npm - @exulu/backend - Versions diffs - 1.61.1 → 1.61.2 - Mend

@exulu/backend 1.61.1 → 1.61.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/{chunk-MPV7HBV6.js → chunk-KKJF3NAY.js} +65 -9
package/dist/{convert-exulu-tools-to-ai-sdk-tools-CULC37U6.js → convert-exulu-tools-to-ai-sdk-tools-GU3BGHDW.js} +1 -1
package/dist/index.cjs +64 -9
package/dist/index.js +1 -1
package/ee/invoke-skills/create-sandbox.ts +93 -8
package/package.json +1 -1

package/dist/{chunk-MPV7HBV6.js → chunk-KKJF3NAY.js} RENAMED Viewed

@@ -744,7 +744,7 @@ var ExuluTool = class {
       });
       providerapikey = resolved.apiKey;
     }
-    const { convertExuluToolsToAiSdkTools: convertExuluToolsToAiSdkTools2 } = await import("./convert-exulu-tools-to-ai-sdk-tools-CULC37U6.js");
+    const { convertExuluToolsToAiSdkTools: convertExuluToolsToAiSdkTools2 } = await import("./convert-exulu-tools-to-ai-sdk-tools-GU3BGHDW.js");
     const tools = await convertExuluToolsToAiSdkTools2(
       [this],
       [],
@@ -6442,6 +6442,42 @@ var getAllExuluVariables = async () => {
 };
 var execAsync2 = promisify2(exec2);
 var EXEC_MAX_BUFFER = 32 * 1024 * 1024;
+var sandboxProbePromise;
+function probeSandboxSupport() {
+  if (sandboxProbePromise) return sandboxProbePromise;
+  sandboxProbePromise = (async () => {
+    if (process.platform === "darwin") return { canSandbox: true };
+    if (process.platform !== "linux") {
+      return { canSandbox: false, reason: `Unsupported platform: ${process.platform}` };
+    }
+    return await new Promise((resolve3) => {
+      const child = spawn2("bwrap", ["--dev-bind", "/", "/", "--", "/bin/true"]);
+      let stderr = "";
+      child.stderr.on("data", (chunk) => {
+        stderr += chunk.toString();
+      });
+      child.on("error", (err) => {
+        resolve3({ canSandbox: false, reason: `bwrap not executable: ${err.message}` });
+      });
+      child.on("exit", (code) => {
+        if (code === 0) resolve3({ canSandbox: true });
+        else resolve3({ canSandbox: false, reason: stderr.trim() || `bwrap exited ${code}` });
+      });
+    });
+  })();
+  return sandboxProbePromise;
+}
+var SANDBOX_FALLBACK_INSTRUCTIONS = 'Skill sandboxing is running in DEGRADED mode: bwrap cannot create user namespaces on this host, so commands\nexecute directly. The container remains the isolation boundary and resolveSessionPath still scopes\nreadFile/writeFile to the session directory at the JS layer, but bash commands are NOT kernel-sandboxed.\n\nTo restore full sandboxing on Ubuntu 23.10+ / 24.04+ hosts (kernel 6.5+):\n  sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0\n  echo "kernel.apparmor_restrict_unprivileged_userns=0" | sudo tee /etc/sysctl.d/60-userns.conf\n  sudo sysctl --system\n\nOn Debian hosts where the same symptom appears:\n  sudo sysctl -w kernel.unprivileged_userns_clone=1\n\nSet EXULU_REQUIRE_SANDBOX=1 to fail startup instead of degrading.';
+var degradedModeLogged = false;
+function logDegradedModeOnce(reason) {
+  if (degradedModeLogged) return;
+  degradedModeLogged = true;
+  console.warn(
+    `[SKILLS] ${SANDBOX_FALLBACK_INSTRUCTIONS}
+Probe error: ${reason ?? "(no detail)"}`
+  );
+}
 var sandboxCache = /* @__PURE__ */ new Map();
 async function downloadSkill(skill, skillsDirectory, config) {
   const version = skill.current_version ?? 1;
@@ -6581,6 +6617,20 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
   if (userId && config.fileUploads && !dirExisted) {
     await restoreArtifactsFromS3(sessionDir, sessionId, userId, config);
   }
+  const probe = await probeSandboxSupport();
+  const useDirectExec = !probe.canSandbox;
+  if (useDirectExec) {
+    if (process.env.EXULU_REQUIRE_SANDBOX === "1") {
+      throw new Error(
+        `[SKILLS] Sandbox required (EXULU_REQUIRE_SANDBOX=1) but unavailable.
+${SANDBOX_FALLBACK_INSTRUCTIONS}
+Probe error: ${probe.reason ?? "(no detail)"}`
+      );
+    }
+    logDegradedModeOnce(probe.reason);
+  }
   const baselineSandboxConfig = {
     network: {
       allowedDomains: [],
@@ -6596,7 +6646,9 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
       denyWrite: []
     }
   };
-  await SandboxManager.initialize(baselineSandboxConfig);
+  if (!useDirectExec) {
+    await SandboxManager.initialize(baselineSandboxConfig);
+  }
   const npmGlobalRoot = await getNpmGlobalRoot();
   const sessionSandboxConfig = {
     network: {
@@ -6632,8 +6684,12 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
     ...process.env,
     ...npmGlobalRoot ? { NODE_PATH: npmGlobalRoot } : {}
   };
+  const wrapIfNeeded = async (command) => {
+    if (useDirectExec) return command;
+    return SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig);
+  };
   const runWrapped = async (command) => {
-    const wrapped = await SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig);
+    const wrapped = await wrapIfNeeded(command);
     try {
       const { stdout, stderr } = await execAsync2(wrapped, {
         maxBuffer: EXEC_MAX_BUFFER,
@@ -6710,10 +6766,8 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
   async function writeFilesInternal(files) {
     const results = [];
     for (const file of files) {
-      const wrapped = await SandboxManager.wrapWithSandbox(
-        `mkdir -p ${shellQuote(dirname(file.path))} && cat > ${shellQuote(file.path)}`,
-        void 0,
-        sessionSandboxConfig
+      const wrapped = await wrapIfNeeded(
+        `mkdir -p ${shellQuote(dirname(file.path))} && cat > ${shellQuote(file.path)}`
       );
       await new Promise((resolveSpawn, rejectSpawn) => {
         const child = spawn2("/bin/bash", ["-c", wrapped]);
@@ -6868,10 +6922,12 @@ ${lines.join("\n")}`;
   const handle = {
     sessionDir,
     tools: wrappedTools,
-    wrapCommand: (command) => SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig),
+    wrapCommand: (command) => wrapIfNeeded(command),
     cleanup: async () => {
       sandboxCache.delete(sessionId);
-      await SandboxManager.reset();
+      if (!useDirectExec) {
+        await SandboxManager.reset();
+      }
       await rm(sessionDir, { recursive: true, force: true });
     }
   };

