attocode 0.1.0

package/dist/src/integrations/sandbox/index.js

@@ -0,0 +1,382 @@
+/**
+ * OS-Specific Sandbox Integration
+ *
+ * Provides platform-aware sandboxing for command execution:
+ * - macOS: Uses sandbox-exec with Seatbelt profiles
+ * - Linux: Uses Docker containers for isolation
+ * - Fallback: Basic allowlist-based validation
+ *
+ * Inspired by Codex's approach to secure code execution.
+ *
+ * Usage:
+ *   const sandbox = createSandbox({ writablePaths: ['.'], networkAllowed: false });
+ *   const result = await sandbox.execute('npm install');
+ */
+import { SeatbeltSandbox } from './seatbelt.js';
+import { DockerSandbox } from './docker.js';
+import { BasicSandbox } from './basic.js';
+import { LandlockSandbox } from './landlock.js';
+// =============================================================================
+// DEFAULT OPTIONS
+// =============================================================================
+const DEFAULT_OPTIONS = {
+    writablePaths: ['.'],
+    readablePaths: ['/'],
+    networkAllowed: false,
+    timeout: 60000, // 1 minute
+    workingDir: process.cwd(),
+    env: {},
+    maxMemoryMB: 512,
+    maxCpuSeconds: 30,
+    allowedCommands: [
+        'node', 'npm', 'npx', 'yarn', 'pnpm', 'bun',
+        'git', 'ls', 'cat', 'head', 'tail', 'grep', 'find', 'wc',
+        'echo', 'pwd', 'which', 'env', 'mkdir', 'cp', 'mv', 'touch',
+        'tsc', 'eslint', 'prettier', 'jest', 'vitest', 'mocha',
+    ],
+    blockedCommands: [
+        'rm -rf /',
+        'rm -rf ~',
+        'sudo',
+        'chmod 777',
+        'curl | sh',
+        'curl | bash',
+        'wget | sh',
+        'wget | bash',
+        ':(){:|:&};:',
+        'mkfs',
+        'dd if=/dev/zero',
+    ],
+};
+// =============================================================================
+// SANDBOX MANAGER
+// =============================================================================
+/**
+ * Manages sandbox selection and execution.
+ */
+export class SandboxManager {
+    config;
+    activeSandbox = null;
+    eventListeners = new Set();
+    constructor(config = {}) {
+        this.config = {
+            mode: config.mode ?? 'auto',
+            defaults: { ...DEFAULT_OPTIONS, ...config.defaults },
+            dockerImage: config.dockerImage ?? 'agent-sandbox:latest',
+            verbose: config.verbose ?? false,
+        };
+    }
+    /**
+     * Get or create the appropriate sandbox for this system.
+     */
+    async getSandbox() {
+        if (this.activeSandbox) {
+            return this.activeSandbox;
+        }
+        this.activeSandbox = await this.createSandbox(this.config.mode);
+        return this.activeSandbox;
+    }
+    /**
+     * Execute a command in the sandbox.
+     */
+    async execute(command, options) {
+        const sandbox = await this.getSandbox();
+        const startTime = Date.now();
+        this.emit({
+            type: 'sandbox.execute.start',
+            command,
+            mode: sandbox.getType(),
+        });
+        try {
+            const mergedOptions = { ...this.config.defaults, ...options };
+            const result = await sandbox.execute(command, mergedOptions);
+            const duration = Date.now() - startTime;
+            this.emit({
+                type: 'sandbox.execute.complete',
+                command,
+                exitCode: result.exitCode,
+                duration,
+            });
+            return result;
+        }
+        catch (err) {
+            const error = err instanceof Error ? err.message : String(err);
+            this.emit({ type: 'sandbox.execute.error', command, error });
+            throw err;
+        }
+    }
+    /**
+     * Check if a command should be blocked.
