@gencode/agents 0.0.6 → 0.0.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/config-DJX-VM7S.js +198 -0
- package/dist/config-DJX-VM7S.js.map +1 -0
- package/dist/index-JD6Ye-N5.d.ts +149 -0
- package/dist/index-JD6Ye-N5.d.ts.map +1 -0
- package/dist/index.d.ts +2 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/manager-qXa-NP0p.js +1651 -0
- package/dist/manager-qXa-NP0p.js.map +1 -0
- package/dist/message.d.ts +11 -0
- package/dist/message.d.ts.map +1 -0
- package/dist/message.js +46 -0
- package/dist/message.js.map +1 -0
- package/dist/plugins/hooks.d.ts +2 -0
- package/dist/plugins/hooks.d.ts.map +1 -1
- package/dist/plugins/hooks.js.map +1 -1
- package/dist/plugins/tool-hooks.d.ts.map +1 -1
- package/dist/plugins/tool-hooks.js +4 -1
- package/dist/plugins/tool-hooks.js.map +1 -1
- package/dist/runner/event-dispatcher.d.ts +3 -22
- package/dist/runner/event-dispatcher.d.ts.map +1 -1
- package/dist/runner/event-dispatcher.js +6 -75
- package/dist/runner/event-dispatcher.js.map +1 -1
- package/dist/runner/session-lifecycle.d.ts.map +1 -1
- package/dist/runner/session-lifecycle.js +5 -13
- package/dist/runner/session-lifecycle.js.map +1 -1
- package/dist/runner/turn-executor.d.ts.map +1 -1
- package/dist/runner/turn-executor.js +42 -3
- package/dist/runner/turn-executor.js.map +1 -1
- package/dist/security/command-dangerous-rules.d.ts +4 -0
- package/dist/security/command-dangerous-rules.d.ts.map +1 -0
- package/dist/security/command-dangerous-rules.js +26 -0
- package/dist/security/command-dangerous-rules.js.map +1 -0
- package/dist/security/command-parser.d.ts +3 -0
- package/dist/security/command-parser.d.ts.map +1 -0
- package/dist/security/command-parser.js +191 -0
- package/dist/security/command-parser.js.map +1 -0
- package/dist/security/command-path-guard.d.ts +10 -0
- package/dist/security/command-path-guard.d.ts.map +1 -0
- package/dist/security/command-path-guard.js +126 -0
- package/dist/security/command-path-guard.js.map +1 -0
- package/dist/security/command-policy-config.d.ts +5 -0
- package/dist/security/command-policy-config.d.ts.map +1 -0
- package/dist/security/command-policy-config.js +212 -0
- package/dist/security/command-policy-config.js.map +1 -0
- package/dist/security/command-policy-engine.d.ts +8 -0
- package/dist/security/command-policy-engine.d.ts.map +1 -0
- package/dist/security/command-policy-engine.js +122 -0
- package/dist/security/command-policy-engine.js.map +1 -0
- package/dist/security/command-policy-types.d.ts +67 -0
- package/dist/security/command-policy-types.d.ts.map +1 -0
- package/dist/security/command-policy-types.js +2 -0
- package/dist/security/command-policy-types.js.map +1 -0
- package/dist/security/command-safe-bins.d.ts +4 -0
- package/dist/security/command-safe-bins.d.ts.map +1 -0
- package/dist/security/command-safe-bins.js +84 -0
- package/dist/security/command-safe-bins.js.map +1 -0
- package/dist/security/command-trusted-executables.d.ts +6 -0
- package/dist/security/command-trusted-executables.d.ts.map +1 -0
- package/dist/security/command-trusted-executables.js +57 -0
- package/dist/security/command-trusted-executables.js.map +1 -0
- package/dist/tools/cron.d.ts +22 -15
- package/dist/tools/cron.d.ts.map +1 -1
- package/dist/tools/cron.js +40 -20
- package/dist/tools/cron.js.map +1 -1
- package/dist/tools/exec.d.ts.map +1 -1
- package/dist/tools/exec.js +28 -9
- package/dist/tools/exec.js.map +1 -1
- package/dist/tools/process-registry.d.ts.map +1 -1
- package/dist/tools/process-registry.js +25 -15
- package/dist/tools/process-registry.js.map +1 -1
- package/dist/types.d.ts +4 -97
- package/dist/types.d.ts.map +1 -1
- package/package.json +3 -2
|
@@ -0,0 +1,212 @@
|
|
|
1
|
+
import fs from "node:fs";
|
|
2
|
+
import path from "node:path";
|
|
3
|
+
const DEFAULT_POLICY_PATH = process.env.PINGCLAW_COMMAND_POLICY_PATH?.trim() || "/pingclaw/command-policy.json";
|
|
4
|
+
const DEFAULT_POLICY = {
|
|
5
|
+
version: 1,
|
|
6
|
+
dataRoot: "/data",
|
|
7
|
+
security: {
|
|
8
|
+
defaultMode: "allowlist",
|
|
9
|
+
approvalMode: "off",
|
|
10
|
+
},
|
|
11
|
+
exec: {
|
|
12
|
+
allowShell: true,
|
|
13
|
+
allowPty: true,
|
|
14
|
+
maxCommandLength: 8192,
|
|
15
|
+
defaultTimeoutSec: 1800,
|
|
16
|
+
},
|
|
17
|
+
pathPolicy: {
|
|
18
|
+
allowedRoots: ["/data"],
|
|
19
|
+
blockedRoots: [
|
|
20
|
+
"/",
|
|
21
|
+
"/etc",
|
|
22
|
+
"/usr",
|
|
23
|
+
"/var",
|
|
24
|
+
"/bin",
|
|
25
|
+
"/sbin",
|
|
26
|
+
"/lib",
|
|
27
|
+
"/lib64",
|
|
28
|
+
"/boot",
|
|
29
|
+
"/root",
|
|
30
|
+
"/home",
|
|
31
|
+
"/proc",
|
|
32
|
+
"/sys",
|
|
33
|
+
"/dev",
|
|
34
|
+
"/run",
|
|
35
|
+
"/mnt",
|
|
36
|
+
"/media",
|
|
37
|
+
"/tmp",
|
|
38
|
+
],
|
|
39
|
+
followSymlink: true,
|
|
40
|
+
denyPathEscape: true,
|
|
41
|
+
},
|
|
42
|
+
safeBins: {
|
|
43
|
+
enabled: true,
|
|
44
|
+
trustedDirs: ["/bin", "/usr/bin"],
|
|
45
|
+
bins: ["jq", "cut", "uniq", "head", "tail", "tr", "wc", "grep", "sort"],
|
|
46
|
+
profiles: {
|
|
47
|
+
jq: {},
|
|
48
|
+
cut: {},
|
|
49
|
+
uniq: {},
|
|
50
|
+
head: {},
|
|
51
|
+
tail: {},
|
|
52
|
+
tr: {},
|
|
53
|
+
wc: {},
|
|
54
|
+
grep: {},
|
|
55
|
+
sort: {},
|
|
56
|
+
},
|
|
57
|
+
},
|
|
58
|
+
trustedExecutables: {
|
|
59
|
+
enabled: true,
|
|
60
|
+
executables: [
|
|
61
|
+
"/usr/bin/node",
|
|
62
|
+
"/usr/bin/npm",
