@calliopelabs/cli 0.8.20 → 2.0.2

package/dist/providers/types.js

@@ -0,0 +1,164 @@
+/**
+ * Provider Shared Types & Utilities
+ *
+ * Constants, token estimation, context health, validation, and shared helpers.
+ */
+import { getModelContextLimit } from '../model-detection.js';
+// Constants
+export const MAX_TOKENS = 8192;
+export const MIN_OUTPUT_TOKENS = 1024; // Minimum output tokens to request
+export const CONTEXT_BUFFER_PERCENT = 0.08; // 8% of context as safety buffer
+export const CONTEXT_BUFFER_MIN = 1024; // Minimum buffer (scales with context size)
+/** Maximum allowed content length (1MB) to prevent memory issues */
+export const MAX_CONTENT_LENGTH = 1024 * 1024;
+// Debug logging helper
+const DEBUG = process.env.CALLIOPE_DEBUG === '1';
+export function debugLog(message, ...args) {
+    if (DEBUG)
+        console.log(`[DEBUG] ${message}`, ...args);
+}
+/**
+ * Extract text from MessageContent
+ */
+export function getTextContent(content) {
+    if (typeof content === 'string') {
+        return content;
+    }
+    return content
+        .filter(block => block.type === 'text')
+        .map(block => block.text)
+        .join('\n');
+}
+/**
+ * Estimate tokens from messages (conservative: ~3 chars per token)
+ * Uses conservative estimation to avoid context overflow
+ */
+export function estimateInputTokens(messages, tools) {
+    let totalChars = 0;
+    for (const msg of messages) {
+        // Add per-message overhead (role, structure, etc.)
+        totalChars += 50;
+        if (typeof msg.content === 'string') {
+            totalChars += msg.content.length;
+        }
+        else if (Array.isArray(msg.content)) {
+            for (const block of msg.content) {
+                if (block.type === 'text') {
+                    totalChars += block.text.length;
+                }
+                else if (block.type === 'image') {
+                    // Images are roughly 85 tokens per tile (assuming ~750 tokens average)
+                    totalChars += 3000;
+                }
+            }
+        }
+        // Add overhead for tool calls in assistant messages
+        if (msg.toolCalls) {
+            totalChars += JSON.stringify(msg.toolCalls).length;
+        }
+    }
+    // Add tool definitions overhead
+    if (tools.length > 0) {
+        totalChars += JSON.stringify(tools).length;
+    }
+    // Very conservative estimate: 2.5 characters per token
+    // Plus 35% overhead for message structure, system prompt, and formatting
+    return Math.ceil((totalChars / 2.5) * 1.35);
+}
+/**
+ * Calculate dynamic max_tokens based on available context space
+ */
+export function calculateMaxTokens(provider, model, messages, tools) {
+    const contextLimit = getModelContextLimit(provider, model);
+    const estimatedInput = estimateInputTokens(messages, tools);
+    // Use percentage-based buffer with minimum floor
+    const buffer = Math.max(CONTEXT_BUFFER_MIN, Math.ceil(contextLimit * CONTEXT_BUFFER_PERCENT));
+    const available = contextLimit - estimatedInput - buffer;
+    debugLog(`Context calculation: limit=${contextLimit}, input≈${estimatedInput}, buffer=${buffer}, available=${available}`);
+    // Ensure we have at least MIN_OUTPUT_TOKENS, up to MAX_TOKENS
+    if (available < MIN_OUTPUT_TOKENS) {
+        debugLog(`WARNING: Very limited output space (${available}), using minimum ${MIN_OUTPUT_TOKENS}`);
+        return MIN_OUTPUT_TOKENS;
+    }
+    return Math.min(MAX_TOKENS, available);
+}
+/**
+ * Check if context needs summarization based on actual token usage
+ * Call this with the input_tokens from the last API response
+ */
+export function needsSummarization(provider, model, actualInputTokens) {
+    const contextLimit = getModelContextLimit(provider, model);
+    const threshold = contextLimit * 0.75; // Trigger summarization at 75% full
+    return actualInputTokens >= threshold;
+}
+/**
+ * Get context health info
