npm - @integrity-labs/agt-cli - Versions diffs - 0.28.95 → 0.28.97 - Mend

@integrity-labs/agt-cli 0.28.95 → 0.28.97

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/bin/agt.js CHANGED Viewed

@@ -37,7 +37,7 @@ import {
   success,
   table,
   warn
-} from "../chunk-QQYVNV5N.js";
+} from "../chunk-EN7ZKY4A.js";
 import {
   CHANNEL_REGISTRY,
   DEPLOYMENT_TEMPLATES,
@@ -4777,7 +4777,7 @@ import { execFileSync, execSync } from "child_process";
 import { existsSync as existsSync10, realpathSync as realpathSync2 } from "fs";
 import chalk18 from "chalk";
 import ora16 from "ora";
-var cliVersion = true ? "0.28.95" : "dev";
+var cliVersion = true ? "0.28.97" : "dev";
 async function fetchLatestVersion() {
   const host2 = getHost();
   if (!host2) return null;
@@ -5791,7 +5791,7 @@ function handleError(err) {
 }
 // src/bin/agt.ts
-var cliVersion2 = true ? "0.28.95" : "dev";
+var cliVersion2 = true ? "0.28.97" : "dev";
 var program = new Command();
 program.name("agt").description("Augmented CLI \u2014 agent provisioning and management").version(cliVersion2).option("--json", "Emit machine-readable JSON output (suppress spinners and colors)").option("--skip-update-check", "Skip the automatic update check on startup");
 program.hook("preAction", async (thisCommand, actionCommand) => {

