npm - @theokit/sdk - Versions diffs - 2.8.0 → 2.9.0 - Mend

@theokit/sdk 2.8.0 → 2.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/CHANGELOG.md +11 -0
package/dist/eval.cjs +113 -1
package/dist/eval.cjs.map +1 -1
package/dist/eval.js +115 -3
package/dist/eval.js.map +1 -1
package/dist/sandbox/index.cjs +3 -1
package/dist/sandbox/index.cjs.map +1 -1
package/dist/sandbox/index.js +3 -1
package/dist/sandbox/index.js.map +1 -1
package/dist/sandbox/provision.d.cts +7 -0
package/dist/sandbox/provision.d.ts +7 -0
package/dist/types/eval.d.ts +6 -2
package/package.json +1 -1

package/dist/eval.js CHANGED Viewed

@@ -1,12 +1,12 @@
 import { randomUUID, randomBytes, createHash } from 'crypto';
-import { readFile, unlink, mkdir, open, rename, statfs, stat, rm, readdir, appendFile, access } from 'fs/promises';
+import { mkdir, writeFile, readFile, unlink, open, rename, statfs, stat, rm, readdir, appendFile, access } from 'fs/promises';
 import { join, dirname, resolve, sep, relative, isAbsolute } from 'path';
 import { z, toJSONSchema } from 'zod';
 import { readFileSync, mkdirSync, appendFileSync, readdirSync, existsSync, realpathSync, lstatSync, readlinkSync } from 'fs';
 import { AsyncLocalStorage } from 'async_hooks';
 import { createRequire } from 'module';
 import { homedir } from 'os';
-import { spawn } from 'child_process';
+import { execFile, spawn } from 'child_process';
 import { fileURLToPath } from 'url';
 var __defProp = Object.defineProperty;
@@ -16190,6 +16190,118 @@ async function llmJudgeScore(options) {
   return parseScore(judgement.text, rubric);
 }
+// src/sandbox/types.ts
+var SandboxSecurityError = class extends Error {
+  code = "sandbox_security";
+  constructor(message) {
+    super(message);
+    this.name = "SandboxSecurityError";
+  }
+};
+var SHELL_METACHARACTERS = /[;&|`$(){}]/;
+var SandboxBackend = class {
+  config;
+  constructor(config = {}) {
+    this.config = {
+      workDir: config.workDir ?? "/tmp",
+      timeoutMs: config.timeoutMs ?? 3e4,
+      maxOutputBytes: config.maxOutputBytes ?? 5 * 1024 * 1024
+    };
+  }
+  async readFile(path) {
+    const result = await this.execute(`cat ${this.shellEscape(path)}`);
+    if (result.exitCode !== 0) {
+      throw new Error(`readFile failed: ${result.stderr}`);
+    }
+    return result.stdout;
+  }
+  async writeFile(path, content) {
+    await this.uploadFile(path, content);
+  }
+  async glob(pattern, cwd) {
+    const dir = cwd ?? this.config.workDir ?? ".";
+    const result = await this.execute(
+      `find ${this.shellEscape(dir)} -name ${this.shellEscape(pattern)} -type f 2>/dev/null`
+    );
+    if (result.exitCode !== 0) return [];
+    return result.stdout.trim().split("\n").filter(Boolean);
+  }
+  async grep(pattern, path) {
+    const target = path ?? ".";
+    const result = await this.execute(
+      `grep -rn ${this.shellEscape(pattern)} ${this.shellEscape(target)} 2>/dev/null`
+    );
+    if (result.exitCode !== 0) return [];
+    return result.stdout.trim().split("\n").filter(Boolean);
+  }
+  async listDir(path) {
+    const result = await this.execute(`ls -1 ${this.shellEscape(path)}`);
+    if (result.exitCode !== 0) return [];
+    return result.stdout.trim().split("\n").filter(Boolean);
+  }
+  validateCommand(command) {
+    if (SHELL_METACHARACTERS.test(command)) {
+      throw new SandboxSecurityError(
+        `Command contains shell metacharacters: ${command.slice(0, 80)}`
+      );
+    }
+  }
+  truncateOutput(output) {
+    const max = this.config.maxOutputBytes ?? 5 * 1024 * 1024;
+    if (Buffer.byteLength(output) > max) {
+      return `${output.slice(0, max)}
+...(truncated)`;
+    }
+    return output;
+  }
+  shellEscape(arg) {
+    return shellEscapePosix(arg);
+  }
+};
+// src/sandbox/local-sandbox.ts
+var LocalSandbox = class extends SandboxBackend {
+  constructor(config = {}) {
+    super(config);
+  }
+  async execute(command, opts) {
+    const timeout = opts?.timeoutMs ?? this.config.timeoutMs ?? 3e4;
+    const max = this.config.maxOutputBytes ?? 5 * 1024 * 1024;
+    return new Promise((resolve3) => {
+      const child = execFile(
+        "/bin/sh",
+        ["-c", command],
+        {
+          cwd: this.config.workDir,
+          timeout,
+          maxBuffer: max,
+          encoding: "utf-8"
+        },
+        (error, stdout, stderr) => {
+          resolve3(this.buildResult(error, stdout ?? "", stderr ?? ""));
+        }
+      );
+      child.on("error", () => {
+        resolve3({ stdout: "", stderr: "spawn error", exitCode: 1, timedOut: false });
+      });
+    });
+  }
+  buildResult(error, stdout, stderr) {
+    const timedOut = error !== null && "killed" in error && error.killed;
+    return {
+      stdout: this.truncateOutput(stdout),
+      stderr: this.truncateOutput(stderr),
+      exitCode: timedOut ? 124 : error ? 1 : 0,
+      timedOut
+    };
+  }
+  async uploadFile(path, content) {
+    const fullPath = path.startsWith("/") ? path : `${this.config.workDir}/${path}`;
+    await mkdir(dirname(fullPath), { recursive: true });
+    await writeFile(fullPath, content, "utf-8");
+  }
+};
 // src/scorers.ts
 var JSON_SHAPE_MAX_BYTES = 1e6;
 function makeStringScorer(name, caseSensitive, compare) {
@@ -16293,7 +16405,7 @@ var Scorers = {
    * that rejects shell metacharacters in `execute` is unsupported for this scorer.
    */
   verifyGate(opts) {
-    const { sandbox, repoDir, failToPass, passToPass, command } = opts;
+    const { sandbox = new LocalSandbox(), repoDir, failToPass, passToPass, command } = opts;
     return {
       name: "verify-gate",
       score: async () => {