@yeyuan98/opencode-bioresearcher-plugin 1.5.0 → 1.5.2-alpha.2

package/dist/tools/sandbox/escape-scenarios.test.js

@@ -0,0 +1,182 @@
+/**
+ * Real-World Escape Scenario Tests
+ *
+ * Tests the actual escape vectors discovered during security analysis
+ * to verify they are properly blocked by the sandbox.
+ */
+import { describe, test, expect, beforeEach, afterEach } from 'bun:test';
+import { mkdtemp, rm, mkdir } from 'fs/promises';
+import { tmpdir } from 'os';
+import { join } from 'path';
+import { sandboxManager } from './manager';
+import { extractAllPathArgs } from './bash-parser';
+import { hasCommandSubstitution } from './expander';
+describe('Real-World Escape Scenarios', () => {
+    let sandboxDir;
+    let projectDir;
+    let sessionID;
+    beforeEach(async () => {
+        projectDir = await mkdtemp(join(tmpdir(), 'escape-test-'));
+        sandboxDir = join(projectDir, '.sandbox', 'escape-session');
+        await mkdir(sandboxDir, { recursive: true });
+        sessionID = 'escape-test-session';
+        sandboxManager.enable(sessionID, sandboxDir, projectDir, 'escape-test');
+    });
+    afterEach(async () => {
+        sandboxManager.disable(sessionID);
+        await rm(projectDir, { recursive: true, force: true });
+    });
+    describe('Scenario 1: ls .. Escape', () => {
+        test('should extract .. from ls .. command', () => {
+            const paths = extractAllPathArgs('ls ..');
+            expect(paths).toContain('..');
+        });
+        test('should reject .. path via manager', () => {
+            const result = sandboxManager.validatePath(sessionID, '..');
+            expect(result.allowed).toBe(false);
+            expect(result.error).toContain('PATH ESCAPE DETECTED');
+        });
+    });
+    describe('Scenario 2: Python Script Escape', () => {
+        test('should extract script path from python command', () => {
+            const paths = extractAllPathArgs('python script.py');
+            expect(paths).toContain('script.py');
+        });
+        test('should validate script path', () => {
+            const result = sandboxManager.validatePath(sessionID, 'script.py');
+            expect(result.allowed).toBe(true);
+            expect(result.transformedPath).toBe(join(sandboxDir, 'script.py'));
+        });
+        test('should reject script path outside sandbox', () => {
+            const result = sandboxManager.validatePath(sessionID, '../malicious.py');
+            expect(result.allowed).toBe(false);
+            expect(result.error).toContain('PATH ESCAPE DETECTED');
+        });
+    });
+    describe('Scenario 3: Command Substitution', () => {
+        test('should detect $(pwd) command substitution', () => {
+            expect(hasCommandSubstitution('$(pwd)/../file.txt')).toBe(true);
+        });
+        test('should detect backtick command substitution', () => {
+            expect(hasCommandSubstitution('`pwd`/../file.txt')).toBe(true);
+        });
+        test('should allow normal variable expansion', () => {
+            expect(hasCommandSubstitution('$HOME/file.txt')).toBe(false);
+        });
+        test('should extract paths with variables', () => {
+            const paths = extractAllPathArgs('cat $HOME/file.txt');
+            expect(paths).toContain('$HOME/file.txt');
+        });
+    });
+    describe('Scenario 4: Path Traversal Variations', () => {
+        test('should block ../../../etc/passwd', () => {
+            const result = sandboxManager.validatePath(sessionID, '../../../etc/passwd');
+            expect(result.allowed).toBe(false);
+        });
+        test('should block .. with complex path', () => {
+            const result = sandboxManager.validatePath(sessionID, './data/../../outside.txt');
+            expect(result.allowed).toBe(false);
+        });
+        test('should block multiple .. at start', () => {
+            const result = sandboxManager.validatePath(sessionID, '../../../../file.txt');
+            expect(result.allowed).toBe(false);
+        });
+        test('should allow .. that stays in sandbox', () => {
+            // Create subdirectory structure
+            const result = sandboxManager.validatePath(sessionID, 'subdir/../file.txt');
+            expect(result.allowed).toBe(true);
+            expect(result.transformedPath).toBe(join(sandboxDir, 'file.txt'));
+        });
+    });
+    describe('Scenario 5: Absolute Path Injection', () => {
+        test('should block Unix absolute paths', () => {
+            const result = sandboxManager.validatePath(sessionID, '/etc/passwd');
+            expect(result.allowed).toBe(false);
+            expect(result.error).toContain('ABSOLUTE PATH REJECTED');
+        });
+        test('should block Windows absolute paths', () => {
+            const result = sandboxManager.validatePath(sessionID, 'C:\\Windows\\System32');
+            expect(result.allowed).toBe(false);
+            expect(result.error).toContain('ABSOLUTE PATH REJECTED');
+        });
+        test('should block UNC paths on Windows', () => {
+            const result = sandboxManager.validatePath(sessionID, '\\\\server\\share\\file.txt');
+            expect(result.allowed).toBe(false);
+            if (process.platform === 'win32') {
+                expect(result.error).toContain('UNC PATH REJECTED');
+            }
+        });
+    });
+    describe('Scenario 6: Multiple Paths in One Command', () => {
+        test('should extract all paths from cp command', () => {
+            const paths = extractAllPathArgs('cp source.txt dest.txt');
+            expect(paths).toContain('source.txt');
+            expect(paths).toContain('dest.txt');
+        });
+        test('should validate all paths and reject if any escape', () => {
+            const result = sandboxManager.validatePaths(sessionID, [
+                './safe.txt',
+                '../escape.txt',
+                './another-safe.txt'
+            ]);
+            expect(result.allowed).toBe(false);
+            expect(result.firstError).toContain('PATH ESCAPE DETECTED');
+        });
+    });
+    describe('Scenario 7: Redirection Targets', () => {
+        test('should extract redirection targets', () => {
+            const paths = extractAllPathArgs('cat file.txt > output.txt');
+            expect(paths).toContain('output.txt');
+        });
+        test('should extract input redirection', () => {
+            const paths = extractAllPathArgs('cat < input.txt');
+            expect(paths).toContain('input.txt');
+        });
+        test('should extract append redirection', () => {
+            const paths = extractAllPathArgs('echo test >> log.txt');
+            expect(paths).toContain('log.txt');
+        });
+    });
+    describe('Scenario 8: Complex Bash Commands', () => {
+        test('should extract paths from piped commands', () => {
+            const paths = extractAllPathArgs('cat file.txt | grep pattern');
+            expect(paths).toContain('file.txt');
+        });
+        test('should handle commands with multiple flags', () => {
+            const paths = extractAllPathArgs('ls -la -h ./data');
+            expect(paths).toContain('./data');
+        });
+        test('should extract paths with extensions', () => {
+            const paths = extractAllPathArgs('python script.py');
+            expect(paths).toContain('script.py');
+        });
+    });
+    describe('Fail-Closed Behavior', () => {
+        test('should reject all invalid paths', () => {
+            const invalidPaths = [
+                '../..',
+                '/etc/passwd',
+                '../../etc/passwd',
+                './../..',
+                './../../../file.txt'
+            ];
+            for (const invalidPath of invalidPaths) {
+                const result = sandboxManager.validatePath(sessionID, invalidPath);
+                expect(result.allowed).toBe(false);
+            }
+        });
+        test('should allow all valid paths', () => {
+            const validPaths = [
+                './file.txt',
+                'data/file.txt',
+                './a/b/c/file.txt',
+                'file.txt',
+                '.'
+            ];
+            for (const validPath of validPaths) {
+                const result = sandboxManager.validatePath(sessionID, validPath);
+                expect(result.allowed).toBe(true);
+            }
+        });
+    });
+});

