@sysid/sandbox-runtime-improved 0.0.56-sysid.1 → 0.0.64-sysid.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (129) hide show
  1. package/README.md +106 -4
  2. package/dist/cli.js +12 -18
  3. package/dist/cli.js.map +1 -1
  4. package/dist/index.d.ts +5 -5
  5. package/dist/index.d.ts.map +1 -1
  6. package/dist/index.js +2 -2
  7. package/dist/index.js.map +1 -1
  8. package/dist/sandbox/credential-mask-files.d.ts +157 -0
  9. package/dist/sandbox/credential-mask-files.d.ts.map +1 -0
  10. package/dist/sandbox/credential-mask-files.js +298 -0
  11. package/dist/sandbox/credential-mask-files.js.map +1 -0
  12. package/dist/sandbox/credential-sentinel.d.ts +72 -0
  13. package/dist/sandbox/credential-sentinel.d.ts.map +1 -0
  14. package/dist/sandbox/credential-sentinel.js +130 -0
  15. package/dist/sandbox/credential-sentinel.js.map +1 -0
  16. package/dist/sandbox/domain-pattern.d.ts +36 -0
  17. package/dist/sandbox/domain-pattern.d.ts.map +1 -0
  18. package/dist/sandbox/domain-pattern.js +60 -0
  19. package/dist/sandbox/domain-pattern.js.map +1 -0
  20. package/dist/sandbox/http-proxy.d.ts +33 -2
  21. package/dist/sandbox/http-proxy.d.ts.map +1 -1
  22. package/dist/sandbox/http-proxy.js +30 -2
  23. package/dist/sandbox/http-proxy.js.map +1 -1
  24. package/dist/sandbox/linux-sandbox-utils.d.ts +20 -0
  25. package/dist/sandbox/linux-sandbox-utils.d.ts.map +1 -1
  26. package/dist/sandbox/linux-sandbox-utils.js +134 -65
  27. package/dist/sandbox/linux-sandbox-utils.js.map +1 -1
  28. package/dist/sandbox/linux-violation-monitor.d.ts +48 -0
  29. package/dist/sandbox/linux-violation-monitor.d.ts.map +1 -0
  30. package/dist/sandbox/linux-violation-monitor.js +156 -0
  31. package/dist/sandbox/linux-violation-monitor.js.map +1 -0
  32. package/dist/sandbox/listen-in-range.d.ts +12 -0
  33. package/dist/sandbox/listen-in-range.d.ts.map +1 -0
  34. package/dist/sandbox/listen-in-range.js +43 -0
  35. package/dist/sandbox/listen-in-range.js.map +1 -0
  36. package/dist/sandbox/macos-sandbox-utils.d.ts +11 -0
  37. package/dist/sandbox/macos-sandbox-utils.d.ts.map +1 -1
  38. package/dist/sandbox/macos-sandbox-utils.js +72 -17
  39. package/dist/sandbox/macos-sandbox-utils.js.map +1 -1
  40. package/dist/sandbox/mitm-ca.d.ts +69 -2
  41. package/dist/sandbox/mitm-ca.d.ts.map +1 -1
  42. package/dist/sandbox/mitm-ca.js +188 -16
  43. package/dist/sandbox/mitm-ca.js.map +1 -1
  44. package/dist/sandbox/mitm-leaf.d.ts +1 -1
  45. package/dist/sandbox/mitm-leaf.d.ts.map +1 -1
  46. package/dist/sandbox/mitm-leaf.js +26 -19
  47. package/dist/sandbox/mitm-leaf.js.map +1 -1
  48. package/dist/sandbox/mux-proxy.d.ts +59 -0
  49. package/dist/sandbox/mux-proxy.d.ts.map +1 -0
  50. package/dist/sandbox/mux-proxy.js +159 -0
  51. package/dist/sandbox/mux-proxy.js.map +1 -0
  52. package/dist/sandbox/request-filter.d.ts +11 -1
  53. package/dist/sandbox/request-filter.d.ts.map +1 -1
  54. package/dist/sandbox/request-filter.js.map +1 -1
  55. package/dist/sandbox/sandbox-config.d.ts +461 -41
  56. package/dist/sandbox/sandbox-config.d.ts.map +1 -1
  57. package/dist/sandbox/sandbox-config.js +342 -26
  58. package/dist/sandbox/sandbox-config.js.map +1 -1
  59. package/dist/sandbox/sandbox-manager.d.ts +5 -1
  60. package/dist/sandbox/sandbox-manager.d.ts.map +1 -1
  61. package/dist/sandbox/sandbox-manager.js +697 -211
  62. package/dist/sandbox/sandbox-manager.js.map +1 -1
  63. package/dist/sandbox/sandbox-schemas.d.ts +15 -0
  64. package/dist/sandbox/sandbox-schemas.d.ts.map +1 -1
  65. package/dist/sandbox/sandbox-utils.d.ts +55 -6
  66. package/dist/sandbox/sandbox-utils.d.ts.map +1 -1
  67. package/dist/sandbox/sandbox-utils.js +143 -30
  68. package/dist/sandbox/sandbox-utils.js.map +1 -1
  69. package/dist/sandbox/socks-proxy.d.ts +11 -5
  70. package/dist/sandbox/socks-proxy.d.ts.map +1 -1
  71. package/dist/sandbox/socks-proxy.js +13 -81
  72. package/dist/sandbox/socks-proxy.js.map +1 -1
  73. package/dist/sandbox/tls-terminate-proxy.d.ts +2 -2
  74. package/dist/sandbox/tls-terminate-proxy.d.ts.map +1 -1
  75. package/dist/sandbox/tls-terminate-proxy.js +31 -5
  76. package/dist/sandbox/tls-terminate-proxy.js.map +1 -1
  77. package/dist/sandbox/windows-sandbox-utils.d.ts +508 -116
  78. package/dist/sandbox/windows-sandbox-utils.d.ts.map +1 -1
  79. package/dist/sandbox/windows-sandbox-utils.js +721 -209
  80. package/dist/sandbox/windows-sandbox-utils.js.map +1 -1
  81. package/dist/utils/shell-quote.d.ts +27 -0
  82. package/dist/utils/shell-quote.d.ts.map +1 -0
  83. package/dist/utils/shell-quote.js +47 -0
  84. package/dist/utils/shell-quote.js.map +1 -0
  85. package/package.json +7 -6
  86. package/vendor/seccomp/arm64/apply-seccomp +0 -0
  87. package/vendor/seccomp/build.ts +8 -30
  88. package/vendor/seccomp/x64/apply-seccomp +0 -0
  89. package/vendor/srt-win/build.ts +21 -0
  90. package/dist/vendor/seccomp/Dockerfile.build +0 -6
  91. package/dist/vendor/seccomp/arm64/apply-seccomp +0 -0
  92. package/dist/vendor/seccomp/build.ts +0 -91
  93. package/dist/vendor/seccomp/x64/apply-seccomp +0 -0
  94. package/dist/vendor/seccomp-src/apply-seccomp.c +0 -280
  95. package/dist/vendor/seccomp-src/seccomp-unix-block.c +0 -148
  96. package/dist/vendor/srt-win/Cargo.lock +0 -361
  97. package/dist/vendor/srt-win/Cargo.toml +0 -46
  98. package/dist/vendor/srt-win/ci/cleanup.ps1 +0 -49
  99. package/dist/vendor/srt-win/ci/smoke-exec.ps1 +0 -446
  100. package/dist/vendor/srt-win/ci/smoke.ps1 +0 -307
  101. package/dist/vendor/srt-win/src/job.rs +0 -102
  102. package/dist/vendor/srt-win/src/launch.rs +0 -732
  103. package/dist/vendor/srt-win/src/lib.rs +0 -20
  104. package/dist/vendor/srt-win/src/main.rs +0 -669
  105. package/dist/vendor/srt-win/src/self_protect.rs +0 -169
  106. package/dist/vendor/srt-win/src/sid.rs +0 -296
  107. package/dist/vendor/srt-win/src/token.rs +0 -341
  108. package/dist/vendor/srt-win/src/util.rs +0 -42
  109. package/dist/vendor/srt-win/src/wfp.rs +0 -992
  110. package/dist/vendor/srt-win/src/winsta.rs +0 -209
  111. package/dist/vendor/srt-win/tests/sd_access_check_matrix.rs +0 -259
  112. package/vendor/seccomp-src/apply-seccomp.c +0 -280
  113. package/vendor/seccomp-src/seccomp-unix-block.c +0 -148
  114. package/vendor/srt-win/Cargo.lock +0 -361
  115. package/vendor/srt-win/Cargo.toml +0 -46
  116. package/vendor/srt-win/ci/cleanup.ps1 +0 -49
  117. package/vendor/srt-win/ci/smoke-exec.ps1 +0 -446
  118. package/vendor/srt-win/ci/smoke.ps1 +0 -307
  119. package/vendor/srt-win/src/job.rs +0 -102
  120. package/vendor/srt-win/src/launch.rs +0 -732
  121. package/vendor/srt-win/src/lib.rs +0 -20
  122. package/vendor/srt-win/src/main.rs +0 -669
  123. package/vendor/srt-win/src/self_protect.rs +0 -169
  124. package/vendor/srt-win/src/sid.rs +0 -296
  125. package/vendor/srt-win/src/token.rs +0 -341
  126. package/vendor/srt-win/src/util.rs +0 -42
  127. package/vendor/srt-win/src/wfp.rs +0 -992
  128. package/vendor/srt-win/src/winsta.rs +0 -209
  129. package/vendor/srt-win/tests/sd_access_check_matrix.rs +0 -259
package/README.md CHANGED
@@ -5,7 +5,7 @@
5
5
 
