@voratiq/sandbox-runtime 0.0.29-voratiq0

package/dist/sandbox/generate-seccomp-filter.js

@@ -0,0 +1,185 @@
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import * as fs from 'node:fs';
+import { logForDebugging } from '../utils/debug.js';
+/**
+ * Map Node.js process.arch to our vendor directory architecture names
+ * Returns null for unsupported architectures
+ */
+function getVendorArchitecture() {
+    const arch = process.arch;
+    switch (arch) {
+        case 'x64':
+        case 'x86_64':
+            return 'x64';
+        case 'arm64':
+        case 'aarch64':
+            return 'arm64';
+        case 'ia32':
+        case 'x86':
+            // TODO: Add support for 32-bit x86 (ia32)
+            // Currently blocked because the seccomp filter does not block the socketcall() syscall,
+            // which is used on 32-bit x86 for all socket operations (socket, socketpair, bind, connect, etc.).
+            // On 32-bit x86, the direct socket() syscall doesn't exist - instead, all socket operations
+            // are multiplexed through socketcall(SYS_SOCKET, ...), socketcall(SYS_SOCKETPAIR, ...), etc.
+            //
+            // To properly support 32-bit x86, we need to:
+            // 1. Build a separate i386 BPF filter (BPF bytecode is architecture-specific)
+            // 2. Modify vendor/seccomp-src/seccomp-unix-block.c to conditionally add rules that block:
+            //    - socketcall(SYS_SOCKET, [AF_UNIX, ...])
+            //    - socketcall(SYS_SOCKETPAIR, [AF_UNIX, ...])
+            // 3. This requires complex BPF logic to inspect socketcall's sub-function argument
+            //
+            // Until then, 32-bit x86 is not supported to avoid a security bypass.
+            logForDebugging(`[SeccompFilter] 32-bit x86 (ia32) is not currently supported due to missing socketcall() syscall blocking. ` +
+                `The current seccomp filter only blocks socket(AF_UNIX, ...), but on 32-bit x86, socketcall() can be used to bypass this.`, { level: 'error' });
+            return null;
+        default:
+            logForDebugging(`[SeccompFilter] Unsupported architecture: ${arch}. Only x64 and arm64 are supported.`);
+            return null;
+    }
+}
+/**
+ * Get the path to a pre-generated BPF filter file from the vendor directory
+ * Returns the path if it exists, null otherwise
+ *
+ * Pre-generated BPF files are organized by architecture:
+ * - vendor/seccomp/{x64,arm64}/unix-block.bpf
+ *
+ * Tries multiple paths for resilience:
+ * 0. Expected path provided via parameter (checked first if provided)
+ * 1. vendor/seccomp/{arch}/unix-block.bpf (bundled - when bundled into consuming packages)
+ * 2. ../../vendor/seccomp/{arch}/unix-block.bpf (package root - standard npm installs)
+ * 3. ../vendor/seccomp/{arch}/unix-block.bpf (dist/vendor - for bundlers)
+ *
+ * @param expectedPath - Optional path to check first (highest priority)
+ */
+export function getPreGeneratedBpfPath(expectedPath) {
+    // Check expected path first (highest priority)
+    if (expectedPath) {
+        if (fs.existsSync(expectedPath)) {
+            logForDebugging(`[SeccompFilter] Using BPF filter from expected path: ${expectedPath}`);
+            return expectedPath;
+        }
+        logForDebugging(`[SeccompFilter] Expected path provided but file not found: ${expectedPath}`);
+    }
+    // Determine architecture
+    const arch = getVendorArchitecture();
+    if (!arch) {
+        logForDebugging(`[SeccompFilter] Cannot find pre-generated BPF filter: unsupported architecture ${process.arch}`);
+        return null;
+    }
+    logForDebugging(`[SeccompFilter] Detected architecture: ${arch}`);
+    // Try to locate the BPF file with fallback paths
+    // Path is relative to the compiled code location (dist/sandbox/)
+    const baseDir = dirname(fileURLToPath(import.meta.url));
+    const relativePath = join('vendor', 'seccomp', arch, 'unix-block.bpf');
+    // Try paths in order of preference
+    const pathsToTry = [
+        join(baseDir, relativePath), // bundled: same directory as bundle (e.g., when bundled into claude-cli)
+        join(baseDir, '..', '..', relativePath), // package root: vendor/seccomp/...
+        join(baseDir, '..', relativePath), // dist: dist/vendor/seccomp/...