|
|
63
|
+
"/usr/bin/npx",
|
|
64
|
+
"/usr/bin/pnpm",
|
|
65
|
+
"/usr/bin/python",
|
|
66
|
+
"/usr/bin/python3",
|
|
67
|
+
"/usr/bin/pip",
|
|
68
|
+
"/usr/bin/pip3",
|
|
69
|
+
"/usr/bin/bash",
|
|
70
|
+
"/usr/bin/sh",
|
|
71
|
+
"/usr/bin/zsh",
|
|
72
|
+
"/usr/bin/git",
|
|
73
|
+
"/usr/bin/grep",
|
|
74
|
+
"/usr/bin/sort",
|
|
75
|
+
"/usr/bin/find",
|
|
76
|
+
"/usr/bin/cat",
|
|
77
|
+
"/usr/bin/sed",
|
|
78
|
+
"/usr/bin/awk",
|
|
79
|
+
"/usr/bin/ls",
|
|
80
|
+
"/usr/bin/env",
|
|
81
|
+
],
|
|
82
|
+
},
|
|
83
|
+
allowlist: {
|
|
84
|
+
executables: [
|
|
85
|
+
"/usr/bin/ls",
|
|
86
|
+
"/usr/bin/find",
|
|
87
|
+
"/usr/bin/cat",
|
|
88
|
+
"/usr/bin/grep",
|
|
89
|
+
"/usr/bin/sort",
|
|
90
|
+
"/usr/bin/git",
|
|
91
|
+
"/usr/bin/env",
|
|
92
|
+
],
|
|
93
|
+
wrappers: ["env", "timeout", "stdbuf", "nohup"],
|
|
94
|
+
},
|
|
95
|
+
dangerousRules: {
|
|
96
|
+
denyExecutables: [
|
|
97
|
+
"mount",
|
|
98
|
+
"umount",
|
|
99
|
+
"losetup",
|
|
100
|
+
"mkfs",
|
|
101
|
+
"fdisk",
|
|
102
|
+
"parted",
|
|
103
|
+
"fsck",
|
|
104
|
+
"swapon",
|
|
105
|
+
"swapoff",
|
|
106
|
+
"sudo",
|
|
107
|
+
"su",
|
|
108
|
+
"passwd",
|
|
109
|
+
"useradd",
|
|
110
|
+
"usermod",
|
|
111
|
+
"groupadd",
|
|
112
|
+
"shutdown",
|
|
113
|
+
"reboot",
|
|
114
|
+
"poweroff",
|
|
115
|
+
"systemctl",
|
|
116
|
+
"service",
|
|
117
|
+
"iptables",
|
|
118
|
+
"nft",
|
|
119
|
+
"ufw",
|
|
120
|
+
"route",
|
|
121
|
+
"ip",
|
|
122
|
+
"docker",
|
|
123
|
+
"podman",
|
|
124
|
+
"nsenter",
|
|
125
|
+
"unshare",
|
|
126
|
+
"chroot",
|
|
127
|
+
],
|
|
128
|
+
denyShellPatterns: ["curl|sh", "wget|sh", "curl|bash", "wget|bash", "nc -e", "bash -i", "/dev/tcp/"],
|
|
129
|
+
requireApprovalExecutables: [],
|
|
130
|
+
requireApprovalShellPatterns: [],
|
|
131
|
+
},
|
|
132
|
+
};
|
|
133
|
+
function normalizeStringArray(value, fallback) {
|
|
134
|
+
if (!Array.isArray(value)) {
|
|
135
|
+
return [...fallback];
|
|
136
|
+
}
|
|
137
|
+
const normalized = value
|
|
138
|
+
.map((entry) => (typeof entry === "string" ? entry.trim() : ""))
|
|
139
|
+
.filter((entry) => entry.length > 0);
|
|
140
|
+
return normalized.length > 0 ? normalized : [...fallback];
|
|
141
|
+
}
|
|
142
|
+
export function getDefaultCommandPolicyPath() {
|
|
143
|
+
return DEFAULT_POLICY_PATH;
|
|
144
|
+
}
|
|
145
|
+
export function getDefaultCommandPolicy() {
|
|
146
|
+
return JSON.parse(JSON.stringify(DEFAULT_POLICY));
|
|
147
|
+
}
|
|
148
|
+
export function loadCommandPolicy(configPath = DEFAULT_POLICY_PATH) {
|
|
149
|
+
if (!fs.existsSync(configPath)) {
|
|
150
|
+
return getDefaultCommandPolicy();
|
|
151
|
+
}
|
|
152
|
+
const raw = JSON.parse(fs.readFileSync(configPath, "utf8"));
|
|
153
|
+
const defaults = getDefaultCommandPolicy();
|
|
154
|
+
const dataRoot = typeof raw.dataRoot === "string" && raw.dataRoot.trim().length > 0
|
|
155
|
+
? path.posix.normalize(raw.dataRoot.trim())
|
|
156
|
+
: defaults.dataRoot;
|
|
157
|
+
return {
|
|
158
|
+
version: typeof raw.version === "number" ? raw.version : defaults.version,
|
|
159
|
+
dataRoot,
|
|
160
|
+
security: {
|
|
161
|
+
defaultMode: raw.security?.defaultMode === "deny" ||
|
|
162
|
+
raw.security?.defaultMode === "allowlist" ||
|
|
163
|
+
raw.security?.defaultMode === "full"
|
|
164
|
+
? raw.security.defaultMode
|
|
165
|
+
: defaults.security.defaultMode,
|
|
166
|
+
approvalMode: raw.security?.approvalMode === "off" ||
|
|
167
|
+
raw.security?.approvalMode === "on-miss" ||
|
|
168
|
+
raw.security?.approvalMode === "always"
|
|
169
|
+
? raw.security.approvalMode
|
|
170
|
+
: defaults.security.approvalMode,
|
|
171
|
+
},
|
|
172
|
+
exec: {
|
|
173
|
+
allowShell: raw.exec?.allowShell ?? defaults.exec.allowShell,
|
|
174
|
+
allowPty: raw.exec?.allowPty ?? defaults.exec.allowPty,
|
|
175
|
+
maxCommandLength: typeof raw.exec?.maxCommandLength === "number"
|
|
176
|
+
? raw.exec.maxCommandLength
|
|
177
|
+
: defaults.exec.maxCommandLength,
|
|
178
|
+
defaultTimeoutSec: typeof raw.exec?.defaultTimeoutSec === "number"
|
|
179
|
+
? raw.exec.defaultTimeoutSec
|
|
180
|
+
: defaults.exec.defaultTimeoutSec,
|
|
181
|
+
},
|
|
182
|
+
pathPolicy: {
|
|
183
|
+
allowedRoots: normalizeStringArray(raw.pathPolicy?.allowedRoots, [dataRoot]),
|
|
184
|
+
blockedRoots: normalizeStringArray(raw.pathPolicy?.blockedRoots, defaults.pathPolicy.blockedRoots),
|
|
185
|
+
followSymlink: raw.pathPolicy?.followSymlink ?? defaults.pathPolicy.followSymlink,
|
|
186
|
+
denyPathEscape: raw.pathPolicy?.denyPathEscape ?? defaults.pathPolicy.denyPathEscape,
|
|
187
|
+
},
|
|
188
|
+
safeBins: {
|
|
189
|
+
enabled: raw.safeBins?.enabled ?? defaults.safeBins.enabled,
|
|
190
|
+
trustedDirs: normalizeStringArray(raw.safeBins?.trustedDirs, defaults.safeBins.trustedDirs),
|
|
191
|
+
bins: normalizeStringArray(raw.safeBins?.bins, defaults.safeBins.bins),
|
|
192
|
+
profiles: raw.safeBins?.profiles && typeof raw.safeBins.profiles === "object"
|
|
193
|
+
? raw.safeBins.profiles
|
|
194
|
+
: defaults.safeBins.profiles,
|
|
195
|
+
},
|
|
196
|
+
trustedExecutables: {
|
|
197
|
+
enabled: raw.trustedExecutables?.enabled ?? defaults.trustedExecutables.enabled,
|
|
198
|
+
executables: normalizeStringArray(raw.trustedExecutables?.executables, defaults.trustedExecutables.executables),
|
|
199
|
+
},
|
|