6
6
  Based on [Anthropic Sandbox Runtime](https://github.com/anthropic-experimental/sandbox-runtime).
7
7
 
8
- This fork will be rebased on [SRT](https://github.com/anthropic-experimental/sandbox-runtime) continuously (currently based on upstream **v0.0.56**).
8
+ This fork will be rebased on [SRT](https://github.com/anthropic-experimental/sandbox-runtime) continuously (currently based on upstream **v0.0.64**).
9
9
  As new features become available, equivalent local ones will be removed.
10
10
 
11
11
  > Objective: keep as close to original as possible, while allowing selected additional features.
@@ -129,6 +129,7 @@ The sandbox uses OS-level primitives to enforce restrictions that apply to the e
129
129
 
130
130
  - **macOS**: Uses `sandbox-exec` with dynamically generated [Seatbelt profiles](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf)
131
131
  - **Linux**: Uses [bubblewrap](https://github.com/containers/bubblewrap) for containerization with network namespace isolation
132
+ - **Windows**: Runs the sandboxed process under a dedicated `srt-sandbox` local user account, with a [Windows Filtering Platform](https://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-start-page) egress fence keyed on that account's SID and per-session explicit ACEs on the working tree
132
133
 
133
134
  ![0d1c612947c798aef48e6ab4beb7e8544da9d41a-4096x2305](https://github.com/user-attachments/assets/76c838a9-19ef-4d0b-90bb-cbe1917b3551)
134
135
 
@@ -147,6 +148,8 @@ Both filesystem and network isolation are required for effective sandboxing. Wit
147
148
 
148
149
  - **macOS**: The Seatbelt profile allows communication only to a specific localhost port. The proxies listen on this port, creating a controlled channel for all network access
149
150
 
151
+ - **Windows**: A machine-wide WFP filter set blocks all outbound connections originating from the `srt-sandbox` account except loopback to the proxy port range. The proxies listen inside that range, creating a controlled channel for all network access
152
+
150
153
  Both HTTP/HTTPS (via HTTP proxy) and other TCP traffic (via SOCKS5 proxy) are mediated by these proxies, which enforce your domain allowlists and denylists.
151
154
 
