@sysid/sandbox-runtime-improved 0.0.55-sysid.1 → 0.0.61-sysid.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +43 -2
- package/dist/cli.js +8 -0
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +6 -6
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -2
- package/dist/index.js.map +1 -1
- package/dist/sandbox/credential-mask-files.d.ts +72 -0
- package/dist/sandbox/credential-mask-files.d.ts.map +1 -0
- package/dist/sandbox/credential-mask-files.js +146 -0
- package/dist/sandbox/credential-mask-files.js.map +1 -0
- package/dist/sandbox/credential-sentinel.d.ts +72 -0
- package/dist/sandbox/credential-sentinel.d.ts.map +1 -0
- package/dist/sandbox/credential-sentinel.js +130 -0
- package/dist/sandbox/credential-sentinel.js.map +1 -0
- package/dist/sandbox/domain-pattern.d.ts +36 -0
- package/dist/sandbox/domain-pattern.d.ts.map +1 -0
- package/dist/sandbox/domain-pattern.js +60 -0
- package/dist/sandbox/domain-pattern.js.map +1 -0
- package/dist/sandbox/http-proxy.d.ts +32 -1
- package/dist/sandbox/http-proxy.d.ts.map +1 -1
- package/dist/sandbox/http-proxy.js +10 -2
- package/dist/sandbox/http-proxy.js.map +1 -1
- package/dist/sandbox/linux-sandbox-utils.d.ts +17 -0
- package/dist/sandbox/linux-sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/linux-sandbox-utils.js +155 -47
- package/dist/sandbox/linux-sandbox-utils.js.map +1 -1
- package/dist/sandbox/listen-in-range.d.ts +12 -0
- package/dist/sandbox/listen-in-range.d.ts.map +1 -0
- package/dist/sandbox/listen-in-range.js +43 -0
- package/dist/sandbox/listen-in-range.js.map +1 -0
- package/dist/sandbox/macos-sandbox-utils.d.ts +13 -0
- package/dist/sandbox/macos-sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/macos-sandbox-utils.js +76 -14
- package/dist/sandbox/macos-sandbox-utils.js.map +1 -1
- package/dist/sandbox/mitm-ca.d.ts +18 -2
- package/dist/sandbox/mitm-ca.d.ts.map +1 -1
- package/dist/sandbox/mitm-ca.js +49 -9
- package/dist/sandbox/mitm-ca.js.map +1 -1
- package/dist/sandbox/mitm-leaf.d.ts.map +1 -1
- package/dist/sandbox/mitm-leaf.js +24 -6
- package/dist/sandbox/mitm-leaf.js.map +1 -1
- package/dist/sandbox/mux-proxy.d.ts +59 -0
- package/dist/sandbox/mux-proxy.d.ts.map +1 -0
- package/dist/sandbox/mux-proxy.js +159 -0
- package/dist/sandbox/mux-proxy.js.map +1 -0
- package/dist/sandbox/request-filter.d.ts +11 -1
- package/dist/sandbox/request-filter.d.ts.map +1 -1
- package/dist/sandbox/request-filter.js.map +1 -1
- package/dist/sandbox/sandbox-config.d.ts +383 -1
- package/dist/sandbox/sandbox-config.d.ts.map +1 -1
- package/dist/sandbox/sandbox-config.js +252 -1
- package/dist/sandbox/sandbox-config.js.map +1 -1
- package/dist/sandbox/sandbox-manager.d.ts +4 -0
- package/dist/sandbox/sandbox-manager.d.ts.map +1 -1
- package/dist/sandbox/sandbox-manager.js +618 -168
- package/dist/sandbox/sandbox-manager.js.map +1 -1
- package/dist/sandbox/sandbox-schemas.d.ts +27 -0
- package/dist/sandbox/sandbox-schemas.d.ts.map +1 -1
- package/dist/sandbox/sandbox-utils.d.ts +42 -6
- package/dist/sandbox/sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/sandbox-utils.js +115 -27
- package/dist/sandbox/sandbox-utils.js.map +1 -1
- package/dist/sandbox/socks-proxy.d.ts +11 -5
- package/dist/sandbox/socks-proxy.d.ts.map +1 -1
- package/dist/sandbox/socks-proxy.js +13 -81
- package/dist/sandbox/socks-proxy.js.map +1 -1
- package/dist/sandbox/tls-terminate-proxy.d.ts +2 -2
- package/dist/sandbox/tls-terminate-proxy.d.ts.map +1 -1
- package/dist/sandbox/tls-terminate-proxy.js +31 -5
- package/dist/sandbox/tls-terminate-proxy.js.map +1 -1
- package/dist/sandbox/windows-sandbox-utils.d.ts +347 -11
- package/dist/sandbox/windows-sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/windows-sandbox-utils.js +437 -45
- package/dist/sandbox/windows-sandbox-utils.js.map +1 -1
- package/package.json +7 -4
- package/vendor/seccomp/build.ts +8 -30
- package/vendor/srt-win/build.ts +21 -0
- package/dist/vendor/seccomp/Dockerfile.build +0 -6
- package/dist/vendor/seccomp/arm64/apply-seccomp +0 -0
- package/dist/vendor/seccomp/build.ts +0 -91
- package/dist/vendor/seccomp/x64/apply-seccomp +0 -0
- package/dist/vendor/seccomp-src/apply-seccomp.c +0 -280
- package/dist/vendor/seccomp-src/seccomp-unix-block.c +0 -148
- package/dist/vendor/srt-win/Cargo.lock +0 -361
- package/dist/vendor/srt-win/Cargo.toml +0 -46
- package/dist/vendor/srt-win/ci/cleanup.ps1 +0 -49
- package/dist/vendor/srt-win/ci/smoke-exec.ps1 +0 -446
