@anthropic-ai/sandbox-runtime 0.0.1

package/dist/sandbox/http-proxy.js

@@ -0,0 +1,118 @@
+import { createServer } from 'node:http';
+import { request as httpRequest } from 'node:http';
+import { request as httpsRequest } from 'node:https';
+import { connect } from 'node:net';
+import { URL } from 'node:url';
+import { logForDebugging } from '../utils/debug.js';
+export function createHttpProxyServer(options) {
+    const server = createServer();
+    // Handle CONNECT requests for HTTPS traffic
+    server.on('connect', async (req, socket) => {
+        // Attach error handler immediately to prevent unhandled errors
+        socket.on('error', err => {
+            logForDebugging(`Client socket error: ${err.message}`, { level: 'error' });
+        });
+        try {
+            const [hostname, portStr] = req.url.split(':');
+            const port = portStr === undefined ? undefined : parseInt(portStr, 10);
+            if (!hostname || !port) {
+                logForDebugging(`Invalid CONNECT request: ${req.url}`, {
+                    level: 'error',
+                });
+                socket.end('HTTP/1.1 400 Bad Request\r\n\r\n');
+                return;
+            }
+            const allowed = await options.filter(port, hostname, socket);
+            if (!allowed) {
+                logForDebugging(`Connection blocked to ${hostname}:${port}`, {
+                    level: 'error',
+                });
+                socket.end('HTTP/1.1 403 Forbidden\r\n' +
+                    'Content-Type: text/plain\r\n' +
+                    'X-Proxy-Error: blocked-by-allowlist\r\n' +
+                    '\r\n' +
+                    'Connection blocked by network allowlist');
+                return;
+            }
+            const serverSocket = connect(port, hostname, () => {
+                socket.write('HTTP/1.1 200 Connection Established\r\n\r\n');
+                serverSocket.pipe(socket);
+                socket.pipe(serverSocket);
+            });
+            serverSocket.on('error', err => {
+                logForDebugging(`CONNECT tunnel failed: ${err.message}`, {
+                    level: 'error',
+                });
+                socket.end('HTTP/1.1 502 Bad Gateway\r\n\r\n');
+            });
+            socket.on('error', err => {
+                logForDebugging(`Client socket error: ${err.message}`, {
+                    level: 'error',
+                });
+                serverSocket.destroy();
+            });
+            socket.on('end', () => serverSocket.end());
+            serverSocket.on('end', () => socket.end());
+        }
+        catch (err) {
+            logForDebugging(`Error handling CONNECT: ${err}`, { level: 'error' });
+            socket.end('HTTP/1.1 500 Internal Server Error\r\n\r\n');
+        }
+    });
+    // Handle regular HTTP requests
+    server.on('request', async (req, res) => {
+        try {
+            const url = new URL(req.url);
+            const hostname = url.hostname;
+            const port = url.port
+                ? parseInt(url.port, 10)
+                : url.protocol === 'https:'
+                    ? 443
+                    : 80;
+            const allowed = await options.filter(port, hostname, req.socket);
+            if (!allowed) {
+                logForDebugging(`HTTP request blocked to ${hostname}:${port}`, {
+                    level: 'error',
+                });
+                res.writeHead(403, {
+                    'Content-Type': 'text/plain',
+                    'X-Proxy-Error': 'blocked-by-allowlist',
+                });
+                res.end('Connection blocked by network allowlist');
+                return;
+            }
+            // Choose http or https module
+            const requestFn = url.protocol === 'https:' ? httpsRequest : httpRequest;
+            const proxyReq = requestFn({
+                hostname,
+                port,
+                path: url.pathname + url.search,
+                method: req.method,
+                headers: {
+                    ...req.headers,
+                    host: url.host,
+                },
+            }, proxyRes => {
+                res.writeHead(proxyRes.statusCode, proxyRes.headers);
+                proxyRes.pipe(res);
+            });
+            proxyReq.on('error', err => {
+                logForDebugging(`Proxy request failed: ${err.message}`, {
+                    level: 'error',
+                });
+                if (!res.headersSent) {
+                    res.writeHead(502, { 'Content-Type': 'text/plain' });
+                    res.end('Bad Gateway');
+                }
+            });
+            req.pipe(proxyReq);
+        }
+        catch (err) {
+            logForDebugging(`Error handling HTTP request: ${err}`, { level: 'error' });
+            res.writeHead(500, { 'Content-Type': 'text/plain' });
+            res.end('Internal Server Error');
+        }
+    });
+    return server;
+}
+//# sourceMappingURL=http-proxy.js.map

package/dist/sandbox/http-proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-proxy.js","sourceRoot":"","sources":["../../src/sandbox/http-proxy.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAA;AACxC,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,WAAW,CAAA;AAClD,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,YAAY,CAAA;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAA;AAClC,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAA;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAUnD,MAAM,UAAU,qBAAqB,CAAC,OAA+B;IACnE,MAAM,MAAM,GAAG,YAAY,EAAE,CAAA;IAE7B,4CAA4C;IAC5C,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE;QACzC,+DAA+D;QAC/D,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;YACvB,eAAe,CAAC,wBAAwB,GAAG,CAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;QAC5E,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,GAAG,CAAC,GAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC/C,MAAM,IAAI,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;YAEtE,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;gBACvB,eAAe,CAAC,4BAA4B,GAAG,CAAC,GAAG,EAAE,EAAE;oBACrD,