@rozek/nanoclaw 1.2.17

package/dist/ipc.js

@@ -0,0 +1,311 @@
+import fs from 'fs';
+import path from 'path';
+import { CronExpressionParser } from 'cron-parser';
+import { DATA_DIR, IPC_POLL_INTERVAL, TIMEZONE } from './config.js';
+import { createTask, deleteTask, getTaskById, updateTask } from './db.js';
+import { isValidGroupFolder } from './group-folder.js';
+import { logger } from './logger.js';
+let ipcWatcherRunning = false;
+export function startIpcWatcher(deps) {
+    if (ipcWatcherRunning) {
+        logger.debug('IPC watcher already running, skipping duplicate start');
+        return;
+    }
+    ipcWatcherRunning = true;
+    const ipcBaseDir = path.join(DATA_DIR, 'ipc');
+    fs.mkdirSync(ipcBaseDir, { recursive: true });
+    const processIpcFiles = async () => {
+        // Scan all group IPC directories (identity determined by directory)
+        let groupFolders;
+        try {
+            groupFolders = fs.readdirSync(ipcBaseDir).filter((f) => {
+                const stat = fs.statSync(path.join(ipcBaseDir, f));
+                return stat.isDirectory() && f !== 'errors';
+            });
+        }
+        catch (err) {
+            logger.error({ err }, 'Error reading IPC base directory');
+            setTimeout(processIpcFiles, IPC_POLL_INTERVAL);
+            return;
+        }
+        const registeredGroups = deps.registeredGroups();
+        // Build folder→isMain lookup from registered groups
+        const folderIsMain = new Map();
+        for (const group of Object.values(registeredGroups)) {
+            if (group.isMain)
+                folderIsMain.set(group.folder, true);
+        }
+        for (const sourceGroup of groupFolders) {
+            const isMain = folderIsMain.get(sourceGroup) === true;
+            const messagesDir = path.join(ipcBaseDir, sourceGroup, 'messages');
+            const tasksDir = path.join(ipcBaseDir, sourceGroup, 'tasks');
+            // Process messages from this group's IPC directory
+            try {
+                if (fs.existsSync(messagesDir)) {
+                    const messageFiles = fs
+                        .readdirSync(messagesDir)
+                        .filter((f) => f.endsWith('.json'));
+                    for (const file of messageFiles) {
+                        const filePath = path.join(messagesDir, file);
+                        try {
+                            const data = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+                            if (data.type === 'message' && data.chatJid && data.text) {
+                                // Authorization: verify this group can send to this chatJid
+                                const targetGroup = registeredGroups[data.chatJid];
+                                if (isMain ||
+                                    (targetGroup && targetGroup.folder === sourceGroup)) {
+                                    await deps.sendMessage(data.chatJid, data.text);
+                                    logger.info({ chatJid: data.chatJid, sourceGroup }, 'IPC message sent');
+                                }
+                                else {
+                                    logger.warn({ chatJid: data.chatJid, sourceGroup }, 'Unauthorized IPC message attempt blocked');
+                                }
+                            }
+                            fs.unlinkSync(filePath);
+                        }
+                        catch (err) {
+                            logger.error({ file, sourceGroup, err }, 'Error processing IPC message');
+                            const errorDir = path.join(ipcBaseDir, 'errors');
+                            fs.mkdirSync(errorDir, { recursive: true });
+                            fs.renameSync(filePath, path.join(errorDir, `${sourceGroup}-${file}`));
+                        }
+                    }
+                }
+            }
+            catch (err) {
+                logger.error({ err, sourceGroup }, 'Error reading IPC messages directory');
+            }
+            // Process tasks from this group's IPC directory
+            try {
+                if (fs.existsSync(tasksDir)) {
+                    const taskFiles = fs
+                        .readdirSync(tasksDir)
+                        .filter((f) => f.endsWith('.json'));
