cyrus-edge-worker 0.2.43 → 0.2.45
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/ConfigManager.d.ts.map +1 -1
- package/dist/ConfigManager.js +3 -0
- package/dist/ConfigManager.js.map +1 -1
- package/dist/EdgeWorker.d.ts +28 -0
- package/dist/EdgeWorker.d.ts.map +1 -1
- package/dist/EdgeWorker.js +178 -1
- package/dist/EdgeWorker.js.map +1 -1
- package/dist/EgressProxy.d.ts +158 -0
- package/dist/EgressProxy.d.ts.map +1 -0
- package/dist/EgressProxy.js +699 -0
- package/dist/EgressProxy.js.map +1 -0
- package/dist/GitService.d.ts +4 -6
- package/dist/GitService.d.ts.map +1 -1
- package/dist/GitService.js +16 -12
- package/dist/GitService.js.map +1 -1
- package/dist/McpConfigService.d.ts.map +1 -1
- package/dist/McpConfigService.js +8 -1
- package/dist/McpConfigService.js.map +1 -1
- package/dist/RunnerConfigBuilder.d.ts +12 -1
- package/dist/RunnerConfigBuilder.d.ts.map +1 -1
- package/dist/RunnerConfigBuilder.js +49 -0
- package/dist/RunnerConfigBuilder.js.map +1 -1
- package/dist/SharedApplicationServer.d.ts.map +1 -1
- package/dist/SharedApplicationServer.js +1 -0
- package/dist/SharedApplicationServer.js.map +1 -1
- package/dist/cyrus-skills-plugin/skills/verify-and-ship/SKILL.md +15 -3
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/dist/prompts/builder.md +4 -4
- package/dist/prompts/debugger.md +4 -4
- package/dist/prompts/scoper.md +5 -5
- package/dist/prompts/todolist-system-prompt-extension.md +6 -6
- package/package.json +18 -16
- package/prompt-template.md +5 -5
- package/prompts/builder.md +4 -4
- package/prompts/debugger.md +4 -4
- package/prompts/scoper.md +5 -5
- package/prompts/todolist-system-prompt-extension.md +6 -6
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ConfigManager.d.ts","sourceRoot":"","sources":["../src/ConfigManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9E;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IACjC,KAAK,EAAE,gBAAgB,EAAE,CAAC;IAC1B,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7B,OAAO,EAAE,gBAAgB,EAAE,CAAC;IAC5B,yEAAyE;IACzE,SAAS,EAAE,gBAAgB,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IACnC,aAAa,EAAE,CAAC,OAAO,EAAE,iBAAiB,KAAK,IAAI,CAAC;CACpD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,aAAc,SAAQ,YAAY;IAC9C,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,yEAAyE;IACzE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAgC;IAC7D,OAAO,CAAC,aAAa,CAAC,CAAY;gBAGjC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,OAAO,EACf,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAa5C;;;;OAIG;IACH,kBAAkB,IAAI,IAAI;IA2B1B;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ3B;;OAEG;IACH,SAAS,IAAI,gBAAgB;IAI7B;;;;;OAKG;IACH,SAAS,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI;IAIzC;;OAEG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAQvC;;OAEG;YACW,kBAAkB;IA2ChC;;;OAGG;YACW,gBAAgB;
|
|
1
|
+
{"version":3,"file":"ConfigManager.d.ts","sourceRoot":"","sources":["../src/ConfigManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9E;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IACjC,KAAK,EAAE,gBAAgB,EAAE,CAAC;IAC1B,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7B,OAAO,EAAE,gBAAgB,EAAE,CAAC;IAC5B,yEAAyE;IACzE,SAAS,EAAE,gBAAgB,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IACnC,aAAa,EAAE,CAAC,OAAO,EAAE,iBAAiB,KAAK,IAAI,CAAC;CACpD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,aAAc,SAAQ,YAAY;IAC9C,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,yEAAyE;IACzE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAgC;IAC7D,OAAO,CAAC,aAAa,CAAC,CAAY;gBAGjC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,OAAO,EACf,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAa5C;;;;OAIG;IACH,kBAAkB,IAAI,IAAI;IA2B1B;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ3B;;OAEG;IACH,SAAS,IAAI,gBAAgB;IAI7B;;;;;OAKG;IACH,SAAS,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI;IAIzC;;OAEG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAQvC;;OAEG;YACW,kBAAkB;IA2ChC;;;OAGG;YACW,gBAAgB;IAiF9B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAoC/B;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IA0BjC;;OAEG;IACH,OAAO,CAAC,SAAS;CAGjB"}
|
package/dist/ConfigManager.js
CHANGED
|
@@ -174,6 +174,8 @@ export class ConfigManager extends EventEmitter {
|
|
|
174
174
|
// Issue update trigger: use parsed value if explicitly set,
|
|
175
175
|
// otherwise keep current or default to true
|
|
176
176
|
issueUpdateTrigger: parsedConfig.issueUpdateTrigger ?? this.config.issueUpdateTrigger,
|
|
177
|
+
// Sandbox / egress proxy config
|
|
178
|
+
sandbox: parsedConfig.sandbox ?? this.config.sandbox,
|
|
177
179
|
};
|
|
178
180
|
// Basic validation
|
|
179
181
|
if (!Array.isArray(newConfig.repositories)) {
|
|
@@ -246,6 +248,7 @@ export class ConfigManager extends EventEmitter {
|
|
|
246
248
|
"issueUpdateTrigger",
|
|
247
249
|
"linearWorkspaces",
|
|
248
250
|
"userAccessControl",
|
|
251
|
+
"sandbox",
|
|
249
252
|
];
|
|
250
253
|
for (const key of globalKeys) {
|
|
251
254
|