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;gBACF,MAAM,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAA;gBAC9C,OAAM;YACR,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAA;YAC5D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,eAAe,CAAC,yBAAyB,QAAQ,IAAI,IAAI,EAAE,EAAE;oBAC3D,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;gBACF,MAAM,CAAC,GAAG,CACR,4BAA4B;oBAC1B,8BAA8B;oBAC9B,yCAAyC;oBACzC,MAAM;oBACN,yCAAyC,CAC5C,CAAA;gBACD,OAAM;YACR,CAAC;YAED,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE;gBAChD,MAAM,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAA;gBAC3D,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;gBACzB,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;YAC3B,CAAC,CAAC,CAAA;YAEF,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;gBAC7B,eAAe,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE,EAAE;oBACvD,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;gBACF,MAAM,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAA;YAChD,CAAC,CAAC,CAAA;YAEF,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;gBACvB,eAAe,CAAC,wBAAwB,GAAG,CAAC,OAAO,EAAE,EAAE;oBACrD,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;gBACF,YAAY,CAAC,OAAO,EAAE,CAAA;YACxB,CAAC,CAAC,CAAA;YAEF,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,GAAG,EAAE,CAAC,CAAA;YAC1C,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAA;QAC5C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAe,CAAC,2BAA2B,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;YACrE,MAAM,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAA;QAC1D,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,+BAA+B;IAC/B,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACtC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAI,CAAC,CAAA;YAC7B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAA;YAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI;gBACnB,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;gBACxB,CAAC,CAAC,GAAG,CAAC,QAAQ,KAAK,QAAQ;oBACzB,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,EAAE,CAAA;YAER,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,CAAA;YAChE,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,eAAe,CAAC,2BAA2B,QAAQ,IAAI,IAAI,EAAE,EAAE;oBAC7D,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;gBACF,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;oBACjB,cAAc,EAAE,YAAY;oBAC5B,eAAe,EAAE,sBAAsB;iBACxC,CAAC,CAAA;gBACF,GAAG,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAA;gBAClD,OAAM;YACR,CAAC;YAED,8BAA8B;YAC9B,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW,CAAA;YAExE,MAAM,QAAQ,GAAG,SAAS,CACxB;gBACE,QAAQ;gBACR,IAAI;gBACJ,IAAI,EAAE,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM;gBAC/B,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,OAAO,EAAE;oBACP,GAAG,GAAG,CAAC,OAAO;oBACd,IAAI,EAAE,GAAG,CAAC,IAAI;iBACf;aACF,EACD,QAAQ,CAAC,EAAE;gBACT,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAW,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAA;gBACrD,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YACpB,CAAC,CACF,CAAA;YAED,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;gBACzB,eAAe,CAAC,yBAAyB,GAAG,CAAC,OAAO,EAAE,EAAE;oBACtD,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;gBACF,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;oBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAA;oBACpD,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;gBACxB,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACpB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAe,CAAC,gCAAgC,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;YAC1E,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAA;YACpD,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;QAClC,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/sandbox/linux-sandbox-utils.d.ts

@@ -0,0 +1,60 @@
+import type { ChildProcess } from 'node:child_process';
+import type { FsReadRestrictionConfig, FsWriteRestrictionConfig } from './sandbox-schemas.js';
+export interface LinuxNetworkBridgeContext {
+    httpSocketPath: string;
+    socksSocketPath: string;
+    httpBridgeProcess: ChildProcess;
+    socksBridgeProcess: ChildProcess;
+    httpProxyPort: number;
+    socksProxyPort: number;
+}
+export interface LinuxSandboxParams {
+    command: string;
+    hasNetworkRestrictions: boolean;
+    hasFilesystemRestrictions: boolean;
+    httpSocketPath?: string;
+    socksSocketPath?: string;
+    httpProxyPort?: number;
+    socksProxyPort?: number;
+    readConfig?: FsReadRestrictionConfig;
+    writeConfig?: FsWriteRestrictionConfig;
+    enableWeakerNestedSandbox?: boolean;
+}
+/**
+ * Check if Linux sandbox dependencies are available (synchronous)
+ * Returns true if bwrap, socat, and rg are installed, false otherwise
+ * Cached to avoid repeated system calls
+ */
+export declare function hasLinuxSandboxDependenciesSync(): boolean;
+/**
+ * Initialize the Linux network bridge for sandbox networking
+ *
+ * ARCHITECTURE NOTE:
+ * Linux network sandboxing uses bwrap --unshare-net which creates a completely isolated
+ * network namespace with NO network access. To enable network access, we:
+ *
+ * 1. Host side: Run socat bridges that listen on Unix sockets and forward to host proxy servers
+ *    - HTTP bridge: Unix socket -> host HTTP proxy (for HTTP/HTTPS traffic)
+ *    - SOCKS bridge: Unix socket -> host SOCKS5 proxy (for SSH/git traffic)
+ *
+ * 2. Sandbox side: Bind the Unix sockets into the isolated namespace and run socat listeners
+ *    - HTTP listener on port 3128 -> HTTP Unix socket -> host HTTP proxy
+ *    - SOCKS listener on port 1080 -> SOCKS Unix socket -> host SOCKS5 proxy
+ *
+ * 3. Configure environment:
+ *    - HTTP_PROXY=http://localhost:3128 for HTTP/HTTPS tools
+ *    - GIT_SSH_COMMAND with socat for SSH through SOCKS5
+ *
+ * LIMITATION: Unlike macOS sandbox which can enforce domain-based allowlists at the kernel level,
+ * Linux's --unshare-net provides only all-or-nothing network isolation. Domain filtering happens
+ * at the host proxy level, not the sandbox boundary. This means network restrictions on Linux
+ * depend on the proxy's filtering capabilities.
