@neurosec/sentry 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +118 -0
- package/bin/cli.js +18 -0
- package/bin/sentryd.js +19 -0
- package/dist/api.d.ts +21 -0
- package/dist/api.d.ts.map +1 -0
- package/dist/api.js +161 -0
- package/dist/api.js.map +1 -0
- package/dist/audit.d.ts +18 -0
- package/dist/audit.d.ts.map +1 -0
- package/dist/audit.js +114 -0
- package/dist/audit.js.map +1 -0
- package/dist/cli.d.ts +3 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +255 -0
- package/dist/cli.js.map +1 -0
- package/dist/config.d.ts +54 -0
- package/dist/config.d.ts.map +1 -0
- package/dist/config.js +160 -0
- package/dist/config.js.map +1 -0
- package/dist/discovery.d.ts +5 -0
- package/dist/discovery.d.ts.map +1 -0
- package/dist/discovery.js +279 -0
- package/dist/discovery.js.map +1 -0
- package/dist/enforcement/enforcement-engine.d.ts +37 -0
- package/dist/enforcement/enforcement-engine.d.ts.map +1 -0
- package/dist/enforcement/enforcement-engine.js +325 -0
- package/dist/enforcement/enforcement-engine.js.map +1 -0
- package/dist/enforcement/file-monitor.d.ts +4 -0
- package/dist/enforcement/file-monitor.d.ts.map +1 -0
- package/dist/enforcement/file-monitor.js +114 -0
- package/dist/enforcement/file-monitor.js.map +1 -0
- package/dist/index.d.ts +2 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +248 -0
- package/dist/index.js.map +1 -0
- package/dist/logger.d.ts +2 -0
- package/dist/logger.d.ts.map +1 -0
- package/dist/logger.js +17 -0
- package/dist/logger.js.map +1 -0
- package/dist/sandbox/index.d.ts +14 -0
- package/dist/sandbox/index.d.ts.map +1 -0
- package/dist/sandbox/index.js +91 -0
- package/dist/sandbox/index.js.map +1 -0
- package/dist/sandbox/linux-sandbox.d.ts +21 -0
- package/dist/sandbox/linux-sandbox.d.ts.map +1 -0
- package/dist/sandbox/linux-sandbox.js +186 -0
- package/dist/sandbox/linux-sandbox.js.map +1 -0
- package/dist/sandbox/macos-sandbox.d.ts +17 -0
- package/dist/sandbox/macos-sandbox.d.ts.map +1 -0
- package/dist/sandbox/macos-sandbox.js +145 -0
- package/dist/sandbox/macos-sandbox.js.map +1 -0
- package/dist/setup.d.ts +14 -0
- package/dist/setup.d.ts.map +1 -0
- package/dist/setup.js +220 -0
- package/dist/setup.js.map +1 -0
- package/dist/skill-authz/skill-evaluator.d.ts +20 -0
- package/dist/skill-authz/skill-evaluator.d.ts.map +1 -0
- package/dist/skill-authz/skill-evaluator.js +159 -0
- package/dist/skill-authz/skill-evaluator.js.map +1 -0
- package/dist/skill-authz/skill-scanner.d.ts +18 -0
- package/dist/skill-authz/skill-scanner.d.ts.map +1 -0
- package/dist/skill-authz/skill-scanner.js +169 -0
- package/dist/skill-authz/skill-scanner.js.map +1 -0
- package/dist/telemetry.d.ts +18 -0
- package/dist/telemetry.d.ts.map +1 -0
- package/dist/telemetry.js +106 -0
- package/dist/telemetry.js.map +1 -0
- package/dist/types.d.ts +127 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +209 -0
- package/dist/types.js.map +1 -0
- package/package.json +69 -0
- package/scripts/install-sentry-macos.sh +238 -0
- package/scripts/install-sentry.sh +253 -0
- package/scripts/postinstall.js +191 -0
- package/scripts/prepack.js +33 -0
|
@@ -0,0 +1,186 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
+
};
|
|
5
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.LinuxSandbox = void 0;
|
|
7
|
+
const promises_1 = __importDefault(require("fs/promises"));
|
|
8
|
+
const path_1 = __importDefault(require("path"));
|
|
9
|
+
const child_process_1 = require("child_process");
|
|
10
|
+
const logger_1 = require("../logger");
|
|
11
|
+
const CGROUP_ROOT = '/sys/fs/cgroup';
|
|
12
|
+
const SENTRY_CGROUP_NAME = 'neuroshield';
|
|
13
|
+
class LinuxSandbox {
|
|
14
|
+
constructor() {
|
|
15
|
+
this.cgroupV2 = this.detectCgroupVersion();
|
|
16
|
+
}
|
|
17
|
+
detectCgroupVersion() {
|
|
18
|
+
try {
|
|
19
|
+
const info = (0, child_process_1.execSync)('stat -fc %T /sys/fs/cgroup/', {
|
|
20
|
+
encoding: 'utf8',
|
|
21
|
+
timeout: 5000,
|
|
22
|
+
}).trim();
|
|
23
|
+
return info === 'cgroup2fs';
|
|
24
|
+
}
|
|
25
|
+
catch {
|
|
26
|
+
return false;
|
|
27
|
+
}
|
|
28
|
+
}
|
|
29
|
+
async applySandbox(pid, profile, defaults) {
|
|
30
|
+
const cgroupPath = path_1.default.join(CGROUP_ROOT, SENTRY_CGROUP_NAME, `sentry-${pid}`);
|
|
31
|
+
try {
|
|
32
|
+
await promises_1.default.mkdir(cgroupPath, { recursive: true });
|
|
33
|
+
if (this.cgroupV2) {
|
|
34
|
+
await this.applyCgroupV2(cgroupPath, pid, profile, defaults);
|
|
35
|
+
}
|
|
36
|
+
else {
|
|
37
|
+
await this.applyCgroupV1(cgroupPath, pid, profile, defaults);
|
|
38
|
+
}
|
|
39
|
+
const applied = await this.addPidToCgroup(cgroupPath, pid);
|
|
40
|
+
if (applied) {
|
|
41
|
+
logger_1.logger.info('Linux sandbox configured', { pid, cgroupPath, profile: profile.name });
|
|
42
|
+
}
|
|
43
|
+
return applied;
|
|
44
|
+
}
|
|
45
|
+
catch (err) {
|
|
46
|
+
logger_1.logger.error('Linux sandbox failed', { pid, err: err.message });
|
|
47
|
+
return false;
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
async applyCgroupV2(cgroupPath, pid, profile, defaults) {
|
|
51
|
+
const cpuMax = profile.cpuMax || defaults.cpuMax;
|
|
52
|
+
const memoryMax = profile.memoryMax || defaults.memoryMax;
|
|
53
|
+
const pidMax = profile.pidMax || defaults.pidMax;
|
|
54
|
+
await promises_1.default.writeFile(path_1.default.join(cgroupPath, 'cpu.max'), `${cpuMax}\n`);
|
|
55
|
+
await promises_1.default.writeFile(path_1.default.join(cgroupPath, 'memory.max'), this.parseMemoryBytes(memoryMax).toString());
|
|
56
|
+
try {
|
|
57
|
+
