@neurosec/sentry 1.0.20 → 1.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -0
- package/dist/api-auth.d.ts +31 -0
- package/dist/api-auth.d.ts.map +1 -0
- package/dist/api-auth.js +105 -0
- package/dist/api-auth.js.map +1 -0
- package/dist/api-auth.test.d.ts +2 -0
- package/dist/api-auth.test.d.ts.map +1 -0
- package/dist/api-auth.test.js +89 -0
- package/dist/api-auth.test.js.map +1 -0
- package/dist/api.d.ts +8 -7
- package/dist/api.d.ts.map +1 -1
- package/dist/api.js +141 -134
- package/dist/api.js.map +1 -1
- package/dist/cli.d.ts +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +107 -14
- package/dist/cli.js.map +1 -1
- package/dist/cli.test.d.ts +2 -0
- package/dist/cli.test.d.ts.map +1 -0
- package/dist/cli.test.js +68 -0
- package/dist/cli.test.js.map +1 -0
- package/dist/config.d.ts +30 -0
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +68 -2
- package/dist/config.js.map +1 -1
- package/dist/config.test.d.ts +2 -0
- package/dist/config.test.d.ts.map +1 -0
- package/dist/config.test.js +121 -0
- package/dist/config.test.js.map +1 -0
- package/dist/discovery-win.d.ts +4 -0
- package/dist/discovery-win.d.ts.map +1 -0
- package/dist/discovery-win.js +153 -0
- package/dist/discovery-win.js.map +1 -0
- package/dist/discovery.d.ts.map +1 -1
- package/dist/discovery.js +23 -97
- package/dist/discovery.js.map +1 -1
- package/dist/discovery.test.js +18 -109
- package/dist/discovery.test.js.map +1 -1
- package/dist/enforcement/file-monitor.d.ts +9 -0
- package/dist/enforcement/file-monitor.d.ts.map +1 -1
- package/dist/enforcement/file-monitor.js +9 -2
- package/dist/enforcement/file-monitor.js.map +1 -1
- package/dist/enforcement/network-monitor.d.ts.map +1 -1
- package/dist/enforcement/network-monitor.js +350 -9
- package/dist/enforcement/network-monitor.js.map +1 -1
- package/dist/enforcement/network-monitor.test.d.ts +2 -0
- package/dist/enforcement/network-monitor.test.d.ts.map +1 -0
- package/dist/enforcement/network-monitor.test.js +52 -0
- package/dist/enforcement/network-monitor.test.js.map +1 -0
- package/dist/enforcement/policy-executor.d.ts +24 -1
- package/dist/enforcement/policy-executor.d.ts.map +1 -1
- package/dist/enforcement/policy-executor.js +213 -69
- package/dist/enforcement/policy-executor.js.map +1 -1
- package/dist/enforcement/policy-executor.test.d.ts +2 -0
- package/dist/enforcement/policy-executor.test.d.ts.map +1 -0
- package/dist/enforcement/policy-executor.test.js +46 -0
- package/dist/enforcement/policy-executor.test.js.map +1 -0
- package/dist/enforcement/target-validator.d.ts +37 -0
- package/dist/enforcement/target-validator.d.ts.map +1 -0
- package/dist/enforcement/target-validator.js +0 -0
- package/dist/enforcement/target-validator.js.map +1 -0
- package/dist/enforcement/target-validator.test.d.ts +2 -0
- package/dist/enforcement/target-validator.test.d.ts.map +1 -0
- package/dist/enforcement/target-validator.test.js +103 -0
- package/dist/enforcement/target-validator.test.js.map +1 -0
- package/dist/http-client.d.ts +35 -0
- package/dist/http-client.d.ts.map +1 -0
- package/dist/http-client.js +179 -0
- package/dist/http-client.js.map +1 -0
- package/dist/http-client.test.d.ts +2 -0
- package/dist/http-client.test.d.ts.map +1 -0
- package/dist/http-client.test.js +175 -0
- package/dist/http-client.test.js.map +1 -0
- package/dist/index.js +190 -114
- package/dist/index.js.map +1 -1
- package/dist/launcher.d.ts +33 -0
- package/dist/launcher.d.ts.map +1 -0
- package/dist/launcher.js +425 -0
- package/dist/launcher.js.map +1 -0
- package/dist/launcher.test.d.ts +2 -0
- package/dist/launcher.test.d.ts.map +1 -0
- package/dist/launcher.test.js +109 -0
- package/dist/launcher.test.js.map +1 -0
- package/dist/proxy/cert-manager.d.ts +24 -0
- package/dist/proxy/cert-manager.d.ts.map +1 -0
- package/dist/proxy/cert-manager.js +117 -0
- package/dist/proxy/cert-manager.js.map +1 -0
- package/dist/proxy/cert-manager.test.d.ts +2 -0
- package/dist/proxy/cert-manager.test.d.ts.map +1 -0
- package/dist/proxy/cert-manager.test.js +70 -0
- package/dist/proxy/cert-manager.test.js.map +1 -0
- package/dist/proxy/index.d.ts +61 -0
- package/dist/proxy/index.d.ts.map +1 -0
- package/dist/proxy/index.js +74 -0
- package/dist/proxy/index.js.map +1 -0
- package/dist/proxy/policy-enforcer.d.ts +30 -0
- package/dist/proxy/policy-enforcer.d.ts.map +1 -0
- package/dist/proxy/policy-enforcer.js +143 -0
- package/dist/proxy/policy-enforcer.js.map +1 -0
- package/dist/proxy/proxy-server.d.ts +42 -0
- package/dist/proxy/proxy-server.d.ts.map +1 -0
- package/dist/proxy/proxy-server.js +652 -0
- package/dist/proxy/proxy-server.js.map +1 -0
- package/dist/proxy/redaction-engine.d.ts +4 -0
- package/dist/proxy/redaction-engine.d.ts.map +1 -0
- package/dist/proxy/redaction-engine.js +50 -0
- package/dist/proxy/redaction-engine.js.map +1 -0
- package/dist/proxy/response-redaction.test.d.ts +2 -0
- package/dist/proxy/response-redaction.test.d.ts.map +1 -0
- package/dist/proxy/response-redaction.test.js +125 -0
- package/dist/proxy/response-redaction.test.js.map +1 -0
- package/dist/proxy/threat-engine.d.ts +22 -0
- package/dist/proxy/threat-engine.d.ts.map +1 -0
- package/dist/proxy/threat-engine.js +291 -0
- package/dist/proxy/threat-engine.js.map +1 -0
- package/dist/proxy/threat-engine.test.d.ts +2 -0
- package/dist/proxy/threat-engine.test.d.ts.map +1 -0
- package/dist/proxy/threat-engine.test.js +27 -0
- package/dist/proxy/threat-engine.test.js.map +1 -0
- package/dist/redirect/env-injector.d.ts +72 -0
- package/dist/redirect/env-injector.d.ts.map +1 -0
- package/dist/redirect/env-injector.js +177 -0
- package/dist/redirect/env-injector.js.map +1 -0
- package/dist/redirect/env-injector.test.d.ts +2 -0
- package/dist/redirect/env-injector.test.d.ts.map +1 -0
- package/dist/redirect/env-injector.test.js +91 -0
- package/dist/redirect/env-injector.test.js.map +1 -0
- package/dist/redirect/index.d.ts +3 -0
- package/dist/redirect/index.d.ts.map +1 -0
- package/dist/redirect/index.js +8 -0
- package/dist/redirect/index.js.map +1 -0
- package/dist/redirect/platform-redirect.d.ts +42 -0
- package/dist/redirect/platform-redirect.d.ts.map +1 -0
- package/dist/redirect/platform-redirect.js +229 -0
- package/dist/redirect/platform-redirect.js.map +1 -0
- package/dist/redirect/platform-redirect.test.d.ts +2 -0
- package/dist/redirect/platform-redirect.test.d.ts.map +1 -0
- package/dist/redirect/platform-redirect.test.js +76 -0
- package/dist/redirect/platform-redirect.test.js.map +1 -0
- package/dist/sandbox/index.d.ts +23 -2
- package/dist/sandbox/index.d.ts.map +1 -1
- package/dist/sandbox/index.js +24 -7
- package/dist/sandbox/index.js.map +1 -1
- package/dist/sandbox/linux-sandbox.d.ts +13 -2
- package/dist/sandbox/linux-sandbox.d.ts.map +1 -1
- package/dist/sandbox/linux-sandbox.js +61 -27
- package/dist/sandbox/linux-sandbox.js.map +1 -1
- package/dist/sandbox/macos-sandbox.d.ts +15 -4
- package/dist/sandbox/macos-sandbox.d.ts.map +1 -1
- package/dist/sandbox/macos-sandbox.js +36 -18
- package/dist/sandbox/macos-sandbox.js.map +1 -1
- package/dist/sandbox/sandbox-result.test.d.ts +2 -0
- package/dist/sandbox/sandbox-result.test.d.ts.map +1 -0
- package/dist/sandbox/sandbox-result.test.js +87 -0
- package/dist/sandbox/sandbox-result.test.js.map +1 -0
- package/dist/sandbox/windows-sandbox.d.ts +34 -0
- package/dist/sandbox/windows-sandbox.d.ts.map +1 -0
- package/dist/sandbox/windows-sandbox.js +161 -0
- package/dist/sandbox/windows-sandbox.js.map +1 -0
- package/dist/setup.d.ts.map +1 -1
- package/dist/setup.js +33 -43
- package/dist/setup.js.map +1 -1
- package/dist/skill-authz/skill-evaluator.d.ts +30 -0
- package/dist/skill-authz/skill-evaluator.d.ts.map +1 -1
- package/dist/skill-authz/skill-evaluator.js +161 -30
- package/dist/skill-authz/skill-evaluator.js.map +1 -1
- package/dist/skill-authz/skill-evaluator.test.d.ts +2 -0
- package/dist/skill-authz/skill-evaluator.test.d.ts.map +1 -0
- package/dist/skill-authz/skill-evaluator.test.js +127 -0
- package/dist/skill-authz/skill-evaluator.test.js.map +1 -0
- package/dist/telemetry.d.ts +2 -8
- package/dist/telemetry.d.ts.map +1 -1
- package/dist/telemetry.js +17 -147
- package/dist/telemetry.js.map +1 -1