+     */
+    isCommandBlocked(command) {
+        const blockedPatterns = this.config.defaults.blockedCommands ?? [];
+        for (const pattern of blockedPatterns) {
+            if (command.includes(pattern)) {
+                return { blocked: true, reason: `Command contains blocked pattern: ${pattern}` };
+            }
+        }
+        // Check for dangerous patterns
+        const dangerousPatterns = [
+            /rm\s+-[rf]*\s+\/(?!\w)/, // rm -rf / or similar
+            />\s*\/dev\/sd[a-z]/, // writing to block devices
+            /mkfs/, // formatting filesystems
+            /:\(\)\{.*\};:/, // fork bomb
+            /wget.*\|\s*(?:ba)?sh/, // download and execute
+            /curl.*\|\s*(?:ba)?sh/, // download and execute
+        ];
+        for (const pattern of dangerousPatterns) {
+            if (pattern.test(command)) {
+                return { blocked: true, reason: `Command matches dangerous pattern` };
+            }
+        }
+        return { blocked: false };
+    }
+    /**
+     * Set the sandbox mode.
+     */
+    async setMode(mode) {
+        if (mode === this.config.mode)
+            return;
+        const oldMode = this.config.mode;
+        // Cleanup old sandbox
+        if (this.activeSandbox) {
+            await this.activeSandbox.cleanup();
+            this.activeSandbox = null;
+        }
+        this.config.mode = mode;
+        this.emit({ type: 'sandbox.mode.changed', from: oldMode, to: mode });
+    }
+    /**
+     * Get the current sandbox mode.
+     */
+    getMode() {
+        return this.config.mode;
+    }
+    /**
+     * Get info about available sandboxes.
+     */
+    async getAvailableSandboxes() {
+        const results = [];
+        // Check Seatbelt (macOS)
+        const seatbelt = new SeatbeltSandbox(this.config.defaults);
+        results.push({ mode: 'seatbelt', available: await seatbelt.isAvailable() });
+        // Check Landlock (Linux)
+        const landlock = new LandlockSandbox(this.config.defaults);
+        results.push({ mode: 'landlock', available: await landlock.isAvailable() });
+        // Check Docker
+        const docker = new DockerSandbox(this.config.defaults, this.config.dockerImage);
+        results.push({ mode: 'docker', available: await docker.isAvailable() });
+        // Basic is always available
+        results.push({ mode: 'basic', available: true });
+        // None is always available
+        results.push({ mode: 'none', available: true });
+        return results;
+    }
+    /**
+     * Subscribe to sandbox events.
+     */
+    subscribe(listener) {
+        this.eventListeners.add(listener);
+        return () => this.eventListeners.delete(listener);
+    }
+    /**
+     * Cleanup resources.
+     */
+    async cleanup() {
+        if (this.activeSandbox) {
+            await this.activeSandbox.cleanup();
+            this.activeSandbox = null;
+        }
+        this.eventListeners.clear();
+    }
+    // Internal methods
+    /**
+     * Create a sandbox based on mode.
+     */
+    async createSandbox(mode) {
+        if (mode === 'auto') {
+            return this.autoDetectSandbox();
+        }
+        switch (mode) {
+            case 'seatbelt': {
+                const seatbelt = new SeatbeltSandbox(this.config.defaults);
+                if (await seatbelt.isAvailable()) {
+                    return seatbelt;
+                }
+                throw new Error('Seatbelt sandbox not available (requires macOS)');
+            }
+            case 'landlock': {
+                const landlock = new LandlockSandbox(this.config.defaults);
+                if (await landlock.isAvailable()) {
+                    return landlock;
+                }
+                throw new Error('Landlock sandbox not available (requires Linux with Landlock/bwrap/firejail)');
+            }
+            case 'docker': {
+                const docker = new DockerSandbox(this.config.defaults, this.config.dockerImage);
+                if (await docker.isAvailable()) {
+                    return docker;
+                }
+                throw new Error('Docker sandbox not available');
+            }
+            case 'basic':
+                return new BasicSandbox(this.config.defaults);
+            case 'none':
+                return new NoSandbox();
+            default:
+                throw new Error(`Unknown sandbox mode: ${mode}`);
+        }
+    }
+    /**
+     * Auto-detect the best available sandbox.
