airlock-bot 0.2.18 → 0.2.20
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +162 -24
- package/dist/allowlist/engine.d.ts.map +1 -1
- package/dist/allowlist/engine.js +13 -7
- package/dist/allowlist/engine.js.map +1 -1
- package/dist/allowlist/pattern.d.ts +14 -0
- package/dist/allowlist/pattern.d.ts.map +1 -1
- package/dist/allowlist/pattern.js +33 -5
- package/dist/allowlist/pattern.js.map +1 -1
- package/dist/backend/cli/adapter.d.ts.map +1 -1
- package/dist/backend/cli/adapter.js +7 -1
- package/dist/backend/cli/adapter.js.map +1 -1
- package/dist/backend/exec-adapter.d.ts.map +1 -1
- package/dist/backend/exec-adapter.js +2 -1
- package/dist/backend/exec-adapter.js.map +1 -1
- package/dist/backend/factory.d.ts.map +1 -1
- package/dist/backend/factory.js +3 -2
- package/dist/backend/factory.js.map +1 -1
- package/dist/backend/mcp-adapter.d.ts +7 -1
- package/dist/backend/mcp-adapter.d.ts.map +1 -1
- package/dist/backend/mcp-adapter.js +49 -1
- package/dist/backend/mcp-adapter.js.map +1 -1
- package/dist/config/loader.d.ts.map +1 -1
- package/dist/config/loader.js +23 -0
- package/dist/config/loader.js.map +1 -1
- package/dist/config/schema.d.ts +1518 -16
- package/dist/config/schema.d.ts.map +1 -1
- package/dist/config/schema.js +151 -3
- package/dist/config/schema.js.map +1 -1
- package/dist/gateway.d.ts.map +1 -1
- package/dist/gateway.js +8 -0
- package/dist/gateway.js.map +1 -1
- package/dist/hitl/engine.d.ts +2 -0
- package/dist/hitl/engine.d.ts.map +1 -1
- package/dist/hitl/engine.js +2 -0
- package/dist/hitl/engine.js.map +1 -1
- package/dist/hitl/formatter.d.ts.map +1 -1
- package/dist/hitl/formatter.js +17 -1
- package/dist/hitl/formatter.js.map +1 -1
- package/dist/hitl/providers/tui.d.ts.map +1 -1
- package/dist/hitl/providers/tui.js +4 -0
- package/dist/hitl/providers/tui.js.map +1 -1
- package/dist/hitl/providers/types.d.ts +2 -0
- package/dist/hitl/providers/types.d.ts.map +1 -1
- package/dist/hook/api.d.ts +14 -0
- package/dist/hook/api.d.ts.map +1 -0
- package/dist/hook/api.js +74 -0
- package/dist/hook/api.js.map +1 -0
- package/dist/hook/normalizer.d.ts +26 -0
- package/dist/hook/normalizer.d.ts.map +1 -0
- package/dist/hook/normalizer.js +84 -0
- package/dist/hook/normalizer.js.map +1 -0
- package/dist/middleware/chain-builder.d.ts.map +1 -1
- package/dist/middleware/chain-builder.js +3 -1
- package/dist/middleware/chain-builder.js.map +1 -1
- package/dist/middleware/core/execute.d.ts.map +1 -1
- package/dist/middleware/core/execute.js +9 -3
- package/dist/middleware/core/execute.js.map +1 -1
- package/dist/middleware/core/hitl-gate.d.ts.map +1 -1
- package/dist/middleware/core/hitl-gate.js +16 -3
- package/dist/middleware/core/hitl-gate.js.map +1 -1
- package/dist/middleware/core/sandbox.d.ts +3 -0
- package/dist/middleware/core/sandbox.d.ts.map +1 -0
- package/dist/middleware/core/sandbox.js +15 -0
- package/dist/middleware/core/sandbox.js.map +1 -0
- package/dist/registry/registry.d.ts +1 -1
- package/dist/registry/registry.d.ts.map +1 -1
- package/dist/registry/registry.js +36 -18
- package/dist/registry/registry.js.map +1 -1
- package/dist/sandbox/index.d.ts +39 -0
- package/dist/sandbox/index.d.ts.map +1 -0
- package/dist/sandbox/index.js +147 -0
- package/dist/sandbox/index.js.map +1 -0
- package/dist/tools/exec.d.ts +2 -1
- package/dist/tools/exec.d.ts.map +1 -1
- package/dist/tools/exec.js +5 -2
- package/dist/tools/exec.js.map +1 -1
- package/dist/types.d.ts +1 -0
- package/dist/types.d.ts.map +1 -1
- package/examples/gateway.yaml +30 -0
- package/examples/sandbox-presets.yaml +142 -0
- package/package.json +7 -1
- package/schema.json +293 -3
|
@@ -0,0 +1,147 @@
|
|
|
1
|
+
import { matches } from '../allowlist/pattern.js';
|
|
2
|
+
import { SandboxManager } from '@anthropic-ai/sandbox-runtime';
|
|
3
|
+
function summarizeSandbox(config) {
|
|
4
|
+
const summary = [];
|
|
5
|
+
summary.push(config.network.allowed_domains.length === 0
|
|
6
|
+
? 'network:none'
|
|
7
|
+
: `network:${config.network.allowed_domains.join(',')}`);
