@sysid/sandbox-runtime-improved 0.0.56-sysid.1 → 0.0.64-sysid.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +106 -4
- package/dist/cli.js +12 -18
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +5 -5
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +2 -2
- package/dist/index.js.map +1 -1
- package/dist/sandbox/credential-mask-files.d.ts +157 -0
- package/dist/sandbox/credential-mask-files.d.ts.map +1 -0
- package/dist/sandbox/credential-mask-files.js +298 -0
- package/dist/sandbox/credential-mask-files.js.map +1 -0
- package/dist/sandbox/credential-sentinel.d.ts +72 -0
- package/dist/sandbox/credential-sentinel.d.ts.map +1 -0
- package/dist/sandbox/credential-sentinel.js +130 -0
- package/dist/sandbox/credential-sentinel.js.map +1 -0
- package/dist/sandbox/domain-pattern.d.ts +36 -0
- package/dist/sandbox/domain-pattern.d.ts.map +1 -0
- package/dist/sandbox/domain-pattern.js +60 -0
- package/dist/sandbox/domain-pattern.js.map +1 -0
- package/dist/sandbox/http-proxy.d.ts +33 -2
- package/dist/sandbox/http-proxy.d.ts.map +1 -1
- package/dist/sandbox/http-proxy.js +30 -2
- package/dist/sandbox/http-proxy.js.map +1 -1
- package/dist/sandbox/linux-sandbox-utils.d.ts +20 -0
- package/dist/sandbox/linux-sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/linux-sandbox-utils.js +134 -65
- package/dist/sandbox/linux-sandbox-utils.js.map +1 -1
- package/dist/sandbox/linux-violation-monitor.d.ts +48 -0
- package/dist/sandbox/linux-violation-monitor.d.ts.map +1 -0
- package/dist/sandbox/linux-violation-monitor.js +156 -0
- package/dist/sandbox/linux-violation-monitor.js.map +1 -0
- package/dist/sandbox/listen-in-range.d.ts +12 -0
- package/dist/sandbox/listen-in-range.d.ts.map +1 -0
- package/dist/sandbox/listen-in-range.js +43 -0
- package/dist/sandbox/listen-in-range.js.map +1 -0
- package/dist/sandbox/macos-sandbox-utils.d.ts +11 -0
- package/dist/sandbox/macos-sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/macos-sandbox-utils.js +72 -17
- package/dist/sandbox/macos-sandbox-utils.js.map +1 -1
- package/dist/sandbox/mitm-ca.d.ts +69 -2
- package/dist/sandbox/mitm-ca.d.ts.map +1 -1
- package/dist/sandbox/mitm-ca.js +188 -16
- package/dist/sandbox/mitm-ca.js.map +1 -1
- package/dist/sandbox/mitm-leaf.d.ts +1 -1
- package/dist/sandbox/mitm-leaf.d.ts.map +1 -1
- package/dist/sandbox/mitm-leaf.js +26 -19
- package/dist/sandbox/mitm-leaf.js.map +1 -1
- package/dist/sandbox/mux-proxy.d.ts +59 -0
- package/dist/sandbox/mux-proxy.d.ts.map +1 -0
- package/dist/sandbox/mux-proxy.js +159 -0
- package/dist/sandbox/mux-proxy.js.map +1 -0
- package/dist/sandbox/request-filter.d.ts +11 -1
- package/dist/sandbox/request-filter.d.ts.map +1 -1
- package/dist/sandbox/request-filter.js.map +1 -1
- package/dist/sandbox/sandbox-config.d.ts +461 -41
- package/dist/sandbox/sandbox-config.d.ts.map +1 -1
- package/dist/sandbox/sandbox-config.js +342 -26
- package/dist/sandbox/sandbox-config.js.map +1 -1
- package/dist/sandbox/sandbox-manager.d.ts +5 -1
- package/dist/sandbox/sandbox-manager.d.ts.map +1 -1
- package/dist/sandbox/sandbox-manager.js +697 -211
- package/dist/sandbox/sandbox-manager.js.map +1 -1
- package/dist/sandbox/sandbox-schemas.d.ts +15 -0
- package/dist/sandbox/sandbox-schemas.d.ts.map +1 -1
- package/dist/sandbox/sandbox-utils.d.ts +55 -6
- package/dist/sandbox/sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/sandbox-utils.js +143 -30
- package/dist/sandbox/sandbox-utils.js.map +1 -1
- package/dist/sandbox/socks-proxy.d.ts +11 -5
- package/dist/sandbox/socks-proxy.d.ts.map +1 -1
- package/dist/sandbox/socks-proxy.js +13 -81
- package/dist/sandbox/socks-proxy.js.map +1 -1
- package/dist/sandbox/tls-terminate-proxy.d.ts +2 -2
- package/dist/sandbox/tls-terminate-proxy.d.ts.map +1 -1
- package/dist/sandbox/tls-terminate-proxy.js +31 -5
- package/dist/sandbox/tls-terminate-proxy.js.map +1 -1
- package/dist/sandbox/windows-sandbox-utils.d.ts +508 -116
- package/dist/sandbox/windows-sandbox-utils.d.ts.map +1 -1
- package/dist/sandbox/windows-sandbox-utils.js +721 -209
- package/dist/sandbox/windows-sandbox-utils.js.map +1 -1
- package/dist/utils/shell-quote.d.ts +27 -0
- package/dist/utils/shell-quote.d.ts.map +1 -0
- package/dist/utils/shell-quote.js +47 -0
- package/dist/utils/shell-quote.js.map +1 -0
- package/package.json +7 -6
- package/vendor/seccomp/arm64/apply-seccomp +0 -0
- package/vendor/seccomp/build.ts +8 -30
- package/vendor/seccomp/x64/apply-seccomp +0 -0
- package/vendor/srt-win/build.ts +21 -0
- package/dist/vendor/seccomp/Dockerfile.build +0 -6
- package/dist/vendor/seccomp/arm64/apply-seccomp +0 -0
- package/dist/vendor/seccomp/build.ts +0 -91
- package/dist/vendor/seccomp/x64/apply-seccomp +0 -0
- package/dist/vendor/seccomp-src/apply-seccomp.c +0 -280
- package/dist/vendor/seccomp-src/seccomp-unix-block.c +0 -148
- package/dist/vendor/srt-win/Cargo.lock +0 -361
- package/dist/vendor/srt-win/Cargo.toml +0 -46
- package/dist/vendor/srt-win/ci/cleanup.ps1 +0 -49
- package/dist/vendor/srt-win/ci/smoke-exec.ps1 +0 -446
- package/dist/vendor/srt-win/ci/smoke.ps1 +0 -307
- package/dist/vendor/srt-win/src/job.rs +0 -102
- package/dist/vendor/srt-win/src/launch.rs +0 -732
- package/dist/vendor/srt-win/src/lib.rs +0 -20
- package/dist/vendor/srt-win/src/main.rs +0 -669
- package/dist/vendor/srt-win/src/self_protect.rs +0 -169
- package/dist/vendor/srt-win/src/sid.rs +0 -296
- package/dist/vendor/srt-win/src/token.rs +0 -341
- package/dist/vendor/srt-win/src/util.rs +0 -42
- package/dist/vendor/srt-win/src/wfp.rs +0 -992
- package/dist/vendor/srt-win/src/winsta.rs +0 -209
- package/dist/vendor/srt-win/tests/sd_access_check_matrix.rs +0 -259
- package/vendor/seccomp-src/apply-seccomp.c +0 -280
- package/vendor/seccomp-src/seccomp-unix-block.c +0 -148
- package/vendor/srt-win/Cargo.lock +0 -361
- package/vendor/srt-win/Cargo.toml +0 -46
- package/vendor/srt-win/ci/cleanup.ps1 +0 -49
- package/vendor/srt-win/ci/smoke-exec.ps1 +0 -446
- package/vendor/srt-win/ci/smoke.ps1 +0 -307
- package/vendor/srt-win/src/job.rs +0 -102
- package/vendor/srt-win/src/launch.rs +0 -732
- package/vendor/srt-win/src/lib.rs +0 -20
- package/vendor/srt-win/src/main.rs +0 -669
- package/vendor/srt-win/src/self_protect.rs +0 -169
- package/vendor/srt-win/src/sid.rs +0 -296
- package/vendor/srt-win/src/token.rs +0 -341
- package/vendor/srt-win/src/util.rs +0 -42
- package/vendor/srt-win/src/wfp.rs +0 -992
- package/vendor/srt-win/src/winsta.rs +0 -209
- package/vendor/srt-win/tests/sd_access_check_matrix.rs +0 -259
package/README.md
CHANGED
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
|
|
6
6
|
Based on [Anthropic Sandbox Runtime](https://github.com/anthropic-experimental/sandbox-runtime).