+                    for (const file of taskFiles) {
+                        const filePath = path.join(tasksDir, file);
+                        try {
+                            const data = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+                            // Pass source group identity to processTaskIpc for authorization
+                            await processTaskIpc(data, sourceGroup, isMain, deps);
+                            fs.unlinkSync(filePath);
+                        }
+                        catch (err) {
+                            logger.error({ file, sourceGroup, err }, 'Error processing IPC task');
+                            const errorDir = path.join(ipcBaseDir, 'errors');
+                            fs.mkdirSync(errorDir, { recursive: true });
+                            fs.renameSync(filePath, path.join(errorDir, `${sourceGroup}-${file}`));
+                        }
+                    }
+                }
+            }
+            catch (err) {
+                logger.error({ err, sourceGroup }, 'Error reading IPC tasks directory');
+            }
+        }
+        setTimeout(processIpcFiles, IPC_POLL_INTERVAL);
+    };
+    processIpcFiles();
+    logger.info('IPC watcher started (per-group namespaces)');
+}
+export async function processTaskIpc(data, sourceGroup, // Verified identity from IPC directory
+isMain, // Verified from directory path
+deps) {
+    const registeredGroups = deps.registeredGroups();
+    switch (data.type) {
+        case 'schedule_task':
+            if (data.prompt &&
+                data.schedule_type &&
+                data.schedule_value &&
+                data.targetJid) {
+                // Resolve the target group from JID
+                const targetJid = data.targetJid;
+                const targetGroupEntry = registeredGroups[targetJid];
+                if (!targetGroupEntry) {
+                    logger.warn({ targetJid }, 'Cannot schedule task: target group not registered');
+                    break;
+                }
+                const targetFolder = targetGroupEntry.folder;
+                // Authorization: non-main groups can only schedule for themselves
+                if (!isMain && targetFolder !== sourceGroup) {
+                    logger.warn({ sourceGroup, targetFolder }, 'Unauthorized schedule_task attempt blocked');
+                    break;
+                }
+                const scheduleType = data.schedule_type;
+                let nextRun = null;
+                if (scheduleType === 'cron') {
+                    try {
+                        const interval = CronExpressionParser.parse(data.schedule_value, {
+                            tz: TIMEZONE,
+                        });
+                        nextRun = interval.next().toISOString();
+                    }
+                    catch {
+                        logger.warn({ scheduleValue: data.schedule_value }, 'Invalid cron expression');
+                        break;
+                    }
+                }
+                else if (scheduleType === 'interval') {
+                    const ms = parseInt(data.schedule_value, 10);
+                    if (isNaN(ms) || ms <= 0) {
+                        logger.warn({ scheduleValue: data.schedule_value }, 'Invalid interval');
+                        break;
+                    }
+                    nextRun = new Date(Date.now() + ms).toISOString();
+                }
+                else if (scheduleType === 'once') {
+                    const date = new Date(data.schedule_value);
+                    if (isNaN(date.getTime())) {
+                        logger.warn({ scheduleValue: data.schedule_value }, 'Invalid timestamp');
+                        break;
+                    }
+                    nextRun = date.toISOString();
+                }
+                const taskId = data.taskId ||
+                    `task-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+                const contextMode = data.context_mode === 'group' || data.context_mode === 'isolated'
+                    ? data.context_mode
+                    : 'isolated';
+                createTask({
+                    id: taskId,
+                    group_folder: targetFolder,
