@voratiq/sandbox-runtime 0.7.0-voratiq1

package/dist/sandbox/linux-sandbox-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"linux-sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,UAAU,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAErD,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,oBAAoB,CAAA;AAK3B,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAA;AA2BrC,8DAA8D;AAC9D,MAAM,uBAAuB,GAAgB,IAAI,GAAG,EAAE,CAAA;AACtD,IAAI,qBAAqB,GAAG,KAAK,CAAA;AAEjC;;GAEG;AACH,SAAS,6BAA6B;IACpC,IAAI,qBAAqB,EAAE,CAAC;QAC1B,OAAM;IACR,CAAC;IAED,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;QACtB,KAAK,MAAM,UAAU,IAAI,uBAAuB,EAAE,CAAC;YACjD,IAAI,CAAC;gBACH,oBAAoB,CAAC,UAAU,CAAC,CAAA;YAClC,CAAC;YAAC,MAAM,CAAC;gBACP,oCAAoC;YACtC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,qBAAqB,GAAG,IAAI,CAAA;AAC9B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,+BAA+B,CAC7C,mBAAmB,GAAG,KAAK;IAE3B,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;YAChD,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QACF,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;YAChD,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QAEF,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,CAAA;QAEzE,0EAA0E;QAC1E,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,oEAAoE;YACpE,MAAM,kBAAkB,GAAG,sBAAsB,EAAE,KAAK,IAAI,CAAA;YAE5D,kEAAkE;YAClE,MAAM,qBAAqB,GAAG,yBAAyB,EAAE,KAAK,IAAI,CAAA;YAElE,IAAI,kBAAkB,IAAI,qBAAqB,EAAE,CAAC;gBAChD,mEAAmE;gBACnE,OAAO,YAAY,CAAA;YACrB,CAAC;iBAAM,CAAC;gBACN,2EAA2E;gBAC3E,uEAAuE;gBACvE,wDAAwD;gBACxD,eAAe,CACb,gCAAgC,OAAO,CAAC,IAAI,2CAA2C;oBACrF,+EAA+E;oBAC/E,sDAAsD,EACxD,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAA;gBACD,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAA;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,aAAqB,EACrB,cAAsB;IAEtB,MAAM,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC/C,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,QAAQ,OAAO,CAAC,CAAA;IACrE,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,QAAQ,OAAO,CAAC,CAAA;IAEvE,oBAAoB;IACpB,MAAM,aAAa,GAAG;QACpB,eAAe,cAAc,iBAAiB;QAC9C,iBAAiB,aAAa,8CAA8C;KAC7E,CAAA;IAED,eAAe,CAAC,+BAA+B,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAEzE,MAAM,iBAAiB,GAAG,KAAK,CAAC,OAAO,EAAE,aAAa,EAAE;QACtD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IAED,qBAAqB;IACrB,MAAM,cAAc,GAAG;QACrB,eAAe,eAAe,iBAAiB;QAC/C,iBAAiB,cAAc,8CAA8C;KAC9E,CAAA;IAED,eAAe,CAAC,gCAAgC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAE3E,MAAM,kBAAkB,GAAG,KAAK,CAAC,OAAO,EAAE,cAAc,EAAE;QACxD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC;QAC5B,uBAAuB;QACvB,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;YAChD,CAAC;YAAC,MAAM,CAAC;gBACP,gBAAgB;YAClB,CAAC;QACH,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;IACzD,CAAC;IAED,oCAAoC;IACpC,MAAM,WAAW,GAAG,CAAC,CAAA;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,IACE,CAAC,iBAAiB,CAAC,GAAG;YACtB,iBAAiB,CAAC,MAAM;YACxB,CAAC,kBAAkB,CAAC,GAAG;YACvB,kBAAkB,CAAC,MAAM,EACzB,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,CAAC;YACH,sBAAsB;YACtB,IAAI,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;gBACpE,eAAe,CAAC,6BAA6B,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;gBAC9D,MAAK;YACP,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAe,CAAC,mCAAmC,CAAC,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE;gBACnE,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,WAAW,GAAG,CAAC,EAAE,CAAC;YAC1B,0BAA0B;YAC1B,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,IAAI,kBAAkB,CAAC,GAAG,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBACjD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,MAAM,IAAI,KAAK,CACb,yCAAyC,WAAW,WAAW,CAChE,CAAA;QACH,CAAC;QAED,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;IAC5D,CAAC;IAED,OAAO;QACL,cAAc;QACd,eAAe;QACf,iBAAiB;QACjB,kBAAkB;QAClB,aAAa;QACb,cAAc;KACf,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAC1B,cAAsB,EACtB,eAAuB,EACvB,WAAmB,EACnB,iBAAqC,EACrC,KAAc;IAEd,6CAA6C;IAC7C,MAAM,SAAS,GAAG,KAAK,IAAI,MAAM,CAAA;IACjC,MAAM,aAAa,GAAG;QACpB,qDAAqD,cAAc,oBAAoB;QACvF,qDAAqD,eAAe,oBAAoB;QACxF,0CAA0C;KAC3C,CAAA;IAED,+DAA+D;IAC/D,IAAI,iBAAiB,EAAE,CAAC;QACtB,0BAA0B;QAC1B,qEAAqE;QACrE,kEAAkE;QAClE,kEAAkE;QAClE,EAAE;QACF,4CAA4C;QAC5C,6BAA6B;QAC7B,6DAA6D;QAC7D,2BAA2B;QAC3B,EAAE;QACF,oFAAoF;QACpF,MAAM,kBAAkB,GAAG,yBAAyB,EAAE,CAAA;QACtD,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CACb,wEAAwE;gBACtE,uFAAuF,CAC1F,CAAA;QACH,CAAC;QAED,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,CAAC;YACvC,kBAAkB;YAClB,iBAAiB;YACjB,SAAS;YACT,IAAI;YACJ,WAAW;SACZ,CAAC,CAAA;QAEF,MAAM,WAAW,GAAG,CAAC,GAAG,aAAa,EAAE,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAClE,OAAO,GAAG,SAAS,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