package/dist/{convert-exulu-tools-to-ai-sdk-tools-CULC37U6.js → convert-exulu-tools-to-ai-sdk-tools-GU3BGHDW.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   convertExuluToolsToAiSdkTools
-} from "./chunk-MPV7HBV6.js";
+} from "./chunk-KKJF3NAY.js";
 export {
   convertExuluToolsToAiSdkTools
 };

package/dist/index.cjs CHANGED Viewed

@@ -2294,6 +2294,39 @@ var init_variable = __esm({
 });
 // ee/invoke-skills/create-sandbox.ts
+function probeSandboxSupport() {
+  if (sandboxProbePromise) return sandboxProbePromise;
+  sandboxProbePromise = (async () => {
+    if (process.platform === "darwin") return { canSandbox: true };
+    if (process.platform !== "linux") {
+      return { canSandbox: false, reason: `Unsupported platform: ${process.platform}` };
+    }
+    return await new Promise((resolve7) => {
+      const child = (0, import_node_child_process3.spawn)("bwrap", ["--dev-bind", "/", "/", "--", "/bin/true"]);
+      let stderr = "";
+      child.stderr.on("data", (chunk) => {
+        stderr += chunk.toString();
+      });
+      child.on("error", (err) => {
+        resolve7({ canSandbox: false, reason: `bwrap not executable: ${err.message}` });
+      });
+      child.on("exit", (code) => {
+        if (code === 0) resolve7({ canSandbox: true });
+        else resolve7({ canSandbox: false, reason: stderr.trim() || `bwrap exited ${code}` });
+      });
+    });
+  })();
+  return sandboxProbePromise;
+}
+function logDegradedModeOnce(reason) {
+  if (degradedModeLogged) return;
+  degradedModeLogged = true;
+  console.warn(
+    `[SKILLS] ${SANDBOX_FALLBACK_INSTRUCTIONS}
+Probe error: ${reason ?? "(no detail)"}`
+  );
+}
 async function downloadSkill(skill, skillsDirectory, config) {
   const version = skill.current_version ?? 1;
   if (!skill.current_version) {
@@ -2432,6 +2465,20 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
   if (userId && config.fileUploads && !dirExisted) {
     await restoreArtifactsFromS3(sessionDir, sessionId, userId, config);
   }
+  const probe = await probeSandboxSupport();
+  const useDirectExec = !probe.canSandbox;
+  if (useDirectExec) {
+    if (process.env.EXULU_REQUIRE_SANDBOX === "1") {
+      throw new Error(
+        `[SKILLS] Sandbox required (EXULU_REQUIRE_SANDBOX=1) but unavailable.
+${SANDBOX_FALLBACK_INSTRUCTIONS}
+Probe error: ${probe.reason ?? "(no detail)"}`
+      );
+    }
+    logDegradedModeOnce(probe.reason);
+  }
   const baselineSandboxConfig = {
     network: {
       allowedDomains: [],
@@ -2447,7 +2494,9 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
       denyWrite: []
     }
   };
-  await import_sandbox_runtime.SandboxManager.initialize(baselineSandboxConfig);
+  if (!useDirectExec) {
+    await import_sandbox_runtime.SandboxManager.initialize(baselineSandboxConfig);
+  }
   const npmGlobalRoot = await getNpmGlobalRoot();
   const sessionSandboxConfig = {
     network: {
@@ -2483,8 +2532,12 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
     ...process.env,
     ...npmGlobalRoot ? { NODE_PATH: npmGlobalRoot } : {}
   };
+  const wrapIfNeeded = async (command) => {
+    if (useDirectExec) return command;
+    return import_sandbox_runtime.SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig);
+  };
   const runWrapped = async (command) => {
-    const wrapped = await import_sandbox_runtime.SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig);