+                    chat_jid: targetJid,
+                    prompt: data.prompt,
+                    schedule_type: scheduleType,
+                    schedule_value: data.schedule_value,
+                    context_mode: contextMode,
+                    next_run: nextRun,
+                    status: 'active',
+                    created_at: new Date().toISOString(),
+                });
+                logger.info({ taskId, sourceGroup, targetFolder, contextMode }, 'Task created via IPC');
+                deps.onTasksChanged();
+            }
+            break;
+        case 'pause_task':
+            if (data.taskId) {
+                const task = getTaskById(data.taskId);
+                if (task && (isMain || task.group_folder === sourceGroup)) {
+                    updateTask(data.taskId, { status: 'paused' });
+                    logger.info({ taskId: data.taskId, sourceGroup }, 'Task paused via IPC');
+                    deps.onTasksChanged();
+                }
+                else {
+                    logger.warn({ taskId: data.taskId, sourceGroup }, 'Unauthorized task pause attempt');
+                }
+            }
+            break;
+        case 'resume_task':
+            if (data.taskId) {
+                const task = getTaskById(data.taskId);
+                if (task && (isMain || task.group_folder === sourceGroup)) {
+                    updateTask(data.taskId, { status: 'active' });
+                    logger.info({ taskId: data.taskId, sourceGroup }, 'Task resumed via IPC');
+                    deps.onTasksChanged();
+                }
+                else {
+                    logger.warn({ taskId: data.taskId, sourceGroup }, 'Unauthorized task resume attempt');
+                }
+            }
+            break;
+        case 'cancel_task':
+            if (data.taskId) {
+                const task = getTaskById(data.taskId);
+                if (task && (isMain || task.group_folder === sourceGroup)) {
+                    deleteTask(data.taskId);
+                    logger.info({ taskId: data.taskId, sourceGroup }, 'Task cancelled via IPC');
+                    deps.onTasksChanged();
+                }
+                else {
+                    logger.warn({ taskId: data.taskId, sourceGroup }, 'Unauthorized task cancel attempt');
+                }
+            }
+            break;
+        case 'update_task':
+            if (data.taskId) {
+                const task = getTaskById(data.taskId);
+                if (!task) {
+                    logger.warn({ taskId: data.taskId, sourceGroup }, 'Task not found for update');
+                    break;
+                }
+                if (!isMain && task.group_folder !== sourceGroup) {
+                    logger.warn({ taskId: data.taskId, sourceGroup }, 'Unauthorized task update attempt');
+                    break;
+                }
+                const updates = {};
+                if (data.prompt !== undefined)
+                    updates.prompt = data.prompt;
+                if (data.schedule_type !== undefined)
+                    updates.schedule_type = data.schedule_type;
+                if (data.schedule_value !== undefined)
+                    updates.schedule_value = data.schedule_value;
+                // Recompute next_run if schedule changed
+                if (data.schedule_type || data.schedule_value) {
+                    const updatedTask = {
+                        ...task,
+                        ...updates,
+                    };
+                    if (updatedTask.schedule_type === 'cron') {
+                        try {
+                            const interval = CronExpressionParser.parse(updatedTask.schedule_value, { tz: TIMEZONE });
+                            updates.next_run = interval.next().toISOString();
+                        }
+                        catch {
+                            logger.warn({ taskId: data.taskId, value: updatedTask.schedule_value }, 'Invalid cron in task update');
+                            break;
+                        }
+                    }
+                    else if (updatedTask.schedule_type === 'interval') {
+                        const ms = parseInt(updatedTask.schedule_value, 10);
