@neurosec/sentry 1.0.0

package/dist/types.js

@@ -0,0 +1,209 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AGENT_SANDBOX_PROFILES = void 0;
+exports.AGENT_SANDBOX_PROFILES = [
+    {
+        name: 'claude-code',
+        frameworkIds: ['claude-code', 'mcp-server'],
+        allowedSyscalls: [
+            'read', 'write', 'open', 'openat', 'close', 'stat', 'fstat', 'lstat',
+            'newfstatat', 'mmap', 'munmap', 'mprotect', 'brk', 'futex',
+            'sched_yield', 'clock_gettime', 'nanosleep', 'getrandom',
+            'exit_group', 'exit', 'clone', 'clone3', 'execve', 'execveat',
+            'readlink', 'readlinkat', 'getdents', 'getdents64', 'lseek',
+            'connect', 'sendto', 'recvfrom', 'sendmsg', 'recvmsg', 'bind',
+            'getsockname', 'getpeername', 'setsockopt', 'getsockopt',
+            'ioctl', 'fcntl', 'dup', 'dup2', 'dup3', 'pipe', 'pipe2',
+            'socket', 'access', 'faccessat', 'faccessat2',
+            'getcwd', 'chdir', 'fchdir',
+            'getpid', 'getppid', 'gettid', 'getuid', 'getgid', 'geteuid', 'getegid',
+            'writev', 'readv', 'pread64', 'pwrite64',
+            'fallocate', 'ftruncate', 'truncate',
+            'uname', 'sysinfo', 'prctl',
+            'tgkill', 'rt_sigaction', 'rt_sigprocmask', 'rt_sigreturn',
+            'wait4', 'waitid', 'poll', 'ppoll', 'select', 'epoll_create', 'epoll_ctl', 'epoll_wait',
+            'eventfd2', 'timerfd_create', 'timerfd_settime',
+            'sendfile', 'copy_file_range',
+            'madvise', 'mlock', 'munlock',
+        ],
+        blockedSyscalls: [
+            'ptrace', 'perf_event_open', 'bpf', 'kexec_load', 'swapon', 'swapoff',
+            'reboot', 'init_module', 'finit_module', 'delete_module',
+            'acct', 'setdomainname', 'sethostname',
+            'pivot_root', 'chroot',
+            'mount', 'umount', 'umount2',
+            'setns', 'unshare',
+            'iopl', 'ioperm',
+            'stty',
+        ],
+        fsRules: [
+            { path: '/home/**', permissions: 'rw' },
+            { path: '/tmp/**', permissions: 'rw' },
+            { path: '/workspace/**', permissions: 'rw' },
+            { path: '/app/**', permissions: 'rw' },
+            { path: '/var/tmp/**', permissions: 'rw' },
+            { path: '/etc/**', permissions: 'r' },
+            { path: '/usr/**', permissions: 'r' },
+            { path: '/bin/**', permissions: 'rx' },
+            { path: '/lib/**', permissions: 'r' },
+            { path: '/lib64/**', permissions: 'r' },
+            { path: '/opt/**', permissions: 'r' },
+            { path: '/dev/**', permissions: 'none' },
+            { path: '/sys/**', permissions: 'none' },
+            { path: '/proc/**', permissions: 'r' },
+            { path: '/var/lib/**', permissions: 'none' },
+            { path: '/var/log/**', permissions: 'none' },
+            { path: '/run/**', permissions: 'none' },
+            { path: '/etc/shadow', permissions: 'none' },
+            { path: '/etc/sudoers', permissions: 'none' },
+            { path: '/etc/passwd', permissions: 'r' },
+            { path: '/home/**/.ssh/**', permissions: 'none' },
+            { path: '/home/**/.aws/**', permissions: 'none' },
+            { path: '/home/**/.config/gcloud/**', permissions: 'none' },