+    const wrapped = await wrapIfNeeded(command);
     try {
       const { stdout, stderr } = await execAsync2(wrapped, {
         maxBuffer: EXEC_MAX_BUFFER,
@@ -2561,10 +2614,8 @@ async function createSessionSandbox(sessionId, skills, config, userId) {
   async function writeFilesInternal(files) {
     const results = [];
     for (const file of files) {
-      const wrapped = await import_sandbox_runtime.SandboxManager.wrapWithSandbox(
-        `mkdir -p ${shellQuote((0, import_node_path3.dirname)(file.path))} && cat > ${shellQuote(file.path)}`,
-        void 0,
-        sessionSandboxConfig
+      const wrapped = await wrapIfNeeded(
+        `mkdir -p ${shellQuote((0, import_node_path3.dirname)(file.path))} && cat > ${shellQuote(file.path)}`
       );
       await new Promise((resolveSpawn, rejectSpawn) => {
         const child = (0, import_node_child_process3.spawn)("/bin/bash", ["-c", wrapped]);
@@ -2719,17 +2770,19 @@ ${lines.join("\n")}`;
   const handle = {
     sessionDir,
     tools: wrappedTools,
-    wrapCommand: (command) => import_sandbox_runtime.SandboxManager.wrapWithSandbox(command, void 0, sessionSandboxConfig),
+    wrapCommand: (command) => wrapIfNeeded(command),
     cleanup: async () => {
       sandboxCache.delete(sessionId);
-      await import_sandbox_runtime.SandboxManager.reset();
+      if (!useDirectExec) {
+        await import_sandbox_runtime.SandboxManager.reset();
+      }
       await (0, import_promises.rm)(sessionDir, { recursive: true, force: true });
     }
   };
   sandboxCache.set(sessionId, { handle, installedSkills });
   return handle;
 }
-var import_sandbox_runtime, import_promises, import_node_fs3, import_node_path3, import_node_child_process3, import_node_util2, import_bash_tool, import_ai, import_zod4, import_crypto_js2, getAllExuluVariables, execAsync2, EXEC_MAX_BUFFER, sandboxCache;
+var import_sandbox_runtime, import_promises, import_node_fs3, import_node_path3, import_node_child_process3, import_node_util2, import_bash_tool, import_ai, import_zod4, import_crypto_js2, getAllExuluVariables, execAsync2, EXEC_MAX_BUFFER, sandboxProbePromise, SANDBOX_FALLBACK_INSTRUCTIONS, degradedModeLogged, sandboxCache;
 var init_create_sandbox = __esm({
   "ee/invoke-skills/create-sandbox.ts"() {
     "use strict";
@@ -2776,6 +2829,8 @@ var init_create_sandbox = __esm({
     };
     execAsync2 = (0, import_node_util2.promisify)(import_node_child_process3.exec);
     EXEC_MAX_BUFFER = 32 * 1024 * 1024;
+    SANDBOX_FALLBACK_INSTRUCTIONS = 'Skill sandboxing is running in DEGRADED mode: bwrap cannot create user namespaces on this host, so commands\nexecute directly. The container remains the isolation boundary and resolveSessionPath still scopes\nreadFile/writeFile to the session directory at the JS layer, but bash commands are NOT kernel-sandboxed.\n\nTo restore full sandboxing on Ubuntu 23.10+ / 24.04+ hosts (kernel 6.5+):\n  sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0\n  echo "kernel.apparmor_restrict_unprivileged_userns=0" | sudo tee /etc/sysctl.d/60-userns.conf\n  sudo sysctl --system\n\nOn Debian hosts where the same symptom appears:\n  sudo sysctl -w kernel.unprivileged_userns_clone=1\n\nSet EXULU_REQUIRE_SANDBOX=1 to fail startup instead of degrading.';
+    degradedModeLogged = false;
     sandboxCache = /* @__PURE__ */ new Map();
   }
 });

