@voratiq/sandbox-runtime 0.7.0-voratiq1

package/dist/sandbox/sandbox-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-manager.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAA;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAA;AAEzD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAEnD,OAAO,EAAE,WAAW,EAAiB,MAAM,sBAAsB,CAAA;AACjE,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AAQxB,OAAO,EACL,2BAA2B,EAC3B,4BAA4B,EAE5B,+BAA+B,GAChC,MAAM,0BAA0B,CAAA;AACjC,OAAO,EACL,2BAA2B,EAC3B,2BAA2B,GAC5B,MAAM,0BAA0B,CAAA;AACjC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAA;AACpE,OAAO,EAAE,GAAG,EAAE,MAAM,SAAS,CAAA;AAQ7B,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E,IAAI,MAAwC,CAAA;AAC5C,IAAI,eAAqE,CAAA;AACzE,IAAI,gBAA+C,CAAA;AACnD,IAAI,cAAqD,CAAA;AACzD,IAAI,qBAAqE,CAAA;AACzE,IAAI,iBAAiB,GAAG,KAAK,CAAA;AAC7B,IAAI,kBAA4C,CAAA;AAChD,MAAM,qBAAqB,GAAG,IAAI,qBAAqB,EAAE,CAAA;AACzD,IAAI,sBAA2C,CAAA;AAE/C,+EAA+E;AAC/E,0CAA0C;AAC1C,+EAA+E;AAE/E,SAAS,eAAe;IACtB,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAM;IACR,CAAC;IACD,MAAM,cAAc,GAAG,GAAG,EAAE,CAC1B,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;QAChB,eAAe,CAAC,qCAAqC,CAAC,EAAE,EAAE;YACxD,KAAK,EAAE,OAAO;SACf,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IACJ,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,cAAc,CAAC,CAAA;IACpC,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAA;IACtC,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAA;IACvC,iBAAiB,GAAG,IAAI,CAAA;AAC1B,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAgB,EAAE,OAAe;IAC7D,+CAA+C;IAC/C,4DAA4D;IAC5D,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA,CAAC,cAAc;QACtD,OAAO,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,GAAG,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC,CAAA;IACxE,CAAC;IAED,wCAAwC;IACxC,OAAO,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,WAAW,EAAE,CAAA;AACzD,CAAC;AAOD,SAAS,oBAAoB,CAC3B,QAA0B,EAC1B,MAAc,EACd,SAAS,GAAG,mBAAmB;IAE/B,OAAO;QACL,QAAQ;QACR,MAAM;QACN,UAAU,EAAE,SAAS;KACtB,CAAA;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,IAAY,EACZ,IAAY,EACZ,kBAAuC;IAEvC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,eAAe,CAAC,8CAA8C,CAAC,CAAA;QAC/D,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,oBAAoB,CAAC,MAAM,EAAE,wBAAwB,CAAC;SAChE,CAAA;IACH,CAAC;IAED,6BAA6B;IAC7B,KAAK,MAAM,YAAY,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;QACxD,IAAI,oBAAoB,CAAC,IAAI,EAAE,YAAY,CAAC,EAAE,CAAC;YAC7C,eAAe,CAAC,0BAA0B,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;YACzD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,oBAAoB,CAAC,MAAM,EAAE,YAAY,YAAY,EAAE,CAAC;aAClE,CAAA;QACH,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,KAAK,MAAM,aAAa,IAAI,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC1D,IAAI,oBAAoB,CAAC,IAAI,EAAE,aAAa,CAAC,EAAE,CAAC;YAC9C,eAAe,CAAC,2BAA2B,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;YAC1D,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,oBAAoB,CAAC,OAAO,EAAE,aAAa,aAAa,EAAE,CAAC;aACrE,CAAA;QACH,CAAC;IACH,CAAC;IAED,uCAAuC;IACvC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,eAAe,CAAC,qCAAqC,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;QACpE,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,oBAAoB,CAAC,MAAM,EAAE,kBAAkB,CAAC;SAC1D,CAAA;IACH,CAAC;IAED,eAAe,CAAC,yCAAyC,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;IACxE,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;QAC5D,IAAI,WAAW,EAAE,CAAC;YAChB,eAAe,CAAC,iBAAiB,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;YAChD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,oBAAoB,CAAC,OAAO,EAAE,eAAe,CAAC;aACxD,CAAA;QACH,CAAC;aAAM,CAAC;YACN,eAAe,CAAC,gBAAgB,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;YAC/C,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,oBAAoB,CAAC,MAAM,EAAE,sBAAsB,CAAC;aAC9D,CAAA;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAe,CAAC,iCAAiC,KAAK,EAAE,EAAE;YACxD,KAAK,EAAE,OAAO;SACf,CAAC,CAAA;QACF,OAAO;YACL,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,oBAAoB,CAAC,MAAM,EAAE,gBAAgB,CAAC;SACxD,CAAA;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,kBAAuC;IAEvC,eAAe,GAAG,qBAAqB,CAAC;QACtC,MAAM,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,EAAE,CACrC,oBAAoB,CAAC,IAAI,EAAE,IAAI,EAAE,kBAAkB,CAAC;KACvD,CAAC,CAAA;IAEF,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC,CAAA;YAC9D,OAAM;QACR,CAAC;QAED,MAAM,MAAM,GAAG,eAAe,CAAA;QAE9B,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;QAC5B,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE;YAC5B,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,CAAA;YAChC,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC3C,MAAM,CAAC,KAAK,EAAE,CAAA;gBACd,eAAe,CAAC,qCAAqC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;gBACpE,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;YACvB,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC,CAAA;YACzD,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,CAAC,CAAA;IAC/B,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,kBAAuC;IAEvC,gBAAgB,GAAG,sBAAsB,CAAC;QACxC,MAAM,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,EAAE,CACrC,oBAAoB,CAAC,IAAI,EAAE,IAAI,EAAE,kBAAkB,CAAC;KACvD,CAAC,CAAA;IAEF,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,0CAA0C;YAC1C,MAAM,CAAC,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC,CAAA;YAC/D,OAAM;QACR,CAAC;QAED,gBAAgB;aACb,MAAM,CAAC,CAAC,EAAE,WAAW,CAAC;aACtB,IAAI,CAAC,CAAC,IAAY,EAAE,EAAE;YACrB,gBAAgB,EAAE,KAAK,EAAE,CAAA;YACzB,OAAO,CAAC,IAAI,CAAC,CAAA;QACf,CAAC,CAAC;aACD,KAAK,CAAC,MAAM,CAAC,CAAA;IAClB,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,+EAA+E;AAC/E,2DAA2D;AAC3D,+EAA+E;AAE/E,KAAK,UAAU,UAAU,CACvB,aAAmC,EACnC,kBAAuC,EACvC,gBAAgB,GAAG,KAAK;IAExB,iCAAiC;IACjC,IAAI,qBAAqB,EAAE,CAAC;QAC1B,MAAM,qBAAqB,CAAA;QAC3B,OAAM;IACR,CAAC;IAED,0CAA0C;IAC1C,MAAM,GAAG,aAAa,CAAA;IAEtB,+DAA+D;IAC/D,IAAI,CAAC,iBAAiB,EAAE,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;QAC9B,IAAI,YAAY,GAAG,wDAAwD,CAAA;QAE3E,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACzB,YAAY,IAAI,yDAAyD,CAAA;QAC3E,CAAC;aAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAChC,YAAY,IAAI,0BAA0B,CAAA;QAC5C,CAAC;aAAM,CAAC;YACN,YAAY,IAAI,cAAc,QAAQ,qBAAqB,CAAA;QAC7D,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,CAAA;IAC/B,CAAC;IAED,yCAAyC;IACzC,IAAI,gBAAgB,IAAI,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;QAClD,kBAAkB,GAAG,2BAA2B,CAC9C,qBAAqB,CAAC,YAAY,CAAC,IAAI,CAAC,qBAAqB,CAAC,EAC9D,MAAM,CAAC,gBAAgB,CACxB,CAAA;QACD,eAAe,CAAC,mCAAmC,CAAC,CAAA;IACtD,CAAC;IAED,uCAAuC;IACvC,eAAe,EAAE,CAAA;IAEjB,oCAAoC;IACpC,qBAAqB,GAAG,CAAC,KAAK,IAAI,EAAE;QAClC,IAAI,CAAC;YACH,MAAM,0BAA0B,GAC9B,MAAM,CAAC,OAAO,CAAC,aAAa,KAAK,SAAS,CAAA;YAC5C,MAAM,2BAA2B,GAC/B,MAAM,CAAC,OAAO,CAAC,cAAc,KAAK,SAAS,CAAA;YAE7C,MAAM,CAAC,aAAa,EAAE,cAAc,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;gBACxD,0BAA0B;oBACxB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,aAAc,CAAC;oBAChD,CAAC,CAAC,oBAAoB,CAAC,kBAAkB,CAAC;gBAC5C,2BAA2B;oBACzB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,cAAe,CAAC;oBACjD,CAAC,CAAC,qBAAqB,CAAC,kBAAkB,CAAC;aAC9C,CAAC,CAAA;YAEF,IAAI,0BAA0B,EAAE,CAAC;gBAC/B,eAAe,CACb,qCAAqC,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,CACpE,CAAA;YACH,CAAC;YAED,IAAI,2BAA2B,EAAE,CAAC;gBAChC,eAAe,CACb,sCAAsC,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CACtE,CAAA;YACH,CAAC;YAED,8CAA8C;YAC9C,IAAI,WAAkD,CAAA;YACtD,IAAI,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;gBAC9B,WAAW,GAAG,MAAM,4BAA4B,CAC9C,aAAa,EACb,cAAc,CACf,CAAA;YACH,CAAC;YAED,MAAM,OAAO,GAA8B;gBACzC,aAAa;gBACb,cAAc;gBACd,WAAW;aACZ,CAAA;YACD,cAAc,GAAG,OAAO,CAAA;YACxB,eAAe,CAAC,oCAAoC,CAAC,CAAA;YACrD,OAAO,OAAO,CAAA;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,wDAAwD;YACxD,qBAAqB,GAAG,SAAS,CAAA;YACjC,cAAc,GAAG,SAAS,CAAA;YAC1B,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;gBAChB,eAAe,CAAC,2CAA2C,CAAC,EAAE,EAAE;oBAC9D,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;YACJ,CAAC,CAAC,CAAA;YACF,MAAM,KAAK,CAAA;QACb,CAAC;IACH,CAAC,CAAC,EAAE,CAAA;IAEJ,MAAM,qBAAqB,CAAA;AAC7B,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAkB;IAC7C,MAAM,kBAAkB,GAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IACzD,OAAO,kBAAkB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AAC9C,CAAC;AAED,SAAS,mBAAmB;IAC1B,kEAAkE;IAClE,OAAO,MAAM,KAAK,SAAS,CAAA;AAC7B,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB;IACxB,oCAAoC;IACpC,IAAI,sBAAsB,KAAK,SAAS,EAAE,CAAC;QACzC,OAAO,sBAAsB,CAAA;IAC/B,CAAC;IAED,SAAS,mBAAmB;QAC1B,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;QAE9B,yBAAyB;QACzB,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnC,OAAO,KAAK,CAAA;QACd,CAAC;QAED,qEAAqE;QACrE,iFAAiF;QACjF,MAAM,gBAAgB,GAAG,MAAM,EAAE,OAAO,EAAE,OAAO,KAAK,SAAS,CAAA;QAC/D,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,sCAAsC;YACtC,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;gBACtB,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;QAED,sCAAsC;QACtC,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACzB,MAAM,mBAAmB,GAAG,MAAM,EAAE,OAAO,EAAE,mBAAmB,IAAI,KAAK,CAAA;YACzE,OAAO,+BAA+B,CAAC,mBAAmB,CAAC,CAAA;QAC7D,CAAC;QAED,mDAAmD;QACnD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,sBAAsB,GAAG,mBAAmB,EAAE,CAAA;IAC9C,OAAO,sBAAsB,CAAA;AAC/B,CAAC;AACD,SAAS,eAAe;IACtB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAA;IACzB,CAAC;IAED,oCAAoC;IACpC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ;SACzC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC;SAC3C,MAAM,CAAC,IAAI,CAAC,EAAE;QACb,IAAI,WAAW,EAAE,KAAK,OAAO,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;YACzD,eAAe,CAAC,mCAAmC,IAAI,EAAE,CAAC,CAAA;YAC1D,OAAO,KAAK,CAAA;QACd,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC,CAAC,CAAA;IAEJ,OAAO;QACL,QAAQ,EAAE,SAAS;KACpB,CAAA;AACH,CAAC;AAED,SAAS,gBAAgB;IACvB,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,SAAS,EAAE,oBAAoB,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,CAAA;IACnE,CAAC;IAED,mDAAmD;IACnD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,UAAU;SAC5C,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC;SAC3C,MAAM,CAAC,IAAI,CAAC,EAAE;QACb,IAAI,WAAW,EAAE,KAAK,OAAO,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;YACzD,eAAe,CAAC,mCAAmC,IAAI,EAAE,CAAC,CAAA;YAC1D,OAAO,KAAK,CAAA;QACd,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC,CAAC,CAAA;IAEJ,kDAAkD;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,SAAS;SAC1C,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC;SAC3C,MAAM,CAAC,IAAI,CAAC,EAAE;QACb,IAAI,WAAW,EAAE,KAAK,OAAO,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;YACzD,eAAe,CAAC,mCAAmC,IAAI,EAAE,CAAC,CAAA;YAC1D,OAAO,KAAK,CAAA;QACd,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC,CAAC,CAAA;IAEJ,+DAA+D;IAC/D,MAAM,SAAS,GAAG,CAAC,GAAG,oBAAoB,EAAE,EAAE,GAAG,UAAU,CAAC,CAAA;IAE5D,OAAO;QACL,SAAS;QACT,eAAe,EAAE,SAAS;KAC3B,CAAA;AACH,CAAC;AAED,SAAS,2BAA2B;IAClC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC,cAAc,CAAA;IAClD,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,aAAa,CAAA;IAEhD,OAAO;QACL,GAAG,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;QAChD,GAAG,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC;KAC/C,CAAA;AACH,CAAC;AAED,SAAS,mBAAmB;IAC1B,OAAO,MAAM,EAAE,OAAO,EAAE,gBAAgB,CAAA;AAC1C,CAAC;AAED,SAAS,sBAAsB;IAC7B,OAAO,MAAM,EAAE,OAAO,EAAE,mBAAmB,CAAA;AAC7C,CAAC;AAED,SAAS,oBAAoB;IAC3B,OAAO,MAAM,EAAE,OAAO,EAAE,iBAAiB,CAAA;AAC3C,CAAC;AAED,SAAS,mBAAmB;IAC1B,OAAO,MAAM,EAAE,gBAAgB,CAAA;AACjC,CAAC;AAED,SAAS,4BAA4B;IACnC,OAAO,MAAM,EAAE,yBAAyB,CAAA;AAC1C,CAAC;AAED,SAAS,gBAAgB;IACvB,OAAO,MAAM,EAAE,OAAO,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;AAC7C,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,cAAc,EAAE,aAAa,CAAA;AACtC,CAAC;AAED,SAAS,iBAAiB;IACxB,OAAO,cAAc,EAAE,cAAc,CAAA;AACvC,CAAC;AAED,SAAS,sBAAsB;IAC7B,OAAO,cAAc,EAAE,WAAW,EAAE,cAAc,CAAA;AACpD,CAAC;AAED,SAAS,uBAAuB;IAC9B,OAAO,cAAc,EAAE,WAAW,EAAE,eAAe,CAAA;AACrD,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,4BAA4B;IACzC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,KAAK,CAAA;IACd,CAAC;IACD,IAAI,qBAAqB,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,qBAAqB,CAAA;YAC3B,OAAO,IAAI,CAAA;QACb,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IACD,OAAO,cAAc,KAAK,SAAS,CAAA;AACrC,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,OAAe,EACf,QAAiB;IAEjB,qCAAqC;IACrC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;IAE9B,kCAAkC;IAClC,MAAM,4BAA4B,EAAE,CAAA;IAEpC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,MAAM,2BAA2B,CAAC;gBACvC,OAAO;gBACP,aAAa,EAAE,YAAY,EAAE;gBAC7B,cAAc,EAAE,iBAAiB,EAAE;gBACnC,UAAU,EAAE,eAAe,EAAE;gBAC7B,WAAW,EAAE,gBAAgB,EAAE;gBAC/B,uBAAuB,EAAE,IAAI;gBAC7B,gBAAgB,EAAE,mBAAmB,EAAE;gBACvC,mBAAmB,EAAE,sBAAsB,EAAE;gBAC7C,iBAAiB,EAAE,oBAAoB,EAAE;gBACzC,gBAAgB,EAAE,mBAAmB,EAAE;gBACvC,QAAQ;gBACR,aAAa,EAAE,gBAAgB,EAAE;aAClC,CAAC,CAAA;QAEJ,KAAK,OAAO;YACV,OAAO,2BAA2B,CAAC;gBACjC,OAAO;gBACP,sBAAsB,EAAE,IAAI;gBAC5B,yBAAyB,EAAE,IAAI;gBAC/B,cAAc,EAAE,sBAAsB,EAAE;gBACxC,eAAe,EAAE,uBAAuB,EAAE;gBAC1C,aAAa,EAAE,cAAc,EAAE,aAAa;gBAC5C,cAAc,EAAE,cAAc,EAAE,cAAc;gBAC9C,UAAU,EAAE,eAAe,EAAE;gBAC7B,WAAW,EAAE,gBAAgB,EAAE;gBAC/B,yBAAyB,EAAE,4BAA4B,EAAE;gBACzD,mBAAmB,EAAE,sBAAsB,EAAE;gBAC7C,QAAQ;gBACR,aAAa,EAAE,gBAAgB,EAAE;aAClC,CAAC,CAAA;QAEJ;YACE,oGAAoG;YACpG,MAAM,IAAI,KAAK,CACb,uDAAuD,QAAQ,EAAE,CAClE,CAAA;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,KAAK;IAClB,mBAAmB;IACnB,IAAI,kBAAkB,EAAE,CAAC;QACvB,kBAAkB,EAAE,CAAA;QACpB,kBAAkB,GAAG,SAAS,CAAA;IAChC,CAAC;IAED,IAAI,cAAc,EAAE,WAAW,EAAE,CAAC;QAChC,MAAM,EACJ,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,kBAAkB,GACnB,GAAG,cAAc,CAAC,WAAW,CAAA;QAE9B,yCAAyC;QACzC,MAAM,YAAY,GAAoB,EAAE,CAAA;QAExC,2CAA2C;QAC3C,IAAI,iBAAiB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,CAAC;YACvD,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBAC9C,eAAe,CAAC,qCAAqC,CAAC,CAAA;gBAEtD,2BAA2B;gBAC3B,YAAY,CAAC,IAAI,CACf,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE;oBAC1B,iBAAiB,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE;wBAClC,eAAe,CAAC,4BAA4B,CAAC,CAAA;wBAC7C,OAAO,EAAE,CAAA;oBACX,CAAC,CAAC,CAAA;oBACF,0BAA0B;oBAC1B,UAAU,CAAC,GAAG,EAAE;wBACd,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,CAAC;4BAC9B,eAAe,CAAC,2CAA2C,EAAE;gCAC3D,KAAK,EAAE,MAAM;6BACd,CAAC,CAAA;4BACF,IAAI,CAAC;gCACH,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;oCAC1B,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gCAChD,CAAC;4BACH,CAAC;4BAAC,MAAM,CAAC;gCACP,kCAAkC;4BACpC,CAAC;wBACH,CAAC;wBACD,OAAO,EAAE,CAAA;oBACX,CAAC,EAAE,IAAI,CAAC,CAAA;gBACV,CAAC,CAAC,CACH,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAK,GAA6B,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBACpD,eAAe,CAAC,8BAA8B,GAAG,EAAE,EAAE;wBACnD,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,IAAI,kBAAkB,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;YACzD,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBAC/C,eAAe,CAAC,sCAAsC,CAAC,CAAA;gBAEvD,2BAA2B;gBAC3B,YAAY,CAAC,IAAI,CACf,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE;oBAC1B,kBAAkB,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE;wBACnC,eAAe,CAAC,6BAA6B,CAAC,CAAA;wBAC9C,OAAO,EAAE,CAAA;oBACX,CAAC,CAAC,CAAA;oBACF,0BAA0B;oBAC1B,UAAU,CAAC,GAAG,EAAE;wBACd,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;4BAC/B,eAAe,CAAC,4CAA4C,EAAE;gCAC5D,KAAK,EAAE,MAAM;6BACd,CAAC,CAAA;4BACF,IAAI,CAAC;gCACH,IAAI,kBAAkB,CAAC,GAAG,EAAE,CAAC;oCAC3B,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gCACjD,CAAC;4BACH,CAAC;4BAAC,MAAM,CAAC;gCACP,kCAAkC;4BACpC,CAAC;wBACH,CAAC;wBACD,OAAO,EAAE,CAAA;oBACX,CAAC,EAAE,IAAI,CAAC,CAAA;gBACV,CAAC,CAAC,CACH,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAK,GAA6B,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBACpD,eAAe,CAAC,+BAA+B,GAAG,EAAE,EAAE;wBACpD,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,MAAM,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QAE/B,mBAAmB;QACnB,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC;gBACH,EAAE,CAAC,MAAM,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;gBAC1C,eAAe,CAAC,wBAAwB,CAAC,CAAA;YAC3C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,eAAe,CAAC,8BAA8B,GAAG,EAAE,EAAE;oBACnD,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,CAAC;gBACH,EAAE,CAAC,MAAM,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;gBAC3C,eAAe,CAAC,yBAAyB,CAAC,CAAA;YAC5C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,eAAe,CAAC,+BAA+B,GAAG,EAAE,EAAE;oBACpD,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,aAAa,GAAoB,EAAE,CAAA;IAEzC,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,eAAe,CAAA,CAAC,8CAA8C;QAC7E,MAAM,SAAS,GAAG,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE;YAC5C,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;gBACnB,IAAI,KAAK,IAAI,KAAK,CAAC,OAAO,KAAK,wBAAwB,EAAE,CAAC;oBACxD,eAAe,CAAC,oCAAoC,KAAK,CAAC,OAAO,EAAE,EAAE;wBACnE,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;gBACJ,CAAC;gBACD,OAAO,EAAE,CAAA;YACX,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QACF,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IAC/B,CAAC;IAED,IAAI,gBAAgB,EAAE,CAAC;QACrB,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,KAAY,EAAE,EAAE;YACjE,eAAe,CAAC,qCAAqC,KAAK,CAAC,OAAO,EAAE,EAAE;gBACpE,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QACF,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAChC,CAAC;IAED,gCAAgC;IAChC,MAAM,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IAEhC,mBAAmB;IACnB,eAAe,GAAG,SAAS,CAAA;IAC3B,gBAAgB,GAAG,SAAS,CAAA;IAC5B,cAAc,GAAG,SAAS,CAAA;IAC1B,qBAAqB,GAAG,SAAS,CAAA;IACjC,sBAAsB,GAAG,SAAS,CAAA;AACpC,CAAC;AAED,SAAS,wBAAwB;IAC/B,OAAO,qBAAqB,CAAA;AAC9B,CAAC;AAED,SAAS,iCAAiC,CACxC,OAAe,EACf,MAAc;IAEd,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,MAAM,CAAA;IACf,CAAC;IAED,MAAM,UAAU,GAAG,qBAAqB,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAA;IACzE,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,MAAM,CAAA;IACf,CAAC;IAED,IAAI,SAAS,GAAG,MAAM,CAAA;IACtB,SAAS,IAAI,GAAG,GAAG,sBAAsB,GAAG,GAAG,CAAA;IAC/C,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,SAAS,IAAI,SAAS,CAAC,IAAI,GAAG,GAAG,CAAA;IACnC,CAAC;IACD,SAAS,IAAI,uBAAuB,CAAA;IAEpC,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,2BAA2B;IAClC,qBAAqB;IACrB,oDAAoD;IACpD,IAAI,WAAW,EAAE,KAAK,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;QACzC,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,YAAY,GAAa,EAAE,CAAA;IAEjC,2CAA2C;IAC3C,MAAM,QAAQ,GAAG;QACf,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ;QAC7B,GAAG,MAAM,CAAC,UAAU,CAAC,UAAU;QAC/B,GAAG,MAAM,CAAC,UAAU,CAAC,SAAS;KAC/B,CAAA;IAED,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,qFAAqF;QACrF,MAAM,uBAAuB,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAA;QAE9D,2EAA2E;QAC3E,IAAI,iBAAiB,CAAC,uBAAuB,CAAC,EAAE,CAAC;YAC/C,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACzB,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAA;AACrB,CAAC;AAoCD,+EAA+E;AAC/E,qCAAqC;AACrC,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAoB;IAC7C,UAAU;IACV,mBAAmB;IACnB,mBAAmB;IACnB,iBAAiB;IACjB,eAAe;IACf,gBAAgB;IAChB,2BAA2B;IAC3B,mBAAmB;IACnB,oBAAoB;IACpB,4BAA4B;IAC5B,YAAY;IACZ,iBAAiB;IACjB,sBAAsB;IACtB,uBAAuB;IACvB,4BAA4B;IAC5B,eAAe;IACf,KAAK;IACL,wBAAwB;IACxB,iCAAiC;IACjC,2BAA2B;CACnB,CAAA"}