+            { path: '/home/**/.gnupg/**', permissions: 'none' },
+            { path: '/home/**/.kube/**', permissions: 'none' },
+        ],
+        networkRules: [
+            { direction: 'egress', host: 'api.anthropic.com', port: 443, action: 'allow' },
+            { direction: 'egress', host: '*.anthropic.com', port: 443, action: 'allow' },
+            { direction: 'egress', host: 'api.openai.com', port: 443, action: 'allow' },
+            { direction: 'egress', host: 'api.neurosec.ai', port: 443, action: 'allow' },
+            { direction: 'egress', host: '127.0.0.1', port: 9081, action: 'allow' },
+            { direction: 'egress', action: 'deny' },
+            { direction: 'ingress', action: 'deny' },
+        ],
+        retainedCapabilities: [],
+        cpuMax: '1.0',
+        memoryMax: '2GB',
+        pidMax: 200,
+        blockedCapabilities: [
+            'CAP_NET_RAW', 'CAP_NET_ADMIN', 'CAP_SYS_ADMIN', 'CAP_SYS_PTRACE',
+            'CAP_SYS_MODULE', 'CAP_SYS_BOOT', 'CAP_SYS_RAWIO',
+            'CAP_SYS_ADMIN', 'CAP_AUDIT_CONTROL', 'CAP_SETUID', 'CAP_SETGID',
+            'CAP_DAC_OVERRIDE', 'CAP_DAC_READ_SEARCH', 'CAP_FOWNER',
+            'CAP_IPC_OWNER', 'CAP_KILL',
+        ],
+    },
+    {
+        name: 'langchain',
+        frameworkIds: ['langchain', 'langgraph', 'crewai', 'autogen', 'haystack', 'dspy'],
+        allowedSyscalls: [
+            'read', 'write', 'open', 'openat', 'close', 'stat', 'fstat', 'lstat',
+            'newfstatat', 'mmap', 'munmap', 'mprotect', 'brk', 'futex',
+            'sched_yield', 'clock_gettime', 'nanosleep', 'getrandom',
+            'exit_group', 'exit', 'clone', 'clone3', 'execve', 'execveat',
+            'readlink', 'readlinkat', 'getdents', 'getdents64', 'lseek',
+            'connect', 'sendto', 'recvfrom', 'sendmsg', 'recvmsg',
+            'ioctl', 'fcntl', 'dup', 'dup2', 'dup3', 'pipe', 'pipe2',
+            'socket', 'access', 'faccessat', 'faccessat2',
+            'getcwd', 'chdir', 'fchdir',
+            'getpid', 'getppid', 'gettid',
+            'writev', 'readv', 'pread64', 'pwrite64',
+            'uname', 'sysinfo', 'prctl',
+            'rt_sigaction', 'rt_sigprocmask',
+            'poll', 'ppoll', 'select', 'epoll_create', 'epoll_ctl', 'epoll_wait',
+            'eventfd2',
+            'madvise',
+        ],
+        blockedSyscalls: [
+            'ptrace', 'perf_event_open', 'bpf', 'kexec_load', 'swapon', 'swapoff',
+            'reboot', 'init_module', 'finit_module', 'delete_module',
+            'mount', 'umount', 'umount2',
+            'setns', 'unshare',
+            'iopl', 'ioperm',
+            'acct',
+        ],
+        fsRules: [
+            { path: '/workspace/**', permissions: 'rw' },
+            { path: '/home/**', permissions: 'rw' },
+            { path: '/tmp/**', permissions: 'rw' },
+            { path: '/app/**', permissions: 'rw' },
+            { path: '/usr/**', permissions: 'r' },
+            { path: '/etc/**', permissions: 'r' },
+            { path: '/bin/**', permissions: 'rx' },
+            { path: '/lib/**', permissions: 'r' },
+            { path: '/lib64/**', permissions: 'r' },
+            { path: '/dev/**', permissions: 'none' },
+            { path: '/sys/**', permissions: 'none' },
+            { path: '/proc/**', permissions: 'r' },
+            { path: '/var/lib/**', permissions: 'none' },