+ */
+export function getContextHealth(provider, model, actualInputTokens) {
+    const limit = getModelContextLimit(provider, model);
+    const percent = Math.round((actualInputTokens / limit) * 100);
+    return {
+        limit,
+        used: actualInputTokens,
+        percent,
+        needsSummarization: actualInputTokens >= limit * 0.75,
+    };
+}
+/**
+ * Estimate context usage before making a request (for pre-request summarization)
+ * Uses conservative estimation since we don't have actual token counts yet
+ */
+export function estimateContextUsage(provider, model, messages, tools) {
+    const estimated = estimateInputTokens(messages, tools);
+    const limit = getModelContextLimit(provider, model);
+    const percent = Math.round((estimated / limit) * 100);
+    return {
+        estimated,
+        limit,
+        percent,
+        needsSummarization: estimated >= limit * 0.75, // Trigger auto-compact at 75%
+    };
+}
+/**
+ * Validate and sanitize LLM response
+ */
+export function validateLLMResponse(response) {
+    // Ensure content is a string
+    if (response.content === null || response.content === undefined) {
+        response.content = '';
+    }
+    else if (typeof response.content !== 'string') {
+        response.content = String(response.content);
+    }
+    // Truncate if too long to prevent memory issues
+    if (response.content.length > MAX_CONTENT_LENGTH) {
+        debugLog('Response content truncated from', response.content.length, 'to', MAX_CONTENT_LENGTH);
+        response.content = response.content.slice(0, MAX_CONTENT_LENGTH) + '\n... [truncated]';
+    }
+    // Validate tool calls if present
+    if (response.toolCalls) {
+        response.toolCalls = response.toolCalls.filter(call => {
+            if (!call.id || typeof call.id !== 'string') {
+                debugLog('Invalid tool call: missing or invalid id', call);
+                return false;
+            }
+            if (!call.name || typeof call.name !== 'string') {
+                debugLog('Invalid tool call: missing or invalid name', call);
+                return false;
+            }
+            if (call.arguments === null || call.arguments === undefined) {
+                call.arguments = {};
+            }
+            return true;
+        });
+        if (response.toolCalls.length === 0) {
+            response.toolCalls = undefined;
+        }
+    }
+    // Ensure valid finish reason
+    if (!['stop', 'tool_use', 'length', 'error'].includes(response.finishReason)) {
+        response.finishReason = 'stop';
+    }
+    return response;
+}
+//# sourceMappingURL=types.js.map

package/dist/providers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/providers/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAG7D,YAAY;AACZ,MAAM,CAAC,MAAM,UAAU,GAAG,IAAI,CAAC;AAC/B,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,CAAC,CAAC,mCAAmC;AAC1E,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,CAAC,CAAC,iCAAiC;AAC7E,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,CAAC,CAAC,4CAA4C;AAEpF,oEAAoE;AACpE,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,IAAI,CAAC;AAE9C,uBAAuB;AACvB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,GAAG,CAAC;AACjD,MAAM,UAAU,QAAQ,CAAC,OAAe,EAAE,GAAG,IAAe;IAC1D,IAAI,KAAK;QAAE,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,EAAE,EAAE,GAAG,IAAI,CAAC,CAAC;AACxD,CAAC;AAYD;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAA2B;IACxD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,OAAO;SACX,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC;SACtC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAE,KAAqB,CAAC,IAAI,CAAC;SACzC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAmB,EAAE,KAAa;IACpE,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,mDAAmD;QACnD,UAAU,IAAI,EAAE,CAAC;QAEjB,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACpC,UAAU,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