await promises_1.default.writeFile(path_1.default.join(cgroupPath, 'pids.max'), pidMax.toString());
|
|
58
|
+
}
|
|
59
|
+
catch {
|
|
60
|
+
// pids controller may not be enabled
|
|
61
|
+
}
|
|
62
|
+
const ioFile = path_1.default.join(cgroupPath, 'io.max');
|
|
63
|
+
try {
|
|
64
|
+
await promises_1.default.writeFile(ioFile, '8:0 rbps=104857600 wbps=52428800\n');
|
|
65
|
+
}
|
|
66
|
+
catch {
|
|
67
|
+
// io controller may not be available
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
async applyCgroupV1(cgroupPath, pid, profile, defaults) {
|
|
71
|
+
const memoryMax = profile.memoryMax || defaults.memoryMax;
|
|
72
|
+
try {
|
|
73
|
+
await promises_1.default.writeFile(path_1.default.join(cgroupPath, 'memory.limit_in_bytes'), this.parseMemoryBytes(memoryMax).toString());
|
|
74
|
+
}
|
|
75
|
+
catch {
|
|
76
|
+
// memory controller may not be mounted
|
|
77
|
+
}
|
|
78
|
+
try {
|
|
79
|
+
const cpuCfsQuota = this.parseCpuQuota(profile.cpuMax || defaults.cpuMax);
|
|
80
|
+
await promises_1.default.writeFile(path_1.default.join(cgroupPath, 'cpu.cfs_quota_us'), cpuCfsQuota.toString());
|
|
81
|
+
}
|
|
82
|
+
catch {
|
|
83
|
+
// cpu controller may not be mounted
|
|
84
|
+
}
|
|
85
|
+
try {
|
|
86
|
+
await promises_1.default.writeFile(path_1.default.join(cgroupPath, 'pids.max'), (profile.pidMax || defaults.pidMax).toString());
|
|
87
|
+
}
|
|
88
|
+
catch {
|
|
89
|
+
// pids controller may not be mounted
|
|
90
|
+
}
|
|
91
|
+
}
|
|
92
|
+
async addPidToCgroup(cgroupPath, pid) {
|
|
93
|
+
const procsFile = path_1.default.join(cgroupPath, 'cgroup.procs');
|
|
94
|
+
try {
|
|
95
|
+
const current = await promises_1.default.readFile(procsFile, 'utf8');
|
|
96
|
+
if (!current.split('\n').map(l => l.trim()).includes(pid.toString())) {
|
|
97
|
+
await promises_1.default.writeFile(procsFile, `${pid}\n`);
|
|
98
|
+
}
|
|
99
|
+
return true;
|
|
100
|
+
}
|
|
101
|
+
catch {
|
|
102
|
+
// Process may have exited or we lack permission
|
|
103
|
+
return false;
|
|
104
|
+
}
|
|
105
|
+
}
|
|
106
|
+
async removeSandbox(pid) {
|
|
107
|
+
const cgroupPath = path_1.default.join(CGROUP_ROOT, SENTRY_CGROUP_NAME, `sentry-${pid}`);
|
|
108
|
+
try {
|
|
109
|
+
const procsFile = path_1.default.join(cgroupPath, 'cgroup.procs');
|
|
110
|
+
const content = await promises_1.default.readFile(procsFile, 'utf8');
|
|
111
|
+
const remainingPids = content.split('\n').map(l => l.trim()).filter(Boolean);
|
|
112
|
+
for (const p of remainingPids) {
|
|
113
|
+
try {
|
|
114
|
+
await promises_1.default.writeFile(path_1.default.join(CGROUP_ROOT, 'cgroup.procs'), `${p}\n`);
|
|
115
|
+
}
|
|
116
|
+
catch {
|
|
117
|
+
// migrate back to root
|
|
118
|
+
}
|
|
119
|
+
}
|
|
120
|
+
await promises_1.default.rmdir(cgroupPath);
|
|
121
|
+
logger_1.logger.info('Linux sandbox removed', { pid, cgroupPath });
|
|
122
|
+
return true;
|
|
123
|
+
}
|
|
124
|
+
catch {
|
|
125
|
+
return false;
|
|
126
|
+
}
|
|
127
|
+
}
|
|
128
|
+
async isSandboxed(pid) {
|
|
129
|
+
try {
|
|
130
|
+
const content = await promises_1.default.readFile(`/proc/${pid}/cgroup`, 'utf8');
|
|
131
|
+
return content.includes(SENTRY_CGROUP_NAME);
|
|
132
|
+
}
|
|
133
|
+
catch {
|
|
134
|
+
return false;
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
async getSandboxStats(pid) {
|
|
138
|
+
const cgroupPath = path_1.default.join(CGROUP_ROOT, SENTRY_CGROUP_NAME, `sentry-${pid}`);
|
|
139
|
+
try {
|
|
140
|
+
const stats = {};
|
|
141
|
+
if (this.cgroupV2) {
|
|
142
|
+
const memoryCurrent = await promises_1.default.readFile(path_1.default.join(cgroupPath, 'memory.current'), 'utf8');
|
|
143
|
+
stats.memoryCurrentBytes = parseInt(memoryCurrent.trim(), 10);
|
|
144
|
+
try {
|
|
145
|
+
const cpuStat = await promises_1.default.readFile(path_1.default.join(cgroupPath, 'cpu.stat'), 'utf8');
|
|
146
|
+
const usageUs = cpuStat.match(/usage_usec\s+(\d+)/);
|
|
147
|
+
if (usageUs)
|
|
148
|
+
stats.cpuUsageUsec = parseInt(usageUs[1], 10);
|
|
149
|
+
}
|
|
150
|
+
catch { /* ignore */ }
|
|
151
|
+
}
|
|
152
|
+
else {
|
|
153
|
+
try {
|
|
154
|
+
const memUsage = await promises_1.default.readFile(path_1.default.join(cgroupPath, 'memory.usage_in_bytes'), 'utf8');
|
|
155
|
+
stats.memoryCurrentBytes = parseInt(memUsage.trim(), 10);
|
|
156
|
+
}
|
|
157
|
+
catch { /* ignore */ }
|
|
158
|
+
}
|
|
159
|
+
return stats;
|
|
160
|
+
}
|
|
161
|
+
catch {
|
|
162
|
+
return null;
|
|
163
|
+
}
|
|
164
|
+
}
|
|
165
|
+
parseMemoryBytes(value) {
|
|
166
|
+
const match = value.match(/^(\d+)(GB|MB|KB|B)?$/i);
|
|
167
|
+
if (!match)
|
|
168
|
+
return 512 * 1024 * 1024; // 512MB default
|
|
169
|
+
const num = parseInt(match[1], 10);
|
|
170
|
+
const unit = (match[2] || 'B').toUpperCase();
|
|
171
|
+
switch (unit) {
|
|
172
|
+
case 'GB': return num * 1024 * 1024 * 1024;
|
|
173
|
+
case 'MB': return num * 1024 * 1024;
|
|
174
|
+
case 'KB': return num * 1024;
|
|
175
|
+
default: return num;
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
parseCpuQuota(value) {
|
|
179
|
+
const num = parseFloat(value);
|
|
180
|
+
if (isNaN(num))
|
|
181
|
+
return 50000;
|
|
182
|
+
return Math.round(num * 100000);
|
|
183
|
+
}
|
|
184
|
+
}
|
|
185
|
+
exports.LinuxSandbox = LinuxSandbox;
|
|
186
|
+