- package/dist/vendor/srt-win/ci/smoke.ps1 +0 -307
- package/dist/vendor/srt-win/src/job.rs +0 -102
- package/dist/vendor/srt-win/src/launch.rs +0 -732
- package/dist/vendor/srt-win/src/lib.rs +0 -20
- package/dist/vendor/srt-win/src/main.rs +0 -669
- package/dist/vendor/srt-win/src/self_protect.rs +0 -169
- package/dist/vendor/srt-win/src/sid.rs +0 -296
- package/dist/vendor/srt-win/src/token.rs +0 -341
- package/dist/vendor/srt-win/src/util.rs +0 -42
- package/dist/vendor/srt-win/src/wfp.rs +0 -992
- package/dist/vendor/srt-win/src/winsta.rs +0 -209
- package/dist/vendor/srt-win/tests/sd_access_check_matrix.rs +0 -259
- package/vendor/seccomp-src/apply-seccomp.c +0 -280
- package/vendor/seccomp-src/seccomp-unix-block.c +0 -148
- package/vendor/srt-win/Cargo.lock +0 -361
- package/vendor/srt-win/Cargo.toml +0 -46
- package/vendor/srt-win/ci/cleanup.ps1 +0 -49
- package/vendor/srt-win/ci/smoke-exec.ps1 +0 -446
- package/vendor/srt-win/ci/smoke.ps1 +0 -307
- package/vendor/srt-win/src/job.rs +0 -102
- package/vendor/srt-win/src/launch.rs +0 -732
- package/vendor/srt-win/src/lib.rs +0 -20
- package/vendor/srt-win/src/main.rs +0 -669
- package/vendor/srt-win/src/self_protect.rs +0 -169
- package/vendor/srt-win/src/sid.rs +0 -296
- package/vendor/srt-win/src/token.rs +0 -341
- package/vendor/srt-win/src/util.rs +0 -42
- package/vendor/srt-win/src/wfp.rs +0 -992
- package/vendor/srt-win/src/winsta.rs +0 -209
- package/vendor/srt-win/tests/sd_access_check_matrix.rs +0 -259
|
@@ -36,6 +36,127 @@ declare const ParentProxyConfigSchema: z.ZodObject<{
|
|
|
36
36
|
https?: string | undefined;
|
|
37
37
|
noProxy?: string | undefined;
|
|
38
38
|
}>;
|
|
39
|
+
/**
|
|
40
|
+
* Schema for the access mode of a declared credential source.
|
|
41
|
+
*
|
|
42
|
+
* - `deny` — the sandboxed process cannot read the file / does not see the
|
|
43
|
+
* environment variable.
|
|
44
|
+
* - `mask` — the sandboxed process sees a per-session sentinel value; the
|
|
45
|
+
* host proxy substitutes sentinel→real on egress to `injectHosts`.
|
|
46
|
+
* For files this is whole-file masking (Linux only; degrades to `deny`
|
|
47
|
+
* on macOS — see {@link CredentialFileConfigSchema}).
|
|
48
|
+
*/
|
|
49
|
+
declare const credentialModeSchema: z.ZodEnum<["deny", "mask"]>;
|
|
50
|
+
/**
|
|
51
|
+
* Schema for a single credential file/directory entry.
|
|
52
|
+
*
|
|
53
|
+
* `mode: "mask"` is **whole-file** masking: the entire file content is
|
|
54
|
+
* replaced inside the sandbox with one sentinel string, and the proxy
|
|
55
|
+
* substitutes that sentinel back to the real bytes on egress. This works
|
|
56
|
+
* for files whose content *is* the credential (a token file, a single-line
|
|
57
|
+
* secret). It does **not** work for structured files a tool parses
|
|
58
|
+
* (`.netrc`, JSON/YAML configs) — the tool will fail to parse the sentinel.
|
|
59
|
+
* For those, prefer env-var masking where the tool supports it, or
|
|
60
|
+
* `mode: "deny"`. Format-aware extraction is a possible future extension.
|
|
61
|
+
*
|
|
62
|
+
* On macOS, SBPL cannot redirect reads, so `mode: "mask"` currently
|
|
63
|
+
* degrades to `mode: "deny"` (the file is unreadable inside the sandbox).
|
|
64
|
+
*/
|
|
65
|
+
export declare const CredentialFileConfigSchema: z.ZodObject<{
|
|
66
|
+
path: z.ZodString;
|
|
67
|
+
mode: z.ZodEnum<["deny", "mask"]>;
|
|
68
|
+
injectHosts: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
|
|
69
|
+
}, "strip", z.ZodTypeAny, {
|
|
70
|
+
mode: "deny" | "mask";
|
|
71
|
+
path: string;
|
|
72
|
+
injectHosts?: string[] | undefined;
|
|
73
|
+
}, {
|
|
74
|
+
mode: "deny" | "mask";
|
|
75
|
+
path: string;
|
|
76
|
+
injectHosts?: string[] | undefined;
|
|
77
|
+
}>;
|
|
78
|
+
/**
|
|
79
|
+
* Schema for a single credential environment variable entry.
|
|
80
|
+
*/
|
|
81
|
+
export declare const CredentialEnvVarConfigSchema: z.ZodObject<{
|
|
82
|
+
name: z.ZodString;
|
|
83
|
+
mode: z.ZodEnum<["deny", "mask"]>;
|
|
84
|
+
injectHosts: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
|
|
85
|
+
}, "strip", z.ZodTypeAny, {
|
|
86
|
+
mode: "deny" | "mask";
|
|
87
|
+
name: string;
|
|
88
|
+
injectHosts?: string[] | undefined;
|
|
89
|
+
}, {
|
|
90
|
+
mode: "deny" | "mask";
|
|
91
|
+
name: string;
|
|
92
|
+
injectHosts?: string[] | undefined;
|
|
93
|
+
}>;
|
|
94
|
+
/**
|
|
95
|
+
* Credentials configuration schema for validation.