;QACnC,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACtC,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;gBAChC,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;oBAC1B,UAAU,IAAK,KAAqB,CAAC,IAAI,CAAC,MAAM,CAAC;gBACnD,CAAC;qBAAM,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBAClC,uEAAuE;oBACvE,UAAU,IAAI,IAAI,CAAC;gBACrB,CAAC;YACH,CAAC;QACH,CAAC;QACD,oDAAoD;QACpD,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YAClB,UAAU,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;QACrD,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,UAAU,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;IAC7C,CAAC;IAED,uDAAuD;IACvD,yEAAyE;IACzE,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAqB,EACrB,KAAa,EACb,QAAmB,EACnB,KAAa;IAEb,MAAM,YAAY,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC3D,MAAM,cAAc,GAAG,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC5D,iDAAiD;IACjD,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,GAAG,sBAAsB,CAAC,CAAC,CAAC;IAC9F,MAAM,SAAS,GAAG,YAAY,GAAG,cAAc,GAAG,MAAM,CAAC;IAEzD,QAAQ,CAAC,8BAA8B,YAAY,WAAW,cAAc,YAAY,MAAM,eAAe,SAAS,EAAE,CAAC,CAAC;IAE1H,8DAA8D;IAC9D,IAAI,SAAS,GAAG,iBAAiB,EAAE,CAAC;QAClC,QAAQ,CAAC,uCAAuC,SAAS,oBAAoB,iBAAiB,EAAE,CAAC,CAAC;QAClG,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;AACzC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAqB,EACrB,KAAa,EACb,iBAAyB;IAEzB,MAAM,YAAY,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC3D,MAAM,SAAS,GAAG,YAAY,GAAG,IAAI,CAAC,CAAC,oCAAoC;IAC3E,OAAO,iBAAiB,IAAI,SAAS,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAqB,EACrB,KAAa,EACb,iBAAyB;IAEzB,MAAM,KAAK,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,iBAAiB,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC;IAC9D,OAAO;QACL,KAAK;QACL,IAAI,EAAE,iBAAiB;QACvB,OAAO;QACP,kBAAkB,EAAE,iBAAiB,IAAI,KAAK,GAAG,IAAI;KACtD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,QAAqB,EACrB,KAAa,EACb,QAAmB,EACnB,KAAa;IAEb,MAAM,SAAS,GAAG,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,oBAAoB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC;IACtD,OAAO;QACL,SAAS;QACT,KAAK;QACL,OAAO;QACP,kBAAkB,EAAE,SAAS,IAAI,KAAK,GAAG,IAAI,EAAE,8BAA8B;KAC9E,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAqB;IACvD,6BAA6B;IAC7B,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,IAAI,QAAQ,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAChE,QAAQ,CAAC,OAAO,GAAG,EAAE,CAAC;IACxB,CAAC;SAAM,IAAI,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChD,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,gDAAgD;IAChD,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,GAAG,kBAAkB,EAAE,CAAC;QACjD,QAAQ,CAAC,iCAAiC,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC;QAC/F,QAAQ,CAAC,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,kBAAkB,CAAC,GAAG,mBAAmB,CAAC;IACzF,CAAC;IAED,iCAAiC;IACjC,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;QACvB,QAAQ,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;YACpD,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,EAAE,CAAC;gBAC5C,QAAQ,CAAC,0CAA0C,EAAE,IAAI,CAAC,CAAC;gBAC3D,OAAO,KAAK,CAAC;YACf,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAChD,QAAQ,CAAC,4CAA4C,EAAE,IAAI,CAAC,CAAC;gBAC7D,OAAO,KAAK,CAAC;YACf,CAAC;YACD,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC5D,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC;YACtB,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpC,QAAQ,CAAC,SAAS,GAAG,SAAS,CAAC;QACjC,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,IAAI,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC7E,QAAQ,CAAC,YAAY,GAAG,MAAM,CAAC;IACjC,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/sandbox-native.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Calliope CLI - Native OS Sandbox
+ *
+ * Lightweight OS-level sandboxing as an alternative to Docker.
+ * Currently supports macOS (Seatbelt via sandbox-exec).
+ * Linux Landlock support is planned for the future.