152
155
  For more details on sandboxing in Claude Code, see:
@@ -174,7 +177,8 @@ src/
174
177
  ├── parent-proxy.ts # Upstream/parent proxy chaining
175
178
  ├── socks-proxy.ts # SOCKS5 proxy for network filtering
176
179
  ├── linux-sandbox-utils.ts # Linux bubblewrap sandboxing
177
- └── macos-sandbox-utils.ts # macOS sandbox-exec sandboxing
180
+ ├── macos-sandbox-utils.ts # macOS sandbox-exec sandboxing
181
+ └── windows-sandbox-utils.ts # Windows srt-win sandboxing
178
182
  ```
179
183
 
180
184
  ## Usage
@@ -320,6 +324,26 @@ Uses an **allow-only pattern** - all network access is denied by default.
320
324
  - `https` - Proxy URL for HTTPS/CONNECT traffic (falls back to `http` if unset)
321
325
  - `noProxy` - Comma-separated bypass list: hostname suffixes and CIDR ranges that connect directly
322
326
 
327
+ **TLS termination** (`network.tlsTerminate`, experimental): when set, HTTPS CONNECTs are terminated in-process so SRT can see (and filter, via `network.filterRequest`) the decrypted requests. The sandboxed process is pointed at a trust bundle containing the MITM CA (`caCertPath`/`caKeyPath`, or an ephemeral CA if omitted) plus the host's regular roots, so proxy-minted certificates and real upstream certificates both verify.
328
+
329
+ - `network.tlsTerminate.excludeDomains` - Domain patterns (same syntax as `allowedDomains`) that are **not** terminated. Matching CONNECTs are tunnelled opaquely instead: they are still subject to the domain allowlist, but the client inside the sandbox completes its own TLS handshake with the real upstream, and `filterRequest` / credential injection do not apply to their HTTPS traffic. Use this for the two cases TLS termination fundamentally breaks:
330
+ - **mTLS upstreams** - only the in-sandbox client holds the client certificate, so the proxy cannot re-originate the connection on its behalf.
331
+ - **Certificate-pinning clients** - clients that verify the upstream's identity themselves (custom CAs, SAN pinning) and reject the MITM certificate.
332
+ - `network.tlsTerminate.extraCaCertPaths` - Paths to PEM CA certificate files appended to that trust bundle, after the MITM CA and the host's regular roots. Excluded (non-terminated) hosts are verified by the client inside the sandbox, and the trust env vars SRT sets (`SSL_CERT_FILE`, `GIT_SSL_CAINFO`, ...) _replace_ each tool's own trust configuration, so a site-local root (e.g. an internal mTLS CA) must be in the bundle or those hosts can never be verified. Only the `CERTIFICATE` blocks of each file are copied into the bundle (anything else, e.g. a private key in a combined PEM, is never exposed to the sandbox); files that are missing, unreadable, or contain no PEM `CERTIFICATE` block are skipped, so it is safe to list paths that exist on only some hosts.
333
+
334
+ ```json
335
+ {
336
+ "network": {
337
+ "allowedDomains": ["*.example.com", "internal-mtls.example.net"],
338
+ "deniedDomains": [],
339
+ "tlsTerminate": {
340
+ "excludeDomains": ["internal-mtls.example.net"],
341
+ "extraCaCertPaths": ["/etc/internal-mtls-roots.pem"]
342
+ }
343
+ }
344
+ }
345
+ ```
346
+
323
347
  **Unix Socket Settings** (platform-specific behavior):
324
348
 
325
349
  | Setting | macOS | Linux |
@@ -455,7 +479,7 @@ Watchman accesses files outside the sandbox boundaries, which will trigger permi
455
479
 
456
480
  - **macOS**: Uses `sandbox-exec` with custom profiles (no additional dependencies)
457
481
  - **Linux**: Uses `bubblewrap` (bwrap) for containerization
458
- - **Windows**: Not yet supported
482
+ - **Windows**: Alpha uses a bundled `srt-win.exe` helper (no additional dependencies). See [Windows (alpha)](#windows-alpha) below for setup, security model, and known limitations
459
483
 
460
484
  ### Platform-Specific Dependencies
461
485
 
@@ -498,6 +522,83 @@ The package includes pre-generated seccomp BPF filters for x86-64 and arm archit
498
522
  - Install via Homebrew: `brew install ripgrep`
499
523
  - Or download from: https://github.com/BurntSushi/ripgrep/releases
500
524
 
525
+ **Windows requires:**
526
+
527
+ - No additional dependencies. The `srt-win.exe` helper (x64 and arm64) is bundled with the npm package. A one-time elevated `windows-install` step is required — see below.
528
+
529
+ ## Windows (alpha)
530
+
531
+ Windows support is **alpha**. The sandboxed process runs under a dedicated `srt-sandbox` local user account, isolated from the calling user by native Windows security primitives — a Windows Filtering Platform (WFP) egress fence keyed on the sandbox account's SID, and per-session explicit ACEs that grant or deny that SID access to configured filesystem paths.
532
+
533
+ ### Setup
534
+
535
+ Run once per machine (self-elevates; one UAC prompt):
536
+
537
+ ```powershell
538
+ npx @sysid/sandbox-runtime-improved windows-install
539
+ ```
540
+
541
+ This provisions the `srt-sandbox` local user account (with a random password stored DPAPI-encrypted under `%LOCALAPPDATA%\sandbox-runtime\state.db`), the `sandbox-runtime-users` local group, and installs a machine-wide WFP filter set keyed on the `srt-sandbox` SID. It is **idempotent** — re-running it rotates the sandbox account's password and reconciles the filter set.
542
+
543
+ **No logout is required.** The WFP filters key on the dedicated sandbox account's SID, so your own network, services, and every other principal on the machine are unaffected.
544
+
545
+ After install, `SandboxManager.initialize()` and the `srti` CLI work as on other platforms. `initialize()` verifies the sandbox account and WFP fence are live, and fails with an actionable error if not.
546
+
547
+ Programmatic install/uninstall are exported as `installWindowsSandbox()` / `uninstallWindowsSandbox()`.
548
+
549
+ ### Security model
550
+
551
+ The sandboxed command runs **as the `srt-sandbox` account**, not as the calling user. The bundled `srt-win.exe` helper does a two-hop launch: the broker calls `CreateProcessWithLogonW` to start a runner as `srt-sandbox`, and the runner spawns the target under a restricted token inside a job object. The child inherits the sandbox account's isolated profile (`%USERPROFILE%`, `%TEMP%`, `HKCU`) and a fresh environment overlaid with only the broker's `PATH` and the generated proxy variables.
552
+
553
+ Running under a distinct user SID structurally closes the surrogate-spawn class of escape (Task Scheduler, `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS` onto a broker-owned process, BITS, out-of-process COM with `RunAs="Interactive User"`): any process the child manages to spawn out-of-band still carries the `srt-sandbox` SID, so it remains subject to the WFP egress fence and has no rights on the calling user's files.
554
+
555
+ **Network isolation** is a two-filter WFP set at `FWPM_LAYER_ALE_AUTH_CONNECT_V4/V6`: a PERMIT for loopback destinations inside the configured proxy port range (default `60080–60089`), and a BLOCK for any connect whose token carries the `srt-sandbox` SID. The sandboxed process reaches the internet only via the JS HTTP/SOCKS5 proxies listening in that range; a process that strips its proxy environment and connects directly is blocked at the kernel.
556
+
557
+ **Filesystem isolation** is enforced by NTFS discretionary ACLs. The `srt-sandbox` account has no inherent rights on the calling user's files, so at `initialize()` the sandbox writes **additive, inheriting explicit ACEs for the `srt-sandbox` SID only** — it never rewrites or replaces a path's existing security descriptor:
558
+
559
+ - `filesystem.allowWrite` → an inheriting `MODIFY` ALLOW ACE (`READ|WRITE|EXECUTE|DELETE`, with `FILE_DELETE_CHILD` withheld). The sandboxed process can create, modify, and delete files inside the working tree; withholding `FILE_DELETE_CHILD` from the grant is defense-in-depth for the deny stamps below, not a guard on the tree root.
560
+ - `filesystem.allowRead` → an inheriting `READ|EXECUTE` ALLOW ACE
561
+ - `filesystem.denyRead` / `filesystem.denyWrite` → an inheriting DENY ACE on the target, plus an inheriting `FILE_DELETE_CHILD` DENY on its parent — together with the withheld `FILE_DELETE_CHILD` on the working-tree grant, this stops the sandboxed process from renaming or deleting a denied path via its parent directory
562
+
563
+ `reset()` removes every ACE this session added (refcounted across concurrent hosts via `state.db`; a crash-recovery pass on the next `initialize()` cleans up after an unclean exit). Directory targets are supported (the ACEs inherit to the whole subtree). Glob patterns are expanded to concrete paths at `initialize()` time — a matching path that appears later is not covered.
564
+
565
+ ### TLS termination on Windows
566
+
567
+ `network.tlsTerminate` requires the MITM CA to be present in the **sandbox user's** `CurrentUser\Root` certificate store (schannel — the TLS backend used by `System32\curl.exe`, PowerShell `Invoke-WebRequest`, .NET, and default-backend `git` — trusts only the OS store, not environment variables). This is an install-time step, separate from `windows-install`:
568
+
569
+ ```typescript
570
+ import { windowsTrustCa } from '@sysid/sandbox-runtime-improved'
571
+ windowsTrustCa('/path/to/mitm-ca.crt') // or: srt-win user trust-ca <path>
572
+ ```
573
+
574
+ `initialize()` compares the session CA's thumbprint against the installed one and fails with an actionable message on mismatch, so a stale install-time CA cannot silently break TLS inside the sandbox.
575
+
576
+ OpenSSL-backed clients (msys2 `curl`, `git -c http.sslBackend=openssl`, Node, Python, cargo) are covered by the env-var trust layer: the same trust bundle used on macOS/Linux is passed into the sandbox via `NODE_EXTRA_CA_CERTS`, `SSL_CERT_FILE`, `CURL_CA_BUNDLE`, `GIT_SSL_CAINFO`, `CARGO_HTTP_CAINFO`, etc., and the bundle path is added to the session's `allowRead` grant so the sandbox account can open it.
577
+
578
+ ### Windows-specific configuration
579
+
580
+ The cross-platform `filesystem` and `network` blocks apply as described above. Windows-only settings live under `windows`:
581
+
582
+ - `windows.proxyPortRange` — `[low, high]` inclusive port range the JS proxies bind inside. **Must match** the range passed to `windows-install --proxy-port-range` (default `[60080, 60089]`) — the WFP loopback PERMIT only covers that range.
583
+ - `windows.sublayerGuid` — WFP sublayer GUID under which the filters were installed. Omit to use the compile-time default; set only when enterprise tooling installed the filters under a custom sublayer.
584
+ - `windows.srtWin.path` — path to the `srt-win` binary. Omit to resolve the packaged `vendor/srt-win/<arch>/srt-win.exe`. Set when embedding `srt-win`'s CLI into a multicall binary; spawns then pass `--srt-win` as `argv[1]` so the embedder's dispatcher can route to `srt_win::run_from_args`.
585
+
586
+ ### Known limitations
587
+
588
+ - **Certificate revocation under schannel.** CryptoAPI's CRL/OCSP fetch goes out via WinHTTP under the caller's token, ignoring the proxy environment, so it is blocked by the WFP egress fence. Tools that use schannel with revocation checking on by default fail with `CRYPT_E_REVOCATION_OFFLINE` (`0x80092013`) unless revocation is disabled per tool: `curl --ssl-no-revoke`, `git -c http.schannelCheckRevoke=false`, `CARGO_HTTP_CHECK_REVOKE=false`. `Invoke-WebRequest`, .NET `HttpClient`, and `gh` do not check revocation by default and are unaffected. A CRL distribution point served from the loopback proxy is planned to remove this workaround.
589
+ - **Per-user tool installs are not reachable.** The sandboxed process runs as `srt-sandbox`, not as you, so tools installed under your profile (nvm/fnm-managed Node, per-user `winget`/Scoop packages, `pip install --user`, `%LOCALAPPDATA%\Programs\…`) resolve on the inherited `PATH` but cannot be opened by the sandbox account. Prefer machine-wide installs (`Program Files`, `choco`/`winget --scope machine`), or add the specific profile paths to `filesystem.allowRead`.
590
+ - **Per-exec `filesystem.allowRead` / `filesystem.allowWrite` overrides are not supported.** Session-level `allowRead`/`allowWrite` (in the config passed to `initialize()`) work as described above; passing them per-command in `wrapWithSandbox`'s `customConfig` throws — grants are applied session-wide via `srt-win acl grant` at `initialize()`, and `srt-win exec` only exposes per-exec denies.
591
+ - **`proxyAuthToken` is visible in the runner's command line.** The proxy environment (including `HTTP_PROXY=http://srt:<token>@127.0.0.1:…`) is passed to the two-hop runner as `--env` arguments on `srt-win exec`'s argv, so the token is readable by any local principal that can open the runner process for `PROCESS_QUERY_LIMITED_INFORMATION`. The token exists so the sandboxed process can authenticate to the loopback proxy, so it is not a secret from the sandbox itself; on a single-user development machine this is generally acceptable, but on a shared host treat the proxy allowlist as reachable by other same-session principals.
592
+ - **DNS resolution via the system resolver is not fenced.** `getaddrinfo()` is serviced by the `Dnscache` service running as `NETWORK SERVICE`, so name resolution succeeds even though the subsequent `connect()` from the sandboxed process is blocked. Tools that do their own UDP/53 (`nslookup`, `dig`) are fenced. This mirrors the macOS behaviour.
593
+
594
+ ### Uninstall
595
+
596
+ ```powershell
597
+ npx @sysid/sandbox-runtime-improved windows-uninstall
598
+ ```
599
+
600
+ Removes the WFP filter set, the `srt-sandbox` account and its profile, the `sandbox-runtime-users` group, and clears the credential/setup marker from `state.db` (one UAC prompt). `%LOCALAPPDATA%\sandbox-runtime\state.db` itself is left in place (it is ACL-stamped broker-only); delete the directory manually for a full sweep.
601
+
501
602
  ## Development
502
603
 
503
604
  ```bash
@@ -540,7 +641,7 @@ The sandbox runs HTTP and SOCKS5 proxy servers on the host machine that filter a
540
641
 
541
642
  - **macOS**: The Seatbelt profile allows communication only to specific localhost ports where the proxies listen. All other network access is blocked.
542
643
 
543
- **Parent/upstream proxy chaining:** When running behind a corporate proxy, configure `network.parentProxy` (or set `HTTP_PROXY`/`HTTPS_PROXY`/`NO_PROXY` environment variables) to chain the sandbox's proxies through an upstream proxy. Both HTTP and SOCKS5 traffic will tunnel through the parent proxy via CONNECT. Destinations matching `noProxy` patterns bypass the parent and connect directly.
644
+ - **Windows**: A WFP `ALE_AUTH_CONNECT` filter blocks every outbound connect from the `srt-sandbox` account except loopback to the configured proxy port range. The proxies bind inside that range. Environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, `ALL_PROXY`, …) point tools at the proxies, but the WFP filter is the boundary a process that ignores or unsets them is still fenced.
544
645
 
