bugproof 0.1.1

package/dist/diff/engine.js

@@ -0,0 +1,88 @@
+/**
+ * Diff engine: compares two .bug artifacts and produces a structured diff report.
+ */
+export function diffArtifacts(left, right) {
+    const changes = [];
+    // Compare exit code
+    if (left.failure.exit_code !== right.failure.exit_code) {
+        changes.push({ field: 'exit_code', left: left.failure.exit_code, right: right.failure.exit_code });
+    }
+    // Compare fingerprint
+    if (left.failure.fingerprint !== right.failure.fingerprint) {
+        changes.push({ field: 'fingerprint', left: left.failure.fingerprint, right: right.failure.fingerprint });
+    }
+    // Compare command
+    const leftCmd = left.manifest.command.join(' ');
+    const rightCmd = right.manifest.command.join(' ');
+    if (leftCmd !== rightCmd) {
+        changes.push({ field: 'command', left: leftCmd, right: rightCmd });
+    }
+    // Compare OS
+    if (left.manifest.captured_on.os !== right.manifest.captured_on.os) {
+        changes.push({ field: 'os', left: left.manifest.captured_on.os, right: right.manifest.captured_on.os });
+    }
+    // Compare architecture
+    if (left.manifest.captured_on.arch !== right.manifest.captured_on.arch) {
+        changes.push({ field: 'arch', left: left.manifest.captured_on.arch, right: right.manifest.captured_on.arch });
+    }
+    // Compare Node version
+    if (left.manifest.captured_on.node_version !== right.manifest.captured_on.node_version) {
+        changes.push({
+            field: 'node_version',
+            left: left.manifest.captured_on.node_version,
+            right: right.manifest.captured_on.node_version,
+        });
+    }
+    // Compare error patterns
+    const leftPatterns = JSON.stringify(left.failure.error_patterns);
+    const rightPatterns = JSON.stringify(right.failure.error_patterns);
+    if (leftPatterns !== rightPatterns) {
+        changes.push({
+            field: 'error_patterns',
+            left: left.failure.error_patterns,
+            right: right.failure.error_patterns,
+        });
+    }
+    // Compare duration (only if significantly different, >20%)
+    const durationDiff = Math.abs(left.failure.duration_ms - right.failure.duration_ms);
+    const avgDuration = (left.failure.duration_ms + right.failure.duration_ms) / 2;
+    if (avgDuration > 0 && durationDiff / avgDuration > 0.2) {
+        changes.push({ field: 'duration_ms', left: left.failure.duration_ms, right: right.failure.duration_ms });
+    }
+    // Compare file lists
+    const fileChanges = diffFileEntries(left.files, right.files);
+    const hasFileChanges = fileChanges.added.length > 0 || fileChanges.removed.length > 0 || fileChanges.modified.length > 0;
+    return {
+        identical: changes.length === 0 && !hasFileChanges,
+        changes,
+        fileChanges: hasFileChanges ? fileChanges : { added: [], removed: [], modified: [] },
+    };
+}
+function diffFileEntries(leftFiles, rightFiles) {
+    const leftMap = new Map(leftFiles.map(f => [f.path, f]));
+    const rightMap = new Map(rightFiles.map(f => [f.path, f]));
+    const added = [];
+    const removed = [];
+    const modified = [];
+    // Files in right but not in left => added
+    for (const [path] of rightMap) {
+        if (!leftMap.has(path)) {
+            added.push(path);
+        }
+    }
+    // Files in left but not in right => removed
+    for (const [path] of leftMap) {
+        if (!rightMap.has(path)) {
+            removed.push(path);
+        }
+    }
+    // Files in both but with different hashes => modified
+    for (const [path, leftEntry] of leftMap) {
+        const rightEntry = rightMap.get(path);
+        if (rightEntry && leftEntry.sha256 !== rightEntry.sha256) {
+            modified.push(path);
+        }
+    }
+    return { added, removed, modified };
+}
+//# sourceMappingURL=engine.js.map

