
-        throw new Error('Invalid port number');
-    }
-    const port = portResult.data;
-    return { host, port };
-});
-// Combined schema that tries each pattern in order
-const hostPatternSchema = z.union([
-    ipv6WithPortSchema,
-    ipv6Schema,
-    ipv4WithPortSchema,
-    ipv4Schema,
-    hostnameWithPortSchema,
-    hostnameSchema,
-]);
-/**
- * Safely parse a network restriction pattern.
- * Returns the parsed pattern or an Error.
- */
-export function safeParseRestrictionPattern(pattern) {
-    const result = hostPatternSchema.safeParse(pattern);
-    if (!result.success) {
-        // Provide helpful error messages for common mistakes
-        if (pattern.startsWith('http://') || pattern.startsWith('https://')) {
-            return Error(`Invalid network restriction: "${pattern}" - remove the protocol (http:// or https://)`);
-        }
-        if (pattern.includes('/')) {
-            return Error(`Invalid network restriction: "${pattern}" - paths are not allowed, only hosts`);
-        }
-        if (pattern === '') {
-            return Error(`Invalid network restriction: empty string - please provide a host`);
-        }
-        if (pattern.endsWith(':')) {
-            return Error(`Invalid network restriction: "${pattern}" - incomplete port specification`);
-        }
-        return Error(`Invalid network restriction: "${pattern}"`);
-    }
-    return result.data;
-}
-/**
- * Schema for command-specific sandbox violation ignore patterns.
- * Maps command patterns to lists of filesystem paths to ignore violations for.
- * The special key "*" matches all commands.
- *
- * Example:
- * {
- *   "*": ["/usr/bin", "/System"],           // Ignore for all commands
- *   "git push": ["/usr/bin/nc"],            // Ignore nc errors when running git push
- *   "npm": ["/private/tmp"],                // Ignore tmp access for npm commands
- * }
- */
-export const IgnoreViolationsSchema = z
-    .record(z.string(), z
-    .array(z.string())
-    .describe('List of filesystem paths to ignore sandbox violations for when this command pattern matches'))
-    .describe('Map of command patterns to filesystem paths to ignore violations for. Use "*" to match all commands');
-// ============================================================================
-// COMBINED SCHEMAS
-// ============================================================================
-// Network restriction schemas
-export const NetworkConfigSchema = z
-    .object({
-    allowUnixSockets: z
-        .array(z.string())
-        .optional()
-        .describe('Allow Unix domain sockets for local IPC (SSH agent, Docker, etc.). Provide an array of specific paths. Defaults to blocking if not specified'),
-    allowLocalBinding: z
-        .boolean()
-        .optional()
-        .describe('Allow binding to local network addresses (e.g., localhost ports). Defaults to false if not specified'),
-    httpProxyPort: z
-        .number()
-        .int()
-        .min(1)
-        .max(65535)
-        .optional()
-        .describe('HTTP proxy port to use for network filtering. If not specified, a proxy server will be started automatically'),
-    socksProxyPort: z
-        .number()
-        .int()
-        .min(1)
-        .max(65535)
-        .optional()
-        .describe('SOCKS proxy port to use for network filtering. If not specified, a proxy server will be started automatically'),
-})
-    .optional();
-// Complete sandbox config schema
-export const SandboxConfigSchema = z.object({
-    network: NetworkConfigSchema,
-    ignoreViolations: IgnoreViolationsSchema.optional(),
-    enableWeakerNestedSandbox: z
-        .boolean()
-        .optional()
-        .describe('Enable weaker sandbox mode for unprivileged docker environments where --proc mounting fails. ' +
-        'This significantly reduces the strength of the sandbox and should only be used when this risk is acceptable.' +
-        'Default: false (secure).'),
-});
+export {};
 //# sourceMappingURL=sandbox-schemas.js.map

package/dist/sandbox/sandbox-schemas.js.map

@@ -1 +1 @@