|
|
8
|
+
if (config.filesystem.allow_write.length > 0) {
|
|
9
|
+
summary.push(`write:${config.filesystem.allow_write.join(',')}`);
|
|
10
|
+
}
|
|
11
|
+
if (config.filesystem.allow_read && config.filesystem.allow_read.length > 0) {
|
|
12
|
+
summary.push(`read:${config.filesystem.allow_read.join(',')}`);
|
|
13
|
+
}
|
|
14
|
+
if (config.filesystem.deny_read.length > 0) {
|
|
15
|
+
summary.push(`deny-read:${config.filesystem.deny_read.join(',')}`);
|
|
16
|
+
}
|
|
17
|
+
return summary;
|
|
18
|
+
}
|
|
19
|
+
export function getSandboxDisplayInfo(agentConfig, toolName, resolved) {
|
|
20
|
+
if (!agentConfig.sandbox.enabled || !resolved)
|
|
21
|
+
return undefined;
|
|
22
|
+
const toolOverride = agentConfig.tool_overrides[toolName];
|
|
23
|
+
const presets = agentConfig.sandbox.presets ?? [];
|
|
24
|
+
const toolPresets = toolOverride?.sandbox_presets ?? [];
|
|
25
|
+
return {
|
|
26
|
+
enabled: true,
|
|
27
|
+
presets,
|
|
28
|
+
toolPresets,
|
|
29
|
+
summary: summarizeSandbox(resolved),
|
|
30
|
+
config: resolved,
|
|
31
|
+
};
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Resolve the effective sandbox config for a tool call.
|
|
35
|
+
* Merges base agent sandbox config with the most specific matching override.
|
|
36
|
+
* Also checks tool_overrides for alias-specific sandbox config.
|
|
37
|
+
*/
|
|
38
|
+
export function resolveSandboxConfig(sandboxConfig, toolName, toolOverrideSandbox) {
|
|
39
|
+
const base = {
|
|
40
|
+
filesystem: { ...sandboxConfig.filesystem },
|
|
41
|
+
network: { ...sandboxConfig.network },
|
|
42
|
+
};
|
|
43
|
+
// Find matching overrides from sandbox.overrides, most specific wins
|
|
44
|
+
// (exact match > longer prefix > shorter prefix)
|
|
45
|
+
const matchingOverrides = Object.entries(sandboxConfig.overrides)
|
|
46
|
+
.filter(([pattern]) => matches(pattern, toolName))
|
|
47
|
+
.sort((a, b) => b[0].length - a[0].length); // longer patterns first
|
|
48
|
+
if (matchingOverrides.length > 0) {
|
|
49
|
+
mergeOverride(base, matchingOverrides[0][1]);
|
|
50
|
+
}
|
|
51
|
+
// Tool-specific sandbox from tool_overrides (alias) takes highest priority
|
|
52
|
+
if (toolOverrideSandbox) {
|
|
53
|
+
mergeOverride(base, toolOverrideSandbox);
|
|
54
|
+
}
|
|
55
|
+
return base;
|
|
56
|
+
}
|
|
57
|
+
function mergeOverride(base, override) {
|
|
58
|
+
if (override.filesystem) {
|
|
59
|
+
// allow_write replaces (the tool flavor defines its own restrictions)
|
|
60
|
+
if (override.filesystem.allow_write !== undefined) {
|
|
61
|
+
base.filesystem.allow_write = override.filesystem.allow_write;
|
|
62
|
+
}
|
|
63
|
+
// deny_read is additive
|
|
64
|
+
if (override.filesystem.deny_read !== undefined) {
|
|
65
|
+
base.filesystem.deny_read = [...base.filesystem.deny_read, ...override.filesystem.deny_read];
|
|
66
|
+
}
|
|
67
|
+
// deny_write is additive
|
|
68
|
+
if (override.filesystem.deny_write !== undefined) {
|
|
69
|
+
base.filesystem.deny_write = [
|
|
70
|
+
...base.filesystem.deny_write,
|
|
71
|
+
...override.filesystem.deny_write,
|
|
72
|
+
];
|
|
73
|
+
}
|
|
74
|
+
// allow_read replaces
|
|
75
|
+
if (override.filesystem.allow_read !== undefined) {
|
|
76
|
+
base.filesystem.allow_read = override.filesystem.allow_read;
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
if (override.network) {
|
|
80
|
+
// allowed_domains replaces
|
|
81
|
+
if (override.network.allowed_domains !== undefined) {
|
|
82
|
+
base.network.allowed_domains = override.network.allowed_domains;
|
|
83
|
+
}
|
|
84
|
+
// denied_domains is additive
|
|
85
|
+
if (override.network.denied_domains !== undefined) {
|
|
86
|
+
base.network.denied_domains = [
|
|
87
|
+
...base.network.denied_domains,
|
|
88
|
+
...override.network.denied_domains,
|
|
89
|
+
];
|
|
90
|
+
}
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
/**
|
|
94
|
+
* Convert a ResolvedSandboxConfig into a SandboxRuntimeConfig suitable for
|
|
95
|
+
* the @anthropic-ai/sandbox-runtime SandboxManager.