+ */
+export type SandboxBackend = 'seatbelt' | 'landlock' | 'none';
+export interface NativeSandboxResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+    sandboxed: boolean;
+    backend: SandboxBackend;
+}
+export interface NativeSandboxOptions {
+    /** Timeout in milliseconds (default: 60000) */
+    timeout?: number;
+    /** Allow network access (default: false) */
+    networkEnabled?: boolean;
+    /** Additional read-only paths to allow */
+    readOnlyPaths?: string[];
+    /** Additional read-write paths to allow */
+    readWritePaths?: string[];
+}
+/**
+ * Check if macOS Seatbelt (sandbox-exec) is available
+ */
+export declare function isSeatbeltAvailable(): boolean;
+/**
+ * Check if Linux Landlock is available (placeholder for future implementation)
+ */
+export declare function isLandlockAvailable(): boolean;
+/**
+ * Check if any native sandbox backend is available
+ */
+export declare function isNativeSandboxAvailable(): boolean;
+/**
+ * Get the available native sandbox backend
+ */
+export declare function getAvailableBackend(): SandboxBackend;
+/**
+ * Get a human-readable description of the current sandbox status
+ */
+export declare function getSandboxStatus(): {
+    platform: string;
+    backend: SandboxBackend;
+    available: boolean;
+    description: string;
+};
+/**
+ * Execute a shell command inside a native OS sandbox
+ */
+export declare function executeInNativeSandbox(command: string, cwd: string, options?: NativeSandboxOptions): Promise<NativeSandboxResult>;
+/**
+ * Reset cached detection results (useful for testing)
+ */
+export declare function resetDetectionCache(): void;
+//# sourceMappingURL=sandbox-native.d.ts.map

package/dist/sandbox-native.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-native.d.ts","sourceRoot":"","sources":["../src/sandbox-native.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AASH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC;AAE9D,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,EAAE,cAAc,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,+CAA+C;IAC/C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,0CAA0C;IAC1C,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AA+FD;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAiB7C;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAa7C;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,OAAO,CAElD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,cAAc,CAIpD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,cAAc,CAAC;IACxB,SAAS,EAAE,OAAO,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB,CAyBA;AAcD;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,mBAAmB,CAAC,CAyB9B;AA0FD;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,IAAI,CAG1C"}

package/dist/sandbox-native.js

@@ -0,0 +1,292 @@
+/**
+ * Calliope CLI - Native OS Sandbox
+ *
+ * Lightweight OS-level sandboxing as an alternative to Docker.
+ * Currently supports macOS (Seatbelt via sandbox-exec).
+ * Linux Landlock support is planned for the future.
+ */
+import { spawn, execFileSync } from 'child_process';
+import * as os from 'os';
+// ============================================================================
+// macOS Seatbelt Profile
+// ============================================================================
+/**
+ * Build a Seatbelt profile for sandboxed execution.
+ *
+ * Defaults:
+ *  - deny everything by default
+ *  - allow process execution and forking
+ *  - allow all file reads (safe; write restriction is the enforcement point)
+ *  - allow file writes only in: project cwd, /dev (stdout/stderr), temp dirs
+ *  - allow file-ioctl (terminal I/O), sysctl-read, mach-lookup, signal
+ *  - optionally allow outbound HTTP/HTTPS
+ */
+/**
+ * Sanitize a path for safe embedding in a Seatbelt profile string.
+ * Escapes characters that are significant in the Scheme-like DSL
+ * (double quotes, backslashes, parentheses) to prevent profile injection.
