cyrus-core 0.2.44 → 0.2.45

package/dist/security/WebhookIpValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"WebhookIpValidator.d.ts","sourceRoot":"","sources":["../../src/security/WebhookIpValidator.ts"],"names":[],"mappings":"AASA,OAAO,EAAgB,KAAK,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAEjE;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB,mHAOrB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,6BAA6B,uFAKhC,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,oBAAoB,+CAGvB,CAAC;AAEX,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAE7D;;;GAGG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAkBtE;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAS7C;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAI/D;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAK9C;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CACjC,EAAE,EAAE,MAAM,EACV,SAAS,EAAE,SAAS,MAAM,EAAE,GAC1B,OAAO,CAST;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACzC,+CAA+C;IAC/C,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,4DAA4D;IAC5D,gBAAgB,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,eAAe,EAAE,SAAS,MAAM,EAAE,CAAC,CAAC,CAAC;IACvE,sBAAsB;IACtB,MAAM,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;;;;GAMG;AACH,qBAAa,kBAAkB;IAC9B,OAAO,CAAC,UAAU,CAA6C;IAC/D,OAAO,CAAC,OAAO,CAAU;IACzB,OAAO,CAAC,MAAM,CAAU;gBAEZ,OAAO,GAAE,yBAA8B;IAanD;;;OAGG;IACG,sBAAsB,IAAI,OAAO,CAAC,IAAI,CAAC;IA6B7C;;;;;;;OAOG;IACH,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,GAAG,OAAO;IAuBxD;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,YAAY,CAAC,QAAQ,EAAE,eAAe,GAAG,SAAS,MAAM,EAAE;CAG1D"}

