@rlemaigre/sbx 0.1.0

package/dist/commands/init.js

@@ -0,0 +1,21 @@
+"use strict";
+/**
+ * Init command — copy template config to user config directory.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initCommand = void 0;
+const commander_1 = require("commander");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const paths_1 = require("../lib/paths");
+exports.initCommand = new commander_1.Command("init")
+    .description("Generate a config file at ~/.config/sbx/<name>.yaml")
+    .argument("<name>", "shim name (e.g. pi)")
+    .action((name) => {
+    const target = (0, node_path_1.join)(paths_1.CONFIG_DIR, `${name}.yaml`);
+    (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(target), { recursive: true });
+    (0, node_fs_1.copyFileSync)((0, node_path_1.resolve)(__dirname, "../template.yaml"), target);
+    console.log(`Created ${target}`);
+    console.log(`Edit it, then run: sbx deploy ${name}`);
+});
+//# sourceMappingURL=init.js.map

package/dist/commands/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":";AAAA;;GAEG;;;AAEH,yCAAoC;AACpC,qCAAkD;AAClD,yCAAmD;AACnD,wCAA0C;AAE7B,QAAA,WAAW,GAAG,IAAI,mBAAO,CAAC,MAAM,CAAC;KAC3C,WAAW,CAAC,qDAAqD,CAAC;KAClE,QAAQ,CAAC,QAAQ,EAAE,qBAAqB,CAAC;KACzC,MAAM,CAAC,CAAC,IAAY,EAAE,EAAE;IACvB,MAAM,MAAM,GAAG,IAAA,gBAAI,EAAC,kBAAU,EAAE,GAAG,IAAI,OAAO,CAAC,CAAC;IAChD,IAAA,mBAAS,EAAC,IAAA,mBAAO,EAAC,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,IAAA,sBAAY,EAAC,IAAA,mBAAO,EAAC,SAAS,EAAE,kBAAkB,CAAC,EAAE,MAAM,CAAC,CAAC;IAC7D,OAAO,CAAC,GAAG,CAAC,WAAW,MAAM,EAAE,CAAC,CAAC;IACjC,OAAO,CAAC,GAAG,CAAC,iCAAiC,IAAI,EAAE,CAAC,CAAC;AACvD,CAAC,CAAC,CAAC"}

package/dist/commands/run.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Run command — execute agent inside sandboxed VM.
+ *
+ * Invoked by shim scripts. Delegates to the API:
+ *   loadConfig → createSandbox → exec + TTY forwarding → shutdown
+ */
+import { Command } from "commander";
+export declare const runCommand: Command;
+//# sourceMappingURL=run.d.ts.map

package/dist/commands/run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/commands/run.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQpC,eAAO,MAAM,UAAU,SAiCnB,CAAC"}

package/dist/commands/run.js

@@ -0,0 +1,49 @@
+"use strict";
+/**
+ * Run command — execute agent inside sandboxed VM.
+ *
+ * Invoked by shim scripts. Delegates to the API:
+ *   loadConfig → createSandbox → exec + TTY forwarding → shutdown
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runCommand = void 0;
+const commander_1 = require("commander");
+const node_path_1 = require("node:path");
+const paths_1 = require("../lib/paths");
+const tiny_invariant_1 = __importDefault(require("tiny-invariant"));
+const config_1 = require("../lib/config");
+const api_1 = require("../api");
+exports.runCommand = new commander_1.Command("run")
+    .description("Execute agent inside sandboxed VM (internal — invoked by shims)")
+    .argument("[args...]", "arguments to pass to the agent command")
+    .option("--shim-name <name>", "shim name (resolves config)")
+    .allowUnknownOption(true)
+    .action(async (args, opts) => {
+    const shimName = opts.shimName;
+    (0, tiny_invariant_1.default)(shimName, "Missing --shim-name");
+    const config = (0, config_1.loadConfig)((0, node_path_1.join)(paths_1.CONFIG_DIR, `${shimName}.yaml`));
+    (0, tiny_invariant_1.default)(config.cmd, `Config for ${shimName} must specify cmd`);
+    const sandbox = await (0, api_1.createSandbox)({
+        config,
+        cacheDir: (0, node_path_1.join)(paths_1.CACHE_DIR, shimName),
+    });
+    const cmd = args.length > 0 ? `${config.cmd} ${args.join(" ")}` : config.cmd;
+    try {
+        const proc = await sandbox.exec(cmd, {
+            pty: true,
+            stdin: true,
+            stdout: "pipe",
+            stderr: "pipe",
+        });
+        proc.attach(process.stdin, process.stdout, process.stderr);
+        const result = await proc.exit;
+        process.exit(result.exitCode);
+    }
+    finally {
+        await sandbox.shutdown();
+    }
+});
+//# sourceMappingURL=run.js.map

