cyrus-cursor-runner 0.2.49 → 0.2.51

package/dist/permissions.js

@@ -0,0 +1,278 @@
+// Translates Cyrus / Claude-style tool patterns into the simpler pattern
+// vocabulary that the .cursor/cyrus-permission-check.mjs hook understands.
+//
+// Cyrus tool patterns look like (Claude SDK conventions):
+//   Read(<glob>)           Bash(<cmd>:<args>)
+//   Write(<glob>)          mcp__<server>__<tool>
+//   Edit(<glob>)           Read | Bash | Edit | Write   (bare tool name)
+//
+// Cursor hook patterns look like:
+//   Read(<glob>)
+//   Write(<glob>)
+//   Shell(<cmd>) / Shell(<cmd>:<args-glob>)
+//   Mcp(<server>:<tool>)
+//   Tool(<Name>)
+import { readdirSync } from "node:fs";
+import { join, parse as pathParse, resolve } from "node:path";
+function parseToolPattern(pattern) {
+    const trimmed = pattern.trim();
+    if (!trimmed)
+        return null;
+    const match = trimmed.match(/^([A-Za-z][A-Za-z0-9_]*)(?:\((.*)\))?$/);
+    if (!match)
+        return null;
+    return {
+        name: match[1] || "",
+        argument: match[2]?.trim() ?? null,
+    };
+}
+function normalizeShellCommandBase(argument) {
+    if (!argument)
+        return null;
+    const firstRule = argument.split(",")[0]?.trim();
+    if (!firstRule)
+        return null;
+    if (firstRule === "*" || firstRule === "**")
+        return "*";
+    const beforeColon = firstRule.split(":")[0]?.trim();
+    return beforeColon || null;
+}
+function normalizeShellArgsGlob(argument) {
+    if (!argument)
+        return null;
+    const firstRule = argument.split(",")[0]?.trim();
+    if (!firstRule)
+        return null;
+    const colonIdx = firstRule.indexOf(":");
+    if (colonIdx < 0)
+        return null;
+    const args = firstRule.slice(colonIdx + 1).trim();
+    return args || null;
+}
+function mapMcpPattern(pattern) {
+    const trimmed = pattern.trim();
+    if (!trimmed.toLowerCase().startsWith("mcp__"))
+        return null;
+    const parts = trimmed.split("__");
+    if (parts.length < 2)
+        return null;
+    const server = parts[1]?.trim() || "*";
+    const tool = parts.length >= 3 ? parts.slice(2).join("__").trim() || "*" : "*";
+    return `Mcp(${server}:${tool})`;
+}
+/**
+ * Map a single Cyrus/Claude tool pattern into zero or more Cursor hook
+ * patterns. Returns an empty array for unrecognized patterns.
+ */
+function mapToolPatternToHookPatterns(pattern) {
+    const mcp = mapMcpPattern(pattern);
+    if (mcp)
+        return [mcp];
+    const parsed = parseToolPattern(pattern);
+    if (!parsed)
+        return [];
+    const name = parsed.name.toLowerCase();
+    const arg = parsed.argument;
+    // Bare tool names (no parentheses) mean "allow this tool unrestricted" in
+    // Claude SDK semantics. We must emit BOTH the preToolUse gate (`Tool(...)`)
+    // AND the path/command-level gate (`Read(**)`, `Write(**)`, `Shell(*)`),
+    // otherwise the SDK passes preToolUse but stops the actual file/shell
+    // hook because nothing in the allow list matches the path/command.
+    if (!arg) {
+        if (name === "bash" || name === "shell") {
+            return ["Tool(Shell)", "Shell(*)"];
+        }
+        if (name === "read" || name === "glob" || name === "grep") {
+            return ["Tool(Read)", "Read(**)"];
+        }
+        if (name === "edit" ||
+            name === "write" ||
+            name === "multiedit" ||
+            name === "notebookedit" ||
+            name === "todowrite") {
+            return ["Tool(Write)", "Write(**)"];
+        }
+        // Pass-through for unrecognized bare names — only the preToolUse gate
+        // applies; SDK does not have a path-level hook for these.
+        const cap = parsed.name.charAt(0).toUpperCase() + parsed.name.slice(1);
+        return [`Tool(${cap})`];
+    }
+    if (name === "bash" || name === "shell") {
+        const base = normalizeShellCommandBase(arg);
+        const argsGlob = normalizeShellArgsGlob(arg);
+        const out = [];
+        if (base) {
+            out.push(`Shell(${base})`);
+            if (argsGlob)
+                out.push(`Shell(${base}:${argsGlob})`);
+        }
+        return out;
+    }
+    if (name === "read" || name === "glob" || name === "grep") {
+        return [`Read(${arg})`];
+    }
+    if (name === "edit" ||
+        name === "write" ||
+        name === "multiedit" ||
+        name === "notebookedit" ||
+        name === "todowrite") {
+        return [`Write(${arg})`];
+    }
+    // Unknown — drop silently. Caller can log if needed.