-{"version":3,"file":"sandbox-schemas.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,UAAU,CAAA;AAC/B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AA2BvB,MAAM,UAAU,sBAAsB,CAAC,eAAqC;IAC1E,OAAO,CAAC;SACL,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,CACP,yBAAyB,eAAe,8DAA8D,CACvG;SACA,SAAS,CAAC,CAAC,QAAQ,EAAY,EAAE;QAChC,uCAAuC;QACvC,OAAO,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE;YAC5B,MAAM,MAAM,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAA;YACnD,IAAI,MAAM,YAAY,KAAK,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CAAC,iCAAiC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAA;YACpE,CAAC;YACD,+DAA+D;YAC/D,OAAO,OAAO,CAAA;QAChB,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACN,CAAC;AAED,qBAAqB;AACrB,MAAM,gBAAgB,GAAG,CAAC;KACvB,MAAM,EAAE;KACR,KAAK,CAAC,OAAO,CAAC;KACd,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;KACnC,MAAM,CACL,IAAI,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,KAAK,EAClC,kCAAkC,CACnC,CAAA;AAEH,yCAAyC;AACzC,4DAA4D;AAC5D,MAAM,UAAU,GAAG,CAAC;KACjB,MAAM,EAAE;KACR,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;KAC1E,SAAS,CACR,CAAC,GAAG,EAAsB,EAAE,CAAC,CAAC;IAC5B,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,SAAS;CAChB,CAAC,CACH,CAAA;AAEH,kEAAkE;AAClE,8DAA8D;AAC9D,MAAM,kBAAkB,GAAG,CAAC;KACzB,MAAM,EAAE;KACR,KAAK,CAAC,sBAAsB,CAAC;KAC7B,SAAS,CAAC,CAAC,GAAG,EAAsB,EAAE;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,sBAAsB,CAAE,CAAA;IAChD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IACtB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IAEzB,0DAA0D;IAC1D,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAA;IAC7D,CAAC;IAED,0BAA0B;IAC1B,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACtD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;IACxC,CAAC;IACD,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAA;IAE5B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;AACvB,CAAC,CAAC,CAAA;AAEJ,yCAAyC;AACzC,mDAAmD;AACnD,MAAM,UAAU,GAAG,CAAC;KACjB,MAAM,EAAE;KACR,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KAC9B,SAAS,CACR,CAAC,GAAG,EAAsB,EAAE,CAAC,CAAC;IAC5B,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,SAAS;CAChB,CAAC,CACH,CAAA;AAEH,sCAAsC;AACtC,+DAA+D;AAC/D,MAAM,kBAAkB,GAAG,CAAC;KACzB,MAAM,EAAE;KACR,KAAK,CAAC,8BAA8B,CAAC;KACrC,SAAS,CAAC,CAAC,GAAG,EAAsB,EAAE;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,8BAA8B,CAAE,CAAA;IACxD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IACtB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IAEzB,0DAA0D;IAC1D,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAA;IAChD,CAAC;IAED,0BAA0B;IAC1B,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACtD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;IACxC,CAAC;IACD,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAA;IAE5B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;AACvB,CAAC,CAAC,CAAA;AAEJ,6DAA6D;AAC7D,0EAA0E;AAC1E,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;IAC/C,sBAAsB;IACtB,IACE,GAAG,CAAC,MAAM,KAAK,CAAC;QAChB,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,0CAA0C;QAC/D,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,gCAAgC;QACrD,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,mBAAmB;QACxC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,eAAe;QACpC,IAAI,CAAC,GAAG,CAAC,CAAC,oBAAoB;MAC9B,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,0CAA0C;IAC1C,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;QACxB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,iEAAiE;IACjE,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;QAC/B,OAAO,CACL,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC;YACxB,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC;YAC3B,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAC1B,CAAA;IACH,CAAC;IAED,4EAA4E;IAC5E,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;AACxE,CAAC,CAAC,CAAA;AAEF,sCAAsC;AACtC,wDAAwD;AACxD,MAAM,cAAc,GAAG,gBAAgB,CAAC,SAAS,CAC/C,CAAC,GAAG,EAAsB,EAAE,CAAC,CAAC;IAC5B,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,SAAS;CAChB,CAAC,CACH,CAAA;AAED,mCAAmC;AACnC,sEAAsE;AACtE,MAAM,sBAAsB,GAAG,CAAC;KAC7B,MAAM,EAAE;KACR,KAAK,CAAC,iBAAiB,CAAC;KACxB,SAAS,CAAC,CAAC,GAAG,EAAsB,EAAE;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,iBAAiB,CAAE,CAAA;IAC3C,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IACtB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAE,CAAA;IAEzB,qDAAqD;IACrD,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAA;IACnD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;IACxC,CAAC;IAED,0BAA0B;IAC1B,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACtD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAA;IACxC,CAAC;IACD,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAA;IAE5B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;AACvB,CAAC,CAAC,CAAA;AAEJ,mDAAmD;AACnD,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC;IAChC,kBAAkB;IAClB,UAAU;IACV,kBAAkB;IAClB,UAAU;IACV,sBAAsB;IACtB,cAAc;CACf,CAAC,CAAA;AAEF;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CACzC,OAAe;IAEf,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IACnD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,qDAAqD;QACrD,IAAI,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACpE,OAAO,KAAK,CACV,iCAAiC,OAAO,+CAA+C,CACxF,CAAA;QACH,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,OAAO,KAAK,CACV,iCAAiC,OAAO,uCAAuC,CAChF,CAAA;QACH,CAAC;QACD,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;YACnB,OAAO,KAAK,CACV,mEAAmE,CACpE,CAAA;QACH,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,OAAO,KAAK,CACV,iCAAiC,OAAO,mCAAmC,CAC5E,CAAA;QACH,CAAC;QACD,OAAO,KAAK,CAAC,iCAAiC,OAAO,GAAG,CAAC,CAAA;IAC3D,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAA;AACpB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC;KACpC,MAAM,CACL,CAAC,CAAC,MAAM,EAAE,EACV,CAAC;KACE,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KACjB,QAAQ,CACP,6FAA6F,CAC9F,CACJ;KACA,QAAQ,CACP,qGAAqG,CACtG,CAAA;AAIH,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E,8BAA8B;AAC9B,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC;KACjC,MAAM,CAAC;IACN,gBAAgB,EAAE,CAAC;SAChB,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;SACV,QAAQ,CACP,8IAA8I,CAC/I;IACH,iBAAiB,EAAE,CAAC;SACjB,OAAO,EAAE;SACT,QAAQ,EAAE;SACV,QAAQ,CACP,sGAAsG,CACvG;IACH,aAAa,EAAE,CAAC;SACb,MAAM,EAAE;SACR,GAAG,EAAE;SACL,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,KAAK,CAAC;SACV,QAAQ,EAAE;SACV,QAAQ,CACP,8GAA8G,CAC/G;IACH,cAAc,EAAE,CAAC;SACd,MAAM,EAAE;SACR,GAAG,EAAE;SACL,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,KAAK,CAAC;SACV,QAAQ,EAAE;SACV,QAAQ,CACP,+GAA+G,CAChH;CACJ,CAAC;KACD,QAAQ,EAAE,CAAA;AAEb,iCAAiC;AACjC,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,OAAO,EAAE,mBAAmB;IAC5B,gBAAgB,EAAE,sBAAsB,CAAC,QAAQ,EAAE;IACnD,yBAAyB,EAAE,CAAC;SACzB,OAAO,EAAE;SACT,QAAQ,EAAE;SACV,QAAQ,CACP,+FAA+F;QAC7F,8GAA8G;QAC9G,0BAA0B,CAC7B;CACJ,CAAC,CAAA"}
+{"version":3,"file":"sandbox-schemas.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-schemas.ts"],"names":[],"mappings":""}

package/dist/sandbox/sandbox-utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-utils.ts"],"names":[],"mappings":"AAyCA;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAO9D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAEpE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CA8BnE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAc/C;AAED;;;;GAIG;AACH,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAqKrE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,aAAa,CAAC,EAAE,MAAM,EACtB,cAAc,CAAC,EAAE,MAAM,GACtB,MAAM,EAAE,CA6FV;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAG9D;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAErE"}
+{"version":3,"file":"sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-utils.ts"],"names":[],"mappings":"AAyCA;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAO9D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAEpE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAiDnE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAiB/C;AAED;;;;GAIG;AACH,wBAAsB,2BAA2B,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAqKrE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,aAAa,CAAC,EAAE,MAAM,EACtB,cAAc,CAAC,EAAE,MAAM,GACtB,MAAM,EAAE,CA6FV;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAG9D;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAErE"}

package/dist/sandbox/sandbox-utils.js

@@ -80,8 +80,27 @@ export function normalizePathForSandbox(pathPattern) {
         // Handle other relative paths (e.g., ".", "..", "foo/bar")
         normalizedPath = path.resolve(cwd, pathPattern);
     }
-    // For glob patterns, don't try to resolve symlinks (they don't exist as literal paths)
+    // For glob patterns, resolve symlinks for the directory portion only
     if (containsGlobChars(normalizedPath)) {
+        // Extract the static directory prefix before glob characters
+        const staticPrefix = normalizedPath.split(/[*?\[\]]/)[0];
+        if (staticPrefix && staticPrefix !== '/') {
+            // Get the directory containing the glob pattern
+            // If staticPrefix ends with /, remove it to get the directory
+            const baseDir = staticPrefix.endsWith('/')
+                ? staticPrefix.slice(0, -1)
+                : path.dirname(staticPrefix);
+            // Try to resolve symlinks for the base directory
+            try {
+                const resolvedBaseDir = fs.realpathSync(baseDir);
