@lumenflow/kernel 3.0.0
- package/LICENSE.md +190 -0
- package/README.md +26 -0
- package/dist/canonical-json.d.ts +7 -0
- package/dist/canonical-json.d.ts.map +1 -0
- package/dist/canonical-json.js +50 -0
- package/dist/canonical-json.js.map +1 -0
- package/dist/event-kinds.d.ts +32 -0
- package/dist/event-kinds.d.ts.map +1 -0
- package/dist/event-kinds.js +49 -0
- package/dist/event-kinds.js.map +1 -0
- package/dist/event-store/index.d.ts +64 -0
- package/dist/event-store/index.d.ts.map +1 -0
- package/dist/event-store/index.js +634 -0
- package/dist/event-store/index.js.map +1 -0
- package/dist/evidence/evidence-store.d.ts +78 -0
- package/dist/evidence/evidence-store.d.ts.map +1 -0
- package/dist/evidence/evidence-store.js +409 -0
- package/dist/evidence/evidence-store.js.map +1 -0
- package/dist/evidence/fs-helpers.d.ts +13 -0
- package/dist/evidence/fs-helpers.d.ts.map +1 -0
- package/dist/evidence/fs-helpers.js +38 -0
- package/dist/evidence/fs-helpers.js.map +1 -0
- package/dist/evidence/index.d.ts +3 -0
- package/dist/evidence/index.d.ts.map +1 -0
- package/dist/evidence/index.js +5 -0
- package/dist/evidence/index.js.map +1 -0
- package/dist/index.d.ts +17 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +19 -0
- package/dist/index.js.map +1 -0
- package/dist/kernel.schemas.d.ts +642 -0
- package/dist/kernel.schemas.d.ts.map +1 -0
- package/dist/kernel.schemas.js +331 -0
- package/dist/kernel.schemas.js.map +1 -0
- package/dist/pack/hash.d.ts +7 -0
- package/dist/pack/hash.d.ts.map +1 -0
- package/dist/pack/hash.js +56 -0
- package/dist/pack/hash.js.map +1 -0
- package/dist/pack/index.d.ts +4 -0
- package/dist/pack/index.d.ts.map +1 -0
- package/dist/pack/index.js +6 -0
- package/dist/pack/index.js.map +1 -0
- package/dist/pack/manifest.d.ts +100 -0
- package/dist/pack/manifest.d.ts.map +1 -0
- package/dist/pack/manifest.js +50 -0
- package/dist/pack/manifest.js.map +1 -0
- package/dist/pack/pack-loader.d.ts +108 -0
- package/dist/pack/pack-loader.d.ts.map +1 -0
- package/dist/pack/pack-loader.js +282 -0
- package/dist/pack/pack-loader.js.map +1 -0
- package/dist/policy/approval-event.d.ts +29 -0
- package/dist/policy/approval-event.d.ts.map +1 -0
- package/dist/policy/approval-event.js +17 -0
- package/dist/policy/approval-event.js.map +1 -0
- package/dist/policy/index.d.ts +3 -0
- package/dist/policy/index.d.ts.map +1 -0
- package/dist/policy/index.js +5 -0
- package/dist/policy/index.js.map +1 -0
- package/dist/policy/policy-engine.d.ts +52 -0
- package/dist/policy/policy-engine.d.ts.map +1 -0
- package/dist/policy/policy-engine.js +83 -0
- package/dist/policy/policy-engine.js.map +1 -0
- package/dist/runtime/index.d.ts +2 -0
- package/dist/runtime/index.d.ts.map +1 -0
- package/dist/runtime/index.js +4 -0
- package/dist/runtime/index.js.map +1 -0
- package/dist/runtime/kernel-runtime.d.ts +170 -0
- package/dist/runtime/kernel-runtime.d.ts.map +1 -0
- package/dist/runtime/kernel-runtime.js +751 -0
- package/dist/runtime/kernel-runtime.js.map +1 -0
- package/dist/sandbox/bwrap-invocation.d.ts +13 -0
- package/dist/sandbox/bwrap-invocation.d.ts.map +1 -0
- package/dist/sandbox/bwrap-invocation.js +105 -0
- package/dist/sandbox/bwrap-invocation.js.map +1 -0
- package/dist/sandbox/index.d.ts +5 -0
- package/dist/sandbox/index.d.ts.map +1 -0
- package/dist/sandbox/index.js +7 -0
- package/dist/sandbox/index.js.map +1 -0
- package/dist/sandbox/profile.d.ts +32 -0
- package/dist/sandbox/profile.d.ts.map +1 -0
- package/dist/sandbox/profile.js +101 -0
- package/dist/sandbox/profile.js.map +1 -0
- package/dist/sandbox/subprocess-dispatcher.d.ts +38 -0
- package/dist/sandbox/subprocess-dispatcher.d.ts.map +1 -0
- package/dist/sandbox/subprocess-dispatcher.js +145 -0
- package/dist/sandbox/subprocess-dispatcher.js.map +1 -0
- package/dist/sandbox/tool-runner-worker.d.ts +54 -0
- package/dist/sandbox/tool-runner-worker.d.ts.map +1 -0
- package/dist/sandbox/tool-runner-worker.js +159 -0
- package/dist/sandbox/tool-runner-worker.js.map +1 -0
- package/dist/shared-constants.d.ts +48 -0
- package/dist/shared-constants.d.ts.map +1 -0
- package/dist/shared-constants.js +49 -0
- package/dist/shared-constants.js.map +1 -0
- package/dist/state-machine/index.d.ts +30 -0
- package/dist/state-machine/index.d.ts.map +1 -0
- package/dist/state-machine/index.js +92 -0
- package/dist/state-machine/index.js.map +1 -0
- package/dist/tool-host/builtins/capabilities.d.ts +20 -0
- package/dist/tool-host/builtins/capabilities.d.ts.map +1 -0
- package/dist/tool-host/builtins/capabilities.js +211 -0
- package/dist/tool-host/builtins/capabilities.js.map +1 -0
- package/dist/tool-host/builtins/index.d.ts +2 -0
- package/dist/tool-host/builtins/index.d.ts.map +1 -0
- package/dist/tool-host/builtins/index.js +4 -0
- package/dist/tool-host/builtins/index.js.map +1 -0
- package/dist/tool-host/index.d.ts +5 -0
- package/dist/tool-host/index.d.ts.map +1 -0
- package/dist/tool-host/index.js +7 -0
- package/dist/tool-host/index.js.map +1 -0
- package/dist/tool-host/scope-intersection.d.ts +10 -0
- package/dist/tool-host/scope-intersection.d.ts.map +1 -0
- package/dist/tool-host/scope-intersection.js +188 -0
- package/dist/tool-host/scope-intersection.js.map +1 -0
- package/dist/tool-host/subprocess-dispatcher.d.ts +14 -0
- package/dist/tool-host/subprocess-dispatcher.d.ts.map +1 -0
- package/dist/tool-host/subprocess-dispatcher.js +14 -0
- package/dist/tool-host/subprocess-dispatcher.js.map +1 -0
- package/dist/tool-host/tool-host.d.ts +42 -0
- package/dist/tool-host/tool-host.d.ts.map +1 -0
- package/dist/tool-host/tool-host.js +395 -0
- package/dist/tool-host/tool-host.js.map +1 -0
- package/dist/tool-host/tool-registry.d.ts +9 -0
- package/dist/tool-host/tool-registry.d.ts.map +1 -0
- package/dist/tool-host/tool-registry.js +28 -0
- package/dist/tool-host/tool-registry.js.map +1 -0
- package/package.json +71 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"kernel-runtime.js","sourceRoot":"","sources":["../../src/runtime/kernel-runtime.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,sCAAsC;AAEtC,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,uBAAuB,GAExB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,uBAAuB,EACvB,iBAAiB,EACjB,8BAA8B,EAC9B,+BAA+B,EAC/B,oCAAoC,EACpC,gCAAgC,EAChC,4BAA4B,EAC5B,6BAA6B,EAC7B,kBAAkB,EAClB,oBAAoB,EACpB,iBAAiB,EACjB,cAAc,EACd,aAAa,EACb,kCAAkC,EAClC,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,UAAU,EACV,gBAAgB,GAGjB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAC9D,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,SAAS,EACT,kBAAkB,EAClB,cAAc,EACd,mBAAmB,GAWpB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,UAAU,EAAE,wBAAwB,EAAyB,MAAM,kBAAkB,CAAC;AAC/F,OAAO,EACL,eAAe,EACf,YAAY,GAIb,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,2BAA2B,GAE5B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAyB,MAAM,2BAA2B,CAAC;AACpF,OAAO,EACL,uBAAuB,EACvB,+BAA+B,GAChC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAmB,MAAM,2BAA2B,CAAC;AAEtE,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAE7D,MAAM,oBAAoB,GAAG,IAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;AACzF,MAAM,6BAA6B,GAAG;IACpC,cAAc;IACd,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,oBAAoB,EAAE,cAAc,CAAC;CACnE,CAAC;AACF,MAAM,8BAA8B,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;AACzE,MAAM,+BAA+B,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;AAC1E,MAAM,+BAA+B,GAAG,oCAAoC,CAAC;AAC7E,MAAM,uCAAuC,GAAG,4CAA4C,CAAC;AAC7F,MAAM,8BAA8B,GAAG,2DAA2D,CAAC;AACnG,MAAM,wBAAwB,GAAG,eAAe,CAAC;AACjD,MAAM,+BAA+B,GACnC,oEAAoE,CAAC;AACvE,MAAM,uCAAuC,GAC3C,6DAA6D,CAAC;AA2IhE,SAAS,kBAAkB,CAAC,GAAe,EAAE,cAAuB;IAClE,OAAO,cAAc,IAAI,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAc,EAAE,aAAqB;IACvE,MA
AM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC9C,OAAO,OAAO,MAAM,IAAI,aAAa,IAAI,MAAM,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAkB;IAC7C,OAAO,uBAAuB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,eAAe,CAAC,MAAqB;IAC5C,MAAM,YAAY,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QACpD,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,IAAI,GAAG,EAAe,CAAC;IACrC,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;QACjC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,SAAS;QACX,CAAC;QAED,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,KAAK,CAAC,IAAI,KAAK,kBAAkB,CAAC,WAAW,EAAE,CAAC;YAClD,KAAK,CAAC,GAAG,CACP,KAAK,CAAC,MAAM,EACZ,SAAS,CAAC,KAAK,CAAC;gBACd,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,MAAM,EAAE,YAAY,CAAC,SAAS;gBAC9B,UAAU,EAAE,KAAK,CAAC,SAAS;gBAC3B,EAAE,EAAE,KAAK,CAAC,EAAE;gBACZ,UAAU,EAAE,KAAK,CAAC,UAAU;aAC7B,CAAC,CACH,CAAC;YACF,SAAS;QACX,CAAC;QAED,MAAM,QAAQ,GACZ,QAAQ;YACR,SAAS,CAAC,KAAK,CAAC;gBACd,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,MAAM,EAAE,YAAY,CAAC,OAAO;gBAC5B,UAAU,EAAE,KAAK,CAAC,SAAS;gBAC3B,EAAE,EAAE,SAAS;gBACb,UAAU,EAAE,SAAS;aACtB,CAAC,CAAC;QAEL,IAAI,KAAK,CAAC,IAAI,KAAK,kBAAkB,CAAC,UAAU,EAAE,CAAC;YACjD,KAAK,CAAC,GAAG,CACP,KAAK,CAAC,MAAM,EACZ,SAAS,CAAC,KAAK,CAAC;gBACd,GAAG,QAAQ;gBACX,MAAM,EAAE,YAAY,CAAC,MAAM;aAC5B,CAAC,CACH,CAAC;YACF,SAAS;QACX,CAAC;QAED,IAAI,KAAK,CAAC,IAAI,KAAK,kBAAkB,CAAC,UAAU,EAAE,CAAC;YACjD,KAAK,CAAC,GAAG,CACP,KAAK,CAAC,MAAM,EACZ,SAAS,CAAC,KAAK,CAAC;gBACd,GAAG,QAAQ;gBACX,MAAM,EAAE,YAAY,CAAC,MAAM;gBAC3B,YAAY,EAAE,KAAK,CAAC,SAAS;aAC9B,CAAC,CACH,CAAC;YACF,SAAS;QACX,CAAC;QAED,KAAK,CAAC,GAAG,CACP,KAAK,CAAC,MAAM,EACZ,SAAS,CAAC,KAAK,CAAC;YACd,GAAG,QAAQ;YACX,MAAM,EAAE,YAAY,CAAC,SAAS;YAC9B,YAAY,EAAE,KAAK,CAAC,SAAS;SAC9B,CAAC,CACH,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,I
AAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,qBAAqB,CAAC,SAA2B;IACxD,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAC;IAChD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,GAAG,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;QAClF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACpB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,qBAAqB,CAAC,UAAkC;IAC/D,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO;YACL;gBACE,SAAS,EAAE,iBAAiB,CAAC,gBAAgB;gBAC7C,QAAQ,EAAE,UAAU,CAAC,QAAQ;gBAC7B,MAAM,EAAE,4DAA4D;aACrE;SACF,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QACnC,MAAM,WAAW,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;QAC1F,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO;gBACL,GAAG,UAAU,CAAC,SAAS;gBACvB;oBACE,SAAS,EAAE,iBAAiB,CAAC,gBAAgB;oBAC7C,QAAQ,EAAE,MAAM;oBAChB,MAAM,EAAE,oCAAoC;iBAC7C;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC,SAAS,CAAC;AAC9B,CAAC;AAED,SAAS,iBAAiB,CAAC,WAA+B;IACxD,MAAM,OAAO,GAAqB,EAAE,CAAC;IACrC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;IAE/E,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YAC/E,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5B,SAAS;YACX,CAAC;YACD,OAAO,CAAC,KAA+B,CAAC,GAAG,KAAK,CAAC;QACnD,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,2BAA2B,CAAC,MAAc;IACjD,OAAO,GAAG,+BAA+B,KAAK,MAAM,GAAG,CAAC;AAC1D,CAAC;AAED,SAAS,mCAAmC,CAAC,QAAgB,EAAE,MAAc;IAC3E,OAAO,GAAG,uCAAuC,KAAK,QAAQ,cAAc,MAAM,GAAG,CAAC;AACxF,CAAC;AAED,SAAS,wBAAwB,CAAC,QAAgB,EAAE,MAAc;IAChE,OAAO,aAAa,QAAQ,gBAAgB,MAAM,EAAE,CAAC;AACvD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oCAAoC,CACxD,KAAyC;IAEzC,MAAM,aAAa,GAAG,wBAAwB,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,C
AAC;IAE5F,OAAO;QACL,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI;QACrB,MAAM,EAAE,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE;QACpC,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO;QAC1C,YAAY,EAAE,8BAA8B;QAC5C,aAAa,EAAE,+BAA+B;QAC9C,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,UAAU;QACjC,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,eAAe;QAC3C,OAAO,EAAE;YACP,IAAI,EAAE,kBAAkB,CAAC,UAAU;YACnC,KAAK,EAAE,aAAa;SACrB;QACD,WAAW,EAAE,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpF,IAAI,EAAE,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;KAC9B,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,UAAkB;IAC1C,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QACzB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,SAAS,GAAG,KAA8B,CAAC;QACjD,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,OAAuC;IACrE,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC1D,KAAK,MAAM,SAAS,IAAI,6BAA6B,EAAE,CAAC;QACtD,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QACjE,IAAI,MAAM,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACxC,OAAO,iBAAiB,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,MAAM,iBAAiB,GAAG,6BAA6B,CAAC,CAAC,CAAC,CAAC;IAC3D,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IACD,OAAO,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,mBAAmB,CAAC,YAAoB,EAAE,MAAc;IAC/D,OAAO,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,GAAG,MAAM,OAAO,CAAC,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,YAAoB,EACpB,MAAc;IAEd,MAAM,YAAY,GAAG,mBAAmB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAE/D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;QAC7D,OAAO,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;IACpD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,SAAS,GAAG,KAA8B,CAAC;QACjD,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAC,YA
AoB,EAAE,IAAc;IACxE,MAAM,KAAK,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE/C,MAAM,YAAY,GAAG,mBAAmB,CAAC,YAAY,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;IAChE,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC;QACH,MAAM,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC,CAAC;IAClE,CAAC;IAAC,OAAO,UAAU,EAAE,CAAC;QACpB,MAAM,UAAU,CAAC,KAAK,EAAE,CAAC;QACzB,MAAM,EAAE,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACxC,MAAM,UAAU,CAAC;IACnB,CAAC;IACD,MAAM,UAAU,CAAC,KAAK,EAAE,CAAC;IAEzB,OAAO,YAAY,CAAC;AACtB,CAAC;AAQD,KAAK,UAAU,oBAAoB,CACjC,OAAuC;IAEvC,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC1D,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO,CACpC,OAAO,CAAC,iBAAiB;QACvB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,iBAAiB,IAAI,mBAAmB,CAAC,CAC7E,CAAC;IAEF,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;IAEjE,OAAO;QACL,mBAAmB,EAAE,iBAAiB;QACtC,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,cAAc,CAAC,GAAG,CAAC;KAC3C,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,WAA+B;IAC/D,MAAM,SAAS,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,EAAE;QACnD,OAAO,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YACnD,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAC,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,OAAO;QACL;YACE,KAAK,EAAE,WAAW;YAClB,gBAAgB,EAAE,OAAO;YACzB,eAAe,EAAE,IAAI;YACrB,KAAK,EAAE,EAAE;SACV;QACD;YACE,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,EAAE;SACV;QACD;YACE,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,SAAS;SACjB;QACD;YACE,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,EAAE;SACV;KACF,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAAC,YAA0B;IACzD,MAAM,iBAAiB,GAAG,uBAAuB,EAAE,CAAC;IAEpD,OAAO,KAAK,EAAE,KAAK,EAAE,EAAE;QACrB,MAAM,gBAAgB,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,CAAC;YACtE,OAAO,gBAAgB,CAAC;QAC1B,CAAC;QAED,MAAM,OAAO,GAA4B;YACvC,OAAO,EAAE,eAAe,CAAC,eAAe;YAC
xC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,OAAO;YAC9B,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI;YAChC,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI;SAC/B,CAAC;QAEF,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,gBAAgB,EAAE,GAAG,qBAAqB,CAAC,UAAU,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAAC,MAAc;IAC7C,OAAO;QACL,MAAM;KACP,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,OAAyB;IACzD,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,OAAO,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9D,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,OAAO,CAAC,QAAQ,CAAC;AAC1B,CAAC;AAED,MAAM,OAAO,oBAAoB;IACd,aAAa,CAAgB;IAC7B,iBAAiB,CAAS;IAC1B,mBAAmB,CAAS;IAC5B,WAAW,CAAqB;IAChC,YAAY,CAAS;IACrB,UAAU,CAAa;IACvB,aAAa,CAAgB;IAC7B,QAAQ,CAAW;IACnB,YAAY,CAAe;IAC3B,YAAY,CAAmB;IAC/B,GAAG,CAAa;IAChB,YAAY,CAAoD;IAEjF,YAAY,OAA6B;QACvC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;QAC5C,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC,mBAAmB,CAAC;QACrD,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,qBAAqB,CAAC;QACzD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC;QACxC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,cAAc,CAAC;QAC3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC;QACtC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;QAC5C,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC;QAClC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,aAAa,CAAC;QAC1C,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,aAAa,IAAI,EAAE,CAAC;QAChD,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QAC7C,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,cAAc,IAAI,mBAAmB,CAAC;IACpE,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,eAAe;QACb,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,IAAY,EAAE,KAAc,EAAE,GAAqB;QACnE,MAAM,OAAO,GAAG,sBAAsB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClD,MAAM,QAAQ,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;QACnD,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAAC;QAE9C,IAAI,UAAkB,CAAC;QACvB,IAAI,oBAAoB,GAAG,KAAK,CAAC;QACjC,IAAI,CAAC;YACH,UAAU,GAAG,MAAM,IAAI,CAAC,0BAA0B,EAAE,CAAC;QACvD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,SAAS,GAAG,KAA8B,CAAC;YACjD,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAChC,MAAM,KAAK,C
AAC;YACd,CAAC;YACD,oBAAoB,GAAG,IAAI,CAAC;YAC5B,UAAU,GAAG,cAAc,CAAC;gBAC1B,CAAC,kCAAkC,CAAC,sBAAsB,CAAC,EAAE,IAAI,CAAC,iBAAiB;aACpF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,UAAU,KAAK,YAAY,EAAE,CAAC;YAChC,MAAM,aAAa,GAAsB;gBACvC,cAAc,EAAE,CAAC;gBACjB,IAAI,EAAE,kBAAkB,CAAC,aAAa;gBACtC,IAAI,EAAE,WAAW;gBACjB,EAAE,EAAE,IAAI,CAAC,aAAa,CAAC,EAAE;gBACzB,aAAa,EAAE,YAAY;gBAC3B,WAAW,EAAE,UAAU;gBACvB,SAAS,EAAE,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC;aACxC,CAAC;YACF,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAE5C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACL,IAAI,EAAE,wBAAwB;oBAC9B,OAAO,EAAE,oBAAoB;wBAC3B,CAAC,CAAC,uCAAuC;wBACzC,CAAC,CAAC,+BAA+B;oBACnC,OAAO,EAAE;wBACP,YAAY,EAAE,IAAI,CAAC,aAAa,CAAC,EAAE;wBACnC,mBAAmB,EAAE,IAAI,CAAC,iBAAiB;wBAC3C,CAAC,kCAAkC,CAAC,sBAAsB,CAAC,EAAE,oBAAoB;wBACjF,aAAa,EAAE,YAAY;wBAC3B,WAAW,EAAE,UAAU;qBACxB;iBACF;aACF,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAAG,sBAAsB,CAAC,KAAK,CAAC;YAClD,GAAG,OAAO;YACV,QAAQ,EAAE;gBACR,GAAG,QAAQ;gBACX,CAAC,uBAAuB,CAAC,qBAAqB,CAAC,EAAE,UAAU;aAC5D;SACF,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,QAAkB;QACjC,MAAM,UAAU,GAAG,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAElD,IAAI,UAAU,CAAC,YAAY,KAAK,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CACb,qCAAqC,IAAI,CAAC,aAAa,CAAC,EAAE,SAAS,UAAU,CAAC,YAAY,EAAE,CAC7F,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,UAAU,CAAC,OAAO,CAAC,CAAC;QAC3F,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,cAAc,UAAU,CAAC,OAAO,uCAAuC,CAAC,CAAC;QAC3F,CAAC;QAED,IAAI,YAAoB,CAAC;QACzB,IAAI,CAAC;YACH,YAAY,GAAG,MAAM,sBAAsB,CAAC,IAAI,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;QAC7E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,SAAS,GAAG,KAA8B,CAAC;YACjD,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAChC,MAAM,IAAI,KAAK,CAAC,gCAAgC,UAAU,CAAC,EAAE,oBAAoB,EAAE;oBACjF,KAAK,EAAE,KAAK;iBACb,CAAC,CAAC;YACL,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,YAAY,GAAqB;YACrC,cAAc,EAAE,CAAC;YACjB,IAAI,EAAE,kBAA
kB,CAAC,YAAY;YACrC,OAAO,EAAE,UAAU,CAAC,EAAE;YACtB,SAAS,EAAE,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC;YACvC,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC;SACtC,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,UAAU,EAAE,CAAC;YACpB,mEAAmE;YACnE,wEAAwE;YACxE,0EAA0E;YAC1E,MAAM,EAAE,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YACxC,MAAM,UAAU,CAAC;QACnB,CAAC;QAED,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,cAAc,EAAE,YAAY;YAC5B,KAAK,EAAE,YAAY;SACpB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAqB;QACnC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEvD,gBAAgB,CAAC,SAAS,CAAC,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAEzE,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC;YAC9C,OAAO,EAAE,eAAe,CAAC,QAAQ;YACjC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,OAAO,EAAE,IAAI,CAAC,MAAM;SACrB,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;QACzD,CAAC;QAED,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QACvE,MAAM,YAAY,GAAqB;YACrC,cAAc,EAAE,CAAC;YACjB,IAAI,EAAE,kBAAkB,CAAC,YAAY;YACrC,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,SAAS,EAAE,gBAAgB;YAC3B,EAAE,EAAE,KAAK,CAAC,EAAE;YACZ,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,WAAW,EAAE,KAAK,CAAC,WAAW;SAC/B,CAAC;QAEF,MAAM,eAAe,GAAoB;YACvC,cAAc,EAAE,CAAC;YACjB,IAAI,EAAE,kBAAkB,CAAC,WAAW;YACpC,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,MAAM,EAAE,KAAK;YACb,SAAS,EAAE,gBAAgB;YAC3B,EAAE,EAAE,KAAK,CAAC,EAAE;YACZ,UAAU,EAAE,KAAK,CAAC,UAAU;SAC7B,CAAC;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,EAAE,eAAe,CAAC,CAAC,CAAC;QAEjE,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,GAAG,EAAE,SAAS,CAAC,KAAK,CAAC;gBACnB,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,MAAM,EAAE,YAAY,CAAC,SAAS;gBAC9B,UAAU,EAAE,eAAe,CAAC,SAAS;gBACrC,EAAE,EAAE,KAAK,CA
AC,EAAE;gBACZ,UAAU,EAAE,KAAK,CAAC,UAAU;aAC7B,CAAC;YACF,MAAM,EAAE,CAAC,YAAY,EAAE,eAAe,CAAC;YACvC,MAAM;SACP,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAqB;QACnC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEvD,gBAAgB,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAE1E,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,gBAAgB,IAAI,CAAC,EAAE,uBAAuB,CAAC,CAAC;QAClE,CAAC;QAED,MAAM,YAAY,GAAqB;YACrC,cAAc,EAAE,CAAC;YACjB,IAAI,EAAE,kBAAkB,CAAC,YAAY;YACrC,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,SAAS,EAAE,kBAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,SAAS,CAAC;YACxD,MAAM;SACP,CAAC;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QAC3C,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,KAAK,EAAE,YAAY;SACpB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAuB;QACvC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEvD,gBAAgB,CAAC,SAAS,CAAC,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAEzE,MAAM,cAAc,GAAuB;YACzC,cAAc,EAAE,CAAC;YACjB,IAAI,EAAE,kBAAkB,CAAC,cAAc;YACvC,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,SAAS,EAAE,kBAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,SAAS,CAAC;SACzD,CAAC;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC7C,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,KAAK,EAAE,cAAc;SACtB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAAwB;QACzC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEvD,gBAAgB,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAEvE,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,IAAI,SAAS,CAAC,WAAW,EAAE,MAAM,CAAC;QAC5D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,CAAC,EAAE,wBAAwB,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC;YAC9C,OA
AO,EAAE,eAAe,CAAC,aAAa;YACtC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,OAAO,EAAE,IAAI,CAAC,MAAM;SACrB,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,MAAM,kBAAkB,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;QAEzE,MAAM,iBAAiB,GAAsB;YAC3C,cAAc,EAAE,CAAC;YACjB,IAAI,EAAE,kBAAkB,CAAC,aAAa;YACtC,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,MAAM,EAAE,KAAK;YACb,SAAS,EAAE,kBAAkB;YAC7B,aAAa,EAAE,KAAK,CAAC,aAAa;SACnC,CAAC;QAEF,MAAM,kBAAkB,GAAuB;YAC7C,cAAc,EAAE,CAAC;YACjB,IAAI,EAAE,kBAAkB,CAAC,cAAc;YACvC,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,SAAS,EAAE,kBAAkB;YAC7B,aAAa,EAAE,KAAK,CAAC,aAAa;SACnC,CAAC;QAEF,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,iBAAiB,EAAE,kBAAkB,CAAC,CAAC,CAAC;QACzE,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAE5C,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,CAAC,iBAAiB,EAAE,kBAAkB,CAAC;YAC/C,MAAM;SACP,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAAc;QAC9B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAChD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,uBAAuB,CAAC,MAAM,CAAC,CAAC,CAAC;QACnF,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC;QACnC,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAExD,MAAM,gBAAgB,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YACpD,IAAI,OAAO,CAAC,IAAI,KAAK,gBAAgB,CAAC,kBAAkB,EAAE,CAAC;gBACzD,OAAO,OAAO,CAAC,gBAAgB,CAAC;YAClC,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QAEH,MAAM,mBAAmB,GACvB,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,wBAAwB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAElF,OAAO;YACL,OAAO,EAAE,MAAM;YACf,IAAI;YACJ,KAAK;YACL,WAAW,EAAE,UAAU;YACvB,QAAQ;YACR,gBAAgB,EAAE,qBAAqB,CAAC,CAAC,GAAG,gBAAgB,EAAE,GAAG,mBAAmB,CAAC,CAAC;YACtF,MAAM;SACP,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,MAAc;QAC1C,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,YAAY,EA
AE,MAAM,CAAC,CAAC;QACrE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,2BAA2B,MAAM,EAAE,CAAC,CAAC;QACvD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,MAAc;QAC3C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAChD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,uBAAuB,CAAC,MAAM,CAAC,CAAC,CAAC;QACjF,OAAO,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACxC,CAAC;IAEO,KAAK,CAAC,wBAAwB,CACpC,IAAc,EACd,KAAgB;QAEhB,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,MAAM,CAAC;QACxC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC;YAClD,OAAO,EAAE,eAAe,CAAC,aAAa;YACtC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,IAAI,CAAC,EAAE;YAChB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,OAAO,EAAE,IAAI,CAAC,MAAM;SACrB,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC,SAAS,CAAC;IAC9B,CAAC;IAEO,KAAK,CAAC,0BAA0B;QACtC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;QAClE,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAAC,MAAc;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;QACpE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,uEAAuE;QACvE,wEAAwE;QACxE,6DAA6D;QAC7D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;QACrD,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;QAErC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,KAAK,CAAC,IAAI,KAAK,gBAAgB,CAAC,iBAAiB,EAAE,CAAC;gBACtD,SAAS;YACX,CAAC;YACD,IAAI,KAAK,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;gBAC7B,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YAC7B,IAAI,KAAK,CAAC,IAAI,KAAK,gBAAgB,CAAC,iBAAiB,EAAE,CAAC;gBACtD,OAAO,KAAK,CAAC,OAAO,KAAK,MAAM,CAAC;YAClC,CAAC;YACD,OAAO,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAuC;IAEvC,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC1D,MAAM,iBAAiB,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAC9D,MAAM,aAAa,GAAG,iBAAiB,CAAC,cAAc,CAAC;IACvD,MAAM,SAAS,GAAG,MAAM,g
BAAgB,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAE9C,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAC/B,OAAO,CAAC,YAAY;QAClB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,oBAAoB,EAAE,6BAA6B,CAAC,CAChF,CAAC;IACF,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CACjC,OAAO,CAAC,cAAc;QACpB,IAAI,CAAC,IAAI,CACP,aAAa,EACb,oBAAoB,EACpB,8BAA8B,EAC9B,+BAA+B,CAChC,CACJ,CAAC;IACF,MAAM,iBAAiB,GAAG,IAAI,CAAC,OAAO,CACpC,OAAO,CAAC,iBAAiB;QACvB,IAAI,CAAC,IAAI,CACP,aAAa,EACb,oBAAoB,EACpB,8BAA8B,EAC9B,oCAAoC,CACrC,CACJ,CAAC;IACF,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAC/B,OAAO,CAAC,YAAY;QAClB,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,oBAAoB,EAAE,gCAAgC,CAAC,CACnF,CAAC;IAEF,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;IACjD,MAAM,WAAW,GAAuB,EAAE,CAAC;IAE3C,KAAK,MAAM,GAAG,IAAI,aAAa,CAAC,KAAK,EAAE,CAAC;QACtC,IAAI,UAA4B,CAAC;QACjC,IAAI,CAAC;YACH,UAAU,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC;gBACjC,aAAa;gBACb,MAAM,EAAE,GAAG,CAAC,EAAE;aACf,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACzE,CAAC;QACD,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC/B,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC;IACpC,IAAI,OAAO,CAAC,mBAAmB,KAAK,KAAK,EAAE,CAAC;QAC1C,+BAA+B,CAAC,QAAQ,EAAE;YACxC,cAAc,EAAE,aAAa,CAAC,QAAQ,CAAC,cAAc;SACtD,CAAC,CAAC;IACL,CAAC;IAED,MAAM,sBAAsB,GAC1B,OAAO,CAAC,sBAAsB,IAAI,oCAAoC,CAAC;IACzE,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,KAAK,MAAM,IAAI,IAAI,UAAU,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YAC7C,IAAI,UAAiC,CAAC;YACtC,IAAI,CAAC;gBACH,UAAU,GAAG,MAAM,sBAAsB,CAAC;oBACxC,aAAa;oBACb,UAAU;oBACV,IAAI;iBACL,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE;oBACjF,KAAK,EAAE,KAAK;iBACb,CAAC,CAAC;YACL,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC;QACpC,MAAM,EAAE,OAAO,CAAC,YAAY,IAAI,wBAAwB,CAAC,WAAW,CAAC;KACtE,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,IAAI,aAAa
,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC;IAE1D,MAAM,iBAAiB,GAAsB;QAC3C,cAAc;QACd,YAAY,EAAE,iBAAiB;QAC/B,cAAc,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,oBAAoB,CAAC,YAAY,EAAE,MAAM,CAAC;KAC7E,CAAC;IACF,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,iBAAiB,CAAC,CAAC;IACrD,MAAM,qBAAqB,GAA0B;QACnD,cAAc,EAAE,CAAC;QACjB,IAAI,EAAE,kBAAkB,CAAC,iBAAiB;QAC1C,SAAS,EAAE,kBAAkB,CAAC,GAAG,CAAC;QAClC,WAAW,EAAE,iBAAiB,CAAC,qBAAqB;QACpD,eAAe,EAAE,8BAA8B;KAChD,CAAC;IACF,MAAM,UAAU,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAE/C,MAAM,QAAQ,GAAG,IAAI,QAAQ,CAAC;QAC5B,QAAQ;QACR,aAAa;QACb,oBAAoB,EAClB,OAAO,CAAC,oBAAoB;YAC5B,IAAI,2BAA2B,CAAC;gBAC9B,aAAa;gBACb,GAAG,OAAO,CAAC,kCAAkC;aAC9C,CAAC;QACJ,UAAU,EAAE,uBAAuB,CAAC,YAAY,CAAC;QACjD,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC,CAAC;IACH,MAAM,QAAQ,CAAC,SAAS,EAAE,CAAC;IAE3B,OAAO,IAAI,oBAAoB,CAAC;QAC9B,cAAc,EAAE,aAAa;QAC7B,mBAAmB,EAAE,iBAAiB,CAAC,mBAAmB;QAC1D,qBAAqB,EAAE,iBAAiB,CAAC,qBAAqB;QAC9D,YAAY,EAAE,WAAW;QACzB,cAAc,EAAE,YAAY;QAC5B,WAAW,EAAE,UAAU;QACvB,cAAc,EAAE,aAAa;QAC7B,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;QAC3B,aAAa,EAAE,iBAAiB,CAAC,WAAW,CAAC;QAC7C,GAAG;QACH,cAAc,EAAE,OAAO,CAAC,YAAY;KACrC,CAAC,CAAC;AACL,CAAC"}
|
|
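--- a/package/dist/sandbox/bwrap-invocation.d.ts
+++ b/package/dist/sandbox/bwrap-invocation.d.ts
@@ -0,0 +1,13 @@
+import type { SandboxProfile } from './profile.js';
+export interface SandboxInvocation {
+command: string;
+args: string[];
+env: Record<string, string>;
+}
+export interface BuildBwrapInvocationInput {
+profile: SandboxProfile;
+command: string[];
+sandboxBinary?: string;
+}
+export declare function buildBwrapInvocation(input: BuildBwrapInvocationInput): SandboxInvocation;
+//# sourceMappingURL=bwrap-invocation.d.ts.map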
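--- a/package/dist/sandbox/bwrap-invocation.d.ts.map
+++ b/package/dist/sandbox/bwrap-invocation.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"bwrap-invocation.d.ts","sourceRoot":"","sources":["../../src/sandbox/bwrap-invocation.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAoB,cAAc,EAAE,MAAM,cAAc,CAAC;AAErE,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,cAAc,CAAC;IACxB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAgGD,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,yBAAyB,GAAG,iBAAiB,CAoCxF"}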
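--- a/package/dist/sandbox/bwrap-invocation.js
+++ b/package/dist/sandbox/bwrap-invocation.js
@@ -0,0 +1,105 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: Apache-2.0
+import path from 'node:path';
+const SYSTEM_READONLY_ALLOWLIST = ['/usr', '/bin', '/sbin', '/lib', '/lib64', '/etc'];
+function assertCommand(command) {
+if (command.length === 0) {
+throw new Error('Sandbox command is required');
+}
+}
+function dedupeMounts(mounts) {
+const unique = new Map();
+for (const mount of mounts) {
+const key = `${mount.source}=>${mount.target}`;
+if (!unique.has(key)) {
+unique.set(key, mount);
+}
+}
+return [...unique.values()];
+}
+function normalizePrefix(prefix) {
+const resolved = path.resolve(prefix);
+if (resolved === path.sep) {
+return resolved;
+}
+return resolved.replace(/[/\\]+$/, '');
+}
+function isWithinPrefix(candidate, prefix) {
+const normalizedCandidate = normalizePrefix(candidate);
+const normalizedPrefix = normalizePrefix(prefix);
+if (normalizedPrefix === path.sep) {
+return true;
+}
+return (normalizedCandidate === normalizedPrefix ||
+normalizedCandidate.startsWith(`${normalizedPrefix}${path.sep}`));
+}
+function collectCommandMountPrefixes(profile) {
+const prefixes = [
+...profile.readonly_bind_mounts.map((mount) => mount.target),
+...profile.writable_bind_mounts.map((mount) => mount.target),
+];
+return [...new Set(prefixes.map(normalizePrefix))];
+}
+function collectCommandReadonlyMounts(profile, command) {
+const mountPrefixes = collectCommandMountPrefixes(profile);
+const mounts = [];
+for (const segment of command) {
+if (!path.isAbsolute(segment)) {
+continue;
+}
+const absolute = path.resolve(segment);
+const parent = path.dirname(absolute);
+const grandparent = path.dirname(parent);
+if (parent !== '/' && mountPrefixes.some((prefix) => isWithinPrefix(parent, prefix))) {
+mounts.push({ source: parent, target: parent });
+}
+if (grandparent !== '/' &&
+mountPrefixes.some((prefix) => isWithinPrefix(grandparent, prefix))) {
+mounts.push({ source: grandparent, target: grandparent });
+}
+}
+return dedupeMounts(mounts);
+}
+function collectReadonlyAllowlistMounts(profile, command) {
+const writableTargets = new Set(profile.writable_bind_mounts.map((mount) => mount.target));
+const readonlyMounts = [
+...SYSTEM_READONLY_ALLOWLIST.map((mountPath) => ({
+source: mountPath,
+target: mountPath,
+})),
+...collectCommandReadonlyMounts(profile, command),
+...profile.readonly_bind_mounts,
+];
+return dedupeMounts(readonlyMounts).filter((mount) => !writableTargets.has(mount.target));
+}
+export function buildBwrapInvocation(input) {
+assertCommand(input.command);
+const args = ['--die-with-parent', '--new-session', '--tmpfs', '/'];
+for (const mount of collectReadonlyAllowlistMounts(input.profile, input.command)) {
+args.push('--ro-bind', mount.source, mount.target);
+}
+for (const mount of input.profile.writable_bind_mounts) {
+args.push('--bind', mount.source, mount.target);
+}
+for (const overlay of input.profile.deny_overlays) {
+if (overlay.kind === 'file') {
+args.push('--bind', '/dev/null', overlay.path);
+}
+else {
+args.push('--tmpfs', overlay.path);
+}
+}
+if (input.profile.network_posture === 'off') {
+args.push('--unshare-net');
+}
+for (const [key, value] of Object.entries(input.profile.env)) {
+args.push('--setenv', key, value);
+}
+args.push('--proc', '/proc', '--dev', '/dev', '--', ...input.command);
+return {
+command: input.sandboxBinary || 'bwrap',
+args,
+env: input.profile.env,
+};
+}
+//# sourceMappingURL=bwrap-invocation.js.map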
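Review bot: In `buildBwrapInvocation` the only namespace ever unshared is the network one, yet `--proc /proc` is mounted unconditionally, so the worker keeps the host PID namespace and the procfs inside the sandbox presumably shows host processes, whose per-process entries are not covered by the bind-mount and deny-overlay model. Starting the argument list as `const args = ['--die-with-parent', '--new-session', '--unshare-pid', '--tmpfs', '/'];` would scope the mounted procfs to the sandbox; `--unshare-ipc` and `--unshare-uts` are worth adding unless a tool depends on them. A short comment above `SYSTEM_READONLY_ALLOWLIST` explaining why all of `/etc` is exposed read-only would also help the next reviewer.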
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"bwrap-invocation.js","sourceRoot":"","sources":["../../src/sandbox/bwrap-invocation.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,sCAAsC;AAEtC,OAAO,IAAI,MAAM,WAAW,CAAC;AAe7B,MAAM,yBAAyB,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAU,CAAC;AAE/F,SAAS,aAAa,CAAC,OAAiB;IACtC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,MAA0B;IAC9C,MAAM,MAAM,GAAG,IAAI,GAAG,EAA4B,CAAC;IACnD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,GAAG,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,eAAe,CAAC,MAAc;IACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACtC,IAAI,QAAQ,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC;QAC1B,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,OAAO,QAAQ,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,cAAc,CAAC,SAAiB,EAAE,MAAc;IACvD,MAAM,mBAAmB,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IACvD,MAAM,gBAAgB,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACjD,IAAI,gBAAgB,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,CACL,mBAAmB,KAAK,gBAAgB;QACxC,mBAAmB,CAAC,UAAU,CAAC,GAAG,gBAAgB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CACjE,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAAC,OAAuB;IAC1D,MAAM,QAAQ,GAAG;QACf,GAAG,OAAO,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC;QAC5D,GAAG,OAAO,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC;KAC7D,CAAC;IACF,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,4BAA4B,CACnC,OAAuB,EACvB,OAAiB;IAEjB,MAAM,aAAa,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAuB,EAAE,CAAC;IAEtC,KAAK,MAAM,OAAO,IAAI,OAAO,EAAE,CAAC;QAC9B,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,SAAS;QACX,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACvC,MAAM,MAAM,GAAG,IAAI,CAAC,
OAAO,CAAC,QAAQ,CAAC,CAAC;QACtC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAEzC,IAAI,MAAM,KAAK,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,EAAE,CAAC;YACrF,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;QAClD,CAAC;QACD,IACE,WAAW,KAAK,GAAG;YACnB,aAAa,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,cAAc,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,EACnE,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,8BAA8B,CACrC,OAAuB,EACvB,OAAiB;IAEjB,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IAC3F,MAAM,cAAc,GAAG;QACrB,GAAG,yBAAyB,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC/C,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC;QACH,GAAG,4BAA4B,CAAC,OAAO,EAAE,OAAO,CAAC;QACjD,GAAG,OAAO,CAAC,oBAAoB;KAChC,CAAC;IAEF,OAAO,YAAY,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;AAC5F,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,KAAgC;IACnE,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAE7B,MAAM,IAAI,GAAa,CAAC,mBAAmB,EAAE,eAAe,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;IAE9E,KAAK,MAAM,KAAK,IAAI,8BAA8B,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACjF,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,oBAAoB,EAAE,CAAC;QACvD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;QAClD,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,eAAe,KAAK,KAAK,EAAE,CAAC;QAC5C,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MA
AM,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7D,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;IAEtE,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,aAAa,IAAI,OAAO;QACvC,IAAI;QACJ,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG;KACvB,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAGA,cAAc,uBAAuB,CAAC;AACtC,cAAc,cAAc,CAAC;AAC7B,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC"}
|
|
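--- a/package/dist/sandbox/index.js
+++ b/package/dist/sandbox/index.js
@@ -0,0 +1,7 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: Apache-2.0
+export * from './bwrap-invocation.js';
+export * from './profile.js';
+export * from './subprocess-dispatcher.js';
+export * from './tool-runner-worker.js';
+//# sourceMappingURL=index.js.map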
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,sCAAsC;AAEtC,cAAc,uBAAuB,CAAC;AACtC,cAAc,cAAc,CAAC;AAC7B,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC"}
|
|
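--- a/package/dist/sandbox/profile.d.ts
+++ b/package/dist/sandbox/profile.d.ts
@@ -0,0 +1,32 @@
+import type { ToolScope } from '../kernel.schemas.js';
+export type SandboxNetworkPosture = 'off' | 'full';
+export interface SandboxBindMount {
+source: string;
+target: string;
+}
+export interface SandboxDenyOverlay {
+path: string;
+kind: 'directory' | 'file';
+}
+export interface SandboxProfile {
+readonly_bind_mounts: SandboxBindMount[];
+writable_bind_mounts: SandboxBindMount[];
+network_posture: SandboxNetworkPosture;
+deny_overlays: SandboxDenyOverlay[];
+env: Record<string, string>;
+}
+export interface CreateDefaultDenyOverlaysInput {
+workspaceRoot: string;
+homeDir?: string;
+}
+export interface BuildSandboxProfileFromScopesOptions {
+workspaceRoot?: string;
+homeDir?: string;
+env?: NodeJS.ProcessEnv;
+denyOverlays?: SandboxDenyOverlay[];
+}
+export declare const READ_CONFINEMENT_NOTE = "read confinement best-effort (v1)";
+export declare function createDefaultDenyOverlays(input: CreateDefaultDenyOverlaysInput): SandboxDenyOverlay[];
+export declare function resolveScopeEnforcementNote(scopes: ToolScope[]): string | undefined;
+export declare function buildSandboxProfileFromScopes(scopeEnforced: ToolScope[], options?: BuildSandboxProfileFromScopesOptions): SandboxProfile;
+//# sourceMappingURL=profile.d.ts.map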
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"profile.d.ts","sourceRoot":"","sources":["../../src/sandbox/profile.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEtD,MAAM,MAAM,qBAAqB,GAAG,KAAK,GAAG,MAAM,CAAC;AAEnD,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,WAAW,GAAG,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,cAAc;IAC7B,oBAAoB,EAAE,gBAAgB,EAAE,CAAC;IACzC,oBAAoB,EAAE,gBAAgB,EAAE,CAAC;IACzC,eAAe,EAAE,qBAAqB,CAAC;IACvC,aAAa,EAAE,kBAAkB,EAAE,CAAC;IACpC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,8BAA8B;IAC7C,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,oCAAoC;IACnD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,YAAY,CAAC,EAAE,kBAAkB,EAAE,CAAC;CACrC;AAED,eAAO,MAAM,qBAAqB,sCAAsC,CAAC;AAwDzE,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,8BAA8B,GACpC,kBAAkB,EAAE,CAStB;AAED,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,GAAG,SAAS,CAGnF;AAED,wBAAgB,6BAA6B,CAC3C,aAAa,EAAE,SAAS,EAAE,EAC1B,OAAO,GAAE,oCAAyC,GACjD,cAAc,CAsChB"}
|
|
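--- a/package/dist/sandbox/profile.js
+++ b/package/dist/sandbox/profile.js
@@ -0,0 +1,101 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: Apache-2.0
+import os from 'node:os';
+import path from 'node:path';
+export const READ_CONFINEMENT_NOTE = 'read confinement best-effort (v1)';
+function isGlobSegment(segment) {
+return /[*?[{(]/.test(segment);
+}
+function resolveScopePatternToPath(pattern, workspaceRoot) {
+const normalized = pattern.replaceAll('\\', '/');
+const rawSegments = normalized.split('/').filter((segment) => segment.length > 0);
+const staticSegments = [];
+for (const segment of rawSegments) {
+if (isGlobSegment(segment)) {
+break;
+}
+staticSegments.push(segment);
+}
+if (normalized.startsWith('/')) {
+const absolutePrefix = staticSegments.length === 0 ? '/' : `/${staticSegments.join('/')}`;
+return path.resolve(absolutePrefix);
+}
+if (staticSegments.length === 0) {
+return path.resolve(workspaceRoot);
+}
+return path.resolve(workspaceRoot, staticSegments.join('/'));
+}
+function dedupeMounts(mounts) {
+const seen = new Set();
+return mounts.filter((mount) => {
+const key = `${mount.source}=>${mount.target}`;
+if (seen.has(key)) {
+return false;
+}
+seen.add(key);
+return true;
+});
+}
+function normalizeEnvironment(env) {
+if (!env) {
+return {};
+}
+const normalized = {};
+for (const [key, value] of Object.entries(env)) {
+if (typeof value === 'string') {
+normalized[key] = value;
+}
+}
+return normalized;
+}
+export function createDefaultDenyOverlays(input) {
+const workspaceRoot = path.resolve(input.workspaceRoot);
+const homeDir = path.resolve(input.homeDir || os.homedir());
+return [
+{ path: path.join(homeDir, '.ssh'), kind: 'directory' },
+{ path: path.join(homeDir, '.aws'), kind: 'directory' },
+{ path: path.join(homeDir, '.gnupg'), kind: 'directory' },
+{ path: path.join(workspaceRoot, '.env'), kind: 'file' },
+];
+}
+export function resolveScopeEnforcementNote(scopes) {
+const hasReadPathScope = scopes.some((scope) => scope.type === 'path' && scope.access === 'read');
+return hasReadPathScope ? READ_CONFINEMENT_NOTE : undefined;
+}
+export function buildSandboxProfileFromScopes(scopeEnforced, options = {}) {
+const workspaceRoot = path.resolve(options.workspaceRoot || process.cwd());
+const writable_bind_mounts = [];
+const readonly_bind_mounts = [];
+let network_posture = 'off';
+for (const scope of scopeEnforced) {
+if (scope.type === 'network') {
+if (scope.posture === 'full') {
+network_posture = 'full';
+}
+continue;
+}
+const resolvedPath = resolveScopePatternToPath(scope.pattern, workspaceRoot);
+const mount = {
+source: resolvedPath,
+target: resolvedPath,
+};
+if (scope.access === 'write') {
+writable_bind_mounts.push(mount);
+}
+else {
+readonly_bind_mounts.push(mount);
+}
+}
+return {
+readonly_bind_mounts: dedupeMounts(readonly_bind_mounts),
+writable_bind_mounts: dedupeMounts(writable_bind_mounts),
+network_posture,
+deny_overlays: options.denyOverlays ||
+createDefaultDenyOverlays({
+workspaceRoot,
+homeDir: options.homeDir,
+}),
+env: normalizeEnvironment(options.env),
+};
+}
+//# sourceMappingURL=profile.js.map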
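Review bot: `resolveScopePatternToPath` never checks that the path it returns stays under `workspaceRoot`: `..` is not treated as a glob segment, so a relative pattern is resolved with `path.resolve(workspaceRoot, …)` straight out of the workspace, an absolute pattern is used as given, and one whose first segment is a glob resolves to `/`. `buildSandboxProfileFromScopes` then turns an `access === 'write'` scope on such a path into a writable bind, and bwrap-invocation.js drops any read-only mount whose target equals a writable target, so a single broad scope can make a system directory writable inside the sandbox. If scopes are meant to be workspace-relative, a guard such as `const rel = path.relative(workspaceRoot, resolvedPath);` followed by `if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) throw new Error('scope escapes workspace');` before building `mount` would enforce that; if absolute scopes are intended, at least `/` and the system allowlist paths should be refused for write access. Cutting the pattern at its first glob segment also widens a write scope like `src/*.ts` to all of `src`, while `READ_CONFINEMENT_NOTE` is only attached when a read scope is present.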
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"profile.js","sourceRoot":"","sources":["../../src/sandbox/profile.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,sCAAsC;AAEtC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAmC7B,MAAM,CAAC,MAAM,qBAAqB,GAAG,mCAAmC,CAAC;AAEzE,SAAS,aAAa,CAAC,OAAe;IACpC,OAAO,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,yBAAyB,CAAC,OAAe,EAAE,aAAqB;IACvE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACjD,MAAM,WAAW,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAClF,MAAM,cAAc,GAAa,EAAE,CAAC;IAEpC,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,IAAI,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,MAAM;QACR,CAAC;QACD,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAED,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,cAAc,GAAG,cAAc,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1F,OAAO,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACrC,CAAC;IAED,OAAO,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,YAAY,CAAC,MAA0B;IAC9C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QAC7B,MAAM,GAAG,GAAG,GAAG,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QAC/C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAkC;IAC9D,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,UAAU,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,KAAqC;IAErC,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,IAAI,C
AAC,OAAO,CAAC,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,OAAO;QACL,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE;QACvD,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE;QACvD,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE;QACzD,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE;KACzD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,MAAmB;IAC7D,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,MAAM,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;IAClG,OAAO,gBAAgB,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9D,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,aAA0B,EAC1B,UAAgD,EAAE;IAElD,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC3E,MAAM,oBAAoB,GAAuB,EAAE,CAAC;IACpD,MAAM,oBAAoB,GAAuB,EAAE,CAAC;IACpD,IAAI,eAAe,GAA0B,KAAK,CAAC;IAEnD,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;QAClC,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,KAAK,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;gBAC7B,eAAe,GAAG,MAAM,CAAC;YAC3B,CAAC;YACD,SAAS;QACX,CAAC;QAED,MAAM,YAAY,GAAG,yBAAyB,CAAC,KAAK,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAC7E,MAAM,KAAK,GAAqB;YAC9B,MAAM,EAAE,YAAY;YACpB,MAAM,EAAE,YAAY;SACrB,CAAC;QACF,IAAI,KAAK,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAC7B,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,CAAC;aAAM,CAAC;YACN,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,OAAO;QACL,oBAAoB,EAAE,YAAY,CAAC,oBAAoB,CAAC;QACxD,oBAAoB,EAAE,YAAY,CAAC,oBAAoB,CAAC;QACxD,eAAe;QACf,aAAa,EACX,OAAO,CAAC,YAAY;YACpB,yBAAyB,CAAC;gBACxB,aAAa;gBACb,OAAO,EAAE,OAAO,CAAC,OAAO;aACzB,CAAC;QACJ,GAAG,EAAE,oBAAoB,CAAC,OAAO,CAAC,GAAG,CAAC;KACvC,CAAC;AACJ,CAAC"}
|
|
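--- a/package/dist/sandbox/subprocess-dispatcher.d.ts
+++ b/package/dist/sandbox/subprocess-dispatcher.d.ts
@@ -0,0 +1,38 @@
+import type { ToolOutput } from '../kernel.schemas.js';
+import type { SubprocessDispatchRequest, SubprocessDispatcher } from '../tool-host/subprocess-dispatcher.js';
+export interface SubprocessTransportRequest {
+command: string;
+args: string[];
+stdin: string;
+env: Record<string, string>;
+}
+export interface SubprocessTransportResult {
+code: number;
+stdout: string;
+stderr: string;
+}
+export interface SubprocessTransport {
+execute(request: SubprocessTransportRequest): Promise<SubprocessTransportResult>;
+}
+export interface SandboxSubprocessDispatcherOptions {
+commandExists?: (binary: string) => boolean;
+transport?: SubprocessTransport;
+workspaceRoot?: string;
+homeDir?: string;
+env?: NodeJS.ProcessEnv;
+workerEntry?: string;
+nodeBinary?: string;
+}
+export declare class NodeSubprocessTransport implements SubprocessTransport {
+execute(request: SubprocessTransportRequest): Promise<SubprocessTransportResult>;
+}
+export declare class SandboxSubprocessDispatcher implements SubprocessDispatcher {
+private readonly commandExists;
+private readonly transport;
+private readonly profileOptions;
+private readonly workerEntry;
+private readonly nodeBinary;
+constructor(options?: SandboxSubprocessDispatcherOptions);
+dispatch(request: SubprocessDispatchRequest): Promise<ToolOutput>;
+}
+//# sourceMappingURL=subprocess-dispatcher.d.ts.map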
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"subprocess-dispatcher.d.ts","sourceRoot":"","sources":["../../src/sandbox/subprocess-dispatcher.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,UAAU,EAAa,MAAM,sBAAsB,CAAC;AAClE,OAAO,KAAK,EACV,yBAAyB,EACzB,oBAAoB,EACrB,MAAM,uCAAuC,CAAC;AAa/C,MAAM,WAAW,0BAA0B;IACzC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,yBAAyB;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,CAAC,OAAO,EAAE,0BAA0B,GAAG,OAAO,CAAC,yBAAyB,CAAC,CAAC;CAClF;AAED,MAAM,WAAW,kCAAkC;IACjD,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC;IAC5C,SAAS,CAAC,EAAE,mBAAmB,CAAC;IAChC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AA4CD,qBAAa,uBAAwB,YAAW,mBAAmB;IAC3D,OAAO,CAAC,OAAO,EAAE,0BAA0B,GAAG,OAAO,CAAC,yBAAyB,CAAC;CAsCvF;AAED,qBAAa,2BAA4B,YAAW,oBAAoB;IACtE,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA8B;IAC5D,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAsB;IAChD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAuC;IACtE,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,OAAO,GAAE,kCAAuC;IAYtD,QAAQ,CAAC,OAAO,EAAE,yBAAyB,GAAG,OAAO,CAAC,UAAU,CAAC;CA0ExE"}
|
|
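--- a/package/dist/sandbox/subprocess-dispatcher.js
+++ b/package/dist/sandbox/subprocess-dispatcher.js
@@ -0,0 +1,145 @@
+// Copyright (c) 2026 Hellmai Ltd
+// SPDX-License-Identifier: Apache-2.0
+import { spawn, spawnSync } from 'node:child_process';
+import { randomUUID } from 'node:crypto';
+import fs from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { buildBwrapInvocation } from './bwrap-invocation.js';
+import { buildSandboxProfileFromScopes, resolveScopeEnforcementNote, } from './profile.js';
+import { UTF8_ENCODING } from '../shared-constants.js';
+import { parseToolRunnerWorkerResponse, } from './tool-runner-worker.js';
+function buildFailureOutput(code, message, details) {
+return {
+success: false,
+error: {
+code,
+message,
+...(details ? { details } : {}),
+},
+};
+}
+function withScopeNote(output, scopes) {
+const scopeEnforcementNote = resolveScopeEnforcementNote(scopes);
+if (!scopeEnforcementNote) {
+return output;
+}
+return {
+...output,
+metadata: {
+...(output.metadata || {}),
+scope_enforcement_note: scopeEnforcementNote,
+},
+};
+}
+function defaultCommandExists(binary) {
+const probe = spawnSync(binary, ['--help'], { stdio: 'ignore' });
+return !probe.error;
+}
+function resolveDefaultWorkerEntry() {
+const jsPath = fileURLToPath(new URL('./tool-runner-worker.js', import.meta.url));
+if (fs.existsSync(jsPath)) {
+return jsPath;
+}
+return fileURLToPath(new URL('./tool-runner-worker.ts', import.meta.url));
+}
+export class NodeSubprocessTransport {
+async execute(request) {
+return new Promise((resolve, reject) => {
+const child = spawn(request.command, request.args, {
+stdio: 'pipe',
+env: {
+...process.env,
+...request.env,
+},
+});
+let stdout = '';
+let stderr = '';
+child.stdout.setEncoding(UTF8_ENCODING);
+child.stderr.setEncoding(UTF8_ENCODING);
+child.stdout.on('data', (chunk) => {
+stdout += chunk;
+});
+child.stderr.on('data', (chunk) => {
+stderr += chunk;
+});
+child.on('error', (error) => {
+reject(error);
+});
+child.on('close', (code) => {
+resolve({
+code: code ?? 1,
+stdout,
+stderr,
+});
+});
+child.stdin.end(request.stdin);
+});
+}
+}
+export class SandboxSubprocessDispatcher {
+commandExists;
+transport;
+profileOptions;
+workerEntry;
+nodeBinary;
+constructor(options = {}) {
+this.commandExists = options.commandExists || defaultCommandExists;
+this.transport = options.transport || new NodeSubprocessTransport();
+this.profileOptions = {
+workspaceRoot: options.workspaceRoot,
+homeDir: options.homeDir,
+env: options.env,
+};
+this.workerEntry = options.workerEntry || resolveDefaultWorkerEntry();
+this.nodeBinary = options.nodeBinary || process.execPath;
+}
+async dispatch(request) {
+if (request.capability.handler.kind !== 'subprocess') {
+return buildFailureOutput('INVALID_HANDLER_KIND', 'Subprocess dispatcher requires subprocess handlers.');
+}
+if (!this.commandExists('bwrap')) {
+return withScopeNote(buildFailureOutput('SUBPROCESS_SANDBOX_UNAVAILABLE', 'Subprocess execution unavailable: required binary "bwrap" was not found.'), request.scopeEnforced);
+}
+const invocationPayload = {
+tool_name: request.capability.name,
+handler_entry: request.capability.handler.entry,
+input: request.input,
+scope_enforced: request.scopeEnforced,
+receipt_id: randomUUID(),
+};
+const profile = buildSandboxProfileFromScopes(request.scopeEnforced, this.profileOptions);
+const sandboxInvocation = buildBwrapInvocation({
+profile,
+command: [this.nodeBinary, this.workerEntry],
+});
+let transportResult;
+try {
+transportResult = await this.transport.execute({
+command: sandboxInvocation.command,
+args: sandboxInvocation.args,
+stdin: JSON.stringify(invocationPayload),
+env: sandboxInvocation.env,
+});
+}
+catch (error) {
+return withScopeNote(buildFailureOutput('SUBPROCESS_TRANSPORT_FAILED', error.message), request.scopeEnforced);
+}
+if (transportResult.code !== 0) {
+return withScopeNote(buildFailureOutput('SUBPROCESS_EXIT_NONZERO', 'Subprocess worker exited with non-zero code.', {
+exit_code: transportResult.code,
+stderr: transportResult.stderr,
+}), request.scopeEnforced);
+}
+try {
+const response = parseToolRunnerWorkerResponse(transportResult.stdout);
+return withScopeNote(response.output, request.scopeEnforced);
+}
+catch (error) {
+return withScopeNote(buildFailureOutput('SUBPROCESS_PROTOCOL_ERROR', error.message, {
+stdout: transportResult.stdout,
+stderr: transportResult.stderr,
+}), request.scopeEnforced);
+}
+}
+}
+//# sourceMappingURL=subprocess-dispatcher.js.map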
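Review bot: `NodeSubprocessTransport.execute` spawns with `env: { ...process.env, ...request.env }`, so bwrap starts with the host's whole environment, and since the arguments built in bwrap-invocation.js only add `--setenv` pairs and never `--clearenv`, the sandboxed worker appears to inherit it too; tokens and cloud credentials held in environment variables would then reach tool code even though `~/.aws` and the workspace `.env` are overlaid. Passing only what the launcher needs, e.g. `env: { PATH: process.env.PATH ?? '', ...request.env }`, together with `'--clearenv'` ahead of the `--setenv` pairs (in bubblewrap releases that support it), keeps the worker's environment to the profile's own entries. Separately, `stdout` and `stderr` are accumulated without a size cap or a timeout, and `dispatch` copies them verbatim into `details` on failure, so a misbehaving worker can grow memory without bound and place arbitrary text in the tool output; a byte limit and a kill timer in `execute` would bound both.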
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"subprocess-dispatcher.js","sourceRoot":"","sources":["../../src/sandbox/subprocess-dispatcher.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,sCAAsC;AAEtC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAMzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EACL,6BAA6B,EAC7B,2BAA2B,GAE5B,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EACL,6BAA6B,GAE9B,MAAM,yBAAyB,CAAC;AA6BjC,SAAS,kBAAkB,CACzB,IAAY,EACZ,OAAe,EACf,OAAiC;IAEjC,OAAO;QACL,OAAO,EAAE,KAAK;QACd,KAAK,EAAE;YACL,IAAI;YACJ,OAAO;YACP,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAChC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,MAAkB,EAAE,MAAmB;IAC5D,MAAM,oBAAoB,GAAG,2BAA2B,CAAC,MAAM,CAAC,CAAC;IACjE,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO;QACL,GAAG,MAAM;QACT,QAAQ,EAAE;YACR,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;YAC1B,sBAAsB,EAAE,oBAAoB;SAC7C;KACF,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAc;IAC1C,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IACjE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC;AACtB,CAAC;AAED,SAAS,yBAAyB;IAChC,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,GAAG,CAAC,yBAAyB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAClF,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,aAAa,CAAC,IAAI,GAAG,CAAC,yBAAyB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED,MAAM,OAAO,uBAAuB;IAClC,KAAK,CAAC,OAAO,CAAC,OAAmC;QAC/C,OAAO,IAAI,OAAO,CAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAChE,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE;gBACjD,KAAK,EAAE,MAAM;gBACb,GAAG,EAAE;oBACH,GAAG,OAAO,CAAC,GAAG;oBACd,GAAG,OAAO,CAAC,GAAG;iBACf;aACF,CAAC,CAAC;YAEH,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,MAAM,GAAG,EAAE,CAAC;YAEhB,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;YACxC,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;YAExC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,C
AAC,KAAa,EAAE,EAAE;gBACxC,MAAM,IAAI,KAAK,CAAC;YAClB,CAAC,CAAC,CAAC;YACH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBACxC,MAAM,IAAI,KAAK,CAAC;YAClB,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;gBAC1B,MAAM,CAAC,KAAK,CAAC,CAAC;YAChB,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACzB,OAAO,CAAC;oBACN,IAAI,EAAE,IAAI,IAAI,CAAC;oBACf,MAAM;oBACN,MAAM;iBACP,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,OAAO,2BAA2B;IACrB,aAAa,CAA8B;IAC3C,SAAS,CAAsB;IAC/B,cAAc,CAAuC;IACrD,WAAW,CAAS;IACpB,UAAU,CAAS;IAEpC,YAAY,UAA8C,EAAE;QAC1D,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,oBAAoB,CAAC;QACnE,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,uBAAuB,EAAE,CAAC;QACpE,IAAI,CAAC,cAAc,GAAG;YACpB,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,GAAG,EAAE,OAAO,CAAC,GAAG;SACjB,CAAC;QACF,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,yBAAyB,EAAE,CAAC;QACtE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,QAAQ,CAAC;IAC3D,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAAkC;QAC/C,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACrD,OAAO,kBAAkB,CACvB,sBAAsB,EACtB,qDAAqD,CACtD,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,OAAO,aAAa,CAClB,kBAAkB,CAChB,gCAAgC,EAChC,0EAA0E,CAC3E,EACD,OAAO,CAAC,aAAa,CACtB,CAAC;QACJ,CAAC;QAED,MAAM,iBAAiB,GAA+B;YACpD,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,IAAI;YAClC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK;YAC/C,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,cAAc,EAAE,OAAO,CAAC,aAAa;YACrC,UAAU,EAAE,UAAU,EAAE;SACzB,CAAC;QAEF,MAAM,OAAO,GAAG,6BAA6B,CAAC,OAAO,CAAC,aAAa,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;QAC1F,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;YAC7C,OAAO;YACP,OAAO,EAAE,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC;SAC7C,CAAC,CAAC;QAEH,IAAI,eAA0C,CAAC;QAC/C,IAAI,CAAC;YACH,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;gBAC7C,OAAO,EAAE,iBAAiB,CAAC,OAAO;gBAClC,IAAI,EAAE,iBAAiB,CAAC,IAAI;gBAC5B,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,iBAAiB,CA
AC;gBACxC,GAAG,EAAE,iBAAiB,CAAC,GAAG;aAC3B,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,aAAa,CAClB,kBAAkB,CAAC,6BAA6B,EAAG,KAAe,CAAC,OAAO,CAAC,EAC3E,OAAO,CAAC,aAAa,CACtB,CAAC;QACJ,CAAC;QAED,IAAI,eAAe,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,aAAa,CAClB,kBAAkB,CAChB,yBAAyB,EACzB,8CAA8C,EAC9C;gBACE,SAAS,EAAE,eAAe,CAAC,IAAI;gBAC/B,MAAM,EAAE,eAAe,CAAC,MAAM;aAC/B,CACF,EACD,OAAO,CAAC,aAAa,CACtB,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,6BAA6B,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;YACvE,OAAO,aAAa,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;QAC/D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,aAAa,CAClB,kBAAkB,CAAC,2BAA2B,EAAG,KAAe,CAAC,OAAO,EAAE;gBACxE,MAAM,EAAE,eAAe,CAAC,MAAM;gBAC9B,MAAM,EAAE,eAAe,CAAC,MAAM;aAC/B,CAAC,EACF,OAAO,CAAC,aAAa,CACtB,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}
|
|
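--- a/package/dist/sandbox/tool-runner-worker.d.ts
+++ b/package/dist/sandbox/tool-runner-worker.d.ts
@@ -0,0 +1,54 @@
+import { z } from 'zod';
+import { type ToolOutput, type ToolScope } from '../kernel.schemas.js';
+export interface ToolRunnerWorkerContext {
+tool_name: string;
+receipt_id: string;
+scope_enforced: ToolScope[];
+}
+export declare const ToolRunnerWorkerInvocationSchema: z.ZodObject<{
+tool_name: z.ZodString;
+handler_entry: z.ZodString;
+input: z.ZodUnknown;
+scope_enforced: z.ZodArray<z.ZodDiscriminatedUnion<[z.ZodObject<{
+type: z.ZodLiteral<"path">;
+pattern: z.ZodString;
+access: z.ZodEnum<{
+read: "read";
+write: "write";
+}>;
+}, z.core.$strip>, z.ZodObject<{
+type: z.ZodLiteral<"network">;
+posture: z.ZodEnum<{
+off: "off";
+full: "full";
+}>;
+}, z.core.$strip>], "type">>;
+receipt_id: z.ZodString;
+}, z.core.$strip>;
+export type ToolRunnerWorkerInvocation = z.infer<typeof ToolRunnerWorkerInvocationSchema>;
+export declare const ToolRunnerWorkerResponseSchema: z.ZodObject<{
+output: z.ZodObject<{
+success: z.ZodBoolean;
+data: z.ZodOptional<z.ZodUnknown>;
+error: z.ZodOptional<z.ZodObject<{
+code: z.ZodString;
+message: z.ZodString;
+details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>>;
+metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+}, z.core.$strip>;
+export type ToolRunnerWorkerResponse = z.infer<typeof ToolRunnerWorkerResponseSchema>;
+export interface ToolRunnerWorkerExecutionOptions {
+importModule?: (specifier: string) => Promise<unknown>;
+}
+export interface ToolRunnerWorkerStreams {
+stdin: NodeJS.ReadableStream;
+stdout: NodeJS.WritableStream;
+stderr: NodeJS.WritableStream;
+}
+export declare function parseToolRunnerWorkerResponse(raw: string): ToolRunnerWorkerResponse;
+export declare function executeToolRunnerInvocation(invocationInput: unknown, options?: ToolRunnerWorkerExecutionOptions): Promise<ToolOutput>;
+export declare function runToolRunnerWorkerFromStreams(streams: ToolRunnerWorkerStreams, options?: ToolRunnerWorkerExecutionOptions): Promise<void>;
+export declare function runToolRunnerWorkerProcess(): Promise<void>;
+//# sourceMappingURL=tool-runner-worker.d.ts.map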
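Review bot: The `handler_entry` field of `ToolRunnerWorkerInvocationSchema` is declared as a bare `z.ZodString` with no doc comment, and alongside `importModule?: (specifier: string) => Promise<unknown>` this suggests the worker imports whatever module specifier the invocation names; the implementation is not in this declaration file, so that is an inference. Since `executeToolRunnerInvocation` accepts `invocationInput: unknown`, the source should document where that string may come from, for example `/** Module specifier loaded by the worker; must originate from trusted kernel configuration, never from tool input. */` on the field. The declared type cannot show whether the schema also restricts the value (an allow-list or a resolved path under the pack root), so that is worth confirming in `src/sandbox/tool-runner-worker.ts`. Likewise `scope_enforced` arrives inside the same payload, so a comment on `ToolRunnerWorkerContext` should say it is a record of what the parent process enforced and that the worker does not itself apply it, if that is the case.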
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tool-runner-worker.d.ts","sourceRoot":"","sources":["../../src/sandbox/tool-runner-worker.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAGL,KAAK,UAAU,EACf,KAAK,SAAS,EACf,MAAM,sBAAsB,CAAC;AAI9B,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,SAAS,EAAE,CAAC;CAC7B;AAED,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;iBAM3C,CAAC;AAEH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gCAAgC,CAAC,CAAC;AAE1F,eAAO,MAAM,8BAA8B;;;;;;;;;;;iBAEzC,CAAC;AAEH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAEtF,MAAM,WAAW,gCAAgC;IAC/C,YAAY,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CACxD;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,MAAM,CAAC,cAAc,CAAC;IAC7B,MAAM,EAAE,MAAM,CAAC,cAAc,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC,cAAc,CAAC;CAC/B;AA0FD,wBAAgB,6BAA6B,CAAC,GAAG,EAAE,MAAM,GAAG,wBAAwB,CAGnF;AAED,wBAAsB,2BAA2B,CAC/C,eAAe,EAAE,OAAO,EACxB,OAAO,GAAE,gCAAqC,GAC7C,OAAO,CAAC,UAAU,CAAC,CA2DrB;AAED,wBAAsB,8BAA8B,CAClD,OAAO,EAAE,uBAAuB,EAChC,OAAO,GAAE,gCAAqC,GAC7C,OAAO,CAAC,IAAI,CAAC,CAgBf;AAED,wBAAsB,0BAA0B,IAAI,OAAO,CAAC,IAAI,CAAC,CAMhE"}
|