npm - @voratiq/sandbox-runtime - Versions diffs - 0.0.29-voratiq0 - Mend

@voratiq/sandbox-runtime 0.0.29-voratiq0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (85) hide show

package/CHANGELOG.md +10 -0
package/LICENSE +201 -0
package/NOTICE +12 -0
package/README.md +17 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +158 -0
package/dist/cli.js.map +1 -0
package/dist/index.d.ts +12 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +9 -0
package/dist/index.js.map +1 -0
package/dist/sandbox/generate-seccomp-filter.d.ts +65 -0
package/dist/sandbox/generate-seccomp-filter.d.ts.map +1 -0
package/dist/sandbox/generate-seccomp-filter.js +185 -0
package/dist/sandbox/generate-seccomp-filter.js.map +1 -0
package/dist/sandbox/http-proxy.d.ts +14 -0
package/dist/sandbox/http-proxy.d.ts.map +1 -0
package/dist/sandbox/http-proxy.js +238 -0
package/dist/sandbox/http-proxy.js.map +1 -0
package/dist/sandbox/linux-sandbox-utils.d.ts +121 -0
package/dist/sandbox/linux-sandbox-utils.d.ts.map +1 -0
package/dist/sandbox/linux-sandbox-utils.js +723 -0
package/dist/sandbox/linux-sandbox-utils.js.map +1 -0
package/dist/sandbox/macos-sandbox-utils.d.ts +57 -0
package/dist/sandbox/macos-sandbox-utils.d.ts.map +1 -0
package/dist/sandbox/macos-sandbox-utils.js +611 -0
package/dist/sandbox/macos-sandbox-utils.js.map +1 -0
package/dist/sandbox/observability.d.ts +56 -0
package/dist/sandbox/observability.d.ts.map +1 -0
package/dist/sandbox/observability.js +140 -0
package/dist/sandbox/observability.js.map +1 -0
package/dist/sandbox/sandbox-config.d.ts +277 -0
package/dist/sandbox/sandbox-config.d.ts.map +1 -0
package/dist/sandbox/sandbox-config.js +166 -0
package/dist/sandbox/sandbox-config.js.map +1 -0
package/dist/sandbox/sandbox-manager.d.ts +50 -0
package/dist/sandbox/sandbox-manager.d.ts.map +1 -0
package/dist/sandbox/sandbox-manager.js +816 -0
package/dist/sandbox/sandbox-manager.js.map +1 -0
package/dist/sandbox/sandbox-schemas.d.ts +53 -0
package/dist/sandbox/sandbox-schemas.d.ts.map +1 -0
package/dist/sandbox/sandbox-schemas.js +3 -0
package/dist/sandbox/sandbox-schemas.js.map +1 -0
package/dist/sandbox/sandbox-utils.d.ts +83 -0
package/dist/sandbox/sandbox-utils.d.ts.map +1 -0
package/dist/sandbox/sandbox-utils.js +343 -0
package/dist/sandbox/sandbox-utils.js.map +1 -0
package/dist/sandbox/sandbox-violation-store.d.ts +19 -0
package/dist/sandbox/sandbox-violation-store.d.ts.map +1 -0
package/dist/sandbox/sandbox-violation-store.js +54 -0
package/dist/sandbox/sandbox-violation-store.js.map +1 -0
package/dist/sandbox/socks-proxy.d.ts +14 -0
package/dist/sandbox/socks-proxy.d.ts.map +1 -0
package/dist/sandbox/socks-proxy.js +109 -0
package/dist/sandbox/socks-proxy.js.map +1 -0
package/dist/utils/config-loader.d.ts +11 -0
package/dist/utils/config-loader.d.ts.map +1 -0
package/dist/utils/config-loader.js +60 -0
package/dist/utils/config-loader.js.map +1 -0
package/dist/utils/debug.d.ts +7 -0
package/dist/utils/debug.d.ts.map +1 -0
package/dist/utils/debug.js +25 -0
package/dist/utils/debug.js.map +1 -0
package/dist/utils/platform.d.ts +15 -0
package/dist/utils/platform.d.ts.map +1 -0
package/dist/utils/platform.js +49 -0
package/dist/utils/platform.js.map +1 -0
package/dist/utils/ripgrep.d.ts +20 -0
package/dist/utils/ripgrep.d.ts.map +1 -0
package/dist/utils/ripgrep.js +51 -0
package/dist/utils/ripgrep.js.map +1 -0
package/dist/vendor/seccomp/arm64/apply-seccomp +0 -0
package/dist/vendor/seccomp/arm64/unix-block.bpf +0 -0
package/dist/vendor/seccomp/x64/apply-seccomp +0 -0
package/dist/vendor/seccomp/x64/unix-block.bpf +0 -0
package/dist/vendor/seccomp-src/apply-seccomp.c +98 -0
package/dist/vendor/seccomp-src/seccomp-unix-block.c +97 -0
package/package.json +90 -0
package/vendor/seccomp/arm64/apply-seccomp +0 -0
package/vendor/seccomp/arm64/unix-block.bpf +0 -0
package/vendor/seccomp/x64/apply-seccomp +0 -0
package/vendor/seccomp/x64/unix-block.bpf +0 -0
package/vendor/seccomp-src/apply-seccomp.c +98 -0
package/vendor/seccomp-src/seccomp-unix-block.c +97 -0

package/dist/sandbox/observability.d.ts ADDED Viewed

@@ -0,0 +1,56 @@
+export type NetworkDecision = 'allow' | 'deny';
+export type NetworkDecisionReason = 'allowlist' | 'denylist' | 'no-match';
+export type NetworkRoute = 'direct' | 'mitm';
+export interface NetworkEvent {
+    type: 'network';
+    ts: number;
+    correlation_id: string;
+    host: string;
+    port: number;
+    decision: NetworkDecision;
+    reason: NetworkDecisionReason;
+    route: NetworkRoute;
+}
+export type FsViolationOperation = 'read' | 'write';
+export type FsViolationReason = 'denyRead' | 'denyWrite' | 'no-allowWrite';
+export interface FsViolationEvent {
+    type: 'fs_violation';
+    ts: number;
+    correlation_id: string;
+    path: string;
+    operation: FsViolationOperation;
+    reason: FsViolationReason;
+}
+export type SandboxEvent = NetworkEvent | FsViolationEvent;
+export interface SandboxEvents {
+    onEvent?: (event: SandboxEvent) => void;
+}
+export interface NetworkFilterResult {
+    allowed: boolean;
+    reason: NetworkDecisionReason;
+}
+type SandboxEventContext = {