//# sourceMappingURL=linux-sandbox.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"linux-sandbox.js","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox.ts"],"names":[],"mappings":";;;;;;AAAA,2DAA6B;AAC7B,gDAAwB;AACxB,iDAAoD;AAGpD,sCAAmC;AAEnC,MAAM,WAAW,GAAG,gBAAgB,CAAC;AACrC,MAAM,kBAAkB,GAAG,aAAa,CAAC;AAEzC,MAAa,YAAY;IAGvB;QACE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;IAC7C,CAAC;IAEO,mBAAmB;QACzB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAA,wBAAQ,EAAC,6BAA6B,EAAE;gBACnD,QAAQ,EAAE,MAAM;gBAChB,OAAO,EAAE,IAAI;aACd,CAAC,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,KAAK,WAAW,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,GAAW,EACX,OAAuB,EACvB,QAA+D;QAE/D,MAAM,UAAU,GAAG,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,EAAE,UAAU,GAAG,EAAE,CAAC,CAAC;QAE/E,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAEhD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAClB,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YAC/D,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YAC/D,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;YAC3D,IAAI,OAAO,EAAE,CAAC;gBACZ,eAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YACtF,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE,EAAE,GAAG,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,UAAkB,EAClB,GAAW,EACX,OAAuB,EACvB,QAA+D;QAE/D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;QACjD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,CAAC;QAC1D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;QAEjD,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC;QACpE,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,EAAE,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAErG,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC3E,CAAC;QAAC,MAAM,CAAC;YACP,qCAAqC;QACvC,CAAC;QAED,MAAM,MAAM,GAAG,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QAC/C,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,SAAS,CAAC,MAAM,EAAE,oCAAoC,CAAC,CAAC;QACnE,CAAC;QAAC,MAAM,CAAC;YACP,qCAAqC;QACvC,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,UAAkB,EAClB,GAAW,EACX,OAAuB,EACvB,QAA+D;QAE/D,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,CAAC;QAE1D,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,SAAS,CAChB,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,uBAAuB,CAAC,EAC9C,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,CAC5C,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,uCAAuC;QACzC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC1E,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAAC,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;QACxF,CAAC;QAAC,MAAM,CAAC;YACP,oCAAoC;QACtC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QACxG,CAAC;QAAC,MAAM,CAAC;YACP,qCAAqC;QACvC,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,UAAkB,EAAE,GAAW;QAC1D,MAAM,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;QACxD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACrD,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC;gBACrE,MAAM,kBAAE,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,CAAC;YAC5C,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,gDAAgD;YAChD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAW;QAC7B,MAAM,UAAU,GAAG,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,EAAE,UAAU,GAAG,EAAE,CAAC,CAAC;QAC/E,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YACxD,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACrD,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAE7E,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;gBAC9B,IAAI,CAAC;oBACH,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;gBACvE,CAAC;gBAAC,MAAM,CAAC;oBACP,uBAAuB;gBACzB,CAAC;YACH,CAAC;YAED,MAAM,kBAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAC3B,eAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,SAAS,GAAG,SAAS,EAAE,MAAM,CAAC,CAAC;YACjE,OAAO,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,GAAW;QAC/B,MAAM,UAAU,GAAG,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,EAAE,UAAU,GAAG,EAAE,CAAC,CAAC;QAC/E,IAAI,CAAC;YACH,MAAM,KAAK,GAAoC,EAAE,CAAC;YAElD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAClB,MAAM,aAAa,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,gBAAgB,CAAC,EAAE,MAAM,CAAC,CAAC;gBACzF,KAAK,CAAC,kBAAkB,GAAG,QAAQ,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;gBAE9D,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,MAAM,CAAC,CAAC;oBAC7E,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;oBACpD,IAAI,OAAO;wBAAE,KAAK,CAAC,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC7D,CAAC;gBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YAC1B,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,uBAAuB,CAAC,EAAE,MAAM,CAAC,CAAC;oBAC3F,KAAK,CAAC,kBAAkB,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;gBAC3D,CAAC;gBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YAC1B,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,KAAa;QACpC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACnD,IAAI,CAAC,KAAK;YAAE,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,gBAAgB;QAEtD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;QAE7C,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;YAC3C,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;YACpC,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,CAAC;YAC7B,OAAO,CAAC,CAAC,OAAO,GAAG,CAAC;QACtB,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,KAAa;QACjC,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;QAC9B,IAAI,KAAK,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAC7B,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,MAAM,CAAC,CAAC;IAClC,CAAC;CACF;AArMD,oCAqMC"}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import { SandboxProfile } from '../types';
|
|
2
|
+
import { SandboxBackend } from './index';
|
|
3
|
+
export declare class MacOSSandbox implements SandboxBackend {
|
|
4
|
+
