@within-7/minto 0.4.0 → 0.4.2

package/dist/services/sandbox/sandboxController.js

@@ -306,20 +306,28 @@ ${validation.violations.map((v) => `- ${v.details}`).join("\n")}`,
       };
     }
   }
+  /**
+   * Escape a path for use in seatbelt profile strings.
+   * Prevents injection via backslashes or double quotes in directory names.
+   */
+  escapeSbplPath(path) {
+    return path.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+  }
   /**
    * Generate macOS seatbelt profile
    */
   generateSeatbeltProfile() {
     const writeAllowed = this.config.filesystem.writeAllowed.map((p) => {
-      if (p === "./") return `(subpath "${this.workingDir}")`;
+      if (p === "./")
+        return `(subpath "${this.escapeSbplPath(this.workingDir)}")`;
       if (p === "*") return '(subpath "/")';
       const absPath = resolve(this.workingDir, p);
-      return `(subpath "${absPath}")`;
+      return `(subpath "${this.escapeSbplPath(absPath)}")`;
     }).join("\n    ");
     const readAllowed = this.config.filesystem.readAllowed.map((p) => {
       if (p === "*") return '(subpath "/")';
       const absPath = resolve(this.workingDir, p);
-      return `(subpath "${absPath}")`;
+      return `(subpath "${this.escapeSbplPath(absPath)}")`;
     }).join("\n    ");
     const networkRules = this.config.network.blockAll ? "(deny network*)" : this.config.network.allowedDomains.length > 0 ? `(allow network-outbound
     (remote tcp "${this.config.network.allowedDomains.join('", "')}"))` : "(allow network-outbound)";

package/dist/services/sandbox/sandboxController.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/services/sandbox/sandboxController.ts"],
-  "sourcesContent": ["/**\n * Sandbox Controller\n *\n * Main controller for the sandbox execution system.\n * Coordinates filesystem, network, and process isolation.\n */\n\nimport { spawn, type ChildProcess } from 'child_process'\nimport { platform } from 'os'\nimport { existsSync } from 'fs'\nimport { resolve } from 'path'\nimport type {\n  ISandboxController,\n  SandboxConfig,\n  SandboxExecutionResult,\n  SandboxImplementation,\n  SandboxViolation,\n} from './types'\nimport { DEFAULT_SANDBOX_CONFIG } from './types'\nimport { FilesystemBoundary } from './filesystemBoundary'\nimport { NetworkProxy } from './networkProxy'\n\n/**\n * Sandbox Controller Implementation\n *\n * Provides unified sandbox management with OS-specific implementations.\n */\nexport class SandboxController implements ISandboxController {\n  private config: SandboxConfig\n  private implementation: SandboxImplementation\n  private filesystemBoundary: FilesystemBoundary\n  private networkProxy: NetworkProxy\n  private violations: SandboxViolation[] = []\n  private workingDir: string\n\n  constructor(workingDir: string, config?: Partial<SandboxConfig>) {\n    this.workingDir = resolve(workingDir)\n    this.config = { ...DEFAULT_SANDBOX_CONFIG, ...config }\n    this.implementation = this.detectImplementation()\n    this.filesystemBoundary = new FilesystemBoundary(\n      this.config.filesystem,\n      this.workingDir,\n    )\n    this.networkProxy = new NetworkProxy(this.config.network)\n  }\n\n  /**\n   * Check if sandbox is available on this system\n   */\n  async isAvailable(): Promise<boolean> {\n    if (!this.config.enabled) {\n      return false\n    }\n\n    switch (this.implementation) {\n      case 'seatbelt':\n        return this.isSeatbeltAvailable()\n      case 'bubblewrap':\n        return this.isBubblewrapAvailable()\n      case 'docker':\n        return this.isDockerAvailable()\n      default:\n        return false\n    }\n  }\n\n  /**\n   * Get the implementation type\n   */\n  getImplementationType(): SandboxImplementation {\n    return this.implementation\n  }\n\n  /**\n   * Initialize the sandbox\n   */\n  async initialize(config: SandboxConfig): Promise<void> {\n    this.config = config\n    this.filesystemBoundary = new FilesystemBoundary(\n      config.filesystem,\n      this.workingDir,\n    )\n    this.networkProxy = new NetworkProxy(config.network)\n    this.violations = []\n  }\n\n  /**\n   * Pre-validate a command against policies\n   */\n  async validateCommand(command: string): Promise<{\n    valid: boolean\n    violations: SandboxViolation[]\n  }> {\n    const violations: SandboxViolation[] = []\n\n    // Check if command is excluded from sandboxing\n    if (this.isExcludedCommand(command)) {\n      return { valid: true, violations: [] }\n    }\n\n    // Validate filesystem access\n    const fsResult = this.filesystemBoundary.analyzeCommand(command)\n    for (const violation of fsResult.violations) {\n      violation.command = command\n      violations.push(violation)\n    }\n\n    // Validate network access\n    const netResult = this.networkProxy.analyzeCommand(command)\n    for (const violation of netResult.violations) {\n      violation.command = command\n      violations.push(violation)\n    }\n\n    // Store all violations\n    this.violations.push(...violations)\n\n    return {\n      valid: violations.length === 0,\n      violations,\n    }\n  }\n\n  /**\n   * Execute a command in the sandbox\n   */\n  async execute(\n    command: string,\n    workingDir: string,\n    signal?: AbortSignal,\n    timeout?: number,\n  ): Promise<SandboxExecutionResult> {\n    const startTime = Date.now()\n    this.workingDir = resolve(workingDir)\n    this.filesystemBoundary.setWorkingDir(this.workingDir)\n\n    // If sandbox is disabled, execute directly\n    if (!this.config.enabled) {\n      return this.executeDirectly(command, signal, timeout)\n    }\n\n    // Validate command first\n    const validation = await this.validateCommand(command)\n    if (!validation.valid) {\n      return {\n        stdout: '',\n        stderr: `Sandbox blocked command:\\n${validation.violations\n          .map(v => `- ${v.details}`)\n          .join('\\n')}`,\n        exitCode: 1,\n        interrupted: false,\n        blocked: true,\n        blockReason: validation.violations[0]?.details,\n        duration: Date.now() - startTime,\n      }\n    }\n\n    // Check if command is excluded from sandboxing\n    if (this.isExcludedCommand(command)) {\n      return this.executeDirectly(command, signal, timeout)\n    }\n\n    // Execute with appropriate sandbox\n    switch (this.implementation) {\n      case 'seatbelt':\n        return this.executeWithSeatbelt(command, signal, timeout, startTime)\n      case 'bubblewrap':\n        return this.executeWithBubblewrap(command, signal, timeout, startTime)\n      case 'docker':\n        return this.executeWithDocker(command, signal, timeout, startTime)\n      default:\n        // No sandbox available, execute directly with validation only\n        return this.executeDirectly(command, signal, timeout)\n    }\n  }\n\n  /**\n   * Get current configuration\n   */\n  getConfig(): SandboxConfig {\n    return { ...this.config }\n  }\n\n  /**\n   * Update configuration\n   */\n  updateConfig(config: Partial<SandboxConfig>): void {\n    this.config = { ...this.config, ...config }\n    if (config.filesystem) {\n      this.filesystemBoundary.updatePolicy(config.filesystem)\n    }\n    if (config.network) {\n      this.networkProxy.updatePolicy(config.network)\n    }\n  }\n\n  /**\n   * Get violation history\n   */\n  getViolations(): SandboxViolation[] {\n    return [\n      ...this.violations,\n      ...this.filesystemBoundary.getViolations(),\n      ...this.networkProxy.getViolations(),\n    ]\n  }\n\n  /**\n   * Clear violation history\n   */\n  clearViolations(): void {\n    this.violations = []\n    this.filesystemBoundary.clearViolations()\n    this.networkProxy.clearViolations()\n  }\n\n  /**\n   * Get filesystem boundary instance\n   */\n  getFilesystemBoundary(): FilesystemBoundary {\n    return this.filesystemBoundary\n  }\n\n  /**\n   * Get network proxy instance\n   */\n  getNetworkProxy(): NetworkProxy {\n    return this.networkProxy\n  }\n\n  /**\n   * Detect the best available sandbox implementation\n   */\n  private detectImplementation(): SandboxImplementation {\n    const os = platform()\n\n    if (os === 'darwin') {\n      // macOS - use seatbelt/sandbox-exec\n      return 'seatbelt'\n    } else if (os === 'linux') {\n      // Linux - prefer bubblewrap, fallback to docker\n      if (this.hasBubblewrap()) {\n        return 'bubblewrap'\n      } else if (this.hasDocker()) {\n        return 'docker'\n      }\n    }\n\n    return 'none'\n  }\n\n  /**\n   * Check if bubblewrap is installed\n   */\n  private hasBubblewrap(): boolean {\n    return existsSync('/usr/bin/bwrap') || existsSync('/usr/local/bin/bwrap')\n  }\n\n  /**\n   * Check if docker is available\n   */\n  private hasDocker(): boolean {\n    return existsSync('/usr/bin/docker') || existsSync('/usr/local/bin/docker')\n  }\n\n  /**\n   * Check if seatbelt (macOS sandbox-exec) is available\n   */\n  private async isSeatbeltAvailable(): Promise<boolean> {\n    return platform() === 'darwin' && existsSync('/usr/bin/sandbox-exec')\n  }\n\n  /**\n   * Check if bubblewrap is available and working\n   */\n  private async isBubblewrapAvailable(): Promise<boolean> {\n    if (!this.hasBubblewrap()) return false\n    try {\n      const result = await this.spawnAsync('bwrap', ['--version'])\n      return result.exitCode === 0\n    } catch {\n      return false\n    }\n  }\n\n  /**\n   * Check if docker is available and running\n   */\n  private async isDockerAvailable(): Promise<boolean> {\n    if (!this.hasDocker()) return false\n    try {\n      const result = await this.spawnAsync('docker', ['info'])\n      return result.exitCode === 0\n    } catch {\n      return false\n    }\n  }\n\n  /**\n   * Check if a command is excluded from sandboxing\n   */\n  private isExcludedCommand(command: string): boolean {\n    const firstWord = command.trim().split(/\\s+/)[0]?.toLowerCase()\n    if (!firstWord) return false\n    return this.config.process.excludedCommands.some(\n      excluded => firstWord === excluded.toLowerCase(),\n    )\n  }\n\n  /**\n   * Execute command directly without sandboxing\n   */\n  private async executeDirectly(\n    command: string,\n    signal?: AbortSignal,\n    timeout?: number,\n  ): Promise<SandboxExecutionResult> {\n    const startTime = Date.now()\n    const effectiveTimeout = timeout || this.config.process.maxExecutionTime\n\n    try {\n      const result = await this.spawnAsync('sh', ['-c', command], {\n        cwd: this.workingDir,\n        signal,\n        timeout: effectiveTimeout,\n      })\n\n      return {\n        stdout: result.stdout,\n        stderr: result.stderr,\n        exitCode: result.exitCode,\n        interrupted: result.interrupted,\n        blocked: false,\n        duration: Date.now() - startTime,\n      }\n    } catch (error) {\n      const err = error as Error\n      return {\n        stdout: '',\n        stderr: err.message,\n        exitCode: 1,\n        interrupted: signal?.aborted || false,\n        blocked: false,\n        duration: Date.now() - startTime,\n      }\n    }\n  }\n\n  /**\n   * Execute command with macOS seatbelt sandbox\n   */\n  private async executeWithSeatbelt(\n    command: string,\n    signal?: AbortSignal,\n    timeout?: number,\n    startTime?: number,\n  ): Promise<SandboxExecutionResult> {\n    const start = startTime || Date.now()\n    const effectiveTimeout = timeout || this.config.process.maxExecutionTime\n\n    // Generate seatbelt profile\n    const profile = this.generateSeatbeltProfile()\n\n    try {\n      const result = await this.spawnAsync(\n        'sandbox-exec',\n        ['-p', profile, 'sh', '-c', command],\n        {\n          cwd: this.workingDir,\n          signal,\n          timeout: effectiveTimeout,\n        },\n      )\n\n      return {\n        stdout: result.stdout,\n        stderr: result.stderr,\n        exitCode: result.exitCode,\n        interrupted: result.interrupted,\n        blocked: false,\n        duration: Date.now() - start,\n      }\n    } catch (error) {\n      const err = error as Error\n      const isBlocked =\n        err.message.includes('sandbox') || err.message.includes('denied')\n      return {\n        stdout: '',\n        stderr: err.message,\n        exitCode: 1,\n        interrupted: signal?.aborted || false,\n        blocked: isBlocked,\n        blockReason: isBlocked ? 'Sandbox policy violation' : undefined,\n        duration: Date.now() - start,\n      }\n    }\n  }\n\n  /**\n   * Generate macOS seatbelt profile\n   */\n  private generateSeatbeltProfile(): string {\n    const writeAllowed = this.config.filesystem.writeAllowed\n      .map(p => {\n        if (p === './') return `(subpath \"${this.workingDir}\")`\n        if (p === '*') return '(subpath \"/\")'\n        const absPath = resolve(this.workingDir, p)\n        return `(subpath \"${absPath}\")`\n      })\n      .join('\\n    ')\n\n    const readAllowed = this.config.filesystem.readAllowed\n      .map(p => {\n        if (p === '*') return '(subpath \"/\")'\n        const absPath = resolve(this.workingDir, p)\n        return `(subpath \"${absPath}\")`\n      })\n      .join('\\n    ')\n\n    const networkRules = this.config.network.blockAll\n      ? '(deny network*)'\n      : this.config.network.allowedDomains.length > 0\n        ? `(allow network-outbound\n    (remote tcp \"${this.config.network.allowedDomains.join('\", \"')}\"))`\n        : '(allow network-outbound)'\n\n    return `\n(version 1)\n(deny default)\n\n; Allow basic system operations\n(allow process-exec*)\n(allow process-fork)\n(allow file-read-metadata)\n(allow sysctl-read)\n\n; Allow reading system libraries and executables\n(allow file-read*\n    (subpath \"/usr\")\n    (subpath \"/bin\")\n    (subpath \"/sbin\")\n    (subpath \"/System\")\n    (subpath \"/Library\")\n    (subpath \"/private/var\")\n    (subpath \"/private/tmp\")\n    (subpath \"/dev\")\n    (subpath \"/tmp\")\n    ${readAllowed}\n)\n\n; Allow writing to specific paths\n(allow file-write*\n    (subpath \"/dev\")\n    (subpath \"/private/tmp\")\n    (subpath \"/tmp\")\n    ${writeAllowed}\n)\n\n; Network rules\n${networkRules}\n\n; Allow stdout/stderr\n(allow file-write-data\n    (literal \"/dev/null\")\n    (literal \"/dev/zero\")\n    (literal \"/dev/random\")\n    (literal \"/dev/urandom\")\n    (literal \"/dev/tty\")\n    (literal \"/dev/console\")\n)\n\n; Allow process management\n(allow signal)\n(allow mach-lookup)\n(allow ipc-posix-shm-read-data)\n(allow ipc-posix-shm-write-data)\n`\n  }\n\n  /**\n   * Execute command with Linux bubblewrap sandbox\n   */\n  private async executeWithBubblewrap(\n    command: string,\n    signal?: AbortSignal,\n    timeout?: number,\n    startTime?: number,\n  ): Promise<SandboxExecutionResult> {\n    const start = startTime || Date.now()\n    const effectiveTimeout = timeout || this.config.process.maxExecutionTime\n\n    // Build bubblewrap arguments\n    const bwrapArgs = this.buildBubblewrapArgs()\n\n    try {\n      const result = await this.spawnAsync(\n        'bwrap',\n        [...bwrapArgs, 'sh', '-c', command],\n        {\n          cwd: this.workingDir,\n          signal,\n          timeout: effectiveTimeout,\n        },\n      )\n\n      return {\n        stdout: result.stdout,\n        stderr: result.stderr,\n        exitCode: result.exitCode,\n        interrupted: result.interrupted,\n        blocked: false,\n        duration: Date.now() - start,\n      }\n    } catch (error) {\n      const err = error as Error\n      return {\n        stdout: '',\n        stderr: err.message,\n        exitCode: 1,\n        interrupted: signal?.aborted || false,\n        blocked: false,\n        duration: Date.now() - start,\n      }\n    }\n  }\n\n  /**\n   * Build bubblewrap command arguments\n   */\n  private buildBubblewrapArgs(): string[] {\n    const args: string[] = []\n\n    // Basic sandboxing\n    args.push('--unshare-all')\n    args.push('--die-with-parent')\n\n    // Mount system directories read-only\n    args.push('--ro-bind', '/usr', '/usr')\n    args.push('--ro-bind', '/bin', '/bin')\n    args.push('--ro-bind', '/lib', '/lib')\n    if (existsSync('/lib64')) {\n      args.push('--ro-bind', '/lib64', '/lib64')\n    }\n    args.push('--ro-bind', '/etc', '/etc')\n\n    // Allow /tmp\n    args.push('--tmpfs', '/tmp')\n\n    // Set working directory with read-write access\n    args.push('--bind', this.workingDir, this.workingDir)\n    args.push('--chdir', this.workingDir)\n\n    // Add additional read paths\n    for (const path of this.config.filesystem.readAllowed) {\n      if (path !== '*' && path !== './' && existsSync(path)) {\n        const absPath = resolve(this.workingDir, path)\n        if (existsSync(absPath)) {\n          args.push('--ro-bind', absPath, absPath)\n        }\n      }\n    }\n\n    // Add additional write paths\n    for (const path of this.config.filesystem.writeAllowed) {\n      if (path !== './' && path !== '*') {\n        const absPath = resolve(this.workingDir, path)\n        if (existsSync(absPath)) {\n          args.push('--bind', absPath, absPath)\n        }\n      }\n    }\n\n    // Network isolation (if blocking all)\n    if (this.config.network.blockAll) {\n      args.push('--unshare-net')\n    }\n\n    // Process limits\n    if (this.config.process.maxProcesses > 0) {\n      args.push(\n        '--setenv',\n        'MINTO_MAX_PROCS',\n        String(this.config.process.maxProcesses),\n      )\n    }\n\n    return args\n  }\n\n  /**\n   * Execute command with Docker sandbox\n   */\n  private async executeWithDocker(\n    command: string,\n    signal?: AbortSignal,\n    timeout?: number,\n    startTime?: number,\n  ): Promise<SandboxExecutionResult> {\n    const start = startTime || Date.now()\n    const effectiveTimeout = timeout || this.config.process.maxExecutionTime\n\n    // Build docker run arguments\n    const dockerArgs = [\n      'run',\n      '--rm',\n      '-i',\n      '--network',\n      this.config.network.blockAll ? 'none' : 'bridge',\n      '-v',\n      `${this.workingDir}:/workspace`,\n      '-w',\n      '/workspace',\n    ]\n\n    // Add memory limit\n    if (this.config.process.maxMemory > 0) {\n      dockerArgs.push('--memory', `${this.config.process.maxMemory}`)\n    }\n\n    // Use a minimal image\n    dockerArgs.push('alpine:latest')\n    dockerArgs.push('sh', '-c', command)\n\n    try {\n      const result = await this.spawnAsync('docker', dockerArgs, {\n        cwd: this.workingDir,\n        signal,\n        timeout: effectiveTimeout,\n      })\n\n      return {\n        stdout: result.stdout,\n        stderr: result.stderr,\n        exitCode: result.exitCode,\n        interrupted: result.interrupted,\n        blocked: false,\n        duration: Date.now() - start,\n      }\n    } catch (error) {\n      const err = error as Error\n      return {\n        stdout: '',\n        stderr: err.message,\n        exitCode: 1,\n        interrupted: signal?.aborted || false,\n        blocked: false,\n        duration: Date.now() - start,\n      }\n    }\n  }\n\n  /**\n   * Spawn a process with promise wrapper\n   */\n  private spawnAsync(\n    cmd: string,\n    args: string[],\n    options?: {\n      cwd?: string\n      signal?: AbortSignal\n      timeout?: number\n    },\n  ): Promise<{\n    stdout: string\n    stderr: string\n    exitCode: number\n    interrupted: boolean\n  }> {\n    return new Promise((resolve, reject) => {\n      let stdout = ''\n      let stderr = ''\n      let interrupted = false\n      let child: ChildProcess | null = null\n\n      const timeoutId = options?.timeout\n        ? setTimeout(() => {\n            interrupted = true\n            child?.kill('SIGTERM')\n          }, options.timeout)\n        : null\n\n      // Handle abort signal\n      if (options?.signal) {\n        options.signal.addEventListener('abort', () => {\n          interrupted = true\n          child?.kill('SIGTERM')\n        })\n      }\n\n      child = spawn(cmd, args, {\n        cwd: options?.cwd || this.workingDir,\n        shell: false,\n        stdio: ['pipe', 'pipe', 'pipe'],\n      })\n\n      child.stdout?.on('data', (data: Buffer) => {\n        stdout += data.toString()\n      })\n\n      child.stderr?.on('data', (data: Buffer) => {\n        stderr += data.toString()\n      })\n\n      child.on('error', (error: Error) => {\n        if (timeoutId) clearTimeout(timeoutId)\n        reject(error)\n      })\n\n      child.on('close', (code: number | null) => {\n        if (timeoutId) clearTimeout(timeoutId)\n        resolve({\n          stdout,\n          stderr,\n          exitCode: code ?? 