if (!this.deepEqual(this.config[key], newConfig[key])) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ConfigManager.js","sourceRoot":"","sources":["../src/ConfigManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,KAAK,IAAI,aAAa,EAAkB,MAAM,UAAU,CAAC;AAsBlE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,aAAc,SAAQ,YAAY;IACtC,MAAM,CAAmB;IAChB,MAAM,CAAU;IACzB,UAAU,CAAU;IAC5B,yEAAyE;IACxD,YAAY,CAAgC;IACrD,aAAa,CAAa;IAElC,YACC,MAAwB,EACxB,MAAe,EACf,UAA8B,EAC9B,YAA2C;QAE3C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IAClC,CAAC;IAED,qEAAqE;IACrE,aAAa;IACb,qEAAqE;IAErE;;;;OAIG;IACH,kBAAkB;QACjB,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YACzE,OAAO;QACR,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAE5E,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE;YACnD,UAAU,EAAE,IAAI;YAChB,aAAa,EAAE,IAAI;YACnB,gBAAgB,EAAE;gBACjB,kBAAkB,EAAE,GAAG;gBACvB,YAAY,EAAE,GAAG;aACjB;SACD,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACzD,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAc,EAAE,EAAE;YACjD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI;QACT,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC;YAC/B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;IACF,CAAC;IAED;;OAEG;IACH,SAAS;QACR,OAAO,IAAI,CAAC,MAAM,CAAC;IACpB,CAAC;IAED;;;;;OAKG;IACH,SAAS,CAAC,MAAwB;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,UAAkB;QAC/B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC9B,CAAC;IAED,qEAAqE;IACrE,mBAAmB;IACnB,qEAAqE;IAErE;;OAEG;IACK,KAAK,CAAC,kBAAkB;QAC/B,IAAI,CAAC;YACJ,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAChD,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChB,OAAO;YACR,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;YAExD,MAAM,cAAc,GACnB,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;gBACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;gBAC3B,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;YAE5B,gDAAgD;YAChD,MAAM,gBAAgB,GAAG,IAAI,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;YAEnE,IAAI,CAAC,cAAc,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;gBACnD,OAAO;YACR,CAAC;YAED,IAAI,cAAc,EAAE,CAAC;gBACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,mCAAmC,OAAO,CAAC,KAAK,CAAC,MAAM,WAAW,OAAO,CAAC,QAAQ,CAAC,MAAM,cAAc,OAAO,CAAC,OAAO,CAAC,MAAM,UAAU,CACvI,CAAC;YACH,CAAC;YACD,IAAI,gBAAgB,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;YACvD,CAAC;YAED,6DAA6D;YAC7D,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;gBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,SAAS;aACmB,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;QAC/D,CAAC;IACF,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,gBAAgB;QAC7B,IAAI,CAAC;YACJ,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;gBAC1C,OAAO,IAAI,CAAC;YACb,CAAC;YAED,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC/D,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YAE/C,iDAAiD;YACjD,MAAM,SAAS,GAAqB;gBACnC,GAAG,IAAI,CAAC,MAAM;gBACd,YAAY,EAAE,YAAY,CAAC,YAAY,IAAI,EAAE;gBAC7C,cAAc,EACb,YAAY,CAAC,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc;gBAC1D,gBAAgB,EACf,YAAY,CAAC,gBAAgB,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB;gBAC9D,kBAAkB,EACjB,YAAY,CAAC,kBAAkB;oBAC/B,YAAY,CAAC,YAAY;oBACzB,IAAI,CAAC,MAAM,CAAC,kBAAkB;oBAC9B,IAAI,CAAC,MAAM,CAAC,YAAY;gBACzB,0BAA0B,EACzB,YAAY,CAAC,0BAA0B;oBACvC,YAAY,CAAC,oBAAoB;oBACjC,IAAI,CAAC,MAAM,CAAC,0BAA0B;oBACtC,IAAI,CAAC,MAAM,CAAC,oBAAoB;gBACjC,kBAAkB,EACjB,YAAY,CAAC,kBAAkB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;gBAClE,iBAAiB,EAChB,YAAY,CAAC,iBAAiB,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB;gBAChE,aAAa,EAAE,YAAY,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa;gBACtE,cAAc,EACb,YAAY,CAAC,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc;gBAC1D,4DAA4D;gBAC5D,YAAY,EAAE,YAAY,CAAC,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY;gBACnE,oBAAoB,EACnB,YAAY,CAAC,oBAAoB,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB;gBACtE,mBAAmB,EAClB,YAAY,CAAC,mBAAmB,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB;gBACpE,sBAAsB,EACrB,YAAY,CAAC,sBAAsB;oBACnC,IAAI,CAAC,MAAM,CAAC,sBAAsB;gBACnC,4DAA4D;gBAC5D,4CAA4C;gBAC5C,kBAAkB,EACjB,YAAY,CAAC,kBAAkB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;
|
|
1
|
+
{"version":3,"file":"ConfigManager.js","sourceRoot":"","sources":["../src/ConfigManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,KAAK,IAAI,aAAa,EAAkB,MAAM,UAAU,CAAC;AAsBlE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,aAAc,SAAQ,YAAY;IACtC,MAAM,CAAmB;IAChB,MAAM,CAAU;IACzB,UAAU,CAAU;IAC5B,yEAAyE;IACxD,YAAY,CAAgC;IACrD,aAAa,CAAa;IAElC,YACC,MAAwB,EACxB,MAAe,EACf,UAA8B,EAC9B,YAA2C;QAE3C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IAClC,CAAC;IAED,qEAAqE;IACrE,aAAa;IACb,qEAAqE;IAErE;;;;OAIG;IACH,kBAAkB;QACjB,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YACzE,OAAO;QACR,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAE5E,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE;YACnD,UAAU,EAAE,IAAI;YAChB,aAAa,EAAE,IAAI;YACnB,gBAAgB,EAAE;gBACjB,kBAAkB,EAAE,GAAG;gBACvB,YAAY,EAAE,GAAG;aACjB;SACD,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACzD,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAc,EAAE,EAAE;YACjD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI;QACT,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC;YAC/B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;IACF,CAAC;IAED;;OAEG;IACH,SAAS;QACR,OAAO,IAAI,CAAC,MAAM,CAAC;IACpB,CAAC;IAED;;;;;OAKG;IACH,SAAS,CAAC,MAAwB;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,UAAkB;QAC/B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC9B,CAAC;IAED,qEAAqE;IACrE,mBAAmB;IACnB,qEAAqE;IAErE;;OAEG;IACK,KAAK,CAAC,kBAAkB;QAC/B,IAAI,CAAC;YACJ,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAChD,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChB,OAAO;YACR,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;YAExD,MAAM,cAAc,GACnB,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;gBACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;gBAC3B,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;YAE5B,gDAAgD;YAChD,MAAM,gBAAgB,GAAG,IAAI,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;YAEnE,IAAI,CAAC,cAAc,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;gBACnD,OAAO;YACR,CAAC;YAED,IAAI,cAAc,EAAE,CAAC;gBACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,mCAAmC,OAAO,CAAC,KAAK,CAAC,MAAM,WAAW,OAAO,CAAC,QAAQ,CAAC,MAAM,cAAc,OAAO,CAAC,OAAO,CAAC,MAAM,UAAU,CACvI,CAAC;YACH,CAAC;YACD,IAAI,gBAAgB,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