package/dist/commands/run.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../../src/commands/run.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;AAEH,yCAAoC;AACpC,yCAAiC;AACjC,wCAAqD;AACrD,oEAAuC;AAEvC,0CAA2C;AAC3C,gCAAuC;AAE1B,QAAA,UAAU,GAAG,IAAI,mBAAO,CAAC,KAAK,CAAC;KACzC,WAAW,CAAC,iEAAiE,CAAC;KAC9E,QAAQ,CAAC,WAAW,EAAE,wCAAwC,CAAC;KAC/D,MAAM,CAAC,oBAAoB,EAAE,6BAA6B,CAAC;KAC3D,kBAAkB,CAAC,IAAI,CAAC;KACxB,MAAM,CAAC,KAAK,EAAE,IAAc,EAAE,IAAI,EAAE,EAAE;IACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAkB,CAAC;IACzC,IAAA,wBAAS,EAAC,QAAQ,EAAE,qBAAqB,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,IAAA,mBAAU,EAAC,IAAA,gBAAI,EAAC,kBAAU,EAAE,GAAG,QAAQ,OAAO,CAAC,CAAC,CAAC;IAChE,IAAA,wBAAS,EAAC,MAAM,CAAC,GAAG,EAAE,cAAc,QAAQ,mBAAmB,CAAC,CAAC;IAEjE,MAAM,OAAO,GAAG,MAAM,IAAA,mBAAa,EAAC;QAClC,MAAM;QACN,QAAQ,EAAE,IAAA,gBAAI,EAAC,iBAAS,EAAE,QAAQ,CAAC;KACpC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;IAE7E,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE;YACnC,GAAG,EAAE,IAAI;YACT,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC;QAC/B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;YAAS,CAAC;QACT,MAAM,OAAO,CAAC,QAAQ,EAAE,CAAC;IAC3B,CAAC;AACH,CAAC,CAAC,CAAC"}

package/dist/commands/undeploy.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Undeploy command — remove shim scripts.
+ */
+import { Command } from "commander";
+export declare const undeployCommand: Command;
+//# sourceMappingURL=undeploy.d.ts.map

package/dist/commands/undeploy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"undeploy.d.ts","sourceRoot":"","sources":["../../src/commands/undeploy.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAKpC,eAAO,MAAM,eAAe,SAiBxB,CAAC"}

package/dist/commands/undeploy.js

@@ -0,0 +1,28 @@
+"use strict";
+/**
+ * Undeploy command — remove shim scripts.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.undeployCommand = void 0;
+const commander_1 = require("commander");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const paths_1 = require("../lib/paths");
+exports.undeployCommand = new commander_1.Command("undeploy")
+    .description("Remove shim scripts")
+    .argument("<names...>", "shim names to remove")
+    .action((names) => {
+    for (const name of names) {
+        const shimPath = process.platform === "win32"
+            ? (0, node_path_1.join)(paths_1.SHIM_DIR, `${name}.cmd`)
+            : (0, node_path_1.join)(paths_1.SHIM_DIR, name);
+        if ((0, node_fs_1.existsSync)(shimPath)) {
+            (0, node_fs_1.unlinkSync)(shimPath);
+            console.log(`Removed ${shimPath}`);
+        }
+        else {
+            console.error(`Shim not found: ${shimPath}`);
+        }
+    }
+});
+//# sourceMappingURL=undeploy.js.map