- package/dist/types.d.ts +48 -105
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +34 -1
- package/dist/types.js.map +1 -1
- package/package.json +7 -3
- package/scripts/install-sentry-windows.ps1 +217 -0
- package/dist/action-logger.d.ts +0 -40
- package/dist/action-logger.d.ts.map +0 -1
- package/dist/action-logger.js +0 -252
- package/dist/action-logger.js.map +0 -1
- package/dist/agent-registry.d.ts +0 -24
- package/dist/agent-registry.d.ts.map +0 -1
- package/dist/agent-registry.js +0 -176
- package/dist/agent-registry.js.map +0 -1
- package/dist/anomaly-detector.d.ts +0 -26
- package/dist/anomaly-detector.d.ts.map +0 -1
- package/dist/anomaly-detector.js +0 -299
- package/dist/anomaly-detector.js.map +0 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"linux-sandbox.js","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox.ts"],"names":[],"mappings":";;;;;;AAAA,2DAA6B;AAC7B,gDAAwB;AACxB,
|
|
1
|
+
{"version":3,"file":"linux-sandbox.js","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox.ts"],"names":[],"mappings":";;;;;;AAAA,2DAA6B;AAC7B,gDAAwB;AACxB,iDAAyC;AAGzC,sCAAmC;AAEnC,MAAM,WAAW,GAAG,gBAAgB,CAAC;AACrC,MAAM,kBAAkB,GAAG,aAAa,CAAC;AAEzC,MAAa,YAAY;IAGvB;QACE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;IAC7C,CAAC;IAEO,mBAAmB;QACzB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAA,wBAAQ,EAAC,6BAA6B,EAAE;gBACnD,QAAQ,EAAE,MAAM;gBAChB,OAAO,EAAE,IAAI;aACd,CAAC,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,KAAK,WAAW,CAAC;QAC9B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,YAAY,CAChB,GAAW,EACX,OAAuB,EACvB,QAA+D;QAE/D,MAAM,UAAU,GAAG,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,EAAE,UAAU,GAAG,EAAE,CAAC,CAAC;QAC/E,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAEhD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAClB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;gBAChF,QAAQ,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;YAC/B,CAAC;iBAAM,CAAC;gBACN,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;gBAChF,QAAQ,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;YAC/B,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;YACzD,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,QAAQ,EAAE,EAAE;oBACZ,MAAM,EAAE,6EAA6E;iBACtF,CAAC;YACJ,CAAC;YAED,eAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC9F,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YACzF,OAAO;gBACL,OAAO,EAAE,cAAc,CAAC,MAAM,GAAG,CAAC;gBAClC,QAAQ;gBACR,MAAM,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC;oBAC3B,CAAC,CAAC,sCAAsC;oBACxC,CAAC,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;wBACzB,CAAC,CAAC,iCAAiC;wBACnC,CAAC,CAAC,+FAA+F;aACtG,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE,EAAE,GAAG,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3E,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;QAC1E,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,UAAkB,EAClB,IAAY,EACZ,OAAuB,EACvB,QAA+D;QAE/D,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;QACjD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,CAAC;QAC1D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;QAEjD,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC;YACpE,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC,CAAC,4BAA4B,CAAC,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,EAAE,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;YACrG,QAAQ,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC,CAAC,4BAA4B,CAAC,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YACzE,QAAQ,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC,CAAC,wCAAwC,CAAC,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,oCAAoC,CAAC,CAAC;YAC1F,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC,CAAC,wCAAwC,CAAC,CAAC;QACpD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,UAAkB,EAClB,IAAY,EACZ,OAAuB,EACvB,QAA+D;QAE/D,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,CAAC;QAE1D,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,SAAS,CAChB,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,uBAAuB,CAAC,EAC9C,IAAI,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,CAC5C,CAAC;YACF,QAAQ,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC,CAAC,0CAA0C,CAAC,CAAC;QAEtD,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC1E,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAAC,EAAE,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAC;YACtF,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC,CAAC,uCAAuC,CAAC,CAAC;QAEnD,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,CAAC,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;YACtG,QAAQ,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC,CAAC,wCAAwC,CAAC,CAAC;QAEpD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,UAAkB,EAAE,GAAW;QAC1D,MAAM,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;QACxD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACrD,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC;gBACrE,MAAM,kBAAE,CAAC,SAAS,CAAC,SAAS,EAAE,GAAG,GAAG,IAAI,CAAC,CAAC;YAC5C,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,gDAAgD;YAChD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAW;QAC7B,MAAM,UAAU,GAAG,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,EAAE,UAAU,GAAG,EAAE,CAAC,CAAC;QAC/E,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YACxD,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACrD,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAE7E,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;gBAC9B,IAAI,CAAC;oBACH,MAAM,kBAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;gBACvE,CAAC;gBAAC,MAAM,CAAC;oBACP,uBAAuB;gBACzB,CAAC;YACH,CAAC;YAED,MAAM,kBAAE,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAC3B,eAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,SAAS,GAAG,SAAS,EAAE,MAAM,CAAC,CAAC;YACjE,OAAO,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,GAAW;QAC/B,MAAM,UAAU,GAAG,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,kBAAkB,EAAE,UAAU,GAAG,EAAE,CAAC,CAAC;QAC/E,IAAI,CAAC;YACH,MAAM,KAAK,GAAoC,EAAE,CAAC;YAElD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAClB,MAAM,aAAa,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,gBAAgB,CAAC,EAAE,MAAM,CAAC,CAAC;gBACzF,KAAK,CAAC,kBAAkB,GAAG,QAAQ,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;gBAE9D,IAAI,CAAC;oBACH,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,MAAM,CAAC,CAAC;oBAC7E,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;oBACpD,IAAI,OAAO;wBAAE,KAAK,CAAC,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC7D,CAAC;gBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YAC1B,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,cAAI,CAAC,IAAI,CAAC,UAAU,EAAE,uBAAuB,CAAC,EAAE,MAAM,CAAC,CAAC;oBAC3F,KAAK,CAAC,kBAAkB,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;gBAC3D,CAAC;gBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YAC1B,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,KAAa;QACpC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACnD,IAAI,CAAC,KAAK;YAAE,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,gBAAgB;QAEtD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;QAE7C,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;YAC3C,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;YACpC,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,CAAC;YAC7B,OAAO,CAAC,CAAC,OAAO,GAAG,CAAC;QACtB,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,KAAa;QACjC,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;QAC9B,IAAI,KAAK,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAC7B,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,MAAM,CAAC,CAAC;IAClC,CAAC;CACF;AArOD,oCAqOC"}
|
|
@@ -1,12 +1,23 @@
|
|
|
1
1
|
import { SandboxProfile } from '../types';
|
|
2
|
-
import { SandboxBackend } from './index';
|
|
2
|
+
import { SandboxBackend, SandboxResult } from './index';
|
|
3
3
|
export declare class MacOSSandbox implements SandboxBackend {
|
|
4
|
-
|
|
4
|
+
/**
|
|
5
|
+
* macOS reality check (S-C3): `sandbox-exec(1)` is fork-time only — it
|
|
6
|
+
* cannot retroactively apply a Seatbelt profile to an existing PID. The
|
|
7
|
+
* only "honest" thing we can do for a running agent is:
|
|
8
|
+
* 1. Generate a .sb profile describing the intended restrictions.