package/dist/sandbox/sandbox-schemas.d.ts

@@ -0,0 +1,17 @@
+export interface FsReadRestrictionConfig {
+    denyOnly: string[];
+}
+export interface FsWriteRestrictionConfig {
+    allowOnly: string[];
+    denyWithinAllow: string[];
+}
+export interface NetworkRestrictionConfig {
+    allowedHosts?: string[];
+    deniedHosts?: string[];
+}
+export type NetworkHostPattern = {
+    host: string;
+    port: number | undefined;
+};
+export type SandboxAskCallback = (params: NetworkHostPattern) => Promise<boolean>;
+//# sourceMappingURL=sandbox-schemas.d.ts.map

package/dist/sandbox/sandbox-schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-schemas.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-schemas.ts"],"names":[],"mappings":"AACA,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB;AAED,MAAM,WAAW,wBAAwB;IACvC,SAAS,EAAE,MAAM,EAAE,CAAA;IACnB,eAAe,EAAE,MAAM,EAAE,CAAA;CAC1B;AAGD,MAAM,WAAW,wBAAwB;IACvC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;CACvB;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,GAAG,SAAS,CAAA;CACzB,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,CAC/B,MAAM,EAAE,kBAAkB,KACvB,OAAO,CAAC,OAAO,CAAC,CAAA"}

package/dist/sandbox/sandbox-schemas.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=sandbox-schemas.js.map

package/dist/sandbox/sandbox-schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-schemas.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-schemas.ts"],"names":[],"mappings":""}

package/dist/sandbox/sandbox-utils.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Check if a path pattern contains glob characters
+ */
+export declare function containsGlobChars(pathPattern: string): boolean;
+/**
+ * Remove trailing /** glob suffix from a path pattern
+ * Used to normalize path patterns since /** just means "directory and everything under it"
+ */
+export declare function removeTrailingGlobSuffix(pathPattern: string): string;
+/**
+ * Normalize a path for use in sandbox configurations
+ * Handles:
+ * - Tilde (~) expansion for home directory
+ * - Relative paths (./foo, ../foo, etc.) converted to absolute
+ * - Absolute paths remain unchanged
+ * - Symlinks are resolved to their real paths for non-glob patterns
+ * - Glob patterns preserve wildcards after path normalization
+ *
+ * Returns the absolute path with symlinks resolved (or normalized glob pattern)
+ */
+export declare function normalizePathForSandbox(pathPattern: string): string;
+/**
+ * Get recommended system paths that should be writable for commands to work properly
+ *
+ * WARNING: These default paths are intentionally broad for compatibility but may
+ * allow access to files from other processes. In highly security-sensitive
+ * environments, you should configure more restrictive write paths.
+ */
+export declare function getDefaultWritePaths(): string[];
+/**
+ * Get mandatory deny paths within allowed write areas
+ * This uses ripgrep to scan the filesystem for dangerous files and directories
+ * Returns absolute paths that must be blocked from writes
+ * @param ripgrepConfig Ripgrep configuration (command and optional args)
+ */
+export declare function getMandatoryDenyWithinAllow(ripgrepConfig?: {
+    command: string;
+    args?: string[];
+}): Promise<string[]>;
+/**
+ * Generate proxy environment variables for sandboxed processes
+ */
+export declare function generateProxyEnvVars(httpProxyPort?: number, socksProxyPort?: number): string[];
+/**
+ * Encode a command for sandbox monitoring
+ * Truncates to 100 chars and base64 encodes to avoid parsing issues
+ */
+export declare function encodeSandboxedCommand(command: string): string;
+/**
+ * Decode a base64-encoded command from sandbox monitoring
+ */
+export declare function decodeSandboxedCommand(encodedCommand: string): string;
+//# sourceMappingURL=sandbox-utils.d.ts.map

package/dist/sandbox/sandbox-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-utils.ts"],"names":[],"mappings":"AAyCA;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAO9D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAEpE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAiDnE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAiB/C;AAED;;;;;GAKG;AACH,wBAAsB,2BAA2B,CAC/C,aAAa,GAAE;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;CAAsB,GACtE,OAAO,CAAC,MAAM,EAAE,CAAC,CAwKnB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,aAAa,CAAC,EAAE,MAAM,EACtB,cAAc,CAAC,EAAE,MAAM,GACtB,MAAM,EAAE,CA6FV;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAG9D;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAErE"}