CAAA;IAC7D,CAAC;SAAM,CAAC;QACN,gDAAgD;QAChD,MAAM,WAAW,GAAG;YAClB,GAAG,aAAa;YAChB,QAAQ,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE;SAC1C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEZ,OAAO,GAAG,SAAS,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CAAA;IAC7D,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,sBAAsB,CACnC,UAA+C,EAC/C,WAAiD,EACjD,gBAAsD,EAAE,OAAO,EAAE,IAAI,EAAE;IAEvE,MAAM,IAAI,GAAa,EAAE,CAAA;IACzB,sBAAsB;IAEtB,2DAA2D;IAC3D,IAAI,WAAW,EAAE,CAAC;QAChB,qFAAqF;QACrF,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;QAEhC,4DAA4D;QAC5D,MAAM,iBAAiB,GAAa,EAAE,CAAA;QAEtC,iCAAiC;QACjC,KAAK,MAAM,WAAW,IAAI,WAAW,CAAC,SAAS,IAAI,EAAE,EAAE,CAAC;YACtD,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,eAAe,CACb,0CAA0C,WAAW,OAAO,cAAc,EAAE,CAC7E,CAAA;YAED,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,eAAe,CAAC,uCAAuC,cAAc,EAAE,CAAC,CAAA;gBACxE,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,eAAe,CACb,qDAAqD,cAAc,EAAE,CACtE,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACnD,iBAAiB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACxC,CAAC;QAED,uEAAuE;QACvE,MAAM,SAAS,GAAG;YAChB,GAAG,CAAC,WAAW,CAAC,eAAe,IAAI,EAAE,CAAC;YACtC,GAAG,CAAC,MAAM,2BAA2B,CAAC,aAAa,CAAC,CAAC;SACtD,CAAA;QAED,KAAK,MAAM,WAAW,IAAI,SAAS,EAAE,CAAC;YACpC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,SAAQ;YACV,CAAC;YAED,0BAA0B;YAC1B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,eAAe,CACb,oDAAoD,cAAc,EAAE,CACrE,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,qEAAqE;YACrE,kEAAkE;YAClE,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,CAChD,WAAW,CAAC,EAAE,CACZ,cAAc,CAAC,UAAU,CAAC,WAAW,GAAG,GAAG,CAAC;gBAC5C,cAAc,KAAK,WAAW,CACjC,CAAA;YAED,IAAI,mBAAmB,EAAE,CAAC;gBACxB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACxD,CAAC;iBAAM,CAAC;gBACN,eAAe,CACb,gEAAgE,cAAc,EAAE,CACjF,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,0CAA0C;QAC1C,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;IAC/B,CAAC;IAED,+DAA+D;IAC/D,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAA;IAEvD,6EAA6E;IAC7E,+EAA+E;IAC/E,4EAA4E;IAC5E,IAAI,EAAE,CAAC,UAAU,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC3C,aAAa,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;IAC7C,CAAC;IAED,KAAK,MAAM,WAAW,IAAI,aAAa,EAAE,CAAC;QACxC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;QAC3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YACnC,eAAe,CACb,yDAAyD,cAAc,EAAE,CAC1E,CAAA;YACD,SAAQ;QACV,CAAC;QAED,MAAM,YAAY,GAAG,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;QAChD,IAAI,YAAY,CAAC,WAAW,EAAE,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAA;QACtC,CAAC;aAAM,CAAC;YACN,6CAA6C;YAC7C,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,cAAc,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAA0B;IAE1B,MAAM,EACJ,OAAO,EACP,sBAAsB,EACtB,yBAAyB,EACzB,cAAc,EACd,eAAe,EACf,aAAa,EACb,cAAc,EACd,UAAU,EACV,WAAW,EACX,yBAAyB,EACzB,mBAAmB,EACnB,QAAQ,EACR,aAAa,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,GAClC,GAAG,MAAM,CAAA;IAEV,kCAAkC;IAClC,IAAI,CAAC,sBAAsB,IAAI,CAAC,yBAAyB,EAAE,CAAC;QAC1D,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,IAAI,iBAAiB,GAAuB,SAAS,CAAA;IAErD,IAAI,CAAC;QACH,8DAA8D;QAC9D,kFAAkF;QAClF,EAAE;QACF,4EAA4E;QAC5E,wCAAwC;QACxC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,iBAAiB,GAAG,qBAAqB,EAAE,IAAI,SAAS,CAAA;YACxD,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,2DAA2D;gBAC3D,MAAM,IAAI,KAAK,CACb,8DAA8D;oBAC5D,4FAA4F;oBAC5F,uFAAuF,CAC1F,CAAA;YACH,CAAC;YAED,qDAAqD;YACrD,6EAA6E;YAC7E,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBACpD,uBAAuB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;gBAC9C,6BAA6B,EAAE,CAAA;YACjC,CAAC;YAED,eAAe,CACb,uEAAuE,CACxE,CAAA;QACH,CAAC;aAAM,IAAI,mBAAmB,EAAE,CAAC;YAC/B,eAAe,CACb,0EAA0E,CAC3E,CAAA;QACH,CAAC;QAED,6CAA6C;QAC7C,IAAI,sBAAsB,EAAE,CAAC;YAC3B,2DAA2D;YAC3D,IAAI,CAAC,cAAc,IAAI,CAAC,eAAe,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CACb,kFAAkF,CACnF,CAAA;YACH,CAAC;YAED,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;YAE/B,qCAAqC;YACrC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACxD,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,EAAE,eAAe,CAAC,CAAA;YAE1D,kCAAkC;YAClC,yEAAyE;YACzE,4EAA4E;YAC5E,MAAM,QAAQ,GAAG,oBAAoB,CACnC,IAAI,EAAE,8BAA8B;YACpC,IAAI,CACL,CAAA;YACD,SAAS,CAAC,IAAI,CACZ,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,GAAW,EAAE,EAAE;gBAClC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;gBAChC,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAA;gBACjC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;gBACpC,OAAO,CAAC,UAAU,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;YACjC,CAAC,CAAC,CACH,CAAA;YAED,uEAAuE;YACvE,iEAAiE;YACjE,