@anthropic-ai/sandbox-runtime 0.0.1

package/dist/sandbox/macos-sandbox-utils.js

@@ -0,0 +1,496 @@
+import shellquote from 'shell-quote';
+import { spawn, spawnSync } from 'child_process';
+import { logForDebugging } from '../utils/debug.js';
+import { normalizePathForSandbox, generateProxyEnvVars, getMandatoryDenyWithinAllow, encodeSandboxedCommand, decodeSandboxedCommand, containsGlobChars, } from './sandbox-utils.js';
+// Cache for macOS sandbox dependencies check
+let macosDepsCache;
+/**
+ * Check if macOS sandbox dependencies are available (synchronous)
+ * Returns true if rg (ripgrep) is installed, false otherwise
+ * Cached to avoid repeated system calls
+ */
+export function hasMacOSSandboxDependenciesSync() {
+    if (macosDepsCache !== undefined) {
+        return macosDepsCache;
+    }
+    try {
+        const rgResult = spawnSync('which', ['rg'], {
+            stdio: 'ignore',
+            timeout: 1000,
+        });
+        macosDepsCache = rgResult.status === 0;
+        return macosDepsCache;
+    }
+    catch {
+        macosDepsCache = false;
+        return false;
+    }
+}
+const sessionSuffix = `_${Math.random().toString(36).slice(2, 11)}_SBX`;
+/**
+ * Convert a glob pattern to a regular expression for macOS sandbox profiles
+ *
+ * This implements gitignore-style pattern matching to match the behavior of the
+ * `ignore` library used by the permission system/
+ *
+ * Supported patterns:
+ * - * matches any characters except / (e.g., *.ts matches foo.ts but not foo/bar.ts)
+ * - ** matches any characters including / (e.g., src/** /*.ts matches all .ts files in src/)
+ * - ? matches any single character except / (e.g., file?.txt matches file1.txt)
+ * - [abc] matches any character in the set (e.g., file[0-9].txt matches file3.txt)
+ *
+ * Note: This is designed for macOS sandbox (regex ...) syntax. The resulting regex
+ * will be used in sandbox profiles like: (deny file-write* (regex "pattern"))
+ *
+ * Exported for testing purposes.
+ */
+export function globToRegex(globPattern) {
+    return ('^' +
+        globPattern
+            // Escape regex special characters (except glob chars * ? [ ])
+            .replace(/[.^$+{}()|\\]/g, '\\$&')
+            // Escape unclosed brackets (no matching ])
+            .replace(/\[([^\]]*?)$/g, '\\[$1')
+            // Convert glob patterns to regex (order matters - ** before *)
+            .replace(/\*\*\//g, '__GLOBSTAR_SLASH__') // Placeholder for **/
+            .replace(/\*\*/g, '__GLOBSTAR__') // Placeholder for **
+            .replace(/\*/g, '[^/]*') // * matches anything except /
+            .replace(/\?/g, '[^/]') // ? matches single character except /
+            // Restore placeholders
+            .replace(/__GLOBSTAR_SLASH__/g, '(.*/)?') // **/ matches zero or more dirs
+            .replace(/__GLOBSTAR__/g, '.*') + // ** matches anything including /
+        '$');
+}
+/**
+ * Generate a unique log tag for sandbox monitoring
+ * @param command - The command being executed (will be base64 encoded)
+ */
+function generateLogTag(command) {
+    const encodedCommand = encodeSandboxedCommand(command);
+    return `CMD64_${encodedCommand}_END_${sessionSuffix}`;
+}
+/**
+ * Generate filesystem read rules for sandbox profile
+ */
+function generateReadRules(config, logTag) {
+    if (!config) {
+        return [`(allow file-read*)`];
+    }
+    const rules = [];
+    // Start by allowing everything
+    rules.push(`(allow file-read*)`);
+    // Then deny specific paths
+    for (const pathPattern of config.denyOnly || []) {
+        const normalizedPath = normalizePathForSandbox(pathPattern);
+        if (containsGlobChars(normalizedPath)) {
+            // Use regex matching for glob patterns
+            const regexPattern = globToRegex(normalizedPath);
+            rules.push(`(deny file-read*`, `  (regex ${escapePath(regexPattern)})`, `  (with message "${logTag}"))`);
+        }
+        else {
+            // Use subpath matching for literal paths
+            rules.push(`(deny file-read*`, `  (subpath ${escapePath(normalizedPath)})`, `  (with message "${logTag}"))`);
+        }
+    }
+    return rules;
+}
+/**
+ * Generate filesystem write rules for sandbox profile
+ */
+async function generateWriteRules(config, logTag) {
+    if (!config) {
+        return [`(allow file-write*)`];
+    }
+    const rules = [];
+    // Automatically allow TMPDIR parent on macOS when write restrictions are enabled
+    const tmpdirParents = getTmpdirParentIfMacOSPattern();
+    for (const tmpdirParent of tmpdirParents) {
+        const normalizedPath = normalizePathForSandbox(tmpdirParent);