applySandbox(pid: number, profile: SandboxProfile, defaults: {
|
|
5
|
+
cpuMax: string;
|
|
6
|
+
memoryMax: string;
|
|
7
|
+
pidMax: number;
|
|
8
|
+
}): Promise<boolean>;
|
|
9
|
+
private applyResourceLimits;
|
|
10
|
+
private deploySandboxProfile;
|
|
11
|
+
private generateSandboxProfile;
|
|
12
|
+
removeSandbox(pid: number): Promise<boolean>;
|
|
13
|
+
isSandboxed(pid: number): Promise<boolean>;
|
|
14
|
+
getSandboxStats(pid: number): Promise<Record<string, string | number> | null>;
|
|
15
|
+
private parseMemoryBytes;
|
|
16
|
+
}
|
|
17
|
+
//# sourceMappingURL=macos-sandbox.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"macos-sandbox.d.ts","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAKzC,qBAAa,YAAa,YAAW,cAAc;IAC3C,YAAY,CAChB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,cAAc,EACvB,QAAQ,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,GAC9D,OAAO,CAAC,OAAO,CAAC;YAYL,mBAAmB;YAgBnB,oBAAoB;IAalC,OAAO,CAAC,sBAAsB;IAgDxB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU5C,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU1C,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,GAAG,IAAI,CAAC;IAoBnF,OAAO,CAAC,gBAAgB;CAazB"}
|
|
@@ -0,0 +1,145 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
+
};
|
|
5
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.MacOSSandbox = void 0;
|
|
7
|
+
const child_process_1 = require("child_process");
|
|
8
|
+
const promises_1 = __importDefault(require("fs/promises"));
|
|
9
|
+
const path_1 = __importDefault(require("path"));
|
|
10
|
+
const logger_1 = require("../logger");
|
|
11
|
+
const SANDBOX_PROFILES_DIR = '/var/lib/neuroshield/sentry/sandbox-profiles';
|
|
12
|
+
class MacOSSandbox {
|
|
13
|
+
async applySandbox(pid, profile, defaults) {
|
|
14
|
+
try {
|
|
15
|
+
await this.applyResourceLimits(pid, profile, defaults);
|
|
16
|
+
await this.deploySandboxProfile(pid, profile);
|
|
17
|
+
logger_1.logger.info('macOS sandbox applied', { pid, profile: profile.name });
|
|
18
|
+
return true;
|
|
19
|
+
}
|
|
20
|
+
catch (err) {
|
|
21
|
+
logger_1.logger.error('macOS sandbox failed', { pid, err: err.message });
|
|
22
|
+
return false;
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
async applyResourceLimits(pid, profile, defaults) {
|
|
26
|
+
const memBytes = this.parseMemoryBytes(profile.memoryMax || defaults.memoryMax);
|
|
27
|
+
// Use pure Node.js alternatives since we can't rely on launchctl for non-child processes
|
|
28
|
+
// On macOS we log the desired limits — actual enforcement requires SIP-less setup
|
|
29
|
+
logger_1.logger.info('macOS resource limits requested (requires sandbox-exec or Seatbelt)', {
|
|
30
|
+
pid,
|
|
31
|
+
memoryMax: memBytes,
|
|
32
|
+
cpuMax: profile.cpuMax || defaults.cpuMax,
|
|
33
|
+
});
|
|
34
|
+
}
|
|
35
|
+
async deploySandboxProfile(pid, profile) {
|
|
36
|
+
await promises_1.default.mkdir(SANDBOX_PROFILES_DIR, { recursive: true });
|
|
37
|
+
const sbContent = this.generateSandboxProfile(pid, profile);
|
|
38
|
+
const profilePath = path_1.default.join(SANDBOX_PROFILES_DIR, `sentry-${pid}.sb`);
|
|
39
|
+
await promises_1.default.writeFile(profilePath, sbContent, 'utf8');
|
|
40
|
+
logger_1.logger.debug('Sandbox profile written', { path: profilePath });
|
|
41
|
+
// Log how to apply it — runtime application requires sandbox-exec(1)
|
|
42
|
+
logger_1.logger.info(`Apply with: sandbox-exec -f ${profilePath} -p <pid>`);
|
|
43
|
+
}
|
|
44
|
+
generateSandboxProfile(pid, profile) {
|
|
45
|
+
const lines = [
|
|
46
|
+
`(version 1)`,
|
|
47
|
+
`(deny default)`,
|
|
48
|
+
`(allow sysctl-read)`,
|
|
49
|
+
`(allow ipc-posix-sem* ipc-posix-shm*)`,
|
|
50
|
+
];
|
|
51
|
+
for (const rule of profile.fsRules) {
|
|
52
|
+
switch (rule.permissions) {
|
|
53
|
+
case 'rw':
|
|
54
|
+
lines.push(`(allow file-read* file-write* (subpath "${rule.path.replace('/**', '')}"))`);
|
|
55
|
+
break;
|
|
56
|
+
case 'rwx':
|
|
57
|
+
lines.push(`(allow file-read* file-write* file-exec* (subpath "${rule.path.replace('/**', '')}"))`);
|
|
58
|
+
break;
|
|
59
|
+
case 'rx':
|
|
60
|
+
lines.push(`(allow file-read* file-exec* (subpath "${rule.path.replace('/**', '')}"))`);
|
|
61
|
+
break;
|
|
62
|
+
case 'r':
|
|
63
|
+
lines.push(`(allow file-read* (subpath "${rule.path.replace('/**', '')}"))`);
|
|
64
|
+
break;
|
|
65
|
+
case 'none':
|
|
66
|
+
lines.push(`(deny file-read* file-write* file-exec* (subpath "${rule.path.replace('/**', '')}"))`);
|
|
67
|
+
break;
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
for (const rule of profile.networkRules) {
|
|
71
|
+
if (rule.action === 'allow') {
|
|
72
|
+
if (rule.host) {
|
|
73
|
+
lines.push(`(allow network* (remote ip "${rule.host}"))`);
|
|
74
|
+
}
|
|
75
|
+
else {
|
|
76
|
+
lines.push(`(allow network*)`);
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
else if (rule.action === 'deny') {
|
|
80
|
+
if (rule.host) {
|
|
81
|
+
lines.push(`(deny network* (remote ip "${rule.host}"))`);
|
|
82
|
+
}
|
|
83
|
+
else {
|
|
84
|
+
lines.push(`(deny network*)`);
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
lines.push(''); // trailing newline
|
|
89
|
+
return lines.join('\n');
|
|
90
|
+
}
|
|
91
|
+
async removeSandbox(pid) {
|
|
92
|
+
const profilePath = path_1.default.join(SANDBOX_PROFILES_DIR, `sentry-${pid}.sb`);
|
|
93
|
+
try {
|
|
94
|
+
await promises_1.default.unlink(profilePath);
|
|
95
|
+
return true;
|
|
96
|
+
}
|
|
97
|
+
catch {
|
|
98
|
+
return false;
|
|
99
|
+
}
|
|
100
|
+
}
|
|
101
|
+
async isSandboxed(pid) {
|
|
102
|
+