package/dist/diff/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/diff/engine.ts"],"names":[],"mappings":"AAAA;;GAEG;AA8BH,MAAM,UAAU,aAAa,CAAC,IAAsB,EAAE,KAAuB;IAC3E,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,oBAAoB;IACpB,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,KAAK,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvD,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;IACrG,CAAC;IAED,sBAAsB;IACtB,IAAI,IAAI,CAAC,OAAO,CAAC,WAAW,KAAK,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QAC3D,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAC3G,CAAC;IAED,kBAAkB;IAClB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClD,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,aAAa;IACb,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,KAAK,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QACnE,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1G,CAAC;IAED,uBAAuB;IACvB,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,KAAK,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;QACvE,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC;IAChH,CAAC;IAED,uBAAuB;IACvB,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,YAAY,KAAK,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,YAAY,EAAE,CAAC;QACvF,OAAO,CAAC,IAAI,CAAC;YACX,KAAK,EAAE,cAAc;YACrB,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,YAAY;YAC5C,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,YAAY;SAC/C,CAAC,CAAC;IACL,CAAC;IAED,yBAAyB;IACzB,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IACjE,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IACnE,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;QACnC,OAAO,CAAC,IAAI,CAAC;YACX,KAAK,EAAE,gBAAgB;YACvB,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,cAAc;YACjC,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,cAAc;SACpC,CAAC,CAAC;IACL,CAAC;IAED,2DAA2D;IAC3D,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACpF,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAC/E,IAAI,WAAW,GAAG,CAAC,IAAI,YAAY,GAAG,WAAW,GAAG,GAAG,EAAE,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAC3G,CAAC;IAED,qBAAqB;IACrB,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;IAC7D,MAAM,cAAc,GAClB,WAAW,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAEpG,OAAO;QACL,SAAS,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,cAAc;QAClD,OAAO;QACP,WAAW,EAAE,cAAc,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;KACrF,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,SAAsB,EAAE,UAAuB;IACtE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,0CAA0C;IAC1C,KAAK,MAAM,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,KAAK,MAAM,CAAC,IAAI,CAAC,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,KAAK,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,OAAO,EAAE,CAAC;QACxC,MAAM,UAAU,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,UAAU,IAAI,SAAS,CAAC,MAAM,KAAK,UAAU,CAAC,MAAM,EAAE,CAAC;YACzD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtC,CAAC"}

package/dist/replay/engine.d.ts

@@ -0,0 +1,41 @@
+import { RunConfig } from '../types/artifact.js';
+import { FailureRecord } from '../types/failure.js';
+export interface ReplayOptions {
+    artifactPath: string;
+    versionMatch: 'strict' | 'current' | 'branch';
+    envOverrides: Record<string, string>;
+    /** Git commit from the artifact manifest (used for strict mode) */
+    gitCommit?: string;
+    /** Git branch from the artifact manifest (used for branch mode) */
+    gitBranch?: string;
+    sandboxLevel?: 'workspace' | 'isolated' | 'full';
+}
+export interface ReplayResult {
+    actualFailure: FailureRecord;
+    expectedFailure: FailureRecord;
+    actualStdout: string;
+    actualStderr: string;
+    /** The directory where replay actually ran */
+    replayDirectory: string;
+    /** Whether the sandbox fell back to artifact file snapshots */
+    usedFallback?: boolean;
+    /** Sandbox architecture layers applied */
+    bugBox?: {
+        level: string;
+        appliedLayers: string[];
+        skippedLayers: string[];
+        platform: string;
+    };
+}
+/**
+ * Replays a captured artifact in an isolated sandbox.
+ *
+ * Three modes:
+ *   - current: runs in cwd (no sandbox, fast)
+ *   - strict:  creates temp dir at the exact git commit, falls back to artifact files/
+ *   - branch:  creates temp dir at the branch tip, falls back to current
+ *
+ * The sandbox is always cleaned up after the command finishes.
+ */
+export declare function replayArtifact(runConfig: RunConfig, expectedFailure: FailureRecord, options: ReplayOptions): Promise<ReplayResult>;
+//# sourceMappingURL=engine.d.ts.map

package/dist/replay/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/replay/engine.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAKpD,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,QAAQ,GAAG,SAAS,GAAG,QAAQ,CAAC;IAC9C,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,WAAW,GAAG,UAAU,GAAG,MAAM,CAAC;CAClD;AAED,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,aAAa,CAAC;IAC7B,eAAe,EAAE,aAAa,CAAC;IAC/B,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,8CAA8C;IAC9C,eAAe,EAAE,MAAM,CAAC;IACxB,+DAA+D;IAC/D,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,0CAA0C;IAC1C,MAAM,CAAC,EAAE;QACP,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,EAAE,CAAC;QACxB,aAAa,EAAE,MAAM,EAAE,CAAC;QACxB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,SAAS,EACpB,eAAe,EAAE,aAAa,EAC9B,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,YAAY,CAAC,CA0DvB"}