|
|
96
|
+
*
|
|
97
|
+
* Declares credential sources (files and environment variables) with a
|
|
98
|
+
* per-source mode:
|
|
99
|
+
* - `deny` blocks the source inside the sandbox (file reads are denied via the
|
|
100
|
+
* filesystem read-deny mechanism, env vars are unset in the child).
|
|
101
|
+
*
|
|
102
|
+
* Additional modes (e.g. `mask`) will be added in future releases.
|
|
103
|
+
*
|
|
104
|
+
* Only the sources declared here are affected; the section applies no
|
|
105
|
+
* implicit restrictions beyond them.
|
|
106
|
+
*/
|
|
107
|
+
export declare const CredentialsConfigSchema: z.ZodObject<{
|
|
108
|
+
files: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
109
|
+
path: z.ZodString;
|
|
110
|
+
mode: z.ZodEnum<["deny", "mask"]>;
|
|
111
|
+
injectHosts: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
|
|
112
|
+
}, "strip", z.ZodTypeAny, {
|
|
113
|
+
mode: "deny" | "mask";
|
|
114
|
+
path: string;
|
|
115
|
+
injectHosts?: string[] | undefined;
|
|
116
|
+
}, {
|
|
117
|
+
mode: "deny" | "mask";
|
|
118
|
+
path: string;
|
|
119
|
+
injectHosts?: string[] | undefined;
|
|
120
|
+
}>, "many">>;
|
|
121
|
+
envVars: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
122
|
+
name: z.ZodString;
|
|
123
|
+
mode: z.ZodEnum<["deny", "mask"]>;
|
|
124
|
+
injectHosts: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
|
|
125
|
+
}, "strip", z.ZodTypeAny, {
|
|
126
|
+
mode: "deny" | "mask";
|
|
127
|
+
name: string;
|
|
128
|
+
injectHosts?: string[] | undefined;
|
|
129
|
+
}, {
|
|
130
|
+
mode: "deny" | "mask";
|
|
131
|
+
name: string;
|
|
132
|
+
injectHosts?: string[] | undefined;
|
|
133
|
+
}>, "many">>;
|
|
134
|
+
allowPlaintextInject: z.ZodOptional<z.ZodBoolean>;
|
|
135
|
+
}, "strict", z.ZodTypeAny, {
|
|
136
|
+
files?: {
|
|
137
|
+
mode: "deny" | "mask";
|
|
138
|
+
path: string;
|
|
139
|
+
injectHosts?: string[] | undefined;
|
|
140
|
+
}[] | undefined;
|
|
141
|
+
envVars?: {
|
|
142
|
+
mode: "deny" | "mask";
|
|
143
|
+
name: string;
|
|
144
|
+
injectHosts?: string[] | undefined;
|
|
145
|
+
}[] | undefined;
|
|
146
|
+
allowPlaintextInject?: boolean | undefined;
|
|
147
|
+
}, {
|
|
148
|
+
files?: {
|
|
149
|
+
mode: "deny" | "mask";
|
|
150
|
+
path: string;
|
|
151
|
+
injectHosts?: string[] | undefined;
|
|
152
|
+
}[] | undefined;
|
|
153
|
+
envVars?: {
|
|
154
|
+
mode: "deny" | "mask";
|
|
155
|
+
name: string;
|
|
156
|
+
injectHosts?: string[] | undefined;
|
|
157
|
+
}[] | undefined;
|
|
158
|
+
allowPlaintextInject?: boolean | undefined;
|
|
159
|
+
}>;
|
|
39
160
|
/**
|
|
40
161
|
* Network configuration schema for validation
|
|
41
162
|
*/
|
|
@@ -63,18 +184,23 @@ export declare const NetworkConfigSchema: z.ZodObject<{
|
|
|
63
184
|
tlsTerminate: z.ZodOptional<z.ZodEffects<z.ZodObject<{
|
|
64
185
|
caCertPath: z.ZodOptional<z.ZodString>;
|
|
65
186
|
caKeyPath: z.ZodOptional<z.ZodString>;
|
|
187
|
+
excludeDomains: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
|
|
66
188
|
}, "strip", z.ZodTypeAny, {
|
|
67
189
|
caCertPath?: string | undefined;
|
|
68
190
|
caKeyPath?: string | undefined;
|
|
191
|
+
excludeDomains?: string[] | undefined;
|
|
69
192
|
}, {
|
|
70
193
|
caCertPath?: string | undefined;
|
|
71
194
|
caKeyPath?: string | undefined;
|
|
195
|
+
excludeDomains?: string[] | undefined;
|
|
72
196
|
}>, {
|
|
73
197
|
caCertPath?: string | undefined;
|
|
74
198
|
caKeyPath?: string | undefined;
|
|
199
|
+
excludeDomains?: string[] | undefined;
|
|
75
200
|
}, {
|
|
76
201
|
caCertPath?: string | undefined;
|
|
77
202
|
caKeyPath?: string | undefined;
|
|
203
|
+
excludeDomains?: string[] | undefined;
|
|
78
204
|
}>>;
|
|
79
205
|
parentProxy: z.ZodOptional<z.ZodObject<{
|
|
80
206
|
http: z.ZodOptional<z.ZodString>;
|
|
@@ -107,6 +233,7 @@ export declare const NetworkConfigSchema: z.ZodObject<{
|
|
|
107
233
|
tlsTerminate?: {
|
|
108
234
|
caCertPath?: string | undefined;
|
|
109
235
|
caKeyPath?: string | undefined;
|
|
236
|
+
excludeDomains?: string[] | undefined;
|
|
110
237
|
} | undefined;
|
|
111
238
|
parentProxy?: {
|
|
112
239
|
http?: string | undefined;
|
|
@@ -131,6 +258,7 @@ export declare const NetworkConfigSchema: z.ZodObject<{
|
|
|
131
258
|
tlsTerminate?: {
|
|
132
259