|
|
96
|
+
*/
|
|
97
|
+
export function toSandboxRuntimeConfig(config) {
|
|
98
|
+
return {
|
|
99
|
+
filesystem: {
|
|
100
|
+
allowWrite: config.filesystem.allow_write,
|
|
101
|
+
denyRead: config.filesystem.deny_read,
|
|
102
|
+
denyWrite: config.filesystem.deny_write,
|
|
103
|
+
...(config.filesystem.allow_read ? { allowRead: config.filesystem.allow_read } : {}),
|
|
104
|
+
},
|
|
105
|
+
network: {
|
|
106
|
+
allowedDomains: config.network.allowed_domains,
|
|
107
|
+
deniedDomains: config.network.denied_domains,
|
|
108
|
+
},
|
|
109
|
+
};
|
|
110
|
+
}
|
|
111
|
+
async function ensureSandboxRuntime(config) {
|
|
112
|
+
if (typeof SandboxManager.isSupportedPlatform === 'function' &&
|
|
113
|
+
!SandboxManager.isSupportedPlatform()) {
|
|
114
|
+
throw new Error('Sandbox runtime is not supported on this platform');
|
|
115
|
+
}
|
|
116
|
+
const canInitialize = typeof SandboxManager.initialize === 'function';
|
|
117
|
+
const isEnabled = typeof SandboxManager.isSandboxingEnabled === 'function'
|
|
118
|
+
? SandboxManager.isSandboxingEnabled()
|
|
119
|
+
: false;
|
|
120
|
+
if (canInitialize && !isEnabled) {
|
|
121
|
+
await SandboxManager.initialize(config);
|
|
122
|
+
return;
|
|
123
|
+
}
|
|
124
|
+
if (typeof SandboxManager.updateConfig === 'function') {
|
|
125
|
+
SandboxManager.updateConfig(config);
|
|
126
|
+
}
|
|
127
|
+
if (typeof SandboxManager.waitForNetworkInitialization === 'function') {
|
|
128
|
+
const ready = await SandboxManager.waitForNetworkInitialization();
|
|
129
|
+
if (!ready && canInitialize) {
|
|
130
|
+
await SandboxManager.initialize(config);
|
|
131
|
+
}
|
|
132
|
+
return;
|
|
133
|
+
}
|
|
134
|
+
if (canInitialize) {
|
|
135
|
+
await SandboxManager.initialize(config);
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
/**
|
|
139
|
+
* Wraps a shell command using the SandboxManager programmatic API.
|
|
140
|
+
* Returns the wrapped command string that includes sandbox restrictions.