+    ];
+    for (const bpfPath of pathsToTry) {
+        if (fs.existsSync(bpfPath)) {
+            logForDebugging(`[SeccompFilter] Found pre-generated BPF filter: ${bpfPath} (${arch})`);
+            return bpfPath;
+        }
+    }
+    logForDebugging(`[SeccompFilter] Pre-generated BPF filter not found in any expected location (${arch})`);
+    return null;
+}
+/**
+ * Get the path to the apply-seccomp binary from the vendor directory
+ * Returns the path if it exists, null otherwise
+ *
+ * Pre-built apply-seccomp binaries are organized by architecture:
+ * - vendor/seccomp/{x64,arm64}/apply-seccomp
+ *
+ * Tries multiple paths for resilience:
+ * 0. Expected path provided via parameter (checked first if provided)
+ * 1. vendor/seccomp/{arch}/apply-seccomp (bundled - when bundled into consuming packages)
+ * 2. ../../vendor/seccomp/{arch}/apply-seccomp (package root - standard npm installs)
+ * 3. ../vendor/seccomp/{arch}/apply-seccomp (dist/vendor - for bundlers)
+ *
+ * @param expectedPath - Optional path to check first (highest priority)
+ */
+export function getApplySeccompBinaryPath(expectedPath) {
+    // Check expected path first (highest priority)
+    if (expectedPath) {
+        if (fs.existsSync(expectedPath)) {
+            logForDebugging(`[SeccompFilter] Using apply-seccomp binary from expected path: ${expectedPath}`);
+            return expectedPath;
+        }
+        logForDebugging(`[SeccompFilter] Expected path provided but file not found: ${expectedPath}`);
+    }
+    // Determine architecture
+    const arch = getVendorArchitecture();
+    if (!arch) {
+        logForDebugging(`[SeccompFilter] Cannot find apply-seccomp binary: unsupported architecture ${process.arch}`);
+        return null;
+    }
+    logForDebugging(`[SeccompFilter] Looking for apply-seccomp binary for architecture: ${arch}`);
+    // Try to locate the binary with fallback paths
+    // Path is relative to the compiled code location (dist/sandbox/)
+    const baseDir = dirname(fileURLToPath(import.meta.url));
+    const relativePath = join('vendor', 'seccomp', arch, 'apply-seccomp');
+    // Try paths in order of preference
+    const pathsToTry = [
+        join(baseDir, relativePath), // bundled: same directory as bundle (e.g., when bundled into claude-cli)
+        join(baseDir, '..', '..', relativePath), // package root: vendor/seccomp/...
+        join(baseDir, '..', relativePath), // dist: dist/vendor/seccomp/...
+    ];
+    for (const binaryPath of pathsToTry) {
+        if (fs.existsSync(binaryPath)) {
+            logForDebugging(`[SeccompFilter] Found apply-seccomp binary: ${binaryPath} (${arch})`);
+            return binaryPath;
+        }
+    }
+    logForDebugging(`[SeccompFilter] apply-seccomp binary not found in any expected location (${arch})`);
+    return null;
+}
+/**
+ * Get the path to a pre-generated seccomp BPF filter that blocks Unix domain socket creation
+ * Returns the path to the BPF filter file, or null if not available
+ *
+ * The filter blocks socket(AF_UNIX, ...) syscalls while allowing all other syscalls.
+ * This prevents creation of new Unix domain socket file descriptors.
+ *
+ * Security scope:
+ * - Blocks: socket(AF_UNIX, ...) syscall (creating new Unix socket FDs)
+ * - Does NOT block: Operations on inherited Unix socket FDs (bind, connect, sendto, etc.)
+ * - Does NOT block: Unix socket FDs passed via SCM_RIGHTS
+ * - For most sandboxing scenarios, blocking socket creation is sufficient
+ *
+ * Note: This blocks ALL Unix socket creation, regardless of path. The allowUnixSockets
+ * configuration is not supported on Linux due to seccomp-bpf limitations (it cannot
+ * read user-space memory to inspect socket paths).
+ *
+ * Requirements:
+ * - Pre-generated BPF filters included for x64 and ARM64 only
+ * - Other architectures are not supported
+ *
+ * @param expectedPath - Optional path to check first (highest priority)
+ * @returns Path to the pre-generated BPF filter file, or null if not available
+ */
+export function generateSeccompFilter(expectedPath) {
+    const preGeneratedBpf = getPreGeneratedBpfPath(expectedPath);
+    if (preGeneratedBpf) {
+        logForDebugging('[SeccompFilter] Using pre-generated BPF filter');
+        return preGeneratedBpf;
+    }
+    logForDebugging('[SeccompFilter] Pre-generated BPF filter not available for this architecture. ' +
+        'Only x64 and arm64 are supported.', { level: 'error' });
+    return null;
+}
+/**
+ * Clean up a seccomp filter file
+ * Since we only use pre-generated BPF files from vendor/, this is a no-op.
+ * Pre-generated files are never deleted.
+ * Kept for backward compatibility with existing code that calls it.
