@vercel/sandbox 1.6.0 → 1.7.0

package/dist/utils/network-policy.js

@@ -7,6 +7,28 @@ function toAPINetworkPolicy(policy) {
         return { mode: "allow-all" };
     if (policy === "deny-all")
         return { mode: "deny-all" };
+    if (policy.allow && !Array.isArray(policy.allow)) {
+        const allowedDomains = Object.keys(policy.allow);
+        const injectionRules = [];
+        for (const [domain, rules] of Object.entries(policy.allow)) {
+            const merged = {};
+            for (const rule of rules) {
+                for (const t of rule.transform ?? []) {
+                    Object.assign(merged, t.headers);
+                }
+            }
+            if (Object.keys(merged).length > 0) {
+                injectionRules.push({ domain, headers: merged });
+            }
+        }
+        return {
+            mode: "custom",
+            ...(allowedDomains.length > 0 && { allowedDomains }),
+            ...(injectionRules.length > 0 && { injectionRules }),
+            ...(policy.subnets?.allow && { allowedCIDRs: policy.subnets.allow }),
+            ...(policy.subnets?.deny && { deniedCIDRs: policy.subnets.deny }),
+        };
+    }
     return {
         mode: "custom",
         ...(policy.allow && { allowedDomains: policy.allow }),
@@ -19,14 +41,42 @@ function fromAPINetworkPolicy(api) {
         return "allow-all";
     if (api.mode === "deny-all")
         return "deny-all";
-    return {
-        ...(api.allowedDomains && { allow: api.allowedDomains }),
-        ...((api.allowedCIDRs || api.deniedCIDRs) && {
+    const subnets = (api.allowedCIDRs || api.deniedCIDRs)
+        ? {
             subnets: {
                 ...(api.allowedCIDRs && { allow: api.allowedCIDRs }),
                 ...(api.deniedCIDRs && { deny: api.deniedCIDRs }),
             },
-        }),
+        }
+        : undefined;
+    // If injectionRules are present, reconstruct the record form.
+    // The API returns headerNames (secret values are stripped), so we
+    // populate each header value with "<redacted>".
+    if (api.injectionRules && api.injectionRules.length > 0) {
+        const rulesByDomain = new Map(api.injectionRules.map((r) => [r.domain, r.headerNames ?? []]));
+        const allow = {};
+        for (const domain of api.allowedDomains ?? []) {
+            const headerNames = rulesByDomain.get(domain);
+            if (headerNames && headerNames.length > 0) {
+                const headers = Object.fromEntries(headerNames.map((n) => [n, "<redacted>"]));
+                allow[domain] = [{ transform: [{ headers }] }];
+            }
+            else {
+                allow[domain] = [];
+            }
+        }
+        // Include injection rules for domains not in allowedDomains
+        for (const rule of api.injectionRules) {
+            if (!(rule.domain in allow)) {
+                const headers = Object.fromEntries((rule.headerNames ?? []).map((n) => [n, "<redacted>"]));
+                allow[rule.domain] = [{ transform: [{ headers }] }];
+            }
+        }
+        return { allow, ...subnets };
+    }
+    return {
+        ...(api.allowedDomains && { allow: api.allowedDomains }),
+        ...subnets,
     };
 }
 //# sourceMappingURL=network-policy.js.map