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;gBAChC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,kCAAkC,EAClC,MAAM,CAAC,aAAa,CAAC,CACtB,CAAA;YACH,CAAC;YACD,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBACjC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,mCAAmC,EACnC,MAAM,CAAC,cAAc,CAAC,CACvB,CAAA;YACH,CAAC;QACH,CAAC;QAED,gDAAgD;QAChD,MAAM,MAAM,GAAG,MAAM,sBAAsB,CACzC,UAAU,EACV,WAAW,EACX,aAAa,CACd,CAAA;QACD,SAAS,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAA;QAEzB,mBAAmB;QACnB,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;QAE/B,gDAAgD;QAChD,6EAA6E;QAC7E,kEAAkE;QAClE,wEAAwE;QACxE,qGAAqG;QACrG,mGAAmG;QACnG,4DAA4D;QAC5D,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAC/B,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAC/B,+DAA+D;YAC/D,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QACnC,CAAC;QAED,gCAAgC;QAChC,0EAA0E;QAC1E,0EAA0E;QAC1E,MAAM,SAAS,GAAG,QAAQ,IAAI,MAAM,CAAA;QACpC,MAAM,eAAe,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE;YACtD,QAAQ,EAAE,MAAM;SACjB,CAAC,CAAA;QACF,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,UAAU,SAAS,qBAAqB,CAAC,CAAA;QAC3D,CAAC;QACD,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,EAAE,CAAA;QAC3C,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAA;QAEjC,+FAA+F;QAC/F,wEAAwE;QACxE,IAAI,sBAAsB,IAAI,cAAc,IAAI,eAAe,EAAE,CAAC;YAChE,2EAA2E;YAC3E,uDAAuD;YACvD,MAAM,cAAc,GAAG,mBAAmB,CACxC,cAAc,EACd,eAAe,EACf,OAAO,EACP,iBAAiB,EACjB,KAAK,CACN,CAAA;YACD,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QAChC,CAAC;aAAM,IAAI,iBAAiB,EAAE,CAAC;YAC7B,2EAA2E;YAC3E,4FAA4F;YAC5F,MAAM,kBAAkB,GAAG,yBAAyB,EAAE,CAAA;YACtD,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CACb,wEAAwE;oBACtE,uFAAuF,CAC1F,CAAA;YACH,CAAC;YAED,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,CAAC;gBACvC,kBAAkB;gBAClB,iBAAiB;gBACjB,KAAK;gBACL,IAAI;gBACJ,OAAO;aACR,CAAC,CAAA;YACF,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QACjC,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QACzB,CAAC;QAED,gCAAgC;QAChC,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,CAAC,CAAA;QAEhE,MAAM,YAAY,GAAG,EAAE,CAAA;QACvB,IAAI,sBAAsB;YAAE,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QACxD,IAAI,yBAAyB;YAAE,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAC9D,IAAI,iBAAiB;YAAE,YAAY,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;QAE/D,eAAe,CACb,+CAA+C,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CACvF,CAAA;QAED,OAAO,cAAc,CAAA;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,mCAAmC;QACnC,IAAI,iBAAiB,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACzE,uBAAuB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAA;YACjD,IAAI,CAAC;gBACH,oBAAoB,CAAC,iBAAiB,CAAC,CAAA;YACzC,CAAC;YAAC,OAAO,YAAY,EAAE,CAAC;gBACtB,eAAe,CACb,+DAA+D,YAAY,EAAE,EAC7E,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;YACH,CAAC;QACH,CAAC;QACD,8BAA8B;QAC9B,MAAM,KAAK,CAAA;IACb,CAAC;AACH,CAAC"}

package/dist/sandbox/macos-sandbox-utils.d.ts

@@ -0,0 +1,54 @@
+import type { FsReadRestrictionConfig, FsWriteRestrictionConfig } from './sandbox-schemas.js';
+import type { IgnoreViolationsConfig } from './sandbox-config.js';
+export interface MacOSSandboxParams {
+    command: string;
+    httpProxyPort?: number;
+    socksProxyPort?: number;
+    needsNetworkRestriction: boolean;
+    allowUnixSockets?: string[];
+    allowAllUnixSockets?: boolean;
+    allowLocalBinding?: boolean;
+    readConfig: FsReadRestrictionConfig | undefined;
+    writeConfig: FsWriteRestrictionConfig | undefined;
+    ignoreViolations?: IgnoreViolationsConfig | undefined;
+    binShell?: string;
+    ripgrepConfig?: {
+        command: string;
+        args?: string[];
+    };
+}
+export interface SandboxViolationEvent {
+    line: string;
+    command?: string;
+    encodedCommand?: string;
+    timestamp: Date;
+}
+export type SandboxViolationCallback = (violation: SandboxViolationEvent) => void;
+/**
+ * Convert a glob pattern to a regular expression for macOS sandbox profiles
+ *
+ * This implements gitignore-style pattern matching to match the behavior of the
+ * `ignore` library used by the permission system/
+ *
+ * Supported patterns:
+ * - * matches any characters except / (e.g., *.ts matches foo.ts but not foo/bar.ts)
+ * - ** matches any characters including / (e.g., src/** /*.ts matches all .ts files in src/)
+ * - ? matches any single character except / (e.g., file?.txt matches file1.txt)
+ * - [abc] matches any character in the set (e.g., file[0-9].txt matches file3.txt)
+ *
+ * Note: This is designed for macOS sandbox (regex ...) syntax. The resulting regex
+ * will be used in sandbox profiles like: (deny file-write* (regex "pattern"))
+ *
+ * Exported for testing purposes.