+            { path: '/var/log/**', permissions: 'none' },
+            { path: '/run/**', permissions: 'none' },
+            { path: '/home/**/.ssh/**', permissions: 'none' },
+            { path: '/home/**/.aws/**', permissions: 'none' },
+            { path: '/home/**/.config/gcloud/**', permissions: 'none' },
+            { path: '/home/**/.gnupg/**', permissions: 'none' },
+            { path: '/home/**/.kube/**', permissions: 'none' },
+            { path: '/etc/shadow', permissions: 'none' },
+            { path: '/etc/sudoers', permissions: 'none' },
+        ],
+        networkRules: [
+            { direction: 'egress', host: 'api.openai.com', port: 443, action: 'allow' },
+            { direction: 'egress', host: 'api.anthropic.com', port: 443, action: 'allow' },
+            { direction: 'egress', host: '*.openai.com', port: 443, action: 'allow' },
+            { direction: 'egress', host: '*.anthropic.com', port: 443, action: 'allow' },
+            { direction: 'egress', host: 'api.neurosec.ai', port: 443, action: 'allow' },
+            { direction: 'egress', host: '127.0.0.1', port: 9081, action: 'allow' },
+            { direction: 'egress', action: 'deny' },
+            { direction: 'ingress', action: 'deny' },
+        ],
+        retainedCapabilities: [],
+        cpuMax: '2.0',
+        memoryMax: '4GB',
+        pidMax: 500,
+        blockedCapabilities: [
+            'CAP_NET_RAW', 'CAP_NET_ADMIN', 'CAP_SYS_ADMIN', 'CAP_SYS_PTRACE',
+            'CAP_SYS_MODULE', 'CAP_SYS_BOOT', 'CAP_SYS_RAWIO',
+            'CAP_AUDIT_CONTROL', 'CAP_SETUID', 'CAP_SETGID',
+            'CAP_DAC_OVERRIDE', 'CAP_DAC_READ_SEARCH', 'CAP_FOWNER',
+            'CAP_IPC_OWNER', 'CAP_KILL',
+        ],
+    },
+    {
+        name: 'default-restrictive',
+        frameworkIds: [],
+        allowedSyscalls: [
+            'read', 'write', 'open', 'openat', 'close', 'stat', 'fstat',
+            'mmap', 'munmap', 'brk', 'futex', 'exit_group', 'exit',
+            'clock_gettime', 'nanosleep', 'getrandom', 'getpid', 'gettid',
+            'connect', 'sendto', 'recvfrom',
+            'socket', 'setsockopt',
+            'rt_sigaction', 'rt_sigprocmask',
+        ],
+        blockedSyscalls: [
+            'ptrace', 'perf_event_open', 'bpf', 'kexec_load', 'mount', 'umount',
+            'init_module', 'delete_module', 'reboot', 'swapon',
+            'clone', 'clone3', 'execve', 'execveat', 'fork', 'vfork',
+            'setns', 'unshare', 'chroot', 'pivot_root',
+        ],
+        fsRules: [
+            { path: '/tmp/**', permissions: 'rw' },
+            { path: '/home/**', permissions: 'r' },
+            { path: '/usr/**', permissions: 'r' },
+            { path: '/dev/**', permissions: 'none' },
+            { path: '/sys/**', permissions: 'none' },
+            { path: '/proc/**', permissions: 'r' },
+            { path: '/etc/**', permissions: 'r' },
+            { path: '/etc/shadow', permissions: 'none' },
+            { path: '/etc/sudoers', permissions: 'none' },
+        ],
+        networkRules: [
+            { direction: 'egress', host: '127.0.0.1', port: 9081, action: 'allow' },
+            { direction: 'egress', action: 'deny' },
+            { direction: 'ingress', action: 'deny' },
+        ],
+        retainedCapabilities: [],
+        cpuMax: '0.5',