+                // Reconstruct the pattern with the resolved directory
+                const patternSuffix = normalizedPath.slice(baseDir.length);
+                return resolvedBaseDir + patternSuffix;
+            }
+            catch {
+                // If directory doesn't exist or can't be resolved, keep the original pattern
+            }
+        }
         return normalizedPath;
     }
     // Resolve symlinks to real paths to avoid bwrap issues
@@ -109,7 +128,10 @@ export function getDefaultWritePaths() {
         '/dev/tty',
         '/dev/dtracehelper',
         '/dev/autofs_nowait',
+        '/tmp/claude',
+        '/private/tmp/claude',
         path.join(homeDir, '.npm/_logs'),
+        path.join(homeDir, '.claude/debug'),
         '.',
     ];
     return recommendedPaths;
@@ -258,8 +280,8 @@ export async function getMandatoryDenyWithinAllow() {
  * Generate proxy environment variables for sandboxed processes
  */
 export function generateProxyEnvVars(httpProxyPort, socksProxyPort) {
-    const envVars = [`SANDBOX_RUNTIME=1`];
-    // If no proxy ports provided, return empty array
+    const envVars = [`SANDBOX_RUNTIME=1`, `TMPDIR=/tmp/claude`];
+    // If no proxy ports provided, return minimal env vars
     if (!httpProxyPort && !socksProxyPort) {
         return envVars;
     }

package/dist/sandbox/sandbox-utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAA;AAC5B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAE7C;;;GAGG;AACH,MAAM,eAAe,GAAG;IACtB,YAAY;IACZ,aAAa;IACb,SAAS;IACT,eAAe;IACf,QAAQ;IACR,WAAW;IACX,UAAU;IACV,YAAY;IACZ,WAAW;CACH,CAAA;AAEV;;;GAGG;AACH,MAAM,qBAAqB,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAU,CAAA;AAEnE;;;;;;;;GAQG;AACH,SAAS,0BAA0B,CAAC,OAAe;IACjD,OAAO,OAAO,CAAC,WAAW,EAAE,CAAA;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAAmB;IACnD,OAAO,CACL,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAC1B,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAAmB;IAC1D,OAAO,WAAW,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;AAC3C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,WAAmB;IACzD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IACzB,IAAI,cAAc,GAAG,WAAW,CAAA;IAEhC,6BAA6B;IAC7B,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;QACxB,cAAc,GAAG,OAAO,EAAE,CAAA;IAC5B,CAAC;SAAM,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,cAAc,GAAG,OAAO,EAAE,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IACnD,CAAC;SAAM,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACzE,kEAAkE;QAClE,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IACjD,CAAC;SAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACzC,2DAA2D;QAC3D,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IACjD,CAAC;IAED,uFAAuF;IACvF,IAAI,iBAAiB,CAAC,cAAc,CAAC,EAAE,CAAC;QACtC,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,uDAAuD;IACvD,IAAI,CAAC;QACH,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,cAAc,CAAC,CAAA;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;IACzE,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,OAAO,GAAG,OAAO,EAAE,CAAA;IACzB,MAAM,gBAAgB,GAAG;QACvB,aAAa;QACb,aAAa;QACb,WAAW;QACX,UAAU;QACV,mBAAmB;QACnB,oBAAoB;QACpB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC;QAChC,GAAG;KACJ,CAAA;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IAEzB,4CAA4C;IAC5C,0BAA0B;IAC1B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAA;IAChE,6BAA6B;IAC7B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAA;IAC7D,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC,CAAA;IAEnE,2CAA2C;IAC3C,MAAM,cAAc,GAAG,CAAC,GAAG,eAAe,CAAC,CAAA;IAE3C,mEAAmE;IACnE,sGAAsG;IACtG,qFAAqF;IACrF,MAAM,oBAAoB,GAAG;QAC3B,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC;QAClD,kBAAkB;QAClB,gBAAgB;KACjB,CAAA;IAED,mDAAmD;IACnD,MAAM,eAAe,GAAG,IAAI,eAAe,EAAE,CAAA;IAE7C,gDAAgD;IAChD,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;QACtC,4EAA4E;QAC5E,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;QAC/C,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAE3B,mFAAmF;QACnF,IAAI,CAAC;YACH,qEAAqE;YACrE,8DAA8D;YAC9D,6CAA6C;YAC7C,gCAAgC;YAChC,0EAA0E;YAC1E,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,QAAQ;gBACR,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YACD,2CAA2C;YAC3C,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;YACtE,SAAS,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAA;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,mEAAmE;YACnE,MAAM,IAAI,KAAK,CACb,sCAAsC,QAAQ,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7G,CAAA;QACH,