+     */
+    async autoDetectSandbox() {
+        // Try Seatbelt first (macOS)
+        if (process.platform === 'darwin') {
+            const seatbelt = new SeatbeltSandbox(this.config.defaults);
+            if (await seatbelt.isAvailable()) {
+                if (this.config.verbose) {
+                    console.log('[Sandbox] Auto-detected: Seatbelt (macOS)');
+                }
+                return seatbelt;
+            }
+        }
+        // Try Landlock on Linux (preferred over Docker for lower overhead)
+        if (process.platform === 'linux') {
+            const landlock = new LandlockSandbox(this.config.defaults);
+            if (await landlock.isAvailable()) {
+                if (this.config.verbose) {
+                    console.log('[Sandbox] Auto-detected: Landlock (Linux)');
+                }
+                return landlock;
+            }
+        }
+        // Try Docker (any platform with Docker)
+        const docker = new DockerSandbox(this.config.defaults, this.config.dockerImage);
+        if (await docker.isAvailable()) {
+            if (this.config.verbose) {
+                console.log('[Sandbox] Auto-detected: Docker');
+            }
+            return docker;
+        }
+        // Fall back to basic sandbox
+        if (this.config.verbose) {
+            console.log('[Sandbox] Auto-detected: Basic (allowlist-based)');
+        }
+        return new BasicSandbox(this.config.defaults);
+    }
+    /**
+     * Emit a sandbox event.
+     */
+    emit(event) {
+        for (const listener of this.eventListeners) {
+            try {
+                listener(event);
+            }
+            catch {
+                // Ignore listener errors
+            }
+        }
+    }
+}
+// =============================================================================
+// NO SANDBOX (PASSTHROUGH)
+// =============================================================================
+/**
+ * No sandbox - executes commands directly (unsafe).
+ */
+class NoSandbox {
+    async execute(command, options) {
+        const { spawn } = await import('child_process');
+        return new Promise((resolve) => {
+            const timeout = options?.timeout ?? 60000;
+            const workDir = options?.workingDir ?? process.cwd();
+            const proc = spawn('bash', ['-c', command], {
+                cwd: workDir,
+                env: { ...process.env, ...options?.env },
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+            let stdout = '';
+            let stderr = '';
+            let killed = false;
+            let timedOut = false;
+            const timer = setTimeout(() => {
+                timedOut = true;
+                killed = true;
+                proc.kill('SIGKILL');
+            }, timeout);
+            proc.stdout?.on('data', (data) => {
+                stdout += data.toString();
+            });
+            proc.stderr?.on('data', (data) => {
+                stderr += data.toString();
+            });
+            proc.on('close', (code) => {
+                clearTimeout(timer);
+                resolve({
+                    stdout,
+                    stderr,
+                    exitCode: code ?? 1,
+                    killed,
+                    timedOut,
+                });
+            });
+            proc.on('error', (err) => {
+                clearTimeout(timer);
+                resolve({
+                    stdout,
+                    stderr,
+                    exitCode: 1,
+                    killed: false,
+                    timedOut: false,
+                    error: err.message,
+                });
+            });
+        });
+    }
+    async isAvailable() {
+        return true;
+    }
+    getType() {
+        return 'none';
+    }
+    async cleanup() {
+        // No cleanup needed
+    }
+}
+// =============================================================================
+// FACTORY FUNCTIONS
+// =============================================================================
+/**
+ * Create a sandbox manager.
+ */
+export function createSandboxManager(config) {
+    return new SandboxManager(config);
+}
+/**
+ * Create a sandbox directly with auto-detection.
+ */
+export async function createSandbox(options) {
+    const manager = new SandboxManager({ defaults: options });
+    return manager.getSandbox();
+}
+/**
+ * Quick execute with auto-detected sandbox.