+ *
+ * DEPENDENCIES: Requires bwrap (bubblewrap) and socat
+ */
+export declare function initializeLinuxNetworkBridge(httpProxyPort: number, socksProxyPort: number): Promise<LinuxNetworkBridgeContext>;
+/**
+ * Wrap a command with sandbox restrictions on Linux
+ */
+export declare function wrapCommandWithSandboxLinux(params: LinuxSandboxParams): Promise<string>;
+//# sourceMappingURL=linux-sandbox-utils.d.ts.map

package/dist/sandbox/linux-sandbox-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"linux-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAQtD,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAE7B,MAAM,WAAW,yBAAyB;IACxC,cAAc,EAAE,MAAM,CAAA;IACtB,eAAe,EAAE,MAAM,CAAA;IACvB,iBAAiB,EAAE,YAAY,CAAA;IAC/B,kBAAkB,EAAE,YAAY,CAAA;IAChC,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,sBAAsB,EAAE,OAAO,CAAA;IAC/B,yBAAyB,EAAE,OAAO,CAAA;IAClC,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,UAAU,CAAC,EAAE,uBAAuB,CAAA;IACpC,WAAW,CAAC,EAAE,wBAAwB,CAAA;IACtC,yBAAyB,CAAC,EAAE,OAAO,CAAA;CACpC;AAKD;;;;GAIG;AACH,wBAAgB,+BAA+B,IAAI,OAAO,CA4BzD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,4BAA4B,CAChD,aAAa,EAAE,MAAM,EACrB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,yBAAyB,CAAC,CAqGpC;AA4ID;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,MAAM,CAAC,CAgHjB"}

package/dist/sandbox/linux-sandbox-utils.js

@@ -0,0 +1,333 @@
+import shellquote from 'shell-quote';
+import { logForDebugging } from '../utils/debug.js';
+import { randomBytes } from 'node:crypto';
+import * as fs from 'fs';
+import { spawn, spawnSync } from 'node:child_process';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { generateProxyEnvVars, normalizePathForSandbox, getMandatoryDenyWithinAllow, } from './sandbox-utils.js';
+// Cache for Linux sandbox dependencies check
+let linuxDepsCache;
+/**
+ * Check if Linux sandbox dependencies are available (synchronous)
+ * Returns true if bwrap, socat, and rg are installed, false otherwise
+ * Cached to avoid repeated system calls
+ */
+export function hasLinuxSandboxDependenciesSync() {
+    if (linuxDepsCache !== undefined) {
+        return linuxDepsCache;
+    }
+    try {
+        const bwrapResult = spawnSync('which', ['bwrap'], {
+            stdio: 'ignore',
+            timeout: 1000,
+        });
+        const socatResult = spawnSync('which', ['socat'], {
+            stdio: 'ignore',
+            timeout: 1000,
+        });
+        const rgResult = spawnSync('which', ['rg'], {
+            stdio: 'ignore',
+            timeout: 1000,
+        });
+        linuxDepsCache =
+            bwrapResult.status === 0 &&
+                socatResult.status === 0 &&
+                rgResult.status === 0;
+        return linuxDepsCache;
+    }
+    catch {
+        linuxDepsCache = false;
+        return false;
+    }
+}
+/**
+ * Initialize the Linux network bridge for sandbox networking
+ *
+ * ARCHITECTURE NOTE:
+ * Linux network sandboxing uses bwrap --unshare-net which creates a completely isolated
+ * network namespace with NO network access. To enable network access, we:
+ *
+ * 1. Host side: Run socat bridges that listen on Unix sockets and forward to host proxy servers
+ *    - HTTP bridge: Unix socket -> host HTTP proxy (for HTTP/HTTPS traffic)
+ *    - SOCKS bridge: Unix socket -> host SOCKS5 proxy (for SSH/git traffic)
+ *
+ * 2. Sandbox side: Bind the Unix sockets into the isolated namespace and run socat listeners
+ *    - HTTP listener on port 3128 -> HTTP Unix socket -> host HTTP proxy
+ *    - SOCKS listener on port 1080 -> SOCKS Unix socket -> host SOCKS5 proxy
+ *
+ * 3. Configure environment:
+ *    - HTTP_PROXY=http://localhost:3128 for HTTP/HTTPS tools
+ *    - GIT_SSH_COMMAND with socat for SSH through SOCKS5
+ *
+ * LIMITATION: Unlike macOS sandbox which can enforce domain-based allowlists at the kernel level,
+ * Linux's --unshare-net provides only all-or-nothing network isolation. Domain filtering happens
+ * at the host proxy level, not the sandbox boundary. This means network restrictions on Linux
+ * depend on the proxy's filtering capabilities.