|
caCertPath?: string | undefined;
|
|
133
260
|
caKeyPath?: string | undefined;
|
|
261
|
+
excludeDomains?: string[] | undefined;
|
|
134
262
|
} | undefined;
|
|
135
263
|
parentProxy?: {
|
|
136
264
|
http?: string | undefined;
|
|
@@ -142,6 +270,7 @@ export declare const NetworkConfigSchema: z.ZodObject<{
|
|
|
142
270
|
* Filesystem configuration schema for validation
|
|
143
271
|
*/
|
|
144
272
|
export declare const FilesystemConfigSchema: z.ZodObject<{
|
|
273
|
+
disabled: z.ZodOptional<z.ZodBoolean>;
|
|
145
274
|
denyRead: z.ZodArray<z.ZodString, "many">;
|
|
146
275
|
allowRead: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
147
276
|
allowWrite: z.ZodArray<z.ZodString, "many">;
|
|
@@ -151,12 +280,14 @@ export declare const FilesystemConfigSchema: z.ZodObject<{
|
|
|
151
280
|
denyRead: string[];
|
|
152
281
|
allowWrite: string[];
|
|
153
282
|
denyWrite: string[];
|
|
283
|
+
disabled?: boolean | undefined;
|
|
154
284
|
allowRead?: string[] | undefined;
|
|
155
285
|
allowGitConfig?: boolean | undefined;
|
|
156
286
|
}, {
|
|
157
287
|
denyRead: string[];
|
|
158
288
|
allowWrite: string[];
|
|
159
289
|
denyWrite: string[];
|
|
290
|
+
disabled?: boolean | undefined;
|
|
160
291
|
allowRead?: string[] | undefined;
|
|
161
292
|
allowGitConfig?: boolean | undefined;
|
|
162
293
|
}>;
|
|
@@ -190,9 +321,11 @@ export declare const WindowsConfigSchema: z.ZodObject<{
|
|
|
190
321
|
groupName: z.ZodDefault<z.ZodString>;
|
|
191
322
|
groupSid: z.ZodOptional<z.ZodString>;
|
|
192
323
|
wfpSublayerGuid: z.ZodOptional<z.ZodString>;
|
|
324
|
+
asSandboxUser: z.ZodDefault<z.ZodBoolean>;
|
|
193
325
|
proxyPortRange: z.ZodOptional<z.ZodEffects<z.ZodTuple<[z.ZodNumber, z.ZodNumber], null>, [number, number], [number, number]>>;
|
|
194
326
|
}, "strip", z.ZodTypeAny, {
|
|
195
327
|
groupName: string;
|
|
328
|
+
asSandboxUser: boolean;
|
|
196
329
|
groupSid?: string | undefined;
|
|
197
330
|
wfpSublayerGuid?: string | undefined;
|
|
198
331
|
proxyPortRange?: [number, number] | undefined;
|
|
@@ -200,6 +333,7 @@ export declare const WindowsConfigSchema: z.ZodObject<{
|
|
|
200
333
|
groupName?: string | undefined;
|
|
201
334
|
groupSid?: string | undefined;
|
|
202
335
|
wfpSublayerGuid?: string | undefined;
|
|
336
|
+
asSandboxUser?: boolean | undefined;
|
|
203
337
|
proxyPortRange?: [number, number] | undefined;
|
|
204
338
|
}>;
|
|
205
339
|
/**
|
|
@@ -218,7 +352,7 @@ export declare const SeccompConfigSchema: z.ZodObject<{
|
|
|
218
352
|
/**
|
|
219
353
|
* Main configuration schema for Sandbox Runtime validation
|
|
220
354
|
*/
|
|
221
|
-
export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
355
|
+
export declare const SandboxRuntimeConfigSchema: z.ZodEffects<z.ZodObject<{
|
|
222
356
|
network: z.ZodObject<{
|
|
223
357
|
allowedDomains: z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">;
|
|
224
358
|
deniedDomains: z.ZodArray<z.ZodUnion<[z.ZodLiteral<"*">, z.ZodEffects<z.ZodString, string, string>]>, "many">;
|
|
@@ -243,18 +377,23 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
243
377
|
tlsTerminate: z.ZodOptional<z.ZodEffects<z.ZodObject<{
|
|
244
378
|
caCertPath: z.ZodOptional<z.ZodString>;
|
|
245
379
|
caKeyPath: z.ZodOptional<z.ZodString>;
|
|
380
|
+
excludeDomains: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
|
|
246
381
|
}, "strip", z.ZodTypeAny, {
|
|
247
382
|
caCertPath?: string | undefined;
|
|
248
383
|
caKeyPath?: string | undefined;
|
|
384
|
+
excludeDomains?: string[] | undefined;
|
|
249
385
|
}, {
|
|
250
386
|
caCertPath?: string | undefined;
|
|
251
387
|
caKeyPath?: string | undefined;
|
|
388
|
+
excludeDomains?: string[] | undefined;
|
|
252
389
|
}>, {
|
|
253
390
|
caCertPath?: string | undefined;
|
|
254
391
|
caKeyPath?: string | undefined;
|
|
392
|
+
excludeDomains?: string[] | undefined;
|
|
255
393
|
}, {
|
|
256
394
|
caCertPath?: string | undefined;
|
|
257
395
|
caKeyPath?: string | undefined;
|
|
396
|
+
excludeDomains?: string[] | undefined;
|
|
258
397
|
}>>;
|
|
259
398
|
parentProxy: z.ZodOptional<z.ZodObject<{
|
|
260
399
|
http: z.ZodOptional<z.ZodString>;
|
|
@@ -287,6 +426,7 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
287
426
|
tlsTerminate?: {
|
|
288
427
|