package/dist/sandbox/sandbox-utils.js

@@ -0,0 +1,368 @@
+import { homedir } from 'os';
+import * as path from 'path';
+import * as fs from 'fs';
+import { getPlatform } from '../utils/platform.js';
+import { ripGrep } from '../utils/ripgrep.js';
+/**
+ * Dangerous files that should be protected from writes.
+ * These files can be used for code execution or data exfiltration.
+ */
+const DANGEROUS_FILES = [
+    '.gitconfig',
+    '.gitmodules',
+    '.bashrc',
+    '.bash_profile',
+    '.zshrc',
+    '.zprofile',
+    '.profile',
+    '.ripgreprc',
+    '.mcp.json',
+];
+/**
+ * Dangerous directories that should be protected from writes.
+ * These directories contain sensitive configuration or executable files.
+ */
+const DANGEROUS_DIRECTORIES = ['.git', '.vscode', '.idea'];
+/**
+ * Normalizes a path for case-insensitive comparison.
+ * This prevents bypassing security checks using mixed-case paths on case-insensitive
+ * filesystems (macOS/Windows) like `.cLauDe/Settings.locaL.json`.
+ *
+ * We always normalize to lowercase regardless of platform for consistent security.
+ * @param path The path to normalize
+ * @returns The lowercase path for safe comparison
+ */
+function normalizeCaseForComparison(pathStr) {
+    return pathStr.toLowerCase();
+}
+/**
+ * Check if a path pattern contains glob characters
+ */
+export function containsGlobChars(pathPattern) {
+    return (pathPattern.includes('*') ||
+        pathPattern.includes('?') ||
+        pathPattern.includes('[') ||
+        pathPattern.includes(']'));
+}
+/**
+ * Remove trailing /** glob suffix from a path pattern
+ * Used to normalize path patterns since /** just means "directory and everything under it"
+ */
+export function removeTrailingGlobSuffix(pathPattern) {
+    return pathPattern.replace(/\/\*\*$/, '');
+}
+/**
+ * Normalize a path for use in sandbox configurations
+ * Handles:
+ * - Tilde (~) expansion for home directory
+ * - Relative paths (./foo, ../foo, etc.) converted to absolute
+ * - Absolute paths remain unchanged
+ * - Symlinks are resolved to their real paths for non-glob patterns
+ * - Glob patterns preserve wildcards after path normalization
+ *
+ * Returns the absolute path with symlinks resolved (or normalized glob pattern)
+ */
+export function normalizePathForSandbox(pathPattern) {
+    const cwd = process.cwd();
+    let normalizedPath = pathPattern;
+    // Expand ~ to home directory
+    if (pathPattern === '~') {
+        normalizedPath = homedir();
+    }
+    else if (pathPattern.startsWith('~/')) {
+        normalizedPath = homedir() + pathPattern.slice(1);
+    }
+    else if (pathPattern.startsWith('./') || pathPattern.startsWith('../')) {
+        // Convert relative to absolute based on current working directory
+        normalizedPath = path.resolve(cwd, pathPattern);
+    }
+    else if (!path.isAbsolute(pathPattern)) {
+        // Handle other relative paths (e.g., ".", "..", "foo/bar")
+        normalizedPath = path.resolve(cwd, pathPattern);
+    }
+    // For glob patterns, resolve symlinks for the directory portion only
+    if (containsGlobChars(normalizedPath)) {
+        // Extract the static directory prefix before glob characters
+        const staticPrefix = normalizedPath.split(/[*?[\]]/)[0];
+        if (staticPrefix && staticPrefix !== '/') {
+            // Get the directory containing the glob pattern
+            // If staticPrefix ends with /, remove it to get the directory
+            const baseDir = staticPrefix.endsWith('/')
+                ? staticPrefix.slice(0, -1)
+                : path.dirname(staticPrefix);
+            // Try to resolve symlinks for the base directory
+            try {
+                const resolvedBaseDir = fs.realpathSync(baseDir);
+                // Reconstruct the pattern with the resolved directory
+                const patternSuffix = normalizedPath.slice(baseDir.length);
+                return resolvedBaseDir + patternSuffix;
+            }
+            catch {
+                // If directory doesn't exist or can't be resolved, keep the original pattern
+            }
+        }
+        return normalizedPath;
+    }
+    // Resolve symlinks to real paths to avoid bwrap issues
+    try {
+        normalizedPath = fs.realpathSync(normalizedPath);
+    }
+    catch {
+        // If path doesn't exist or can't be resolved, keep the normalized path
+    }
+    return normalizedPath;
+}
+/**
+ * Get recommended system paths that should be writable for commands to work properly
+ *
+ * WARNING: These default paths are intentionally broad for compatibility but may
+ * allow access to files from other processes. In highly security-sensitive
+ * environments, you should configure more restrictive write paths.
+ */
+export function getDefaultWritePaths() {
+    const homeDir = homedir();
+    const recommendedPaths = [
+        '/dev/stdout',
+        '/dev/stderr',
+        '/dev/null',
+        '/dev/tty',
+        '/dev/dtracehelper',
+        '/dev/autofs_nowait',
+        '/tmp/claude',
+        '/private/tmp/claude',
+        path.join(homeDir, '.npm/_logs'),
+        path.join(homeDir, '.claude/debug'),
+        '.',
+    ];
+    return recommendedPaths;
+}
+/**
+ * Get mandatory deny paths within allowed write areas
+ * This uses ripgrep to scan the filesystem for dangerous files and directories
+ * Returns absolute paths that must be blocked from writes
+ * @param ripgrepConfig Ripgrep configuration (command and optional args)
+ */
+export async function getMandatoryDenyWithinAllow(ripgrepConfig = { command: 'rg' }) {
+    const denyPaths = [];
+    const cwd = process.cwd();
+    // Always deny writes to settings.json files
+    // Block in home directory
+    denyPaths.push(path.join(homedir(), '.claude', 'settings.json'));
+    // Block in current directory
+    denyPaths.push(path.resolve(cwd, '.claude', 'settings.json'));
+    denyPaths.push(path.resolve(cwd, '.claude', 'settings.local.json'));
+    // Use shared constants for dangerous files
+    const dangerousFiles = [...DANGEROUS_FILES];
+    // Use shared constants plus additional Claude-specific directories
+    // Note: We don't include .git as a whole directory since we need it to be writable for git operations
+    // Instead, we'll block specific dangerous paths within .git (hooks and config) below
+    const dangerousDirectories = [
+        ...DANGEROUS_DIRECTORIES.filter(d => d !== '.git'),
+        '.claude/commands',
+        '.claude/agents',
+    ];
+    // Create an AbortController for ripgrep operations
+    const abortController = new AbortController();
+    // Add absolute paths for dangerous files in CWD
+    for (const fileName of dangerousFiles) {
+        // Always include the potential path in CWD (even if file doesn't exist yet)
+        const cwdFilePath = path.resolve(cwd, fileName);
+        denyPaths.push(cwdFilePath);
+        // Find all existing instances of this file in CWD and subdirectories using ripgrep
+        try {
+            // Use ripgrep to find files with exact name match (case-insensitive)
+            // -g/--glob: Include/exclude files matching this glob pattern
+            // --files: List files that would be searched
+            // --hidden: Search hidden files
+            // --iglob: Case-insensitive glob matching to catch .Bashrc, .BASHRC, etc.
+            const matches = await ripGrep([
+                '--files',
+                '--hidden',
+                '--iglob',
+                fileName,
+                '-g',
+                '!**/node_modules/**',
+            ], cwd, abortController.signal, ripgrepConfig);
+            // Convert relative paths to absolute paths
+            const absoluteMatches = matches.map(match => path.resolve(cwd, match));
+            denyPaths.push(...absoluteMatches);
+        }
+        catch (error) {
+            // If ripgrep fails, we cannot safely determine all dangerous files
+            throw new Error(`Failed to scan for dangerous file "${fileName}": ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    // Add absolute paths for dangerous directories in CWD
+    for (const dirName of dangerousDirectories) {
+        // Always include the potential path in CWD (even if directory doesn't exist yet)
+        const cwdDirPath = path.resolve(cwd, dirName);
+        denyPaths.push(cwdDirPath);