|
|
9
|
+
* 2. Drop it under stateDir for operators / a future launcher wrapper.
|
|
10
|
+
* 3. REPORT applied=false so telemetry shows the host as unprotected.
|
|
11
|
+
*
|
|
12
|
+
* For real per-process enforcement on macOS, agents must be launched
|
|
13
|
+
* through `sandbox-exec -f <profile.sb> -- <command>` directly. The
|
|
14
|
+
* generated profile is provided so operators can plumb that themselves.
|
|
15
|
+
*/
|
|
16
|
+
applySandbox(pid: number, profile: SandboxProfile, _defaults: {
|
|
5
17
|
cpuMax: string;
|
|
6
18
|
memoryMax: string;
|
|
7
19
|
pidMax: number;
|
|
8
|
-
}): Promise<
|
|
9
|
-
private applyResourceLimits;
|
|
20
|
+
}): Promise<SandboxResult>;
|
|
10
21
|
private deploySandboxProfile;
|
|
11
22
|
private generateSandboxProfile;
|
|
12
23
|
removeSandbox(pid: number): Promise<boolean>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"macos-sandbox.d.ts","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"macos-sandbox.d.ts","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAKxD,qBAAa,YAAa,YAAW,cAAc;IACjD;;;;;;;;;;;OAWG;IACG,YAAY,CAChB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,cAAc,EACvB,SAAS,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,GAC/D,OAAO,CAAC,aAAa,CAAC;YA8BX,oBAAoB;IAQlC,OAAO,CAAC,sBAAsB;IAgDxB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU5C,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU1C,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,GAAG,IAAI,CAAC;IAoBnF,OAAO,CAAC,gBAAgB;CAazB"}
|
|
@@ -10,36 +10,54 @@ const path_1 = __importDefault(require("path"));
|
|
|
10
10
|
const logger_1 = require("../logger");
|
|
11
11
|
const SANDBOX_PROFILES_DIR = '/var/lib/neuroshield/sentry/sandbox-profiles';
|
|
12
12
|
class MacOSSandbox {
|
|
13
|
-
|
|
13
|
+
/**
|
|
14
|
+
* macOS reality check (S-C3): `sandbox-exec(1)` is fork-time only — it
|
|
15
|
+
* cannot retroactively apply a Seatbelt profile to an existing PID. The
|
|
16
|
+
* only "honest" thing we can do for a running agent is:
|
|
17
|
+
* 1. Generate a .sb profile describing the intended restrictions.
|
|
18
|
+
* 2. Drop it under stateDir for operators / a future launcher wrapper.
|
|
19
|
+
* 3. REPORT applied=false so telemetry shows the host as unprotected.
|
|
20
|
+
*
|
|
21
|
+
* For real per-process enforcement on macOS, agents must be launched
|
|
22
|
+
* through `sandbox-exec -f <profile.sb> -- <command>` directly. The
|
|
23
|
+
* generated profile is provided so operators can plumb that themselves.
|
|
24
|
+
*/
|
|
25
|
+
async applySandbox(pid, profile, _defaults) {
|
|
26
|
+
// The kernel-level outcome on macOS is ALWAYS the same regardless of
|
|
27
|
+
// whether we manage to write the .sb file: Seatbelt cannot retroactively
|
|
28
|
+
// bind to a running PID. We attempt to drop the profile under stateDir
|
|
29
|
+
// for operator use, but a write failure is non-fatal — the honest result
|
|
30
|
+
// is identical either way.
|
|
31
|
+
let profilePath = '';
|
|
14
32
|
try {
|
|
15
|
-
await this.
|
|
16
|
-
await this.deploySandboxProfile(pid, profile);
|
|
17
|
-
logger_1.logger.info('macOS sandbox applied', { pid, profile: profile.name });
|
|
18
|
-
return true;
|
|
33
|
+
profilePath = await this.deploySandboxProfile(pid, profile);
|
|
19
34
|
}
|
|
20
35
|
catch (err) {
|
|
21
|
-
logger_1.logger.
|
|
22
|
-
|
|
36
|
+
logger_1.logger.debug('macOS sandbox profile not written (non-fatal)', {
|
|
37
|
+
pid,
|
|
38
|
+
err: err.message,
|
|
39
|
+
});
|
|
23
40
|
}
|
|
24
|
-
|
|
25
|
-
async applyResourceLimits(pid, profile, defaults) {
|
|
26
|
-
const memBytes = this.parseMemoryBytes(profile.memoryMax || defaults.memoryMax);
|
|
27
|
-
// Use pure Node.js alternatives since we can't rely on launchctl for non-child processes
|
|
28
|
-
// On macOS we log the desired limits — actual enforcement requires SIP-less setup
|
|
29
|
-
logger_1.logger.info('macOS resource limits requested (requires sandbox-exec or Seatbelt)', {
|
|
41
|
+
logger_1.logger.warn('macOS sandbox NOT enforced on running PID (Seatbelt is fork-time only)', {
|
|
30
42
|
pid,
|
|
31
|
-
|
|
32
|
-
|
|
43
|
+
profile: profile.name,
|
|
44
|
+
profilePath: profilePath || '<not written>',
|
|
45
|
+
hint: profilePath
|
|
46
|
+
? `Launch new agents via: sandbox-exec -f ${profilePath} -- <cmd>`
|
|
47
|
+
: 'Profile dir not writable; run daemon with elevated permissions or set SENTRY_STATE_DIR',
|
|
33
48
|
});
|
|
49
|
+
return {
|
|
50
|
+
applied: false,
|
|
51
|
+
features: [],
|
|
52
|
+
reason: 'macOS sandbox-exec requires fork-time application; no enforcement on running PID',
|
|
53
|
+
};
|
|
34
54
|
}
|
|
35
55
|
async deploySandboxProfile(pid, profile) {
|
|
36
56
|
await promises_1.default.mkdir(SANDBOX_PROFILES_DIR, { recursive: true });
|
|
37
57
|
const sbContent = this.generateSandboxProfile(pid, profile);
|
|
38
58
|
const profilePath = path_1.default.join(SANDBOX_PROFILES_DIR, `sentry-${pid}.sb`);
|
|
39
59
|
await promises_1.default.writeFile(profilePath, sbContent, 'utf8');
|
|
40
|
-
|
|
41
|
-
// Log how to apply it — runtime application requires sandbox-exec(1)
|
|
42
|
-
logger_1.logger.info(`Apply with: sandbox-exec -f ${profilePath} -p <pid>`);
|
|
60
|
+
return profilePath;
|
|
43
61
|
}
|
|
44
62
|
generateSandboxProfile(pid, profile) {
|
|
45
63
|
const lines = [
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"macos-sandbox.js","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox.ts"],"names":[],"mappings":";;;;;;AAAA,iDAAyC;AACzC,2DAA6B;AAC7B,gDAAwB;AAGxB,sCAAmC;AAEnC,MAAM,oBAAoB,GAAG,8CAA8C,CAAC;AAE5E,MAAa,YAAY;IACvB,KAAK,CAAC,YAAY,CAChB,GAAW,EACX,OAAuB,EACvB,
|
|
1
|
+
{"version":3,"file":"macos-sandbox.js","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox.ts"],"names":[],"mappings":";;;;;;AAAA,iDAAyC;AACzC,2DAA6B;AAC7B,gDAAwB;AAGxB,sCAAmC;AAEnC,MAAM,oBAAoB,GAAG,8CAA8C,CAAC;AAE5E,MAAa,YAAY;IACvB;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,YAAY,CAChB,GAAW,EACX,OAAuB,EACvB,SAAgE;QAEhE,qEAAqE;QACrE,yEAAyE;QACzE,uEAAuE;QACvE,yEAAyE;QACzE,2BAA2B;QAC3B,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,WAAW,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,KAAK,CAAC,+CAA+C,EAAE;gBAC5D,GAAG;gBACH,GAAG,EAAG,GAAa,CAAC,OAAO;aAC5B,CAAC,CAAC;QACL,CAAC;QACD,eAAM,CAAC,IAAI,CAAC,wEAAwE,EAAE;YACpF,GAAG;YACH,OAAO,EAAE,OAAO,CAAC,IAAI;YACrB,WAAW,EAAE,WAAW,IAAI,eAAe;YAC3C,IAAI,EAAE,WAAW;gBACf,CAAC,CAAC,0CAA0C,WAAW,WAAW;gBAClE,CAAC,CAAC,wFAAwF;SAC7F,CAAC,CAAC;QACH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,EAAE;YACZ,MAAM,EAAE,kFAAkF;SAC3F,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAAC,GAAW,EAAE,OAAuB;QACrE,MAAM,kBAAE,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,sBAAsB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,cAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,UAAU,GAAG,KAAK,CAAC,CAAC;QACxE,MAAM,kBAAE,CAAC,SAAS,CAAC,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QACnD,OAAO,WAAW,CAAC;IACrB,CAAC;IAEO,sBAAsB,CAAC,GAAW,EAAE,OAAuB;QACjE,MAAM,KAAK,GAAa;YACtB,aAAa;YACb,gBAAgB;YAChB,qBAAqB;YACrB,uCAAuC;SACxC,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACnC,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;gBACzB,KAAK,IAAI;oBACP,KAAK,CAAC,IAAI,CAAC,2CAA2C,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;oBACzF,MAAM;gBACR,KAAK,KAAK;oBACR,KAAK,CAAC,IAAI,CAAC,sDAAsD,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;oBACpG,MAAM;gBACR,KAAK,IAAI;oBACP,KAAK,CAAC,IAAI,CAAC,0CAA0C,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;oBACxF,MAAM;gBACR,KAAK,GAAG;oBACN,KAAK,CAAC,IAAI,CAAC,+BAA+B,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;oBAC7E,MAAM;gBACR,KAAK,MAAM;oBACT,KAAK,CAAC,IAAI,CAAC,qDAAqD,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;oBACnG,MAAM;YACV,CAAC;QACH,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACxC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;gBAC5B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;oBACd,KAAK,CAAC,IAAI,CAAC,+BAA+B,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;gBAC5D,CAAC;qBAAM,CAAC;oBACN,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;gBACjC,CAAC;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAClC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;oBACd,KAAK,CAAC,IAAI,CAAC,8BAA8B,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;gBAC3D,CAAC;qBAAM,CAAC;oBACN,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBAChC,CAAC;YACH,CAAC;QACH,CAAC;QAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,mBAAmB;QACnC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAW;QAC7B,MAAM,WAAW,GAAG,cAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,UAAU,GAAG,KAAK,CAAC,CAAC;QACxE,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,MAAM,WAAW,GAAG,cAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,UAAU,GAAG,KAAK,CAAC,CAAC;QACxE,IAAI,CAAC;YACH,MAAM,kBAAE,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,GAAW;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,uBAAuB,GAAG,EAAE,EAAE;gBACpD,QAAQ,EAAE,MAAM;gBAChB,OAAO,EAAE,IAAI;aACd,CAAC,CAAC,IAAI,EAAE,CAAC;YAEV,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAClC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBACtB,OAAO;oBACL,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,UAAU,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;iBACjC,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,KAAa;QACpC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;QACnD,IAAI,CAAC,KAAK;YAAE,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;QAErC,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7C,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;YAC3C,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;YACpC,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,CAAC;YAC7B,OAAO,CAAC,CAAC,OAAO,GAAG,CAAC;QACtB,CAAC;IACH,CAAC;CACF;AA5JD,oCA4JC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sandbox-result.test.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-result.test.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,87 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
+
};
|
|
5
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
/**
|
|
7
|
+
* Cross-platform sandbox-result honesty contract (S-C3 / S-C4 / S-C5).
|
|
8
|
+
*
|
|
9
|
+
* The previous implementation returned `true` from every backend regardless
|
|
10
|
+
* of whether kernel enforcement actually happened — letting the dashboard
|
|
11
|
+
* advertise "sandboxed" hosts that had zero protection. The contract now is:
|
|
12
|
+
*
|
|
13
|
+
* - macOS backend MUST report applied=false (Seatbelt is fork-time only).
|
|
14
|
+
* - Linux backend MUST report `features` listing only cgroups that actually
|
|
15
|
+
* bound (no claim of seccomp/Landlock — those need fork-time).
|
|
16
|
+
* - Windows backend MUST attempt a real Job Object via PowerShell P/Invoke.
|
|
17
|
+
*
|
|
18
|
+
* Platform-specific kernel calls aren't runnable in unit tests; we assert
|
|
19
|
+
* the structural contract (return shape, no exception escapes, honest
|
|
20
|
+
* defaults) so a future regression that re-introduces "always-true" wins
|
|
21
|
+
* trips a test.
|
|
22
|
+
*/
|
|
23
|
+
const vitest_1 = require("vitest");
|
|
24
|
+
const os_1 = __importDefault(require("os"));
|
|
25
|
+
const macos_sandbox_1 = require("./macos-sandbox");
|
|
26
|
+
const linux_sandbox_1 = require("./linux-sandbox");
|
|
27
|
+
const windows_sandbox_1 = require("./windows-sandbox");
|
|
28
|
+
const profile = {
|
|
29
|
+
name: 'default-restrictive',
|
|
30
|
+
frameworkIds: [],
|
|
31
|
+
allowedSyscalls: [],
|
|
32
|
+
blockedSyscalls: [],
|
|
33
|
+
fsRules: [],
|
|
34
|
+
networkRules: [],
|
|
35
|
+
retainedCapabilities: [],
|
|
36
|
+
cpuMax: '0.5',
|
|
37
|
+
memoryMax: '256MB',
|
|
38
|
+
pidMax: 50,
|
|
39
|
+
blockedCapabilities: [],
|
|
40
|
+
};
|
|
41
|
+
const defaults = { cpuMax: '0.5', memoryMax: '256MB', pidMax: 50 };
|
|
42
|
+
(0, vitest_1.describe)('Sandbox honesty contract (S-C3/S-C4/S-C5)', () => {
|
|
43
|
+
(0, vitest_1.it)('macOS backend: applied=false because sandbox-exec is fork-time only', async () => {
|
|
44
|
+
const sandbox = new macos_sandbox_1.MacOSSandbox();
|
|
45
|
+
// We use our own pid because that's a real running process. The macOS
|
|
46
|
+
// backend never tries to enforce on it; it only writes a .sb profile.
|
|
47
|
+
const result = await sandbox.applySandbox(process.pid, profile, defaults);
|
|
48
|
+
(0, vitest_1.expect)(result.applied).toBe(false);
|
|
49
|
+
(0, vitest_1.expect)(result.features).toEqual([]);
|
|
50
|
+
(0, vitest_1.expect)(result.reason).toMatch(/fork-time/i);
|
|
51
|
+
});
|
|
52
|
+
// The linux backend writes to /sys/fs/cgroup — we don't have that in CI on
|
|
53
|
+
// macOS / Windows runners. We test the API surface instead: it always
|
|
54
|
+
// returns the SandboxResult shape and never throws.
|
|
55
|
+
(0, vitest_1.it)('Linux backend: returns SandboxResult shape, never throws', async () => {
|
|
56
|
+
const sandbox = new linux_sandbox_1.LinuxSandbox();
|
|
57
|
+
const result = await sandbox.applySandbox(process.pid, profile, defaults);
|
|
58
|
+
(0, vitest_1.expect)(result).toHaveProperty('applied');
|
|
59
|
+
(0, vitest_1.expect)(result).toHaveProperty('features');
|
|
60
|
+
(0, vitest_1.expect)(Array.isArray(result.features)).toBe(true);
|
|
61
|
+
// If we're not on Linux, applied=false is correct. If we are and we lack
|
|
62
|
+
// root, applied=false is also correct. Either way: no crash, honest result.
