@anthropic-ai/sandbox-runtime 0.0.2 → 0.0.3

package/README.md

@@ -387,11 +387,6 @@ Watchman accesses files outside the sandbox boundaries, which will trigger permi
   - Ubuntu/Debian: `apt-get install socat`
   - Fedora: `dnf install socat`
   - Arch: `pacman -S socat`
-- **`python3` - REQUIRED for applying seccomp filters** (typically pre-installed on Linux)
-  - Ubuntu/Debian: `apt-get install python3`
-  - Fedora: `dnf install python3`
-  - Arch: `pacman -S python`
-  - **Note:** Python 3 is mandatory for Unix socket blocking security. To disable this security feature, set `allowAllUnixSockets: true` in your configuration.
 - `ripgrep` - Fast search tool for deny path detection
   - Ubuntu/Debian: `apt-get install ripgrep`
   - Fedora: `dnf install ripgrep`
@@ -499,18 +494,18 @@ On Linux, the sandbox uses **seccomp BPF (Berkeley Packet Filter)** to block Uni
 
 3. **Syscall filtering**: The BPF filter intercepts the `socket()` syscall and blocks creation of `AF_UNIX` sockets by returning `EPERM`. This prevents sandboxed code from creating new Unix domain sockets.
 
-4. **Two-stage application using Python helper script**:
+4. **Two-stage application using apply-seccomp binary**:
    - Outer bwrap creates the sandbox with filesystem, network, and PID namespace restrictions
    - Network bridging processes (socat) start inside the sandbox (need Unix sockets)
-   - Python helper script (apply-seccomp-and-exec.py) applies the seccomp filter via `prctl()`
-   - Python script execs the user command with seccomp active
+   - apply-seccomp binary applies the seccomp filter via `prctl()`
+   - apply-seccomp execs the user command with seccomp active
    - User command runs with all sandbox restrictions plus Unix socket creation blocking
 
 **Security limitations**: The filter only blocks `socket(AF_UNIX, ...)` syscalls. It does not prevent operations on Unix socket file descriptors inherited from parent processes or passed via `SCM_RIGHTS`. For most sandboxing scenarios, blocking socket creation is sufficient to prevent unauthorized IPC.
 
-**Minimal runtime dependencies**: Unlike traditional seccomp implementations that require `gcc`, `clang`, and `libseccomp-dev` at runtime, this approach bundles pre-generated BPF filters and uses a Python helper script with standard library `ctypes` to apply them via `prctl()`, eliminating compilation dependencies for end users. Requires Python 3 (typically already installed on Linux systems).
+**Zero runtime dependencies**: Pre-built static apply-seccomp binaries and pre-generated BPF filters are included for x64 and arm64 architectures. No compilation tools or external dependencies required at runtime.
 
-**Fallback mechanism**: If a pre-generated filter isn't available for your platform, the sandbox can fall back to runtime compilation (requires `gcc/clang` and `libseccomp-dev`).
+**Architecture support**: x64 and arm64 are fully supported with pre-built binaries. Other architectures are not currently supported. To use sandboxing without Unix socket blocking on unsupported architectures, set `allowAllUnixSockets: true` in your configuration.
 
 ### Violation Detection and Monitoring
 

package/dist/cli.js

@@ -71,7 +71,7 @@ async function main() {
     program
         .name('srt')
         .description('Run commands in a sandbox with network and filesystem restrictions')
-        .version('1.0.0');
+        .version(process.env.npm_package_version || '1.0.0');
     // Default command - run command in sandbox
     program
         .argument('<command...>', 'command to run in the sandbox')