+        rules.push(`(allow file-write*`, `  (subpath ${escapePath(normalizedPath)})`, `  (with message "${logTag}"))`);
+    }
+    // Generate allow rules
+    for (const pathPattern of config.allowOnly || []) {
+        const normalizedPath = normalizePathForSandbox(pathPattern);
+        if (containsGlobChars(normalizedPath)) {
+            // Use regex matching for glob patterns
+            const regexPattern = globToRegex(normalizedPath);
+            rules.push(`(allow file-write*`, `  (regex ${escapePath(regexPattern)})`, `  (with message "${logTag}"))`);
+        }
+        else {
+            // Use subpath matching for literal paths
+            rules.push(`(allow file-write*`, `  (subpath ${escapePath(normalizedPath)})`, `  (with message "${logTag}"))`);
+        }
+    }
+    // Combine user-specified and mandatory deny rules
+    const denyPaths = [
+        ...(config.denyWithinAllow || []),
+        ...(await getMandatoryDenyWithinAllow()),
+    ];
+    for (const pathPattern of denyPaths) {
+        const normalizedPath = normalizePathForSandbox(pathPattern);
+        if (containsGlobChars(normalizedPath)) {
+            // Use regex matching for glob patterns
+            const regexPattern = globToRegex(normalizedPath);
+            rules.push(`(deny file-write*`, `  (regex ${escapePath(regexPattern)})`, `  (with message "${logTag}"))`);
+        }
+        else {
+            // Use subpath matching for literal paths
+            rules.push(`(deny file-write*`, `  (subpath ${escapePath(normalizedPath)})`, `  (with message "${logTag}"))`);
+        }
+    }
+    return rules;
+}
+/**
+ * Generate complete sandbox profile
+ */
+async function generateSandboxProfile({ readConfig, writeConfig, httpProxyPort, socksProxyPort, needsNetworkRestriction, allowUnixSockets, allowLocalBinding, logTag, }) {
+    const profile = [
+        '(version 1)',
+        `(deny default (with message "${logTag}"))`,
+        '',
+        `; LogTag: ${logTag}`,
+        '',
+        '; Essential permissions - based on Chrome sandbox policy',
+        '; Process permissions',
+        '(allow process-exec)',
+        '(allow process-fork)',
+        '(allow process-info* (target same-sandbox))',
+        '(allow signal (target same-sandbox))',
+        '(allow mach-priv-task-port (target same-sandbox))',
+        '',
+        '; User preferences',
+        '(allow user-preference-read)',
+        '',
+        '; Mach IPC - specific services only (no wildcard)',
+        '(allow mach-lookup',
+        '  (global-name "com.apple.audio.systemsoundserver")',
+        '  (global-name "com.apple.distributed_notifications@Uv3")',
+        '  (global-name "com.apple.FontObjectsServer")',
+        '  (global-name "com.apple.fonts")',
+        '  (global-name "com.apple.logd")',
+        '  (global-name "com.apple.lsd.mapdb")',
+        '  (global-name "com.apple.PowerManagement.control")',
+        '  (global-name "com.apple.system.logger")',
+        '  (global-name "com.apple.system.notification_center")',
+        '  (global-name "com.apple.trustd.agent")',
+        '  (global-name "com.apple.system.opendirectoryd.libinfo")',
+        '  (global-name "com.apple.system.opendirectoryd.membership")',
+        '  (global-name "com.apple.bsd.dirhelper")',
+        '  (global-name "com.apple.securityd.xpc")',
+        '  (global-name "com.apple.coreservices.launchservicesd")',
+        ')',
+        '',
+        '; POSIX IPC - shared memory',
+        '(allow ipc-posix-shm)',
+        '',
+        '; POSIX IPC - semaphores for Python multiprocessing',
+        '(allow ipc-posix-sem)',
+        '',
+        '; IOKit - specific operations only',
+        '(allow iokit-open',
+        '  (iokit-registry-entry-class "IOSurfaceRootUserClient")',
+        '  (iokit-registry-entry-class "RootDomainUserClient")',
+        '  (iokit-user-client-class "IOSurfaceSendRight")',
+        ')',
+        '',
+        '; IOKit properties',
+        '(allow iokit-get-properties)',
+        '',
+        "; Specific safe system-sockets, doesn't allow network access",
+        '(allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2)))',
+        '',
+        '; sysctl - specific sysctls only',
+        '(allow sysctl-read',
+        '  (sysctl-name "hw.activecpu")',
+        '  (sysctl-name "hw.busfrequency_compat")',
+        '  (sysctl-name "hw.byteorder")',
+        '  (sysctl-name "hw.cacheconfig")',
+        '  (sysctl-name "hw.cachelinesize_compat")',
+        '  (sysctl-name "hw.cpufamily")',
+        '  (sysctl-name "hw.cpufrequency")',