1,\n          interrupted,\n        })\n      })\n    })\n  }\n}\n\n// Global singleton instance\nlet globalSandboxController: SandboxController | null = null\n\n/**\n * Get the global sandbox controller instance\n */\nexport function getSandboxController(workingDir?: string): SandboxController {\n  if (!globalSandboxController) {\n    globalSandboxController = new SandboxController(workingDir || process.cwd())\n  } else if (workingDir) {\n    // Update working directory if provided\n    globalSandboxController = new SandboxController(\n      workingDir,\n      globalSandboxController.getConfig(),\n    )\n  }\n  return globalSandboxController\n}\n\n/**\n * Reset the global sandbox controller (for testing)\n */\nexport function resetSandboxController(): void {\n  globalSandboxController = null\n}\n"],
-  "mappings": "AAOA,SAAS,aAAgC;AACzC,SAAS,gBAAgB;AACzB,SAAS,kBAAkB;AAC3B,SAAS,eAAe;AAQxB,SAAS,8BAA8B;AACvC,SAAS,0BAA0B;AACnC,SAAS,oBAAoB;AAOtB,MAAM,kBAAgD;AAAA,EACnD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,aAAiC,CAAC;AAAA,EAClC;AAAA,EAER,YAAY,YAAoB,QAAiC;AAC/D,SAAK,aAAa,QAAQ,UAAU;AACpC,SAAK,SAAS,EAAE,GAAG,wBAAwB,GAAG,OAAO;AACrD,SAAK,iBAAiB,KAAK,qBAAqB;AAChD,SAAK,qBAAqB,IAAI;AAAA,MAC5B,KAAK,OAAO;AAAA,MACZ,KAAK;AAAA,IACP;AACA,SAAK,eAAe,IAAI,aAAa,KAAK,OAAO,OAAO;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAgC;AACpC,QAAI,CAAC,KAAK,OAAO,SAAS;AACxB,aAAO;AAAA,IACT;AAEA,YAAQ,KAAK,gBAAgB;AAAA,MAC3B,KAAK;AACH,eAAO,KAAK,oBAAoB;AAAA,MAClC,KAAK;AACH,eAAO,KAAK,sBAAsB;AAAA,MACpC,KAAK;AACH,eAAO,KAAK,kBAAkB;AAAA,MAChC;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,wBAA+C;AAC7C,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAW,QAAsC;AACrD,SAAK,SAAS;AACd,SAAK,qBAAqB,IAAI;AAAA,MAC5B,OAAO;AAAA,MACP,KAAK;AAAA,IACP;AACA,SAAK,eAAe,IAAI,aAAa,OAAO,OAAO;AACnD,SAAK,aAAa,CAAC;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,SAGnB;AACD,UAAM,aAAiC,CAAC;AAGxC,QAAI,KAAK,kBAAkB,OAAO,GAAG;AACnC,aAAO,EAAE,OAAO,MAAM,YAAY,CAAC,EAAE;AAAA,IACvC;AAGA,UAAM,WAAW,KAAK,mBAAmB,eAAe,OAAO;AAC/D,eAAW,aAAa,SAAS,YAAY;AAC3C,gBAAU,UAAU;AACpB,iBAAW,KAAK,SAAS;AAAA,IAC3B;AAGA,UAAM,YAAY,KAAK,aAAa,eAAe,OAAO;AAC1D,eAAW,aAAa,UAAU,YAAY;AAC5C,gBAAU,UAAU;AACpB,iBAAW,KAAK,SAAS;AAAA,IAC3B;AAGA,SAAK,WAAW,KAAK,GAAG,UAAU;AAElC,WAAO;AAAA,MACL,OAAO,WAAW,WAAW;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QACJ,SACA,YACA,QACA,SACiC;AACjC,UAAM,YAAY,KAAK,IAAI;AAC3B,SAAK,aAAa,QAAQ,UAAU;AACpC,SAAK,mBAAmB,cAAc,KAAK,UAAU;AAGrD,QAAI,CAAC,KAAK,OAAO,SAAS;AACxB,aAAO,KAAK,gBAAgB,SAAS,QAAQ,OAAO;AAAA,IACtD;AAGA,UAAM,aAAa,MAAM,KAAK,gBAAgB,OAAO;AACrD,QAAI,CAAC,WAAW,OAAO;AACrB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,QAAQ;AAAA,EAA6B,WAAW,WAC7C,IAAI,OAAK,KAAK,EAAE,OAAO,EAAE,EACzB,KAAK,IAAI,CAAC;AAAA,QACb,UAAU;AAAA,QACV,aAAa;AAAA,QACb,SAAS;AAAA,QACT,aAAa,WAAW,WAAW,CAAC,GAAG;AAAA,QACvC,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF;AAGA,QAAI,KAAK,kBAAkB,OAAO,GAAG;AACnC,aAAO,KAAK,gBAAgB,SAAS,QAAQ,OAAO;AAAA,IACtD;AAGA,YAAQ,KAAK,gBAAgB;AAAA,MAC3B,KAAK;AACH,eAAO,KAAK,oBAAoB,SAAS,QAAQ,SAAS,SAAS;AAAA,MACrE,KAAK;AACH,eAAO,KAAK,sBAAsB,SAAS,QAAQ,SAAS,SAAS;AAAA,MACvE,KAAK;AACH,eAAO,KAAK,kBAAkB,SAAS,QAAQ,SAAS,SAAS;AAAA,MACnE;AAEE,eAAO,KAAK,gBAAgB,SAAS,QAAQ,OAAO;AAAA,IACxD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,YAA2B;AACzB,WAAO,EAAE,GAAG,KAAK,OAAO;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,QAAsC;AACjD,SAAK,SAAS,EAAE,GAAG,KAAK,QAAQ,GAAG,OAAO;AAC1C,QAAI,OAAO,YAAY;AACrB,WAAK,mBAAmB,aAAa,OAAO,UAAU;AAAA,IACxD;AACA,QAAI,OAAO,SAAS;AAClB,WAAK,aAAa,aAAa,OAAO,OAAO;AAAA,IAC/C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAoC;AAClC,WAAO;AAAA,MACL,GAAG,KAAK;AAAA,MACR,GAAG,KAAK,mBAAmB,cAAc;AAAA,MACzC,GAAG,KAAK,aAAa,cAAc;AAAA,IACrC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAwB;AACtB,SAAK,aAAa,CAAC;AACnB,SAAK,mBAAmB,gBAAgB;AACxC,SAAK,aAAa,gBAAgB;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA,EAKA,wBAA4C;AAC1C,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAgC;AAC9B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKQ,uBAA8C;AACpD,UAAM,KAAK,SAAS;AAEpB,QAAI,OAAO,UAAU;AAEnB,aAAO;AAAA,IACT,WAAW,OAAO,SAAS;AAEzB,UAAI,KAAK,cAAc,GAAG;AACxB,eAAO;AAAA,MACT,WAAW,KAAK,UAAU,GAAG;AAC3B,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAyB;AAC/B,WAAO,WAAW,gBAAgB,KAAK,WAAW,sBAAsB;AAAA,EAC1E;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAqB;AAC3B,WAAO,WAAW,iBAAiB,KAAK,WAAW,uBAAuB;AAAA,EAC5E;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,sBAAwC;AACpD,WAAO,SAAS,MAAM,YAAY,WAAW,uBAAuB;AAAA,EACtE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,wBAA0C;AACtD,QAAI,CAAC,KAAK,cAAc,EAAG,QAAO;AAClC,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,WAAW,SAAS,CAAC,WAAW,CAAC;AAC3D,aAAO,OAAO,aAAa;AAAA,IAC7B,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,oBAAsC;AAClD,QAAI,CAAC,KAAK,UAAU,EAAG,QAAO;AAC9B,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,WAAW,UAAU,CAAC,MAAM,CAAC;AACvD,aAAO,OAAO,aAAa;AAAA,IAC7B,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,SAA0B;AAClD,UAAM,YAAY,QAAQ,KAAK,EAAE,MAAM,KAAK,EAAE,CAAC,GAAG,YAAY;AAC9D,QAAI,CAAC,UAAW,QAAO;AACvB,WAAO,KAAK,OAAO,QAAQ,iBAAiB;AAAA,MAC1C,cAAY,cAAc,SAAS,YAAY;AAAA,IACjD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,gBACZ,SACA,QACA,SACiC;AACjC,UAAM,YAAY,KAAK,IAAI;AAC3B,UAAM,mBAAmB,WAAW,KAAK,OAAO,QAAQ;AAExD,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,WAAW,MAAM,CAAC,MAAM,OAAO,GAAG;AAAA,QAC1D,KAAK,KAAK;AAAA,QACV;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,aAAO;AAAA,QACL,QAAQ,OAAO;AAAA,QACf,QAAQ,OAAO;AAAA,QACf,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF,SAAS,OAAO;AACd,YAAM,MAAM;AACZ,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,QAAQ,IAAI;AAAA,QACZ,UAAU;AAAA,QACV,aAAa,QAAQ,WAAW;AAAA,QAChC,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,oBACZ,SACA,QACA,SACA,WACiC;AACjC,UAAM,QAAQ,aAAa,KAAK,IAAI;AACpC,UAAM,mBAAmB,WAAW,KAAK,OAAO,QAAQ;AAGxD,UAAM,UAAU,KAAK,wBAAwB;AAE7C,QAAI;AACF,YAAM,SAAS,MAAM,KAAK;AAAA,QACxB;AAAA,QACA,CAAC,MAAM,SAAS,MAAM,MAAM,OAAO;AAAA,QACnC;AAAA,UACE,KAAK,KAAK;AAAA,UACV;AAAA,UACA,SAAS;AAAA,QACX;AAAA,MACF;AAEA,aAAO;AAAA,QACL,QAAQ,OAAO;AAAA,QACf,QAAQ,OAAO;AAAA,QACf,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF,SAAS,OAAO;AACd,YAAM,MAAM;AACZ,YAAM,YACJ,IAAI,QAAQ,SAAS,SAAS,KAAK,IAAI,QAAQ,SAAS,QAAQ;AAClE,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,QAAQ,IAAI;AAAA,QACZ,UAAU;AAAA,QACV,aAAa,QAAQ,WAAW;AAAA,QAChC,SAAS;AAAA,QACT,aAAa,YAAY,6BAA6B;AAAA,QACtD,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,0BAAkC;AACxC,UAAM,eAAe,KAAK,OAAO,WAAW,aACzC,IAAI,OAAK;AACR,UAAI,MAAM,KAAM,QAAO,aAAa,KAAK,UAAU;AACnD,UAAI,MAAM,IAAK,QAAO;AACtB,YAAM,UAAU,QAAQ,KAAK,YAAY,CAAC;AAC1C,aAAO,aAAa,OAAO;AAAA,IAC7B,CAAC,EACA,KAAK,QAAQ;AAEhB,UAAM,cAAc,KAAK,OAAO,WAAW,YACxC,IAAI,OAAK;AACR,UAAI,MAAM,IAAK,QAAO;AACtB,YAAM,UAAU,QAAQ,KAAK,YAAY,CAAC;AAC1C,aAAO,aAAa,OAAO;AAAA,IAC7B,CAAC,EACA,KAAK,QAAQ;AAEhB,UAAM,eAAe,KAAK,OAAO,QAAQ,WACrC,oBACA,KAAK,OAAO,QAAQ,eAAe,SAAS,IAC1C;AAAA,mBACS,KAAK,OAAO,QAAQ,eAAe,KAAK,MAAM,CAAC,QACxD;AAEN,WAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAqBL,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQX,YAAY;AAAA;AAAA;AAAA;AAAA,EAIhB,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBZ;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,sBACZ,SACA,QACA,SACA,WACiC;AACjC,UAAM,QAAQ,aAAa,KAAK,IAAI;AACpC,UAAM,mBAAmB,WAAW,KAAK,OAAO,QAAQ;AAGxD,UAAM,YAAY,KAAK,oBAAoB;AAE3C,QAAI;AACF,YAAM,SAAS,MAAM,KAAK;AAAA,QACxB;AAAA,QACA,CAAC,GAAG,WAAW,MAAM,MAAM,OAAO;AAAA,QAClC;AAAA,UACE,KAAK,KAAK;AAAA,UACV;AAAA,UACA,SAAS;AAAA,QACX;AAAA,MACF;AAEA,aAAO;AAAA,QACL,QAAQ,OAAO;AAAA,QACf,QAAQ,OAAO;AAAA,QACf,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF,SAAS,OAAO;AACd,YAAM,MAAM;AACZ,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,QAAQ,IAAI;AAAA,QACZ,UAAU;AAAA,QACV,aAAa,QAAQ,WAAW;AAAA,QAChC,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,sBAAgC;AACtC,UAAM,OAAiB,CAAC;AAGxB,SAAK,KAAK,eAAe;AACzB,SAAK,KAAK,mBAAmB;AAG7B,SAAK,KAAK,aAAa,QAAQ,MAAM;AACrC,SAAK,KAAK,aAAa,QAAQ,MAAM;AACrC,SAAK,KAAK,aAAa,QAAQ,MAAM;AACrC,QAAI,WAAW,QAAQ,GAAG;AACxB,WAAK,KAAK,aAAa,UAAU,QAAQ;AAAA,IAC3C;AACA,SAAK,KAAK,aAAa,QAAQ,MAAM;AAGrC,SAAK,KAAK,WAAW,MAAM;AAG3B,SAAK,KAAK,UAAU,KAAK,YAAY,KAAK,UAAU;AACpD,SAAK,KAAK,WAAW,KAAK,UAAU;AAGpC,eAAW,QAAQ,KAAK,OAAO,WAAW,aAAa;AACrD,UAAI,SAAS,OAAO,SAAS,QAAQ,WAAW,IAAI,GAAG;AACrD,cAAM,UAAU,QAAQ,KAAK,YAAY,IAAI;AAC7C,YAAI,WAAW,OAAO,GAAG;AACvB,eAAK,KAAK,aAAa,SAAS,OAAO;AAAA,QACzC;AAAA,MACF;AAAA,IACF;AAGA,eAAW,QAAQ,KAAK,OAAO,WAAW,cAAc;AACtD,UAAI,SAAS,QAAQ,SAAS,KAAK;AACjC,cAAM,UAAU,QAAQ,KAAK,YAAY,IAAI;AAC7C,YAAI,WAAW,OAAO,GAAG;AACvB,eAAK,KAAK,UAAU,SAAS,OAAO;AAAA,QACtC;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,OAAO,QAAQ,UAAU;AAChC,WAAK,KAAK,eAAe;AAAA,IAC3B;AAGA,QAAI,KAAK,OAAO,QAAQ,eAAe,GAAG;AACxC,WAAK;AAAA,QACH;AAAA,QACA;AAAA,QACA,OAAO,KAAK,OAAO,QAAQ,YAAY;AAAA,MACzC;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,kBACZ,SACA,QACA,SACA,WACiC;AACjC,UAAM,QAAQ,aAAa,KAAK,IAAI;AACpC,UAAM,mBAAmB,WAAW,KAAK,OAAO,QAAQ;AAGxD,UAAM,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,KAAK,OAAO,QAAQ,WAAW,SAAS;AAAA,MACxC;AAAA,MACA,GAAG,KAAK,UAAU;AAAA,MAClB;AAAA,MACA;AAAA,IACF;AAGA,QAAI,KAAK,OAAO,QAAQ,YAAY,GAAG;AACrC,iBAAW,KAAK,YAAY,GAAG,KAAK,OAAO,QAAQ,SAAS,EAAE;AAAA,IAChE;AAGA,eAAW,KAAK,eAAe;AAC/B,eAAW,KAAK,MAAM,MAAM,OAAO;AAEnC,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,WAAW,UAAU,YAAY;AAAA,QACzD,KAAK,KAAK;AAAA,QACV;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,aAAO;AAAA,QACL,QAAQ,OAAO;AAAA,QACf,QAAQ,OAAO;AAAA,QACf,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF,SAAS,OAAO;AACd,YAAM,MAAM;AACZ,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,QAAQ,IAAI;AAAA,QACZ,UAAU;AAAA,QACV,aAAa,QAAQ,WAAW;AAAA,QAChC,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,WACN,KACA,MACA,SAUC;AACD,WAAO,IAAI,QAAQ,CAACA,UAAS,WAAW;AACtC,UAAI,SAAS;AACb,UAAI,SAAS;AACb,UAAI,cAAc;AAClB,UAAI,QAA6B;AAEjC,YAAM,YAAY,SAAS,UACvB,WAAW,MAAM;AACf,sBAAc;AACd,eAAO,KAAK,SAAS;AAAA,MACvB,GAAG,QAAQ,OAAO,IAClB;AAGJ,UAAI,SAAS,QAAQ;AACnB,gBAAQ,OAAO,iBAAiB,SAAS,MAAM;AAC7C,wBAAc;AACd,iBAAO,KAAK,SAAS;AAAA,QACvB,CAAC;AAAA,MACH;AAEA,cAAQ,MAAM,KAAK,MAAM;AAAA,QACvB,KAAK,SAAS,OAAO,KAAK;AAAA,QAC1B,OAAO;AAAA,QACP,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,MAChC,CAAC;AAED,YAAM,QAAQ,GAAG,QAAQ,CAAC,SAAiB;AACzC,kBAAU,KAAK,SAAS;AAAA,MAC1B,CAAC;AAED,YAAM,QAAQ,GAAG,QAAQ,CAAC,SAAiB;AACzC,kBAAU,KAAK,SAAS;AAAA,MAC1B,CAAC;AAED,YAAM,GAAG,SAAS,CAAC,UAAiB;AAClC,YAAI,UAAW,cAAa,SAAS;AACrC,eAAO,KAAK;AAAA,MACd,CAAC;AAED,YAAM,GAAG,SAAS,CAAC,SAAwB;AACzC,YAAI,UAAW,cAAa,SAAS;AACrC,QAAAA,SAAQ;AAAA,UACN;AAAA,UACA;AAAA,UACA,UAAU,QAAQ;AAAA,UAClB;AAAA,QACF,CAAC;AAAA,MACH,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AACF;AAGA,IAAI,0BAAoD;AAKjD,SAAS,qBAAqB,YAAwC;AAC3E,MAAI,CAAC,yBAAyB;AAC5B,8BAA0B,IAAI,kBAAkB,cAAc,QAAQ,IAAI,CAAC;AAAA,EAC7E,WAAW,YAAY;AAErB,8BAA0B,IAAI;AAAA,MAC5B;AAAA,MACA,wBAAwB,UAAU;AAAA,IACpC;AAAA,EACF;AACA,SAAO;AACT;AAKO,SAAS,yBAA+B;AAC7C,4BAA0B;AAC5B;",
+  "sourcesContent": ["/**\n * Sandbox Controller\n *\n * Main controller for the sandbox execution system.\n * Coordinates filesystem, network, and process isolation.\n */\n\nimport { spawn, type ChildProcess } from 'child_process'\nimport { platform } from 'os'\nimport { existsSync } from 'fs'\nimport { resolve } from 'path'\nimport type {\n  ISandboxController,\n  SandboxConfig,\n  SandboxExecutionResult,\n  SandboxImplementation,\n  SandboxViolation,\n} from './types'\nimport { DEFAULT_SANDBOX_CONFIG } from './types'\nimport { FilesystemBoundary } from './filesystemBoundary'\nimport { NetworkProxy } from './networkProxy'\n\n/**\n * Sandbox Controller Implementation\n *\n * Provides unified sandbox management with OS-specific implementations.\n */\nexport class SandboxController implements ISandboxController {\n  private config: SandboxConfig\n  private implementation: SandboxImplementation\n  private filesystemBoundary: FilesystemBoundary\n  private networkProxy: NetworkProxy\n  private violations: SandboxViolation[] = []\n  private workingDir: string\n\n  constructor(workingDir: string, config?: Partial<SandboxConfig>) {\n    this.workingDir = resolve(workingDir)\n    this.config = { ...DEFAULT_SANDBOX_CONFIG, ...config }\n    this.implementation = this.detectImplementation()\n    this.filesystemBoundary = new FilesystemBoundary(\n      this.config.filesystem,\n      this.workingDir,\n    )\n    this.networkProxy = new NetworkProxy(this.config.network)\n  }\n\n  /**\n   * Check if sandbox is available on this system\n   */\n  async isAvailable(): Promise<boolean> {\n    if (!this.config.enabled) {\n      return false\n    }\n\n    switch (this.implementation) {\n      case 'seatbelt':\n        return this.isSeatbeltAvailable()\n      case 'bubblewrap':\n        return this.isBubblewrapAvailable()\n      case 'docker':\n        return this.isDockerAvailable()\n      default:\n        return false\n    }\n  }\n\n  /**\n   * Get the implementation type\n   */\n  getImplementationType(): SandboxImplementation {\n    return this.implementation\n  }\n\n  /**\n   * Initialize the sandbox\n   */\n  async initialize(config: SandboxConfig): Promise<void> {\n    this.config = config\n    this.filesystemBoundary = new FilesystemBoundary(\n      config.filesystem,\n      this.workingDir,\n    )\n    this.networkProxy = new NetworkProxy(config.network)\n    this.violations = []\n  }\n\n  /**\n   * Pre-validate a command against policies\n   */\n  async validateCommand(command: string): Promise<{\n    valid: boolean\n    violations: SandboxViolation[]\n  }> {\n    const violations: SandboxViolation[] = []\n\n    // Check if command is excluded from sandboxing\n    if (this.isExcludedCommand(command)) {\n      return { valid: true, violations: [] }\n    }\n\n    // Validate filesystem access\n    const fsResult = this.filesystemBoundary.analyzeCommand(command)\n    for (const violation of fsResult.violations) {\n      violation.command = command\n      violations.push(violation)\n    }\n\n    // Validate network access\n    const netResult = this.networkProxy.analyzeCommand(command)\n    for (const violation of netResult.violations) {\n      violation.command = command\n      violations.push(violation)\n    }\n\n    // Store all violations\n    this.violations.push(...violations)\n\n    return {\n      valid: violations.length === 0,\n      violations,\n    }\n  }\n\n  /**\n   * Execute a command in the sandbox\n   */\n  async execute(\n    command: string,\n    workingDir: string,\n    signal?: AbortSignal,\n    timeout?: number,\n  ): Promise<SandboxExecutionResult> {\n    const startTime = Date.now()\n    this.workingDir = resolve(workingDir)\n    this.filesystemBoundary.setWorkingDir(this.workingDir)\n\n    // If sandbox is disabled, execute directly\n    if (!this.config.enabled) {\n      return this.executeDirectly(command, signal, timeout)\n    }\n\n    // Validate command first\n    const validation = await this.validateCommand(command)\n    if (!validation.valid) {\n      return {\n        stdout: '',\n        stderr: `Sandbox blocked command:\\n${validation.violations\n          .map(v => `- ${v.details}`)\n          .join('\\n')}`,\n        exitCode: 1,\n        interrupted: false,\n        blocked: true,\n        blockReason: validation.violations[0]?.details,\n        duration: Date.now() - startTime,\n      }\n    }\n\n    // Check if command is excluded from sandboxing\n    if (this.isExcludedCommand(command)) {\n      return this.executeDirectly(command, signal, timeout)\n    }\n\n    // Execute with appropriate sandbox\n    switch (this.implementation) {\n      case 'seatbelt':\n        return this.executeWithSeatbelt(command, signal, timeout, startTime)\n      case 'bubblewrap':\n        return this.executeWithBubblewrap(command, signal, timeout, startTime)\n      case 'docker':\n        return this.executeWithDocker(command, signal, timeout, startTime)\n      default:\n        // No sandbox available, execute directly with validation only\n        return this.executeDirectly(command, signal, timeout)\n    }\n  }\n\n  /**\n   * Get current configuration\n   */\n  getConfig(): SandboxConfig {\n    return { ...this.config }\n  }\n\n  /**\n   * Update configuration\n   */\n  updateConfig(config: Partial<SandboxConfig>): void {\n    this.config = { ...this.config, ...config }\n    if (config.filesystem) {\n      this.filesystemBoundary.updatePolicy(config.filesystem)\n    }\n    if (config.network) {\n      this.networkProxy.updatePolicy(config.network)\n    }\n  }\n\n  /**\n   * Get violation history\n   */\n  getViolations(): SandboxViolation[] {\n    return [\n      ...this.violations,\n      ...this.filesystemBoundary.getViolations(),\n      ...this.networkProxy.getViolations(),\n    ]\n  }\n\n  /**\n   * Clear violation history\n   */\n  clearViolations(): void {\n    this.violations = []\n    this.filesystemBoundary.clearViolations()\n    this.networkProxy.clearViolations()\n  }\n\n  /**\n   * Get filesystem boundary instance\n   */\n  getFilesystemBoundary(): FilesystemBoundary {\n    return this.filesystemBoundary\n  }\n\n  /**\n   * Get network proxy instance\n   */\n  getNetworkProxy(): NetworkProxy {\n    return this.networkProxy\n  }\n\n  /**\n   * Detect the best available sandbox implementation\n   */\n  private detectImplementation(): SandboxImplementation {\n    const os = platform()\n\n    if (os === 'darwin') {\n      // macOS - use seatbelt/sandbox-exec\n      return 'seatbelt'\n    } else if (os === 'linux') {\n      // Linux - prefer bubblewrap, fallback to docker\n      if (this.hasBubblewrap()) {\n        return 'bubblewrap'\n      } else if (this.hasDocker()) {\n        return 'docker'\n      }\n    }\n\n    return 'none'\n  }\n\n  /**\n   * Check if bubblewrap is installed\n   */\n  private hasBubblewrap(): boolean {\n    return existsSync('/usr/bin/bwrap') || existsSync('/usr/local/bin/bwrap')\n  }\n\n  /**\n   * Check if docker is available\n   */\n  private hasDocker(): boolean {\n    return existsSync('/usr/bin/docker') || existsSync('/usr/local/bin/docker')\n  }\n\n  /**\n   * Check if seatbelt (macOS sandbox-exec) is available\n   */\n  private async isSeatbeltAvailable(): Promise<boolean> {\n    return platform() === 'darwin' && existsSync('/usr/bin/sandbox-exec')\n  }\n\n  /**\n   * Check if bubblewrap is available and working\n   */\n  private async isBubblewrapAvailable(): Promise<boolean> {\n    if (!this.hasBubblewrap()) return false\n    try {\n      const result = await this.spawnAsync('bwrap', ['--version'])\n      return result.exitCode === 0\n    } catch {\n      return false\n    }\n  }\n\n  /**\n   * Check if docker is available and running\n   */\n  private async isDockerAvailable(): Promise<boolean> {\n    if (!this.hasDocker()) return false\n    try {\n      const result = await this.spawnAsync('docker', ['info'])\n      return result.exitCode === 0\n    } catch {\n      return false\n    }\n  }\n\n  /**\n   * Check if a command is excluded from sandboxing\n   */\n  private isExcludedCommand(command: string): boolean {\n    const firstWord = command.trim().split(/\\s+/)[0]?.toLowerCase()\n    if (!firstWord) return false\n    return this.config.process.excludedCommands.some(\n      excluded => firstWord === excluded.toLowerCase(),\n    )\n  }\n\n  /**\n   * Execute command directly without sandboxing\n   */\n  private async executeDirectly(\n    command: string,\n    signal?: AbortSignal,\n    timeout?: number,\n  ): Promise<SandboxExecutionResult> {\n    const startTime = Date.now()\n    const effectiveTimeout = timeout || this.config.process.maxExecutionTime\n\n    try {\n      const result = await this.spawnAsync('sh', ['-c', command], {\n        cwd: this.workingDir,\n        signal,\n        timeout: effectiveTimeout,\n      })\n\n      return {\n        stdout: result.stdout,\n        stderr: result.stderr,\n        exitCode: result.exitCode,\n        interrupted: result.interrupted,\n        blocked: false,\n        duration: Date.now() - startTime,\n      }\n    } catch (error) {\n      const err = error as Error\n      return {\n        stdout: '',\n        stderr: err.message,\n        exitCode: 1,\n        interrupted: signal?.aborted || false,\n        blocked: false,\n        duration: Date.now() - startTime,\n      }\n    }\n  }\n\n  /**\n   * Execute command with macOS seatbelt sandbox\n   */\n  private async executeWithSeatbelt(\n    command: string,\n    signal?: AbortSignal,\n    timeout?: number,\n    startTime?: number,\n  ): Promise<SandboxExecutionResult> {\n    const start = startTime || Date.now()\n    const effectiveTimeout = timeout || this.config.process.maxExecutionTime\n\n    // Generate seatbelt profile\n    const profile = this.generateSeatbeltProfile()\n\n    try {\n      const result = await this.spawnAsync(\n        'sandbox-exec',\n        ['-p', profile, 'sh', '-c', command],\n        {\n          cwd: this.workingDir,\n          signal,\n          timeout: effectiveTimeout,\n        },\n      )\n\n      return {\n        stdout: result.stdout,\n        stderr: result.stderr,\n        exitCode: result.exitCode,\n        interrupted: result.interrupted,\n        blocked: false,\n        duration: Date.now() - start,\n      }\n    } catch (error) {\n      const err = error as Error\n      const isBlocked =\n        err.message.includes('sandbox') || err.message.includes('denied')\n      return {\n        stdout: '',\n        stderr: err.message,\n        exitCode: 1,\n        interrupted: signal?.aborted || false,\n        blocked: isBlocked,\n        blockReason: isBlocked ? 'Sandbox policy violation' : undefined,\n        duration: Date.now() - start,\n      }\n    }\n  }\n\n  /**\n   * Escape a path for use in seatbelt profile strings.\n   * Prevents injection via backslashes or double quotes in directory names.\n   */\n  private escapeSbplPath(path: string): string {\n    return path.replace(/\\\\/g, '\\\\\\\\').replace(/\"/g, '\\\\\"')\n  }\n\n  /**\n   * Generate macOS seatbelt profile\n   */\n  private generateSeatbeltProfile(): string {\n    const writeAllowed = this.config.filesystem.writeAllowed\n      .map(p => {\n        if (p === './')\n          return `(subpath \"${this.escapeSbplPath(this.workingDir)}\")`\n        if (p === '*') return '(subpath \"/\")'\n        const absPath = resolve(this.workingDir, p)\n        return `(subpath \"${this.escapeSbplPath(absPath)}\")`\n      })\n      .join('\\n    ')\n\n    const readAllowed = this.config.filesystem.readAllowed\n      .map(p => {\n        if (p === '*') return '(subpath \"/\")'\n        const absPath = resolve(this.workingDir, p)\n        return `(subpath \"${this.escapeSbplPath(absPath)}\")`\n      })\n      .join('\\n    ')\n\n    const networkRules = this.config.network.blockAll\n      ? '(deny network*)'\n      : this.config.network.allowedDomains.length > 0\n        ? `(allow network-outbound\n    (remote tcp \"${this.config.network.allowedDomains.join('\", \"')}\"))`\n        : '(allow network-outbound)'\n\n    return `\n(version 1)\n(deny default)\n\n; Allow basic system operations\n(allow process-exec*)\n(allow process-fork)\n(allow file-read-metadata)\n(allow sysctl-read)\n\n; Allow reading system libraries and executables\n(allow file-read*\n    (subpath \"/usr\")\n    (subpath \"/bin\")\n    (subpath \"/sbin\")\n    (subpath \"/System\")\n    (subpath \"/Library\")\n    (subpath \"/private/var\")\n    (subpath \"/private/tmp\")\n    (subpath \"/dev\")\n    (subpath \"/tmp\")\n    ${readAllowed}\n)\n\n; Allow writing to specific paths\n(allow file-write*\n    (subpath \"/dev\")\n    (subpath \"/private/tmp\")\n    (subpath \"/tmp\")\n    ${writeAllowed}\n)\n\n; Network rules\n${networkRules}\n\n; Allow stdout/stderr\n(allow file-write-data\n    (literal \"/dev/null\")\n    (literal \"/dev/zero\")\n    (literal \"/dev/random\")\n    (literal \"/dev/urandom\")\n    (literal \"/dev/tty\")\n    (literal \"/dev/console\")\n)\n\n; Allow process management\n(allow signal)\n(allow mach-lookup)\n(allow ipc-posix-shm-read-data)\n(allow ipc-posix-shm-write-data)\n`\n  }\n\n  /**\n   * Execute command with Linux bubblewrap sandbox\n   */\n  private async executeWithBubblewrap(\n    command: string,\n    signal?: AbortSignal,\n    timeout?: number,\n    startTime?: number,\n  ): Promise<SandboxExecutionResult> {\n    const start = startTime || Date.now()\n    const effectiveTimeout = timeout || this.config.process.maxExecutionTime\n\n    // Build bubblewrap arguments\n    const bwrapArgs = this.buildBubblewrapArgs()\n\n    try {\n      const result = await this.spawnAsync(\n        'bwrap',\n        [...bwrapArgs, 'sh', '-c', command],\n        {\n          cwd: this.workingDir,\n          signal,\n          timeout: effectiveTimeout,\n        },\n      )\n\n      return {\n        stdout: result.stdout,\n        stderr: result.stderr,\n        exitCode: result.exitCode,\n        interrupted: result.interrupted,\n        blocked: false,\n        duration: Date.now() - start,\n      }\n    } catch (error) {\n      const err = error as Error\n      return {\n        stdout: '',\n        stderr: err.message,\n        exitCode: 1,\n        interrupted: signal?.aborted || false,\n        blocked: false,\n        duration: Date.now() - start,\n      }\n    }\n  }\n\n  /**\n   * Build bubblewrap command arguments\n   */\n  private buildBubblewrapArgs(): string[] {\n    const args: string[] = []\n\n    // Basic sandboxing\n    args.push('--unshare-all')\n    args.push('--die-with-parent')\n\n    // Mount system directories read-only\n    args.push('--ro-bind', '/usr', '/usr')\n    args.push('--ro-bind', '/bin', '/bin')\n    args.push('--ro-bind', '/lib', '/lib')\n    if (existsSync('/lib64')) {\n      args.push('--ro-bind', '/lib64', '/lib64')\n    }\n    args.push('--ro-bind', '/etc', '/etc')\n\n    // Allow /tmp\n    args.push('--tmpfs', '/tmp')\n\n    // Set working directory with read-write access\n    args.push('--bind', this.workingDir, this.workingDir)\n    args.push('--chdir', this.workingDir)\n\n    // Add additional read paths\n    for (const path of this.config.filesystem.readAllowed) {\n      if (path !== '*' && path !== './' && existsSync(path)) {\n        const absPath = resolve(this.workingDir, path)\n        if (existsSync(absPath)) {\n          args.push('--ro-bind', absPath, absPath)\n        }\n      }\n    }\n\n    // Add additional write paths\n    for (const path of this.config.filesystem.writeAllowed) {\n      if (path !== './' && path !== '*') {\n        const absPath = resolve(this.workingDir, path)\n        if (existsSync(absPath)) {\n          args.push('--bind', absPath, absPath)\n        }\n      }\n    }\n\n    // Network isolation (if blocking all)\n    if (this.config.network.blockAll) {\n      args.push('--unshare-net')\n    }\n\n    // Process limits\n    if (this.config.process.maxProcesses > 0) {\n      args.push(\n        '--setenv',\n        'MINTO_MAX_PROCS',\n        String(this.config.process.maxProcesses),\n      )\n    }\n\n    return args\n  }\n\n  /**\n   * Execute command with Docker sandbox\n   */\n  private async executeWithDocker(\n    command: string,\n    signal?: AbortSignal,\n    timeout?: number,\n    startTime?: number,\n  ): Promise<SandboxExecutionResult> {\n    const start = startTime || Date.now()\n    const effectiveTimeout = timeout || this.config.process.maxExecutionTime\n\n    // Build docker run arguments\n    const dockerArgs = [\n      'run',\n      '--rm',\n      '-i',\n      '--network',\n      this.config.network.blockAll ? 