+    return [];
+}
+function isWildcardArg(argument) {
+    if (!argument)
+        return true;
+    const trimmed = argument.trim();
+    return trimmed.length === 0 || trimmed === "**";
+}
+function isBroadReadPattern(pattern) {
+    const parsed = parseToolPattern(pattern);
+    if (!parsed)
+        return false;
+    const n = parsed.name.toLowerCase();
+    if (!(n === "read" || n === "glob" || n === "grep"))
+        return false;
+    return isWildcardArg(parsed.argument);
+}
+function isBroadWritePattern(pattern) {
+    const parsed = parseToolPattern(pattern);
+    if (!parsed)
+        return false;
+    const n = parsed.name.toLowerCase();
+    if (!(n === "edit" ||
+        n === "write" ||
+        n === "multiedit" ||
+        n === "notebookedit" ||
+        n === "todowrite")) {
+        return false;
+    }
+    return isWildcardArg(parsed.argument);
+}
+function toCursorPath(path) {
+    return path.replace(/\\/g, "/");
+}
+function buildWorkspaceSiblingDenyPatterns(workspacePath, permission) {
+    const resolvedWorkspacePath = resolve(workspacePath);
+    const parsed = pathParse(resolvedWorkspacePath);
+    if (!parsed.root)
+        return [];
+    const segments = resolvedWorkspacePath
+        .slice(parsed.root.length)
+        .split(/[\\/]+/)
+        .filter(Boolean);
+    if (segments.length === 0)
+        return [];
+    const denies = new Set();
+    let parentPath = parsed.root;
+    for (const segment of segments) {
+        let entries;
+        try {
+            entries = readdirSync(parentPath, { withFileTypes: true });
+        }
+        catch {
+            break;
+        }
+        for (const sibling of entries) {
+            if (!sibling.isDirectory() || sibling.name === segment)
+                continue;
+            const siblingPath = join(parentPath, sibling.name);
+            denies.add(`${permission}(${toCursorPath(siblingPath)}/**)`);
+        }
+        parentPath = join(parentPath, segment);
+    }
+    return [...denies];
+}
+function buildSystemRootDenyPatterns(workspacePath, permission) {
+    const workspace = toCursorPath(resolve(workspacePath));
+    const rootCandidates = [
+        "/etc",
+        "/bin",
+        "/sbin",
+        "/usr",
+        "/opt",
+        "/System",
+        "/Library",
+        "/Applications",
+        "/dev",
+        "/proc",
+        "/sys",
+        "/Volumes",
+        "/home",
+    ];
+    const denies = [];
+    for (const rootPath of rootCandidates) {
+        if (workspace === rootPath || workspace.startsWith(`${rootPath}/`))
+            continue;
+        denies.push(`${permission}(${rootPath}/**)`);
+    }
+    return denies;
+}
+/**
+ * Auto-deny patterns that protect the host system and worktree siblings
+ * whenever a session has broad Read/Write permissions. Mirrors the same
+ * scoping the old CLI-based runner applied via .cursor/cli.json.
+ */
+export function buildAutoDenyPatterns(args) {
+    const { workspace, allowedTools = [] } = args;
+    if (!workspace)
+        return [];
+    const denies = new Set();
+    if (allowedTools.some(isBroadReadPattern)) {
+        for (const p of buildWorkspaceSiblingDenyPatterns(workspace, "Read"))
+            denies.add(p);
+        for (const p of buildSystemRootDenyPatterns(workspace, "Read"))
+            denies.add(p);
+    }
+    if (allowedTools.some(isBroadWritePattern)) {
+        for (const p of buildWorkspaceSiblingDenyPatterns(workspace, "Write"))
+            denies.add(p);
+        for (const p of buildSystemRootDenyPatterns(workspace, "Write"))
+            denies.add(p);
+    }
+    return [...denies];
+}
+/**
+ * Build the final permissions config that ships into the worktree
+ * alongside the permission-check helper. Returns deduplicated
+ * allow/deny pattern lists in Cursor hook syntax.