+ *
+ * DEPENDENCIES: Requires bwrap (bubblewrap) and socat
+ */
+export async function initializeLinuxNetworkBridge(httpProxyPort, socksProxyPort) {
+    const socketId = randomBytes(8).toString('hex');
+    const httpSocketPath = join(tmpdir(), `claude-http-${socketId}.sock`);
+    const socksSocketPath = join(tmpdir(), `claude-socks-${socketId}.sock`);
+    // Start HTTP bridge
+    const httpSocatArgs = [
+        `UNIX-LISTEN:${httpSocketPath},fork,reuseaddr`,
+        `TCP:localhost:${httpProxyPort},keepalive,keepidle=10,keepintvl=5,keepcnt=3`,
+    ];
+    logForDebugging(`Starting HTTP bridge: socat ${httpSocatArgs.join(' ')}`);
+    const httpBridgeProcess = spawn('socat', httpSocatArgs, {
+        stdio: 'ignore',
+    });
+    if (!httpBridgeProcess.pid) {
+        throw new Error('Failed to start HTTP bridge process');
+    }
+    // Start SOCKS bridge
+    const socksSocatArgs = [
+        `UNIX-LISTEN:${socksSocketPath},fork,reuseaddr`,
+        `TCP:localhost:${socksProxyPort},keepalive,keepidle=10,keepintvl=5,keepcnt=3`,
+    ];
+    logForDebugging(`Starting SOCKS bridge: socat ${socksSocatArgs.join(' ')}`);
+    const socksBridgeProcess = spawn('socat', socksSocatArgs, {
+        stdio: 'ignore',
+    });
+    if (!socksBridgeProcess.pid) {
+        // Clean up HTTP bridge
+        if (httpBridgeProcess.pid) {
+            try {
+                process.kill(httpBridgeProcess.pid, 'SIGTERM');
+            }
+            catch {
+                // Ignore errors
+            }
+        }
+        throw new Error('Failed to start SOCKS bridge process');
+    }
+    // Wait for both sockets to be ready
+    const maxAttempts = 5;
+    for (let i = 0; i < maxAttempts; i++) {
+        if (!httpBridgeProcess.pid ||
+            httpBridgeProcess.killed ||
+            !socksBridgeProcess.pid ||
+            socksBridgeProcess.killed) {
+            throw new Error('Linux bridge process died unexpectedly');
+        }
+        try {
+            // fs already imported
+            if (fs.existsSync(httpSocketPath) && fs.existsSync(socksSocketPath)) {
+                logForDebugging(`Linux bridges ready after ${i + 1} attempts`);
+                break;
+            }
+        }
+        catch (err) {
+            logForDebugging(`Error checking sockets (attempt ${i + 1}): ${err}`, {
+                level: 'error',
+            });
+        }
+        if (i === maxAttempts - 1) {
+            // Clean up both processes
+            if (httpBridgeProcess.pid) {
+                try {
+                    process.kill(httpBridgeProcess.pid, 'SIGTERM');
+                }
+                catch {
+                    // Ignore errors
+                }
+            }
+            if (socksBridgeProcess.pid) {
+                try {
+                    process.kill(socksBridgeProcess.pid, 'SIGTERM');
+                }
+                catch {
+                    // Ignore errors
+                }
+            }
+            throw new Error(`Failed to create bridge sockets after ${maxAttempts} attempts`);
+        }
+        await new Promise(resolve => setTimeout(resolve, i * 100));
+    }
+    return {
+        httpSocketPath,
+        socksSocketPath,
+        httpBridgeProcess,
+        socksBridgeProcess,
+        httpProxyPort,
+        socksProxyPort,
+    };
+}
+/**
+ * Build the command that runs inside the sandbox.