+        '  (sysctl-name "hw.cpufrequency_compat")',
+        '  (sysctl-name "hw.cputype")',
+        '  (sysctl-name "hw.l1dcachesize_compat")',
+        '  (sysctl-name "hw.l1icachesize_compat")',
+        '  (sysctl-name "hw.l2cachesize_compat")',
+        '  (sysctl-name "hw.l3cachesize_compat")',
+        '  (sysctl-name "hw.logicalcpu")',
+        '  (sysctl-name "hw.logicalcpu_max")',
+        '  (sysctl-name "hw.machine")',
+        '  (sysctl-name "hw.memsize")',
+        '  (sysctl-name "hw.ncpu")',
+        '  (sysctl-name "hw.nperflevels")',
+        '  (sysctl-name "hw.packages")',
+        '  (sysctl-name "hw.pagesize_compat")',
+        '  (sysctl-name "hw.pagesize")',
+        '  (sysctl-name "hw.physicalcpu")',
+        '  (sysctl-name "hw.physicalcpu_max")',
+        '  (sysctl-name "hw.tbfrequency_compat")',
+        '  (sysctl-name "hw.vectorunit")',
+        '  (sysctl-name "kern.argmax")',
+        '  (sysctl-name "kern.bootargs")',
+        '  (sysctl-name "kern.hostname")',
+        '  (sysctl-name "kern.maxfiles")',
+        '  (sysctl-name "kern.maxfilesperproc")',
+        '  (sysctl-name "kern.maxproc")',
+        '  (sysctl-name "kern.ngroups")',
+        '  (sysctl-name "kern.osproductversion")',
+        '  (sysctl-name "kern.osrelease")',
+        '  (sysctl-name "kern.ostype")',
+        '  (sysctl-name "kern.osvariant_status")',
+        '  (sysctl-name "kern.osversion")',
+        '  (sysctl-name "kern.secure_kernel")',
+        '  (sysctl-name "kern.tcsm_available")',
+        '  (sysctl-name "kern.tcsm_enable")',
+        '  (sysctl-name "kern.usrstack64")',
+        '  (sysctl-name "kern.version")',
+        '  (sysctl-name "kern.willshutdown")',
+        '  (sysctl-name "machdep.cpu.brand_string")',
+        '  (sysctl-name "machdep.ptrauth_enabled")',
+        '  (sysctl-name "security.mac.lockdown_mode_state")',
+        '  (sysctl-name "sysctl.proc_cputype")',
+        '  (sysctl-name "vm.loadavg")',
+        '  (sysctl-name-prefix "hw.optional.arm")',
+        '  (sysctl-name-prefix "hw.optional.arm.")',
+        '  (sysctl-name-prefix "hw.optional.armv8_")',
+        '  (sysctl-name-prefix "hw.perflevel")',
+        '  (sysctl-name-prefix "kern.proc.pgrp.")',
+        '  (sysctl-name-prefix "kern.proc.pid.")',
+        '  (sysctl-name-prefix "machdep.cpu.")',
+        '  (sysctl-name-prefix "net.routetable.")',
+        ')',
+        '',
+        '; V8 thread calculations',
+        '(allow sysctl-write',
+        '  (sysctl-name "kern.tcsm_enable")',
+        ')',
+        '',
+        '; Distributed notifications',
+        '(allow distributed-notification-post)',
+        '',
+        '; Specific mach-lookup permissions for security operations',
+        '(allow mach-lookup (global-name "com.apple.SecurityServer"))',
+        '',
+        '; File I/O on device files',
+        '(allow file-ioctl (literal "/dev/null"))',
+        '(allow file-ioctl (literal "/dev/zero"))',
+        '(allow file-ioctl (literal "/dev/random"))',
+        '(allow file-ioctl (literal "/dev/urandom"))',
+        '(allow file-ioctl (literal "/dev/dtracehelper"))',
+        '(allow file-ioctl (literal "/dev/tty"))',
+        '',
+        '(allow file-ioctl file-read-data file-write-data',
+        '  (require-all',
+        '    (literal "/dev/null")',
+        '    (vnode-type CHARACTER-DEVICE)',
+        '  )',
+        ')',
+        '',
+    ];
+    // Network rules
+    profile.push('; Network');
+    if (!needsNetworkRestriction) {
+        profile.push('(allow network*)');
+    }
+    else {
+        // Allow local binding if requested
+        if (allowLocalBinding) {
+            profile.push('(allow network-bind (local ip "localhost:*"))');
+            profile.push('(allow network-inbound (local ip "localhost:*"))');
+            profile.push('(allow network-outbound (local ip "localhost:*"))');
+        }
+        // Unix domain sockets for local IPC (SSH agent, Docker, etc.)
+        if (allowUnixSockets && allowUnixSockets.length > 0) {
+            // Allow specific Unix socket paths
+            for (const socketPath of allowUnixSockets) {
+                const normalizedPath = normalizePathForSandbox(socketPath);
+                profile.push(`(allow network* (subpath ${escapePath(normalizedPath)}))`);
+            }
+        }
+        // If allowUnixSockets is undefined or empty array, Unix sockets are blocked by default
+        // Allow localhost TCP operations for the HTTP proxy
+        if (httpProxyPort !== undefined) {