+ */
+export function cleanupSeccompFilter(_filterPath) {
+    // No-op: pre-generated BPF files are never cleaned up
+}
+//# sourceMappingURL=generate-seccomp-filter.js.map

package/dist/sandbox/generate-seccomp-filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-seccomp-filter.js","sourceRoot":"","sources":["../../src/sandbox/generate-seccomp-filter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AACxC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAEnD;;;GAGG;AACH,SAAS,qBAAqB;IAC5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAc,CAAA;IACnC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,KAAK,CAAC;QACX,KAAK,QAAQ;YACX,OAAO,KAAK,CAAA;QACd,KAAK,OAAO,CAAC;QACb,KAAK,SAAS;YACZ,OAAO,OAAO,CAAA;QAChB,KAAK,MAAM,CAAC;QACZ,KAAK,KAAK;YACR,0CAA0C;YAC1C,wFAAwF;YACxF,mGAAmG;YACnG,4FAA4F;YAC5F,6FAA6F;YAC7F,EAAE;YACF,8CAA8C;YAC9C,8EAA8E;YAC9E,2FAA2F;YAC3F,8CAA8C;YAC9C,kDAAkD;YAClD,mFAAmF;YACnF,EAAE;YACF,sEAAsE;YACtE,eAAe,CACb,6GAA6G;gBAC3G,0HAA0H,EAC5H,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;YACD,OAAO,IAAI,CAAA;QACb;YACE,eAAe,CACb,6CAA6C,IAAI,qCAAqC,CACvF,CAAA;YACD,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,sBAAsB,CAAC,YAAqB;IAC1D,+CAA+C;IAC/C,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAChC,eAAe,CACb,wDAAwD,YAAY,EAAE,CACvE,CAAA;YACD,OAAO,YAAY,CAAA;QACrB,CAAC;QACD,eAAe,CACb,8DAA8D,YAAY,EAAE,CAC7E,CAAA;IACH,CAAC;IAED,yBAAyB;IACzB,MAAM,IAAI,GAAG,qBAAqB,EAAE,CAAA;IACpC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,eAAe,CACb,kFAAkF,OAAO,CAAC,IAAI,EAAE,CACjG,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,eAAe,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAA;IAEjE,iDAAiD;IACjD,iEAAiE;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,gBAAgB,CAAC,CAAA;IAEtE,mCAAmC;IACnC,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,EAAE,yEAAyE;QACtG,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,CAAC,EAAE,mCAAmC;QAC5E,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,YAAY,CAAC,EAAE,gCAAgC;KACpE,CAAA;IAED,KAAK,MAAM,OAAO,IAAI,UAAU,EAAE,CAAC;QACjC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,eAAe,CACb,mDAAmD,OAAO,KAAK,IAAI,GAAG,CACvE,CAAA;YACD,OAAO,OAAO,CAAA;QAChB,CAAC;IACH,CAAC;IAED,eAAe,CACb,gFAAgF,IAAI,GAAG,CACxF,CAAA;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,yBAAyB,CACvC,YAAqB;IAErB,+CAA+C;IAC/C,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAChC,eAAe,CACb,kEAAkE,YAAY,EAAE,CACjF,CAAA;YACD,OAAO,YAAY,CAAA;QACrB,CAAC;QACD,eAAe,CACb,8DAA8D,YAAY,EAAE,CAC7E,CAAA;IACH,CAAC;IAED,yBAAyB;IACzB,MAAM,IAAI,GAAG,qBAAqB,EAAE,CAAA;IACpC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,eAAe,CACb,8EAA8E,OAAO,CAAC,IAAI,EAAE,CAC7F,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,eAAe,CACb,sEAAsE,IAAI,EAAE,CAC7E,CAAA;IAED,+CAA+C;IAC/C,iEAAiE;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;IACvD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,eAAe,CAAC,CAAA;IAErE,mCAAmC;IACnC,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,EAAE,yEAAyE;QACtG,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,CAAC,EAAE,mCAAmC;QAC5E,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,YAAY,CAAC,EAAE,gCAAgC;KACpE,CAAA;IAED,KAAK,MAAM,UAAU,IAAI,UAAU,EAAE,CAAC;QACpC,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,eAAe,CACb,+CAA+C,UAAU,KAAK,IAAI,GAAG,CACtE,CAAA;YACD,OAAO,UAAU,CAAA;QACnB,CAAC;IACH,CAAC;IAED,eAAe,CACb,4EAA4E,IAAI,GAAG,CACpF,CAAA;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,UAAU,qBAAqB,CAAC,YAAqB;IACzD,MAAM,eAAe,GAAG,sBAAsB,CAAC,YAAY,CAAC,CAAA;IAC5D,IAAI,eAAe,EAAE,CAAC;QACpB,eAAe,CAAC,gDAAgD,CAAC,CAAA;QACjE,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,eAAe,CACb,gFAAgF;QAC9E,mCAAmC,EACrC,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,WAAmB;IACtD,sDAAsD;AACxD,CAAC"}

package/dist/sandbox/http-proxy.d.ts

@@ -0,0 +1,14 @@
+import type { Socket, Server } from 'node:net';
+import type { Duplex } from 'node:stream';
+import { type NetworkFilterResult } from './observability.js';
+export interface HttpProxyServerOptions {
+    filter(port: number, host: string, socket: Socket | Duplex): Promise<boolean | NetworkFilterResult> | boolean | NetworkFilterResult;
+    /**
+     * Optional function to get the MITM proxy socket path for a given host.
+     * If returns a socket path, the request will be routed through that MITM proxy.
+     * If returns undefined, the request will be handled directly.