+ */
+export declare function globToRegex(globPattern: string): string;
+/**
+ * Wrap command with macOS sandbox
+ */
+export declare function wrapCommandWithSandboxMacOS(params: MacOSSandboxParams): Promise<string>;
+/**
+ * Start monitoring macOS system logs for sandbox violations
+ * Look for sandbox-related kernel deny events ending in {logTag}
+ */
+export declare function startMacOSSandboxLogMonitor(callback: SandboxViolationCallback, ignoreViolations?: IgnoreViolationsConfig): () => void;
+//# sourceMappingURL=macos-sandbox-utils.d.ts.map

package/dist/sandbox/macos-sandbox-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"macos-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox-utils.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAA;AAEjE,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,uBAAuB,EAAE,OAAO,CAAA;IAChC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC3B,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAC7B,iBAAiB,CAAC,EAAE,OAAO,CAAA;IAC3B,UAAU,EAAE,uBAAuB,GAAG,SAAS,CAAA;IAC/C,WAAW,EAAE,wBAAwB,GAAG,SAAS,CAAA;IACjD,gBAAgB,CAAC,EAAE,sBAAsB,GAAG,SAAS,CAAA;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,aAAa,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAA;CACrD;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,MAAM,wBAAwB,GAAG,CACrC,SAAS,EAAE,qBAAqB,KAC7B,IAAI,CAAA;AAIT;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAkBvD;AA0fD;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,MAAM,CAAC,CAyEjB;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,QAAQ,EAAE,wBAAwB,EAClC,gBAAgB,CAAC,EAAE,sBAAsB,GACxC,MAAM,IAAI,CA8GZ"}

package/dist/sandbox/macos-sandbox-utils.js

@@ -0,0 +1,559 @@
+import shellquote from 'shell-quote';
+import { spawn, spawnSync } from 'child_process';
+import * as path from 'path';
+import { logForDebugging } from '../utils/debug.js';
+import { normalizePathForSandbox, generateProxyEnvVars, getMandatoryDenyWithinAllow, encodeSandboxedCommand, decodeSandboxedCommand, containsGlobChars, } from './sandbox-utils.js';
+const sessionSuffix = `_${Math.random().toString(36).slice(2, 11)}_SBX`;
+/**
+ * Convert a glob pattern to a regular expression for macOS sandbox profiles
+ *
+ * This implements gitignore-style pattern matching to match the behavior of the
+ * `ignore` library used by the permission system/
+ *
+ * Supported patterns:
+ * - * matches any characters except / (e.g., *.ts matches foo.ts but not foo/bar.ts)
+ * - ** matches any characters including / (e.g., src/** /*.ts matches all .ts files in src/)
+ * - ? matches any single character except / (e.g., file?.txt matches file1.txt)
+ * - [abc] matches any character in the set (e.g., file[0-9].txt matches file3.txt)
+ *
+ * Note: This is designed for macOS sandbox (regex ...) syntax. The resulting regex
+ * will be used in sandbox profiles like: (deny file-write* (regex "pattern"))
+ *
+ * Exported for testing purposes.
+ */
+export function globToRegex(globPattern) {
+    return ('^' +
+        globPattern
+            // Escape regex special characters (except glob chars * ? [ ])
+            .replace(/[.^$+{}()|\\]/g, '\\$&')
+            // Escape unclosed brackets (no matching ])
+            .replace(/\[([^\]]*?)$/g, '\\[$1')
+            // Convert glob patterns to regex (order matters - ** before *)
+            .replace(/\*\*\//g, '__GLOBSTAR_SLASH__') // Placeholder for **/
+            .replace(/\*\*/g, '__GLOBSTAR__') // Placeholder for **
+            .replace(/\*/g, '[^/]*') // * matches anything except /
+            .replace(/\?/g, '[^/]') // ? matches single character except /
+            // Restore placeholders
+            .replace(/__GLOBSTAR_SLASH__/g, '(.*/)?') // **/ matches zero or more dirs
+            .replace(/__GLOBSTAR__/g, '.*') + // ** matches anything including /
+        '$');
+}
+/**
+ * Generate a unique log tag for sandbox monitoring
+ * @param command - The command being executed (will be base64 encoded)
+ */
+function generateLogTag(command) {
+    const encodedCommand = encodeSandboxedCommand(command);
+    return `CMD64_${encodedCommand}_END_${sessionSuffix}`;
+}
+/**
+ * Get all ancestor directories for a path, up to (but not including) root
+ * Example: /private/tmp/test/file.txt -> ["/private/tmp/test", "/private/tmp", "/private"]
+ */
+function getAncestorDirectories(pathStr) {
+    const ancestors = [];
+    let currentPath = path.dirname(pathStr);
+    // Walk up the directory tree until we reach root
+    while (currentPath !== '/' && currentPath !== '.') {
+        ancestors.push(currentPath);
+        const parentPath = path.dirname(currentPath);
+        // Break if we've reached the top (path.dirname returns the same path for root)
+        if (parentPath === currentPath) {
+            break;
+        }
+        currentPath = parentPath;
+    }
+    return ancestors;
+}
+/**
+ * Generate deny rules for file movement (file-write-unlink) to protect paths
+ * This prevents bypassing read or write restrictions by moving files/directories
+ *
+ * @param pathPatterns - Array of path patterns to protect (can include globs)
+ * @param logTag - Log tag for sandbox violations
+ * @returns Array of sandbox profile rule lines
+ */
+function generateMoveBlockingRules(pathPatterns, logTag) {
+    const rules = [];
+    for (const pathPattern of pathPatterns) {