+ */
+export async function sandboxExec(command, options) {
+    const sandbox = await createSandbox(options);
+    try {
+        return await sandbox.execute(command, options);
+    }
+    finally {
+        await sandbox.cleanup();
+    }
+}
+// =============================================================================
+// RE-EXPORTS
+// =============================================================================
+export { SeatbeltSandbox } from './seatbelt.js';
+export { DockerSandbox } from './docker.js';
+export { BasicSandbox } from './basic.js';
+export { LandlockSandbox, createLandlockSandbox, checkLandlockSupport } from './landlock.js';
+//# sourceMappingURL=index.js.map

package/dist/src/integrations/sandbox/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/integrations/sandbox/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAwGhD,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF,MAAM,eAAe,GAA6B;IAChD,aAAa,EAAE,CAAC,GAAG,CAAC;IACpB,aAAa,EAAE,CAAC,GAAG,CAAC;IACpB,cAAc,EAAE,KAAK;IACrB,OAAO,EAAE,KAAK,EAAE,WAAW;IAC3B,UAAU,EAAE,OAAO,CAAC,GAAG,EAAE;IACzB,GAAG,EAAE,EAAE;IACP,WAAW,EAAE,GAAG;IAChB,aAAa,EAAE,EAAE;IACjB,eAAe,EAAE;QACf,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK;QAC3C,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI;QACxD,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO;QAC3D,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO;KACvD;IACD,eAAe,EAAE;QACf,UAAU;QACV,UAAU;QACV,MAAM;QACN,WAAW;QACX,WAAW;QACX,aAAa;QACb,WAAW;QACX,aAAa;QACb,aAAa;QACb,MAAM;QACN,iBAAiB;KAClB;CACF,CAAC;AAEF,gFAAgF;AAChF,kBAAkB;AAClB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,OAAO,cAAc;IACjB,MAAM,CAAiC;IACvC,aAAa,GAAmB,IAAI,CAAC;IACrC,cAAc,GAA8B,IAAI,GAAG,EAAE,CAAC;IAE9D,YAAY,SAA+B,EAAE;QAC3C,IAAI,CAAC,MAAM,GAAG;YACZ,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,MAAM;YAC3B,QAAQ,EAAE,EAAE,GAAG,eAAe,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE;YACpD,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,sBAAsB;YACzD,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,KAAK;SACjC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,aAAa,CAAC;QAC5B,CAAC;QAED,IAAI,CAAC,aAAa,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAChE,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,OAAe,EAAE,OAAiC;QAC9D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,uBAAuB;YAC7B,OAAO;YACP,IAAI,EAAE,OAAO,CAAC,OAAO,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,GAAG,OAAO,EAAE,CAAC;YAC9D,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;YAE7D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACxC,IAAI,CAAC,IAAI,CAAC;gBACR,IAAI,EAAE,0BAA0B;gBAChC,OAAO;gBACP,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,QAAQ;aACT,CAAC,CAAC;YAEH,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC/D,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YAC7D,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,OAAe;QAC9B,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,IAAI,EAAE,CAAC;QAEnE,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;YACtC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,qCAAqC,OAAO,EAAE,EAAE,CAAC;YACnF,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,MAAM,iBAAiB,GAAG;YACxB,wBAAwB,EAAS,sBAAsB;YACvD,oBAAoB,EAAc,2BAA2B;YAC7D,MAAM,EAA6B,yBAAyB;YAC5D,eAAe,EAAoB,YAAY;YAC/C,sBAAsB,EAAa,uBAAuB;YAC1D,sBAAsB,EAAa,uBAAuB;SAC3D,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;YACxC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;YACxE,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,IAAiB;QAC7B,IAAI,IAAI,KAAK,IAAI,CAAC,MAAM,CAAC,IAAI;YAAE,OAAO;QAEtC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QAEjC,sBAAsB;QACtB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC;YACnC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAC5B,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,sBAAsB,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACvE,CAAC;IAED;;OAEG;IACH,OAAO;QACL,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,qBAAqB;QACzB,MAAM,OAAO,GAAgD,EAAE,CAAC;QAEhE,yBAAyB;QACzB,MAAM,QAAQ,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC3D,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAE5E,yBAAyB;QACzB,MAAM,QAAQ,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC3D,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAE5E,eAAe;QACf,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAChF,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAExE,4BAA4B;QAC5B,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEjD,2BAA2B;QAC3B,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEhD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,QAA8B;QACtC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAClC,OAAO,GAAG,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO;QACX,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC;YACnC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC;IAED,mBAAmB;IAEnB;;OAEG;IACK