+    correlationId?: string;
+    onEvent?: (event: SandboxEvent) => void;
+};
+export declare function pushSandboxEventContext(context: SandboxEventContext): () => void;
+export declare function getSandboxEventContextDepth(): number;
+export declare function scrubSecrets(value: unknown): unknown;
+export declare function emitNetworkDecisionEvent(params: {
+    host: string;
+    port: number;
+    decision: NetworkDecision;
+    reason: NetworkDecisionReason;
+    route: NetworkRoute;
+    correlationId?: string;
+    ts?: number;
+}): void;
+export declare function emitFsViolationEvent(params: {
+    path: string;
+    operation: FsViolationOperation;
+    reason: FsViolationReason;
+    correlationId?: string;
+    ts?: number;
+}): void;
+export {};
+//# sourceMappingURL=observability.d.ts.map

package/dist/sandbox/observability.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"observability.d.ts","sourceRoot":"","sources":["../../src/sandbox/observability.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,MAAM,CAAA;AAC9C,MAAM,MAAM,qBAAqB,GAAG,WAAW,GAAG,UAAU,GAAG,UAAU,CAAA;AACzE,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,MAAM,CAAA;AAE5C,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,SAAS,CAAA;IACf,EAAE,EAAE,MAAM,CAAA;IACV,cAAc,EAAE,MAAM,CAAA;IACtB,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,eAAe,CAAA;IACzB,MAAM,EAAE,qBAAqB,CAAA;IAC7B,KAAK,EAAE,YAAY,CAAA;CACpB;AAED,MAAM,MAAM,oBAAoB,GAAG,MAAM,GAAG,OAAO,CAAA;AACnD,MAAM,MAAM,iBAAiB,GAAG,UAAU,GAAG,WAAW,GAAG,eAAe,CAAA;AAE1E,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,cAAc,CAAA;IACpB,EAAE,EAAE,MAAM,CAAA;IACV,cAAc,EAAE,MAAM,CAAA;IACtB,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,oBAAoB,CAAA;IAC/B,MAAM,EAAE,iBAAiB,CAAA;CAC1B;AAED,MAAM,MAAM,YAAY,GAAG,YAAY,GAAG,gBAAgB,CAAA;AAE1D,MAAM,WAAW,aAAa;IAC5B,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,YAAY,KAAK,IAAI,CAAA;CACxC;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,MAAM,EAAE,qBAAqB,CAAA;CAC9B;AAoBD,KAAK,mBAAmB,GAAG;IACzB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,YAAY,KAAK,IAAI,CAAA;CACxC,CAAA;AAID,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,mBAAmB,GAC3B,MAAM,IAAI,CAWZ;AAED,wBAAgB,2BAA2B,IAAI,MAAM,CAEpD;AA4DD,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAmBpD;AAcD,wBAAgB,wBAAwB,CAAC,MAAM,EAAE;IAC/C,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,eAAe,CAAA;IACzB,MAAM,EAAE,qBAAqB,CAAA;IAC7B,KAAK,EAAE,YAAY,CAAA;IACnB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,EAAE,CAAC,EAAE,MAAM,CAAA;CACZ,GAAG,IAAI,CAcP;AAED,wBAAgB,oBAAoB,CAAC,MAAM,EAAE;IAC3C,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,oBAAoB,CAAA;IAC/B,MAAM,EAAE,iBAAiB,CAAA;IACzB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,EAAE,CAAC,EAAE,MAAM,CAAA;CACZ,GAAG,IAAI,CAYP"}

package/dist/sandbox/observability.js ADDED Viewed

@@ -0,0 +1,140 @@
+const REDACTED = '[REDACTED]';
+const CLI_FLAG_NAMES = ['token', 'password', 'secret', 'key', 'auth'];
+const SENSITIVE_HEADER_NAMES = [
+    'authorization',
+    'cookie',
+    'x-api-key',
+    'proxy-authorization',
+];
+const SENSITIVE_QUERY_PARAMS = ['token', 'key', 'secret', 'password', 'auth'];
+const SENSITIVE_ENV_SUFFIXES = [
+    '_TOKEN',
+    '_KEY',
+    '_SECRET',
+    '_PASSWORD',
+    '_CREDENTIAL',
+];
+const contextStack = [];
+export function pushSandboxEventContext(context) {
+    contextStack.push(context);
+    let popped = false;
+    return () => {
+        if (popped)
+            return;
+        popped = true;
+        const idx = contextStack.lastIndexOf(context);
+        if (idx !== -1) {
+            contextStack.splice(idx, 1);
+        }
+    };
+}
+export function getSandboxEventContextDepth() {
+    return contextStack.length;
+}
+function getCurrentContext() {
+    return contextStack.at(-1);
+}
+function scrubCliFlags(input) {
+    let out = input;
+    for (const name of CLI_FLAG_NAMES) {
+        const re = new RegExp(`(--${name})(\\s+|=)([^\\s]+)`, 'gi');
+        out = out.replace(re, `$1$2${REDACTED}`);
+    }
+    return out;
+}
+function scrubUrlQueryParams(input) {
+    const qIndex = input.indexOf('?');
+    if (qIndex === -1)
+        return input;
+    const hashIndex = input.indexOf('#', qIndex);
+    const base = input.slice(0, qIndex);
+    const query = input.slice(qIndex + 1, hashIndex === -1 ? undefined : hashIndex);
+    const hash = hashIndex === -1 ? '' : input.slice(hashIndex);
+    const parts = query.split('&').map(part => {
+        const eq = part.indexOf('=');
+        const rawKey = eq === -1 ? part : part.slice(0, eq);
+        const rawValue = eq === -1 ? '' : part.slice(eq + 1);
+        let decodedKey = rawKey;
+        try {
+            decodedKey = decodeURIComponent(rawKey);
+        }
+        catch {
+            // Leave as-is if it contains invalid percent-encoding
+        }
+        const key = decodedKey.toLowerCase();
+        if (SENSITIVE_QUERY_PARAMS.includes(key)) {
+            return `${rawKey}=${encodeURIComponent(REDACTED)}`;
+        }
+        return eq === -1 ? rawKey : `${rawKey}=${rawValue}`;