+        const normalizedPath = normalizePathForSandbox(pathPattern);
+        if (containsGlobChars(normalizedPath)) {
+            // Use regex matching for glob patterns
+            const regexPattern = globToRegex(normalizedPath);
+            // Block moving/renaming files matching this pattern
+            rules.push(`(deny file-write-unlink`, `  (regex ${escapePath(regexPattern)})`, `  (with message "${logTag}"))`);
+            // For glob patterns, extract the static prefix and block ancestor moves
+            // Remove glob characters to get the directory prefix
+            const staticPrefix = normalizedPath.split(/[*?[\]]/)[0];
+            if (staticPrefix && staticPrefix !== '/') {
+                // Get the directory containing the glob pattern
+                const baseDir = staticPrefix.endsWith('/')
+                    ? staticPrefix.slice(0, -1)
+                    : path.dirname(staticPrefix);
+                // Block moves of the base directory itself
+                rules.push(`(deny file-write-unlink`, `  (literal ${escapePath(baseDir)})`, `  (with message "${logTag}"))`);
+                // Block moves of ancestor directories
+                for (const ancestorDir of getAncestorDirectories(baseDir)) {
+                    rules.push(`(deny file-write-unlink`, `  (literal ${escapePath(ancestorDir)})`, `  (with message "${logTag}"))`);
+                }
+            }
+        }
+        else {
+            // Use subpath matching for literal paths
+            // Block moving/renaming the denied path itself
+            rules.push(`(deny file-write-unlink`, `  (subpath ${escapePath(normalizedPath)})`, `  (with message "${logTag}"))`);
+            // Block moves of ancestor directories
+            for (const ancestorDir of getAncestorDirectories(normalizedPath)) {
+                rules.push(`(deny file-write-unlink`, `  (literal ${escapePath(ancestorDir)})`, `  (with message "${logTag}"))`);
+            }
+        }
+    }
+    return rules;
+}
+/**
+ * Generate filesystem read rules for sandbox profile
+ */
+function generateReadRules(config, logTag) {
+    if (!config) {
+        return [`(allow file-read*)`];
+    }
+    const rules = [];
+    // Start by allowing everything
+    rules.push(`(allow file-read*)`);
+    // Then deny specific paths
+    for (const pathPattern of config.denyOnly || []) {
+        const normalizedPath = normalizePathForSandbox(pathPattern);
+        if (containsGlobChars(normalizedPath)) {
+            // Use regex matching for glob patterns
+            const regexPattern = globToRegex(normalizedPath);
+            rules.push(`(deny file-read*`, `  (regex ${escapePath(regexPattern)})`, `  (with message "${logTag}"))`);
+        }
+        else {
+            // Use subpath matching for literal paths
+            rules.push(`(deny file-read*`, `  (subpath ${escapePath(normalizedPath)})`, `  (with message "${logTag}"))`);
+        }
+    }
+    // Block file movement to prevent bypass via mv/rename
+    rules.push(...generateMoveBlockingRules(config.denyOnly || [], logTag));
+    return rules;
+}
+/**
+ * Generate filesystem write rules for sandbox profile
+ */
+async function generateWriteRules(config, logTag, ripgrepConfig = { command: 'rg' }) {
+    if (!config) {
+        return [`(allow file-write*)`];
+    }
+    const rules = [];
+    // Automatically allow TMPDIR parent on macOS when write restrictions are enabled
+    const tmpdirParents = getTmpdirParentIfMacOSPattern();
+    for (const tmpdirParent of tmpdirParents) {
+        const normalizedPath = normalizePathForSandbox(tmpdirParent);
+        rules.push(`(allow file-write*`, `  (subpath ${escapePath(normalizedPath)})`, `  (with message "${logTag}"))`);
+    }
+    // Generate allow rules
+    for (const pathPattern of config.allowOnly || []) {
+        const normalizedPath = normalizePathForSandbox(pathPattern);
+        if (containsGlobChars(normalizedPath)) {
+            // Use regex matching for glob patterns
+            const regexPattern = globToRegex(normalizedPath);
+            rules.push(`(allow file-write*`, `  (regex ${escapePath(regexPattern)})`, `  (with message "${logTag}"))`);
+        }
+        else {
+            // Use subpath matching for literal paths
+            rules.push(`(allow file-write*`, `  (subpath ${escapePath(normalizedPath)})`, `  (with message "${logTag}"))`);
+        }
+    }
+    // Combine user-specified and mandatory deny rules
+    const denyPaths = [
+        ...(config.denyWithinAllow || []),
+        ...(await getMandatoryDenyWithinAllow(ripgrepConfig)),
+    ];
+    for (const pathPattern of denyPaths) {
+        const normalizedPath = normalizePathForSandbox(pathPattern);
+        if (containsGlobChars(normalizedPath)) {
+            // Use regex matching for glob patterns
+            const regexPattern = globToRegex(normalizedPath);
+            rules.push(`(deny file-write*`, `  (regex ${escapePath(regexPattern)})`, `  (with message "${logTag}"))`);
+        }
+        else {
+            // Use subpath matching for literal paths
+            rules.push(`(deny file-write*`, `  (subpath ${escapePath(normalizedPath)})`, `  (with message "${logTag}"))`);
+        }
+    }
+    // Block file movement to prevent bypass via mv/rename