545
646
  ### Filesystem Isolation
546
647
 
@@ -548,6 +649,7 @@ Filesystem restrictions are enforced at the OS level:
548
649
 
549
650
  - **macOS**: Uses `sandbox-exec` with dynamically generated Seatbelt profiles that specify allowed read/write paths
550
651
  - **Linux**: Uses `bubblewrap` with bind mounts, marking directories as read-only or read-write based on configuration
652
+ - **Windows**: Writes additive `(OI)(CI)` explicit ACEs for the `srt-sandbox` SID onto the configured paths (ALLOW on `allowRead`/`allowWrite`, DENY on `denyRead`/`denyWrite`), then removes them at `reset()`
551
653
 
552
654
  **Default filesystem permissions:**
553
655
 
package/dist/cli.js CHANGED
@@ -1,5 +1,5 @@
1
1
  #!/usr/bin/env node
2
- import shellquote from 'shell-quote';
2
+ import { quote } from './utils/shell-quote.js';
3
3
  import { Command } from 'commander';
4
4
  import { SandboxManager } from './index.js';
5
5
  import { spawn } from 'child_process';
@@ -46,12 +46,11 @@ async function main() {
46
46
  // available programmatically as installWindowsSandbox().
47
47
  program
48
48
  .command('windows-install')
49
- .description('Windows: create the discriminator group + install WFP filters ' +
50
- '(one UAC prompt). Then log out and back in.')
51
- .option('--name <group>', 'discriminator group name')
52
- .option('--group-sid <sid>', 'discriminator group SID (overrides --name)')
49
+ .description('Windows: provision the `srt-sandbox` user account + install WFP ' +
50
+ 'filters (one UAC prompt). No logout needed.')
53
51
  .option('--sublayer-guid <guid>', 'WFP sublayer GUID')
54
52
  .option('--proxy-port-range <lo-hi>', 'loopback PERMIT port range (e.g. 60080-60089)')
53
+ .option('--sandbox-user <name>', 'name for the sandbox user account (default: srt-sandbox)')
55
54
  .option('--force', 'replace an existing install with different config')
56
55
  .action(async (o) => {
57
56
  const { installWindowsSandbox } = await import('./sandbox/windows-sandbox-utils.js');
@@ -60,10 +59,9 @@ async function main() {
60
59
  : undefined;
61
60
  try {
62
61
  const r = installWindowsSandbox({
63
- groupName: o.name,
64
- groupSid: o.groupSid,
65
62
  sublayerGuid: o.sublayerGuid,
66
63
  proxyPortRange: range,
64
+ sandboxUser: o.sandboxUser,
67
65
  force: Boolean(o.force),
68
66
  });
69
67
  if (r.cancelled) {
@@ -71,19 +69,16 @@ async function main() {
71
69
  process.exit(2);
72
70
  }
73
71
  console.log(`Installed.\n` +
74
- ` group: ${r.group.state}` +
75
- (r.group.sid ? ` (${r.group.sid})` : '') +
72
+ ` sandbox user: ${r.user.provisioned ? 'provisioned' : 'MISSING'}` +
73
+ (r.user.sid ? ` (${r.user.sid})` : '') +
76
74
  `\n` +
77
75
  ` WFP: ${r.wfp.state}, ${r.wfp.filters} filters` +
78
76
  (r.wfp.portRange
79
77
  ? `, port range ${r.wfp.portRange[0]}-${r.wfp.portRange[1]}`
80
78
  : '') +
81
79
  `\n\n` +
82
- (r.group.state === 'ready'
83
- ? `Group is already in your token no logout needed.`
84
- : `→ LOG OUT and back in so the group SID enters your token.\n` +
85
- ` Network stays up meanwhile (WFP filter-0 PERMITs ` +
86
- `non-members).`));
80
+ `No logout needed — the WFP filter keys on the dedicated ` +
81
+ `\`srt-sandbox\` user's SID, so your network is unaffected.`);
87
82
  }
88
83
  catch (e) {
89
84
  console.error(`Error: ${e.message}`);
@@ -92,8 +87,7 @@ async function main() {
92
87
  });
93
88
  program
94
89
  .command('windows-uninstall')
95
- .description('Windows: remove WFP filters (one UAC prompt). Group is kept — ' +
96
- 'use `srt-win.exe group delete` for full teardown.')
90
+ .description('Windows: remove WFP filters + the `srt-sandbox` account (one UAC prompt).')
97
91
  .option('--sublayer-guid <guid>', 'WFP sublayer GUID')
98
92
  .action(async (o) => {
99
93
  const { uninstallWindowsSandbox } = await import('./sandbox/windows-sandbox-utils.js');
@@ -103,7 +97,7 @@ async function main() {
103
97
  console.error('Uninstall cancelled at the UAC prompt.');
104
98
  process.exit(2);
105
99
  }
106
- console.log('WFP filters removed. Group membership kept.');
100
+ console.log('WFP filters and `srt-sandbox` account removed.');
107
101
  }
108
102
  catch (e) {
109
103
  console.error(`Error: ${e.message}`);
@@ -191,7 +185,7 @@ async function main() {
191
185
  // executed via `bash -c <command>`, so each arg must be
192
186
  // shell-quoted to survive that re-parse — a plain join(' ')
193
187
  // splits arguments containing whitespace (#157).
194
- command = shellquote.quote(commandArgs);
188
+ command = quote(commandArgs);
195
189
  logForDebugging(`Original command: ${command}`);
196
190
  }
197
191
  else {
package/dist/cli.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,UAAU,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAC3E,OAAO,KAAK,QAAQ,MAAM,UAAU,CAAA;AACpC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAA;AAEtC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AAC9C,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAA;AAE9C;;GAEG;AACH,SAAS,oBAAoB;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,oBAAoB,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,OAAO;QACL,OAAO,EAAE;YACP,cAAc,EAAE,EAAE;YAClB,aAAa,EAAE,EAAE;SAClB;QACD,UAAU,EAAE;YACV,QAAQ,EAAE,EAAE;YACZ,SAAS,EAAE,EAAE;YACb,UAAU,EAAE,EAAE;YACd,SAAS,EAAE,EAAE;SACd;KACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;IAE7B,OAAO;SACJ,IAAI,CAAC,MAAM,CAAC;SACZ,WAAW,CACV,oEAAoE,CACrE;SACA,OAAO,CAAC,OAAO,CAAC,CAAA;IAEnB,iEAAiE;IACjE,yDAAyD;IACzD,yDAAyD;IACzD,OAAO;SACJ,OAAO,CAAC,iBAAiB,CAAC;SAC1B,WAAW,CACV,gEAAgE;QAC9D,6CAA6C,CAChD;SACA,MAAM,CAAC,gBAAgB,EAAE,0BAA0B,CAAC;SACpD,MAAM,CAAC,mBAAmB,EAAE,4CAA4C,CAAC;SACzE,MAAM,CAAC,wBAAwB,EAAE,mBAAmB,CAAC;SACrD,MAAM,CACL,4BAA4B,EAC5B,+CAA+C,CAChD;SACA,MAAM,CAAC,SAAS,EAAE,mDAAmD,CAAC;SACtE,MAAM,CAAC,KAAK,EAAE,CAA+C,EAAE,EAAE;QAChE,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAC5C,oCAAoC,CACrC,CAAA;QACD,MAAM,KAAK,GACT,OAAO,CAAC,CAAC,cAAc,KAAK,QAAQ;YAClC,CAAC,CAAE,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAsB;YAC/D,CAAC,CAAC,SAAS,CAAA;QACf,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,qBAAqB,CAAC;gBAC9B,SAAS,EAAE,CAAC,CAAC,IAA0B;gBACvC,QAAQ,EAAE,CAAC,CAAC,QAA8B;gBAC1C,YAAY,EAAE,CAAC,CAAC,YAAkC;gBAClD,cAAc,EAAE,KAAK;gBACrB,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;aACxB,CAAC,CAAA;YACF,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAA;gBACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC;YACD,OAAO,CAAC,GAAG,CACT,cAAc;gBACZ,YAAY,CAAC,CAAC,KAAK,CAAC,KAAK,EAAE;gBAC3B,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxC,IAAI;gBACJ,YAAY,CAAC,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,UAAU;gBACnD,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS;oBACd,CAAC,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;oBAC5D,CAAC,CAAC,EAAE,CAAC;gBACP,MAAM;gBACN,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,KAAK,OAAO;oBACxB,CAAC,CAAC,oDAAoD;oBACtD,CAAC,CAAC,6DAA6D;wBAC7D,qDAAqD;wBACrD,eAAe,CAAC,CACvB,CAAA;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,UAAW,CAAW,CAAC,OAAO,EAAE,CAAC,CAAA;YAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CAAC,CAAA;IAEJ,OAAO;SACJ,OAAO,CAAC,mBAAmB,CAAC;SAC5B,WAAW,CACV,gEAAgE;QAC9D,mDAAmD,CACtD;SACA,MAAM,CAAC,wBAAwB,EAAE,mBAAmB,CAAC;SACrD,MAAM,CAAC,KAAK,EAAE,CAAqC,EAAE,EAAE;QACtD,MAAM,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAC9C,oCAAoC,CACrC,CAAA;QACD,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,uBAAuB,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,YAAY,EAAE,CAAC,CAAA;YACnE,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAA;gBACvD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAA;QAC5D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,UAAW,CAAW,CAAC,OAAO,EAAE,CAAC,CAAA;YAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