package/dist/tools/sandbox/expander.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Path Expansion for Sandbox Validation
+ *
+ * Expands shell variables and command substitutions in path arguments
+ * to validate the actual paths that will be accessed at runtime.
+ *
+ * SECURITY: This function FAILS CLOSED - it throws errors rather than
+ * returning null to prevent bypassing validation.
+ */
+import type { PluginInput } from '@opencode-ai/plugin';
+type BunShell = PluginInput['$'];
+/**
+ * Expand and resolve a path argument that may contain variables.
+ * Returns the absolute path after shell expansion.
+ *
+ * SECURITY: Throws error on any failure to prevent validation bypass.
+ *
+ * @param pathArg - Path argument to expand (may contain variables, ~, etc.)
+ * @param cwd - Current working directory (should be sandbox path)
+ * @param shell - BunShell instance for command execution
+ * @returns Absolute path after expansion
+ * @throws Error if expansion fails or path doesn't exist
+ */
+export declare function expandPath(pathArg: string, cwd: string, shell: BunShell): Promise<string>;
+/**
+ * Check if a path argument contains command substitution.
+ * Command substitution can execute arbitrary code during expansion.
+ */
+export declare function hasCommandSubstitution(pathArg: string): boolean;
+export {};

package/dist/tools/sandbox/expander.js

@@ -0,0 +1,57 @@
+/**
+ * Path Expansion for Sandbox Validation
+ *
+ * Expands shell variables and command substitutions in path arguments
+ * to validate the actual paths that will be accessed at runtime.
+ *
+ * SECURITY: This function FAILS CLOSED - it throws errors rather than
+ * returning null to prevent bypassing validation.
+ */
+/**
+ * Expand and resolve a path argument that may contain variables.
+ * Returns the absolute path after shell expansion.
+ *
+ * SECURITY: Throws error on any failure to prevent validation bypass.
+ *
+ * @param pathArg - Path argument to expand (may contain variables, ~, etc.)
+ * @param cwd - Current working directory (should be sandbox path)
+ * @param shell - BunShell instance for command execution
+ * @returns Absolute path after expansion
+ * @throws Error if expansion fails or path doesn't exist
+ */
+export async function expandPath(pathArg, cwd, shell) {
+    let result;
+    try {
+        // Execute realpath to expand variables, ~, and resolve path
+        // SECURITY: Do NOT use .nothrow() - let errors propagate
+        result = await shell `realpath ${pathArg}`
+            .cwd(cwd)
+            .quiet()
+            .text()
+            .then((x) => x.trim());
+    }
+    catch (error) {
+        // Fail closed: throw descriptive error instead of returning null
+        const errorMsg = error instanceof Error ? error.message : String(error);
+        throw new Error(`PATH EXPANSION FAILED: "${pathArg}"\n` +
+            `Working directory: "${cwd}"\n` +
+            `Error: ${errorMsg}\n` +
+            `This may indicate the path does not exist or contains invalid characters.`);
+    }
+    // Validate we got a non-empty result
+    if (!result || result.length === 0) {
+        throw new Error(`PATH EXPANSION RETURNED EMPTY: "${pathArg}"\n` +
+            `Working directory: "${cwd}"\n` +
+            `realpath returned empty result, which indicates a validation failure.`);
+    }
+    return result;
+}
+/**
+ * Check if a path argument contains command substitution.
+ * Command substitution can execute arbitrary code during expansion.
+ */
+export function hasCommandSubstitution(pathArg) {
+    // Check for command substitution: $(cmd) or `cmd`
+    // Also check for partial matches like $(cmd or `cmd (if space breaks the pattern)
+    return /\$\(/.test(pathArg) || /`/.test(pathArg);
+}

package/dist/tools/sandbox/final-verification.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Final Verification Test for Sandbox Security Fixes
+ *
+ * This test verifies that all discovered escape vectors are properly blocked.
+ */
+export {};