package/dist/utils/network-policy.js.map

@@ -1 +1 @@
-{"version":3,"file":"network-policy.js","sourceRoot":"","sources":["../../src/utils/network-policy.ts"],"names":[],"mappings":";;AAMA,gDASC;AAED,oDAYC;AAvBD,SAAgB,kBAAkB,CAAC,MAAqB;IACtD,IAAI,MAAM,KAAK,WAAW;QAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;IACzD,IAAI,MAAM,KAAK,UAAU;QAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IACvD,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,cAAc,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;QACrD,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACpE,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;KAClE,CAAC;AACJ,CAAC;AAED,SAAgB,oBAAoB,CAAC,GAAqB;IACxD,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW;QAAE,OAAO,WAAW,CAAC;IACjD,IAAI,GAAG,CAAC,IAAI,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IAC/C,OAAO;QACL,GAAG,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,cAAc,EAAE,CAAC;QACxD,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI;YAC3C,OAAO,EAAE;gBACP,GAAG,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC;aAClD;SACF,CAAC;KACH,CAAC;AACJ,CAAC"}
+{"version":3,"file":"network-policy.js","sourceRoot":"","sources":["../../src/utils/network-policy.ts"],"names":[],"mappings":";;AAMA,gDAmCC;AAED,oDAgDC;AArFD,SAAgB,kBAAkB,CAAC,MAAqB;IACtD,IAAI,MAAM,KAAK,WAAW;QAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;IACzD,IAAI,MAAM,KAAK,UAAU;QAAE,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IAEvD,IAAI,MAAM,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACjD,MAAM,cAAc,GAA6C,EAAE,CAAC;QAEpE,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3D,MAAM,MAAM,GAA2B,EAAE,CAAC;YAC1C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS,IAAI,EAAE,EAAE,CAAC;oBACrC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC;gBACnC,CAAC;YACH,CAAC;YACD,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACnC,cAAc,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QAED,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,GAAG,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,cAAc,EAAE,CAAC;YACpD,GAAG,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,cAAc,EAAE,CAAC;YACpD,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACpE,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;SAClE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,cAAc,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;QACrD,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,IAAI,EAAE,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACpE,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;KAClE,CAAC;AACJ,CAAC;AAED,SAAgB,oBAAoB,CAAC,GAAqB;IACxD,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW;QAAE,OAAO,WAAW,CAAC;IACjD,IAAI,GAAG,CAAC,IAAI,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IAE/C,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,WAAW,CAAC;QACnD,CAAC,CAAC;YACE,OAAO,EAAE;gBACP,GAAG,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC;aAClD;SACF;QACH,CAAC,CAAC,SAAS,CAAC;IAEd,8DAA8D;IAC9D,kEAAkE;IAClE,gDAAgD;IAChD,IAAI,GAAG,CAAC,cAAc,IAAI,GAAG,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,MAAM,aAAa,GAAG,IAAI,GAAG,CAC3B,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,CAC/D,CAAC;QAEF,MAAM,KAAK,GAAwC,EAAE,CAAC;QACtD,KAAK,MAAM,MAAM,IAAI,GAAG,CAAC,cAAc,IAAI,EAAE,EAAE,CAAC;YAC9C,MAAM,WAAW,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAC9C,IAAI,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1C,MAAM,OAAO,GAAG,MAAM,CAAC,WAAW,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC;gBAC9E,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YACrB,CAAC;QACH,CAAC;QACD,4DAA4D;QAC5D,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,cAAc,EAAE,CAAC;YACtC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,EAAE,CAAC;gBAC5B,MAAM,OAAO,GAAG,MAAM,CAAC,WAAW,CAChC,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CACvD,CAAC;gBACF,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,GAAG,OAAO,EAAE,CAAC;IAC/B,CAAC;IAED,OAAO;QACL,GAAG,CAAC,GAAG,CAAC,cAAc,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,cAAc,EAAE,CAAC;QACxD,GAAG,OAAO;KACX,CAAC;AACJ,CAAC"}

package/dist/version.d.ts

@@ -1 +1 @@
-export declare const VERSION = "1.6.0";
+export declare const VERSION = "1.7.0";

package/dist/version.js

@@ -2,5 +2,5 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
 // Autogenerated by inject-version.ts
-exports.VERSION = "1.6.0";
+exports.VERSION = "1.7.0";
 //# sourceMappingURL=version.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vercel/sandbox",
-  "version": "1.6.0",
+  "version": "1.7.0",
   "description": "Software Development Kit for Vercel Sandbox",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -22,7 +22,7 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@vercel/oidc": "^3.1.0",
+    "@vercel/oidc": "3.2.0",
     "async-retry": "1.3.3",
     "jsonlines": "0.1.1",
     "ms": "2.1.3",

package/dist/utils/jwt-expiry.d.ts

@@ -1,42 +0,0 @@
-import { z } from "zod";
-import { schema } from "./get-credentials";
-export declare class OidcRefreshError extends Error {
-    name: string;
-}
-/**
- * Expiry implementation for JWT tokens (OIDC tokens).
- * Parses the JWT once and provides fast expiry validation.
- */
-export declare class JwtExpiry {
-    readonly token: string;
-    private expiryTime;
-    readonly payload?: Readonly<z.infer<typeof schema>>;
-    static fromToken(token: string): JwtExpiry | null;
-    /**
-     * Creates a new JWT expiry checker.
-     *
-     * @param token - The JWT token to parse
-     */
-    constructor(token: string);
-    /**
-     * Checks if the JWT token is valid (not expired).
-     * @returns true if token is valid, false if expired or expiring soon
-     */
-    isValid(): boolean;
-    /**
-     * Gets the expiry date of the JWT token.
-     *
-     * @returns Date object representing when the token expires, or null if no expiry
-     */
-    getExpiryDate(): Date | null;
-    /**
-     * Refreshes the JWT token by fetching a new OIDC token.
-     *
-     * @returns Promise resolving to a new JwtExpiry instance with fresh token
-     */
-    refresh(): Promise<JwtExpiry>;
-    /**
-     * Refreshes the JWT token if it's expired or expiring soon.
-     */
-    tryRefresh(): Promise<JwtExpiry | null>;
-}