package/dist/security/WebhookIpValidator.js

@@ -0,0 +1,175 @@
+import { createLogger } from "../logging/index.js";
+/**
+ * Known webhook source IPs/CIDRs for supported providers.
+ *
+ * Linear: https://linear.app/developers/webhooks#securing-webhooks
+ * GitHub: https://api.github.com/meta (hooks field)
+ * GitLab: https://docs.gitlab.com/ee/user/gitlab_com/#ip-range
+ */
+export const LINEAR_WEBHOOK_IPS = [
+    "35.231.147.226",
+    "35.243.134.228",
+    "34.140.253.14",
+    "34.38.87.206",
+    "34.134.222.122",
+    "35.222.25.142",
+];
+/**
+ * Fallback GitHub webhook CIDRs (from /meta API as of 2025).
+ * These are used when the /meta API is unavailable.
+ */
+export const GITHUB_WEBHOOK_CIDRS_FALLBACK = [
+    "192.30.252.0/22",
+    "185.199.108.0/22",
+    "140.82.112.0/20",
+    "143.55.64.0/20",
+];
+/**
+ * GitLab.com webhook source IPs.
+ * https://docs.gitlab.com/ee/user/gitlab_com/#ip-range
+ */
+export const GITLAB_WEBHOOK_CIDRS = [
+    "34.74.90.64/28",
+    "34.74.226.0/24",
+];
+/**
+ * Parse a CIDR notation string into a base IP (as 32-bit number) and mask.
+ * Supports both plain IPs ("1.2.3.4") and CIDR notation ("1.2.3.4/24").
+ */
+export function parseCidr(cidr) {
+    const slashIdx = cidr.indexOf("/");
+    const ip = slashIdx === -1 ? cidr : cidr.slice(0, slashIdx);
+    const prefixLen = slashIdx === -1 ? 32 : Number.parseInt(cidr.slice(slashIdx + 1), 10);
+    const octets = ip.split(".").map((o) => Number.parseInt(o, 10));
+    const ipNum = ((octets[0] << 24) |
+        (octets[1] << 16) |
+        (octets[2] << 8) |
+        octets[3]) >>>
+        0;
+    // Create mask: e.g. /24 → 0xFFFFFF00
+    const mask = prefixLen === 0 ? 0 : (~0 << (32 - prefixLen)) >>> 0;
+    return { base: (ipNum & mask) >>> 0, mask };
+}
+/**
+ * Convert an IPv4 address string to a 32-bit unsigned integer.
+ */
+export function ipToNumber(ip) {
+    const octets = ip.split(".").map((o) => Number.parseInt(o, 10));
+    return (((octets[0] << 24) |
+        (octets[1] << 16) |
+        (octets[2] << 8) |
+        octets[3]) >>>
+        0);
+}
+/**
+ * Check if an IPv4 address matches a CIDR range or exact IP.
+ */
+export function ipMatchesCidr(ip, cidr) {
+    const { base, mask } = parseCidr(cidr);
+    const ipNum = ipToNumber(ip);
+    return (ipNum & mask) >>> 0 === base;
+}
+/**
+ * Normalize an IP address by stripping IPv4-mapped IPv6 prefix (::ffff:).
+ * Returns the raw IPv4 string if it was mapped, otherwise returns the original.
+ */
+export function normalizeIp(ip) {
+    if (ip.startsWith("::ffff:")) {
+        return ip.slice(7);
+    }
+    return ip;
+}
+/**
+ * Check if an IP address matches any entry in an allowlist of IPs/CIDRs.
+ */
+export function ipMatchesAllowlist(ip, allowlist) {
+    const normalizedIp = normalizeIp(ip);
+    // Only validate IPv4 addresses (IPv6 webhooks are uncommon for these providers)
+    if (!normalizedIp.match(/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/)) {
+        return false;
+    }
+    return allowlist.some((entry) => ipMatchesCidr(normalizedIp, entry));
+}
+/**
+ * Validates webhook source IPs against known provider allowlists.
+ *
+ * For GitHub, call `refreshGitHubAllowlist()` after construction to fetch
+ * the latest CIDRs from the /meta API. Falls back to a static list if
+ * the API is unavailable.
+ */
+export class WebhookIpValidator {
+    allowlists;
+    enabled;
+    logger;
+    constructor(options = {}) {
+        this.enabled = options.enabled ?? true;
+        this.logger =
+            options.logger ?? createLogger({ component: "WebhookIpValidator" });
+        const custom = options.customAllowlists ?? {};
+        this.allowlists = {
+            linear: custom.linear ?? [...LINEAR_WEBHOOK_IPS],
+            github: custom.github ?? [...GITHUB_WEBHOOK_CIDRS_FALLBACK],
+            gitlab: custom.gitlab ?? [...GITLAB_WEBHOOK_CIDRS],
+        };
+    }
+    /**
+     * Fetch the latest GitHub webhook CIDRs from the /meta API and update the allowlist.
+     * Falls back to the static fallback list on failure.
+     */
+    async refreshGitHubAllowlist() {
+        try {
+            const response = await fetch("https://api.github.com/meta", {
+                headers: { Accept: "application/json" },
+                signal: AbortSignal.timeout(5000),
+            });
+            if (!response.ok) {
+                this.logger.warn(`GitHub /meta API returned ${response.status}, using fallback CIDRs`);
+                return;
+            }
+            const data = (await response.json());
+            if (data.hooks && Array.isArray(data.hooks) && data.hooks.length > 0) {
+                this.allowlists.github = data.hooks;
+                this.logger.info(`Refreshed GitHub webhook allowlist: ${data.hooks.length} CIDRs`);
+            }
+        }
+        catch (error) {
+            this.logger.warn("Failed to fetch GitHub /meta API, using fallback CIDRs", error instanceof Error ? error : new Error(String(error)));
+        }
+    }
+    /**
+     * Validate an IP address against the allowlist for the given provider.
+     * Returns true if:
+     * - IP validation is disabled
+     * - The IP matches the provider's allowlist
+     *
+     * Returns false if the IP does not match.
+     */
+    validate(ip, provider) {
+        if (!this.enabled) {
+            return true;
+        }
+        const allowlist = this.allowlists[provider];
+        if (!allowlist || allowlist.length === 0) {
+            this.logger.warn(`No allowlist configured for provider ${provider}, allowing request`);
+            return true;
+        }
+        const isAllowed = ipMatchesAllowlist(ip, allowlist);
+        if (!isAllowed) {
+            this.logger.warn(`Rejected webhook from ${normalizeIp(ip)} — not in ${provider} allowlist`);
+        }
+        return isAllowed;
+    }
+    /**
+     * Whether IP validation is currently enabled.
+     */
+    isEnabled() {
+        return this.enabled;
+    }
+    /**
+     * Get the current allowlist for a provider (for debugging/logging).
+     */
+    getAllowlist(provider) {
+        return this.allowlists[provider];
+    }
+}
+//# sourceMappingURL=WebhookIpValidator.js.map