+     */
+    getMitmSocketPath?(host: string): string | undefined;
+}
+export declare function createHttpProxyServer(options: HttpProxyServerOptions): Server;
+//# sourceMappingURL=http-proxy.d.ts.map

package/dist/sandbox/http-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-proxy.d.ts","sourceRoot":"","sources":["../../src/sandbox/http-proxy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AAC9C,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAOzC,OAAO,EAEL,KAAK,mBAAmB,EACzB,MAAM,oBAAoB,CAAA;AAE3B,MAAM,WAAW,sBAAsB;IACrC,MAAM,CACJ,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,GAAG,MAAM,GACtB,OAAO,CAAC,OAAO,GAAG,mBAAmB,CAAC,GAAG,OAAO,GAAG,mBAAmB,CAAA;IAEzE;;;;OAIG;IACH,iBAAiB,CAAC,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAA;CACrD;AAWD,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,sBAAsB,GAAG,MAAM,CAiR7E"}

package/dist/sandbox/http-proxy.js

@@ -0,0 +1,238 @@
+import { Agent, createServer } from 'node:http';
+import { request as httpRequest } from 'node:http';
+import { request as httpsRequest } from 'node:https';
+import { connect } from 'node:net';
+import { URL } from 'node:url';
+import { logForDebugging } from '../utils/debug.js';
+import { emitNetworkDecisionEvent, } from './observability.js';
+function normalizeFilterResult(result) {
+    if (typeof result === 'boolean') {
+        return { allowed: result, reason: 'no-match' };
+    }
+    return result;
+}
+export function createHttpProxyServer(options) {
+    const server = createServer();
+    // Handle CONNECT requests for HTTPS traffic
+    server.on('connect', async (req, socket) => {
+        // Attach error handler immediately to prevent unhandled errors
+        socket.on('error', err => {
+            logForDebugging(`Client socket error: ${err.message}`, { level: 'error' });
+        });
+        try {
+            const [hostname, portStr] = req.url.split(':');
+            const port = portStr === undefined ? undefined : parseInt(portStr, 10);
+            if (!hostname || !port) {
+                logForDebugging(`Invalid CONNECT request: ${req.url}`, {
+                    level: 'error',
+                });
+                socket.end('HTTP/1.1 400 Bad Request\r\n\r\n');
+                return;
+            }
+            const filterResult = normalizeFilterResult(await options.filter(port, hostname, socket));
+            const mitmSocketPath = options.getMitmSocketPath?.(hostname);
+            const route = mitmSocketPath ? 'mitm' : 'direct';
+            emitNetworkDecisionEvent({
+                host: hostname,
+                port,
+                decision: filterResult.allowed ? 'allow' : 'deny',
+                reason: filterResult.reason,
+                route,
+            });
+            if (!filterResult.allowed) {
+                logForDebugging(`Connection blocked to ${hostname}:${port}`, {
+                    level: 'error',
+                });
+                socket.end('HTTP/1.1 403 Forbidden\r\n' +
+                    'Content-Type: text/plain\r\n' +
+                    'X-Proxy-Error: blocked-by-allowlist\r\n' +
+                    '\r\n' +
+                    'Connection blocked by network allowlist');
+                return;
+            }
+            if (mitmSocketPath) {
+                // Route through MITM proxy via Unix socket
+                logForDebugging(`Routing CONNECT ${hostname}:${port} through MITM proxy at ${mitmSocketPath}`);
+                const mitmSocket = connect({ path: mitmSocketPath }, () => {
+                    // Send CONNECT request to the MITM proxy
+                    mitmSocket.write(`CONNECT ${hostname}:${port} HTTP/1.1\r\n` +
+                        `Host: ${hostname}:${port}\r\n` +
+                        '\r\n');
+                });
+                // Buffer to accumulate the MITM proxy's response
+                let responseBuffer = '';
+                const onMitmData = (chunk) => {
+                    responseBuffer += chunk.toString();
+                    // Check if we've received the full HTTP response headers
+                    const headerEndIndex = responseBuffer.indexOf('\r\n\r\n');
+                    if (headerEndIndex !== -1) {
+                        // Remove data listener, we're done parsing the response
+                        mitmSocket.removeListener('data', onMitmData);
+                        // Check if MITM proxy accepted the connection
+                        const statusLine = responseBuffer.substring(0, responseBuffer.indexOf('\r\n'));
+                        if (statusLine.includes(' 200 ')) {
+                            // Connection established, now pipe data between client and MITM
+                            socket.write('HTTP/1.1 200 Connection Established\r\n\r\n');
+                            // If there's any data after the headers, write it to the client
+                            const remainingData = responseBuffer.substring(headerEndIndex + 4);
+                            if (remainingData.length > 0) {
+                                socket.write(remainingData);
+                            }
+                            mitmSocket.pipe(socket);
+                            socket.pipe(mitmSocket);
+                        }
+                        else {
+                            logForDebugging(`MITM proxy rejected CONNECT: ${statusLine}`, {
+                                level: 'error',
+                            });
+                            socket.end('HTTP/1.1 502 Bad Gateway\r\n\r\n');
+                            mitmSocket.destroy();
+                        }
+                    }
+                };
+                mitmSocket.on('data', onMitmData);