+            profile.push(`(allow network-bind (local ip "localhost:${httpProxyPort}"))`);
+            profile.push(`(allow network-inbound (local ip "localhost:${httpProxyPort}"))`);
+            profile.push(`(allow network-outbound (remote ip "localhost:${httpProxyPort}"))`);
+        }
+        // Allow localhost TCP operations for the SOCKS proxy
+        if (socksProxyPort !== undefined) {
+            profile.push(`(allow network-bind (local ip "localhost:${socksProxyPort}"))`);
+            profile.push(`(allow network-inbound (local ip "localhost:${socksProxyPort}"))`);
+            profile.push(`(allow network-outbound (remote ip "localhost:${socksProxyPort}"))`);
+        }
+    }
+    profile.push('');
+    // Read rules
+    profile.push('; File read');
+    profile.push(...generateReadRules(readConfig, logTag));
+    profile.push('');
+    // Write rules
+    profile.push('; File write');
+    profile.push(...(await generateWriteRules(writeConfig, logTag)));
+    return profile.join('\n');
+}
+/**
+ * Escape path for sandbox profile using JSON.stringify for proper escaping
+ */
+function escapePath(pathStr) {
+    return JSON.stringify(pathStr);
+}
+/**
+ * Get TMPDIR parent directory if it matches macOS pattern /var/folders/XX/YYY/T/
+ * Returns both /var/ and /private/var/ versions since /var is a symlink
+ */
+function getTmpdirParentIfMacOSPattern() {
+    const tmpdir = process.env.TMPDIR;
+    if (!tmpdir)
+        return [];
+    const match = tmpdir.match(/^\/(private\/)?var\/folders\/[^/]{2}\/[^/]+\/T\/?$/);
+    if (!match)
+        return [];
+    const parent = tmpdir.replace(/\/T\/?$/, '');
+    // Return both /var/ and /private/var/ versions since /var is a symlink
+    if (parent.startsWith('/private/var/')) {
+        return [parent, parent.replace('/private', '')];
+    }
+    else if (parent.startsWith('/var/')) {
+        return [parent, '/private' + parent];
+    }
+    return [parent];
+}
+/**
+ * Wrap command with macOS sandbox
+ */
+export async function wrapCommandWithSandboxMacOS(params) {
+    const { command, httpProxyPort, socksProxyPort, needsNetworkRestriction, allowUnixSockets, allowLocalBinding, readConfig, writeConfig, } = params;
+    // No sandboxing needed
+    if (!needsNetworkRestriction && !readConfig && !writeConfig) {
+        return command;
+    }
+    const logTag = generateLogTag(command);
+    const profile = await generateSandboxProfile({
+        readConfig,
+        writeConfig,
+        httpProxyPort,
+        socksProxyPort,
+        needsNetworkRestriction,
+        allowUnixSockets,
+        allowLocalBinding,
+        logTag,
+    });
+    // Generate proxy environment variables using shared utility
+    const proxyEnv = `export ${generateProxyEnvVars(httpProxyPort, socksProxyPort).join(' ')} && `;
+    const wrappedCommand = shellquote.quote([
+        'sandbox-exec',
+        '-p',
+        profile,
+        'bash',
+        '-c',
+        proxyEnv + command,
+    ]);
+    logForDebugging(`[Sandbox macOS] Applied restrictions - network: ${!!(httpProxyPort || socksProxyPort)}, read: ${readConfig
+        ? 'allowAllExcept' in readConfig
+            ? 'allowAllExcept'
+            : 'denyAllExcept'
+        : 'none'}, write: ${writeConfig
+        ? 'allowAllExcept' in writeConfig
+            ? 'allowAllExcept'
+            : 'denyAllExcept'
+        : 'none'}`);
+    return wrappedCommand;
+}
+/**
+ * Start monitoring macOS system logs for sandbox violations
+ * Look for sandbox-related kernel deny events ending in {logTag}
+ */
+export function startMacOSSandboxLogMonitor(callback, ignoreViolations) {
+    // Pre-compile regex patterns for better performance
+    const cmdExtractRegex = /CMD64_(.+?)_END/;
+    const sandboxExtractRegex = /Sandbox:\s+(.+)$/;
+    // Pre-process ignore patterns for faster lookup
+    const wildcardPaths = ignoreViolations?.['*'] || [];
+    const commandPatterns = ignoreViolations
+        ? Object.entries(ignoreViolations).filter(([pattern]) => pattern !== '*')
+        : [];
+    // Stream and filter kernel logs for all sandbox violations
+    // We can't filter by specific logTag since it's dynamic per command
+    const logProcess = spawn('log', [
+        'stream',
+        '--predicate',
+        `(eventMessage ENDSWITH "${sessionSuffix}")`,
+        '--style',
+        'compact',
+    ]);
+    logProcess.stdout?.on('data', (data) => {
+        const lines = data.toString().split('\n');
+        // Get violation and command lines
+        const violationLine = lines.find(line => line.includes('Sandbox:') && line.includes('deny'));