|
|
7
7
|
|
|
8
|
-
This fork will be rebased on [SRT](https://github.com/anthropic-experimental/sandbox-runtime) continuously (currently based on upstream **v0.0.
|
|
8
|
+
This fork will be rebased on [SRT](https://github.com/anthropic-experimental/sandbox-runtime) continuously (currently based on upstream **v0.0.64**).
|
|
9
9
|
As new features become available, equivalent local ones will be removed.
|
|
10
10
|
|
|
11
11
|
> Objective: keep as close to original as possible, while allowing selected additional features.
|
|
@@ -129,6 +129,7 @@ The sandbox uses OS-level primitives to enforce restrictions that apply to the e
|
|
|
129
129
|
|
|
130
130
|
- **macOS**: Uses `sandbox-exec` with dynamically generated [Seatbelt profiles](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf)
|
|
131
131
|
- **Linux**: Uses [bubblewrap](https://github.com/containers/bubblewrap) for containerization with network namespace isolation
|
|
132
|
+
- **Windows**: Runs the sandboxed process under a dedicated `srt-sandbox` local user account, with a [Windows Filtering Platform](https://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-start-page) egress fence keyed on that account's SID and per-session explicit ACEs on the working tree
|
|
132
133
|
|
|
133
134
|

|
|
134
135
|
|
|
@@ -147,6 +148,8 @@ Both filesystem and network isolation are required for effective sandboxing. Wit
|
|
|
147
148
|
|
|
148
149
|
- **macOS**: The Seatbelt profile allows communication only to a specific localhost port. The proxies listen on this port, creating a controlled channel for all network access
|
|
149
150
|
|
|
151
|
+
- **Windows**: A machine-wide WFP filter set blocks all outbound connections originating from the `srt-sandbox` account except loopback to the proxy port range. The proxies listen inside that range, creating a controlled channel for all network access
|
|
152
|
+
|
|
150
153
|
Both HTTP/HTTPS (via HTTP proxy) and other TCP traffic (via SOCKS5 proxy) are mediated by these proxies, which enforce your domain allowlists and denylists.
|
|
151
154
|
|
|
152
155
|
For more details on sandboxing in Claude Code, see:
|
|
@@ -174,7 +177,8 @@ src/
|
|
|
174
177
|
├── parent-proxy.ts # Upstream/parent proxy chaining
|
|
175
178
|
├── socks-proxy.ts # SOCKS5 proxy for network filtering
|
|
176
179
|
├── linux-sandbox-utils.ts # Linux bubblewrap sandboxing
|
|
177
|
-
|
|
180
|
+
├── macos-sandbox-utils.ts # macOS sandbox-exec sandboxing
|
|
181
|
+
└── windows-sandbox-utils.ts # Windows srt-win sandboxing
|
|
178
182
|
```
|
|
179
183
|
|
|
180
184
|
## Usage
|
|
@@ -320,6 +324,26 @@ Uses an **allow-only pattern** - all network access is denied by default.
|
|
|
320
324
|
- `https` - Proxy URL for HTTPS/CONNECT traffic (falls back to `http` if unset)
|
|
321
325
|
- `noProxy` - Comma-separated bypass list: hostname suffixes and CIDR ranges that connect directly
|
|
322
326
|
|
|
327
|
+
**TLS termination** (`network.tlsTerminate`, experimental): when set, HTTPS CONNECTs are terminated in-process so SRT can see (and filter, via `network.filterRequest`) the decrypted requests. The sandboxed process is pointed at a trust bundle containing the MITM CA (`caCertPath`/`caKeyPath`, or an ephemeral CA if omitted) plus the host's regular roots, so proxy-minted certificates and real upstream certificates both verify.
|
|
328
|
+
|
|
329
|
+
- `network.tlsTerminate.excludeDomains` - Domain patterns (same syntax as `allowedDomains`) that are **not** terminated. Matching CONNECTs are tunnelled opaquely instead: they are still subject to the domain allowlist, but the client inside the sandbox completes its own TLS handshake with the real upstream, and `filterRequest` / credential injection do not apply to their HTTPS traffic. Use this for the two cases TLS termination fundamentally breaks:
|
|
330
|
+
- **mTLS upstreams** - only the in-sandbox client holds the client certificate, so the proxy cannot re-originate the connection on its behalf.
|
|
331
|
+
- **Certificate-pinning clients** - clients that verify the upstream's identity themselves (custom CAs, SAN pinning) and reject the MITM certificate.
|
|
332
|
+
- `network.tlsTerminate.extraCaCertPaths` - Paths to PEM CA certificate files appended to that trust bundle, after the MITM CA and the host's regular roots. Excluded (non-terminated) hosts are verified by the client inside the sandbox, and the trust env vars SRT sets (`SSL_CERT_FILE`, `GIT_SSL_CAINFO`, ...) _replace_ each tool's own trust configuration, so a site-local root (e.g. an internal mTLS CA) must be in the bundle or those hosts can never be verified. Only the `CERTIFICATE` blocks of each file are copied into the bundle (anything else, e.g. a private key in a combined PEM, is never exposed to the sandbox); files that are missing, unreadable, or contain no PEM `CERTIFICATE` block are skipped, so it is safe to list paths that exist on only some hosts.
|
|
333
|
+
|
|
334
|
+
```json
|
|
335
|
+
{
|
|
336
|
+
"network": {
|
|
337
|
+
"allowedDomains": ["*.example.com", "internal-mtls.example.net"],
|
|
338
|
+
"deniedDomains": [],
|
|
339
|
+
"tlsTerminate": {
|
|
340
|
+
"excludeDomains": ["internal-mtls.example.net"],
|
|
341
|
+
"extraCaCertPaths": ["/etc/internal-mtls-roots.pem"]
|
|
342
|
+
}
|
|
343
|
+
}
|
|
344
|
+
}
|
|
345
|
+
```
|
|
346
|
+
|
|
323
347
|
**Unix Socket Settings** (platform-specific behavior):
|
|
324
348
|
|
|
325
349
|
| Setting | macOS | Linux |
|
|
@@ -455,7 +479,7 @@ Watchman accesses files outside the sandbox boundaries, which will trigger permi
|
|
|
455
479
|
|
|
456
480
|
- **macOS**: Uses `sandbox-exec` with custom profiles (no additional dependencies)
|
|
457
481
|
- **Linux**: Uses `bubblewrap` (bwrap) for containerization
|
|
458
|
-
- **Windows**:
|
|
482
|
+
- **Windows**: Alpha — uses a bundled `srt-win.exe` helper (no additional dependencies). See [Windows (alpha)](#windows-alpha) below for setup, security model, and known limitations
|
|
459
483
|
|
|
460
484
|
### Platform-Specific Dependencies
|
|
461
485
|
|
|
@@ -498,6 +522,83 @@ The package includes pre-generated seccomp BPF filters for x86-64 and arm archit
|
|
|
498
522
|
- Install via Homebrew: `brew install ripgrep`
|
|
499
523
|
- Or download from: https://github.com/BurntSushi/ripgrep/releases
|
|
500
524
|
|
|
525
|
+
**Windows requires:**
|
|
526
|
+
|
|
527
|
+
- No additional dependencies. The `srt-win.exe` helper (x64 and arm64) is bundled with the npm package. A one-time elevated `windows-install` step is required — see below.