+                mitmSocket.on('error', err => {
+                    logForDebugging(`MITM proxy connection failed: ${err.message}`, {
+                        level: 'error',
+                    });
+                    socket.end('HTTP/1.1 502 Bad Gateway\r\n\r\n');
+                });
+                socket.on('error', err => {
+                    logForDebugging(`Client socket error: ${err.message}`, {
+                        level: 'error',
+                    });
+                    mitmSocket.destroy();
+                });
+                socket.on('end', () => mitmSocket.end());
+                mitmSocket.on('end', () => socket.end());
+            }
+            else {
+                // Direct connection (original behavior)
+                const serverSocket = connect(port, hostname, () => {
+                    socket.write('HTTP/1.1 200 Connection Established\r\n\r\n');
+                    serverSocket.pipe(socket);
+                    socket.pipe(serverSocket);
+                });
+                serverSocket.on('error', err => {
+                    logForDebugging(`CONNECT tunnel failed: ${err.message}`, {
+                        level: 'error',
+                    });
+                    socket.end('HTTP/1.1 502 Bad Gateway\r\n\r\n');
+                });
+                socket.on('error', err => {
+                    logForDebugging(`Client socket error: ${err.message}`, {
+                        level: 'error',
+                    });
+                    serverSocket.destroy();
+                });
+                socket.on('end', () => serverSocket.end());
+                serverSocket.on('end', () => socket.end());
+            }
+        }
+        catch (err) {
+            logForDebugging(`Error handling CONNECT: ${err}`, { level: 'error' });
+            socket.end('HTTP/1.1 500 Internal Server Error\r\n\r\n');
+        }
+    });
+    // Handle regular HTTP requests
+    server.on('request', async (req, res) => {
+        try {
+            const url = new URL(req.url);
+            const hostname = url.hostname;
+            const port = url.port
+                ? parseInt(url.port, 10)
+                : url.protocol === 'https:'
+                    ? 443
+                    : 80;
+            const filterResult = normalizeFilterResult(await options.filter(port, hostname, req.socket));
+            const mitmSocketPath = options.getMitmSocketPath?.(hostname);
+            const route = mitmSocketPath ? 'mitm' : 'direct';
+            emitNetworkDecisionEvent({
+                host: hostname,
+                port,
+                decision: filterResult.allowed ? 'allow' : 'deny',
+                reason: filterResult.reason,
+                route,
+            });
+            if (!filterResult.allowed) {
+                logForDebugging(`HTTP request blocked to ${hostname}:${port}`, {
+                    level: 'error',
+                });
+                res.writeHead(403, {
+                    'Content-Type': 'text/plain',
+                    'X-Proxy-Error': 'blocked-by-allowlist',
+                });
+                res.end('Connection blocked by network allowlist');
+                return;
+            }
+            if (mitmSocketPath) {
+                // Route through MITM proxy via Unix socket
+                // Use an agent that connects via the Unix socket
+                logForDebugging(`Routing HTTP ${req.method} ${hostname}:${port} through MITM proxy at ${mitmSocketPath}`);
+                const mitmAgent = new Agent({
+                    // @ts-expect-error - socketPath is valid but not in types
+                    socketPath: mitmSocketPath,
+                });
+                // Send request to MITM proxy with full URL (proxy-style request)
+                const proxyReq = httpRequest({
+                    agent: mitmAgent,
+                    // For proxy requests, path should be the full URL
+                    path: req.url,
+                    method: req.method,
+                    headers: {
+                        ...req.headers,
+                        host: url.host,
+                    },
+                }, proxyRes => {
+                    res.writeHead(proxyRes.statusCode, proxyRes.headers);
+                    proxyRes.pipe(res);
+                });
+                proxyReq.on('error', err => {
+                    logForDebugging(`MITM proxy request failed: ${err.message}`, {
+                        level: 'error',
+                    });
+                    if (!res.headersSent) {
+                        res.writeHead(502, { 'Content-Type': 'text/plain' });
+                        res.end('Bad Gateway');
+                    }
+                });
+                req.pipe(proxyReq);
+            }
+            else {
+                // Direct request (original behavior)
+                // Choose http or https module
+                const requestFn = url.protocol === 'https:' ? httpsRequest : httpRequest;
+                const proxyReq = requestFn({
+                    hostname,
+                    port,
+                    path: url.pathname + url.search,
+                    method: req.method,
+                    headers: {
+                        ...req.headers,
+                        host: url.host,
+                    },
+                }, proxyRes => {
+                    res.writeHead(proxyRes.statusCode, proxyRes.headers);
+                    proxyRes.pipe(res);
+                });
+                proxyReq.on('error', err => {
+                    logForDebugging(`Proxy request failed: ${err.message}`, {
+                        level: 'error',
+                    });