+    });
+    return `${base}?${parts.join('&')}${hash}`;
+}
+function scrubString(input) {
+    return scrubUrlQueryParams(scrubCliFlags(input));
+}
+function isSensitiveHeaderKey(key) {
+    return SENSITIVE_HEADER_NAMES.includes(key.toLowerCase());
+}
+function isSensitiveEnvKey(key) {
+    const upper = key.toUpperCase();
+    return SENSITIVE_ENV_SUFFIXES.some(suffix => upper.endsWith(suffix));
+}
+export function scrubSecrets(value) {
+    if (typeof value === 'string') {
+        return scrubString(value);
+    }
+    if (Array.isArray(value)) {
+        return value.map(scrubSecrets);
+    }
+    if (value && typeof value === 'object') {
+        const out = {};
+        for (const [key, nested] of Object.entries(value)) {
+            if (isSensitiveHeaderKey(key) || isSensitiveEnvKey(key)) {
+                out[key] = REDACTED;
+                continue;
+            }
+            out[key] = scrubSecrets(nested);
+        }
+        return out;
+    }
+    return value;
+}
+function emitEvent(event) {
+    const ctx = getCurrentContext();
+    if (!ctx?.onEvent)
+        return;
+    try {
+        const scrubbed = scrubSecrets(event);
+        ctx.onEvent(scrubbed);
+    }
+    catch {
+        // Never allow observability to break sandbox enforcement paths
+    }
+}
+export function emitNetworkDecisionEvent(params) {
+    const ctx = getCurrentContext();
+    const correlationId = params.correlationId ?? ctx?.correlationId ?? '';
+    emitEvent({
+        type: 'network',
+        ts: params.ts ?? Date.now(),
+        correlation_id: correlationId,
+        host: params.host,
+        port: params.port,
+        decision: params.decision,
+        reason: params.reason,
+        route: params.route,
+    });
+}
+export function emitFsViolationEvent(params) {
+    const ctx = getCurrentContext();
+    const correlationId = params.correlationId ?? ctx?.correlationId ?? '';
+    emitEvent({
+        type: 'fs_violation',
+        ts: params.ts ?? Date.now(),
+        correlation_id: correlationId,
+        path: params.path,
+        operation: params.operation,
+        reason: params.reason,
+    });
+}
+//# sourceMappingURL=observability.js.map

package/dist/sandbox/observability.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"observability.js","sourceRoot":"","sources":["../../src/sandbox/observability.ts"],"names":[],"mappings":"AAsCA,MAAM,QAAQ,GAAG,YAAY,CAAA;AAE7B,MAAM,cAAc,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAU,CAAA;AAC9E,MAAM,sBAAsB,GAAG;IAC7B,eAAe;IACf,QAAQ;IACR,WAAW;IACX,qBAAqB;CACb,CAAA;AACV,MAAM,sBAAsB,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,CAAA;AAC7E,MAAM,sBAAsB,GAAG;IAC7B,QAAQ;IACR,MAAM;IACN,SAAS;IACT,WAAW;IACX,aAAa;CACL,CAAA;AAOV,MAAM,YAAY,GAA0B,EAAE,CAAA;AAE9C,MAAM,UAAU,uBAAuB,CACrC,OAA4B;IAE5B,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAC1B,IAAI,MAAM,GAAG,KAAK,CAAA;IAClB,OAAO,GAAG,EAAE;QACV,IAAI,MAAM;YAAE,OAAM;QAClB,MAAM,GAAG,IAAI,CAAA;QACb,MAAM,GAAG,GAAG,YAAY,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;QAC7C,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;YACf,YAAY,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;QAC7B,CAAC;IACH,CAAC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,2BAA2B;IACzC,OAAO,YAAY,CAAC,MAAM,CAAA;AAC5B,CAAC;AAED,SAAS,iBAAiB;IACxB,OAAO,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;AAC5B,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,IAAI,GAAG,GAAG,KAAK,CAAA;IACf,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAClC,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,MAAM,IAAI,oBAAoB,EAAE,IAAI,CAAC,CAAA;QAC3D,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,QAAQ,EAAE,CAAC,CAAA;IAC1C,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACjC,IAAI,MAAM,KAAK,CAAC,CAAC;QAAE,OAAO,KAAK,CAAA;IAE/B,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IAC5C,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;IACnC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CACvB,MAAM,GAAG,CAAC,EACV,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CACzC,CAAA;IACD,MAAM,IAAI,GAAG,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAA;IAE3D,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;QACxC,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAC5B,MAAM,MAAM,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;QACnD,MAAM,QAAQ,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAA;QACpD,IAAI,UAAU,GAAG,MAAM,CAAA;QACvB,IAAI,CAAC;YACH,UAAU,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAA;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,MAAM,GAAG,GAAG,UAAU,CAAC,WAAW,EAAE,CAAA;QACpC,IAAI,sBAAsB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACzC,OAAO,GAAG,MAAM,IAAI,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAA;QACpD,CAAC;QACD,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,QAAQ,EAAE,CAAA;IACrD,CAAC,CAAC,CAAA;IAEF,OAAO,GAAG,IAAI,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAAA;AAC5C,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,OAAO,mBAAmB,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAA;AAClD,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAW;IACvC,OAAO,sBAAsB,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAW,CAAC,CAAA;AACpE,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;IAC/B,OAAO,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAA;AACtE,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,KAAc;IACzC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,WAAW,CAAC,KAAK,CAAC,CAAA;IAC3B,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;IAChC,CAAC;IACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,GAAG,GAA4B,EAAE,CAAA;QACvC,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAClD,IAAI,oBAAoB,CAAC,GAAG,CAAC,IAAI,iBAAiB,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxD,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAA;gBACnB,SAAQ;YACV,CAAC;YACD,GAAG,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAA;QACjC,CAAC;QACD,OAAO,GAAG,CAAA;IACZ,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,SAAS,CAAC,KAAmB;IACpC,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAA;IAC/B,IAAI,CAAC,GAAG,EAAE,OAAO;QAAE,OAAM;IAEzB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAiB,CAAA;QACpD,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;IACjE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,MAQxC;IACC,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAA;IAC/B,MAAM,aAAa,GAAG,MAAM,CAAC,aAAa,IAAI,GAAG,EAAE,aAAa,IAAI,EAAE,CAAA;IAEtE,SAAS,CAAC;QACR,IAAI,EAAE,SAAS;QACf,EAAE,EAAE,MAAM,CAAC,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE;QAC3B,cAAc,EAAE,aAAa;QAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,KAAK,EAAE,MAAM,CAAC,KAAK;KACpB,CAAC,CAAA;AACJ,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,MAMpC;IACC,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAA;IAC/B,MAAM,aAAa,GAAG,MAAM,CAAC,aAAa,IAAI,GAAG,EAAE,aAAa,IAAI,EAAE,CAAA;IAEtE,SAAS,CAAC;QACR,IAAI,EAAE,cAAc;QACpB,EAAE,EAAE,MAAM,CAAC,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE;QAC3B,cAAc,EAAE,aAAa;QAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAA;AACJ,CAAC"}

package/dist/sandbox/sandbox-config.d.ts ADDED Viewed

@@ -0,0 +1,277 @@
+/**
+ * Configuration for Sandbox Runtime
+ * This is the main configuration interface that consumers pass to SandboxManager.initialize()
+ */
+import { z } from 'zod';
+/**
+ * Schema for MITM proxy configuration
+ * Allows routing specific domains through an upstream MITM proxy via Unix socket
+ */
+declare const MitmProxyConfigSchema: z.ZodObject<{
+    socketPath: z.ZodString;
+    domains: z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">;
+}, "strip", z.ZodTypeAny, {
+    socketPath: string;
+    domains: string[];
+}, {
+    socketPath: string;
+    domains: string[];
+}>;
+/**
+ * Network configuration schema for validation
+ */
+export declare const NetworkConfigSchema: z.ZodObject<{
+    allowedDomains: z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">;
+    deniedDomains: z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">;
+    allowUnixSockets: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    allowAllUnixSockets: z.ZodOptional<z.ZodBoolean>;
+    allowLocalBinding: z.ZodOptional<z.ZodBoolean>;
+    httpProxyPort: z.ZodOptional<z.ZodNumber>;
+    socksProxyPort: z.ZodOptional<z.ZodNumber>;
+    mitmProxy: z.ZodOptional<z.ZodObject<{
+        socketPath: z.ZodString;
+        domains: z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">;
+    }, "strip", z.ZodTypeAny, {
+        socketPath: string;
+        domains: string[];
+    }, {
+        socketPath: string;
+        domains: string[];
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    allowedDomains: string[];
+    deniedDomains: string[];
+    allowUnixSockets?: string[] | undefined;
+    allowAllUnixSockets?: boolean | undefined;
+    allowLocalBinding?: boolean | undefined;
+    httpProxyPort?: number | undefined;
+    socksProxyPort?: number | undefined;
+    mitmProxy?: {
+        socketPath: string;
+        domains: string[];
+    } | undefined;
+}, {
+    allowedDomains: string[];
+    deniedDomains: string[];
+    allowUnixSockets?: string[] | undefined;
+    allowAllUnixSockets?: boolean | undefined;
+    allowLocalBinding?: boolean | undefined;
+    httpProxyPort?: number | undefined;
+    socksProxyPort?: number | undefined;
+    mitmProxy?: {
+        socketPath: string;
+        domains: string[];
+    } | undefined;
+}>;
+/**
+ * Filesystem configuration schema for validation
+ */
+export declare const FilesystemConfigSchema: z.ZodObject<{
+    denyRead: z.ZodArray<z.ZodString, "many">;
+    allowWrite: z.ZodArray<z.ZodString, "many">;
+    denyWrite: z.ZodArray<z.ZodString, "many">;
+    allowGitConfig: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    denyRead: string[];
+    denyWrite: string[];
+    allowWrite: string[];
+    allowGitConfig?: boolean | undefined;
+}, {
+    denyRead: string[];
+    denyWrite: string[];
+    allowWrite: string[];
+    allowGitConfig?: boolean | undefined;
+}>;
+/**
+ * Configuration schema for ignoring specific sandbox violations
+ * Maps command patterns to filesystem paths to ignore violations for.