+        // Find all existing instances of this directory in CWD and subdirectories using ripgrep
+        try {
+            // Use ripgrep to find directories (case-insensitive)
+            // Note: ripgrep lists files, so we need to find files within these directories
+            // and then extract the directory paths
+            const pattern = `**/${dirName}/**`;
+            const matches = await ripGrep([
+                '--files',
+                '--hidden',
+                '--iglob',
+                pattern,
+                '-g',
+                '!**/node_modules/**',
+            ], cwd, abortController.signal, ripgrepConfig);
+            // Extract directory paths from file paths
+            const dirPaths = new Set();
+            for (const match of matches) {
+                const absolutePath = path.resolve(cwd, match);
+                // Find the dangerous directory in the path (case-insensitive)
+                const segments = absolutePath.split(path.sep);
+                const normalizedDirName = normalizeCaseForComparison(dirName);
+                // Find the directory using case-insensitive comparison
+                const dirIndex = segments.findIndex(segment => normalizeCaseForComparison(segment) === normalizedDirName);
+                if (dirIndex !== -1) {
+                    // Reconstruct path up to and including the dangerous directory
+                    const dirPath = segments.slice(0, dirIndex + 1).join(path.sep);
+                    dirPaths.add(dirPath);
+                }
+            }
+            denyPaths.push(...dirPaths);
+        }
+        catch (error) {
+            // If ripgrep fails, we cannot safely determine all dangerous directories
+            throw new Error(`Failed to scan for dangerous directory "${dirName}": ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    // Special handling for dangerous .git paths
+    // We block specific paths within .git that can be used for code execution
+    const dangerousGitPaths = [
+        '.git/hooks', // Block all hook files to prevent code execution via git hooks
+        '.git/config', // Block config file to prevent dangerous config options like core.fsmonitor
+    ];
+    for (const gitPath of dangerousGitPaths) {
+        // Add the path in the current working directory
+        const absoluteGitPath = path.resolve(cwd, gitPath);
+        denyPaths.push(absoluteGitPath);
+        // Also find .git directories in subdirectories and block their hooks/config
+        // This handles nested repositories (case-insensitive)
+        try {
+            // Find all .git directories by looking for .git/HEAD files (case-insensitive)
+            const gitHeadFiles = await ripGrep([
+                '--files',
+                '--hidden',
+                '--iglob',
+                '**/.git/HEAD',
+                '-g',
+                '!**/node_modules/**',
+            ], cwd, abortController.signal, ripgrepConfig);
+            for (const gitHeadFile of gitHeadFiles) {
+                // Get the .git directory path
+                const gitDir = path.dirname(gitHeadFile);
+                // Add the dangerous path within this .git directory
+                if (gitPath === '.git/hooks') {
+                    const hooksPath = path.join(gitDir, 'hooks');
+                    denyPaths.push(hooksPath);
+                }
+                else if (gitPath === '.git/config') {
+                    const configPath = path.join(gitDir, 'config');
+                    denyPaths.push(configPath);
+                }
+            }
+        }
+        catch (error) {
+            // If ripgrep fails, we cannot safely determine all .git repositories
+            throw new Error(`Failed to scan for .git directories: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    // Remove duplicates and return
+    return Array.from(new Set(denyPaths));
+}
+/**
+ * Generate proxy environment variables for sandboxed processes
+ */
+export function generateProxyEnvVars(httpProxyPort, socksProxyPort) {
+    const envVars = [`SANDBOX_RUNTIME=1`, `TMPDIR=/tmp/claude`];
+    // If no proxy ports provided, return minimal env vars
+    if (!httpProxyPort && !socksProxyPort) {
+        return envVars;
+    }
+    // Always set NO_PROXY to exclude localhost and private networks from proxying
+    const noProxyAddresses = [
+        'localhost',
+        '127.0.0.1',
+        '::1',
+        '*.local',
+        '.local',
+        '169.254.0.0/16', // Link-local
+        '10.0.0.0/8', // Private network
+        '172.16.0.0/12', // Private network
+        '192.168.0.0/16', // Private network
+    ].join(',');
+    envVars.push(`NO_PROXY=${noProxyAddresses}`);
+    envVars.push(`no_proxy=${noProxyAddresses}`);
+    if (httpProxyPort) {
+        envVars.push(`HTTP_PROXY=http://localhost:${httpProxyPort}`);
+        envVars.push(`HTTPS_PROXY=http://localhost:${httpProxyPort}`);
+        // Lowercase versions for compatibility with some tools
+        envVars.push(`http_proxy=http://localhost:${httpProxyPort}`);
+        envVars.push(`https_proxy=http://localhost:${httpProxyPort}`);
+    }
+    if (socksProxyPort) {
+        // Use socks5h:// for proper DNS resolution through proxy
+        envVars.push(`ALL_PROXY=socks5h://localhost:${socksProxyPort}`);
+        envVars.push(`all_proxy=socks5h://localhost:${socksProxyPort}`);
+        // Configure Git to use SSH through SOCKS proxy (platform-aware)
+        if (getPlatform() === 'macos') {
+            // macOS has nc available
+            envVars.push(`GIT_SSH_COMMAND="ssh -o ProxyCommand='nc -X 5 -x localhost:${socksProxyPort} %h %p'"`);
+        }
+        // FTP proxy support (use socks5h for DNS resolution through proxy)
+        envVars.push(`FTP_PROXY=socks5h://localhost:${socksProxyPort}`);
+        envVars.push(`ftp_proxy=socks5h://localhost:${socksProxyPort}`);
+        // rsync proxy support
+        envVars.push(`RSYNC_PROXY=localhost:${socksProxyPort}`);
+        // Database tools NOTE: Most database clients don't have built-in proxy support
+        // You typically need to use SSH tunneling or a SOCKS wrapper like tsocks/proxychains
+        // Docker CLI uses HTTP for the API
+        // This makes Docker use the HTTP proxy for registry operations
+        envVars.push(`DOCKER_HTTP_PROXY=http://localhost:${httpProxyPort || socksProxyPort}`);
+        envVars.push(`DOCKER_HTTPS_PROXY=http://localhost:${httpProxyPort || socksProxyPort}`);
+        // Kubernetes kubectl - uses standard HTTPS_PROXY
+        // kubectl respects HTTPS_PROXY which we already set above
+        // AWS CLI - uses standard HTTPS_PROXY (v2 supports it well)
+        // AWS CLI v2 respects HTTPS_PROXY which we already set above
+        // Google Cloud SDK - has specific proxy settings
+        // Use HTTPS proxy to match other HTTP-based tools
+        if (httpProxyPort) {
+            envVars.push(`CLOUDSDK_PROXY_TYPE=https`);
+            envVars.push(`CLOUDSDK_PROXY_ADDRESS=localhost`);
+            envVars.push(`CLOUDSDK_PROXY_PORT=${httpProxyPort}`);
+        }
+        // Azure CLI - uses HTTPS_PROXY
+        // Azure CLI respects HTTPS_PROXY which we already set above
+        // Terraform - uses standard HTTP/HTTPS proxy vars
+        // Terraform respects HTTP_PROXY/HTTPS_PROXY which we already set above
+        // gRPC-based tools - use standard proxy vars
+        envVars.push(`GRPC_PROXY=socks5h://localhost:${socksProxyPort}`);
+        envVars.push(`grpc_proxy=socks5h://localhost:${socksProxyPort}`);
+    }
+    // WARNING: Do not set HTTP_PROXY/HTTPS_PROXY to SOCKS URLs when only SOCKS proxy is available
+    // Most HTTP clients do not support SOCKS URLs in these variables and will fail, and we want
+    // to avoid overriding the client otherwise respecting the ALL_PROXY env var which points to SOCKS.
+    return envVars;
+}
+/**
+ * Encode a command for sandbox monitoring
+ * Truncates to 100 chars and base64 encodes to avoid parsing issues
+ */
+export function encodeSandboxedCommand(command) {
+    const truncatedCommand = command.slice(0, 100);
+    return Buffer.from(truncatedCommand).toString('base64');
+}
+/**
+ * Decode a base64-encoded command from sandbox monitoring
+ */
+export function decodeSandboxedCommand(encodedCommand) {
+    return Buffer.from(encodedCommand, 'base64').toString('utf8');
+}
+//# sourceMappingURL=sandbox-utils.js.map