caCertPath?: string | undefined;
|
|
289
428
|
caKeyPath?: string | undefined;
|
|
429
|
+
excludeDomains?: string[] | undefined;
|
|
290
430
|
} | undefined;
|
|
291
431
|
parentProxy?: {
|
|
292
432
|
http?: string | undefined;
|
|
@@ -311,6 +451,7 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
311
451
|
tlsTerminate?: {
|
|
312
452
|
caCertPath?: string | undefined;
|
|
313
453
|
caKeyPath?: string | undefined;
|
|
454
|
+
excludeDomains?: string[] | undefined;
|
|
314
455
|
} | undefined;
|
|
315
456
|
parentProxy?: {
|
|
316
457
|
http?: string | undefined;
|
|
@@ -319,6 +460,7 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
319
460
|
} | undefined;
|
|
320
461
|
}>;
|
|
321
462
|
filesystem: z.ZodObject<{
|
|
463
|
+
disabled: z.ZodOptional<z.ZodBoolean>;
|
|
322
464
|
denyRead: z.ZodArray<z.ZodString, "many">;
|
|
323
465
|
allowRead: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
324
466
|
allowWrite: z.ZodArray<z.ZodString, "many">;
|
|
@@ -328,15 +470,70 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
328
470
|
denyRead: string[];
|
|
329
471
|
allowWrite: string[];
|
|
330
472
|
denyWrite: string[];
|
|
473
|
+
disabled?: boolean | undefined;
|
|
331
474
|
allowRead?: string[] | undefined;
|
|
332
475
|
allowGitConfig?: boolean | undefined;
|
|
333
476
|
}, {
|
|
334
477
|
denyRead: string[];
|
|
335
478
|
allowWrite: string[];
|
|
336
479
|
denyWrite: string[];
|
|
480
|
+
disabled?: boolean | undefined;
|
|
337
481
|
allowRead?: string[] | undefined;
|
|
338
482
|
allowGitConfig?: boolean | undefined;
|
|
339
483
|
}>;
|
|
484
|
+
credentials: z.ZodOptional<z.ZodObject<{
|
|
485
|
+
files: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
486
|
+
path: z.ZodString;
|
|
487
|
+
mode: z.ZodEnum<["deny", "mask"]>;
|
|
488
|
+
injectHosts: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
|
|
489
|
+
}, "strip", z.ZodTypeAny, {
|
|
490
|
+
mode: "deny" | "mask";
|
|
491
|
+
path: string;
|
|
492
|
+
injectHosts?: string[] | undefined;
|
|
493
|
+
}, {
|
|
494
|
+
mode: "deny" | "mask";
|
|
495
|
+
path: string;
|
|
496
|
+
injectHosts?: string[] | undefined;
|
|
497
|
+
}>, "many">>;
|
|
498
|
+
envVars: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
499
|
+
name: z.ZodString;
|
|
500
|
+
mode: z.ZodEnum<["deny", "mask"]>;
|
|
501
|
+
injectHosts: z.ZodOptional<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
|
|
502
|
+
}, "strip", z.ZodTypeAny, {
|
|
503
|
+
mode: "deny" | "mask";
|
|
504
|
+
name: string;
|
|
505
|
+
injectHosts?: string[] | undefined;
|
|
506
|
+
}, {
|
|
507
|
+
mode: "deny" | "mask";
|
|
508
|
+
name: string;
|
|
509
|
+
injectHosts?: string[] | undefined;
|
|
510
|
+
}>, "many">>;
|
|
511
|
+
allowPlaintextInject: z.ZodOptional<z.ZodBoolean>;
|
|
512
|
+
}, "strict", z.ZodTypeAny, {
|
|
513
|
+
files?: {
|
|
514
|
+
mode: "deny" | "mask";
|
|
515
|
+
path: string;
|
|
516
|
+
injectHosts?: string[] | undefined;
|
|
517
|
+
}[] | undefined;
|
|
518
|
+
envVars?: {
|
|
519
|
+
mode: "deny" | "mask";
|
|
520
|
+
name: string;
|
|
521
|
+
injectHosts?: string[] | undefined;
|
|
522
|
+
}[] | undefined;
|
|
523
|
+
allowPlaintextInject?: boolean | undefined;
|
|
524
|
+
}, {
|
|
525
|
+
files?: {
|
|
526
|
+
mode: "deny" | "mask";
|
|
527
|
+
path: string;
|
|
528
|
+
injectHosts?: string[] | undefined;
|
|
529
|
+
}[] | undefined;
|
|
530
|
+
envVars?: {
|
|
531
|
+
mode: "deny" | "mask";
|
|
532
|
+
name: string;
|
|
533
|
+
injectHosts?: string[] | undefined;
|
|
534
|
+
}[] | undefined;
|
|
535
|
+
allowPlaintextInject?: boolean | undefined;
|
|
536
|
+
}>>;
|
|
340
537
|
ignoreViolations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>>;
|
|
341
538
|
enableWeakerNestedSandbox: z.ZodOptional<z.ZodBoolean>;
|
|
342
539
|
enableWeakerNetworkIsolation: z.ZodOptional<z.ZodBoolean>;
|
|
@@ -373,9 +570,11 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
373
570
|
groupName: z.ZodDefault<z.ZodString>;
|
|
374
571
|
groupSid: z.ZodOptional<z.ZodString>;
|
|
375
572
|
wfpSublayerGuid: z.ZodOptional<z.ZodString>;
|
|
573
|
+
asSandboxUser: z.ZodDefault<z.ZodBoolean>;
|
|
376
574
|
proxyPortRange: z.ZodOptional<z.ZodEffects<z.ZodTuple<[z.ZodNumber, z.ZodNumber], null>, [number, number], [number, number]>>;
|
|