package/dist/security/WebhookIpValidator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"WebhookIpValidator.js","sourceRoot":"","sources":["../../src/security/WebhookIpValidator.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,YAAY,EAAgB,MAAM,qBAAqB,CAAC;AAEjE;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG;IACjC,gBAAgB;IAChB,gBAAgB;IAChB,eAAe;IACf,cAAc;IACd,gBAAgB;IAChB,eAAe;CACN,CAAC;AAEX;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAG;IAC5C,iBAAiB;IACjB,kBAAkB;IAClB,iBAAiB;IACjB,gBAAgB;CACP,CAAC;AAEX;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG;IACnC,gBAAgB;IAChB,gBAAgB;CACP,CAAC;AAIX;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,IAAY;IACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,MAAM,EAAE,GAAG,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAC5D,MAAM,SAAS,GACd,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAEtE,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAChE,MAAM,KAAK,GACV,CAAC,CAAC,MAAM,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC;QAClB,CAAC,MAAM,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC;QAClB,CAAC,MAAM,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC;QACjB,MAAM,CAAC,CAAC,CAAE,CAAC;QACZ,CAAC,CAAC;IAEH,qCAAqC;IACrC,MAAM,IAAI,GAAG,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC;IAElE,OAAO,EAAE,IAAI,EAAE,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,EAAU;IACpC,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAChE,OAAO,CACN,CAAC,CAAC,MAAM,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC;QAClB,CAAC,MAAM,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC;QAClB,CAAC,MAAM,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC;QACjB,MAAM,CAAC,CAAC,CAAE,CAAC;QACZ,CAAC,CACD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,EAAU,EAAE,IAAY;IACrD,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IACvC,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC;IAC7B,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,EAAU;IACrC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,EAAE,CAAC;AACX,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CACjC,EAAU,EACV,SAA4B;IAE5B,MAAM,YAAY,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAErC,gFAAgF;IAChF,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,sCAAsC,CAAC,EAAE,CAAC;QACjE,OAAO,KAAK,CAAC;IACd,CAAC;IAED,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC;AACtE,CAAC;AAcD;;;;;;GAMG;AACH,MAAM,OAAO,kBAAkB;IACtB,UAAU,CAA6C;IACvD,OAAO,CAAU;IACjB,MAAM,CAAU;IAExB,YAAY,UAAqC,EAAE;QAClD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC;QACvC,IAAI,CAAC,MAAM;YACV,OAAO,CAAC,MAAM,IAAI,YAAY,CAAC,EAAE,SAAS,EAAE,oBAAoB,EAAE,CAAC,CAAC;QAErE,MAAM,MAAM,GAAG,OAAO,CAAC,gBAAgB,IAAI,EAAE,CAAC;QAC9C,IAAI,CAAC,UAAU,GAAG;YACjB,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,kBAAkB,CAAC;YAChD,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,6BAA6B,CAAC;YAC3D,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,GAAG,oBAAoB,CAAC;SAClD,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,sBAAsB;QAC3B,IAAI,CAAC;YACJ,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,6BAA6B,EAAE;gBAC3D,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;gBACvC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;aACjC,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAClB,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,6BAA6B,QAAQ,CAAC,MAAM,wBAAwB,CACpE,CAAC;gBACF,OAAO;YACR,CAAC;YAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAyB,CAAC;YAC7D,IAAI,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtE,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC;gBACpC,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,uCAAuC,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAChE,CAAC;YACH,CAAC;QACF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,wDAAwD,EACxD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CACzD,CAAC;QACH,CAAC;IACF,CAAC;IAED;;;;;;;OAOG;IACH,QAAQ,CAAC,EAAU,EAAE,QAAyB;QAC7C,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,wCAAwC,QAAQ,oBAAoB,CACpE,CAAC;YACF,OAAO,IAAI,CAAC;QACb,CAAC;QAED,MAAM,SAAS,GAAG,kBAAkB,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;QACpD,IAAI,CAAC,SAAS,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,yBAAyB,WAAW,CAAC,EAAE,CAAC,aAAa,QAAQ,YAAY,CACzE,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,SAAS;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,QAAyB;QACrC,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC;CACD"}