200
|
+
allowlist: {
|
|
201
|
+
executables: normalizeStringArray(raw.allowlist?.executables, defaults.allowlist.executables),
|
|
202
|
+
wrappers: normalizeStringArray(raw.allowlist?.wrappers, defaults.allowlist.wrappers),
|
|
203
|
+
},
|
|
204
|
+
dangerousRules: {
|
|
205
|
+
denyExecutables: normalizeStringArray(raw.dangerousRules?.denyExecutables, defaults.dangerousRules.denyExecutables),
|
|
206
|
+
denyShellPatterns: normalizeStringArray(raw.dangerousRules?.denyShellPatterns, defaults.dangerousRules.denyShellPatterns),
|
|
207
|
+
requireApprovalExecutables: normalizeStringArray(raw.dangerousRules?.requireApprovalExecutables, defaults.dangerousRules.requireApprovalExecutables),
|
|
208
|
+
requireApprovalShellPatterns: normalizeStringArray(raw.dangerousRules?.requireApprovalShellPatterns, defaults.dangerousRules.requireApprovalShellPatterns),
|
|
209
|
+
},
|
|
210
|
+
};
|
|
211
|
+
}
|
|
212
|
+
//# sourceMappingURL=command-policy-config.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"command-policy-config.js","sourceRoot":"","sources":["../../src/security/command-policy-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,MAAM,mBAAmB,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,IAAI,EAAE,IAAI,+BAA+B,CAAC;AAEhH,MAAM,cAAc,GAAwB;IAC1C,OAAO,EAAE,CAAC;IACV,QAAQ,EAAE,OAAO;IACjB,QAAQ,EAAE;QACR,WAAW,EAAE,WAAW;QACxB,YAAY,EAAE,KAAK;KACpB;IACD,IAAI,EAAE;QACJ,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,IAAI;QACd,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;KACxB;IACD,UAAU,EAAE;QACV,YAAY,EAAE,CAAC,OAAO,CAAC;QACvB,YAAY,EAAE;YACZ,GAAG;YACH,MAAM;YACN,MAAM;YACN,MAAM;YACN,MAAM;YACN,OAAO;YACP,MAAM;YACN,QAAQ;YACR,OAAO;YACP,OAAO;YACP,OAAO;YACP,OAAO;YACP,MAAM;YACN,MAAM;YACN,MAAM;YACN,MAAM;YACN,QAAQ;YACR,MAAM;SACP;QACD,aAAa,EAAE,IAAI;QACnB,cAAc,EAAE,IAAI;KACrB;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,IAAI;QACb,WAAW,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;QACjC,IAAI,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC;QACvE,QAAQ,EAAE;YACR,EAAE,EAAE,EAAE;YACN,GAAG,EAAE,EAAE;YACP,IAAI,EAAE,EAAE;YACR,IAAI,EAAE,EAAE;YACR,IAAI,EAAE,EAAE;YACR,EAAE,EAAE,EAAE;YACN,EAAE,EAAE,EAAE;YACN,IAAI,EAAE,EAAE;YACR,IAAI,EAAE,EAAE;SACT;KACF;IACD,kBAAkB,EAAE;QAClB,OAAO,EAAE,IAAI;QACb,WAAW,EAAE;YACX,eAAe;YACf,cAAc;YACd,cAAc;YACd,eAAe;YACf,iBAAiB;YACjB,kBAAkB;YAClB,cAAc;YACd,eAAe;YACf,eAAe;YACf,aAAa;YACb,cAAc;YACd,cAAc;YACd,eAAe;YACf,eAAe;YACf,eAAe;YACf,cAAc;YACd,cAAc;YACd,cAAc;YACd,aAAa;YACb,cAAc;SACf;KACF;IACD,SAAS,EAAE;QACT,WAAW,EAAE;YACX,aAAa;YACb,eAAe;YACf,cAAc;YACd,eAAe;YACf,eAAe;YACf,cAAc;YACd,cAAc;SACf;QACD,QAAQ,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,CAAC;KAChD;IACD,cAAc,EAAE;QACd,eAAe,EAAE;YACf,OAAO;YACP,QAAQ;YACR,SAAS;YACT,MAAM;YACN,OAAO;YACP,QAAQ;YACR,MAAM;YACN,QAAQ;YACR,SAAS;YACT,MAAM;YACN,IAAI;YACJ,QAAQ;YACR,SAAS;YACT,SAAS;YACT,UAAU;YACV,UAAU;YACV,QAAQ;YACR,UAAU;YACV,WAAW;YACX,SAAS;YACT,UAAU;YACV,KAAK;YACL,KAAK;YACL,OAAO;YACP,IAAI;YACJ,QAAQ;YACR,QAAQ;YACR,SAAS;YACT,SAAS;YACT,QAAQ;SACT;QACD,iBAAiB,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,CAAC;QACpG,0BAA0B,EAAE,EAAE;QAC9B,4BAA4B,EAAE,EAAE;KACjC;CACF,CAAC;AAEF,SAAS,oBAAoB,CAAC,KAAc,EAAE,QAAkB;IAC9D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC;IACvB,CAAC;IACD,MAAM,UAAU,GAAG,KAAK;SACrB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;SAC/D,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACvC,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,2BAA2B;IACzC,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,CAAwB,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,UAAU,GAAG,mBAAmB;IAChE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,OAAO,uBAAuB,EAAE,CAAC;IACnC,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAiC,CAAC;IAC5F,MAAM,QAAQ,GAAG,uBAAuB,EAAE,CAAC;IAC3C,MAAM,QAAQ,GACZ,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC3C,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAExB,OAAO;QACL,OAAO,EAAE,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO;QACzE,QAAQ;QACR,QAAQ,EAAE;YACR,WAAW,EACT,GAAG,CAAC,QAAQ,EAAE,WAAW,KAAK,MAAM;gBACpC,GAAG,CAAC,QAAQ,EAAE,WAAW,KAAK,WAAW;gBACzC,GAAG,CAAC,QAAQ,EAAE,WAAW,KAAK,MAAM;gBAClC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW;gBAC1B,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW;YACnC,YAAY,EACV,GAAG,CAAC,QAAQ,EAAE,YAAY,KAAK,KAAK;gBACpC,GAAG,CAAC,QAAQ,EAAE,YAAY,KAAK,SAAS;gBACxC,GAAG,CAAC,QAAQ,EAAE,YAAY,KAAK,QAAQ;gBACrC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY;gBAC3B,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY;SACrC;QACD,IAAI,EAAE;YACJ,UAAU,EAAE,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,QAAQ,CAAC,IAAI,CAAC,UAAU;YAC5D,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,QAAQ,IAAI,QAAQ,CAAC,IAAI,CAAC,QAAQ;YACtD,gBAAgB,EACd,OAAO,GAAG,CAAC,IAAI,EAAE,gBAAgB,KAAK,QAAQ;gBAC5C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB;gBAC3B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,gBAAgB;YACpC,iBAAiB,EACf,OAAO,GAAG,CAAC,IAAI,EAAE,iBAAiB,KAAK,QAAQ;gBAC7C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,iBAAiB;gBAC5B,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,iBAAiB;SACtC;QACD,UAAU,EAAE;YACV,YAAY,EAAE,oBAAoB,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC,QAAQ,CAAC,CAAC;YAC5E,YAAY,EAAE,oBAAoB,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,EAAE,