package/dist/sandbox/sandbox-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAA;AAC5B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAClD,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAE7C;;;GAGG;AACH,MAAM,eAAe,GAAG;IACtB,YAAY;IACZ,aAAa;IACb,SAAS;IACT,eAAe;IACf,QAAQ;IACR,WAAW;IACX,UAAU;IACV,YAAY;IACZ,WAAW;CACH,CAAA;AAEV;;;GAGG;AACH,MAAM,qBAAqB,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAU,CAAA;AAEnE;;;;;;;;GAQG;AACH,SAAS,0BAA0B,CAAC,OAAe;IACjD,OAAO,OAAO,CAAC,WAAW,EAAE,CAAA;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAAmB;IACnD,OAAO,CACL,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QACzB,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAC1B,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAAmB;IAC1D,OAAO,WAAW,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;AAC3C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,WAAmB;IACzD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IACzB,IAAI,cAAc,GAAG,WAAW,CAAA;IAEhC,6BAA6B;IAC7B,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;QACxB,cAAc,GAAG,OAAO,EAAE,CAAA;IAC5B,CAAC;SAAM,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,cAAc,GAAG,OAAO,EAAE,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IACnD,CAAC;SAAM,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACzE,kEAAkE;QAClE,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IACjD,CAAC;SAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACzC,2DAA2D;QAC3D,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IACjD,CAAC;IAED,qEAAqE;IACrE,IAAI,iBAAiB,CAAC,cAAc,CAAC,EAAE,CAAC;QACtC,6DAA6D;QAC7D,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAA;QACvD,IAAI,YAAY,IAAI,YAAY,KAAK,GAAG,EAAE,CAAC;YACzC,gDAAgD;YAChD,8DAA8D;YAC9D,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC;gBACxC,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBAC3B,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAA;YAE9B,iDAAiD;YACjD,IAAI,CAAC;gBACH,MAAM,eAAe,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAA;gBAChD,sDAAsD;gBACtD,MAAM,aAAa,GAAG,cAAc,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;gBAC1D,OAAO,eAAe,GAAG,aAAa,CAAA;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,6EAA6E;YAC/E,CAAC;QACH,CAAC;QACD,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,uDAAuD;IACvD,IAAI,CAAC;QACH,cAAc,GAAG,EAAE,CAAC,YAAY,CAAC,cAAc,CAAC,CAAA;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,uEAAuE;IACzE,CAAC;IAED,OAAO,cAAc,CAAA;AACvB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,OAAO,GAAG,OAAO,EAAE,CAAA;IACzB,MAAM,gBAAgB,GAAG;QACvB,aAAa;QACb,aAAa;QACb,WAAW;QACX,UAAU;QACV,mBAAmB;QACnB,oBAAoB;QACpB,aAAa;QACb,qBAAqB;QACrB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC;QACnC,GAAG;KACJ,CAAA;IAED,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,gBAAsD,EAAE,OAAO,EAAE,IAAI,EAAE;IAEvE,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IAEzB,4CAA4C;IAC5C,0BAA0B;IAC1B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAA;IAChE,6BAA6B;IAC7B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAA;IAC7D,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC,CAAA;IAEnE,2CAA2C;IAC3C,MAAM,cAAc,GAAG,CAAC,GAAG,eAAe,CAAC,CAAA;IAE3C,mEAAmE;IACnE,sGAAsG;IACtG,qFAAqF;IACrF,MAAM,oBAAoB,GAAG;QAC3B,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC;QAClD,kBAAkB;QAClB,gBAAgB;KACjB,CAAA;IAED,mDAAmD;IACnD,MAAM,eAAe,GAAG,IAAI,eAAe,EAAE,CAAA;IAE7C,gDAAgD;IAChD,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;QACtC,4EAA4E;QAC5E,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;QAC/C,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QAE3B,mFAAmF;QACnF,IAAI,CAAC;YACH,qEAAqE;YACrE,8DAA8D;YAC9D,6CAA6C;YAC7C,gCAAgC;YAChC,0EAA0E;YAC1E,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,QAAQ;gBACR,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,EACtB,aAAa,CACd,CAAA;YACD,2CAA2C;YAC3C,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;YACtE,SAAS,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAA;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,mEAAmE;YACnE,MAAM,IAAI,KAAK,CACb,sCAAsC,QAAQ,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7G,CAAA;QACH,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,iFAAiF;QACjF,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC7C,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAE1B,wFAAwF;QACxF,IAAI,CAAC;YACH,qDAAqD;YACrD,+EAA+E;YAC/E,uCAAuC;YACvC,MAAM,OAAO,GAAG,MAAM,OAAO,KAAK,CAAA;YAClC,MAAM,OAAO,GAAG,MAAM,OAAO,CAC3B;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,OAAO;gBACP,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,EACtB,aAAa,CACd,CAAA;YAED,0CAA0C;YAC1C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAA;YAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;gBAC7C,8DAA8D;gBAC9D,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBAC7C,MAAM,iBAAiB,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAA;gBAC7D,uDAAuD;gBACvD,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CACjC,OAAO,CAAC,EAAE,CAAC,0BAA0B,CAAC,OAAO,CAAC,KAAK,iBAAiB,CACrE,CAAA;gBACD,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;oBACpB,+DAA+D;oBAC/D,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;oBAC9D,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;gBACvB,CAAC;YACH,CAAC;YACD,SAAS,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAA;QAC7B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,yEAAyE;YACzE,MAAM,IAAI,KAAK,CACb,2CAA2C,OAAO,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjH,CAAA;QACH,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,0EAA0E;IAC1E,MAAM,iBAAiB,GAAG;QACxB,YAAY,EAAE,+DAA+D;QAC7E,aAAa,EAAE,4EAA4E;KAC5F,CAAA;IAED,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,gDAAgD;QAChD,MAAM,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAClD,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAE/B,4EAA4E;QAC5E,sDAAsD;QACtD,IAAI,CAAC;YACH,8EAA8E;YAC9E,MAAM,YAAY,GAAG,MAAM,OAAO,CAChC;gBACE,SAAS;gBACT,UAAU;gBACV,SAAS;gBACT,cAAc;gBACd,IAAI;gBACJ,qBAAqB;aACtB,EACD,GAAG,EACH,eAAe,CAAC,MAAM,EACtB,aAAa,CACd,CAAA;YAED,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;gBACvC,8BAA8B;gBAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;gBAExC,oDAAoD;gBACpD,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;oBAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;oBAC5C,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;gBAC3B,CAAC;qBAAM,IAAI,OAAO,KAAK,aAAa,EAAE,CAAC;oBACrC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;oBAC9C,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;gBAC5B,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qEAAqE;YACrE,MAAM,IAAI,KAAK,CACb,wCAAwC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACjG,CAAA;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAA;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,aAAsB,EACtB,cAAuB;IAEvB,MAAM,OAAO,GAAa,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAAA;IAErE,sDAAsD;IACtD,IAAI,CAAC,aAAa,IAAI,CAAC,cAAc,EAAE,CAAC;QACtC,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,8EAA8E;IAC9E,MAAM,gBAAgB,GAAG;QACvB,WAAW;QACX,WAAW;QACX,KAAK;QACL,SAAS;QACT,QAAQ;QACR,gBAAgB,EAAE,aAAa;QAC/B,YAAY,EAAE,kBAAkB;QAChC,eAAe,EAAE,kBAAkB;QACnC,gBAAgB,EAAE,kBAAkB;KACrC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACX,OAAO,CAAC,IAAI,CAAC,YAAY,gBAAgB,EAAE,CAAC,CAAA;IAC5C,OAAO,CAAC,IAAI,CAAC,YAAY,gBAAgB,EAAE,CAAC,CAAA;IAE5C,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,+BAA+B,aAAa,EAAE,CAAC,CAAA;QAC5D,OAAO,CAAC,IAAI,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAA;QAC7D,uDAAuD;QACvD,OAAO,CAAC,IAAI,CAAC,+BAA+B,aAAa,EAAE,CAAC,CAAA;QAC5D,OAAO,CAAC,IAAI,CAAC,gCAAgC,aAAa,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,IAAI,cAAc,EAAE,CAAC;QACnB,yDAAyD;QACzD,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAE/D,gEAAgE;QAChE,IAAI,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;YAC9B,yBAAyB;YACzB,OAAO,CAAC,IAAI,CACV,8DAA8D,cAAc,UAAU,CACvF,CAAA;QACH,CAAC;QAED,mEAAmE;QACnE,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,IAAI,CAAC,iCAAiC,cAAc,EAAE,CAAC,CAAA;QAE/D,sBAAsB;QACtB,OAAO,CAAC,IAAI,CAAC,yBAAyB,cAAc,EAAE,CAAC,CAAA;QAEvD,+EAA+E;QAC/E,qFAAqF;QAErF,mCAAmC;QACnC,+DAA+D;QAC/D,OAAO,CAAC,IAAI,CACV,sCAAsC,aAAa,IAAI,cAAc,EAAE,CACxE,CAAA;QACD,OAAO,CAAC,IAAI,CACV,uCAAuC,aAAa,IAAI,cAAc,EAAE,CACzE,CAAA;QAED,iDAAiD;QACjD,0DAA0D;QAE1D,4DAA4D;QAC5D,6DAA6D;QAE7D,iDAAiD;QACjD,kDAAkD;QAClD,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAA;YACzC,OAAO,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAA;YAChD,OAAO,CAAC,IAAI,CAAC,uBAAuB,aAAa,EAAE,CAAC,CAAA;QACtD,CAAC;QAED,+BAA+B;QAC/B,4DAA4D;QAE5D,kDAAkD;QAClD,uEAAuE;QAEvE,6CAA6C;QAC7C,OAAO,CAAC,IAAI,CAAC,kCAAkC,cAAc,EAAE,CAAC,CAAA;QAChE,OAAO,CAAC,IAAI,CAAC,kCAAkC,cAAc,EAAE,CAAC,CAAA;IAClE,CAAC;IAED,8FAA8F;IAC9F,4FAA4F;IAC5F,mGAAmG;IAEnG,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AACzD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,cAAsB;IAC3D,OAAO,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;AAC/D,CAAC"}