package/dist/security/index.d.ts

@@ -0,0 +1,3 @@
+export type { WebhookIpValidatorOptions, WebhookProvider, } from "./WebhookIpValidator.js";
+export { GITHUB_WEBHOOK_CIDRS_FALLBACK, GITLAB_WEBHOOK_CIDRS, ipMatchesAllowlist, ipMatchesCidr, ipToNumber, LINEAR_WEBHOOK_IPS, normalizeIp, parseCidr, WebhookIpValidator, } from "./WebhookIpValidator.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACX,yBAAyB,EACzB,eAAe,GACf,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACN,6BAA6B,EAC7B,oBAAoB,EACpB,kBAAkB,EAClB,aAAa,EACb,UAAU,EACV,kBAAkB,EAClB,WAAW,EACX,SAAS,EACT,kBAAkB,GAClB,MAAM,yBAAyB,CAAC"}

package/dist/security/index.js

@@ -0,0 +1,2 @@
+export { GITHUB_WEBHOOK_CIDRS_FALLBACK, GITLAB_WEBHOOK_CIDRS, ipMatchesAllowlist, ipMatchesCidr, ipToNumber, LINEAR_WEBHOOK_IPS, normalizeIp, parseCidr, WebhookIpValidator, } from "./WebhookIpValidator.js";
+//# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAIA,OAAO,EACN,6BAA6B,EAC7B,oBAAoB,EACpB,kBAAkB,EAClB,aAAa,EACb,UAAU,EACV,kBAAkB,EAClB,WAAW,EACX,SAAS,EACT,kBAAkB,GAClB,MAAM,yBAAyB,CAAC"}

package/dist/trusted-domains.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Default allowed domains for the "trusted" network policy preset.
+ * Matches the Claude Code on the web "Trusted" access level allowlist.
+ *
+ * @see https://docs.anthropic.com/en/docs/claude-code/claude-code-on-the-web#default-allowed-domains
+ */
+export declare const TRUSTED_DOMAINS: readonly string[];
+//# sourceMappingURL=trusted-domains.d.ts.map

package/dist/trusted-domains.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-domains.d.ts","sourceRoot":"","sources":["../src/trusted-domains.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,eAAO,MAAM,eAAe,EAAE,SAAS,MAAM,EA0P5C,CAAC"}