+                        if (!isNaN(ms) && ms > 0) {
+                            updates.next_run = new Date(Date.now() + ms).toISOString();
+                        }
+                    }
+                }
+                updateTask(data.taskId, updates);
+                logger.info({ taskId: data.taskId, sourceGroup, updates }, 'Task updated via IPC');
+                deps.onTasksChanged();
+            }
+            break;
+        case 'refresh_groups':
+            // Only main group can request a refresh
+            if (isMain) {
+                logger.info({ sourceGroup }, 'Group metadata refresh requested via IPC');
+                await deps.syncGroups(true);
+                // Write updated snapshot immediately
+                const availableGroups = deps.getAvailableGroups();
+                deps.writeGroupsSnapshot(sourceGroup, true, availableGroups, new Set(Object.keys(registeredGroups)));
+            }
+            else {
+                logger.warn({ sourceGroup }, 'Unauthorized refresh_groups attempt blocked');
+            }
+            break;
+        case 'register_group':
+            // Only main group can register new groups
+            if (!isMain) {
+                logger.warn({ sourceGroup }, 'Unauthorized register_group attempt blocked');
+                break;
+            }
+            if (data.jid && data.name && data.folder && data.trigger) {
+                if (!isValidGroupFolder(data.folder)) {
+                    logger.warn({ sourceGroup, folder: data.folder }, 'Invalid register_group request - unsafe folder name');
+                    break;
+                }
+                // Defense in depth: agent cannot set isMain via IPC
+                deps.registerGroup(data.jid, {
+                    name: data.name,
+                    folder: data.folder,
+                    trigger: data.trigger,
+                    added_at: new Date().toISOString(),
+                    containerConfig: data.containerConfig,
+                    requiresTrigger: data.requiresTrigger,
+                });
+            }
+            else {
+                logger.warn({ data }, 'Invalid register_group request - missing required fields');
+            }
+            break;
+        default:
+            logger.warn({ type: data.type }, 'Unknown IPC task type');
+    }
+}
+//# sourceMappingURL=ipc.js.map

package/dist/ipc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ipc.js","sourceRoot":"","sources":["../src/ipc.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEnD,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEpE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAkBrC,IAAI,iBAAiB,GAAG,KAAK,CAAC;AAE9B,MAAM,UAAU,eAAe,CAAC,IAAa;IAC3C,IAAI,iBAAiB,EAAE,CAAC;QACtB,MAAM,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QACtE,OAAO;IACT,CAAC;IACD,iBAAiB,GAAG,IAAI,CAAC;IAEzB,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC9C,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE9C,MAAM,eAAe,GAAG,KAAK,IAAI,EAAE;QACjC,oEAAoE;QACpE,IAAI,YAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,YAAY,GAAG,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACrD,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC;gBACnD,OAAO,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,KAAK,QAAQ,CAAC;YAC9C,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,kCAAkC,CAAC,CAAC;YAC1D,UAAU,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAEjD,oDAAoD;QACpD,MAAM,YAAY,GAAG,IAAI,GAAG,EAAmB,CAAC;QAChD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACpD,IAAI,KAAK,CAAC,MAAM;gBAAE,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACzD,CAAC;QAED,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC;YACtD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;YACnE,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;YAE7D,mDAAmD;YACnD,IAAI,CAAC;gBACH,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC/B,MAAM,YAAY,GAAG,EAAE;yBACpB,WAAW,CAAC,WAAW,CAAC;yBACxB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;oBACtC,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;wBAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;wBAC9C,IAAI,CAAC;4BACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;4BAC5D,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gCACzD,4DAA4D;gCAC5D,