const profilePath = path_1.default.join(SANDBOX_PROFILES_DIR, `sentry-${pid}.sb`);
|
|
103
|
+
try {
|
|
104
|
+
await promises_1.default.access(profilePath);
|
|
105
|
+
return true;
|
|
106
|
+
}
|
|
107
|
+
catch {
|
|
108
|
+
return false;
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
async getSandboxStats(pid) {
|
|
112
|
+
try {
|
|
113
|
+
const result = (0, child_process_1.execSync)(`ps -o rss=,pcpu= -p ${pid}`, {
|
|
114
|
+
encoding: 'utf8',
|
|
115
|
+
timeout: 3000,
|
|
116
|
+
}).trim();
|
|
117
|
+
const parts = result.split(/\s+/);
|
|
118
|
+
if (parts.length >= 2) {
|
|
119
|
+
return {
|
|
120
|
+
memoryRssKb: parseInt(parts[0], 10),
|
|
121
|
+
cpuPercent: parseFloat(parts[1]),
|
|
122
|
+
};
|
|
123
|
+
}
|
|
124
|
+
return null;
|
|
125
|
+
}
|
|
126
|
+
catch {
|
|
127
|
+
return null;
|
|
128
|
+
}
|
|
129
|
+
}
|
|
130
|
+
parseMemoryBytes(value) {
|
|
131
|
+
const match = value.match(/^(\d+)(GB|MB|KB|B)?$/i);
|
|
132
|
+
if (!match)
|
|
133
|
+
return 512 * 1024 * 1024;
|
|
134
|
+
const num = parseInt(match[1], 10);
|
|
135
|
+
const unit = (match[2] || 'B').toUpperCase();
|
|
136
|
+
switch (unit) {
|
|
137
|
+
case 'GB': return num * 1024 * 1024 * 1024;
|
|
138
|
+
case 'MB': return num * 1024 * 1024;
|
|
139
|
+
case 'KB': return num * 1024;
|
|
140
|
+
default: return num;
|
|
141
|
+
}
|
|
142
|
+
}
|
|
143
|
+
}
|
|
144
|
+
exports.MacOSSandbox = MacOSSandbox;
|
|
145
|
+
//# sourceMappingURL=macos-sandbox.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"macos-sandbox.js","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox.ts"],"names":[],"mappings":";;;;;;AAAA,iDAAyC;AACzC,2DAA6B;AAC7B,gDAAwB;AAGxB,sCAAmC;AAEnC,MAAM,oBAAoB,GAAG,8CAA8C,CAAC;AAE5E,MAAa,YAAY;IACvB,KAAK,CAAC,YAAY,CAChB,GAAW,EACX,OAAuB,EACvB,QAA+D;QAE/D,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,mBAAmB,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACvD,MAAM,IAAI,CAAC,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAC9C,eAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YACrE,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE,EAAE,GAAG,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAC/B,GAAW,EACX,OAAuB,EACvB,QAA+D;QAE/D,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,CAAC,CAAC;QAEhF,yFAAyF;QACzF,kFAAkF;QAClF,eAAM,CAAC,IAAI,CAAC,qEAAqE,EAAE;YACjF,GAAG;YACH,SAAS,EAAE,QAAQ;YACnB,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM;SAC1C,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAAC,GAAW,EAAE,OAAuB;QACrE,MAAM,kBAAE,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE1D,MAAM,SAAS,GAAG,IAAI,CAAC,sBAAsB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,cAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,UAAU,GAAG,KAAK,CAAC,CAAC;QAExE,MAAM,kBAAE,CAAC,SAAS,CAAC,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QACnD,eAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;QAE/D,qEAAqE;QACrE,eAAM,CAAC,IAAI,CAAC,+BAA+B,WAAW,WAAW,CAAC,CAAC;IACrE,CAAC;IAEO,sBAAsB,CAAC,GAAW,EAAE,OAAuB;QACjE,MAAM,KAAK,GAAa;YACtB,aAAa;YACb,gBAAgB;YAChB,qBAAqB;YACrB,uCAAuC;SACxC,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACnC,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;gBACzB,KAAK,IAAI;oBACP,KAAK,CAAC,IAAI,CAAC,2CAA2C,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;oBACzF,MAAM;gBACR,KAAK,KAAK;oBACR,KAAK,CAAC,IAAI,CAAC,sDAAsD,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;oBACpG,MAAM;gBACR,KAAK,IAAI;oBACP,KAAK,CAAC,IAAI,CAAC,0CAA0C,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;oBACxF,MAAM;gBACR,KAAK,GAAG;oBACN,KAAK,CAAC,IAAI,CAAC,+BAA+B,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;oBAC7E,MAAM;gBACR,KAAK,MAAM;oBACT,KAAK,CAAC,IAAI,CAAC,qDAAqD,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;oBACnG,MAAM;YACV,CAAC;QACH,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACxC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;gBAC5B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;oBACd,KAAK,CAAC,IAAI,CAAC,+BAA+B,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;gBAC5D,CAAC;qBAAM,CAAC;oBACN,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;gBACjC,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAClC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;oBACd,KAAK,CAAC,IAAI,CAAC,8BAA8B,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;gBAC3D,CAAC;qBAAM,CAAC;oBACN,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;QAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,mBAAmB;QACnC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAW;QAC7B,MAAM,WAAW,GAAG,cAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,UAAU,GAAG,KAAK,CAAC,CAAC;QACxE,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,MAAM,WAAW,GAAG,cAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,UAAU,GAAG,KAAK,CAAC,CAAC;QACxE,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,GAAW;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,uBAAuB,GAAG,EAAE,EAAE;gBACpD,QAAQ,EAAE,MAAM;gBAChB,OAAO,EAAE,IAAI;aACd,CAAC,CAAC,IAAI,EAAE,CAAC;YAEV,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAClC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBACtB,OAAO;oBACL,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,UAAU,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;iBACjC,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,KAAa;QACpC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACnD,IAAI,CAAC,KAAK;YAAE,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;QAErC,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7C,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;YAC3C,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;YACpC,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,CAAC;YAC7B,OAAO,CAAC,CAAC,OAAO,GAAG,CAAC;QACtB,CAAC;IACH,CAAC;CACF;AAnJD,oCAmJC"}