;YACvD,CAAC;YAED,6DAA6D;YAC7D,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;gBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,SAAS;aACmB,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;QAC/D,CAAC;IACF,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,gBAAgB;QAC7B,IAAI,CAAC;YACJ,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;gBAC1C,OAAO,IAAI,CAAC;YACb,CAAC;YAED,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC/D,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YAE/C,iDAAiD;YACjD,MAAM,SAAS,GAAqB;gBACnC,GAAG,IAAI,CAAC,MAAM;gBACd,YAAY,EAAE,YAAY,CAAC,YAAY,IAAI,EAAE;gBAC7C,cAAc,EACb,YAAY,CAAC,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc;gBAC1D,gBAAgB,EACf,YAAY,CAAC,gBAAgB,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB;gBAC9D,kBAAkB,EACjB,YAAY,CAAC,kBAAkB;oBAC/B,YAAY,CAAC,YAAY;oBACzB,IAAI,CAAC,MAAM,CAAC,kBAAkB;oBAC9B,IAAI,CAAC,MAAM,CAAC,YAAY;gBACzB,0BAA0B,EACzB,YAAY,CAAC,0BAA0B;oBACvC,YAAY,CAAC,oBAAoB;oBACjC,IAAI,CAAC,MAAM,CAAC,0BAA0B;oBACtC,IAAI,CAAC,MAAM,CAAC,oBAAoB;gBACjC,kBAAkB,EACjB,YAAY,CAAC,kBAAkB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;gBAClE,iBAAiB,EAChB,YAAY,CAAC,iBAAiB,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB;gBAChE,aAAa,EAAE,YAAY,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa;gBACtE,cAAc,EACb,YAAY,CAAC,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc;gBAC1D,4DAA4D;gBAC5D,YAAY,EAAE,YAAY,CAAC,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY;gBACnE,oBAAoB,EACnB,YAAY,CAAC,oBAAoB,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB;gBACtE,mBAAmB,EAClB,YAAY,CAAC,mBAAmB,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB;gBACpE,sBAAsB,EACrB,YAAY,CAAC,sBAAsB;oBACnC,IAAI,CAAC,MAAM,CAAC,sBAAsB;gBACnC,4DAA4D;gBAC5D,4CAA4C;gBAC5C,kBAAkB,EACjB,YAAY,CAAC,kBAAkB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;gBAClE,gCAAgC;gBAChC,OAAO,EAAE,YAAY,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO;aACpD,CAAC;YAEF,mBAAmB;YACnB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC5C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;gBACrE,OAAO,IAAI,CAAC;YACb,CAAC;YAED,+CAA+C;YAC/C,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;gBAC3C,IACC,CAAC,IAAI,CAAC,EAAE;oBACR,CAAC,IAAI,CAAC,IAAI;oBACV,CAAC,IAAI,CAAC,cAAc;oBACpB,CAAC,IAAI,CAAC,UAAU,EACf,CAAC;oBACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAChB,6FAA6F,EAC7F,IAAI,CACJ,CAAC;oBACF,OAAO,IAAI,CAAC;gBACb,CAAC;YACF,CAAC;YAED,OAAO,SAAS,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC;QACb,CAAC;IACF,CAAC;IAED;;;OAGG;IACK,uBAAuB,CAAC,SAA2B;QAK1D,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,IAAI,GAAG,CACvB,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAmB,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAC9D,CAAC;QAEF,MAAM,KAAK,GAAuB,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAuB,EAAE,CAAC;QACxC,MAAM,OAAO,GAAuB,EAAE,CAAC;QAEvC,uCAAuC;QACvC,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC;YACnC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC3B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClB,CAAC;iBAAM,CAAC;gBACP,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACzC,IAAI,WAAW,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,CAAC;oBACvD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACrB,CAAC;YACF,CAAC;QACF,CAAC;QAED,4BAA4B;QAC5B,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,YAAY,EAAE,CAAC;YACvC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;gBACvB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpB,CAAC;QACF,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IACrC,CAAC;IAED;;;OAGG;IACK,yBAAyB,CAAC,SAA2B;QAC5D,MAAM,UAAU,GAAkC;YACjD,eAAe;YACf,oBAAoB;YACpB,4BAA4B;YAC5B,oBAAoB;YACpB,mBAAmB;YACnB,cAAc;YACd,sBAAsB;YACtB,qBAAqB;YACrB,wBAAwB;YACxB,gBAAgB;YAChB,oBAAoB;YACpB,kBAAkB;YAClB,mBAAmB;YACnB,SAAS;SACT,CAAC;QAEF,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC9B,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;gBACvD,OAAO,IAAI,CAAC;YACb,CAAC;QACF,CAAC;QACD,OAAO,KAAK,CAAC;IACd,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,IAAa,EAAE,IAAa;QAC7C,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACtD,CAAC;CACD"}
|
package/dist/EdgeWorker.d.ts
CHANGED
|
@@ -58,6 +58,14 @@ export declare class EdgeWorker extends EventEmitter {
|
|
|
58
58
|
private cyrusToolsMcpRegistered;
|
|
59
59
|
private cyrusToolsMcpRequestContext;
|
|
60
60
|
private cyrusToolsMcpSessions;
|
|
61
|
+
/** Validates webhook source IPs against known provider allowlists */
|
|
62
|
+
private webhookIpValidator;
|
|
63
|
+
/** Egress proxy for sandbox network traffic filtering and header injection */
|
|
64
|
+
private egressProxy;
|
|
65
|
+
/** Base SDK sandbox settings to pass to ClaudeRunner sessions (set when proxy starts) */
|
|
66
|
+
private sdkSandboxSettings;
|
|
67
|
+
/** CA cert path for MITM TLS termination (passed per-session env, not process.env) */
|
|
68
|
+
private egressCaCertPath;
|
|
61
69
|
/**
|
|
62
70
|
* Tracks recently processed issue-update webhook keys to prevent
|
|
63
71
|
* duplicate deliveries from Linear's at-least-once delivery.
|
|
@@ -176,6 +184,26 @@ export declare class EdgeWorker extends EventEmitter {
|
|
|
176
184
|
* Stop the edge worker
|
|
177
185
|
*/
|
|
178
186
|
stop(): Promise<void>;
|
|
187
|
+
/**
|
|
188
|
+
* Apply sandbox config changes from a config reload.
|
|
189
|
+
* Handles three transitions:
|
|
190
|
+
* - enabled → enabled: update network policy on the running proxy
|
|
191
|
+
* - disabled → enabled: start a new proxy
|
|
192
|
+
* - enabled → disabled: stop the running proxy
|
|
193
|
+
*/
|
|
194
|
+
private applySandboxConfigChanges;
|
|
195
|
+
/**
|
|
196
|
+
* Log instructions for trusting the egress proxy CA certificate.
