@telora/daemon 0.17.53 → 0.17.56

package/dist/spawn-sandbox.js

@@ -0,0 +1,210 @@
+/**
+ * OS sandbox for spawned agents -- "make the worktree boundary true" (D3).
+ *
+ * The daemon spawns agents with --dangerously-skip-permissions /
+ * --dangerously-bypass-approvals-and-sandbox. The ONLY isolation around such a
+ * spawn used to be a git worktree, which bounds the git branch but NOT the OS:
+ * the agent could read sibling repos, the operator's home, SSH/cloud creds, and
+ * reach the network freely. This module wraps the spawn command in an OS
+ * sandbox (bubblewrap on Linux) so the agent's filesystem is confined to its
+ * worktree plus an explicit read-only allowlist (toolchain + model-auth config),
+ * with privileged capabilities and namespaces dropped.
+ *
+ * Posture (see docs/security-posture-daemon-execution.md):
+ * - FILESYSTEM confinement + capability/namespace isolation are ENFORCED by bwrap.
+ * - OUTBOUND EGRESS allowlisting is NOT enforced here (bubblewrap has no L3/L7
+ *   egress filter); it is a documented residual gap. Network is shared so the
+ *   agent can still reach the Telora API / git / registries / model API.
+ *
+ * FAIL-CLOSED: an EXPLICIT 'bwrap' mode whose sandbox cannot initialize REFUSES
+ * the spawn (throws SandboxUnavailableError) rather than running unconfined.
+ *
+ * DEFAULT is 'off' (see resolveSandboxMode): auto-enabling a sandbox whose
+ * per-host read-bind set has not been validated could break real spawns, so
+ * operators opt in to 'bwrap' after the per-host validation in
+ * docs/runbook-daemon-service-user.md. On Linux with bwrap present we log a
+ * recommendation to enable it.
+ *
+ * Pure command construction (buildSandboxCommand) takes injected deps so it is
+ * unit-testable without a real bubblewrap.
+ */
+import { existsSync } from 'node:fs';
+import { join, isAbsolute } from 'node:path';
+import { healthEvents } from '@telora/daemon-core';
+/** Thrown when an explicitly-required sandbox cannot initialize (fail-closed). */
+export class SandboxUnavailableError extends Error {
+    constructor(detail) {
+        super(`Sandbox required but unavailable -- refusing spawn (fail-closed). ${detail}`);
+        this.name = 'SandboxUnavailableError';
+    }
+}
+/** Default bubblewrap executable name (overridable via deps for tests). */
+export const BWRAP_COMMAND = 'bwrap';
+/** Return true if an executable name/path exists on the host PATH. */
+export function commandOnPath(command, env = process.env) {
+    if (isAbsolute(command) || command.includes('/'))
+        return existsSync(command);
+    const pathEnv = env.PATH ?? '';
+    return pathEnv.split(':').filter(Boolean).some((dir) => existsSync(join(dir, command)));
+}
+/** Is bubblewrap available on this host? */
+export function isBwrapAvailable(deps = {}) {
+    const cmd = deps.bwrapCommand ?? BWRAP_COMMAND;
+    const exists = deps.commandExists ?? ((c) => commandOnPath(c));
+    return exists(cmd);
+}
+/**
+ * Resolve the effective sandbox mode.
+ *
+ * - explicit config.sandbox.mode wins (and is honored even if unavailable --
+ *   buildSandboxCommand then fail-closes).
+ * - unset + darwin => 'off' (dev; bwrap is Linux-only).
+ * - unset + linux  => 'off' (safe default), with a warning health event emitted
+ *   when bwrap is available. Operators opt in explicitly after per-host validation
+ *   -- see docs/runbook-daemon-service-user.md.