package/dist/tools/sandbox/final-verification.test.js

@@ -0,0 +1,70 @@
+/**
+ * Final Verification Test for Sandbox Security Fixes
+ *
+ * This test verifies that all discovered escape vectors are properly blocked.
+ */
+import { test, expect, describe } from 'bun:test';
+import { validateAndTransformPath, isPathWithinSandbox } from './validator';
+import { extractAllPathArgs } from './bash-parser';
+import { hasCommandSubstitution } from './expander';
+import { tmpdir } from 'os';
+import { join } from 'path';
+describe('Final Verification - All Escape Vectors Blocked', () => {
+    const sandboxDir = join(tmpdir(), 'final-verify-sandbox');
+    test('Escape Vector 1: ls .. is blocked', () => {
+        // Extract path from command
+        const paths = extractAllPathArgs('ls ..');
+        expect(paths).toContain('..');
+        // Validate the path
+        const result = validateAndTransformPath('..', sandboxDir);
+        expect(result.allowed).toBe(false);
+        expect(result.error).toContain('PATH ESCAPE DETECTED');
+    });
+    test('Escape Vector 2: ../../etc/passwd is blocked', () => {
+        const result = validateAndTransformPath('../../etc/passwd', sandboxDir);
+        expect(result.allowed).toBe(false);
+        expect(result.error).toContain('PATH ESCAPE DETECTED');
+    });
+    test('Escape Vector 3: Command substitution is detected', () => {
+        expect(hasCommandSubstitution('$(pwd)/../file.txt')).toBe(true);
+        expect(hasCommandSubstitution('`pwd`/../file.txt')).toBe(true);
+    });
+    test('Escape Vector 4: Absolute paths are blocked', () => {
+        const result = validateAndTransformPath('/etc/passwd', sandboxDir);
+        expect(result.allowed).toBe(false);
+        expect(result.error).toContain('ABSOLUTE PATH REJECTED');
+    });
+    test('Valid paths are still allowed', () => {
+        const result = validateAndTransformPath('./data/file.txt', sandboxDir);
+        expect(result.allowed).toBe(true);
+        expect(result.transformedPath).toBe(join(sandboxDir, 'data', 'file.txt'));
+    });
+    test('Multiple paths are extracted from commands', () => {
+        const paths = extractAllPathArgs('cp source.txt dest.txt');
+        expect(paths).toContain('source.txt');
+        expect(paths).toContain('dest.txt');
+        expect(paths.length).toBe(2);
+    });
+    test('Path containment checks work correctly', () => {
+        expect(isPathWithinSandbox(sandboxDir, sandboxDir)).toBe(true);
+        expect(isPathWithinSandbox(join(sandboxDir, 'file.txt'), sandboxDir)).toBe(true);
+        expect(isPathWithinSandbox(join(sandboxDir, '..', 'outside'), sandboxDir)).toBe(false);
+    });
+    test('Complex escape attempts are all blocked', () => {
+        const escapeAttempts = [
+            '..',
+            '../',
+            '../..',
+            '../../..',
+            '../../../etc/passwd',
+            './../..',
+            './../../../file.txt',
+            '/etc/passwd',
+            'C:\\Windows\\System32',
+        ];
+        for (const attempt of escapeAttempts) {
+            const result = validateAndTransformPath(attempt, sandboxDir);
+            expect(result.allowed).toBe(false);
+        }
+    });
+});

package/dist/tools/sandbox/hooks.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Sandbox Plugin Hooks
+ *
+ * Implements plugin hooks for sandbox enforcement:
+ * - tool.execute.before: Path validation and transformation
+ * - shell.env: Environment variable injection
+ * - permission.ask: Auto-deny paths outside sandbox
+ */
+import type { Hooks, PluginInput } from '@opencode-ai/plugin';
+import type { SandboxManagerImpl } from './manager';
+type BunShell = PluginInput['$'];
+/**
+ * Create sandbox enforcement hooks for the plugin system.
+ */
+export declare function createSandboxHooks(manager: SandboxManagerImpl, shell: BunShell): Partial<Hooks>;
+/**
+ * Get the tool path args mapping (for testing or extension).
+ */
+export declare function getToolPathArgs(): Record<string, string[]>;
+/**
+ * Register additional tool path arguments.
+ * Useful for plugins that add new tools.
+ */
+export declare function registerToolPathArgs(toolName: string, pathArgs: string[]): void;
+export {};