+ */
+function sanitizeSeatbeltPath(p) {
+    // Reject paths containing null bytes
+    if (p.includes('\0')) {
+        throw new Error(`Invalid path for sandbox profile: contains null bytes`);
+    }
+    // Escape backslashes first, then double quotes
+    return p.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+}
+function buildSeatbeltProfile(cwd, options = {}) {
+    const extraReadWrite = options.readWritePaths || [];
+    const safeCwd = sanitizeSeatbeltPath(cwd);
+    // Build read-write subpath rules for extra paths
+    const extraRwRules = extraReadWrite
+        .map((p) => `(allow file-write* (subpath "${sanitizeSeatbeltPath(p)}"))`)
+        .join('\n');
+    // Network rules
+    const networkRules = options.networkEnabled
+        ? `(allow network-outbound (remote ip "*:443") (remote ip "*:80"))\n(allow network-outbound (remote unix-socket))`
+        : '';
+    const profile = `(version 1)
+(deny default)
+
+;; Process execution
+(allow process-exec)
+(allow process-fork)
+
+;; File reads: allow broadly (read-only is safe; write restrictions are the enforcement point)
+(allow file-read*)
+
+;; File writes: restricted to project directory, temp dirs, and stdout/stderr devices
+(allow file-write*
+  (subpath "/dev")
+  (subpath "/private/tmp")
+  (subpath "/private/var/tmp")
+  (subpath "/private/var/folders")
+  (subpath "/var/tmp")
+  (subpath "/tmp")
+  (subpath "${safeCwd}")
+)
+
+;; Extra paths
+${extraRwRules}
+
+;; Terminal I/O control (needed for stdout/stderr)
+(allow file-ioctl)
+
+;; System operations
+(allow sysctl-read)
+(allow mach-lookup)
+(allow signal)
+
+;; Network
+${networkRules}
+`;
+    return profile;
+}
+// ============================================================================
+// Detection
+// ============================================================================
+let _seatbeltAvailable = null;
+let _landlockAvailable = null;
+/**
+ * Check if macOS Seatbelt (sandbox-exec) is available
+ */
+export function isSeatbeltAvailable() {
+    if (_seatbeltAvailable !== null)
+        return _seatbeltAvailable;
+    if (os.platform() !== 'darwin') {
+        _seatbeltAvailable = false;
+        return false;
+    }
+    try {
+        // sandbox-exec exists on macOS by default, just verify the binary is present
+        execFileSync('which', ['sandbox-exec'], { stdio: 'pipe' });
+        _seatbeltAvailable = true;
+    }
+    catch {
+        _seatbeltAvailable = false;
+    }
+    return _seatbeltAvailable;
+}
+/**
+ * Check if Linux Landlock is available (placeholder for future implementation)
+ */
+export function isLandlockAvailable() {
+    if (_landlockAvailable !== null)
+        return _landlockAvailable;
+    if (os.platform() !== 'linux') {
+        _landlockAvailable = false;
+        return false;
+    }
+    // TODO: Check for Landlock support via /proc/sys/kernel/landlock or similar
+    // Landlock requires Linux 5.13+ and is a kernel-level sandboxing mechanism.
+    // For now, return false until full implementation is done.
+    _landlockAvailable = false;
+    return false;
+}
+/**
+ * Check if any native sandbox backend is available
+ */
+export function isNativeSandboxAvailable() {
+    return isSeatbeltAvailable() || isLandlockAvailable();
+}
+/**
+ * Get the available native sandbox backend
+ */
+export function getAvailableBackend() {
+    if (isSeatbeltAvailable())
+        return 'seatbelt';
+    if (isLandlockAvailable())
+        return 'landlock';
+    return 'none';
+}
+/**
+ * Get a human-readable description of the current sandbox status
+ */
+export function getSandboxStatus() {
+    const platform = os.platform();
+    const backend = getAvailableBackend();
+    const available = backend !== 'none';
+    let description;
+    switch (backend) {
+        case 'seatbelt':
+            description = 'macOS Seatbelt (sandbox-exec) - restricts file access, network, and system calls';
+            break;
+        case 'landlock':
+            description = 'Linux Landlock - kernel-level filesystem sandboxing';
+            break;
+        case 'none':
+            if (platform === 'darwin') {
+                description = 'sandbox-exec not found on this macOS system';
+            }
+            else if (platform === 'linux') {