'none' : 'bridge',\n      '-v',\n      `${this.workingDir}:/workspace`,\n      '-w',\n      '/workspace',\n    ]\n\n    // Add memory limit\n    if (this.config.process.maxMemory > 0) {\n      dockerArgs.push('--memory', `${this.config.process.maxMemory}`)\n    }\n\n    // Use a minimal image\n    dockerArgs.push('alpine:latest')\n    dockerArgs.push('sh', '-c', command)\n\n    try {\n      const result = await this.spawnAsync('docker', dockerArgs, {\n        cwd: this.workingDir,\n        signal,\n        timeout: effectiveTimeout,\n      })\n\n      return {\n        stdout: result.stdout,\n        stderr: result.stderr,\n        exitCode: result.exitCode,\n        interrupted: result.interrupted,\n        blocked: false,\n        duration: Date.now() - start,\n      }\n    } catch (error) {\n      const err = error as Error\n      return {\n        stdout: '',\n        stderr: err.message,\n        exitCode: 1,\n        interrupted: signal?.aborted || false,\n        blocked: false,\n        duration: Date.now() - start,\n      }\n    }\n  }\n\n  /**\n   * Spawn a process with promise wrapper\n   */\n  private spawnAsync(\n    cmd: string,\n    args: string[],\n    options?: {\n      cwd?: string\n      signal?: AbortSignal\n      timeout?: number\n    },\n  ): Promise<{\n    stdout: string\n    stderr: string\n    exitCode: number\n    interrupted: boolean\n  }> {\n    return new Promise((resolve, reject) => {\n      let stdout = ''\n      let stderr = ''\n      let interrupted = false\n      let child: ChildProcess | null = null\n\n      const timeoutId = options?.timeout\n        ? setTimeout(() => {\n            interrupted = true\n            child?.kill('SIGTERM')\n          }, options.timeout)\n        : null\n\n      // Handle abort signal\n      if (options?.signal) {\n        options.signal.addEventListener('abort', () => {\n          interrupted = true\n          child?.kill('SIGTERM')\n        })\n      }\n\n      child = spawn(cmd, args, {\n        cwd: options?.cwd || this.workingDir,\n        shell: false,\n        stdio: ['pipe', 'pipe', 'pipe'],\n      })\n\n      child.stdout?.on('data', (data: Buffer) => {\n        stdout += data.toString()\n      })\n\n      child.stderr?.on('data', (data: Buffer) => {\n        stderr += data.toString()\n      })\n\n      child.on('error', (error: Error) => {\n        if (timeoutId) clearTimeout(timeoutId)\n        reject(error)\n      })\n\n      child.on('close', (code: number | null) => {\n        if (timeoutId) clearTimeout(timeoutId)\n        resolve({\n          stdout,\n          stderr,\n          exitCode: code ?? 1,\n          interrupted,\n        })\n      })\n    })\n  }\n}\n\n// Global singleton instance\nlet globalSandboxController: SandboxController | null = null\n\n/**\n * Get the global sandbox controller instance\n */\nexport function getSandboxController(workingDir?: string): SandboxController {\n  if (!globalSandboxController) {\n    globalSandboxController = new SandboxController(workingDir || process.cwd())\n  } else if (workingDir) {\n    // Update working directory if provided\n    globalSandboxController = new SandboxController(\n      workingDir,\n      globalSandboxController.getConfig(),\n    )\n  }\n  return globalSandboxController\n}\n\n/**\n * Reset the global sandbox controller (for testing)\n */\nexport function resetSandboxController(): void {\n  globalSandboxController = null\n}\n"],
+  "mappings": "AAOA,SAAS,aAAgC;AACzC,SAAS,gBAAgB;AACzB,SAAS,kBAAkB;AAC3B,SAAS,eAAe;AAQxB,SAAS,8BAA8B;AACvC,SAAS,0BAA0B;AACnC,SAAS,oBAAoB;AAOtB,MAAM,kBAAgD;AAAA,EACnD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,aAAiC,CAAC;AAAA,EAClC;AAAA,EAER,YAAY,YAAoB,QAAiC;AAC/D,SAAK,aAAa,QAAQ,UAAU;AACpC,SAAK,SAAS,EAAE,GAAG,wBAAwB,GAAG,OAAO;AACrD,SAAK,iBAAiB,KAAK,qBAAqB;AAChD,SAAK,qBAAqB,IAAI;AAAA,MAC5B,KAAK,OAAO;AAAA,MACZ,KAAK;AAAA,IACP;AACA,SAAK,eAAe,IAAI,aAAa,KAAK,OAAO,OAAO;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cAAgC;AACpC,QAAI,CAAC,KAAK,OAAO,SAAS;AACxB,aAAO;AAAA,IACT;AAEA,YAAQ,KAAK,gBAAgB;AAAA,MAC3B,KAAK;AACH,eAAO,KAAK,oBAAoB;AAAA,MAClC,KAAK;AACH,eAAO,KAAK,sBAAsB;AAAA,MACpC,KAAK;AACH,eAAO,KAAK,kBAAkB;AAAA,MAChC;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,wBAA+C;AAC7C,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAW,QAAsC;AACrD,SAAK,SAAS;AACd,SAAK,qBAAqB,IAAI;AAAA,MAC5B,OAAO;AAAA,MACP,KAAK;AAAA,IACP;AACA,SAAK,eAAe,IAAI,aAAa,OAAO,OAAO;AACnD,SAAK,aAAa,CAAC;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,SAGnB;AACD,UAAM,aAAiC,CAAC;AAGxC,QAAI,KAAK,kBAAkB,OAAO,GAAG;AACnC,aAAO,EAAE,OAAO,MAAM,YAAY,CAAC,EAAE;AAAA,IACvC;AAGA,UAAM,WAAW,KAAK,mBAAmB,eAAe,OAAO;AAC/D,eAAW,aAAa,SAAS,YAAY;AAC3C,gBAAU,UAAU;AACpB,iBAAW,KAAK,SAAS;AAAA,IAC3B;AAGA,UAAM,YAAY,KAAK,aAAa,eAAe,OAAO;AAC1D,eAAW,aAAa,UAAU,YAAY;AAC5C,gBAAU,UAAU;AACpB,iBAAW,KAAK,SAAS;AAAA,IAC3B;AAGA,SAAK,WAAW,KAAK,GAAG,UAAU;AAElC,WAAO;AAAA,MACL,OAAO,WAAW,WAAW;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QACJ,SACA,YACA,QACA,SACiC;AACjC,UAAM,YAAY,KAAK,IAAI;AAC3B,SAAK,aAAa,QAAQ,UAAU;AACpC,SAAK,mBAAmB,cAAc,KAAK,UAAU;AAGrD,QAAI,CAAC,KAAK,OAAO,SAAS;AACxB,aAAO,KAAK,gBAAgB,SAAS,QAAQ,OAAO;AAAA,IACtD;AAGA,UAAM,aAAa,MAAM,KAAK,gBAAgB,OAAO;AACrD,QAAI,CAAC,WAAW,OAAO;AACrB,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,QAAQ;AAAA,EAA6B,WAAW,WAC7C,IAAI,OAAK,KAAK,EAAE,OAAO,EAAE,EACzB,KAAK,IAAI,CAAC;AAAA,QACb,UAAU;AAAA,QACV,aAAa;AAAA,QACb,SAAS;AAAA,QACT,aAAa,WAAW,WAAW,CAAC,GAAG;AAAA,QACvC,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF;AAGA,QAAI,KAAK,kBAAkB,OAAO,GAAG;AACnC,aAAO,KAAK,gBAAgB,SAAS,QAAQ,OAAO;AAAA,IACtD;AAGA,YAAQ,KAAK,gBAAgB;AAAA,MAC3B,KAAK;AACH,eAAO,KAAK,oBAAoB,SAAS,QAAQ,SAAS,SAAS;AAAA,MACrE,KAAK;AACH,eAAO,KAAK,sBAAsB,SAAS,QAAQ,SAAS,SAAS;AAAA,MACvE,KAAK;AACH,eAAO,KAAK,kBAAkB,SAAS,QAAQ,SAAS,SAAS;AAAA,MACnE;AAEE,eAAO,KAAK,gBAAgB,SAAS,QAAQ,OAAO;AAAA,IACxD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,YAA2B;AACzB,WAAO,EAAE,GAAG,KAAK,OAAO;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,QAAsC;AACjD,SAAK,SAAS,EAAE,GAAG,KAAK,QAAQ,GAAG,OAAO;AAC1C,QAAI,OAAO,YAAY;AACrB,WAAK,mBAAmB,aAAa,OAAO,UAAU;AAAA,IACxD;AACA,QAAI,OAAO,SAAS;AAClB,WAAK,aAAa,aAAa,OAAO,OAAO;AAAA,IAC/C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAoC;AAClC,WAAO;AAAA,MACL,GAAG,KAAK;AAAA,MACR,GAAG,KAAK,mBAAmB,cAAc;AAAA,MACzC,GAAG,KAAK,aAAa,cAAc;AAAA,IACrC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAwB;AACtB,SAAK,aAAa,CAAC;AACnB,SAAK,mBAAmB,gBAAgB;AACxC,SAAK,aAAa,gBAAgB;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA,EAKA,wBAA4C;AAC1C,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAgC;AAC9B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKQ,uBAA8C;AACpD,UAAM,KAAK,SAAS;AAEpB,QAAI,OAAO,UAAU;AAEnB,aAAO;AAAA,IACT,WAAW,OAAO,SAAS;AAEzB,UAAI,KAAK,cAAc,GAAG;AACxB,eAAO;AAAA,MACT,WAAW,KAAK,UAAU,GAAG;AAC3B,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAyB;AAC/B,WAAO,WAAW,gBAAgB,KAAK,WAAW,sBAAsB;AAAA,EAC1E;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAqB;AAC3B,WAAO,WAAW,iBAAiB,KAAK,WAAW,uBAAuB;AAAA,EAC5E;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,sBAAwC;AACpD,WAAO,SAAS,MAAM,YAAY,WAAW,uBAAuB;AAAA,EACtE;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,wBAA0C;AACtD,QAAI,CAAC,KAAK,cAAc,EAAG,QAAO;AAClC,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,WAAW,SAAS,CAAC,WAAW,CAAC;AAC3D,aAAO,OAAO,aAAa;AAAA,IAC7B,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,oBAAsC;AAClD,QAAI,CAAC,KAAK,UAAU,EAAG,QAAO;AAC9B,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,WAAW,UAAU,CAAC,MAAM,CAAC;AACvD,aAAO,OAAO,aAAa;AAAA,IAC7B,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,SAA0B;AAClD,UAAM,YAAY,QAAQ,KAAK,EAAE,MAAM,KAAK,EAAE,CAAC,GAAG,YAAY;AAC9D,QAAI,CAAC,UAAW,QAAO;AACvB,WAAO,KAAK,OAAO,QAAQ,iBAAiB;AAAA,MAC1C,cAAY,cAAc,SAAS,YAAY;AAAA,IACjD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,gBACZ,SACA,QACA,SACiC;AACjC,UAAM,YAAY,KAAK,IAAI;AAC3B,UAAM,mBAAmB,WAAW,KAAK,OAAO,QAAQ;AAExD,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,WAAW,MAAM,CAAC,MAAM,OAAO,GAAG;AAAA,QAC1D,KAAK,KAAK;AAAA,QACV;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,aAAO;AAAA,QACL,QAAQ,OAAO;AAAA,QACf,QAAQ,OAAO;AAAA,QACf,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF,SAAS,OAAO;AACd,YAAM,MAAM;AACZ,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,QAAQ,IAAI;AAAA,QACZ,UAAU;AAAA,QACV,aAAa,QAAQ,WAAW;AAAA,QAChC,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,oBACZ,SACA,QACA,SACA,WACiC;AACjC,UAAM,QAAQ,aAAa,KAAK,IAAI;AACpC,UAAM,mBAAmB,WAAW,KAAK,OAAO,QAAQ;AAGxD,UAAM,UAAU,KAAK,wBAAwB;AAE7C,QAAI;AACF,YAAM,SAAS,MAAM,KAAK;AAAA,QACxB;AAAA,QACA,CAAC,MAAM,SAAS,MAAM,MAAM,OAAO;AAAA,QACnC;AAAA,UACE,KAAK,KAAK;AAAA,UACV;AAAA,UACA,SAAS;AAAA,QACX;AAAA,MACF;AAEA,aAAO;AAAA,QACL,QAAQ,OAAO;AAAA,QACf,QAAQ,OAAO;AAAA,QACf,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF,SAAS,OAAO;AACd,YAAM,MAAM;AACZ,YAAM,YACJ,IAAI,QAAQ,SAAS,SAAS,KAAK,IAAI,QAAQ,SAAS,QAAQ;AAClE,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,QAAQ,IAAI;AAAA,QACZ,UAAU;AAAA,QACV,aAAa,QAAQ,WAAW;AAAA,QAChC,SAAS;AAAA,QACT,aAAa,YAAY,6BAA6B;AAAA,QACtD,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,eAAe,MAAsB;AAC3C,WAAO,KAAK,QAAQ,OAAO,MAAM,EAAE,QAAQ,MAAM,KAAK;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA,EAKQ,0BAAkC;AACxC,UAAM,eAAe,KAAK,OAAO,WAAW,aACzC,IAAI,OAAK;AACR,UAAI,MAAM;AACR,eAAO,aAAa,KAAK,eAAe,KAAK,UAAU,CAAC;AAC1D,UAAI,MAAM,IAAK,QAAO;AACtB,YAAM,UAAU,QAAQ,KAAK,YAAY,CAAC;AAC1C,aAAO,aAAa,KAAK,eAAe,OAAO,CAAC;AAAA,IAClD,CAAC,EACA,KAAK,QAAQ;AAEhB,UAAM,cAAc,KAAK,OAAO,WAAW,YACxC,IAAI,OAAK;AACR,UAAI,MAAM,IAAK,QAAO;AACtB,YAAM,UAAU,QAAQ,KAAK,YAAY,CAAC;AAC1C,aAAO,aAAa,KAAK,eAAe,OAAO,CAAC;AAAA,IAClD,CAAC,EACA,KAAK,QAAQ;AAEhB,UAAM,eAAe,KAAK,OAAO,QAAQ,WACrC,oBACA,KAAK,OAAO,QAAQ,eAAe,SAAS,IAC1C;AAAA,mBACS,KAAK,OAAO,QAAQ,eAAe,KAAK,MAAM,CAAC,QACxD;AAEN,WAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAqBL,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAQX,YAAY;AAAA;AAAA;AAAA;AAAA,EAIhB,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBZ;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,sBACZ,SACA,QACA,SACA,WACiC;AACjC,UAAM,QAAQ,aAAa,KAAK,IAAI;AACpC,UAAM,mBAAmB,WAAW,KAAK,OAAO,QAAQ;AAGxD,UAAM,YAAY,KAAK,oBAAoB;AAE3C,QAAI;AACF,YAAM,SAAS,MAAM,KAAK;AAAA,QACxB;AAAA,QACA,CAAC,GAAG,WAAW,MAAM,MAAM,OAAO;AAAA,QAClC;AAAA,UACE,KAAK,KAAK;AAAA,UACV;AAAA,UACA,SAAS;AAAA,QACX;AAAA,MACF;AAEA,aAAO;AAAA,QACL,QAAQ,OAAO;AAAA,QACf,QAAQ,OAAO;AAAA,QACf,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF,SAAS,OAAO;AACd,YAAM,MAAM;AACZ,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,QAAQ,IAAI;AAAA,QACZ,UAAU;AAAA,QACV,aAAa,QAAQ,WAAW;AAAA,QAChC,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,sBAAgC;AACtC,UAAM,OAAiB,CAAC;AAGxB,SAAK,KAAK,eAAe;AACzB,SAAK,KAAK,mBAAmB;AAG7B,SAAK,KAAK,aAAa,QAAQ,MAAM;AACrC,SAAK,KAAK,aAAa,QAAQ,MAAM;AACrC,SAAK,KAAK,aAAa,QAAQ,MAAM;AACrC,QAAI,WAAW,QAAQ,GAAG;AACxB,WAAK,KAAK,aAAa,UAAU,QAAQ;AAAA,IAC3C;AACA,SAAK,KAAK,aAAa,QAAQ,MAAM;AAGrC,SAAK,KAAK,WAAW,MAAM;AAG3B,SAAK,KAAK,UAAU,KAAK,YAAY,KAAK,UAAU;AACpD,SAAK,KAAK,WAAW,KAAK,UAAU;AAGpC,eAAW,QAAQ,KAAK,OAAO,WAAW,aAAa;AACrD,UAAI,SAAS,OAAO,SAAS,QAAQ,WAAW,IAAI,GAAG;AACrD,cAAM,UAAU,QAAQ,KAAK,YAAY,IAAI;AAC7C,YAAI,WAAW,OAAO,GAAG;AACvB,eAAK,KAAK,aAAa,SAAS,OAAO;AAAA,QACzC;AAAA,MACF;AAAA,IACF;AAGA,eAAW,QAAQ,KAAK,OAAO,WAAW,cAAc;AACtD,UAAI,SAAS,QAAQ,SAAS,KAAK;AACjC,cAAM,UAAU,QAAQ,KAAK,YAAY,IAAI;AAC7C,YAAI,WAAW,OAAO,GAAG;AACvB,eAAK,KAAK,UAAU,SAAS,OAAO;AAAA,QACtC;AAAA,MACF;AAAA,IACF;AAGA,QAAI,KAAK,OAAO,QAAQ,UAAU;AAChC,WAAK,KAAK,eAAe;AAAA,IAC3B;AAGA,QAAI,KAAK,OAAO,QAAQ,eAAe,GAAG;AACxC,WAAK;AAAA,QACH;AAAA,QACA;AAAA,QACA,OAAO,KAAK,OAAO,QAAQ,YAAY;AAAA,MACzC;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,kBACZ,SACA,QACA,SACA,WACiC;AACjC,UAAM,QAAQ,aAAa,KAAK,IAAI;AACpC,UAAM,mBAAmB,WAAW,KAAK,OAAO,QAAQ;AAGxD,UAAM,aAAa;AAAA,MACjB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,KAAK,OAAO,QAAQ,WAAW,SAAS;AAAA,MACxC;AAAA,MACA,GAAG,KAAK,UAAU;AAAA,MAClB;AAAA,MACA;AAAA,IACF;AAGA,QAAI,KAAK,OAAO,QAAQ,YAAY,GAAG;AACrC,iBAAW,KAAK,YAAY,GAAG,KAAK,OAAO,QAAQ,SAAS,EAAE;AAAA,IAChE;AAGA,eAAW,KAAK,eAAe;AAC/B,eAAW,KAAK,MAAM,MAAM,OAAO;AAEnC,QAAI;AACF,YAAM,SAAS,MAAM,KAAK,WAAW,UAAU,YAAY;AAAA,QACzD,KAAK,KAAK;AAAA,QACV;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAED,aAAO;AAAA,QACL,QAAQ,OAAO;AAAA,QACf,QAAQ,OAAO;AAAA,QACf,UAAU,OAAO;AAAA,QACjB,aAAa,OAAO;AAAA,QACpB,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF,SAAS,OAAO;AACd,YAAM,MAAM;AACZ,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,QAAQ,IAAI;AAAA,QACZ,UAAU;AAAA,QACV,aAAa,QAAQ,WAAW;AAAA,QAChC,SAAS;AAAA,QACT,UAAU,KAAK,IAAI,IAAI;AAAA,MACzB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,WACN,KACA,MACA,SAUC;AACD,WAAO,IAAI,QAAQ,CAACA,UAAS,WAAW;AACtC,UAAI,SAAS;AACb,UAAI,SAAS;AACb,UAAI,cAAc;AAClB,UAAI,QAA6B;AAEjC,YAAM,YAAY,SAAS,UACvB,WAAW,MAAM;AACf,sBAAc;AACd,eAAO,KAAK,SAAS;AAAA,MACvB,GAAG,QAAQ,OAAO,IAClB;AAGJ,UAAI,SAAS,QAAQ;AACnB,gBAAQ,OAAO,iBAAiB,SAAS,MAAM;AAC7C,wBAAc;AACd,iBAAO,KAAK,SAAS;AAAA,QACvB,CAAC;AAAA,MACH;AAEA,cAAQ,MAAM,KAAK,MAAM;AAAA,QACvB,KAAK,SAAS,OAAO,KAAK;AAAA,QAC1B,OAAO;AAAA,QACP,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,MAChC,CAAC;AAED,YAAM,QAAQ,GAAG,QAAQ,CAAC,SAAiB;AACzC,kBAAU,KAAK,SAAS;AAAA,MAC1B,CAAC;AAED,YAAM,QAAQ,GAAG,QAAQ,CAAC,SAAiB;AACzC,kBAAU,KAAK,SAAS;AAAA,MAC1B,CAAC;AAED,YAAM,GAAG,SAAS,CAAC,UAAiB;AAClC,YAAI,UAAW,cAAa,SAAS;AACrC,eAAO,KAAK;AAAA,MACd,CAAC;AAED,YAAM,GAAG,SAAS,CAAC,SAAwB;AACzC,YAAI,UAAW,cAAa,SAAS;AACrC,QAAAA,SAAQ;AAAA,UACN;AAAA,UACA;AAAA,UACA,UAAU,QAAQ;AAAA,UAClB;AAAA,QACF,CAAC;AAAA,MACH,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AACF;AAGA,IAAI,0BAAoD;AAKjD,SAAS,qBAAqB,YAAwC;AAC3E,MAAI,CAAC,yBAAyB;AAC5B,8BAA0B,IAAI,kBAAkB,cAAc,QAAQ,IAAI,CAAC;AAAA,EAC7E,WAAW,YAAY;AAErB,8BAA0B,IAAI;AAAA,MAC5B;AAAA,MACA,wBAAwB,UAAU;AAAA,IACpC;AAAA,EACF;AACA,SAAO;AACT;AAKO,SAAS,yBAA+B;AAC7C,4BAA0B;AAC5B;",
   "names": ["resolve"]
 }

package/dist/services/sessionMemoryInjector.js

@@ -0,0 +1,77 @@
+import { getGlobalConfig } from "../utils/config.js";
+import { getOriginalCwd } from "../utils/state.js";
+import { debug as debugLogger } from "../utils/debugLogger.js";
+import { SessionMemoryManager } from "./sessionMemory.js";
+let sessionMemoryLoaded = false;
+let cachedSessionMemoryBlock = null;
+function getSessionMemoryBlock() {
+  if (sessionMemoryLoaded) {
+    return cachedSessionMemoryBlock;
+  }
+  sessionMemoryLoaded = true;
+  try {
+    const config = getGlobalConfig();
+    if (config.enableSessionMemory === false) {
+      debugLogger.state("SESSION_MEMORY", { status: "disabled_by_config" });
+      return null;
+    }
+    const projectPath = getOriginalCwd();
+    if (!projectPath) {
+      return null;
+    }
+    const manager = new SessionMemoryManager(projectPath);
+    try {
+      manager.cleanupOldSessions(5);
+    } catch {
+    }
+    const recentSession = manager.getMostRecentSession();
+    if (!recentSession?.memory?.summary) {
+      debugLogger.state("SESSION_MEMORY", { status: "no_previous_session" });
+      return null;
+    }
+    const block = formatSessionMemoryBlock(recentSession.memory);
+    if (!block) {
+      return null;
+    }
+    cachedSessionMemoryBlock = block;
+    debugLogger.state("SESSION_MEMORY", {
+      status: "injected",
+      summaryLength: String(recentSession.memory.summary.length),
+      decisionsCount: String(recentSession.memory.decisions?.length ?? 0)
+    });
+    return cachedSessionMemoryBlock;
+  } catch (error) {
+    debugLogger.warn(
+      "SESSION_MEMORY",
+      `Failed to load session memory: ${error instanceof Error ? error.message : String(error)}`
+    );
+    return null;
+  }
+}
+function formatSessionMemoryBlock(memory) {
+  const parts = [];
+  if (!memory.summary || memory.summary.trim().length === 0) {
+    return null;
+  }
+  parts.push(memory.summary);
+  if (memory.decisions && memory.decisions.length > 0) {
+    const decisionsText = memory.decisions.slice(0, 10).map((d) => `- ${d.description}`).join("\n");
+    parts.push(`Key decisions:
+${decisionsText}`);
+  }
+  if (memory.focusAreas && memory.focusAreas.length > 0) {
+    parts.push(`Focus areas: ${memory.focusAreas.join(", ")}`);
+  }
+  return `<session-memory>
+${parts.join("\n")}
+</session-memory>`;
+}
+function resetSessionMemoryCache() {
+  sessionMemoryLoaded = false;
+  cachedSessionMemoryBlock = null;
+}
+export {
+  getSessionMemoryBlock,
+  resetSessionMemoryCache
+};
+//# sourceMappingURL=sessionMemoryInjector.js.map

package/dist/services/sessionMemoryInjector.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/services/sessionMemoryInjector.ts"],
+  "sourcesContent": ["/**\n * Session Memory Injector\n *\n * Loads the most recent session memory for the current project\n * and formats it as a system prompt block for injection into new sessions.\n *\n * This mirrors Claude Code's behavior of injecting <session-memory> tags\n * from past sessions into new conversations.\n */\n\nimport { getGlobalConfig } from '@utils/config'\nimport { getOriginalCwd } from '@utils/state'\nimport { debug as debugLogger } from '@utils/debugLogger'\nimport { SessionMemoryManager, type SessionMemoryData } from './sessionMemory'\n\n/**\n * Whether session memory has been loaded for this process.\n * We only load once per session to avoid repeated disk I/O.\n */\nlet sessionMemoryLoaded = false\nlet cachedSessionMemoryBlock: string | null = null\n\n/**\n * Load and format the most recent session memory as a system prompt block.\n *\n * Called once per session (at first query). Returns null if:\n * - enableSessionMemory config is false\n * - No previous sessions exist for this project\n * - The most recent session has no meaningful content\n */\nexport function getSessionMemoryBlock(): string | null {\n  if (sessionMemoryLoaded) {\n    return cachedSessionMemoryBlock\n  }\n\n  sessionMemoryLoaded = true\n\n  try {\n    const config = getGlobalConfig()\n\n    // enableSessionMemory defaults to true when not explicitly set\n    if (config.enableSessionMemory === false) {\n      debugLogger.state('SESSION_MEMORY', { status: 'disabled_by_config' })\n      return null\n    }\n\n    const projectPath = getOriginalCwd()\n    if (!projectPath) {\n      return null\n    }\n\n    const manager = new SessionMemoryManager(projectPath)\n\n    // Cleanup old sessions (keep last 5) - non-blocking best-effort\n    try {\n      manager.cleanupOldSessions(5)\n    } catch {\n      // Non-critical\n    }\n\n    const recentSession = manager.getMostRecentSession()\n    if (!recentSession?.memory?.summary) {\n      debugLogger.state('SESSION_MEMORY', { status: 'no_previous_session' })\n      return null\n    }\n\n    const block = formatSessionMemoryBlock(recentSession.memory)\n    if (!block) {\n      return null\n    }\n\n    cachedSessionMemoryBlock = block\n\n    debugLogger.state('SESSION_MEMORY', {\n      status: 'injected',\n      summaryLength: String(recentSession.memory.summary.length),\n      decisionsCount: String(recentSession.memory.decisions?.length ?? 0),\n    })\n\n    return cachedSessionMemoryBlock\n  } catch (error) {\n    debugLogger.warn(\n      'SESSION_MEMORY',\n      `Failed to load session memory: ${error instanceof Error ? error.message : String(error)}`,\n    )\n    return null\n  }\n}\n\n/**\n * Format a SessionMemoryData into a <session-memory> prompt block.\n */\nfunction formatSessionMemoryBlock(memory: SessionMemoryData): string | null {\n  const parts: string[] = []\n\n  // Summary is required\n  if (!memory.summary || memory.summary.trim().length === 0) {\n    return null\n  }\n\n  parts.push(memory.summary)\n\n  // Key decisions\n  if (memory.decisions && memory.decisions.length > 0) {\n    const decisionsText = memory.decisions\n      .slice(0, 10) // Limit to 10 most recent decisions\n      .map(d => `- ${d.description}`)\n      .join('\\n')\n    parts.push(`Key decisions:\\n${decisionsText}`)\n  }\n\n  // Focus areas\n  if (memory.focusAreas && memory.focusAreas.length > 0) {\n    parts.push(`Focus areas: ${memory.focusAreas.join(', ')}`)\n  }\n\n  return `<session-memory>\\n${parts.join('\\n')}\\n</session-memory>`\n}\n\n/**\n * Reset the cached session memory (for testing or session reset).\n */\nexport function resetSessionMemoryCache(): void {\n  sessionMemoryLoaded = false\n  cachedSessionMemoryBlock = null\n}\n"],