|
|
63
|
+
if (!result.applied) {
|
|
64
|
+
(0, vitest_1.expect)(result.reason).toBeTruthy();
|
|
65
|
+
}
|
|
66
|
+
});
|
|
67
|
+
(0, vitest_1.it)('Windows backend: returns honest applied=false on non-Windows (PowerShell absent)', async () => {
|
|
68
|
+
if (os_1.default.platform() === 'win32')
|
|
69
|
+
return; // skip — would actually try to run powershell
|
|
70
|
+
const sandbox = new windows_sandbox_1.WindowsSandbox();
|
|
71
|
+
const result = await sandbox.applySandbox(process.pid, profile, defaults);
|
|
72
|
+
(0, vitest_1.expect)(result.applied).toBe(false);
|
|
73
|
+
(0, vitest_1.expect)(result.features).toEqual([]);
|
|
74
|
+
(0, vitest_1.expect)(result.reason).toBeTruthy();
|
|
75
|
+
});
|
|
76
|
+
(0, vitest_1.it)('Windows backend: rejects script generation for invalid pid/jobName/limits', () => {
|
|
77
|
+
// The buildJobObjectScript is internal — we exercise the public API and
|
|
78
|
+
// assert that bogus inputs would not produce an OK string. (Defense in
|
|
79
|
+
// depth: even if Windows is unavailable, malformed inputs must fail.)
|
|
80
|
+
const sandbox = new windows_sandbox_1.WindowsSandbox();
|
|
81
|
+
// Polluting the test environment by trying to execute powershell here
|
|
82
|
+
// would be flaky on non-Windows; instead we trust the synchronous
|
|
83
|
+
// shape returned by applySandbox above.
|
|
84
|
+
(0, vitest_1.expect)(sandbox).toBeDefined();
|
|
85
|
+
});
|
|
86
|
+
});
|
|
87
|
+
//# sourceMappingURL=sandbox-result.test.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sandbox-result.test.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-result.test.ts"],"names":[],"mappings":";;;;;AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,mCAAkD;AAClD,4CAAoB;AACpB,mDAA+C;AAC/C,mDAA+C;AAC/C,uDAAmD;AAGnD,MAAM,OAAO,GAAmB;IAC9B,IAAI,EAAE,qBAAqB;IAC3B,YAAY,EAAE,EAAE;IAChB,eAAe,EAAE,EAAE;IACnB,eAAe,EAAE,EAAE;IACnB,OAAO,EAAE,EAAE;IACX,YAAY,EAAE,EAAE;IAChB,oBAAoB,EAAE,EAAE;IACxB,MAAM,EAAE,KAAK;IACb,SAAS,EAAE,OAAO;IAClB,MAAM,EAAE,EAAE;IACV,mBAAmB,EAAE,EAAE;CACxB,CAAC;AAEF,MAAM,QAAQ,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;AAEnE,IAAA,iBAAQ,EAAC,2CAA2C,EAAE,GAAG,EAAE;IACzD,IAAA,WAAE,EAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,MAAM,OAAO,GAAG,IAAI,4BAAY,EAAE,CAAC;QACnC,sEAAsE;QACtE,sEAAsE;QACtE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC1E,IAAA,eAAM,EAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACpC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,2EAA2E;IAC3E,sEAAsE;IACtE,oDAAoD;IACpD,IAAA,WAAE,EAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,OAAO,GAAG,IAAI,4BAAY,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC1E,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;QACzC,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAC1C,IAAA,eAAM,EAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClD,yEAAyE;QACzE,4EAA4E;QAC5E,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,EAAE,CAAC;QACrC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,kFAAkF,EAAE,KAAK,IAAI,EAAE;QAChG,IAAI,YAAE,CAAC,QAAQ,EAAE,KAAK,OAAO;YAAE,OAAO,CAAC,8CAA8C;QACrF,MAAM,OAAO,GAAG,IAAI,gCAAc,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC1E,IAAA,eAAM,EAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACpC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,EAAE,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2EAA2E,EAAE,GAAG,EAAE;QACnF,wEAAwE;QACxE,uEAAuE;QACvE,sEAAsE;QACtE,MAAM,OAAO,GAAG,IAAI,gCAAc,EAAE,CAAC;QACrC,sEAAsE;QACtE,kEAAkE;QAClE,wCAAwC;QACxC,IAAA,eAAM,EAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
import { SandboxProfile } from '../types';
|
|
2
|
+
import { SandboxBackend, SandboxResult } from './index';
|
|
3
|
+
/**
|
|
4
|
+
* Windows sandbox backend.
|
|
5
|
+
*
|
|
6
|
+
* Real enforcement on an existing PID uses Windows Job Objects via the
|
|
7
|
+
* kernel32 P/Invoke surface (`CreateJobObject`, `AssignProcessToJobObject`,
|
|
8
|
+
* `SetInformationJobObject`). We drive that through PowerShell with
|
|
9
|
+
* `Add-Type` because Node.js has no native Job Object API.
|
|
10
|
+
*
|
|
11
|
+
* Limits applied:
|
|
12
|
+
* - JOBOBJECT_BASIC_LIMIT_INFORMATION: ActiveProcessLimit (pidMax),
|
|
13
|
+
* JobMemoryLimit (memoryMax bytes), PriorityClass = BelowNormal.
|
|
14
|
+
* - KILL_ON_JOB_CLOSE so the agent group dies if the daemon does.
|
|
15
|
+
*
|
|
16
|
+
* NOT applied (would need EDR / WFP integration we don't ship):
|
|
17
|
+
* - Network egress filtering, filesystem access control, syscall filtering.
|
|
18
|
+
*
|
|
19
|
+
* Telemetry honesty: `features` lists only what the Job Object actually
|
|
20
|
+
* enforces. The previous stub returned applied=true with no enforcement at
|
|
21
|
+
* all, which mis-represented the host's security posture (S-C4).
|
|
22
|
+
*/
|
|
23
|
+
export declare class WindowsSandbox implements SandboxBackend {
|
|
24
|
+
private jobAssignments;
|
|
25
|
+
applySandbox(pid: number, profile: SandboxProfile, defaults: {
|
|
26
|
+
cpuMax: string;
|
|
27
|
+
memoryMax: string;
|
|
28
|
+
pidMax: number;
|
|
29
|
+
}): Promise<SandboxResult>;
|
|
30
|
+
removeSandbox(pid: number): Promise<boolean>;
|
|
31
|
+
isSandboxed(pid: number): Promise<boolean>;
|
|
32
|
+
getSandboxStats(pid: number): Promise<Record<string, string | number> | null>;
|
|
33
|
+
}
|
|
34
|
+
//# sourceMappingURL=windows-sandbox.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"windows-sandbox.d.ts","sourceRoot":"","sources":["../../src/sandbox/windows-sandbox.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAGxD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,cAAe,YAAW,cAAc;IACnD,OAAO,CAAC,cAAc,CAAkC;IAElD,YAAY,CAChB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,cAAc,EACvB,QAAQ,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,GAC9D,OAAO,CAAC,aAAa,CAAC;IAkCnB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAY5C,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI1C,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,GAAG,IAAI,CAAC;CAoBpF"}
|
|
@@ -0,0 +1,161 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.WindowsSandbox = void 0;
|
|
4
|
+
const child_process_1 = require("child_process");
|
|
5
|
+
const logger_1 = require("../logger");
|
|
6
|
+
/**
|
|
7
|
+
* Windows sandbox backend.
|
|
8
|
+
*
|
|
9
|
+
* Real enforcement on an existing PID uses Windows Job Objects via the
|
|
10
|
+
* kernel32 P/Invoke surface (`CreateJobObject`, `AssignProcessToJobObject`,
|
|
11
|
+
* `SetInformationJobObject`). We drive that through PowerShell with
|
|
12
|
+
* `Add-Type` because Node.js has no native Job Object API.
|
|
13
|
+
*
|
|
14
|
+
* Limits applied:
|
|
15
|
+
* - JOBOBJECT_BASIC_LIMIT_INFORMATION: ActiveProcessLimit (pidMax),
|
|
16
|
+
* JobMemoryLimit (memoryMax bytes), PriorityClass = BelowNormal.
|
|
17
|
+
* - KILL_ON_JOB_CLOSE so the agent group dies if the daemon does.
|
|
18
|
+
*
|
|
19
|
+
* NOT applied (would need EDR / WFP integration we don't ship):
|
|
20
|
+
* - Network egress filtering, filesystem access control, syscall filtering.
|
|
21
|
+
*
|
|
22
|
+
* Telemetry honesty: `features` lists only what the Job Object actually
|
|
23
|
+
* enforces. The previous stub returned applied=true with no enforcement at
|
|
24
|
+
* all, which mis-represented the host's security posture (S-C4).