+                description = 'Landlock not available (requires Linux 5.13+, not yet implemented)';
+            }
+            else {
+                description = `No native sandbox available for ${platform}`;
+            }
+            break;
+    }
+    return { platform, backend, available, description };
+}
+// ============================================================================
+// Output Size Limits
+// ============================================================================
+/** Maximum size for stdout/stderr buffers (10MB) to prevent unbounded memory growth */
+const MAX_OUTPUT_SIZE = 10 * 1024 * 1024;
+const TRUNCATION_WARNING = '\n\n[Output truncated at 10MB limit]';
+// ============================================================================
+// Execution
+// ============================================================================
+/**
+ * Execute a shell command inside a native OS sandbox
+ */
+export function executeInNativeSandbox(command, cwd, options = {}) {
+    const backend = getAvailableBackend();
+    switch (backend) {
+        case 'seatbelt':
+            return executeWithSeatbelt(command, cwd, options);
+        case 'landlock':
+            // Landlock not yet implemented — fall through to unsandboxed
+            return Promise.resolve({
+                stdout: '',
+                stderr: 'Landlock sandbox is not yet implemented. Command was not executed.',
+                exitCode: 1,
+                sandboxed: false,
+                backend: 'none',
+            });
+        case 'none':
+        default:
+            return Promise.resolve({
+                stdout: '',
+                stderr: 'No native sandbox backend available. Command was not executed.',
+                exitCode: 1,
+                sandboxed: false,
+                backend: 'none',
+            });
+    }
+}
+/**
+ * Execute a command using macOS Seatbelt (sandbox-exec)
+ */
+function executeWithSeatbelt(command, cwd, options = {}) {
+    const timeout = options.timeout || 60000;
+    const profile = buildSeatbeltProfile(cwd, options);
+    return new Promise((resolve) => {
+        let stdout = '';
+        let stderr = '';
+        let timedOut = false;
+        let stdoutTruncated = false;
+        let stderrTruncated = false;
+        const child = spawn('sandbox-exec', ['-p', profile, 'bash', '-c', command], {
+            cwd,
+            timeout,
+            env: { ...process.env, TERM: 'dumb' },
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        const timer = setTimeout(() => {
+            timedOut = true;
+            child.kill('SIGKILL');
+        }, timeout);
+        child.stdout.on('data', (data) => {
+            if (!stdoutTruncated) {
+                stdout += data.toString();
+                if (stdout.length > MAX_OUTPUT_SIZE) {
+                    stdout = stdout.slice(0, MAX_OUTPUT_SIZE);
+                    stdoutTruncated = true;
+                }
+            }
+        });
+        child.stderr.on('data', (data) => {
+            if (!stderrTruncated) {
+                stderr += data.toString();
+                if (stderr.length > MAX_OUTPUT_SIZE) {
+                    stderr = stderr.slice(0, MAX_OUTPUT_SIZE);
+                    stderrTruncated = true;
+                }
+            }
+        });
+        child.on('close', (code) => {
+            clearTimeout(timer);
+            if (stdoutTruncated)
+                stdout += TRUNCATION_WARNING;
+            if (stderrTruncated)
+                stderr += TRUNCATION_WARNING;
+            if (timedOut) {
+                resolve({
+                    stdout,
+                    stderr: stderr + '\nExecution timed out',
+                    exitCode: 124,
+                    sandboxed: true,
+                    backend: 'seatbelt',
+                });
+            }
+            else {
+                resolve({
+                    stdout,
+                    stderr,
+                    exitCode: code || 0,
+                    sandboxed: true,
+                    backend: 'seatbelt',
+                });
+            }
+        });
+        child.on('error', (err) => {
+            clearTimeout(timer);
+            resolve({
+                stdout: '',
+                stderr: err.message,
+                exitCode: 1,
+                sandboxed: false,