+    rules.push(...generateMoveBlockingRules(denyPaths, logTag));
+    return rules;
+}
+/**
+ * Generate complete sandbox profile
+ */
+async function generateSandboxProfile({ readConfig, writeConfig, httpProxyPort, socksProxyPort, needsNetworkRestriction, allowUnixSockets, allowAllUnixSockets, allowLocalBinding, logTag, ripgrepConfig = { command: 'rg' }, }) {
+    const profile = [
+        '(version 1)',
+        `(deny default (with message "${logTag}"))`,
+        '',
+        `; LogTag: ${logTag}`,
+        '',
+        '; Essential permissions - based on Chrome sandbox policy',
+        '; Process permissions',
+        '(allow process-exec)',
+        '(allow process-fork)',
+        '(allow process-info* (target same-sandbox))',
+        '(allow signal (target same-sandbox))',
+        '(allow mach-priv-task-port (target same-sandbox))',
+        '',
+        '; User preferences',
+        '(allow user-preference-read)',
+        '',
+        '; Mach IPC - specific services only (no wildcard)',
+        '(allow mach-lookup',
+        '  (global-name "com.apple.audio.systemsoundserver")',
+        '  (global-name "com.apple.distributed_notifications@Uv3")',
+        '  (global-name "com.apple.FontObjectsServer")',
+        '  (global-name "com.apple.fonts")',
+        '  (global-name "com.apple.logd")',
+        '  (global-name "com.apple.lsd.mapdb")',
+        '  (global-name "com.apple.PowerManagement.control")',
+        '  (global-name "com.apple.system.logger")',
+        '  (global-name "com.apple.system.notification_center")',
+        '  (global-name "com.apple.trustd.agent")',
+        '  (global-name "com.apple.system.opendirectoryd.libinfo")',
+        '  (global-name "com.apple.system.opendirectoryd.membership")',
+        '  (global-name "com.apple.bsd.dirhelper")',
+        '  (global-name "com.apple.securityd.xpc")',
+        // Voratiq: allow configd for network queries
+        '  (global-name "com.apple.SystemConfiguration.configd")',
+        '  (global-name "com.apple.coreservices.launchservicesd")',
+        ')',
+        '',
+        '; POSIX IPC - shared memory',
+        '(allow ipc-posix-shm)',
+        '',
+        '; POSIX IPC - semaphores for Python multiprocessing',
+        '(allow ipc-posix-sem)',
+        '',
+        '; IOKit - specific operations only',
+        '(allow iokit-open',
+        '  (iokit-registry-entry-class "IOSurfaceRootUserClient")',
+        '  (iokit-registry-entry-class "RootDomainUserClient")',
+        '  (iokit-user-client-class "IOSurfaceSendRight")',
+        ')',
+        '',
+        '; IOKit properties',
+        '(allow iokit-get-properties)',
+        '',
+        "; Specific safe system-sockets, doesn't allow network access",
+        '(allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2)))',
+        '',
+        '; sysctl - specific sysctls only',
+        '(allow sysctl-read',
+        '  (sysctl-name "hw.activecpu")',
+        '  (sysctl-name "hw.busfrequency_compat")',
+        '  (sysctl-name "hw.byteorder")',
+        '  (sysctl-name "hw.cacheconfig")',
+        '  (sysctl-name "hw.cachelinesize_compat")',
+        '  (sysctl-name "hw.cpufamily")',
+        '  (sysctl-name "hw.cpufrequency")',
+        '  (sysctl-name "hw.cpufrequency_compat")',
+        '  (sysctl-name "hw.cputype")',
+        '  (sysctl-name "hw.l1dcachesize_compat")',
+        '  (sysctl-name "hw.l1icachesize_compat")',
+        '  (sysctl-name "hw.l2cachesize_compat")',
+        '  (sysctl-name "hw.l3cachesize_compat")',
+        '  (sysctl-name "hw.logicalcpu")',
+        '  (sysctl-name "hw.logicalcpu_max")',
+        '  (sysctl-name "hw.machine")',
+        '  (sysctl-name "hw.memsize")',
+        '  (sysctl-name "hw.ncpu")',
+        '  (sysctl-name "hw.nperflevels")',
+        '  (sysctl-name "hw.packages")',
+        '  (sysctl-name "hw.pagesize_compat")',
+        '  (sysctl-name "hw.pagesize")',
+        '  (sysctl-name "hw.physicalcpu")',
+        '  (sysctl-name "hw.physicalcpu_max")',
+        '  (sysctl-name "hw.tbfrequency_compat")',
+        '  (sysctl-name "hw.vectorunit")',
+        '  (sysctl-name "kern.argmax")',
+        '  (sysctl-name "kern.bootargs")',
+        '  (sysctl-name "kern.hostname")',
+        '  (sysctl-name "kern.maxfiles")',
+        '  (sysctl-name "kern.maxfilesperproc")',
+        '  (sysctl-name "kern.maxproc")',
+        '  (sysctl-name "kern.ngroups")',
+        '  (sysctl-name "kern.osproductversion")',
+        '  (sysctl-name "kern.osrelease")',
+        '  (sysctl-name "kern.ostype")',
+        '  (sysctl-name "kern.osvariant_status")',
+        '  (sysctl-name "kern.osversion")',
+        '  (sysctl-name "kern.secure_kernel")',
+        '  (sysctl-name "kern.tcsm_available")',
+        '  (sysctl-name "kern.tcsm_enable")',
+        '  (sysctl-name "kern.usrstack64")',
+        '  (sysctl-name "kern.version")',
+        '  (sysctl-name "kern.willshutdown")',
+        '  (sysctl-name "machdep.cpu.brand_string")',
+        '  (sysctl-name "machdep.ptrauth_enabled")',
+        '  (sysctl-name "security.mac.lockdown_mode_state")',
+        '  (sysctl-name "sysctl.proc_cputype")',
+        '  (sysctl-name "vm.loadavg")',
+        '  (sysctl-name-prefix "hw.optional.arm")',
+        '  (sysctl-name-prefix "hw.optional.arm.")',
+        '  (sysctl-name-prefix "hw.optional.armv8_")',