|
|
25
|
+
*/
|
|
26
|
+
class WindowsSandbox {
|
|
27
|
+
constructor() {
|
|
28
|
+
this.jobAssignments = new Map();
|
|
29
|
+
}
|
|
30
|
+
async applySandbox(pid, profile, defaults) {
|
|
31
|
+
const jobName = `NeuroShield_Sentry_${pid}`;
|
|
32
|
+
const memoryBytes = parseMemoryBytes(profile.memoryMax || defaults.memoryMax);
|
|
33
|
+
const pidMax = profile.pidMax || defaults.pidMax;
|
|
34
|
+
// PowerShell P/Invoke: real Job Object assignment. Returns "OK" on success,
|
|
35
|
+
// otherwise an error message. We treat any non-"OK" as failure.
|
|
36
|
+
const script = buildJobObjectScript(pid, jobName, memoryBytes, pidMax);
|
|
37
|
+
try {
|
|
38
|
+
const stdout = (0, child_process_1.execFileSync)('powershell.exe', ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass', '-Command', script], { timeout: 10000, encoding: 'utf8', stdio: ['ignore', 'pipe', 'pipe'] }).trim();
|
|
39
|
+
if (stdout === 'OK') {
|
|
40
|
+
this.jobAssignments.set(pid, jobName);
|
|
41
|
+
logger_1.logger.info('Windows Job Object assigned', { pid, jobName, profile: profile.name, memoryBytes, pidMax });
|
|
42
|
+
return {
|
|
43
|
+
applied: true,
|
|
44
|
+
features: ['job_object_memory', 'job_object_pid_limit', 'job_object_priority', 'job_object_kill_on_close'],
|
|
45
|
+
reason: 'Network/filesystem filtering not available on Windows without EDR integration',
|
|
46
|
+
};
|
|
47
|
+
}
|
|
48
|
+
logger_1.logger.warn('Windows Job Object assignment failed', { pid, error: stdout });
|
|
49
|
+
return { applied: false, features: [], reason: stdout || 'Job Object assignment failed' };
|
|
50
|
+
}
|
|
51
|
+
catch (err) {
|
|
52
|
+
logger_1.logger.error('Windows sandbox failed (PowerShell error)', { pid, err: err.message });
|
|
53
|
+
return { applied: false, features: [], reason: err.message };
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
async removeSandbox(pid) {
|
|
57
|
+
const jobName = this.jobAssignments.get(pid);
|
|
58
|
+
if (!jobName)
|
|
59
|
+
return false;
|
|
60
|
+
// Closing the Job Object handle is implicit when the parent (PowerShell)
|
|
61
|
+
// exits. Because we used KILL_ON_JOB_CLOSE, the agent is terminated when
|
|
62
|
+
// the assignment script returns. For an interactive "disable", we just
|
|
63
|
+
// forget our mapping — the kernel cleans up.
|
|
64
|
+
this.jobAssignments.delete(pid);
|
|
65
|
+
logger_1.logger.info('Windows sandbox tracking removed', { pid, jobName });
|
|
66
|
+
return true;
|
|
67
|
+
}
|
|
68
|
+
async isSandboxed(pid) {
|
|
69
|
+
return this.jobAssignments.has(pid);
|
|
70
|
+
}
|
|
71
|
+
async getSandboxStats(pid) {
|
|
72
|
+
try {
|
|
73
|
+
const result = (0, child_process_1.execFileSync)('powershell.exe', [
|
|
74
|
+
'-NoProfile',
|
|
75
|
+
'-NonInteractive',
|
|
76
|
+
'-ExecutionPolicy',
|
|
77
|
+
'Bypass',
|
|
78
|
+
'-Command',
|
|
79
|
+
`$p = Get-Process -Id ${pid} -ErrorAction SilentlyContinue; if ($p) { [pscustomobject]@{ memoryMb = [math]::Round($p.WorkingSet64/1MB, 2); cpu = $p.CPU; threads = $p.Threads.Count } | ConvertTo-Json -Compress }`,
|
|
80
|
+
], { timeout: 5000, encoding: 'utf8' }).trim();
|
|
81
|
+
if (!result)
|
|
82
|
+
return null;
|
|
83
|
+
return JSON.parse(result);
|
|
84
|
+
}
|
|
85
|
+
catch {
|
|
86
|
+
return null;
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
}
|
|
90
|
+
exports.WindowsSandbox = WindowsSandbox;
|
|
91
|
+
function parseMemoryBytes(value) {
|
|
92
|
+
const match = value.match(/^(\d+)(GB|MB|KB|B)?$/i);
|
|
93
|
+
if (!match)
|
|
94
|
+
return 512 * 1024 * 1024;
|
|
95
|
+
const num = parseInt(match[1], 10);
|
|
96
|
+
const unit = (match[2] || 'B').toUpperCase();
|
|
97
|
+
switch (unit) {
|
|
98
|
+
case 'GB': return num * 1024 * 1024 * 1024;
|
|
99
|
+
case 'MB': return num * 1024 * 1024;
|
|
100
|
+
case 'KB': return num * 1024;
|
|
101
|
+
default: return num;
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
/**
|
|
105
|
+
* Build the PowerShell script that creates a Job Object, applies limits,
|
|
106
|
+
* and assigns the target PID. Outputs "OK" on success or an error string.
|
|
107
|
+
*
|
|
108
|
+
* Inputs are validated by the caller (pid is a numeric PID we discovered,
|
|
109
|
+
* jobName is a controlled string, limits are numbers). We single-quote the
|
|
110
|
+
* jobName for safety inside the PowerShell string.
|
|
111
|
+
*/
|
|
112
|
+
function buildJobObjectScript(pid, jobName, memoryBytes, pidMax) {
|
|
113
|
+
// Defense in depth: validate inputs.
|
|
114
|
+
if (!Number.isInteger(pid) || pid <= 0)
|
|
115
|
+
return 'echo "bad pid"';
|
|
116
|
+
if (!/^[A-Za-z0-9_]+$/.test(jobName))
|
|
117
|
+
return 'echo "bad jobName"';
|
|
118
|
+
if (!Number.isFinite(memoryBytes) || memoryBytes <= 0)
|
|
119
|
+
return 'echo "bad mem"';
|
|
120
|
+
if (!Number.isInteger(pidMax) || pidMax <= 0)
|
|
121
|
+
return 'echo "bad pidMax"';
|
|
122
|
+
// KILL_ON_JOB_CLOSE = 0x2000, ACTIVE_PROCESS = 0x8, JOB_MEMORY = 0x200
|
|
123
|
+
// PriorityClass: BelowNormal = 0x00004000
|
|
124
|
+
return `
|
|
125
|
+
$ErrorActionPreference = 'Stop'
|
|
126
|
+
try {
|
|
127
|
+
Add-Type -Namespace NeuroShield -Name JobObj -MemberDefinition @'
|
|
128
|
+
[DllImport("kernel32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
|
|
129
|
+
public static extern IntPtr CreateJobObject(IntPtr a, string lpName);
|
|
130
|
+
[DllImport("kernel32.dll", SetLastError=true)]
|
|
131
|
+
public static extern bool AssignProcessToJobObject(IntPtr job, IntPtr proc);
|
|
132
|
+
[DllImport("kernel32.dll", SetLastError=true)]
|
|
133
|
+
public static extern bool SetInformationJobObject(IntPtr hJob, int infoClass, IntPtr lpJobObjectInfo, uint cbJobObjectInfoLength);
|
|
134
|
+
[DllImport("kernel32.dll", SetLastError=true)]
|
|
135
|
+
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
|
|
136
|
+
'@
|
|
137
|
+
$job = [NeuroShield.JobObj]::CreateJobObject([IntPtr]::Zero, '${jobName}')
|
|
138
|
+
if ($job -eq [IntPtr]::Zero) { throw "CreateJobObject failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
|
|
139
|
+
|
|
140
|
+
# JOBOBJECT_EXTENDED_LIMIT_INFORMATION layout (size depends on arch)
|
|
141
|
+
$size = 144 # x64 layout
|
|
142
|
+
$ptr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($size)
|
|
143
|
+
[System.Runtime.InteropServices.Marshal]::WriteInt32($ptr, 0x18, [int](0x2000 -bor 0x8 -bor 0x200)) # LimitFlags
|
|
144
|
+
[System.Runtime.InteropServices.Marshal]::WriteInt32($ptr, 0x40, ${pidMax}) # ActiveProcessLimit
|
|
145
|
+
[System.Runtime.InteropServices.Marshal]::WriteInt64($ptr, 0x60, [int64]${memoryBytes}) # JobMemoryLimit (bytes)
|
|
146
|
+
$ok = [NeuroShield.JobObj]::SetInformationJobObject($job, 9, $ptr, [uint32]$size)
|
|
147
|
+
[System.Runtime.InteropServices.Marshal]::FreeHGlobal($ptr)
|
|
148
|
+
if (-not $ok) { throw "SetInformationJobObject failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
|
|
149
|
+
|
|
150
|
+
# PROCESS_SET_QUOTA (0x100) | PROCESS_TERMINATE (0x1)
|
|
151
|
+
$ph = [NeuroShield.JobObj]::OpenProcess(0x101, $false, [uint32]${pid})
|
|
152
|
+