|
|
197
|
+
* When systemWideCert is true, logs that env vars are skipped and trust
|
|
198
|
+
* is expected from the OS cert store. Otherwise logs env var list and
|
|
199
|
+
* checks macOS keychain trust status.
|
|
200
|
+
*/
|
|
201
|
+
private logCertTrustInstructions;
|
|
202
|
+
/**
|
|
203
|
+
* Check whether the Cyrus egress proxy CA is trusted at the OS level.
|
|
204
|
+
* macOS: searches the System keychain. Linux: checks update-ca-certificates output.
|
|
205
|
+
*/
|
|
206
|
+
private isCertTrustedSystemWide;
|
|
179
207
|
/**
|
|
180
208
|
* Set the config file path for dynamic reloading
|
|
181
209
|
*/
|
package/dist/EdgeWorker.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"EdgeWorker.d.ts","sourceRoot":"","sources":["../src/EdgeWorker.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"EdgeWorker.d.ts","sourceRoot":"","sources":["../src/EdgeWorker.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQ3C,OAAO,KAAK,EAQX,iBAAiB,EACjB,gBAAgB,EAMhB,KAAK,EAKL,gBAAgB,EAEhB,2BAA2B,EAQ3B,MAAM,YAAY,CAAC;AAqFpB,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAmB/D,OAAO,EACN,gBAAgB,EAEhB,MAAM,uBAAuB,CAAC;AAS/B,OAAO,KAAK,EAAoB,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAGrE,MAAM,CAAC,OAAO,WAAW,UAAU;IAClC,EAAE,CAAC,CAAC,SAAS,MAAM,gBAAgB,EAClC,KAAK,EAAE,CAAC,EACR,QAAQ,EAAE,gBAAgB,CAAC,CAAC,CAAC,GAC3B,IAAI,CAAC;IACR,IAAI,CAAC,CAAC,SAAS,MAAM,gBAAgB,EACpC,KAAK,EAAE,CAAC,EACR,GAAG,IAAI,EAAE,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,GACtC,OAAO,CAAC;CACX;AAMD;;;;;GAKG;AACH,qBAAa,UAAW,SAAQ,YAAY;IAC3C,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,YAAY,CAA4C;IAChE,OAAO,CAAC,mBAAmB,CAAsB;IACjD,OAAO,CAAC,aAAa,CAAyC;IAC9D,OAAO,CAAC,mBAAmB,CAAkC;IAC7D,OAAO,CAAC,aAAa,CAAgD;IACrE,OAAO,CAAC,oBAAoB,CAAqC;IACjE,OAAO,CAAC,oBAAoB,CAAqC;IACjE,OAAO,CAAC,sBAAsB,CAAuC;IACrE,OAAO,CAAC,oBAAoB,CAAqC;IACjE,OAAO,CAAC,mBAAmB,CAAoC;IAC/D,OAAO,CAAC,kBAAkB,CACpB;IACN,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,YAAY,CAA6B;IACjD,OAAO,CAAC,aAAa,CAA8B;IACnD,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,OAAO,CAAC,uBAAuB,CAA0B;IACzD,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,2CAA2C;IACpC,gBAAgB,EAAE,gBAAgB,CAAC;IAC1C,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,kBAAkB,CAAK;IAC/B,4EAA4E;IAC5E,OAAO,CAAC,sBAAsB,CAAyB;IACvD,qEAAqE;IACrE,OAAO,CAAC,iBAAiB,CAAoB;IAC7C,OAAO,CAAC,MAAM,CAAU;IAExB,OAAO,CAAC,iBAAiB,CAAoB;IAC7C,OAAO,CAAC,sBAAsB,CAAyB;IACvD,OAAO,CAAC,sBAAsB,CAAyB;IACvD,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,mBAAmB,CAAsB;IACjD,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAsB;IAC5D,OAAO,CAAC,uBAAuB,CAAS;IACxC,OAAO,CAAC,2BAA2B,CACY;IAC/C,OAAO,CAAC,qBAAqB,CAAuB;IACpD,qEAAqE;IACrE,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,8EAA8E;IAC9E,OAAO,CAAC,WAAW,CAA4B;IAC/C,yFAAyF;IACzF,OAAO,CAAC,kBAAkB,CAEX;IACf,sFAAsF;IACtF,OAAO,CAAC,gBAAgB,CAAuB;IAC/C;;;;OAIG;IACH,OAAO,CAAC,wBAAwB,CAAqB;gBAEzC,MAAM,EAAE,gBAAgB;IAiQpC;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAoF5B;;OAEG;YACW,oBAAoB;IAiIlC;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAY9B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAa/B;;;OAGG;IACH,OAAO,CAAC,4BAA4B;IAuEpC;;;OAGG;IACH,OAAO,CAAC,4BAA4B;IA+CpC;;;OAGG;IACH,OAAO,CAAC,2BAA2B;IA+FnC;;;;;OAKG;IACH;;;;;OAKG;YACW,kBAAkB;YAiBlB,mBAAmB;IA0TjC;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IAgBjC;;;;OAIG;YACW,iBAAiB;IAsD/B;;;OAGG;YACW,qBAAqB;IAqDnC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA8B/B;;OAEG;IACH,OAAO,CAAC,oCAAoC;IA2C5C;;OAEG;YACW,eAAe;IAiF7B;;;OAGG;YACW,mBAAmB;IA+QjC;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IAejC;;;OAGG;YACW,qBAAqB;IAoDnC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA+B/B;;OAEG;IACH,OAAO,CAAC,oCAAoC;IA2C5C;;OAEG;YACW,eAAe;IAiF7B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAsBrB;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAoD3B;;;;;;OAMG;YACW,yBAAyB;IAwDvC;;;;;OAKG;IACH,OAAO,CAAC,wBAAwB;IAgDhC;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAuB/B;;OAEG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAKvC;;;;OAIG;YACW,yBAAyB;IAmGvC;;;;;;;;OAQG;IACH,OAAO,CAAC,2BAA2B;IAwCnC;;OAEG;YACW,kBAAkB;IAkEhC;;OAEG;YACW,0BAA0B;IA2FxC;;OAEG;YACW,yBAAyB;IAqFvC;;OAEG;IACH,OAAO,CAAC,WAAW;IAKnB;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAO7B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAK3B;;OAEG;YACW,aAAa;IAsE3B;;;;;;OAMG;YACW,aAAa;IA8C3B;;;;;OAKG;YACW,yBAAyB;IAWvC;;;;;OAKG;YACW,uBAAuB;IAWrC;;;;;OAKG;YACW,uBAAuB;IAWrC;;;;;OAKG;YACW,0BAA0B;IAWxC;;;;;OAKG;YACW,qBAAqB;IASnC;;;OAGG;YACW,6BAA6B;IAyC3C;;OAEG;YACW,4BAA4B;IA8D1C;;;;;;;;;;;;;;;;;OAiBG;YACW,wBAAwB;IAwMtC;;;;;;OAMG;IACH,OAAO,CAAC,sBAAsB;IAoB9B;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAMnC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAWlC;;;;;;;;OAQG;YACW,uBAAuB;IAwKrC;;;;;OAKG;YACW,gCAAgC;IAiH9C;;;;;;;;;;;;;OAaG;YACW,qBAAqB;IAkOnC;;;;;;;OAOG;YACW,gBAAgB;IAiD9B;;;;;;;OAOG;YACW,iCAAiC;IA2D/C;;;;;OAKG;YACW,6BAA6B;IA0C3C;;;OAGG;YACW,4BAA4B;IA6M1C;;;;;;;;OAQG;YACW,+BAA+B;IAiI7C;;;;OAIG;YACW,qBAAqB;IA8BnC;;OAEG;YACW,mBAAmB;IAQjC;;;OAGG;YACW,iBAAiB;IAiB/B;;OAEG;YACW,gBAAgB;IAI9B;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IAIhC;;;OAGG;IACH,OAAO,CAAC,gCAAgC;IAMxC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAkB3B;;OAEG;YACW,+BAA+B;IAqB7C;;;;;;;;OAQG;YACW,kBAAkB;IAchC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAIhC;;OAEG;IACH,mBAAmB,IAAI,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC;IAY3C;;;OAGG;IACH,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG;IAKtC;;OAEG;IACG,cAAc,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAChD,WAAW,EAAE,MAAM,CAAC;QACpB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,mBAAmB,EAAE,MAAM,CAAC;KAC5B,CAAC;IAKF;;OAEG;IACH,aAAa,IAAI,MAAM;IAIvB;;OAEG;IACH,mBAAmB,IAAI,MAAM;IAI7B;;;;OAIG;YAEW,uBAAuB;IA+ErC;;OAEG;IAeH;;OAEG;YACW,WAAW;IAczB;;OAEG;IASH;;;;;OAKG;YACW,wBAAwB;IActC;;;;;;OAMG;YACW,0BAA0B;IAmBxC;;OAEG;IACH,OAAO,CAAC,6BAA6B;YASvB,6BAA6B;IA0G3C,OAAO,CAAC,uBAAuB;IAe/B,OAAO,CAAC,yBAAyB;YAgBnB,oCAAoC;IA2HlD,OAAO,CAAC,mBAAmB;IAW3B;;;;;;;;;;OAUG;YACW,kBAAkB;IAuChC;;;OAGG;YACW,cAAc;IAiB5B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAuB5B;;OAEG;YACW,qBAAqB;IA8FnC;;;;;OAKG;IACH,OAAO,CAAC,sBAAsB;IAoB9B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAmC/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAgB3B;;OAEG;YACW,sBAAsB;IAIpC;;OAEG;YACW,kCAAkC;IA8ChD;;;;OAIG;IACH;;;;OAIG;YACW,sBAAsB;IAqDpC;;;;;;;OAOG;IACH,OAAO,CAAC,6BAA6B;IAgBrC;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAe5B;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAezB;;OAEG;IACI,wBAAwB,CAC9B,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,MAAM,GACnB,GAAG,EAAE;IAQR;;;;;OAKG;IACH,OAAO,CAAC,eAAe;IAqBvB;;;;;;OAMG;YACW,iBAAiB;IA0C/B;;OAEG;YACW,kBAAkB;IAchC;;OAEG;YACW,kBAAkB;IAYhC;;OAEG;IACI,iBAAiB,IAAI,2BAA2B;IAqBvD;;OAEG;IACI,eAAe,CAAC,KAAK,EAAE,2BAA2B,GAAG,IAAI;IAmEhE;;;;;;OAMG;YACW,kBAAkB;IAQhC;;OAEG;YACW,yBAAyB;IAUvC;;OAEG;YACW,8BAA8B;IAU5C;;OAEG;YACW,mBAAmB;IAcjC;;;;;;;;;;;;;;;;;OAiBG;YACW,8BAA8B;IA0D5C;;OAEG;YACW,gCAAgC;IAc9C;;;;;;;;;;OAUG;IACG,kBAAkB,CACvB,OAAO,EAAE,iBAAiB,EAC1B,UAAU,EAAE,gBAAgB,EAC5B,SAAS,EAAE,MAAM,EACjB,mBAAmB,EAAE,mBAAmB,EACxC,UAAU,EAAE,MAAM,EAClB,kBAAkB,GAAE,MAAW,EAC/B,YAAY,GAAE,OAAe,EAC7B,4BAA4B,GAAE,MAAM,EAAO,EAC3C,iBAAiB,CAAC,EAAE,MAAM,EAC1B,QAAQ,CAAC,EAAE,MAAM,EACjB,aAAa,CAAC,EAAE,MAAM,EACtB,gBAAgB,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,IAAI,CAAC;IA+JhB;;OAEG;YACW,iCAAiC;IAY/C;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAQ7B;;OAEG;IACU,qBAAqB,CACjC,OAAO,EAAE,MAAM,EACf,iBAAiB,EAAE,MAAM,GACvB,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC;IAqCxB;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAmDxB;;OAEG;YACW,eAAe;CAqD7B"}
|
package/dist/EdgeWorker.js
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { AsyncLocalStorage } from "node:async_hooks";
|
|
2
|
+
import { execSync } from "node:child_process";
|
|
2
3
|
import { EventEmitter } from "node:events";
|
|
3
4
|
import { mkdir, readdir, readFile, writeFile } from "node:fs/promises";
|
|
4
5
|
import { basename, join } from "node:path";
|
|
@@ -6,7 +7,7 @@ import { LinearClient } from "@linear/sdk";
|
|
|
6
7
|
import { ClaudeRunner } from "cyrus-claude-runner";
|
|
7
8
|
import { CodexRunner } from "cyrus-codex-runner";
|
|
8
9
|
import { ConfigUpdater } from "cyrus-config-updater";
|
|
9
|
-
import { CLIIssueTrackerService, CLIRPCServer, createLogger, DEFAULT_PROXY_URL, isAgentSessionCreatedWebhook, isAgentSessionPromptedWebhook, isContentUpdateMessage, isIssueAssignedWebhook, isIssueCommentMentionWebhook, isIssueDeletedWebhook, isIssueNewCommentWebhook, isIssueStateChangeMessage, isIssueStateChangeWebhook, isIssueTitleOrDescriptionUpdateWebhook, isIssueUnassignedWebhook, isSessionStartMessage, isStopSignalMessage, isUnassignMessage, isUserPromptMessage, PersistenceManager, requireLinearWorkspaceId, resolvePath, } from "cyrus-core";
|
|
10
|
+