|
package/dist/setup.d.ts
ADDED
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
export interface SetupOptions {
|
|
2
|
+
neurosecUrl?: string;
|
|
3
|
+
orgId?: string;
|
|
4
|
+
token?: string;
|
|
5
|
+
mode?: string;
|
|
6
|
+
configPath?: string;
|
|
7
|
+
nonInteractive?: boolean;
|
|
8
|
+
}
|
|
9
|
+
export declare function runSetup(options: SetupOptions): Promise<{
|
|
10
|
+
configPath: string;
|
|
11
|
+
tokenPath: string;
|
|
12
|
+
}>;
|
|
13
|
+
export declare function cliSetupNonInteractive(options: Record<string, string>): Promise<void>;
|
|
14
|
+
//# sourceMappingURL=setup.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../src/setup.ts"],"names":[],"mappings":"AAoGA,MAAM,WAAW,YAAY;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AA0BD,wBAAsB,QAAQ,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAmHxG;AAED,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAS3F"}
|
package/dist/setup.js
ADDED
|
@@ -0,0 +1,220 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
+
};
|
|
5
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.runSetup = runSetup;
|
|
7
|
+
exports.cliSetupNonInteractive = cliSetupNonInteractive;
|
|
8
|
+
const fs_1 = __importDefault(require("fs"));
|
|
9
|
+
const path_1 = __importDefault(require("path"));
|
|
10
|
+
const readline_1 = __importDefault(require("readline"));
|
|
11
|
+
const os_1 = __importDefault(require("os"));
|
|
12
|
+
const DEFAULT_NEUROSEC_URL = 'https://api.neurosec.ai';
|
|
13
|
+
const CONFIG_TEMPLATE = (opts) => `# NeuroShield Sentry Daemon Configuration
|
|
14
|
+
# Generated by \`neuroshield-sentry setup\` at ${new Date().toISOString()}
|
|
15
|
+
|
|
16
|
+
sentry:
|
|
17
|
+
host_id: "${opts.hostId}"
|
|
18
|
+
version: "1.0.0"
|
|
19
|
+
health_port: 9190
|
|
20
|
+
api_port: 9191
|
|
21
|
+
state_dir: ${opts.platform === 'darwin' ? '/usr/local/var/lib/neuroshield/sentry' : '/var/lib/neuroshield/sentry'}
|
|
22
|
+
pid_file_path: ${opts.platform === 'darwin' ? '/usr/local/var/run/neuroshield-sentry.pid' : '/var/run/neuroshield-sentry.pid'}
|
|
23
|
+
|
|
24
|
+
neurosec:
|
|
25
|
+
endpoint: "${opts.neurosecUrl}"
|
|
26
|
+
org_id: "${opts.orgId}"
|
|
27
|
+
token_path: ${opts.platform === 'darwin' ? '/usr/local/etc/neuroshield/sentry.token' : '/etc/neuroshield/sentry.token'}
|
|
28
|
+
sync_interval_ms: 30000
|
|
29
|
+
heartbeat_interval_ms: 300000
|
|
30
|
+
|
|
31
|
+
enforcement:
|
|
32
|
+
mode: "${opts.mode}"
|
|
33
|
+
sandbox_enabled: ${opts.platform === 'linux' ? 'true' : 'false'}
|
|
34
|
+
syscall_filter_enabled: ${opts.platform === 'linux' ? 'true' : 'false'}
|
|
35
|
+
network_filter_enabled: true
|
|
36
|
+
filesystem_filter_enabled: true
|
|
37
|
+
|
|
38
|
+
sandbox_defaults:
|
|
39
|
+
cpu_max: "0.5"
|
|
40
|
+
memory_max: "512MB"
|
|
41
|
+
pid_max: 100
|
|
42
|
+
|
|
43
|
+
network:
|
|
44
|
+
allow_hosts:
|
|
45
|
+
- "api.openai.com:443"
|
|
46
|
+
- "api.anthropic.com:443"
|
|
47
|
+
- "${new URL(opts.neurosecUrl).hostname}:443"
|
|
48
|
+
block_hosts:
|
|
49
|
+
- "*.pastebin.com"
|
|
50
|
+
- "*.ngrok.io"
|
|
51
|
+
- "*.requestbin.net"
|
|
52
|
+
- "*.webhook.site"
|
|
53
|
+
allow_private: false
|
|
54
|
+
dns_monitor_enabled: true
|
|
55
|
+
|
|
56
|
+
skill_authz:
|
|
57
|
+
enabled: true
|
|
58
|
+
allow_unknown: false
|
|
59
|
+
require_approval:
|
|
60
|
+
- "shell_exec"
|
|
61
|
+
- "bash"
|
|
62
|
+
- "terminal"
|
|
63
|
+
- "run_command"
|
|
64
|
+
|
|
65
|
+
audit:
|
|
66
|
+
log_path: ${opts.platform === 'darwin' ? '/usr/local/var/log/neuroshield/sentry.log' : '/var/log/neuroshield/sentry.log'}
|
|
67
|
+
retention_days: 90
|
|
68
|
+
max_size_mb: 500
|
|
69
|
+
|
|
70
|
+
discovery:
|
|
71
|
+
interval_ms: 30000
|
|
72
|
+
source_paths:
|
|
73
|
+
- /workspace
|
|
74
|
+
- /app
|
|
75
|
+
- /home
|
|
76
|
+
- /tmp
|
|
77
|
+
`;
|
|
78
|
+
function getPlatformConfigPaths(plat) {
|
|
79
|
+
if (plat === 'darwin') {
|
|
80
|
+
return {
|
|
81
|
+
configDir: '/usr/local/etc/neuroshield',
|
|
82
|
+
configPath: '/usr/local/etc/neuroshield/sentry.yaml',
|
|
83
|
+
tokenPath: '/usr/local/etc/neuroshield/sentry.token',
|
|
84
|
+
stateDir: '/usr/local/var/lib/neuroshield/sentry',
|
|
85
|
+
logDir: '/usr/local/var/log/neuroshield',
|
|
86
|
+
};
|
|
87
|
+
}
|
|
88
|
+
return {
|
|
89
|
+
configDir: '/etc/neuroshield',
|
|
90
|
+
configPath: '/etc/neuroshield/sentry.yaml',
|
|
91
|
+
tokenPath: '/etc/neuroshield/sentry.token',
|
|
92
|
+
stateDir: '/var/lib/neuroshield/sentry',
|
|
93
|
+
logDir: '/var/log/neuroshield',
|
|
94
|
+
};
|
|
95
|
+
}
|
|
96
|
+
function prompt(question, defaultValue) {
|
|
97
|
+
const rl = readline_1.default.createInterface({ input: process.stdin, output: process.stdout });
|
|
98
|
+
return new Promise(resolve => {
|
|
99
|
+
const hint = defaultValue ? ` [${defaultValue}]` : '';
|
|
100
|
+
rl.question(`${question}${hint}: `, answer => {
|
|
101
|
+
rl.close();
|
|
102
|
+
resolve(answer.trim() || defaultValue || '');
|
|
103
|
+
});
|
|
104
|
+
});
|
|
105
|
+
}
|
|
106
|
+
function hostname() {
|
|
107
|
+
try {
|
|
108
|
+
return os_1.default.hostname();
|
|
109
|
+
}
|
|
110
|
+
catch {
|
|
111
|
+
return 'unknown';
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
function generateMachineToken() {
|
|
115
|
+
const random = require('crypto').randomBytes(32).toString('hex');
|
|
116
|
+
return `nst_${random}`;
|
|
117
|
+