|
|
528
|
+
|
|
529
|
+
## Windows (alpha)
|
|
530
|
+
|
|
531
|
+
Windows support is **alpha**. The sandboxed process runs under a dedicated `srt-sandbox` local user account, isolated from the calling user by native Windows security primitives — a Windows Filtering Platform (WFP) egress fence keyed on the sandbox account's SID, and per-session explicit ACEs that grant or deny that SID access to configured filesystem paths.
|
|
532
|
+
|
|
533
|
+
### Setup
|
|
534
|
+
|
|
535
|
+
Run once per machine (self-elevates; one UAC prompt):
|
|
536
|
+
|
|
537
|
+
```powershell
|
|
538
|
+
npx @sysid/sandbox-runtime-improved windows-install
|
|
539
|
+
```
|
|
540
|
+
|
|
541
|
+
This provisions the `srt-sandbox` local user account (with a random password stored DPAPI-encrypted under `%LOCALAPPDATA%\sandbox-runtime\state.db`), the `sandbox-runtime-users` local group, and installs a machine-wide WFP filter set keyed on the `srt-sandbox` SID. It is **idempotent** — re-running it rotates the sandbox account's password and reconciles the filter set.
|
|
542
|
+
|
|
543
|
+
**No logout is required.** The WFP filters key on the dedicated sandbox account's SID, so your own network, services, and every other principal on the machine are unaffected.
|
|
544
|
+
|
|
545
|
+
After install, `SandboxManager.initialize()` and the `srti` CLI work as on other platforms. `initialize()` verifies the sandbox account and WFP fence are live, and fails with an actionable error if not.
|
|
546
|
+
|
|
547
|
+
Programmatic install/uninstall are exported as `installWindowsSandbox()` / `uninstallWindowsSandbox()`.
|
|
548
|
+
|
|
549
|
+
### Security model
|
|
550
|
+
|
|
551
|
+
The sandboxed command runs **as the `srt-sandbox` account**, not as the calling user. The bundled `srt-win.exe` helper does a two-hop launch: the broker calls `CreateProcessWithLogonW` to start a runner as `srt-sandbox`, and the runner spawns the target under a restricted token inside a job object. The child inherits the sandbox account's isolated profile (`%USERPROFILE%`, `%TEMP%`, `HKCU`) and a fresh environment overlaid with only the broker's `PATH` and the generated proxy variables.
|
|
552
|
+
|
|
553
|
+
Running under a distinct user SID structurally closes the surrogate-spawn class of escape (Task Scheduler, `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS` onto a broker-owned process, BITS, out-of-process COM with `RunAs="Interactive User"`): any process the child manages to spawn out-of-band still carries the `srt-sandbox` SID, so it remains subject to the WFP egress fence and has no rights on the calling user's files.
|
|
554
|
+
|
|
555
|
+
**Network isolation** is a two-filter WFP set at `FWPM_LAYER_ALE_AUTH_CONNECT_V4/V6`: a PERMIT for loopback destinations inside the configured proxy port range (default `60080–60089`), and a BLOCK for any connect whose token carries the `srt-sandbox` SID. The sandboxed process reaches the internet only via the JS HTTP/SOCKS5 proxies listening in that range; a process that strips its proxy environment and connects directly is blocked at the kernel.
|
|
556
|
+
|
|
557
|
+
**Filesystem isolation** is enforced by NTFS discretionary ACLs. The `srt-sandbox` account has no inherent rights on the calling user's files, so at `initialize()` the sandbox writes **additive, inheriting explicit ACEs for the `srt-sandbox` SID only** — it never rewrites or replaces a path's existing security descriptor:
|
|
558
|
+
|
|
559
|
+
- `filesystem.allowWrite` → an inheriting `MODIFY` ALLOW ACE (`READ|WRITE|EXECUTE|DELETE`, with `FILE_DELETE_CHILD` withheld). The sandboxed process can create, modify, and delete files inside the working tree; withholding `FILE_DELETE_CHILD` from the grant is defense-in-depth for the deny stamps below, not a guard on the tree root.
|
|
560
|
+
- `filesystem.allowRead` → an inheriting `READ|EXECUTE` ALLOW ACE
|
|
561
|
+
- `filesystem.denyRead` / `filesystem.denyWrite` → an inheriting DENY ACE on the target, plus an inheriting `FILE_DELETE_CHILD` DENY on its parent — together with the withheld `FILE_DELETE_CHILD` on the working-tree grant, this stops the sandboxed process from renaming or deleting a denied path via its parent directory
|
|
562
|
+
|
|
563
|
+
`reset()` removes every ACE this session added (refcounted across concurrent hosts via `state.db`; a crash-recovery pass on the next `initialize()` cleans up after an unclean exit). Directory targets are supported (the ACEs inherit to the whole subtree). Glob patterns are expanded to concrete paths at `initialize()` time — a matching path that appears later is not covered.
|
|
564
|
+
|
|
565
|
+
### TLS termination on Windows
|
|
566
|
+
|
|
567
|
+
`network.tlsTerminate` requires the MITM CA to be present in the **sandbox user's** `CurrentUser\Root` certificate store (schannel — the TLS backend used by `System32\curl.exe`, PowerShell `Invoke-WebRequest`, .NET, and default-backend `git` — trusts only the OS store, not environment variables). This is an install-time step, separate from `windows-install`:
|
|
568
|
+
|
|
569
|
+
```typescript
|
|
570
|
+
import { windowsTrustCa } from '@sysid/sandbox-runtime-improved'
|
|
571
|
+
windowsTrustCa('/path/to/mitm-ca.crt') // or: srt-win user trust-ca <path>
|
|
572
|
+
```
|
|
573
|
+
|
|
574
|
+
`initialize()` compares the session CA's thumbprint against the installed one and fails with an actionable message on mismatch, so a stale install-time CA cannot silently break TLS inside the sandbox.
|
|
575
|
+
|
|
576
|
+
OpenSSL-backed clients (msys2 `curl`, `git -c http.sslBackend=openssl`, Node, Python, cargo) are covered by the env-var trust layer: the same trust bundle used on macOS/Linux is passed into the sandbox via `NODE_EXTRA_CA_CERTS`, `SSL_CERT_FILE`, `CURL_CA_BUNDLE`, `GIT_SSL_CAINFO`, `CARGO_HTTP_CAINFO`, etc., and the bundle path is added to the session's `allowRead` grant so the sandbox account can open it.
|
|
577
|
+
|
|
578
|
+
### Windows-specific configuration
|
|
579
|
+
|
|
580
|
+
The cross-platform `filesystem` and `network` blocks apply as described above. Windows-only settings live under `windows`:
|
|
581
|
+
|
|
582
|
+
- `windows.proxyPortRange` — `[low, high]` inclusive port range the JS proxies bind inside. **Must match** the range passed to `windows-install --proxy-port-range` (default `[60080, 60089]`) — the WFP loopback PERMIT only covers that range.
|
|
583
|
+
- `windows.sublayerGuid` — WFP sublayer GUID under which the filters were installed. Omit to use the compile-time default; set only when enterprise tooling installed the filters under a custom sublayer.
|
|
584
|
+
- `windows.srtWin.path` — path to the `srt-win` binary. Omit to resolve the packaged `vendor/srt-win/<arch>/srt-win.exe`. Set when embedding `srt-win`'s CLI into a multicall binary; spawns then pass `--srt-win` as `argv[1]` so the embedder's dispatcher can route to `srt_win::run_from_args`.
|
|
585
|
+
|
|
586
|
+
### Known limitations
|
|
587
|
+
|
|
588
|
+
- **Certificate revocation under schannel.** CryptoAPI's CRL/OCSP fetch goes out via WinHTTP under the caller's token, ignoring the proxy environment, so it is blocked by the WFP egress fence. Tools that use schannel with revocation checking on by default fail with `CRYPT_E_REVOCATION_OFFLINE` (`0x80092013`) unless revocation is disabled per tool: `curl --ssl-no-revoke`, `git -c http.schannelCheckRevoke=false`, `CARGO_HTTP_CHECK_REVOKE=false`. `Invoke-WebRequest`, .NET `HttpClient`, and `gh` do not check revocation by default and are unaffected. A CRL distribution point served from the loopback proxy is planned to remove this workaround.