package/dist/commands/undeploy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"undeploy.js","sourceRoot":"","sources":["../../src/commands/undeploy.ts"],"names":[],"mappings":";AAAA;;GAEG;;;AAEH,yCAAoC;AACpC,qCAAiD;AACjD,yCAAiC;AACjC,wCAAwC;AAE3B,QAAA,eAAe,GAAG,IAAI,mBAAO,CAAC,UAAU,CAAC;KACnD,WAAW,CAAC,qBAAqB,CAAC;KAClC,QAAQ,CAAC,YAAY,EAAE,sBAAsB,CAAC;KAC9C,MAAM,CAAC,CAAC,KAAe,EAAE,EAAE;IAC1B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GACZ,OAAO,CAAC,QAAQ,KAAK,OAAO;YAC1B,CAAC,CAAC,IAAA,gBAAI,EAAC,gBAAQ,EAAE,GAAG,IAAI,MAAM,CAAC;YAC/B,CAAC,CAAC,IAAA,gBAAI,EAAC,gBAAQ,EAAE,IAAI,CAAC,CAAC;QAE3B,IAAI,IAAA,oBAAU,EAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,IAAA,oBAAU,EAAC,QAAQ,CAAC,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,WAAW,QAAQ,EAAE,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,mBAAmB,QAAQ,EAAE,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,99 @@
+/**
+ * Configuration interfaces, loading, and builder methods.
+ *
+ * `SandboxConfig` wraps the YAML config datastructure (SPECS §3.1)
+ * and provides methods to build Gondolin VFS mounts and HTTP hooks.
+ */
+import type { HttpHooks, VirtualProvider } from "@earendil-works/gondolin";
+/**
+ * Outbound network policy.
+ */
+export interface INetworkPolicy {
+    allowedHosts?: string[];
+    allowedInternalHosts?: string[];
+}
+/**
+ * Host filesystem mount.
+ */
+export interface IMount {
+    hostPath: string;
+    guestPath: string;
+    readOnly?: boolean;
+    shadow?: string[];
+}
+/**
+ * Secret injection configuration.
+ */
+export interface ISecretConfig {
+    hosts: string[];
+}
+/**
+ * Sandbox configuration — wraps the YAML config datastructure (SPECS §3.1)
+ * and provides methods to build Gondolin VFS mounts and HTTP hooks.
+ */
+export declare class SandboxConfig {
+    readonly cmd?: string;
+    readonly setup?: string[];
+    readonly network?: INetworkPolicy;
+    readonly mounts?: IMount[];
+    readonly shadow?: string[];
+    readonly env?: Record<string, string>;
+    readonly secrets?: Record<string, ISecretConfig>;
+    /**
+     * Create a SandboxConfig from a plain object.
+     */
+    static from(data: Record<string, unknown>): SandboxConfig;
+    /**
+     * Load a sandbox configuration from a YAML file.
+     */
+    static load(path: string): SandboxConfig;
+    private constructor();
+    /**
+     * Build VFS providers from config mounts and shadow rules.
+     * Mount chain: RealFS → Readonly (if readOnly) → Shadow (if shadow paths).
+     */
+    buildVFSProviders(): Record<string, VirtualProvider>;
+    /**
+     * Build HTTP hooks and secret env vars from config.
+     * Secrets are read from the host environment at runtime.
+     */
+    buildHttpHooks(): {
+        httpHooks: HttpHooks;
+        env: Record<string, string>;
+    };
+    /**
+     * Build VFS providers from a plain config object.
+     * @deprecated Use instance `config.buildVFSProviders()` instead.
+     */
+    static buildVFSProviders(config: Record<string, unknown>): Record<string, VirtualProvider>;
+    /**
+     * Build HTTP hooks from a plain config object.
+     * @deprecated Use instance `config.buildHttpHooks()` instead.
+     */
+    static buildHttpHooks(config: Record<string, unknown>): {
+        httpHooks: HttpHooks;
+        env: Record<string, string>;
+    };
+    /**
+     * Assert that each mount has required hostPath and guestPath.
+     */
+    private static validateMounts;
+    /**
+     * Check if a guest path matches any shadow pattern (glob or prefix).
+     */
+    private static matchesShadow;
+    /**
+     * Build the RealFS → Readonly → Shadow provider chain for a single mount.
+     */
+    private static buildMountChain;
+}
+/**
+ * Expand ~ prefix to HOME directory path.
+ */
+export declare function expandTilde(path: string): string;
+/**
+ * Load a sandbox configuration from a YAML file.
+ * @deprecated Use `SandboxConfig.load(path)` instead.
+ */
+export declare function loadConfig(path: string): SandboxConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,OAAO,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAO3E;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAID;;;GAGG;AACH,qBAAa,aAAa;IACxB,SAAgB,GAAG,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAgB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,SAAgB,OAAO,CAAC,EAAE,cAAc,CAAC;IACzC,SAAgB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,SAAgB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClC,SAAgB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7C,SAAgB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAExD;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,aAAa;IAIzD;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa;IASxC,OAAO;IAUP;;;OAGG;IACH,iBAAiB,IAAI,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC;IAWpD;;;OAGG;IACH,cAAc,IAAI;QAAE,SAAS,EAAE,SAAS,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE;IAoBvE;;;OAGG;IACH,MAAM,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC;IAI1F;;;OAGG;IACH,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;QAAE,SAAS,EAAE,SAAS,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE;IAM7G;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,cAAc;IAO7B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,aAAa;IAU5B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,eAAe;CAqB/B;AAID;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAKhD;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,CAEtD"}

