npm - @linzumi/cli - Versions diffs - 0.0.75-beta → 0.0.76-beta - Mend

@linzumi/cli 0.0.75-beta → 0.0.76-beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -58,7 +58,7 @@ Install the CLI or run it with `npx`:
 ```bash
 npm install -g @linzumi/cli@latest
 npx -y @linzumi/cli@latest signup
-npx -y @linzumi/cli@0.0.75-beta --version
+npx -y @linzumi/cli@0.0.76-beta --version
 linzumi --version
 ```

package/dist/index.js CHANGED Viewed

@@ -14633,7 +14633,7 @@ var linzumiCliVersion, linzumiCliVersionText;
 var init_version = __esm({
   "src/version.ts"() {
     "use strict";
-    linzumiCliVersion = "0.0.75-beta";
+    linzumiCliVersion = "0.0.76-beta";
     linzumiCliVersionText = `linzumi ${linzumiCliVersion}`;
   }
 });
@@ -16628,7 +16628,7 @@ var init_signupTaskSuggestions = __esm({
 // src/remoteCodexSandboxRunner.ts
 import { spawn as spawn7 } from "node:child_process";
-import { existsSync as existsSync9 } from "node:fs";
+import { existsSync as existsSync9, realpathSync as realpathSync5 } from "node:fs";
 import { dirname as dirname9, isAbsolute as isAbsolute3 } from "node:path";
 function createConfiguredRemoteCodexSandboxRunner(args) {
   const kind = normalizedSandboxKind(args.env.LINZUMI_REMOTE_CODEX_SANDBOX);
@@ -16785,6 +16785,10 @@ function macosSeatbeltProfile(request, exists) {
     `(allow file-read* (subpath ${sandboxString(path2)}))`,
     `(allow file-write* (subpath ${sandboxString(path2)}))`
   ]).join("\n");
+  const cwdRules = existingPathAliases(request.cwd).flatMap((path2) => [
+    `(allow file-read* (subpath ${sandboxString(path2)}))`,
+    `(allow file-write* (subpath ${sandboxString(path2)}))`
+  ]).join("\n");
   return [
     "(version 1)",
     "(deny default)",
@@ -16792,13 +16796,13 @@ function macosSeatbeltProfile(request, exists) {
     "(allow signal (target self))",
     "(allow sysctl-read)",
     "(allow file-read-metadata)",
+    '(allow file-read-data (literal "/"))',
     '(allow file-read* (literal "/dev/null"))',
     '(allow file-read* (literal "/dev/random"))',
     '(allow file-read* (literal "/dev/urandom"))',
     readableRules,
     writableTempRules,
-    `(allow file-read* (subpath ${sandboxString(request.cwd)}))`,
-    `(allow file-write* (subpath ${sandboxString(request.cwd)}))`
+    cwdRules
   ].join("\n");
 }
 function createBoundedOutputBuffer() {
@@ -16859,6 +16863,9 @@ function parentDirs(path2) {
 function uniqueStrings2(values) {
   return Array.from(new Set(values));
 }
+function existingPathAliases(path2) {
+  return uniqueStrings2([path2, realpathSync5(path2)]);
+}
 function sandboxString(value) {
   return JSON.stringify(value);
 }
@@ -16880,6 +16887,8 @@ var init_remoteCodexSandboxRunner = __esm({
     macosReadOnlyRoots = [
       "/System",
       "/Library",
+      "/etc",
+      "/private/etc",
       "/usr",
       "/bin",
       "/sbin",
@@ -16899,7 +16908,7 @@ import {
   mkdirSync as mkdirSync9,
   mkdtempSync as mkdtempSync4,
   readdirSync as readdirSync2,
-  realpathSync as realpathSync5,
+  realpathSync as realpathSync6,
   rmSync as rmSync4,
   statSync
 } from "node:fs";
@@ -21700,7 +21709,7 @@ function configuredAllowedCwds(values, options = {}) {
       if (options.createMissing === true) {
         mkdirSync9(absolutePath, { recursive: true });
       }
-      const realPath = realpathSync5(absolutePath);
+      const realPath = realpathSync6(absolutePath);
       allowedCwds.push(
         ...realPath === absolutePath ? [realPath] : [realPath, absolutePath]
       );
@@ -21747,7 +21756,7 @@ function browseRunnerDirectory(control, options) {
   const requestId = stringValue(control.requestId) ?? null;
   const requestedPath = stringValue(control.path) ?? currentHomeDirectory();
   try {
-    const currentPath = realpathSync5(resolve7(expandUserPath(requestedPath)));
+    const currentPath = realpathSync6(resolve7(expandUserPath(requestedPath)));
     const stats = statSync(currentPath);
     if (!stats.isDirectory()) {
       return {
@@ -21870,7 +21879,7 @@ function createRunnerProject(control, options, allowedCwds) {
         error: cleanupError === void 0 ? `git_init_failed:${gitFailure}` : `git_init_cleanup_failed:${cleanupError}`
       };
     }
-    const projectRealPath = realpathSync5(projectPath);
+    const projectRealPath = realpathSync6(projectPath);
     const persistedAllowedCwds = addAllowedCwdForLinzumiUrl(
       projectRealPath,
       options.kandanUrl
@@ -45562,7 +45571,7 @@ secure mission control for all your agents on your computers
 init_runner();
 init_claudeCodeSession();
 init_authCache();
-import { existsSync as existsSync14, readFileSync as readFileSync16, realpathSync as realpathSync6 } from "node:fs";
+import { existsSync as existsSync14, readFileSync as readFileSync16, realpathSync as realpathSync7 } from "node:fs";
 import { homedir as homedir13 } from "node:os";
 import { resolve as resolve10 } from "node:path";
 import { fileURLToPath as fileURLToPath4 } from "node:url";
@@ -59741,7 +59750,7 @@ function runPathsCommand(args) {
       if (pathValue === void 0 || pathValue.trim() === "") {
         throw new Error("missing path for linzumi paths add");
       }
-      const trustedPath = realpathSync6(resolve10(expandUserPath(pathValue)));
+      const trustedPath = realpathSync7(resolve10(expandUserPath(pathValue)));
       if (linzumiUrl === void 0) {
         addAllowedCwd(pathValue);
       } else {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@linzumi/cli",
-  "version": "0.0.75-beta",
+  "version": "0.0.76-beta",
   "description": "Linzumi CLI — point a Codex agent at the real code on your laptop, with your team watching and steering from shared threads.",
   "type": "module",
   "bin": {