package/dist/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC3C,OAAO,EAAE,0BAA0B,EAA6B,MAAM,6BAA6B,CAAA;AACnG,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AAExB;;GAEG;AACH,SAAS,UAAU,CAAC,QAAgB;IAClC,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAA;QACb,CAAC;QACD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QAClD,IAAI,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAA;QACb,CAAC;QAED,aAAa;QACb,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAElC,2BAA2B;QAC3B,MAAM,MAAM,GAAG,0BAA0B,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;QAE3D,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,4BAA4B,QAAQ,GAAG,CAAC,CAAA;YACtD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;gBACpC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBACjC,OAAO,CAAC,KAAK,CAAC,OAAO,IAAI,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;YAChD,CAAC,CAAC,CAAA;YACF,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,4DAA4D;QAC5D,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;YACjC,OAAO,CAAC,KAAK,CAAC,+BAA+B,QAAQ,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;QAC5E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,8BAA8B,QAAQ,KAAK,KAAK,EAAE,CAAC,CAAA;QACnE,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,oBAAoB,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,OAAO;QACL,OAAO,EAAE;YACP,cAAc,EAAE,EAAE;YAClB,aAAa,EAAE,EAAE;SAClB;QACD,UAAU,EAAE;YACV,QAAQ,EAAE,EAAE;YACZ,UAAU,EAAE,EAAE;YACd,SAAS,EAAE,EAAE;SACd;KACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;IAE7B,OAAO;SACJ,IAAI,CAAC,KAAK,CAAC;SACX,WAAW,CACV,oEAAoE,CACrE;SACA,OAAO,CAAC,OAAO,CAAC,CAAA;IAEnB,2CAA2C;IAC3C,OAAO;SACJ,QAAQ,CAAC,cAAc,EAAE,+BAA+B,CAAC;SACzD,MAAM,CAAC,aAAa,EAAE,sBAAsB,CAAC;SAC7C,MAAM,CACL,uBAAuB,EACvB,qDAAqD,CACtD;SACA,kBAAkB,EAAE;SACpB,MAAM,CACL,KAAK,EACH,WAAqB,EACrB,OAA+C,EAC/C,EAAE;QACF,IAAI,CAAC;YACH,oCAAoC;YACpC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,MAAM,CAAA;YAC5B,CAAC;YAED,wBAAwB;YACxB,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,IAAI,oBAAoB,EAAE,CAAA;YAC7D,IAAI,aAAa,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;YAE1C,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,eAAe,CAAC,sBAAsB,UAAU,wBAAwB,CAAC,CAAA;gBACzE,aAAa,GAAG,gBAAgB,EAAE,CAAA;YACpC,CAAC;YAED,iCAAiC;YACjC,eAAe,CAAC,yBAAyB,CAAC,CAAA;YAC1C,MAAM,cAAc,CAAC,UAAU,CAAC,aAAa,CAAC,CAAA;YAE9C,sDAAsD;YACtD,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YACrC,eAAe,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAA;YAE/C,eAAe,CACb,IAAI,CAAC,SAAS,CACZ,cAAc,CAAC,2BAA2B,EAAE,EAC5C,IAAI,EACJ,CAAC,CACF,CACF,CAAA;YAED,6CAA6C;YAC7C,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,CAAA;YAEtE,gCAAgC;YAChC,OAAO,CAAC,GAAG,CAAC,YAAY,OAAO,EAAE,CAAC,CAAA;YAClC,MAAM,KAAK,GAAG,KAAK,CAAC,gBAAgB,EAAE;gBACpC,KAAK,EAAE,IAAI;gBACX,KAAK,EAAE,SAAS;aACjB,CAAC,CAAA;YAEF,sBAAsB;YACtB,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;gBAChC,IAAI,MAAM,EAAE,CAAC;oBACX,OAAO,CAAC,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAA;oBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;gBACjB,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;YAEF,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE;gBACxB,OAAO,CAAC,KAAK,CAAC,8BAA8B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;gBAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC,CAAC,CAAA;YAEF,8BAA8B;YAC9B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBACxB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YACtB,CAAC,CAAC,CAAA;YAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;gBACzB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YACvB,CAAC,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACnE,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CACF,CAAA;IAEH,OAAO,CAAC,KAAK,EAAE,CAAA;AACjB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAA;IACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC3C,OAAO,EAAE,0BAA0B,EAA6B,MAAM,6BAA6B,CAAA;AACnG,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AAExB;;GAEG;AACH,SAAS,UAAU,CAAC,QAAgB;IAClC,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAA;QACb,CAAC;QACD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QAClD,IAAI,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAA;QACb,CAAC;QAED,aAAa;QACb,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAElC,2BAA2B;QAC3B,MAAM,MAAM,GAAG,0BAA0B,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;QAE3D,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,4BAA4B,QAAQ,GAAG,CAAC,CAAA;YACtD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;gBACpC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBACjC,OAAO,CAAC,KAAK,CAAC,OAAO,IAAI,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;YAChD,CAAC,CAAC,CAAA;YACF,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,MAAM,CAAC,IAAI,CAAA;IACpB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,4DAA4D;QAC5D,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;YACjC,OAAO,CAAC,KAAK,CAAC,+BAA+B,QAAQ,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;QAC5E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,8BAA8B,QAAQ,KAAK,KAAK,EAAE,CAAC,CAAA;QACnE,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,oBAAoB,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,OAAO;QACL,OAAO,EAAE;YACP,cAAc,EAAE,EAAE;YAClB,aAAa,EAAE,EAAE;SAClB;QACD,UAAU,EAAE;YACV,QAAQ,EAAE,EAAE;YACZ,UAAU,EAAE,EAAE;YACd,SAAS,EAAE,EAAE;SACd;KACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;IAE7B,OAAO;SACJ,IAAI,CAAC,KAAK,CAAC;SACX,WAAW,CACV,oEAAoE,CACrE;SACA,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,OAAO,CAAC,CAAA;IAEtD,2CAA2C;IAC3C,OAAO;SACJ,QAAQ,CAAC,cAAc,EAAE,+BAA+B,CAAC;SACzD,MAAM,CAAC,aAAa,EAAE,sBAAsB,CAAC;SAC7C,MAAM,CACL,uBAAuB,EACvB,qDAAqD,CACtD;SACA,kBAAkB,EAAE;SACpB,MAAM,CACL,KAAK,EACH,WAAqB,EACrB,OAA+C,EAC/C,EAAE;QACF,IAAI,CAAC;YACH,oCAAoC;YACpC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,MAAM,CAAA;YAC5B,CAAC;YAED,wBAAwB;YACxB,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,IAAI,oBAAoB,EAAE,CAAA;YAC7D,IAAI,aAAa,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;YAE1C,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,eAAe,CAAC,sBAAsB,UAAU,wBAAwB,CAAC,CAAA;gBACzE,aAAa,GAAG,gBAAgB,EAAE,CAAA;YACpC,CAAC;YAED,iCAAiC;YACjC,eAAe,CAAC,yBAAyB,CAAC,CAAA;YAC1C,MAAM,cAAc,CAAC,UAAU,CAAC,aAAa,CAAC,CAAA;YAE9C,sDAAsD;YACtD,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YACrC,eAAe,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAA;YAE/C,eAAe,CACb,IAAI,CAAC,SAAS,CACZ,cAAc,CAAC,2BAA2B,EAAE,EAC5C,IAAI,EACJ,CAAC,CACF,CACF,CAAA;YAED,6CAA6C;YAC7C,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,CAAA;YAEtE,gCAAgC;YAChC,OAAO,CAAC,GAAG,CAAC,YAAY,OAAO,EAAE,CAAC,CAAA;YAClC,MAAM,KAAK,GAAG,KAAK,CAAC,gBAAgB,EAAE;gBACpC,KAAK,EAAE,IAAI;gBACX,KAAK,EAAE,SAAS;aACjB,CAAC,CAAA;YAEF,sBAAsB;YACtB,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;gBAChC,IAAI,MAAM,EAAE,CAAC;oBACX,OAAO,CAAC,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAA;oBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;gBACjB,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;YAEF,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE;gBACxB,OAAO,CAAC,KAAK,CAAC,8BAA8B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;gBAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC,CAAC,CAAA;YAEF,8BAA8B;YAC9B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBACxB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YACtB,CAAC,CAAC,CAAA;YAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;gBACzB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YACvB,CAAC,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACnE,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CACF,CAAA;IAEH,OAAO,CAAC,KAAK,EAAE,CAAA;AACjB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAA;IACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}