package/dist/trusted-domains.js

@@ -0,0 +1,242 @@
+/**
+ * Default allowed domains for the "trusted" network policy preset.
+ * Matches the Claude Code on the web "Trusted" access level allowlist.
+ *
+ * @see https://docs.anthropic.com/en/docs/claude-code/claude-code-on-the-web#default-allowed-domains
+ */
+export const TRUSTED_DOMAINS = [
+    // ── Anthropic services ──────────────────────────────────────────────
+    "api.anthropic.com",
+    "statsig.anthropic.com",
+    "docs.claude.com",
+    "platform.claude.com",
+    "code.claude.com",
+    "claude.ai",
+    // ── Version control ─────────────────────────────────────────────────
+    "github.com",
+    "www.github.com",
+    "api.github.com",
+    "npm.pkg.github.com",
+    "raw.githubusercontent.com",
+    "pkg-npm.githubusercontent.com",
+    "objects.githubusercontent.com",
+    "release-assets.githubusercontent.com",
+    "codeload.github.com",
+    "avatars.githubusercontent.com",
+    "camo.githubusercontent.com",
+    "gist.github.com",
+    "gitlab.com",
+    "www.gitlab.com",
+    "registry.gitlab.com",
+    "bitbucket.org",
+    "www.bitbucket.org",
+    "api.bitbucket.org",
+    // ── Container registries ────────────────────────────────────────────
+    "registry-1.docker.io",
+    "auth.docker.io",
+    "index.docker.io",
+    "hub.docker.com",
+    "www.docker.com",
+    "production.cloudflare.docker.com",
+    "download.docker.com",
+    "gcr.io",
+    "*.gcr.io",
+    "ghcr.io",
+    "mcr.microsoft.com",
+    "*.data.mcr.microsoft.com",
+    "public.ecr.aws",
+    // ── Cloud platforms ─────────────────────────────────────────────────
+    "cloud.google.com",
+    "accounts.google.com",
+    "gcloud.google.com",
+    "*.googleapis.com",
+    "storage.googleapis.com",
+    "compute.googleapis.com",
+    "container.googleapis.com",
+    "azure.com",
+    "portal.azure.com",
+    "microsoft.com",
+    "www.microsoft.com",
+    "*.microsoftonline.com",
+    "packages.microsoft.com",
+    "dotnet.microsoft.com",
+    "dot.net",
+    "visualstudio.com",
+    "dev.azure.com",
+    "*.amazonaws.com",
+    "*.api.aws",
+    "oracle.com",
+    "www.oracle.com",
+    "java.com",
+    "www.java.com",
+    "java.net",
+    "www.java.net",
+    "download.oracle.com",
+    "yum.oracle.com",
+    // ── JavaScript and Node package managers ────────────────────────────
+    "registry.npmjs.org",
+    "www.npmjs.com",
+    "www.npmjs.org",
+    "npmjs.com",
+    "npmjs.org",
+    "yarnpkg.com",
+    "registry.yarnpkg.com",
+    // ── Python package managers ─────────────────────────────────────────
+    "pypi.org",
+    "www.pypi.org",
+    "files.pythonhosted.org",
+    "pythonhosted.org",
+    "test.pypi.org",
+    "pypi.python.org",
+    "pypa.io",
+    "www.pypa.io",
+    // ── Ruby package managers ───────────────────────────────────────────
+    "rubygems.org",
+    "www.rubygems.org",
+    "api.rubygems.org",
+    "index.rubygems.org",
+    "ruby-lang.org",
+    "www.ruby-lang.org",
+    "rubyforge.org",
+    "www.rubyforge.org",
+    "rubyonrails.org",
+    "www.rubyonrails.org",
+    "rvm.io",
+    "get.rvm.io",
+    // ── Rust package managers ───────────────────────────────────────────
+    "crates.io",
+    "www.crates.io",
+    "index.crates.io",
+    "static.crates.io",
+    "rustup.rs",
+    "static.rust-lang.org",
+    "www.rust-lang.org",
+    // ── Go package managers ─────────────────────────────────────────────