package/dist/tools/sandbox/hooks.js

@@ -0,0 +1,217 @@
+/**
+ * Sandbox Plugin Hooks
+ *
+ * Implements plugin hooks for sandbox enforcement:
+ * - tool.execute.before: Path validation and transformation
+ * - shell.env: Environment variable injection
+ * - permission.ask: Auto-deny paths outside sandbox
+ */
+import { extractAllPathArgs } from './bash-parser';
+import { expandPath, hasCommandSubstitution } from './expander';
+import { isPathWithinSandbox } from './validator';
+/**
+ * Maps tool names to their path-containing argument names.
+ * These arguments will be validated and transformed when sandbox is active.
+ */
+const TOOL_PATH_ARGS = {
+    // Built-in file tools
+    'read': ['filePath'],
+    'write': ['filePath'],
+    'edit': ['filePath'],
+    'glob': ['path'],
+    'grep': ['path'],
+    // Table tools
+    'tableGetSheetPreview': ['file_path'],
+    'tableListSheets': ['file_path'],
+    'tableGetHeaders': ['file_path'],
+    'tableGetCell': ['file_path'],
+    'tableFilterRows': ['file_path'],
+    'tableSearch': ['file_path'],
+    'tableGetRange': ['file_path'],
+    'tableSummarize': ['file_path'],
+    'tableGroupBy': ['file_path'],
+    'tablePivotSummary': ['file_path'],
+    'tableAppendRows': ['file_path'],
+    'tableUpdateCell': ['file_path'],
+    'tableCreateFile': ['file_path'],
+    // Parser tools
+    'parse_pubmed_articleSet': ['filePath', 'outputDir'],
+    'parse_obo_file': ['filePath', 'outputDir'],
+};
+/**
+ * Get nested property from object using dot notation.
+ * Example: getNestedValue({a: {b: 1}}, 'a.b') => 1
+ */
+function getNestedValue(obj, path) {
+    return path.split('.').reduce((current, key) => {
+        if (current === null || current === undefined)
+            return undefined;
+        return current[key];
+    }, obj);
+}
+/**
+ * Set nested property in object using dot notation.
+ */
+function setNestedValue(obj, path, value) {
+    const keys = path.split('.');
+    const lastKey = keys.pop();
+    const target = keys.reduce((current, key) => {
+        if (current[key] === undefined) {
+            current[key] = {};
+        }
+        return current[key];
+    }, obj);
+    target[lastKey] = value;
+}
+/**
+ * Create sandbox enforcement hooks for the plugin system.
+ */
+export function createSandboxHooks(manager, shell) {
+    return {
+        /**
+         * Hook: tool.execute.before
+         *
+         * Validates and transforms paths before tool execution.
+         * For bash commands, expands variables and validates resolved paths.
+         */
+        async "tool.execute.before"(input, output) {
+            const sandbox = manager.get(input.sessionID);
+            if (!sandbox) {
+                // No sandbox active - allow tool to proceed normally
+                return;
+            }
+            const toolName = input.tool;
+            // Special handling for bash commands
+            if (toolName === 'bash') {
+                const command = output.args.command;
+                // Extract ALL arguments from file operations (including variables)
+                const pathArgs = extractAllPathArgs(command);
+                // Expand and validate each argument
+                for (const arg of pathArgs) {
+                    // Block command substitution in path arguments
+                    if (hasCommandSubstitution(arg)) {
+                        throw new Error(`COMMAND SUBSTITUTION NOT ALLOWED IN PATH ARGUMENTS\n` +
+                            `Argument: ${arg}\n` +
+                            `Command substitution can execute arbitrary code and is not allowed in file paths.`);
+                    }
+                    // Expand the argument (resolves variables, tilde, etc.)
+                    // SECURITY: expandPath throws on failure - this is fail-closed behavior
+                    let expanded;
+                    try {
+                        expanded = await expandPath(arg, sandbox.sandboxPath, shell);
+                    }
+                    catch (error) {
+                        // Fail closed: any expansion error prevents command execution
+                        throw new Error(`PATH EXPANSION FAILED - COMMAND BLOCKED\n` +
+                            `Argument: ${arg}\n` +
+                            `Sandbox boundary: ${sandbox.sandboxPath}\n` +
+                            `Error: ${error instanceof Error ? error.message : String(error)}\n` +