+                backend: 'none',
+            });
+        });
+    });
+}
+/**
+ * Reset cached detection results (useful for testing)
+ */
+export function resetDetectionCache() {
+    _seatbeltAvailable = null;
+    _landlockAvailable = null;
+}
+//# sourceMappingURL=sandbox-native.js.map

package/dist/sandbox-native.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-native.js","sourceRoot":"","sources":["../src/sandbox-native.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AA2BzB,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;;;;;;;;GAUG;AACH;;;;GAIG;AACH,SAAS,oBAAoB,CAAC,CAAS;IACrC,qCAAqC;IACrC,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,+CAA+C;IAC/C,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,oBAAoB,CAC3B,GAAW,EACX,UAAgC,EAAE;IAElC,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;IAEpD,MAAM,OAAO,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;IAE1C,iDAAiD;IACjD,MAAM,YAAY,GAAG,cAAc;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,gCAAgC,oBAAoB,CAAC,CAAC,CAAC,KAAK,CAAC;SACxE,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,gBAAgB;IAChB,MAAM,YAAY,GAAG,OAAO,CAAC,cAAc;QACzC,CAAC,CAAC,gHAAgH;QAClH,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,OAAO,GAAG;;;;;;;;;;;;;;;;;;cAkBJ,OAAO;;;;EAInB,YAAY;;;;;;;;;;;EAWZ,YAAY;CACb,CAAC;IAEA,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,IAAI,kBAAkB,GAAmB,IAAI,CAAC;AAC9C,IAAI,kBAAkB,GAAmB,IAAI,CAAC;AAE9C;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,kBAAkB,KAAK,IAAI;QAAE,OAAO,kBAAkB,CAAC;IAE3D,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC/B,kBAAkB,GAAG,KAAK,CAAC;QAC3B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC;QACH,6EAA6E;QAC7E,YAAY,CAAC,OAAO,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3D,kBAAkB,GAAG,IAAI,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB,GAAG,KAAK,CAAC;IAC7B,CAAC;IAED,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,kBAAkB,KAAK,IAAI;QAAE,OAAO,kBAAkB,CAAC;IAE3D,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,OAAO,EAAE,CAAC;QAC9B,kBAAkB,GAAG,KAAK,CAAC;QAC3B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,2DAA2D;IAC3D,kBAAkB,GAAG,KAAK,CAAC;IAC3B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,mBAAmB,EAAE,IAAI,mBAAmB,EAAE,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,mBAAmB,EAAE;QAAE,OAAO,UAAU,CAAC;IAC7C,IAAI,mBAAmB,EAAE;QAAE,OAAO,UAAU,CAAC;IAC7C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB;IAM9B,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;IACtC,MAAM,SAAS,GAAG,OAAO,KAAK,MAAM,CAAC;IAErC,IAAI,WAAmB,CAAC;IACxB,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,UAAU;YACb,WAAW,GAAG,kFAAkF,CAAC;YACjG,MAAM;QACR,KAAK,UAAU;YACb,WAAW,GAAG,qDAAqD,CAAC;YACpE,MAAM;QACR,KAAK,MAAM;YACT,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC1B,WAAW,GAAG,6CAA6C,CAAC;YAC9D,CAAC;iBAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;gBAChC,WAAW,GAAG,oEAAoE,CAAC;YACrF,CAAC;iBAAM,CAAC;gBACN,WAAW,GAAG,mCAAmC,QAAQ,EAAE,CAAC;YAC9D,CAAC;YACD,MAAM;IACV,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC;AACvD,CAAC;AAED,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E,uFAAuF;AACvF,MAAM,eAAe,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AACzC,MAAM,kBAAkB,GAAG,sCAAsC,CAAC;AAElE,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACpC,OAAe,EACf,GAAW,EACX,UAAgC,EAAE;IAElC,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;IAEtC,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,UAAU;YACb,OAAO,mBAAmB,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QACpD,KAAK,UAAU;YACb,6DAA6D;YAC7D,OAAO,OAAO,CAAC,OAAO,CAAC;gBACrB,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,oEAAoE;gBAC5E,QAAQ,EAAE,CAAC;gBACX,SAAS,EAAE,KAAK;gBAChB,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;QACL,KAAK,MAAM,CAAC;QACZ;YACE,OAAO,OAAO,CAAC,OAAO,CAAC;gBACrB,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,gEAAgE;gBACxE,QAAQ,EAAE,CAAC;gBACX,SAAS,EAAE,KAAK;gBAChB,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;IACP,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAC1B,OAAe,EACf,GAAW,EACX,UAAgC,EAAE;IAElC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC;IACzC,MAAM,OAAO,GAAG,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,eAAe,GAAG,KAAK,CAAC;QAC5B,IAAI,eAAe,GAAG,KAAK,CAAC;QAE5B,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE;YAC1E,GAAG;YACH,OAAO;YACP,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE;YACrC,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,QAAQ,GAAG,IAAI,CAAC;YAChB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC,EAAE,OAAO,CAAC,CAAC;QAEZ,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC/B,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC1B,IAAI,MAAM,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;oBACpC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;oBAC1C,eAAe,GAAG,IAAI,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC/B,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAC1B,IAAI,MAAM,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;oBACpC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;oBAC1C,eAAe,GAAG,IAAI,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YAEpB,IAAI,eAAe;gBAAE,MAAM,IAAI,kBAAkB,CAAC;YAClD,IAAI,eAAe;gBAAE,MAAM,IAAI,kBAAkB,CAAC;YAElD,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,CAAC;oBACN,MAAM;oBACN,MAAM,EAAE,MAAM,GAAG,uBAAuB;oBACxC,QAAQ,EAAE,GAAG;oBACb,SAAS,EAAE,IAAI;oBACf,OAAO,EAAE,UAAU;iBACpB,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC;oBACN,MAAM;oBACN,MAAM;oBACN,QAAQ,EAAE,IAAI,IAAI,CAAC;oBACnB,SAAS,EAAE,IAAI;oBACf,OAAO,EAAE,UAAU;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC;gBACN,MAAM,EAAE,EAAE;gBACV,MAAM,EAAE,GAAG,CAAC,OAAO;gBACnB,QAAQ,EAAE,CAAC;gBACX,SAAS,EAAE,KAAK;gBAChB,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,kBAAkB,GAAG,IAAI,CAAC;IAC1B,kBAAkB,GAAG,IAAI,CAAC;AAC5B,CAAC"}

package/dist/sandbox.d.ts

@@ -37,7 +37,7 @@ export declare function ensureImage(image: string): Promise<boolean>;
 /**
  * Execute code in Docker sandbox
  */
-export declare function executeInSandbox(language: Language, code: string, config?: Partial<SandboxConfig>): Promise<ExecutionResult>;
+export declare function executeInSandbox(language: Language, code: string, config?: Partial<SandboxConfig>, cwd?: string): Promise<ExecutionResult>;
 /**
  * Execute code without sandbox (fallback)
  */
@@ -45,5 +45,5 @@ export declare function executeUnsafe(language: Language, code: string, timeout?
 /**
  * Execute code (with or without sandbox based on availability)
  */
-export declare function execute(language: Language, code: string, config?: Partial<SandboxConfig>): Promise<ExecutionResult>;
+export declare function execute(language: Language, code: string, config?: Partial<SandboxConfig>, cwd?: string): Promise<ExecutionResult>;
 //# sourceMappingURL=sandbox.d.ts.map

package/dist/sandbox.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sandbox.d.ts","sourceRoot":"","sources":["../src/sandbox.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAWH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,OAAO,CAAC;IACxB,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,MAAM,CAAC;AAiC3E;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAW3C;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAOlD;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAQjE;AAMD;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,EACZ,MAAM,GAAE,OAAO,CAAC,aAAa,CAAM,GAClC,OAAO,CAAC,eAAe,CAAC,CAmH1B;AAoFD;;GAEG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,MAAc,GACtB,OAAO,CAAC,eAAe,CAAC,CAoF1B;AAMD;;GAEG;AACH,wBAAsB,OAAO,CAC3B,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,EACZ,MAAM,GAAE,OAAO,CAAC,aAAa,CAAM,GAClC,OAAO,CAAC,eAAe,CAAC,CAQ1B"}
+{"version":3,"file":"sandbox.d.ts","sourceRoot":"","sources":["../src/sandbox.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAWH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,OAAO,CAAC;IACxB,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,GAAG,MAAM,CAAC;AAiC3E;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAW3C;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAOlD;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAQjE;AAcD;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,EACZ,MAAM,GAAE,OAAO,CAAC,aAAa,CAAM,EACnC,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,eAAe,CAAC,CAoI1B;AAqFD;;GAEG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,MAAc,GACtB,OAAO,CAAC,eAAe,CAAC,CAyG1B;AAMD;;GAEG;AACH,wBAAsB,OAAO,CAC3B,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE,MAAM,EACZ,MAAM,GAAE,OAAO,CAAC,aAAa,CAAM,EACnC,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,eAAe,CAAC,CAQ1B"}