package/dist/replay/engine.js

@@ -0,0 +1,69 @@
+import { executeAndCapture } from '../capture/engine.js';
+import { createBugBox } from '../sandbox/bugbox.js';
+import { sanitizeArtifactEnvironment } from '../utils/security.js';
+/**
+ * Replays a captured artifact in an isolated sandbox.
+ *
+ * Three modes:
+ *   - current: runs in cwd (no sandbox, fast)
+ *   - strict:  creates temp dir at the exact git commit, falls back to artifact files/
+ *   - branch:  creates temp dir at the branch tip, falls back to current
+ *
+ * The sandbox is always cleaned up after the command finishes.
+ */
+export async function replayArtifact(runConfig, expectedFailure, options) {
+    // 1. Create the sandbox workspace via Bug-Box orchestrator
+    const bugbox = await createBugBox({
+        level: options.sandboxLevel || 'workspace',
+        command: runConfig.command,
+        sandboxOptions: {
+            mode: options.versionMatch,
+            originalWorkingDir: runConfig.working_directory,
+            artifactPath: options.artifactPath,
+            gitCommit: options.gitCommit,
+            gitBranch: options.gitBranch,
+        },
+    });
+    try {
+        // 2. Merge environments — sanitize artifact env to block dangerous overrides
+        const safeArtifactEnv = sanitizeArtifactEnvironment(runConfig.environment);
+        const replayEnv = {
+            ...process.env,
+            ...safeArtifactEnv,
+            ...options.envOverrides,
+        };
+        const hostPath = process.env.PATH || process.env.Path || process.env.path;
+        if (hostPath) {
+            replayEnv.PATH = hostPath;
+            if (process.platform === 'win32') {
+                replayEnv.Path = hostPath;
+            }
+        }
+        // 3. Re-run the command in the sandbox directory
+        const replayConfig = {
+            ...runConfig,
+            ...bugbox.runConfigOverrides,
+            environment: replayEnv,
+        };
+        const result = await executeAndCapture(replayConfig);
+        return {
+            actualFailure: result.failure,
+            expectedFailure,
+            actualStdout: result.stdout,
+            actualStderr: result.stderr,
+            replayDirectory: bugbox.sandboxResult.workingDirectory,
+            usedFallback: bugbox.sandboxResult.usedFallback,
+            bugBox: {
+                level: options.sandboxLevel || 'workspace',
+                appliedLayers: bugbox.appliedLayers,
+                skippedLayers: bugbox.skippedLayers,
+                platform: bugbox.capabilities.platform,
+            },
+        };
+    }
+    finally {
+        // 4. Always clean up the sandbox
+        bugbox.cleanupFn();
+    }
+}
+//# sourceMappingURL=engine.js.map

package/dist/replay/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/replay/engine.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAgB,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,2BAA2B,EAAE,MAAM,sBAAsB,CAAC;AA+BnE;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAoB,EACpB,eAA8B,EAC9B,OAAsB;IAEtB,2DAA2D;IAC3D,MAAM,MAAM,GAAiB,MAAM,YAAY,CAAC;QAC9C,KAAK,EAAE,OAAO,CAAC,YAAY,IAAI,WAAW;QAC1C,OAAO,EAAE,SAAS,CAAC,OAAO;QAC1B,cAAc,EAAE;YACd,IAAI,EAAE,OAAO,CAAC,YAAY;YAC1B,kBAAkB,EAAE,SAAS,CAAC,iBAAiB;YAC/C,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,SAAS,EAAE,OAAO,CAAC,SAAS;SAC7B;KACF,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,6EAA6E;QAC7E,MAAM,eAAe,GAAG,2BAA2B,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC3E,MAAM,SAAS,GAAG;YAChB,GAAG,OAAO,CAAC,GAAG;YACd,GAAG,eAAe;YAClB,GAAG,OAAO,CAAC,YAAY;SACE,CAAC;QAE5B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;QAC1E,IAAI,QAAQ,EAAE,CAAC;YACb,SAAS,CAAC,IAAI,GAAG,QAAQ,CAAC;YAC1B,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACjC,SAAS,CAAC,IAAI,GAAG,QAAQ,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,iDAAiD;QACjD,MAAM,YAAY,GAAc;YAC9B,GAAG,SAAS;YACZ,GAAG,MAAM,CAAC,kBAAkB;YAC5B,WAAW,EAAE,SAAS;SACvB,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,YAAY,CAAC,CAAC;QAErD,OAAO;YACL,aAAa,EAAE,MAAM,CAAC,OAAO;YAC7B,eAAe;YACf,YAAY,EAAE,MAAM,CAAC,MAAM;YAC3B,YAAY,EAAE,MAAM,CAAC,MAAM;YAC3B,eAAe,EAAE,MAAM,CAAC,aAAa,CAAC,gBAAgB;YACtD,YAAY,EAAE,MAAM,CAAC,aAAa,CAAC,YAAY;YAC/C,MAAM,EAAE;gBACN,KAAK,EAAE,OAAO,CAAC,YAAY,IAAI,WAAW;gBAC1C,aAAa,EAAE,MAAM,CAAC,aAAa;gBACnC,aAAa,EAAE,MAAM,CAAC,aAAa;gBACnC,QAAQ,EAAE,MAAM,CAAC,YAAY,CAAC,QAAQ;aACvC;SACF,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,iCAAiC;QACjC,MAAM,CAAC,SAAS,EAAE,CAAC;IACrB,CAAC;AACH,CAAC"}