|
|
141
|
+
*/
|
|
142
|
+
export async function wrapCommandWithSandbox(command, sandbox) {
|
|
143
|
+
const runtimeConfig = toSandboxRuntimeConfig(sandbox);
|
|
144
|
+
await ensureSandboxRuntime(runtimeConfig);
|
|
145
|
+
return SandboxManager.wrapWithSandbox(command, undefined, runtimeConfig);
|
|
146
|
+
}
|
|
147
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAElD,OAAO,EAAE,cAAc,EAA6B,MAAM,+BAA+B,CAAC;AAuB1F,SAAS,gBAAgB,CAAC,MAA6B;IACrD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,OAAO,CAAC,IAAI,CACV,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC;QACzC,CAAC,CAAC,cAAc;QAChB,CAAC,CAAC,WAAW,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAC1D,CAAC;IAEF,IAAI,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC,SAAS,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5E,OAAO,CAAC,IAAI,CAAC,QAAQ,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACjE,CAAC;IACD,IAAI,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,OAAO,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,WAAwB,EACxB,QAAgB,EAChB,QAAgC;IAEhC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,IAAI,CAAC,QAAQ;QAAE,OAAO,SAAS,CAAC;IAEhE,MAAM,YAAY,GAAG,WAAW,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;IAC1D,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC;IAClD,MAAM,WAAW,GAAG,YAAY,EAAE,eAAe,IAAI,EAAE,CAAC;IAExD,OAAO;QACL,OAAO,EAAE,IAAI;QACb,OAAO;QACP,WAAW;QACX,OAAO,EAAE,gBAAgB,CAAC,QAAQ,CAAC;QACnC,MAAM,EAAE,QAAQ;KACjB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAClC,aAA4B,EAC5B,QAAgB,EAChB,mBAA2C;IAE3C,MAAM,IAAI,GAA0B;QAClC,UAAU,EAAE,EAAE,GAAG,aAAa,CAAC,UAAU,EAAE;QAC3C,OAAO,EAAE,EAAE,GAAG,aAAa,CAAC,OAAO,EAAE;KACtC,CAAC;IAEF,qEAAqE;IACrE,iDAAiD;IACjD,MAAM,iBAAiB,GAAG,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC;SAC9D,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;SACjD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,wBAAwB;IAEtE,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,aAAa,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,2EAA2E;IAC3E,IAAI,mBAAmB,EAAE,CAAC;QACxB,aAAa,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CAAC,IAA2B,EAAE,QAA+B;IACjF,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;QACxB,sEAAsE;QACtE,IAAI,QAAQ,CAAC,UAAU,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YAClD,IAAI,CAAC,UAAU,CAAC,WAAW,GAAG,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;QAChE,CAAC;QACD,wBAAwB;QACxB,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAChD,IAAI,CAAC,UAAU,CAAC,SAAS,GAAG,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,EAAE,GAAG,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAC/F,CAAC;QACD,yBAAyB;QACzB,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACjD,IAAI,CAAC,UAAU,CAAC,UAAU,GAAG;gBAC3B,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU;gBAC7B,GAAG,QAAQ,CAAC,UAAU,CAAC,UAAU;aAClC,CAAC;QACJ,CAAC;QACD,sBAAsB;QACtB,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACjD,IAAI,CAAC,UAAU,CAAC,UAAU,GAAG,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC;QAC9D,CAAC;IACH,CAAC;IACD,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACrB,2BAA2B;QAC3B,IAAI,QAAQ,CAAC,OAAO,CAAC,eAAe,KAAK,SAAS,EAAE,CAAC;YACnD,IAAI,CAAC,OAAO,CAAC,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC,eAAe,CAAC;QAClE,CAAC;QACD,6BAA6B;QAC7B,IAAI,QAAQ,CAAC,OAAO,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YAClD,IAAI,CAAC,OAAO,CAAC,cAAc,GAAG;gBAC5B,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc;gBAC9B,GAAG,QAAQ,CAAC,OAAO,CAAC,cAAc;aACnC,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,MAA6B;IAClE,OAAO;QACL,UAAU,EAAE;YACV,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,WAAW;YACzC,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC,SAAS;YACrC,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,UAAU;YACvC,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACrF;QACD,OAAO,EAAE;YACP,cAAc,EAAE,MAAM,CAAC,OAAO,CAAC,eAAe;YAC9C,aAAa,EAAE,MAAM,CAAC,OAAO,CAAC,cAAc;SAC7C;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CAAC,MAA4B;IAC9D,IACE,OAAO,cAAc,CAAC,mBAAmB,KAAK,UAAU;QACxD,CAAC,cAAc,CAAC,mBAAmB,EAAE,EACrC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,aAAa,GAAG,OAAO,cAAc,CAAC,UAAU,KAAK,UAAU,CAAC;IACtE,MAAM,SAAS,GACb,OAAO,cAAc,CAAC,mBAAmB,KAAK,UAAU;QACtD,CAAC,CAAC,cAAc,CAAC,mBAAmB,EAAE;QACtC,CAAC,CAAC,KAAK,CAAC;IAEZ,IAAI,aAAa,IAAI,CAAC,SAAS,EAAE,CAAC;QAChC,MAAM,cAAc,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QACxC,OAAO;IACT,CAAC;IAED,IAAI,OAAO,cAAc,CAAC,YAAY,KAAK,UAAU,EAAE,CAAC;QACtD,cAAc,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,OAAO,cAAc,CAAC,4BAA4B,KAAK,UAAU,EAAE,CAAC;QACtE,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,4BAA4B,EAAE,CAAC;QAClE,IAAI,CAAC,KAAK,IAAI,aAAa,EAAE,CAAC;YAC5B,MAAM,cAAc,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,cAAc,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAAe,EACf,OAA8B;IAE9B,MAAM,aAAa,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;IACtD,MAAM,oBAAoB,CAAC,aAAa,CAAC,CAAC;IAC1C,OAAO,cAAc,CAAC,eAAe,CAAC,OAAO,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;AAC3E,CAAC"}