+ * Sets up HTTP proxy on port 3128 and SOCKS proxy on port 1080
+ */
+function buildSandboxCommand(httpSocketPath, socksSocketPath, userCommand) {
+    // Use a single trap that kills all jobs on EXIT
+    // This avoids issues with $! variable expansion through shellquote
+    const innerScript = [
+        `socat TCP-LISTEN:3128,fork,reuseaddr UNIX-CONNECT:${httpSocketPath} >/dev/null 2>&1 &`,
+        `socat TCP-LISTEN:1080,fork,reuseaddr UNIX-CONNECT:${socksSocketPath} >/dev/null 2>&1 &`,
+        'trap "kill %1 %2 2>/dev/null; exit" EXIT',
+        `eval ${shellquote.quote([userCommand])}`,
+    ].join('\n');
+    return `bash -c ${shellquote.quote([innerScript])}`;
+}
+/**
+ * Generate filesystem bind mount arguments for bwrap
+ */
+async function generateFilesystemArgs(readConfig, writeConfig) {
+    const args = [];
+    // fs already imported
+    // Determine initial root mount based on write restrictions
+    if (writeConfig) {
+        // Write restrictions: Start with read-only root, then allow writes to specific paths
+        args.push('--ro-bind', '/', '/');
+        // Collect normalized allowed write paths for later checking
+        const allowedWritePaths = [];
+        // Allow writes to specific paths
+        for (const pathPattern of writeConfig.allowOnly || []) {
+            const normalizedPath = normalizePathForSandbox(pathPattern);
+            logForDebugging(`[Sandbox Linux] Processing write path: ${pathPattern} -> ${normalizedPath}`);
+            // Skip /dev/* paths since --dev /dev already handles them
+            if (normalizedPath.startsWith('/dev/')) {
+                logForDebugging(`[Sandbox Linux] Skipping /dev path: ${normalizedPath}`);
+                continue;
+            }
+            if (!fs.existsSync(normalizedPath)) {
+                logForDebugging(`[Sandbox Linux] Skipping non-existent write path: ${normalizedPath}`);
+                continue;
+            }
+            args.push('--bind', normalizedPath, normalizedPath);
+            allowedWritePaths.push(normalizedPath);
+        }
+        // Deny writes within allowed paths (user-specified + mandatory denies)
+        const denyPaths = [
+            ...(writeConfig.denyWithinAllow || []),
+            ...(await getMandatoryDenyWithinAllow()),
+        ];
+        for (const pathPattern of denyPaths) {
+            const normalizedPath = normalizePathForSandbox(pathPattern);
+            // Skip /dev/* paths since --dev /dev already handles them
+            if (normalizedPath.startsWith('/dev/')) {
+                continue;
+            }
+            // Skip non-existent paths
+            if (!fs.existsSync(normalizedPath)) {
+                logForDebugging(`[Sandbox Linux] Skipping non-existent deny path: ${normalizedPath}`);
+                continue;
+            }
+            // Only add deny binding if this path is within an allowed write path
+            // Otherwise it's already read-only from the initial --ro-bind / /
+            const isWithinAllowedPath = allowedWritePaths.some(allowedPath => normalizedPath.startsWith(allowedPath + '/') ||
+                normalizedPath === allowedPath);
+            if (isWithinAllowedPath) {
+                args.push('--ro-bind', normalizedPath, normalizedPath);
+            }
+            else {
+                logForDebugging(`[Sandbox Linux] Skipping deny path not within allowed paths: ${normalizedPath}`);
+            }
+        }
+    }
+    else {
+        // No write restrictions: Allow all writes
+        args.push('--bind', '/', '/');
+    }
+    // Handle read restrictions by mounting tmpfs over denied paths
+    const readDenyPaths = [...(readConfig?.denyOnly || [])];
+    // Always hide /etc/ssh/ssh_config.d to avoid permission issues with OrbStack
+    // SSH is very strict about config file permissions and ownership, and they can
+    // appear wrong inside the sandbox causing "Bad owner or permissions" errors
+    if (fs.existsSync('/etc/ssh/ssh_config.d')) {
+        readDenyPaths.push('/etc/ssh/ssh_config.d');
+    }
+    for (const pathPattern of readDenyPaths) {
+        const normalizedPath = normalizePathForSandbox(pathPattern);
+        if (!fs.existsSync(normalizedPath)) {
+            logForDebugging(`[Sandbox Linux] Skipping non-existent read deny path: ${normalizedPath}`);
+            continue;
+        }
+        const readDenyStat = fs.statSync(normalizedPath);
+        if (readDenyStat.isDirectory()) {
+            args.push('--tmpfs', normalizedPath);
+        }
+        else {
+            // For files, bind /dev/null instead of tmpfs
+            args.push('--ro-bind', '/dev/null', normalizedPath);
+        }
+    }
+    return args;
+}
+/**
+ * Wrap a command with sandbox restrictions on Linux
+ */
+export async function wrapCommandWithSandboxLinux(params) {
+    const { command, hasNetworkRestrictions, hasFilesystemRestrictions, httpSocketPath, socksSocketPath, httpProxyPort, socksProxyPort, readConfig, writeConfig, enableWeakerNestedSandbox, } = params;
+    // Check if we need any sandboxing
+    if (!hasNetworkRestrictions && !hasFilesystemRestrictions) {
+        return command;
+    }
+    const bwrapArgs = [];
+    // By default, always unshare PID namespace and mount fresh /proc.
+    // If we don't have --unshare-pid, it is possible to escape the sandbox.
+    // If we don't have --proc, it is possible to read host /proc and leak information about code running
+    // outside the sandbox. But, --proc is not available when running in unprivileged docker containers
+    // so we support running without it if explicitly requested.