+ */
+export function buildCyrusPermissionsConfig(args) {
+    const { workspace, allowedTools = [], disallowedTools = [], mcpServers: mcpServersIn = {}, } = args;
+    const allow = new Set();
+    for (const pattern of allowedTools) {
+        for (const mapped of mapToolPatternToHookPatterns(pattern)) {
+            allow.add(mapped);
+        }
+    }
+    const deny = new Set();
+    for (const pattern of disallowedTools) {
+        for (const mapped of mapToolPatternToHookPatterns(pattern)) {
+            deny.add(mapped);
+        }
+    }
+    for (const pattern of buildAutoDenyPatterns({ workspace, allowedTools })) {
+        deny.add(pattern);
+    }
+    const mcpServers = [];
+    for (const [name, server] of Object.entries(mcpServersIn)) {
+        if (!server || typeof server !== "object")
+            continue;
+        if (typeof server.url === "string" && server.url) {
+            mcpServers.push({ name, url: server.url });
+        }
+        else if (typeof server.command === "string" && server.command) {
+            const argv = Array.isArray(server.args) ? server.args : [];
+            const commandLine = [server.command, ...argv].join(" ").trim();
+            mcpServers.push({ name, commandLine });
+        }
+    }
+    return {
+        workspace: resolve(workspace),
+        allow: [...allow],
+        deny: [...deny],
+        mcpServers,
+    };
+}
+//# sourceMappingURL=permissions.js.map

package/dist/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../src/permissions.ts"],"names":[],"mappings":"AAAA,yEAAyE;AACzE,2EAA2E;AAC3E,EAAE;AACF,0DAA0D;AAC1D,8CAA8C;AAC9C,iDAAiD;AACjD,yEAAyE;AACzE,EAAE;AACF,kCAAkC;AAClC,iBAAiB;AACjB,kBAAkB;AAClB,4CAA4C;AAC5C,yBAAyB;AACzB,iBAAiB;AAEjB,OAAO,EAAe,WAAW,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,KAAK,IAAI,SAAS,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA6B9D,SAAS,gBAAgB,CAAC,OAAe;IACxC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;IACtE,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,OAAO;QACN,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE;QACpB,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,IAAI;KAClC,CAAC;AACH,CAAC;AAED,SAAS,yBAAyB,CAAC,QAAuB;IACzD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;IACjD,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,IAAI,SAAS,KAAK,GAAG,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,GAAG,CAAC;IACxD,MAAM,WAAW,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;IACpD,OAAO,WAAW,IAAI,IAAI,CAAC;AAC5B,CAAC;AAED,SAAS,sBAAsB,CAAC,QAAuB;IACtD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;IACjD,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,QAAQ,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAClD,OAAO,IAAI,IAAI,IAAI,CAAC;AACrB,CAAC;AAED,SAAS,aAAa,CAAC,OAAe;IACrC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,GAAG,CAAC;IACvC,MAAM,IAAI,GACT,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IACnE,OAAO,OAAO,MAAM,IAAI,IAAI,GAAG,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,SAAS,4BAA4B,CAAC,OAAe;IACpD,MAAM,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IACnC,IAAI,GAAG;QAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAEtB,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IAEvB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IACvC,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;IAE5B,0EAA0E;IAC1E,4EAA4E;IAC5E,yEAAyE;IACzE,sEAAsE;IACtE,mEAAmE;IACnE,IAAI,CAAC,GAAG,EAAE,CAAC;QACV,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;YACzC,OAAO,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;YAC3D,OAAO,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;QACnC,CAAC;QACD,IACC,IAAI,KAAK,MAAM;YACf,IAAI,KAAK,OAAO;YAChB,IAAI,KAAK,WAAW;YACpB,IAAI,KAAK,cAAc;YACvB,IAAI,KAAK,WAAW,EACnB,CAAC;YACF,OAAO,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;QACrC,CAAC;QACD,sEAAsE;QACtE,0DAA0D;QAC1D,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACvE,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC,CAAC;IACzB,CAAC;IAED,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,yBAAyB,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAa,EAAE,CAAC;QACzB,IAAI,IAAI,EAAE,CAAC;YACV,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,GAAG,CAAC,CAAC;YAC3B,IAAI,QAAQ;gBAAE,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,IAAI,QAAQ,GAAG,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,GAAG,CAAC;IACZ,CAAC;IAED,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QAC3D,OAAO,CAAC,QAAQ,GAAG,GAAG,CAAC,CAAC;IACzB,CAAC;IAED,IACC,IAAI,KAAK,MAAM;QACf,IAAI,KAAK,OAAO;QAChB,IAAI,KAAK,WAAW;QACpB,IAAI,KAAK,cAAc;QACvB,IAAI,KAAK,WAAW,EACnB,CAAC;QACF,OAAO,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,qDAAqD;IACrD,OAAO,EAAE,CAAC;AACX,CAAC;AAED,SAAS,aAAa,CAAC,QAAuB;IAC7C,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;IAChC,OAAO,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,KAAK,IAAI,CAAC;AACjD,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAe;IAC1C,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IACpC,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAClE,OAAO,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAe;IAC3C,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IACpC,IACC,CAAC,CACA,CAAC,KAAK,MAAM;QACZ,CAAC,KAAK,OAAO;QACb,CAAC,KAAK,WAAW;QACjB,CAAC,KAAK,cAAc;QACpB,CAAC,KAAK,WAAW,CACjB,EACA,CAAC;QACF,OAAO,KAAK,CAAC;IACd,CAAC;IACD,OAAO,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IACjC,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,iCAAiC,CACzC,aAAqB,EACrB,UAA4B;IAE5B,MAAM,qBAAqB,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACrD,MAAM,MAAM,GAAG,SAAS,CAAC,qBAAqB,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IAE5B,MAAM,QAAQ,GAAG,qBAAqB;SACpC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;SACzB,KAAK,CAAC,QAAQ,CAAC;SACf,MAAM,CAAC,OAAO,CAAC,CAAC;IAClB,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,IAAI,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAChC,IAAI,OAAiB,CAAC;QACtB,IAAI,CAAC;YACJ,OAAO,GAAG,WAAW,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5D,CAAC;QAAC,MAAM,CAAC;YACR,MAAM;QACP,CAAC;QACD,KAAK,MAAM,OAAO,IAAI,OAAO,EAAE,CAAC;YAC/B,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO;gBAAE,SAAS;YACjE,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;YACnD,MAAM,CAAC,GAAG,CAAC,GAAG,UAAU,IAAI,YAAY,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;QAC9D,CAAC;QACD,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;AACpB,CAAC;AAED,SAAS,2BAA2B,CACnC,aAAqB,EACrB,UAA4B;IAE5B,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;IACvD,MAAM,cAAc,GAAG;QACtB,MAAM;QACN,MAAM;QACN,OAAO;QACP,MAAM;QACN,MAAM;QACN,SAAS;QACT,UAAU;QACV,eAAe;QACf,MAAM;QACN,OAAO;QACP,MAAM;QACN,UAAU;QACV,OAAO;KACP,CAAC;IACF,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,QAAQ,IAAI,cAAc,EAAE,CAAC;QACvC,IAAI,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC;YACjE,SAAS;QACV,MAAM,CAAC,IAAI,CAAC,GAAG,UAAU,IAAI,QAAQ,MAAM,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,MAAM,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAGrC;IACA,MAAM,EAAE,SAAS,EAAE,YAAY,GAAG,EAAE,EAAE,GAAG,IAAI,CAAC;IAC9C,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,CAAC;IAE1B,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,IAAI,YAAY,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC3C,KAAK,MAAM,CAAC,IAAI,iCAAiC,CAAC,SAAS,EAAE,MAAM,CAAC;YACnE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACf,KAAK,MAAM,CAAC,IAAI,2BAA2B,CAAC,SAAS,EAAE,MAAM,CAAC;YAC7D,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAChB,CAAC;IACD,IAAI,YAAY,CAAC,IAAI,CAAC,mBAAmB,CAAC,EAAE,CAAC;QAC5C,KAAK,MAAM,CAAC,IAAI,iCAAiC,CAAC,SAAS,EAAE,OAAO,CAAC;YACpE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACf,KAAK,MAAM,CAAC,IAAI,2BAA2B,CAAC,SAAS,EAAE,OAAO,CAAC;YAC9D,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAChB,CAAC;IACD,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;AACpB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,2BAA2B,CAAC,IAQ3C;IACA,MAAM,EACL,SAAS,EACT,YAAY,GAAG,EAAE,EACjB,eAAe,GAAG,EAAE,EACpB,UAAU,EAAE,YAAY,GAAG,EAAE,GAC7B,GAAG,IAAI,CAAC;IAET,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACpC,KAAK,MAAM,MAAM,IAAI,4BAA4B,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5D,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACnB,CAAC;IACF,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACvC,KAAK,MAAM,MAAM,IAAI,4BAA4B,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5D,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC;IACF,CAAC;IACD,KAAK,MAAM,OAAO,IAAI,qBAAqB,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACnB,CAAC;IAED,MAAM,UAAU,GAAgC,EAAE,CAAC;IACnD,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QAC3D,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;YAAE,SAAS;QACpD,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;YAClD,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;QAC5C,CAAC;aAAM,IAAI,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACjE,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3D,MAAM,WAAW,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAC/D,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;QACxC,CAAC;IACF,CAAC;IAED,OAAO;QACN,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC;QAC7B,KAAK,EAAE,CAAC,GAAG,KAAK,CAAC;QACjB,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;QACf,UAAU;KACV,CAAC;AACH,CAAC"}

package/dist/sandbox.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Subset of `@anthropic-ai/claude-agent-sdk`'s `SandboxSettings` we know how
+ * to translate. Defined locally (not imported) to avoid a hard dep on
+ * cyrus-claude-runner — the EdgeWorker is the only consumer that originates
+ * a SandboxSettings, and a structural type is enough.
+ */
+export interface CursorSandboxInput {
+    enabled?: boolean;
+    failIfUnavailable?: boolean;
+    allowUnsandboxedCommands?: boolean;
+    network?: {
+        allowedDomains?: string[];
+        deniedDomains?: string[];
+        allowManagedDomainsOnly?: boolean;
+        httpProxyPort?: number;
+        socksProxyPort?: number;
+    };
+    filesystem?: {
+        allowWrite?: string[];
+        denyWrite?: string[];
+        denyRead?: string[];
+        allowRead?: string[];
+    };
+}
+export interface CursorSandboxJson {
+    type: "workspace_readwrite" | "workspace_readonly" | "insecure_none";
+    additionalReadwritePaths: string[];
+    additionalReadonlyPaths: string[];
+    disableTmpWrite: boolean;
+    enableSharedBuildCache: boolean;
+    networkPolicy: {
+        default: "allow" | "deny";
+        allow: string[];
+        deny: string[];
+    };
+}
+export interface BuildSandboxArgs {
+    workspace: string;
+    sandboxSettings?: CursorSandboxInput;
+    /** Path to a CA cert bundle for MITM TLS interception by the egress proxy. */
+    egressCaCertPath?: string;
+    /**
+     * Extra paths Cursor's sandbox should treat as read+write (e.g. attachments
+     * dir, additional repository paths in multi-repo issues). Workspace itself
+     * is implicit in `workspace_readwrite`; pass only the *extras*.
+     */
+    additionalReadwritePaths?: string[];
+}
+/**
+ * Returns the JSON document to write to `<workspace>/.cursor/sandbox.json`
+ * when sandbox is enabled. Returns `null` when sandbox is disabled.