+  "mappings": "AAUA,SAAS,uBAAuB;AAChC,SAAS,sBAAsB;AAC/B,SAAS,SAAS,mBAAmB;AACrC,SAAS,4BAAoD;AAM7D,IAAI,sBAAsB;AAC1B,IAAI,2BAA0C;AAUvC,SAAS,wBAAuC;AACrD,MAAI,qBAAqB;AACvB,WAAO;AAAA,EACT;AAEA,wBAAsB;AAEtB,MAAI;AACF,UAAM,SAAS,gBAAgB;AAG/B,QAAI,OAAO,wBAAwB,OAAO;AACxC,kBAAY,MAAM,kBAAkB,EAAE,QAAQ,qBAAqB,CAAC;AACpE,aAAO;AAAA,IACT;AAEA,UAAM,cAAc,eAAe;AACnC,QAAI,CAAC,aAAa;AAChB,aAAO;AAAA,IACT;AAEA,UAAM,UAAU,IAAI,qBAAqB,WAAW;AAGpD,QAAI;AACF,cAAQ,mBAAmB,CAAC;AAAA,IAC9B,QAAQ;AAAA,IAER;AAEA,UAAM,gBAAgB,QAAQ,qBAAqB;AACnD,QAAI,CAAC,eAAe,QAAQ,SAAS;AACnC,kBAAY,MAAM,kBAAkB,EAAE,QAAQ,sBAAsB,CAAC;AACrE,aAAO;AAAA,IACT;AAEA,UAAM,QAAQ,yBAAyB,cAAc,MAAM;AAC3D,QAAI,CAAC,OAAO;AACV,aAAO;AAAA,IACT;AAEA,+BAA2B;AAE3B,gBAAY,MAAM,kBAAkB;AAAA,MAClC,QAAQ;AAAA,MACR,eAAe,OAAO,cAAc,OAAO,QAAQ,MAAM;AAAA,MACzD,gBAAgB,OAAO,cAAc,OAAO,WAAW,UAAU,CAAC;AAAA,IACpE,CAAC;AAED,WAAO;AAAA,EACT,SAAS,OAAO;AACd,gBAAY;AAAA,MACV;AAAA,MACA,kCAAkC,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAAA,IAC1F;AACA,WAAO;AAAA,EACT;AACF;AAKA,SAAS,yBAAyB,QAA0C;AAC1E,QAAM,QAAkB,CAAC;AAGzB,MAAI,CAAC,OAAO,WAAW,OAAO,QAAQ,KAAK,EAAE,WAAW,GAAG;AACzD,WAAO;AAAA,EACT;AAEA,QAAM,KAAK,OAAO,OAAO;AAGzB,MAAI,OAAO,aAAa,OAAO,UAAU,SAAS,GAAG;AACnD,UAAM,gBAAgB,OAAO,UAC1B,MAAM,GAAG,EAAE,EACX,IAAI,OAAK,KAAK,EAAE,WAAW,EAAE,EAC7B,KAAK,IAAI;AACZ,UAAM,KAAK;AAAA,EAAmB,aAAa,EAAE;AAAA,EAC/C;AAGA,MAAI,OAAO,cAAc,OAAO,WAAW,SAAS,GAAG;AACrD,UAAM,KAAK,gBAAgB,OAAO,WAAW,KAAK,IAAI,CAAC,EAAE;AAAA,EAC3D;AAEA,SAAO;AAAA,EAAqB,MAAM,KAAK,IAAI,CAAC;AAAA;AAC9C;AAKO,SAAS,0BAAgC;AAC9C,wBAAsB;AACtB,6BAA2B;AAC7B;",
+  "names": []
+}

package/dist/services/systemReminder.js

@@ -1,4 +1,8 @@
+import { homedir } from "os";
 import { getTodos } from "../utils/todoStorage.js";
+function escapeXml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
 class SystemReminderService {
   sessionState = {
     lastTodoUpdate: 0,
@@ -33,13 +37,18 @@ class SystemReminderService {
     }
     const reminders = [];
     const currentTime = Date.now();
+    if (this.sessionState.remindersSent.size > 100) {
+      this.pruneOldReminders(currentTime);
+    }
     const reminderGenerators = [
+      () => this.getPlanModeActiveReminder(),
       () => this.dispatchTodoEvent(agentId),
       () => this.dispatchTaskToolsReminder(),
       () => this.dispatchSecurityEvent(),
       () => this.dispatchPerformanceEvent(),
       () => this.getMentionReminders(),
-      () => this.getEventReminders()
+      () => this.getEventReminders(),
+      () => this.getTeamMessageReminders(agentId)
     ];
     for (const generator of reminderGenerators) {
       if (reminders.length >= 8) break;
@@ -52,6 +61,35 @@ class SystemReminderService {
     }
     return reminders;
   }
+  /**
+   * Plan mode persistent reminder — injected EVERY turn while plan mode is active (CC behavior).
+   * Not gated by remindersSent because it must appear on every generateReminders() call.
+   */
+  getPlanModeActiveReminder() {
+    try {
+      const {
+        isPlanModeEnabled,
+        getPlanFilePath
+      } = require("../utils/plan/planMode");
+      if (!isPlanModeEnabled()) return null;
+      const planPath = getPlanFilePath();
+      return this.createReminderMessage(
+        "plan_mode_active",
+        "general",
+        "high",
+        `Plan mode is active. You MUST NOT make any edits or changes except to the plan file at: ${planPath}
+
+End every turn with either:
+- AskUserQuestion (to clarify requirements)
+- ExitPlanMode (to present your plan for approval)
+
+Do NOT write code, edit files, or run commands other than read-only exploration.`,
+        Date.now()
+      );
+    } catch {
+      return null;
+    }
+  }
   dispatchTodoEvent(agentId) {
     if (!this.sessionState.config.todoEmptyReminder) return null;
     const todos = getTodos(agentId);
@@ -103,9 +141,9 @@ ${todoContent}. Continue on with the tasks at hand if applicable.`,
     if (this.sessionState.remindersSent.has(key)) return null;
     const sessionDuration = Date.now() - this.sessionState.sessionStartTime;
     if (sessionDuration < 5 * 60 * 1e3) return null;
-    const hasTaskActivity = Array.from(
-      this.sessionState.remindersSent
-    ).some((k) => k.startsWith("task_"));
+    const hasTaskActivity = Array.from(this.sessionState.remindersSent).some(
+      (k) => k.startsWith("task_")
+    );
     if (hasTaskActivity) return null;
     this.emitEvent("task:tools_reminder", {});
     return null;
@@ -188,6 +226,8 @@ ${todoContent}. Continue on with the tasks at hand if applicable.`,
     "plan_file_reference",
     "plan_mode_reentry",
     "plan_exited",
+    "plan_verify",
+    "plan_mode_active",
     "skill_invoked",
     "mcp_resource_no_content",
     "compact_file_reference",
@@ -224,6 +264,47 @@ ${todoContent}. Continue on with the tasks at hand if applicable.`,
     expiredKeys.forEach((key) => this.reminderCache.delete(key));
     return reminders;
   }
+  /**
+   * Deliver pending team mailbox messages to the current agent as reminders.
+   * Checks unread messages for the agent's team-scoped ID and formats them
+   * as <team-message> blocks for conversation injection.
+   */
+  getTeamMessageReminders(agentId) {
+    if (!agentId) return null;
+    const teamName = process.env.MINTO_TEAM_NAME || agentId.split("@")[1];
+    if (!teamName) return null;
+    try {
+      const { getTeam } = require("./agentTeams/teamManager");
+      const entry = getTeam(teamName);
+      if (!entry) return null;
+      const { mailbox } = entry;
+      const unread = mailbox.getUnread(agentId);
+      if (unread.length === 0) return null;
+      mailbox.markRead(unread.map((m) => m.id));
+      const currentTime = Date.now();
+      const reminders = [];
+      for (const msg of unread) {
+        const senderName = msg.from.split("@")[0] || msg.from;
+        const summaryText = msg.summary || msg.text.slice(0, 60).replace(/"/g, "'");
+        const colorAttr = msg.color ? ` color="${escapeXml(msg.color)}"` : "";
+        const content = `<team-message from="${escapeXml(senderName)}"${colorAttr} summary="${escapeXml(summaryText)}">
+${escapeXml(msg.text)}
+</team-message>`;
+        reminders.push(
+          this.createReminderMessage(
+            "team_message",
+            "task",
+            "high",
+            content,
+            currentTime
+          )
+        );
+      }
+      return reminders;
+    } catch {
+      return null;
+    }
+  }
   /**
    * Generate reminders for external file changes
    * Called when todo files are modified externally
@@ -349,7 +430,7 @@ ${content}
           "hook_additional_context",
           "general",
           "medium",
-          `Additional context from hook "${context.hookName}": ${context.content}`,
+          `Additional context from hook "${escapeXml(context.hookName)}": ${escapeXml(String(context.content))}`,
           Date.now()
         );
         this.reminderCache.set(key, reminder);
@@ -363,7 +444,7 @@ ${content}
           "hook_blocking_error",
           "general",
           "high",
-          `A hook blocked the action: ${context.reason}`,
+          `A hook blocked the action: ${escapeXml(String(context.reason))}`,
           Date.now()
         );
         this.reminderCache.set(key, reminder);
@@ -377,7 +458,7 @@ ${content}
           "hook_stopped_continuation",
           "general",
           "high",
-          `A hook stopped continuation: ${context.reason}`,
+          `A hook stopped continuation: ${escapeXml(String(context.reason))}`,
           Date.now()
         );
         this.reminderCache.set(key, reminder);
@@ -537,6 +618,20 @@ ${content}
         this.reminderCache.set(key, reminder);
       }
     });
+    this.addEventListener("plan:verify", (context) => {
+      const key = `plan_verify_${context.planPath}`;
+      if (!this.sessionState.remindersSent.has(key)) {
+        this.sessionState.remindersSent.add(key);
+        const reminder = this.createReminderMessage(
+          "plan_verify",
+          "general",
+          "medium",
+          `Implementation is complete. Verify against the approved plan at: ${context.planPath}. Check that all planned changes were made, run tests, and confirm the verification procedures from the plan pass.`,
+          Date.now()
+        );
+        this.reminderCache.set(key, reminder);
+      }
+    });
     this.addEventListener("token:usage", (context) => {
       const key = `token_usage_${context.threshold}`;
       if (!this.sessionState.remindersSent.has(key)) {
@@ -569,11 +664,17 @@ ${content}
       const key = `team_coord_${context.teamId}_${Date.now()}`;
       if (!this.sessionState.remindersSent.has(key)) {
         this.sessionState.remindersSent.add(key);
+        const teamId = context.teamId;
+        const homeDir = homedir();
+        const teamConfigPath = `${homeDir}/.minto/teams/${teamId}/config.json`;
+        const taskListPath = `${homeDir}/.minto/tasks/${teamId}`;
         const reminder = this.createReminderMessage(
           "team_coordination",
           "task",
           "medium",
-          `Team coordination: ${context.message}`,
+          `Team coordination: ${context.message}
+teamConfigPath: ${teamConfigPath}
+taskListPath: ${taskListPath}`,
           Date.now()
         );
         this.reminderCache.set(key, reminder);
@@ -656,6 +757,27 @@ ${content}
       this.reminderCache.set(params.key, reminder);
     }
   }
+  /**
+   * Prune old reminder keys to prevent unbounded Set growth.
+   * Keeps keys that contain timestamps or are "sticky" (security, performance).
+   * Removes generic keys when the set exceeds threshold.
+   */
+  pruneOldReminders(_currentTime) {
+    const stickyPrefixes = ["file_security", "performance_", "todo_empty_"];
+    const toDelete = [];
+    for (const key of this.sessionState.remindersSent) {
+      if (!stickyPrefixes.some((p) => key.startsWith(p))) {
+        toDelete.push(key);
+      }
+    }
+    const removeCount = Math.min(
+      toDelete.length,
+      Math.floor(toDelete.length / 2)
+    );
+    for (let i = 0; i < removeCount; i++) {
+      this.sessionState.remindersSent.delete(toDelete[i]);
+    }
+  }
   resetSession() {
     this.sessionState = {
       lastTodoUpdate: 0,