+ */
+export declare const IgnoreViolationsConfigSchema: z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>;
+/**
+ * Ripgrep configuration schema
+ */
+export declare const RipgrepConfigSchema: z.ZodObject<{
+    command: z.ZodString;
+    args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    command: string;
+    args?: string[] | undefined;
+}, {
+    command: string;
+    args?: string[] | undefined;
+}>;
+/**
+ * Seccomp configuration schema (Linux only)
+ * Allows specifying custom paths to seccomp binaries
+ */
+export declare const SeccompConfigSchema: z.ZodObject<{
+    bpfPath: z.ZodOptional<z.ZodString>;
+    applyPath: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    bpfPath?: string | undefined;
+    applyPath?: string | undefined;
+}, {
+    bpfPath?: string | undefined;
+    applyPath?: string | undefined;
+}>;
+/**
+ * Main configuration schema for Sandbox Runtime validation
+ */
+export declare const SandboxRuntimeConfigSchema: z.ZodObject<{
+    network: z.ZodObject<{
+        allowedDomains: z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">;
+        deniedDomains: z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">;
+        allowUnixSockets: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        allowAllUnixSockets: z.ZodOptional<z.ZodBoolean>;
+        allowLocalBinding: z.ZodOptional<z.ZodBoolean>;
+        httpProxyPort: z.ZodOptional<z.ZodNumber>;
+        socksProxyPort: z.ZodOptional<z.ZodNumber>;
+        mitmProxy: z.ZodOptional<z.ZodObject<{
+            socketPath: z.ZodString;
+            domains: z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">;
+        }, "strip", z.ZodTypeAny, {
+            socketPath: string;
+            domains: string[];
+        }, {
+            socketPath: string;
+            domains: string[];
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        allowedDomains: string[];
+        deniedDomains: string[];
+        allowUnixSockets?: string[] | undefined;
+        allowAllUnixSockets?: boolean | undefined;
+        allowLocalBinding?: boolean | undefined;
+        httpProxyPort?: number | undefined;
+        socksProxyPort?: number | undefined;
+        mitmProxy?: {
+            socketPath: string;
+            domains: string[];
+        } | undefined;
+    }, {
+        allowedDomains: string[];
+        deniedDomains: string[];
+        allowUnixSockets?: string[] | undefined;
+        allowAllUnixSockets?: boolean | undefined;
+        allowLocalBinding?: boolean | undefined;
+        httpProxyPort?: number | undefined;
+        socksProxyPort?: number | undefined;
+        mitmProxy?: {
+            socketPath: string;
+            domains: string[];
+        } | undefined;
+    }>;
+    filesystem: z.ZodObject<{
+        denyRead: z.ZodArray<z.ZodString, "many">;
+        allowWrite: z.ZodArray<z.ZodString, "many">;
+        denyWrite: z.ZodArray<z.ZodString, "many">;
+        allowGitConfig: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        denyRead: string[];
+        denyWrite: string[];
+        allowWrite: string[];
+        allowGitConfig?: boolean | undefined;
+    }, {
+        denyRead: string[];
+        denyWrite: string[];
+        allowWrite: string[];
+        allowGitConfig?: boolean | undefined;
+    }>;
+    ignoreViolations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>>;
+    enableWeakerNestedSandbox: z.ZodOptional<z.ZodBoolean>;
+    ripgrep: z.ZodOptional<z.ZodObject<{
+        command: z.ZodString;
+        args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        command: string;
+        args?: string[] | undefined;
+    }, {
+        command: string;
+        args?: string[] | undefined;
+    }>>;
+    mandatoryDenySearchDepth: z.ZodOptional<z.ZodNumber>;
+    allowPty: z.ZodOptional<z.ZodBoolean>;
+    seccomp: z.ZodOptional<z.ZodObject<{
+        bpfPath: z.ZodOptional<z.ZodString>;
+        applyPath: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        bpfPath?: string | undefined;
+        applyPath?: string | undefined;
+    }, {
+        bpfPath?: string | undefined;
+        applyPath?: string | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    network: {
+        allowedDomains: string[];
+        deniedDomains: string[];
+        allowUnixSockets?: string[] | undefined;
+        allowAllUnixSockets?: boolean | undefined;
+        allowLocalBinding?: boolean | undefined;
+        httpProxyPort?: number | undefined;
+        socksProxyPort?: number | undefined;
+        mitmProxy?: {
+            socketPath: string;
+            domains: string[];
+        } | undefined;
+    };
+    filesystem: {