+ */
+export declare function buildCursorSandboxJson(args: BuildSandboxArgs): CursorSandboxJson | null;
+/**
+ * Returns the env vars to set on `process.env` (so child shell tools inherit
+ * them) before invoking `agent.send`. These cover:
+ *   - cert-trust env vars when an egress CA bundle is configured
+ *   - HTTP_PROXY / HTTPS_PROXY / ALL_PROXY when the egress proxy is configured
+ */
+export declare function buildSandboxEnv(args: {
+    sandboxSettings?: CursorSandboxInput;
+    egressCaCertPath?: string;
+}): Record<string, string>;
+//# sourceMappingURL=sandbox.d.ts.map

package/dist/sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.d.ts","sourceRoot":"","sources":["../src/sandbox.ts"],"names":[],"mappings":"AAkCA;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IAClC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,OAAO,CAAC,EAAE;QACT,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,uBAAuB,CAAC,EAAE,OAAO,CAAC;QAClC,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,cAAc,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,UAAU,CAAC,EAAE;QACZ,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;CACF;AAED,MAAM,WAAW,iBAAiB;IACjC,IAAI,EAAE,qBAAqB,GAAG,oBAAoB,GAAG,eAAe,CAAC;IACrE,wBAAwB,EAAE,MAAM,EAAE,CAAC;IACnC,uBAAuB,EAAE,MAAM,EAAE,CAAC;IAClC,eAAe,EAAE,OAAO,CAAC;IACzB,sBAAsB,EAAE,OAAO,CAAC;IAChC,aAAa,EAAE;QACd,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC;QAC1B,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,IAAI,EAAE,MAAM,EAAE,CAAC;KACf,CAAC;CACF;AAED,MAAM,WAAW,gBAAgB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,kBAAkB,CAAC;IACrC,8EAA8E;IAC9E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;OAIG;IACH,wBAAwB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACrC,IAAI,EAAE,gBAAgB,GACpB,iBAAiB,GAAG,IAAI,CAqE1B;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE;IACrC,eAAe,CAAC,EAAE,kBAAkB,CAAC;IACrC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC1B,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAgCzB"}

package/dist/sandbox.js

@@ -0,0 +1,143 @@
+// Translates the Cyrus / Claude `SandboxSettings` shape into the Cursor SDK's
+// `.cursor/sandbox.json` schema (plus the env vars that need to be set on
+// `process.env` so child shell tools inherit cert-trust + proxy hints).
+//
+// Cursor sandbox model summary (validated via learning tests on
+// `@cursor/sdk@1.0.11`):
+//   - `local.sandboxOptions: { enabled: true }` engages Apple Seatbelt on
+//     macOS / Landlock+Bubblewrap on Linux via the bundled `cursorsandbox`
+//     helper (auto-discovered from `@cursor/sdk-<platform>-<arch>`).
+//   - Default policy `workspace_readwrite`: workspace + /tmp are writable,
+//     filesystem-wide read is allowed, off-workspace writes blocked, network
+//     blocked unless `.cursor/sandbox.json` allows hosts.
+//   - `.cursor/sandbox.json` lets us extend the policy with extra
+//     read/write paths and a deny-default network allowlist.
+//
+// Mapping from Claude `SandboxSettings`:
+//   filesystem.allowWrite[]     -> additionalReadwritePaths
+//   filesystem.allowRead[]      -> additionalReadonlyPaths
+//   network.allowedDomains[]    -> networkPolicy.allow
+//   network.deniedDomains[]     -> networkPolicy.deny
+//   network.httpProxyPort       -> add 127.0.0.1 to allow + HTTP_PROXY env
+//   network.socksProxyPort      -> add 127.0.0.1 to allow + ALL_PROXY env
+//   egressCaCertPath            -> NODE_EXTRA_CA_CERTS / SSL_CERT_FILE / ... env
+//
+// Limitations (Cursor SDK lacks per-path deny under workspace_readwrite,
+// per-call filesystem hooks, etc.):
+//   - filesystem.denyRead / denyWrite are accepted but not enforced.
+//     Document via comments; rely on workspace_readwrite default + hook
+//     helper for read-blocking sensitive paths.
+//   - network.allowAllUnixSockets / allowMachLookup / allowLocalBinding:
+//     not exposed by Cursor sandbox.json; default sandbox behavior applies.
+import { resolve } from "node:path";
+/**
+ * Returns the JSON document to write to `<workspace>/.cursor/sandbox.json`
+ * when sandbox is enabled. Returns `null` when sandbox is disabled.