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gCACnD,IACE,MAAM;oCACN,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,WAAW,CAAC,EACnD,CAAC;oCACD,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;oCAChD,MAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,EACtC,kBAAkB,CACnB,CAAC;gCACJ,CAAC;qCAAM,CAAC;oCACN,MAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,EACtC,0CAA0C,CAC3C,CAAC;gCACJ,CAAC;4BACH,CAAC;4BACD,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;wBAC1B,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,MAAM,CAAC,KAAK,CACV,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,EAC1B,8BAA8B,CAC/B,CAAC;4BACF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;4BACjD,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;4BAC5C,EAAE,CAAC,UAAU,CACX,QAAQ,EACR,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,WAAW,IAAI,IAAI,EAAE,CAAC,CAC9C,CAAC;wBACJ,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CACV,EAAE,GAAG,EAAE,WAAW,EAAE,EACpB,sCAAsC,CACvC,CAAC;YACJ,CAAC;YAED,gDAAgD;YAChD,IAAI,CAAC;gBACH,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC5B,MAAM,SAAS,GAAG,EAAE;yBACjB,WAAW,CAAC,QAAQ,CAAC;yBACrB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;oBACtC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;wBAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;wBAC3C,IAAI,CAAC;4BACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;4BAC5D,iEAAiE;4BACjE,MAAM,cAAc,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;4BACtD,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;wBAC1B,CAAC;wBAAC,OAAO,GAAG,EAAE,CAAC;4BACb,MAAM,CAAC,KAAK,CACV,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,EAC1B,2BAA2B,CAC5B,CAAC;4BACF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;4BACjD,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;4BAC5C,EAAE,CAAC,UAAU,CACX,QAAQ,EACR,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,WAAW,IAAI,IAAI,EAAE,CAAC,CAC9C,CAAC;wBACJ,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,EAAE,mCAAmC,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC;QAED,UAAU,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;IACjD,CAAC,CAAC;IAEF,eAAe,EAAE,CAAC;IAClB,MAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAiBC,EACD,WAAmB,EAAE,uCAAuC;AAC5D,MAAe,EAAE,+BAA+B;AAChD,IAAa;IAEb,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;IAEjD,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,KAAK,eAAe;YAClB,IACE,IAAI,CAAC,MAAM;gBACX,IAAI,CAAC,aAAa;gBAClB,IAAI,CAAC,cAAc;gBACnB,IAAI,CAAC,SAAS,EACd,CAAC;gBACD,oCAAoC;gBACpC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAmB,CAAC;gBAC3C,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;gBAErD,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBACtB,MAAM,CAAC,IAAI,CACT,EAAE,SAAS,EAAE,EACb,mDAAmD,CACpD,CAAC;oBACF,MAAM;gBACR,CAAC;gBAED,MAAM,YAAY,GAAG,gBAAgB,CAAC,MAAM,CAAC;gBAE7C,kEAAkE;gBAClE,IAAI,CAAC,MAAM,IAAI,YAAY,KAAK,WAAW,EAAE,CAAC;oBAC5C,MAAM,CAAC,IAAI,CACT,EAAE,WAAW,EAAE,YAAY,EAAE,EAC7B,4CAA4C,CAC7C,CAAC;oBACF,MAAM;gBACR,CAAC;gBAED,MAAM,YAAY,GAAG,IAAI,CAAC,aAA6C,CAAC;gBAExE,IAAI,OAAO,GAAkB,IAAI,CAAC;gBAClC,IAAI,YAAY,KAAK,MAAM,EAAE,CAAC;oBAC5B,IAAI,CAAC;wBACH,MAAM,QAAQ,GAAG,oBAAoB,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,EAAE;4BAC/D,EAAE,EAAE,QAAQ;yBACb,CAAC,CAAC;wBACH,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;oBAC1C,CAAC;oBAAC,MAAM,CAAC;wBACP,MAAM,CAAC,IAAI,CACT,EAAE,aAAa,EAAE,IAAI,CAAC,cAAc,EAAE,EACtC,yBAAyB,CAC1B,CAAC;wBACF,MAAM;oBACR,CAAC;gBACH,CAAC;qBAAM,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;oBACvC,MAAM,EAAE,GAAG,QAAQ,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;oBAC7C,IAAI,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;wBACzB,MAAM,CAAC,IAAI,CACT,EAAE,aAAa,EAAE,IAAI,CAAC,cAAc,EAAE,EACtC,kBAAkB,CACnB,CAAC;wBACF,MAAM;oBACR,CAAC;oBACD,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;gBACpD,CAAC;qBAAM,IAAI,YAAY,KAAK,MAAM,EAAE,CAAC;oBACnC,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;oBAC3C,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;wBAC1B,MAAM,CAAC,IAAI,CACT,EAAE,aAAa,EAAE,IAAI,CAAC,cAAc,EAAE,EACtC,mBAAmB,CACpB,CAAC;wBACF,MAAM;oBACR,CAAC;oBACD,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC/B,CAAC;gBAED,MAAM,MAAM,GACV,IAAI,CAAC,MAAM;oBACX,QAAQ,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;gBACjE,MAAM,WAAW,GACf,IAAI,CAAC,YAAY,KAAK,OAAO,IAAI,IAAI,CAAC,YAAY,KAAK,UAAU;oBAC/D,CAAC,CAAC,IAAI,CAAC,YAAY;oBACnB,CAAC,CAAC,UAAU,CAAC;gBACjB,UAAU,CAAC;oBACT,EAAE,EAAE,MAAM;oBACV,YAAY,EAAE,YAAY;oBAC1B,QAAQ,EAAE,SAAS;oBACnB,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,aAAa,EAAE,YAAY;oBAC3B,cAAc,EAAE,IAAI,CAAC,cAAc;oBACnC,YAAY,EAAE,WAAW;oBACzB,QAAQ,EAAE,OAAO;oBACjB,MAAM,EAAE,QAAQ;oBAChB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;iBACrC,CAAC,CAAC;gBACH,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,EAClD,sBAAsB,CACvB,CAAC;gBACF,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,CAAC;YACD,MAAM;QAER,KAAK,YAAY;YACf,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACtC,IAAI,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,YAAY,KAAK,WAAW,CAAC,EAAE,CAAC;oBAC1D,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;oBAC9C,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,EACpC,qBAAqB,CACtB,CAAC;oBACF,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,EACpC,iCAAiC,CAClC,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,MAAM;QAER,KAAK,aAAa;YAChB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACtC,IAAI,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,YAAY,KAAK,WAAW,CAAC,EAAE,CAAC;oBAC1D,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;oBAC9C,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,EACpC,sBAAsB,CACvB,CAAC;oBACF,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,EACpC,kCAAkC,CACnC,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,MAAM;QAER,KAAK,aAAa;YAChB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACtC,IAAI,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,YAAY,KAAK,WAAW,CAAC,EAAE,CAAC;oBAC1D,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBACxB,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,EACpC,wBAAwB,CACzB,CAAC;oBACF,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,EACpC,kCAAkC,CACnC,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,MAAM;QAER,KAAK,aAAa;YAChB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACtC,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,EACpC,2BAA2B,CAC5B,CAAC;oBACF,MAAM;gBACR,CAAC;gBACD,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,YAAY,KAAK,WAAW,EAAE,CAAC;oBACjD,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,EACpC,kCAAkC,CACnC,CAAC;oBACF,MAAM;gBACR,CAAC;gBAED,MAAM,OAAO,GAAqC,EAAE,CAAC;gBACrD,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS;oBAAE,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;gBAC5D,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS;oBAClC,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,aAGnB,CAAC;gBACb,IAAI,IAAI,CAAC,cAAc,KAAK,SAAS;oBACnC,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC;gBAE/C,yCAAyC;gBACzC,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;oBAC9C,MAAM,WAAW,GAAG;wBAClB,GAAG,IAAI;wBACP,GAAG,OAAO;qBACX,CAAC;oBACF,IAAI,WAAW,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;wBACzC,IAAI,CAAC;4BACH,MAAM,QAAQ,GAAG,oBAAoB,CAAC,KAAK,CACzC,WAAW,CAAC,cAAc,EAC1B,EAAE,EAAE,EAAE,QAAQ,EAAE,CACjB,CAAC;4BACF,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;wBACnD,CAAC;wBAAC,MAAM,CAAC;4BACP,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,WAAW,CAAC,cAAc,EAAE,EAC1D,6BAA6B,CAC9B,CAAC;4BACF,MAAM;wBACR,CAAC;oBACH,CAAC;yBAAM,IAAI,WAAW,CAAC,aAAa,KAAK,UAAU,EAAE,CAAC;wBACpD,MAAM,EAAE,GAAG,QAAQ,CAAC,WAAW,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;wBACpD,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC;4BACzB,OAAO,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;wBAC7D,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;gBACjC,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,EAC7C,sBAAsB,CACvB,CAAC;gBACF,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,CAAC;YACD,MAAM;QAER,KAAK,gBAAgB;YACnB,wCAAwC;YACxC,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,IAAI,CACT,EAAE,WAAW,EAAE,EACf,0CAA0C,CAC3C,CAAC;gBACF,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;gBAC5B,qCAAqC;gBACrC,MAAM,eAAe,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAClD,IAAI,CAAC,mBAAmB,CACtB,WAAW,EACX,IAAI,EACJ,eAAe,EACf,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CACvC,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CACT,EAAE,WAAW,EAAE,EACf,6CAA6C,CAC9C,CAAC;YACJ,CAAC;YACD,MAAM;QAER,KAAK,gBAAgB;YACnB,0CAA