package/dist/utils/jwt-expiry.js

@@ -1,106 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.JwtExpiry = exports.OidcRefreshError = void 0;
-const decode_base64_url_1 = require("./decode-base64-url");
-const get_credentials_1 = require("./get-credentials");
-const oidc_1 = require("@vercel/oidc");
-const ms_1 = __importDefault(require("ms"));
-/** Time buffer before token expiry to consider it invalid (in milliseconds) */
-const BUFFER_MS = (0, ms_1.default)("5m");
-class OidcRefreshError extends Error {
-    constructor() {
-        super(...arguments);
-        this.name = "OidcRefreshError";
-    }
-}
-exports.OidcRefreshError = OidcRefreshError;
-/**
- * Expiry implementation for JWT tokens (OIDC tokens).
- * Parses the JWT once and provides fast expiry validation.
- */
-class JwtExpiry {
-    static fromToken(token) {
-        if (!isJwtFormat(token)) {
-            return null;
-        }
-        else {
-            return new JwtExpiry(token);
-        }
-    }
-    /**
-     * Creates a new JWT expiry checker.
-     *
-     * @param token - The JWT token to parse
-     */
-    constructor(token) {
-        this.token = token;
-        try {
-            const tokenContents = token.split(".")[1];
-            this.payload = get_credentials_1.schema.parse((0, decode_base64_url_1.decodeBase64Url)(tokenContents));
-            this.expiryTime = this.payload.exp || null;
-        }
-        catch {
-            // Malformed token - treat as expired to trigger refresh
-            this.expiryTime = 0;
-        }
-    }
-    /**
-     * Checks if the JWT token is valid (not expired).
-     * @returns true if token is valid, false if expired or expiring soon
-     */
-    isValid() {
-        if (this.expiryTime === null) {
-            return false; // No expiry means malformed JWT
-        }
-        const now = Math.floor(Date.now() / 1000);
-        const buffer = BUFFER_MS / 1000;
-        return now + buffer < this.expiryTime;
-    }
-    /**
-     * Gets the expiry date of the JWT token.
-     *
-     * @returns Date object representing when the token expires, or null if no expiry
-     */
-    getExpiryDate() {
-        return this.expiryTime ? new Date(this.expiryTime * 1000) : null;
-    }
-    /**
-     * Refreshes the JWT token by fetching a new OIDC token.
-     *
-     * @returns Promise resolving to a new JwtExpiry instance with fresh token
-     */
-    async refresh() {
-        try {
-            const freshToken = await (0, oidc_1.getVercelOidcToken)();
-            return new JwtExpiry(freshToken);
-        }
-        catch (cause) {
-            throw new OidcRefreshError("Failed to refresh OIDC token", {
-                cause,
-            });
-        }
-    }
-    /**
-     * Refreshes the JWT token if it's expired or expiring soon.
-     */
-    async tryRefresh() {
-        if (this.isValid()) {
-            return null; // Still valid, no need to refresh
-        }
-        return this.refresh();
-    }
-}
-exports.JwtExpiry = JwtExpiry;
-/**
- * Checks if a token follows JWT format (has 3 parts separated by dots).
- *
- * @param token - The token to check
- * @returns true if token appears to be a JWT, false otherwise
- */
-function isJwtFormat(token) {
-    return token.split(".").length === 3;
-}
-//# sourceMappingURL=jwt-expiry.js.map

package/dist/utils/jwt-expiry.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"jwt-expiry.js","sourceRoot":"","sources":["../../src/utils/jwt-expiry.ts"],"names":[],"mappings":";;;;;;AACA,2DAAsD;AACtD,uDAA2C;AAC3C,uCAAkD;AAClD,4CAAoB;AAEpB,+EAA+E;AAC/E,MAAM,SAAS,GAAG,IAAA,YAAE,EAAC,IAAI,CAAC,CAAC;AAE3B,MAAa,gBAAiB,SAAQ,KAAK;IAA3C;;QACE,SAAI,GAAG,kBAAkB,CAAC;IAC5B,CAAC;CAAA;AAFD,4CAEC;AAED;;;GAGG;AACH,MAAa,SAAS;IAIpB,MAAM,CAAC,SAAS,CAAC,KAAa;QAC5B,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,YAAqB,KAAa;QAAb,UAAK,GAAL,KAAK,CAAQ;QAChC,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1C,IAAI,CAAC,OAAO,GAAG,wBAAM,CAAC,KAAK,CAAC,IAAA,mCAAe,EAAC,aAAa,CAAC,CAAC,CAAC;YAC5D,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,wDAAwD;YACxD,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,OAAO;QACL,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;YAC7B,OAAO,KAAK,CAAC,CAAC,gCAAgC;QAChD,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,SAAS,GAAG,IAAI,CAAC;QAChC,OAAO,GAAG,GAAG,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC;IACxC,CAAC;IAED;;;;OAIG;IACH,aAAa;QACX,OAAO,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACnE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,OAAO;QACX,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,IAAA,yBAAkB,GAAE,CAAC;YAC9C,OAAO,IAAI,SAAS,CAAC,UAAU,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,gBAAgB,CAAC,8BAA8B,EAAE;gBACzD,KAAK;aACN,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,CAAC,kCAAkC;QACjD,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;IACxB,CAAC;CACF;AA7ED,8BA6EC;AAED;;;;;GAKG;AACH,SAAS,WAAW,CAAC,KAAa;IAChC,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;AACvC,CAAC"}