package/dist/index.js CHANGED Viewed

@@ -53,7 +53,7 @@ import {
   vectorSearch,
   waitForLiteLLMReady,
   withRetry
-} from "./chunk-MPV7HBV6.js";
+} from "./chunk-KKJF3NAY.js";
 import {
   findLiteLLMModel
 } from "./chunk-ILAHW4UT.js";

package/ee/invoke-skills/create-sandbox.ts CHANGED Viewed

@@ -60,6 +60,69 @@ const execAsync = promisify(exec);
 // Sandbox commands can be very long (long deny lists) — bump default buffer.
 const EXEC_MAX_BUFFER = 32 * 1024 * 1024;
+/**
+ * Probe whether bwrap can actually create a user namespace on this host.
+ * SRT's own dependency check only verifies bwrap is installed, not that the
+ * kernel will let it run — and the latter is what Ubuntu 24.04 (kernel 6.8+
+ * with `kernel.apparmor_restrict_unprivileged_userns=1`) and Debian hosts with
+ * `kernel.unprivileged_userns_clone=0` deny.
+ *
+ * Memoized for the process lifetime: the answer is host-level state that
+ * doesn't change without a sysctl flip + restart.
+ */
+type SandboxProbeResult = { canSandbox: boolean; reason?: string };
+let sandboxProbePromise: Promise<SandboxProbeResult> | undefined;
+function probeSandboxSupport(): Promise<SandboxProbeResult> {
+    if (sandboxProbePromise) return sandboxProbePromise;
+    sandboxProbePromise = (async () => {
+        if (process.platform === 'darwin') return { canSandbox: true };
+        if (process.platform !== 'linux') {
+            return { canSandbox: false, reason: `Unsupported platform: ${process.platform}` };
+        }
+        return await new Promise<SandboxProbeResult>((resolve) => {
+            // Minimal bwrap invocation: bind / read-only and exit. If the host
+            // refuses unprivileged user namespaces, this returns
+            // "Operation not permitted" — same path SRT would hit on every command.
+            const child = spawn('bwrap', ['--dev-bind', '/', '/', '--', '/bin/true']);
+            let stderr = '';
+            child.stderr.on('data', (chunk) => { stderr += chunk.toString(); });
+            child.on('error', (err) => {
+                resolve({ canSandbox: false, reason: `bwrap not executable: ${err.message}` });
+            });
+            child.on('exit', (code) => {
+                if (code === 0) resolve({ canSandbox: true });
+                else resolve({ canSandbox: false, reason: stderr.trim() || `bwrap exited ${code}` });
+            });
+        });
+    })();
+    return sandboxProbePromise;
+}
+const SANDBOX_FALLBACK_INSTRUCTIONS =
+    'Skill sandboxing is running in DEGRADED mode: bwrap cannot create user namespaces on this host, so commands\n' +
+    'execute directly. The container remains the isolation boundary and resolveSessionPath still scopes\n' +
+    'readFile/writeFile to the session directory at the JS layer, but bash commands are NOT kernel-sandboxed.\n' +
+    '\n' +
+    'To restore full sandboxing on Ubuntu 23.10+ / 24.04+ hosts (kernel 6.5+):\n' +
+    '  sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0\n' +
+    '  echo "kernel.apparmor_restrict_unprivileged_userns=0" | sudo tee /etc/sysctl.d/60-userns.conf\n' +
+    '  sudo sysctl --system\n' +
+    '\n' +
+    'On Debian hosts where the same symptom appears:\n' +
+    '  sudo sysctl -w kernel.unprivileged_userns_clone=1\n' +
+    '\n' +
+    'Set EXULU_REQUIRE_SANDBOX=1 to fail startup instead of degrading.';
+let degradedModeLogged = false;
+function logDegradedModeOnce(reason: string | undefined): void {
+    if (degradedModeLogged) return;
+    degradedModeLogged = true;
+    console.warn(
+        `[SKILLS] ${SANDBOX_FALLBACK_INSTRUCTIONS}\n\nProbe error: ${reason ?? '(no detail)'}`,
+    );
+}
 // This is called on every session where a skill is enabled
 // each sandbox setup includes the skill files from the enabled
 // skills, and uses the Anthropic Sandbox Runtime (SRT) to
@@ -380,6 +443,19 @@ export async function createSessionSandbox(
         await restoreArtifactsFromS3(sessionDir, sessionId, userId, config)
     }
+    // Probe whether bwrap can actually create namespaces on this host. On a