+        denyRead: string[];
+        denyWrite: string[];
+        allowWrite: string[];
+        allowGitConfig?: boolean | undefined;
+    };
+    ignoreViolations?: Record<string, string[]> | undefined;
+    enableWeakerNestedSandbox?: boolean | undefined;
+    ripgrep?: {
+        command: string;
+        args?: string[] | undefined;
+    } | undefined;
+    mandatoryDenySearchDepth?: number | undefined;
+    allowPty?: boolean | undefined;
+    seccomp?: {
+        bpfPath?: string | undefined;
+        applyPath?: string | undefined;
+    } | undefined;
+}, {
+    network: {
+        allowedDomains: string[];
+        deniedDomains: string[];
+        allowUnixSockets?: string[] | undefined;
+        allowAllUnixSockets?: boolean | undefined;
+        allowLocalBinding?: boolean | undefined;
+        httpProxyPort?: number | undefined;
+        socksProxyPort?: number | undefined;
+        mitmProxy?: {
+            socketPath: string;
+            domains: string[];
+        } | undefined;
+    };
+    filesystem: {
+        denyRead: string[];
+        denyWrite: string[];
+        allowWrite: string[];
+        allowGitConfig?: boolean | undefined;
+    };
+    ignoreViolations?: Record<string, string[]> | undefined;
+    enableWeakerNestedSandbox?: boolean | undefined;
+    ripgrep?: {
+        command: string;
+        args?: string[] | undefined;
+    } | undefined;
+    mandatoryDenySearchDepth?: number | undefined;
+    allowPty?: boolean | undefined;
+    seccomp?: {
+        bpfPath?: string | undefined;
+        applyPath?: string | undefined;
+    } | undefined;
+}>;
+export type MitmProxyConfig = z.infer<typeof MitmProxyConfigSchema>;
+export type NetworkConfig = z.infer<typeof NetworkConfigSchema>;
+export type FilesystemConfig = z.infer<typeof FilesystemConfigSchema>;
+export type IgnoreViolationsConfig = z.infer<typeof IgnoreViolationsConfigSchema>;
+export type RipgrepConfig = z.infer<typeof RipgrepConfigSchema>;
+export type SeccompConfig = z.infer<typeof SeccompConfigSchema>;
+export type SandboxRuntimeConfig = z.infer<typeof SandboxRuntimeConfigSchema>;
+export {};
+//# sourceMappingURL=sandbox-config.d.ts.map

package/dist/sandbox/sandbox-config.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sandbox-config.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-config.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAoDvB;;;GAGG;AACH,QAAA,MAAM,qBAAqB;;;;;;;;;EAQzB,CAAA;AAEF;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA0C9B,CAAA;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;EAcjC,CAAA;AAEF;;;GAGG;AACH,eAAO,MAAM,4BAA4B,2DAItC,CAAA;AAEH;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;EAU9B,CAAA;AAEF;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;EAM9B,CAAA;AAEF;;GAEG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgCrC,CAAA;AAGF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAA;AACnE,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAC/D,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAA;AACrE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAC1C,OAAO,4BAA4B,CACpC,CAAA;AACD,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAC/D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAA;AAC/D,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA"}

package/dist/sandbox/sandbox-config.js ADDED Viewed

@@ -0,0 +1,166 @@
+/**
+ * Configuration for Sandbox Runtime
+ * This is the main configuration interface that consumers pass to SandboxManager.initialize()
+ */
+import { z } from 'zod';
+/**
+ * Schema for domain patterns (e.g., "example.com", "*.npmjs.org")
+ * Validates that domain patterns are safe and don't include overly broad wildcards
+ */
+const domainPatternSchema = z.string().refine(val => {
+    // Reject protocols, paths, ports, etc.
+    if (val.includes('://') || val.includes('/') || val.includes(':')) {
+        return false;
+    }
+    // Allow localhost
+    if (val === 'localhost')
+        return true;
+    // Allow wildcard domains like *.example.com
+    if (val.startsWith('*.')) {
+        const domain = val.slice(2);
+        // After the *. there must be a valid domain with at least one more dot
+        // e.g., *.example.com is valid, *.com is not (too broad)
+        if (!domain.includes('.') ||
+            domain.startsWith('.') ||
+            domain.endsWith('.')) {
+            return false;
+        }
+        // Count dots - must have at least 2 parts after the wildcard (e.g., example.com)
+        const parts = domain.split('.');
+        return parts.length >= 2 && parts.every(p => p.length > 0);
+    }
+    // Reject any other use of wildcards (e.g., *, *., etc.)