+        memoryMax: '512MB',
+        pidMax: 50,
+        blockedCapabilities: [
+            'CAP_NET_RAW', 'CAP_NET_ADMIN', 'CAP_SYS_ADMIN', 'CAP_SYS_PTRACE',
+            'CAP_SYS_MODULE', 'CAP_SYS_BOOT', 'CAP_SYS_RAWIO',
+            'CAP_AUDIT_CONTROL', 'CAP_SETUID', 'CAP_SETGID',
+            'CAP_DAC_OVERRIDE', 'CAP_DAC_READ_SEARCH', 'CAP_FOWNER',
+            'CAP_IPC_OWNER', 'CAP_KILL', 'CAP_CHOWN', 'CAP_FSETID',
+            'CAP_LINUX_IMMUTABLE', 'CAP_NET_BIND_SERVICE', 'CAP_NET_BROADCAST',
+        ],
+    },
+];
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";;;AA4Ia,QAAA,sBAAsB,GAAqB;IACtD;QACE,IAAI,EAAE,aAAa;QACnB,YAAY,EAAE,CAAC,aAAa,EAAE,YAAY,CAAC;QAC3C,eAAe,EAAE;YACf,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO;YACpE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;YAC1D,aAAa,EAAE,eAAe,EAAE,WAAW,EAAE,WAAW;YACxD,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU;YAC7D,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,OAAO;YAC3D,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM;YAC7D,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY;YACxD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO;YACxD,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY;YAC7C,QAAQ,EAAE,OAAO,EAAE,QAAQ;YAC3B,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS;YACvE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU;YACxC,WAAW,EAAE,WAAW,EAAE,UAAU;YACpC,OAAO,EAAE,SAAS,EAAE,OAAO;YAC3B,QAAQ,EAAE,cAAc,EAAE,gBAAgB,EAAE,cAAc;YAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY;YACvF,UAAU,EAAE,gBAAgB,EAAE,iBAAiB;YAC/C,UAAU,EAAE,iBAAiB;YAC7B,SAAS,EAAE,OAAO,EAAE,SAAS;SAC9B;QACD,eAAe,EAAE;YACf,QAAQ,EAAE,iBAAiB,EAAE,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,SAAS;YACrE,QAAQ,EAAE,aAAa,EAAE,cAAc,EAAE,eAAe;YACxD,MAAM,EAAE,eAAe,EAAE,aAAa;YACtC,YAAY,EAAE,QAAQ;YACtB,OAAO,EAAE,QAAQ,EAAE,SAAS;YAC5B,OAAO,EAAE,SAAS;YAClB,MAAM,EAAE,QAAQ;YAChB,MAAM;SACP;QACD,OAAO,EAAE;YACP,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,IAAI,EAAE;YACvC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,EAAE;YACtC,EAAE,IAAI,EAAE,eAAe,EAAE,WAAW,EAAE,IAAI,EAAE;YAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,EAAE;YACtC,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,IAAI,EAAE;YAC1C,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE;YACrC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE;YACrC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,EAAE;YACtC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE;YACrC,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,EAAE;YACvC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE;YACrC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE;YACxC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE;YACxC,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,EAAE;YACtC,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,EAAE;YAC5C,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,EAAE;YAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE;YACxC,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,EAAE;YAC5C,EAAE,IAAI,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,EAAE;YAC7C,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,GAAG,EAAE;YACzC,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,EAAE;YACjD,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,EAAE;YACjD