package/dist/config.js

@@ -0,0 +1,165 @@
+"use strict";
+/**
+ * Configuration interfaces, loading, and builder methods.
+ *
+ * `SandboxConfig` wraps the YAML config datastructure (SPECS §3.1)
+ * and provides methods to build Gondolin VFS mounts and HTTP hooks.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SandboxConfig = void 0;
+exports.expandTilde = expandTilde;
+exports.loadConfig = loadConfig;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const js_yaml_1 = require("js-yaml");
+const minimatch_1 = require("minimatch");
+const tiny_invariant_1 = __importDefault(require("tiny-invariant"));
+const gondolin_1 = require("@earendil-works/gondolin");
+const gondolin_2 = require("@earendil-works/gondolin");
+// ─── SandboxConfig class ─────────────────────────────────────────────────────
+/**
+ * Sandbox configuration — wraps the YAML config datastructure (SPECS §3.1)
+ * and provides methods to build Gondolin VFS mounts and HTTP hooks.
+ */
+class SandboxConfig {
+    cmd;
+    setup;
+    network;
+    mounts;
+    shadow;
+    env;
+    secrets;
+    /**
+     * Create a SandboxConfig from a plain object.
+     */
+    static from(data) {
+        return new SandboxConfig(data);
+    }
+    /**
+     * Load a sandbox configuration from a YAML file.
+     */
+    static load(path) {
+        const resolved = expandTilde(path);
+        const raw = (0, js_yaml_1.load)((0, node_fs_1.readFileSync)(resolved, "utf-8"));
+        (0, tiny_invariant_1.default)(typeof raw === "object" && raw !== null, "Config must be a YAML mapping");
+        const config = new SandboxConfig(raw);
+        SandboxConfig.validateMounts(config.mounts);
+        return config;
+    }
+    constructor(data) {
+        this.cmd = data.cmd;
+        this.setup = data.setup;
+        this.network = data.network;
+        this.mounts = data.mounts;
+        this.shadow = data.shadow;
+        this.env = data.env;
+        this.secrets = data.secrets;
+    }
+    /**
+     * Build VFS providers from config mounts and shadow rules.
+     * Mount chain: RealFS → Readonly (if readOnly) → Shadow (if shadow paths).
+     */
+    buildVFSProviders() {
+        const mounts = {};
+        const globalShadow = this.shadow ?? [];
+        for (const mount of this.mounts ?? []) {
+            mounts[mount.guestPath] = SandboxConfig.buildMountChain(mount, globalShadow);
+        }
+        return mounts;
+    }
+    /**
+     * Build HTTP hooks and secret env vars from config.
+     * Secrets are read from the host environment at runtime.
+     */
+    buildHttpHooks() {
+        const secrets = {};
+        for (const [name, secret] of Object.entries(this.secrets ?? {})) {
+            secrets[name] = {
+                hosts: secret.hosts,
+                value: process.env[name] ?? "",
+            };
+        }
+        return (0, gondolin_1.createHttpHooks)({
+            allowedHosts: this.network?.allowedHosts ?? [],
+            allowedInternalHosts: this.network?.allowedInternalHosts ?? [],
+            blockInternalRanges: true,
+            secrets,
+        });
+    }
+    // ─── Static methods (backward compatibility) ───────────────────────────────
+    /**
+     * Build VFS providers from a plain config object.
+     * @deprecated Use instance `config.buildVFSProviders()` instead.
+     */
+    static buildVFSProviders(config) {
+        return new SandboxConfig(config).buildVFSProviders();
+    }
+    /**
+     * Build HTTP hooks from a plain config object.
+     * @deprecated Use instance `config.buildHttpHooks()` instead.
+     */
+    static buildHttpHooks(config) {
+        return new SandboxConfig(config).buildHttpHooks();
+    }
+    // ─── Private static helpers ────────────────────────────────────────────────
+    /**
+     * Assert that each mount has required hostPath and guestPath.
+     */
+    static validateMounts(mounts = []) {
+        for (const mount of mounts) {
+            (0, tiny_invariant_1.default)(mount.hostPath, "Mount must have hostPath");
+            (0, tiny_invariant_1.default)(mount.guestPath, "Mount must have guestPath");
+        }
+    }
+    /**
+     * Check if a guest path matches any shadow pattern (glob or prefix).
+     */
+    static matchesShadow(shadowPaths, path) {
+        return shadowPaths.some((p) => {
+            if (p.endsWith("/")) {
+                const dir = `/${p.slice(0, -1)}`;
+                return path === dir || path.startsWith(`${dir}/`);
+            }
+            return (0, minimatch_1.minimatch)(path, `/${p}`, { dot: true });
+        });
+    }
+    /**
+     * Build the RealFS → Readonly → Shadow provider chain for a single mount.
+     */
+    static buildMountChain(mount, globalShadow) {
+        let provider = new gondolin_2.RealFSProvider(expandTilde(mount.hostPath));
+        if (mount.readOnly) {
+            provider = new gondolin_2.ReadonlyProvider(provider);
+        }