package/dist/sandbox/generate-seccomp-filter.d.ts

@@ -1,15 +1,3 @@
-/**
- * Check if Python 3 is available (synchronous)
- * Python 3 is required for applying seccomp filters via the helper script
- * Memoized to avoid repeated system calls
- */
-export declare const hasPython3Sync: (() => boolean) & import("lodash").MemoizedFunction;
-/**
- * Check if seccomp dependencies are available (synchronous)
- * Returns true if (gcc OR clang) AND libseccomp-dev are installed
- * Memoized to avoid repeated system calls
- */
-export declare const hasSeccompDependenciesSync: (() => boolean) & import("lodash").MemoizedFunction;
 /**
  * Get the path to a pre-generated BPF filter file from the vendor directory
  * Returns the path if it exists, null otherwise
@@ -23,8 +11,20 @@ export declare const hasSeccompDependenciesSync: (() => boolean) & import("lodas
  */
 export declare function getPreGeneratedBpfPath(): string | null;
 /**
- * Generate a seccomp BPF filter that blocks Unix domain socket creation
- * Returns the path to the BPF filter file, or null if generation failed
+ * Get the path to the apply-seccomp binary from the vendor directory
+ * Returns the path if it exists, null otherwise
+ *
+ * Pre-built apply-seccomp binaries are organized by architecture:
+ * - vendor/seccomp/{x64,arm64}/apply-seccomp
+ *
+ * Tries multiple paths for resilience:
+ * 1. ../../vendor/seccomp/{arch}/apply-seccomp (package root - standard npm installs)
+ * 2. ../vendor/seccomp/{arch}/apply-seccomp (dist/vendor - for bundlers)
+ */
+export declare function getApplySeccompBinaryPath(): string | null;
+/**
+ * Get the path to a pre-generated seccomp BPF filter that blocks Unix domain socket creation
+ * Returns the path to the BPF filter file, or null if not available
  *
  * The filter blocks socket(AF_UNIX, ...) syscalls while allowing all other syscalls.
  * This prevents creation of new Unix domain socket file descriptors.
@@ -40,25 +40,17 @@ export declare function getPreGeneratedBpfPath(): string | null;
  * read user-space memory to inspect socket paths).
  *
  * Requirements:
- * - Pre-generated BPF filters included for x64 and ARM64
- * - For other architectures: gcc or clang + libseccomp-dev for runtime compilation
+ * - Pre-generated BPF filters included for x64 and ARM64 only
+ * - Other architectures are not supported
  *
- * @returns Path to the BPF filter file, or null on failure
+ * @returns Path to the pre-generated BPF filter file, or null if not available
  */
 export declare function generateSeccompFilter(): string | null;
 /**
  * Clean up a seccomp filter file
- * Note: Pre-generated BPF files from vendor/ are never deleted
- */
-export declare function cleanupSeccompFilter(filterPath: string): void;
-/**
- * Get the path to the apply-seccomp-and-exec Python script
- * This script applies a seccomp filter and execs a command, replacing the need
- * for nested bwrap with --seccomp flag.
- *
- * The script is cached in the temp directory to avoid repeated writes.
- *
- * @returns Path to the Python script, or null on failure
+ * Since we only use pre-generated BPF files from vendor/, this is a no-op.
+ * Pre-generated files are never deleted.
+ * Kept for backward compatibility with existing code that calls it.
  */
-export declare function getApplySeccompExecPath(): string | null;
+export declare function cleanupSeccompFilter(_filterPath: string): void;
 //# sourceMappingURL=generate-seccomp-filter.d.ts.map

package/dist/sandbox/generate-seccomp-filter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"generate-seccomp-filter.d.ts","sourceRoot":"","sources":["../../src/sandbox/generate-seccomp-filter.ts"],"names":[],"mappings":"AAoDA;;;;GAIG;AACH,eAAO,MAAM,cAAc,SAAe,OAAO,qCAU/C,CAAA;AAEF;;;;GAIG;AACH,eAAO,MAAM,0BAA0B,SAAe,OAAO,qCAiE3D,CAAA;AAEF;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,GAAG,IAAI,CAqCtD;AAuLD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,qBAAqB,IAAI,MAAM,GAAG,IAAI,CAmErD;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAmB7D;AA8DD;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,IAAI,MAAM,GAAG,IAAI,CAEvD"}
+{"version":3,"file":"generate-seccomp-filter.d.ts","sourceRoot":"","sources":["../../src/sandbox/generate-seccomp-filter.ts"],"names":[],"mappings":"AAiDA;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,GAAG,IAAI,CAqCtD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,GAAG,IAAI,CAoCzD;AAGD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,qBAAqB,IAAI,MAAM,GAAG,IAAI,CAarD;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAE9D"}