,EAAE,IAAI,EAAE,4BAA4B,EAAE,WAAW,EAAE,MAAM,EAAE;YAC3D,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,EAAE;YACnD,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,EAAE;SACnD;QACD,YAAY,EAAE;YACZ,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE;YAC9E,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE;YAC5E,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE;YAC3E,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE;YAC5E,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE;YACvE,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE;YACvC,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE;SACzC;QACD,oBAAoB,EAAE,EAAE;QACxB,MAAM,EAAE,KAAK;QACb,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,GAAG;QACX,mBAAmB,EAAE;YACnB,aAAa,EAAE,eAAe,EAAE,eAAe,EAAE,gBAAgB;YACjE,gBAAgB,EAAE,cAAc,EAAE,eAAe;YACjD,eAAe,EAAE,mBAAmB,EAAE,YAAY,EAAE,YAAY;YAChE,kBAAkB,EAAE,qBAAqB,EAAE,YAAY;YACvD,eAAe,EAAE,UAAU;SAC5B;KACF;IACD;QACE,IAAI,EAAE,WAAW;QACjB,YAAY,EAAE,CAAC,WAAW,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC;QACjF,eAAe,EAAE;YACf,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO;YACpE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO;YAC1D,aAAa,EAAE,eAAe,EAAE,WAAW,EAAE,WAAW;YACxD,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU;YAC7D,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,OAAO;YAC3D,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS;YACrD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO;YACxD,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY;YAC7C,QAAQ,EAAE,OAAO,EAAE,QAAQ;YAC3B,QAAQ,EAAE,SAAS,EAAE,QAAQ;YAC7B,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU;YACxC,OAAO,EAAE,SAAS,EAAE,OAAO;YAC3B,cAAc,EAAE,gBAAgB;YAChC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY;YACpE,UAAU;YACV,SAAS;SACV;QACD,eAAe,EAAE;YACf,QAAQ,EAAE,iBAAiB,EAAE,KAAK,EAAE,YAAY,EAAE,QAAQ,EAAE,SAAS;YACrE,QAAQ,EAAE,aAAa,EAAE,cAAc,EAAE,eAAe;YACxD,OAAO,EAAE,QAAQ,EAAE,SAAS;YAC5B,OAAO,EAAE,SAAS;YAClB,MAAM,EAAE,QAAQ;YAChB,MAAM;SACP;QACD,OAAO,EAAE;YACP,EAAE,IAAI,EAAE,eAAe,EAAE,WAAW,EAAE,IAAI,EAAE;YAC5C,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,IAAI,EAAE;YACvC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,EAAE;YACtC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,EAAE;YACtC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE;YACrC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE;YACrC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,EAAE;YACtC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE;YACrC,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,EAAE;YACvC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE;YACxC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE;YACxC,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,EAAE;YACtC,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,EAAE;YAC5C,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,EAAE;YAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE;YACxC,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,EAAE;YACjD,EAAE,IAAI,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,EAAE;YACjD,EAAE,IAAI,EAAE,4BAA4B,EAAE,WAAW,EAAE,MAAM,EAAE;YAC3D,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,EAAE;YACnD,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,EAAE;YAClD,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,EAAE;YAC5C,