+ */
+export function resolveSandboxMode(sandbox, deps = {}) {
+    if (sandbox?.mode)
+        return sandbox.mode;
+    const platform = deps.platform ?? process.platform;
+    if (platform !== 'linux')
+        return 'off';
+    const available = deps.bwrapAvailable ?? isBwrapAvailable();
+    if (available) {
+        const message = 'bubblewrap is available but the spawn sandbox is OFF (default). ' +
+            'Enable filesystem confinement by setting sandbox.mode="bwrap" in daemon.json ' +
+            'after validating per-host read-binds -- see docs/runbook-daemon-service-user.md.';
+        if (deps.logRecommendation) {
+            deps.logRecommendation(message);
+        }
+        else {
+            healthEvents.emit({
+                severity: 'warn',
+                source: 'spawn-sandbox',
+                code: 'sandbox.off_bwrap_available',
+                message,
+            });
+        }
+    }
+    return 'off';
+}
+/**
+ * Build the (possibly sandbox-wrapped) command + args for a spawn.
+ *
+ * mode 'off'   -> returns the inner command unchanged and emits a loud
+ *                 "running unconfined" signal (the spawn has the daemon user's
+ *                 full authority).
+ * mode 'bwrap' -> if bwrap is unavailable, THROWS SandboxUnavailableError
+ *                 (fail-closed); otherwise returns a bwrap invocation that binds
+ *                 the worktree read-write, the readOnlyPaths read-only, system
+ *                 dirs read-only, and drops privileged namespaces.
+ */
+export function buildSandboxCommand(opts) {
+    const { command, args, policy, mode, bwrapAvailable } = opts;
+    const bwrap = opts.bwrapCommand ?? BWRAP_COMMAND;
+    if (mode === 'off') {
+        opts.onUnconfined?.('spawn sandbox is OFF -- the agent runs with the daemon user\'s full filesystem authority');
+        return { command, args: [...args] };
+    }
+    // mode === 'bwrap'
+    if (!bwrapAvailable) {
+        throw new SandboxUnavailableError(`sandbox.mode is "bwrap" but the "${bwrap}" executable was not found on the daemon host. ` +
+            'Install bubblewrap or set sandbox.mode="off" (unconfined) deliberately.');
+    }
+    const bwrapArgs = [
+        // Lifecycle / isolation: drop privileged namespaces, keep NET (the agent
+        // needs Telora/git/registry/model access). Die with the daemon; new session.
+        '--die-with-parent',
+        '--new-session',
+        '--unshare-user',
+        '--unshare-ipc',
+        '--unshare-pid',
+        '--unshare-uts',
+        '--unshare-cgroup',
+        // Minimal virtual filesystems.
+        '--proc', '/proc',
+        '--dev', '/dev',
+        '--tmpfs', '/tmp',
+        // System runtime + config, read-only. -try so a missing dir is skipped, not fatal.
+        '--ro-bind', '/usr', '/usr',
+        '--ro-bind-try', '/bin', '/bin',
+        '--ro-bind-try', '/sbin', '/sbin',
+        '--ro-bind-try', '/lib', '/lib',
+        '--ro-bind-try', '/lib64', '/lib64',
+        // /etc read-only: CA certs, resolv.conf, passwd. Does NOT expose any home dir.
+        '--ro-bind-try', '/etc', '/etc',
+    ];
+    // The worktree is the ONLY writable host tree.
+    bwrapArgs.push('--bind', policy.worktreePath, policy.worktreePath);
+    // Explicit read-only allowlist (toolchain + model-auth config). Anything not
+    // listed -- sibling repos, ~/.ssh, ~/.aws, other homes -- is simply not bound,
+    // so it is invisible inside the sandbox.
+    for (const p of policy.readOnlyPaths ?? []) {
+        if (p && p.trim())
+            bwrapArgs.push('--ro-bind-try', p, p);
+    }
+    bwrapArgs.push('--chdir', policy.worktreePath);
+    // Terminator, then the real command.
+    bwrapArgs.push('--', command, ...args);
+    return { command: bwrap, args: bwrapArgs };
+}
+/**
+ * High-level helper used by the spawn path: resolve mode from config, derive the
+ * read-only allowlist (toolchain + model-auth config), and build the wrapped
+ * command. Emits a health event on unconfined runs and refuses (throws) when an
+ * explicitly-required sandbox is unavailable.