+                            `All paths must be valid and expandable within the sandbox.`);
+                    }
+                    // Validate the EXPANDED absolute path
+                    if (!isPathWithinSandbox(expanded, sandbox.sandboxPath)) {
+                        throw new Error(`PATH ESCAPES SANDBOX AFTER EXPANSION\n` +
+                            `Argument: ${arg}\n` +
+                            `Expands to: ${expanded}\n` +
+                            `Sandbox boundary: ${sandbox.sandboxPath}\n` +
+                            `All file access must remain within the sandbox folder.`);
+                    }
+                }
+                // Set workdir to sandbox path
+                // This is shell-agnostic (works with bash, CMD.exe, PowerShell, zsh)
+                // The bash tool passes workdir to spawn() which sets cwd natively
+                output.args.workdir = sandbox.sandboxPath;
+                return;
+            }
+            // Handle other tools with path arguments
+            const pathArgs = TOOL_PATH_ARGS[toolName];
+            if (!pathArgs) {
+                // Tool not in mapping - no path transformation needed
+                return;
+            }
+            // Process each path argument
+            for (const argPath of pathArgs) {
+                const value = getNestedValue(output.args, argPath);
+                if (typeof value === 'string' && value.length > 0) {
+                    const result = manager.validatePath(input.sessionID, value);
+                    if (!result.allowed) {
+                        throw new Error(result.error || 'Sandbox path validation failed');
+                    }
+                    // Transform the path to sandbox-resolved path
+                    setNestedValue(output.args, argPath, result.transformedPath);
+                }
+            }
+        },
+        /**
+         * Hook: shell.env
+         *
+         * Injects environment variables to indicate sandbox is active.
+         */
+        async "shell.env"(input, output) {
+            // input.sessionID may be undefined in some contexts
+            const sessionID = input.sessionID;
+            if (!sessionID)
+                return;
+            const sandbox = manager.get(sessionID);
+            if (!sandbox)
+                return;
+            // Set environment variables for sandbox awareness
+            output.env = {
+                ...output.env,
+                OPENCODE_SANDBOX: '1',
+                OPENCODE_SANDBOX_PATH: sandbox.sandboxPath,
+            };
+        },
+        /**
+         * Hook: permission.ask
+         *
+         * Auto-deny file permissions for paths outside sandbox.
+         * Auto-allow paths within sandbox.
+         */
+        async "permission.ask"(input, output) {
+            const sessionID = input.sessionID;
+            if (!sessionID)
+                return;
+            const sandbox = manager.get(sessionID);
+            if (!sandbox)
+                return;
+            // File-related permissions that should be sandboxed
+            const filePermissions = ['read', 'edit', 'glob', 'grep', 'list', 'bash'];
+            if (!filePermissions.includes(input.type)) {
+                // Non-file permission - let normal flow handle it
+                return;
+            }
+            // Get patterns to check (pattern can be string or string[])
+            const pattern = input.pattern;
+            if (!pattern)
+                return;
+            const patterns = Array.isArray(pattern) ? pattern : [pattern];
+            // Validate each pattern
+            for (const p of patterns) {
+                if (typeof p !== 'string')
+                    continue;
+                const result = manager.validatePath(sessionID, p);
+                if (!result.allowed) {
+                    // Path outside sandbox - deny
+                    output.status = 'deny';
+                    return;
+                }
+            }
+            // All patterns within sandbox - allow
+            output.status = 'allow';
+        }
+    };
+}
+/**
+ * Get the tool path args mapping (for testing or extension).
+ */
+export function getToolPathArgs() {
+    return { ...TOOL_PATH_ARGS };
+}
+/**
+ * Register additional tool path arguments.
+ * Useful for plugins that add new tools.
+ */
+export function registerToolPathArgs(toolName, pathArgs) {
+    TOOL_PATH_ARGS[toolName] = pathArgs;
+}