+                    if (!res.headersSent) {
+                        res.writeHead(502, { 'Content-Type': 'text/plain' });
+                        res.end('Bad Gateway');
+                    }
+                });
+                req.pipe(proxyReq);
+            }
+        }
+        catch (err) {
+            logForDebugging(`Error handling HTTP request: ${err}`, { level: 'error' });
+            res.writeHead(500, { 'Content-Type': 'text/plain' });
+            res.end('Internal Server Error');
+        }
+    });
+    return server;
+}
+//# sourceMappingURL=http-proxy.js.map

package/dist/sandbox/http-proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-proxy.js","sourceRoot":"","sources":["../../src/sandbox/http-proxy.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAA;AAC/C,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,WAAW,CAAA;AAClD,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,YAAY,CAAA;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,UAAU,CAAA;AAClC,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAA;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,EACL,wBAAwB,GAEzB,MAAM,oBAAoB,CAAA;AAiB3B,SAAS,qBAAqB,CAC5B,MAAqC;IAErC,IAAI,OAAO,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,CAAA;IAChD,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAA+B;IACnE,MAAM,MAAM,GAAG,YAAY,EAAE,CAAA;IAE7B,4CAA4C;IAC5C,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE;QACzC,+DAA+D;QAC/D,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;YACvB,eAAe,CAAC,wBAAwB,GAAG,CAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;QAC5E,CAAC,CAAC,CAAA;QAEF,IAAI,CAAC;YACH,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,GAAG,CAAC,GAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC/C,MAAM,IAAI,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;YAEtE,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;gBACvB,eAAe,CAAC,4BAA4B,GAAG,CAAC,GAAG,EAAE,EAAE;oBACrD,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;gBACF,MAAM,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAA;gBAC9C,OAAM;YACR,CAAC;YAED,MAAM,YAAY,GAAG,qBAAqB,CACxC,MAAM,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,CAC7C,CAAA;YACD,MAAM,cAAc,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC,QAAQ,CAAC,CAAA;YAC5D,MAAM,KAAK,GAAG,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;YAEhD,wBAAwB,CAAC;gBACvB,IAAI,EAAE,QAAQ;gBACd,IAAI;gBACJ,QAAQ,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;gBACjD,MAAM,EAAE,YAAY,CAAC,MAAM;gBAC3B,KAAK;aACN,CAAC,CAAA;YAEF,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;gBAC1B,eAAe,CAAC,yBAAyB,QAAQ,IAAI,IAAI,EAAE,EAAE;oBAC3D,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;gBACF,MAAM,CAAC,GAAG,CACR,4BAA4B;oBAC1B,8BAA8B;oBAC9B,yCAAyC;oBACzC,MAAM;oBACN,yCAAyC,CAC5C,CAAA;gBACD,OAAM;YACR,CAAC;YAED,IAAI,cAAc,EAAE,CAAC;gBACnB,2CAA2C;gBAC3C,eAAe,CACb,mBAAmB,QAAQ,IAAI,IAAI,0BAA0B,cAAc,EAAE,CAC9E,CAAA;gBAED,MAAM,UAAU,GAAG,OAAO,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,EAAE,GAAG,EAAE;oBACxD,yCAAyC;oBACzC,UAAU,CAAC,KAAK,CACd,WAAW,QAAQ,IAAI,IAAI,eAAe;wBACxC,SAAS,QAAQ,IAAI,IAAI,MAAM;wBAC/B,MAAM,CACT,CAAA;gBACH,CAAC,CAAC,CAAA;gBAEF,iDAAiD;gBACjD,IAAI,cAAc,GAAG,EAAE,CAAA;gBAEvB,MAAM,UAAU,GAAG,CAAC,KAAa,EAAE,EAAE;oBACnC,cAAc,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAA;oBAElC,yDAAyD;oBACzD,MAAM,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;oBACzD,IAAI,cAAc,KAAK,CAAC,CAAC,EAAE,CAAC;wBAC1B,wDAAwD;wBACxD,UAAU,CAAC,cAAc,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;wBAE7C,8CAA8C;wBAC9C,MAAM,UAAU,GAAG,cAAc,CAAC,SAAS,CACzC,CAAC,EACD,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,CAC/B,CAAA;wBACD,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;4BACjC,gEAAgE;4BAChE,MAAM,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAA;4BAE3D,gEAAgE;4BAChE,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,CAAC,cAAc,GAAG,CAAC,CAAC,CAAA;4BAClE,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gCAC7B,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAA;4BAC7B,CAAC;4BAED,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;4BACvB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;wBACzB,CAAC;6BAAM,CAAC;4BACN,eAAe,CAAC,gCAAgC,UAAU,EAAE,EAAE;gCAC5D,KAAK,EAAE,OAAO;6BACf,CAAC,CAAA;4BACF,MAAM,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAA;4BAC9C,UAAU,CAAC,OAAO,EAAE,CAAA;wBACtB,CAAC;oBACH,CAAC;gBACH,CAAC,CAAA;gBAED,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;gBAEjC,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;oBAC3B,eAAe,CAAC,iCAAiC,GAAG,CAAC,OAAO,EAAE,EAAE;wBAC9D,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;oBACF,MAAM,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAA;gBAChD,CAAC,CAAC,CAAA;gBAEF,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;oBACvB,eAAe,CAAC,wBAAwB,GAAG,CAAC,OAAO,EAAE,EAAE;wBACrD,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;oBACF,UAAU,CAAC,OAAO,EAAE,CAAA;gBACtB,CAAC,CAAC,CAAA;gBAEF,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,CAAA;gBACxC,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAA;YAC1C,CAAC;iBAAM,CAAC;gBACN,wCAAwC;gBACxC,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE;oBAChD,MAAM,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAA;oBAC3D,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;oBACzB,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;gBAC3B,CAAC,CAAC,CAAA;gBAEF,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;oBAC7B,eAAe,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE,EAAE;wBACvD,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;oBACF,MAAM,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAA;gBAChD,CAAC,CAAC,CAAA;gBAEF,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;oBACvB,eAAe,CAAC,wBAAwB,GAAG,CAAC,OAAO,EAAE,EAAE;wBACrD,