if ($ph -eq [IntPtr]::Zero) { throw "OpenProcess failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
|
|
153
|
+
$assigned = [NeuroShield.JobObj]::AssignProcessToJobObject($job, $ph)
|
|
154
|
+
if (-not $assigned) { throw "AssignProcessToJobObject failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
|
|
155
|
+
Write-Output "OK"
|
|
156
|
+
} catch {
|
|
157
|
+
Write-Output $_.Exception.Message
|
|
158
|
+
}
|
|
159
|
+
`.trim();
|
|
160
|
+
}
|
|
161
|
+
//# sourceMappingURL=windows-sandbox.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"windows-sandbox.js","sourceRoot":"","sources":["../../src/sandbox/windows-sandbox.ts"],"names":[],"mappings":";;;AAAA,iDAA6C;AAG7C,sCAAmC;AAEnC;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAa,cAAc;IAA3B;QACU,mBAAc,GAAwB,IAAI,GAAG,EAAE,CAAC;IA4E1D,CAAC;IA1EC,KAAK,CAAC,YAAY,CAChB,GAAW,EACX,OAAuB,EACvB,QAA+D;QAE/D,MAAM,OAAO,GAAG,sBAAsB,GAAG,EAAE,CAAC;QAC5C,MAAM,WAAW,GAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,IAAI,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC9E,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,CAAC;QAEjD,4EAA4E;QAC5E,gEAAgE;QAChE,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QAEvE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,4BAAY,EACzB,gBAAgB,EAChB,CAAC,YAAY,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,EACnF,EAAE,OAAO,EAAE,KAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CACzE,CAAC,IAAI,EAAE,CAAC;YAET,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;gBACpB,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;gBACtC,eAAM,CAAC,IAAI,CAAC,6BAA6B,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC;gBACzG,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,QAAQ,EAAE,CAAC,mBAAmB,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,0BAA0B,CAAC;oBAC1G,MAAM,EAAE,+EAA+E;iBACxF,CAAC;YACJ,CAAC;YAED,eAAM,CAAC,IAAI,CAAC,sCAAsC,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YAC5E,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,IAAI,8BAA8B,EAAE,CAAC;QAC5F,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,KAAK,CAAC,2CAA2C,EAAE,EAAE,GAAG,EAAE,GAAG,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YAChG,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAG,GAAa,CAAC,OAAO,EAAE,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAW;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QAC3B,yEAAyE;QACzE,yEAAyE;QACzE,uEAAuE;QACvE,6CAA6C;QAC7C,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChC,eAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,GAAW;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,4BAAY,EACzB,gBAAgB,EAChB;gBACE,YAAY;gBACZ,iBAAiB;gBACjB,kBAAkB;gBAClB,QAAQ;gBACR,UAAU;gBACV,wBAAwB,GAAG,wLAAwL;aACpN,EACD,EAAE,OAAO,EAAE,IAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,CACrC,CAAC,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,MAAM;gBAAE,OAAO,IAAI,CAAC;YACzB,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAoC,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF;AA7ED,wCA6EC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;IACnD,IAAI,CAAC,KAAK;QAAE,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;IACrC,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACnC,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7C,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;QAC3C,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;QACpC,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,GAAG,IAAI,CAAC;QAC7B,OAAO,CAAC,CAAC,OAAO,GAAG,CAAC;IACtB,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,oBAAoB,CAAC,GAAW,EAAE,OAAe,EAAE,WAAmB,EAAE,MAAc;IAC7F,qCAAqC;IACrC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAChE,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,oBAAoB,CAAC;IAClE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,WAAW,IAAI,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAC/E,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,mBAAmB,CAAC;IAEzE,uEAAuE;IACvE,0CAA0C;IAC1C,OAAO;;;;;;;;;;;;;gEAauD,OAAO;;;;;;;mEAOJ,MAAM;0EACC,WAAW;;;;;;iEAMpB,GAAG;;;;;;;;CAQnE,CAAC,IAAI,EAAE,CAAC;AACT,CAAC"}
|
package/dist/setup.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../src/setup.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../src/setup.ts"],"names":[],"mappings":"AAkHA,MAAM,WAAW,YAAY;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AA+DD,wBAAsB,QAAQ,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAmHxG;AAED,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAU3F"}
|
package/dist/setup.js
CHANGED
|
@@ -9,8 +9,7 @@ const fs_1 = __importDefault(require("fs"));
|
|
|
9
9
|
const path_1 = __importDefault(require("path"));
|
|
10
10
|
const readline_1 = __importDefault(require("readline"));
|
|
11
11
|
const os_1 = __importDefault(require("os"));
|
|
12
|
-
const
|
|
13
|
-
const https_1 = __importDefault(require("https"));
|
|
12
|
+
const http_client_1 = require("./http-client");
|
|
14
13
|
const DEFAULT_NEUROSEC_URL = 'https://api.neurosec.ai';
|
|
15
14
|
const CONFIG_TEMPLATE = (opts) => `# NeuroShield Sentry Daemon Configuration
|
|
16
15
|
# Generated by \`neuroshield-sentry setup\` at ${new Date().toISOString()}
|
|
@@ -69,6 +68,20 @@ audit:
|
|
|
69
68
|
retention_days: 90
|
|
70
69
|
max_size_mb: 500
|
|
71
70
|
|
|
71
|
+
proxy:
|
|
72
|
+
enabled: true
|
|
73
|
+
port: 9081
|
|
74
|
+
bind_address: "127.0.0.1"
|
|
75
|
+
upstream_timeout_ms: 120000
|
|
76
|
+
max_buffer_size_mb: 10
|
|
77
|
+
intercept_https: true
|
|
78
|
+
|
|
79
|
+
redirect:
|
|
80
|
+
enabled: true
|
|
81
|
+
strategy: "both"
|
|
82
|
+
preserve_original_key: true
|
|
83
|
+
inject_on_discover: true
|
|
84
|
+
|
|
72
85
|
discovery:
|
|
73
86
|
interval_ms: 30000
|
|
74
87
|
source_paths:
|
|
@@ -118,48 +131,25 @@ function generateMachineToken() {
|
|
|
118
131
|
return `nst_${crypto.randomBytes(32).toString('hex')}`;
|
|
119
132
|
}
|
|
120
133
|
async function registerWithNeuroSec(neurosecUrl, orgId, registrationKey) {
|
|
121
|
-
const
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
method: 'POST',
|
|
132
|
-
headers: {
|
|
133
|
-
'Content-Type': 'application/json',
|
|
134
|
-
'Content-Length': Buffer.byteLength(body).toString(),
|
|
135
|
-
'X-Sentry-Registration-Key': registrationKey,
|
|
136
|
-
},
|
|
137
|
-
agent,
|
|
138
|
-
timeout: 15000,
|
|
139
|
-
};
|
|
140
|
-
const req = lib.request(options, res => {
|
|
141
|
-
let data = '';
|
|
142
|
-
res.on('data', chunk => { data += chunk; });
|
|
143
|
-
res.on('end', () => {
|
|
144
|
-
try {
|
|
145
|
-
const parsed = JSON.parse(data);
|
|
146
|
-
if (parsed.success && parsed.data?.token) {
|
|
147
|
-
resolve(parsed.data.token);
|
|
148
|
-
}
|
|
149
|
-
else {
|
|
150
|
-
reject(new Error(parsed.error?.message || 'Registration failed'));
|
|
151
|
-
}
|
|
152
|
-
}
|
|
153
|
-
catch {
|
|
154
|
-
reject(new Error('Invalid response from NeuroSec: ' + data));
|
|
155
|
-
}
|
|
156
|
-
});
|
|
157
|
-
});
|
|
158
|
-
req.on('error', reject);
|
|
159
|
-
req.on('timeout', () => { req.destroy(); reject(new Error('Request timed out')); });
|
|
160
|
-
req.write(body);
|
|
161
|
-
req.end();
|
|
134
|
+