package/dist/sandbox/generate-seccomp-filter.js

@@ -1,11 +1,7 @@
-import { createHash } from 'node:crypto';
-import { tmpdir } from 'node:os';
 import { join, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import * as fs from 'node:fs';
 import { logForDebugging } from '../utils/debug.js';
-import { spawnSync } from 'node:child_process';
-import { memoize } from 'lodash-es';
 /**
  * Map Node.js process.arch to our vendor directory architecture names
  * Returns null for unsupported architectures
@@ -43,84 +39,6 @@ function getVendorArchitecture() {
             return null;
     }
 }
-/**
- * Check if Python 3 is available (synchronous)
- * Python 3 is required for applying seccomp filters via the helper script
- * Memoized to avoid repeated system calls
- */
-export const hasPython3Sync = memoize(() => {
-    try {
-        const result = spawnSync('python3', ['--version'], {
-            stdio: 'ignore',
-            timeout: 1000,
-        });
-        return result.status === 0;
-    }
-    catch {
-        return false;
-    }
-});
-/**
- * Check if seccomp dependencies are available (synchronous)
- * Returns true if (gcc OR clang) AND libseccomp-dev are installed
- * Memoized to avoid repeated system calls
- */
-export const hasSeccompDependenciesSync = memoize(() => {
-    try {
-        // Check for gcc or clang
-        const gccResult = spawnSync('which', ['gcc'], {
-            stdio: 'ignore',
-            timeout: 1000,
-        });
-        const clangResult = spawnSync('which', ['clang'], {
-            stdio: 'ignore',
-            timeout: 1000,
-        });
-        const hasCompiler = gccResult.status === 0 || clangResult.status === 0;
-        if (!hasCompiler) {
-            return false;
-        }
-        // Check for libseccomp by trying to compile the actual seccomp-unix-block.c file
-        // This is more reliable than checking for specific files since package
-        // installation paths vary across distributions
-        const sourceHash = getFilterGeneratorSourceHash();
-        // Write source to temp file
-        const sourcePath = writeSourceToTempFile('seccomp-unix-block', sourceHash);
-        if (!sourcePath) {
-            return false;
-        }
-        const testBinary = join(tmpdir(), `seccomp-test-${process.pid}-${createHash('sha256').update(Math.random().toString()).digest('hex').substring(0, 8)}`);
-        try {
-            // Try to compile the real program
-            const compiler = gccResult.status === 0 ? 'gcc' : 'clang';
-            const compileResult = spawnSync(compiler, ['-o', testBinary, sourcePath, '-lseccomp'], {
-                stdio: 'ignore',
-                timeout: 5000,
-            });
-            // Clean up test binary
-            try {
-                fs.rmSync(testBinary, { force: true });
-            }
-            catch {
-                // Ignore cleanup errors
-            }
-            return compileResult.status === 0;
-        }
-        catch {
-            // Clean up on error
-            try {
-                fs.rmSync(testBinary, { force: true });
-            }
-            catch {
-                // Ignore cleanup errors
-            }
-            return false;
-        }
-    }
-    catch {
-        return false;
-    }
-});
 /**
  * Get the path to a pre-generated BPF filter file from the vendor directory
  * Returns the path if it exists, null otherwise
@@ -158,144 +76,46 @@ export function getPreGeneratedBpfPath() {
     logForDebugging(`[SeccompFilter] Pre-generated BPF filter not found in any expected location (${arch})`);
     return null;
 }
-// Cache directory for compiled binaries
-const CACHE_DIR = join(tmpdir(), 'claude', 'seccomp-cache');
 /**
- * Get the path to a source file in the vendor/seccomp-src directory
- * Handles both development and production paths
+ * Get the path to the apply-seccomp binary from the vendor directory
+ * Returns the path if it exists, null otherwise
  *
- * Tries multiple paths for resilience:
- * 1. ../../vendor/seccomp-src/{filename} (package root - standard npm installs)
- * 2. ../vendor/seccomp-src/{filename} (dist/vendor - for bundlers)
+ * Pre-built apply-seccomp binaries are organized by architecture:
+ * - vendor/seccomp/{x64,arm64}/apply-seccomp
  *
- * Returns the first path that exists, or the first path if none exist
+ * Tries multiple paths for resilience:
+ * 1. ../../vendor/seccomp/{arch}/apply-seccomp (package root - standard npm installs)
+ * 2. ../vendor/seccomp/{arch}/apply-seccomp (dist/vendor - for bundlers)
  */
-function getVendorSourcePath(filename) {
+export function getApplySeccompBinaryPath() {
+    // Determine architecture
+    const arch = getVendorArchitecture();
+    if (!arch) {
+        logForDebugging(`[SeccompFilter] Cannot find apply-seccomp binary: unsupported architecture ${process.arch}`);
+        return null;
+    }
+    logForDebugging(`[SeccompFilter] Looking for apply-seccomp binary for architecture: ${arch}`);
+    // Try to locate the binary with fallback paths
     // Path is relative to the compiled code location (dist/sandbox/)
     const baseDir = dirname(fileURLToPath(import.meta.url));
-    const relativePath = join('vendor', 'seccomp-src', filename);
+    const relativePath = join('vendor', 'seccomp', arch, 'apply-seccomp');
     // Try paths in order of preference
     const pathsToTry = [
-        join(baseDir, '..', '..', relativePath), // package root: vendor/seccomp-src/...
-        join(baseDir, '..', relativePath), // dist: dist/vendor/seccomp-src/...
+        join(baseDir, '..', '..', relativePath), // package root: vendor/seccomp/...
+        join(baseDir, '..', relativePath), // dist: dist/vendor/seccomp/...
     ];