+    bwrapArgs.push('--unshare-pid');
+    if (!enableWeakerNestedSandbox) {
+        // Mount fresh /proc if PID namespace is isolated (secure mode)
+        bwrapArgs.push('--proc', '/proc');
+    }
+    // ========== NETWORK RESTRICTIONS ==========
+    if (hasNetworkRestrictions) {
+        // Only sandbox if we have network config and Linux bridges
+        if (!httpSocketPath || !socksSocketPath) {
+            throw new Error('Linux network sandboxing was requested but bridge socket paths are not available');
+        }
+        bwrapArgs.push('--unshare-net');
+        // Bind both sockets into the sandbox
+        bwrapArgs.push('--bind', httpSocketPath, httpSocketPath);
+        bwrapArgs.push('--bind', socksSocketPath, socksSocketPath);
+        // Add proxy environment variables
+        // HTTP_PROXY points to the socat listener inside the sandbox (port 3128)
+        // which forwards to the Unix socket that bridges to the host's proxy server
+        const proxyEnv = generateProxyEnvVars(3128, // Internal HTTP listener port
+        1080);
+        bwrapArgs.push(...proxyEnv.flatMap((env) => {
+            const firstEq = env.indexOf('=');
+            const key = env.slice(0, firstEq);
+            const value = env.slice(firstEq + 1);
+            return ['--setenv', key, value];
+        }));
+        // Add host proxy port environment variables for debugging/transparency
+        // These show which host ports the Unix socket bridges connect to
+        if (httpProxyPort !== undefined) {
+            bwrapArgs.push('--setenv', 'CLAUDE_CODE_HOST_HTTP_PROXY_PORT', String(httpProxyPort));
+        }
+        if (socksProxyPort !== undefined) {
+            bwrapArgs.push('--setenv', 'CLAUDE_CODE_HOST_SOCKS_PROXY_PORT', String(socksProxyPort));
+        }
+    }
+    // ========== FILESYSTEM RESTRICTIONS ==========
+    const fsArgs = await generateFilesystemArgs(readConfig, writeConfig);
+    bwrapArgs.push(...fsArgs);
+    // Always bind /dev
+    bwrapArgs.push('--dev', '/dev');
+    // ========== COMMAND ==========
+    bwrapArgs.push('--', 'bash', '-c');
+    // If we have network restrictions, use the network bridge setup
+    // Otherwise, just run the command directly
+    if (hasNetworkRestrictions && httpSocketPath && socksSocketPath) {
+        bwrapArgs.push(buildSandboxCommand(httpSocketPath, socksSocketPath, command));
+    }
+    else {
+        bwrapArgs.push(command);
+    }
+    const wrappedCommand = shellquote.quote(['bwrap', ...bwrapArgs]);
+    const restrictions = [];
+    if (hasNetworkRestrictions)
+        restrictions.push('network');
+    if (hasFilesystemRestrictions)
+        restrictions.push('filesystem');
+    logForDebugging(`[Sandbox Linux] Wrapped command with bwrap (${restrictions.join(', ')} restrictions)`);
+    return wrappedCommand;
+}
+//# sourceMappingURL=linux-sandbox-utils.js.map

package/dist/sandbox/linux-sandbox-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"linux-sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,UAAU,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAErD,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,oBAAoB,CAAA;AA4B3B,6CAA6C;AAC7C,IAAI,cAAmC,CAAA;AAEvC;;;;GAIG;AACH,MAAM,UAAU,+BAA+B;IAC7C,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;YAChD,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QACF,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;YAChD,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QACF,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE;YAC1C,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QAEF,cAAc;YACZ,WAAW,CAAC,MAAM,KAAK,CAAC;gBACxB,WAAW,CAAC,MAAM,KAAK,CAAC;gBACxB,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAA;QACvB,OAAO,cAAc,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,cAAc,GAAG,KAAK,CAAA;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,aAAqB,EACrB,cAAsB;IAEtB,MAAM,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC/C,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,QAAQ,OAAO,CAAC,CAAA;IACrE,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,QAAQ,OAAO,CAAC,CAAA;IAEvE,oBAAoB;IACpB,MAAM,aAAa,GAAG;QACpB,eAAe,cAAc,iBAAiB;QAC9C,iBAAiB,aAAa,8CAA8C;KAC7E,CAAA;IAED,eAAe,CAAC,+BAA+B,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAEzE,MAAM,iBAAiB,GAAG,KAAK,CAAC,OAAO,EAAE,aAAa,EAAE;QACtD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IAED,qBAAqB;IACrB,MAAM,cAAc,GAAG;QACrB,eAAe,eAAe,iBAAiB;QAC/C,iBAAiB,cAAc,8CAA8C;KAC9E,CAAA;IAED,eAAe,CAAC,gCAAgC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAE3E,MAAM,kBAAkB,GAAG,KAAK,CAAC,OAAO,EAAE,cAAc,EAAE;QACxD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC;QAC5B,uBAAuB;QACvB,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;YAChD,CAAC;YAAC,MAAM,CAAC;gBACP,gBAAgB;YAClB,CAAC;QACH,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;IACzD,CAAC;IAED,oCAAoC;IACpC,MAAM,WAAW,GAAG,CAAC,CAAA;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