@downcity/agent 1.1.96 → 1.1.99
- package/bin/executor/composer/system/default/assets/core.prompt.d.ts +1 -1
- package/bin/executor/composer/system/default/assets/core.prompt.d.ts.map +1 -1
- package/bin/executor/composer/system/default/assets/core.prompt.js +1 -1
- package/bin/executor/composer/system/default/assets/core.prompt.js.map +1 -1
- package/bin/executor/tools/shell/ShellToolBridge.d.ts.map +1 -1
- package/bin/executor/tools/shell/ShellToolBridge.js +14 -0
- package/bin/executor/tools/shell/ShellToolBridge.js.map +1 -1
- package/bin/executor/tools/shell/types/ShellPlugin.d.ts +8 -0
- package/bin/executor/tools/shell/types/ShellPlugin.d.ts.map +1 -1
- package/bin/index.d.ts +1 -1
- package/bin/index.d.ts.map +1 -1
- package/bin/index.js.map +1 -1
- package/bin/plugin/core/ImagePlugin.d.ts +3 -64
- package/bin/plugin/core/ImagePlugin.d.ts.map +1 -1
- package/bin/plugin/core/ImagePlugin.js +12 -232
- package/bin/plugin/core/ImagePlugin.js.map +1 -1
- package/bin/sandbox/LinuxBubblewrapSandbox.d.ts +1 -3
- package/bin/sandbox/LinuxBubblewrapSandbox.d.ts.map +1 -1
- package/bin/sandbox/LinuxBubblewrapSandbox.js +31 -30
- package/bin/sandbox/LinuxBubblewrapSandbox.js.map +1 -1
- package/bin/sandbox/MacOsSeatbeltSandbox.d.ts +1 -1
- package/bin/sandbox/MacOsSeatbeltSandbox.d.ts.map +1 -1
- package/bin/sandbox/MacOsSeatbeltSandbox.js +30 -29
- package/bin/sandbox/MacOsSeatbeltSandbox.js.map +1 -1
- package/bin/sandbox/SandboxConfigResolver.d.ts +1 -0
- package/bin/sandbox/SandboxConfigResolver.d.ts.map +1 -1
- package/bin/sandbox/SandboxConfigResolver.js +13 -3
- package/bin/sandbox/SandboxConfigResolver.js.map +1 -1
- package/bin/sandbox/SandboxRunner.d.ts +17 -4
- package/bin/sandbox/SandboxRunner.d.ts.map +1 -1
- package/bin/sandbox/SandboxRunner.js +20 -5
- package/bin/sandbox/SandboxRunner.js.map +1 -1
- package/bin/sandbox/types/SandboxRuntime.d.ts +46 -6
- package/bin/sandbox/types/SandboxRuntime.d.ts.map +1 -1
- package/bin/sandbox/types/SandboxRuntime.js +2 -2
- package/bin/types/plugin/ImagePlugin.d.ts +2 -79
- package/bin/types/plugin/ImagePlugin.d.ts.map +1 -1
- package/package.json +2 -2
- package/scripts/image-plugin-job.test.mjs +21 -108
- package/scripts/linux-bubblewrap-sandbox.test.mjs +23 -14
- package/src/executor/composer/system/default/assets/core.prompt.ts +1 -1
- package/src/executor/composer/system/default/assets/core.prompt.ts.txt +5 -0
- package/src/executor/tools/shell/ShellToolBridge.ts +14 -0
- package/src/executor/tools/shell/types/ShellPlugin.ts +8 -0
- package/src/index.ts +0 -5
- package/src/plugin/core/ImagePlugin.ts +13 -286
- package/src/sandbox/LinuxBubblewrapSandbox.ts +35 -43
- package/src/sandbox/MacOsSeatbeltSandbox.ts +35 -41
- package/src/sandbox/SandboxConfigResolver.ts +15 -3
- package/src/sandbox/SandboxRunner.ts +32 -7
- package/src/sandbox/types/SandboxRuntime.ts +54 -6
- package/src/types/plugin/ImagePlugin.ts +2 -79
- package/tsconfig.tsbuildinfo +1 -1
|
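--- a/package/bin/plugin/core/ImagePlugin.js
+++ b/package/bin/plugin/core/ImagePlugin.js
@@ -2,17 +2,14 @@
 * ImagePlugin:Agent 内置图片生成插件。
 *
 * 关键点(中文)
-* -
-* -
+* - 对 Agent 只暴露同步体验的 `generate` action。
+* - City / provider 的图片能力通过单个 image 函数注入。
 * - action 返回 AI SDK UIMessage,后续由 plugin tool bridge 抽取 file parts 写回 assistant 消息。
 */
-import crypto from "node:crypto";
 import { BasePlugin } from "../../plugin/core/BasePlugin.js";
 const DEFAULT_IMAGE_PLUGIN_NAME = "image";
 const DEFAULT_IMAGE_PLUGIN_TITLE = "Image";
 const DEFAULT_IMAGE_PLUGIN_DESCRIPTION = "Generate images and return them as assistant file parts.";
-const DEFAULT_WAIT_TIMEOUT_MS = 60_000;
-const DEFAULT_POLL_INTERVAL_MS = 3_000;
 /**
 * 判断值是否为普通对象。
 */
@@ -31,40 +28,16 @@ function normalize_image_payload(payload) {
 }
 return { ...record };
 }
-function normalize_job_id_payload(payload) {
-const record = to_record(payload ?? {});
-const job_id = String(record?.job_id || "").trim();
-if (!job_id) {
-throw new TypeError("ImagePlugin job action requires job_id");
-}
-return { job_id };
-}
 /**
 * 校验 image 函数返回的 UIMessage。
 */
 function normalize_image_result(result) {
 const record = to_record(result);
 if (!record || !Array.isArray(record.parts)) {
-throw new TypeError("ImagePlugin image
+throw new TypeError("ImagePlugin image provider must return an AI SDK UIMessage");
 }
 return result;
 }
-/**
-* 归一化任务状态查询结果,确保 status action 不携带图片结果。
-*/
-function normalize_job_status_result(result) {
-return {
-job_id: result.job_id,
-status: result.status,
-...(result.message ? { message: result.message } : {}),
-...(result.error ? { error: result.error } : {}),
-...(typeof result.poll_after_ms === "number"
-? { poll_after_ms: result.poll_after_ms }
-: {}),
-...(result.created_at ? { created_at: result.created_at } : {}),
-...(result.updated_at ? { updated_at: result.updated_at } : {}),
-};
-}
 /**
 * Agent 图片生成插件。
 */
@@ -82,236 +55,43 @@ export class ImagePlugin extends BasePlugin {
 */
 description;
 image;
-create_job;
-read_job_status;
-read_job_result;
-wait_timeout_ms;
-poll_interval_ms;
-local_jobs = new Map();
 constructor(options) {
 super();
 const name = String(options.name || DEFAULT_IMAGE_PLUGIN_NAME).trim();
 if (!name) {
 throw new Error("ImagePlugin requires a non-empty name");
 }
-
-
-(typeof options.create !== "function" ||
-typeof options.status !== "function" ||
-typeof options.result !== "function")) {
-throw new Error("ImagePlugin custom job API requires create, status, and result functions");
-}
-if (!has_custom_job_api && typeof options.image !== "function") {
-throw new Error("ImagePlugin requires either image(input) or create/status/result functions");
+if (typeof options.image !== "function") {
+throw new Error("ImagePlugin requires an image function");
 }
 this.name = name;
 this.title = String(options.title || DEFAULT_IMAGE_PLUGIN_TITLE).trim();
 this.description = String(options.description || DEFAULT_IMAGE_PLUGIN_DESCRIPTION).trim();
 this.image = options.image;
-this.create_job = options.create;
-this.read_job_status = options.status;
-this.read_job_result = options.result;
-this.wait_timeout_ms =
-typeof options.wait_timeout_ms === "number" && options.wait_timeout_ms > 0
-? options.wait_timeout_ms
-: DEFAULT_WAIT_TIMEOUT_MS;
-this.poll_interval_ms =
-typeof options.poll_interval_ms === "number" && options.poll_interval_ms > 0
-? options.poll_interval_ms
-: DEFAULT_POLL_INTERVAL_MS;
 }
 /**
 * 图片插件给模型的最小使用说明。
 */
 system(_context) {
 return [
-"Image generation is available through the plugin_call tool
-`Call plugin "${this.name}" action "
-
-
-"Use action \"generate\" only as a compatibility shortcut when you explicitly need to wait for completion.",
-"Pass a JSON payload with prompt, optional size/aspect_ratio/quality/n, and optional provider_options to create/generate.",
+"Image generation is available through the plugin_call tool.",
+`Call plugin "${this.name}" action "generate" when the user asks to create, render, draw, or edit an image.`,
+"Pass a JSON payload with prompt, optional size/aspect_ratio/quality/n, and optional provider_options.",
+"The generated image files will be attached to the final assistant message automatically.",
 ].join("\n");
 }
-
-
-throw new Error("ImagePlugin local image job requires image(input)");
-}
-const now = new Date().toISOString();
-const job_id = `img_${crypto.randomUUID()}`;
-const record = {
-job_id,
-status: "running",
-message: "image job is running",
-created_at: now,
-updated_at: now,
-};
-this.local_jobs.set(job_id, record);
-void this.run_local_job(record, input, this.image);
-return {
-job_id,
-status: record.status,
-message: record.message,
-poll_after_ms: this.poll_interval_ms,
-created_at: record.created_at,
-updated_at: record.updated_at,
-};
-}
-async run_local_job(record, input, image) {
-try {
-const message = normalize_image_result(await image(input));
-record.status = "succeeded";
-record.result = message;
-record.message = "image job succeeded";
-record.updated_at = new Date().toISOString();
-}
-catch (error) {
-record.status = "failed";
-record.error = String(error);
-record.message = "image job failed";
-record.updated_at = new Date().toISOString();
-}
-}
-read_local_job(job_id) {
-const record = this.local_jobs.get(job_id);
-if (!record) {
-throw new Error(`Unknown image job: ${job_id}`);
-}
-return record;
-}
-serialize_local_status(record) {
-return {
-job_id: record.job_id,
-status: record.status,
-...(record.message ? { message: record.message } : {}),
-...(record.error ? { error: record.error } : {}),
-...(record.status === "running" || record.status === "queued"
-? { poll_after_ms: this.poll_interval_ms }
-: {}),
-created_at: record.created_at,
-updated_at: record.updated_at,
-};
-}
-serialize_local_result(record) {
-return {
-job_id: record.job_id,
-status: record.status,
-...(record.result ? { result: record.result } : {}),
-...(record.error ? { error: record.error } : {}),
-...(record.message ? { message: record.message } : {}),
-created_at: record.created_at,
-updated_at: record.updated_at,
-};
-}
-async wait_for_job(job_id) {
-const deadline = Date.now() + this.wait_timeout_ms;
-while (Date.now() <= deadline) {
-const result = this.read_job_result
-? await this.read_job_result({ job_id })
-: this.serialize_local_result(this.read_local_job(job_id));
-if (result.status === "succeeded" && result.result) {
-return normalize_image_result(result.result);
-}
-if (result.status === "failed") {
-throw new Error(result.error || result.message || "image job failed");
-}
-await new Promise((resolve) => setTimeout(resolve, this.poll_interval_ms));
-}
-throw new Error(`image job timed out: ${job_id}`);
+async generate_image(input) {
+return normalize_image_result(await this.image(input));
 }
 /**
 * 显式 action 集合。
 */
 actions = {
-create: {
-execute: async ({ payload }) => {
-try {
-const input = normalize_image_payload(payload);
-const result = this.create_job
-? await this.create_job(input)
-: this.create_local_job(input);
-return {
-success: true,
-data: result,
-message: result.message || "image job created",
-};
-}
-catch (error) {
-return {
-success: false,
-error: String(error),
-message: String(error),
-};
-}
-},
-},
-status: {
-execute: async ({ payload }) => {
-try {
-const input = normalize_job_id_payload(payload);
-const result = this.read_job_status
-? normalize_job_status_result(await this.read_job_status(input))
-: this.serialize_local_status(this.read_local_job(input.job_id));
-return {
-success: true,
-data: result,
-message: result.message || `image job ${result.status}`,
-};
-}
-catch (error) {
-return {
-success: false,
-error: String(error),
-message: String(error),
-};
-}
-},
-},
-result: {
-execute: async ({ payload }) => {
-try {
-const input = normalize_job_id_payload(payload);
-const result = this.read_job_result
-? await this.read_job_result(input)
-: this.serialize_local_result(this.read_local_job(input.job_id));
-if (result.status === "succeeded" && result.result) {
-return {
-success: true,
-data: result.result,
-message: result.message || "image job succeeded",
-};
-}
-if (result.status === "failed") {
-return {
-success: false,
-data: result,
-error: result.error || result.message || "image job failed",
-message: result.message || "image job failed",
-};
-}
-return {
-success: true,
-data: result,
-message: result.message || `image job ${result.status}`,
-};
-}
-catch (error) {
-return {
-success: false,
-error: String(error),
-message: String(error),
-};
-}
-},
-},
 generate: {
 execute: async ({ payload }) => {
 try {
 const input = normalize_image_payload(payload);
-const
-? await this.create_job(input)
-: this.create_local_job(input);
-const message = await this.wait_for_job(job.job_id);
+const message = await this.generate_image(input);
 return {
 success: true,
 data: message,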
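Review bot: `generate_image` awaits `this.image(input)` with no deadline, so a provider call that never settles keeps the `generate` action open indefinitely; the removed `wait_for_job` path at least bounded the wait with `wait_timeout_ms`. Unless the injected function or the caller of the action enforces its own timeout (not visible in this section), keep the `wait_timeout_ms` option the commit removes and race the provider call against it, as in the sketch below; the race bounds the action but does not cancel the provider request itself. The `generate` action's `try` block continues past the end of this hunk. This file is build output, so the change belongs in `package/src/plugin/core/ImagePlugin.ts`.

```javascript
async generate_image(input) {
    // Bound the provider call: a stalled provider must not hold the action open.
    let timer;
    const deadline = new Promise((_resolve, reject) => {
        timer = setTimeout(() => reject(new Error("image provider timed out")), this.wait_timeout_ms);
    });
    try {
        return normalize_image_result(await Promise.race([this.image(input), deadline]));
    }
    finally {
        clearTimeout(timer);
    }
}
// … unchanged: actions.generate calls this.generate_image(input) …
```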
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ImagePlugin.js","sourceRoot":"","sources":["../../../src/plugin/core/ImagePlugin.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AAWjC,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAEzD,MAAM,yBAAyB,GAAG,OAAO,CAAC;AAC1C,MAAM,0BAA0B,GAAG,OAAO,CAAC;AAC3C,MAAM,gCAAgC,GACpC,0DAA0D,CAAC;AAC7D,MAAM,uBAAuB,GAAG,MAAM,CAAC;AACvC,MAAM,wBAAwB,GAAG,KAAK,CAAC;AAiCvC;;GAEG;AACH,SAAS,SAAS,CAAC,KAAc;IAC/B,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7E,OAAO,KAAgC,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,OAA8B;IAC7D,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,EAAE,GAAG,MAAM,EAAsB,CAAC;AAC3C,CAAC;AAED,SAAS,wBAAwB,CAAC,OAA8B;IAC9D,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACnD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CAAC,wCAAwC,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,MAAyB;IACvD,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,SAAS,CAAC,4DAA4D,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,2BAA2B,CAClC,MAAkC;IAElC,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACtD,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChD,GAAG,CAAC,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ;YAC1C,CAAC,CAAC,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE;YACzC,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAChE,CAAC;AACJ,
CAAC;AAED;;GAEG;AACH,MAAM,OAAO,WAAY,SAAQ,UAAU;IACzC;;OAEG;IACM,IAAI,CAAS;IAEtB;;OAEG;IACM,KAAK,CAAS;IAEvB;;OAEG;IACM,WAAW,CAAS;IAEZ,KAAK,CAA8B;IACnC,UAAU,CAAgC;IAC1C,eAAe,CAAgC;IAC/C,eAAe,CAAgC;IAC/C,eAAe,CAAS;IACxB,gBAAgB,CAAS;IACzB,UAAU,GAAG,IAAI,GAAG,EAA+B,CAAC;IAErE,YAAY,OAA2B;QACrC,KAAK,EAAE,CAAC;QACR,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,yBAAyB,CAAC,CAAC,IAAI,EAAE,CAAC;QACtE,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,MAAM,kBAAkB,GAAG,OAAO,CAChC,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CACnD,CAAC;QACF,IACE,kBAAkB;YAClB,CAAC,OAAO,OAAO,CAAC,MAAM,KAAK,UAAU;gBACnC,OAAO,OAAO,CAAC,MAAM,KAAK,UAAU;gBACpC,OAAO,OAAO,CAAC,MAAM,KAAK,UAAU,CAAC,EACvC,CAAC;YACD,MAAM,IAAI,KAAK,CACb,0EAA0E,CAC3E,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,kBAAkB,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC/D,MAAM,IAAI,KAAK,CACb,4EAA4E,CAC7E,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,0BAA0B,CAAC,CAAC,IAAI,EAAE,CAAC;QACxE,IAAI,CAAC,WAAW,GAAG,MAAM,CACvB,OAAO,CAAC,WAAW,IAAI,gCAAgC,CACxD,CAAC,IAAI,EAAE,CAAC;QACT,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;QACjC,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC;QACtC,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC;QACtC,IAAI,CAAC,eAAe;YAClB,OAAO,OAAO,CAAC,eAAe,KAAK,QAAQ,IAAI,OAAO,CAAC,eAAe,GAAG,CAAC;gBACxE,CAAC,CAAC,OAAO,CAAC,eAAe;gBACzB,CAAC,CAAC,uBAAuB,CAAC;QAC9B,IAAI,CAAC,gBAAgB;YACnB,OAAO,OAAO,CAAC,gBAAgB,KAAK,QAAQ,IAAI,OAAO,CAAC,gBAAgB,GAAG,CAAC;gBAC1E,CAAC,CAAC,OAAO,CAAC,gBAAgB;gBAC1B,CAAC,CAAC,wBAAwB,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,QAAsB;QAC3B,OAAO;YACL,2FAA2F;YAC3F,gBAAgB,IAAI,CAAC,IAAI,iFAAiF;YAC1G,qBAAqB,IAAI,CAAC,IAAI,wDAAwD;YACtF,0CAA0C,IAAI,CAAC,IAAI,kEAAkE;YACrH,2GAA2G;YAC3G,0HAA0H;SAC3H,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IAEO,gBAAgB,CAAC,KAAuB;QAC9C,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC
,WAAW,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAwB;YAClC,MAAM;YACN,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,sBAAsB;YAC/B,UAAU,EAAE,GAAG;YACf,UAAU,EAAE,GAAG;SAChB,CAAC;QACF,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEpC,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAEnD,OAAO;YACL,MAAM;YACN,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,aAAa,EAAE,IAAI,CAAC,gBAAgB;YACpC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,MAA2B,EAC3B,KAAuB,EACvB,KAA+C;QAE/C,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,sBAAsB,CAAC,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;YAC3D,MAAM,CAAC,MAAM,GAAG,WAAW,CAAC;YAC5B,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC;YACxB,MAAM,CAAC,OAAO,GAAG,qBAAqB,CAAC;YACvC,MAAM,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC/C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC;YACzB,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YAC7B,MAAM,CAAC,OAAO,GAAG,kBAAkB,CAAC;YACpC,MAAM,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC/C,CAAC;IACH,CAAC;IAEO,cAAc,CAAC,MAAc;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,sBAAsB,MAAM,EAAE,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,sBAAsB,CAAC,MAA2B;QACxD,OAAO;YACL,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAChD,GAAG,CAAC,MAAM,CAAC,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ;gBAC3D,CAAC,CAAC,EAAE,aAAa,EAAE,IAAI,CAAC,gBAAgB,EAAE;gBAC1C,CAAC,CAAC,EAAE,CAAC;YACP,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC;IACJ,CAAC;IAEO,sBAAsB,CAAC,MAA2B;QACxD,OAAO;YACL,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,C
AAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACnD,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAChD,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,MAAc;QACvC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC;QACnD,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,QAAQ,EAAE,CAAC;YAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe;gBACjC,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;gBACxC,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7D,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBACnD,OAAO,sBAAsB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC/C,CAAC;YACD,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;gBAC/B,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,OAAO,IAAI,kBAAkB,CAAC,CAAC;YACxE,CAAC;YACD,MAAM,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;QAC7E,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,wBAAwB,MAAM,EAAE,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACM,OAAO,GAAG;QACjB,MAAM,EAAE;YACN,OAAO,EAAE,KAAK,EAAE,EAAE,OAAO,EAA0B,EAAE,EAAE;gBACrD,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;oBAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU;wBAC5B,CAAC,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;wBAC9B,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;oBACjC,OAAO;wBACL,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE,MAA+B;wBACrC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,mBAAmB;qBAC/C,CAAC;gBACJ,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;wBACpB,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC;qBACvB,CAAC;gBACJ,CAAC;YACH,CAAC;SACF;QACD,MAAM,EAAE;YACN,OAAO,EAAE,KAAK,EAAE,EAAE,OAAO,EAA0B,EAAE,EAAE;gBACrD,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;oBAChD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe;wBACjC,CAAC,CAAC,2BAA2B,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;wBAChE,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,MA
AM,CAAC,CAAC,CAAC;oBACnE,OAAO;wBACL,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE,MAA+B;wBACrC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,aAAa,MAAM,CAAC,MAAM,EAAE;qBACxD,CAAC;gBACJ,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;wBACpB,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC;qBACvB,CAAC;gBACJ,CAAC;YACH,CAAC;SACF;QACD,MAAM,EAAE;YACN,OAAO,EAAE,KAAK,EAAE,EAAE,OAAO,EAA0B,EAAE,EAAE;gBACrD,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;oBAChD,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe;wBACjC,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC;wBACnC,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;oBACnE,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;wBACnD,OAAO;4BACL,OAAO,EAAE,IAAI;4BACb,IAAI,EAAE,MAAM,CAAC,MAA+B;4BAC5C,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,qBAAqB;yBACjD,CAAC;oBACJ,CAAC;oBACD,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;wBAC/B,OAAO;4BACL,OAAO,EAAE,KAAK;4BACd,IAAI,EAAE,MAA+B;4BACrC,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,OAAO,IAAI,kBAAkB;4BAC3D,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,kBAAkB;yBAC9C,CAAC;oBACJ,CAAC;oBACD,OAAO;wBACL,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE,MAA+B;wBACrC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,aAAa,MAAM,CAAC,MAAM,EAAE;qBACxD,CAAC;gBACJ,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;wBACpB,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC;qBACvB,CAAC;gBACJ,CAAC;YACH,CAAC;SACF;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,KAAK,EAAE,EAAE,OAAO,EAA0B,EAAE,EAAE;gBACrD,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;oBAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU;wBACzB,CAAC,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;wBAC9B,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,CAAC;oBACjC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBACpD,OAAO;wBACL,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE,OAAgC;wBACtC,OAAO,EAAE,iBAAiB;qBAC3B,CAAC;gBACJ,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;wBACpB,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC;qBACvB,CAAC;gBACJ,CAAC;YACH,CAAC;SACF;KACF,CAA
C;CACH"}
|
|
1
|
+
{"version":3,"file":"ImagePlugin.js","sourceRoot":"","sources":["../../../src/plugin/core/ImagePlugin.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AASH,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAEzD,MAAM,yBAAyB,GAAG,OAAO,CAAC;AAC1C,MAAM,0BAA0B,GAAG,OAAO,CAAC;AAC3C,MAAM,gCAAgC,GACpC,0DAA0D,CAAC;AAE7D;;GAEG;AACH,SAAS,SAAS,CAAC,KAAc;IAC/B,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7E,OAAO,KAAgC,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,OAA8B;IAC7D,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,EAAE,GAAG,MAAM,EAAsB,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,MAAyB;IACvD,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,SAAS,CAAC,4DAA4D,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,WAAY,SAAQ,UAAU;IACzC;;OAEG;IACM,IAAI,CAAS;IAEtB;;OAEG;IACM,KAAK,CAAS;IAEvB;;OAEG;IACM,WAAW,CAAS;IAEZ,KAAK,CAA2C;IAEjE,YAAY,OAA2B;QACrC,KAAK,EAAE,CAAC;QACR,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,yBAAyB,CAAC,CAAC,IAAI,EAAE,CAAC;QACtE,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,0BAA0B,CAAC,CAAC,IAAI,EAAE,CAAC;QACxE,IAAI,CAAC,WAAW,GAAG,MAAM,CACvB,OAAO,CAAC,WAAW,IAAI,gCAAgC,CACxD,CAAC,IAAI,EAAE,CAAC;QACT,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,QAAsB;QAC3B,OAAO;YACL,6DAA6D;YAC7D,gBAAgB,IAAI,CAAC,IAAI,mFAAmF;YAC5G,uGAAuG;YACvG,0FAA0F;SAC3F,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,KAAuB;QAClD,OAAO,sBAAsB,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;IACzD,CAAC;IAED;;OAEG;IACM,OAAO,GAAG;QACjB,QAAQ,EAAE;YACR,OAAO,EAAE,KAAK,EAAE,EAAE,OAA
O,EAA0B,EAAE,EAAE;gBACrD,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;oBAC/C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;oBACjD,OAAO;wBACL,OAAO,EAAE,IAAI;wBACb,IAAI,EAAE,OAAgC;wBACtC,OAAO,EAAE,iBAAiB;qBAC3B,CAAC;gBACJ,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,OAAO;wBACL,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;wBACpB,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC;qBACvB,CAAC;gBACJ,CAAC;YACH,CAAC;SACF;KACF,CAAC;CACH"}
|
|
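--- a/package/bin/sandbox/LinuxBubblewrapSandbox.d.ts
+++ b/package/bin/sandbox/LinuxBubblewrapSandbox.d.ts
@@ -4,13 +4,11 @@
 * 关键点(中文)
 * - 基于 `bwrap` 提供 Linux 本机 shell sandbox。
 * - 继续保持“shell 命令必须进入 sandbox”的安全语义,不提供宿主机裸跑回退。
-* - 边界与 macOS backend
+* - 边界与 macOS backend 对齐:路径、环境变量、网络、agent 级共享 HOME/TMPDIR/cache。
 */
 import type { SandboxSpawnParams, SandboxSpawnResult } from "../sandbox/types/SandboxRuntime.js";
 export declare function buildLinuxBubblewrapArgs(params: SandboxSpawnParams & {
 actualCwd: string;
-shellHomeDir: string;
-shellTmpDir: string;
 }): string[];
 /**
 * 在 Linux bubblewrap sandbox 中启动 shell 子进程。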
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"LinuxBubblewrapSandbox.d.ts","sourceRoot":"","sources":["../../src/sandbox/LinuxBubblewrapSandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,KAAK,EACV,kBAAkB,EAClB,kBAAkB,EACnB,MAAM,mCAAmC,CAAC;
|
|
1
|
+
{"version":3,"file":"LinuxBubblewrapSandbox.d.ts","sourceRoot":"","sources":["../../src/sandbox/LinuxBubblewrapSandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,KAAK,EACV,kBAAkB,EAClB,kBAAkB,EACnB,MAAM,mCAAmC,CAAC;AA0G3C,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,kBAAkB,GAAG;IACpE,SAAS,EAAE,MAAM,CAAC;CACnB,GAAG,MAAM,EAAE,CA2DX;AAED;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,kBAAkB,GAAG;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,GACjD,OAAO,CAAC,kBAAkB,CAAC,CA+B7B"}
|
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
* 关键点(中文)
|
|
5
5
|
* - 基于 `bwrap` 提供 Linux 本机 shell sandbox。
|
|
6
6
|
* - 继续保持“shell 命令必须进入 sandbox”的安全语义,不提供宿主机裸跑回退。
|
|
7
|
-
* - 边界与 macOS backend
|
|
7
|
+
* - 边界与 macOS backend 对齐:路径、环境变量、网络、agent 级共享 HOME/TMPDIR/cache。
|
|
8
8
|
*/
|
|
9
9
|
import { spawn } from "node:child_process";
|
|
10
10
|
import path from "node:path";
|
|
@@ -33,17 +33,19 @@ function buildReadablePaths(params) {
|
|
|
33
33
|
"/lib64",
|
|
34
34
|
"/etc",
|
|
35
35
|
params.rootPath,
|
|
36
|
-
params.
|
|
37
|
-
params.
|
|
36
|
+
params.sandboxDir,
|
|
37
|
+
params.tmpDir,
|
|
38
|
+
params.cacheDir,
|
|
38
39
|
path.dirname(params.shellPath),
|
|
39
40
|
]);
|
|
40
41
|
}
|
|
41
42
|
function buildWritablePaths(params) {
|
|
42
43
|
return dedupeExistingPaths([
|
|
43
44
|
...params.config.writablePaths,
|
|
44
|
-
params.
|
|
45
|
-
params.
|
|
46
|
-
params.
|
|
45
|
+
params.executionDir,
|
|
46
|
+
params.config.sandboxDir,
|
|
47
|
+
params.config.tmpDir,
|
|
48
|
+
params.config.cacheDir,
|
|
47
49
|
]);
|
|
48
50
|
}
|
|
49
51
|
function isPathCoveredBy(paths, targetPath) {
|
|
@@ -72,8 +74,13 @@ function buildSandboxEnv(params) {
|
|
|
72
74
|
env[key] = value;
|
|
73
75
|
}
|
|
74
76
|
env.PATH = String(env.PATH || params.baseEnv.PATH || DEFAULT_PATH_VALUE);
|
|
75
|
-
env.HOME = params.
|
|
76
|
-
env.TMPDIR = params.
|
|
77
|
+
env.HOME = params.config.homeDir;
|
|
78
|
+
env.TMPDIR = params.config.tmpDir;
|
|
79
|
+
env.XDG_CACHE_HOME = params.config.cacheDir;
|
|
80
|
+
env.DC_SANDBOX = "1";
|
|
81
|
+
env.DC_SANDBOX_DIR = params.config.sandboxDir;
|
|
82
|
+
env.DC_SANDBOX_HOME = params.config.homeDir;
|
|
83
|
+
env.DC_SANDBOX_CACHE = params.config.cacheDir;
|
|
77
84
|
env.SHELL = params.shellPath;
|
|
78
85
|
return env;
|
|
79
86
|
}
|
|
@@ -98,14 +105,11 @@ export function buildLinuxBubblewrapArgs(params) {
|
|
|
98
105
|
const readablePaths = buildReadablePaths({
|
|
99
106
|
rootPath: params.config.rootPath,
|
|
100
107
|
shellPath: params.shellPath,
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
const writablePaths = buildWritablePaths({
|
|
105
|
-
...params,
|
|
106
|
-
shellHomeDir: params.shellHomeDir,
|
|
107
|
-
shellTmpDir: params.shellTmpDir,
|
|
108
|
+
sandboxDir: params.config.sandboxDir,
|
|
109
|
+
tmpDir: params.config.tmpDir,
|
|
110
|
+
cacheDir: params.config.cacheDir,
|
|
108
111
|
});
|
|
112
|
+
const writablePaths = buildWritablePaths(params);
|
|
109
113
|
const writableSet = new Set(writablePaths);
|
|
110
114
|
const createdDirs = new Set();
|
|
111
115
|
const mountedPaths = [];
|
|
@@ -130,9 +134,9 @@ export function buildLinuxBubblewrapArgs(params) {
|
|
|
130
134
|
mountedPaths.push(readablePath);
|
|
131
135
|
}
|
|
132
136
|
for (const writablePath of writablePaths) {
|
|
133
|
-
if (
|
|
134
|
-
|
|
135
|
-
|
|
137
|
+
if (isPathCoveredBy(mountedPaths, writablePath))
|
|
138
|
+
continue;
|
|
139
|
+
addParentDirs(args, writablePath, createdDirs);
|
|
136
140
|
addWritableBind(args, writablePath);
|
|
137
141
|
mountedPaths.push(writablePath);
|
|
138
142
|
}
|
|
@@ -150,26 +154,19 @@ export function buildLinuxBubblewrapArgs(params) {
|
|
|
150
154
|
* 在 Linux bubblewrap sandbox 中启动 shell 子进程。
|
|
151
155
|
*/
|
|
152
156
|
export async function spawnLinuxBubblewrapSandbox(params) {
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
await fs.ensureDir(
|
|
157
|
-
await fs.ensureDir(shellTmpDir);
|
|
157
|
+
await fs.ensureDir(params.config.sandboxDir);
|
|
158
|
+
await fs.ensureDir(params.config.tmpDir);
|
|
159
|
+
await fs.ensureDir(params.config.cacheDir);
|
|
160
|
+
await fs.ensureDir(params.executionDir);
|
|
158
161
|
for (const writablePath of params.config.writablePaths) {
|
|
159
162
|
await fs.ensureDir(writablePath);
|
|
160
163
|
}
|
|
161
164
|
const child = spawn("bwrap", buildLinuxBubblewrapArgs({
|
|
162
165
|
...params,
|
|
163
|
-
shellHomeDir,
|
|
164
|
-
shellTmpDir,
|
|
165
166
|
}), {
|
|
166
167
|
cwd: params.actualCwd,
|
|
167
168
|
stdio: "pipe",
|
|
168
|
-
env: buildSandboxEnv(
|
|
169
|
-
...params,
|
|
170
|
-
shellHomeDir,
|
|
171
|
-
shellTmpDir,
|
|
172
|
-
}),
|
|
169
|
+
env: buildSandboxEnv(params),
|
|
173
170
|
});
|
|
174
171
|
child.stdout.setEncoding("utf8");
|
|
175
172
|
child.stderr.setEncoding("utf8");
|
|
@@ -179,6 +176,10 @@ export async function spawnLinuxBubblewrapSandbox(params) {
|
|
|
179
176
|
sandboxed: true,
|
|
180
177
|
backend: "linux-bubblewrap",
|
|
181
178
|
networkMode: params.config.networkMode,
|
|
179
|
+
sandboxDir: params.config.sandboxDir,
|
|
180
|
+
homeDir: params.config.homeDir,
|
|
181
|
+
tmpDir: params.config.tmpDir,
|
|
182
|
+
cacheDir: params.config.cacheDir,
|
|
182
183
|
};
|
|
183
184
|
}
|
|
184
185
|
//# sourceMappingURL=LinuxBubblewrapSandbox.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"LinuxBubblewrapSandbox.js","sourceRoot":"","sources":["../../src/sandbox/LinuxBubblewrapSandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,UAAU,CAAC;AAM1B,MAAM,kBAAkB,GACtB,8DAA8D,CAAC;AAEjE,SAAS,mBAAmB,CAAC,MAAgB;IAC3C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,SAAS;QAClD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,SAAS;QACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CAAC,
|
|
1
|
+
{"version":3,"file":"LinuxBubblewrapSandbox.js","sourceRoot":"","sources":["../../src/sandbox/LinuxBubblewrapSandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,UAAU,CAAC;AAM1B,MAAM,kBAAkB,GACtB,8DAA8D,CAAC;AAEjE,SAAS,mBAAmB,CAAC,MAAgB;IAC3C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,SAAS;QAClD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,SAAS;QACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CAAC,MAM3B;IACC,OAAO,mBAAmB,CAAC;QACzB,MAAM;QACN,MAAM;QACN,OAAO;QACP,MAAM;QACN,QAAQ;QACR,MAAM;QACN,MAAM,CAAC,QAAQ;QACf,MAAM,CAAC,UAAU;QACjB,MAAM,CAAC,MAAM;QACb,MAAM,CAAC,QAAQ;QACf,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;KAC/B,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA0B;IACpD,OAAO,mBAAmB,CAAC;QACzB,GAAG,MAAM,CAAC,MAAM,CAAC,aAAa;QAC9B,MAAM,CAAC,YAAY;QACnB,MAAM,CAAC,MAAM,CAAC,UAAU;QACxB,MAAM,CAAC,MAAM,CAAC,MAAM;QACpB,MAAM,CAAC,MAAM,CAAC,QAAQ;KACvB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,eAAe,CAAC,KAAe,EAAE,UAAkB;IAC1D,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAClD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;QAC1B,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,eAAe,KAAK,gBAAgB;YAAE,OAAO,IAAI,CAAC;QACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,eAAe,EAAE,gBAAgB,CAAC,CAAC;QAClE,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IACvF,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,eAAe,CAAC,MAA0B;IACjD,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE;YAAE,SAAS;QACzD,GAAG,CAAC
,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1D,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,SAAS;QACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE;YAAE,SAAS;QACzD,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,kBAAkB,CAAC,CAAC;IACzE,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;IACjC,GAAG,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;IAClC,GAAG,CAAC,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;IAC5C,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;IACrB,GAAG,CAAC,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC;IAC9C,GAAG,CAAC,eAAe,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;IAC5C,GAAG,CAAC,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;IAC9C,GAAG,CAAC,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC;IAE7B,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,eAAe,CAAC,IAAc,EAAE,UAAkB;IACzD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,eAAe,CAAC,IAAc,EAAE,UAAkB;IACzD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,aAAa,CAAC,IAAc,EAAE,UAAkB,EAAE,WAAwB;IACjF,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvE,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACzD,OAAO,GAAG,GAAG,OAAO,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QACvC,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC;YAAE,SAAS;QACvC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,MAExC;IACC,MAAM,aAAa,GAAG,kBAAkB,CAAC;QACvC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;QAChC,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU;QACpC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;QAC5B,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;KACjC,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IAC3C,MAAM,WAAW,GAAG,IAAI,
GAAG,EAAU,CAAC;IACtC,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG;QACX,mBAAmB;QACnB,eAAe;QACf,QAAQ;QACR,OAAO;QACP,OAAO;QACP,MAAM;KACP,CAAC;IAEF,IAAI,MAAM,CAAC,MAAM,CAAC,WAAW,KAAK,KAAK,EAAE,CAAC;QACxC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC;YAAE,SAAS;QAC5C,IAAI,CAAC,eAAe,CAAC,YAAY,EAAE,YAAY,CAAC,EAAE,CAAC;YACjD,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;QACjD,CAAC;QACD,eAAe,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QACpC,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,eAAe,CAAC,YAAY,EAAE,YAAY,CAAC;YAAE,SAAS;QAC1D,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,WAAW,CAAC,CAAC;QAC/C,eAAe,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QACpC,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAClC,CAAC;IAED,IACE,CAAC,eAAe,CAAC,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC;QACjD,CAAC,eAAe,CAAC,aAAa,EAAE,MAAM,CAAC,SAAS,CAAC,EACjD,CAAC;QACD,IAAI,CAAC,eAAe,CAAC,YAAY,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QACrD,CAAC;QACD,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,CAAC,IAAI,CACP,SAAS,EACT,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAC3B,MAAM,CAAC,GAAG,CACX,CAAC;IACF,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAAkD;IAElD,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC7C,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACzC,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACxC,KAAK,MAAM,YAAY,IAAI,MAAM,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;QACvD,MAAM,EAAE,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IACnC,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,wBAAwB,CAAC;QACpD,GAAG,MAAM;KACV,CAAC,EAAE;QACF,GAAG,EAAE,MAAM,CAAC,SAAS;QACrB,KAAK,EAAE,MAAM;QACb,GAAG,EAAE,eAAe,CAAC,MAAM,CAAC;KAC7B,CAAC,CAAC;IAEH,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACjC,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,C
AAC;IAEjC,OAAO;QACL,KAAK;QACL,GAAG,EAAE,MAAM,CAAC,SAAS;QACrB,SAAS,EAAE,IAAI;QACf,OAAO,EAAE,kBAAkB;QAC3B,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,WAAW;QACtC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU;QACpC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO;QAC9B,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM;QAC5B,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ;KACjC,CAAC;AACJ,CAAC"}
|
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
* 关键点(中文)
|
|
5
5
|
* - 当前最小实现直接基于系统自带 `sandbox-exec`。
|
|
6
6
|
* - 目标不是抽象完整 provider 体系,而是先把 shell 命令从“宿主机直跑”收敛成“带边界执行”。
|
|
7
|
-
* -
|
|
7
|
+
* - 边界只保留四类:路径、环境变量、网络、agent 级共享 HOME/TMPDIR/cache。
|
|
8
8
|
*/
|
|
9
9
|
import type { SandboxSpawnParams, SandboxSpawnResult } from "../sandbox/types/SandboxRuntime.js";
|
|
10
10
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"MacOsSeatbeltSandbox.d.ts","sourceRoot":"","sources":["../../src/sandbox/MacOsSeatbeltSandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,KAAK,EACV,kBAAkB,EAClB,kBAAkB,EACnB,MAAM,mCAAmC,CAAC;
|
|
1
|
+
{"version":3,"file":"MacOsSeatbeltSandbox.d.ts","sourceRoot":"","sources":["../../src/sandbox/MacOsSeatbeltSandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,KAAK,EACV,kBAAkB,EAClB,kBAAkB,EACnB,MAAM,mCAAmC,CAAC;AA8H3C;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,kBAAkB,GAAG;IAAE,SAAS,EAAE,MAAM,CAAA;CAAE,GACjD,OAAO,CAAC,kBAAkB,CAAC,CA2C7B"}
|
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
* 关键点(中文)
|
|
5
5
|
* - 当前最小实现直接基于系统自带 `sandbox-exec`。
|
|
6
6
|
* - 目标不是抽象完整 provider 体系,而是先把 shell 命令从“宿主机直跑”收敛成“带边界执行”。
|
|
7
|
-
* -
|
|
7
|
+
* - 边界只保留四类:路径、环境变量、网络、agent 级共享 HOME/TMPDIR/cache。
|
|
8
8
|
*/
|
|
9
9
|
import { spawn } from "node:child_process";
|
|
10
10
|
import path from "node:path";
|
|
@@ -36,17 +36,19 @@ function buildReadablePaths(params) {
|
|
|
36
36
|
"/opt/homebrew",
|
|
37
37
|
"/usr/local",
|
|
38
38
|
params.rootPath,
|
|
39
|
-
params.
|
|
40
|
-
params.
|
|
39
|
+
params.sandboxDir,
|
|
40
|
+
params.tmpDir,
|
|
41
|
+
params.cacheDir,
|
|
41
42
|
path.dirname(params.shellPath),
|
|
42
43
|
]);
|
|
43
44
|
}
|
|
44
45
|
function buildWritablePaths(params) {
|
|
45
46
|
return dedupePaths([
|
|
46
47
|
...params.config.writablePaths,
|
|
47
|
-
params.
|
|
48
|
-
params.
|
|
49
|
-
params.
|
|
48
|
+
params.executionDir,
|
|
49
|
+
params.config.sandboxDir,
|
|
50
|
+
params.config.tmpDir,
|
|
51
|
+
params.config.cacheDir,
|
|
50
52
|
]);
|
|
51
53
|
}
|
|
52
54
|
function buildNetworkRules(networkMode) {
|
|
@@ -59,14 +61,11 @@ function buildSeatbeltProfile(params) {
|
|
|
59
61
|
const readablePaths = buildReadablePaths({
|
|
60
62
|
rootPath: params.config.rootPath,
|
|
61
63
|
shellPath: params.shellPath,
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
const writablePaths = buildWritablePaths({
|
|
66
|
-
...params,
|
|
67
|
-
shellHomeDir: params.shellHomeDir,
|
|
68
|
-
shellTmpDir: params.shellTmpDir,
|
|
64
|
+
sandboxDir: params.config.sandboxDir,
|
|
65
|
+
tmpDir: params.config.tmpDir,
|
|
66
|
+
cacheDir: params.config.cacheDir,
|
|
69
67
|
});
|
|
68
|
+
const writablePaths = buildWritablePaths(params);
|
|
70
69
|
const lines = [
|
|
71
70
|
"(version 1)",
|
|
72
71
|
"(deny default)",
|
|
@@ -102,9 +101,14 @@ function buildSandboxEnv(params) {
|
|
|
102
101
|
env[key] = value;
|
|
103
102
|
}
|
|
104
103
|
env.PATH = String(env.PATH || params.baseEnv.PATH || DEFAULT_PATH_VALUE);
|
|
105
|
-
env.HOME = params.
|
|
106
|
-
env.ZDOTDIR = params.
|
|
107
|
-
env.TMPDIR = params.
|
|
104
|
+
env.HOME = params.config.homeDir;
|
|
105
|
+
env.ZDOTDIR = params.config.homeDir;
|
|
106
|
+
env.TMPDIR = params.config.tmpDir;
|
|
107
|
+
env.XDG_CACHE_HOME = params.config.cacheDir;
|
|
108
|
+
env.DC_SANDBOX = "1";
|
|
109
|
+
env.DC_SANDBOX_DIR = params.config.sandboxDir;
|
|
110
|
+
env.DC_SANDBOX_HOME = params.config.homeDir;
|
|
111
|
+
env.DC_SANDBOX_CACHE = params.config.cacheDir;
|
|
108
112
|
env.SHELL = params.shellPath;
|
|
109
113
|
return env;
|
|
110
114
|
}
|
|
@@ -112,16 +116,13 @@ function buildSandboxEnv(params) {
|
|
|
112
116
|
* 在 macOS seatbelt sandbox 中启动 shell 子进程。
|
|
113
117
|
*/
|
|
114
118
|
export async function spawnMacOsSeatbeltSandbox(params) {
|
|
115
|
-
const
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
await fs.ensureDir(
|
|
120
|
-
await fs.ensureDir(shellTmpDir);
|
|
119
|
+
const profilePath = path.join(params.executionDir, "sandbox-profile.sb");
|
|
120
|
+
await fs.ensureDir(params.config.sandboxDir);
|
|
121
|
+
await fs.ensureDir(params.config.tmpDir);
|
|
122
|
+
await fs.ensureDir(params.config.cacheDir);
|
|
123
|
+
await fs.ensureDir(params.executionDir);
|
|
121
124
|
const profile = buildSeatbeltProfile({
|
|
122
125
|
...params,
|
|
123
|
-
shellHomeDir,
|
|
124
|
-
shellTmpDir,
|
|
125
126
|
});
|
|
126
127
|
await fs.writeFile(profilePath, profile, "utf-8");
|
|
127
128
|
const child = spawn("sandbox-exec", [
|
|
@@ -133,11 +134,7 @@ export async function spawnMacOsSeatbeltSandbox(params) {
|
|
|
133
134
|
], {
|
|
134
135
|
cwd: params.actualCwd,
|
|
135
136
|
stdio: "pipe",
|
|
136
|
-
env: buildSandboxEnv(
|
|
137
|
-
...params,
|
|
138
|
-
shellHomeDir,
|
|
139
|
-
shellTmpDir,
|
|
140
|
-
}),
|
|
137
|
+
env: buildSandboxEnv(params),
|
|
141
138
|
});
|
|
142
139
|
child.stdout.setEncoding("utf8");
|
|
143
140
|
child.stderr.setEncoding("utf8");
|
|
@@ -147,6 +144,10 @@ export async function spawnMacOsSeatbeltSandbox(params) {
|
|
|
147
144
|
sandboxed: true,
|
|
148
145
|
backend: "macos-seatbelt",
|
|
149
146
|
networkMode: params.config.networkMode,
|
|
147
|
+
sandboxDir: params.config.sandboxDir,
|
|
148
|
+
homeDir: params.config.homeDir,
|
|
149
|
+
tmpDir: params.config.tmpDir,
|
|
150
|
+
cacheDir: params.config.cacheDir,
|
|
150
151
|
};
|
|
151
152
|
}
|
|
152
153
|
//# sourceMappingURL=MacOsSeatbeltSandbox.js.map
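Review bot: In `spawnMacOsSeatbeltSandbox`, `profilePath` is built from `params.executionDir`, and `buildWritablePaths` in the same file lists `params.executionDir` as writable, so the seatbelt profile is stored where the sandboxed shell itself can write. Edits made after `sandbox-exec` has started should not change the running policy, but if an execution directory is ever reused (not visible here), the host-side `fs.writeFile(profilePath, profile, "utf-8")` would follow whatever an earlier command left at that name, for example a symlink. I would keep the profile out of every sandbox-writable path, or drop the file and pass the text inline, `"-p", profile`, in the `sandbox-exec` argument list; that list falls between two hunks, so how the file is consumed today is an assumption. The shared `HOME`/`ZDOTDIR` set in `buildSandboxEnv` deserves the same look, since `params.config.homeDir` is neither created with `fs.ensureDir` nor named in either path list in this section.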
|