377
575
|
}, "strip", z.ZodTypeAny, {
|
|
378
576
|
groupName: string;
|
|
577
|
+
asSandboxUser: boolean;
|
|
379
578
|
groupSid?: string | undefined;
|
|
380
579
|
wfpSublayerGuid?: string | undefined;
|
|
381
580
|
proxyPortRange?: [number, number] | undefined;
|
|
@@ -383,6 +582,7 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
383
582
|
groupName?: string | undefined;
|
|
384
583
|
groupSid?: string | undefined;
|
|
385
584
|
wfpSublayerGuid?: string | undefined;
|
|
585
|
+
asSandboxUser?: boolean | undefined;
|
|
386
586
|
proxyPortRange?: [number, number] | undefined;
|
|
387
587
|
}>>;
|
|
388
588
|
}, "strip", z.ZodTypeAny, {
|
|
@@ -404,6 +604,7 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
404
604
|
tlsTerminate?: {
|
|
405
605
|
caCertPath?: string | undefined;
|
|
406
606
|
caKeyPath?: string | undefined;
|
|
607
|
+
excludeDomains?: string[] | undefined;
|
|
407
608
|
} | undefined;
|
|
408
609
|
parentProxy?: {
|
|
409
610
|
http?: string | undefined;
|
|
@@ -415,9 +616,23 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
415
616
|
denyRead: string[];
|
|
416
617
|
allowWrite: string[];
|
|
417
618
|
denyWrite: string[];
|
|
619
|
+
disabled?: boolean | undefined;
|
|
418
620
|
allowRead?: string[] | undefined;
|
|
419
621
|
allowGitConfig?: boolean | undefined;
|
|
420
622
|
};
|
|
623
|
+
credentials?: {
|
|
624
|
+
files?: {
|
|
625
|
+
mode: "deny" | "mask";
|
|
626
|
+
path: string;
|
|
627
|
+
injectHosts?: string[] | undefined;
|
|
628
|
+
}[] | undefined;
|
|
629
|
+
envVars?: {
|
|
630
|
+
mode: "deny" | "mask";
|
|
631
|
+
name: string;
|
|
632
|
+
injectHosts?: string[] | undefined;
|
|
633
|
+
}[] | undefined;
|
|
634
|
+
allowPlaintextInject?: boolean | undefined;
|
|
635
|
+
} | undefined;
|
|
421
636
|
ignoreViolations?: Record<string, string[]> | undefined;
|
|
422
637
|
enableWeakerNestedSandbox?: boolean | undefined;
|
|
423
638
|
enableWeakerNetworkIsolation?: boolean | undefined;
|
|
@@ -438,6 +653,7 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
438
653
|
socatPath?: string | undefined;
|
|
439
654
|
windows?: {
|
|
440
655
|
groupName: string;
|
|
656
|
+
asSandboxUser: boolean;
|
|
441
657
|
groupSid?: string | undefined;
|
|
442
658
|
wfpSublayerGuid?: string | undefined;
|
|
443
659
|
proxyPortRange?: [number, number] | undefined;
|
|
@@ -461,6 +677,7 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
461
677
|
tlsTerminate?: {
|
|
462
678
|
caCertPath?: string | undefined;
|
|
463
679
|
caKeyPath?: string | undefined;
|
|
680
|
+
excludeDomains?: string[] | undefined;
|
|
464
681
|
} | undefined;
|
|
465
682
|
parentProxy?: {
|
|
466
683
|
http?: string | undefined;
|
|
@@ -472,9 +689,169 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
472
689
|
denyRead: string[];
|
|
473
690
|
allowWrite: string[];
|
|
474
691
|
denyWrite: string[];
|
|
692
|
+
disabled?: boolean | undefined;
|
|
475
693
|
allowRead?: string[] | undefined;
|
|
476
694
|
allowGitConfig?: boolean | undefined;
|
|
477
695
|
};
|
|
696
|
+
credentials?: {
|
|
697
|
+
files?: {
|
|
698
|
+
mode: "deny" | "mask";
|
|
699
|
+
path: string;
|
|
700
|
+
injectHosts?: string[] | undefined;
|
|
701
|
+
}[] | undefined;
|
|
702
|
+
envVars?: {
|
|
703
|
+
mode: "deny" | "mask";
|
|
704
|
+
name: string;
|
|
705
|
+
injectHosts?: string[] | undefined;
|
|
706
|
+
}[] | undefined;
|
|
707
|
+
allowPlaintextInject?: boolean | undefined;
|
|
708
|
+
} | undefined;
|
|
709
|
+
ignoreViolations?: Record<string, string[]> | undefined;
|
|
710
|
+
enableWeakerNestedSandbox?: boolean | undefined;
|
|
711
|
+
enableWeakerNetworkIsolation?: boolean | undefined;
|
|
712
|
+
allowAppleEvents?: boolean | undefined;
|
|
713
|
+
ripgrep?: {
|
|
714
|
+
command: string;
|
|
715
|
+
args?: string[] | undefined;
|
|
716
|
+
argv0?: string | undefined;
|
|
717
|
+
} | undefined;
|
|
718
|
+
mandatoryDenySearchDepth?: number | undefined;
|
|
719
|
+
allowPty?: boolean | undefined;
|
|
720
|
+
allowBrowserProcess?: boolean | undefined;
|
|
721
|
+
seccomp?: {
|
|
722
|
+
argv0?: string | undefined;
|
|
723
|
+
applyPath?: string | undefined;
|
|
724
|
+
} | undefined;
|
|
725
|
+
bwrapPath?: string | undefined;
|
|
726
|
+
socatPath?: string | undefined;
|
|
727
|
+