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,iFAAiF;QACjF,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC7C,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAE1B,wFAAwF;QACxF,IAAI,CAAC;YACH,qDAAqD;YACrD,+EAA+E;YAC/E,uCAAuC;YACvC,MAAM,OAAO,GAAG,MAAM,OAAO,KAAK,CAAA;YAClC,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,OAAO;gBACP,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YAED,0CAA0C;YAC1C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAA;YAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;gBAC7C,8DAA8D;gBAC9D,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBAC7C,MAAM,iBAAiB,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAA;gBAC7D,uDAAuD;gBACvD,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CACjC,OAAO,CAAC,EAAE,CAAC,0BAA0B,CAAC,OAAO,CAAC,KAAK,iBAAiB,CACrE,CAAA;gBACD,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;oBACpB,+DAA+D;oBAC/D,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;oBAC9D,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;gBACvB,CAAC;YACH,CAAC;YACD,SAAS,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAA;QAC7B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,yEAAyE;YACzE,MAAM,IAAI,KAAK,CACb,2CAA2C,OAAO,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjH,CAAA;QACH,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,0EAA0E;IAC1E,MAAM,iBAAiB,GAAG;QACxB,YAAY,EAAE,+DAA+D;QAC7E,aAAa,EAAE,4EAA4E;KAC5F,CAAA;IAED,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,gDAAgD;QAChD,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAClD,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAE/B,4EAA4E;QAC5E,sDAAsD;QACtD,IAAI,CAAC;YACH,8EAA8E;YAC9E,MAAM,YAAY,GAAG,MAAM,OAAO,CAChC;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,cAAc;gBACd,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YAED,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;gBACvC,8BAA8B;gBAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;gBAExC,oDAAoD;gBACpD,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;oBAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;oBAC5C,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;gBAC3B,CAAC;qBAAM,IAAI,OAAO,KAAK,aAAa,EAAE,CAAC;oBACrC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;oBAC9C,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;gBAC5B,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qEAAqE;YACrE,MAAM,IAAI,KAAK,CACb,wCAAwC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjG,CAAA;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAA;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,aAAsB,EACtB,cAAuB;IAEvB,MAAM,OAAO,GAAa,CAAC,mBAAmB,CAAC,CAAA;IAE/C,iDAAiD;IACjD,IAAI,CAAC,aAAa,IAAI,CAAC,cAAc,EAAE,CAAC;QACtC,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,8EAA8E;IAC9E,MAAM,gBAAgB,GAAG;QACvB,WAAW;QACX,WAAW;QACX,KAAK;QACL,SAAS;QACT,QAAQ;QACR,gBAAgB,EAAE,aAAa;QAC/B,YAAY,EAAE,kBAAkB;QAChC,eAAe,EAAE,kBAAkB;QACnC,gBAAgB,EAAE,kBAAkB;KACrC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,OAAO,CAAC,IAAI,CAAC,YAAY,gBAAgB,EAAE,CAAC,CAAA;IAC5C,OAAO,CAAC,IAAI,CAAC,YAAY,gBAAgB,EAAE,CAAC,CAAA;IAE5C,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,+BAA+B,aAAa,EAAE,CAAC,CAAA;QAC5D,OAAO,CAAC,IAAI,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAA;QAC7D,uDAAuD;QACvD,OAAO,CAAC,IAAI,CAAC,+BAA+B,aAAa,EAAE,CAAC,CAAA;QAC5D,OAAO,CAAC,IAAI,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,yDAAyD;QACzD,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAE/D,gEAAgE;QAChE,IAAI,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;YAC9B,yBAAyB;YACzB,OAAO,CAAC,IAAI,CACV,8DAA8D,cAAc,UAAU,CACvF,CAAA;QACH,CAAC;QAED,mEAAmE;QACnE,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAE/D,sBAAsB;QACtB,OAAO,CAAC,IAAI,CAAC,yBAAyB,cAAc,EAAE,CAAC,CAAA;QAEvD,+EAA+E;QAC/E,qFAAqF;QAErF,mCAAmC;QACnC,+DAA+D;QAC/D,OAAO,CAAC,IAAI,CACV,sCAAsC,aAAa,IAAI,cAAc,EAAE,CACxE,CAAA;QACD,OAAO,CAAC,IAAI,CACV,uCAAuC,aAAa,IAAI,cAAc,EAAE,CACzE,CAAA;QAED,iDAAiD;QACjD,0DAA0D;QAE1D,4DAA4D;QAC5D,6DAA6D;QAE7D,iDAAiD;QACjD,kDAAkD;QAClD,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAA;YACzC,OAAO,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAA;YAChD,OAAO,CAAC,IAAI,CAAC,uBAAuB,aAAa,EAAE,CAAC,CAAA;QACtD,CAAC;QAED,+BAA+B;QAC/B,4DAA4D;QAE5D,kDAAkD;QAClD,uEAAuE;QAEvE,6CAA6C;QAC7C,OAAO,CAAC,IAAI,CAAC,kCAAkC,cAAc,EAAE,CAAC,CAAA;QAChE,OAAO,CAAC,IAAI,CAAC,kCAAkC,cAAc,EAAE,CAAC,CAAA;IAClE,CAAC;IAED,8FAA8F;IAC9F,4FAA4F;IAC5F,mGAAmG;IAEnG,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AACzD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,cAAsB;IAC3D,OAAO,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;AAC/D,CAAC"}
