@vinkius-core/mcp-fusion 3.1.29 → 3.1.30
- package/dist/sandbox/SandboxEngine.d.ts +9 -1
- package/dist/sandbox/SandboxEngine.d.ts.map +1 -1
- package/dist/sandbox/SandboxEngine.js +29 -5
- package/dist/sandbox/SandboxEngine.js.map +1 -1
- package/dist/sandbox/SandboxGuard.d.ts.map +1 -1
- package/dist/sandbox/SandboxGuard.js +31 -1
- package/dist/sandbox/SandboxGuard.js.map +1 -1
- package/dist/sandbox/index.d.ts +1 -1
- package/dist/sandbox/index.d.ts.map +1 -1
- package/dist/sandbox/index.js +1 -1
- package/dist/sandbox/index.js.map +1 -1
- package/package.json +1 -1
|
@@ -88,10 +88,11 @@ export interface SandboxConfig {
|
|
|
88
88
|
* - `RUNTIME`: Script threw an error during execution
|
|
89
89
|
* - `OUTPUT_TOO_LARGE`: Result exceeds `maxOutputBytes`
|
|
90
90
|
* - `INVALID_CODE`: Failed the SandboxGuard fail-fast check
|
|
91
|
+
* - `INVALID_DATA`: Input data contains non-serializable values
|
|
91
92
|
* - `UNAVAILABLE`: `isolated-vm` is not installed
|
|
92
93
|
* - `ABORTED`: Execution was cancelled via AbortSignal (client disconnect)
|
|
93
94
|
*/
|
|
94
|
-
export type SandboxErrorCode = 'TIMEOUT' | 'MEMORY' | 'SYNTAX' | 'RUNTIME' | 'OUTPUT_TOO_LARGE' | 'INVALID_CODE' | 'UNAVAILABLE' | 'ABORTED';
|
|
95
|
+
export type SandboxErrorCode = 'TIMEOUT' | 'MEMORY' | 'SYNTAX' | 'RUNTIME' | 'OUTPUT_TOO_LARGE' | 'INVALID_CODE' | 'INVALID_DATA' | 'UNAVAILABLE' | 'ABORTED';
|
|
95
96
|
/**
|
|
96
97
|
* Result of a sandbox execution.
|
|
97
98
|
*
|
|
@@ -116,6 +117,13 @@ export type SandboxResult<T = unknown> = {
|
|
|
116
117
|
readonly error: string;
|
|
117
118
|
readonly code: SandboxErrorCode;
|
|
118
119
|
};
|
|
120
|
+
/**
|
|
121
|
+
* Reset the cached isolated-vm module reference.
|
|
122
|
+
* Exported exclusively for testing — allows mock/unmock cycles
|
|
123
|
+
* without process restart (Bug #137).
|
|
124
|
+
* @internal
|
|
125
|
+
*/
|
|
126
|
+
export declare function resetIvmCache(): void;
|
|
119
127
|
/**
|
|
120
128
|
* Zero-trust V8 sandbox for executing LLM-provided JavaScript.
|
|
121
129
|
*
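Review bot: `resetIvmCache` is documented as test-only and tagged `@internal`, yet the declaration added here ships in the published `.d.ts`, and the `index.d.ts` and `index.js` sections re-export it from the sandbox barrel, so it becomes part of the package's public surface. The tag only hides a declaration when the build strips internal members (TypeScript's `stripInternal`), which this emitted output suggests is not enabled. I would drop it from the barrel and have tests import it from `./SandboxEngine.js` directly, or at least say so in the doc comment, e.g. `* Not part of the supported API; resets the module-level isolated-vm cache.`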
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SandboxEngine.d.ts","sourceRoot":"","sources":["../../src/sandbox/SandboxEngine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AAGH,OAAO,
|
|
1
|
+
{"version":3,"file":"SandboxEngine.d.ts","sourceRoot":"","sources":["../../src/sandbox/SandboxEngine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AAGH,OAAO,EAAyB,KAAK,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAI/F;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,aAAa;IAC1B;;;;OAIG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,gBAAgB,GACtB,SAAS,GACT,QAAQ,GACR,QAAQ,GACR,SAAS,GACT,kBAAkB,GAClB,cAAc,GACd,cAAc,GACd,aAAa,GACb,SAAS,CAAC;AAEhB;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,aAAa,CAAC,CAAC,GAAG,OAAO,IAC/B;IAAE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC;IAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACtE;IAAE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,IAAI,EAAE,gBAAgB,CAAA;CAAE,CAAC;AAkCtF;;;;;GAKG;AACH,wBAAgB,aAAa,IAAI,IAAI,CAEpC;AAID;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,aAAa;IACtB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;IAEzC,OAAO,CAAC,QAAQ,CAAM;IACtB,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,UAAU,CAAC,CAAgB;IACnC,+DAA+D;IAC/D,OAAO,CAAC,iBAAiB,CAAK;gBAElB,MAAM,CAAC,EAAE,aAAa;IAgBlC;;;;OAIG;IACH,SAAS,CAAC,IAAI,EAAE,aAAa,GAAG,IAAI;IAKpC;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACG,OAAO,CAAC,CAAC,GAAG,OAAO,EACrB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,OAAO,EACb,OAAO,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,WAAW,CAAA;KAAE,GACnC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;IA4J5B;;;;;OAKG;IACH,OAAO,IAAI,IAAI;IAUf;;OAEG;IACH,IAAI,UAAU,IAAI,OAAO,CAExB;IAED;;;OAGG;IACH,OAAO,CAAC,cAAc;IActB;;;OAGG;IACH,OAAO,CAAC,cAAc;IAatB;;;OAGG;IACH,OAAO,CAAC,cAAc;CA6CzB"}
|
|
@@ -51,6 +51,7 @@ const DEFAULT_TIMEOUT_MS = 5_000;
|
|
|
51
51
|
const DEFAULT_MEMORY_LIMIT_MB = 128;
|
|
52
52
|
const DEFAULT_MAX_OUTPUT_BYTES = 1_048_576; // 1MB
|
|
53
53
|
const MAX_CODE_LENGTH = 65_536; // 64KB — generous for any legitimate sandbox function
|
|
54
|
+
const TEXT_ENCODER = new TextEncoder(); // Bug #138: reuse stateless encoder
|
|
54
55
|
// ── Lazy Require ─────────────────────────────────────────
|
|
55
56
|
/**
|
|
56
57
|
* Lazy-load isolated-vm to avoid hard dependency.
|
|
@@ -74,6 +75,15 @@ function getIvm() {
|
|
|
74
75
|
}
|
|
75
76
|
return _ivm;
|
|
76
77
|
}
|
|
78
|
+
/**
|
|
79
|
+
* Reset the cached isolated-vm module reference.
|
|
80
|
+
* Exported exclusively for testing — allows mock/unmock cycles
|
|
81
|
+
* without process restart (Bug #137).
|
|
82
|
+
* @internal
|
|
83
|
+
*/
|
|
84
|
+
export function resetIvmCache() {
|
|
85
|
+
_ivm = undefined;
|
|
86
|
+
}
|
|
77
87
|
// ── Engine Implementation ────────────────────────────────
|
|
78
88
|
/**
|
|
79
89
|
* Zero-trust V8 sandbox for executing LLM-provided JavaScript.
|
|
@@ -224,7 +234,20 @@ export class SandboxEngine {
|
|
|
224
234
|
// Create pristine context (NO globals injected — this IS the security)
|
|
225
235
|
context = await isolate.createContext();
|
|
226
236
|
// Deep-copy data into isolated heap (no references!)
|
|
227
|
-
|
|
237
|
+
// Bug #135: catch serialization errors from ExternalCopy separately
|
|
238
|
+
try {
|
|
239
|
+
inputCopy = new ivm.ExternalCopy(data);
|
|
240
|
+
}
|
|
241
|
+
catch (copyErr) {
|
|
242
|
+
const copyMsg = copyErr instanceof Error ? copyErr.message : String(copyErr);
|
|
243
|
+
const result = {
|
|
244
|
+
ok: false,
|
|
245
|
+
error: `Data serialization error: ${copyMsg}. The input data contains non-serializable values (functions, Symbols, WeakRefs, etc.).`,
|
|
246
|
+
code: 'INVALID_DATA',
|
|
247
|
+
};
|
|
248
|
+
this._emitTelemetry(result);
|
|
249
|
+
return result;
|
|
250
|
+
}
|
|
228
251
|
await context.global.set('__input__', inputCopy.copyInto());
|
|
229
252
|
// Compile with wrapper: call the function and serialize result
|
|
230
253
|
const wrappedCode = `const __fn__ = ${code};\nJSON.stringify(__fn__(__input__));`;
|
|
@@ -234,7 +257,7 @@ export class SandboxEngine {
|
|
|
234
257
|
const executionMs = performance.now() - startMs;
|
|
235
258
|
// ── Step 5: Output size guard ───────────────
|
|
236
259
|
if (typeof rawResult === 'string') {
|
|
237
|
-
const outputByteLength =
|
|
260
|
+
const outputByteLength = TEXT_ENCODER.encode(rawResult).byteLength;
|
|
238
261
|
if (outputByteLength > this._maxOutputBytes) {
|
|
239
262
|
const oversized = {
|
|
240
263
|
ok: false,
|
|
@@ -324,13 +347,14 @@ export class SandboxEngine {
|
|
|
324
347
|
_emitTelemetry(result) {
|
|
325
348
|
if (!this._telemetry)
|
|
326
349
|
return;
|
|
327
|
-
|
|
350
|
+
const event = {
|
|
328
351
|
type: 'sandbox.exec',
|
|
329
352
|
ok: result.ok,
|
|
330
353
|
executionMs: result.ok ? result.executionMs : 0,
|
|
331
|
-
|
|
354
|
+
...(!result.ok ? { errorCode: result.code } : {}),
|
|
332
355
|
timestamp: Date.now(),
|
|
333
|
-
}
|
|
356
|
+
};
|
|
357
|
+
this._telemetry(event);
|
|
334
358
|
}
|
|
335
359
|
// ── Private ──────────────────────────────────────────
|
|
336
360
|
/**
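Review bot: In the output size guard (new line 260), `TEXT_ENCODER.encode(rawResult).byteLength` builds a full UTF-8 copy of the sandbox output on the host just to measure it, and that allocation happens before the `_maxOutputBytes` check can reject the result. `rawResult` is produced by untrusted script code, so the measurement should not allocate in proportion to it; on Node, `const outputByteLength = Buffer.byteLength(rawResult, 'utf8');` gives the byte count without the copy. A cheap pre-check is also possible because a string's UTF-8 size is never smaller than its `length`, so `if (rawResult.length > this._maxOutputBytes)` can reject before any encoding. The enclosing method starts and ends outside the hunk, so I cannot see whether the isolate's memory limit already bounds the size of this string.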
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SandboxEngine.js","sourceRoot":"","sources":["../../src/sandbox/SandboxEngine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,
|
|
1
|
+
{"version":3,"file":"SandboxEngine.js","sourceRoot":"","sources":["../../src/sandbox/SandboxEngine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAA6C,MAAM,oCAAoC,CAAC;AAoF/F,4DAA4D;AAE5D,MAAM,kBAAkB,GAAG,KAAK,CAAC;AACjC,MAAM,uBAAuB,GAAG,GAAG,CAAC;AACpC,MAAM,wBAAwB,GAAG,SAAS,CAAC,CAAC,MAAM;AAClD,MAAM,eAAe,GAAG,MAAM,CAAC,CAAC,sDAAsD;AACtF,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,CAAC,oCAAoC;AAE5E,4DAA4D;AAE5D;;;;GAIG;AACH,8DAA8D;AAC9D,IAAI,IAAI,GAAQ,SAAS,CAAC;AAE1B,8DAA8D;AAC9D,SAAS,MAAM;IACX,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,CAAC;QACD,uDAAuD;QACvD,uDAAuD;QACvD,iEAAiE;QACjE,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACL,IAAI,GAAG,IAAI,CAAC;IAChB,CAAC;IACD,OAAO,IAAI,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa;IACzB,IAAI,GAAG,SAAS,CAAC;AACrB,CAAC;AAED,4DAA4D;AAE5D;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,OAAO,aAAa;IACL,QAAQ,CAAS;IACjB,YAAY,CAAS;IACrB,eAAe,CAAS;IACzC,8DAA8D;IACtD,QAAQ,CAAM,CAAC,cAAc;IAC7B,SAAS,GAAG,KAAK,CAAC;IAClB,UAAU,CAAiB;IACnC,+DAA+D;IACvD,iBAAiB,GAAG,CAAC,CAAC;IAE9B,YAAY,MAAsB;QAC9B,IAAI,CAAC,QAAQ,GAAG,MAAM,EAAE,OAAO,IAAI,kBAAkB,CAAC;QACtD,IAAI,CAAC,YAAY,GAAG,MAAM,EAAE,WAAW,IAAI,uBAAuB,CAAC;QACnE,IAAI,CAAC,eAAe,GAAG,MAAM,EAAE,cAAc,IAAI,wBAAwB,CAAC;QAE1E,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;QACrB,IAAI,CAAC,GAAG,EAAE,CAAC;YACP,MAAM,IAAI,KAAK,CACX,oDAAoD;gBACpD,0CAA0C,CAC7C,CAAC;QACN,CAAC;QAED,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;IACxE,CAAC;IAED;;;;OAIG;IACH,SAAS,CAAC,IAAmB;QACzB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACvB,OAAO,IAAI,CAAC;IAChB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;OAwBG;IACH,KAAK,CAAC,OAAO,CACT,IAAY,EACZ,IAAa,EACb,OAAkC;QAElC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACjB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,kCAAkC,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;QACzF,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,CAAC;QAE/B,oDAAoD;QACpD,+DAA+D;QAC/D,qDAAqD;QACrD,IAAI,MAAM,EAAE,OAAO,EAAE,CAAC;YAClB,OAAO;gBACH
,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,gEAAgE;gBACvE,IAAI,EAAE,SAAS;aAClB,CAAC;QACN,CAAC;QAED,mDAAmD;QACnD,oDAAoD;QACpD,iEAAiE;QACjE,IAAI,IAAI,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;YAChC,OAAO;gBACH,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,gBAAgB,IAAI,CAAC,MAAM,4BAA4B,eAAe,WAAW;oBACpF,0DAA0D;gBAC9D,IAAI,EAAE,cAAc;aACvB,CAAC;QACN,CAAC;QAED,mDAAmD;QACnD,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,SAAU,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;QACxE,CAAC;QAED,mDAAmD;QACnD,IAAI,CAAC,cAAc,EAAE,CAAC;QAEtB,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC9B,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEzB,mDAAmD;QACnD,0DAA0D;QAC1D,4DAA4D;QAC5D,4DAA4D;QAC5D,0DAA0D;QAC1D,wDAAwD;QACxD,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE;YAC1B,OAAO,GAAG,IAAI,CAAC;YACf,IAAI,IAAI,CAAC,iBAAiB,IAAI,CAAC,EAAE,CAAC;gBAC9B,IAAI,CAAC;oBAAC,OAAO,CAAC,OAAO,EAAE,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,yBAAyB,CAAC,CAAC;YAClE,CAAC;QACL,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEd,IAAI,MAAM,IAAI,OAAO,EAAE,CAAC;YACpB,MAAM,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9D,CAAC;QAED,mDAAmD;QACnD,8DAA8D;QAC9D,IAAI,SAA0B,CAAC,CAAG,mBAAmB;QACrD,8DAA8D;QAC9D,IAAI,OAAwB,CAAC,CAAK,cAAc;QAChD,8DAA8D;QAC9D,IAAI,MAAuB,CAAC,CAAM,aAAa;QAE/C,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAElC,IAAI,CAAC;YACD,uEAAuE;YACvE,OAAO,GAAG,MAAM,OAAO,CAAC,aAAa,EAAE,CAAC;YAExC,qDAAqD;YACrD,oEAAoE;YACpE,IAAI,CAAC;gBACD,SAAS,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;YAC3C,CAAC;YAAC,OAAO,OAAgB,EAAE,CAAC;gBACxB,MAAM,OAAO,GAAG,OAAO,YAAY,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBAC7E,MAAM,MAAM,GAAqB;oBAC7B,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,6BAA6B,OAAO,yFAAyF;oBACpI,IAAI,EAAE,cAAc;iBACvB,CAAC;gBACF,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;gBAC5B,OAAO,MAAM,CAAC;YAClB,CAAC;YACD,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;YAE5D,+DAA+D;YAC/D,MAAM,WAAW,GAAG,kBAAkB,IAAI,uCAAu
C,CAAC;YAClF,MAAM,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;YAElD,wDAAwD;YACxD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAExE,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;YAEhD,+CAA+C;YAC/C,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAChC,MAAM,gBAAgB,GAAG,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,UAAU,CAAC;gBACnE,IAAI,gBAAgB,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;oBAC1C,MAAM,SAAS,GAAqB;wBAChC,EAAE,EAAE,KAAK;wBACT,KAAK,EAAE,gBAAgB,gBAAgB,0BAA0B,IAAI,CAAC,eAAe,WAAW;4BAC5F,sDAAsD;wBAC1D,IAAI,EAAE,kBAAkB;qBAC3B,CAAC;oBACF,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;oBAC/B,OAAO,SAAS,CAAC;gBACrB,CAAC;YACL,CAAC;YAED,+CAA+C;YAC/C,MAAM,MAAM,GAAG,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YACjF,MAAM,MAAM,GAAqB,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAW,EAAE,WAAW,EAAE,CAAC;YAC/E,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;YAC5B,OAAO,MAAM,CAAC;QAElB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACpB,kEAAkE;YAClE,6DAA6D;YAC7D,IAAI,OAAO,EAAE,CAAC;gBACV,MAAM,MAAM,GAAqB;oBAC7B,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE,kEAAkE;oBACzE,IAAI,EAAE,SAAS;iBAClB,CAAC;gBACF,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;gBAC5B,OAAO,MAAM,CAAC;YAClB,CAAC;YACD,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAqB,CAAC;YAC5D,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;YAC5B,OAAO,MAAM,CAAC;QAClB,CAAC;gBAAS,CAAC;YACP,gDAAgD;YAChD,mDAAmD;YACnD,+CAA+C;YAC/C,IAAI,MAAM,IAAI,OAAO,EAAE,CAAC;gBACpB,MAAM,CAAC,mBAAmB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACjD,CAAC;YAED,gDAAgD;YAChD,gDAAgD;YAChD,kDAAkD;YAClD,uDAAuD;YACvD,IAAI,CAAC;gBAAC,SAAS,EAAE,OAAO,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,sCAAsC,CAAC,CAAC;YAC9E,IAAI,CAAC;gBAAC,MAAM,EAAE,OAAO,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,sCAAsC,CAAC,CAAC;YAC3E,IAAI,CAAC;gBAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,sCAAsC,CAAC,CAAC;YAE5E,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC7B,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACH,OAAO;QACH,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO;QAC3B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACtB,IAAI,CAAC;YACD,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;QAC7B,CAAC;
QAAC,MAAM,CAAC;YACL,oCAAoC;QACxC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,IAAI,UAAU;QACV,OAAO,IAAI,CAAC,SAAS,CAAC;IAC1B,CAAC;IAED;;;OAGG;IACK,cAAc,CAAC,MAA8B;QACjD,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,OAAO;QAC7B,MAAM,KAAK,GAAqB;YAC5B,IAAI,EAAE,cAAc;YACpB,EAAE,EAAE,MAAM,CAAC,EAAE;YACb,WAAW,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;YAC/C,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACjD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC;QACF,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IAED,wDAAwD;IAExD;;;OAGG;IACK,cAAc;QAClB,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;QACrB,mCAAmC;QACnC,IAAI,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,CAAC;gBAC5B,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;YACxE,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACL,+CAA+C;YAC/C,IAAI,CAAC,QAAQ,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;QACxE,CAAC;IACL,CAAC;IAED;;;OAGG;IACK,cAAc,CAAC,GAAY;QAC/B,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEjE,+CAA+C;QAC/C,IAAI,OAAO,CAAC,QAAQ,CAAC,4BAA4B,CAAC,EAAE,CAAC;YACjD,OAAO;gBACH,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,+BAA+B,IAAI,CAAC,QAAQ,OAAO;oBACtD,yDAAyD;gBAC7D,IAAI,EAAE,SAAS;aAClB,CAAC;QACN,CAAC;QAED,+BAA+B;QAC/B,IACI,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC;YACxC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;YACjC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EACvC,CAAC;YACC,2CAA2C;YAC3C,IAAI,CAAC;gBAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YACxD,OAAO;gBACH,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,8BAA8B,IAAI,CAAC,YAAY,aAAa;oBAC/D,mDAAmD;gBACvD,IAAI,EAAE,QAAQ;aACjB,CAAC;QACN,CAAC;QAED,+BAA+B;QAC/B,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YAClC,OAAO;gBACH,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,4BAA4B,OAAO,EAAE;gBAC5C,IAAI,EAAE,QAAQ;aACjB,CAAC;QACN,CAAC;QAED,gEAAgE;QAChE,OAAO;YACH,EAAE,EAAE,KAAK;YACT,KAAK,EAAE,kBAAkB,OAAO,EAAE;YAClC,IAAI,EAAE,SAAS;SAClB,CAAC;IACN,CAAC;CACJ"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SandboxGuard.d.ts","sourceRoot":"","sources":["../../src/sandbox/SandboxGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAIH,MAAM,WAAW,WAAW;IACxB,kDAAkD;IAClD,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,uEAAuE;IACvE,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC/B;
|
|
1
|
+
{"version":3,"file":"SandboxGuard.d.ts","sourceRoot":"","sources":["../../src/sandbox/SandboxGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAIH,MAAM,WAAW,WAAW;IACxB,kDAAkD;IAClD,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,uEAAuE;IACvE,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC/B;AAiCD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,CA2C7D"}
|
|
@@ -28,7 +28,6 @@ const SUSPICIOUS_PATTERNS = [
|
|
|
28
28
|
{ pattern: /\bimport\s*\(/, reason: 'Dynamic import() is not available in the sandbox.' },
|
|
29
29
|
{ pattern: /\bimport\s+/, reason: 'ES module imports are not available in the sandbox.' },
|
|
30
30
|
{ pattern: /\brequire\s*\(/, reason: 'require() is not available in the sandbox.' },
|
|
31
|
-
{ pattern: /^\s*async\b/, reason: 'Async functions are not supported in the sandbox. The sandbox uses synchronous JSON.stringify(fn(input)) — an async function would serialize to \'{}\'. Use a synchronous function instead.' },
|
|
32
31
|
];
|
|
33
32
|
/**
|
|
34
33
|
* The code must start with one of these patterns to be recognized
|
|
@@ -88,6 +87,37 @@ export function validateSandboxCode(code) {
|
|
|
88
87
|
return { ok: false, violation: reason };
|
|
89
88
|
}
|
|
90
89
|
}
|
|
90
|
+
// Bug #136: detect `async` anywhere in the code (not just at the start).
|
|
91
|
+
// Strip string literals first to avoid false positives on e.g. "async".
|
|
92
|
+
if (containsAsyncKeyword(trimmed)) {
|
|
93
|
+
return {
|
|
94
|
+
ok: false,
|
|
95
|
+
violation: 'Async functions are not supported in the sandbox. ' +
|
|
96
|
+
'The sandbox uses synchronous JSON.stringify(fn(input)) — ' +
|
|
97
|
+
'an async function would serialize to \'{}\'. ' +
|
|
98
|
+
'Use a synchronous function instead.',
|
|
99
|
+
};
|
|
100
|
+
}
|
|
91
101
|
return { ok: true };
|
|
92
102
|
}
|
|
103
|
+
// ── Helpers ──────────────────────────────────────────────
|
|
104
|
+
/**
|
|
105
|
+
* Strip string literals (single, double, template) to avoid
|
|
106
|
+
* false positives when scanning for keywords like `async`.
|
|
107
|
+
* Replaces each string literal with empty quotes of the same kind.
|
|
108
|
+
* @internal
|
|
109
|
+
*/
|
|
110
|
+
function stripStringLiterals(code) {
|
|
111
|
+
// Match single-quoted, double-quoted, and back-tick strings
|
|
112
|
+
// (respects escape sequences: \' \" \` don't close the string)
|
|
113
|
+
return code.replace(/(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|`(?:[^`\\]|\\.)*`)/gs, '""');
|
|
114
|
+
}
|
|
115
|
+
/**
|
|
116
|
+
* Check if `async` appears as a keyword anywhere in the code,
|
|
117
|
+
* ignoring occurrences inside string literals (Bug #136).
|
|
118
|
+
* @internal
|
|
119
|
+
*/
|
|
120
|
+
function containsAsyncKeyword(code) {
|
|
121
|
+
return /\basync\b/.test(stripStringLiterals(code));
|
|
122
|
+
}
|
|
93
123
|
//# sourceMappingURL=SandboxGuard.js.map
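Review bot: `stripStringLiterals` is a regex approximation of JavaScript lexing, so `containsAsyncKeyword` can both miss and over-report. It removes a template literal whole, including any `${…}` expression inside it, and it does not recognise comments or regex literals, where a stray quote can make the match swallow real code; in the other direction `\basync\b` also matches `async` inside a comment or as a property name such as `opts.async`. That is acceptable for a fail-fast hint, but the doc comment should say so, e.g. `* Heuristic only: ignores comments, regex literals and ${} interpolation; not a security boundary.` The regex also runs on the host over the whole input, so it is worth confirming that `validateSandboxCode` is only reached after the engine's code-length limit.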
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SandboxGuard.js","sourceRoot":"","sources":["../../src/sandbox/SandboxGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAWH,4DAA4D;AAE5D;;;;GAIG;AACH,MAAM,mBAAmB,GAAuD;IAC5E,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,mDAAmD,EAAE;IACzF,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,qDAAqD,EAAE;IACzF,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,EAAE,4CAA4C,EAAE;
|
|
1
|
+
{"version":3,"file":"SandboxGuard.js","sourceRoot":"","sources":["../../src/sandbox/SandboxGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAWH,4DAA4D;AAE5D;;;;GAIG;AACH,MAAM,mBAAmB,GAAuD;IAC5E,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,mDAAmD,EAAE;IACzF,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,qDAAqD,EAAE;IACzF,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,EAAE,4CAA4C,EAAE;CACtF,CAAC;AAEF;;;GAGG;AACH,MAAM,iBAAiB,GAA0B;IAC7C,kBAAkB,EAAe,aAAa;IAC9C,wBAAwB,EAAQ,WAAW;IAC3C,mBAAmB,EAAc,sBAAsB;IACvD,yBAAyB,EAAQ,2BAA2B;IAC5D,kEAAkE;IAClE,yDAAyD;IACzD,0BAA0B,EAAO,mBAAmB;IACpD,2BAA2B,EAAM,4BAA4B;IAC7D,gCAAgC,EAAE,iBAAiB;CACtD,CAAC;AAEF,4DAA4D;AAE5D;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC5C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,kCAAkC,EAAE,CAAC;IACxE,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAE5B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,kCAAkC,EAAE,CAAC;IACxE,CAAC;IAED,yCAAyC;IACzC,MAAM,iBAAiB,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACvE,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACrB,OAAO;YACH,EAAE,EAAE,KAAK;YACT,SAAS,EACL,wDAAwD;gBACxD,mDAAmD;SAC1D,CAAC;IACN,CAAC;IAED,2DAA2D;IAC3D,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,mBAAmB,EAAE,CAAC;QACpD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC;QAC5C,CAAC;IACL,CAAC;IAED,yEAAyE;IACzE,wEAAwE;IACxE,IAAI,oBAAoB,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,OAAO;YACH,EAAE,EAAE,KAAK;YACT,SAAS,EACL,oDAAoD;gBACpD,2DAA2D;gBAC3D,+CAA+C;gBAC/C,qCAAqC;SAC5C,CAAC;IACN,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACxB,CAAC;AAED,4DAA4D;AAE5D;;;;;GAKG;AACH,SAAS,mBAAmB,CAAC,IAAY;IACrC,4DAA4D;IAC5D,+DAA+D;IAC/D,OAAO,IAAI,CAAC,OAAO,CAAC,6DAA6D,EAAE,IAAI,CAAC,CAAC;AAC7F,CAAC;AAED;;;;GAIG;AACH,SAAS,oBAAoB,CAAC,IAAY;IACtC,OAAO,WAAW,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC;AACvD,CAAC"}
|
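--- a/package/dist/sandbox/index.d.ts
+++ b/package/dist/sandbox/index.d.ts
@@ -8,7 +8,7 @@
 * The `isolated-vm` package is an optional peerDependency.
 * The framework works fully without it — sandbox is a power add-on.
 */
-export { SandboxEngine } from './SandboxEngine.js';
+export { SandboxEngine, resetIvmCache } from './SandboxEngine.js';
 export type { SandboxConfig, SandboxResult, SandboxErrorCode } from './SandboxEngine.js';
 export { validateSandboxCode } from './SandboxGuard.js';
 export type { GuardResult } from './SandboxGuard.js';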
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAClE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACzF,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAIrD;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B,QAKiC,CAAC"}
|
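--- a/package/dist/sandbox/index.js
+++ b/package/dist/sandbox/index.js
@@ -8,7 +8,7 @@
 * The `isolated-vm` package is an optional peerDependency.
 * The framework works fully without it — sandbox is a power add-on.
 */
-export { SandboxEngine } from './SandboxEngine.js';
+export { SandboxEngine, resetIvmCache } from './SandboxEngine.js';
 export { validateSandboxCode } from './SandboxGuard.js';
 // ── HATEOAS Auto-Prompting Instruction ───────────────────
 /**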
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAElE,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAGxD,4DAA4D;AAE5D;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,0BAA0B,GACnC,sDAAsD;IACtD,iFAAiF;IACjF,4DAA4D;IAC5D,kDAAkD;IAClD,oEAAoE,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@vinkius-core/mcp-fusion",
|
|
3
|
-
"version": "3.1.
|
|
3
|
+
"version": "3.1.30",
|
|
4
4
|
"description": "MVA (Model-View-Agent) framework for the Model Context Protocol. Structured perception packages with Presenters, cognitive guardrails, self-healing errors, action consolidation, and tRPC-style type safety — so AI agents perceive and act on your data deterministically.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|