EAAE,IAAI,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,EAAE;SAC9C;QACD,YAAY,EAAE;YACZ,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE;YAC3E,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE;YAC9E,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE;YACzE,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE;YAC5E,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,iBAAiB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE;YAC5E,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE;YACvE,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE;YACvC,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE;SACzC;QACD,oBAAoB,EAAE,EAAE;QACxB,MAAM,EAAE,KAAK;QACb,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,GAAG;QACX,mBAAmB,EAAE;YACnB,aAAa,EAAE,eAAe,EAAE,eAAe,EAAE,gBAAgB;YACjE,gBAAgB,EAAE,cAAc,EAAE,eAAe;YACjD,mBAAmB,EAAE,YAAY,EAAE,YAAY;YAC/C,kBAAkB,EAAE,qBAAqB,EAAE,YAAY;YACvD,eAAe,EAAE,UAAU;SAC5B;KACF;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,YAAY,EAAE,EAAE;QAChB,eAAe,EAAE;YACf,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO;YAC3D,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM;YACtD,eAAe,EAAE,WAAW,EAAE,WAAW,EAAE,QAAQ,EAAE,QAAQ;YAC7D,SAAS,EAAE,QAAQ,EAAE,UAAU;YAC/B,QAAQ,EAAE,YAAY;YACtB,cAAc,EAAE,gBAAgB;SACjC;QACD,eAAe,EAAE;YACf,QAAQ,EAAE,iBAAiB,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ;YACnE,aAAa,EAAE,eAAe,EAAE,QAAQ,EAAE,QAAQ;YAClD,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO;YACxD,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY;SAC3C;QACD,OAAO,EAAE;YACP,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,EAAE;YACtC,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,EAAE;YACtC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE;YACrC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE;YACxC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE;YACxC,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,EAAE;YACtC,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,GAAG,EAAE;YACrC,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,EAAE;YAC5C,EAAE,IAAI,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,EAAE;SAC9C;QACD,YAAY,EAAE;YACZ,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE;YACvE,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE;YACvC,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE;SACzC;QACD,oBAAoB,EAAE,EAAE;QACxB,MAAM,EAAE,KAAK;QACb,SAAS,EAAE,OAAO;QAClB,MAAM,EAAE,EAAE;QACV,mBAAmB,EAAE;YACnB,aAAa,EAAE,eAAe,EAAE,eAAe,EAAE,gBAAgB;YACjE,gBAAgB,EAAE,cAAc,EAAE,eAAe;YACjD,mBAAmB,EAAE,YAAY,EAAE,YAAY;YAC/C,kBAAkB,EAAE,qBAAqB,EAAE,YAAY;YACvD,eAAe,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY;YACtD,qBAAqB,EAAE,sBAAsB,EAAE,mBAAmB;SACnE;KACF;CACF,CAAC"}

package/package.json

@@ -0,0 +1,69 @@
+{
+  "name": "@neurosec/sentry",
+  "version": "1.0.0",
+  "description": "NeuroShield Sentry — host-level agent protection daemon. Detects and blocks malicious AI agent actions at the OS level.",
+  "keywords": [
+    "ai-security",
+    "agent-security",
+    "llm-guard",
+    "neurosec",
+    "neuroshield",
+    "mcp-security",
+    "ai-governance"
+  ],
+  "homepage": "https://neurosec.ai/sentry",
+  "bugs": {
+    "url": "https://github.com/neurosec-ai/neurosec/issues"
+  },
+  "license": "MIT",
+  "author": "NeuroSec <dev@neurosec.ai> (https://neurosec.ai)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/neurosec-ai/neurosec.git",
