@mono-agent/sandbox 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md ADDED
@@ -0,0 +1,113 @@
1
+ # @mono-agent/sandbox
2
+
3
+ ## Category
4
+
5
+ Category: `runtime`
6
+
7
+ ## Responsibility
8
+
9
+ Fail-closed sandbox policy normalization and native process wrapping for runtime-owned command execution.
10
+
11
+ ## Install / Usage
12
+
13
+ ```bash
14
+ pnpm --filter @mono-agent/sandbox run build
15
+ ```
16
+
17
+ The drop-in path for hosts is one policy object handed to the runtime — every
18
+ built-in tool (Bash, Read/Write/Edit, Glob/Grep, WebFetch/WebSearch) and stdio
19
+ MCP startup then enforces it without per-call wiring:
20
+
21
+ ```ts
22
+ import { failClosedSandboxPolicy } from "@mono-agent/sandbox";
23
+
24
+ const runtime = createMonoRuntime({
25
+ workspace,
26
+ sandboxPolicy: failClosedSandboxPolicy({ root: workspace }),
27
+ });
28
+ ```
29
+
30
+ The same policy can be built from `MONO_AGENT_SANDBOX_*` env vars via
31
+ `@mono-agent/config`. For direct command preparation:
32
+
33
+ ```ts
34
+ import {
35
+ failClosedSandboxPolicy,
36
+ prepareSandboxedCommand,
37
+ } from "@mono-agent/sandbox";
38
+
39
+ const policy = failClosedSandboxPolicy({ root: process.cwd() });
40
+ const prepared = await prepareSandboxedCommand({
41
+ policy,
42
+ command: {
43
+ command: "/bin/bash",
44
+ args: ["-lc", "pnpm test"],
45
+ cwd: process.cwd(),
46
+ },
47
+ });
48
+ ```
49
+
50
+ By default the package prepares commands for a native `srt` sandbox and fails
51
+ closed when the sandbox engine is unavailable. An unsafe host-process fallback
52
+ requires both `fallback: "unsafe-host-process"` and
53
+ `unsafeAllowHostProcess: true`.
54
+
55
+ ## Policy Semantics
56
+
57
+ - `readableRoots` / `writableRoots` default to `[root]`; everything outside is
58
+ denied, the user's home directory is always added to the native deny-read
59
+ list unless a readable root covers it, and `~/.ssh` is always denied.
60
+ - `denyWrite` defaults to `DEFAULT_DENY_WRITE` (`.env`, `.env.*`,
61
+ `.git/config`, `.git/hooks/**`) and is enforced by the native engine.
62
+ - `network` is `none` by default. `allowlist` entries match exact hosts, or
63
+ subdomains with a `*.` prefix. `localhost` covers loopback addresses
64
+ including bracketed IPv6 (`[::1]`).
65
+ - `mergeSandboxPolicies(configured, request)` is monotonic: a request-scoped
66
+ policy can only tighten roots, network access, and the fallback — never
67
+ weaken or disable the configured policy. The runtime applies this merge
68
+ itself, so per-call options cannot bypass a host-configured policy.
69
+ - Engine availability (`srt --version`) is probed once per process, and srt
70
+ settings files are content-addressed under `tempRoot` and reused across
71
+ commands run under the same policy.
72
+
73
+ ## Public API
74
+
75
+ - `createSandboxPolicy` / `failClosedSandboxPolicy`
76
+ - `mergeSandboxPolicies`
77
+ - `sandboxRequired`
78
+ - `sandboxPolicyToRuntimeOptions`
79
+ - `createSrtSandboxEngine`
80
+ - `prepareSandboxedCommand`
81
+ - `srtSettingsForPolicy`
82
+ - `networkPolicyAllowsUrl`
83
+ - `SANDBOX_MODES`, `SANDBOX_NETWORK_MODES`, `SANDBOX_FALLBACKS`, `DEFAULT_DENY_WRITE`
84
+
85
+ ## Enforcement Scope
86
+
87
+ The native engine wraps runtime-owned process execution: Bash commands and
88
+ stdio MCP server startup. File tools (Read/Write/Edit/Glob/Grep) are enforced
89
+ in-process by path checks that include symlink-target containment. WebFetch
90
+ and WebSearch are enforced in-process by the network policy, including every
91
+ redirect hop. Provider CLI bridges (Claude Code CLI/SDK, Codex app) run their
92
+ own tool loops and are not wrapped by this policy yet — pair them with the
93
+ provider's own sandboxing when that matters.
94
+
95
+ ## Dependency Boundary
96
+
97
+ `@mono-agent/sandbox` is a runtime package. Beyond the shared
98
+ `@mono-agent/agent-contracts` error base it must stay independent of model
99
+ providers, host config, harness execution, communication adapters, and UI
100
+ packages so runtimes can share the same policy object without importing host
101
+ composition code.
102
+
103
+ ## What This Package Does Not Own
104
+
105
+ It does not implement prompt policy, user approval, provider credentials, memory, or adapter-specific allowlists. It also does not make an unavailable native sandbox safe by default; the default policy fails closed unless a caller explicitly opts into unsafe host execution.
106
+
107
+ ## Verification
108
+
109
+ ```bash
110
+ pnpm --filter @mono-agent/sandbox run build
111
+ pnpm --filter @mono-agent/sandbox run typecheck
112
+ pnpm --filter @mono-agent/sandbox run test
113
+ ```
@@ -0,0 +1,107 @@
1
+ import { CodedError } from "@mono-agent/agent-contracts";
2
+ export declare const SANDBOX_MODES: readonly ["native", "off"];
3
+ export type SandboxMode = (typeof SANDBOX_MODES)[number];
4
+ export declare const SANDBOX_NETWORK_MODES: readonly ["none", "localhost", "allowlist", "all"];
5
+ export type SandboxNetworkMode = (typeof SANDBOX_NETWORK_MODES)[number];
6
+ export declare const SANDBOX_FALLBACKS: readonly ["fail-closed", "unsafe-host-process"];
7
+ export type SandboxFallback = (typeof SANDBOX_FALLBACKS)[number];
8
+ export type SandboxEngineId = string;
9
+ export declare const DEFAULT_DENY_WRITE: readonly [".env", ".env.*", ".git/config", ".git/hooks/**"];
10
+ export interface SandboxNetworkPolicyInput {
11
+ readonly mode?: SandboxNetworkMode;
12
+ readonly allowlist?: readonly string[];
13
+ }
14
+ export interface SandboxPolicyInput {
15
+ readonly mode?: SandboxMode;
16
+ readonly engine?: SandboxEngineId;
17
+ readonly root?: string;
18
+ readonly readableRoots?: readonly string[];
19
+ readonly writableRoots?: readonly string[];
20
+ readonly denyWrite?: readonly string[];
21
+ readonly tempRoot?: string;
22
+ readonly network?: SandboxNetworkPolicyInput;
23
+ readonly fallback?: SandboxFallback;
24
+ readonly unsafeAllowHostProcess?: boolean;
25
+ }
26
+ export interface SandboxNetworkPolicy {
27
+ readonly mode: SandboxNetworkMode;
28
+ readonly allowlist: readonly string[];
29
+ }
30
+ export interface SandboxPolicy {
31
+ readonly mode: SandboxMode;
32
+ readonly engine: SandboxEngineId;
33
+ readonly root: string;
34
+ readonly readableRoots: readonly string[];
35
+ readonly writableRoots: readonly string[];
36
+ readonly denyWrite: readonly string[];
37
+ readonly tempRoot: string;
38
+ readonly network: SandboxNetworkPolicy;
39
+ readonly fallback: SandboxFallback;
40
+ readonly unsafeAllowHostProcess: boolean;
41
+ }
42
+ export type SandboxErrorCode = "invalid_sandbox_policy" | "sandbox_unavailable";
43
+ export declare class SandboxPolicyError extends CodedError<SandboxErrorCode> {
44
+ }
45
+ export declare class SandboxUnavailableError extends SandboxPolicyError {
46
+ constructor(message: string, details?: Record<string, unknown>);
47
+ }
48
+ export interface SandboxCommandSpec {
49
+ readonly command: string;
50
+ readonly args?: readonly string[];
51
+ readonly cwd?: string;
52
+ readonly env?: Record<string, string | undefined>;
53
+ }
54
+ export interface PreparedSandboxCommand extends SandboxCommandSpec {
55
+ readonly args: readonly string[];
56
+ readonly cwd: string;
57
+ readonly sandboxed: boolean;
58
+ readonly sandboxSettingsPath?: string;
59
+ readonly cleanup?: () => Promise<void>;
60
+ }
61
+ export interface SandboxEngine {
62
+ readonly id: SandboxEngineId;
63
+ isAvailable(): Promise<boolean>;
64
+ prepareCommand(command: SandboxCommandSpec, policy: SandboxPolicy): Promise<PreparedSandboxCommand>;
65
+ }
66
+ export interface PrepareSandboxedCommandInput {
67
+ readonly policy?: SandboxPolicy;
68
+ readonly command: SandboxCommandSpec;
69
+ readonly engine?: SandboxEngine;
70
+ }
71
+ export interface SandboxPolicyRuntimeOptions {
72
+ readonly sandboxPolicy: SandboxPolicy;
73
+ }
74
+ export interface SrtNetworkSettings {
75
+ readonly allowedDomains: readonly string[];
76
+ readonly deniedDomains: readonly string[];
77
+ readonly allowLocalBinding: boolean;
78
+ readonly allowAllUnixSockets: boolean;
79
+ }
80
+ export interface SrtFilesystemSettings {
81
+ readonly denyRead: readonly string[];
82
+ readonly allowRead: readonly string[];
83
+ readonly allowWrite: readonly string[];
84
+ readonly denyWrite: readonly string[];
85
+ }
86
+ export interface SrtSettings {
87
+ readonly network: SrtNetworkSettings;
88
+ readonly filesystem: SrtFilesystemSettings;
89
+ }
90
+ export interface SrtSandboxEngineOptions {
91
+ readonly command?: string;
92
+ }
93
+ export declare function createSandboxPolicy(input?: SandboxPolicyInput): SandboxPolicy;
94
+ export declare function failClosedSandboxPolicy(input?: Omit<SandboxPolicyInput, "mode" | "fallback" | "unsafeAllowHostProcess">): SandboxPolicy;
95
+ export declare function sandboxRequired(policy: SandboxPolicy): boolean;
96
+ export declare function sandboxPolicyToRuntimeOptions(policy: SandboxPolicy): SandboxPolicyRuntimeOptions;
97
+ /**
98
+ * Monotonic merge: the result is never more permissive than `configured`.
99
+ * A request-scoped policy can only tighten roots, network access, and the
100
+ * fallback; it can never re-enable host execution or widen filesystem access.
101
+ */
102
+ export declare function mergeSandboxPolicies(configured: SandboxPolicy | undefined, request: SandboxPolicy | undefined): SandboxPolicy | undefined;
103
+ export declare function createSrtSandboxEngine(options?: SrtSandboxEngineOptions): SandboxEngine;
104
+ export declare function prepareSandboxedCommand(input: PrepareSandboxedCommandInput): Promise<PreparedSandboxCommand>;
105
+ export declare function srtSettingsForPolicy(policy: SandboxPolicy): SrtSettings;
106
+ export declare function networkPolicyAllowsUrl(policy: SandboxPolicy | undefined, url: string): boolean;
107
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAIzD,eAAO,MAAM,aAAa,4BAA6B,CAAC;AACxD,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzD,eAAO,MAAM,qBAAqB,oDAAqD,CAAC;AACxF,MAAM,MAAM,kBAAkB,GAAG,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,CAAC;AAExE,eAAO,MAAM,iBAAiB,iDAAkD,CAAC;AACjF,MAAM,MAAM,eAAe,GAAG,CAAC,OAAO,iBAAiB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEjE,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC;AAErC,eAAO,MAAM,kBAAkB,6DAA8D,CAAC;AAE9F,MAAM,WAAW,yBAAyB;IACxC,QAAQ,CAAC,IAAI,CAAC,EAAE,kBAAkB,CAAC;IACnC,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACxC;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC;IAC5B,QAAQ,CAAC,MAAM,CAAC,EAAE,eAAe,CAAC;IAClC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3C,QAAQ,CAAC,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3C,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,OAAO,CAAC,EAAE,yBAAyB,CAAC;IAC7C,QAAQ,CAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;IACpC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAC3C;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,kBAAkB,CAAC;IAClC,QAAQ,CAAC,SAAS,EAAE,SAAS,MAAM,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC;IACjC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,aAAa,EAAE,SAAS,MAAM,EAAE,CAAC;IAC1C,QAAQ,CAAC,aAAa,EAAE,SAAS,MAAM,EAAE,CAAC;IAC1C,QAAQ,CAAC,SAAS,EAAE,SAAS,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,OAAO,EAAE,oBAAoB,CAAC;IACvC,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,QAAQ,CAAC,sBAAsB,EAAE,OAAO,CAAC;CAC1C;AAED,MAAM,MAAM,gBAAgB,GACxB,wBAAwB,GACxB,qBAAqB,CAAC;AAE1B,qBAAa,kBAAmB,SAAQ,UAAU,CAAC,gBAAgB,CAAC;CAAG;AAEvE,qBAAa,uBAAwB,SAAQ,kBAAkB;gBACjD,OAAO,EAAE,MAAM,EAAE,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM;CAGnE;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,QAAQ,CAAC,GAAG,CAAC,EAAE,M
AAM,CAAC;IACtB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CACnD;AAED,MAAM,WAAW,sBAAuB,SAAQ,kBAAkB;IAChE,QAAQ,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IACtC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,EAAE,EAAE,eAAe,CAAC;IAC7B,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAChC,cAAc,CAAC,OAAO,EAAE,kBAAkB,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAAC;CACrG;AAED,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,kBAAkB,CAAC;IACrC,QAAQ,CAAC,MAAM,CAAC,EAAE,aAAa,CAAC;CACjC;AAED,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;CACvC;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,cAAc,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3C,QAAQ,CAAC,aAAa,EAAE,SAAS,MAAM,EAAE,CAAC;IAC1C,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;CACvC;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,SAAS,EAAE,SAAS,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,QAAQ,CAAC,SAAS,EAAE,SAAS,MAAM,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,OAAO,EAAE,kBAAkB,CAAC;IACrC,QAAQ,CAAC,UAAU,EAAE,qBAAqB,CAAC;CAC5C;AAED,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,wBAAgB,mBAAmB,CAAC,KAAK,GAAE,kBAAuB,GAAG,aAAa,CA+BjF;AAED,wBAAgB,uBAAuB,CAAC,KAAK,GAAE,IAAI,CAAC,kBAAkB,EAAE,MAAM,GAAG,UAAU,GAAG,wBAAwB,CAAM,GAAG,aAAa,CAQ3I;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAE9D;AAED,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,aAAa,GAAG,2BAA2B,CAEhG;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,aAAa,GAAG,SAAS,EACrC,OAAO,EAAE,aAAa,GAAG,SAAS,GACjC,aAAa,GAAG,SAAS,CAwB3B;AAED,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,uBAA4B,GAAG,aAAa,CAyB3F;AAgBD,wBAAsB,uBAAuB,CAAC,KAAK,EAAE,4BAA4B,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAuBlH;AAED,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,aAAa,GAAG,WAAW,CAevE;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,aAAa,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAsB9F
"}
package/dist/index.js ADDED
@@ -0,0 +1,378 @@
1
+ import { execFile } from "node:child_process";
2
+ import { createHash, randomUUID } from "node:crypto";
3
+ import { existsSync } from "node:fs";
4
+ import { mkdir, rename, writeFile } from "node:fs/promises";
5
+ import { homedir } from "node:os";
6
+ import { dirname, resolve } from "node:path";
7
+ import { promisify } from "node:util";
8
+ import { CodedError } from "@mono-agent/agent-contracts";
9
+ const execFileAsync = promisify(execFile);
10
+ export const SANDBOX_MODES = ["native", "off"];
11
+ export const SANDBOX_NETWORK_MODES = ["none", "localhost", "allowlist", "all"];
12
+ export const SANDBOX_FALLBACKS = ["fail-closed", "unsafe-host-process"];
13
+ export const DEFAULT_DENY_WRITE = [".env", ".env.*", ".git/config", ".git/hooks/**"];
14
+ export class SandboxPolicyError extends CodedError {
15
+ }
16
+ export class SandboxUnavailableError extends SandboxPolicyError {
17
+ constructor(message, details = {}) {
18
+ super("sandbox_unavailable", message, details);
19
+ }
20
+ }
21
+ export function createSandboxPolicy(input = {}) {
22
+ const mode = input.mode ?? "native";
23
+ const root = normalizePath(input.root ?? process.cwd(), "root");
24
+ const fallback = input.fallback ?? "fail-closed";
25
+ const unsafeAllowHostProcess = input.unsafeAllowHostProcess === true;
26
+ if (fallback === "unsafe-host-process" && !unsafeAllowHostProcess) {
27
+ throw new SandboxPolicyError("invalid_sandbox_policy", "unsafe-host-process fallback requires unsafeAllowHostProcess: true.", { field: "unsafeAllowHostProcess" });
28
+ }
29
+ const readableRoots = normalizePathList(input.readableRoots ?? [root], root, "readableRoots");
30
+ const writableRoots = normalizePathList(input.writableRoots ?? [root], root, "writableRoots");
31
+ const denyWrite = normalizeStringList(input.denyWrite ?? DEFAULT_DENY_WRITE, "denyWrite");
32
+ const tempRoot = normalizePath(input.tempRoot ?? resolve(root, ".mono-agent", "tmp"), "tempRoot");
33
+ const network = normalizeNetworkPolicy(input.network);
34
+ return {
35
+ mode,
36
+ engine: normalizeNonEmptyString(input.engine ?? "srt", "engine"),
37
+ root,
38
+ readableRoots,
39
+ writableRoots,
40
+ denyWrite,
41
+ tempRoot,
42
+ network,
43
+ fallback,
44
+ unsafeAllowHostProcess,
45
+ };
46
+ }
47
+ export function failClosedSandboxPolicy(input = {}) {
48
+ return createSandboxPolicy({
49
+ ...input,
50
+ mode: "native",
51
+ fallback: "fail-closed",
52
+ unsafeAllowHostProcess: false,
53
+ network: input.network ?? { mode: "none" },
54
+ });
55
+ }
56
+ export function sandboxRequired(policy) {
57
+ return policy.mode !== "off" && policy.fallback === "fail-closed";
58
+ }
59
+ export function sandboxPolicyToRuntimeOptions(policy) {
60
+ return { sandboxPolicy: policy };
61
+ }
62
+ /**
63
+ * Monotonic merge: the result is never more permissive than `configured`.
64
+ * A request-scoped policy can only tighten roots, network access, and the
65
+ * fallback; it can never re-enable host execution or widen filesystem access.
66
+ */
67
+ export function mergeSandboxPolicies(configured, request) {
68
+ if (configured === undefined) {
69
+ return request;
70
+ }
71
+ if (request === undefined) {
72
+ return configured;
73
+ }
74
+ if (configured.mode === "off") {
75
+ return request.mode === "native" ? request : configured;
76
+ }
77
+ if (request.mode === "off") {
78
+ return configured;
79
+ }
80
+ return {
81
+ ...configured,
82
+ readableRoots: intersectRoots(configured.readableRoots, request.readableRoots),
83
+ writableRoots: intersectRoots(configured.writableRoots, request.writableRoots),
84
+ denyWrite: [...new Set([...(configured.denyWrite ?? []), ...(request.denyWrite ?? [])])],
85
+ network: mergeNetworkPolicies(configured.network, request.network),
86
+ fallback: configured.fallback === "fail-closed" || request.fallback === "fail-closed"
87
+ ? "fail-closed"
88
+ : configured.fallback,
89
+ unsafeAllowHostProcess: configured.unsafeAllowHostProcess && request.unsafeAllowHostProcess,
90
+ };
91
+ }
92
+ export function createSrtSandboxEngine(options = {}) {
93
+ const command = options.command ?? "srt";
94
+ // Availability cannot change mid-session in a way we can act on, and the
95
+ // probe spawns a process — resolve it once per engine instance.
96
+ let availability = null;
97
+ return {
98
+ id: "srt",
99
+ isAvailable() {
100
+ availability ??= execFileAsync(command, ["--version"], { timeout: 5_000 })
101
+ .then(() => true, () => false);
102
+ return availability;
103
+ },
104
+ async prepareCommand(spec, policy) {
105
+ const cwd = resolve(spec.cwd ?? policy.root);
106
+ const settingsPath = await writeSrtSettingsFile(policy);
107
+ return {
108
+ ...spec,
109
+ command,
110
+ args: ["--settings", settingsPath, spec.command, ...(spec.args ?? [])],
111
+ cwd,
112
+ sandboxed: true,
113
+ sandboxSettingsPath: settingsPath,
114
+ };
115
+ },
116
+ };
117
+ }
118
+ const defaultEngines = new Map();
119
+ function resolveDefaultEngine(policy) {
120
+ if (policy.engine !== "srt") {
121
+ return undefined;
122
+ }
123
+ let engine = defaultEngines.get(policy.engine);
124
+ if (engine === undefined) {
125
+ engine = createSrtSandboxEngine();
126
+ defaultEngines.set(policy.engine, engine);
127
+ }
128
+ return engine;
129
+ }
130
+ export async function prepareSandboxedCommand(input) {
131
+ const policy = input.policy;
132
+ const command = normalizeCommandSpec(input.command, policy?.root);
133
+ if (policy == null || policy.mode === "off") {
134
+ return { ...command, sandboxed: false };
135
+ }
136
+ const engine = input.engine ?? resolveDefaultEngine(policy);
137
+ if (engine === undefined || !(await engine.isAvailable())) {
138
+ if (policy.fallback === "unsafe-host-process" && policy.unsafeAllowHostProcess) {
139
+ return { ...command, sandboxed: false };
140
+ }
141
+ throw new SandboxUnavailableError(engine === undefined
142
+ ? `No sandbox engine is registered for "${policy.engine}" and policy is fail-closed.`
143
+ : "Sandbox engine is unavailable and policy is fail-closed.", {
144
+ engine: engine?.id ?? policy.engine,
145
+ command: command.command,
146
+ });
147
+ }
148
+ return engine.prepareCommand(command, policy);
149
+ }
150
+ export function srtSettingsForPolicy(policy) {
151
+ return {
152
+ network: {
153
+ allowedDomains: domainsForNetworkPolicy(policy.network),
154
+ deniedDomains: [],
155
+ allowLocalBinding: policy.network.mode === "localhost",
156
+ allowAllUnixSockets: false,
157
+ },
158
+ filesystem: {
159
+ denyRead: denyReadRootsForPolicy(policy),
160
+ allowRead: [...policy.readableRoots],
161
+ allowWrite: [...policy.writableRoots],
162
+ denyWrite: [...(policy.denyWrite ?? DEFAULT_DENY_WRITE)],
163
+ },
164
+ };
165
+ }
166
+ export function networkPolicyAllowsUrl(policy, url) {
167
+ if (policy == null || policy.mode === "off") {
168
+ return true;
169
+ }
170
+ let parsed;
171
+ try {
172
+ parsed = new URL(url);
173
+ }
174
+ catch {
175
+ return false;
176
+ }
177
+ // URL.hostname keeps IPv6 hosts bracketed ("[::1]"); match on the bare host.
178
+ const host = stripIpv6Brackets(parsed.hostname.toLowerCase());
179
+ if (policy.network.mode === "all") {
180
+ return true;
181
+ }
182
+ if (policy.network.mode === "none") {
183
+ return false;
184
+ }
185
+ if (policy.network.mode === "localhost") {
186
+ return isLocalhost(host);
187
+ }
188
+ return policy.network.allowlist.some((domain) => domainMatches(host, domain));
189
+ }
190
+ function normalizeCommandSpec(spec, fallbackCwd) {
191
+ const command = normalizeNonEmptyString(spec.command, "command");
192
+ const cwd = resolve(spec.cwd ?? fallbackCwd ?? process.cwd());
193
+ return {
194
+ command,
195
+ args: normalizeArgs(spec.args ?? []),
196
+ cwd,
197
+ ...(spec.env === undefined ? {} : { env: { ...spec.env } }),
198
+ sandboxed: false,
199
+ };
200
+ }
201
+ // argv entries may legitimately be empty (e.g. `--prefix ""`) and whitespace is
202
+ // significant, so unlike policy fields they are only type-checked.
203
+ function normalizeArgs(values) {
204
+ if (!Array.isArray(values)) {
205
+ throw new SandboxPolicyError("invalid_sandbox_policy", "args must be an array.", { field: "args" });
206
+ }
207
+ return values.map((value, index) => {
208
+ if (typeof value !== "string") {
209
+ throw new SandboxPolicyError("invalid_sandbox_policy", `args[${index}] must be a string.`, { field: `args[${index}]` });
210
+ }
211
+ return value;
212
+ });
213
+ }
214
+ function normalizeNetworkPolicy(input) {
215
+ const mode = input?.mode ?? "none";
216
+ if (!SANDBOX_NETWORK_MODES.includes(mode)) {
217
+ throw new SandboxPolicyError("invalid_sandbox_policy", "Invalid sandbox network mode.", { mode });
218
+ }
219
+ const allowlist = normalizeStringList(input?.allowlist ?? [], "network.allowlist")
220
+ .map((domain) => domain.toLowerCase());
221
+ if (mode === "allowlist" && allowlist.length === 0) {
222
+ throw new SandboxPolicyError("invalid_sandbox_policy", "allowlist network mode requires at least one domain.", {
223
+ field: "network.allowlist",
224
+ });
225
+ }
226
+ return {
227
+ mode,
228
+ allowlist: mode === "allowlist" ? allowlist : [],
229
+ };
230
+ }
231
+ /**
232
+ * Intersection semantics: the merged policy allows a host only if both
233
+ * policies allow it. Incomparable modes (localhost vs allowlist) reduce to the
234
+ * allowlist entries that are loopback hosts; an empty intersection is "none",
235
+ * never an invalid empty allowlist.
236
+ */
237
+ function mergeNetworkPolicies(configured, request) {
238
+ if (request === undefined) {
239
+ return configured;
240
+ }
241
+ if (configured.mode === "none" || request.mode === "none") {
242
+ return { mode: "none", allowlist: [] };
243
+ }
244
+ if (configured.mode === "all") {
245
+ return { mode: request.mode, allowlist: [...request.allowlist] };
246
+ }
247
+ if (request.mode === "all") {
248
+ return { mode: configured.mode, allowlist: [...configured.allowlist] };
249
+ }
250
+ if (configured.mode === "localhost" && request.mode === "localhost") {
251
+ return { mode: "localhost", allowlist: [] };
252
+ }
253
+ if (configured.mode === "allowlist" && request.mode === "allowlist") {
254
+ const requestDomains = new Set(request.allowlist);
255
+ const allowlist = configured.allowlist.filter((domain) => requestDomains.has(domain)).sort();
256
+ return allowlist.length === 0 ? { mode: "none", allowlist: [] } : { mode: "allowlist", allowlist };
257
+ }
258
+ const loopbackEntries = (configured.mode === "allowlist" ? configured.allowlist : request.allowlist)
259
+ .filter((domain) => isLocalhost(domain))
260
+ .sort();
261
+ return loopbackEntries.length === 0
262
+ ? { mode: "none", allowlist: [] }
263
+ : { mode: "allowlist", allowlist: loopbackEntries };
264
+ }
265
+ function intersectRoots(configured, request) {
266
+ const out = new Set();
267
+ for (const configuredRoot of configured) {
268
+ for (const requestRoot of request) {
269
+ if (pathContains(configuredRoot, requestRoot)) {
270
+ out.add(requestRoot);
271
+ }
272
+ else if (pathContains(requestRoot, configuredRoot)) {
273
+ out.add(configuredRoot);
274
+ }
275
+ }
276
+ }
277
+ return removeCoveredRoots([...out].sort());
278
+ }
279
+ function domainsForNetworkPolicy(policy) {
280
+ if (policy.mode === "all") {
281
+ return ["*"];
282
+ }
283
+ if (policy.mode === "localhost") {
284
+ return ["localhost", "127.0.0.1", "::1"];
285
+ }
286
+ if (policy.mode === "allowlist") {
287
+ return [...policy.allowlist];
288
+ }
289
+ return [];
290
+ }
291
+ function denyReadRootsForPolicy(policy) {
292
+ const roots = new Set();
293
+ const home = homedir();
294
+ // Secrets live under the home directory; deny it unless the policy
295
+ // explicitly grants it. More-specific allowRead roots inside home still win.
296
+ const homeReadable = policy.readableRoots.some((root) => pathContains(root, home));
297
+ if (!homeReadable) {
298
+ roots.add(home);
299
+ }
300
+ for (const readableRoot of policy.readableRoots) {
301
+ if (readableRoot === home || readableRoot.startsWith(`${home}/`)) {
302
+ roots.add(dirname(home));
303
+ }
304
+ if (readableRoot.startsWith("/Users/")) {
305
+ roots.add("/Users");
306
+ }
307
+ if (readableRoot.startsWith("/home/")) {
308
+ roots.add("/home");
309
+ }
310
+ }
311
+ roots.add(resolve(home, ".ssh"));
312
+ return removeCoveredRoots([...roots].sort());
313
+ }
314
+ // srt settings are a pure function of the policy, so the file is
315
+ // content-addressed and shared across every command run under that policy.
316
+ async function writeSrtSettingsFile(policy) {
317
+ const content = `${JSON.stringify(srtSettingsForPolicy(policy), null, 2)}\n`;
318
+ const digest = createHash("sha256").update(content).digest("hex").slice(0, 16);
319
+ const settingsPath = resolve(policy.tempRoot, `srt-settings-${digest}.json`);
320
+ if (existsSync(settingsPath)) {
321
+ return settingsPath;
322
+ }
323
+ await mkdir(policy.tempRoot, { recursive: true });
324
+ const stagingPath = `${settingsPath}.${process.pid}.${randomUUID()}.tmp`;
325
+ await writeFile(stagingPath, content, "utf8");
326
+ await rename(stagingPath, settingsPath);
327
+ return settingsPath;
328
+ }
329
+ function normalizePath(value, field) {
330
+ return resolve(normalizeNonEmptyString(value, field));
331
+ }
332
+ function normalizePathList(values, root, field) {
333
+ const paths = normalizeStringList(values, field).map((value) => resolve(root, value));
334
+ return [...new Set(paths)];
335
+ }
336
+ function normalizeStringList(values, field) {
337
+ if (!Array.isArray(values)) {
338
+ throw new SandboxPolicyError("invalid_sandbox_policy", `${field} must be an array.`, { field });
339
+ }
340
+ return values.map((value, index) => normalizeNonEmptyString(value, `${field}[${index}]`));
341
+ }
342
+ function normalizeNonEmptyString(value, field) {
343
+ if (typeof value !== "string") {
344
+ throw new SandboxPolicyError("invalid_sandbox_policy", `${field} must be a string.`, { field });
345
+ }
346
+ const normalized = value.trim();
347
+ if (normalized.length === 0) {
348
+ throw new SandboxPolicyError("invalid_sandbox_policy", `${field} must not be empty.`, { field });
349
+ }
350
+ return normalized;
351
+ }
352
+ function stripIpv6Brackets(host) {
353
+ return host.startsWith("[") && host.endsWith("]") ? host.slice(1, -1) : host;
354
+ }
355
+ function isLocalhost(host) {
356
+ return host === "localhost" || host === "::1" || host === "127.0.0.1" || host.startsWith("127.");
357
+ }
358
+ function domainMatches(host, pattern) {
359
+ if (pattern.startsWith("*.")) {
360
+ const suffix = pattern.slice(1);
361
+ return host.endsWith(suffix) && host.length > suffix.length;
362
+ }
363
+ return host === pattern;
364
+ }
365
+ function pathContains(root, target) {
366
+ return target === root || target.startsWith(root === "/" ? "/" : `${root}/`);
367
+ }
368
+ function removeCoveredRoots(paths) {
369
+ const out = [];
370
+ for (const path of paths) {
371
+ if (out.some((root) => pathContains(root, path))) {
372
+ continue;
373
+ }
374
+ out.push(path);
375
+ }
376
+ return out;
377
+ }
378
+ //# sourceMappingURL=index.js.map
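Review bot: The srt settings file that enforces the sandbox is written under `policy.tempRoot`, which defaults to `<root>/.mono-agent/tmp` and so sits inside the default writable root, and `writeSrtSettingsFile` reuses any existing `srt-settings-<digest>.json` via `existsSync` without checking its content, so a command run under the policy can rewrite the settings that later commands under the same policy are launched with. Two changes close this: deny writes to the temp root in the generated settings, `denyWrite: [...(policy.denyWrite ?? DEFAULT_DENY_WRITE), policy.tempRoot]` in `srtSettingsForPolicy` (assuming srt's denyWrite overrides allowWrite and accepts absolute paths, which the default `.env` entries under the writable root already rely on), and only reuse a cached file when its bytes match, `if (existsSync(settingsPath) && (await readFile(settingsPath, "utf8")) === content) return settingsPath;` with `readFile` added to the `node:fs/promises` import. Separately, `isLocalhost` treats any host beginning with `127.` as loopback, which also matches ordinary DNS names whose first label is `127`, and the same helper decides which allowlist entries survive in `mergeNetworkPolicies`; restrict it to a dotted-quad, `return host === "localhost" || host === "::1" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);` (URL parsing already normalizes IPv4 shorthand before the check). Finally, `createSandboxPolicy` validates `network.mode` against `SANDBOX_NETWORK_MODES` but accepts `mode` and `fallback` without checking them against `SANDBOX_MODES` / `SANDBOX_FALLBACKS`; an unknown value still ends up fail-closed in `prepareSandboxedCommand`, but the asymmetry deserves either a matching `includes` check or a comment saying why it is intentional.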
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAEzD,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAU,CAAC;AAGxD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,CAAU,CAAC;AAGxF,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,aAAa,EAAE,qBAAqB,CAAU,CAAC;AAKjF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,eAAe,CAAU,CAAC;AA0C9F,MAAM,OAAO,kBAAmB,SAAQ,UAA4B;CAAG;AAEvE,MAAM,OAAO,uBAAwB,SAAQ,kBAAkB;IAC7D,YAAY,OAAe,EAAE,UAAmC,EAAE;QAChE,KAAK,CAAC,qBAAqB,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;CACF;AAwDD,MAAM,UAAU,mBAAmB,CAAC,QAA4B,EAAE;IAChE,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,QAAQ,CAAC;IACpC,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,aAAa,CAAC;IACjD,MAAM,sBAAsB,GAAG,KAAK,CAAC,sBAAsB,KAAK,IAAI,CAAC;IACrE,IAAI,QAAQ,KAAK,qBAAqB,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAClE,MAAM,IAAI,kBAAkB,CAC1B,wBAAwB,EACxB,qEAAqE,EACrE,EAAE,KAAK,EAAE,wBAAwB,EAAE,CACpC,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAG,iBAAiB,CAAC,KAAK,CAAC,aAAa,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,eAAe,CAAC,CAAC;IAC9F,MAAM,aAAa,GAAG,iBAAiB,CAAC,KAAK,CAAC,aAAa,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,eAAe,CAAC,CAAC;IAC9F,MAAM,SAAS,GAAG,mBAAmB,CAAC,KAAK,CAAC,SAAS,IAAI,kBAAkB,EAAE,WAAW,CAAC,CAAC;IAC1F,MAAM,QAAQ,GAAG,aAAa,CAAC,KAAK,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE,aAAa,EAAE,KAAK,CAAC,EAAE,UAAU,CAAC,CAAC;IAClG,MAAM,OAAO,GAAG,sBAAsB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAEtD,OAAO;QACL,IAAI;QACJ,MAAM,EAAE,uBAAuB,CAAC,KAAK,CAAC,MAAM,IAAI,KAAK,EAAE,QAAQ,CAAC;QAChE,IAAI;QACJ,aAAa;QACb,aAAa;QAC
b,SAAS;QACT,QAAQ;QACR,OAAO;QACP,QAAQ;QACR,sBAAsB;KACvB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,QAAkF,EAAE;IAC1H,OAAO,mBAAmB,CAAC;QACzB,GAAG,KAAK;QACR,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,aAAa;QACvB,sBAAsB,EAAE,KAAK;QAC7B,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE;KAC3C,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,MAAqB;IACnD,OAAO,MAAM,CAAC,IAAI,KAAK,KAAK,IAAI,MAAM,CAAC,QAAQ,KAAK,aAAa,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,MAAqB;IACjE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC;AACnC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAAqC,EACrC,OAAkC;IAElC,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC9B,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC;IAC1D,CAAC;IACD,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3B,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,OAAO;QACL,GAAG,UAAU;QACb,aAAa,EAAE,cAAc,CAAC,UAAU,CAAC,aAAa,EAAE,OAAO,CAAC,aAAa,CAAC;QAC9E,aAAa,EAAE,cAAc,CAAC,UAAU,CAAC,aAAa,EAAE,OAAO,CAAC,aAAa,CAAC;QAC9E,SAAS,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,IAAI,EAAE,CAAC,EAAE,GAAG,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACxF,OAAO,EAAE,oBAAoB,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC;QAClE,QAAQ,EAAE,UAAU,CAAC,QAAQ,KAAK,aAAa,IAAI,OAAO,CAAC,QAAQ,KAAK,aAAa;YACnF,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,UAAU,CAAC,QAAQ;QACvB,sBAAsB,EAAE,UAAU,CAAC,sBAAsB,IAAI,OAAO,CAAC,sBAAsB;KAC5F,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,UAAmC,EAAE;IAC1E,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC;IACzC,yEAAyE;IACzE,gEAAgE;IAChE,IAAI,YAAY,GAA4B,IAAI,CAAC;IACjD,OAAO;QACL,EAAE,EAAE,KAAK;QACT,WAAW;YACT,YAAY,KAAK,aAAa,CAAC,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;iBACvE,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;YACjC,OAAO,YAAY,CAAC;QACtB,CAAC;QACD,KAAK,CAAC,cAAc,CAAC,IAAwB,EAAE,MAAqB;YAClE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC;YAC7C,MAAM,YAAY,GAAG,MAAM,oBAAoB
,CAAC,MAAM,CAAC,CAAC;YACxD,OAAO;gBACL,GAAG,IAAI;gBACP,OAAO;gBACP,IAAI,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;gBACtE,GAAG;gBACH,SAAS,EAAE,IAAI;gBACf,mBAAmB,EAAE,YAAY;aAClC,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,cAAc,GAAG,IAAI,GAAG,EAAkC,CAAC;AAEjE,SAAS,oBAAoB,CAAC,MAAqB;IACjD,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;QAC5B,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,MAAM,GAAG,sBAAsB,EAAE,CAAC;QAClC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,KAAmC;IAC/E,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;IAC5B,MAAM,OAAO,GAAG,oBAAoB,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;IAClE,IAAI,MAAM,IAAI,IAAI,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC5C,OAAO,EAAE,GAAG,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IAC1C,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,IAAI,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAC5D,IAAI,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC1D,IAAI,MAAM,CAAC,QAAQ,KAAK,qBAAqB,IAAI,MAAM,CAAC,sBAAsB,EAAE,CAAC;YAC/E,OAAO,EAAE,GAAG,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,IAAI,uBAAuB,CAC/B,MAAM,KAAK,SAAS;YAClB,CAAC,CAAC,wCAAwC,MAAM,CAAC,MAAM,8BAA8B;YACrF,CAAC,CAAC,0DAA0D,EAC9D;YACE,MAAM,EAAE,MAAM,EAAE,EAAE,IAAI,MAAM,CAAC,MAAM;YACnC,OAAO,EAAE,OAAO,CAAC,OAAO;SACzB,CACF,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,MAAqB;IACxD,OAAO;QACL,OAAO,EAAE;YACP,cAAc,EAAE,uBAAuB,CAAC,MAAM,CAAC,OAAO,CAAC;YACvD,aAAa,EAAE,EAAE;YACjB,iBAAiB,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,KAAK,WAAW;YACtD,mBAAmB,EAAE,KAAK;SAC3B;QACD,UAAU,EAAE;YACV,QAAQ,EAAE,sBAAsB,CAAC,MAAM,CAAC;YACxC,SAAS,EAAE,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC;YACpC,UAAU,EAAE,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC;YACrC,SAAS,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,kBAAkB,CAAC,CAAC;SACzD;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAiC,EAA
E,GAAW;IACnF,IAAI,MAAM,IAAI,IAAI,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,6EAA6E;IAC7E,MAAM,IAAI,GAAG,iBAAiB,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;IAC9D,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACnC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QACxC,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAwB,EAAE,WAA+B;IACrF,MAAM,OAAO,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9D,OAAO;QACL,OAAO;QACP,IAAI,EAAE,aAAa,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;QACpC,GAAG;QACH,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC3D,SAAS,EAAE,KAAK;KACjB,CAAC;AACJ,CAAC;AAED,gFAAgF;AAChF,mEAAmE;AACnE,SAAS,aAAa,CAAC,MAAyB;IAC9C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,kBAAkB,CAAC,wBAAwB,EAAE,wBAAwB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IACtG,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,IAAI,kBAAkB,CAAC,wBAAwB,EAAE,QAAQ,KAAK,qBAAqB,EAAE,EAAE,KAAK,EAAE,QAAQ,KAAK,GAAG,EAAE,CAAC,CAAC;QAC1H,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,sBAAsB,CAAC,KAA4C;IAC1E,MAAM,IAAI,GAAG,KAAK,EAAE,IAAI,IAAI,MAAM,CAAC;IACnC,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,kBAAkB,CAAC,wBAAwB,EAAE,+BAA+B,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACpG,CAAC;IACD,MAAM,SAAS,GAAG,mBAAmB,CAAC,KAAK,EAAE,SAAS,IAAI,EAAE,EAAE,mBAAmB,CAAC;SAC/E,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,M
AAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACzC,IAAI,IAAI,KAAK,WAAW,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnD,MAAM,IAAI,kBAAkB,CAAC,wBAAwB,EAAE,sDAAsD,EAAE;YAC7G,KAAK,EAAE,mBAAmB;SAC3B,CAAC,CAAC;IACL,CAAC;IACD,OAAO;QACL,IAAI;QACJ,SAAS,EAAE,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;KACjD,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,oBAAoB,CAC3B,UAAgC,EAChC,OAAyC;IAEzC,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,KAAK,MAAM,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC1D,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IACzC,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC9B,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,GAAG,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;IACnE,CAAC;IACD,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3B,OAAO,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;IACzE,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,KAAK,WAAW,IAAI,OAAO,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QACpE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;IAC9C,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,KAAK,WAAW,IAAI,OAAO,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QACpE,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7F,OAAO,SAAS,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;IACrG,CAAC;IACD,MAAM,eAAe,GAAG,CAAC,UAAU,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;SACjG,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;SACvC,IAAI,EAAE,CAAC;IACV,OAAO,eAAe,CAAC,MAAM,KAAK,CAAC;QACjC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE,EAAE;QACjC,CAAC,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC;AACxD,CAAC;AAED,SAAS,cAAc,CAAC,UAA6B,EAAE,OAA0B;IAC/E,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,cAAc,IAAI,UAAU,EAAE,CAAC;QACxC,KAAK,MAAM,WAAW,IAAI,OAAO,EAAE,CAAC;YAClC,IA
AI,YAAY,CAAC,cAAc,EAAE,WAAW,CAAC,EAAE,CAAC;gBAC9C,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YACvB,CAAC;iBAAM,IAAI,YAAY,CAAC,WAAW,EAAE,cAAc,CAAC,EAAE,CAAC;gBACrD,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,kBAAkB,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,uBAAuB,CAAC,MAA4B;IAC3D,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,OAAO,CAAC,WAAW,EAAE,WAAW,EAAE,KAAK,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAChC,OAAO,CAAC,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;IAC/B,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAqB;IACnD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;IACvB,mEAAmE;IACnE,6EAA6E;IAC7E,MAAM,YAAY,GAAG,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;IACnF,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClB,CAAC;IACD,KAAK,MAAM,YAAY,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QAChD,IAAI,YAAY,KAAK,IAAI,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC;YACjE,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,IAAI,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtB,CAAC;QACD,IAAI,YAAY,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IACD,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IACjC,OAAO,kBAAkB,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED,iEAAiE;AACjE,2EAA2E;AAC3E,KAAK,UAAU,oBAAoB,CAAC,MAAqB;IACvD,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,oBAAoB,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC;IAC7E,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC/E,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,MAAM,OAAO,CAAC,CAAC;IAC7E,IAAI,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC7B,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,MAAM,KAAK,CAA
C,MAAM,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,MAAM,WAAW,GAAG,GAAG,YAAY,IAAI,OAAO,CAAC,GAAG,IAAI,UAAU,EAAE,MAAM,CAAC;IACzE,MAAM,SAAS,CAAC,WAAW,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAC9C,MAAM,MAAM,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IACxC,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,aAAa,CAAC,KAAa,EAAE,KAAa;IACjD,OAAO,OAAO,CAAC,uBAAuB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAyB,EAAE,IAAY,EAAE,KAAa;IAC/E,MAAM,KAAK,GAAG,mBAAmB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;IACtF,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAyB,EAAE,KAAa;IACnE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,kBAAkB,CAAC,wBAAwB,EAAE,GAAG,KAAK,oBAAoB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,uBAAuB,CAAC,KAAK,EAAE,GAAG,KAAK,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC;AAC5F,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAc,EAAE,KAAa;IAC5D,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,kBAAkB,CAAC,wBAAwB,EAAE,GAAG,KAAK,oBAAoB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAChC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,kBAAkB,CAAC,wBAAwB,EAAE,GAAG,KAAK,qBAAqB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;IACnG,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY;IACrC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAC/E,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;AACnG,CAAC;AAED,SAAS,aAAa,CAAC,IAAY,EAAE,OAAe;IAClD,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAChC,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAC9D,CAAC;IACD,OAAO,IAAI,KAAK,OAAO,CAAC;AAC1B,CAAC;AAED,SAAS,YAAY,CAAC,IAAY,EAAE
,MAAc;IAChD,OAAO,MAAM,KAAK,IAAI,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAwB;IAClD,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC;YACjD,SAAS;QACX,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
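--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,31 @@
+{
+"name": "@mono-agent/sandbox",
+"version": "0.1.0",
+"description": "Fail-closed sandbox policy and native process wrapping for Mono Agent runtimes.",
+"type": "module",
+"license": "UNLICENSED",
+"private": false,
+"main": "./dist/index.js",
+"types": "./dist/index.d.ts",
+"exports": {
+".": {
+"types": "./dist/index.d.ts",
+"import": "./dist/index.js"
+}
+},
+"files": [
+"dist",
+"README.md"
+],
+"dependencies": {
+"@mono-agent/agent-contracts": "0.1.0"
+},
+"publishConfig": {
+"access": "public"
+},
+"scripts": {
+"build": "tsc -p tsconfig.build.json",
+"typecheck": "tsc -p tsconfig.json --noEmit",
+"test": "vitest run --passWithNoTests"
+}
+}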
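Review bot: The test script `"test": "vitest run --passWithNoTests"` lets this package go green with zero test files, which is a weak guarantee for a package whose stated responsibility is fail-closed sandbox policy; `"test": "vitest run"` would make an empty or misconfigured test directory fail loudly instead. `"license": "UNLICENSED"` sits next to `"private": false` and `"publishConfig": { "access": "public" }`, which is contradictory for a public-registry release — either declare a real SPDX identifier or set `"private": true`. The `files` entry `"dist"` also ships the `index.js.map` from the preceding section, whose `"sources"` points at `../src/index.ts` with no `sourcesContent`, so consumers receive dangling source references; harmless, but worth confirming it is intentional rather than adding `sourcesContent` or excluding the map.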