package/dist/replay/sandbox.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Replay Sandbox: creates an isolated workspace for deterministic replay.
+ *
+ * Three modes:
+ *   - current: run in cwd (no isolation, fast)
+ *   - strict:  git worktree at exact commit, falls back to artifact files/
+ *   - branch:  git worktree at branch tip, falls back to current
+ */
+export interface SandboxOptions {
+    mode: 'current' | 'strict' | 'branch';
+    originalWorkingDir: string;
+    artifactPath: string;
+    gitCommit?: string;
+    gitBranch?: string;
+    /** Optional pre-created directory to place the sandbox into */
+    targetDir?: string;
+}
+export interface SandboxResult {
+    workingDirectory: string;
+    tempDir?: string;
+    needsCleanup: boolean;
+    /** True when git checkout failed and we fell back to the artifact's files/ snapshot */
+    usedFallback?: boolean;
+}
+/**
+ * Creates a sandbox workspace for replay.
+ */
+export declare function createSandbox(options: SandboxOptions): Promise<SandboxResult>;
+/**
+ * Removes the sandbox temp directory.
+ */
+export declare function cleanupSandbox(result: SandboxResult): void;
+//# sourceMappingURL=sandbox.d.ts.map

package/dist/replay/sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.d.ts","sourceRoot":"","sources":["../../src/replay/sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAQH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,SAAS,GAAG,QAAQ,GAAG,QAAQ,CAAC;IACtC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,gBAAgB,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,OAAO,CAAC;IACtB,uFAAuF;IACvF,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC,CAsFnF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CA0B1D"}

package/dist/replay/sandbox.js

@@ -0,0 +1,167 @@
+/**
+ * Replay Sandbox: creates an isolated workspace for deterministic replay.
+ *
+ * Three modes:
+ *   - current: run in cwd (no isolation, fast)
+ *   - strict:  git worktree at exact commit, falls back to artifact files/
+ *   - branch:  git worktree at branch tip, falls back to current
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import { spawnSync } from 'child_process';
+import { isValidGitRef } from '../utils/security.js';
+/**
+ * Creates a sandbox workspace for replay.
+ */
+export async function createSandbox(options) {
+    // ── current mode: no isolation ──
+    if (options.mode === 'current') {
+        const tempDir = options.targetDir || fs.mkdtempSync(path.join(os.tmpdir(), 'bugproof-replay-'));
+        const artifactFilesDir = path.join(options.artifactPath, 'files');
+        if (fs.existsSync(artifactFilesDir)) {
+            copyDirRecursive(artifactFilesDir, tempDir);
+            return {
+                workingDirectory: tempDir,
+                tempDir,
+                needsCleanup: true,
+                usedFallback: true,
+            };
+        }
+        return {
+            workingDirectory: options.originalWorkingDir,
+            needsCleanup: false,
+        };
+    }
+    // ── branch mode without a branch: fall back to current ──
+    if (options.mode === 'branch' && !options.gitBranch) {
+        return {
+            workingDirectory: options.originalWorkingDir,
+            needsCleanup: false,
+        };
+    }
+    // ── strict or branch: try git worktree ──
+    const tempDir = options.targetDir || fs.mkdtempSync(path.join(os.tmpdir(), 'bugproof-replay-'));
+    // Determine the ref to checkout
+    const ref = options.mode === 'strict' ? options.gitCommit : options.gitBranch;
+    if (ref) {
+        // Security: validate ref before passing to git
+        if (!isValidGitRef(ref)) {
+            // Invalid ref, skip directly to fallback
+        }
+        else {
+            const worktreeResult = tryGitWorktree(options.originalWorkingDir, tempDir, ref);
+            if (worktreeResult.success) {
+                return {
+                    workingDirectory: tempDir,
+                    tempDir,
+                    needsCleanup: true,
+                };
+            }
+            // Worktree failed. For strict mode, try a detached checkout clone.
+            if (options.mode === 'strict') {
+                const cloneResult = tryGitCloneAndCheckout(options.originalWorkingDir, tempDir, ref);
+                if (cloneResult.success) {
+                    return {
+                        workingDirectory: tempDir,
+                        tempDir,
+                        needsCleanup: true,
+                    };
+                }
+            }
+        }
+    }
+    // ── Fallback: copy artifact's files/ snapshot into the temp dir ──
+    const artifactFilesDir = path.join(options.artifactPath, 'files');
+    if (fs.existsSync(artifactFilesDir)) {
+        copyDirRecursive(artifactFilesDir, tempDir);
+        return {
+            workingDirectory: tempDir,
+            tempDir,
+            needsCleanup: true,
+            usedFallback: true,
+        };
+    }
+    // Nothing worked, clean up and fall back to cwd
+    if (!options.targetDir) {
+        fs.rmSync(tempDir, { recursive: true, force: true });
+    }
+    return {
+        workingDirectory: options.originalWorkingDir,
+        needsCleanup: false,
+        usedFallback: true,
+    };
+}
+/**
+ * Removes the sandbox temp directory.
+ */
+export function cleanupSandbox(result) {
+    if (!result.needsCleanup || !result.tempDir)
+        return;
+    try {
+        // If it was a worktree, remove it properly first
+        const gitDir = path.join(result.tempDir, '.git');
+        if (fs.existsSync(gitDir)) {
+            const gitContent = fs.readFileSync(gitDir, 'utf-8').trim();
+            if (gitContent.startsWith('gitdir:')) {
+                // This is a worktree, find the parent repo and remove the worktree
+                spawnSync('git', ['worktree', 'remove', '--force', result.tempDir], {
+                    encoding: 'utf-8',
+                    timeout: 10000,
+                });
+                return;
+            }
+        }
+    }
+    catch {
+        // Fall through to force delete
+    }
+    try {
+        fs.rmSync(result.tempDir, { recursive: true, force: true });
+    }
+    catch {
+        // Best effort cleanup
+    }
+}
+// ── Internal helpers ──
+function tryGitWorktree(repoDir, targetDir, ref) {
+    // First verify the ref exists in this repo
+    const verify = spawnSync('git', ['rev-parse', '--verify', ref], {
+        cwd: repoDir,
+        encoding: 'utf-8',
+        timeout: 5000,
+    });
+    if (verify.status !== 0) {
+        return { success: false };
+    }
+    // Create a detached worktree
+    const result = spawnSync('git', ['worktree', 'add', '--detach', targetDir, '--', ref], { cwd: repoDir, encoding: 'utf-8', timeout: 30000 });
+    return { success: result.status === 0 };
+}
+function tryGitCloneAndCheckout(repoDir, targetDir, commitSha) {
+    // Local clone (no network, shares objects via hardlinks)
+    const clone = spawnSync('git', ['clone', '--no-checkout', '--shared', repoDir, targetDir], { encoding: 'utf-8', timeout: 30000 });
+    if (clone.status !== 0) {
+        return { success: false };
+    }
+    const checkout = spawnSync('git', ['checkout', commitSha], { cwd: targetDir, encoding: 'utf-8', timeout: 10000 });
+    return { success: checkout.status === 0 };
+}
+function copyDirRecursive(src, dest) {
+    fs.mkdirSync(dest, { recursive: true });
+    const entries = fs.readdirSync(src, { withFileTypes: true });
+    for (const entry of entries) {
+        // Security: skip symlinks to prevent escape attacks
+        if (entry.isSymbolicLink())
+            continue;
+        const srcPath = path.join(src, entry.name);
+        const destPath = path.join(dest, entry.name);
+        if (entry.isDirectory()) {
+            copyDirRecursive(srcPath, destPath);
+        }
+        else if (entry.isFile()) {
+            fs.copyFileSync(srcPath, destPath);
+        }
+    }
+}
+//# sourceMappingURL=sandbox.js.map