|
package/dist/tools/exec.d.ts
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import type { AgentConfig } from '../config/schema.js';
|
|
2
2
|
import type { Tool } from '@modelcontextprotocol/sdk/types.js';
|
|
3
|
+
import { type ResolvedSandboxConfig } from '../sandbox/index.js';
|
|
3
4
|
export interface ExecResult {
|
|
4
5
|
exit_code: number | null;
|
|
5
6
|
stdout: string;
|
|
@@ -16,5 +17,5 @@ export declare function buildExecTool(): Tool;
|
|
|
16
17
|
*/
|
|
17
18
|
export declare function containsShellInjection(command: string): boolean;
|
|
18
19
|
export declare function evaluateExecCommand(command: string, agentConfig: AgentConfig): ExecDecision;
|
|
19
|
-
export declare function executeExec(command: string, agentConfig: AgentConfig, cwd?: string, timeoutMs?: number): Promise<ExecResult>;
|
|
20
|
+
export declare function executeExec(command: string, agentConfig: AgentConfig, cwd?: string, timeoutMs?: number, sandbox?: ResolvedSandboxConfig): Promise<ExecResult>;
|
|
20
21
|
//# sourceMappingURL=exec.d.ts.map
|
package/dist/tools/exec.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"exec.d.ts","sourceRoot":"","sources":["../../src/tools/exec.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;
|
|
1
|
+
{"version":3,"file":"exec.d.ts","sourceRoot":"","sources":["../../src/tools/exec.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAE/D,OAAO,EAA0B,KAAK,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAEzF,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,KAAK,GAAG,MAAM,CAAC;AAOpD,wBAAgB,aAAa,IAAI,IAAI,CAcpC;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAE/D;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,GAAG,YAAY,CAS3F;AAED,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,WAAW,EACxB,GAAG,CAAC,EAAE,MAAM,EACZ,SAAS,CAAC,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,qBAAqB,GAC9B,OAAO,CAAC,UAAU,CAAC,CAsErB"}
|
package/dist/tools/exec.js
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { spawn } from 'child_process';
|
|
2
2
|
import { matchesCommand } from '../allowlist/pattern.js';
|
|
3
|
+
import { wrapCommandWithSandbox } from '../sandbox/index.js';
|
|
3
4
|
const MAX_OUTPUT_BYTES = 10 * 1024 * 1024; // 10MB cap on stdout/stderr
|
|
4
5
|
/** Shell metacharacters that allow command chaining / injection */
|
|
5
6
|
const SHELL_INJECTION_RE = /[;|&`$(){}]/;
|
|
@@ -38,11 +39,13 @@ export function evaluateExecCommand(command, agentConfig) {
|
|
|
38
39
|
return 'allow';
|
|
39
40
|
return 'deny'; // fail-closed
|
|
40
41
|
}
|
|
41
|
-
export async function executeExec(command, agentConfig, cwd, timeoutMs) {
|
|
42
|
+
export async function executeExec(command, agentConfig, cwd, timeoutMs, sandbox) {
|
|
42
43
|
const timeout = timeoutMs ?? agentConfig.exec.default_timeout_ms;
|
|
43
44
|
const start = Date.now();
|
|
45
|
+
// Wrap command with sandbox if config is provided
|
|
46
|
+
const effectiveCommand = sandbox ? await wrapCommandWithSandbox(command, sandbox) : command;
|
|
44
47
|
return new Promise((resolve, reject) => {
|
|
45
|
-
const child = spawn('/bin/sh', ['-c',
|
|
48
|
+
const child = spawn('/bin/sh', ['-c', effectiveCommand], {
|
|
46
49
|
cwd,
|
|
47
50
|
env: agentConfig.exec.env,
|
|
48
51
|
stdio: ['ignore', 'pipe', 'pipe'],
|
package/dist/tools/exec.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"exec.js","sourceRoot":"","sources":["../../src/tools/exec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAGtC,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;
|
|
1
|
+