+        '  (sysctl-name-prefix "hw.perflevel")',
+        '  (sysctl-name-prefix "kern.proc.pgrp.")',
+        '  (sysctl-name-prefix "kern.proc.pid.")',
+        '  (sysctl-name-prefix "machdep.cpu.")',
+        '  (sysctl-name-prefix "net.routetable.")',
+        ')',
+        '',
+        '; V8 thread calculations',
+        '(allow sysctl-write',
+        '  (sysctl-name "kern.tcsm_enable")',
+        ')',
+        '',
+        '; Distributed notifications',
+        '(allow distributed-notification-post)',
+        '',
+        '; Specific mach-lookup permissions for security operations',
+        '(allow mach-lookup (global-name "com.apple.SecurityServer"))',
+        // Voratiq: allow configd for network queries
+        '(allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))',
+        '',
+        '; File I/O on device files',
+        '(allow file-ioctl (literal "/dev/null"))',
+        '(allow file-ioctl (literal "/dev/zero"))',
+        '(allow file-ioctl (literal "/dev/random"))',
+        '(allow file-ioctl (literal "/dev/urandom"))',
+        '(allow file-ioctl (literal "/dev/dtracehelper"))',
+        '(allow file-ioctl (literal "/dev/tty"))',
+        '',
+        '(allow file-ioctl file-read-data file-write-data',
+        '  (require-all',
+        '    (literal "/dev/null")',
+        '    (vnode-type CHARACTER-DEVICE)',
+        '  )',
+        ')',
+        '',
+    ];
+    // Network rules
+    profile.push('; Network');
+    if (!needsNetworkRestriction) {
+        profile.push('(allow network*)');
+    }
+    else {
+        // Allow local binding if requested
+        if (allowLocalBinding) {
+            profile.push('(allow network-bind (local ip "localhost:*"))');
+            profile.push('(allow network-inbound (local ip "localhost:*"))');
+            profile.push('(allow network-outbound (local ip "localhost:*"))');
+        }
+        // Unix domain sockets for local IPC (SSH agent, Docker, etc.)
+        if (allowAllUnixSockets) {
+            // Allow all Unix socket paths
+            profile.push('(allow network* (subpath "/"))');
+        }
+        else if (allowUnixSockets && allowUnixSockets.length > 0) {
+            // Allow specific Unix socket paths
+            for (const socketPath of allowUnixSockets) {
+                const normalizedPath = normalizePathForSandbox(socketPath);
+                profile.push(`(allow network* (subpath ${escapePath(normalizedPath)}))`);
+            }
+        }
+        // If both allowAllUnixSockets and allowUnixSockets are false/undefined/empty, Unix sockets are blocked by default
+        // Allow localhost TCP operations for the HTTP proxy
+        if (httpProxyPort !== undefined) {
+            profile.push(`(allow network-bind (local ip "localhost:${httpProxyPort}"))`);
+            profile.push(`(allow network-inbound (local ip "localhost:${httpProxyPort}"))`);
+            profile.push(`(allow network-outbound (remote ip "localhost:${httpProxyPort}"))`);
+        }
+        // Allow localhost TCP operations for the SOCKS proxy
+        if (socksProxyPort !== undefined) {
+            profile.push(`(allow network-bind (local ip "localhost:${socksProxyPort}"))`);
+            profile.push(`(allow network-inbound (local ip "localhost:${socksProxyPort}"))`);
+            profile.push(`(allow network-outbound (remote ip "localhost:${socksProxyPort}"))`);
+        }
+    }
+    profile.push('');
+    // Read rules
+    profile.push('; File read');
+    profile.push(...generateReadRules(readConfig, logTag));
+    profile.push('');
+    // Write rules
+    profile.push('; File write');
+    profile.push(...(await generateWriteRules(writeConfig, logTag, ripgrepConfig)));
+    return profile.join('\n');
+}
+/**
+ * Escape path for sandbox profile using JSON.stringify for proper escaping
+ */
+function escapePath(pathStr) {
+    return JSON.stringify(pathStr);
+}
+/**
+ * Get TMPDIR parent directory if it matches macOS pattern /var/folders/XX/YYY/T/
+ * Returns both /var/ and /private/var/ versions since /var is a symlink
+ */
+function getTmpdirParentIfMacOSPattern() {
+    const tmpdir = process.env.TMPDIR;
+    if (!tmpdir)
+        return [];
+    const match = tmpdir.match(/^\/(private\/)?var\/folders\/[^/]{2}\/[^/]+\/T\/?$/);
+    if (!match)
+        return [];
+    const parent = tmpdir.replace(/\/T\/?$/, '');
+    // Return both /var/ and /private/var/ versions since /var is a symlink
+    if (parent.startsWith('/private/var/')) {
+        return [parent, parent.replace('/private', '')];
+    }
+    else if (parent.startsWith('/var/')) {
+        return [parent, '/private' + parent];
+    }
+    return [parent];
+}
+/**
+ * Wrap command with macOS sandbox
+ */
+export async function wrapCommandWithSandboxMacOS(params) {
+    const { command, httpProxyPort, socksProxyPort, needsNetworkRestriction, allowUnixSockets, allowAllUnixSockets, allowLocalBinding, readConfig, writeConfig, binShell, ripgrepConfig = { command: 'rg' }, } = params;
+    // No sandboxing needed
+    if (!needsNetworkRestriction && !readConfig && !writeConfig) {
+        return command;
+    }
+    const logTag = generateLogTag(command);
+    const profile = await generateSandboxProfile({
+        readConfig,
+        writeConfig,
+        httpProxyPort,
+        socksProxyPort,