+        const shadowPaths = [...globalShadow, ...(mount.shadow ?? [])];
+        if (shadowPaths.length > 0) {
+            provider = new gondolin_2.ShadowProvider(provider, {
+                shouldShadow: (info) => SandboxConfig.matchesShadow(shadowPaths, info.path),
+            });
+        }
+        return provider;
+    }
+}
+exports.SandboxConfig = SandboxConfig;
+// ─── Standalone helpers ──────────────────────────────────────────────────────
+/**
+ * Expand ~ prefix to HOME directory path.
+ */
+function expandTilde(path) {
+    if (!path.startsWith("~"))
+        return path;
+    const home = process.env.HOME;
+    (0, tiny_invariant_1.default)(home, "HOME environment variable not set");
+    return (0, node_path_1.resolve)(home, path.slice(2));
+}
+/**
+ * Load a sandbox configuration from a YAML file.
+ * @deprecated Use `SandboxConfig.load(path)` instead.
+ */
+function loadConfig(path) {
+    return SandboxConfig.load(path);
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;AAmMH,kCAKC;AAMD,gCAEC;AA9MD,qCAAuC;AACvC,yCAAoC;AACpC,qCAA+B;AAC/B,yCAAsC;AACtC,oEAAuC;AACvC,uDAA2D;AAE3D,uDAIkC;AA2BlC,gFAAgF;AAEhF;;;GAGG;AACH,MAAa,aAAa;IACR,GAAG,CAAU;IACb,KAAK,CAAY;IACjB,OAAO,CAAkB;IACzB,MAAM,CAAY;IAClB,MAAM,CAAY;IAClB,GAAG,CAA0B;IAC7B,OAAO,CAAiC;IAExD;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,IAA6B;QACvC,OAAO,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,IAAY;QACtB,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,GAAG,GAAG,IAAA,cAAI,EAAC,IAAA,sBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAY,CAAC;QAC7D,IAAA,wBAAS,EAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,+BAA+B,CAAC,CAAC;QACpF,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,GAA8B,CAAC,CAAC;QACjE,aAAa,CAAC,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5C,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,YAAoB,IAA6B;QAC/C,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAyB,CAAC;QAC1C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAA6B,CAAC;QAChD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAqC,CAAC;QAC1D,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAA8B,CAAC;QAClD,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAA8B,CAAC;QAClD,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAyC,CAAC;QAC1D,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAoD,CAAC;IAC3E,CAAC;IAED;;;OAGG;IACH,iBAAiB;QACf,MAAM,MAAM,GAAoC,EAAE,CAAC;QACnD,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;QAEvC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YACtC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,aAAa,CAAC,eAAe,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;QAC/E,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACH,cAAc;QACZ,MAAM,OAAO,GAAuD,EAAE,CAAC;QAEvE,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,CAAC;YAChE,OAAO,CAAC,IAAI,CAAC,GAAG;gBACd,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;aAC/B,CAAC;QACJ,CAAC;QAED,OAAO,IAAA,0BAAe,EAAC;YACrB,YAAY,EAAE,IAAI,CAAC,OAAO,EAAE,YAAY,IAAI,EAAE;YAC9C,oBAAoB,EAAE,IAAI,CAAC,OAAO,EAAE,oBAAoB,IAAI,EAAE;YAC9D,mBAAmB,EAAE,IAAI;YACzB,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,8EAA8E;IAE9E;;;OAGG;IACH,MAAM,CAAC,iBAAiB,CAAC,MAA+B;QACtD,OAAO,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC,iBAAiB,EAAE,CAAC;IACvD,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,cAAc,CAAC,MAA+B;QACnD,OAAO,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC,cAAc,EAAE,CAAC;IACpD,CAAC;IAED,8EAA8E;IAE9E;;OAEG;IACK,MAAM,CAAC,cAAc,CAAC,SAAmB,EAAE;QACjD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAA,wBAAS,EAAC,KAAK,CAAC,QAAQ,EAAE,0BAA0B,CAAC,CAAC;YACtD,IAAA,wBAAS,EAAC,KAAK,CAAC,SAAS,EAAE,2BAA2B,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,aAAa,CAAC,WAAqB,EAAE,IAAY;QAC9D,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YAC5B,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACpB,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjC,OAAO,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;YACpD,CAAC;YACD,OAAO,IAAA,qBAAS,EAAC,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,eAAe,CAC5B,KAAa,EACb,YAAsB;QAEtB,IAAI,QAAQ,GAAoB,IAAI,yBAAc,CAChD,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,CAC5B,CAAC;QAEF,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,QAAQ,GAAG,IAAI,2BAAgB,CAAC,QAAQ,CAAC,CAAC;QAC5C,CAAC;QAED,MAAM,WAAW,GAAG,CAAC,GAAG,YAAY,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;QAC/D,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,QAAQ,GAAG,IAAI,yBAAc,CAAC,QAAQ,EAAE;gBACtC,YAAY,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC;aAC5E,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AA9ID,sCA8IC;AAED,gFAAgF;AAEhF;;GAEG;AACH,SAAgB,WAAW,CAAC,IAAY;IACtC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;IAC9B,IAAA,wBAAS,EAAC,IAAI,EAAE,mCAAmC,CAAC,CAAC;IACrD,OAAO,IAAA,mBAAO,EAAC,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,SAAgB,UAAU,CAAC,IAAY;IACrC,OAAO,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC"}