|
|
589
|
+
- **Per-user tool installs are not reachable.** The sandboxed process runs as `srt-sandbox`, not as you, so tools installed under your profile (nvm/fnm-managed Node, per-user `winget`/Scoop packages, `pip install --user`, `%LOCALAPPDATA%\Programs\…`) resolve on the inherited `PATH` but cannot be opened by the sandbox account. Prefer machine-wide installs (`Program Files`, `choco`/`winget --scope machine`), or add the specific profile paths to `filesystem.allowRead`.
|
|
590
|
+
- **Per-exec `filesystem.allowRead` / `filesystem.allowWrite` overrides are not supported.** Session-level `allowRead`/`allowWrite` (in the config passed to `initialize()`) work as described above; passing them per-command in `wrapWithSandbox`'s `customConfig` throws — grants are applied session-wide via `srt-win acl grant` at `initialize()`, and `srt-win exec` only exposes per-exec denies.
|
|
591
|
+
- **`proxyAuthToken` is visible in the runner's command line.** The proxy environment (including `HTTP_PROXY=http://srt:<token>@127.0.0.1:…`) is passed to the two-hop runner as `--env` arguments on `srt-win exec`'s argv, so the token is readable by any local principal that can open the runner process for `PROCESS_QUERY_LIMITED_INFORMATION`. The token exists so the sandboxed process can authenticate to the loopback proxy, so it is not a secret from the sandbox itself; on a single-user development machine this is generally acceptable, but on a shared host treat the proxy allowlist as reachable by other same-session principals.
|
|
592
|
+
- **DNS resolution via the system resolver is not fenced.** `getaddrinfo()` is serviced by the `Dnscache` service running as `NETWORK SERVICE`, so name resolution succeeds even though the subsequent `connect()` from the sandboxed process is blocked. Tools that do their own UDP/53 (`nslookup`, `dig`) are fenced. This mirrors the macOS behaviour.
|
|
593
|
+
|
|
594
|
+
### Uninstall
|
|
595
|
+
|
|
596
|
+
```powershell
|
|
597
|
+
npx @sysid/sandbox-runtime-improved windows-uninstall
|
|
598
|
+
```
|
|
599
|
+
|
|
600
|
+
Removes the WFP filter set, the `srt-sandbox` account and its profile, the `sandbox-runtime-users` group, and clears the credential/setup marker from `state.db` (one UAC prompt). `%LOCALAPPDATA%\sandbox-runtime\state.db` itself is left in place (it is ACL-stamped broker-only); delete the directory manually for a full sweep.
|
|
601
|
+
|
|
501
602
|
## Development
|
|
502
603
|
|
|
503
604
|
```bash
|
|
@@ -540,7 +641,7 @@ The sandbox runs HTTP and SOCKS5 proxy servers on the host machine that filter a
|
|
|
540
641
|
|
|
541
642
|
- **macOS**: The Seatbelt profile allows communication only to specific localhost ports where the proxies listen. All other network access is blocked.
|
|
542
643
|
|
|
543
|
-
**
|
|
644
|
+
- **Windows**: A WFP `ALE_AUTH_CONNECT` filter blocks every outbound connect from the `srt-sandbox` account except loopback to the configured proxy port range. The proxies bind inside that range. Environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, `ALL_PROXY`, …) point tools at the proxies, but the WFP filter is the boundary — a process that ignores or unsets them is still fenced.
|
|
544
645
|
|
|
545
646
|
### Filesystem Isolation
|
|
546
647
|
|
|
@@ -548,6 +649,7 @@ Filesystem restrictions are enforced at the OS level:
|
|
|
548
649
|
|
|
549
650
|
- **macOS**: Uses `sandbox-exec` with dynamically generated Seatbelt profiles that specify allowed read/write paths
|
|
550
651
|
- **Linux**: Uses `bubblewrap` with bind mounts, marking directories as read-only or read-write based on configuration
|
|
652
|
+
- **Windows**: Writes additive `(OI)(CI)` explicit ACEs for the `srt-sandbox` SID onto the configured paths (ALLOW on `allowRead`/`allowWrite`, DENY on `denyRead`/`denyWrite`), then removes them at `reset()`
|
|
551
653
|
|
|
552
654
|
**Default filesystem permissions:**
|
|
553
655
|
|
package/dist/cli.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
#!/usr/bin/env node
|
|
2
|
-
import
|
|
2
|
+
import { quote } from './utils/shell-quote.js';
|
|
3
3
|
import { Command } from 'commander';
|
|
4
4
|
import { SandboxManager } from './index.js';
|
|
5
5
|
import { spawn } from 'child_process';
|
|
@@ -46,12 +46,11 @@ async function main() {
|
|
|
46
46
|
// available programmatically as installWindowsSandbox().
|
|
47
47
|
program
|
|
48
48
|
.command('windows-install')
|
|
49
|
-
.description('Windows:
|
|
50
|
-
'(one UAC prompt).
|
|
51
|
-
.option('--name <group>', 'discriminator group name')
|
|
52
|
-
.option('--group-sid <sid>', 'discriminator group SID (overrides --name)')
|
|
49
|
+
.description('Windows: provision the `srt-sandbox` user account + install WFP ' +
|
|
50
|
+
'filters (one UAC prompt). No logout needed.')
|
|
53
51
|
.option('--sublayer-guid <guid>', 'WFP sublayer GUID')
|
|
54
52
|
.option('--proxy-port-range <lo-hi>', 'loopback PERMIT port range (e.g. 60080-60089)')
|
|
53
|
+
.option('--sandbox-user <name>', 'name for the sandbox user account (default: srt-sandbox)')
|
|
55
54
|
.option('--force', 'replace an existing install with different config')
|
|
56
55
|
.action(async (o) => {
|
|
57
56
|
const { installWindowsSandbox } = await import('./sandbox/windows-sandbox-utils.js');
|
|
@@ -60,10 +59,9 @@ async function main() {
|
|
|
60
59
|
: undefined;
|
|
61
60
|
try {
|
|
62
61
|
const r = installWindowsSandbox({
|
|
63
|
-
groupName: o.name,
|
|
64
|
-
groupSid: o.groupSid,
|
|
65
62
|
sublayerGuid: o.sublayerGuid,
|
|
66
63
|
proxyPortRange: range,
|
|
64
|
+
sandboxUser: o.sandboxUser,
|
|
67
65
|
force: Boolean(o.force),
|
|
68
66
|
});
|
|
69
67
|
if (r.cancelled) {
|
|
@@ -71,19 +69,16 @@ async function main() {
|
|
|
71
69
|
process.exit(2);
|
|
72
70
|
}
|
|
73
71
|
console.log(`Installed.\n` +
|
|
74
|
-
`
|
|
75
|
-
(r.
|
|
72
|
+
` sandbox user: ${r.user.provisioned ? 'provisioned' : 'MISSING'}` +
|
|
73
|
+
(r.user.sid ? ` (${r.user.sid})` : '') +
|
|
76
74
|
`\n` +
|
|
77
75
|
` WFP: ${r.wfp.state}, ${r.wfp.filters} filters` +
|
|
78
76
|
(r.wfp.portRange
|
|
79
77
|
? `, port range ${r.wfp.portRange[0]}-${r.wfp.portRange[1]}`
|
|
80
78
|
: '') +
|
|
81
79
|
`\n\n` +
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
: `→ LOG OUT and back in so the group SID enters your token.\n` +
|
|
85
|
-
` Network stays up meanwhile (WFP filter-0 PERMITs ` +
|
|
86
|
-
`non-members).`));
|
|
80
|
+
`No logout needed — the WFP filter keys on the dedicated ` +
|
|
81
|
+
`\`srt-sandbox\` user's SID, so your network is unaffected.`);
|
|
87
82
|
}
|
|
88
83
|
catch (e) {
|
|
89
84
|
console.error(`Error: ${e.message}`);
|
|
@@ -92,8 +87,7 @@ async function main() {
|
|
|
92
87
|
});
|
|
93
88
|
program
|
|
94
89
|
.command('windows-uninstall')
|
|
95
|
-
.description('Windows: remove WFP filters (one UAC prompt).
