@integrity-labs/agt-cli 0.28.95 → 0.28.96

package/dist/bin/agt.js

@@ -37,7 +37,7 @@ import {
   success,
   table,
   warn
-} from "../chunk-QQYVNV5N.js";
+} from "../chunk-LFTKXQEA.js";
 import {
   CHANNEL_REGISTRY,
   DEPLOYMENT_TEMPLATES,
@@ -4777,7 +4777,7 @@ import { execFileSync, execSync } from "child_process";
 import { existsSync as existsSync10, realpathSync as realpathSync2 } from "fs";
 import chalk18 from "chalk";
 import ora16 from "ora";
-var cliVersion = true ? "0.28.95" : "dev";
+var cliVersion = true ? "0.28.96" : "dev";
 async function fetchLatestVersion() {
   const host2 = getHost();
   if (!host2) return null;
@@ -5791,7 +5791,7 @@ function handleError(err) {
 }
 
 // src/bin/agt.ts
-var cliVersion2 = true ? "0.28.95" : "dev";
+var cliVersion2 = true ? "0.28.96" : "dev";
 var program = new Command();
 program.name("agt").description("Augmented CLI \u2014 agent provisioning and management").version(cliVersion2).option("--json", "Emit machine-readable JSON output (suppress spinners and colors)").option("--skip-update-check", "Skip the automatic update check on startup");
 program.hook("preAction", async (thisCommand, actionCommand) => {