+    "proxy.golang.org",
+    "sum.golang.org",
+    "index.golang.org",
+    "golang.org",
+    "www.golang.org",
+    "goproxy.io",
+    "pkg.go.dev",
+    // ── JVM package managers ────────────────────────────────────────────
+    "maven.org",
+    "repo.maven.org",
+    "central.maven.org",
+    "repo1.maven.org",
+    "repo.maven.apache.org",
+    "jcenter.bintray.com",
+    "gradle.org",
+    "www.gradle.org",
+    "services.gradle.org",
+    "plugins.gradle.org",
+    "kotlinlang.org",
+    "www.kotlinlang.org",
+    "spring.io",
+    "repo.spring.io",
+    // ── Other package managers ──────────────────────────────────────────
+    // PHP Composer
+    "packagist.org",
+    "www.packagist.org",
+    "repo.packagist.org",
+    // .NET NuGet
+    "nuget.org",
+    "www.nuget.org",
+    "api.nuget.org",
+    // Dart/Flutter
+    "pub.dev",
+    "api.pub.dev",
+    // Elixir/Erlang
+    "hex.pm",
+    "www.hex.pm",
+    // Perl CPAN
+    "cpan.org",
+    "www.cpan.org",
+    "metacpan.org",
+    "www.metacpan.org",
+    "api.metacpan.org",
+    // iOS/macOS
+    "cocoapods.org",
+    "www.cocoapods.org",
+    "cdn.cocoapods.org",
+    // Haskell
+    "haskell.org",
+    "www.haskell.org",
+    "hackage.haskell.org",
+    // Swift
+    "swift.org",
+    "www.swift.org",
+    // ── Linux distributions ─────────────────────────────────────────────
+    "archive.ubuntu.com",
+    "security.ubuntu.com",
+    "ubuntu.com",
+    "www.ubuntu.com",
+    "*.ubuntu.com",
+    "ppa.launchpad.net",
+    "launchpad.net",
+    "www.launchpad.net",
+    "*.nixos.org",
+    // ── Development tools and platforms ─────────────────────────────────
+    // Kubernetes
+    "dl.k8s.io",
+    "pkgs.k8s.io",
+    "k8s.io",
+    "www.k8s.io",
+    // HashiCorp
+    "releases.hashicorp.com",
+    "apt.releases.hashicorp.com",
+    "rpm.releases.hashicorp.com",
+    "archive.releases.hashicorp.com",
+    "hashicorp.com",
+    "www.hashicorp.com",
+    // Anaconda/Conda
+    "repo.anaconda.com",
+    "conda.anaconda.org",
+    "anaconda.org",
+    "www.anaconda.com",
+    "anaconda.com",
+    "continuum.io",
+    // Apache
+    "apache.org",
+    "www.apache.org",
+    "archive.apache.org",
+    "downloads.apache.org",
+    // Eclipse
+    "eclipse.org",
+    "www.eclipse.org",
+    "download.eclipse.org",
+    // Node.js
+    "nodejs.org",
+    "www.nodejs.org",
+    // Other
+    "developer.apple.com",
+    "developer.android.com",
+    "pkg.stainless.com",
+    "binaries.prisma.sh",
+    // ── Cloud services and monitoring ───────────────────────────────────
+    "statsig.com",
+    "www.statsig.com",
+    "api.statsig.com",
+    "sentry.io",
+    "*.sentry.io",
+    "downloads.sentry-cdn.com",
+    "http-intake.logs.datadoghq.com",
+    "*.datadoghq.com",
+    "*.datadoghq.eu",
+    "api.honeycomb.io",
+    // ── Content delivery and mirrors ────────────────────────────────────
+    "sourceforge.net",
+    "*.sourceforge.net",
+    "packagecloud.io",
+    "*.packagecloud.io",
+    "fonts.googleapis.com",
+    "fonts.gstatic.com",
+    // ── Schema and configuration ────────────────────────────────────────
+    "json-schema.org",
+    "www.json-schema.org",
+    "json.schemastore.org",
+    "www.schemastore.org",
+    // ── Model Context Protocol ──────────────────────────────────────────
+    "*.modelcontextprotocol.io",
+];
+//# sourceMappingURL=trusted-domains.js.map