|
|
96
|
-
'use `srt-win.exe group delete` for full teardown.')
|
|
90
|
+
.description('Windows: remove WFP filters + the `srt-sandbox` account (one UAC prompt).')
|
|
97
91
|
.option('--sublayer-guid <guid>', 'WFP sublayer GUID')
|
|
98
92
|
.action(async (o) => {
|
|
99
93
|
const { uninstallWindowsSandbox } = await import('./sandbox/windows-sandbox-utils.js');
|
|
@@ -103,7 +97,7 @@ async function main() {
|
|
|
103
97
|
console.error('Uninstall cancelled at the UAC prompt.');
|
|
104
98
|
process.exit(2);
|
|
105
99
|
}
|
|
106
|
-
console.log('WFP filters
|
|
100
|
+
console.log('WFP filters and `srt-sandbox` account removed.');
|
|
107
101
|
}
|
|
108
102
|
catch (e) {
|
|
109
103
|
console.error(`Error: ${e.message}`);
|
|
@@ -191,7 +185,7 @@ async function main() {
|
|
|
191
185
|
// executed via `bash -c <command>`, so each arg must be
|
|
192
186
|
// shell-quoted to survive that re-parse — a plain join(' ')
|
|
193
187
|
// splits arguments containing whitespace (#157).
|
|
194
|
-
command =
|
|
188
|
+
command = quote(commandArgs);
|
|
195
189
|
logForDebugging(`Original command: ${command}`);
|
|
196
190
|
}
|
|
197
191
|
else {
|
package/dist/cli.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,
|
|
1
|
+
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,KAAK,EAAE,MAAM,wBAAwB,CAAA;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAC3E,OAAO,KAAK,QAAQ,MAAM,UAAU,CAAA;AACpC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAA;AAEtC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AAC9C,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAA;AAE9C;;GAEG;AACH,SAAS,oBAAoB;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,oBAAoB,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,OAAO;QACL,OAAO,EAAE;YACP,cAAc,EAAE,EAAE;YAClB,aAAa,EAAE,EAAE;SAClB;QACD,UAAU,EAAE;YACV,QAAQ,EAAE,EAAE;YACZ,SAAS,EAAE,EAAE;YACb,UAAU,EAAE,EAAE;YACd,SAAS,EAAE,EAAE;SACd;KACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;IAE7B,OAAO;SACJ,IAAI,CAAC,MAAM,CAAC;SACZ,WAAW,CACV,oEAAoE,CACrE;SACA,OAAO,CAAC,OAAO,CAAC,CAAA;IAEnB,iEAAiE;IACjE,yDAAyD;IACzD,yDAAyD;IACzD,OAAO;SACJ,OAAO,CAAC,iBAAiB,CAAC;SAC1B,WAAW,CACV,kEAAkE;QAChE,6CAA6C,CAChD;SACA,MAAM,CAAC,wBAAwB,EAAE,mBAAmB,CAAC;SACrD,MAAM,CACL,4BAA4B,EAC5B,+CAA+C,CAChD;SACA,MAAM,CACL,uBAAuB,EACvB,0DAA0D,CAC3D;SACA,MAAM,CAAC,SAAS,EAAE,mDAAmD,CAAC;SACtE,MAAM,CAAC,KAAK,EAAE,CAA+C,EAAE,EAAE;QAChE,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAC5C,oCAAoC,CACrC,CAAA;QACD,MAAM,KAAK,GACT,OAAO,CAAC,CAAC,cAAc,KAAK,QAAQ;YAClC,CAAC,CAAE,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAsB;YAC/D,CAAC,CAAC,SAAS,CAAA;QACf,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,qBAAqB,CAAC;gBAC9B,YAAY,EAAE,CAAC,CAAC,YAAkC;gBAClD,cAAc,EAAE,KAAK;gBACrB,WAAW,EAAE,CAAC,CAAC,WAAiC;gBAChD,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;aACxB,CAAC,CAAA;YACF,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAA;gBACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC;YACD,OAAO,CAAC,GAAG,CACT,cAAc;gBACZ,mBAAmB,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,EAAE;gBACnE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtC,IAAI;gBACJ,YAAY,CAAC,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,UAAU;gBACnD,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS;oBACd,CAAC,CAAC,gBAAgB,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE;oBAC5D,CAAC,CAAC,EAAE,CAAC;gBACP,MAAM;gBACN,0DAA0D;gBAC1D,4DAA4D,CAC/D,CAAA;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,UAAW,CAAW,CAAC,OAAO,EAAE,CAAC,CAAA;YAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CAAC,CAAA;IAEJ,OAAO;SACJ,OAAO,CAAC,mBAAmB,CAAC;SAC5B,WAAW,CACV,2EAA2E,CAC5E;SACA,MAAM,CAAC,wBAAwB,EAAE,mBAAmB,CAAC;SACrD,MAAM,CAAC,KAAK,EAAE,CAAqC,EAAE,EAAE;QACtD,MAAM,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAC9C,oCAAoC,CACrC,CAAA;QACD,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,uBAAuB,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,YAAY,EAAE,CAAC,CAAA;YACnE,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAA;gBACvD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAA;QAC/D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,UAAW,CAAW,CAAC,OAAO,EAAE,CAAC,CAAA;YAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CAAC,CAAA;IAEJ,2CAA2C;IAC3C,OAAO;SACJ,QAAQ,CAAC,cAAc,EAAE,+BAA+B,CAAC;SACzD,MAAM,CAAC,aAAa,EAAE,sBAAsB,CAAC;SAC7C,MAAM,CACL,uBAAuB,EACvB,qDAAqD,CACtD;SACA,MAAM,CACL,cAAc,EACd,+DAA+D,CAChE;SACA,MAAM,CACL,mBAAmB,EACnB,gEAAgE,EAChE,QAAQ,CACT;SACA,kBAAkB,EAAE;SACpB,MAAM,CACL,KAAK,EACH,WAAqB,EACrB,OAKC,EACD,EAAE;QACF,IAAI,CAAC;YACH,6DAA6D;YAC7D,+DAA+D;YAC/D,oEAAoE;YACpE,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,SAAS,GAAG,MAAM,CAAA;YAChC,CAAC;YAED,wBAAwB;YACxB,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,IAAI,oBAAoB,EAAE,CAAA;YAC7D,IAAI,aAAa,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;YAE1C,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,iEAAiE;gBACjE,4DAA4D;gBAC5D,yDAAyD;gBACzD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACrB,OAAO,CAAC,KAAK,CACX,uCAAuC,UAAU,sCAAsC;wBACrF,0CAA0C,CAC7C,CAAA;oBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;gBACjB,CAAC;gBACD,eAAe,CACb,sBAAsB,UAAU,wBAAwB,CACzD,CAAA;gBACD,aAAa,GAAG,gBAAgB,EAAE,CAAA;YACpC,CAAC;YAED,iCAAiC;YACjC,eAAe,CAAC,yBAAyB,CAAC,CAAA;YAC1C,MAAM,cAAc,CAAC,UAAU,CAAC,aAAa,CAAC,CAAA;YAE9C,4DAA4D;YAC5D,IAAI,aAAa,GAA8B,IAAI,CAAA;YACnD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,MAAM,aAAa,GAAG,EAAE,CAAC,gBAAgB,CAAC,EAAE,EAAE;wBAC5C,EAAE,EAAE,OAAO,CAAC,SAAS;qBACtB,CAAC,CAAA;oBACF,aAAa,GAAG,QAAQ,CAAC,eAAe,CAAC;wBACvC,KAAK,EAAE,aAAa;wBACpB,SAAS,EAAE,QAAQ;qBACpB,CAAC,CAAA;oBAEF,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE;wBAC9B,MAAM,SAAS,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAA;wBAC5C,IAAI,SAAS,EAAE,CAAC;4BACd,eAAe,CACb,mCAAmC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAC/D,CAAA;4BACD,cAAc,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;wBACxC,CAAC;6BAAM,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;4BACvB,gDAAgD;4BAChD,eAAe,CACb,2CAA2C,IAAI,EAAE,CAClD,CAAA;wBACH,CAAC;oBACH,CAAC,CAAC,CAAA;oBAEF,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;wBAC9B,eAAe,CAAC,qBAAqB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;oBACrD,CAAC,CAAC,CAAA;oBAEF,eAAe,CACb,sCAAsC,OAAO,CAAC,SAAS,EAAE,CAC1D,CAAA;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,eAAe,CACb,6BAA6B,OAAO,CAAC,SAAS,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACtG,CAAA;gBACH,CAAC;YACH,CAAC;YAED,iCAAiC;YACjC,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;gBACtB,aAAa,EAAE,KAAK,EAAE,CAAA;YACxB,CAAC,CAAC,CAAA;YAEF,yCAAyC;YACzC,IAAI,OAAe,CAAA