package/dist/{chunk-JYSWJMXU.js → chunk-5NQ652SP.js}

@@ -582,6 +582,150 @@ function resolveClaudeBinary() {
   }
   return "claude";
 }
+function isolationMode(codeName) {
+  if (process.env.AGT_ISOLATION !== "docker") return "none";
+  const allow = (process.env.AGT_ISOLATION_AGENTS ?? "").split(",").map((s) => s.trim()).filter(Boolean);
+  if (allow.length > 0 && (!codeName || !allow.includes(codeName))) return "none";
+  return "docker";
+}
+var EGRESS_BASELINE_DOMAINS = [
+  ".anthropic.com",
+  // claude API
+  "claude.ai",
+  // subscription auth
+  ".augmented.team",
+  // the host/control-plane API
+  ".slack.com",
+  // channels (incl. wss)
+  ".composio.dev"
+  // composio MCP
+];
+function egressMode(codeName) {
+  if (process.env.AGT_EGRESS !== "allowlist") return "none";
+  if (isolationMode(codeName) !== "docker") return "none";
+  return "allowlist";
+}
+var VALID_EGRESS_DOMAIN = /^\.?([a-z0-9-]+\.)+[a-z0-9-]+$/;
+function buildEgressAllowlist(toolsFrontmatter) {
+  const domains = new Set(EGRESS_BASELINE_DOMAINS);
+  for (const tool of toolsFrontmatter?.tools ?? []) {
+    for (const d of tool.network?.allowlist_domains ?? []) {
+      if (typeof d !== "string") continue;
+      const norm = d.trim().toLowerCase();
+      if (VALID_EGRESS_DOMAIN.test(norm)) domains.add(norm);
+    }
+  }
+  return [...domains].sort();
+}
+function egressAllowlistHostPath(codeName, homeDir) {
+  const home = homeDir ?? (process.env.HOME?.trim() || homedir2());
+  return join2(home, ".augmented", "_egress", `${codeName}.txt`);
+}
+function writeEgressAllowlist(codeName, domains, homeDir) {
+  const p = egressAllowlistHostPath(codeName, homeDir);
+  mkdirSync2(dirname(p), { recursive: true });
+  writeFileSync3(p, domains.join("\n") + "\n", { mode: 420 });
+  return p;
+}
+var EGRESS_DOCKER_TIMEOUT_MS = 1e4;
+function isNoSuchContainer(err) {
+  const e = err;
+  const text = `${e?.stderr?.toString() ?? ""}${e?.message ?? ""}`;
+  return /no such container|is not running/i.test(text);
+}
+function reloadEgressSidecar(codeName) {
+  try {
+    execFileSync3("docker", ["kill", "--signal=HUP", `agt-squid-${codeName}`], {
+      stdio: "pipe",
+      timeout: EGRESS_DOCKER_TIMEOUT_MS
+    });
+    return true;
+  } catch (err) {
+    if (!isNoSuchContainer(err)) throw err;
+    return false;
+  }
+}
+function restartEgressSidecar(codeName) {
+  try {
+    execFileSync3("docker", ["restart", `agt-squid-${codeName}`], {
+      stdio: "pipe",
+      timeout: EGRESS_DOCKER_TIMEOUT_MS
+    });
+    return true;
+  } catch (err) {
+    if (!isNoSuchContainer(err)) throw err;
+    return false;
+  }
+}
+function buildDockerRunCommand(args) {
+  const { codeName, agentId, wrapperPath, projectDir, homeDir, runId, passApiKey, egress } = args;
+  const q = (s) => `'${s.replace(/'/g, `'\\''`)}'`;
+  const agentDir = join2(homeDir, ".augmented", codeName);
+  const agentIdDir = join2(homeDir, ".augmented", agentId);
+  const mcpDir = join2(homeDir, ".augmented", "_mcp");
+  const claudeHome = join2(homeDir, ".claude");
+  const claudeJson = join2(homeDir, ".claude.json");
+  const mounts = [
+    `-v ${q(`${agentDir}:${agentDir}`)}`,
+    `-v ${q(`${agentIdDir}:${agentIdDir}`)}`,
+    `-v ${q(`${mcpDir}:${mcpDir}:ro`)}`,
+    `-v ${q(`${claudeHome}:${claudeHome}`)}`,
+    `-v ${q(`${claudeJson}:${claudeJson}`)}`
+  ];
+  const image = process.env.AGT_ISOLATION_IMAGE || "agt-runtime:latest";
+  const memory = process.env.AGT_ISOLATION_MEMORY || "512m";
+  const cpus = process.env.AGT_ISOLATION_CPUS || "1.0";
+  const pids = process.env.AGT_ISOLATION_PIDS || "512";
+  const envArgs = [`-e ${q(`HOME=${homeDir}`)}`];
+  if (passApiKey) envArgs.push("-e ANTHROPIC_API_KEY");
+  if (runId) envArgs.push(`-e ${q(`AGT_RUN_ID=${runId}`)}`);
+  const egressImage = process.env.AGT_EGRESS_IMAGE || "agt-squid:latest";
+  const internalNet = `agt-net-${codeName}`;
+  const squidName = `agt-squid-${codeName}`;
+  const networkArgs = [];
+  let egressSetup = "";
+  if (egress) {
+    networkArgs.push(`--network ${internalNet}`);
+    const proxyUrl = `http://${squidName}:3128`;
+    envArgs.push(`-e ${q(`HTTPS_PROXY=${proxyUrl}`)}`);