+{"version":3,"file":"sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAA;AAC5B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAE7C;;;GAGG;AACH,MAAM,eAAe,GAAG;IACtB,YAAY;IACZ,aAAa;IACb,SAAS;IACT,eAAe;IACf,QAAQ;IACR,WAAW;IACX,UAAU;IACV,YAAY;IACZ,WAAW;CACH,CAAA;AAEV;;;GAGG;AACH,MAAM,qBAAqB,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAU,CAAA;AAEnE;;;;;;;;GAQG;AACH,SAAS,0BAA0B,CAAC,OAAe;IACjD,OAAO,OAAO,CAAC,WAAW,EAAE,CAAA;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAAmB;IACnD,OAAO,CACL,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAC1B,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAAmB;IAC1D,OAAO,WAAW,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;AAC3C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,WAAmB;IACzD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IACzB,IAAI,cAAc,GAAG,WAAW,CAAA;IAEhC,6BAA6B;IAC7B,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;QACxB,cAAc,GAAG,OAAO,EAAE,CAAA;IAC5B,CAAC;SAAM,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,cAAc,GAAG,OAAO,EAAE,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IACnD,CAAC;SAAM,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACzE,kEAAkE;QAClE,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IACjD,CAAC;SAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACzC,2DAA2D;QAC3D,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IACjD,CAAC;IAED,qEAAqE;IACrE,IAAI,iBAAiB,CAAC,cAAc,CAAC,EAAE,CAAC;QACtC,6DAA6D;QAC7D,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,UAAU,CAAC,CAAE,CAAC,CAAC,CAAA;QACzD,IAAI,YAAY,IAAI,YAAY,KAAK,GAAG,EAAE,CAAC;YACzC,gDAAgD;YAChD,8DAA8D;YAC9D,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC;gBACxC,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBAC3B,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAA;YAE9B,iDAAiD;YACjD,IAAI,CAAC;gBACH,MAAM,eAAe,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAA;gBAChD,sDAAsD;gBACtD,MAAM,aAAa,GAAG,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;gBAC1D,OAAO,eAAe,GAAG,aAAa,CAAA;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,6EAA6E;YAC/E,CAAC;QACH,CAAC;QACD,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,uDAAuD;IACvD,IAAI,CAAC;QACH,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,cAAc,CAAC,CAAA;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;IACzE,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,OAAO,GAAG,OAAO,EAAE,CAAA;IACzB,MAAM,gBAAgB,GAAG;QACvB,aAAa;QACb,aAAa;QACb,WAAW;QACX,UAAU;QACV,mBAAmB;QACnB,oBAAoB;QACpB,aAAa;QACb,qBAAqB;QACrB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC;QACnC,GAAG;KACJ,CAAA;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B;IAC/C,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IAEzB,4CAA4C;IAC5C,0BAA0B;IAC1B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAA;IAChE,6BAA6B;IAC7B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAA;IAC7D,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC,CAAA;IAEnE,2CAA2C;IAC3C,MAAM,cAAc,GAAG,CAAC,GAAG,eAAe,CAAC,CAAA;IAE3C,mEAAmE;IACnE,sGAAsG;IACtG,qFAAqF;IACrF,MAAM,oBAAoB,GAAG;QAC3B,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC;QAClD,kBAAkB;QAClB,gBAAgB;KACjB,CAAA;IAED,mDAAmD;IACnD,MAAM,eAAe,GAAG,IAAI,eAAe,EAAE,CAAA;IAE7C,gDAAgD;IAChD,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;QACtC,4EAA4E;QAC5E,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;QAC/C,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAE3B,mFAAmF;QACnF,IAAI,CAAC;YACH,qEAAqE;YACrE,8DAA8D;YAC9D,6CAA6C;YAC7C,gCAAgC;YAChC,0EAA0E;YAC1E,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,QAAQ;gBACR,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YACD,2CAA2C;YAC3C,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;YACtE,SAAS,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAA;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,mEAAmE;YACnE,MAAM,IAAI,KAAK,CACb,sCAAsC,QAAQ,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7G,CAAA;QACH,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,iFAAiF;QACjF,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC7C,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAE1B,wFAAwF;QACxF,IAAI,CAAC;YACH,qDAAqD;YACrD,+EAA+E;YAC/E,uCAAuC;YACvC,MAAM,OAAO,GAAG,MAAM,OAAO,KAAK,CAAA;YAClC,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,OAAO;gBACP,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YAED,0CAA0C;YAC1C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAA;YAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;gBAC7C,8DAA8D;gBAC9D,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBAC7C,MAAM,iBAAiB,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAA;gBAC7D,uDAAuD;gBACvD,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CACjC,OAAO,CAAC,EAAE,CAAC,0BAA0B,CAAC,OAAO,CAAC,KAAK,iBAAiB,CACrE,CAAA;gBACD,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;oBACpB,+DAA+D;oBAC/D,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;oBAC9D,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;gBACvB,CAAC;YACH,CAAC;YACD,SAAS,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAA;QAC7B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,yEAAyE;YACzE,MAAM,IAAI,KAAK,CACb,2CAA2C,OAAO,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjH,CAAA;QACH,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,0EAA0E;IAC1E,MAAM,iBAAiB,GAAG;QACxB,YAAY,EAAE,+DAA+D;QAC7E,aAAa,EAAE,4EAA4E;KAC5F,CAAA;IAED,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,gDAAgD;QAChD,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAClD,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAE/B,4EAA4E;QAC5E,sDAAsD;QACtD,IAAI,CAAC;YACH,8EAA8E;YAC9E,MAAM,YAAY,GAAG,MAAM,OAAO,CAChC;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,cAAc;gBACd,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,CACvB,CAAA;YAED,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;gBACvC,8BAA8B;gBAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;gBAExC,oDAAoD;gBACpD,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;oBAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;oBAC5C,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;gBAC3B,CAAC;qBAAM,IAAI,OAAO,KAAK,aAAa,EAAE,CAAC;oBACrC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;oBAC9C,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;gBAC5B,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qEAAqE;YACrE,MAAM,IAAI,KAAK,CACb,wCAAwC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjG,CAAA;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAA;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,aAAsB,EACtB,cAAuB;IAEvB,MAAM,OAAO,GAAa,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAAA;IAErE,sDAAsD;IACtD,IAAI,CAAC,aAAa,IAAI,CAAC,cAAc,EAAE,CAAC;QACtC,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,8EAA8E;IAC9E,MAAM,gBAAgB,GAAG;QACvB,WAAW;QACX,WAAW;QACX,KAAK;QACL,SAAS;QACT,QAAQ;QACR,gBAAgB,EAAE,aAAa;QAC/B,YAAY,EAAE,kBAAkB;QAChC,eAAe,EAAE,kBAAkB;QACnC,gBAAgB,EAAE,kBAAkB;KACrC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,OAAO,CAAC,IAAI,CAAC,YAAY,gBAAgB,EAAE,CAAC,CAAA;IAC5C,OAAO,CAAC,IAAI,CAAC,YAAY,gBAAgB,EAAE,CAAC,CAAA;IAE5C,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,+BAA+B,aAAa,EAAE,CAAC,CAAA;QAC5D,OAAO,CAAC,IAAI,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAA;QAC7D,uDAAuD;QACvD,OAAO,CAAC,IAAI,CAAC,+BAA+B,aAAa,EAAE,CAAC,CAAA;QAC5D,OAAO,CAAC,IAAI,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,yDAAyD;QACzD,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAE/D,gEAAgE;QAChE,IAAI,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;YAC9B,yBAAyB;YACzB,OAAO,CAAC,IAAI,CACV,8DAA8D,cAAc,UAAU,CACvF,CAAA;QACH,CAAC;QAED,mEAAmE;QACnE,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAE/D,sBAAsB;QACtB,OAAO,CAAC,IAAI,CAAC,yBAAyB,cAAc,EAAE,CAAC,CAAA;QAEvD,+EAA+E;QAC/E,qFAAqF;QAErF,mCAAmC;QACnC,+DAA+D;QAC/D,OAAO,CAAC,IAAI,CACV,sCAAsC,aAAa,IAAI,cAAc,EAAE,CACxE,CAAA;QACD,OAAO,CAAC,IAAI,CACV,uCAAuC,aAAa,IAAI,cAAc,EAAE,CACzE,CAAA;QAED,iDAAiD;QACjD,0DAA0D;QAE1D,4DAA4D;QAC5D,6DAA6D;QAE7D,iDAAiD;QACjD,kDAAkD;QAClD,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAA;YACzC,OAAO,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAA;YAChD,OAAO,CAAC,IAAI,CAAC,uBAAuB,aAAa,EAAE,CAAC,CAAA;QACtD,CAAC;QAED,+BAA+B;QAC/B,4DAA4D;QAE5D,kDAAkD;QAClD,uEAAuE;QAEvE,6CAA6C;QAC7C,OAAO,CAAC,IAAI,CAAC,kCAAkC,cAAc,EAAE,CAAC,CAAA;QAChE,OAAO,CAAC,IAAI,CAAC,kCAAkC,cAAc,EAAE,CAAC,CAAA;IAClE,CAAC;IAED,8FAA8F;IAC9F,4FAA4F;IAC5F,mGAAmG;IAEnG,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AACzD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,cAAsB;IAC3D,OAAO,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;AAC/D,CAAC"}

package/dist/vendor/seccomp-src/apply-seccomp.c

@@ -0,0 +1,98 @@
+/*
+ * apply-seccomp.c - Apply seccomp BPF filter and exec command
+ *
+ * Usage: apply-seccomp <filter.bpf> <command> [args...]
+ *
+ * This program reads a pre-compiled BPF filter from a file, applies it
+ * using prctl(PR_SET_SECCOMP), and then execs the specified command.