,IACE,CAAC,iBAAiB,CAAC,GAAG;YACtB,iBAAiB,CAAC,MAAM;YACxB,CAAC,kBAAkB,CAAC,GAAG;YACvB,kBAAkB,CAAC,MAAM,EACzB,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,CAAC;YACH,sBAAsB;YACtB,IAAI,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;gBACpE,eAAe,CAAC,6BAA6B,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;gBAC9D,MAAK;YACP,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAe,CAAC,mCAAmC,CAAC,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE;gBACnE,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,WAAW,GAAG,CAAC,EAAE,CAAC;YAC1B,0BAA0B;YAC1B,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,IAAI,kBAAkB,CAAC,GAAG,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBACjD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,MAAM,IAAI,KAAK,CACb,yCAAyC,WAAW,WAAW,CAChE,CAAA;QACH,CAAC;QAED,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;IAC5D,CAAC;IAED,OAAO;QACL,cAAc;QACd,eAAe;QACf,iBAAiB;QACjB,kBAAkB;QAClB,aAAa;QACb,cAAc;KACf,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAC1B,cAAsB,EACtB,eAAuB,EACvB,WAAmB;IAEnB,gDAAgD;IAChD,mEAAmE;IACnE,MAAM,WAAW,GAAG;QAClB,qDAAqD,cAAc,oBAAoB;QACvF,qDAAqD,eAAe,oBAAoB;QACxF,0CAA0C;QAC1C,QAAQ,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE;KAC1C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEZ,OAAO,WAAW,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CAAA;AACrD,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,sBAAsB,CACnC,UAA+C,EAC/C,WAAiD;IAEjD,MAAM,IAAI,GAAa,EAAE,CAAA;IACzB,sBAAsB;IAEtB,2DAA2D;IAC3D,IAAI,WAAW,EAAE,CAAC;QAChB,qFAAqF;QACrF,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;QAEhC,4DAA4D;QAC5D,MAAM,iBAAiB,GAAa,EAAE,CAAA;QAEtC,iCAAiC;QACjC,KAAK,MAAM,WAAW,IAAI,WAAW,CAAC,SAAS,IAAI,EAAE,EAAE,CAAC;YACtD,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,eAAe,CACb,0CAA0C,WAAW,OAAO,cAAc,EAAE,CAC7E,CAAA;YAED,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,eAAe,CAAC,uCAAuC,cAAc,EAAE,CAAC,CAAA;gBACxE,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,eAAe,CACb,qDAAqD,cAAc,EAAE,CACtE,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACnD,iBAAiB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACxC,CAAC;QAED,uEAAuE;QACvE,MAAM,SAAS,GAAG;YAChB,GAAG,CAAC,WAAW,CAAC,eAAe,IAAI,EAAE,CAAC;YACtC,GAAG,CAAC,MAAM,2BAA2B,EAAE,CAAC;SACzC,CAAA;QAED,KAAK,MAAM,WAAW,IAAI,SAAS,EAAE,CAAC;YACpC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,SAAQ;YACV,CAAC;YAED,0BAA0B;YAC1B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,eAAe,CACb,oDAAoD,cAAc,EAAE,CACrE,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,qEAAqE;YACrE,kEAAkE;YAClE,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,CAChD,WAAW,CAAC,EAAE,CACZ,cAAc,CAAC,UAAU,CAAC,WAAW,GAAG,GAAG,CAAC;gBAC5C,cAAc,KAAK,WAAW,CACjC,CAAA;YAED,IAAI,mBAAmB,EAAE,CAAC;gBACxB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACxD,CAAC;iBAAM,CAAC;gBACN,eAAe,CACb,gEAAgE,cAAc,EAAE,CACjF,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,0CAA0C;QAC1C,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;IAC/B,CAAC;IAED,+DAA+D;IAC/D,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAA;IAEvD,6EAA6E;IAC7E,+EAA+E;IAC/E,4EAA4E;IAC5E,IAAI,EAAE,CAAC,UAAU,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC3C,aAAa,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;IAC7C,CAAC;IAED,KAAK,MAAM,WAAW,IAAI,aAAa,EAAE,CAAC;QACxC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;QAC3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YACnC,eAAe,CACb,yDAAyD,cAAc,EAAE,CAC1E,CAAA;YACD,SAAQ;QACV,CAAC;QAED,MAAM,YAAY,GAAG,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;QAChD,IAAI,YAAY,CAAC,WAAW,EAAE,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAA;QACtC,CAAC;aAAM,CAAC;YACN,6CAA6C;YAC7C,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,cAAc,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAA0B;IAE1B,MAAM,EACJ,OAAO,EACP,sBAAsB,EACtB,yBAAyB,EACzB,cAAc,EACd,eAAe,EACf,aAAa,EACb,cAAc,EACd,UAAU,EACV,WAAW,EACX,yBAAyB,GAC1B,GAAG,MAAM,CAAA;IAEV,kCAAkC;IAClC,IAAI,CAAC,sBAAsB,IAAI,CAAC,yBAAyB,EAAE,CAAC;QAC1D,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,MAAM,SAAS,GAAa,EAAE,CAAA;IAE9B,kEAAkE;IAClE,wEAAwE;IACxE,qGAAqG;IACrG,mGAAmG;IACnG,4DAA4D;IAC5D,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;IAC/B,IAAI,CAAC,yBAAyB,EAAE,CAAC;QAC/B,+DAA+D;QAC/D,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IACnC,CAAC;IAED,6CAA6C;IAC7C,IAAI,sBAAsB,EAAE,CAAC;QAC3B,2DAA2D;QAC3D,IAAI,CAAC,cAAc,IAAI,CAAC,eAAe,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CACb,kFAAkF,CACnF,CAAA;QACH,CAAC;QAED,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAE/B,qCAAqC;QACrC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;QACxD,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,EAAE,eAAe,CAAC,CAAA;QAE1D,kCAAkC;QAClC,yEAAyE;QACzE,4EAA4E;QAC5E,MAAM,QAAQ,GAAG,oBAAoB,CACnC,IAAI,EAAE,8BAA8B;QACpC,IAAI,CACL,CAAA;QACD,SAAS,CAAC,IAAI,CACZ,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,GAAW,EAAE,EAAE;YAClC