import { CLIIssueTrackerService, CLIRPCServer, createLogger, DEFAULT_PROXY_URL, isAgentSessionCreatedWebhook, isAgentSessionPromptedWebhook, isContentUpdateMessage, isIssueAssignedWebhook, isIssueCommentMentionWebhook, isIssueDeletedWebhook, isIssueNewCommentWebhook, isIssueStateChangeMessage, isIssueStateChangeWebhook, isIssueTitleOrDescriptionUpdateWebhook, isIssueUnassignedWebhook, isSessionStartMessage, isStopSignalMessage, isUnassignMessage, isUserPromptMessage, PersistenceManager, requireLinearWorkspaceId, resolvePath, WebhookIpValidator, } from "cyrus-core";
|
|
10
11
|
import { CursorRunner } from "cyrus-cursor-runner";
|
|
11
12
|
import { GeminiRunner } from "cyrus-gemini-runner";
|
|
12
13
|
import { extractCommentAuthor, extractCommentBody, extractCommentId, extractCommentUrl, extractPRBaseBranchRef, extractPRBranchRef, extractPRNumber, extractPRTitle, extractRepoFullName, extractRepoName, extractRepoOwner, extractSessionKey, GitHubAppTokenProvider, GitHubCommentService, GitHubEventTransport, isCommentOnPullRequest, isIssueCommentPayload, isPullRequestReviewCommentPayload, isPullRequestReviewPayload, stripMention, } from "cyrus-github-event-transport";
|
|
@@ -23,6 +24,7 @@ import { LiveChatRepositoryProvider } from "./ChatRepositoryProvider.js";
|
|
|
23
24
|
import { ChatSessionHandler } from "./ChatSessionHandler.js";
|
|
24
25
|
import { ConfigManager } from "./ConfigManager.js";
|
|
25
26
|
import { DefaultSkillsDeployer } from "./DefaultSkillsDeployer.js";
|
|
27
|
+
import { EgressProxy } from "./EgressProxy.js";
|
|
26
28
|
import { GitService } from "./GitService.js";
|
|
27
29
|
import { GlobalSessionRegistry } from "./GlobalSessionRegistry.js";
|
|
28
30
|
import { McpConfigService } from "./McpConfigService.js";
|
|
@@ -88,6 +90,14 @@ export class EdgeWorker extends EventEmitter {
|
|
|
88
90
|
cyrusToolsMcpRegistered = false;
|
|
89
91
|
cyrusToolsMcpRequestContext = new AsyncLocalStorage();
|
|
90
92
|
cyrusToolsMcpSessions = new Sessions();
|
|
93
|
+
/** Validates webhook source IPs against known provider allowlists */
|
|
94
|
+
webhookIpValidator;
|
|
95
|
+
/** Egress proxy for sandbox network traffic filtering and header injection */
|
|
96
|
+
egressProxy = null;
|
|
97
|
+
/** Base SDK sandbox settings to pass to ClaudeRunner sessions (set when proxy starts) */
|
|
98
|
+
sdkSandboxSettings = null;
|
|
99
|
+
/** CA cert path for MITM TLS termination (passed per-session env, not process.env) */
|
|
100
|
+
egressCaCertPath = null;
|
|
91
101
|
/**
|
|
92
102
|
* Tracks recently processed issue-update webhook keys to prevent
|
|
93
103
|
* duplicate deliveries from Linear's at-least-once delivery.
|
|
@@ -147,6 +157,19 @@ export class EdgeWorker extends EventEmitter {
|
|
|
147
157
|
return this.getIssueTrackerForWorkspace(linearWorkspaceId) ?? null;
|
|
148
158
|
},
|
|
149
159
|
});
|
|
160
|
+
// Initialize webhook IP validator
|
|
161
|
+
// Enabled by default in self-hosted mode (CYRUS_HOST_EXTERNAL=true),
|
|
162
|
+
// can be overridden with WEBHOOK_IP_VALIDATION=false to disable
|
|
163
|
+
const isExternalHost = process.env.CYRUS_HOST_EXTERNAL?.toLowerCase().trim() === "true";
|
|
164
|
+
const ipValidationEnv = process.env.WEBHOOK_IP_VALIDATION?.toLowerCase().trim();
|
|
165
|
+
const ipValidationEnabled = ipValidationEnv === "true" ||
|
|
166
|
+
(ipValidationEnv !== "false" && isExternalHost);
|
|
167
|
+
this.webhookIpValidator = new WebhookIpValidator({
|
|
168
|
+
enabled: ipValidationEnabled,
|
|
169
|
+
});
|
|
170
|
+
if (ipValidationEnabled) {
|
|
171
|
+
this.logger.info("Webhook IP validation enabled");
|
|
172
|
+
}
|
|
150
173
|
// Initialize shared application server
|
|
151
174
|
const serverPort = config.serverPort || config.webhookPort || 3456;
|
|
152
175
|
const serverHost = config.serverHost || "localhost";
|
|
@@ -261,14 +284,48 @@ export class EdgeWorker extends EventEmitter {
|
|
|
261
284
|
await this.addNewRepositories(changes.added);
|
|
262
285
|
// Detect and apply workspace token changes before overwriting config
|
|
263
286
|
this.updateLinearWorkspaceTokens(changes.newConfig);
|
|
287
|
+
// Live-update sandbox / egress proxy settings
|
|
288
|
+
await this.applySandboxConfigChanges(changes.newConfig);
|
|
264
289
|
this.config = changes.newConfig;
|
|
265
290
|
this.configManager.setConfig(changes.newConfig);
|
|
266
291
|
this.runnerSelectionService.setConfig(changes.newConfig);
|
|
267
292
|
this.toolPermissionResolver.setConfig(changes.newConfig);
|
|
268
293
|
});
|
|
269
294
|
this.configManager.startConfigWatcher();
|
|
295
|
+
// Start egress proxy if sandbox is enabled.
|
|
296
|
+
// The proxy intercepts Bash-spawned subprocess traffic only (git, gh, npm, etc.).