+    "directory": "packages/sentry"
+  },
+  "engines": {
+    "node": ">=20.0.0",
+    "npm": ">=9.0.0"
+  },
+  "os": [
+    "linux",
+    "darwin"
+  ],
+  "preferGlobal": true,
+  "bin": {
+    "neuroshield-sentryd": "./bin/sentryd.js",
+    "neuroshield-sentry": "./bin/cli.js"
+  },
+  "main": "dist/index.js",
+  "files": [
+    "bin/",
+    "dist/",
+    "scripts/",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "start": "node bin/sentryd.js",
+    "dev": "ts-node src/index.ts",
+    "lint": "eslint src --ext .ts",
+    "test": "vitest run",
+    "prepack": "npm run build && node scripts/prepack.js",
+    "postinstall": "node scripts/postinstall.js"
+  },
+  "dependencies": {
+    "yaml": "^2.3.4",
+    "uuid": "^9.0.0",
+    "winston": "^3.11.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typescript": "^5.3.0",
+    "vitest": "^1.0.0"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  }
+}

package/scripts/install-sentry-macos.sh

@@ -0,0 +1,238 @@
+#!/usr/bin/env bash
+# NeuroShield Sentry Daemon — macOS launchd Installation Script
+# Usage: sudo bash install-sentry-macos.sh [--mode enforce|monitor|quarantine]
+
+set -euo pipefail
+
+SENTRY_VERSION="${SENTRY_VERSION:-1.0.0}"
+INSTALL_DIR="/usr/local/lib/neuroshield"
+CONFIG_DIR="/etc/neuroshield"
+STATE_DIR="/var/lib/neuroshield/sentry"
+LOG_DIR="/var/log/neuroshield"
+BIN_PATH="/usr/local/bin/neuroshield-sentryd"
+CONFIG_PATH="${CONFIG_DIR}/sentry.yaml"
+PLIST_LABEL="com.neuroshield.sentry"
+PLIST_PATH="/Library/LaunchDaemons/${PLIST_LABEL}.plist"
+ENFORCEMENT_MODE="monitor"
+
+# Parse --mode flag
+for arg in "$@"; do
+  case "${arg}" in
+    --mode=*) ENFORCEMENT_MODE="${arg#*=}" ;;
+    --mode) shift; ENFORCEMENT_MODE="$1" ;;
+  esac
+done
+
+echo "============================================"
+echo " NeuroShield Sentry v${SENTRY_VERSION} Installer (macOS)"
+echo " Mode: ${ENFORCEMENT_MODE}"
+echo "============================================"
+
+if [ "$EUID" -ne 0 ]; then
+  echo "Error: This script must be run as root (sudo)" >&2
+  exit 1
+fi
+
+if ! command -v node &>/dev/null; then
+  echo "Error: Node.js is required (>= 20)" >&2
+  exit 1
+fi
+
+NODE_VERSION=$(node -v | sed 's/v//' | cut -d. -f1)
+if [ "${NODE_VERSION}" -lt 20 ]; then
+  echo "Error: Node.js >= 20 required (found v${NODE_VERSION})" >&2
+  exit 1
+fi
+
+# Create directories
+echo "Creating directories..."
+mkdir -p "${INSTALL_DIR}"
+mkdir -p "${CONFIG_DIR}"
+mkdir -p "${STATE_DIR}"
+mkdir -p "${LOG_DIR}"
+mkdir -p /var/run
+
+# Build
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+SENTRY_PACKAGE="${PROJECT_DIR}/packages/sentry"
+
+if [ -f "${SENTRY_PACKAGE}/package.json" ]; then
+  echo "Building sentry daemon from source..."
+  cd "${SENTRY_PACKAGE}"
+  if [ ! -d "node_modules" ]; then
+    npm install --production
+  fi
+  npx tsc --outDir dist 2>/dev/null || true
+  cp -r dist "${INSTALL_DIR}/"
+  cp -r node_modules "${INSTALL_DIR}/"
+  cp package.json "${INSTALL_DIR}/"
+fi
+
+# Install binary wrapper
+cat > "${BIN_PATH}" <<- 'BINEOF'
+#!/usr/bin/env node
+require('/usr/local/lib/neuroshield/dist/index.js');
+BINEOF
+chmod +x "${BIN_PATH}"
+
+# Generate default config if not exists
+if [ ! -f "${CONFIG_PATH}" ]; then
+  echo "Generating default config..."