;YACnB,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC;gBACd,oDAAoD;gBACpD,OAAO,GAAG,OAAO,CAAC,CAAC,CAAA;gBACnB,eAAe,CAAC,6BAA6B,OAAO,EAAE,CAAC,CAAA;YACzD,CAAC;iBAAM,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,2DAA2D;gBAC3D,wDAAwD;gBACxD,4DAA4D;gBAC5D,iDAAiD;gBACjD,OAAO,GAAG,KAAK,CAAC,WAAW,CAAC,CAAA;gBAC5B,eAAe,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAA;YACjD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CACX,6EAA6E,CAC9E,CAAA;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC;YAED,eAAe,CACb,IAAI,CAAC,SAAS,CACZ,cAAc,CAAC,2BAA2B,EAAE,EAC5C,IAAI,EACJ,CAAC,CACF,CACF,CAAA;YAED,yDAAyD;YACzD,yDAAyD;YACzD,uDAAuD;YACvD,uDAAuD;YACvD,0CAA0C;YAC1C,IAAI,KAAK,CAAA;YACT,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACjC,+DAA+D;gBAC/D,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GACjB,MAAM,cAAc,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAA;gBACnD,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;oBACpC,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,SAAS;oBAChB,GAAG;iBACJ,CAAC,CAAA;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,gBAAgB,GACpB,MAAM,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,CAAA;gBAC/C,KAAK,GAAG,KAAK,CAAC,gBAAgB,EAAE;oBAC9B,KAAK,EAAE,IAAI;oBACX,KAAK,EAAE,SAAS;iBACjB,CAAC,CAAA;YACJ,CAAC;YAED,sBAAsB;YACtB,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;gBAChC,uDAAuD;gBACvD,kEAAkE;gBAClE,8CAA8C;gBAC9C,cAAc,CAAC,mBAAmB,EAAE,CAAA;gBAEpC,IAAI,MAAM,EAAE,CAAC;oBACX,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;wBAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;oBACjB,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAA;wBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;oBACjB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;YAEF,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE;gBACxB,OAAO,CAAC,KAAK,CAAC,8BAA8B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;gBAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC,CAAC,CAAA;YAEF,8BAA8B;YAC9B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBACxB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YACtB,CAAC,CAAC,CAAA;YAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;gBACzB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YACvB,CAAC,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACnE,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CACF,CAAA;IAEH,OAAO,CAAC,KAAK,EAAE,CAAA;AACjB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAA;IACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}
|
package/dist/index.d.ts
CHANGED
|
@@ -3,13 +3,13 @@ export { SandboxViolationStore } from './sandbox/sandbox-violation-store.js';
|
|
|
3
3
|
export type { SandboxRuntimeConfig, NetworkConfig, FilesystemConfig, CredentialsConfig, CredentialFileConfig, CredentialEnvVarConfig, CredentialMode, IgnoreViolationsConfig, } from './sandbox/sandbox-config.js';
|
|
4
4
|
export { SandboxRuntimeConfigSchema, NetworkConfigSchema, FilesystemConfigSchema, CredentialsConfigSchema, IgnoreViolationsConfigSchema, RipgrepConfigSchema, } from './sandbox/sandbox-config.js';
|
|
5
5
|
export type { SandboxAskCallback, FsReadRestrictionConfig, FsWriteRestrictionConfig, CredentialRestrictionConfig, NetworkRestrictionConfig, NetworkHostPattern, } from './sandbox/sandbox-schemas.js';
|
|
6
|
-
export type { FilterRequestCallback, RequestDecision, } from './sandbox/request-filter.js';
|
|
6
|
+
export type { FilterRequestCallback, RequestDecision, MutateForwardedHeaders, } from './sandbox/request-filter.js';
|
|
7
7
|
export type { SandboxViolationEvent } from './sandbox/macos-sandbox-utils.js';
|
|
8
8
|
export { type SandboxDependencyCheck } from './sandbox/linux-sandbox-utils.js';
|
|
9
|
-
export { getSrtWinPath,
|
|
10
|
-
export type {
|
|
11
|
-
export type { WindowsConfig } from './sandbox/sandbox-config.js';
|
|
12
|
-
export { WindowsConfigSchema } from './sandbox/sandbox-config.js';
|
|
9
|
+
export { getSrtWinPath, resolveSrtWin, getWindowsWfpStatus, verifyWindowsWfpEgress, getWindowsSandboxUserStatus, getWindowsSandboxCaCert, windowsTrustCa, installWindowsSandbox, uninstallWindowsSandbox, windowsInstallInstructions, stampWindowsAcl, restoreWindowsAcl, grantWindowsAcl, revokeWindowsAcl, expandWindowsFsPaths, buildGitConfigEnv, DEFAULT_WINDOWS_PROXY_PORT_RANGE, SRT_WIN_DISPATCH_ARG1, } from './sandbox/windows-sandbox-utils.js';
|
|
10
|
+
export type { WindowsInstallOptions, WindowsInstallResult, WindowsWfpStatus, WindowsAclStampOptions, WindowsAclGrantOptions, WindowsAclAceOutcome, WindowsWfpStatusResult, WindowsWfpVerifyResult, WindowsSandboxUserStatus, SrtWinSpawn, } from './sandbox/windows-sandbox-utils.js';
|
|
11
|
+
export type { WindowsConfig, SrtWinConfig } from './sandbox/sandbox-config.js';
|
|
12
|
+
export { WindowsConfigSchema, SrtWinConfigSchema, } from './sandbox/sandbox-config.js';
|
|
13
13
|
export { getDefaultWritePaths } from './sandbox/sandbox-utils.js';
|
|
14
14
|
export { getWslVersion } from './utils/platform.js';
|
|
15
15
|
export type { Platform } from './utils/platform.js';
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAA;AAG5E,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,EACtB,cAAc,EACd,sBAAsB,GACvB,MAAM,6BAA6B,CAAA;AAEpC,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,4BAA4B,EAC5B,mBAAmB,GACpB,MAAM,6BAA6B,CAAA;AAGpC,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,wBAAwB,EACxB,2BAA2B,EAC3B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,8BAA8B,CAAA;AAGrC,YAAY,EACV,qBAAqB,EACrB,eAAe,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAA;AAG5E,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EACjB,oBAAoB,EACpB,sBAAsB,EACtB,cAAc,EACd,sBAAsB,GACvB,MAAM,6BAA6B,CAAA;AAEpC,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,4BAA4B,EAC5B,mBAAmB,GACpB,MAAM,6BAA6B,CAAA;AAGpC,YAAY,EACV,kBAAkB,EAClB,uBAAuB,EACvB,wBAAwB,EACxB,2BAA2B,EAC3B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,8BAA8B,CAAA;AAGrC,YAAY,EACV,qBAAqB,EACrB,eAAe,EACf,sBAAsB,GACvB,MAAM,6BAA6B,CAAA;AAGpC,YAAY,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAA;AAC7E,OAAO,EAAE,KAAK,sBAAsB,EAAE,MAAM,kCAAkC,CAAA;AAG9E,OAAO,EACL,aAAa,EACb,aAAa,EACb,mBAAmB,EACnB,sBAAsB,EACtB,2BAA2B,EAC3B,uBAAuB,EACvB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,0BAA0B,EAC1B,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,iBAAiB,EACjB,gCAAgC,EAChC,qBAAqB,GACtB,MAAM,oCAAoC,CAAA;AAC3C,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,gBAAgB,EAChB,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,EACpB,sBAAsB,EACtB,sBAAsB,EACtB,wBAAwB,EACxB,WAAW,GACZ,MAAM,oCAAoC,CAAA;AAC3C,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAA;AAC9E,OAAO,EACL,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,6BAA6B,CAAA;AAGpC,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AAGjE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AACnD,YAAY,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAA"}