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;YAChC,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAA;YACjC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;YACpC,OAAO,CAAC,UAAU,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;QACjC,CAAC,CAAC,CACH,CAAA;QAED,uEAAuE;QACvE,iEAAiE;QACjE,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;YAChC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,kCAAkC,EAClC,MAAM,CAAC,aAAa,CAAC,CACtB,CAAA;QACH,CAAC;QACD,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YACjC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,mCAAmC,EACnC,MAAM,CAAC,cAAc,CAAC,CACvB,CAAA;QACH,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,MAAM,MAAM,GAAG,MAAM,sBAAsB,CAAC,UAAU,EAAE,WAAW,CAAC,CAAA;IACpE,SAAS,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAA;IAEzB,mBAAmB;IACnB,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAE/B,gCAAgC;IAChC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAA;IAElC,gEAAgE;IAChE,2CAA2C;IAC3C,IAAI,sBAAsB,IAAI,cAAc,IAAI,eAAe,EAAE,CAAC;QAChE,SAAS,CAAC,IAAI,CACZ,mBAAmB,CAAC,cAAc,EAAE,eAAe,EAAE,OAAO,CAAC,CAC9D,CAAA;IACH,CAAC;SAAM,CAAC;QACN,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IACzB,CAAC;IAED,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,CAAC,CAAA;IAEhE,MAAM,YAAY,GAAG,EAAE,CAAA;IACvB,IAAI,sBAAsB;QAAE,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IACxD,IAAI,yBAAyB;QAAE,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;IAE9D,eAAe,CACb,+CAA+C,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CACvF,CAAA;IAED,OAAO,cAAc,CAAA;AACvB,CAAC"}

package/dist/sandbox/macos-sandbox-utils.d.ts

@@ -0,0 +1,53 @@
+import type { IgnoreViolationsConfig, FsReadRestrictionConfig, FsWriteRestrictionConfig } from './sandbox-schemas.js';
+/**
+ * Check if macOS sandbox dependencies are available (synchronous)
+ * Returns true if rg (ripgrep) is installed, false otherwise
+ * Cached to avoid repeated system calls
+ */
+export declare function hasMacOSSandboxDependenciesSync(): boolean;
+export interface MacOSSandboxParams {
+    command: string;
+    httpProxyPort?: number;
+    socksProxyPort?: number;
+    needsNetworkRestriction: boolean;
+    allowUnixSockets?: string[];
+    allowLocalBinding?: boolean;
+    readConfig: FsReadRestrictionConfig | undefined;
+    writeConfig: FsWriteRestrictionConfig | undefined;
+    ignoreViolations?: IgnoreViolationsConfig | undefined;
+}
+export interface SandboxViolationEvent {
+    line: string;
+    command?: string;
+    encodedCommand?: string;
+    timestamp: Date;
+}
+export type SandboxViolationCallback = (violation: SandboxViolationEvent) => void;
+/**
+ * Convert a glob pattern to a regular expression for macOS sandbox profiles
+ *
+ * This implements gitignore-style pattern matching to match the behavior of the
+ * `ignore` library used by the permission system/
+ *
+ * Supported patterns:
+ * - * matches any characters except / (e.g., *.ts matches foo.ts but not foo/bar.ts)
+ * - ** matches any characters including / (e.g., src/** /*.ts matches all .ts files in src/)
+ * - ? matches any single character except / (e.g., file?.txt matches file1.txt)
+ * - [abc] matches any character in the set (e.g., file[0-9].txt matches file3.txt)
+ *
+ * Note: This is designed for macOS sandbox (regex ...) syntax. The resulting regex
+ * will be used in sandbox profiles like: (deny file-write* (regex "pattern"))
+ *
+ * Exported for testing purposes.
+ */
+export declare function globToRegex(globPattern: string): string;
+/**
+ * Wrap command with macOS sandbox
+ */
+export declare function wrapCommandWithSandboxMacOS(params: MacOSSandboxParams): Promise<string>;
+/**
+ * Start monitoring macOS system logs for sandbox violations
+ * Look for sandbox-related kernel deny events ending in {logTag}
+ */
+export declare function startMacOSSandboxLogMonitor(callback: SandboxViolationCallback, ignoreViolations?: IgnoreViolationsConfig): () => void;
+//# sourceMappingURL=macos-sandbox-utils.d.ts.map

package/dist/sandbox/macos-sandbox-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"macos-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox-utils.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EACV,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAK7B;;;;GAIG;AACH,wBAAgB,+BAA+B,IAAI,OAAO,CAiBzD;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,uBAAuB,EAAE,OAAO,CAAA;IAChC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC3B,iBAAiB,CAAC,EAAE,OAAO,CAAA;IAC3B,UAAU,EAAE,uBAAuB,GAAG,SAAS,CAAA;IAC/C,WAAW,EAAE,wBAAwB,GAAG,SAAS,CAAA;IACjD,gBAAgB,CAAC,EAAE,sBAAsB,GAAG,SAAS,CAAA;CACtD;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,MAAM,wBAAwB,GAAG,CACrC,SAAS,EAAE,qBAAqB,KAC7B,IAAI,CAAA;AAIT;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAkBvD;AAmYD;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,MAAM,CAAC,CA2DjB;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,QAAQ,EAAE,wBAAwB,EAClC,gBAAgB,CAAC,EAAE,sBAAsB,GACxC,MAAM,IAAI,CA8GZ"}