+ */
+export function wrapSpawnCommand(config, spawn) {
+    const mode = resolveSandboxMode(config.sandbox);
+    const bwrapAvailable = isBwrapAvailable();
+    const readOnlyPaths = deriveReadOnlyPaths(config, spawn.command);
+    return buildSandboxCommand({
+        command: spawn.command,
+        args: spawn.args,
+        policy: { worktreePath: spawn.worktreePath, readOnlyPaths },
+        mode,
+        bwrapAvailable,
+        onUnconfined: (reason) => {
+            healthEvents.emit({
+                severity: 'warn',
+                source: 'spawn-sandbox',
+                code: 'sandbox.unconfined',
+                message: reason,
+            });
+        },
+    });
+}
+/**
+ * Derive the read-only host paths a spawn legitimately needs: the toolchain
+ * (the backend command's dir + the daemon's own node), the agent's model-auth
+ * config under HOME (~/.claude.json, ~/.claude, ~/.codex), and any extra paths
+ * configured. Kept narrow -- this is the allowlist that decides what the agent
+ * can read OUTSIDE its worktree. Exported for tests.
+ */
+export function deriveReadOnlyPaths(config, backendCommand) {
+    const paths = new Set();
+    const home = process.env.HOME;
+    // Model-auth config the agent needs (NOT ~/.ssh, NOT ~/.aws).
+    // ~/.gitconfig: read-only, safe to expose -- agents commit work under the
+    // daemon user's identity; without this git refuses to commit inside the sandbox.
+    if (home) {
+        paths.add(join(home, '.claude.json'));
+        paths.add(join(home, '.claude'));
+        paths.add(join(home, '.codex'));
+        paths.add(join(home, '.gitconfig'));
+    }
+    // Per-product isolated CODEX_HOME, when set.
+    if (config.codexHome)
+        paths.add(config.codexHome);
+    // The daemon's node executable (so the agent's tooling can re-exec node).
+    if (process.execPath)
+        paths.add(process.execPath);
+    // The backend command itself, when it is an absolute path outside /usr.
+    if (isAbsolute(backendCommand))
+        paths.add(backendCommand);
+    // Operator-configured extras.
+    for (const p of config.sandbox?.readOnlyPaths ?? [])
+        paths.add(p);
+    return [...paths];
+}
+//# sourceMappingURL=spawn-sandbox.js.map

package/dist/spawn-sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"spawn-sandbox.js","sourceRoot":"","sources":["../src/spawn-sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGnD,kFAAkF;AAClF,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IAChD,YAAY,MAAc;QACxB,KAAK,CAAC,qEAAqE,MAAM,EAAE,CAAC,CAAC;QACrF,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAED,2EAA2E;AAC3E,MAAM,CAAC,MAAM,aAAa,GAAG,OAAO,CAAC;AAErC,sEAAsE;AACtE,MAAM,UAAU,aAAa,CAAC,OAAe,EAAE,MAAyB,OAAO,CAAC,GAAG;IACjF,IAAI,UAAU,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;IAC/B,OAAO,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;AAC1F,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,gBAAgB,CAC9B,OAA4E,EAAE;IAE9E,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,IAAI,aAAa,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;IACvE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAkC,EAClC,OAA4G,EAAE;IAE9G,IAAI,OAAO,EAAE,IAAI;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IAEvC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IACnD,IAAI,QAAQ,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAEvC,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,IAAI,gBAAgB,EAAE,CAAC;IAC5D,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,OAAO,GACX,kEAAkE;YAClE,+EAA+E;YAC/E,kFAAkF,CAAC;QACrF,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,YAAY,CAAC,IAAI,CAAC;gBAChB,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,eAAe;gBACvB,IAAI,EAAE,6BAA6B;gBACnC,OAAO;aACR,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AA+BD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAsB;IACxD,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC;IAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,IAAI,aAAa,CAAC;IAEjD,