package/dist/replay/sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.js","sourceRoot":"","sources":["../../src/replay/sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAoBrD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAAuB;IACzD,mCAAmC;IACnC,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC,CAAC;QAChG,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAElE,IAAI,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACpC,gBAAgB,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;YAC5C,OAAO;gBACL,gBAAgB,EAAE,OAAO;gBACzB,OAAO;gBACP,YAAY,EAAE,IAAI;gBAClB,YAAY,EAAE,IAAI;aACnB,CAAC;QACJ,CAAC;QAED,OAAO;YACL,gBAAgB,EAAE,OAAO,CAAC,kBAAkB;YAC5C,YAAY,EAAE,KAAK;SACpB,CAAC;IACJ,CAAC;IAED,2DAA2D;IAC3D,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACpD,OAAO;YACL,gBAAgB,EAAE,OAAO,CAAC,kBAAkB;YAC5C,YAAY,EAAE,KAAK;SACpB,CAAC;IACJ,CAAC;IAED,2CAA2C;IAC3C,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAEhG,gCAAgC;IAChC,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;IAE9E,IAAI,GAAG,EAAE,CAAC;QACR,+CAA+C;QAC/C,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,yCAAyC;QAC3C,CAAC;aAAM,CAAC;YACN,MAAM,cAAc,GAAG,cAAc,CAAC,OAAO,CAAC,kBAAkB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;YAEhF,IAAI,cAAc,CAAC,OAAO,EAAE,CAAC;gBAC3B,OAAO;oBACL,gBAAgB,EAAE,OAAO;oBACzB,OAAO;oBACP,YAAY,EAAE,IAAI;iBACnB,CAAC;YACJ,CAAC;YAED,mEAAmE;YACnE,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC9B,MAAM,WAAW,GAAG,sBAAsB,CAAC,OAAO,CAAC,kBAAkB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;gBACrF,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;oBACxB,OAAO;wBACL,gBAAgB,EAAE,OAAO;wBACzB,OAAO;wBACP,YAAY,EAAE,IAAI;qBACnB,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAClE,IAAI,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACpC,gBAAgB,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;QAC5C,OAAO;YACL,gBAAgB,EAAE,OAAO;YACzB,OAAO;YACP,YAAY,EAAE,IAAI;YAClB,YAAY,EAAE,IAAI;SACnB,CAAC;IACJ,CAAC;IAED,gDAAgD;IAChD,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;QACvB,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC;IACD,OAAO;QACL,gBAAgB,EAAE,OAAO,CAAC,kBAAkB;QAC5C,YAAY,EAAE,KAAK;QACnB,YAAY,EAAE,IAAI;KACnB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,MAAqB;IAClD,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,CAAC,MAAM,CAAC,OAAO;QAAE,OAAO;IAEpD,IAAI,CAAC;QACH,iDAAiD;QACjD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACjD,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1B,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;YAC3D,IAAI,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACrC,mEAAmE;gBACnE,SAAS,CAAC,KAAK,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE;oBAClE,QAAQ,EAAE,OAAO;oBACjB,OAAO,EAAE,KAAK;iBACf,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,+BAA+B;IACjC,CAAC;IAED,IAAI,CAAC;QACH,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,sBAAsB;IACxB,CAAC;AACH,CAAC;AAED,yBAAyB;AAEzB,SAAS,cAAc,CACrB,OAAe,EACf,SAAiB,EACjB,GAAW;IAEX,2CAA2C;IAC3C,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE;QAC9D,GAAG,EAAE,OAAO;QACZ,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,IAAI;KACd,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,6BAA6B;IAC7B,MAAM,MAAM,GAAG,SAAS,CACtB,KAAK,EACL,CAAC,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,CAAC,EACrD,EAAE,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CACpD,CAAC;IAEF,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAAe,EACf,SAAiB,EACjB,SAAiB;IAEjB,yDAAyD;IACzD,MAAM,KAAK,GAAG,SAAS,CACrB,KAAK,EACL,CAAC,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,CAAC,EAC1D,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CACtC,CAAC;IAEF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5B,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CACxB,KAAK,EACL,CAAC,UAAU,EAAE,SAAS,CAAC,EACvB,EAAE,GAAG,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CACtD,CAAC;IAEF,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW,EAAE,IAAY;IACjD,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAE7D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,oDAAoD;QACpD,IAAI,KAAK,CAAC,cAAc,EAAE;YAAE,SAAS;QAErC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACtC,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1B,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/replay/verdict.d.ts