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC;YAClG,aAAa,EAAE,GAAG,CAAC,UAAU,EAAE,aAAa,IAAI,QAAQ,CAAC,UAAU,CAAC,aAAa;YACjF,cAAc,EAAE,GAAG,CAAC,UAAU,EAAE,cAAc,IAAI,QAAQ,CAAC,UAAU,CAAC,cAAc;SACrF;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,GAAG,CAAC,QAAQ,EAAE,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO;YAC3D,WAAW,EAAE,oBAAoB,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC3F,IAAI,EAAE,oBAAoB,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC;YACtE,QAAQ,EACN,GAAG,CAAC,QAAQ,EAAE,QAAQ,IAAI,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,KAAK,QAAQ;gBACjE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ;gBACvB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ;SACjC;QACD,kBAAkB,EAAE;YAClB,OAAO,EAAE,GAAG,CAAC,kBAAkB,EAAE,OAAO,IAAI,QAAQ,CAAC,kBAAkB,CAAC,OAAO;YAC/E,WAAW,EAAE,oBAAoB,CAC/B,GAAG,CAAC,kBAAkB,EAAE,WAAW,EACnC,QAAQ,CAAC,kBAAkB,CAAC,WAAW,CACxC;SACF;QACD,SAAS,EAAE;YACT,WAAW,EAAE,oBAAoB,CAAC,GAAG,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,SAAS,CAAC,WAAW,CAAC;YAC7F,QAAQ,EAAE,oBAAoB,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC;SACrF;QACD,cAAc,EAAE;YACd,eAAe,EAAE,oBAAoB,CACnC,GAAG,CAAC,cAAc,EAAE,eAAe,EACnC,QAAQ,CAAC,cAAc,CAAC,eAAe,CACxC;YACD,iBAAiB,EAAE,oBAAoB,CACrC,GAAG,CAAC,cAAc,EAAE,iBAAiB,EACrC,QAAQ,CAAC,cAAc,CAAC,iBAAiB,CAC1C;YACD,0BAA0B,EAAE,oBAAoB,CAC9C,GAAG,CAAC,cAAc,EAAE,0BAA0B,EAC9C,QAAQ,CAAC,cAAc,CAAC,0BAA0B,CACnD;YACD,4BAA4B,EAAE,oBAAoB,CAChD,GAAG,CAAC,cAAc,EAAE,4BAA4B,EAChD,QAAQ,CAAC,cAAc,CAAC,4BAA4B,CACrD;SACF;KACF,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
import type { CommandPolicyConfig, CommandPolicyResult } from "./command-policy-types.js";
|
|
2
|
+
export declare function evaluateCommandPolicy(params: {
|
|
3
|
+
command: string;
|
|
4
|
+
cwd: string;
|
|
5
|
+
allowedRoot: string;
|
|
6
|
+
policy: CommandPolicyConfig;
|
|
7
|
+
}): CommandPolicyResult;
|
|
8
|
+
//# sourceMappingURL=command-policy-engine.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"command-policy-engine.d.ts","sourceRoot":"","sources":["../../src/security/command-policy-engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAO1F,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,mBAAmB,CAAC;CAC7B,GAAG,mBAAmB,CAgItB"}
|
|
@@ -0,0 +1,122 @@
|
|
|
1
|
+
import { parseCommand } from "./command-parser.js";
|
|
2
|
+
import { matchDangerousExecutable, matchDangerousShellPattern } from "./command-dangerous-rules.js";
|
|
3
|
+
import { matchAllowlistExecutable, matchTrustedExecutable } from "./command-trusted-executables.js";
|
|
4
|
+
import { validateCommandPaths } from "./command-path-guard.js";
|
|
5
|
+
import { matchSafeBin } from "./command-safe-bins.js";
|
|
6
|
+
export function evaluateCommandPolicy(params) {
|
|
7
|
+
const normalizedCommand = params.command.trim();
|
|
8
|
+
if (!normalizedCommand) {
|
|
9
|
+
return {
|
|
10
|
+
decision: "deny",
|
|
11
|
+
reason: "empty_command",
|
|
12
|
+
normalizedCommand,
|
|
13
|
+
parsedSegments: [],
|
|
14
|
+
};
|
|
15
|
+
}
|
|
16
|
+
if (normalizedCommand.length > params.policy.exec.maxCommandLength) {
|
|
17
|
+
return {
|
|
18
|
+
decision: "deny",
|
|
19
|
+
reason: "parse_error",
|
|
20
|
+
normalizedCommand,
|
|
21
|
+
parsedSegments: [],
|
|
22
|
+
};
|
|
23
|
+
}
|
|
24
|
+
const dangerousPattern = matchDangerousShellPattern(normalizedCommand, params.policy.dangerousRules);
|
|
25
|
+
if (dangerousPattern) {
|
|
26
|
+
return {
|
|
27
|
+
decision: "deny",
|
|
28
|
+
reason: "dangerous_shell_pattern",
|
|
29
|
+
matchedRuleId: dangerousPattern,
|
|
30
|
+
normalizedCommand,
|
|
31
|
+
parsedSegments: [],
|
|
32
|
+
};
|
|
33
|
+
}
|
|
34
|
+
const parsed = parseCommand(normalizedCommand);
|
|
35
|
+
if (!parsed) {
|
|
36
|
+
return {
|
|
37
|
+
decision: "deny",
|
|
38
|
+
reason: "parse_error",
|
|
39
|
+
normalizedCommand,
|
|
40
|
+
parsedSegments: [],
|
|
41
|
+
};
|
|
42
|
+
}
|
|
43
|
+
let matchedTrusted = null;
|
|
44
|
+
let matchedAllowlist = null;
|
|
45
|
+
let matchedSafeBin = null;
|
|
46
|
+
for (const segment of parsed.segments) {
|
|
47
|
+
const dangerousExecutable = matchDangerousExecutable(segment, params.policy.dangerousRules);
|
|
48
|
+
if (dangerousExecutable) {
|
|
49
|
+
return {
|
|
50
|
+
decision: "deny",
|
|
51
|
+
reason: "dangerous_executable",
|
|
52
|
+
matchedRuleId: dangerousExecutable,
|
|
53
|
+
normalizedCommand,
|
|
54
|
+
parsedSegments: parsed.segments,
|
|
55
|
+
};
|
|
56
|
+
}
|
|
57
|
+
const pathError = validateCommandPaths({
|
|
58
|
+
cwd: params.cwd,
|
|
59
|
+
allowedRoot: params.allowedRoot,
|
|
60
|
+
pathPolicy: params.policy.pathPolicy,
|
|
61
|
+
segment,
|
|
62
|
+
allowlist: params.policy.allowlist,
|
|
63
|
+
});
|
|
64
|
+
if (pathError) {
|
|
65
|
+
return {
|
|
66
|
+
decision: "deny",
|
|
67
|
+
reason: "path_escape",
|
|
68
|
+
matchedRuleId: pathError,
|
|
69
|
+
normalizedCommand,
|
|
70
|
+
parsedSegments: parsed.segments,
|
|
71
|
+
};
|
|
72
|
+
}
|
|
73
|
+
const trusted = matchTrustedExecutable(segment, params.policy.trustedExecutables, params.policy.allowlist);
|
|
74
|
+
const safeBin = matchSafeBin(segment, params.policy.safeBins, params.policy.allowlist);
|
|
75
|
+
const allowed = matchAllowlistExecutable(segment, params.policy.allowlist);
|
|
76
|
+
matchedSafeBin ||= safeBin;
|
|
77
|
+
matchedTrusted ||= trusted;
|
|
78
|
+
