@terminals-tech/agent-zero 1.0.0 → 2.0.0
- package/LICENSE +21 -0
- package/THEORY.md +207 -0
- package/dist/agency/commandRouter.d.ts +10 -0
- package/dist/agency/commandRouter.d.ts.map +1 -1
- package/dist/agency/commandRouter.js +206 -0
- package/dist/agency/commandRouter.js.map +1 -1
- package/dist/agency/runtime.d.ts +26 -0
- package/dist/agency/runtime.d.ts.map +1 -1
- package/dist/agency/runtime.js +138 -6
- package/dist/agency/runtime.js.map +1 -1
- package/dist/channels/gemini.d.ts +73 -0
- package/dist/channels/gemini.d.ts.map +1 -0
- package/dist/channels/gemini.js +246 -0
- package/dist/channels/gemini.js.map +1 -0
- package/dist/channels/sms.d.ts.map +1 -1
- package/dist/channels/sms.js +1 -2
- package/dist/channels/sms.js.map +1 -1
- package/dist/interop/a2a.d.ts +133 -0
- package/dist/interop/a2a.d.ts.map +1 -0
- package/dist/interop/a2a.js +357 -0
- package/dist/interop/a2a.js.map +1 -0
- package/dist/interop/index.d.ts +10 -0
- package/dist/interop/index.d.ts.map +1 -0
- package/dist/interop/index.js +10 -0
- package/dist/interop/index.js.map +1 -0
- package/dist/interop/mcp.d.ts +111 -0
- package/dist/interop/mcp.d.ts.map +1 -0
- package/dist/interop/mcp.js +337 -0
- package/dist/interop/mcp.js.map +1 -0
- package/dist/moltbook/approvalGate.d.ts +23 -0
- package/dist/moltbook/approvalGate.d.ts.map +1 -1
- package/dist/moltbook/approvalGate.js +45 -0
- package/dist/moltbook/approvalGate.js.map +1 -1
- package/dist/moltbook/attentionField.d.ts +14 -0
- package/dist/moltbook/attentionField.d.ts.map +1 -1
- package/dist/moltbook/attentionField.js +37 -1
- package/dist/moltbook/attentionField.js.map +1 -1
- package/dist/moltbook/daemon.d.ts +27 -0
- package/dist/moltbook/daemon.d.ts.map +1 -1
- package/dist/moltbook/daemon.js +184 -5
- package/dist/moltbook/daemon.js.map +1 -1
- package/dist/moltbook/responseComposer.d.ts +7 -2
- package/dist/moltbook/responseComposer.d.ts.map +1 -1
- package/dist/moltbook/responseComposer.js +36 -7
- package/dist/moltbook/responseComposer.js.map +1 -1
- package/dist/moltbook/strategicContext.d.ts +89 -0
- package/dist/moltbook/strategicContext.d.ts.map +1 -0
- package/dist/moltbook/strategicContext.js +283 -0
- package/dist/moltbook/strategicContext.js.map +1 -0
- package/dist/primitives/index.d.ts +6 -2
- package/dist/primitives/index.d.ts.map +1 -1
- package/dist/primitives/index.js +6 -2
- package/dist/primitives/index.js.map +1 -1
- package/dist/rail/persistence.d.ts +70 -1
- package/dist/rail/persistence.d.ts.map +1 -1
- package/dist/rail/persistence.js +270 -3
- package/dist/rail/persistence.js.map +1 -1
- package/dist/rail/plugin.d.ts +76 -0
- package/dist/rail/plugin.d.ts.map +1 -0
- package/dist/rail/plugin.js +141 -0
- package/dist/rail/plugin.js.map +1 -0
- package/dist/rail/server.d.ts +121 -30
- package/dist/rail/server.d.ts.map +1 -1
- package/dist/rail/server.js +404 -28
- package/dist/rail/server.js.map +1 -1
- package/dist/rail/wsServer.d.ts +7 -0
- package/dist/rail/wsServer.d.ts.map +1 -1
- package/dist/rail/wsServer.js +233 -11
- package/dist/rail/wsServer.js.map +1 -1
- package/dist/resonance/globalKuramoto.d.ts +20 -0
- package/dist/resonance/globalKuramoto.d.ts.map +1 -1
- package/dist/resonance/globalKuramoto.js +95 -2
- package/dist/resonance/globalKuramoto.js.map +1 -1
- package/dist/resonance/kuramoto.d.ts +6 -0
- package/dist/resonance/kuramoto.d.ts.map +1 -1
- package/dist/resonance/kuramoto.js +25 -0
- package/dist/resonance/kuramoto.js.map +1 -1
- package/dist/routing/index.d.ts +2 -0
- package/dist/routing/index.d.ts.map +1 -1
- package/dist/routing/index.js +1 -0
- package/dist/routing/index.js.map +1 -1
- package/dist/routing/modelRegistry.d.ts +54 -0
- package/dist/routing/modelRegistry.d.ts.map +1 -0
- package/dist/routing/modelRegistry.js +150 -0
- package/dist/routing/modelRegistry.js.map +1 -0
- package/dist/routing/thermodynamic.d.ts +14 -3
- package/dist/routing/thermodynamic.d.ts.map +1 -1
- package/dist/routing/thermodynamic.js +26 -12
- package/dist/routing/thermodynamic.js.map +1 -1
- package/dist/runtime/agent-zero.d.ts +38 -2
- package/dist/runtime/agent-zero.d.ts.map +1 -1
- package/dist/runtime/agent-zero.js +110 -7
- package/dist/runtime/agent-zero.js.map +1 -1
- package/dist/runtime/contextWindow.d.ts +62 -0
- package/dist/runtime/contextWindow.d.ts.map +1 -0
- package/dist/runtime/contextWindow.js +125 -0
- package/dist/runtime/contextWindow.js.map +1 -0
- package/dist/runtime/identity.d.ts +65 -0
- package/dist/runtime/identity.d.ts.map +1 -0
- package/dist/runtime/identity.js +199 -0
- package/dist/runtime/identity.js.map +1 -0
- package/dist/runtime/index.d.ts +6 -0
- package/dist/runtime/index.d.ts.map +1 -1
- package/dist/runtime/index.js +6 -0
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/sessionStore.d.ts +70 -0
- package/dist/runtime/sessionStore.d.ts.map +1 -0
- package/dist/runtime/sessionStore.js +134 -0
- package/dist/runtime/sessionStore.js.map +1 -0
- package/dist/security/capabilities.d.ts +46 -0
- package/dist/security/capabilities.d.ts.map +1 -1
- package/dist/security/capabilities.js +176 -0
- package/dist/security/capabilities.js.map +1 -1
- package/dist/security/combinators.d.ts +89 -0
- package/dist/security/combinators.d.ts.map +1 -0
- package/dist/security/combinators.js +168 -0
- package/dist/security/combinators.js.map +1 -0
- package/dist/security/index.d.ts +7 -1
- package/dist/security/index.d.ts.map +1 -1
- package/dist/security/index.js +4 -1
- package/dist/security/index.js.map +1 -1
- package/dist/security/isolation.d.ts +76 -0
- package/dist/security/isolation.d.ts.map +1 -0
- package/dist/security/isolation.js +118 -0
- package/dist/security/isolation.js.map +1 -0
- package/dist/security/sandbox.d.ts +38 -1
- package/dist/security/sandbox.d.ts.map +1 -1
- package/dist/security/sandbox.js +68 -8
- package/dist/security/sandbox.js.map +1 -1
- package/package.json +13 -3
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sessionStore.js","sourceRoot":"","sources":["../../src/runtime/sessionStore.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AACjG,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAqC5B,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E,SAAS,eAAe,CAAC,KAAgB,EAAE,QAAkC;IAC3E,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC;IACpC,OAAO;QACL,EAAE,EAAE,UAAU,EAAE;QAChB,OAAO,EAAE,UAAU,CAAC,EAAE;QACtB,SAAS,EAAE,UAAU,CAAC,IAAI;QAC1B,KAAK,EAAE,UAAU,CAAC,KAAK;QACvB,MAAM,EAAE,eAAe,CAAC,UAAU,CAAC,MAAM,CAAC;QAC1C,KAAK,EAAE,eAAe,CAAC,UAAU,CAAC,KAAK,CAAC;QACxC,aAAa,EAAE,UAAU,CAAC,QAAQ,CAAC,KAAK;QACxC,iBAAiB,EAAE,UAAU,CAAC,QAAQ,CAAC,SAAS;QAChD,QAAQ,EAAE,eAAe,CAAC,UAAU,CAAC,QAAQ,CAAC;QAC9C,aAAa,EAAE,eAAe,CAAC,UAAU,CAAC,aAAa,CAAC;QACxD,QAAQ,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,MAAM,OAAO,oBAAoB;IACvB,SAAS,GAAiC,IAAI,GAAG,EAAE,CAAC;IAE5D,KAAK,CAAC,IAAI,CAAC,KAAgB;QACzB,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC1C,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,UAAkB;QAC3B,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;IAChD,CAAC;IAED,OAAO,CAAC,KAAgB,EAAE,QAAyB;QACjD,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAgB;QACzB,MAAM,OAAO,GAAiF,EAAE,CAAC;QACjG,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,CAAC;YAC3C,IAAI,OAAO,IAAI,IAAI,CAAC,OAAO,KAAK,OAAO;gBAAE,SAAS;YAClD,OAAO,CAAC,IAAI,CAAC;gBACX,EAAE,EAAE,IAAI,CAAC,EAAE;gBACX,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAC;QACL,CAAC;QACD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC;IAC3D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,UAAkB;QAC7B,IAAI,CAAC,SAA
S,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACpC,CAAC;CACF;AAED,+EAA+E;AAC/E,6BAA6B;AAC7B,+EAA+E;AAE/E,MAAM,OAAO,gBAAgB;IACnB,GAAG,CAAS;IAEpB,YAAY,GAAW;QACrB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAgB;QACzB,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC;QACvD,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC,CAAC;QAC3D,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,UAAkB;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,OAAO,CAAC,CAAC;QACtD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;QACvC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC5C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,CAAC,KAAgB,EAAE,QAAyB;QACjD,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAgB;QACzB,MAAM,OAAO,GAAiF,EAAE,CAAC;QACjG,IAAI,KAAe,CAAC;QACpB,IAAI,CAAC;YACH,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QACjE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;gBACxD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;gBAChD,IAAI,OAAO,IAAI,IAAI,CAAC,OAAO,KAAK,OAAO;oBAAE,SAAS;gBAClD,OAAO,CAAC,IAAI,CAAC;oBACX,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,SAAS,EAAE,IAAI,CAAC,SAAS;iBAC1B,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,qBAAqB;YACvB,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC;IAC3D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,UAAkB;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,OAAO,CAAC,C
AAC;QACtD,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,UAAU,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;CACF"}
|
|
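--- a/package/dist/security/capabilities.d.ts
+++ b/package/dist/security/capabilities.d.ts
@@ -14,6 +14,7 @@
 */
 import { z } from 'zod';
 import { IsomorphicSandbox, CapabilityScope, BoundaryViolation } from './sandbox.js';
+import { type CapabilityExpression } from './combinators.js';
 export declare const SkillCapabilityDeclaration: z.ZodObject<{
 /** Filesystem access (glob patterns) */
 filesystem: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
@@ -169,6 +170,51 @@ export declare class SkillCapabilityManager {
 * Parse capability declaration from SKILL.md frontmatter
 */
 parseDeclarationFromFrontmatter(frontmatter: string): SkillCapabilityDeclaration;
+/**
+* Parse a declarative security DSL string into a CapabilityExpression.
+*
+* Syntax:
+* read(filesystem:./data/**) & network(api.example.com) | write(filesystem:./output/**)
+*
+* Operators:
+* & = combine (both granted, higher precedence)
+* | = union (either granted, lower precedence)
+*
+* NOTE: In the current capability model, both & and | resolve to `combine()`
+* because capabilities are additive scope sets — "grant A and B" and "grant
+* A or B" both result in the union of scopes. A future `intersect()` combinator
+* would make & restrict to the overlap, but this is not yet implemented.
+* The two operators are preserved for DSL readability and forward compatibility.
+*
+* Functions:
+* read(pattern), write(pattern), network(domain),
+* execute(binary), spawn(N), memory(bytes)
+*
+* Parentheses are used for function arguments, not grouping of expressions.
+*
+* Precedence: & binds tighter than |
+* "A | B & C" = "A | (B & C)"
+*/
+parseDSL(dsl: string): CapabilityExpression;
+/**
+* Tokenize DSL string into an array of tokens.
+* Token types: 'func' (e.g. read), 'lparen', 'rparen', 'and', 'or', 'arg' (argument text)
+*/
+private tokenizeDSL;
+/**
+* Parse union (|) level — lowest precedence.
+* union = intersection (| intersection)*
+*/
+private parseDSLUnion;
+/**
+* Parse intersection (&) level — higher precedence than |.
+* intersection = primary (& primary)*
+*/
+private parseDSLIntersection;
+/**
+* Parse primary: func(arg)
+*/
+private parseDSLPrimary;
 /**
 * Infer scopes from declaration
 */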
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"capabilities.d.ts","sourceRoot":"","sources":["../../src/security/capabilities.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EACL,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EAElB,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"capabilities.d.ts","sourceRoot":"","sources":["../../src/security/capabilities.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EACL,iBAAiB,EACjB,eAAe,EACf,iBAAiB,EAElB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,KAAK,oBAAoB,EAQ1B,MAAM,kBAAkB,CAAC;AAM1B,eAAO,MAAM,0BAA0B;IACrC,wCAAwC;;IAExC,uCAAuC;;IAEvC,gCAAgC;;IAEhC,4BAA4B;;IAE5B,yBAAyB;;;;;;;;;;;;;;EAEzB,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,eAAO,MAAM,qBAAqB;IAChC,iBAAiB;;IAEjB,4BAA4B;;QAhB5B,wCAAwC;;QAExC,uCAAuC;;QAEvC,gCAAgC;;QAEhC,4BAA4B;;QAE5B,yBAAyB;;;;;;;;;;;;;;;IAUzB,oCAAoC;;IAEpC,sCAAsC;;IAEtC,gCAAgC;;IAEhC,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAE7B,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAM1E,qBAAa,sBAAsB;IACjC,OAAO,CAAC,OAAO,CAAoB;IACnC,OAAO,CAAC,QAAQ,CAAiD;gBAErD,OAAO,EAAE,iBAAiB;IAItC;;OAEG;IACH,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,0BAA0B,GAAG,qBAAqB;IAoE3F;;OAEG;IACH,gBAAgB,CACd,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,eAAe,EACtB,QAAQ,EAAE,MAAM,GACf;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,SAAS,CAAC,EAAE,iBAAiB,CAAA;KAAE;IAuBtD;;OAEG;IACH,sBAAsB,CAAC,IAAI,EAAE,MAAM,EAAE,cAAc,EAAE,eAAe,GAAG,iBAAiB;IAexF;;OAEG;IACH,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAmB/B;;OAEG;IACH,gBAAgB,IAAI,KAAK,CAAC;QACxB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,eAAe,EAAE,CAAC;QAC1B,MAAM,EAAE,MAAM,CAAC;QACf,cAAc,EAAE,MAAM,CAAC;KACxB,CAAC;IAmBF;;OAEG;IACH,+BAA+B,CAAC,WAAW,EAAE,MAAM,GAAG,0BAA0B;IAsEhF;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACH,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,oBAAoB;IAS3C;;;OAGG;IACH,OAAO,CAAC,WAAW;IAsDnB;;;OAGG;IACH,OAAO,CAAC,aAAa;IAerB;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAe5B;;OAEG;IACH,OAAO,CAAC,eAAe;IAqEvB;;OAEG;IACH,OAAO,CAAC,0BAA0B;CAmBnC;AAMD,wBAAgB,4BAA4B,CAAC,OAAO,EAAE,iBAAiB,GAAG,sBAAsB,CAE/F"}
|
|
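--- a/package/dist/security/capabilities.js
+++ b/package/dist/security/capabilities.js
@@ -14,6 +14,7 @@
 */
 import { z } from 'zod';
 import { BoundaryViolation, } from './sandbox.js';
+import { read, write, network, execute, spawn, memory, combine, } from './combinators.js';
 // ============================================================================
 // SKILL CAPABILITY SCHEMAS
 // ============================================================================
@@ -240,6 +241,181 @@ export class SkillCapabilityManager {
 // Validate and return
 return SkillCapabilityDeclaration.parse(parsed);
 }
+// ==========================================================================
+// DSL PARSER
+// ==========================================================================
+/**
+* Parse a declarative security DSL string into a CapabilityExpression.
+*
+* Syntax:
+* read(filesystem:./data/**) & network(api.example.com) | write(filesystem:./output/**)
+*
+* Operators:
+* & = combine (both granted, higher precedence)
+* | = union (either granted, lower precedence)
+*
+* NOTE: In the current capability model, both & and | resolve to `combine()`
+* because capabilities are additive scope sets — "grant A and B" and "grant
+* A or B" both result in the union of scopes. A future `intersect()` combinator
+* would make & restrict to the overlap, but this is not yet implemented.
+* The two operators are preserved for DSL readability and forward compatibility.
+*
+* Functions:
+* read(pattern), write(pattern), network(domain),
+* execute(binary), spawn(N), memory(bytes)
+*
+* Parentheses are used for function arguments, not grouping of expressions.
+*
+* Precedence: & binds tighter than |
+* "A | B & C" = "A | (B & C)"
+*/
+parseDSL(dsl) {
+const tokens = this.tokenizeDSL(dsl);
+if (tokens.length === 0) {
+throw new Error('DSL parse error: empty expression');
+}
+const result = this.parseDSLUnion(tokens, { pos: 0 });
+return result;
+}
+/**
+* Tokenize DSL string into an array of tokens.
+* Token types: 'func' (e.g. read), 'lparen', 'rparen', 'and', 'or', 'arg' (argument text)
+*/
+tokenizeDSL(dsl) {
+const tokens = [];
+let i = 0;
+const s = dsl.trim();
+while (i < s.length) {
+// Skip whitespace
+if (/\s/.test(s[i])) {
+i++;
+continue;
+}
+// Operators
+if (s[i] === '&') {
+tokens.push({ type: 'and', value: '&' });
+i++;
+continue;
+}
+if (s[i] === '|') {
+tokens.push({ type: 'or', value: '|' });
+i++;
+continue;
+}
+if (s[i] === '(') {
+tokens.push({ type: 'lparen', value: '(' });
+i++;
+continue;
+}
+if (s[i] === ')') {
+tokens.push({ type: 'rparen', value: ')' });
+i++;
+continue;
+}
+// Identifiers / arguments: everything that's not an operator or paren
+let start = i;
+while (i < s.length && !/[&|()]/.test(s[i]) && !/^\s$/.test(s[i])) {
+i++;
+}
+const word = s.slice(start, i).trim();
+if (word.length > 0) {
+// Check if it's a known function name
+const funcNames = ['read', 'write', 'network', 'execute', 'spawn', 'memory'];
+if (funcNames.includes(word)) {
+tokens.push({ type: 'func', value: word });
+}
+else {
+tokens.push({ type: 'arg', value: word });
+}
+}
+}
+return tokens;
+}
+/**
+* Parse union (|) level — lowest precedence.
+* union = intersection (| intersection)*
+*/
+parseDSLUnion(tokens, cursor) {
+let left = this.parseDSLIntersection(tokens, cursor);
+while (cursor.pos < tokens.length && tokens[cursor.pos].type === 'or') {
+cursor.pos++; // consume |
+const right = this.parseDSLIntersection(tokens, cursor);
+left = combine(left, right);
+}
+return left;
+}
+/**
+* Parse intersection (&) level — higher precedence than |.
+* intersection = primary (& primary)*
+*/
+parseDSLIntersection(tokens, cursor) {
+let left = this.parseDSLPrimary(tokens, cursor);
+while (cursor.pos < tokens.length && tokens[cursor.pos].type === 'and') {
+cursor.pos++; // consume &
+const right = this.parseDSLPrimary(tokens, cursor);
+left = combine(left, right);
+}
+return left;
+}
+/**
+* Parse primary: func(arg)
+*/
+parseDSLPrimary(tokens, cursor) {
+if (cursor.pos >= tokens.length) {
+throw new Error('DSL parse error: unexpected end of expression');
+}
+const token = tokens[cursor.pos];
+if (token.type !== 'func') {
+throw new Error(`DSL parse error: expected function name, got '${token.value}'`);
+}
+const funcName = token.value;
+cursor.pos++; // consume func name
+// Expect '('
+if (cursor.pos >= tokens.length || tokens[cursor.pos].type !== 'lparen') {
+throw new Error(`DSL parse error: expected '(' after '${funcName}'`);
+}
+cursor.pos++; // consume (
+// Collect argument tokens until ')'
+const argParts = [];
+while (cursor.pos < tokens.length && tokens[cursor.pos].type !== 'rparen') {
+argParts.push(tokens[cursor.pos].value);
+cursor.pos++;
+}
+if (cursor.pos >= tokens.length || tokens[cursor.pos].type !== 'rparen') {
+throw new Error(`DSL parse error: expected ')' to close '${funcName}('`);
+}
+cursor.pos++; // consume )
+const arg = argParts.join('');
+// Strip optional type prefix (e.g., "filesystem:" or "api.example.com")
+const colonIdx = arg.indexOf(':');
+const cleanArg = colonIdx >= 0 ? arg.slice(colonIdx + 1) : arg;
+switch (funcName) {
+case 'read':
+return read(cleanArg);
+case 'write':
+return write(cleanArg);
+case 'network':
+return network(arg); // network uses the full domain, no prefix stripping
+case 'execute':
+return execute(cleanArg);
+case 'spawn': {
+const n = parseInt(arg, 10);
+if (isNaN(n) || n < 0) {
+throw new Error(`DSL parse error: spawn requires a non-negative integer, got '${arg}'`);
+}
+return spawn(n);
+}
+case 'memory': {
+const bytes = parseInt(arg, 10);
+if (isNaN(bytes) || bytes <= 0) {
+throw new Error(`DSL parse error: memory requires a positive integer, got '${arg}'`);
+}
+return memory(bytes);
+}
+default:
+throw new Error(`DSL parse error: unknown function '${funcName}'`);
+}
+}
 /**
 * Infer scopes from declaration
 */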
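Review bot: `parseDSL` returns the result of `parseDSLUnion` without checking that the cursor reached the end of the token list, so a string such as `read(a) write(b)`, or one with a stray `)` after a valid term, parses successfully and everything after the first complete expression is silently dropped; a capability policy that only partly parses should be rejected. Keep the cursor in a local and fail on leftovers: `const cursor = { pos: 0 };`, `const result = this.parseDSLUnion(tokens, cursor);`, `if (cursor.pos < tokens.length) throw new Error('DSL parse error: unexpected trailing input');`. In `parseDSLPrimary`, `argParts.join('')` glues together every token before `)`, so whitespace inside a pattern disappears and the granted path differs from the one written, and `read()` reaches `read('')` with no emptiness check; rejecting an empty argument and one that spans more than a single token would close both. `parseInt(arg, 10)` accepts `spawn(3x)` as 3, so a `/^\d+$/` test before conversion would make the numeric limits strict. The `cleanArg` logic drops everything before the first `:` whatever the prefix is, which looks intended only for `filesystem:`; that is worth confirming against how `read`, `write` and `execute` in combinators.js interpret their argument, which this page does not show.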
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"capabilities.js","sourceRoot":"","sources":["../../src/security/capabilities.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAGL,iBAAiB,GAElB,MAAM,cAAc,CAAC;AAEtB,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,wCAAwC;IACxC,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC3C,uCAAuC;IACvC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,gCAAgC;IAChC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAChD,4BAA4B;IAC5B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,EAAE,gBAAgB;IAChF,yBAAyB;IACzB,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACpC,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,iBAAiB;IACjB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,4BAA4B;IAC5B,WAAW,EAAE,0BAA0B;IACvC,oCAAoC;IACpC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE;IAC3B,sCAAsC;IACtC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,gCAAgC;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,6BAA6B;IAC7B,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC;CACvC,CAAC,CAAC;AAGH,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,MAAM,OAAO,sBAAsB;IACzB,OAAO,CAAoB;IAC3B,QAAQ,GAAuC,IAAI,GAAG,EAAE,CAAC;IAEjE,YAAY,OAA0B;QACpC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,IAAY,EAAE,WAAuC;QACjE,0CAA0C;QAC1C,MAAM,MAAM,GAAsB,EAAE,CAAC;QACrC,MAAM,SAAS,GAAsB,EAAE,CAAC;QAExC,oBAAoB;QACpB,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC7B,KAAK,MAAM,OAAO,IAAI,WAAW,CAAC,UAAU,EAAE,CAAC;gBAC7C,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,KAAK,MAAM,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;gBAC1C,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,WAAW,OAA
O,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;gBACpE,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,UAAU,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,WAAW,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACrB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,WAAW,WAAW,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,gBAAgB;QAChB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,gBAAgB,WAAW,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAEjF,qBAAqB;QACrB,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QACxD,CAAC;QAED,2CAA2C;QAC3C,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACzB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAEzD,+BAA+B;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE;YACnD,MAAM;YACN,SAAS;YACT,MAAM,EAAE,UAAU,IAAI,EAAE;SACzB,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,2BAA2B;QAC3B,MAAM,OAAO,GAA0B;YACrC,SAAS,EAAE,IAAI;YACf,WAAW;YACX,eAAe,EAAE,UAAU,CAAC,KAAK;YACjC,GAAG,EAAE,IAAI;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,UAAU,EAAE,EAAE;SACf,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACjC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,gBAAgB,CACd,IAAY,EACZ,KAAsB,EACtB,QAAgB;QAEhB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,SAAS,GAAsB;gBACnC,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,UAAU,IAAI,kBAAkB;gBACzC,QAAQ;gBACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC;YACF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QACvC,CAAC;QAED,yCAAyC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAE5E,mBAAmB;QACnB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,MAAM,C
AAC;IAChB,CAAC;IAED;;OAEG;IACH,sBAAsB,CAAC,IAAY,EAAE,cAA+B;QAClE,MAAM,SAAS,GAAsB;YACnC,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,UAAU,IAAI,oCAAoC,cAAc,GAAG;YAC5E,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,IAAY;QACtB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO;YAAE,OAAO;QAErB,+BAA+B;QAC/B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAE7C,iCAAiC;QACjC,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YACvC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,sCAAsC;YACxC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,gBAAgB;QAMd,MAAM,MAAM,GAKP,EAAE,CAAC;QAER,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YACpE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC;YAC9C,MAAM,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;YAEjD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;QACxD,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,+BAA+B,CAAC,WAAmB;QACjD,gCAAgC;QAChC,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAE1E,8BAA8B;QAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,MAAM,GAA4B,EAAE,CAAC;QAE3C,IAAI,UAAU,GAAkB,IAAI,CAAC;QACrC,IAAI,YAAY,GAAa,EAAE,CAAC;QAEhC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAElD,aAAa;YACb,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,IAAI,UAAU,EAAE,CAAC;oBACf,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC7C,CAAC;gBACD,SAAS;YACX,CAAC;YAED,uBAAuB;YACvB,IAAI,UAAU,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC
,EAAE,CAAC;gBAC1C,MAAM,CAAC,UAAU,CAAC,GAAG,YAAY,CAAC;gBAClC,YAAY,GAAG,EAAE,CAAC;YACpB,CAAC;YAED,iBAAiB;YACjB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YACrE,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;gBAC7B,UAAU,GAAG,GAAG,CAAC;gBAEjB,UAAU;gBACV,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;oBAC1C,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,KAAK,MAAM,CAAC;oBAC/B,UAAU,GAAG,IAAI,CAAC;oBAClB,SAAS;gBACX,CAAC;gBAED,SAAS;gBACT,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBACxB,MAAM,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBAClC,UAAU,GAAG,IAAI,CAAC;oBAClB,SAAS;gBACX,CAAC;gBAED,2CAA2C;gBAC3C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;oBACpB,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;YACH,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,IAAI,UAAU,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,CAAC,UAAU,CAAC,GAAG,YAAY,CAAC;QACpC,CAAC;QAED,sBAAsB;QACtB,OAAO,0BAA0B,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACK,0BAA0B,CAAC,WAAuC;QACxE,MAAM,MAAM,GAAsB,EAAE,CAAC;QAErC,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC/B,CAAC;QACD,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,WAAW,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvB,CAAC;QACD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzB,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,iBAAiB;QACrD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,MAAM,UAAU,4BAA4B,CAAC,OAA0B;IACrE,OAAO,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAC;AAC7C,CAAC"}
|
|
1
|
+
{"version":3,"file":"capabilities.js","sourceRoot":"","sources":["../../src/security/capabilities.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAGL,iBAAiB,GAElB,MAAM,cAAc,CAAC;AACtB,OAAO,EAEL,IAAI,EACJ,KAAK,EACL,OAAO,EACP,OAAO,EACP,KAAK,EACL,MAAM,EACN,OAAO,GACR,MAAM,kBAAkB,CAAC;AAE1B,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,wCAAwC;IACxC,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC3C,uCAAuC;IACvC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,gCAAgC;IAChC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAChD,4BAA4B;IAC5B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,EAAE,gBAAgB;IAChF,yBAAyB;IACzB,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACpC,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,iBAAiB;IACjB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,4BAA4B;IAC5B,WAAW,EAAE,0BAA0B;IACvC,oCAAoC;IACpC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE;IAC3B,sCAAsC;IACtC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,gCAAgC;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,6BAA6B;IAC7B,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC;CACvC,CAAC,CAAC;AAGH,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,MAAM,OAAO,sBAAsB;IACzB,OAAO,CAAoB;IAC3B,QAAQ,GAAuC,IAAI,GAAG,EAAE,CAAC;IAEjE,YAAY,OAA0B;QACpC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,IAAY,EAAE,WAAuC;QACjE,0CAA0C;QAC1C,MAAM,MAAM,GAAsB,EAAE,CAAC;QACrC,MAAM,SAAS,GAAsB,EAAE,CAAC;QAExC,oBAAoB;QACpB,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC7B,KAAK,MAAM,OAAO,IAAI,WAAW,CAAC,UAAU,EAAE,CAAC;gBAC7C,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAA
C;YACvB,KAAK,MAAM,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;gBAC1C,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,WAAW,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;gBACpE,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,UAAU,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,WAAW,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACrB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,WAAW,WAAW,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,gBAAgB;QAChB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,gBAAgB,WAAW,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAEjF,qBAAqB;QACrB,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QACxD,CAAC;QAED,2CAA2C;QAC3C,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACzB,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QAEzD,+BAA+B;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,EAAE;YACnD,MAAM;YACN,SAAS;YACT,MAAM,EAAE,UAAU,IAAI,EAAE;SACzB,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,2BAA2B;QAC3B,MAAM,OAAO,GAA0B;YACrC,SAAS,EAAE,IAAI;YACf,WAAW;YACX,eAAe,EAAE,UAAU,CAAC,KAAK;YACjC,GAAG,EAAE,IAAI;YACT,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YACrB,UAAU,EAAE,EAAE;SACf,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACjC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,gBAAgB,CACd,IAAY,EACZ,KAAsB,EACtB,QAAgB;QAEhB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,SAAS,GAAsB;gBACnC,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,UAAU,IAAI,kBAAkB;gBACzC,QAAQ;gBACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,CAAC;YACF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QACvC,CAAC;QAED,yCAAyC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,eAAe,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAE5E,mBAAmB;QACnB,IAAI,MAAM,CAAC,
SAAS,EAAE,CAAC;YACrB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,sBAAsB,CAAC,IAAY,EAAE,cAA+B;QAClE,MAAM,SAAS,GAAsB;YACnC,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,UAAU,IAAI,oCAAoC,cAAc,GAAG;YAC5E,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACrC,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,IAAY;QACtB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO;YAAE,OAAO;QAErB,+BAA+B;QAC/B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAE7C,iCAAiC;QACjC,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YACvC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,sCAAsC;YACxC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,gBAAgB;QAMd,MAAM,MAAM,GAKP,EAAE,CAAC;QAER,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YACpE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC;YAC9C,MAAM,cAAc,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;YAEjD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;QACxD,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,+BAA+B,CAAC,WAAmB;QACjD,gCAAgC;QAChC,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAE1E,8BAA8B;QAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,MAAM,GAA4B,EAAE,CAAC;QAE3C,IAAI,UAAU,GAAkB,IAAI,CAAC;QACrC,IAAI,YAAY,GAAa,EAAE,CAAC;QAEhC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAElD,aAAa;YACb,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,IAAI,UAAU,EAAE,CAAC;oBACf,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EA
AE,CAAC,CAAC;gBAC7C,CAAC;gBACD,SAAS;YACX,CAAC;YAED,uBAAuB;YACvB,IAAI,UAAU,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1C,MAAM,CAAC,UAAU,CAAC,GAAG,YAAY,CAAC;gBAClC,YAAY,GAAG,EAAE,CAAC;YACpB,CAAC;YAED,iBAAiB;YACjB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YACrE,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;gBAC7B,UAAU,GAAG,GAAG,CAAC;gBAEjB,UAAU;gBACV,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;oBAC1C,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,KAAK,MAAM,CAAC;oBAC/B,UAAU,GAAG,IAAI,CAAC;oBAClB,SAAS;gBACX,CAAC;gBAED,SAAS;gBACT,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBACxB,MAAM,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBAClC,UAAU,GAAG,IAAI,CAAC;oBAClB,SAAS;gBACX,CAAC;gBAED,2CAA2C;gBAC3C,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;oBACpB,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;YACH,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,IAAI,UAAU,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,CAAC,UAAU,CAAC,GAAG,YAAY,CAAC;QACpC,CAAC;QAED,sBAAsB;QACtB,OAAO,0BAA0B,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;IAED,6EAA6E;IAC7E,aAAa;IACb,6EAA6E;IAE7E;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACH,QAAQ,CAAC,GAAW;QAClB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QACtD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACK,WAAW,CAAC,GAAW;QAC7B,MAAM,MAAM,GAA2C,EAAE,CAAC;QAC1D,IAAI,CAAC,GAAG,CAAC,CAAC;QACV,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAErB,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;YACpB,kBAAkB;YAClB,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACpB,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YAED,YAAY;YACZ,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBACzC,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YACD,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE
,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBACxC,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YACD,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC5C,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YACD,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC5C,CAAC,EAAE,CAAC;gBACJ,SAAS;YACX,CAAC;YAED,sEAAsE;YACtE,IAAI,KAAK,GAAG,CAAC,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAClE,CAAC,EAAE,CAAC;YACN,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACtC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,sCAAsC;gBACtC,MAAM,SAAS,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;gBAC7E,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC7B,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC7C,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACK,aAAa,CACnB,MAA8C,EAC9C,MAAuB;QAEvB,IAAI,IAAI,GAAG,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAErD,OAAO,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,YAAY;YAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACxD,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACK,oBAAoB,CAC1B,MAA8C,EAC9C,MAAuB;QAEvB,IAAI,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAEhD,OAAO,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YACvE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,YAAY;YAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACnD,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC
,CAAC;QAC9B,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,eAAe,CACrB,MAA8C,EAC9C,MAAuB;QAEvB,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEjC,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,iDAAiD,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC;QACnF,CAAC;QAED,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC;QAC7B,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,oBAAoB;QAElC,aAAa;QACb,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACxE,MAAM,IAAI,KAAK,CAAC,wCAAwC,QAAQ,GAAG,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,YAAY;QAE1B,oCAAoC;QACpC,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,OAAO,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC1E,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;YACxC,MAAM,CAAC,GAAG,EAAE,CAAC;QACf,CAAC;QAED,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACxE,MAAM,IAAI,KAAK,CAAC,2CAA2C,QAAQ,IAAI,CAAC,CAAC;QAC3E,CAAC;QACD,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,YAAY;QAE1B,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAE9B,wEAAwE;QACxE,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAClC,MAAM,QAAQ,GAAG,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAE/D,QAAQ,QAAQ,EAAE,CAAC;YACjB,KAAK,MAAM;gBACT,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC;YACxB,KAAK,OAAO;gBACV,OAAO,KAAK,CAAC,QAAQ,CAAC,CAAC;YACzB,KAAK,SAAS;gBACZ,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,oDAAoD;YAC3E,KAAK,SAAS;gBACZ,OAAO,OAAO,CAAC,QAAQ,CAAC,CAAC;YAC3B,KAAK,OAAO,CAAC,CAAC,CAAC;gBACb,MAAM,CAAC,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAC5B,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACtB,MAAM,IAAI,KAAK,CAAC,gEAAgE,GAAG,GAAG,CAAC,CAAC;gBAC1F,CAAC;gBACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC
,CAAC;gBAChC,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;oBAC/B,MAAM,IAAI,KAAK,CAAC,6DAA6D,GAAG,GAAG,CAAC,CAAC;gBACvF,CAAC;gBACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC;YACvB,CAAC;YACD;gBACE,MAAM,IAAI,KAAK,CAAC,sCAAsC,QAAQ,GAAG,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAED;;OAEG;IACK,0BAA0B,CAAC,WAAuC;QACxE,MAAM,MAAM,GAAsB,EAAE,CAAC;QAErC,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC/B,CAAC;QACD,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,WAAW,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvB,CAAC;QACD,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzB,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,iBAAiB;QACrD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,MAAM,UAAU,4BAA4B,CAAC,OAA0B;IACrE,OAAO,IAAI,sBAAsB,CAAC,OAAO,CAAC,CAAC;AAC7C,CAAC"}
|
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Capability Combinators
|
|
3
|
+
*
|
|
4
|
+
* Nix-inspired combinator system for composing capability profiles.
|
|
5
|
+
* Combinators are pure functions that produce CapabilityExpression objects,
|
|
6
|
+
* which can be materialized into sandbox capabilities via attenuate().
|
|
7
|
+
*
|
|
8
|
+
* Composition model:
|
|
9
|
+
* - combine(): union of scopes and resources (grant both)
|
|
10
|
+
* - restrict(): adds deny patterns to block specific access
|
|
11
|
+
* - withTTL(): sets expiration on the expression
|
|
12
|
+
* - materialize(): converts expression into a live sandbox capability
|
|
13
|
+
*/
|
|
14
|
+
import { IsomorphicSandbox, type CapabilityScope, type ResourcePattern, type Capability } from './sandbox.js';
|
|
15
|
+
export interface CapabilityExpression {
|
|
16
|
+
/** Scopes granted by this expression */
|
|
17
|
+
scopes: CapabilityScope[];
|
|
18
|
+
/** Resource patterns (allow/deny) */
|
|
19
|
+
resources: ResourcePattern[];
|
|
20
|
+
/** Time-to-live in milliseconds (undefined = never expires) */
|
|
21
|
+
ttl?: number;
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Grant read access to the given glob patterns.
|
|
25
|
+
*/
|
|
26
|
+
export declare function read(...patterns: string[]): CapabilityExpression;
|
|
27
|
+
/**
|
|
28
|
+
* Grant write access to the given glob patterns.
|
|
29
|
+
*/
|
|
30
|
+
export declare function write(...patterns: string[]): CapabilityExpression;
|
|
31
|
+
/**
|
|
32
|
+
* Grant network access to the given domain patterns.
|
|
33
|
+
*/
|
|
34
|
+
export declare function network(...domains: string[]): CapabilityExpression;
|
|
35
|
+
/**
|
|
36
|
+
* Grant execute access to the given binary patterns.
|
|
37
|
+
*/
|
|
38
|
+
export declare function execute(...binaries: string[]): CapabilityExpression;
|
|
39
|
+
/**
|
|
40
|
+
* Grant memory access with a byte limit.
|
|
41
|
+
* The limit is encoded as a resource pattern: `memory:bytes:<limit>`.
|
|
42
|
+
*/
|
|
43
|
+
export declare function memory(limitBytes: number): CapabilityExpression;
|
|
44
|
+
/**
|
|
45
|
+
* Grant spawn access with a max children limit.
|
|
46
|
+
* The limit is encoded as a resource pattern: `spawn:*:<max>`.
|
|
47
|
+
*/
|
|
48
|
+
export declare function spawn(maxChildren: number): CapabilityExpression;
|
|
49
|
+
/**
|
|
50
|
+
* Combine multiple expressions by merging their scopes (deduped) and resources.
|
|
51
|
+
* If any expression has a TTL, the minimum TTL is used.
|
|
52
|
+
*/
|
|
53
|
+
export declare function combine(...exprs: CapabilityExpression[]): CapabilityExpression;
|
|
54
|
+
/**
|
|
55
|
+
* Restrict an expression by adding deny patterns from the deny expression.
|
|
56
|
+
* The deny expression's resource patterns are converted to deny type.
|
|
57
|
+
* Scopes from the deny expression are NOT removed from the base expression --
|
|
58
|
+
* denial is at the resource level, not the scope level.
|
|
59
|
+
*/
|
|
60
|
+
export declare function restrict(expr: CapabilityExpression, deny: CapabilityExpression): CapabilityExpression;
|
|
61
|
+
/**
|
|
62
|
+
* Set a TTL on an expression. If the expression already has a TTL,
|
|
63
|
+
* the minimum of the two is used.
|
|
64
|
+
*/
|
|
65
|
+
export declare function withTTL(expr: CapabilityExpression, ttlMs: number): CapabilityExpression;
|
|
66
|
+
/**
|
|
67
|
+
* Materialize a CapabilityExpression into a live sandbox Capability.
|
|
68
|
+
*
|
|
69
|
+
* Attenuates from the given parent token, mapping the expression's scopes
|
|
70
|
+
* and resources into the sandbox's capability model.
|
|
71
|
+
*
|
|
72
|
+
* Returns null if the parent token is invalid or the attenuation fails
|
|
73
|
+
* (e.g., requested scopes not available in parent).
|
|
74
|
+
*/
|
|
75
|
+
export declare function materialize(sandbox: IsomorphicSandbox, parentToken: string, expr: CapabilityExpression, reason: string): Capability | null;
|
|
76
|
+
/**
|
|
77
|
+
* Pre-built capability profiles for common agent roles.
|
|
78
|
+
*/
|
|
79
|
+
export declare const PROFILES: {
|
|
80
|
+
/** Read-only access to all resources */
|
|
81
|
+
readonly readOnly: CapabilityExpression;
|
|
82
|
+
/** Network-only access to all domains */
|
|
83
|
+
readonly networkOnly: CapabilityExpression;
|
|
84
|
+
/** Researcher: read all, network all, 256MB memory */
|
|
85
|
+
readonly researcher: CapabilityExpression;
|
|
86
|
+
/** Worker: read all, write to output, execute, spawn up to 3 children */
|
|
87
|
+
readonly worker: CapabilityExpression;
|
|
88
|
+
};
|
|
89
|
+
//# sourceMappingURL=combinators.d.ts.map
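Review bot: The doc comments on `withTTL` and on the `ttl` field of `CapabilityExpression` do not say what a zero, negative or non-finite value means, and the implementation in combinators.js passes `ttlMs` through `Math.min` unchecked. `materialize()` then computes `Date.now() + expr.ttl`, so a `NaN` TTL produces a `NaN` `expiresAt`. How the sandbox handles that is not visible here, but any `now > expiresAt` style comparison against `NaN` is false, which would read as "never expires". I would state the contract in the comment, e.g. `@param ttlMs positive, finite number of milliseconds`, and enforce it in `withTTL` with `if (!Number.isFinite(ttlMs) || ttlMs <= 0) throw new RangeError('ttlMs must be a positive finite number');`.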
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"combinators.d.ts","sourceRoot":"","sources":["../../src/security/combinators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EACL,iBAAiB,EACjB,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,UAAU,EAChB,MAAM,cAAc,CAAC;AAMtB,MAAM,WAAW,oBAAoB;IACnC,wCAAwC;IACxC,MAAM,EAAE,eAAe,EAAE,CAAC;IAC1B,qCAAqC;IACrC,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,+DAA+D;IAC/D,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAMD;;GAEG;AACH,wBAAgB,IAAI,CAAC,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,oBAAoB,CAKhE;AAED;;GAEG;AACH,wBAAgB,KAAK,CAAC,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,oBAAoB,CAKjE;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,GAAG,OAAO,EAAE,MAAM,EAAE,GAAG,oBAAoB,CAKlE;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,GAAG,QAAQ,EAAE,MAAM,EAAE,GAAG,oBAAoB,CAKnE;AAED;;;GAGG;AACH,wBAAgB,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,oBAAoB,CAK/D;AAED;;;GAGG;AACH,wBAAgB,KAAK,CAAC,WAAW,EAAE,MAAM,GAAG,oBAAoB,CAK/D;AAMD;;;GAGG;AACH,wBAAgB,OAAO,CAAC,GAAG,KAAK,EAAE,oBAAoB,EAAE,GAAG,oBAAoB,CAyB9E;AAED;;;;;GAKG;AACH,wBAAgB,QAAQ,CACtB,IAAI,EAAE,oBAAoB,EAC1B,IAAI,EAAE,oBAAoB,GACzB,oBAAoB,CAWtB;AAED;;;GAGG;AACH,wBAAgB,OAAO,CACrB,IAAI,EAAE,oBAAoB,EAC1B,KAAK,EAAE,MAAM,GACZ,oBAAoB,CAOtB;AAMD;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,iBAAiB,EAC1B,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,oBAAoB,EAC1B,MAAM,EAAE,MAAM,GACb,UAAU,GAAG,IAAI,CASnB;AAMD;;GAEG;AACH,eAAO,MAAM,QAAQ;IACnB,wCAAwC;;IAExC,yCAAyC;;IAEzC,sDAAsD;;IAEtD,yEAAyE;;CAEjE,CAAC"}
|
|
@@ -0,0 +1,168 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Capability Combinators
|
|
3
|
+
*
|
|
4
|
+
* Nix-inspired combinator system for composing capability profiles.
|
|
5
|
+
* Combinators are pure functions that produce CapabilityExpression objects,
|
|
6
|
+
* which can be materialized into sandbox capabilities via attenuate().
|
|
7
|
+
*
|
|
8
|
+
* Composition model:
|
|
9
|
+
* - combine(): union of scopes and resources (grant both)
|
|
10
|
+
* - restrict(): adds deny patterns to block specific access
|
|
11
|
+
* - withTTL(): sets expiration on the expression
|
|
12
|
+
* - materialize(): converts expression into a live sandbox capability
|
|
13
|
+
*/
|
|
14
|
+
// ============================================================================
|
|
15
|
+
// PRIMITIVE COMBINATORS
|
|
16
|
+
// ============================================================================
|
|
17
|
+
/**
|
|
18
|
+
* Grant read access to the given glob patterns.
|
|
19
|
+
*/
|
|
20
|
+
export function read(...patterns) {
|
|
21
|
+
return {
|
|
22
|
+
scopes: ['read'],
|
|
23
|
+
resources: patterns.map(p => ({ pattern: p, type: 'allow' })),
|
|
24
|
+
};
|
|
25
|
+
}
|
|
26
|
+
/**
|
|
27
|
+
* Grant write access to the given glob patterns.
|
|
28
|
+
*/
|
|
29
|
+
export function write(...patterns) {
|
|
30
|
+
return {
|
|
31
|
+
scopes: ['write'],
|
|
32
|
+
resources: patterns.map(p => ({ pattern: p, type: 'allow' })),
|
|
33
|
+
};
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* Grant network access to the given domain patterns.
|
|
37
|
+
*/
|
|
38
|
+
export function network(...domains) {
|
|
39
|
+
return {
|
|
40
|
+
scopes: ['network'],
|
|
41
|
+
resources: domains.map(d => ({ pattern: d, type: 'allow' })),
|
|
42
|
+
};
|
|
43
|
+
}
|
|
44
|
+
/**
|
|
45
|
+
* Grant execute access to the given binary patterns.
|
|
46
|
+
*/
|
|
47
|
+
export function execute(...binaries) {
|
|
48
|
+
return {
|
|
49
|
+
scopes: ['execute'],
|
|
50
|
+
resources: binaries.map(b => ({ pattern: b, type: 'allow' })),
|
|
51
|
+
};
|
|
52
|
+
}
|
|
53
|
+
/**
|
|
54
|
+
* Grant memory access with a byte limit.
|
|
55
|
+
* The limit is encoded as a resource pattern: `memory:bytes:<limit>`.
|
|
56
|
+
*/
|
|
57
|
+
export function memory(limitBytes) {
|
|
58
|
+
return {
|
|
59
|
+
scopes: ['memory'],
|
|
60
|
+
resources: [{ pattern: `memory:bytes:${limitBytes}`, type: 'allow' }],
|
|
61
|
+
};
|
|
62
|
+
}
|
|
63
|
+
/**
|
|
64
|
+
* Grant spawn access with a max children limit.
|
|
65
|
+
* The limit is encoded as a resource pattern: `spawn:*:<max>`.
|
|
66
|
+
*/
|
|
67
|
+
export function spawn(maxChildren) {
|
|
68
|
+
return {
|
|
69
|
+
scopes: ['spawn'],
|
|
70
|
+
resources: [{ pattern: `spawn:*:${maxChildren}`, type: 'allow' }],
|
|
71
|
+
};
|
|
72
|
+
}
|
|
73
|
+
// ============================================================================
|
|
74
|
+
// COMPOSITION OPERATORS
|
|
75
|
+
// ============================================================================
|
|
76
|
+
/**
|
|
77
|
+
* Combine multiple expressions by merging their scopes (deduped) and resources.
|
|
78
|
+
* If any expression has a TTL, the minimum TTL is used.
|
|
79
|
+
*/
|
|
80
|
+
export function combine(...exprs) {
|
|
81
|
+
const scopeSet = new Set();
|
|
82
|
+
const resources = [];
|
|
83
|
+
let minTTL;
|
|
84
|
+
for (const expr of exprs) {
|
|
85
|
+
for (const scope of expr.scopes) {
|
|
86
|
+
scopeSet.add(scope);
|
|
87
|
+
}
|
|
88
|
+
resources.push(...expr.resources);
|
|
89
|
+
if (expr.ttl !== undefined) {
|
|
90
|
+
minTTL = minTTL === undefined ? expr.ttl : Math.min(minTTL, expr.ttl);
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
const result = {
|
|
94
|
+
scopes: Array.from(scopeSet),
|
|
95
|
+
resources,
|
|
96
|
+
};
|
|
97
|
+
if (minTTL !== undefined) {
|
|
98
|
+
result.ttl = minTTL;
|
|
99
|
+
}
|
|
100
|
+
return result;
|
|
101
|
+
}
|
|
102
|
+
/**
|
|
103
|
+
* Restrict an expression by adding deny patterns from the deny expression.
|
|
104
|
+
* The deny expression's resource patterns are converted to deny type.
|
|
105
|
+
* Scopes from the deny expression are NOT removed from the base expression --
|
|
106
|
+
* denial is at the resource level, not the scope level.
|
|
107
|
+
*/
|
|
108
|
+
export function restrict(expr, deny) {
|
|
109
|
+
const denyPatterns = deny.resources.map(r => ({
|
|
110
|
+
pattern: r.pattern,
|
|
111
|
+
type: 'deny',
|
|
112
|
+
}));
|
|
113
|
+
return {
|
|
114
|
+
scopes: [...expr.scopes],
|
|
115
|
+
resources: [...expr.resources, ...denyPatterns],
|
|
116
|
+
...(expr.ttl !== undefined ? { ttl: expr.ttl } : {}),
|
|
117
|
+
};
|
|
118
|
+
}
|
|
119
|
+
/**
|
|
120
|
+
* Set a TTL on an expression. If the expression already has a TTL,
|
|
121
|
+
* the minimum of the two is used.
|
|
122
|
+
*/
|
|
123
|
+
export function withTTL(expr, ttlMs) {
|
|
124
|
+
const effectiveTTL = expr.ttl !== undefined ? Math.min(expr.ttl, ttlMs) : ttlMs;
|
|
125
|
+
return {
|
|
126
|
+
scopes: [...expr.scopes],
|
|
127
|
+
resources: [...expr.resources],
|
|
128
|
+
ttl: effectiveTTL,
|
|
129
|
+
};
|
|
130
|
+
}
|
|
131
|
+
// ============================================================================
|
|
132
|
+
// MATERIALIZATION
|
|
133
|
+
// ============================================================================
|
|
134
|
+
/**
|
|
135
|
+
* Materialize a CapabilityExpression into a live sandbox Capability.
|
|
136
|
+
*
|
|
137
|
+
* Attenuates from the given parent token, mapping the expression's scopes
|
|
138
|
+
* and resources into the sandbox's capability model.
|
|
139
|
+
*
|
|
140
|
+
* Returns null if the parent token is invalid or the attenuation fails
|
|
141
|
+
* (e.g., requested scopes not available in parent).
|
|
142
|
+
*/
|
|
143
|
+
export function materialize(sandbox, parentToken, expr, reason) {
|
|
144
|
+
const expiresAt = expr.ttl !== undefined ? Date.now() + expr.ttl : undefined;
|
|
145
|
+
return sandbox.attenuate(parentToken, {
|
|
146
|
+
scopes: expr.scopes,
|
|
147
|
+
resources: expr.resources,
|
|
148
|
+
expiresAt,
|
|
149
|
+
reason,
|
|
150
|
+
});
|
|
151
|
+
}
|
|
152
|
+
// ============================================================================
|
|
153
|
+
// PRESET PROFILES
|
|
154
|
+
// ============================================================================
|
|
155
|
+
/**
|
|
156
|
+
* Pre-built capability profiles for common agent roles.
|
|
157
|
+
*/
|
|
158
|
+
export const PROFILES = {
|
|
159
|
+
/** Read-only access to all resources */
|
|
160
|
+
readOnly: combine(read('**')),
|
|
161
|
+
/** Network-only access to all domains */
|
|
162
|
+
networkOnly: combine(network('*')),
|
|
163
|
+
/** Researcher: read all, network all, 256MB memory */
|
|
164
|
+
researcher: combine(read('**'), network('*'), memory(256 * 1024 * 1024)),
|
|
165
|
+
/** Worker: read all, write to output, execute, spawn up to 3 children */
|
|
166
|
+
worker: combine(read('**'), write('./output/**'), execute('*'), spawn(3)),
|
|
167
|
+
};
|
|
168
|
+
//# sourceMappingURL=combinators.js.map
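Review bot: `combine()` flattens every expression's `resources` into one list beside a deduplicated `scopes` list, so the link between a pattern and the scope it was granted for is lost, which matters most in `PROFILES.worker`. After `combine(read('**'), write('./output/**'), execute('*'), spawn(3))`, the object handed to `sandbox.attenuate()` carries scopes `read, write, execute, spawn` and allow patterns `**`, `./output/**`, `*` and `spawn:*:3`. Unless the sandbox (not visible here) binds patterns to scopes some other way, the `**` allow may satisfy write checks too, defeating the "write to output" limit. `restrict()` has the same shape: its deny patterns are scope-less, so denying a path for one scope presumably denies it for all. Consider tagging each resource entry with its scope when `read`/`write`/`network`/`execute` build it, or at minimum document the limitation on the profile, e.g. `/** Worker: patterns are not scope-bound; confirm the sandbox does not match write/execute against '**' */`.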
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"combinators.js","sourceRoot":"","sources":["../../src/security/combinators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAsBH,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,IAAI,CAAC,GAAG,QAAkB;IACxC,OAAO;QACL,MAAM,EAAE,CAAC,MAAM,CAAC;QAChB,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,OAAgB,EAAE,CAAC,CAAC;KACvE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,KAAK,CAAC,GAAG,QAAkB;IACzC,OAAO;QACL,MAAM,EAAE,CAAC,OAAO,CAAC;QACjB,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,OAAgB,EAAE,CAAC,CAAC;KACvE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,GAAG,OAAiB;IAC1C,OAAO;QACL,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,OAAgB,EAAE,CAAC,CAAC;KACtE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,GAAG,QAAkB;IAC3C,OAAO;QACL,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,SAAS,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,OAAgB,EAAE,CAAC,CAAC;KACvE,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,MAAM,CAAC,UAAkB;IACvC,OAAO;QACL,MAAM,EAAE,CAAC,QAAQ,CAAC;QAClB,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,gBAAgB,UAAU,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KACtE,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,KAAK,CAAC,WAAmB;IACvC,OAAO;QACL,MAAM,EAAE,CAAC,OAAO,CAAC;QACjB,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,WAAW,WAAW,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KAClE,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,GAAG,KAA6B;IACtD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAmB,CAAC;IAC5C,MAAM,SAAS,GAAsB,EAAE,CAAC;IACxC,IAAI,MAA0B,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACtB,CAAC;QACD,SAAS,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;QAClC,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC3B,MAAM,GAAG,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAA
I,CAAC,GAAG,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAyB;QACnC,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC5B,SAAS;KACV,CAAC;IAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC;IACtB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,QAAQ,CACtB,IAA0B,EAC1B,IAA0B;IAE1B,MAAM,YAAY,GAAsB,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC/D,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,IAAI,EAAE,MAAe;KACtB,CAAC,CAAC,CAAC;IAEJ,OAAO;QACL,MAAM,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC;QACxB,SAAS,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,EAAE,GAAG,YAAY,CAAC;QAC/C,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACrD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CACrB,IAA0B,EAC1B,KAAa;IAEb,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IAChF,OAAO;QACL,MAAM,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC;QACxB,SAAS,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;QAC9B,GAAG,EAAE,YAAY;KAClB,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E;;;;;;;;GAQG;AACH,MAAM,UAAU,WAAW,CACzB,OAA0B,EAC1B,WAAmB,EACnB,IAA0B,EAC1B,MAAc;IAEd,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAE7E,OAAO,OAAO,CAAC,SAAS,CAAC,WAAW,EAAE;QACpC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS;QACT,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,kBAAkB;AAClB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAG;IACtB,wCAAwC;IACxC,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,yCAAyC;IACzC,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAClC,sDAAsD;IACtD,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC;IACxE,yEAAyE;IACzE,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC;CACjE,CAAC"}
|
package/dist/security/index.d.ts
CHANGED
|
@@ -1,11 +1,17 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* @terminals-tech/agent-zero/security
|
|
3
3
|
*
|
|
4
|
-
* AES-256-GCM vault, capability sandbox, injection firewall, Ed25519 skill verification
|
|
4
|
+
* AES-256-GCM vault, capability sandbox, injection firewall, Ed25519 skill verification,
|
|
5
|
+
* capability combinators, agent isolation boundaries.
|
|
5
6
|
*/
|
|
6
7
|
export { Vault, createVault } from './vault.js';
|
|
7
8
|
export { IsomorphicSandbox, CapabilityScope, detectInjection, generateCapabilityToken } from './sandbox.js';
|
|
9
|
+
export type { AuditEntry } from './sandbox.js';
|
|
8
10
|
export { SkillCapabilityManager, createSkillCapabilityManager } from './capabilities.js';
|
|
9
11
|
export { InjectionFirewall, ParanoiaLevel, createFirewall } from './injectionFirewall.js';
|
|
10
12
|
export { generateSigningKeyPair, signManifest, verifyManifest, verifySkillIntegrity, createManifest, hashFile, loadSignedManifest, } from './skillVerify.js';
|
|
13
|
+
export { read, write, network, execute, memory, spawn, combine, restrict, withTTL, materialize, PROFILES, } from './combinators.js';
|
|
14
|
+
export type { CapabilityExpression } from './combinators.js';
|
|
15
|
+
export { AgentIsolationManager } from './isolation.js';
|
|
16
|
+
export type { IsolationBoundary } from './isolation.js';
|
|
11
17
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC5G,YAAY,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC1F,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,IAAI,EACJ,KAAK,EACL,OAAO,EACP,OAAO,EACP,MAAM,EACN,KAAK,EACL,OAAO,EACP,QAAQ,EACR,OAAO,EACP,WAAW,EACX,QAAQ,GACT,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AACvD,YAAY,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC"}
|
package/dist/security/index.js
CHANGED
|
@@ -1,11 +1,14 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* @terminals-tech/agent-zero/security
|
|
3
3
|
*
|
|
4
|
-
* AES-256-GCM vault, capability sandbox, injection firewall, Ed25519 skill verification
|
|
4
|
+
* AES-256-GCM vault, capability sandbox, injection firewall, Ed25519 skill verification,
|
|
5
|
+
* capability combinators, agent isolation boundaries.
|
|
5
6
|
*/
|
|
6
7
|
export { Vault, createVault } from './vault.js';
|
|
7
8
|
export { IsomorphicSandbox, CapabilityScope, detectInjection, generateCapabilityToken } from './sandbox.js';
|
|
8
9
|
export { SkillCapabilityManager, createSkillCapabilityManager } from './capabilities.js';
|
|
9
10
|
export { InjectionFirewall, ParanoiaLevel, createFirewall } from './injectionFirewall.js';
|
|
10
11
|
export { generateSigningKeyPair, signManifest, verifyManifest, verifySkillIntegrity, createManifest, hashFile, loadSignedManifest, } from './skillVerify.js';
|
|
12
|
+
export { read, write, network, execute, memory, spawn, combine, restrict, withTTL, materialize, PROFILES, } from './combinators.js';
|
|
13
|
+
export { AgentIsolationManager } from './isolation.js';
|
|
11
14
|
//# sourceMappingURL=index.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAE5G,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC1F,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,QAAQ,EACR,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,IAAI,EACJ,KAAK,EACL,OAAO,EACP,OAAO,EACP,MAAM,EACN,KAAK,EACL,OAAO,EACP,QAAQ,EACR,OAAO,EACP,WAAW,EACX,QAAQ,GACT,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC"}
|