|
package/dist/index.js
CHANGED
|
@@ -3,8 +3,8 @@ export { SandboxManager } from './sandbox/sandbox-manager.js';
|
|
|
3
3
|
export { SandboxViolationStore } from './sandbox/sandbox-violation-store.js';
|
|
4
4
|
export { SandboxRuntimeConfigSchema, NetworkConfigSchema, FilesystemConfigSchema, CredentialsConfigSchema, IgnoreViolationsConfigSchema, RipgrepConfigSchema, } from './sandbox/sandbox-config.js';
|
|
5
5
|
// Windows install/status API
|
|
6
|
-
export { getSrtWinPath,
|
|
7
|
-
export { WindowsConfigSchema } from './sandbox/sandbox-config.js';
|
|
6
|
+
export { getSrtWinPath, resolveSrtWin, getWindowsWfpStatus, verifyWindowsWfpEgress, getWindowsSandboxUserStatus, getWindowsSandboxCaCert, windowsTrustCa, installWindowsSandbox, uninstallWindowsSandbox, windowsInstallInstructions, stampWindowsAcl, restoreWindowsAcl, grantWindowsAcl, revokeWindowsAcl, expandWindowsFsPaths, buildGitConfigEnv, DEFAULT_WINDOWS_PROXY_PORT_RANGE, SRT_WIN_DISPATCH_ARG1, } from './sandbox/windows-sandbox-utils.js';
|
|
7
|
+
export { WindowsConfigSchema, SrtWinConfigSchema, } from './sandbox/sandbox-config.js';
|
|
8
8
|
// Utility functions
|
|
9
9
|
export { getDefaultWritePaths } from './sandbox/sandbox-utils.js';
|
|
10
10
|
// Platform utilities
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,kBAAkB;AAClB,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAA;AAc5E,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,4BAA4B,EAC5B,mBAAmB,GACpB,MAAM,6BAA6B,CAAA;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,kBAAkB;AAClB,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sCAAsC,CAAA;AAc5E,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,4BAA4B,EAC5B,mBAAmB,GACpB,MAAM,6BAA6B,CAAA;AAuBpC,6BAA6B;AAC7B,OAAO,EACL,aAAa,EACb,aAAa,EACb,mBAAmB,EACnB,sBAAsB,EACtB,2BAA2B,EAC3B,uBAAuB,EACvB,cAAc,EACd,qBAAqB,EACrB,uBAAuB,EACvB,0BAA0B,EAC1B,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,gBAAgB,EAChB,oBAAoB,EACpB,iBAAiB,EACjB,gCAAgC,EAChC,qBAAqB,GACtB,MAAM,oCAAoC,CAAA;AAc3C,OAAO,EACL,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,6BAA6B,CAAA;AAEpC,oBAAoB;AACpB,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AAEjE,qBAAqB;AACrB,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA"}
|
|
@@ -0,0 +1,157 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Credential file masking (Linux).
|
|
3
|
+
*
|
|
4
|
+
* For a `credentials.files` entry with `mode: "mask"`, srt reads the real
|
|
5
|
+
* file content on the host, registers one or more sentinels in the
|
|
6
|
+
* {@link SentinelRegistry}, and writes a fake file (sentinel-substituted)
|
|
7
|
+
* to a manager-owned temp directory. The Linux sandbox then `--ro-bind`s
|
|
8
|
+
* the fake over the real path, so the sandboxed process reads the
|
|
9
|
+
* sentinel(s). The proxy substitution from env-var masking already scans
|
|
10
|
+
* every header for any registered sentinel, so a tool that does
|
|
11
|
+
* `Authorization: Bearer $(cat <maskedFile>)` reaches the upstream with
|
|
12
|
+
* the real bytes — no proxy changes required.
|
|
13
|
+
*
|
|
14
|
+
* Without `extract`, masking is **whole-file**: one sentinel replaces the
|
|
15
|
+
* entire content. With `extract`, masking is **structured**: a regex picks
|
|
16
|
+
* out the credential value(s) and only those spans are replaced, so a tool
|
|
17
|
+
* that parses the file (JSON/YAML/.netrc) still sees valid syntax. See
|
|
18
|
+
* {@link extractAndSubstitute} and {@link CredentialFileConfigSchema}.
|
|
19
|
+
*
|
|
20
|
+
* On macOS, SBPL cannot redirect reads, so masked files degrade to
|
|
21
|
+
* `mode: "deny"` (see macos-sandbox-utils.ts).
|
|
22
|
+
*/
|
|
23
|
+
import type { CredentialFileConfig } from './sandbox-config.js';
|
|
24
|
+
import type { SentinelRegistry } from './credential-sentinel.js';
|
|
25
|
+
/**
|
|
26
|
+
* Result of {@link extractAndSubstitute}: the file content with each
|
|
27
|
+
* matched capture-group-1 span replaced by `sentinelFor(capture, i)`,
|
|
28
|
+
* plus the distinct captured values in first-seen (index) order.
|
|
29
|
+
*/
|
|
30
|
+
export interface ExtractResult {
|
|
31
|
+
fakeContent: string;
|
|
32
|
+
captures: string[];
|
|
33
|
+
}
|
|
34
|
+
/** Options for {@link extractAndSubstitute}. */
|
|
35
|
+
export interface ExtractOptions {
|
|
36
|
+
/**
|
|
37
|
+
* If true, verbatim occurrences of each captured value *outside* the
|
|
38
|
+
* regex-matched spans are also replaced with that capture's sentinel —
|
|
39
|
+
* for a secret repeated where the regex does not reach (e.g. pasted
|
|
40
|
+
* into a comment). The scan matches raw substrings: a short or common
|
|
41
|
+
* captured value may corrupt unrelated content that happens to contain
|
|
42
|
+
* it, so this option is intended for long, high-entropy secrets.
|
|
43
|
+
*/
|
|
44
|
+
maskDuplicates?: boolean;
|
|
45
|
+
}
|
|
46
|
+
/**
|
|
47
|
+
* Apply `pattern` globally to `content` and return `content` with each
|
|
48
|
+
* matched capture-group-1 span replaced by `sentinelFor(capture, i)`,
|
|
49
|
+
* where `i` is the zero-based index of the distinct captured value in
|
|
50
|
+
* first-seen order.
|
|
51
|
+
*
|
|
52
|
+
* Offset-based: the regex `d` flag exposes capture-group offsets, so the
|
|
53
|
+
* output is built by slicing between spans and splicing the sentinel in
|
|
54
|
+
* at the exact `[start, end)` of group 1. By default only the
|
|
55
|
+
* regex-matched span is replaced — a captured value that coincidentally
|
|
56
|
+
* appears elsewhere in the file (outside any match) is left intact. No
|
|
57
|
+
* placeholder pass, no substring-ordering concern.
|
|
58
|
+
*
|
|
59
|
+
* With `maskDuplicates` (see {@link ExtractOptions}), an indexOf scan
|
|
60
|
+
* additionally collects every verbatim occurrence of each captured value
|
|
61
|
+
* elsewhere in the file. All spans are computed against the ORIGINAL
|
|
62
|
+
* content — never the partially substituted output — so an inserted
|
|
63
|
+
* sentinel can never be re-matched and corrupted, even when a captured
|
|
64
|
+
* value is a substring of the sentinel literal. Regex-match spans win
|
|
65
|
+
* over verbatim ones, and verbatim scans run longest-capture-first so a
|
|
66
|
+
* shorter capture that is a substring of a longer one cannot claim part
|
|
67
|
+
* of the longer secret's occurrence.