matchedAllowlist ||= allowed;
|
|
79
|
+
if (!safeBin && !trusted && !allowed) {
|
|
80
|
+
return {
|
|
81
|
+
decision: "deny",
|
|
82
|
+
reason: "allowlist_miss",
|
|
83
|
+
normalizedCommand,
|
|
84
|
+
parsedSegments: parsed.segments,
|
|
85
|
+
};
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
if (matchedSafeBin) {
|
|
89
|
+
return {
|
|
90
|
+
decision: "allow",
|
|
91
|
+
reason: "safe_bin_match",
|
|
92
|
+
matchedRuleId: matchedSafeBin,
|
|
93
|
+
normalizedCommand,
|
|
94
|
+
parsedSegments: parsed.segments,
|
|
95
|
+
};
|
|
96
|
+
}
|
|
97
|
+
if (matchedTrusted) {
|
|
98
|
+
return {
|
|
99
|
+
decision: "allow",
|
|
100
|
+
reason: "trusted_executable_match",
|
|
101
|
+
matchedRuleId: matchedTrusted,
|
|
102
|
+
normalizedCommand,
|
|
103
|
+
parsedSegments: parsed.segments,
|
|
104
|
+
};
|
|
105
|
+
}
|
|
106
|
+
if (matchedAllowlist) {
|
|
107
|
+
return {
|
|
108
|
+
decision: "allow",
|
|
109
|
+
reason: "allowlist_match",
|
|
110
|
+
matchedRuleId: matchedAllowlist,
|
|
111
|
+
normalizedCommand,
|
|
112
|
+
parsedSegments: parsed.segments,
|
|
113
|
+
};
|
|
114
|
+
}
|
|
115
|
+
return {
|
|
116
|
+
decision: "deny",
|
|
117
|
+
reason: "allowlist_miss",
|
|
118
|
+
normalizedCommand,
|
|
119
|
+
parsedSegments: parsed.segments,
|
|
120
|
+
};
|
|
121
|
+
}
|
|
122
|
+
//# sourceMappingURL=command-policy-engine.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"command-policy-engine.js","sourceRoot":"","sources":["../../src/security/command-policy-engine.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,wBAAwB,EAAE,0BAA0B,EAAE,MAAM,8BAA8B,CAAC;AACpG,OAAO,EAAE,wBAAwB,EAAE,sBAAsB,EAAE,MAAM,kCAAkC,CAAC;AACpG,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAEtD,MAAM,UAAU,qBAAqB,CAAC,MAKrC;IACC,MAAM,iBAAiB,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IAChD,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,eAAe;YACvB,iBAAiB;YACjB,cAAc,EAAE,EAAE;SACnB,CAAC;IACJ,CAAC;IAED,IAAI,iBAAiB,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACnE,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,aAAa;YACrB,iBAAiB;YACjB,cAAc,EAAE,EAAE;SACnB,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAAG,0BAA0B,CAAC,iBAAiB,EAAE,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IACrG,IAAI,gBAAgB,EAAE,CAAC;QACrB,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,yBAAyB;YACjC,aAAa,EAAE,gBAAgB;YAC/B,iBAAiB;YACjB,cAAc,EAAE,EAAE;SACnB,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,iBAAiB,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO;YACL,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,aAAa;YACrB,iBAAiB;YACjB,cAAc,EAAE,EAAE;SACnB,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,GAAkB,IAAI,CAAC;IACzC,IAAI,gBAAgB,GAAkB,IAAI,CAAC;IAC3C,IAAI,cAAc,GAAkB,IAAI,CAAC;IAEzC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACtC,MAAM,mBAAmB,GAAG,wBAAwB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC5F,IAAI,mBAAmB,EAAE,CAAC;YACxB,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,sBAAsB;gBAC9B,aAAa,EAAE,mBAAmB;gBAClC,iBAAiB;gBACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;aAChC,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,oBAAoB,CAAC;YACrC,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU;YACpC,OAAO;YACP,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS;SACnC,CAAC,CAAC;QACH,IAAI,SAAS,EAAE,CAAC;YACd,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,aAAa;gBACrB,aAAa,EAAE,SAAS;gBACxB,iBAAiB;gBACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;aAChC,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,sBAAsB,CACpC,OAAO,EACP,MAAM,CAAC,MAAM,CAAC,kBAAkB,EAChC,MAAM,CAAC,MAAM,CAAC,SAAS,CACxB,CAAC;QACF,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACvF,MAAM,OAAO,GAAG,wBAAwB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC3E,cAAc,KAAK,OAAO,CAAC;QAC3B,cAAc,KAAK,OAAO,CAAC;QAC3B,gBAAgB,KAAK,OAAO,CAAC;QAE7B,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;YACrC,OAAO;gBACL,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,gBAAgB;gBACxB,iBAAiB;gBACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;aAChC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,gBAAgB;YACxB,aAAa,EAAE,cAAc;YAC7B,iBAAiB;YACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;SAChC,CAAC;IACJ,CAAC;IACD,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,0BAA0B;YAClC,aAAa,EAAE,cAAc;YAC7B,iBAAiB;YACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;SAChC,CAAC;IACJ,CAAC;IACD,IAAI,gBAAgB,EAAE,CAAC;QACrB,OAAO;YACL,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,iBAAiB;YACzB,aAAa,EAAE,gBAAgB;YAC/B,iBAAiB;YACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;SAChC,CAAC;IACJ,CAAC;IACD,OAAO;QACL,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,gBAAgB;QACxB,iBAAiB;QACjB,cAAc,EAAE,MAAM,CAAC,QAAQ;KAChC,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
export type CommandDecision = "allow" | "deny" | "require_approval";
|
|
2
|
+
export type CommandDecisionReason = "empty_command" | "parse_error" | "dangerous_executable" | "dangerous_shell_pattern" | "path_escape" | "blocked_root" | "allowlist_match" | "trusted_executable_match" | "safe_bin_match" | "allowlist_miss" | "approval_required";
|
|
3
|
+
export type CommandPathPolicy = {
|
|
4
|
+
allowedRoots: string[];
|
|
5
|
+
blockedRoots: string[];
|
|
6
|
+
followSymlink: boolean;
|
|
7
|
+