package/dist/lib/config.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Configuration interfaces and YAML loading/saving.
+ *
+ * Mirrors the YAML config keys (SPECS §3.1).
+ */
+/**
+ * Outbound network policy.
+ */
+export interface INetworkPolicy {
+    allowedHosts?: string[];
+    allowedInternalHosts?: string[];
+    blockInternalRanges?: boolean;
+    dnsMode?: "synthetic" | "trusted" | "open";
+}
+/**
+ * Host filesystem mount.
+ */
+export interface IMount {
+    hostPath: string;
+    guestPath: string;
+    readOnly?: boolean;
+    shadow?: string[];
+}
+/**
+ * Secret injection configuration.
+ */
+export interface ISecretConfig {
+    hosts: string[];
+}
+/**
+ * Sandbox configuration — mirrors the YAML config keys (SPECS §3.1).
+ */
+export interface ISandboxConfig {
+    cmd?: string;
+    packages?: string[];
+    network?: INetworkPolicy;
+    mounts?: IMount[];
+    shadow?: string[];
+    env?: Record<string, string>;
+    secrets?: Record<string, ISecretConfig>;
+}
+/**
+ * Load a sandbox configuration from a YAML file.
+ * Same syntax as the Coding Assistants config files.
+ */
+export declare function loadConfig(path: string): ISandboxConfig;
+/**
+ * Save a sandbox configuration to a YAML file.
+ */
+export declare function saveConfig(path: string, config: ISandboxConfig): void;
+//# sourceMappingURL=config.d.ts.map

package/dist/lib/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAUH;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,OAAO,CAAC,EAAE,WAAW,GAAG,SAAS,GAAG,MAAM,CAAC;CAC5C;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,CAAC,EAAE,cAAc,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;CACzC;AAYD;;;GAGG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc,CAOvD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,GAAG,IAAI,CAGrE"}

package/dist/lib/config.js

@@ -0,0 +1,47 @@
+"use strict";
+/**
+ * Configuration interfaces and YAML loading/saving.
+ *
+ * Mirrors the YAML config keys (SPECS §3.1).
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadConfig = loadConfig;
+exports.saveConfig = saveConfig;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const ajv_1 = __importDefault(require("ajv"));
+const js_yaml_1 = require("js-yaml");
+const tiny_invariant_1 = __importDefault(require("tiny-invariant"));
+const config_json_1 = __importDefault(require("../../schema/config.json"));
+const ajv = new ajv_1.default({ strict: false });
+const validate = ajv.compile(config_json_1.default);
+function expandTilde(path) {
+    if (!path.startsWith("~"))
+        return path;
+    const home = process.env.HOME;
+    (0, tiny_invariant_1.default)(home, "HOME environment variable not set");
+    return (0, node_path_1.resolve)(home, path.slice(1));
+}
+/**
+ * Load a sandbox configuration from a YAML file.
+ * Same syntax as the Coding Assistants config files.
+ */
+function loadConfig(path) {
+    const resolved = expandTilde(path);
+    const raw = (0, js_yaml_1.load)((0, node_fs_1.readFileSync)(resolved, "utf-8"));
+    if (!validate(raw)) {
+        throw new Error(`Config validation failed: ${JSON.stringify(validate.errors)}`);
+    }
+    return raw;
+}
+/**
+ * Save a sandbox configuration to a YAML file.
+ */
+function saveConfig(path, config) {
+    const resolved = expandTilde(path);
+    (0, node_fs_1.writeFileSync)(resolved, (0, js_yaml_1.dump)(config, { lineWidth: -1 }));
+}
+//# sourceMappingURL=config.js.map