package/dist/{chunk-JYSWJMXU.js → chunk-5NQ652SP.js} RENAMED Viewed

@@ -582,6 +582,150 @@ function resolveClaudeBinary() {
   }
   return "claude";
 }
+function isolationMode(codeName) {
+  if (process.env.AGT_ISOLATION !== "docker") return "none";
+  const allow = (process.env.AGT_ISOLATION_AGENTS ?? "").split(",").map((s) => s.trim()).filter(Boolean);
+  if (allow.length > 0 && (!codeName || !allow.includes(codeName))) return "none";
+  return "docker";
+}
+var EGRESS_BASELINE_DOMAINS = [
+  ".anthropic.com",
+  // claude API
+  "claude.ai",
+  // subscription auth
+  ".augmented.team",
+  // the host/control-plane API
+  ".slack.com",
+  // channels (incl. wss)
+  ".composio.dev"
+  // composio MCP
+];
+function egressMode(codeName) {
+  if (process.env.AGT_EGRESS !== "allowlist") return "none";
+  if (isolationMode(codeName) !== "docker") return "none";
+  return "allowlist";
+}
+var VALID_EGRESS_DOMAIN = /^\.?([a-z0-9-]+\.)+[a-z0-9-]+$/;
+function buildEgressAllowlist(toolsFrontmatter) {
+  const domains = new Set(EGRESS_BASELINE_DOMAINS);
+  for (const tool of toolsFrontmatter?.tools ?? []) {
+    for (const d of tool.network?.allowlist_domains ?? []) {
+      if (typeof d !== "string") continue;
+      const norm = d.trim().toLowerCase();
+      if (VALID_EGRESS_DOMAIN.test(norm)) domains.add(norm);
+    }
+  }
+  return [...domains].sort();
+}
+function egressAllowlistHostPath(codeName, homeDir) {
+  const home = homeDir ?? (process.env.HOME?.trim() || homedir2());
+  return join2(home, ".augmented", "_egress", `${codeName}.txt`);
+}
+function writeEgressAllowlist(codeName, domains, homeDir) {
+  const p = egressAllowlistHostPath(codeName, homeDir);
+  mkdirSync2(dirname(p), { recursive: true });
+  writeFileSync3(p, domains.join("\n") + "\n", { mode: 420 });
+  return p;
+}
+var EGRESS_DOCKER_TIMEOUT_MS = 1e4;
+function isNoSuchContainer(err) {
+  const e = err;
+  const text = `${e?.stderr?.toString() ?? ""}${e?.message ?? ""}`;
+  return /no such container|is not running/i.test(text);
+}
+function reloadEgressSidecar(codeName) {
+  try {
+    execFileSync3("docker", ["kill", "--signal=HUP", `agt-squid-${codeName}`], {
+      stdio: "pipe",
+      timeout: EGRESS_DOCKER_TIMEOUT_MS
+    });
+    return true;
+  } catch (err) {
+    if (!isNoSuchContainer(err)) throw err;
+    return false;
+  }
+}
+function restartEgressSidecar(codeName) {
+  try {
+    execFileSync3("docker", ["restart", `agt-squid-${codeName}`], {
+      stdio: "pipe",
+      timeout: EGRESS_DOCKER_TIMEOUT_MS
+    });
+    return true;
+  } catch (err) {
+    if (!isNoSuchContainer(err)) throw err;
+    return false;
+  }
+}
+function buildDockerRunCommand(args) {
+  const { codeName, agentId, wrapperPath, projectDir, homeDir, runId, passApiKey, egress } = args;
+  const q = (s) => `'${s.replace(/'/g, `'\\''`)}'`;
+  const agentDir = join2(homeDir, ".augmented", codeName);
+  const agentIdDir = join2(homeDir, ".augmented", agentId);
+  const mcpDir = join2(homeDir, ".augmented", "_mcp");
+  const claudeHome = join2(homeDir, ".claude");
+  const claudeJson = join2(homeDir, ".claude.json");
+  const mounts = [
+    `-v ${q(`${agentDir}:${agentDir}`)}`,
+    `-v ${q(`${agentIdDir}:${agentIdDir}`)}`,
+    `-v ${q(`${mcpDir}:${mcpDir}:ro`)}`,
+    `-v ${q(`${claudeHome}:${claudeHome}`)}`,
+    `-v ${q(`${claudeJson}:${claudeJson}`)}`
+  ];
+  const image = process.env.AGT_ISOLATION_IMAGE || "agt-runtime:latest";
+  const memory = process.env.AGT_ISOLATION_MEMORY || "512m";
+  const cpus = process.env.AGT_ISOLATION_CPUS || "1.0";
+  const pids = process.env.AGT_ISOLATION_PIDS || "512";
+  const envArgs = [`-e ${q(`HOME=${homeDir}`)}`];
+  if (passApiKey) envArgs.push("-e ANTHROPIC_API_KEY");
+  if (runId) envArgs.push(`-e ${q(`AGT_RUN_ID=${runId}`)}`);
+  const egressImage = process.env.AGT_EGRESS_IMAGE || "agt-squid:latest";
+  const internalNet = `agt-net-${codeName}`;
+  const squidName = `agt-squid-${codeName}`;
+  const networkArgs = [];
+  let egressSetup = "";
+  if (egress) {
+    networkArgs.push(`--network ${internalNet}`);
+    const proxyUrl = `http://${squidName}:3128`;
+    envArgs.push(`-e ${q(`HTTPS_PROXY=${proxyUrl}`)}`);