CAAC,CAAA;IAEJ,2CAA2C;IAC3C,OAAO;SACJ,QAAQ,CAAC,cAAc,EAAE,+BAA+B,CAAC;SACzD,MAAM,CAAC,aAAa,EAAE,sBAAsB,CAAC;SAC7C,MAAM,CACL,uBAAuB,EACvB,qDAAqD,CACtD;SACA,MAAM,CACL,cAAc,EACd,+DAA+D,CAChE;SACA,MAAM,CACL,mBAAmB,EACnB,gEAAgE,EAChE,QAAQ,CACT;SACA,kBAAkB,EAAE;SACpB,MAAM,CACL,KAAK,EACH,WAAqB,EACrB,OAKC,EACD,EAAE;QACF,IAAI,CAAC;YACH,6DAA6D;YAC7D,+DAA+D;YAC/D,oEAAoE;YACpE,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,SAAS,GAAG,MAAM,CAAA;YAChC,CAAC;YAED,wBAAwB;YACxB,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,IAAI,oBAAoB,EAAE,CAAA;YAC7D,IAAI,aAAa,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;YAE1C,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,iEAAiE;gBACjE,4DAA4D;gBAC5D,yDAAyD;gBACzD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACrB,OAAO,CAAC,KAAK,CACX,uCAAuC,UAAU,sCAAsC;wBACrF,0CAA0C,CAC7C,CAAA;oBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;gBACjB,CAAC;gBACD,eAAe,CACb,sBAAsB,UAAU,wBAAwB,CACzD,CAAA;gBACD,aAAa,GAAG,gBAAgB,EAAE,CAAA;YACpC,CAAC;YAED,iCAAiC;YACjC,eAAe,CAAC,yBAAyB,CAAC,CAAA;YAC1C,MAAM,cAAc,CAAC,UAAU,CAAC,aAAa,CAAC,CAAA;YAE9C,4DAA4D;YAC5D,IAAI,aAAa,GAA8B,IAAI,CAAA;YACnD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,MAAM,aAAa,GAAG,EAAE,CAAC,gBAAgB,CAAC,EAAE,EAAE;wBAC5C,EAAE,EAAE,OAAO,CAAC,SAAS;qBACtB,CAAC,CAAA;oBACF,aAAa,GAAG,QAAQ,CAAC,eAAe,CAAC;wBACvC,KAAK,EAAE,aAAa;wBACpB,SAAS,EAAE,QAAQ;qBACpB,CAAC,CAAA;oBAEF,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE;wBAC9B,MAAM,SAAS,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAA;wBAC5C,IAAI,SAAS,EAAE,CAAC;4BACd,eAAe,CACb,mCAAmC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAC/D,CAAA;4BACD,cAAc,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;wBACxC,CAAC;6BAAM,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;4BACvB,gDAAgD;4BAChD,eAAe,CACb,2CAA2C,IAAI,EAAE,CAClD,CAAA;wBACH,CAAC;oBACH,CAAC,CAAC,CAAA;oBAEF,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;wBAC9B,eAAe,CAAC,qBAAqB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;oBACrD,CAAC,CAAC,CAAA;oBAEF,eAAe,CACb,sCAAsC,OAAO,CAAC,SAAS,EAAE,CAC1D,CAAA;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,eAAe,CACb,6BAA6B,OAAO,CAAC,SAAS,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACtG,CAAA;gBACH,CAAC;YACH,CAAC;YAED,iCAAiC;YACjC,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;gBACtB,aAAa,EAAE,KAAK,EAAE,CAAA;YACxB,CAAC,CAAC,CAAA;YAEF,yCAAyC;YACzC,IAAI,OAAe,CAAA;YACnB,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC;gBACd,oDAAoD;gBACpD,OAAO,GAAG,OAAO,CAAC,CAAC,CAAA;gBACnB,eAAe,CAAC,6BAA6B,OAAO,EAAE,CAAC,CAAA;YACzD,CAAC;iBAAM,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,2DAA2D;gBAC3D,wDAAwD;gBACxD,4DAA4D;gBAC5D,iDAAiD;gBACjD,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,WAAW,CAAC,CAAA;gBACvC,eAAe,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAA;YACjD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CACX,6EAA6E,CAC9E,CAAA;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC;YAED,eAAe,CACb,IAAI,CAAC,SAAS,CACZ,cAAc,CAAC,2BAA2B,EAAE,EAC5C,IAAI,EACJ,CAAC,CACF,CACF,CAAA;YAED,yDAAyD;YACzD,yDAAyD;YACzD,uDAAuD;YACvD,uDAAuD;YACvD,0CAA0C;YAC1C,IAAI,KAAK,CAAA;YACT,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACjC,+DAA+D;gBAC/D,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GACjB,MAAM,cAAc,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAA;gBACnD,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;oBACpC,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,SAAS;oBAChB,GAAG;iBACJ,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,gBAAgB,GACpB,MAAM,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,CAAA;gBAC/C,KAAK,GAAG,KAAK,CAAC,gBAAgB,EAAE;oBAC9B,KAAK,EAAE,IAAI;oBACX,KAAK,EAAE,SAAS;iBACjB,CAAC,CAAA;YACJ,CAAC;YAED,sBAAsB;YACtB,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;gBAChC,uDAAuD;gBACvD,kEAAkE;gBAClE,8CAA8C;gBAC9C,cAAc,CAAC,mBAAmB,EAAE,CAAA;gBAEpC,IAAI,MAAM,EAAE,CAAC;oBACX,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;wBAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;oBACjB,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAA;wBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;oBACjB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;YAEF,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE;gBACxB,OAAO,CAAC,KAAK,CAAC,8BAA8B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;gBAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC,CAAC,CAAA;YAEF,8BAA8B;YAC9B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBACxB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YACtB,CAAC,CAAC,CAAA;YAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;gBACzB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YACvB,CAAC,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACnE,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CACF,CAAA;IAEH,OAAO,CAAC,KAAK,EAAE,CAAA;AACjB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAA;IACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}
1
+ {"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,KAAK,EAAE,MAAM,wBAAwB,CAAA;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAC3E,OAAO,KAAK,QAAQ,MAAM,UAAU,CAAA;AACpC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAA;AAEtC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AAC9C,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAA;AAE9C;;GAEG;AACH,SAAS,oBAAoB;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,oBAAoB,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,OAAO;QACL,OAAO,EAAE;YACP,cAAc,EAAE,EAAE;YAClB,aAAa,EAAE,EAAE;SAClB;QACD,UAAU,EAAE;YACV,QAAQ,EAAE,EAAE;YACZ,SAAS,EAAE,EAAE;YACb,UAAU,EAAE,EAAE;YACd,SAAS,EAAE,EAAE;SACd;KACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;IAE7B,OAAO;SACJ,IAAI,CAAC,MAAM,CAAC;SACZ,WAAW,CACV,oEAAoE,CACrE;SACA,OAAO,CAAC,OAAO,CAAC,CAAA;IAEnB,iEAAiE;IACjE,yDAAyD;IACzD,yDAAyD;IACzD,OAAO;SACJ,OAAO,CAAC,iBAAiB,CAAC;SAC1B,WAAW,CACV,kEAAkE;QAChE,6CAA6C,CAChD;SACA,MAAM,CAAC,wBAAwB,EAAE,mBAAmB,CAAC;SACrD,MAAM,CACL,4BAA4B,EAC5B,+CAA+C,CAChD;SACA,MAAM,CACL,uBAAuB,EACvB,0DAA0D,CAC3D;SACA,MAAM,CAAC,SAAS,EAAE,mDAAmD,CAAC;SACtE,MAAM,CAAC,KAAK,EAAE,CAA+C,EAAE,EAAE;QAChE,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAC5C,oCAAoC,CACrC,CAAA;QACD,MAAM,KAAK,GACT,OAAO,CAAC,CAAC,cAAc,KAAK,QAAQ;YAClC,CAAC,CAAE,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAsB;YAC/D,CAAC,CAAC,SAAS,CAAA;QACf,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,qBAAqB,CAAC;gBAC9B,YAAY,EAAE,CAAC,CAAC,YAAkC;gBAClD,cAAc,EAAE,KAAK;gBACrB,WAAW,EAAE,CAAC,CAAC,WAAiC;gBAChD,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;aACxB,CAAC,CAAA;YACF,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAA;gBACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC;YACD,OAAO,CAAC,GAAG,CACT,cAAc;gBACZ,mBAAmB,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,EAAE;gBACnE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtC,IAAI;gBACJ,YAAY,CAAC,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,UAAU;gBACnD,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS;oBACd,CAAC,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;oBAC5D,CAAC,CAAC,EAAE,CAAC;gBACP,MAAM;gBACN,0DAA0D;gBAC1D,4DAA4D,CAC/D,CAAA;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,UAAW,CAAW,CAAC,OAAO,EAAE,CAAC,CAAA;YAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CAAC,CAAA;IAEJ,OAAO;SACJ,OAAO,CAAC,mBAAmB,CAAC;SAC5B,WAAW,CACV,2EAA2E,CAC5E;SACA,MAAM,CAAC,wBAAwB,EAAE,mBAAmB,CAAC;SACrD,MAAM,CAAC,KAAK,EAAE,CAAqC,EAAE,EAAE;QACtD,MAAM,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAC9C,oCAAoC,CACrC,CAAA;QACD,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,uBAAuB,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,YAAY,EAAE,CAAC,CAAA;YACnE,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAA;gBACvD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAA;QAC/D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,UAAW,CAAW,CAAC,OAAO,EAAE,CAAC,CAAA;YAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CAAC,CAAA;IAEJ,2CAA2C;IAC3C,OAAO;SACJ,QAAQ,CAAC,cAAc,EAAE,+BAA+B,CAAC;SACzD,MAAM,CAAC,aAAa,EAAE,sBAAsB,CAAC;SAC7C,MAAM,CACL,uBAAuB,EACvB,qDAAqD,CACtD;SACA,MAAM,CACL,cAAc,EACd,+DAA+D,CAChE;SACA,MAAM,CACL,mBAAmB,EACnB,gEAAgE,EAChE,QAAQ,CACT;SACA,kBAAkB,EAAE;SACpB,MAAM,CACL,KAAK,EACH,WAAqB,EACrB,OAKC,EACD,EAAE;QACF,IAAI,CAAC;YACH,6DAA6D;YAC7D,+DAA+D;YAC/D,oEAAoE;YACpE,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,SAAS,GAAG,MAAM,CAAA;YAChC,CAAC;YAED,wBAAwB;YACxB,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,IAAI,oBAAoB,EAAE,CAAA;YAC7D,IAAI,aAAa,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;YAE1C,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,iEAAiE;gBACjE,4DAA4D;gBAC5D,yDAAyD;gBACzD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACrB,OAAO,CAAC,KAAK,CACX,uCAAuC,UAAU,sCAAsC;wBACrF,0CAA0C,CAC7C,CAAA;oBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;gBACjB,CAAC;gBACD,eAAe,CACb,sBAAsB,UAAU,wBAAwB,CACzD,CAAA;gBACD,aAAa,GAAG,gBAAgB,EAAE,CAAA;YACpC,CAAC;YAED,iCAAiC;YACjC,eAAe,CAAC,yBAAyB,CAAC,CAAA;YAC1C,MAAM,cAAc,CAAC,UAAU,CAAC,aAAa,CAAC,CAAA;YAE9C,4DAA4D;YAC5D,IAAI,aAAa,GAA8B,IAAI,CAAA;YACnD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,MAAM,aAAa,GAAG,EAAE,CAAC,gBAAgB,CAAC,EAAE,EAAE;wBAC5C,EAAE,EAAE,OAAO,CAAC,SAAS;qBACtB,CAAC,CAAA;oBACF,aAAa,GAAG,QAAQ,CAAC,eAAe,CAAC;wBACvC,KAAK,EAAE,aAAa;wBACpB,SAAS,EAAE,QAAQ;qBACpB,CAAC,CAAA;oBAEF,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE;wBAC9B,MAAM,SAAS,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAA;wBAC5C,IAAI,SAAS,EAAE,CAAC;4BACd,eAAe,CACb,mCAAmC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAC/D,CAAA;4BACD,cAAc,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;wBACxC,CAAC;6BAAM,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;4BACvB,gDAAgD;4BAChD,eAAe,CACb,2CAA2C,IAAI,EAAE,CAClD,CAAA;wBACH,CAAC;oBACH,CAAC,CAAC,CAAA;oBAEF,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;wBAC9B,eAAe,CAAC,qBAAqB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;oBACrD,CAAC,CAAC,CAAA;oBAEF,eAAe,CACb,sCAAsC,OAAO,CAAC,SAAS,EAAE,CAC1D,CAAA;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,eAAe,CACb,6BAA6B,OAAO,CAAC,SAAS,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACtG,CAAA;gBACH,CAAC;YACH,CAAC;YAED,iCAAiC;YACjC,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;gBACtB,aAAa,EAAE,KAAK,EAAE,CAAA;YACxB,CAAC,CAAC,CAAA;YAEF,yCAAyC;YACzC,IAAI,OAAe,CAAA;YACnB,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC;gBACd,oDAAoD;gBACpD,OAAO,GAAG,OAAO,CAAC,CAAC,CAAA;gBACnB,eAAe,CAAC,6BAA6B,OAAO,EAAE,CAAC,CAAA;YACzD,CAAC;iBAAM,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,2DAA2D;gBAC3D,wDAAwD;gBACxD,4DAA4D;gBAC5D,iDAAiD;gBACjD,OAAO,GAAG,KAAK,CAAC,WAAW,CAAC,CAAA;gBAC5B,eAAe,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAA;YACjD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CACX,6EAA6E,CAC9E,CAAA;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC;YAED,eAAe,CACb,IAAI,CAAC,SAAS,CACZ,cAAc,CAAC,2BAA2B,EAAE,EAC5C,IAAI,EACJ,CAAC,CACF,CACF,CAAA;YAED,yDAAyD;YACzD,yDAAyD;YACzD,uDAAuD;YACvD,uDAAuD;YACvD,0CAA0C;YAC1C,IAAI,KAAK,CAAA;YACT,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACjC,+DAA+D;gBAC/D,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GACjB,MAAM,cAAc,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAA;gBACnD,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;oBACpC,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,SAAS;oBAChB,GAAG;iBACJ,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,gBAAgB,GACpB,MAAM,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,CAAA;gBAC/C,KAAK,GAAG,KAAK,CAAC,gBAAgB,EAAE;oBAC9B,KAAK,EAAE,IAAI;oBACX,KAAK,EAAE,SAAS;iBACjB,CAAC,CAAA;YACJ,CAAC;YAED,sBAAsB;YACtB,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;gBAChC,uDAAuD;gBACvD,kEAAkE;gBAClE,8CAA8C;gBAC9C,cAAc,CAAC,mBAAmB,EAAE,CAAA;gBAEpC,IAAI,MAAM,EAAE,CAAC;oBACX,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;wBAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;oBACjB,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAA;wBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;oBACjB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;YAEF,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE;gBACxB,OAAO,CAAC,KAAK,CAAC,8BAA8B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;gBAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC,CAAC,CAAA;YAEF,8BAA8B;YAC9B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBACxB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YACtB,CAAC,CAAC,CAAA;YAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;gBACzB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YACvB,CAAC,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACnE,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CACF,CAAA;IAEH,OAAO,CAAC,KAAK,EAAE,CAAA;AACjB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAA;IACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}
package/dist/index.d.ts CHANGED
@@ -3,13 +3,13 @@ export { SandboxViolationStore } from './sandbox/sandbox-violation-store.js';
3
3
  export type { SandboxRuntimeConfig, NetworkConfig, FilesystemConfig, CredentialsConfig, CredentialFileConfig, CredentialEnvVarConfig, CredentialMode, IgnoreViolationsConfig, } from './sandbox/sandbox-config.js';
4
4
  export { SandboxRuntimeConfigSchema, NetworkConfigSchema, FilesystemConfigSchema, CredentialsConfigSchema, IgnoreViolationsConfigSchema, RipgrepConfigSchema, } from './sandbox/sandbox-config.js';
5
5
  export type { SandboxAskCallback, FsReadRestrictionConfig, FsWriteRestrictionConfig, CredentialRestrictionConfig, NetworkRestrictionConfig, NetworkHostPattern, } from './sandbox/sandbox-schemas.js';
6
- export type { FilterRequestCallback, RequestDecision, } from './sandbox/request-filter.js';
6
+ export type { FilterRequestCallback, RequestDecision, MutateForwardedHeaders, } from './sandbox/request-filter.js';
7
7
  export type { SandboxViolationEvent } from './sandbox/macos-sandbox-utils.js';
8
8
  export { type SandboxDependencyCheck } from './sandbox/linux-sandbox-utils.js';
9
- export { getSrtWinPath, getWindowsGroupStatus, getWindowsWfpStatus, installWindowsSandbox, uninstallWindowsSandbox, createWindowsGroup, deleteWindowsGroup, createWindowsWfp, windowsInstallInstructions, DEFAULT_WINDOWS_GROUP_NAME, DEFAULT_WINDOWS_PROXY_PORT_RANGE, } from './sandbox/windows-sandbox-utils.js';
10
- export type { WindowsGroupRef, WindowsInstallOptions, WindowsInstallResult, WindowsGroupStatus, WindowsGroupStatusResult, WindowsWfpStatus, WindowsWfpStatusResult, } from './sandbox/windows-sandbox-utils.js';
11
- export type { WindowsConfig } from './sandbox/sandbox-config.js';
12
- export { WindowsConfigSchema } from './sandbox/sandbox-config.js';
9
+ export { getSrtWinPath, resolveSrtWin, getWindowsWfpStatus, verifyWindowsWfpEgress, getWindowsSandboxUserStatus, getWindowsSandboxCaCert, windowsTrustCa, installWindowsSandbox, uninstallWindowsSandbox, windowsInstallInstructions, stampWindowsAcl, restoreWindowsAcl, grantWindowsAcl, revokeWindowsAcl, expandWindowsFsPaths, buildGitConfigEnv, DEFAULT_WINDOWS_PROXY_PORT_RANGE, SRT_WIN_DISPATCH_ARG1, } from './sandbox/windows-sandbox-utils.js';
10
+ export type { WindowsInstallOptions, WindowsInstallResult, WindowsWfpStatus, WindowsAclStampOptions, WindowsAclGrantOptions, WindowsAclAceOutcome, WindowsWfpStatusResult, WindowsWfpVerifyResult, WindowsSandboxUserStatus, SrtWinSpawn, } from './sandbox/windows-sandbox-utils.js';
11
+ export type { WindowsConfig, SrtWinConfig } from './sandbox/sandbox-config.js';
12
+ export { WindowsConfigSchema, SrtWinConfigSchema, } from './sandbox/sandbox-config.js';