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,YAAY,EAAE,CACjB,0FAA0F,CAC3F,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,CAAC;IACtC,CAAC;IAED,mBAAmB;IACnB,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,uBAAuB,CAC/B,oCAAoC,KAAK,iDAAiD;YACxF,yEAAyE,CAC5E,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAa;QAC1B,yEAAyE;QACzE,6EAA6E;QAC7E,mBAAmB;QACnB,eAAe;QACf,gBAAgB;QAChB,eAAe;QACf,eAAe;QACf,eAAe;QACf,kBAAkB;QAClB,+BAA+B;QAC/B,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,MAAM;QACf,SAAS,EAAE,MAAM;QACjB,mFAAmF;QACnF,WAAW,EAAE,MAAM,EAAE,MAAM;QAC3B,eAAe,EAAE,MAAM,EAAE,MAAM;QAC/B,eAAe,EAAE,OAAO,EAAE,OAAO;QACjC,eAAe,EAAE,MAAM,EAAE,MAAM;QAC/B,eAAe,EAAE,QAAQ,EAAE,QAAQ;QACnC,+EAA+E;QAC/E,eAAe,EAAE,MAAM,EAAE,MAAM;KAChC,CAAC;IAEF,+CAA+C;IAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IAEnE,6EAA6E;IAC7E,+EAA+E;IAC/E,yCAAyC;IACzC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,aAAa,IAAI,EAAE,EAAE,CAAC;QAC3C,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE;YAAE,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IAC/C,qCAAqC;IACrC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IAEvC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AAC7C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAC9B,MAAoB,EACpB,KAAyE;IAEzE,MAAM,IAAI,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,cAAc,GAAG,gBAAgB,EAAE,CAAC;IAE1C,MAAM,aAAa,GAAG,mBAAmB,CAAC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;IAEjE,OAAO,mBAAmB,CAAC;QACzB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,MAAM,EAAE,EAAE,YAAY,EAAE,KAAK,CAAC,YAAY,EAAE,aAAa,EAAE;QAC3D,IAAI;QACJ,cAAc;QACd,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE;YACvB,YAAY,CAAC,IAAI,CAAC;gBAChB,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,eAAe;gBACvB,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;QACL,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAoB,EAAE,cAAsB;IAC9E,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;IAE9B,8DAA8D;IAC9D,0EAA0E;IAC1E,iFAAiF;IACjF,IAAI,IAAI,EAAE,CAAC;QACT,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC,CAAC;QACtC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC;QACjC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;QAChC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,6CAA6C;IAC7C,IAAI,MAAM,CAAC,SAAS;QAAE,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAElD,0EAA0E;IAC1E,IAAI,OAAO,CAAC,QAAQ;QAAE,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAElD,wEAAwE;IACxE,IAAI,UAAU,CAAC,cAAc,CAAC;QAAE,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAE1D,8BAA8B;IAC9B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,aAAa,IAAI,EAAE;QAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAElE,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;AACpB,CAAC"}

package/dist/types/config.d.ts

@@ -21,12 +21,52 @@ export interface TelemetryConfig {
     /** Number of days to retain telemetry events. Default: 30. */
     retentionDays: number;
 }
+/**
+ * OS sandbox mode for spawned agents.
+ * - 'bwrap': confine each spawn with bubblewrap (Linux). If bwrap cannot
+ *   initialize, the spawn is REFUSED (fail-closed) -- never run unconfined.
+ * - 'off':   no OS sandbox; the spawn runs with the daemon user's authority
+ *            (the worktree bounds only the git branch, not the filesystem).
+ */
+export type SandboxMode = 'bwrap' | 'off';
+/**
+ * Configuration for the spawn OS sandbox (D3 -- "make the worktree boundary true").
+ *
+ * Default resolution when `mode` is unset: macOS (dev) => 'off'; Linux => 'off'
+ * by default too, but the daemon logs a recommendation to enable 'bwrap' when
+ * bubblewrap is available. Defaulting to 'off' is deliberate -- auto-enabling a
+ * sandbox whose per-host read-bind set has not been validated could break real
+ * spawns; operators opt in to 'bwrap' after the per-host validation in
+ * docs/runbook-daemon-service-user.md. An EXPLICIT 'bwrap' is fail-closed: if
+ * bubblewrap is unavailable the spawn is refused, never silently unconfined.