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;oBACF,YAAY,CAAC,OAAO,EAAE,CAAA;gBACxB,CAAC,CAAC,CAAA;gBAEF,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,GAAG,EAAE,CAAC,CAAA;gBAC1C,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAA;YAC5C,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAe,CAAC,2BAA2B,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;YACrE,MAAM,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAA;QAC1D,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,+BAA+B;IAC/B,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACtC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAI,CAAC,CAAA;YAC7B,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAA;YAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI;gBACnB,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;gBACxB,CAAC,CAAC,GAAG,CAAC,QAAQ,KAAK,QAAQ;oBACzB,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,EAAE,CAAA;YAER,MAAM,YAAY,GAAG,qBAAqB,CACxC,MAAM,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,CACjD,CAAA;YACD,MAAM,cAAc,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC,QAAQ,CAAC,CAAA;YAC5D,MAAM,KAAK,GAAG,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAA;YAEhD,wBAAwB,CAAC;gBACvB,IAAI,EAAE,QAAQ;gBACd,IAAI;gBACJ,QAAQ,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM;gBACjD,MAAM,EAAE,YAAY,CAAC,MAAM;gBAC3B,KAAK;aACN,CAAC,CAAA;YAEF,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;gBAC1B,eAAe,CAAC,2BAA2B,QAAQ,IAAI,IAAI,EAAE,EAAE;oBAC7D,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;gBACF,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;oBACjB,cAAc,EAAE,YAAY;oBAC5B,eAAe,EAAE,sBAAsB;iBACxC,CAAC,CAAA;gBACF,GAAG,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAA;gBAClD,OAAM;YACR,CAAC;YAED,IAAI,cAAc,EAAE,CAAC;gBACnB,2CAA2C;gBAC3C,iDAAiD;gBACjD,eAAe,CACb,gBAAgB,GAAG,CAAC,MAAM,IAAI,QAAQ,IAAI,IAAI,0BAA0B,cAAc,EAAE,CACzF,CAAA;gBAED,MAAM,SAAS,GAAG,IAAI,KAAK,CAAC;oBAC1B,0DAA0D;oBAC1D,UAAU,EAAE,cAAc;iBAC3B,CAAC,CAAA;gBAEF,iEAAiE;gBACjE,MAAM,QAAQ,GAAG,WAAW,CAC1B;oBACE,KAAK,EAAE,SAAS;oBAChB,kDAAkD;oBAClD,IAAI,EAAE,GAAG,CAAC,GAAG;oBACb,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,OAAO,EAAE;wBACP,GAAG,GAAG,CAAC,OAAO;wBACd,IAAI,EAAE,GAAG,CAAC,IAAI;qBACf;iBACF,EACD,QAAQ,CAAC,EAAE;oBACT,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAW,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAA;oBACrD,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBACpB,CAAC,CACF,CAAA;gBAED,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;oBACzB,eAAe,CAAC,8BAA8B,GAAG,CAAC,OAAO,EAAE,EAAE;wBAC3D,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;oBACF,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;wBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAA;wBACpD,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;oBACxB,CAAC;gBACH,CAAC,CAAC,CAAA;gBAEF,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YACpB,CAAC;iBAAM,CAAC;gBACN,qCAAqC;gBACrC,8BAA8B;gBAC9B,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW,CAAA;gBAExE,MAAM,QAAQ,GAAG,SAAS,CACxB;oBACE,QAAQ;oBACR,IAAI;oBACJ,IAAI,EAAE,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM;oBAC/B,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,OAAO,EAAE;wBACP,GAAG,GAAG,CAAC,OAAO;wBACd,IAAI,EAAE,GAAG,CAAC,IAAI;qBACf;iBACF,EACD,QAAQ,CAAC,EAAE;oBACT,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAW,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAA;oBACrD,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBACpB,CAAC,CACF,CAAA;gBAED,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;oBACzB,eAAe,CAAC,yBAAyB,GAAG,CAAC,OAAO,EAAE,EAAE;wBACtD,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;oBACF,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;wBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAA;wBACpD,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;oBACxB,CAAC;gBACH,CAAC,CAAC,CAAA;gBAEF,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YACpB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAe,CAAC,gCAAgC,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;YAC1E,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAA;YACpD,GAAG,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;QAClC,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/sandbox/linux-sandbox-utils.d.ts

@@ -0,0 +1,121 @@
+import type { ChildProcess } from 'node:child_process';
+import type { FsReadRestrictionConfig, FsWriteRestrictionConfig } from './sandbox-schemas.js';
+export interface LinuxNetworkBridgeContext {
+    httpSocketPath: string;
+    socksSocketPath: string;
+    httpBridgeProcess: ChildProcess;
+    socksBridgeProcess: ChildProcess;
+    httpProxyPort: number;
+    socksProxyPort: number;
+}
+export interface LinuxSandboxParams {
+    command: string;
+    needsNetworkRestriction: boolean;
+    httpSocketPath?: string;
+    socksSocketPath?: string;
+    httpProxyPort?: number;
+    socksProxyPort?: number;
+    readConfig?: FsReadRestrictionConfig;
+    writeConfig?: FsWriteRestrictionConfig;
+    enableWeakerNestedSandbox?: boolean;
+    allowAllUnixSockets?: boolean;
+    binShell?: string;
+    ripgrepConfig?: {
+        command: string;
+        args?: string[];
+    };
+    /** Maximum directory depth to search for dangerous files (default: 3) */
+    mandatoryDenySearchDepth?: number;
+    /** Allow writes to .git/config files (default: false) */
+    allowGitConfig?: boolean;
+    /** Custom seccomp binary paths */
+    seccompConfig?: {
+        bpfPath?: string;
+        applyPath?: string;
+    };
+    /** Abort signal to cancel the ripgrep scan */
+    abortSignal?: AbortSignal;
+}
+/**
+ * Check if Linux sandbox dependencies are available (synchronous)
+ * Returns true if bwrap and socat are installed.