+    envArgs.push(`-e ${q(`HTTP_PROXY=${proxyUrl}`)}`);
+    envArgs.push(`-e ${q(`NO_PROXY=${squidName},localhost,127.0.0.1`)}`);
+    egressSetup = [
+      `docker rm -f ${squidName} agt-${codeName} >/dev/null 2>&1 || true`,
+      `docker network create agt-egress >/dev/null 2>&1 || true`,
+      // FAIL-CLOSED: a stale or hand-created `agt-net-<codeName>` that is NOT
+      // internal would give the agent a route off-net, bypassing the proxy.
+      // Don't trust create-if-absent - verify the Internal flag and rebuild the
+      // network when it's missing or wrong.
+      `{ [ "$(docker network inspect -f '{{.Internal}}' ${internalNet} 2>/dev/null)" = "true" ] || { docker network rm ${internalNet} >/dev/null 2>&1 || true; docker network create --internal ${internalNet} >/dev/null; }; }`,
+      // squid processes untrusted agent traffic - give it the same hardening as
+      // the agent container (drop all caps, block privilege escalation). squid
+      // binds 3128 (>1024) and needs no capabilities; verified it still boots.
+      `docker run -d --name ${squidName} --network ${internalNet} --restart unless-stopped --memory 128m --cap-drop ALL --security-opt no-new-privileges -v ${q(`${egress.allowlistHostPath}:/etc/squid/allowlist.txt:ro`)} ${q(egressImage)} >/dev/null`,
+      `docker network connect agt-egress ${squidName} >/dev/null 2>&1`
+    ].join(" && ");
+  }
+  const runCmd = [
+    "exec docker run --rm -it",
+    `--name agt-${codeName}`,
+    `--memory ${memory}`,
+    `--cpus ${cpus}`,
+    `--pids-limit ${pids}`,
+    // Defence in depth (red-team 2026-06-16): drop all Linux capabilities and
+    // block privilege escalation. claude + node MCP servers need none - verified
+    // booting clean under these. The mount namespace is the primary boundary;
+    // these shrink what a container-escape CVE could reach if it ever landed.
+    "--cap-drop ALL",
+    "--security-opt no-new-privileges",
+    ...networkArgs,
+    ...mounts,
+    `-w ${q(projectDir)}`,
+    ...envArgs,
+    q(image),
+    q(wrapperPath)
+  ].join(" ");
+  return egress ? `${egressSetup} && ${runCmd}` : `docker rm -f agt-${codeName} >/dev/null 2>&1; ${runCmd}`;
+}
 function writePersistentClaudeWrapper(args) {
   const { projectDir, claudeBin, initPrompt, claudeArgsJoined } = args;
   const envIntegrationsPath = join2(projectDir, ".env.integrations");
@@ -840,7 +984,24 @@ function spawnSession(config, session) {
     if (claudeAuthMode === "api_key" && config.anthropicApiKey) {
       tmuxSessionEnvArgs.push("-e", `ANTHROPIC_API_KEY=${config.anthropicApiKey}`);
     }
-    const claudeCmd = JSON.stringify(wrapperPath);
+    const sessionHomeDir = process.env.HOME?.trim() || homedir2();
+    let egress;
+    if (egressMode(codeName) === "allowlist") {
+      const allowlist = config.egressAllowlist ?? buildEgressAllowlist(null);
+      const allowlistHostPath = writeEgressAllowlist(codeName, allowlist, sessionHomeDir);
+      egress = { allowlistHostPath };
+      log(`[persistent-session] egress allowlist for '${codeName}': ${allowlist.length} domains (deny-by-default)`);
+    }
+    const claudeCmd = isolationMode(codeName) === "docker" ? buildDockerRunCommand({
+      codeName,
+      agentId: config.agentId,
+      wrapperPath,
+      projectDir,
+      homeDir: sessionHomeDir,
+      runId: config.runId ?? void 0,
+      passApiKey: claudeAuthMode === "api_key" && !!config.anthropicApiKey,
+      egress
+    }) : JSON.stringify(wrapperPath);
     const tmuxEnv = {
       ...process.env,
       // Treat empty-string as missing too — `HOME=""` makes ~ resolve
@@ -1369,6 +1530,15 @@ export {
   takeWatchdogGiveUpCount,
   creditWatchdogGiveUpCount,
   resolveClaudeBinary,
+  isolationMode,
+  EGRESS_BASELINE_DOMAINS,
+  egressMode,
+  buildEgressAllowlist,
+  egressAllowlistHostPath,
+  writeEgressAllowlist,
+  reloadEgressSidecar,
+  restartEgressSidecar,
+  buildDockerRunCommand,
   writePersistentClaudeWrapper,
   paneLogPath,
   readPaneLogTail,
@@ -1395,4 +1565,4 @@ export {
   stopAllSessionsAndWait,
   getProjectDir
 };
-//# sourceMappingURL=chunk-JYSWJMXU.js.map
+//# sourceMappingURL=chunk-5NQ652SP.js.map