package/dist/tools/sandbox/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Sandbox Tool Module
+ *
+ * Provides invisible file sandboxing for safe file operations.
+ *
+ * Usage:
+ * 1. Agent calls sandbox_enable({ sessionName: "my-session" })
+ * 2. Sandbox folder is created at .sandbox/<session-name>_<timestamp>
+ * 3. All file operations use relative paths, which are transparently redirected
+ * 4. Absolute paths are rejected
+ * 5. Path traversal attempts (../) that escape sandbox are blocked
+ */
+export { sandboxTools, sandboxEnableTool, sandboxDisableTool, sandboxStatusTool } from './tool';
+export { sandboxManager, SandboxManagerImpl } from './manager';
+export { createSandboxHooks, getToolPathArgs, registerToolPathArgs } from './hooks';
+export type { SandboxState, PathValidationResult, BashPathExtractionResult, ToolPathArgsMap } from './types';
+export { isAbsolutePath, isPathWithinSandbox, validateAndTransformPath, looksLikePath } from './validator';
+export { extractPathsFromBashCommand, extractAllPathArgs } from './bash-parser';
+export { expandPath, hasCommandSubstitution } from './expander';

package/dist/tools/sandbox/index.js

@@ -0,0 +1,24 @@
+/**
+ * Sandbox Tool Module
+ *
+ * Provides invisible file sandboxing for safe file operations.
+ *
+ * Usage:
+ * 1. Agent calls sandbox_enable({ sessionName: "my-session" })
+ * 2. Sandbox folder is created at .sandbox/<session-name>_<timestamp>
+ * 3. All file operations use relative paths, which are transparently redirected
+ * 4. Absolute paths are rejected
+ * 5. Path traversal attempts (../) that escape sandbox are blocked
+ */
+// Tools
+export { sandboxTools, sandboxEnableTool, sandboxDisableTool, sandboxStatusTool } from './tool';
+// Manager
+export { sandboxManager, SandboxManagerImpl } from './manager';
+// Hooks
+export { createSandboxHooks, getToolPathArgs, registerToolPathArgs } from './hooks';
+// Validator utilities (for testing)
+export { isAbsolutePath, isPathWithinSandbox, validateAndTransformPath, looksLikePath } from './validator';
+// Bash parser utilities (for testing)
+export { extractPathsFromBashCommand, extractAllPathArgs } from './bash-parser';
+// Expander utilities (for testing)
+export { expandPath, hasCommandSubstitution } from './expander';