+    if (val.includes('*')) {
+        return false;
+    }
+    // Regular domains must have at least one dot and only valid characters
+    return val.includes('.') && !val.startsWith('.') && !val.endsWith('.');
+}, {
+    message: 'Invalid domain pattern. Must be a valid domain (e.g., "example.com") or wildcard (e.g., "*.example.com"). Overly broad patterns like "*.com" or "*" are not allowed for security reasons.',
+});
+/**
+ * Schema for filesystem paths
+ */
+const filesystemPathSchema = z.string().min(1, 'Path cannot be empty');
+/**
+ * Schema for MITM proxy configuration
+ * Allows routing specific domains through an upstream MITM proxy via Unix socket
+ */
+const MitmProxyConfigSchema = z.object({
+    socketPath: z.string().min(1).describe('Unix socket path to the MITM proxy'),
+    domains: z
+        .array(domainPatternSchema)
+        .min(1)
+        .describe('Domains to route through the MITM proxy (e.g., ["api.example.com", "*.internal.org"])'),
+});
+/**
+ * Network configuration schema for validation
+ */
+export const NetworkConfigSchema = z.object({
+    allowedDomains: z
+        .array(domainPatternSchema)
+        .describe('List of allowed domains (e.g., ["github.com", "*.npmjs.org"])'),
+    deniedDomains: z
+        .array(domainPatternSchema)
+        .describe('List of denied domains'),
+    allowUnixSockets: z
+        .array(z.string())
+        .optional()
+        .describe('Unix socket paths that are allowed (macOS only)'),
+    allowAllUnixSockets: z
+        .boolean()
+        .optional()
+        .describe('Allow ALL Unix sockets (Linux only - disables Unix socket blocking)'),
+    allowLocalBinding: z
+        .boolean()
+        .optional()
+        .describe('Whether to allow binding to local ports (default: false)'),
+    httpProxyPort: z
+        .number()
+        .int()
+        .min(1)
+        .max(65535)
+        .optional()
+        .describe('Port of an external HTTP proxy to use instead of starting a local one. When provided, the library will skip starting its own HTTP proxy and use this port. The external proxy must handle domain filtering.'),
+    socksProxyPort: z
+        .number()
+        .int()
+        .min(1)
+        .max(65535)
+        .optional()
+        .describe('Port of an external SOCKS proxy to use instead of starting a local one. When provided, the library will skip starting its own SOCKS proxy and use this port. The external proxy must handle domain filtering.'),
+    mitmProxy: MitmProxyConfigSchema.optional().describe('Optional MITM proxy configuration. Routes matching domains through an upstream proxy via Unix socket while SRT still handles allow/deny filtering.'),
+});
+/**
+ * Filesystem configuration schema for validation
+ */
+export const FilesystemConfigSchema = z.object({
+    denyRead: z.array(filesystemPathSchema).describe('Paths denied for reading'),
+    allowWrite: z
+        .array(filesystemPathSchema)
+        .describe('Paths allowed for writing'),
+    denyWrite: z
+        .array(filesystemPathSchema)
+        .describe('Paths denied for writing (takes precedence over allowWrite)'),
+    allowGitConfig: z
+        .boolean()
+        .optional()
+        .describe('Allow writes to .git/config files (default: false). Enables git remote URL updates while keeping .git/hooks protected.'),
+});
+/**
+ * Configuration schema for ignoring specific sandbox violations
+ * Maps command patterns to filesystem paths to ignore violations for.
+ */
+export const IgnoreViolationsConfigSchema = z
+    .record(z.string(), z.array(z.string()))
+    .describe('Map of command patterns to filesystem paths to ignore violations for. Use "*" to match all commands');
+/**
+ * Ripgrep configuration schema
+ */
+export const RipgrepConfigSchema = z.object({
+    command: z
+        .string()
+        .describe('The ripgrep command to execute (e.g., "rg", "claude")'),
+    args: z
+        .array(z.string())
+        .optional()
+        .describe('Additional arguments to pass before ripgrep args (e.g., ["--ripgrep"])'),
+});
+/**
+ * Seccomp configuration schema (Linux only)
+ * Allows specifying custom paths to seccomp binaries
+ */
+export const SeccompConfigSchema = z.object({
+    bpfPath: z
+        .string()
+        .optional()
+        .describe('Path to the unix-block.bpf filter file'),
+    applyPath: z.string().optional().describe('Path to the apply-seccomp binary'),
+});
+/**
+ * Main configuration schema for Sandbox Runtime validation
+ */
+export const SandboxRuntimeConfigSchema = z.object({
+    network: NetworkConfigSchema.describe('Network restrictions configuration'),
+    filesystem: FilesystemConfigSchema.describe('Filesystem restrictions configuration'),
+    ignoreViolations: IgnoreViolationsConfigSchema.optional().describe('Optional configuration for ignoring specific violations'),
+    enableWeakerNestedSandbox: z
+        .boolean()