+ */
+export declare function hasLinuxSandboxDependenciesSync(allowAllUnixSockets?: boolean, seccompConfig?: {
+    bpfPath?: string;
+    applyPath?: string;
+}): boolean;
+/**
+ * Initialize the Linux network bridge for sandbox networking
+ *
+ * ARCHITECTURE NOTE:
+ * Linux network sandboxing uses bwrap --unshare-net which creates a completely isolated
+ * network namespace with NO network access. To enable network access, we:
+ *
+ * 1. Host side: Run socat bridges that listen on Unix sockets and forward to host proxy servers
+ *    - HTTP bridge: Unix socket -> host HTTP proxy (for HTTP/HTTPS traffic)
+ *    - SOCKS bridge: Unix socket -> host SOCKS5 proxy (for SSH/git traffic)
+ *
+ * 2. Sandbox side: Bind the Unix sockets into the isolated namespace and run socat listeners
+ *    - HTTP listener on port 3128 -> HTTP Unix socket -> host HTTP proxy
+ *    - SOCKS listener on port 1080 -> SOCKS Unix socket -> host SOCKS5 proxy
+ *
+ * 3. Configure environment:
+ *    - HTTP_PROXY=http://localhost:3128 for HTTP/HTTPS tools
+ *    - GIT_SSH_COMMAND with socat for SSH through SOCKS5
+ *
+ * LIMITATION: Unlike macOS sandbox which can enforce domain-based allowlists at the kernel level,
+ * Linux's --unshare-net provides only all-or-nothing network isolation. Domain filtering happens
+ * at the host proxy level, not the sandbox boundary. This means network restrictions on Linux
+ * depend on the proxy's filtering capabilities.
+ *
+ * DEPENDENCIES: Requires bwrap (bubblewrap) and socat
+ */
+export declare function initializeLinuxNetworkBridge(httpProxyPort: number, socksProxyPort: number): Promise<LinuxNetworkBridgeContext>;
+/**
+ * Wrap a command with sandbox restrictions on Linux
+ *
+ * UNIX SOCKET BLOCKING (APPLY-SECCOMP):
+ * This implementation uses a custom apply-seccomp binary to block Unix domain socket
+ * creation for user commands while allowing network infrastructure:
+ *
+ * Stage 1: Outer bwrap - Network and filesystem isolation (NO seccomp)
+ *   - Bubblewrap starts with isolated network namespace (--unshare-net)
+ *   - Bubblewrap applies PID namespace isolation (--unshare-pid and --proc)
+ *   - Filesystem restrictions are applied (read-only mounts, bind mounts, etc.)
+ *   - Socat processes start and connect to Unix socket bridges (can use socket(AF_UNIX, ...))
+ *
+ * Stage 2: apply-seccomp - Seccomp filter application (ONLY seccomp)
+ *   - apply-seccomp binary applies seccomp filter via prctl(PR_SET_SECCOMP)
+ *   - Sets PR_SET_NO_NEW_PRIVS to allow seccomp without root
+ *   - Execs user command with seccomp active (cannot create new Unix sockets)
+ *
+ * This solves the conflict between:
+ * - Security: Blocking arbitrary Unix socket creation in user commands
+ * - Functionality: Network sandboxing requires socat to call socket(AF_UNIX, ...) for bridge connections
+ *
+ * The seccomp-bpf filter blocks socket(AF_UNIX, ...) syscalls, preventing:
+ * - Creating new Unix domain socket file descriptors
+ *
+ * Security limitations:
+ * - Does NOT block operations (bind, connect, sendto, etc.) on inherited Unix socket FDs
+ * - Does NOT prevent passing Unix socket FDs via SCM_RIGHTS
+ * - For most sandboxing use cases, blocking socket creation is sufficient
+ *
+ * The filter allows:
+ * - All TCP/UDP sockets (AF_INET, AF_INET6) for normal network operations
+ * - All other syscalls
+ *
+ * PLATFORM NOTE:
+ * The allowUnixSockets configuration is not path-based on Linux (unlike macOS)
+ * because seccomp-bpf cannot inspect user-space memory to read socket paths.
+ *
+ * Requirements for seccomp filtering:
+ * - Pre-built apply-seccomp binaries are included for x64 and ARM64
+ * - Pre-generated BPF filters are included for x64 and ARM64
+ * - Other architectures are not currently supported (no apply-seccomp binary available)
+ * - To use sandboxing without Unix socket blocking on unsupported architectures,
+ *   set allowAllUnixSockets: true in your configuration
+ * Dependencies are checked by hasLinuxSandboxDependenciesSync() before enabling the sandbox.
+ */
+export declare function wrapCommandWithSandboxLinux(params: LinuxSandboxParams): Promise<string>;
+//# sourceMappingURL=linux-sandbox-utils.d.ts.map

package/dist/sandbox/linux-sandbox-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"linux-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAWtD,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAQ7B,MAAM,WAAW,yBAAyB;IACxC,cAAc,EAAE,MAAM,CAAA;IACtB,eAAe,EAAE,MAAM,CAAA;IACvB,iBAAiB,EAAE,YAAY,CAAA;IAC/B,kBAAkB,EAAE,YAAY,CAAA;IAChC,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,uBAAuB,EAAE,OAAO,CAAA;IAChC,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,UAAU,CAAC,EAAE,uBAAuB,CAAA;IACpC,WAAW,CAAC,EAAE,wBAAwB,CAAA;IACtC,yBAAyB,CAAC,EAAE,OAAO,CAAA;IACnC,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,aAAa,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAA;IACpD,yEAAyE;IACzE,wBAAwB,CAAC,EAAE,MAAM,CAAA;IACjC,yDAAyD;IACzD,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,kCAAkC;IAClC,aAAa,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;IACxD,8CAA8C;IAC9C,WAAW,CAAC,EAAE,WAAW,CAAA;CAC1B;AA2MD;;;GAGG;AACH,wBAAgB,+BAA+B,CAC7C,mBAAmB,UAAQ,EAC3B,aAAa,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,GACvD,OAAO,CAuCT;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,4BAA4B,CAChD,aAAa,EAAE,MAAM,EACrB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,yBAAyB,CAAC,CA2HpC;AAoOD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,MAAM,CAAC,CAuPjB"}