-    // Return first path that exists
-    for (const path of pathsToTry) {
-        if (fs.existsSync(path)) {
-            return path;
-        }
-    }
-    // If none exist, return first path for backward compatibility with error messages
-    return pathsToTry[0];
-}
-/**
- * Read a source file from vendor/seccomp-src directory
- * Returns null if the file doesn't exist
- */
-function readVendorSource(filename) {
-    const sourcePath = getVendorSourcePath(filename);
-    try {
-        if (!fs.existsSync(sourcePath)) {
-            logForDebugging(`[SeccompFilter] Source file not found: ${sourcePath}`, { level: 'warn' });
-            return null;
-        }
-        return fs.readFileSync(sourcePath, 'utf8');
-    }
-    catch (err) {
-        logForDebugging(`[SeccompFilter] Failed to read source file ${sourcePath}: ${err}`, { level: 'error' });
-        return null;
-    }
-}
-/**
- * Get the hash of the filter generator C source
- */
-function getFilterGeneratorSourceHash() {
-    const source = readVendorSource('seccomp-unix-block.c');
-    if (!source) {
-        // Fallback hash if source file is missing
-        return 'missing';
-    }
-    return createHash('sha256')
-        .update(source)
-        .digest('hex')
-        .substring(0, 16);
-}
-/**
- * Write C source code to a temporary file
- * Returns the path to the temporary source file, or null on failure
- */
-function writeSourceToTempFile(name, hash) {
-    const sourcePath = join(CACHE_DIR, `${name}-${hash}.c`);
-    // Check if source file already exists (cached)
-    if (fs.existsSync(sourcePath)) {
-        return sourcePath;
-    }
-    // Read source from vendor directory
-    const source = readVendorSource(`${name}.c`);
-    if (!source) {
-        logForDebugging(`[SeccompFilter] Cannot write source file: source not found in vendor directory`, { level: 'error' });
-        return null;
-    }
-    try {
-        // Create cache directory if it doesn't exist (recursive to create parent dirs)
-        fs.mkdirSync(CACHE_DIR, { recursive: true });
-        // Write the C source to the temp file
-        fs.writeFileSync(sourcePath, source, { encoding: 'utf8' });
-        logForDebugging(`[SeccompFilter] Wrote C source to ${sourcePath}`);
-        return sourcePath;
-    }
-    catch (err) {
-        logForDebugging(`[SeccompFilter] Failed to write source file: ${err}`, {
-            level: 'error',
-        });
-        return null;
-    }
-}
-/**
- * Compile the seccomp filter generator program
- * Returns the path to the compiled binary or null on failure
- */
-function compileSeccompGenerator() {
-    const sourceHash = getFilterGeneratorSourceHash();
-    const binaryPath = join(CACHE_DIR, `seccomp-unix-block-${sourceHash}`);
-    // Check if cached binary exists
-    if (fs.existsSync(binaryPath)) {
-        logForDebugging('[SeccompFilter] Using cached filter generator binary');
-        return binaryPath;
-    }
-    logForDebugging('[SeccompFilter] Compiling seccomp filter generator...');
-    // Write source to temp file
-    const sourcePath = writeSourceToTempFile('seccomp-unix-block', sourceHash);
-    if (!sourcePath) {
-        return null;
-    }
-    // Try gcc first, then clang
-    const compilers = ['gcc', 'clang'];
-    for (const compiler of compilers) {
-        const result = spawnSync(compiler, ['-o', binaryPath, sourcePath, '-lseccomp'], {
-            stdio: 'pipe',
-            timeout: 30000, // 30 second timeout
-        });
-        if (result.status === 0) {
-            logForDebugging(`[SeccompFilter] Successfully compiled filter generator with ${compiler}`);
+    for (const binaryPath of pathsToTry) {
+        if (fs.existsSync(binaryPath)) {
+            logForDebugging(`[SeccompFilter] Found apply-seccomp binary: ${binaryPath} (${arch})`);
             return binaryPath;
         }
-        logForDebugging(`[SeccompFilter] Filter generator compilation with ${compiler} failed: ${result.stderr?.toString() || 'unknown error'}`, { level: 'error' });
     }
-    logForDebugging('[SeccompFilter] Failed to compile filter generator with any available compiler. ' +
-        'Ensure gcc or clang and libseccomp-dev are installed.', { level: 'error' });
+    logForDebugging(`[SeccompFilter] apply-seccomp binary not found in any expected location (${arch})`);
     return null;
 }
 /**
- * Get the path to the seccomp-unix-block generator binary
- * Compiles the binary at runtime
- */
-function getSeccompGeneratorPath() {
-    return compileSeccompGenerator();
-}
-/**
- * Generate a seccomp BPF filter that blocks Unix domain socket creation
- * Returns the path to the BPF filter file, or null if generation failed
+ * Get the path to a pre-generated seccomp BPF filter that blocks Unix domain socket creation
+ * Returns the path to the BPF filter file, or null if not available
  *
  * The filter blocks socket(AF_UNIX, ...) syscalls while allowing all other syscalls.
  * This prevents creation of new Unix domain socket file descriptors.
@@ -311,137 +131,28 @@ function getSeccompGeneratorPath() {
  * read user-space memory to inspect socket paths).
  *
  * Requirements:
- * - Pre-generated BPF filters included for x64 and ARM64
- * - For other architectures: gcc or clang + libseccomp-dev for runtime compilation
+ * - Pre-generated BPF filters included for x64 and ARM64 only
+ * - Other architectures are not supported
  *
- * @returns Path to the BPF filter file, or null on failure
+ * @returns Path to the pre-generated BPF filter file, or null if not available
  */
 export function generateSeccompFilter() {
-    // Check for Python 3 first - required for applying seccomp filters
-    if (!hasPython3Sync()) {
-        logForDebugging('[SeccompFilter] Python 3 is not available. ' +