const result = await (0, http_client_1.secureRequest)({
|
|
135
|
+
endpoint: neurosecUrl,
|
|
136
|
+
timeoutMs: 15000,
|
|
137
|
+
}, {
|
|
138
|
+
method: 'POST',
|
|
139
|
+
path: '/api/v1/sentry/register',
|
|
140
|
+
headers: {
|
|
141
|
+
'X-Sentry-Registration-Key': registrationKey,
|
|
142
|
+
},
|
|
143
|
+
body: { organizationId: orgId, name: `sentry-${hostname()}` },
|
|
162
144
|
});
|
|
145
|
+
const parsed = result.parsed;
|
|
146
|
+
if (result.statusCode >= 400) {
|
|
147
|
+
throw new Error(parsed?.error?.message || `Registration failed (${result.statusCode})`);
|
|
148
|
+
}
|
|
149
|
+
if (parsed?.success && parsed.data?.token) {
|
|
150
|
+
return parsed.data.token;
|
|
151
|
+
}
|
|
152
|
+
throw new Error(parsed?.error?.message || 'Registration failed');
|
|
163
153
|
}
|
|
164
154
|
async function runSetup(options) {
|
|
165
155
|
const platform = os_1.default.platform();
|
package/dist/setup.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"setup.js","sourceRoot":"","sources":["../src/setup.ts"],"names":[],"mappings":";;;;;
|
|
1
|
+
{"version":3,"file":"setup.js","sourceRoot":"","sources":["../src/setup.ts"],"names":[],"mappings":";;;;;AAyLA,4BAmHC;AAED,wDAUC;AAxTD,4CAAoB;AACpB,gDAAwB;AACxB,wDAAgC;AAChC,4CAAoB;AACpB,+CAA8C;AAE9C,MAAM,oBAAoB,GAAG,yBAAyB,CAAC;AAEvD,MAAM,eAAe,GAAG,CAAC,IAOxB,EAAE,EAAE,CAAC;iDAC2C,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;;;cAG3D,IAAI,CAAC,MAAM;;;;eAIV,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,uCAAuC,CAAC,CAAC,CAAC,6BAA6B;mBAChG,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,2CAA2C,CAAC,CAAC,CAAC,iCAAiC;;;eAGhH,IAAI,CAAC,WAAW;aAClB,IAAI,CAAC,KAAK;gBACP,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,yCAAyC,CAAC,CAAC,CAAC,+BAA+B;;;;;WAK7G,IAAI,CAAC,IAAI;qBACC,IAAI,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO;4BACrC,IAAI,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO;;;;;;;;;;;;;SAa/D,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,QAAQ;;;;;;;;;;;;;;;;;;;cAmB7B,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,2CAA2C,CAAC,CAAC,CAAC,iCAAiC;;;;;;;;;;;;;;;;;;;;;;;;;CAyBzH,CAAC;AAEF,SAAS,sBAAsB,CAAC,IAAY;IAC1C,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,OAAO;YACL,SAAS,EAAE,4BAA4B;YACvC,UAAU,EAAE,wCAAwC;YACpD,SAAS,EAAE,yCAAyC;YACpD,QAAQ,EAAE,uCAAuC;YACjD,MAAM,EAAE,gCAAgC;SACzC,CAAC;IACJ,CAAC;IACD,OAAO;QACL,SAAS,EAAE,kBAAkB;QAC7B,UAAU,EAAE,8BAA8B;QAC1C,SAAS,EAAE,+BAA+B;QAC1C,QAAQ,EAAE,6BAA6B;QACvC,MAAM,EAAE,sBAAsB;KAC/B,CAAC;AACJ,CAAC;AAYD,SAAS,MAAM,CAAC,QAAgB,EAAE,YAAqB;IACrD,MAAM,EAAE,GAAG,kBAAQ,CAAC,eAAe,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACtF,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE;QAC3B,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,CAAC,KAAK,YAAY,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QACtD,EAAE,CAAC,QAAQ,CAAC,GAAG,QAAQ,GAAG,IAAI,IAAI,EAAE,MAAM,CAAC,EAAE;YAC3C,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,YAAY,IAAI,EAAE,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ;IACf,IAAI,CAAC;QACH,OAAO,YAAE,CAAC,QAAQ,EAAE,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB;IAC3B,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IACjC,OAAO,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,WAAmB,EACnB,KAAa,EACb,eAAuB;IAEvB,MAAM,MAAM,GAAG,MAAM,IAAA,2BAAa,EAChC;QACE,QAAQ,EAAE,WAAW;QACrB,SAAS,EAAE,KAAK;KACjB,EACD;QACE,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE;YACP,2BAA2B,EAAE,eAAe;SAC7C;QACD,IAAI,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,QAAQ,EAAE,EAAE,EAAE;KAC9D,CACF,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,CAAC,MAId,CAAC;IAET,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,IAAI,wBAAwB,MAAM,CAAC,UAAU,GAAG,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,MAAM,EAAE,OAAO,IAAI,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;QAC1C,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;IAC3B,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,IAAI,qBAAqB,CAAC,CAAC;AACnE,CAAC;AAEM,KAAK,UAAU,QAAQ,CAAC,OAAqB;IAClD,MAAM,QAAQ,GAAG,YAAE,CAAC,QAAQ,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC,UAAU,CAAC;IAE1D,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,8BAA8B,UAAU,EAAE,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,WAAW,GAAG,CAAC,OAAO,CAAC,WAAW,IAAI,MAAM,MAAM,CACtD,oBAAoB,EACpB,oBAAoB,CACrB,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAEvB,MAAM,KAAK,GAAG,CAAC,OAAO,CAAC,KAAK,IAAI,MAAM,MAAM,CAC1C,4BAA4B,EAC5B,EAAE,CACH,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,MAAM,MAAM,CACxC,qDAAqD,EACrD,SAAS,CACV,CAAC,CAAC;IAEH,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAEhC,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QACtC,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;YAC5B,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,oBAAoB,CAAC,WAAW,EAAE,KAAK,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;YAChF,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;gBAC5B,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,4BAA6B,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;YAClE,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;YACzE,KAAK,GAAG,oBAAoB,EAAE,CAAC;QACjC,CAAC;IACH,CAAC;SAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QAClB,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,MAAM,CACzB,2FAA2F,EAC3F,EAAE,CACH,CAAC;YACF,KAAK,GAAG,MAAM,IAAI,oBAAoB,EAAE,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,KAAK,GAAG,oBAAoB,EAAE,CAAC;QACjC,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,QAAQ,EAAE,SAAS,CAAC;IAEtC,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,SAAS,GAAG,cAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC3C,MAAM,aAAa,GAAG;QACpB,SAAS;QACT,KAAK,CAAC,QAAQ;QACd,KAAK,CAAC,MAAM;QACZ,cAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC;KAC9B,CAAC;IAEF,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;QAChC,IAAI,CAAC;YAAC,YAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;IAC7E,CAAC;IAED,MAAM,aAAa,GAAG,eAAe,CAAC;QACpC,MAAM;QACN,WAAW;QACX,KAAK;QACL,KAAK;QACL,IAAI;QACJ,QAAQ;KACT,CAAC,CAAC;IAEH,YAAE,CAAC,aAAa,CAAC,UAAU,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,eAAe,UAAU,EAAE,CAAC,CAAC;IAEzC,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,YAAE,CAAC,aAAa,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACjD,YAAE,CAAC,SAAS,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;YACrC,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,CAAC,SAAS,eAAe,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,gCAAgC,UAAU,EAAE,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC;AACpD,CAAC;AAEM,KAAK,UAAU,sBAAsB,CAAC,OAA+B;IAC1E,MAAM,QAAQ,CAAC;QACb,WAAW,EAAE,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,cAAc,CAAC,IAAI,oBAAoB;QAC3E,KAAK,EAAE,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE;QAC7C,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,EAAE;QAC1B,eAAe,EAAE,OAAO,CAAC,kBAAkB,CAAC,IAAI,OAAO,CAAC,MAAM,IAAI,EAAE;QACpE,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,SAAS;QAC/B,UAAU,EAAE,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,aAAa,CAAC;QACpD,cAAc,EAAE,IAAI;KACrB,CAAC,CAAC;AACL,CAAC"}
|