+ *
+ * The BPF filter must be in the format expected by SECCOMP_MODE_FILTER:
+ * - struct sock_fprog { unsigned short len; struct sock_filter *filter; }
+ * - Each filter instruction is 8 bytes (BPF instruction format)
+ *
+ * Compile: gcc -static -O2 -o apply-seccomp apply-seccomp.c
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/prctl.h>
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+#include <errno.h>
+
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS 38
+#endif
+
+#ifndef SECCOMP_MODE_FILTER
+#define SECCOMP_MODE_FILTER 2
+#endif
+
+#define MAX_FILTER_SIZE 4096  // Maximum BPF filter size in bytes
+
+int main(int argc, char *argv[], char *envp[]) {
+    if (argc < 3) {
+        fprintf(stderr, "Usage: %s <filter.bpf> <command> [args...]\n", argv[0]);
+        return 1;
+    }
+
+    const char *filter_path = argv[1];
+    char **command_argv = &argv[2];
+
+    // Open and read BPF filter file
+    int fd = open(filter_path, O_RDONLY);
+    if (fd < 0) {
+        perror("Failed to open BPF filter file");
+        return 1;
+    }
+
+    // Read filter into memory
+    unsigned char filter_bytes[MAX_FILTER_SIZE];
+    ssize_t filter_size = read(fd, filter_bytes, MAX_FILTER_SIZE);
+    close(fd);
+
+    if (filter_size < 0) {
+        perror("Failed to read BPF filter");
+        return 1;
+    }
+    if (filter_size == 0) {
+        fprintf(stderr, "BPF filter file is empty\n");
+        return 1;
+    }
+    if (filter_size % 8 != 0) {
+        fprintf(stderr, "Invalid BPF filter size: %zd (must be multiple of 8)\n", filter_size);
+        return 1;
+    }
+
+    // Convert bytes to sock_filter instructions
+    unsigned short filter_len = filter_size / 8;
+    struct sock_filter *filter = (struct sock_filter *)filter_bytes;
+
+    // Set up sock_fprog structure
+    struct sock_fprog prog = {
+        .len = filter_len,
+        .filter = filter,
+    };
+
+    // Set NO_NEW_PRIVS to allow seccomp without CAP_SYS_ADMIN
+    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
+        perror("prctl(PR_SET_NO_NEW_PRIVS) failed");
+        return 1;
+    }
+
+    // Apply seccomp filter
+    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) {
+        perror("prctl(PR_SET_SECCOMP) failed");
+        return 1;
+    }
+
+    // Exec the command with seccomp filter active
+    execvp(command_argv[0], command_argv);
+
+    // If we get here, exec failed
+    perror("execvp failed");
+    return 1;
+}

package/dist/vendor/seccomp-src/seccomp-unix-block.c

@@ -0,0 +1,97 @@
+/*
+ * Seccomp BPF filter generator to block Unix domain socket creation
+ *
+ * This program generates a seccomp-bpf filter that blocks the socket() syscall
+ * when called with AF_UNIX as the domain argument. This prevents creation of
+ * Unix domain sockets while allowing all other socket types (AF_INET, AF_INET6, etc.)
+ * and all other syscalls.
+ *
+ * The filter is exported in a format compatible with bubblewrap's --seccomp flag.
+ *
+ * SECURITY LIMITATION - 32-bit x86 (ia32):
+ * TODO: This filter does NOT block socketcall() syscall, which is a security issue
+ * on 32-bit x86 systems. On ia32, the socket() syscall doesn't exist - instead,
+ * all socket operations are multiplexed through socketcall():
+ *   - socketcall(SYS_SOCKET, [AF_UNIX, ...]) - can bypass this filter
+ *   - socketcall(SYS_SOCKETPAIR, [AF_UNIX, ...]) - can bypass this filter
+ *
+ * To fix this, we need to add conditional rules that:
+ * 1. Check if socketcall() exists on the current architecture (32-bit x86 only)
+ * 2. Block socketcall(SYS_SOCKET, ...) when first arg of sub-call is AF_UNIX
+ * 3. Block socketcall(SYS_SOCKETPAIR, ...) when first arg of sub-call is AF_UNIX
+ *
+ * This requires inspecting the arguments passed to socketcall, which is more
+ * complex BPF logic. For now, 32-bit x86 is not supported.
+ *
+ * Compilation:
+ *   gcc -o seccomp-unix-block seccomp-unix-block.c -lseccomp
+ *
+ * Usage:
+ *   ./seccomp-unix-block <output-file>
+ *
+ * Dependencies:
+ *   - libseccomp (libseccomp-dev package on Debian/Ubuntu)
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <seccomp.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+int main(int argc, char *argv[]) {
+    scmp_filter_ctx ctx;
+    int rc;
+
+    if (argc != 2) {
+        fprintf(stderr, "Usage: %s <output-file>\n", argv[0]);
+        return 1;
+    }
+
+    const char *output_file = argv[1];
+
+    /* Create seccomp context with default action ALLOW */
+    ctx = seccomp_init(SCMP_ACT_ALLOW);
+    if (ctx == NULL) {
+        fprintf(stderr, "Error: Failed to initialize seccomp context\n");
+        return 1;
+    }
+
+    /* Add rule to block socket(AF_UNIX, ...) */
+    /* socket() syscall signature: int socket(int domain, int type, int protocol) */
+    /* arg0 = domain (AF_UNIX = 1) */
+    rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(socket), 1,
+                          SCMP_A0(SCMP_CMP_EQ, AF_UNIX));
+    if (rc < 0) {
+        fprintf(stderr, "Error: Failed to add seccomp rule: %s\n", strerror(-rc));
+        seccomp_release(ctx);
+        return 1;
+    }
+
+    /* Export the filter to a file */
+    int fd = open(output_file, O_CREAT | O_WRONLY | O_TRUNC, 0600);
+    if (fd < 0) {
+        fprintf(stderr, "Error: Failed to open output file: %s\n", strerror(errno));
+        seccomp_release(ctx);
+        return 1;
+    }
+
+    rc = seccomp_export_bpf(ctx, fd);
+    if (rc < 0) {
+        fprintf(stderr, "Error: Failed to export seccomp filter: %s\n", strerror(-rc));
+        close(fd);
+        seccomp_release(ctx);
+        return 1;
+    }
+
+    /* Clean up */
+    close(fd);
+    seccomp_release(ctx);
+
+    return 0;
+}