+        .optional()
+        .describe('Enable weaker nested sandbox mode (for Docker environments)'),
+    ripgrep: RipgrepConfigSchema.optional().describe('Custom ripgrep configuration (default: { command: "rg" })'),
+    mandatoryDenySearchDepth: z
+        .number()
+        .int()
+        .min(1)
+        .max(10)
+        .optional()
+        .describe('Maximum directory depth to search for dangerous files on Linux (default: 3). ' +
+        'Higher values provide more protection but slower performance.'),
+    allowPty: z
+        .boolean()
+        .optional()
+        .describe('Allow pseudo-terminal (pty) operations (macOS only)'),
+    seccomp: SeccompConfigSchema.optional().describe('Custom seccomp binary paths (Linux only).'),
+});
+//# sourceMappingURL=sandbox-config.js.map

package/dist/sandbox/sandbox-config.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sandbox-config.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-config.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB;;;GAGG;AACH,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAC3C,GAAG,CAAC,EAAE;IACJ,uCAAuC;IACvC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAClE,OAAO,KAAK,CAAA;IACd,CAAC;IAED,kBAAkB;IAClB,IAAI,GAAG,KAAK,WAAW;QAAE,OAAO,IAAI,CAAA;IAEpC,4CAA4C;IAC5C,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;QAC3B,uEAAuE;QACvE,yDAAyD;QACzD,IACE,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;YACrB,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC;YACtB,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EACpB,CAAC;YACD,OAAO,KAAK,CAAA;QACd,CAAC;QACD,iFAAiF;QACjF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC/B,OAAO,KAAK,CAAC,MAAM,IAAI,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAC5D,CAAC;IAED,wDAAwD;IACxD,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,uEAAuE;IACvE,OAAO,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;AACxE,CAAC,EACD;IACE,OAAO,EACL,2LAA2L;CAC9L,CACF,CAAA;AAED;;GAEG;AACH,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,sBAAsB,CAAC,CAAA;AAEtE;;;GAGG;AACH,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,oCAAoC,CAAC;IAC5E,OAAO,EAAE,CAAC;SACP,KAAK,CAAC,mBAAmB,CAAC;SAC1B,GAAG,CAAC,CAAC,CAAC;SACN,QAAQ,CACP,uFAAuF,CACxF;CACJ,CAAC,CAAA;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,cAAc,EAAE,CAAC;SACd,KAAK,CAAC,mBAAmB,CAAC;SAC1B,QAAQ,CAAC,+DAA+D,CAAC;IAC5E,aAAa,EAAE,CAAC;SACb,KAAK,CAAC,mBAAmB,CAAC;SAC1B,QAAQ,CAAC,wBAAwB,CAAC;IACrC,gBAAgB,EAAE,CAAC;SAChB,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;SACV,QAAQ,CAAC,iDAAiD,CAAC;IAC9D,mBAAmB,EAAE,CAAC;SACnB,OAAO,EAAE;SACT,QAAQ,EAAE;SACV,QAAQ,CACP,qEAAqE,CACtE;IACH,iBAAiB,EAAE,CAAC;SACjB,OAAO,EAAE;SACT,QAAQ,EAAE;SACV,QAAQ,CAAC,0DAA0D,CAAC;IACvE,aAAa,EAAE,CAAC;SACb,MAAM,EAAE;SACR,GAAG,EAAE;SACL,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,KAAK,CAAC;SACV,QAAQ,EAAE;SACV,QAAQ,CACP,6MAA6M,CAC9M;IACH,cAAc,EAAE,CAAC;SACd,MAAM,EAAE;SACR,GAAG,EAAE;SACL,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,KAAK,CAAC;SACV,QAAQ,EAAE;SACV,QAAQ,CACP,+MAA+M,CAChN;IACH,SAAS,EAAE,qBAAqB,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAClD,oJAAoJ,CACrJ;CACF,CAAC,CAAA;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7C,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,QAAQ,CAAC,0BAA0B,CAAC;IAC5E,UAAU,EAAE,CAAC;SACV,KAAK,CAAC,oBAAoB,CAAC;SAC3B,QAAQ,CAAC,2BAA2B,CAAC;IACxC,SAAS,EAAE,CAAC;SACT,KAAK,CAAC,oBAAoB,CAAC;SAC3B,QAAQ,CAAC,6DAA6D,CAAC;IAC1E,cAAc,EAAE,CAAC;SACd,OAAO,EAAE;SACT,QAAQ,EAAE;SACV,QAAQ,CACP,wHAAwH,CACzH;CACJ,CAAC,CAAA;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC;KAC1C,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;KACvC,QAAQ,CACP,qGAAqG,CACtG,CAAA;AAEH;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,OAAO,EAAE,CAAC;SACP,MAAM,EAAE;SACR,QAAQ,CAAC,uDAAuD,CAAC;IACpE,IAAI,EAAE,CAAC;SACJ,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,QAAQ,EAAE;SACV,QAAQ,CACP,wEAAwE,CACzE;CACJ,CAAC,CAAA;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,OAAO,EAAE,CAAC;SACP,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,wCAAwC,CAAC;IACrD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kCAAkC,CAAC;CAC9E,CAAC,CAAA;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,OAAO,EAAE,mBAAmB,CAAC,QAAQ,CAAC,oCAAoC,CAAC;IAC3E,UAAU,EAAE,sBAAsB,CAAC,QAAQ,CACzC,uCAAuC,CACxC;IACD,gBAAgB,EAAE,4BAA4B,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAChE,yDAAyD,CAC1D;IACD,yBAAyB,EAAE,CAAC;SACzB,OAAO,EAAE;SACT,QAAQ,EAAE;SACV,QAAQ,CAAC,6DAA6D,CAAC;IAC1E,OAAO,EAAE,mBAAmB,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAC9C,2DAA2D,CAC5D;IACD,wBAAwB,EAAE,CAAC;SACxB,MAAM,EAAE;SACR,GAAG,EAAE;SACL,GAAG,CAAC,CAAC,CAAC;SACN,GAAG,CAAC,EAAE,CAAC;SACP,QAAQ,EAAE;SACV,QAAQ,CACP,+EAA+E;QAC7E,+DAA+D,CAClE;IACH,QAAQ,EAAE,CAAC;SACR,OAAO,EAAE;SACT,QAAQ,EAAE;SACV,QAAQ,CAAC,qDAAqD,CAAC;IAClE,OAAO,EAAE,mBAAmB,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAC9C,2CAA2C,CAC5C;CACF,CAAC,CAAA"}