denyPathEscape: boolean;
|
|
8
|
+
};
|
|
9
|
+
export type CommandSafeBinsPolicy = {
|
|
10
|
+
enabled: boolean;
|
|
11
|
+
trustedDirs: string[];
|
|
12
|
+
bins: string[];
|
|
13
|
+
profiles: Record<string, Record<string, unknown>>;
|
|
14
|
+
};
|
|
15
|
+
export type CommandTrustedExecutablesPolicy = {
|
|
16
|
+
enabled: boolean;
|
|
17
|
+
executables: string[];
|
|
18
|
+
};
|
|
19
|
+
export type CommandAllowlistPolicy = {
|
|
20
|
+
executables: string[];
|
|
21
|
+
wrappers: string[];
|
|
22
|
+
};
|
|
23
|
+
export type CommandDangerousRulesPolicy = {
|
|
24
|
+
denyExecutables: string[];
|
|
25
|
+
denyShellPatterns: string[];
|
|
26
|
+
requireApprovalExecutables: string[];
|
|
27
|
+
requireApprovalShellPatterns: string[];
|
|
28
|
+
};
|
|
29
|
+
export type CommandPolicyConfig = {
|
|
30
|
+
version: number;
|
|
31
|
+
dataRoot: string;
|
|
32
|
+
security: {
|
|
33
|
+
defaultMode: "deny" | "allowlist" | "full";
|
|
34
|
+
approvalMode: "off" | "on-miss" | "always";
|
|
35
|
+
};
|
|
36
|
+
exec: {
|
|
37
|
+
allowShell: boolean;
|
|
38
|
+
allowPty: boolean;
|
|
39
|
+
maxCommandLength: number;
|
|
40
|
+
defaultTimeoutSec: number;
|
|
41
|
+
};
|
|
42
|
+
pathPolicy: CommandPathPolicy;
|
|
43
|
+
safeBins: CommandSafeBinsPolicy;
|
|
44
|
+
trustedExecutables: CommandTrustedExecutablesPolicy;
|
|
45
|
+
allowlist: CommandAllowlistPolicy;
|
|
46
|
+
dangerousRules: CommandDangerousRulesPolicy;
|
|
47
|
+
};
|
|
48
|
+
export type ParsedCommandSegment = {
|
|
49
|
+
raw: string;
|
|
50
|
+
argv: string[];
|
|
51
|
+
executable: string | null;
|
|
52
|
+
redirections: Array<{
|
|
53
|
+
operator: string;
|
|
54
|
+
target: string;
|
|
55
|
+
}>;
|
|
56
|
+
};
|
|
57
|
+
export type ParsedCommand = {
|
|
58
|
+
segments: ParsedCommandSegment[];
|
|
59
|
+
};
|
|
60
|
+
export type CommandPolicyResult = {
|
|
61
|
+
decision: CommandDecision;
|
|
62
|
+
reason: CommandDecisionReason;
|
|
63
|
+
matchedRuleId?: string;
|
|
64
|
+
normalizedCommand: string;
|
|
65
|
+
parsedSegments: ParsedCommandSegment[];
|
|
66
|
+
};
|
|
67
|
+
//# sourceMappingURL=command-policy-types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"command-policy-types.d.ts","sourceRoot":"","sources":["../../src/security/command-policy-types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,MAAM,GAAG,kBAAkB,CAAC;AAEpE,MAAM,MAAM,qBAAqB,GAC7B,eAAe,GACf,aAAa,GACb,sBAAsB,GACtB,yBAAyB,GACzB,aAAa,GACb,cAAc,GACd,iBAAiB,GACjB,0BAA0B,GAC1B,gBAAgB,GAChB,gBAAgB,GAChB,mBAAmB,CAAC;AAExB,MAAM,MAAM,iBAAiB,GAAG;IAC9B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,aAAa,EAAE,OAAO,CAAC;IACvB,cAAc,EAAE,OAAO,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACnD,CAAC;AAEF,MAAM,MAAM,+BAA+B,GAAG;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG;IACxC,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,0BAA0B,EAAE,MAAM,EAAE,CAAC;IACrC,4BAA4B,EAAE,MAAM,EAAE,CAAC;CACxC,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE;QACR,WAAW,EAAE,MAAM,GAAG,WAAW,GAAG,MAAM,CAAC;QAC3C,YAAY,EAAE,KAAK,GAAG,SAAS,GAAG,QAAQ,CAAC;KAC5C,CAAC;IACF,IAAI,EAAE;QACJ,UAAU,EAAE,OAAO,CAAC;QACpB,QAAQ,EAAE,OAAO,CAAC;QAClB,gBAAgB,EAAE,MAAM,CAAC;QACzB,iBAAiB,EAAE,MAAM,CAAC;KAC3B,CAAC;IACF,UAAU,EAAE,iBAAiB,CAAC;IAC9B,QAAQ,EAAE,qBAAqB,CAAC;IAChC,kBAAkB,EAAE,+BAA+B,CAAC;IACpD,SAAS,EAAE,sBAAsB,CAAC;IAClC,cAAc,EAAE,2BAA2B,CAAC;CAC7C,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC3D,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,QAAQ,EAAE,oBAAoB,EAAE,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,QAAQ,EAAE,eAAe,CAAC;IAC1B,MAAM,EAAE,qBAAqB,CAAC;IAC9B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,cAAc,EAAE,oBAAoB,EAAE,CAAC;CACxC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"command-policy-types.js","sourceRoot":"","sources":["../../src/security/command-policy-types.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,4 @@
|
|
|
1
|
+
import type { CommandSafeBinsPolicy, ParsedCommandSegment } from "./command-policy-types.js";
|
|
2
|
+
import type { CommandAllowlistPolicy } from "./command-policy-types.js";
|
|
3
|
+
export declare function matchSafeBin(segment: ParsedCommandSegment, safeBins: CommandSafeBinsPolicy, allowlist: CommandAllowlistPolicy): string | null;
|
|
4
|
+
//# sourceMappingURL=command-safe-bins.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"command-safe-bins.d.ts","sourceRoot":"","sources":["../../src/security/command-safe-bins.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,qBAAqB,EACrB,oBAAoB,EACrB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAyExE,wBAAgB,YAAY,CAC1B,OAAO,EAAE,oBAAoB,EAC7B,QAAQ,EAAE,qBAAqB,EAC/B,SAAS,EAAE,sBAAsB,GAChC,MAAM,GAAG,IAAI,CAgBf"}
|
|
@@ -0,0 +1,84 @@
|
|
|
1
|
+
import path from "node:path";
|
|
2
|
+
import { unwrapExecutable } from "./command-trusted-executables.js";
|
|
3
|
+
const DENIED_FLAGS = {
|
|
4
|
+
grep: ["-r", "-R", "--recursive", "--dereference-recursive", "-f", "--file"],
|
|
5
|
+
jq: ["-f", "--from-file", "--argfile", "--slurpfile", "--rawfile", "-L", "--library-path"],
|
|
6
|
+
sort: ["-o", "--output", "--compress-program", "--files0-from", "--random-source", "--temporary-directory", "-T"],
|
|
7
|
+
wc: ["--files0-from"],
|
|
8
|
+
};
|
|
9
|
+
function basename(value) {
|
|
10
|
+
if (!value) {
|
|
11
|
+
return "";
|
|
12
|
+
}
|
|
13
|
+
return path.posix.basename(value).toLowerCase();