-            'Python 3 is required for applying seccomp filters via the helper script. ' +
-            'Install Python 3 (e.g., "apt-get install python3") or set allowAllUnixSockets: true to disable Unix socket blocking.', { level: 'error' });
-        return null;
-    }
-    // Try pre-generated BPF filter first (fast path - no compilation needed)
     const preGeneratedBpf = getPreGeneratedBpfPath();
     if (preGeneratedBpf) {
         logForDebugging('[SeccompFilter] Using pre-generated BPF filter');
         return preGeneratedBpf;
     }
-    // Fall back to runtime generation (requires gcc/clang + libseccomp-dev)
-    logForDebugging('[SeccompFilter] Pre-generated BPF not available, falling back to runtime compilation');
-    // Get the generator binary (pre-built or compile it)
-    const binaryPath = getSeccompGeneratorPath();
-    if (!binaryPath) {
-        logForDebugging('[SeccompFilter] Cannot generate BPF filter: no pre-generated file and compilation failed. ' +
-            'Ensure gcc/clang and libseccomp-dev are installed for runtime compilation.', { level: 'error' });
-        return null;
-    }
-    // Generate a unique filename for this filter
-    const filterPath = join(tmpdir(), `claude-seccomp-${process.pid}-${createHash('sha256').update(Math.random().toString()).digest('hex').substring(0, 8)}.bpf`);
-    logForDebugging(`[SeccompFilter] Generating BPF filter to ${filterPath}`);
-    // Run the compiled binary to generate the filter
-    const result = spawnSync(binaryPath, [filterPath], {
-        stdio: 'pipe',
-        timeout: 5000, // 5 second timeout
-    });
-    if (result.status !== 0) {
-        logForDebugging(`[SeccompFilter] Failed to generate filter: ${result.stderr?.toString() || 'unknown error'}`, { level: 'error' });
-        return null;
-    }
-    // Verify the filter file was created
-    if (!fs.existsSync(filterPath)) {
-        logForDebugging('[SeccompFilter] Filter file was not created', {
-            level: 'error',
-        });
-        return null;
-    }
-    logForDebugging('[SeccompFilter] Successfully generated BPF filter via runtime compilation');
-    return filterPath;
+    logForDebugging('[SeccompFilter] Pre-generated BPF filter not available for this architecture. ' +
+        'Only x64 and arm64 are supported.', { level: 'error' });
+    return null;
 }
 /**
  * Clean up a seccomp filter file
- * Note: Pre-generated BPF files from vendor/ are never deleted
- */
-export function cleanupSeccompFilter(filterPath) {
-    // Don't delete pre-generated BPF files from vendor/
-    if (filterPath.includes('/vendor/seccomp/')) {
-        logForDebugging('[SeccompFilter] Skipping cleanup of pre-generated BPF file');
-        return;
-    }
-    // Only clean up runtime-generated files (in /tmp/)
-    try {
-        if (fs.existsSync(filterPath)) {
-            fs.rmSync(filterPath, { force: true });
-            logForDebugging(`[SeccompFilter] Cleaned up filter file: ${filterPath}`);
-        }
-    }
-    catch (err) {
-        logForDebugging(`[SeccompFilter] Failed to clean up filter file: ${err}`, {
-            level: 'error',
-        });
-    }
-}
-/**
- * Get the hash of the apply-seccomp Python script source
- */
-function getApplySeccompScriptHash() {
-    const source = readVendorSource('apply-seccomp-and-exec.py');
-    if (!source) {
-        // Fallback hash if source file is missing
-        return 'missing';
-    }
-    return createHash('sha256')
-        .update(source)
-        .digest('hex')
-        .substring(0, 16);
-}
-/**
- * Write the apply-seccomp Python script to the cache directory
- * Returns the path to the script, or null on failure
- */
-function writeApplySeccompScript() {
-    const scriptHash = getApplySeccompScriptHash();
-    const scriptPath = join(CACHE_DIR, `apply-seccomp-and-exec-${scriptHash}.py`);
-    // Check if script already exists (cached)
-    if (fs.existsSync(scriptPath)) {
-        logForDebugging('[SeccompFilter] Using cached apply-seccomp Python script');
-        return scriptPath;
-    }
-    // Read source from vendor directory
-    const source = readVendorSource('apply-seccomp-and-exec.py');
-    if (!source) {
-        logForDebugging('[SeccompFilter] Cannot write Python script: source not found in vendor directory', { level: 'error' });
-        return null;
-    }
-    try {
-        // Create cache directory if it doesn't exist
-        fs.mkdirSync(CACHE_DIR, { recursive: true });
-        // Write the Python script
-        fs.writeFileSync(scriptPath, source, {
-            encoding: 'utf8',
-            mode: 0o755, // Make executable
-        });
-        logForDebugging(`[SeccompFilter] Wrote apply-seccomp Python script to ${scriptPath}`);
-        return scriptPath;
-    }
-    catch (err) {
-        logForDebugging(`[SeccompFilter] Failed to write apply-seccomp Python script: ${err}`, { level: 'error' });
-        return null;
-    }
-}
-/**
- * Get the path to the apply-seccomp-and-exec Python script
- * This script applies a seccomp filter and execs a command, replacing the need
- * for nested bwrap with --seccomp flag.
- *
- * The script is cached in the temp directory to avoid repeated writes.
- *
- * @returns Path to the Python script, or null on failure
+ * Since we only use pre-generated BPF files from vendor/, this is a no-op.
+ * Pre-generated files are never deleted.
+ * Kept for backward compatibility with existing code that calls it.
  */
-export function getApplySeccompExecPath() {
-    return writeApplySeccompScript();
+export function cleanupSeccompFilter(_filterPath) {
+    // No-op: pre-generated BPF files are never cleaned up
 }
 //# sourceMappingURL=generate-seccomp-filter.js.map