windows?: {
|
|
728
|
+
groupName?: string | undefined;
|
|
729
|
+
groupSid?: string | undefined;
|
|
730
|
+
wfpSublayerGuid?: string | undefined;
|
|
731
|
+
asSandboxUser?: boolean | undefined;
|
|
732
|
+
proxyPortRange?: [number, number] | undefined;
|
|
733
|
+
} | undefined;
|
|
734
|
+
}>, {
|
|
735
|
+
network: {
|
|
736
|
+
allowedDomains: string[];
|
|
737
|
+
deniedDomains: string[];
|
|
738
|
+
strictAllowlist?: boolean | undefined;
|
|
739
|
+
allowUnixSockets?: string[] | undefined;
|
|
740
|
+
allowAllUnixSockets?: boolean | undefined;
|
|
741
|
+
allowLocalBinding?: boolean | undefined;
|
|
742
|
+
allowMachLookup?: string[] | undefined;
|
|
743
|
+
httpProxyPort?: number | undefined;
|
|
744
|
+
socksProxyPort?: number | undefined;
|
|
745
|
+
mitmProxy?: {
|
|
746
|
+
socketPath: string;
|
|
747
|
+
domains: string[];
|
|
748
|
+
} | undefined;
|
|
749
|
+
filterRequest?: FilterRequestCallback | undefined;
|
|
750
|
+
tlsTerminate?: {
|
|
751
|
+
caCertPath?: string | undefined;
|
|
752
|
+
caKeyPath?: string | undefined;
|
|
753
|
+
excludeDomains?: string[] | undefined;
|
|
754
|
+
} | undefined;
|
|
755
|
+
parentProxy?: {
|
|
756
|
+
http?: string | undefined;
|
|
757
|
+
https?: string | undefined;
|
|
758
|
+
noProxy?: string | undefined;
|
|
759
|
+
} | undefined;
|
|
760
|
+
};
|
|
761
|
+
filesystem: {
|
|
762
|
+
denyRead: string[];
|
|
763
|
+
allowWrite: string[];
|
|
764
|
+
denyWrite: string[];
|
|
765
|
+
disabled?: boolean | undefined;
|
|
766
|
+
allowRead?: string[] | undefined;
|
|
767
|
+
allowGitConfig?: boolean | undefined;
|
|
768
|
+
};
|
|
769
|
+
credentials?: {
|
|
770
|
+
files?: {
|
|
771
|
+
mode: "deny" | "mask";
|
|
772
|
+
path: string;
|
|
773
|
+
injectHosts?: string[] | undefined;
|
|
774
|
+
}[] | undefined;
|
|
775
|
+
envVars?: {
|
|
776
|
+
mode: "deny" | "mask";
|
|
777
|
+
name: string;
|
|
778
|
+
injectHosts?: string[] | undefined;
|
|
779
|
+
}[] | undefined;
|
|
780
|
+
allowPlaintextInject?: boolean | undefined;
|
|
781
|
+
} | undefined;
|
|
782
|
+
ignoreViolations?: Record<string, string[]> | undefined;
|
|
783
|
+
enableWeakerNestedSandbox?: boolean | undefined;
|
|
784
|
+
enableWeakerNetworkIsolation?: boolean | undefined;
|
|
785
|
+
allowAppleEvents?: boolean | undefined;
|
|
786
|
+
ripgrep?: {
|
|
787
|
+
command: string;
|
|
788
|
+
args?: string[] | undefined;
|
|
789
|
+
argv0?: string | undefined;
|
|
790
|
+
} | undefined;
|
|
791
|
+
mandatoryDenySearchDepth?: number | undefined;
|
|
792
|
+
allowPty?: boolean | undefined;
|
|
793
|
+
allowBrowserProcess?: boolean | undefined;
|
|
794
|
+
seccomp?: {
|
|
795
|
+
argv0?: string | undefined;
|
|
796
|
+
applyPath?: string | undefined;
|
|
797
|
+
} | undefined;
|
|
798
|
+
bwrapPath?: string | undefined;
|
|
799
|
+
socatPath?: string | undefined;
|
|
800
|
+
windows?: {
|
|
801
|
+
groupName: string;
|
|
802
|
+
asSandboxUser: boolean;
|
|
803
|
+
groupSid?: string | undefined;
|
|
804
|
+
wfpSublayerGuid?: string | undefined;
|
|
805
|
+
proxyPortRange?: [number, number] | undefined;
|
|
806
|
+
} | undefined;
|
|
807
|
+
}, {
|
|
808
|
+
network: {
|
|
809
|
+
allowedDomains: string[];
|
|
810
|
+
deniedDomains: string[];
|
|
811
|
+
strictAllowlist?: boolean | undefined;
|
|
812
|
+
allowUnixSockets?: string[] | undefined;
|
|
813
|
+
allowAllUnixSockets?: boolean | undefined;
|
|
814
|
+
allowLocalBinding?: boolean | undefined;
|
|
815
|
+
allowMachLookup?: string[] | undefined;
|
|
816
|
+
httpProxyPort?: number | undefined;
|
|
817
|
+
socksProxyPort?: number | undefined;
|
|
818
|
+
mitmProxy?: {
|
|
819
|
+
socketPath: string;
|
|
820
|
+
domains: string[];
|
|
821
|
+
} | undefined;
|
|
822
|
+
filterRequest?: FilterRequestCallback | undefined;
|
|
823
|
+
tlsTerminate?: {
|
|
824
|
+
caCertPath?: string | undefined;
|
|
825
|
+
caKeyPath?: string | undefined;
|
|
826
|
+
excludeDomains?: string[] | undefined;
|
|
827
|
+
} | undefined;
|
|
828
|
+
parentProxy?: {
|
|
829
|
+
http?: string | undefined;
|
|
830
|
+
https?: string | undefined;
|
|
831
|
+
noProxy?: string | undefined;
|
|
832
|
+
} | undefined;
|
|
833
|
+
};
|
|
834
|
+
filesystem: {
|
|
835
|
+
denyRead: string[];
|
|
836
|
+
allowWrite: string[];
|
|
837
|
+
denyWrite: string[];