package/dist/lib/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;AAgEH,gCAOC;AAKD,gCAGC;AA7ED,qCAAsD;AACtD,yCAA0C;AAC1C,8CAAsB;AACtB,qCAAqC;AACrC,oEAAuC;AAEvC,2EAA8C;AA0C9C,MAAM,GAAG,GAAG,IAAI,aAAG,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;AACvC,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,qBAAM,CAAC,CAAC;AAErC,SAAS,WAAW,CAAC,IAAY;IAC/B,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;IAC9B,IAAA,wBAAS,EAAC,IAAI,EAAE,mCAAmC,CAAC,CAAC;IACrD,OAAO,IAAA,mBAAO,EAAC,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,SAAgB,UAAU,CAAC,IAAY;IACrC,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,IAAA,cAAI,EAAC,IAAA,sBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAY,CAAC;IAC7D,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;IACD,OAAO,GAAqB,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,SAAgB,UAAU,CAAC,IAAY,EAAE,MAAsB;IAC7D,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IACnC,IAAA,uBAAa,EAAC,QAAQ,EAAE,IAAA,cAAI,EAAC,MAAM,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/lib/network.d.ts

@@ -0,0 +1,18 @@
+/**
+ * HTTP hooks building from config network policy and secrets.
+ *
+ * Maps YAML network + secrets to Gondolin's createHttpHooks.
+ */
+import type { HttpHooks } from "@earendil-works/gondolin";
+import { ISandboxConfig } from "./config";
+/**
+ * Build HTTP hooks and secret env vars from config.
+ *
+ * Secrets are read from the host environment at runtime.
+ * Returns { httpHooks, env } — the env maps secret names to placeholder values.
+ */
+export declare function buildHttpHooks(config: ISandboxConfig): {
+    httpHooks: HttpHooks;
+    env: Record<string, string>;
+};
+//# sourceMappingURL=network.d.ts.map

package/dist/lib/network.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"network.d.ts","sourceRoot":"","sources":["../../src/lib/network.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAE1D,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE1C;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,cAAc,GAAG;IACtD,SAAS,EAAE,SAAS,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC7B,CAmBA"}

package/dist/lib/network.js

@@ -0,0 +1,31 @@
+"use strict";
+/**
+ * HTTP hooks building from config network policy and secrets.
+ *
+ * Maps YAML network + secrets to Gondolin's createHttpHooks.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildHttpHooks = buildHttpHooks;
+const gondolin_1 = require("@earendil-works/gondolin");
+/**
+ * Build HTTP hooks and secret env vars from config.
+ *
+ * Secrets are read from the host environment at runtime.
+ * Returns { httpHooks, env } — the env maps secret names to placeholder values.
+ */
+function buildHttpHooks(config) {
+    const secrets = {};
+    for (const [name, secret] of Object.entries(config.secrets ?? {})) {
+        secrets[name] = {
+            hosts: secret.hosts,
+            value: process.env[name] ?? "",
+        };
+    }
+    return (0, gondolin_1.createHttpHooks)({
+        allowedHosts: config.network?.allowedHosts ?? [],
+        allowedInternalHosts: config.network?.allowedInternalHosts ?? [],
+        blockInternalRanges: config.network?.blockInternalRanges ?? true,
+        secrets,
+    });
+}
+//# sourceMappingURL=network.js.map

package/dist/lib/network.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"network.js","sourceRoot":"","sources":["../../src/lib/network.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;AAaH,wCAsBC;AAjCD,uDAA2D;AAK3D;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,MAAsB;IAInD,MAAM,OAAO,GAGT,EAAE,CAAC;IAEP,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,CAAC;QAClE,OAAO,CAAC,IAAI,CAAC,GAAG;YACd,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE;SAC/B,CAAC;IACJ,CAAC;IAED,OAAO,IAAA,0BAAe,EAAC;QACrB,YAAY,EAAE,MAAM,CAAC,OAAO,EAAE,YAAY,IAAI,EAAE;QAChD,oBAAoB,EAAE,MAAM,CAAC,OAAO,EAAE,oBAAoB,IAAI,EAAE;QAChE,mBAAmB,EAAE,MAAM,CAAC,OAAO,EAAE,mBAAmB,IAAI,IAAI;QAChE,OAAO;KACR,CAAC,CAAC;AACL,CAAC"}