+ */
+export function buildCursorSandboxJson(args) {
+    const { workspace, sandboxSettings, egressCaCertPath } = args;
+    if (!sandboxSettings?.enabled)
+        return null;
+    const extraWrite = new Set();
+    const extraRead = new Set();
+    const allow = new Set();
+    const deny = new Set();
+    for (const p of args.additionalReadwritePaths ?? []) {
+        if (p && resolve(p) !== resolve(workspace))
+            extraWrite.add(resolve(p));
+    }
+    const fs = sandboxSettings.filesystem;
+    if (fs?.allowWrite) {
+        for (const p of fs.allowWrite) {
+            if (!p)
+                continue;
+            const abs = resolve(p);
+            if (abs !== resolve(workspace))
+                extraWrite.add(abs);
+        }
+    }
+    if (fs?.allowRead) {
+        for (const p of fs.allowRead) {
+            if (!p)
+                continue;
+            // "." is the workspace shorthand; ignore it because Cursor's
+            // `workspace_readwrite` already grants workspace reads.
+            if (p === ".")
+                continue;
+            extraRead.add(resolve(p));
+        }
+    }
+    // Cursor's sandbox.json doesn't support denyRead/denyWrite under
+    // workspace_readwrite. Documented limitation. (Hook-based per-path
+    // reads can compensate when needed via `.cursor/hooks.json`.)
+    const network = sandboxSettings.network;
+    if (network?.allowedDomains)
+        for (const d of network.allowedDomains)
+            allow.add(d);
+    if (network?.deniedDomains)
+        for (const d of network.deniedDomains)
+            deny.add(d);
+    // When the Cyrus egress proxy is in use, child shell processes need to be
+    // able to reach the loopback proxy port. Add 127.0.0.1 / ::1 to the
+    // network allow-list so curl / npm / git can connect to it.
+    if (typeof network?.httpProxyPort === "number" ||
+        typeof network?.socksProxyPort === "number") {
+        allow.add("127.0.0.1");
+        allow.add("::1");
+        allow.add("localhost");
+    }
+    // Read access to the CA cert bundle path so child processes can read
+    // it via NODE_EXTRA_CA_CERTS / SSL_CERT_FILE etc.
+    if (egressCaCertPath)
+        extraRead.add(resolve(egressCaCertPath));
+    return {
+        type: "workspace_readwrite",
+        additionalReadwritePaths: [...extraWrite].sort(),
+        additionalReadonlyPaths: [...extraRead].sort(),
+        disableTmpWrite: false,
+        enableSharedBuildCache: false,
+        networkPolicy: {
+            default: "deny",
+            allow: [...allow].sort(),
+            deny: [...deny].sort(),
+        },
+    };
+}
+/**
+ * Returns the env vars to set on `process.env` (so child shell tools inherit
+ * them) before invoking `agent.send`. These cover:
+ *   - cert-trust env vars when an egress CA bundle is configured
+ *   - HTTP_PROXY / HTTPS_PROXY / ALL_PROXY when the egress proxy is configured
+ */
+export function buildSandboxEnv(args) {
+    const { sandboxSettings, egressCaCertPath } = args;
+    const env = {};
+    if (!sandboxSettings?.enabled)
+        return env;
+    if (egressCaCertPath) {
+        env.NODE_EXTRA_CA_CERTS = egressCaCertPath; // Node.js (SDK, npm, etc.)
+        env.SSL_CERT_FILE = egressCaCertPath; // OpenSSL (general fallback)
+        env.GIT_SSL_CAINFO = egressCaCertPath; // Git HTTPS
+        env.REQUESTS_CA_BUNDLE = egressCaCertPath; // Python requests
+        env.PIP_CERT = egressCaCertPath; // pip
+        env.CURL_CA_BUNDLE = egressCaCertPath; // curl (OpenSSL builds)
+        env.CARGO_HTTP_CAINFO = egressCaCertPath; // Rust / cargo
+        env.AWS_CA_BUNDLE = egressCaCertPath; // AWS CLI / boto3
+        env.DENO_CERT = egressCaCertPath; // Deno
+    }
+    const network = sandboxSettings.network;
+    if (typeof network?.httpProxyPort === "number") {
+        const url = `http://127.0.0.1:${network.httpProxyPort}`;
+        env.HTTP_PROXY = url;
+        env.HTTPS_PROXY = url;
+        env.http_proxy = url;
+        env.https_proxy = url;
+    }
+    if (typeof network?.socksProxyPort === "number") {
+        const url = `socks5://127.0.0.1:${network.socksProxyPort}`;
+        env.ALL_PROXY = url;
+        env.all_proxy = url;
+    }
+    return env;
+}
+//# sourceMappingURL=sandbox.js.map