+    // failure, either throw (strict mode) or degrade to direct exec.
+    const probe = await probeSandboxSupport();
+    const useDirectExec = !probe.canSandbox;
+    if (useDirectExec) {
+        if (process.env.EXULU_REQUIRE_SANDBOX === '1') {
+            throw new Error(
+                `[SKILLS] Sandbox required (EXULU_REQUIRE_SANDBOX=1) but unavailable.\n\n${SANDBOX_FALLBACK_INSTRUCTIONS}\n\nProbe error: ${probe.reason ?? '(no detail)'}`,
+            );
+        }
+        logDegradedModeOnce(probe.reason);
+    }
     // SRT's `SandboxManager.initialize()` is a one-shot singleton (see
     // node_modules/@anthropic-ai/sandbox-runtime/.../sandbox-manager.js:187-191);
     // the first config wins and later calls are no-ops. That's incompatible
@@ -402,7 +478,9 @@ export async function createSessionSandbox(
         },
     }
-    await SandboxManager.initialize(baselineSandboxConfig)
+    if (!useDirectExec) {
+        await SandboxManager.initialize(baselineSandboxConfig)
+    }
     // Resolve the global node_modules directory so skill-generated scripts
     // can `require()` packages installed via `npm install -g <pkg>` (e.g. the
@@ -487,13 +565,21 @@ export async function createSessionSandbox(
         ...(npmGlobalRoot ? { NODE_PATH: npmGlobalRoot } : {}),
     }
+    // Either wrap a command with bwrap/sandbox-exec or return it unchanged when
+    // the host can't sandbox. In degraded mode the container itself is the
+    // isolation boundary; resolveSessionPath still scopes readFile/writeFile.
+    const wrapIfNeeded = async (command: string): Promise<string> => {
+        if (useDirectExec) return command;
+        return SandboxManager.wrapWithSandbox(command, undefined, sessionSandboxConfig);
+    };
     // wrapWithSandbox only constructs the sandbox-exec invocation string —
     // it does NOT run it. We have to shell out ourselves and capture the
     // real stdout/stderr/exitCode. The third arg passes the per-session
     // policy so the kernel only allows this session's dir, not whatever
     // baseline the singleton was initialized with.
     const runWrapped = async (command: string): Promise<{ stdout: string; stderr: string; exitCode: number }> => {
-        const wrapped = await SandboxManager.wrapWithSandbox(command, undefined, sessionSandboxConfig);
+        const wrapped = await wrapIfNeeded(command);
         try {
             const { stdout, stderr } = await execAsync(wrapped, {
                 maxBuffer: EXEC_MAX_BUFFER,
@@ -618,10 +704,8 @@ export async function createSessionSandbox(
         for (const file of files) {
             // Pipe content via stdin so arbitrary file content (quotes, $, etc.)
             // doesn't need to be escaped into the shell command.
-            const wrapped = await SandboxManager.wrapWithSandbox(
+            const wrapped = await wrapIfNeeded(
                 `mkdir -p ${shellQuote(dirname(file.path))} && cat > ${shellQuote(file.path)}`,
-                undefined,
-                sessionSandboxConfig,
             )
             await new Promise<void>((resolveSpawn, rejectSpawn) => {
                 const child = spawn('/bin/bash', ['-c', wrapped])
@@ -855,11 +939,12 @@ export async function createSessionSandbox(
     const handle: SessionSandboxHandle = {
         sessionDir,
         tools: wrappedTools,
-        wrapCommand: (command: string) =>
-            SandboxManager.wrapWithSandbox(command, undefined, sessionSandboxConfig),
+        wrapCommand: (command: string) => wrapIfNeeded(command),
         cleanup: async () => {
             sandboxCache.delete(sessionId)
-            await SandboxManager.reset()
+            if (!useDirectExec) {
+                await SandboxManager.reset()
+            }
             await rm(sessionDir, { recursive: true, force: true })
         },
     }

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@exulu/backend",
   "author": "Qventu Bv.",
-  "version": "1.61.1",
+  "version": "1.61.2",
   "main": "./dist/index.js",
   "private": false,
   "publishConfig": {