|
|
297
|
+
// Claude's inference API, MCP servers, and built-in file tools bypass the proxy.
|
|
298
|
+
if (this.config.sandbox?.enabled) {
|
|
299
|
+
this.logger.info("🛡️ Sandbox egress proxy: starting...");
|
|
300
|
+
this.egressProxy = new EgressProxy(this.config.sandbox, this.cyrusHome, this.logger);
|
|
301
|
+
await this.egressProxy.start();
|
|
302
|
+
// Store base SDK sandbox settings — merged per-session with worktree path
|
|
303
|
+
this.sdkSandboxSettings = {
|
|
304
|
+
enabled: true,
|
|
305
|
+
network: {
|
|
306
|
+
httpProxyPort: this.egressProxy.getHttpProxyPort(),
|
|
307
|
+
socksProxyPort: this.egressProxy.getSocksProxyPort(),
|
|
308
|
+
},
|
|
309
|
+
};
|
|
310
|
+
const systemWideCert = this.config.sandbox?.systemWideCert === true;
|
|
311
|
+
this.logCertTrustInstructions(this.egressProxy.getCACertPath(), systemWideCert);
|
|
312
|
+
// When systemWideCert is true, the OS cert store handles trust
|
|
313
|
+
// for all tools — skip per-session cert env vars.
|
|
314
|
+
if (!systemWideCert) {
|
|
315
|
+
this.egressCaCertPath = this.egressProxy.buildCACertBundle();
|
|
316
|
+
}
|
|
317
|
+
}
|
|
318
|
+
else {
|
|
319
|
+
this.logger.info("🛡️ Sandbox egress proxy: disabled (set sandbox.enabled=true in config.json to enable)");
|
|
320
|
+
}
|
|
270
321
|
// Initialize and register components BEFORE starting server (routes must be registered before listen())
|
|
271
322
|
await this.initializeComponents();
|
|
323
|
+
// Refresh GitHub webhook allowlist from /meta API (non-blocking)
|
|
324
|
+
if (this.webhookIpValidator.isEnabled()) {
|
|
325
|
+
this.webhookIpValidator.refreshGitHubAllowlist().catch((error) => {
|
|
326
|
+
this.logger.warn("Failed to refresh GitHub webhook allowlist", error instanceof Error ? error : new Error(String(error)));
|
|
327
|
+
});
|
|
328
|
+
}
|
|
272
329
|
// Start shared application server (this also starts Cloudflare tunnel if CLOUDFLARE_TOKEN is set)
|
|
273
330
|
await this.sharedApplicationServer.start();
|
|
274
331
|
}
|
|
@@ -322,6 +379,9 @@ export class EdgeWorker extends EventEmitter {
|
|
|
322
379
|
fastifyServer: this.sharedApplicationServer.getFastifyInstance(),
|
|
323
380
|
verificationMode,
|
|
324
381
|
secret,
|
|
382
|
+
ipAllowlist: verificationMode === "direct" && this.webhookIpValidator.isEnabled()
|
|
383
|
+
? this.webhookIpValidator.getAllowlist("linear")
|
|
384
|
+
: undefined,
|
|
325
385
|
});
|
|
326
386
|
// Listen for legacy webhook events (deprecated, kept for backward compatibility)
|
|
327
387
|
this.linearEventTransport.on("event", (event) => {
|
|
@@ -410,6 +470,9 @@ export class EdgeWorker extends EventEmitter {
|
|
|
410
470
|
fastifyServer: this.sharedApplicationServer.getFastifyInstance(),
|
|
411
471
|
verificationMode,
|
|
412
472
|
secret,
|
|
473
|
+
ipAllowlist: useSignatureVerification && this.webhookIpValidator.isEnabled()
|
|
474
|
+
? this.webhookIpValidator.getAllowlist("github")
|
|
475
|
+
: undefined,
|
|
413
476
|
});
|
|
414
477
|
// Listen for legacy GitHub webhook events (deprecated, kept for backward compatibility)
|
|
415
478
|
this.gitHubEventTransport.on("event", (event) => {
|
|
@@ -1435,9 +1498,121 @@ ${taskSection}`;
|
|
|
1435
1498
|
this.mcpConfigService.clearAllContexts();
|
|
1436
1499
|
this.cyrusToolsMcpSessions.removeAllListeners();
|
|
1437
1500
|
this.cyrusToolsMcpRegistered = false;
|
|
1501
|
+
// Stop egress proxy
|
|
1502
|
+
if (this.egressProxy) {
|
|
1503
|
+
await this.egressProxy.stop();
|
|
1504
|
+
this.egressProxy = null;
|
|
1505
|
+
this.sdkSandboxSettings = null;
|
|
1506
|
+
this.egressCaCertPath = null;
|
|
1507
|
+
}
|
|
1438
1508
|
// Stop shared application server (this also stops Cloudflare tunnel if running)
|
|
1439
1509
|
await this.sharedApplicationServer.stop();
|
|
1440
1510
|
}
|
|
1511
|
+
/**
|
|
1512
|
+
* Apply sandbox config changes from a config reload.