+  cat > "${CONFIG_PATH}" <<- EOF
+# NeuroShield Sentry Daemon Configuration (macOS)
+sentry:
+  host_id: "$(scutil --get ComputerName 2>/dev/null || hostname)-sentry"
+  version: "${SENTRY_VERSION}"
+  health_port: 9190
+  api_port: 9191
+  state_dir: ${STATE_DIR}
+  pid_file_path: /var/run/neuroshield-sentry.pid
+
+neurosec:
+  endpoint: "https://api.neurosec.ai"
+  org_id: "${NEUROSEC_ORG_ID:-}"
+  token_path: ${CONFIG_DIR}/sentry.token
+  tls_cert: ${CONFIG_DIR}/cert.pem
+  tls_key: ${CONFIG_DIR}/key.pem
+  sync_interval_ms: 30000
+  heartbeat_interval_ms: 300000
+
+enforcement:
+  mode: "${ENFORCEMENT_MODE}"
+  sandbox_enabled: false
+  syscall_filter_enabled: false
+  network_filter_enabled: true
+  filesystem_filter_enabled: true
+
+sandbox_defaults:
+  cpu_max: "0.5"
+  memory_max: "512MB"
+  pid_max: 100
+
+network:
+  allow_hosts:
+    - "api.openai.com:443"
+    - "api.anthropic.com:443"
+    - "api.neurosec.ai:443"
+  block_hosts:
+    - "*.pastebin.com"
+    - "*.ngrok.io"
+    - "*.requestbin.net"
+    - "*.webhook.site"
+  allow_private: false
+  dns_monitor_enabled: true
+
+skill_authz:
+  enabled: true
+  allow_unknown: false
+  require_approval:
+    - "shell_exec"
+    - "bash"
+    - "terminal"
+    - "run_command"
+
+audit:
+  log_path: ${LOG_DIR}/sentry.log
+  retention_days: 90
+  max_size_mb: 500
+
+discovery:
+  interval_ms: 30000
+  source_paths:
+    - /workspace
+    - /app
+    - /Users
+    - /tmp
+EOF
+  echo "  Config written to ${CONFIG_PATH}"
+fi
+
+# Create empty token file
+if [ ! -f "${CONFIG_DIR}/sentry.token" ]; then
+  touch "${CONFIG_DIR}/sentry.token"
+  chmod 600 "${CONFIG_DIR}/sentry.token"
+fi
+
+# Install launchd plist
+echo "Installing launchd service..."
+cat > "${PLIST_PATH}" <<- EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${PLIST_LABEL}</string>
+
+  <key>ProgramArguments</key>
+  <array>
+    <string>${BIN_PATH}</string>
+    <string>${CONFIG_PATH}</string>
+  </array>
+
+  <key>RunAtLoad</key>
+  <true/>
+
+  <key>KeepAlive</key>
+  <dict>
+    <key>Crashed</key>
+    <true/>
+    <key>SuccessfulExit</key>
+    <false/>
+  </dict>
+
+  <key>ThrottleInterval</key>
+  <integer>10</integer>
+
+  <key>WorkingDirectory</key>
+  <string>${INSTALL_DIR}</string>
+
+  <key>StandardOutPath</key>
+  <string>${LOG_DIR}/sentry-stdout.log</string>
+
+  <key>StandardErrorPath</key>
+  <string>${LOG_DIR}/sentry-stderr.log</string>
+
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>NODE_ENV</key>
+    <string>production</string>
+    <key>SENTRY_CONFIG_PATH</key>
+    <string>${CONFIG_PATH}</string>
+    <key>LOG_LEVEL</key>
+    <string>info</string>
+  </dict>
+
+  <key>UserName</key>
+  <string>root</string>
+
+  <key>SessionCreate</key>
+  <true/>
+</dict>
+</plist>
+EOF
+
+chmod 644 "${PLIST_PATH}"
+echo "  Plist: ${PLIST_PATH}"
+
+# Load the service
+launchctl load "${PLIST_PATH}"
+
+echo ""
+echo "============================================"
+echo " Installation Complete!"
+echo "============================================"
+echo ""
+echo " Next steps:"
+echo "   1. Edit ${CONFIG_PATH} with your NeuroSec org ID"
+echo "   2. Set your sentry token: echo 'your-token' > ${CONFIG_DIR}/sentry.token"
+echo "   3. Start the daemon:  launchctl start ${PLIST_LABEL}"
+echo "   4. Check status:     launchctl list ${PLIST_LABEL}"
+echo "   5. View logs:        tail -f ${LOG_DIR}/sentry-stdout.log"
+echo "   6. Local API:        curl http://127.0.0.1:9191/api/v1/status"
+echo ""
+echo " To uninstall:"
+echo "   sudo launchctl unload ${PLIST_PATH}"
+echo "   sudo rm ${PLIST_PATH}"
+echo ""