@@ -0,0 +1,8 @@
+import { ReplayResult } from './engine.js';
+export type VerdictStatus = 'confirmed' | 'not_confirmed' | 'blocked_by_env';
+export interface Verdict {
+    status: VerdictStatus;
+    message: string;
+}
+export declare function generateVerdict(result: ReplayResult): Verdict;
+//# sourceMappingURL=verdict.d.ts.map

package/dist/replay/verdict.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verdict.d.ts","sourceRoot":"","sources":["../../src/replay/verdict.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,MAAM,MAAM,aAAa,GAAG,WAAW,GAAG,eAAe,GAAG,gBAAgB,CAAC;AAE7E,MAAM,WAAW,OAAO;IACtB,MAAM,EAAE,aAAa,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAqC7D"}

package/dist/replay/verdict.js

@@ -0,0 +1,32 @@
+export function generateVerdict(result) {
+    const { expectedFailure, actualFailure } = result;
+    // 1. Exact Fingerprint Match
+    if (expectedFailure.fingerprint === actualFailure.fingerprint) {
+        return {
+            status: 'confirmed',
+            message: 'Reproduction confirmed (exact fingerprint match)'
+        };
+    }
+    // 2. Fuzzy Pattern Match
+    // Check if actual failure shares any of the same error patterns
+    const sharedPatterns = actualFailure.error_patterns.filter(p => expectedFailure.error_patterns.includes(p));
+    if (sharedPatterns.length > 0) {
+        return {
+            status: 'confirmed',
+            message: `Reproduction confirmed (fuzzy match on patterns: ${sharedPatterns.join(', ')})`
+        };
+    }
+    // 3. Different exit code, but failed
+    if (actualFailure.exit_code !== 0) {
+        return {
+            status: 'not_confirmed',
+            message: `Failed, but with a different error. Expected pattern: ${expectedFailure.error_patterns[0] || 'Unknown'} / Actual pattern: ${actualFailure.error_patterns[0] || 'Unknown'}`
+        };
+    }
+    // 4. Succeeded
+    return {
+        status: 'not_confirmed',
+        message: 'Command succeeded on replay. The bug did not reproduce.'
+    };
+}
+//# sourceMappingURL=verdict.js.map