package/dist/sandbox/sandbox-violation-store.d.ts

@@ -0,0 +1,19 @@
+import { type SandboxViolationEvent } from './macos-sandbox-utils.js';
+/**
+ * In-memory tail for sandbox violations
+ */
+export declare class SandboxViolationStore {
+    private violations;
+    private totalCount;
+    private readonly maxSize;
+    private listeners;
+    addViolation(violation: SandboxViolationEvent): void;
+    getViolations(limit?: number): SandboxViolationEvent[];
+    getCount(): number;
+    getTotalCount(): number;
+    getViolationsForCommand(command: string): SandboxViolationEvent[];
+    clear(): void;
+    subscribe(listener: (violations: SandboxViolationEvent[]) => void): () => void;
+    private notifyListeners;
+}
+//# sourceMappingURL=sandbox-violation-store.d.ts.map

package/dist/sandbox/sandbox-violation-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-violation-store.d.ts","sourceRoot":"","sources":["../../src/sandbox/sandbox-violation-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,qBAAqB,EAAE,MAAM,0BAA0B,CAAA;AAGrE;;GAEG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,UAAU,CAA8B;IAChD,OAAO,CAAC,UAAU,CAAI;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAM;IAC9B,OAAO,CAAC,SAAS,CACN;IAEX,YAAY,CAAC,SAAS,EAAE,qBAAqB,GAAG,IAAI;IASpD,aAAa,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,qBAAqB,EAAE;IAOtD,QAAQ,IAAI,MAAM;IAIlB,aAAa,IAAI,MAAM;IAIvB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,qBAAqB,EAAE;IAKjE,KAAK,IAAI,IAAI;IAMb,SAAS,CACP,QAAQ,EAAE,CAAC,UAAU,EAAE,qBAAqB,EAAE,KAAK,IAAI,GACtD,MAAM,IAAI;IAQb,OAAO,CAAC,eAAe;CAKxB"}

package/dist/sandbox/sandbox-violation-store.js

@@ -0,0 +1,54 @@
+import { encodeSandboxedCommand } from './sandbox-utils.js';
+/**
+ * In-memory tail for sandbox violations
+ */
+export class SandboxViolationStore {
+    constructor() {
+        this.violations = [];
+        this.totalCount = 0;
+        this.maxSize = 100;
+        this.listeners = new Set();
+    }
+    addViolation(violation) {
+        this.violations.push(violation);
+        this.totalCount++;
+        if (this.violations.length > this.maxSize) {
+            this.violations = this.violations.slice(-this.maxSize);
+        }
+        this.notifyListeners();
+    }
+    getViolations(limit) {
+        if (limit === undefined) {
+            return [...this.violations];
+        }
+        return this.violations.slice(-limit);
+    }
+    getCount() {
+        return this.violations.length;
+    }
+    getTotalCount() {
+        return this.totalCount;
+    }
+    getViolationsForCommand(command) {
+        const commandBase64 = encodeSandboxedCommand(command);
+        return this.violations.filter(v => v.encodedCommand === commandBase64);
+    }
+    clear() {
+        this.violations = [];
+        // Don't reset totalCount when clearing
+        this.notifyListeners();
+    }
+    subscribe(listener) {
+        this.listeners.add(listener);
+        listener(this.getViolations());
+        return () => {
+            this.listeners.delete(listener);
+        };
+    }
+    notifyListeners() {
+        // Always notify with all violations so listeners can track the full count
+        const violations = this.getViolations();
+        this.listeners.forEach(listener => listener(violations));
+    }
+}
+//# sourceMappingURL=sandbox-violation-store.js.map

package/dist/sandbox/sandbox-violation-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox-violation-store.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-violation-store.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAA;AAE3D;;GAEG;AACH,MAAM,OAAO,qBAAqB;IAAlC;QACU,eAAU,GAA4B,EAAE,CAAA;QACxC,eAAU,GAAG,CAAC,CAAA;QACL,YAAO,GAAG,GAAG,CAAA;QACtB,cAAS,GACf,IAAI,GAAG,EAAE,CAAA;IAoDb,CAAC;IAlDC,YAAY,CAAC,SAAgC;QAC3C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QAC/B,IAAI,CAAC,UAAU,EAAE,CAAA;QACjB,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YAC1C,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QACxD,CAAC;QACD,IAAI,CAAC,eAAe,EAAE,CAAA;IACxB,CAAC;IAED,aAAa,CAAC,KAAc;QAC1B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAAA;QAC7B,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAA;IACtC,CAAC;IAED,QAAQ;QACN,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAA;IAC/B,CAAC;IAED,aAAa;QACX,OAAO,IAAI,CAAC,UAAU,CAAA;IACxB,CAAC;IAED,uBAAuB,CAAC,OAAe;QACrC,MAAM,aAAa,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAA;QACrD,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,KAAK,aAAa,CAAC,CAAA;IACxE,CAAC;IAED,KAAK;QACH,IAAI,CAAC,UAAU,GAAG,EAAE,CAAA;QACpB,uCAAuC;QACvC,IAAI,CAAC,eAAe,EAAE,CAAA;IACxB,CAAC;IAED,SAAS,CACP,QAAuD;QAEvD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC5B,QAAQ,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAA;QAC9B,OAAO,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;QACjC,CAAC,CAAA;IACH,CAAC;IAEO,eAAe;QACrB,0EAA0E;QAC1E,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,EAAE,CAAA;QACvC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAA;IAC1D,CAAC;CACF"}

package/dist/sandbox/socks-proxy.d.ts

@@ -0,0 +1,18 @@
+import { type Socks5Server } from '@pondwader/socks5-server';
+import { type TelemetrySandboxVerdict } from '../utils/telemetry.js';
+export interface ProxyFilterDecision {
+    allowed: boolean;
+    verdict: TelemetrySandboxVerdict;
+}
+export interface SocksProxyServerOptions {
+    filter(port: number, host: string): Promise<ProxyFilterDecision> | ProxyFilterDecision;
+}
+export interface SocksProxyWrapper {
+    server: Socks5Server;
+    getPort(): number | undefined;
+    listen(port: number, hostname: string): Promise<number>;
+    close(): Promise<void>;
+    unref(): void;
+}
+export declare function createSocksProxyServer(options: SocksProxyServerOptions): SocksProxyWrapper;
+//# sourceMappingURL=socks-proxy.d.ts.map

package/dist/sandbox/socks-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"socks-proxy.d.ts","sourceRoot":"","sources":["../../src/sandbox/socks-proxy.ts"],"names":[],"mappings":"AACA,OAAO,EAGL,KAAK,YAAY,EAClB,MAAM,0BAA0B,CAAA;AAGjC,OAAO,EAGL,KAAK,uBAAuB,EAC7B,MAAM,uBAAuB,CAAA;AAmC9B,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,OAAO,EAAE,uBAAuB,CAAA;CACjC;AAED,MAAM,WAAW,uBAAuB;IACtC,MAAM,CACJ,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,mBAAmB,CAAC,GAAG,mBAAmB,CAAA;CACtD;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,YAAY,CAAA;IACpB,OAAO,IAAI,MAAM,GAAG,SAAS,CAAA;IAC7B,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IACvD,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAA;IACtB,KAAK,IAAI,IAAI,CAAA;CACd;AAuCD,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,uBAAuB,GAC/B,iBAAiB,CA+NnB"}