+ */
+export interface SandboxConfig {
+    /** Sandbox mode. Unset => platform default (see above). */
+    mode?: SandboxMode;
+    /**
+     * Extra host paths to expose read-only inside the sandbox -- the toolchain
+     * (node/claude/codex bin dirs) and the agent's model-auth config the spawn
+     * legitimately needs (e.g. ~/.claude.json, ~/.codex). The worktree itself is
+     * always bound read-write; everything not listed is invisible.
+     */
+    readOnlyPaths?: string[];
+    /**
+     * Outbound egress allowlist (hostnames). NOTE: bubblewrap does NOT enforce
+     * L3/L7 egress, so this is currently advisory and documented as a residual
+     * gap in docs/security-posture-daemon-execution.md (candidate enforcement:
+     * per-uid nftables rules at the service-user layer). Filesystem confinement
+     * + capability/namespace isolation are the enforced boundary today.
+     */
+    egressAllowlist?: string[];
+}
 /**
  * Configuration for the daemon.
  *
  * Extends BaseConfig from @telora/daemon-core with daemon-specific fields.
  */
 export interface DaemonConfig extends BaseConfig {
+    /** OS sandbox for spawned agents (D3). Undefined => platform default. */
+    sandbox?: SandboxConfig;
     /** Path/command for the Codex CLI executable. Default: 'codex' (on PATH). */
     codexPath?: string;
     worktreeDir: string;

package/dist/types/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEtD;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,GAAG,WAAW,GAAG,aAAa,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,6DAA6D;IAC7D,OAAO,EAAE,OAAO,CAAC;IACjB,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,uEAAuE;IACvE,eAAe,EAAE,MAAM,CAAC;IACxB,8DAA8D;IAC9D,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAa,SAAQ,UAAU;IAC9C,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,kBAAkB,EAAE,MAAM,CAAC;IAC3B,4FAA4F;IAC5F,4BAA4B,EAAE,MAAM,CAAC;IACrC,gFAAgF;IAChF,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,iDAAiD;IACjD,aAAa,EAAE,MAAM,CAAC;IACtB,qEAAqE;IACrE,gBAAgB,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,SAAS,EAAE,eAAe,CAAC;IAC3B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/types/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEtD;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,GAAG,WAAW,GAAG,aAAa,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,6DAA6D;IAC7D,OAAO,EAAE,OAAO,CAAC;IACjB,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,uEAAuE;IACvE,eAAe,EAAE,MAAM,CAAC;IACxB,8DAA8D;IAC9D,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,KAAK,CAAC;AAE1C;;;;;;;;;;GAUG;AACH,MAAM,WAAW,aAAa;IAC5B,2DAA2D;IAC3D,IAAI,CAAC,EAAE,WAAW,CAAC;IACnB;;;;;OAKG;IACH,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAa,SAAQ,UAAU;IAC9C,yEAAyE;IACzE,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,kBAAkB,EAAE,MAAM,CAAC;IAC3B,4FAA4F;IAC5F,4BAA4B,EAAE,MAAM,CAAC;IACrC,gFAAgF;IAChF,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,iDAAiD;IACjD,aAAa,EAAE,MAAM,CAAC;IACtB,qEAAqE;IACrE,gBAAgB,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,SAAS,EAAE,eAAe,CAAC;IAC3B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@telora/daemon",
-  "version": "0.17.53",
+  "version": "0.17.56",
   "description": "Agent orchestration daemon for Telora - spawns and manages Claude Code instances",
   "type": "module",
   "bin": {
@@ -36,7 +36,7 @@
   },
   "//testRunner": "Uses Node.js built-in test runner (node:test) via tsx for TypeScript support. The root package uses Vitest; this is a deliberate choice for the daemon package to avoid framework dependencies. See src/__tests__/ for test files.",
   "dependencies": {
-    "@telora/daemon-core": "^0.2.37",
+    "@telora/daemon-core": "^0.2.38",
     "@telora/mcp-products": "^0.22.57",
     "commander": "^14.0.3",
     "yaml": "^2.4.0",