{"version":3,"file":"exec.js","sourceRoot":"","sources":["../../src/tools/exec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAGtC,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,sBAAsB,EAA8B,MAAM,qBAAqB,CAAC;AAazF,MAAM,gBAAgB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,4BAA4B;AAEvE,mEAAmE;AACnE,MAAM,kBAAkB,GAAG,aAAa,CAAC;AAEzC,MAAM,UAAU,aAAa;IAC3B,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,iDAAiD;QAC9D,WAAW,EAAE;YACX,IAAI,EAAE,QAAiB;YACvB,UAAU,EAAE;gBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,sBAAsB,EAAE;gBAChE,GAAG,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,mBAAmB,EAAE;gBACzD,UAAU,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,yBAAyB,EAAE;aACvE;YACD,QAAQ,EAAE,CAAC,SAAS,CAAC;SACtB;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,OAAO,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,WAAwB;IAC3E,2DAA2D;IAC3D,IAAI,sBAAsB,CAAC,OAAO,CAAC;QAAE,OAAO,MAAM,CAAC;IAEnD,sBAAsB;IACtB,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QAAE,OAAO,MAAM,CAAC;IACjF,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/E,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QAAE,OAAO,OAAO,CAAC;IACnF,OAAO,MAAM,CAAC,CAAC,cAAc;AAC/B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,WAAwB,EACxB,GAAY,EACZ,SAAkB,EAClB,OAA+B;IAE/B,MAAM,OAAO,GAAG,SAAS,IAAI,WAAW,CAAC,IAAI,CAAC,kBAAkB,CAAC;IACjE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEzB,kDAAkD;IAClD,MAAM,gBAAgB,GAAG,OAAO,CAAC,CAAC,CAAC,MAAM,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAE5F,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,gBAAgB,CAAC,EAAE;YACvD,GAAG;YACH,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC,GAAG;YACzB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,SAAS,GAAG,KAAK,CAAC;QAEtB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACxC,IAAI,WAAW,GAAG,gBAAgB,EAAE,CAAC;gBACnC,MAAM,SAAS,GAAG,gBAAgB,GAAG,WAAW,CAAC;gBACjD,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,QAAQ,EAAE,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,SAAS,GAAG,IAAI,CAAC;YACnB,CAAC;YACD,WAAW,IAAI,KAAK,CAAC,MAAM,CAAC;QAC9B,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACxC,IAAI,WAAW,GAAG,gBAAgB,EAAE,CAAC;gBACnC,MAAM,SAAS,GAAG,gBAAgB,GAAG,WAAW,CAAC;gBACjD,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,QAAQ,EAAE,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,SAAS,GAAG,IAAI,CAAC;YACnB,CAAC;YACD,WAAW,IAAI,KAAK,CAAC,MAAM,CAAC;QAC9B,CAAC,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,QAAQ,GAAG,IAAI,CAAC;YAChB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACtB,UAAU,CAAC,GAAG,EAAE;gBACd,IAAI,CAAC;oBACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACxB,CAAC;gBAAC,MAAM,CAAC;oBACP,iCAAiC;gBACnC,CAAC;YACH,CAAC,EAAE,IAAI,CAAC,CAAC;QACX,CAAC,EAAE,OAAO,CAAC,CAAC;QAEZ,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,OAAO,CAAC;gBACN,SAAS,EAAE,IAAI;gBACf,MAAM;gBACN,MAAM;gBACN,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;gBAC/B,SAAS,EAAE,QAAQ;gBACnB,SAAS;aACV,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
|
package/dist/types.d.ts
CHANGED
package/dist/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC;CAC1D"}
|
package/examples/gateway.yaml
CHANGED
|
@@ -31,6 +31,19 @@ providers:
|
|
|
31
31
|
exec: builtin
|
|
32
32
|
http: builtin
|
|
33
33
|
|
|
34
|
+
# Optional reusable sandbox presets for policy-wrapped tool variants.
|
|
35
|
+
# See examples/sandbox-presets.yaml for a focused end-to-end example.
|
|
36
|
+
# sandbox_presets:
|
|
37
|
+
# local_transform:
|
|
38
|
+
# filesystem:
|
|
39
|
+
# allow_read: ['.']
|
|
40
|
+
# allow_write: ['/tmp', '/private/tmp']
|
|
41
|
+
# deny_read: ['~/.ssh', '~/.aws', '.env']
|
|
42
|
+
# deny_write: ['.']
|
|
43
|
+
# network:
|
|
44
|
+
# allowed_domains: []
|
|
45
|
+
# denied_domains: []
|
|
46
|
+
|
|
34
47
|
# Agents
|
|
35
48
|
agents:
|
|
36
49
|
# Helena: full-access developer agent with approval on destructive ops
|
|
@@ -61,6 +74,23 @@ agents:
|
|
|
61
74
|
domain_allowlist:
|
|
62
75
|
- 'api.github.com'
|
|
63
76
|
- '*.sentry.io'
|
|
77
|
+
# sandbox:
|
|
78
|
+
# enabled: true
|
|
79
|
+
# presets: ['local_transform']
|
|
80
|
+
# tool_overrides:
|
|
81
|
+
# python/sandboxed:
|
|
82
|
+
# alias_of: 'exec/run'
|
|
83
|
+
# description: 'Run Python for local transforms only'
|
|
84
|
+
# python/full:
|
|
85
|
+
# alias_of: 'exec/run'
|
|
86
|
+
# description: 'Run Python with broader permissions after approval'
|
|
87
|
+
# sandbox:
|
|
88
|
+
# filesystem:
|
|
89
|
+
# allow_write: ['.', '/tmp', '/private/tmp']
|
|
90
|
+
# deny_write: []
|
|
91
|
+
# network:
|
|
92
|
+
# allowed_domains: ['pypi.org', '*.pythonhosted.org']
|
|
93
|
+
# denied_domains: []
|
|
64
94
|
|
|
65
95
|
# Claude Code: read-only, no approval needed
|
|
66
96
|
claude-code:
|
|
@@ -0,0 +1,142 @@
|
|
|
1
|
+
# Sandbox presets + tool variant example.
|
|
2
|
+
#
|
|
3
|
+
# Goal:
|
|
4
|
+
# - give agents a fast-path tool that is broadly allowed because it runs in a
|
|
5
|
+
# tight sandbox
|
|
6
|
+
# - keep a second full-power variant that still requires approval
|
|
7
|
+
#
|
|
8
|
+
# Run: npx tsx src/index.ts --agent claude-code --config examples/sandbox-presets.yaml
|
|
9
|
+
|
|
10
|
+
providers:
|
|
11
|
+
exec: builtin
|
|
12
|
+
|
|
13
|
+
# Reusable sandbox building blocks.
|
|
14
|
+
# These can be referenced by agents and by individual tool variants.
|
|
15
|
+
sandbox_presets:
|
|
16
|
+
local_transform:
|
|
17
|
+
filesystem:
|
|
18
|
+
# Let the agent read the repo, but only write to temp space.
|
|
19
|
+
allow_read:
|
|
20
|
+
- '.'
|
|
21
|
+
allow_write:
|
|
22
|
+
- '/tmp'
|
|
23
|
+
- '/private/tmp'
|
|
24
|
+
# Additive deny rules protect common secret locations.
|
|
25
|
+
deny_read:
|
|
26
|
+
- '~/.ssh'
|
|
27
|
+
- '~/.aws'
|
|
28
|
+
- '~/.config/gcloud'
|
|
29
|
+
- '.env'
|
|
30
|
+
# Prevent writes back into the repo by default.
|
|
31
|
+
deny_write:
|
|
32
|
+
- '.'
|
|
33
|
+
network:
|
|
34
|
+
# Empty allowlist means no outbound network.
|
|
35
|
+
allowed_domains: []
|
|
36
|
+
denied_domains: []
|
|
37
|
+
|
|
38
|
+
github_only:
|
|
39
|
+
network:
|
|
40
|
+
allowed_domains:
|
|
41
|
+
- 'github.com'
|
|
42
|
+
- '*.github.com'
|
|
43
|
+
- 'api.github.com'
|
|
44
|
+
denied_domains: []
|
|
45
|
+
|
|
46
|
+
agents:
|
|
47
|
+
claude-code:
|
|
48
|
+
allow:
|
|
49
|
+
- 'python/sandboxed'
|
|
50
|
+
- 'node/sandboxed'
|
|
51
|
+
ask:
|
|
52
|
+
- 'python/full'
|
|
53
|
+
- 'python/github'
|
|
54
|
+
- 'node/full'
|
|
55
|
+
deny:
|
|
56
|
+
- 'exec/run'
|
|
57
|
+
|
|
58
|
+
# Agent-level sandbox defaults apply to any tool that resolves through the
|
|
59
|
+
# sandbox middleware, then tool-specific presets / overrides refine it.
|
|
60
|
+
sandbox:
|
|
61
|
+
enabled: true
|
|
62
|
+
presets:
|
|
63
|
+
- local_transform
|
|
64
|
+
|
|
65
|
+
tool_overrides:
|
|
66
|
+
# Safe fast path: same underlying capability, but strongly sandboxed.
|
|
67
|
+
python/sandboxed:
|
|
68
|
+
alias_of: 'exec/run'
|
|
69
|
+
description: 'Run Python for local JSON/text transformations only'
|
|
70
|
+
|
|
71
|
+
# Full-power variant: same base tool, but leave it approval-gated.
|
|
72
|
+
python/full:
|
|
73
|
+
alias_of: 'exec/run'
|
|
74
|
+
description: 'Run Python with normal permissions after approval'
|
|
75
|
+
sandbox:
|
|
76
|
+
filesystem:
|
|
77
|
+
# Override allow_write so approved runs can modify the repo.
|
|
78
|
+
allow_write:
|
|
79
|
+
- '.'