13
13
  export { getDefaultWritePaths } from './sandbox/sandbox-utils.js';
14
14
  export { getWslVersion } from './utils/platform.js';
15
15
  export type { Platform } from './utils/platform.js';
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAA;AAG5E,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,EACtB,cAAc,EACd,sBAAsB,GACvB,MAAM,6BAA6B,CAAA;AAEpC,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,4BAA4B,EAC5B,mBAAmB,GACpB,MAAM,6BAA6B,CAAA;AAGpC,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,wBAAwB,EACxB,2BAA2B,EAC3B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,8BAA8B,CAAA;AAGrC,YAAY,EACV,qBAAqB,EACrB,eAAe,GAChB,MAAM,6BAA6B,CAAA;AAGpC,YAAY,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAA;AAC7E,OAAO,EAAE,KAAK,sBAAsB,EAAE,MAAM,kCAAkC,CAAA;AAG9E,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,mBAAmB,EACnB,qBAAqB,EACrB,uBAAuB,EACvB,kBAAkB,EAClB,kBAAkB,EAClB,gBAAgB,EAChB,0BAA0B,EAC1B,0BAA0B,EAC1B,gCAAgC,GACjC,MAAM,oCAAoC,CAAA;AAC3C,YAAY,EACV,eAAe,EACf,qBAAqB,EACrB,oBAAoB,EACpB,kBAAkB,EAClB,wBAAwB,EACxB,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,oCAAoC,CAAA;AAC3C,YAAY,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAChE,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAA;AAGjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AAGjE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,YAAY,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAA"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAA;AAG5E,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,EACtB,cAAc,EACd,sBAAsB,GACvB,MAAM,6BAA6B,CAAA;AAEpC,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,4BAA4B,EAC5B,mBAAmB,GACpB,MAAM,6BAA6B,CAAA;AAGpC,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,wBAAwB,EACxB,2BAA2B,EAC3B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,8BAA8B,CAAA;AAGrC,YAAY,EACV,qBAAqB,EACrB,eAAe,EACf,sBAAsB,GACvB,MAAM,6BAA6B,CAAA;AAGpC,YAAY,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAA;AAC7E,OAAO,EAAE,KAAK,sBAAsB,EAAE,MAAM,kCAAkC,CAAA;AAG9E,OAAO,EACL,aAAa,EACb,aAAa,EACb,mBAAmB,EACnB,sBAAsB,EACtB,2BAA2B,EAC3B,uBAAuB,EACvB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,0BAA0B,EAC1B,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,iBAAiB,EACjB,gCAAgC,EAChC,qBAAqB,GACtB,MAAM,oCAAoC,CAAA;AAC3C,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,sBAAsB,EACtB,wBAAwB,EACxB,WAAW,GACZ,MAAM,oCAAoC,CAAA;AAC3C,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAA;AAC9E,OAAO,EACL,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,6BAA6B,CAAA;AAGpC,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AAGjE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,YAAY,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAA"}
package/dist/index.js CHANGED
@@ -3,8 +3,8 @@ export { SandboxManager } from './sandbox/sandbox-manager.js';
3
3
  export { SandboxViolationStore } from './sandbox/sandbox-violation-store.js';
4
4
  export { SandboxRuntimeConfigSchema, NetworkConfigSchema, FilesystemConfigSchema, CredentialsConfigSchema, IgnoreViolationsConfigSchema, RipgrepConfigSchema, } from './sandbox/sandbox-config.js';
5
5
  // Windows install/status API
6
- export { getSrtWinPath, getWindowsGroupStatus, getWindowsWfpStatus, installWindowsSandbox, uninstallWindowsSandbox, createWindowsGroup, deleteWindowsGroup, createWindowsWfp, windowsInstallInstructions, DEFAULT_WINDOWS_GROUP_NAME, DEFAULT_WINDOWS_PROXY_PORT_RANGE, } from './sandbox/windows-sandbox-utils.js';
7
- export { WindowsConfigSchema } from './sandbox/sandbox-config.js';
6
+ export { getSrtWinPath, resolveSrtWin, getWindowsWfpStatus, verifyWindowsWfpEgress, getWindowsSandboxUserStatus, getWindowsSandboxCaCert, windowsTrustCa, installWindowsSandbox, uninstallWindowsSandbox, windowsInstallInstructions, stampWindowsAcl, restoreWindowsAcl, grantWindowsAcl, revokeWindowsAcl, expandWindowsFsPaths, buildGitConfigEnv, DEFAULT_WINDOWS_PROXY_PORT_RANGE, SRT_WIN_DISPATCH_ARG1, } from './sandbox/windows-sandbox-utils.js';
7
+ export { WindowsConfigSchema, SrtWinConfigSchema, } from './sandbox/sandbox-config.js';
8
8
  // Utility functions
9
9
  export { getDefaultWritePaths } from './sandbox/sandbox-utils.js';
10
10
  // Platform utilities
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,kBAAkB;AAClB,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAA;AAc5E,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,4BAA4B,EAC5B,mBAAmB,GACpB,MAAM,6BAA6B,CAAA;AAsBpC,6BAA6B;AAC7B,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,mBAAmB,EACnB,qBAAqB,EACrB,uBAAuB,EACvB,kBAAkB,EAClB,kBAAkB,EAClB,gBAAgB,EAChB,0BAA0B,EAC1B,0BAA0B,EAC1B,gCAAgC,GACjC,MAAM,oCAAoC,CAAA;AAW3C,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAA;AAEjE,oBAAoB;AACpB,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AAEjE,qBAAqB;AACrB,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,kBAAkB;AAClB,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAA;AAc5E,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,4BAA4B,EAC5B,mBAAmB,GACpB,MAAM,6BAA6B,CAAA;AAuBpC,6BAA6B;AAC7B,OAAO,EACL,aAAa,EACb,aAAa,EACb,mBAAmB,EACnB,sBAAsB,EACtB,2BAA2B,EAC3B,uBAAuB,EACvB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,0BAA0B,EAC1B,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,iBAAiB,EACjB,gCAAgC,EAChC,qBAAqB,GACtB,MAAM,oCAAoC,CAAA;AAc3C,OAAO,EACL,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,6BAA6B,CAAA;AAEpC,oBAAoB;AACpB,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AAEjE,qBAAqB;AACrB,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA"}
@@ -0,0 +1,157 @@
1
+ /**
2
+ * Credential file masking (Linux).
3
+ *
4
+ * For a `credentials.files` entry with `mode: "mask"`, srt reads the real
5
+ * file content on the host, registers one or more sentinels in the
6
+ * {@link SentinelRegistry}, and writes a fake file (sentinel-substituted)
7
+ * to a manager-owned temp directory. The Linux sandbox then `--ro-bind`s
8
+ * the fake over the real path, so the sandboxed process reads the
9
+ * sentinel(s). The proxy substitution from env-var masking already scans
10
+ * every header for any registered sentinel, so a tool that does
11
+ * `Authorization: Bearer $(cat <maskedFile>)` reaches the upstream with
12
+ * the real bytes — no proxy changes required.
13
+ *
14
+ * Without `extract`, masking is **whole-file**: one sentinel replaces the
15
+ * entire content. With `extract`, masking is **structured**: a regex picks
16
+ * out the credential value(s) and only those spans are replaced, so a tool
17
+ * that parses the file (JSON/YAML/.netrc) still sees valid syntax. See
18
+ * {@link extractAndSubstitute} and {@link CredentialFileConfigSchema}.
19
+ *
20
+ * On macOS, SBPL cannot redirect reads, so masked files degrade to
21
+ * `mode: "deny"` (see macos-sandbox-utils.ts).
22
+ */
23
+ import type { CredentialFileConfig } from './sandbox-config.js';
24
+ import type { SentinelRegistry } from './credential-sentinel.js';
25
+ /**
26
+ * Result of {@link extractAndSubstitute}: the file content with each
27
+ * matched capture-group-1 span replaced by `sentinelFor(capture, i)`,
28
+ * plus the distinct captured values in first-seen (index) order.
29
+ */
30
+ export interface ExtractResult {
31
+ fakeContent: string;
32
+ captures: string[];
33
+ }
34
+ /** Options for {@link extractAndSubstitute}. */
35
+ export interface ExtractOptions {
36
+ /**
37
+ * If true, verbatim occurrences of each captured value *outside* the
38
+ * regex-matched spans are also replaced with that capture's sentinel —
39
+ * for a secret repeated where the regex does not reach (e.g. pasted
40
+ * into a comment). The scan matches raw substrings: a short or common
41
+ * captured value may corrupt unrelated content that happens to contain