package/dist/sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.js","sourceRoot":"","sources":["../src/sandbox.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,0EAA0E;AAC1E,wEAAwE;AACxE,EAAE;AACF,gEAAgE;AAChE,yBAAyB;AACzB,0EAA0E;AAC1E,2EAA2E;AAC3E,qEAAqE;AACrE,2EAA2E;AAC3E,6EAA6E;AAC7E,0DAA0D;AAC1D,kEAAkE;AAClE,6DAA6D;AAC7D,EAAE;AACF,yCAAyC;AACzC,4DAA4D;AAC5D,2DAA2D;AAC3D,uDAAuD;AACvD,sDAAsD;AACtD,2EAA2E;AAC3E,0EAA0E;AAC1E,iFAAiF;AACjF,EAAE;AACF,yEAAyE;AACzE,oCAAoC;AACpC,qEAAqE;AACrE,wEAAwE;AACxE,gDAAgD;AAChD,yEAAyE;AACzE,4EAA4E;AAE5E,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAqDpC;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CACrC,IAAsB;IAEtB,MAAM,EAAE,SAAS,EAAE,eAAe,EAAE,gBAAgB,EAAE,GAAG,IAAI,CAAC;IAC9D,IAAI,CAAC,eAAe,EAAE,OAAO;QAAE,OAAO,IAAI,CAAC;IAE3C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,wBAAwB,IAAI,EAAE,EAAE,CAAC;QACrD,IAAI,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,SAAS,CAAC;YAAE,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,EAAE,GAAG,eAAe,CAAC,UAAU,CAAC;IACtC,IAAI,EAAE,EAAE,UAAU,EAAE,CAAC;QACpB,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC;YAC/B,IAAI,CAAC,CAAC;gBAAE,SAAS;YACjB,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACvB,IAAI,GAAG,KAAK,OAAO,CAAC,SAAS,CAAC;gBAAE,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACrD,CAAC;IACF,CAAC;IACD,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC;QACnB,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,SAAS,EAAE,CAAC;YAC9B,IAAI,CAAC,CAAC;gBAAE,SAAS;YACjB,6DAA6D;YAC7D,wDAAwD;YACxD,IAAI,CAAC,KAAK,GAAG;gBAAE,SAAS;YACxB,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;IACF,CAAC;IAED,iEAAiE;IACjE,mEAAmE;IACnE,8DAA8D;IAE9D,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC;IACxC,IAAI,OAAO,EAAE,cAAc;QAC1B,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,cAAc;YAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACtD,IAAI,OAAO,EAAE,aAAa;QACzB,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,aAAa;YAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAEpD,0EAA0E;IAC1E,oEAAoE;IACpE,4DAA4D;IAC5D,IACC,OAAO,OAAO,EAAE,aAAa,KAAK,QAAQ;QAC1C,OAAO,OAAO,EAAE,cAAc,KAAK,QAAQ,EAC1C,CAAC;QACF,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACvB,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACjB,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACxB,CAAC;IAED,qEAAqE;IACrE,kDAAkD;IAClD,IAAI,gBAAgB;QAAE,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAE/D,OAAO;QACN,IAAI,EAAE,qBAAqB;QAC3B,wBAAwB,EAAE,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,EAAE;QAChD,uBAAuB,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,EAAE;QAC9C,eAAe,EAAE,KAAK;QACtB,sBAAsB,EAAE,KAAK;QAC7B,aAAa,EAAE;YACd,OAAO,EAAE,MAAM;YACf,KAAK,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,EAAE;YACxB,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE;SACtB;KACD,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,IAG/B;IACA,MAAM,EAAE,eAAe,EAAE,gBAAgB,EAAE,GAAG,IAAI,CAAC;IACnD,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,IAAI,CAAC,eAAe,EAAE,OAAO;QAAE,OAAO,GAAG,CAAC;IAE1C,IAAI,gBAAgB,EAAE,CAAC;QACtB,GAAG,CAAC,mBAAmB,GAAG,gBAAgB,CAAC,CAAC,2BAA2B;QACvE,GAAG,CAAC,aAAa,GAAG,gBAAgB,CAAC,CAAC,6BAA6B;QACnE,GAAG,CAAC,cAAc,GAAG,gBAAgB,CAAC,CAAC,YAAY;QACnD,GAAG,CAAC,kBAAkB,GAAG,gBAAgB,CAAC,CAAC,kBAAkB;QAC7D,GAAG,CAAC,QAAQ,GAAG,gBAAgB,CAAC,CAAC,MAAM;QACvC,GAAG,CAAC,cAAc,GAAG,gBAAgB,CAAC,CAAC,wBAAwB;QAC/D,GAAG,CAAC,iBAAiB,GAAG,gBAAgB,CAAC,CAAC,eAAe;QACzD,GAAG,CAAC,aAAa,GAAG,gBAAgB,CAAC,CAAC,kBAAkB;QACxD,GAAG,CAAC,SAAS,GAAG,gBAAgB,CAAC,CAAC,OAAO;IAC1C,CAAC;IAED,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC;IACxC,IAAI,OAAO,OAAO,EAAE,aAAa,KAAK,QAAQ,EAAE,CAAC;QAChD,MAAM,GAAG,GAAG,oBAAoB,OAAO,CAAC,aAAa,EAAE,CAAC;QACxD,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;QACrB,GAAG,CAAC,WAAW,GAAG,GAAG,CAAC;QACtB,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;QACrB,GAAG,CAAC,WAAW,GAAG,GAAG,CAAC;IACvB,CAAC;IACD,IAAI,OAAO,OAAO,EAAE,cAAc,KAAK,QAAQ,EAAE,CAAC;QACjD,MAAM,GAAG,GAAG,sBAAsB,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3D,GAAG,CAAC,SAAS,GAAG,GAAG,CAAC;QACpB,GAAG,CAAC,SAAS,GAAG,GAAG,CAAC;IACrB,CAAC;IAED,OAAO,GAAG,CAAC;AACZ,CAAC"}

package/dist/types.d.ts

@@ -1,24 +1,32 @@
 import type { AgentRunnerConfig, AgentSessionInfo, SDKMessage } from "cyrus-core";
-export type CursorJsonEvent = Record<string, unknown>;
+import type { CursorSandboxInput } from "./sandbox.js";
 export interface CursorRunnerConfig extends AgentRunnerConfig {
-    /** Path to cursor-agent CLI binary (defaults to `cursor-agent` in PATH) */
-    cursorPath?: string;
-    /** API key override for Cursor CLI authentication */
+    /** API key for Cursor SDK authentication (falls back to CURSOR_API_KEY env). */
     cursorApiKey?: string;
-    /** Sandbox mode for Cursor tool execution */
-    sandbox?: "enabled" | "disabled";
-    /** Approval policy for Cursor tool/shell execution */
-    askForApproval?: "never" | "on-request" | "on-failure" | "untrusted";
-    /** Automatically approve all MCP servers when running headless */
-    approveMcps?: boolean;
+    /**
+     * Sandbox settings, structurally compatible with Cyrus / Claude SDK
+     * `SandboxSettings`. When `enabled: true`, the runner engages Cursor's
+     * `local.sandboxOptions` and writes a `.cursor/sandbox.json` policy
+     * mirroring `filesystem.allowRead/Write` and `network.allowed/deniedDomains`.