|
|
80
|
+
- '/tmp'
|
|
81
|
+
- '/private/tmp'
|
|
82
|
+
deny_write: []
|
|
83
|
+
network:
|
|
84
|
+
# Example broad approved networking.
|
|
85
|
+
allowed_domains:
|
|
86
|
+
- 'pypi.org'
|
|
87
|
+
- '*.pythonhosted.org'
|
|
88
|
+
denied_domains: []
|
|
89
|
+
|
|
90
|
+
# Middle ground: GitHub-only network for scripts that need API access.
|
|
91
|
+
python/github:
|
|
92
|
+
alias_of: 'exec/run'
|
|
93
|
+
description: 'Run Python with GitHub-only network access after approval'
|
|
94
|
+
sandbox_presets:
|
|
95
|
+
- github_only
|
|
96
|
+
|
|
97
|
+
node/sandboxed:
|
|
98
|
+
alias_of: 'exec/run'
|
|
99
|
+
description: 'Run Node.js for local transformations only'
|
|
100
|
+
|
|
101
|
+
node/full:
|
|
102
|
+
alias_of: 'exec/run'
|
|
103
|
+
description: 'Run Node.js with broader permissions after approval'
|
|
104
|
+
sandbox:
|
|
105
|
+
filesystem:
|
|
106
|
+
allow_write:
|
|
107
|
+
- '.'
|
|
108
|
+
- '/tmp'
|
|
109
|
+
- '/private/tmp'
|
|
110
|
+
deny_write: []
|
|
111
|
+
network:
|
|
112
|
+
allowed_domains:
|
|
113
|
+
- 'registry.npmjs.org'
|
|
114
|
+
- '*.npmjs.org'
|
|
115
|
+
denied_domains: []
|
|
116
|
+
|
|
117
|
+
exec:
|
|
118
|
+
# Example shell policy for the underlying exec provider.
|
|
119
|
+
# The tool permission still controls whether the tool can be called at all;
|
|
120
|
+
# these patterns constrain the command strings passed into exec/run.
|
|
121
|
+
allow:
|
|
122
|
+
- 'python3 -c *'
|
|
123
|
+
- 'python -c *'
|
|
124
|
+
- 'node -e *'
|
|
125
|
+
ask:
|
|
126
|
+
- 'python3 *'
|
|
127
|
+
- 'python *'
|
|
128
|
+
- 'node *'
|
|
129
|
+
deny:
|
|
130
|
+
- 'sudo *'
|
|
131
|
+
- 'rm -rf *'
|
|
132
|
+
|
|
133
|
+
approvals:
|
|
134
|
+
provider:
|
|
135
|
+
type: stdio
|
|
136
|
+
timeout_ms: 300000
|
|
137
|
+
batch_window_ms: 5000
|
|
138
|
+
|
|
139
|
+
audit:
|
|
140
|
+
db_path: ':memory:'
|
|
141
|
+
retention_days: 1
|
|
142
|
+
redact_fields: []
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "airlock-bot",
|
|
3
|
-
"version": "0.2.
|
|
3
|
+
"version": "0.2.20",
|
|
4
4
|
"description": "Permissions-aware MCP gateway with human-in-the-loop approval for AI agents",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"type": "module",
|
|
@@ -40,6 +40,10 @@
|
|
|
40
40
|
"build": "tsc",
|
|
41
41
|
"dev": "tsx src/index.ts",
|
|
42
42
|
"configure-agent": "tsx scripts/configure-agent.ts",
|
|
43
|
+
"docs:dev": "vitepress dev docs",
|
|
44
|
+
"docs:llms": "tsx scripts/generate-llms.ts",
|
|
45
|
+
"docs:build": "npm run docs:llms && vitepress build docs",
|
|
46
|
+
"docs:preview": "vitepress preview docs",
|
|
43
47
|
"test": "vitest",
|
|
44
48
|
"typecheck": "tsc --noEmit",
|
|
45
49
|
"lint": "eslint src",
|
|
@@ -50,6 +54,7 @@
|
|
|
50
54
|
"prepublishOnly": "npm run schema && npm run build"
|
|
51
55
|
},
|
|
52
56
|
"dependencies": {
|
|
57
|
+
"@anthropic-ai/sandbox-runtime": "^0.0.42",
|
|
53
58
|
"@apidevtools/swagger-parser": "^12.1.0",
|
|
54
59
|
"@modelcontextprotocol/sdk": "^1.27.1",
|
|
55
60
|
"ai": "^6.0.116",
|
|
@@ -77,6 +82,7 @@
|
|
|
77
82
|
"tsx": "^4.7.0",
|
|
78
83
|
"typescript": "^5.4.0",
|
|
79
84
|
"typescript-eslint": "^8.57.0",
|
|
85
|
+
"vitepress": "^1.6.4",
|
|
80
86
|
"vitest": "^3.0.0",
|
|
81
87
|
"zod-to-json-schema": "^3.25.1"
|
|
82
88
|
}
|