+    envArgs.push(`-e ${q(`HTTP_PROXY=${proxyUrl}`)}`);
+    envArgs.push(`-e ${q(`NO_PROXY=${squidName},localhost,127.0.0.1`)}`);
+    egressSetup = [
+      `docker rm -f ${squidName} agt-${codeName} >/dev/null 2>&1 || true`,
+      `docker network create agt-egress >/dev/null 2>&1 || true`,
+      // FAIL-CLOSED: a stale or hand-created `agt-net-<codeName>` that is NOT
+      // internal would give the agent a route off-net, bypassing the proxy.
+      // Don't trust create-if-absent - verify the Internal flag and rebuild the
+      // network when it's missing or wrong.
+      `{ [ "$(docker network inspect -f '{{.Internal}}' ${internalNet} 2>/dev/null)" = "true" ] || { docker network rm ${internalNet} >/dev/null 2>&1 || true; docker network create --internal ${internalNet} >/dev/null; }; }`,
+      // squid processes untrusted agent traffic - give it the same hardening as
+      // the agent container (drop all caps, block privilege escalation). squid
+      // binds 3128 (>1024) and needs no capabilities; verified it still boots.
+      `docker run -d --name ${squidName} --network ${internalNet} --restart unless-stopped --memory 128m --cap-drop ALL --security-opt no-new-privileges -v ${q(`${egress.allowlistHostPath}:/etc/squid/allowlist.txt:ro`)} ${q(egressImage)} >/dev/null`,
+      `docker network connect agt-egress ${squidName} >/dev/null 2>&1`
+    ].join(" && ");
+  }
+  const runCmd = [
+    "exec docker run --rm -it",
+    `--name agt-${codeName}`,
+    `--memory ${memory}`,
+    `--cpus ${cpus}`,
+    `--pids-limit ${pids}`,
+    // Defence in depth (red-team 2026-06-16): drop all Linux capabilities and
+    // block privilege escalation. claude + node MCP servers need none - verified
+    // booting clean under these. The mount namespace is the primary boundary;
+    // these shrink what a container-escape CVE could reach if it ever landed.
+    "--cap-drop ALL",
+    "--security-opt no-new-privileges",
+    ...networkArgs,
+    ...mounts,
+    `-w ${q(projectDir)}`,
+    ...envArgs,
+    q(image),
+    q(wrapperPath)
+  ].join(" ");
+  return egress ? `${egressSetup} && ${runCmd}` : `docker rm -f agt-${codeName} >/dev/null 2>&1; ${runCmd}`;
+}
 function writePersistentClaudeWrapper(args) {
   const { projectDir, claudeBin, initPrompt, claudeArgsJoined } = args;
   const envIntegrationsPath = join2(projectDir, ".env.integrations");
@@ -840,7 +984,24 @@ function spawnSession(config, session) {
     if (claudeAuthMode === "api_key" && config.anthropicApiKey) {
       tmuxSessionEnvArgs.push("-e", `ANTHROPIC_API_KEY=${config.anthropicApiKey}`);
     }
-    const claudeCmd = JSON.stringify(wrapperPath);
+    const sessionHomeDir = process.env.HOME?.trim() || homedir2();
+    let egress;
+    if (egressMode(codeName) === "allowlist") {
+      const allowlist = config.egressAllowlist ?? buildEgressAllowlist(null);
+      const allowlistHostPath = writeEgressAllowlist(codeName, allowlist, sessionHomeDir);
+      egress = { allowlistHostPath };
+      log(`[persistent-session] egress allowlist for '${codeName}': ${allowlist.length} domains (deny-by-default)`);
+    }
+    const claudeCmd = isolationMode(codeName) === "docker" ? buildDockerRunCommand({
+      codeName,
+      agentId: config.agentId,
+      wrapperPath,
+      projectDir,
+      homeDir: sessionHomeDir,
+      runId: config.runId ?? void 0,
+      passApiKey: claudeAuthMode === "api_key" && !!config.anthropicApiKey,
+      egress
+    }) : JSON.stringify(wrapperPath);
     const tmuxEnv = {
       ...process.env,
       // Treat empty-string as missing too — `HOME=""` makes ~ resolve
@@ -1369,6 +1530,15 @@ export {
   takeWatchdogGiveUpCount,
   creditWatchdogGiveUpCount,
   resolveClaudeBinary,
+  isolationMode,
+  EGRESS_BASELINE_DOMAINS,
+  egressMode,
+  buildEgressAllowlist,
+  egressAllowlistHostPath,
+  writeEgressAllowlist,
+  reloadEgressSidecar,
+  restartEgressSidecar,
+  buildDockerRunCommand,
   writePersistentClaudeWrapper,
   paneLogPath,
   readPaneLogTail,
@@ -1395,4 +1565,4 @@ export {
   stopAllSessionsAndWait,
   getProjectDir
 };
-//# sourceMappingURL=chunk-JYSWJMXU.js.map
+//# sourceMappingURL=chunk-5NQ652SP.js.map