|
|
838
|
+
disabled?: boolean | undefined;
|
|
839
|
+
allowRead?: string[] | undefined;
|
|
840
|
+
allowGitConfig?: boolean | undefined;
|
|
841
|
+
};
|
|
842
|
+
credentials?: {
|
|
843
|
+
files?: {
|
|
844
|
+
mode: "deny" | "mask";
|
|
845
|
+
path: string;
|
|
846
|
+
injectHosts?: string[] | undefined;
|
|
847
|
+
}[] | undefined;
|
|
848
|
+
envVars?: {
|
|
849
|
+
mode: "deny" | "mask";
|
|
850
|
+
name: string;
|
|
851
|
+
injectHosts?: string[] | undefined;
|
|
852
|
+
}[] | undefined;
|
|
853
|
+
allowPlaintextInject?: boolean | undefined;
|
|
854
|
+
} | undefined;
|
|
478
855
|
ignoreViolations?: Record<string, string[]> | undefined;
|
|
479
856
|
enableWeakerNestedSandbox?: boolean | undefined;
|
|
480
857
|
enableWeakerNetworkIsolation?: boolean | undefined;
|
|
@@ -497,6 +874,7 @@ export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
|
|
|
497
874
|
groupName?: string | undefined;
|
|
498
875
|
groupSid?: string | undefined;
|
|
499
876
|
wfpSublayerGuid?: string | undefined;
|
|
877
|
+
asSandboxUser?: boolean | undefined;
|
|
500
878
|
proxyPortRange?: [number, number] | undefined;
|
|
501
879
|
} | undefined;
|
|
502
880
|
}>;
|
|
@@ -504,6 +882,10 @@ export type MitmProxyConfig = z.infer<typeof MitmProxyConfigSchema>;
|
|
|
504
882
|
export type ParentProxyConfig = z.infer<typeof ParentProxyConfigSchema>;
|
|
505
883
|
export type NetworkConfig = z.infer<typeof NetworkConfigSchema>;
|
|
506
884
|
export type FilesystemConfig = z.infer<typeof FilesystemConfigSchema>;
|
|
885
|
+
export type CredentialMode = z.infer<typeof credentialModeSchema>;
|
|
886
|
+
export type CredentialFileConfig = z.infer<typeof CredentialFileConfigSchema>;
|
|
887
|
+
export type CredentialEnvVarConfig = z.infer<typeof CredentialEnvVarConfigSchema>;
|
|
888
|
+
export type CredentialsConfig = z.infer<typeof CredentialsConfigSchema>;
|
|
507
889
|
export type IgnoreViolationsConfig = z.infer<typeof IgnoreViolationsConfigSchema>;
|
|
508
890
|
export type RipgrepConfig = z.infer<typeof RipgrepConfigSchema>;
|
|
509
891
|
export type SeccompConfig = z.infer<typeof SeccompConfigSchema>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sandbox-config.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-config.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AAGhE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;
|
|
1
|
+
{"version":3,"file":"sandbox-config.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-config.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAA;AAGhE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAiEvB;;;GAGG;AACH,QAAA,MAAM,qBAAqB;;;;;;;;;EAQzB,CAAA;AAEF;;;;GAIG;AACH,QAAA,MAAM,uBAAuB;;;;;;;;;;;;EAoB3B,CAAA;AAEF;;;;;;;;;GASG;AACH,QAAA,MAAM,oBAAoB,6BAA2B,CAAA;AAcrD;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;EAerC,CAAA;AAEF;;GAEG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;EAcvC,CAAA;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAsBzB,CAAA;AAEX;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAqI9B,CAAA;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;EAgCjC,CAAA;AAEF;;;GAGG;AACH,eAAO,MAAM,4BAA4B,2DAItC,CAAA;AAEH;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;EAY9B,CAAA;AAEF;;;;GAIG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;EAgD9B,CAAA;AAEF;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;EAa9B,CAAA;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2NnC,CAAA;AAGJ,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAA;AACnE,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA;AACvE,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAC/D,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA;AACrE,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAA;AACjE,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA;AAC7E,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAC1C,OAAO,4BAA4B,CACpC,CAAA;AACD,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA;AACvE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAC1C,OAAO,4BAA4B,CACpC,CAAA;AACD,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAC/D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAC/D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAC/D,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA"}
|