}
|
|
118
|
+
async function runSetup(options) {
|
|
119
|
+
const platform = os_1.default.platform();
|
|
120
|
+
const paths = getPlatformConfigPaths(platform);
|
|
121
|
+
const configPath = options.configPath || paths.configPath;
|
|
122
|
+
if (!options.nonInteractive) {
|
|
123
|
+
console.log('');
|
|
124
|
+
console.log('╔══════════════════════════════════════════════════╗');
|
|
125
|
+
console.log('║ NeuroShield Sentry — Setup Wizard ║');
|
|
126
|
+
console.log('╚══════════════════════════════════════════════════╝');
|
|
127
|
+
console.log('');
|
|
128
|
+
console.log(`This will configure the Sentry daemon for this host.`);
|
|
129
|
+
console.log(`Config will be written to: ${configPath}`);
|
|
130
|
+
console.log('');
|
|
131
|
+
}
|
|
132
|
+
const neurosecUrl = options.neurosecUrl || await prompt(' NeuroSec API URL', DEFAULT_NEUROSEC_URL);
|
|
133
|
+
const orgId = options.orgId || await prompt(' NeuroSec Organization ID', '');
|
|
134
|
+
const mode = options.mode || await prompt(' Enforcement mode (monitor / enforce / quarantine)', 'monitor');
|
|
135
|
+
const useExistingToken = options.token === undefined && !options.nonInteractive;
|
|
136
|
+
let token = options.token || '';
|
|
137
|
+
if (!token && useExistingToken) {
|
|
138
|
+
const existing = await prompt(' Sentry token (or press Enter to auto-generate)', '');
|
|
139
|
+
token = existing || generateMachineToken();
|
|
140
|
+
}
|
|
141
|
+
else if (!token) {
|
|
142
|
+
token = generateMachineToken();
|
|
143
|
+
}
|
|
144
|
+
const hostId = `${hostname()}-sentry`;
|
|
145
|
+
if (!options.nonInteractive) {
|
|
146
|
+
console.log('');
|
|
147
|
+
console.log(' Configuring...');
|
|
148
|
+
}
|
|
149
|
+
const configDir = path_1.default.dirname(configPath);
|
|
150
|
+
const pathsToCreate = [
|
|
151
|
+
configDir,
|
|
152
|
+
paths.stateDir,
|
|
153
|
+
paths.logDir,
|
|
154
|
+
path_1.default.dirname(paths.tokenPath),
|
|
155
|
+
];
|
|
156
|
+
for (const dir of pathsToCreate) {
|
|
157
|
+
try {
|
|
158
|
+
fs_1.default.mkdirSync(dir, { recursive: true });
|
|
159
|
+
}
|
|
160
|
+
catch {
|
|
161
|
+
// best-effort for dirs that may need root
|
|
162
|
+
}
|
|
163
|
+
}
|
|
164
|
+
const configContent = CONFIG_TEMPLATE({
|
|
165
|
+
hostId,
|
|
166
|
+
neurosecUrl,
|
|
167
|
+
orgId,
|
|
168
|
+
token,
|
|
169
|
+
mode,
|
|
170
|
+
platform,
|
|
171
|
+
});
|
|
172
|
+
fs_1.default.writeFileSync(configPath, configContent, 'utf8');
|
|
173
|
+
console.log(` ✓ Config written: ${configPath}`);
|
|
174
|
+
if (token) {
|
|
175
|
+
try {
|
|
176
|
+
fs_1.default.writeFileSync(paths.tokenPath, token, 'utf8');
|
|
177
|
+
fs_1.default.chmodSync(paths.tokenPath, 0o600);
|
|
178
|
+
console.log(` ✓ Token written: ${paths.tokenPath}`);
|
|
179
|
+
}
|
|
180
|
+
catch (err) {
|
|
181
|
+
console.log(` ⚠ Could not write token to ${paths.tokenPath} (need root?)`);
|
|
182
|
+
console.log(` Store token manually: echo '${token}' > ${paths.tokenPath}`);
|
|
183
|
+
console.log(` chmod 600 ${paths.tokenPath}`);
|
|
184
|
+
}
|
|
185
|
+
}
|
|
186
|
+
if (!options.nonInteractive) {
|
|
187
|
+
console.log('');
|
|
188
|
+
console.log(' ─── Setup Complete ───');
|
|
189
|
+
console.log('');
|
|
190
|
+
console.log(' Next steps:');
|
|
191
|
+
console.log(' 1. Install the service:');
|
|
192
|
+
console.log(` sudo neuroshield-sentry install`);
|
|
193
|
+
console.log('');
|
|
194
|
+
console.log(' 2. Or start manually:');
|
|
195
|
+
console.log(` sudo neuroshield-sentryd ${configPath}`);
|
|
196
|
+
console.log('');
|
|
197
|
+
console.log(' 3. View status:');
|
|
198
|
+
console.log(' neuroshield-sentry status');
|
|
199
|
+
console.log('');
|
|
200
|
+
console.log(' 4. View real-time decisions:');
|
|
201
|
+
console.log(' neuroshield-sentry logs');
|
|
202
|
+
console.log('');
|
|
203
|
+
if (!token || token === '') {
|
|
204
|
+
console.log(' ⚠ No token set! Edit the config to add your NeuroSec sentry token.');
|
|
205
|
+
console.log('');
|
|
206
|
+
}
|
|
207
|
+
}
|
|
208
|
+
return { configPath, tokenPath: paths.tokenPath };
|
|
209
|
+
}
|
|
210
|
+
async function cliSetupNonInteractive(options) {
|
|
211
|
+
await runSetup({
|
|
212
|
+
neurosecUrl: options.url || options['neurosec-url'] || DEFAULT_NEUROSEC_URL,
|
|
213
|
+
orgId: options.org || options['org-id'] || '',
|
|
214
|
+
token: options.token || '',
|
|
215
|
+
mode: options.mode || 'monitor',
|
|
216
|
+
configPath: options.config || options['config-path'],
|
|
217
|
+
nonInteractive: true,
|
|
218
|
+
});
|
|
219
|
+
}
|
|
220
|
+
//# sourceMappingURL=setup.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"setup.js","sourceRoot":"","sources":["../src/setup.ts"],"names":[],"mappings":";;;;;AAqIA,4BAmHC;AAED,wDASC;AAnQD,4CAAoB;AACpB,gDAAwB;AACxB,wDAAgC;AAChC,4CAAoB;AAGpB,MAAM,oBAAoB,GAAG,yBAAyB,CAAC;AAEvD,MAAM,eAAe,GAAG,CAAC,IAOxB,EAAE,EAAE,CAAC;iDAC2C,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;;;cAG3D,IAAI,CAAC,MAAM;;;;eAIV,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,uCAAuC,CAAC,CAAC,CAAC,6BAA6B;mBAChG,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,2CAA2C,CAAC,CAAC,CAAC,iCAAiC;;;eAGhH,IAAI,CAAC,WAAW;aAClB,IAAI,CAAC,KAAK;gBACP,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,yCAAyC,CAAC,CAAC,CAAC,+BAA+B;;;;;WAK7G,IAAI,CAAC,IAAI;qBACC,IAAI,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO;4BACrC,IAAI,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO;;;;;;;;;;;;;SAa/D,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,QAAQ;;;;;;;;;;;;;;;;;;;cAmB7B,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