,KAAK,CAAC,aAAa,CAAC,IAAiB;QAC3C,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAClC,CAAC;QAED,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,UAAU,CAAC,CAAC,CAAC;gBAChB,MAAM,QAAQ,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gBAC3D,IAAI,MAAM,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;oBACjC,OAAO,QAAQ,CAAC;gBAClB,CAAC;gBACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;YACrE,CAAC;YAED,KAAK,UAAU,CAAC,CAAC,CAAC;gBAChB,MAAM,QAAQ,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gBAC3D,IAAI,MAAM,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;oBACjC,OAAO,QAAQ,CAAC;gBAClB,CAAC;gBACD,MAAM,IAAI,KAAK,CAAC,8EAA8E,CAAC,CAAC;YAClG,CAAC;YAED,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;gBAChF,IAAI,MAAM,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;oBAC/B,OAAO,MAAM,CAAC;gBAChB,CAAC;gBACD,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;YAClD,CAAC;YAED,KAAK,OAAO;gBACV,OAAO,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAEhD,KAAK,MAAM;gBACT,OAAO,IAAI,SAAS,EAAE,CAAC;YAEzB;gBACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,iBAAiB;QAC7B,6BAA6B;QAC7B,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAM,QAAQ,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC3D,IAAI,MAAM,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;gBACjC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACxB,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;gBAC3D,CAAC;gBACD,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;QAED,mEAAmE;QACnE,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC3D,IAAI,MAAM,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;gBACjC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACxB,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;gBAC3D,CAAC;gBACD,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;QAED,wCAAwC;QACxC,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAChF,IAAI,MAAM,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;YAC/B,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACxB,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;YACjD,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,6BAA6B;QAC7B,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,kDAAkD,CAAC,CAAC;QAClE,CAAC;QACD,OAAO,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED;;OAEG;IACK,IAAI,CAAC,KAAmB;QAC9B,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YAC3C,IAAI,CAAC;gBACH,QAAQ,CAAC,KAAK,CAAC,CAAC;YAClB,CAAC;YAAC,MAAM,CAAC;gBACP,yBAAyB;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAED,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;GAEG;AACH,MAAM,SAAS;IACb,KAAK,CAAC,OAAO,CAAC,OAAe,EAAE,OAAiC;QAC9D,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QAEhD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,KAAK,CAAC;YAC1C,MAAM,OAAO,GAAG,OAAO,EAAE,UAAU,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YAErD,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE;gBAC1C,GAAG,EAAE,OAAO;gBACZ,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,EAAE;gBACxC,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;YAEH,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,MAAM,GAAG,KAAK,CAAC;YACnB,IAAI,QAAQ,GAAG,KAAK,CAAC;YAErB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,QAAQ,GAAG,IAAI,CAAC;gBAChB,MAAM,GAAG,IAAI,CAAC;gBACd,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvB,CAAC,EAAE,OAAO,CAAC,CAAC;YAEZ,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;gBAC/B,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;gBAC/B,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACxB,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,OAAO,CAAC;oBACN,MAAM;oBACN,MAAM;oBACN,QAAQ,EAAE,IAAI,IAAI,CAAC;oBACnB,MAAM;oBACN,QAAQ;iBACT,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACvB,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,OAAO,CAAC;oBACN,MAAM;oBACN,MAAM;oBACN,QAAQ,EAAE,CAAC;oBACX,MAAM,EAAE,KAAK;oBACb,QAAQ,EAAE,KAAK;oBACf,KAAK,EAAE,GAAG,CAAC,OAAO;iBACnB,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW;QACf,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO;QACL,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,OAAO;QACX,oBAAoB;IACtB,CAAC;CACF;AAED,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAA6B;IAChE,OAAO,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAAwB;IAC1D,MAAM,OAAO,GAAG,IAAI,cAAc,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IAC1D,OAAO,OAAO,CAAC,UAAU,EAAE,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAe,EACf,OAAwB;IAExB,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,CAAC;QACH,OAAO,MAAM,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;YAAS,CAAC;QACT,MAAM,OAAO,CAAC,OAAO,EAAE,CAAC;IAC1B,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC"}

package/dist/src/integrations/sandbox/landlock.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Landlock Sandbox (Linux)
+ *
+ * Uses Linux Landlock LSM for unprivileged process sandboxing.