+     * If the Cyrus egress proxy is active (`network.httpProxyPort` set), the
+     * runner also adds `127.0.0.1` to the network allow-list and sets the
+     * proxy env vars on `process.env` so child shell tools route through it.
+     */
+    sandboxSettings?: CursorSandboxInput;
+    /**
+     * Path to the egress proxy CA cert bundle. When set, the runner exports
+     * `NODE_EXTRA_CA_CERTS`, `SSL_CERT_FILE`, etc. into `process.env` so
+     * sandboxed child processes trust the MITM-intercepting proxy.
+     */
+    egressCaCertPath?: string;
 }
 export interface CursorSessionInfo extends AgentSessionInfo {
+    /** The SDK agentId (local-prefix `agent-<uuid>`). */
     sessionId: string | null;
 }
 export interface CursorRunnerEvents {
     message: (message: SDKMessage) => void;
     error: (error: Error) => void;
     complete: (messages: SDKMessage[]) => void;
-    streamEvent: (event: CursorJsonEvent) => void;
 }
 //# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACX,iBAAiB,EACjB,gBAAgB,EAChB,UAAU,EACV,MAAM,YAAY,CAAC;AAEpB,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEtD,MAAM,WAAW,kBAAmB,SAAQ,iBAAiB;IAC5D,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,SAAS,GAAG,UAAU,CAAC;IACjC,sDAAsD;IACtD,cAAc,CAAC,EAAE,OAAO,GAAG,YAAY,GAAG,YAAY,GAAG,WAAW,CAAC;IACrE,kEAAkE;IAClE,WAAW,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,iBAAkB,SAAQ,gBAAgB;IAC1D,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IAClC,OAAO,EAAE,CAAC,OAAO,EAAE,UAAU,KAAK,IAAI,CAAC;IACvC,KAAK,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IAC9B,QAAQ,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,KAAK,IAAI,CAAC;IAC3C,WAAW,EAAE,CAAC,KAAK,EAAE,eAAe,KAAK,IAAI,CAAC;CAC9C"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACX,iBAAiB,EACjB,gBAAgB,EAChB,UAAU,EACV,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAEvD,MAAM,WAAW,kBAAmB,SAAQ,iBAAiB;IAC5D,gFAAgF;IAChF,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;;;;;;OAQG;IACH,eAAe,CAAC,EAAE,kBAAkB,CAAC;IAErC;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,iBAAkB,SAAQ,gBAAgB;IAC1D,qDAAqD;IACrD,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IAClC,OAAO,EAAE,CAAC,OAAO,EAAE,UAAU,KAAK,IAAI,CAAC;IACvC,KAAK,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IAC9B,QAAQ,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,KAAK,IAAI,CAAC;CAC3C"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cyrus-cursor-runner",
-  "version": "0.2.49",
+  "version": "0.2.51",
   "description": "Cursor Agent CLI process wrapper for Cyrus",
   "type": "module",
   "main": "dist/index.js",
@@ -9,8 +9,9 @@
     "dist"
   ],
   "dependencies": {
-    "cyrus-core": "0.2.49",
-    "cyrus-simple-agent-runner": "0.2.49"
+    "@cursor/sdk": "^1.0.11",
+    "cyrus-core": "0.2.51",
+    "cyrus-simple-agent-runner": "0.2.51"
   },
   "devDependencies": {
     "@types/node": "^20.0.0",
@@ -21,7 +22,7 @@
     "access": "public"
   },
   "scripts": {
-    "build": "tsc",
+    "build": "tsc && node -e \"require('node:fs').copyFileSync('src/permission-check.mjs', 'dist/permission-check.mjs')\"",
     "dev": "tsc --watch",
     "test": "node ../../node_modules/.pnpm/node_modules/vitest/vitest.mjs",
     "test:run": "node ../../node_modules/.pnpm/node_modules/vitest/vitest.mjs run --passWithNoTests",