0C;YAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,CAAC,IAAI,CACT,EAAE,WAAW,EAAE,EACf,6CAA6C,CAC9C,CAAC;gBACF,MAAM;YACR,CAAC;YACD,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBACzD,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;oBACrC,MAAM,CAAC,IAAI,CACT,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,EACpC,qDAAqD,CACtD,CAAC;oBACF,MAAM;gBACR,CAAC;gBACD,oDAAoD;gBACpD,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE;oBAC3B,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBAClC,eAAe,EAAE,IAAI,CAAC,eAAe;oBACrC,eAAe,EAAE,IAAI,CAAC,eAAe;iBACtC,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CACT,EAAE,IAAI,EAAE,EACR,0DAA0D,CAC3D,CAAC;YACJ,CAAC;YACD,MAAM;QAER;YACE,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,uBAAuB,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC"}

package/dist/logger.d.ts

@@ -0,0 +1,3 @@
+import pino from 'pino';
+export declare const logger: pino.Logger<never, boolean>;
+//# sourceMappingURL=logger.d.ts.map

package/dist/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,eAAO,MAAM,MAAM,6BAGjB,CAAC"}

package/dist/logger.js

@@ -0,0 +1,14 @@
+import pino from 'pino';
+export const logger = pino({
+    level: process.env.LOG_LEVEL || 'info',
+    transport: { target: 'pino-pretty', options: { colorize: true } },
+});
+// Route uncaught errors through pino so they get timestamps in stderr
+process.on('uncaughtException', (err) => {
+    logger.fatal({ err }, 'Uncaught exception');
+    process.exit(1);
+});
+process.on('unhandledRejection', (reason) => {
+    logger.error({ err: reason }, 'Unhandled rejection');
+});
+//# sourceMappingURL=logger.js.map

package/dist/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,MAAM,CAAC,MAAM,MAAM,GAAG,IAAI,CAAC;IACzB,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,MAAM;IACtC,SAAS,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;CAClE,CAAC,CAAC;AAEH,sEAAsE;AACtE,OAAO,CAAC,EAAE,CAAC,mBAAmB,EAAE,CAAC,GAAG,EAAE,EAAE;IACtC,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,oBAAoB,CAAC,CAAC;IAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC;AAEH,OAAO,CAAC,EAAE,CAAC,oBAAoB,EAAE,CAAC,MAAM,EAAE,EAAE;IAC1C,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,qBAAqB,CAAC,CAAC;AACvD,CAAC,CAAC,CAAC"}

package/dist/mount-security.d.ts

@@ -0,0 +1,34 @@
+import { AdditionalMount, MountAllowlist } from './types.js';
+/**
+ * Load the mount allowlist from the external config location.
+ * Returns null if the file doesn't exist or is invalid.
+ * Result is cached in memory for the lifetime of the process.
+ */
+export declare function loadMountAllowlist(): MountAllowlist | null;
+export interface MountValidationResult {
+    allowed: boolean;
+    reason: string;
+    realHostPath?: string;
+    resolvedContainerPath?: string;
+    effectiveReadonly?: boolean;
+}
+/**
+ * Validate a single additional mount against the allowlist.
+ * Returns validation result with reason.
+ */
+export declare function validateMount(mount: AdditionalMount, isMain: boolean): MountValidationResult;
+/**
+ * Validate all additional mounts for a group.
+ * Returns array of validated mounts (only those that passed validation).
+ * Logs warnings for rejected mounts.
+ */
+export declare function validateAdditionalMounts(mounts: AdditionalMount[], groupName: string, isMain: boolean): Array<{
+    hostPath: string;
+    containerPath: string;
+    readonly: boolean;
+}>;
+/**
+ * Generate a template allowlist file for users to customize
+ */
+export declare function generateAllowlistTemplate(): string;
+//# sourceMappingURL=mount-security.d.ts.map

package/dist/mount-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mount-security.d.ts","sourceRoot":"","sources":["../src/mount-security.ts"],"names":[],"mappings":"AAcA,OAAO,EAAE,eAAe,EAAe,cAAc,EAAE,MAAM,YAAY,CAAC;AAkC1E;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,cAAc,GAAG,IAAI,CAiE1D;AAsGD,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,KAAK,EAAE,eAAe,EACtB,MAAM,EAAE,OAAO,GACd,qBAAqB,CA6FvB;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,eAAe,EAAE,EACzB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,OAAO,GACd,KAAK,CAAC;IACP,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,OAAO,CAAC;CACnB,CAAC,CAyCD;AAED;;GAEG;AACH,wBAAgB,yBAAyB,IAAI,MAAM,CA6BlD"}