package/dist/lib/paths.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Platform-aware path constants.
+ *
+ * Resolves config, shim, and cache directories per SPECS §3.2.
+ */
+/** Config directory: ~/.config/sbx/ */
+export declare const CONFIG_DIR: string;
+/** Shim directory: ~/.local/bin/ (Linux) or mapped WSL path (Windows) */
+export declare const SHIM_DIR: string;
+/** Cache directory: ~/.cache/sbx/ */
+export declare const CACHE_DIR: string;
+//# sourceMappingURL=paths.d.ts.map

package/dist/lib/paths.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.d.ts","sourceRoot":"","sources":["../../src/lib/paths.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAOH,uCAAuC;AACvC,eAAO,MAAM,UAAU,QAAwC,CAAC;AAEhE,yEAAyE;AACzE,eAAO,MAAM,QAAQ,QAGqB,CAAC;AAE3C,qCAAqC;AACrC,eAAO,MAAM,SAAS,QAAuC,CAAC"}

package/dist/lib/paths.js

@@ -0,0 +1,21 @@
+"use strict";
+/**
+ * Platform-aware path constants.
+ *
+ * Resolves config, shim, and cache directories per SPECS §3.2.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CACHE_DIR = exports.SHIM_DIR = exports.CONFIG_DIR = void 0;
+const node_path_1 = require("node:path");
+const home = process.env.HOME;
+if (!home)
+    throw new Error("HOME environment variable not set");
+/** Config directory: ~/.config/sbx/ */
+exports.CONFIG_DIR = (0, node_path_1.resolve)((0, node_path_1.join)(home, ".config", "sbx"));
+/** Shim directory: ~/.local/bin/ (Linux) or mapped WSL path (Windows) */
+exports.SHIM_DIR = process.platform === "win32"
+    ? (0, node_path_1.resolve)((0, node_path_1.join)(home, "AppData", "Roaming", "bin"))
+    : (0, node_path_1.resolve)((0, node_path_1.join)(home, ".local", "bin"));
+/** Cache directory: ~/.cache/sbx/ */
+exports.CACHE_DIR = (0, node_path_1.resolve)((0, node_path_1.join)(home, ".cache", "sbx"));
+//# sourceMappingURL=paths.js.map

package/dist/lib/paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../../src/lib/paths.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH,yCAA0C;AAE1C,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;AAC9B,IAAI,CAAC,IAAI;IAAE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;AAEhE,uCAAuC;AAC1B,QAAA,UAAU,GAAG,IAAA,mBAAO,EAAC,IAAA,gBAAI,EAAC,IAAI,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;AAEhE,yEAAyE;AAC5D,QAAA,QAAQ,GACnB,OAAO,CAAC,QAAQ,KAAK,OAAO;IAC1B,CAAC,CAAC,IAAA,mBAAO,EAAC,IAAA,gBAAI,EAAC,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;IAClD,CAAC,CAAC,IAAA,mBAAO,EAAC,IAAA,gBAAI,EAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;AAE3C,qCAAqC;AACxB,QAAA,SAAS,GAAG,IAAA,mBAAO,EAAC,IAAA,gBAAI,EAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC"}

package/dist/lib/vfs.d.ts

@@ -0,0 +1,15 @@
+/**
+ * VFS provider building from config mounts and shadow rules.
+ *
+ * Builds the RealFS → Readonly → Shadow mount chain per SPECS §2.1.
+ */
+import type { VirtualProvider } from "@earendil-works/gondolin";
+import { ISandboxConfig } from "./config";
+/**
+ * Build VFS providers from config mounts and shadow rules.
+ *
+ * Mount chain: RealFS → Readonly (if readOnly) → Shadow (if shadow paths).
+ * Global shadow is merged with per-mount shadow.
+ */
+export declare function buildVFSProviders(config: ISandboxConfig): Record<string, VirtualProvider>;
+//# sourceMappingURL=vfs.d.ts.map

package/dist/lib/vfs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vfs.d.ts","sourceRoot":"","sources":["../../src/lib/vfs.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAUH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAEhE,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAS1C;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,cAAc,GACrB,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CA2BjC"}