,2CAA2C,CAAC,CAAC,CAAC,iCAAiC;;;;;;;;;;;CAWzH,CAAC;AAEF,SAAS,sBAAsB,CAAC,IAAY;IAC1C,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,OAAO;YACL,SAAS,EAAE,4BAA4B;YACvC,UAAU,EAAE,wCAAwC;YACpD,SAAS,EAAE,yCAAyC;YACpD,QAAQ,EAAE,uCAAuC;YACjD,MAAM,EAAE,gCAAgC;SACzC,CAAC;IACJ,CAAC;IACD,OAAO;QACL,SAAS,EAAE,kBAAkB;QAC7B,UAAU,EAAE,8BAA8B;QAC1C,SAAS,EAAE,+BAA+B;QAC1C,QAAQ,EAAE,6BAA6B;QACvC,MAAM,EAAE,sBAAsB;KAC/B,CAAC;AACJ,CAAC;AAWD,SAAS,MAAM,CAAC,QAAgB,EAAE,YAAqB;IACrD,MAAM,EAAE,GAAG,kBAAQ,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACtF,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE;QAC3B,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,CAAC,KAAK,YAAY,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QACtD,EAAE,CAAC,QAAQ,CAAC,GAAG,QAAQ,GAAG,IAAI,IAAI,EAAE,MAAM,CAAC,EAAE;YAC3C,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,YAAY,IAAI,EAAE,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ;IACf,IAAI,CAAC;QACH,OAAO,YAAE,CAAC,QAAQ,EAAE,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB;IAC3B,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACjE,OAAO,OAAO,MAAM,EAAE,CAAC;AACzB,CAAC;AAEM,KAAK,UAAU,QAAQ,CAAC,OAAqB;IAClD,MAAM,QAAQ,GAAG,YAAE,CAAC,QAAQ,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC,UAAU,CAAC;IAE1D,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,8BAA8B,UAAU,EAAE,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,MAAM,MAAM,CACrD,oBAAoB,EACpB,oBAAoB,CACrB,CAAC;IAEF,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,MAAM,MAAM,CACzC,4BAA4B,EAC5B,EAAE,CACH,CAAC;IAEF,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,MAAM,MAAM,CACvC,qDAAqD,EACrD,SAAS,CACV,CAAC;IAEF,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,KAAK,SAAS,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;IAChF,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAEhC,IAAI,CAAC,KAAK,IAAI,gBAAgB,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,MAAM,MAAM,CAC3B,kDAAkD,EAClD,EAAE,CACH,CAAC;QACF,KAAK,GAAG,QAAQ,IAAI,oBAAoB,EAAE,CAAC;IAC7C,CAAC;SAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QAClB,KAAK,GAAG,oBAAoB,EAAE,CAAC;IACjC,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,QAAQ,EAAE,SAAS,CAAC;IAEtC,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAClC,CAAC;IAED,MAAM,SAAS,GAAG,cAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC3C,MAAM,aAAa,GAAG;QACpB,SAAS;QACT,KAAK,CAAC,QAAQ;QACd,KAAK,CAAC,MAAM;QACZ,cAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC;KAC9B,CAAC;IAEF,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,YAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,0CAA0C;QAC5C,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,eAAe,CAAC;QACpC,MAAM;QACN,WAAW;QACX,KAAK;QACL,KAAK;QACL,IAAI;QACJ,QAAQ;KACT,CAAC,CAAC;IAEH,YAAE,CAAC,aAAa,CAAC,UAAU,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,uBAAuB,UAAU,EAAE,CAAC,CAAC;IAEjD,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,YAAE,CAAC,aAAa,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACjD,YAAE,CAAC,SAAS,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;YACrC,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,gCAAgC,KAAK,CAAC,SAAS,eAAe,CAAC,CAAC;YAC5E,OAAO,CAAC,GAAG,CAAC,mCAAmC,KAAK,OAAO,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;YAC9E,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;QACtD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,mCAAmC,UAAU,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAC;YACrF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC;AACpD,CAAC;AAEM,KAAK,UAAU,sBAAsB,CAAC,OAA+B;IAC1E,MAAM,QAAQ,CAAC;QACb,WAAW,EAAE,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,cAAc,CAAC,IAAI,oBAAoB;QAC3E,KAAK,EAAE,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE;QAC7C,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;QAC1B,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,SAAS;QAC/B,UAAU,EAAE,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,aAAa,CAAC;QACpD,cAAc,EAAE,IAAI;KACrB,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
import { SkillAuthzRequest, SkillAuthzDecision } from '../types';
|
|
2
|
+
import { SentryConfig } from '../config';
|
|
3
|
+
import { AuditLogger } from '../audit';
|
|
4
|
+
export declare class SkillEvaluator {
|
|
5
|
+
private config;
|
|
6
|
+
private pendingApprovals;
|
|
7
|
+
private cache;
|
|
8
|
+
private auditLogger;
|
|
9
|
+
constructor(config: SentryConfig, auditLogger?: AuditLogger);
|
|
10
|
+
evaluate(request: SkillAuthzRequest): SkillAuthzDecision;
|
|
11
|
+
approve(invocationId: string): boolean;
|
|
12
|
+
deny(invocationId: string): boolean;
|
|
13
|
+
getPendingApprovals(): Array<{
|
|
14
|
+
invocationId: string;
|
|
15
|
+
skillName: string;
|
|
16
|
+
frameworkId: string;
|
|
17
|
+
}>;
|
|
18
|
+
private computeRiskScore;
|
|
19
|
+
}
|
|
20
|
+
//# sourceMappingURL=skill-evaluator.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"skill-evaluator.d.ts","sourceRoot":"","sources":["../../src/skill-authz/skill-evaluator.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAc,MAAM,UAAU,CAAC;AAC7E,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAUvC,qBAAa,cAAc;IAMvB,OAAO,CAAC,MAAM;IALhB,OAAO,CAAC,gBAAgB,CAA2C;IACnE,OAAO,CAAC,KAAK,CAA8C;IAC3D,OAAO,CAAC,WAAW,CAAc;gBAGvB,MAAM,EAAE,YAAY,EAC5B,WAAW,CAAC,EAAE,WAAW;IAK3B,QAAQ,CAAC,OAAO,EAAE,iBAAiB,GAAG,kBAAkB;IAuExD,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAatC,IAAI,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAWnC,mBAAmB,IAAI,KAAK,CAAC;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC;IAc9F,OAAO,CAAC,gBAAgB;CA6CzB"}
|