package/dist/trusted-domains.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-domains.js","sourceRoot":"","sources":["../src/trusted-domains.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IACjD,uEAAuE;IACvE,mBAAmB;IACnB,uBAAuB;IACvB,iBAAiB;IACjB,qBAAqB;IACrB,iBAAiB;IACjB,WAAW;IAEX,uEAAuE;IACvE,YAAY;IACZ,gBAAgB;IAChB,gBAAgB;IAChB,oBAAoB;IACpB,2BAA2B;IAC3B,+BAA+B;IAC/B,+BAA+B;IAC/B,sCAAsC;IACtC,qBAAqB;IACrB,+BAA+B;IAC/B,4BAA4B;IAC5B,iBAAiB;IACjB,YAAY;IACZ,gBAAgB;IAChB,qBAAqB;IACrB,eAAe;IACf,mBAAmB;IACnB,mBAAmB;IAEnB,uEAAuE;IACvE,sBAAsB;IACtB,gBAAgB;IAChB,iBAAiB;IACjB,gBAAgB;IAChB,gBAAgB;IAChB,kCAAkC;IAClC,qBAAqB;IACrB,QAAQ;IACR,UAAU;IACV,SAAS;IACT,mBAAmB;IACnB,0BAA0B;IAC1B,gBAAgB;IAEhB,uEAAuE;IACvE,kBAAkB;IAClB,qBAAqB;IACrB,mBAAmB;IACnB,kBAAkB;IAClB,wBAAwB;IACxB,wBAAwB;IACxB,0BAA0B;IAC1B,WAAW;IACX,kBAAkB;IAClB,eAAe;IACf,mBAAmB;IACnB,uBAAuB;IACvB,wBAAwB;IACxB,sBAAsB;IACtB,SAAS;IACT,kBAAkB;IAClB,eAAe;IACf,iBAAiB;IACjB,WAAW;IACX,YAAY;IACZ,gBAAgB;IAChB,UAAU;IACV,cAAc;IACd,UAAU;IACV,cAAc;IACd,qBAAqB;IACrB,gBAAgB;IAEhB,uEAAuE;IACvE,oBAAoB;IACpB,eAAe;IACf,eAAe;IACf,WAAW;IACX,WAAW;IACX,aAAa;IACb,sBAAsB;IAEtB,uEAAuE;IACvE,UAAU;IACV,cAAc;IACd,wBAAwB;IACxB,kBAAkB;IAClB,eAAe;IACf,iBAAiB;IACjB,SAAS;IACT,aAAa;IAEb,uEAAuE;IACvE,cAAc;IACd,kBAAkB;IAClB,kBAAkB;IAClB,oBAAoB;IACpB,eAAe;IACf,mBAAmB;IACnB,eAAe;IACf,mBAAmB;IACnB,iBAAiB;IACjB,qBAAqB;IACrB,QAAQ;IACR,YAAY;IAEZ,uEAAuE;IACvE,WAAW;IACX,eAAe;IACf,iBAAiB;IACjB,kBAAkB;IAClB,WAAW;IACX,sBAAsB;IACtB,mBAAmB;IAEnB,uEAAuE;IACvE,kBAAkB;IAClB,gBAAgB;IAChB,kBAAkB;IAClB,YAAY;IACZ,gBAAgB;IAChB,YAAY;IACZ,YAAY;IAEZ,uEAAuE;IACvE,WAAW;IACX,gBAAgB;IAChB,mBAAmB;IACnB,iBAAiB;IACjB,uBAAuB;IACvB,qBAAqB;IACrB,YAAY;IACZ,gBAAgB;IAChB,qBAAqB;IACrB,oBAAoB;IACpB,gBAAgB;IAChB,oBAAoB;IACpB,WAAW;IACX,gBAAgB;IAEhB,uEAAuE;IACvE,eAAe;IACf,eAAe;IACf,mBAAmB;IACnB,oBAAoB;IACpB,aAAa;IACb,WAAW;IACX,eAAe;IACf,eAAe;IACf,eAAe;IACf,SAAS;IACT,aAAa;IACb,gBAAgB;IAChB,QAAQ;IACR,YAAY;IACZ,YAAY;IACZ,UAAU;IACV,cAAc;IACd,cAAc;IACd,kBAAkB;IAClB,kBAAkB;IAClB,YAAY;IACZ,eAAe;IACf,mBAAmB;IACnB,mBAAmB;IACnB,UAAU;IACV,aAAa;IACb,iBAAiB;IACjB,qBAAqB;IACrB,QAAQ;IACR,WAAW;IACX,eAAe;IAEf,uEAAuE;IACvE,oBAAoB;IACpB,qBAAqB;IACrB,YAAY;IACZ,gBAAgB;IAChB,cAAc;IACd,mBAAmB;IACnB,eAAe;IACf,mBAAmB;IACnB,aAAa;IAEb,uEAAuE;IACvE,aAAa;IACb,WAAW;IACX,aAAa;IACb,QAAQ;IACR,YAAY;IACZ,YAAY;IACZ,wBAAwB;IACxB,4BAA4B;IAC5B,4BAA4B;IAC5B,gCAAgC;IAChC,eAAe;IACf,mBAAmB;IACnB,iBAAiB;IACjB,mBAAmB;IACnB,oBAAoB;IACpB,cAAc;IACd,kBAAkB;IAClB,cAAc;IACd,cAAc;IACd,SAAS;IACT,YAAY;IACZ,gBAAgB;IAChB,oBAAoB;IACpB,sBAAsB;IACtB,UAAU;IACV,aAAa;IACb,iBAAiB;IACjB,sBAAsB;IACtB,UAAU;IACV,YAAY;IACZ,gBAAgB;IAChB,QAAQ;IACR,qBAAqB;IACrB,uBAAuB;IACvB,mBAAmB;IACnB,oBAAoB;IAEpB,uEAAuE;IACvE,aAAa;IACb,iBAAiB;IACjB,iBAAiB;IACjB,WAAW;IACX,aAAa;IACb,0BAA0B;IAC1B,gCAAgC;IAChC,iBAAiB;IACjB,gBAAgB;IAChB,kBAAkB;IAElB,uEAAuE;IACvE,iBAAiB;IACjB,mBAAmB;IACnB,iBAAiB;IACjB,mBAAmB;IACnB,sBAAsB;IACtB,mBAAmB;IAEnB,uEAAuE;IACvE,iBAAiB;IACjB,qBAAqB;IACrB,sBAAsB;IACtB,qBAAqB;IAErB,uEAAuE;IACvE,2BAA2B;CAC3B,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cyrus-core",
-  "version": "0.2.44",
+  "version": "0.2.45",
   "description": "Core business logic for Cyrus",
   "type": "module",
   "main": "dist/index.js",
@@ -16,7 +16,7 @@
   },
   "devDependencies": {
     "@types/node": "^20.0.0",
-    "fastify": "^5.8.3",
+    "fastify": "^5.8.5",
     "tsx": "^4.20.6",
     "typescript": "^5.3.3",
     "vitest": "^3.1.4"