package/dist/sandbox/generate-seccomp-filter.js.map

@@ -1 +1 @@
-{"version":3,"file":"generate-seccomp-filter.js","sourceRoot":"","sources":["../../src/sandbox/generate-seccomp-filter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AACxC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AAEnC;;;GAGG;AACH,SAAS,qBAAqB;IAC5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAc,CAAA;IACnC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,KAAK,CAAC;QACX,KAAK,QAAQ;YACX,OAAO,KAAK,CAAA;QACd,KAAK,OAAO,CAAC;QACb,KAAK,SAAS;YACZ,OAAO,OAAO,CAAA;QAChB,KAAK,MAAM,CAAC;QACZ,KAAK,KAAK;YACR,0CAA0C;YAC1C,wFAAwF;YACxF,mGAAmG;YACnG,4FAA4F;YAC5F,6FAA6F;YAC7F,EAAE;YACF,8CAA8C;YAC9C,8EAA8E;YAC9E,2FAA2F;YAC3F,8CAA8C;YAC9C,kDAAkD;YAClD,mFAAmF;YACnF,EAAE;YACF,sEAAsE;YACtE,eAAe,CACb,6GAA6G;gBAC7G,0HAA0H,EAC1H,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;YACD,OAAO,IAAI,CAAA;QACb;YACE,eAAe,CACb,6CAA6C,IAAI,qCAAqC,CACvF,CAAA;YACD,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,OAAO,CAAC,GAAY,EAAE;IAClD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,WAAW,CAAC,EAAE;YACjD,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QACF,OAAO,MAAM,CAAC,MAAM,KAAK,CAAC,CAAA;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC,CAAC,CAAA;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG,OAAO,CAAC,GAAY,EAAE;IAC9D,IAAI,CAAC;QACH,yBAAyB;QACzB,MAAM,SAAS,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,EAAE;YAC5C,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QACF,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;YAChD,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QAEF,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,CAAA;QACtE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,iFAAiF;QACjF,uEAAuE;QACvE,+CAA+C;QAC/C,MAAM,UAAU,GAAG,4BAA4B,EAAE,CAAA;QAEjD,4BAA4B;QAC5B,MAAM,UAAU,GAAG,qBAAqB,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAA;QAC1E,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CACrB,MAAM,EAAE,EACR,gBAAgB,OAAO,CAAC,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CACrH,CAAA;QAED,IAAI,CAAC;YACH,kCAAkC;YAClC,MAAM,QAAQ,GAAG,SAAS,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAA;YACzD,MAAM,aAAa,GAAG,SAAS,CAC7B,QAAQ,EACR,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,CAAC,EAC3C;gBACE,KAAK,EAAE,QAAQ;gBACf,OAAO,EAAE,IAAI;aACd,CACF,CAAA;YAED,uBAAuB;YACvB,IAAI,CAAC;gBACH,EAAE,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;YAED,OAAO,aAAa,CAAC,MAAM,KAAK,CAAC,CAAA;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;YACpB,IAAI,CAAC;gBACH,EAAE,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,wBAAwB;YAC1B,CAAC;YACD,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC,CAAC,CAAA;AAEF;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB;IAEpC,yBAAyB;IACzB,MAAM,IAAI,GAAG,qBAAqB,EAAE,CAAA;IACpC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,eAAe,CACb,kFAAkF,OAAO,CAAC,IAAI,EAAE,CACjG,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,eAAe,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAA;IAEjE,iDAAiD;IACjD,iEAAiE;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,gBAAgB,CAAC,CAAA;IAEtE,mCAAmC;IACnC,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,CAAC,EAAE,mCAAmC;QAC5E,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,YAAY,CAAC,EAAQ,gCAAgC;KAC1E,CAAA;IAED,KAAK,MAAM,OAAO,IAAI,UAAU,EAAE,CAAC;QACjC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,eAAe,CACb,mDAAmD,OAAO,KAAK,IAAI,GAAG,CACvE,CAAA;YACD,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,eAAe,CACb,gFAAgF,IAAI,GAAG,CACxF,CAAA;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED,wCAAwC;AACxC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAA;AAE3D;;;;;;;;;GASG;AACH,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,iEAAiE;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,aAAa,EAAE,QAAQ,CAAC,CAAA;IAE5D,mCAAmC;IACnC,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,CAAC,EAAE,uCAAuC;QAChF,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,YAAY,CAAC,EAAQ,oCAAoC;KAC9E,CAAA;IAED,gCAAgC;IAChC,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,kFAAkF;IAClF,OAAO,UAAU,CAAC,CAAC,CAAC,CAAA;AACtB,CAAC;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,UAAU,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAA;IAEhD,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,eAAe,CACb,0CAA0C,UAAU,EAAE,EACtD,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAA;YACD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAA;IAC5C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,eAAe,CACb,8CAA8C,UAAU,KAAK,GAAG,EAAE,EAClE,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,4BAA4B;IACnC,MAAM,MAAM,GAAG,gBAAgB,CAAC,sBAAsB,CAAC,CAAA;IACvD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,0CAA0C;QAC1C,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,MAAM,CAAC;SACd,MAAM,CAAC,KAAK,CAAC;SACb,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;AACrB,CAAC;AAED;;;GAGG;AACH,SAAS,qBAAqB,CAC5B,IAAY,EACZ,IAAY;IAEZ,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,GAAG,IAAI,IAAI,IAAI,IAAI,CAAC,CAAA;IAEvD,+CAA+C;IAC/C,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,oCAAoC;IACpC,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,IAAI,IAAI,CAAC,CAAA;IAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,eAAe,CACb,gFAAgF,EAChF,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC;QACH,+EAA+E;QAC/E,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;QAE5C,sCAAsC;QACtC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAC1D,eAAe,CAAC,qCAAqC,UAAU,EAAE,CAAC,CAAA;QAClE,OAAO,UAAU,CAAA;IACnB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,eAAe,CAAC,gDAAgD,GAAG,EAAE,EAAE;YACrE,KAAK,EAAE,OAAO;SACf,CAAC,CAAA;QACF,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,uBAAuB;IAC9B,MAAM,UAAU,GAAG,4BAA4B,EAAE,CAAA;IAEjD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,sBAAsB,UAAU,EAAE,CAAC,CAAA;IAEtE,gCAAgC;IAChC,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,eAAe,CAAC,sDAAsD,CAAC,CAAA;QACvE,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,eAAe,CAAC,uDAAuD,CAAC,CAAA;IAExE,4BAA4B;IAC5B,MAAM,UAAU,GAAG,qBAAqB,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAA;IAC1E,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,4BAA4B;IAC5B,MAAM,SAAS,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;IAClC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,SAAS,CACtB,QAAQ,EACR,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,CAAC,EAC3C;YACE,KAAK,EAAE,MAAM;YACb,OAAO,EAAE,KAAK,EAAE,oBAAoB;SACrC,CACF,CAAA;QAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,eAAe,CACb,+DAA+D,QAAQ,EAAE,CAC1E,CAAA;YACD,OAAO,UAAU,CAAA;QACnB,CAAC;QAED,eAAe,CACb,qDAAqD,QAAQ,YAAY,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,IAAI,eAAe,EAAE,EACvH,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;IACH,CAAC;IAED,eAAe,CACb,kFAAkF;QAChF,uDAAuD,EACzD,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,uBAAuB;IAC9B,OAAO,uBAAuB,EAAE,CAAA;AAClC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,qBAAqB;IACnC,mEAAmE;IACnE,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;QACtB,eAAe,CACb,6CAA6C;YAC3C,2EAA2E;YAC3E,sHAAsH,EACxH,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,yEAAyE;IACzE,MAAM,eAAe,GAAG,sBAAsB,EAAE,CAAA;IAChD,IAAI,eAAe,EAAE,CAAC;QACpB,eAAe,CAAC,gDAAgD,CAAC,CAAA;QACjE,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,wEAAwE;IACxE,eAAe,CACb,sFAAsF,CACvF,CAAA;IAED,qDAAqD;IACrD,MAAM,UAAU,GAAG,uBAAuB,EAAE,CAAA;IAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,eAAe,CACb,4FAA4F;YAC1F,4EAA4E,EAC9E,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,6CAA6C;IAC7C,MAAM,UAAU,GAAG,IAAI,CACrB,MAAM,EAAE,EACR,kBAAkB,OAAO,CAAC,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,CAC3H,CAAA;IAED,eAAe,CAAC,4CAA4C,UAAU,EAAE,CAAC,CAAA;IAEzE,iDAAiD;IACjD,MAAM,MAAM,GAAG,SAAS,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,EAAE;QACjD,KAAK,EAAE,MAAM;QACb,OAAO,EAAE,IAAI,EAAE,mBAAmB;KACnC,CAAC,CAAA;IAEF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,eAAe,CACb,8CAA8C,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,IAAI,eAAe,EAAE,EAC5F,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,qCAAqC;IACrC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,eAAe,CAAC,6CAA6C,EAAE;YAC7D,KAAK,EAAE,OAAO;SACf,CAAC,CAAA;QACF,OAAO,IAAI,CAAA;IACb,CAAC;IAED,eAAe,CAAC,2EAA2E,CAAC,CAAA;IAC5F,OAAO,UAAU,CAAA;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAkB;IAErD,oDAAoD;IACpD,IAAI,UAAU,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC5C,eAAe,CAAC,4DAA4D,CAAC,CAAA;QAC7E,OAAM;IACR,CAAC;IAED,mDAAmD;IACnD,IAAI,CAAC;QACH,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,EAAE,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;YACtC,eAAe,CAAC,2CAA2C,UAAU,EAAE,CAAC,CAAA;QAC1E,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,eAAe,CAAC,mDAAmD,GAAG,EAAE,EAAE;YACxE,KAAK,EAAE,OAAO;SACf,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,yBAAyB;IAChC,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,CAAA;IAC5D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,0CAA0C;QAC1C,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,MAAM,CAAC;SACd,MAAM,CAAC,KAAK,CAAC;SACb,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;AACrB,CAAC;AAED;;;GAGG;AACH,SAAS,uBAAuB;IAC9B,MAAM,UAAU,GAAG,yBAAyB,EAAE,CAAA;IAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,0BAA0B,UAAU,KAAK,CAAC,CAAA;IAE7E,0CAA0C;IAC1C,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,eAAe,CAAC,0DAA0D,CAAC,CAAA;QAC3E,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,oCAAoC;IACpC,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,CAAA;IAC5D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,eAAe,CACb,kFAAkF,EAClF,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC;QACH,6CAA6C;QAC7C,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;QAE5C,0BAA0B;QAC1B,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE;YACnC,QAAQ,EAAE,MAAM;YAChB,IAAI,EAAE,KAAK,EAAE,kBAAkB;SAChC,CAAC,CAAA;QAEF,eAAe,CAAC,wDAAwD,UAAU,EAAE,CAAC,CAAA;QACrF,OAAO,UAAU,CAAA;IACnB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,eAAe,CACb,gEAAgE,GAAG,EAAE,EACrE,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,uBAAuB,EAAE,CAAA;AAClC,CAAC"}
+{"version":3,"file":"generate-seccomp-filter.js","sourceRoot":"","sources":["../../src/sandbox/generate-seccomp-filter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AACxC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAEnD;;;GAGG;AACH,SAAS,qBAAqB;IAC5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAc,CAAA;IACnC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,KAAK,CAAC;QACX,KAAK,QAAQ;YACX,OAAO,KAAK,CAAA;QACd,KAAK,OAAO,CAAC;QACb,KAAK,SAAS;YACZ,OAAO,OAAO,CAAA;QAChB,KAAK,MAAM,CAAC;QACZ,KAAK,KAAK;YACR,0CAA0C;YAC1C,wFAAwF;YACxF,mGAAmG;YACnG,4FAA4F;YAC5F,6FAA6F;YAC7F,EAAE;YACF,8CAA8C;YAC9C,8EAA8E;YAC9E,2FAA2F;YAC3F,8CAA8C;YAC9C,kDAAkD;YAClD,mFAAmF;YACnF,EAAE;YACF,sEAAsE;YACtE,eAAe,CACb,6GAA6G;gBAC7G,0HAA0H,EAC1H,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;YACD,OAAO,IAAI,CAAA;QACb;YACE,eAAe,CACb,6CAA6C,IAAI,qCAAqC,CACvF,CAAA;YACD,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAGD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB;IAEpC,yBAAyB;IACzB,MAAM,IAAI,GAAG,qBAAqB,EAAE,CAAA;IACpC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,eAAe,CACb,kFAAkF,OAAO,CAAC,IAAI,EAAE,CACjG,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,eAAe,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAA;IAEjE,iDAAiD;IACjD,iEAAiE;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,gBAAgB,CAAC,CAAA;IAEtE,mCAAmC;IACnC,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,CAAC,EAAE,mCAAmC;QAC5E,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,YAAY,CAAC,EAAQ,gCAAgC;KAC1E,CAAA;IAED,KAAK,MAAM,OAAO,IAAI,UAAU,EAAE,CAAC;QACjC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,eAAe,CACb,mDAAmD,OAAO,KAAK,IAAI,GAAG,CACvE,CAAA;YACD,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,eAAe,CACb,gFAAgF,IAAI,GAAG,CACxF,CAAA;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,yBAAyB;IACvC,yBAAyB;IACzB,MAAM,IAAI,GAAG,qBAAqB,EAAE,CAAA;IACpC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,eAAe,CACb,8EAA8E,OAAO,CAAC,IAAI,EAAE,CAC7F,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,eAAe,CAAC,sEAAsE,IAAI,EAAE,CAAC,CAAA;IAE7F,+CAA+C;IAC/C,iEAAiE;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,eAAe,CAAC,CAAA;IAErE,mCAAmC;IACnC,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,CAAC,EAAE,mCAAmC;QAC5E,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,YAAY,CAAC,EAAQ,gCAAgC;KAC1E,CAAA;IAED,KAAK,MAAM,UAAU,IAAI,UAAU,EAAE,CAAC;QACpC,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,eAAe,CACb,+CAA+C,UAAU,KAAK,IAAI,GAAG,CACtE,CAAA;YACD,OAAO,UAAU,CAAA;QACnB,CAAC;IACH,CAAC;IAED,eAAe,CACb,4EAA4E,IAAI,GAAG,CACpF,CAAA;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAGD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,qBAAqB;IACnC,MAAM,eAAe,GAAG,sBAAsB,EAAE,CAAA;IAChD,IAAI,eAAe,EAAE,CAAC;QACpB,eAAe,CAAC,gDAAgD,CAAC,CAAA;QACjE,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,eAAe,CACb,gFAAgF;QAC9E,mCAAmC,EACrC,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,WAAmB;IACtD,sDAAsD;AACxD,CAAC"}