|
|
14
|
+
}
|
|
15
|
+
function includesDeniedFlag(args, deniedFlags) {
|
|
16
|
+
for (let index = 0; index < args.length; index += 1) {
|
|
17
|
+
const arg = args[index];
|
|
18
|
+
for (const denied of deniedFlags) {
|
|
19
|
+
if (arg === denied || arg.startsWith(`${denied}=`) || (denied.length === 2 && arg.startsWith(denied) && arg.length > 2)) {
|
|
20
|
+
return true;
|
|
21
|
+
}
|
|
22
|
+
}
|
|
23
|
+
}
|
|
24
|
+
return false;
|
|
25
|
+
}
|
|
26
|
+
function countPositionals(args) {
|
|
27
|
+
const positionals = [];
|
|
28
|
+
let stopFlags = false;
|
|
29
|
+
for (const arg of args) {
|
|
30
|
+
if (stopFlags) {
|
|
31
|
+
positionals.push(arg);
|
|
32
|
+
continue;
|
|
33
|
+
}
|
|
34
|
+
if (arg === "--") {
|
|
35
|
+
stopFlags = true;
|
|
36
|
+
continue;
|
|
37
|
+
}
|
|
38
|
+
if (arg.startsWith("-")) {
|
|
39
|
+
continue;
|
|
40
|
+
}
|
|
41
|
+
positionals.push(arg);
|
|
42
|
+
}
|
|
43
|
+
return positionals;
|
|
44
|
+
}
|
|
45
|
+
function validateSafeBinArgs(executable, args) {
|
|
46
|
+
if (includesDeniedFlag(args, DENIED_FLAGS[executable] ?? [])) {
|
|
47
|
+
return false;
|
|
48
|
+
}
|
|
49
|
+
const positionals = countPositionals(args);
|
|
50
|
+
switch (executable) {
|
|
51
|
+
case "jq":
|
|
52
|
+
return positionals.length <= 1;
|
|
53
|
+
case "head":
|
|
54
|
+
case "tail":
|
|
55
|
+
case "uniq":
|
|
56
|
+
case "tr":
|
|
57
|
+
case "wc":
|
|
58
|
+
case "cut":
|
|
59
|
+
return positionals.length === 0;
|
|
60
|
+
case "grep":
|
|
61
|
+
return positionals.length <= 1;
|
|
62
|
+
case "sort":
|
|
63
|
+
return positionals.length === 0;
|
|
64
|
+
default:
|
|
65
|
+
return false;
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
export function matchSafeBin(segment, safeBins, allowlist) {
|
|
69
|
+
if (!safeBins.enabled) {
|
|
70
|
+
return null;
|
|
71
|
+
}
|
|
72
|
+
const executable = basename(unwrapExecutable(segment, allowlist));
|
|
73
|
+
if (!executable) {
|
|
74
|
+
return null;
|
|
75
|
+
}
|
|
76
|
+
if (!safeBins.bins.some((entry) => entry.toLowerCase() === executable)) {
|
|
77
|
+
return null;
|
|
78
|
+
}
|
|
79
|
+
const args = basename(segment.executable) === "env"
|
|
80
|
+
? segment.argv.slice(segment.argv.findIndex((arg) => !/^[A-Za-z_][A-Za-z0-9_]*=/.test(arg) && arg !== "env") + 1)
|
|
81
|
+
: segment.argv.slice(1);
|
|
82
|
+
return validateSafeBinArgs(executable, args) ? executable : null;
|
|
83
|
+
}
|
|
84
|
+
//# sourceMappingURL=command-safe-bins.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"command-safe-bins.js","sourceRoot":"","sources":["../../src/security/command-safe-bins.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAK7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AAGpE,MAAM,YAAY,GAA6B;IAC7C,IAAI,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,aAAa,EAAE,yBAAyB,EAAE,IAAI,EAAE,QAAQ,CAAC;IAC5E,EAAE,EAAE,CAAC,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,IAAI,EAAE,gBAAgB,CAAC;IAC1F,IAAI,EAAE,CAAC,IAAI,EAAE,UAAU,EAAE,oBAAoB,EAAE,eAAe,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,IAAI,CAAC;IACjH,EAAE,EAAE,CAAC,eAAe,CAAC;CACtB,CAAC;AAEF,SAAS,QAAQ,CAAC,KAAoB;IACpC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;AAClD,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAc,EAAE,WAAqB;IAC/D,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAE,CAAC;QACzB,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;YACjC,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;gBACxH,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAc;IACtC,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,SAAS,EAAE,CAAC;YACd,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtB,SAAS;QACX,CAAC;QACD,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,SAAS,GAAG,IAAI,CAAC;YACjB,SAAS;QACX,CAAC;QACD,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,SAAS;QACX,CAAC;QACD,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAS,mBAAmB,CAAC,UAAkB,EAAE,IAAc;IAC7D,IAAI,kBAAkB,CAAC,IAAI,EAAE,YAAY,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;QAC7D,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAC3C,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,IAAI;YACP,OAAO,WAAW,CAAC,MAAM,IAAI,CAAC,CAAC;QACjC,KAAK,MAAM,CAAC;QACZ,KAAK,MAAM,CAAC;QACZ,KAAK,MAAM,CAAC;QACZ,KAAK,IAAI,CAAC;QACV,KAAK,IAAI,CAAC;QACV,KAAK,KAAK;YACR,OAAO,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC;QAClC,KAAK,MAAM;YACT,OAAO,WAAW,CAAC,MAAM,IAAI,CAAC,CAAC;QACjC,KAAK,MAAM;YACT,OAAO,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC;QAClC;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY,CAC1B,OAA6B,EAC7B,QAA+B,EAC/B,SAAiC;IAEjC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,UAAU,GAAG,QAAQ,CAAC,gBAAgB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;IAClE,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,UAAU,CAAC,EAAE,CAAC;QACvE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,IAAI,GACR,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,KAAK;QACpC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,0BAA0B,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,KAAK,CAAC,GAAG,CAAC,CAAC;QACjH,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,mBAAmB,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;AACnE,CAAC"}
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