package/schemas/EdgeConfig.json

@@ -829,6 +829,92 @@
 				}
 			},
 			"additionalProperties": false
+		},
+		"sandbox": {
+			"type": "object",
+			"properties": {
+				"enabled": {
+					"type": "boolean"
+				},
+				"httpProxyPort": {
+					"default": 9080,
+					"type": "number"
+				},
+				"socksProxyPort": {
+					"default": 9081,
+					"type": "number"
+				},
+				"networkPolicy": {
+					"type": "object",
+					"properties": {
+						"preset": {
+							"type": "string",
+							"enum": ["trusted"]
+						},
+						"allow": {
+							"type": "object",
+							"propertyNames": {
+								"type": "string"
+							},
+							"additionalProperties": {
+								"type": "array",
+								"items": {
+									"type": "object",
+									"properties": {
+										"transform": {
+											"type": "array",
+											"items": {
+												"type": "object",
+												"properties": {
+													"headers": {
+														"type": "object",
+														"propertyNames": {
+															"type": "string"
+														},
+														"additionalProperties": {
+															"type": "string"
+														}
+													}
+												},
+												"required": ["headers"],
+												"additionalProperties": false
+											}
+										}
+									},
+									"additionalProperties": false
+								}
+							}
+						},
+						"subnets": {
+							"type": "object",
+							"properties": {
+								"allow": {
+									"type": "array",
+									"items": {
+										"type": "string"
+									}
+								},
+								"deny": {
+									"type": "array",
+									"items": {
+										"type": "string"
+									}
+								}
+							},
+							"additionalProperties": false
+						}
+					},
+					"additionalProperties": false
+				},
+				"systemWideCert": {
+					"type": "boolean"
+				},
+				"logRequests": {
+					"type": "boolean"
+				}
+			},
+			"required": ["httpProxyPort", "socksProxyPort"],
+			"additionalProperties": false
 		}
 	},
 	"required": ["repositories"],

package/schemas/EdgeConfigPayload.json

@@ -823,6 +823,92 @@
 				}
 			},
 			"additionalProperties": false
+		},
+		"sandbox": {
+			"type": "object",
+			"properties": {
+				"enabled": {
+					"type": "boolean"
+				},
+				"httpProxyPort": {
+					"default": 9080,
+					"type": "number"
+				},
+				"socksProxyPort": {
+					"default": 9081,
+					"type": "number"
+				},
+				"networkPolicy": {
+					"type": "object",
+					"properties": {
+						"preset": {
+							"type": "string",
+							"enum": ["trusted"]
+						},
+						"allow": {
+							"type": "object",
+							"propertyNames": {
+								"type": "string"
+							},
+							"additionalProperties": {
+								"type": "array",
+								"items": {
+									"type": "object",
+									"properties": {
+										"transform": {
+											"type": "array",
+											"items": {
+												"type": "object",
+												"properties": {
+													"headers": {
+														"type": "object",
+														"propertyNames": {
+															"type": "string"
+														},
+														"additionalProperties": {
+															"type": "string"
+														}
+													}
+												},
+												"required": ["headers"],
+												"additionalProperties": false
+											}
+										}
+									},
+									"additionalProperties": false
+								}
+							}
+						},
+						"subnets": {
+							"type": "object",
+							"properties": {
+								"allow": {
+									"type": "array",
+									"items": {
+										"type": "string"
+									}
+								},
+								"deny": {
+									"type": "array",
+									"items": {
+										"type": "string"
+									}
+								}
+							},
+							"additionalProperties": false
+						}
+					},
+					"additionalProperties": false
+				},
+				"systemWideCert": {
+					"type": "boolean"
+				},
+				"logRequests": {
+					"type": "boolean"
+				}
+			},
+			"required": ["httpProxyPort", "socksProxyPort"],
+			"additionalProperties": false
 		}
 	},
 	"required": ["repositories"],