+ * Requires Linux kernel 5.13+ with Landlock enabled.
+ *
+ * Landlock works by creating a ruleset that restricts what the process can do:
+ * - File system access (read, write, execute)
+ * - Network access (Linux 6.7+)
+ *
+ * Unlike seccomp, Landlock operates at the file path level rather than
+ * syscall level, making it more suitable for path-based restrictions.
+ */
+import type { Sandbox, ExecResult, SandboxOptions, SandboxMode } from './index.js';
+/**
+ * Landlock-based sandbox for Linux.
+ * Falls back to bubblewrap or firejail if native Landlock is not easily accessible.
+ */
+export declare class LandlockSandbox implements Sandbox {
+    private defaults;
+    private landlockAvailable;
+    private landlockVersion;
+    private useBubblewrap;
+    private useFirejail;
+    constructor(defaults: Partial<SandboxOptions>);
+    isAvailable(): Promise<boolean>;
+    getType(): SandboxMode;
+    execute(command: string, options?: Partial<SandboxOptions>): Promise<ExecResult>;
+    /**
+     * Build the sandboxed command.
+     */
+    private buildSandboxedCommand;
+    /**
+     * Build command using bubblewrap (bwrap).
+     */
+    private buildBubblewrapCommand;
+    /**
+     * Build command using firejail.
+     */
+    private buildFirejailCommand;
+    /**
+     * Build command with ulimit constraints (minimal isolation).
+     */
+    private buildUlimitCommand;
+    cleanup(): Promise<void>;
+}
+/**
+ * Create a Landlock sandbox.
+ */
+export declare function createLandlockSandbox(options?: Partial<SandboxOptions>): LandlockSandbox;
+/**
+ * Check if Landlock/Linux isolation is available.
+ */
+export declare function checkLandlockSupport(): Promise<{
+    available: boolean;
+    method: 'landlock' | 'bubblewrap' | 'firejail' | 'ulimit' | 'none';
+    details: string;
+}>;
+//# sourceMappingURL=landlock.d.ts.map

package/dist/src/integrations/sandbox/landlock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"landlock.d.ts","sourceRoot":"","sources":["../../../../src/integrations/sandbox/landlock.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAuFnF;;;GAGG;AACH,qBAAa,eAAgB,YAAW,OAAO;IAC7C,OAAO,CAAC,QAAQ,CAA2B;IAC3C,OAAO,CAAC,iBAAiB,CAAwB;IACjD,OAAO,CAAC,eAAe,CAAa;IACpC,OAAO,CAAC,aAAa,CAAkB;IACvC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,QAAQ,EAAE,OAAO,CAAC,cAAc,CAAC;IAevC,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAqCrC,OAAO,IAAI,WAAW;IAKhB,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC;IA4DtF;;OAEG;YACW,qBAAqB;IAiBnC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAmD9B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAwC5B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAcpB,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAG/B;AAMD;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC,GAAG,eAAe,CAExF;AAED;;GAEG;AACH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC;IACpD,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,EAAE,UAAU,GAAG,YAAY,GAAG,UAAU,GAAG,QAAQ,GAAG,MAAM,CAAC;IACnE,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC,CA2BD"}