package/dist/replay/verdict.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verdict.js","sourceRoot":"","sources":["../../src/replay/verdict.ts"],"names":[],"mappings":"AASA,MAAM,UAAU,eAAe,CAAC,MAAoB;IAClD,MAAM,EAAE,eAAe,EAAE,aAAa,EAAE,GAAG,MAAM,CAAC;IAElD,6BAA6B;IAC7B,IAAI,eAAe,CAAC,WAAW,KAAK,aAAa,CAAC,WAAW,EAAE,CAAC;QAC9D,OAAO;YACL,MAAM,EAAE,WAAW;YACnB,OAAO,EAAE,kDAAkD;SAC5D,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,gEAAgE;IAChE,MAAM,cAAc,GAAG,aAAa,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAC7D,eAAe,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAC3C,CAAC;IAEF,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO;YACL,MAAM,EAAE,WAAW;YACnB,OAAO,EAAE,oDAAoD,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;SAC1F,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,IAAI,aAAa,CAAC,SAAS,KAAK,CAAC,EAAE,CAAC;QAClC,OAAO;YACL,MAAM,EAAE,eAAe;YACvB,OAAO,EAAE,yDAAyD,eAAe,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,SAAS,sBAAsB,aAAa,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,SAAS,EAAE;SACrL,CAAC;IACJ,CAAC;IAED,eAAe;IACf,OAAO;QACL,MAAM,EAAE,eAAe;QACvB,OAAO,EAAE,yDAAyD;KACnE,CAAC;AACJ,CAAC"}

package/dist/sandbox/bugbox.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Bug-Box Orchestrator
+ *
+ * Ties together capabilities, filesystem permissions, network isolation,
+ * and the existing replay sandbox into a single easy-to-use interface.
+ */
+import { SandboxResult, SandboxOptions } from '../replay/sandbox.js';
+import { PlatformCapabilities } from './capabilities.js';
+import { IsolatedDirResult } from './filesystem.js';
+import { NetworkStrategy } from './network.js';
+import { ProcessStrategy } from './process.js';
+import { ResourceStrategy, ResourceLimits } from './resources.js';
+import { RunConfig } from '../types/artifact.js';
+export interface BugBoxOptions {
+    level: 'workspace' | 'isolated' | 'full';
+    sandboxOptions: SandboxOptions;
+    command: string[];
+    resourceLimits?: ResourceLimits;
+}
+export interface BugBoxResult {
+    sandboxResult: SandboxResult;
+    capabilities: PlatformCapabilities;
+    appliedLayers: string[];
+    skippedLayers: string[];
+    networkStrategy: NetworkStrategy;
+    processStrategy: ProcessStrategy;
+    resourceStrategy: ResourceStrategy;
+    isolatedDir?: IsolatedDirResult;
+    runConfigOverrides: Partial<RunConfig>;
+    cleanupFn: () => void;
+}
+/**
+ * Creates a Bug-Box environment for replaying an artifact.
+ *
+ * @param options Level of isolation and underlying sandbox options
+ */
+export declare function createBugBox(options: BugBoxOptions): Promise<BugBoxResult>;
+//# sourceMappingURL=bugbox.d.ts.map

package/dist/sandbox/bugbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bugbox.d.ts","sourceRoot":"","sources":["../../src/sandbox/bugbox.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAE,cAAc,EAAiC,MAAM,sBAAsB,CAAC;AACpG,OAAO,EAAsB,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAC7E,OAAO,EAIL,iBAAiB,EAClB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAKL,eAAe,EAChB,MAAM,cAAc,CAAC;AACtB,OAAO,EAGL,eAAe,EAChB,MAAM,cAAc,CAAC;AACtB,OAAO,EAGL,gBAAgB,EAChB,cAAc,EACf,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEjD,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,WAAW,GAAG,UAAU,GAAG,MAAM,CAAC;IACzC,cAAc,EAAE,cAAc,CAAC;IAC/B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,aAAa,CAAC;IAC7B,YAAY,EAAE,oBAAoB,CAAC;IACnC,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,EAAE,eAAe,CAAC;IACjC,eAAe,EAAE,eAAe,CAAC;IACjC,gBAAgB,EAAE,gBAAgB,CAAC;IACnC,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,kBAAkB,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IACvC,SAAS,EAAE,MAAM,IAAI,CAAC;CACvB;AAED;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC,CA2HhF"}