|
|
1513
|
+
* Handles three transitions:
|
|
1514
|
+
* - enabled → enabled: update network policy on the running proxy
|
|
1515
|
+
* - disabled → enabled: start a new proxy
|
|
1516
|
+
* - enabled → disabled: stop the running proxy
|
|
1517
|
+
*/
|
|
1518
|
+
async applySandboxConfigChanges(newConfig) {
|
|
1519
|
+
const wasEnabled = this.egressProxy !== null;
|
|
1520
|
+
const isEnabled = newConfig.sandbox?.enabled === true;
|
|
1521
|
+
if (wasEnabled && isEnabled) {
|
|
1522
|
+
// Policy update — proxy stays running, rules change
|
|
1523
|
+
// Pass current policy (or empty object to reset to allow-all)
|
|
1524
|
+
this.egressProxy.updateNetworkPolicy(newConfig.sandbox?.networkPolicy ?? {});
|
|
1525
|
+
// Handle systemWideCert toggling while proxy is running
|
|
1526
|
+
if (newConfig.sandbox?.systemWideCert) {
|
|
1527
|
+
this.egressCaCertPath = null;
|
|
1528
|
+
}
|
|
1529
|
+
else if (!this.egressCaCertPath) {
|
|
1530
|
+
this.egressCaCertPath = this.egressProxy.buildCACertBundle();
|
|
1531
|
+
}
|
|
1532
|
+
}
|
|
1533
|
+
else if (!wasEnabled && isEnabled) {
|
|
1534
|
+
// Start proxy for the first time
|
|
1535
|
+
this.logger.info("🛡️ Sandbox egress proxy: starting (config change)...");
|
|
1536
|
+
this.egressProxy = new EgressProxy(newConfig.sandbox, this.cyrusHome, this.logger);
|
|
1537
|
+
await this.egressProxy.start();
|
|
1538
|
+
this.sdkSandboxSettings = {
|
|
1539
|
+
enabled: true,
|
|
1540
|
+
network: {
|
|
1541
|
+
httpProxyPort: this.egressProxy.getHttpProxyPort(),
|
|
1542
|
+
socksProxyPort: this.egressProxy.getSocksProxyPort(),
|
|
1543
|
+
},
|
|
1544
|
+
};
|
|
1545
|
+
const systemWideCert = newConfig.sandbox?.systemWideCert === true;
|
|
1546
|
+
this.logCertTrustInstructions(this.egressProxy.getCACertPath(), systemWideCert);
|
|
1547
|
+
if (!systemWideCert) {
|
|
1548
|
+
this.egressCaCertPath = this.egressProxy.buildCACertBundle();
|
|
1549
|
+
}
|
|
1550
|
+
}
|
|
1551
|
+
else if (wasEnabled && !isEnabled) {
|
|
1552
|
+
// Stop proxy
|
|
1553
|
+
this.logger.info("🛡️ Sandbox egress proxy: stopping (disabled in config)");
|
|
1554
|
+
await this.egressProxy.stop();
|
|
1555
|
+
this.egressProxy = null;
|
|
1556
|
+
this.sdkSandboxSettings = null;
|
|
1557
|
+
this.egressCaCertPath = null;
|
|
1558
|
+
}
|
|
1559
|
+
}
|
|
1560
|
+
/**
|
|
1561
|
+
* Log instructions for trusting the egress proxy CA certificate.
|
|
1562
|
+
* When systemWideCert is true, logs that env vars are skipped and trust
|
|
1563
|
+
* is expected from the OS cert store. Otherwise logs env var list and
|
|
1564
|
+
* checks macOS keychain trust status.
|
|
1565
|
+
*/
|
|
1566
|
+
logCertTrustInstructions(certPath, systemWideCert = false) {
|
|
1567
|
+
this.logger.info(`🛡️ Sandbox TLS interception CA certificate: ${certPath}`);
|
|
1568
|
+
if (systemWideCert) {
|
|
1569
|
+
this.logger.info("🛡️ systemWideCert: true — per-session CA cert env vars are skipped (OS cert store handles trust)");
|
|
1570
|
+
}
|
|
1571
|
+
else {
|
|
1572
|
+
this.logger.info("🛡️ Per-session env vars are set automatically: NODE_EXTRA_CA_CERTS, GIT_SSL_CAINFO, SSL_CERT_FILE, REQUESTS_CA_BUNDLE, PIP_CERT, CURL_CA_BUNDLE, CARGO_HTTP_CAINFO, AWS_CA_BUNDLE, DENO_CERT");
|
|
1573
|
+
}
|
|
1574
|
+
const trusted = this.isCertTrustedSystemWide();
|
|
1575
|
+
if (trusted) {
|
|
1576
|
+
this.logger.info("🛡️ CA certificate is trusted system-wide ✓");
|
|
1577
|
+
if (!systemWideCert) {
|
|
1578
|
+
this.logger.info("🛡️ Tip: set sandbox.systemWideCert: true in config.json to skip per-session cert env vars");
|
|
1579
|
+
}
|
|
1580
|
+
}
|
|
1581
|
+
else {
|
|
1582
|
+
if (process.platform === "darwin") {
|
|
1583
|
+
this.logger.warn("🛡️ CA certificate is NOT trusted in the macOS System keychain. To trust (requires sudo):");
|
|
1584
|
+
this.logger.warn(`🛡️ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ${certPath}`);
|
|
1585
|
+
}
|
|
1586
|
+
else if (process.platform === "linux") {
|
|
1587
|
+
this.logger.warn("🛡️ CA certificate is NOT trusted system-wide. To trust (requires sudo):");
|
|
1588
|
+
this.logger.warn(`🛡️ sudo cp ${certPath} /usr/local/share/ca-certificates/cyrus-egress-ca.crt && sudo update-ca-certificates`);
|
|
1589
|
+
}
|
|
1590
|
+
if (systemWideCert) {
|
|
1591
|
+
this.logger.warn("🛡️ systemWideCert is true but cert is not trusted — tools using the OS cert store will fail TLS verification");
|
|
1592
|
+
}
|
|
1593
|
+
}
|
|
1594
|
+
}
|
|
1595
|
+
/**
|
|
1596
|
+
* Check whether the Cyrus egress proxy CA is trusted at the OS level.
|
|
1597
|
+
* macOS: searches the System keychain. Linux: checks update-ca-certificates output.
|
|
1598
|
+
*/
|
|
1599
|
+
isCertTrustedSystemWide() {
|
|
1600
|
+
try {
|
|
1601
|
+
if (process.platform === "darwin") {
|
|
1602
|
+
execSync('security find-certificate -c "Cyrus Egress Proxy CA" /Library/Keychains/System.keychain', { stdio: "ignore" });
|
|
1603
|
+
return true;
|
|
1604
|
+
}
|
|
1605
|
+
if (process.platform === "linux") {
|
|
1606
|
+
// Check if our cert exists in the system CA certificates directory
|
|
1607
|
+
execSync("test -f /usr/local/share/ca-certificates/cyrus-egress-ca.crt", { stdio: "ignore" });
|
|
1608
|
+
return true;
|
|
1609
|
+
}
|
|
1610
|
+
return false;
|
|
1611
|
+
}
|
|
1612
|
+
catch {
|
|
1613
|
+
return false;
|
|
1614
|
+
}
|
|
1615
|
+
}
|
|
1441
1616
|
/**
|
|
1442
1617
|
* Set the config file path for dynamic reloading
|
|
1443
1618
|
*/
|
|
@@ -3511,6 +3686,8 @@ ${input.userComment}
|
|
|
3511
3686
|
cyrusHome: this.cyrusHome,
|
|
3512
3687
|
logger: log,
|
|
3513
3688
|
plugins: await this.skillsPluginResolver.resolve(),
|
|
3689
|
+
sandboxSettings: this.sdkSandboxSettings ?? undefined,
|
|
3690
|
+
egressCaCertPath: this.egressCaCertPath ?? undefined,
|
|
3514
3691
|
onMessage: (message) => {
|
|
3515
3692
|
this.handleClaudeMessage(sessionId, message, repository.id);
|
|
3516
3693
|
},
|