@neeter/server 0.8.1 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/hooks.d.ts +25 -1
- package/dist/hooks.js +19 -1
- package/package.json +2 -2
package/dist/hooks.d.ts
CHANGED
|
@@ -1,10 +1,34 @@
|
|
|
1
1
|
import type { HookCallbackMatcher } from "@anthropic-ai/claude-agent-sdk";
|
|
2
|
+
export interface SandboxHookOptions {
|
|
3
|
+
/**
|
|
4
|
+
* Allow Bash tool calls through the sandbox hook (default: `false`).
|
|
5
|
+
*
|
|
6
|
+
* Bash commands can reference arbitrary filesystem paths via subshells,
|
|
7
|
+
* variable expansion, redirects, and other shell features that can't be
|
|
8
|
+
* reliably inspected. When `false`, all Bash calls are blocked.
|
|
9
|
+
*
|
|
10
|
+
* If you need Bash access inside a sandbox, set this to `true` and use
|
|
11
|
+
* OS-level isolation instead: containers with `--network none` and a
|
|
12
|
+
* read-only filesystem, `@anthropic-ai/sandbox-runtime`, or VMs.
|
|
13
|
+
*
|
|
14
|
+
* @see https://platform.claude.com/docs/en/agent-sdk/secure-deployment
|
|
15
|
+
*/
|
|
16
|
+
allowBash?: boolean;
|
|
17
|
+
}
|
|
2
18
|
/**
|
|
3
19
|
* Creates a PreToolUse hook that blocks file operations outside a sandbox directory.
|
|
4
20
|
* Inspects `file_path` and `path` fields in tool input and blocks any resolved path
|
|
5
21
|
* that falls outside the given directory.
|
|
6
22
|
*
|
|
23
|
+
* Bash is blocked by default because shell commands can reference paths outside the
|
|
24
|
+
* sandbox in ways that can't be reliably detected (subshells, variable expansion,
|
|
25
|
+
* redirects, backticks). To sandbox Bash, use OS-level isolation — containers,
|
|
26
|
+
* `@anthropic-ai/sandbox-runtime`, or VMs — and set `options.allowBash` to `true`.
|
|
27
|
+
*
|
|
28
|
+
* @see https://platform.claude.com/docs/en/agent-sdk/secure-deployment
|
|
29
|
+
*
|
|
7
30
|
* @param sandboxDir - Absolute path to the sandbox directory (must already be resolved)
|
|
8
31
|
* @param resolvePath - Path resolver function (e.g. `path.resolve` from `node:path`)
|
|
32
|
+
* @param options - Configuration options
|
|
9
33
|
*/
|
|
10
|
-
export declare function createSandboxHook(sandboxDir: string, resolvePath: (...segments: string[]) => string): HookCallbackMatcher[];
|
|
34
|
+
export declare function createSandboxHook(sandboxDir: string, resolvePath: (...segments: string[]) => string, options?: SandboxHookOptions): HookCallbackMatcher[];
|
package/dist/hooks.js
CHANGED
|
@@ -3,17 +3,35 @@
|
|
|
3
3
|
* Inspects `file_path` and `path` fields in tool input and blocks any resolved path
|
|
4
4
|
* that falls outside the given directory.
|
|
5
5
|
*
|
|
6
|
+
* Bash is blocked by default because shell commands can reference paths outside the
|
|
7
|
+
* sandbox in ways that can't be reliably detected (subshells, variable expansion,
|
|
8
|
+
* redirects, backticks). To sandbox Bash, use OS-level isolation — containers,
|
|
9
|
+
* `@anthropic-ai/sandbox-runtime`, or VMs — and set `options.allowBash` to `true`.
|
|
10
|
+
*
|
|
11
|
+
* @see https://platform.claude.com/docs/en/agent-sdk/secure-deployment
|
|
12
|
+
*
|
|
6
13
|
* @param sandboxDir - Absolute path to the sandbox directory (must already be resolved)
|
|
7
14
|
* @param resolvePath - Path resolver function (e.g. `path.resolve` from `node:path`)
|
|
15
|
+
* @param options - Configuration options
|
|
8
16
|
*/
|
|
9
|
-
export function createSandboxHook(sandboxDir, resolvePath) {
|
|
17
|
+
export function createSandboxHook(sandboxDir, resolvePath, options) {
|
|
10
18
|
const normalizedDir = resolvePath(sandboxDir);
|
|
19
|
+
const allowBash = options?.allowBash ?? false;
|
|
11
20
|
return [
|
|
12
21
|
{
|
|
13
22
|
hooks: [
|
|
14
23
|
async (input) => {
|
|
15
24
|
if (input.hook_event_name !== "PreToolUse")
|
|
16
25
|
return {};
|
|
26
|
+
const toolName = input.tool_name;
|
|
27
|
+
if (toolName === "Bash" && !allowBash) {
|
|
28
|
+
return {
|
|
29
|
+
decision: "block",
|
|
30
|
+
reason: "Bash is blocked in sandbox mode — shell commands can reference arbitrary paths. " +
|
|
31
|
+
"Use allowBash with OS-level isolation (containers, sandbox-runtime) for Bash access. " +
|
|
32
|
+
"See https://platform.claude.com/docs/en/agent-sdk/secure-deployment",
|
|
33
|
+
};
|
|
34
|
+
}
|
|
17
35
|
const toolInput = input.tool_input;
|
|
18
36
|
const filePath = (toolInput.file_path ?? toolInput.path);
|
|
19
37
|
if (!filePath)
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@neeter/server",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.9.0",
|
|
4
4
|
"description": "Hono server toolkit for building chat UIs on top of the Claude Agent SDK",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"author": "Dan Leeper",
|
|
@@ -21,7 +21,7 @@
|
|
|
21
21
|
"README.md"
|
|
22
22
|
],
|
|
23
23
|
"dependencies": {
|
|
24
|
-
"@neeter/types": "0.
|
|
24
|
+
"@neeter/types": "0.9.0"
|
|
25
25
|
},
|
|
26
26
|
"peerDependencies": {
|
|
27
27
|
"@anthropic-ai/claude-agent-sdk": ">=0.2.0",
|