+        const commandLine = lines.find(line => line.startsWith('CMD64_'));
+        if (!violationLine)
+            return;
+        // Extract violation details
+        const sandboxMatch = violationLine.match(sandboxExtractRegex);
+        if (!sandboxMatch?.[1])
+            return;
+        const violationDetails = sandboxMatch[1];
+        // Try to get command
+        let command;
+        let encodedCommand;
+        if (commandLine) {
+            const cmdMatch = commandLine.match(cmdExtractRegex);
+            encodedCommand = cmdMatch?.[1];
+            if (encodedCommand) {
+                try {
+                    command = decodeSandboxedCommand(encodedCommand);
+                }
+                catch {
+                    // Failed to decode, continue without command
+                }
+            }
+        }
+        // Always filter out noisey violations
+        if (violationDetails.includes('mDNSResponder') ||
+            violationDetails.includes('mach-lookup com.apple.diagnosticd') ||
+            violationDetails.includes('mach-lookup com.apple.analyticsd')) {
+            return;
+        }
+        // Check if we should ignore this violation
+        if (ignoreViolations && command) {
+            // Check wildcard patterns first
+            if (wildcardPaths.length > 0) {
+                const shouldIgnore = wildcardPaths.some(path => violationDetails.includes(path));
+                if (shouldIgnore)
+                    return;
+            }
+            // Check command-specific patterns
+            for (const [pattern, paths] of commandPatterns) {
+                if (command.includes(pattern)) {
+                    const shouldIgnore = paths.some(path => violationDetails.includes(path));
+                    if (shouldIgnore)
+                        return;
+                }
+            }
+        }
+        // Not ignored - report the violation
+        callback({
+            line: violationDetails,
+            command,
+            encodedCommand,
+            timestamp: new Date(), // We could parse the timestamp from the log but this feels more reliable
+        });
+    });
+    logProcess.stderr?.on('data', (data) => {
+        logForDebugging(`[Sandbox Monitor] Log stream stderr: ${data.toString()}`);
+    });
+    logProcess.on('error', (error) => {
+        logForDebugging(`[Sandbox Monitor] Failed to start log stream: ${error.message}`);
+    });
+    logProcess.on('exit', (code) => {
+        logForDebugging(`[Sandbox Monitor] Log stream exited with code: ${code}`);
+    });
+    return () => {
+        logForDebugging('[Sandbox Monitor] Stopping log monitor');
+        logProcess.kill('SIGTERM');
+    };
+}
+//# sourceMappingURL=macos-sandbox-utils.js.map

package/dist/sandbox/macos-sandbox-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"macos-sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,UAAU,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAA;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,2BAA2B,EAC3B,sBAAsB,EACtB,sBAAsB,EACtB,iBAAiB,GAClB,MAAM,oBAAoB,CAAA;AAO3B,6CAA6C;AAC7C,IAAI,cAAmC,CAAA;AAEvC;;;;GAIG;AACH,MAAM,UAAU,+BAA+B;IAC7C,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE;YAC1C,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QAEF,cAAc,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAA;QACtC,OAAO,cAAc,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,cAAc,GAAG,KAAK,CAAA;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAyBD,MAAM,aAAa,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAA;AAEvE;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,WAAW,CAAC,WAAmB;IAC7C,OAAO,CACL,GAAG;QACH,WAAW;YACT,8DAA8D;aAC7D,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAC;YAClC,2CAA2C;aAC1C,OAAO,CAAC,eAAe,EAAE,OAAO,CAAC;YAClC,+DAA+D;aAC9D,OAAO,CAAC,SAAS,EAAE,oBAAoB,CAAC,CAAC,sBAAsB;aAC/D,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,qBAAqB;aACtD,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,8BAA8B;aACtD,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,sCAAsC;YAC9D,uBAAuB;aACtB,OAAO,CAAC,qBAAqB,EAAE,QAAQ,CAAC,CAAC,gCAAgC;aACzE,OAAO,CAAC,eAAe,EAAE,IAAI,CAAC,GAAG,kCAAkC;QACtE,GAAG,CACJ,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,OAAe;IACrC,MAAM,cAAc,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAA;IACtD,OAAO,SAAS,cAAc,QAAQ,aAAa,EAAE,CAAA;AACvD,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,MAA2C,EAC3C,MAAc;IAEd,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,oBAAoB,CAAC,CAAA;IAC/B,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAA;IAE1B,+BAA+B;IAC/B,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAA;IAEhC,2BAA2B;IAC3B,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QAChD,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;QAE3D,IAAI,iBAAiB,CAAC,cAAc,CAAC,EAAE,CAAC;YACtC,uCAAuC;YACvC,MAAM,YAAY,GAAG,WAAW,CAAC,cAAc,CAAC,CAAA;YAChD,KAAK,CAAC,IAAI,CACR,kBAAkB,EAClB,YAAY,UAAU,CAAC,YAAY,CAAC,GAAG,EACvC,oBAAoB,MAAM,KAAK,CAChC,CAAA;QACH,CAAC;aAAM,CAAC;YACN,yCAAyC;YACzC,KAAK,CAAC,IAAI,CACR,kBAAkB,EAClB,cAAc,UAAU,CAAC,cAAc,CAAC,GAAG,EAC3C,oBAAoB,MAAM,KAAK,CAChC,CAAA;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAC/B,MAA4C,EAC5C,MAAc;IAEd,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,qBAAqB,CAAC,CAAA;IAChC,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAA;IAE1B,iFAAiF;IACjF,MAAM,aAAa,GAAG,6BAA6B,EAAE,CAAA;IACrD,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;QACzC,MAAM,cAAc,GAAG,uBAAuB,CAAC,YAAY,CAAC,CAAA;QAC5D,KAAK,CAAC,IAAI,CACR,oBAAoB,EACpB,cAAc,UAAU,CAAC,cAAc,CAAC,GAAG,EAC3C,oBAAoB,MAAM,KAAK,CAChC,CAAA;IACH,CAAC;IAED,uBAAuB;IACvB,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,SAAS,IAAI,EAAE,EAAE,CAAC;QACjD,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;QAE3D,IAAI,iBAAiB,CAAC,cAAc,CAAC,EAAE,CAAC;YACtC,uCAAuC;YACvC,MAAM,YAAY,GAAG,WAAW,CAAC,cAAc,CAAC,CAAA;YAChD,KAAK,CAAC,IAAI,CACR,oBAAoB,EACpB,YAAY,UAAU,CAAC,YAAY,CAAC,GAAG,EACvC,oBAAoB,MAAM,KAAK,CAChC,CAAA;QACH,CAAC;aAAM,CAAC;YACN,yCAAyC;YACzC,KAAK,CAAC,IAAI,CACR,oBAAoB,EACpB,cAAc,UAAU,CAAC,cAAc,CAAC,GAAG,EAC3C,oBAAoB,MAAM,KAAK,CAChC,CAAA;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,MAAM,SAAS,GAAG;QAChB,GAAG,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC;QACjC,GAAG,CAAC,MAAM,2BAA2B,EAAE,CAAC;KACzC,CAAA;IAED,KAAK,MAAM,WAAW,IAAI,SAAS,EAAE,CAAC;QACpC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;QAE3D,IAAI,iBAAiB,CAAC,cAAc,CAAC,EAAE,CAAC;YACtC,uCAAuC;YACvC,MAAM,YAAY,GAAG,WAAW,CAAC,cAAc,CAAC,CAAA;YAChD,KAAK,CAAC,IAAI,CACR,mBAAmB,EACnB,YAAY,UAAU,CAAC,YAAY,CAAC,GAAG,EACvC,oBAAoB,MAAM,KAAK,CAChC,CAAA;QACH,CAAC;aAAM,CAAC;YACN,yCAAyC;YACzC,KAAK,CAAC,IAAI,CACR,mBAAmB,EACnB,cAAc,UAAU,CAAC,cAAc,CAAC,GAAG,EAC3C,oBAAoB,MAAM,KAAK,CAChC,CAAA;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,sBAAsB,CAAC,EACpC,UAAU,EACV,WAAW,EACX,aAAa,EACb,cAAc,EACd,uBAAuB,EACvB,gBAAgB,EAChB,iBAAiB,EACjB,MAAM,GAUP;IACC,MAAM,OAAO,GAAa;QACxB,aAAa;QACb,gCAAgC,MAAM,KAAK;QAC3C,EAAE;QACF,aAAa,MAAM,EAAE;QACrB,EAAE;QACF,0DAA0D;QAC1D,uBAAuB;QACvB,sBAAsB;QACtB,sBAAsB;QACtB,6CAA6C;QAC7C,sCAAsC;QACtC,mDAAmD;QACnD,EAAE;QACF,oBAAoB;QACpB,8BAA8B;QAC9B,EAAE;QACF,mDAAmD;QACnD,oBAAoB;QACpB,qDAAqD;QACrD,2DAA2D;QAC3D,+CAA+C;QAC/C,mCAAmC;QACnC,kCAAkC;QAClC,uCAAuC;QACvC,qDAAqD;QACrD,2CAA2C;QAC3C,wDAAwD;QACxD,0CAA0C;QAC1C,2DAA2D;QAC3D,8DAA8D;QAC9D,2CAA2C;QAC3C,2CAA2C;QAC3C,0DAA0D;QAC1D,GAAG;QACH,EAAE;QACF,6BAA6B;QAC7B,uBAAuB;QACvB,EAAE;QACF,qDAAqD;QACrD,uBAAuB;QACvB,EAAE;QACF,oCAAoC;QACpC,mBAAmB;QACnB,0DAA0D;QAC1D,uDAAuD;QACvD,kDAAkD;QAClD,GAAG;QACH,EAAE;QACF,oBAAoB;QACpB,8BAA8B;QAC9B,EAAE;QACF,8DAA8D;QAC9D,mFAAmF;QACnF,EAAE;QACF,kCAAkC;QAClC,oBAAoB;QACpB,gCAAgC;QAChC,0CAA0C;QAC1C,gCAAgC;QAChC,kCAAkC;QAClC,2CAA2C;QAC3C,gCAAgC;QAChC,mCAAmC;QACnC,0CAA0C;QAC1C,8BAA8B;QAC9B,0CAA0C;QAC1C,0CAA0C;QAC1C,yCAAyC;QACzC,yCAAyC;QACzC,iCAAiC;QACjC,qCAAqC;QACrC,8BAA8B;QAC9B,8BAA8B;QAC9B,2BAA2B;QAC3B,kCAAkC;QAClC,+BAA+B;QAC/B,sCAAsC;QACtC,+BAA+B;QAC/B,kCAAkC;QAClC,sCAAsC;QACtC,yCAAyC;QACzC,iCAAiC;QACjC,+BAA+B;QAC/B,iCAAiC;QACjC,iCAAiC;QACjC,iCAAiC;QACjC,wCAAwC;QACxC,gCAAgC;QAChC,gCAAgC;QAChC,yCAAyC;QACzC,kCAAkC;QAClC,+BAA+B;QAC/B,yCAAyC;QACzC,kCAAkC;QAClC,sCAAsC;QACtC,uCAAuC;QACvC,oCAAoC;QACpC,mCAAmC;QACnC,gCAAgC;QAChC,qCAAqC;QACrC,4CAA4C;QAC5C,2CAA2C;QAC3C,oDAAoD;QACpD,uCAAuC;QACvC,8BAA8B;QAC9B,0CAA0C;QAC1C,2CAA2C;QAC3C,6CAA6C;QAC7C,uCAAuC;QACvC,0CAA0C;QAC1C,yCAAyC;QACzC,uCAAuC;QACvC,0CAA0C;QAC1C,GAAG;QACH,EAAE;QACF,0BAA0B;QAC1B,qBAAqB;QACrB,oCAAoC;QACpC,GAAG;QACH,EAAE;QACF,6BAA6B;QAC7B,uCAAuC;QACvC,EAAE;QACF,4DAA4D;QAC5D,8DAA8D;QAC9D,EAAE;QACF,4BAA4B;QAC5B,0CAA0C;QAC1C,0CAA0C;QAC1C,4CAA4C;QAC5C,6CAA6C;QAC7C,kDAAkD;QAClD,yCAAyC;QACzC,EAAE;QACF,kDAAkD;QAClD,gBAAgB;QAChB,2BAA2B;QAC3B,mCAAmC;QACnC,KAAK;QACL,GAAG;QACH,EAAE;KACH,CAAA;IAED,gBAAgB;IAChB,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IACzB,IAAI,CAAC,uBAAuB,EAAE,CAAC;QAC7B,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAA;IAClC,CAAC;SAAM,CAAC;QACN,mCAAmC;QACnC,IAAI,iBAAiB,EAAE,CAAC;YACtB,OAAO,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAA;YAC7D,OAAO,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAA;YAChE,OAAO,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAA;QACnE,CAAC;QACD,8DAA8D;QAC9D,IAAI,gBAAgB,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpD,mCAAmC;YACnC,KAAK,MAAM,UAAU,IAAI,gBAAgB,EAAE,CAAC;gBAC1C,MAAM,cAAc,GAAG,uBAAuB,CAAC,UAAU,CAAC,CAAA;gBAC1D,OAAO,CAAC,IAAI,CAAC,4BAA4B,UAAU,CAAC,cAAc,CAAC,IAAI,CAAC,CAAA;YAC1E,CAAC;QACH,CAAC;QACD,uFAAuF;QAEvF,oDAAoD;QACpD,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CACV,4CAA4C,aAAa,KAAK,CAC/D,CAAA;YACD,OAAO,CAAC,IAAI,CACV,+CAA+C,aAAa,KAAK,CAClE,CAAA;YACD,OAAO,CAAC,IAAI,CACV,iDAAiD,aAAa,KAAK,CACpE,CAAA;QACH,CAAC;QAED,qDAAqD;QACrD,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CACV,4CAA4C,cAAc,KAAK,CAChE,CAAA;YACD,OAAO,CAAC,IAAI,CACV,+CAA+C,cAAc,KAAK,CACnE,CAAA;YACD,OAAO,CAAC,IAAI,CACV,iDAAiD,cAAc,KAAK,CACrE,CAAA;QACH,CAAC;IACH,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IAEhB,aAAa;IACb,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;IAC3B,OAAO,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAA;IACtD,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IAEhB,cAAc;IACd,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IAC5B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,kBAAkB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,CAAA;IAEhE,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AAC3B,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,OAAe;IACjC,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;AAChC,CAAC;AAED;;;GAGG;AACH,SAAS,6BAA6B;IACpC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAA;IACjC,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAA;IAEtB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CACxB,oDAAoD,CACrD,CAAA;IACD,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAA;IAErB,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;IAE5C,uEAAuE;IACvE,IAAI,MAAM,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;QACvC,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAA;IACjD,CAAC;SAAM,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAAC,CAAA;IACtC,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,CAAA;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAA0B;IAE1B,MAAM,EACJ,OAAO,EACP,aAAa,EACb,cAAc,EACd,uBAAuB,EACvB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,WAAW,GACZ,GAAG,MAAM,CAAA;IAEV,uBAAuB;IACvB,IAAI,CAAC,uBAAuB,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,EAAE,CAAC;QAC5D,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,MAAM,MAAM,GAAG,cAAc,CAAC,OAAO,CAAC,CAAA;IAEtC,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC;QAC3C,UAAU;QACV,WAAW;QACX,aAAa;QACb,cAAc;QACd,uBAAuB;QACvB,gBAAgB;QAChB,iBAAiB;QACjB,MAAM;KACP,CAAC,CAAA;IAEF,4DAA4D;IAC5D,MAAM,QAAQ,GAAG,UAAU,oBAAoB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAA;IAE9F,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC;QACtC,cAAc;QACd,IAAI;QACJ,OAAO;QACP,MAAM;QACN,IAAI;QACJ,QAAQ,GAAG,OAAO;KACnB,CAAC,CAAA;IAEF,eAAe,CACb,mDAAmD,CAAC,CAAC,CAAC,aAAa,IAAI,cAAc,CAAC,WACpF,UAAU;QACR,CAAC,CAAC,gBAAgB,IAAI,UAAU;YAC9B,CAAC,CAAC,gBAAgB;YAClB,CAAC,CAAC,eAAe;QACnB,CAAC,CAAC,MACN,YACE,WAAW;QACT,CAAC,CAAC,gBAAgB,IAAI,WAAW;YAC/B,CAAC,CAAC,gBAAgB;YAClB,CAAC,CAAC,eAAe;QACnB,CAAC,CAAC,MACN,EAAE,CACH,CAAA;IAED,OAAO,cAAc,CAAA;AACvB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CACzC,QAAkC,EAClC,gBAAyC;IAEzC,oDAAoD;IACpD,MAAM,eAAe,GAAG,iBAAiB,CAAA;IACzC,MAAM,mBAAmB,GAAG,kBAAkB,CAAA;IAE9C,gDAAgD;IAChD,MAAM,aAAa,GAAG,gBAAgB,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAA;IACnD,MAAM,eAAe,GAAG,gBAAgB;QACtC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC,OAAO,KAAK,GAAG,CAAC;QACzE,CAAC,CAAC,EAAE,CAAA;IAEN,2DAA2D;IAC3D,oEAAoE;IACpE,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,EAAE;QAC9B,QAAQ;QACR,aAAa;QACb,2BAA2B,aAAa,IAAI;QAC5C,SAAS;QACT,SAAS;KACV,CAAC,CAAA;IAEF,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;QAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAEzC,kCAAkC;QAClC,MAAM,aAAa,GAAG,KAAK,CAAC,IAAI,CAC9B,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAC3D,CAAA;QACD,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAA;QAEjE,IAAI,CAAC,aAAa;YAAE,OAAM;QAE1B,4BAA4B;QAC5B,MAAM,YAAY,GAAG,aAAa,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAC7D,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;YAAE,OAAM;QAE9B,MAAM,gBAAgB,GAAG,YAAY,CAAC,CAAC,CAAC,CAAA;QAExC,qBAAqB;QACrB,IAAI,OAA2B,CAAA;QAC/B,IAAI,cAAkC,CAAA;QACtC,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,eAAe,CAAC,CAAA;YACnD,cAAc,GAAG,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAA;YAC9B,IAAI,cAAc,EAAE,CAAC;gBACnB,IAAI,CAAC;oBACH,OAAO,GAAG,sBAAsB,CAAC,cAAc,CAAC,CAAA;gBAClD,CAAC;gBAAC,MAAM,CAAC;oBACP,6CAA6C;gBAC/C,CAAC;YACH,CAAC;QACH,CAAC;QAED,sCAAsC;QACtC,IACE,gBAAgB,CAAC,QAAQ,CAAC,eAAe,CAAC;YAC1C,gBAAgB,CAAC,QAAQ,CAAC,mCAAmC,CAAC;YAC9D,gBAAgB,CAAC,QAAQ,CAAC,kCAAkC,CAAC,EAC7D,CAAC;YACD,OAAM;QACR,CAAC;QAED,2CAA2C;QAC3C,IAAI,gBAAgB,IAAI,OAAO,EAAE,CAAC;YAChC,gCAAgC;YAChC,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,MAAM,YAAY,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC7C,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAChC,CAAA;gBACD,IAAI,YAAY;oBAAE,OAAM;YAC1B,CAAC;YAED,kCAAkC;YAClC,KAAK,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,eAAe,EAAE,CAAC;gBAC/C,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC9B,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACrC,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAChC,CAAA;oBACD,IAAI,YAAY;wBAAE,OAAM;gBAC1B,CAAC;YACH,CAAC;QACH,CAAC;QAED,qCAAqC;QACrC,QAAQ,CAAC;YACP,IAAI,EAAE,gBAAgB;YACtB,OAAO;YACP,cAAc;YACd,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE,yEAAyE;SACjG,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;QAC7C,eAAe,CAAC,wCAAwC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAA;IAC5E,CAAC,CAAC,CAAA;IAEF,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAY,EAAE,EAAE;QACtC,eAAe,CACb,iDAAiD,KAAK,CAAC,OAAO,EAAE,CACjE,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAmB,EAAE,EAAE;QAC5C,eAAe,CAAC,kDAAkD,IAAI,EAAE,CAAC,CAAA;IAC3E,CAAC,CAAC,CAAA;IAEF,OAAO,GAAG,EAAE;QACV,eAAe,CAAC,wCAAwC,CAAC,CAAA;QACzD,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IAC5B,CAAC,CAAA;AACH,CAAC"}

package/dist/sandbox/sandbox-manager.d.ts

@@ -0,0 +1,34 @@
+import { type Platform } from '../utils/platform.js';
+import type { SandboxAskCallback, IgnoreViolationsConfig, FsReadRestrictionConfig, FsWriteRestrictionConfig, NetworkRestrictionConfig } from './sandbox-schemas.js';
+import { SandboxViolationStore } from './sandbox-violation-store.js';
+/**
+ * Interface for the sandbox manager API
+ */
+export interface ISandboxManager {
+    initialize(sandboxAskCallback?: SandboxAskCallback, enableLogMonitor?: boolean): Promise<void>;
+    isSupportedPlatform(platform: Platform): boolean;
+    isSandboxingEnabled(): boolean;
+    getFsReadConfig(): FsReadRestrictionConfig;
+    getFsWriteConfig(): FsWriteRestrictionConfig;
+    getNetworkRestrictionConfig(): NetworkRestrictionConfig;
+    getAllowUnixSockets(): string[] | undefined;
+    getAllowLocalBinding(): boolean | undefined;
+    getIgnoreViolations(): IgnoreViolationsConfig | undefined;
+    getEnableWeakerNestedSandbox(): boolean | undefined;
+    getProxyPort(): number | undefined;
+    getSocksProxyPort(): number | undefined;
+    getLinuxHttpSocketPath(): string | undefined;
+    getLinuxSocksSocketPath(): string | undefined;
+    waitForNetworkInitialization(): Promise<boolean>;
+    wrapWithSandbox(command: string): Promise<string>;
+    getSandboxViolationStore(): SandboxViolationStore;
+    annotateStderrWithSandboxFailures(command: string, stderr: string): string;
+    getLinuxGlobPatternWarnings(): string[];
+    reset(): Promise<void>;
+}
+/**
+ * Global sandbox manager that handles both network and filesystem restrictions
+ * for this session. This runs outside of the sandbox, on the host machine.
+ */
+export declare const SandboxManager: ISandboxManager;
+//# sourceMappingURL=sandbox-manager.d.ts.map

package/dist/sandbox/sandbox-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-manager.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-manager.ts"],"names":[],"mappings":"AAIA,OAAO,EAAe,KAAK,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AAQjE,OAAO,KAAK,EACV,kBAAkB,EAClB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,EACxB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAiB7B,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAA;AA8vBpE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,UAAU,CACR,kBAAkB,CAAC,EAAE,kBAAkB,EACvC,gBAAgB,CAAC,EAAE,OAAO,GACzB,OAAO,CAAC,IAAI,CAAC,CAAA;IAChB,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAA;IAChD,mBAAmB,IAAI,OAAO,CAAA;IAC9B,eAAe,IAAI,uBAAuB,CAAA;IAC1C,gBAAgB,IAAI,wBAAwB,CAAA;IAC5C,2BAA2B,IAAI,wBAAwB,CAAA;IACvD,mBAAmB,IAAI,MAAM,EAAE,GAAG,SAAS,CAAA;IAC3C,oBAAoB,IAAI,OAAO,GAAG,SAAS,CAAA;IAC3C,mBAAmB,IAAI,sBAAsB,GAAG,SAAS,CAAA;IACzD,4BAA4B,IAAI,OAAO,GAAG,SAAS,CAAA;IACnD,YAAY,IAAI,MAAM,GAAG,SAAS,CAAA;IAClC,iBAAiB,IAAI,MAAM,GAAG,SAAS,CAAA;IACvC,sBAAsB,IAAI,MAAM,GAAG,SAAS,CAAA;IAC5C,uBAAuB,IAAI,MAAM,GAAG,SAAS,CAAA;IAC7C,4BAA4B,IAAI,OAAO,CAAC,OAAO,CAAC,CAAA;IAChD,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IACjD,wBAAwB,IAAI,qBAAqB,CAAA;IACjD,iCAAiC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAAA;IAC1E,2BAA2B,IAAI,MAAM,EAAE,CAAA;IACvC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAA;CACvB;AAMD;;;GAGG;AACH,eAAO,MAAM,cAAc,EAAE,eAqBnB,CAAA"}