|
|
68
|
+
*
|
|
69
|
+
* Returns `null` when the pattern matches nothing — the caller routes
|
|
70
|
+
* that per the entry's `onExtractNoMatch` option (warn / deny / error;
|
|
71
|
+
* see {@link buildMaskedFileBinds}).
|
|
72
|
+
*
|
|
73
|
+
* Throws when a match has no group-1 capture. The schema already rejects
|
|
74
|
+
* patterns with zero groups, so this only fires when group 1 is optional
|
|
75
|
+
* and absent for some match (e.g. `"token: (\\S+)?"`); accepting that
|
|
76
|
+
* would silently mask nothing for that occurrence.
|
|
77
|
+
*
|
|
78
|
+
* Pure on `content`/`pattern`; the callback may close over a registry.
|
|
79
|
+
*/
|
|
80
|
+
export declare function extractAndSubstitute(content: string, pattern: string, sentinelFor: (capture: string, index: number) => string, options?: ExtractOptions): ExtractResult | null;
|
|
81
|
+
/** One masked file's bind mapping for the platform builder. */
|
|
82
|
+
export interface MaskedFileBind {
|
|
83
|
+
/** Resolved (tilde-expanded, realpath'd) host path of the real file. */
|
|
84
|
+
realPath: string;
|
|
85
|
+
/** Path to the fake file containing the sentinel. */
|
|
86
|
+
fakePath: string;
|
|
87
|
+
}
|
|
88
|
+
/**
|
|
89
|
+
* Manager-owned temp dir holding the fake files.
|
|
90
|
+
*
|
|
91
|
+
* INVARIANT: this directory must never be writable from inside the sandbox.
|
|
92
|
+
* The Linux layer enforces this by emitting `--ro-bind <dirPath> <dirPath>`
|
|
93
|
+
* after every other filesystem mount (see generateFilesystemArgs), so the
|
|
94
|
+
* store stays read-only even if a caller's allowWrite covers os.tmpdir() or
|
|
95
|
+
* the host's $TMPDIR points under a default-writable path. If the sandbox
|
|
96
|
+
* could write here it could replace a fake's content (the bind exposes the
|
|
97
|
+
* source file) or plant a symlink for a later host-side write() to follow.
|
|
98
|
+
*/
|
|
99
|
+
export declare class MaskedFileStore {
|
|
100
|
+
private dir;
|
|
101
|
+
private readonly byKey;
|
|
102
|
+
/**
|
|
103
|
+
* Write `sentinel` to a fake file for `key` and return its path.
|
|
104
|
+
* Idempotent on `key`: a repeat call rewrites the same fake (so a
|
|
105
|
+
* changed sentinel after re-register propagates) instead of leaking a
|
|
106
|
+
* new file per wrapWithSandbox() call.
|
|
107
|
+
*/
|
|
108
|
+
write(key: string, sentinel: string): string;
|
|
109
|
+
/** Remove the temp dir and every fake file in it. Idempotent. */
|
|
110
|
+
dispose(): void;
|
|
111
|
+
/** Temp dir path, or undefined if no fake has been written yet. */
|
|
112
|
+
get dirPath(): string | undefined;
|
|
113
|
+
}
|
|
114
|
+
/** Result of {@link buildMaskedFileBinds}. */
|
|
115
|
+
export interface MaskedFileBuildResult {
|
|
116
|
+
binds: MaskedFileBind[];
|
|
117
|
+
/**
|
|
118
|
+
* Resolved paths of `mode: "mask"` entries that degraded to deny at
|
|
119
|
+
* runtime — populated when `extract` matches nothing and the entry's
|
|
120
|
+
* `onExtractNoMatch` is `"deny"`. Callers union these into the
|
|
121
|
+
* read-deny set so the credential file is unreadable rather than
|
|
122
|
+
* exposed.
|
|
123
|
+
*/
|
|
124
|
+
degradeToDenyPaths: string[];
|
|
125
|
+
}
|
|
126
|
+
/**
|
|
127
|
+
* For each `mode: "mask"` file entry: resolve the path, read the real
|
|
128
|
+
* content, build the fake content (whole-file or structured per `extract`),
|
|
129
|
+
* register sentinels in `registry`, write the fake via `store`, and return
|
|
130
|
+
* the bind list plus any entries that degraded to deny.
|
|
131
|
+
*
|
|
132
|
+
* Whole-file mode (no `extract`): one sentinel keyed `file:<path>` whose
|
|
133
|
+
* real value is the entire file content; the fake file *is* the sentinel.
|
|
134
|
+
*
|
|
135
|
+
* Structured mode (`extract` set): one sentinel per distinct captured
|
|
136
|
+
* value, keyed `file:<path>#<i>`; the fake file is the real content with
|
|
137
|
+
* each captured span replaced by its sentinel. If the regex matches
|
|
138
|
+
* nothing, the entry's `onExtractNoMatch` decides:
|
|
139
|
+
* - `"warn"` (default): skip the entry with a loud stderr warning —
|
|
140
|
+
* fail-open, the file stays readable via the root mount;
|
|
141
|
+
* - `"deny"`: push the path to `degradeToDenyPaths` — fail-closed, the
|
|
142
|
+
* file becomes unreadable inside the sandbox;
|
|
143
|
+
* - `"error"`: throw, so nothing runs until the regex is fixed.
|
|
144
|
+
* With `maskDuplicates`, verbatim occurrences of each captured value
|
|
145
|
+
* outside the matched spans are also replaced (see {@link ExtractOptions}).
|
|
146
|
+
*
|
|
147
|
+
* Entries whose path does not exist, is unreadable, or resolves to a
|
|
148
|
+
* directory are skipped with a debug log — same posture as a masked env
|
|
149
|
+
* var that's unset on the host: nothing to protect, and surfacing a hard
|
|
150
|
+
* error would make a portable config brittle across machines.
|
|
151
|
+
*
|
|
152
|
+
* The directory check is the authoritative one (the schema only catches a
|
|
153
|
+
* trailing slash); whole-file masking has no meaning for a directory.
|
|
154
|
+
*/
|
|
155
|
+
export declare function buildMaskedFileBinds(files: readonly CredentialFileConfig[], allowedDomains: readonly string[], registry: SentinelRegistry, store: MaskedFileStore): MaskedFileBuildResult;
|
|
156
|
+
export declare const MASKED_FILE_STORE_PREFIX = "srt-credmask-";
|
|
157
|
+
//# sourceMappingURL=credential-mask-files.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"credential-mask-files.d.ts","sourceRoot":"","sources":["../../src/sandbox/credential-mask-files.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAOH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAA;AAC/D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAA;AAShE;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAWD,gDAAgD;AAChD,MAAM,WAAW,cAAc;IAC7B;;;;;;;OAOG;IACH,cAAc,CAAC,EAAE,OAAO,CAAA;CACzB;AASD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,MAAM,EACvD,OAAO,GAAE,cAAmB,GAC3B,aAAa,GAAG,IAAI,CAkEtB;AAED,+DAA+D;AAC/D,MAAM,WAAW,cAAc;IAC7B,wEAAwE;IACxE,QAAQ,EAAE,MAAM,CAAA;IAChB,qDAAqD;IACrD,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED;;;;;;;;;;GAUG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,GAAG,CAAoB;IAC/B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA4B;IAElD;;;;;OAKG;IACH,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM;IAoB5C,iEAAiE;IACjE,OAAO,IAAI,IAAI;IAcf,mEAAmE;IACnE,IAAI,OAAO,IAAI,MAAM,GAAG,SAAS,CAEhC;CACF;AAED,8CAA8C;AAC9C,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,cAAc,EAAE,CAAA;IACvB;;;;;;OAMG;IACH,kBAAkB,EAAE,MAAM,EAAE,CAAA;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,SAAS,oBAAoB,EAAE,EACtC,cAAc,EAAE,SAAS,MAAM,EAAE,EACjC,QAAQ,EAAE,gBAAgB,EAC1B,KAAK,EAAE,eAAe,GACrB,qBAAqB,CAiGvB;AAED,eAAO,MAAM,wBAAwB,kBAAkB,CAAA"}
|