+        needsNetworkRestriction,
+        allowUnixSockets,
+        allowAllUnixSockets,
+        allowLocalBinding,
+        logTag,
+        ripgrepConfig,
+    });
+    // Generate proxy environment variables using shared utility
+    const proxyEnv = `export ${generateProxyEnvVars(httpProxyPort, socksProxyPort).join(' ')} && `;
+    // Use the user's shell (zsh, bash, etc.) to ensure aliases/snapshots work
+    // Resolve the full path to the shell binary
+    const shellName = binShell || 'bash';
+    const shellPathResult = spawnSync('which', [shellName], { encoding: 'utf8' });
+    if (shellPathResult.status !== 0) {
+        throw new Error(`Shell '${shellName}' not found in PATH`);
+    }
+    const shell = shellPathResult.stdout.trim();
+    const wrappedCommand = shellquote.quote([
+        'sandbox-exec',
+        '-p',
+        profile,
+        shell,
+        '-c',
+        proxyEnv + command,
+    ]);
+    logForDebugging(`[Sandbox macOS] Applied restrictions - network: ${!!(httpProxyPort || socksProxyPort)}, read: ${readConfig
+        ? 'allowAllExcept' in readConfig
+            ? 'allowAllExcept'
+            : 'denyAllExcept'
+        : 'none'}, write: ${writeConfig
+        ? 'allowAllExcept' in writeConfig
+            ? 'allowAllExcept'
+            : 'denyAllExcept'
+        : 'none'}`);
+    return wrappedCommand;
+}
+/**
+ * Start monitoring macOS system logs for sandbox violations
+ * Look for sandbox-related kernel deny events ending in {logTag}
+ */
+export function startMacOSSandboxLogMonitor(callback, ignoreViolations) {
+    // Pre-compile regex patterns for better performance
+    const cmdExtractRegex = /CMD64_(.+?)_END/;
+    const sandboxExtractRegex = /Sandbox:\s+(.+)$/;
+    // Pre-process ignore patterns for faster lookup
+    const wildcardPaths = ignoreViolations?.['*'] || [];
+    const commandPatterns = ignoreViolations
+        ? Object.entries(ignoreViolations).filter(([pattern]) => pattern !== '*')
+        : [];
+    // Stream and filter kernel logs for all sandbox violations
+    // We can't filter by specific logTag since it's dynamic per command
+    const logProcess = spawn('log', [
+        'stream',
+        '--predicate',
+        `(eventMessage ENDSWITH "${sessionSuffix}")`,
+        '--style',
+        'compact',
+    ]);
+    logProcess.stdout?.on('data', (data) => {
+        const lines = data.toString().split('\n');
+        // Get violation and command lines
+        const violationLine = lines.find(line => line.includes('Sandbox:') && line.includes('deny'));
+        const commandLine = lines.find(line => line.startsWith('CMD64_'));
+        if (!violationLine)
+            return;
+        // Extract violation details
+        const sandboxMatch = violationLine.match(sandboxExtractRegex);
+        if (!sandboxMatch?.[1])
+            return;
+        const violationDetails = sandboxMatch[1];
+        // Try to get command
+        let command;
+        let encodedCommand;
+        if (commandLine) {
+            const cmdMatch = commandLine.match(cmdExtractRegex);
+            encodedCommand = cmdMatch?.[1];
+            if (encodedCommand) {
+                try {
+                    command = decodeSandboxedCommand(encodedCommand);
+                }
+                catch {
+                    // Failed to decode, continue without command
+                }
+            }
+        }
+        // Always filter out noisey violations
+        if (violationDetails.includes('mDNSResponder') ||
+            violationDetails.includes('mach-lookup com.apple.diagnosticd') ||
+            violationDetails.includes('mach-lookup com.apple.analyticsd')) {
+            return;
+        }
+        // Check if we should ignore this violation
+        if (ignoreViolations && command) {
+            // Check wildcard patterns first
+            if (wildcardPaths.length > 0) {
+                const shouldIgnore = wildcardPaths.some(path => violationDetails.includes(path));
+                if (shouldIgnore)
+                    return;
+            }
+            // Check command-specific patterns
+            for (const [pattern, paths] of commandPatterns) {
+                if (command.includes(pattern)) {
+                    const shouldIgnore = paths.some(path => violationDetails.includes(path));
+                    if (shouldIgnore)
+                        return;
+                }
+            }
+        }
+        // Not ignored - report the violation
+        callback({
+            line: violationDetails,
+            command,
+            encodedCommand,
+            timestamp: new Date(), // We could parse the timestamp from the log but this feels more reliable
+        });
+    });
+    logProcess.stderr?.on('data', (data) => {
+        logForDebugging(`[Sandbox Monitor] Log stream stderr: ${data.toString()}`);
+    });
+    logProcess.on('error', (error) => {
+        logForDebugging(`[Sandbox Monitor] Failed to start log stream: ${error.message}`);
+    });
+    logProcess.on('exit', (code) => {
+        logForDebugging(`[Sandbox Monitor] Log stream exited with code: ${code}`);
+    });
+    return () => {
+        logForDebugging('[Sandbox Monitor] Stopping log monitor');
+        logProcess.kill('SIGTERM');
+    };
+}
+//# sourceMappingURL=macos-sandbox-utils.js.map