import type { CommandAllowlistPolicy, CommandTrustedExecutablesPolicy, ParsedCommandSegment } from "./command-policy-types.js";
|
|
2
|
+
export declare function isAllowedWrapper(value: string | null, policy: CommandAllowlistPolicy): boolean;
|
|
3
|
+
export declare function unwrapExecutable(segment: ParsedCommandSegment, policy: CommandAllowlistPolicy): string | null;
|
|
4
|
+
export declare function matchTrustedExecutable(segment: ParsedCommandSegment, trustedExecutables: CommandTrustedExecutablesPolicy, allowlist: CommandAllowlistPolicy): string | null;
|
|
5
|
+
export declare function matchAllowlistExecutable(segment: ParsedCommandSegment, policy: CommandAllowlistPolicy): string | null;
|
|
6
|
+
//# sourceMappingURL=command-trusted-executables.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"command-trusted-executables.d.ts","sourceRoot":"","sources":["../../src/security/command-trusted-executables.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,sBAAsB,EACtB,+BAA+B,EAC/B,oBAAoB,EACrB,MAAM,2BAA2B,CAAC;AASnC,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,sBAAsB,GAAG,OAAO,CAG9F;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,oBAAoB,EAAE,MAAM,EAAE,sBAAsB,GAAG,MAAM,GAAG,IAAI,CAgB7G;AAED,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,oBAAoB,EAC7B,kBAAkB,EAAE,+BAA+B,EACnD,SAAS,EAAE,sBAAsB,GAChC,MAAM,GAAG,IAAI,CAaf;AAED,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,oBAAoB,EAC7B,MAAM,EAAE,sBAAsB,GAC7B,MAAM,GAAG,IAAI,CAaf"}
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
import path from "node:path";
|
|
2
|
+
function basename(value) {
|
|
3
|
+
if (!value) {
|
|
4
|
+
return "";
|
|
5
|
+
}
|
|
6
|
+
return path.posix.basename(value).toLowerCase();
|
|
7
|
+
}
|
|
8
|
+
export function isAllowedWrapper(value, policy) {
|
|
9
|
+
const name = basename(value);
|
|
10
|
+
return policy.wrappers.some((entry) => entry.toLowerCase() === name);
|
|
11
|
+
}
|
|
12
|
+
export function unwrapExecutable(segment, policy) {
|
|
13
|
+
if (!segment.executable) {
|
|
14
|
+
return null;
|
|
15
|
+
}
|
|
16
|
+
if (!isAllowedWrapper(segment.executable, policy)) {
|
|
17
|
+
return segment.executable;
|
|
18
|
+
}
|
|
19
|
+
const wrapperName = basename(segment.executable);
|
|
20
|
+
if (wrapperName === "env") {
|
|
21
|
+
let index = 1;
|
|
22
|
+
while (index < segment.argv.length && /^[A-Za-z_][A-Za-z0-9_]*=/.test(segment.argv[index])) {
|
|
23
|
+
index += 1;
|
|
24
|
+
}
|
|
25
|
+
return segment.argv[index] ?? null;
|
|
26
|
+
}
|
|
27
|
+
return segment.argv[1] ?? null;
|
|
28
|
+
}
|
|
29
|
+
export function matchTrustedExecutable(segment, trustedExecutables, allowlist) {
|
|
30
|
+
const executable = unwrapExecutable(segment, allowlist);
|
|
31
|
+
const name = basename(executable);
|
|
32
|
+
if (!name || !trustedExecutables.enabled) {
|
|
33
|
+
return null;
|
|
34
|
+
}
|
|
35
|
+
for (const entry of trustedExecutables.executables) {
|
|
36
|
+
const entryName = basename(entry);
|
|
37
|
+
if (entryName === name) {
|
|
38
|
+
return entry;
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
return null;
|
|
42
|
+
}
|
|
43
|
+
export function matchAllowlistExecutable(segment, policy) {
|
|
44
|
+
const executable = unwrapExecutable(segment, policy);
|
|
45
|
+
const name = basename(executable);
|
|
46
|
+
if (!name) {
|
|
47
|
+
return null;
|
|
48
|
+
}
|
|
49
|
+
for (const entry of policy.executables) {
|
|
50
|
+
const entryName = basename(entry);
|
|
51
|
+
if (entryName === name) {
|
|
52
|
+
return entry;
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
return null;
|
|
56
|
+
}
|
|
57
|
+
//# sourceMappingURL=command-trusted-executables.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"command-trusted-executables.js","sourceRoot":"","sources":["../../src/security/command-trusted-executables.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAO7B,SAAS,QAAQ,CAAC,KAAoB;IACpC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,KAAoB,EAAE,MAA8B;IACnF,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC7B,OAAO,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,OAA6B,EAAE,MAA8B;IAC5F,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,EAAE,CAAC;QAClD,OAAO,OAAO,CAAC,UAAU,CAAC;IAC5B,CAAC;IACD,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACjD,IAAI,WAAW,KAAK,KAAK,EAAE,CAAC;QAC1B,IAAI,KAAK,GAAG,CAAC,CAAC;QACd,OAAO,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAE,CAAC,EAAE,CAAC;YAC5F,KAAK,IAAI,CAAC,CAAC;QACb,CAAC;QACD,OAAO,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC;IACrC,CAAC;IACD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,OAA6B,EAC7B,kBAAmD,EACnD,SAAiC;IAEjC,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACxD,MAAM,IAAI,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;IAClC,IAAI,CAAC,IAAI,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,kBAAkB,CAAC,WAAW,EAAE,CAAC;QACnD,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAClC,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,OAA6B,EAC7B,MAA8B;IAE9B,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,IAAI,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;IAClC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,IAAI,CAAC;IACd,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACvC,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAClC,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
|