42
+ * it, so this option is intended for long, high-entropy secrets.
43
+ */
44
+ maskDuplicates?: boolean;
45
+ }
46
+ /**
47
+ * Apply `pattern` globally to `content` and return `content` with each
48
+ * matched capture-group-1 span replaced by `sentinelFor(capture, i)`,
49
+ * where `i` is the zero-based index of the distinct captured value in
50
+ * first-seen order.
51
+ *
52
+ * Offset-based: the regex `d` flag exposes capture-group offsets, so the
53
+ * output is built by slicing between spans and splicing the sentinel in
54
+ * at the exact `[start, end)` of group 1. By default only the
55
+ * regex-matched span is replaced — a captured value that coincidentally
56
+ * appears elsewhere in the file (outside any match) is left intact. No
57
+ * placeholder pass, no substring-ordering concern.
58
+ *
59
+ * With `maskDuplicates` (see {@link ExtractOptions}), an indexOf scan
60
+ * additionally collects every verbatim occurrence of each captured value
61
+ * elsewhere in the file. All spans are computed against the ORIGINAL
62
+ * content — never the partially substituted output — so an inserted
63
+ * sentinel can never be re-matched and corrupted, even when a captured
64
+ * value is a substring of the sentinel literal. Regex-match spans win
65
+ * over verbatim ones, and verbatim scans run longest-capture-first so a
66
+ * shorter capture that is a substring of a longer one cannot claim part
67
+ * of the longer secret's occurrence.
68
+ *
69
+ * Returns `null` when the pattern matches nothing — the caller routes
70
+ * that per the entry's `onExtractNoMatch` option (warn / deny / error;
71
+ * see {@link buildMaskedFileBinds}).
72
+ *
73
+ * Throws when a match has no group-1 capture. The schema already rejects
74
+ * patterns with zero groups, so this only fires when group 1 is optional
75
+ * and absent for some match (e.g. `"token: (\\S+)?"`); accepting that
76
+ * would silently mask nothing for that occurrence.
77
+ *
78
+ * Pure on `content`/`pattern`; the callback may close over a registry.
79
+ */
80
+ export declare function extractAndSubstitute(content: string, pattern: string, sentinelFor: (capture: string, index: number) => string, options?: ExtractOptions): ExtractResult | null;
81
+ /** One masked file's bind mapping for the platform builder. */
82
+ export interface MaskedFileBind {
83
+ /** Resolved (tilde-expanded, realpath'd) host path of the real file. */
84
+ realPath: string;
85
+ /** Path to the fake file containing the sentinel. */
86
+ fakePath: string;
87
+ }
88
+ /**
89
+ * Manager-owned temp dir holding the fake files.
90
+ *
91
+ * INVARIANT: this directory must never be writable from inside the sandbox.
92
+ * The Linux layer enforces this by emitting `--ro-bind <dirPath> <dirPath>`
93
+ * after every other filesystem mount (see generateFilesystemArgs), so the
94
+ * store stays read-only even if a caller's allowWrite covers os.tmpdir() or
95
+ * the host's $TMPDIR points under a default-writable path. If the sandbox
96
+ * could write here it could replace a fake's content (the bind exposes the
97
+ * source file) or plant a symlink for a later host-side write() to follow.
98
+ */
99
+ export declare class MaskedFileStore {
100
+ private dir;
101
+ private readonly byKey;
102
+ /**
103
+ * Write `sentinel` to a fake file for `key` and return its path.
104
+ * Idempotent on `key`: a repeat call rewrites the same fake (so a
105
+ * changed sentinel after re-register propagates) instead of leaking a
106
+ * new file per wrapWithSandbox() call.
107
+ */
108
+ write(key: string, sentinel: string): string;
109
+ /** Remove the temp dir and every fake file in it. Idempotent. */
110
+ dispose(): void;
111
+ /** Temp dir path, or undefined if no fake has been written yet. */
112
+ get dirPath(): string | undefined;
113
+ }
114
+ /** Result of {@link buildMaskedFileBinds}. */
115
+ export interface MaskedFileBuildResult {
116
+ binds: MaskedFileBind[];
117
+ /**
118
+ * Resolved paths of `mode: "mask"` entries that degraded to deny at
119
+ * runtime — populated when `extract` matches nothing and the entry's
120
+ * `onExtractNoMatch` is `"deny"`. Callers union these into the
121
+ * read-deny set so the credential file is unreadable rather than
122
+ * exposed.
123
+ */
124
+ degradeToDenyPaths: string[];
125
+ }
126
+ /**
127
+ * For each `mode: "mask"` file entry: resolve the path, read the real
128
+ * content, build the fake content (whole-file or structured per `extract`),
129
+ * register sentinels in `registry`, write the fake via `store`, and return
130
+ * the bind list plus any entries that degraded to deny.
131
+ *
132
+ * Whole-file mode (no `extract`): one sentinel keyed `file:<path>` whose
133
+ * real value is the entire file content; the fake file *is* the sentinel.
134
+ *
135
+ * Structured mode (`extract` set): one sentinel per distinct captured
136
+ * value, keyed `file:<path>#<i>`; the fake file is the real content with
137
+ * each captured span replaced by its sentinel. If the regex matches
138
+ * nothing, the entry's `onExtractNoMatch` decides:
139
+ * - `"warn"` (default): skip the entry with a loud stderr warning —
140
+ * fail-open, the file stays readable via the root mount;
141
+ * - `"deny"`: push the path to `degradeToDenyPaths` — fail-closed, the
142
+ * file becomes unreadable inside the sandbox;
143
+ * - `"error"`: throw, so nothing runs until the regex is fixed.
144
+ * With `maskDuplicates`, verbatim occurrences of each captured value
145
+ * outside the matched spans are also replaced (see {@link ExtractOptions}).
146
+ *
147
+ * Entries whose path does not exist, is unreadable, or resolves to a
148
+ * directory are skipped with a debug log — same posture as a masked env
149
+ * var that's unset on the host: nothing to protect, and surfacing a hard
150
+ * error would make a portable config brittle across machines.
151
+ *
152
+ * The directory check is the authoritative one (the schema only catches a
153
+ * trailing slash); whole-file masking has no meaning for a directory.
154
+ */
155
+ export declare function buildMaskedFileBinds(files: readonly CredentialFileConfig[], allowedDomains: readonly string[], registry: SentinelRegistry, store: MaskedFileStore): MaskedFileBuildResult;
156
+ export declare const MASKED_FILE_STORE_PREFIX = "srt-credmask-";
157
+ //# sourceMappingURL=credential-mask-files.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credential-mask-files.d.ts","sourceRoot":"","sources":["../../src/sandbox/credential-mask-files.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAOH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAA;AAC/D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAShE;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAWD,gDAAgD;AAChD,MAAM,WAAW,cAAc;IAC7B;;;;;;;OAOG;IACH,cAAc,CAAC,EAAE,OAAO,CAAA;CACzB;AASD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,MAAM,EACvD,OAAO,GAAE,cAAmB,GAC3B,aAAa,GAAG,IAAI,CAkEtB;AAED,+DAA+D;AAC/D,MAAM,WAAW,cAAc;IAC7B,wEAAwE;IACxE,QAAQ,EAAE,MAAM,CAAA;IAChB,qDAAqD;IACrD,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED;;;;;;;;;;GAUG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,GAAG,CAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA4B;IAElD;;;;;OAKG;IACH,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM;IAoB5C,iEAAiE;IACjE,OAAO,IAAI,IAAI;IAcf,mEAAmE;IACnE,IAAI,OAAO,IAAI,MAAM,GAAG,SAAS,CAEhC;CACF;AAED,8CAA8C;AAC9C,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,cAAc,EAAE,CAAA;IACvB;;;;;;OAMG;IACH,kBAAkB,EAAE,MAAM,EAAE,CAAA;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,SAAS,oBAAoB,EAAE,EACtC,cAAc,EAAE,SAAS,MAAM,EAAE,EACjC,QAAQ,EAAE,gBAAgB,EAC1B,KAAK,EAAE,eAAe,GACrB,qBAAqB,CAiGvB;AAED,eAAO,MAAM,wBAAwB,kBAAkB,CAAA"}