package/dist/sandbox/bugbox.js

@@ -0,0 +1,122 @@
+/**
+ * Bug-Box Orchestrator
+ *
+ * Ties together capabilities, filesystem permissions, network isolation,
+ * and the existing replay sandbox into a single easy-to-use interface.
+ */
+import { createSandbox, cleanupSandbox } from '../replay/sandbox.js';
+import { detectCapabilities } from './capabilities.js';
+import { createIsolatedDir, lockDirReadOnly, cleanupIsolatedDir, } from './filesystem.js';
+import { selectNetworkStrategy, buildNetworkIsolationArgs, createNetworkCleanup, addFirewallBlockRule, } from './network.js';
+import { selectProcessStrategy, buildProcessIsolationArgs, } from './process.js';
+import { selectResourceStrategy, buildResourceIsolationArgs, } from './resources.js';
+/**
+ * Creates a Bug-Box environment for replaying an artifact.
+ *
+ * @param options Level of isolation and underlying sandbox options
+ */
+export async function createBugBox(options) {
+    const caps = detectCapabilities();
+    const appliedLayers = [];
+    const skippedLayers = [];
+    // 1. Fast path: 'workspace' mode (no OS-level isolation, just git worktree)
+    if (options.level === 'workspace') {
+        const sandboxResult = await createSandbox(options.sandboxOptions);
+        return {
+            sandboxResult,
+            capabilities: caps,
+            appliedLayers,
+            skippedLayers,
+            networkStrategy: 'none',
+            processStrategy: 'none',
+            resourceStrategy: 'none',
+            runConfigOverrides: {
+                working_directory: sandboxResult.workingDirectory,
+            },
+            cleanupFn: () => cleanupSandbox(sandboxResult),
+        };
+    }
+    // 2. 'isolated' or 'full' mode: start by creating the restricted filesystem structure
+    const isolatedDir = createIsolatedDir();
+    appliedLayers.push('filesystem');
+    // 3. Populate the workspace with source files (via git worktree or fallback)
+    const sandboxResult = await createSandbox({
+        ...options.sandboxOptions,
+        targetDir: isolatedDir.workspaceDir, // Force sandbox to use our restricted dir
+    });
+    // If the sandbox fell back to copying the artifact's files/ snapshot,
+    // lock the filesDir read-only to prevent the replayed process from
+    // modifying the captured source snapshot.
+    if (sandboxResult.usedFallback) {
+        lockDirReadOnly(isolatedDir.filesDir);
+    }
+    const runConfigOverrides = {
+        working_directory: sandboxResult.workingDirectory,
+    };
+    // 4. Network Isolation
+    let netStrategy = 'none';
+    let netCleanup = () => { };
+    const ruleName = `bugbox-net-${Date.now()}`;
+    if (options.level === 'isolated' || options.level === 'full') {
+        netStrategy = selectNetworkStrategy(caps);
+        if (netStrategy === 'none') {
+            skippedLayers.push('network: primitive not available on this OS');
+        }
+        else {
+            appliedLayers.push('network');
+            const netResult = buildNetworkIsolationArgs(netStrategy, options.command);
+            runConfigOverrides.command = netResult.command;
+            if (netResult.needsPreExec) {
+                const exePath = netResult.command[0];
+                // If this fails, we just continue (best effort isolation)
+                addFirewallBlockRule(ruleName, exePath);
+            }
+            netCleanup = createNetworkCleanup(netStrategy, ruleName);
+        }
+    }
+    // 5. Process & Resource Isolation (Only in 'full' mode)
+    let procStrategy = 'none';
+    let resStrategy = 'none';
+    if (options.level === 'full') {
+        // Process Isolation
+        procStrategy = selectProcessStrategy(caps);
+        if (procStrategy === 'none') {
+            skippedLayers.push('process: primitive not available on this OS');
+        }
+        else {
+            appliedLayers.push('process');
+            runConfigOverrides.command = buildProcessIsolationArgs(procStrategy, runConfigOverrides.command || options.command);
+        }
+        // Resource Limits
+        resStrategy = selectResourceStrategy(caps);
+        if (resStrategy === 'none') {
+            skippedLayers.push('resources: primitive not available on this OS');
+        }
+        else if (options.resourceLimits && (options.resourceLimits.maxMemoryMB || options.resourceLimits.maxCpuPercent)) {
+            appliedLayers.push('resources');
+            runConfigOverrides.command = buildResourceIsolationArgs(resStrategy, runConfigOverrides.command || options.command, options.resourceLimits);
+        }
+    }
+    // 6. Build combined cleanup
+    const cleanupFn = () => {
+        // 1. Tear down network rules
+        netCleanup();
+        // 2. Remove git worktree
+        cleanupSandbox(sandboxResult);
+        // 3. Remove restricted temp directory
+        cleanupIsolatedDir(isolatedDir);
+    };
+    return {
+        sandboxResult,
+        capabilities: caps,
+        appliedLayers,
+        skippedLayers,
+        networkStrategy: netStrategy,
+        processStrategy: procStrategy,
+        resourceStrategy: resStrategy,
+        isolatedDir,
+        runConfigOverrides,
+        cleanupFn,
+    };
+}
+//# sourceMappingURL=bugbox.js.map