cyrus-edge-worker 0.2.44 → 0.2.46
- package/dist/ConfigManager.d.ts.map +1 -1
- package/dist/ConfigManager.js +3 -0
- package/dist/ConfigManager.js.map +1 -1
- package/dist/EdgeWorker.d.ts +32 -0
- package/dist/EdgeWorker.d.ts.map +1 -1
- package/dist/EdgeWorker.js +224 -70
- package/dist/EdgeWorker.js.map +1 -1
- package/dist/EgressProxy.d.ts +158 -0
- package/dist/EgressProxy.d.ts.map +1 -0
- package/dist/EgressProxy.js +699 -0
- package/dist/EgressProxy.js.map +1 -0
- package/dist/GitService.d.ts +4 -6
- package/dist/GitService.d.ts.map +1 -1
- package/dist/GitService.js +16 -12
- package/dist/GitService.js.map +1 -1
- package/dist/McpConfigService.d.ts.map +1 -1
- package/dist/McpConfigService.js +8 -1
- package/dist/McpConfigService.js.map +1 -1
- package/dist/PromptBuilder.d.ts +2 -4
- package/dist/PromptBuilder.d.ts.map +1 -1
- package/dist/PromptBuilder.js +3 -9
- package/dist/PromptBuilder.js.map +1 -1
- package/dist/RunnerConfigBuilder.d.ts +12 -1
- package/dist/RunnerConfigBuilder.d.ts.map +1 -1
- package/dist/RunnerConfigBuilder.js +49 -0
- package/dist/RunnerConfigBuilder.js.map +1 -1
- package/dist/SharedApplicationServer.d.ts.map +1 -1
- package/dist/SharedApplicationServer.js +1 -0
- package/dist/SharedApplicationServer.js.map +1 -1
- package/dist/cyrus-skills-plugin/skills/verify-and-ship/SKILL.md +14 -2
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/dist/prompts/builder.md +4 -4
- package/dist/prompts/debugger.md +4 -4
- package/dist/prompts/scoper.md +5 -5
- package/dist/prompts/todolist-system-prompt-extension.md +6 -6
- package/package.json +18 -16
- package/prompt-template.md +5 -5
- package/prompts/builder.md +4 -4
- package/prompts/debugger.md +4 -4
- package/prompts/scoper.md +5 -5
- package/prompts/todolist-system-prompt-extension.md +6 -6
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ConfigManager.d.ts","sourceRoot":"","sources":["../src/ConfigManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9E;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IACjC,KAAK,EAAE,gBAAgB,EAAE,CAAC;IAC1B,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7B,OAAO,EAAE,gBAAgB,EAAE,CAAC;IAC5B,yEAAyE;IACzE,SAAS,EAAE,gBAAgB,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IACnC,aAAa,EAAE,CAAC,OAAO,EAAE,iBAAiB,KAAK,IAAI,CAAC;CACpD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,aAAc,SAAQ,YAAY;IAC9C,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,yEAAyE;IACzE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAgC;IAC7D,OAAO,CAAC,aAAa,CAAC,CAAY;gBAGjC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,OAAO,EACf,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAa5C;;;;OAIG;IACH,kBAAkB,IAAI,IAAI;IA2B1B;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ3B;;OAEG;IACH,SAAS,IAAI,gBAAgB;IAI7B;;;;;OAKG;IACH,SAAS,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI;IAIzC;;OAEG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAQvC;;OAEG;YACW,kBAAkB;IA2ChC;;;OAGG;YACW,gBAAgB;
|
|
1
|
+
{"version":3,"file":"ConfigManager.d.ts","sourceRoot":"","sources":["../src/ConfigManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,OAAO,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9E;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IACjC,KAAK,EAAE,gBAAgB,EAAE,CAAC;IAC1B,QAAQ,EAAE,gBAAgB,EAAE,CAAC;IAC7B,OAAO,EAAE,gBAAgB,EAAE,CAAC;IAC5B,yEAAyE;IACzE,SAAS,EAAE,gBAAgB,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IACnC,aAAa,EAAE,CAAC,OAAO,EAAE,iBAAiB,KAAK,IAAI,CAAC;CACpD;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,aAAc,SAAQ,YAAY;IAC9C,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,yEAAyE;IACzE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAgC;IAC7D,OAAO,CAAC,aAAa,CAAC,CAAY;gBAGjC,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,OAAO,EACf,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAa5C;;;;OAIG;IACH,kBAAkB,IAAI,IAAI;IA2B1B;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ3B;;OAEG;IACH,SAAS,IAAI,gBAAgB;IAI7B;;;;;OAKG;IACH,SAAS,CAAC,MAAM,EAAE,gBAAgB,GAAG,IAAI;IAIzC;;OAEG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAQvC;;OAEG;YACW,kBAAkB;IA2ChC;;;OAGG;YACW,gBAAgB;IAiF9B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAoC/B;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IA0BjC;;OAEG;IACH,OAAO,CAAC,SAAS;CAGjB"}
|
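--- a/package/dist/ConfigManager.js
+++ b/package/dist/ConfigManager.js
@@ -174,6 +174,8 @@ export class ConfigManager extends EventEmitter {
 // Issue update trigger: use parsed value if explicitly set,
 // otherwise keep current or default to true
 issueUpdateTrigger: parsedConfig.issueUpdateTrigger ?? this.config.issueUpdateTrigger,
+// Sandbox / egress proxy config
+sandbox: parsedConfig.sandbox ?? this.config.sandbox,
 };
 // Basic validation
 if (!Array.isArray(newConfig.repositories)) {
@@ -246,6 +248,7 @@ export class ConfigManager extends EventEmitter {
 "issueUpdateTrigger",
 "linearWorkspaces",
 "userAccessControl",
+"sandbox",
 ];
 for (const key of globalKeys) {
 if (!this.deepEqual(this.config[key], newConfig[key])) {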
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ConfigManager.js","sourceRoot":"","sources":["../src/ConfigManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,KAAK,IAAI,aAAa,EAAkB,MAAM,UAAU,CAAC;AAsBlE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,aAAc,SAAQ,YAAY;IACtC,MAAM,CAAmB;IAChB,MAAM,CAAU;IACzB,UAAU,CAAU;IAC5B,yEAAyE;IACxD,YAAY,CAAgC;IACrD,aAAa,CAAa;IAElC,YACC,MAAwB,EACxB,MAAe,EACf,UAA8B,EAC9B,YAA2C;QAE3C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IAClC,CAAC;IAED,qEAAqE;IACrE,aAAa;IACb,qEAAqE;IAErE;;;;OAIG;IACH,kBAAkB;QACjB,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YACzE,OAAO;QACR,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAE5E,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE;YACnD,UAAU,EAAE,IAAI;YAChB,aAAa,EAAE,IAAI;YACnB,gBAAgB,EAAE;gBACjB,kBAAkB,EAAE,GAAG;gBACvB,YAAY,EAAE,GAAG;aACjB;SACD,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACzD,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAc,EAAE,EAAE;YACjD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI;QACT,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC;YAC/B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;IACF,CAAC;IAED;;OAEG;IACH,SAAS;QACR,OAAO,IAAI,CAAC,MAAM,CAAC;IACpB,CAAC;IAED;;;;;OAKG;IACH,SAAS,CAAC,MAAwB;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,UAAkB;QAC/B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC9B,CAAC;IAED,qEAAqE;IACrE,mBAAmB;IACnB,qEAAqE;IAErE;;OAEG;IACK,KAAK,CAAC,kBAAkB;QAC/B,IAAI,CAAC;YACJ,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAChD,IAAI,CAAC,SAAS,
EAAE,CAAC;gBAChB,OAAO;YACR,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;YAExD,MAAM,cAAc,GACnB,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;gBACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;gBAC3B,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;YAE5B,gDAAgD;YAChD,MAAM,gBAAgB,GAAG,IAAI,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;YAEnE,IAAI,CAAC,cAAc,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;gBACnD,OAAO;YACR,CAAC;YAED,IAAI,cAAc,EAAE,CAAC;gBACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,mCAAmC,OAAO,CAAC,KAAK,CAAC,MAAM,WAAW,OAAO,CAAC,QAAQ,CAAC,MAAM,cAAc,OAAO,CAAC,OAAO,CAAC,MAAM,UAAU,CACvI,CAAC;YACH,CAAC;YACD,IAAI,gBAAgB,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;YACvD,CAAC;YAED,6DAA6D;YAC7D,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;gBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,SAAS;aACmB,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;QAC/D,CAAC;IACF,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,gBAAgB;QAC7B,IAAI,CAAC;YACJ,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;gBAC1C,OAAO,IAAI,CAAC;YACb,CAAC;YAED,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC/D,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YAE/C,iDAAiD;YACjD,MAAM,SAAS,GAAqB;gBACnC,GAAG,IAAI,CAAC,MAAM;gBACd,YAAY,EAAE,YAAY,CAAC,YAAY,IAAI,EAAE;gBAC7C,cAAc,EACb,YAAY,CAAC,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc;gBAC1D,gBAAgB,EACf,YAAY,CAAC,gBAAgB,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB;gBAC9D,kBAAkB,EACjB,YAAY,CAAC,kBAAkB;oBAC/B,YAAY,CAAC,YAAY;oBACzB,IAAI,CAAC,MAAM,CAAC,kBAAkB;oBAC9B,IAAI,CAAC,MAAM,CAAC,YAAY;gBACzB,0BAA0B,EACzB,YAAY,CAAC,0BAA0B;oBACvC,YAAY,CAAC,oBAAoB;oBACjC,IAAI,CAAC,MAAM,CAAC,0BAA0B;oBACtC,IAAI,CAAC,MAAM,CAAC,oBAAoB;gBACjC,kBAAkB,EACjB,YAAY,CAAC,kBAAkB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;gBAClE,iBAAiB,EAChB,YAAY,CAAC,iBAAiB,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB;gBAChE,aAAa,EAAE,YAAY,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa;gBACtE,cAAc,EAC
b,YAAY,CAAC,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc;gBAC1D,4DAA4D;gBAC5D,YAAY,EAAE,YAAY,CAAC,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY;gBACnE,oBAAoB,EACnB,YAAY,CAAC,oBAAoB,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB;gBACtE,mBAAmB,EAClB,YAAY,CAAC,mBAAmB,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB;gBACpE,sBAAsB,EACrB,YAAY,CAAC,sBAAsB;oBACnC,IAAI,CAAC,MAAM,CAAC,sBAAsB;gBACnC,4DAA4D;gBAC5D,4CAA4C;gBAC5C,kBAAkB,EACjB,YAAY,CAAC,kBAAkB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;
|
|
1
|
+
{"version":3,"file":"ConfigManager.js","sourceRoot":"","sources":["../src/ConfigManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,KAAK,IAAI,aAAa,EAAkB,MAAM,UAAU,CAAC;AAsBlE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,aAAc,SAAQ,YAAY;IACtC,MAAM,CAAmB;IAChB,MAAM,CAAU;IACzB,UAAU,CAAU;IAC5B,yEAAyE;IACxD,YAAY,CAAgC;IACrD,aAAa,CAAa;IAElC,YACC,MAAwB,EACxB,MAAe,EACf,UAA8B,EAC9B,YAA2C;QAE3C,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IAClC,CAAC;IAED,qEAAqE;IACrE,aAAa;IACb,qEAAqE;IAErE;;;;OAIG;IACH,kBAAkB;QACjB,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YACzE,OAAO;QACR,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAE5E,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE;YACnD,UAAU,EAAE,IAAI;YAChB,aAAa,EAAE,IAAI;YACnB,gBAAgB,EAAE;gBACjB,kBAAkB,EAAE,GAAG;gBACvB,YAAY,EAAE,GAAG;aACjB;SACD,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;YAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACzD,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAc,EAAE,EAAE;YACjD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI;QACT,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC;YAC/B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;IACF,CAAC;IAED;;OAEG;IACH,SAAS;QACR,OAAO,IAAI,CAAC,MAAM,CAAC;IACpB,CAAC;IAED;;;;;OAKG;IACH,SAAS,CAAC,MAAwB;QACjC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,UAAkB;QAC/B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC9B,CAAC;IAED,qEAAqE;IACrE,mBAAmB;IACnB,qEAAqE;IAErE;;OAEG;IACK,KAAK,CAAC,kBAAkB;QAC/B,IAAI,CAAC;YACJ,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAChD,IAAI,CAAC,SAAS,
EAAE,CAAC;gBAChB,OAAO;YACR,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;YAExD,MAAM,cAAc,GACnB,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;gBACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;gBAC3B,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;YAE5B,gDAAgD;YAChD,MAAM,gBAAgB,GAAG,IAAI,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;YAEnE,IAAI,CAAC,cAAc,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;gBACnD,OAAO;YACR,CAAC;YAED,IAAI,cAAc,EAAE,CAAC;gBACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,mCAAmC,OAAO,CAAC,KAAK,CAAC,MAAM,WAAW,OAAO,CAAC,QAAQ,CAAC,MAAM,cAAc,OAAO,CAAC,OAAO,CAAC,MAAM,UAAU,CACvI,CAAC;YACH,CAAC;YACD,IAAI,gBAAgB,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;YACvD,CAAC;YAED,6DAA6D;YAC7D,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE;gBAC1B,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,SAAS;aACmB,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;QAC/D,CAAC;IACF,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,gBAAgB;QAC7B,IAAI,CAAC;YACJ,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;gBAC1C,OAAO,IAAI,CAAC;YACb,CAAC;YAED,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC/D,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;YAE/C,iDAAiD;YACjD,MAAM,SAAS,GAAqB;gBACnC,GAAG,IAAI,CAAC,MAAM;gBACd,YAAY,EAAE,YAAY,CAAC,YAAY,IAAI,EAAE;gBAC7C,cAAc,EACb,YAAY,CAAC,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc;gBAC1D,gBAAgB,EACf,YAAY,CAAC,gBAAgB,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB;gBAC9D,kBAAkB,EACjB,YAAY,CAAC,kBAAkB;oBAC/B,YAAY,CAAC,YAAY;oBACzB,IAAI,CAAC,MAAM,CAAC,kBAAkB;oBAC9B,IAAI,CAAC,MAAM,CAAC,YAAY;gBACzB,0BAA0B,EACzB,YAAY,CAAC,0BAA0B;oBACvC,YAAY,CAAC,oBAAoB;oBACjC,IAAI,CAAC,MAAM,CAAC,0BAA0B;oBACtC,IAAI,CAAC,MAAM,CAAC,oBAAoB;gBACjC,kBAAkB,EACjB,YAAY,CAAC,kBAAkB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;gBAClE,iBAAiB,EAChB,YAAY,CAAC,iBAAiB,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB;gBAChE,aAAa,EAAE,YAAY,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa;gBACtE,cAAc,EAC
b,YAAY,CAAC,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,cAAc;gBAC1D,4DAA4D;gBAC5D,YAAY,EAAE,YAAY,CAAC,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY;gBACnE,oBAAoB,EACnB,YAAY,CAAC,oBAAoB,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB;gBACtE,mBAAmB,EAClB,YAAY,CAAC,mBAAmB,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB;gBACpE,sBAAsB,EACrB,YAAY,CAAC,sBAAsB;oBACnC,IAAI,CAAC,MAAM,CAAC,sBAAsB;gBACnC,4DAA4D;gBAC5D,4CAA4C;gBAC5C,kBAAkB,EACjB,YAAY,CAAC,kBAAkB,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;gBAClE,gCAAgC;gBAChC,OAAO,EAAE,YAAY,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO;aACpD,CAAC;YAEF,mBAAmB;YACnB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC5C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;gBACrE,OAAO,IAAI,CAAC;YACb,CAAC;YAED,+CAA+C;YAC/C,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;gBAC3C,IACC,CAAC,IAAI,CAAC,EAAE;oBACR,CAAC,IAAI,CAAC,IAAI;oBACV,CAAC,IAAI,CAAC,cAAc;oBACpB,CAAC,IAAI,CAAC,UAAU,EACf,CAAC;oBACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAChB,6FAA6F,EAC7F,IAAI,CACJ,CAAC;oBACF,OAAO,IAAI,CAAC;gBACb,CAAC;YACF,CAAC;YAED,OAAO,SAAS,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC;QACb,CAAC;IACF,CAAC;IAED;;;OAGG;IACK,uBAAuB,CAAC,SAA2B;QAK1D,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,IAAI,GAAG,CACvB,SAAS,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAmB,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAC9D,CAAC;QAEF,MAAM,KAAK,GAAuB,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAuB,EAAE,CAAC;QACxC,MAAM,OAAO,GAAuB,EAAE,CAAC;QAEvC,uCAAuC;QACvC,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC;YACnC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC3B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClB,CAAC;iBAAM,CAAC;gBACP,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACzC,IAAI,WAAW,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,CAAC;oBACvD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACrB,CAAC;YACF,CAAC;QACF,CAAC;QAED,4BAA4B;QAC5B,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,YAAY,EAAE,CAAC;YACvC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC
vB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpB,CAAC;QACF,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IACrC,CAAC;IAED;;;OAGG;IACK,yBAAyB,CAAC,SAA2B;QAC5D,MAAM,UAAU,GAAkC;YACjD,eAAe;YACf,oBAAoB;YACpB,4BAA4B;YAC5B,oBAAoB;YACpB,mBAAmB;YACnB,cAAc;YACd,sBAAsB;YACtB,qBAAqB;YACrB,wBAAwB;YACxB,gBAAgB;YAChB,oBAAoB;YACpB,kBAAkB;YAClB,mBAAmB;YACnB,SAAS;SACT,CAAC;QAEF,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC9B,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;gBACvD,OAAO,IAAI,CAAC;YACb,CAAC;QACF,CAAC;QACD,OAAO,KAAK,CAAC;IACd,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,IAAa,EAAE,IAAa;QAC7C,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACtD,CAAC;CACD"}
|
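--- a/package/dist/EdgeWorker.d.ts
+++ b/package/dist/EdgeWorker.d.ts
@@ -58,6 +58,14 @@ export declare class EdgeWorker extends EventEmitter {
 private cyrusToolsMcpRegistered;
 private cyrusToolsMcpRequestContext;
 private cyrusToolsMcpSessions;
+/** Validates webhook source IPs against known provider allowlists */
+private webhookIpValidator;
+/** Egress proxy for sandbox network traffic filtering and header injection */
+private egressProxy;
+/** Base SDK sandbox settings to pass to ClaudeRunner sessions (set when proxy starts) */
+private sdkSandboxSettings;
+/** CA cert path for MITM TLS termination (passed per-session env, not process.env) */
+private egressCaCertPath;
 /**
 * Tracks recently processed issue-update webhook keys to prevent
 * duplicate deliveries from Linear's at-least-once delivery.
@@ -176,6 +184,26 @@ export declare class EdgeWorker extends EventEmitter {
 * Stop the edge worker
 */
 stop(): Promise<void>;
+/**
+* Apply sandbox config changes from a config reload.
+* Handles three transitions:
+* - enabled → enabled: update network policy on the running proxy
+* - disabled → enabled: start a new proxy
+* - enabled → disabled: stop the running proxy
+*/
+private applySandboxConfigChanges;
+/**
+* Log instructions for trusting the egress proxy CA certificate.
+* When systemWideCert is true, logs that env vars are skipped and trust
+* is expected from the OS cert store. Otherwise logs env var list and
+* checks macOS keychain trust status.
+*/
+private logCertTrustInstructions;
+/**
+* Check whether the Cyrus egress proxy CA is trusted at the OS level.
+* macOS: searches the System keychain. Linux: checks update-ca-certificates output.
+*/
+private isCertTrustedSystemWide;
 /**
 * Set the config file path for dynamic reloading
 */
@@ -308,6 +336,10 @@ export declare class EdgeWorker extends EventEmitter {
 * Get issue tracker for a workspace (direct lookup by workspace ID)
 */
 private getIssueTrackerForWorkspace;
+/**
+* Get the activity sink for a repository by looking up its workspace.
+*/
+private getActivitySinkForRepo;
 /**
 * Get the Linear API token for a workspace from workspace-level config.
 */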
|
package/dist/EdgeWorker.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"EdgeWorker.d.ts","sourceRoot":"","sources":["../src/EdgeWorker.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"EdgeWorker.d.ts","sourceRoot":"","sources":["../src/EdgeWorker.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQ3C,OAAO,KAAK,EAQX,iBAAiB,EACjB,gBAAgB,EAMhB,KAAK,EAKL,gBAAgB,EAEhB,2BAA2B,EAQ3B,MAAM,YAAY,CAAC;AAqFpB,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAmB/D,OAAO,EACN,gBAAgB,EAEhB,MAAM,uBAAuB,CAAC;AAS/B,OAAO,KAAK,EAAoB,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAGrE,MAAM,CAAC,OAAO,WAAW,UAAU;IAClC,EAAE,CAAC,CAAC,SAAS,MAAM,gBAAgB,EAClC,KAAK,EAAE,CAAC,EACR,QAAQ,EAAE,gBAAgB,CAAC,CAAC,CAAC,GAC3B,IAAI,CAAC;IACR,IAAI,CAAC,CAAC,SAAS,MAAM,gBAAgB,EACpC,KAAK,EAAE,CAAC,EACR,GAAG,IAAI,EAAE,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,GACtC,OAAO,CAAC;CACX;AAMD;;;;;GAKG;AACH,qBAAa,UAAW,SAAQ,YAAY;IAC3C,OAAO,CAAC,MAAM,CAAmB;IACjC,OAAO,CAAC,YAAY,CAA4C;IAChE,OAAO,CAAC,mBAAmB,CAAsB;IACjD,OAAO,CAAC,aAAa,CAAyC;IAC9D,OAAO,CAAC,mBAAmB,CAAkC;IAC7D,OAAO,CAAC,aAAa,CAAgD;IACrE,OAAO,CAAC,oBAAoB,CAAqC;IACjE,OAAO,CAAC,oBAAoB,CAAqC;IACjE,OAAO,CAAC,sBAAsB,CAAuC;IACrE,OAAO,CAAC,oBAAoB,CAAqC;IACjE,OAAO,CAAC,mBAAmB,CAAoC;IAC/D,OAAO,CAAC,kBAAkB,CACpB;IACN,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,YAAY,CAA6B;IACjD,OAAO,CAAC,aAAa,CAA8B;IACnD,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,OAAO,CAAC,uBAAuB,CAA0B;IACzD,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,UAAU,CAAC,CAAS;IAC5B,2CAA2C;IACpC,gBAAgB,EAAE,gBAAgB,CAAC;IAC1C,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,kBAAkB,CAAK;IAC/B,4EAA4E;IAC5E,OAAO,CAAC,sBAAsB,CAAyB;IACvD,qEAAqE;IACrE,OAAO,CAAC,iBAAiB,CAAoB;IAC7C,OAAO,CAAC,MAAM,CAAU;IAExB,OAAO,CAAC,iBAAiB,CAAoB;IAC7C,OAAO,CAAC,sBAAsB,CAAyB;IACvD,OAAO,CAAC,sBAAsB,CAAyB;IACvD,OAAO,CAAC,gBAAgB,CAAmB;IAC3C,OAAO,CAAC,mBAAmB,CAAsB;IACjD,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,aAAa,CAAgB;IACrC,OAAO,CAAC,qBAAqB,CAAwB;IACrD,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAsB;IAC5D,OAAO,CAAC,uBAAuB,CAAS;IACxC,OAAO,CAAC,2BAA2B,CACY;IAC/C,OAAO,CAAC,qBAAqB,CAAuB;IACpD,qEAAqE;IACrE,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,8EAA8E;IAC9E,OAAO,CAAC,WAAW,CAA
4B;IAC/C,yFAAyF;IACzF,OAAO,CAAC,kBAAkB,CAEX;IACf,sFAAsF;IACtF,OAAO,CAAC,gBAAgB,CAAuB;IAC/C;;;;OAIG;IACH,OAAO,CAAC,wBAAwB,CAAqB;gBAEzC,MAAM,EAAE,gBAAgB;IA2PpC;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAmF5B;;OAEG;YACW,oBAAoB;IAiIlC;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAY9B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAa/B;;;OAGG;IACH,OAAO,CAAC,4BAA4B;IAuEpC;;;OAGG;IACH,OAAO,CAAC,4BAA4B;IA+CpC;;;OAGG;IACH,OAAO,CAAC,2BAA2B;IA+FnC;;;;;OAKG;IACH;;;;;OAKG;YACW,kBAAkB;YAiBlB,mBAAmB;IA0TjC;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IAgBjC;;;;OAIG;YACW,iBAAiB;IAsD/B;;;OAGG;YACW,qBAAqB;IAqDnC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA8B/B;;OAEG;IACH,OAAO,CAAC,oCAAoC;IA2C5C;;OAEG;YACW,eAAe;IAiF7B;;;OAGG;YACW,mBAAmB;IA+QjC;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IAejC;;;OAGG;YACW,qBAAqB;IAoDnC;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA+B/B;;OAEG;IACH,OAAO,CAAC,oCAAoC;IA2C5C;;OAEG;YACW,eAAe;IAiF7B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAsBrB;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAoD3B;;;;;;OAMG;YACW,yBAAyB;IAwDvC;;;;;OAKG;IACH,OAAO,CAAC,wBAAwB;IAgDhC;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAuB/B;;OAEG;IACH,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAKvC;;;;OAIG;YACW,yBAAyB;IAmGvC;;;;;;;;OAQG;IACH,OAAO,CAAC,2BAA2B;IA4CnC;;OAEG;YACW,kBAAkB;IAmChC;;OAEG;YACW,0BAA0B;IAsDxC;;OAEG;YACW,yBAAyB;IAsFvC;;OAEG;IACH,OAAO,CAAC,WAAW;IAKnB;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAO7B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAK3B;;OAEG;YACW,aAAa;IAsE3B;;;;;;OAMG;YACW,aAAa;IA8C3B;;;;;OAKG;YACW,yBAAyB;IAWvC;;;;;OAKG;YACW,uBAAuB;IAWrC;;;;;OAKG;YACW,uBAAuB;IAWrC;;;;;OAKG;YACW,0BAA0B;IAWxC;;;;;OAKG;YACW,qBAAqB;IASnC;;;OAGG;YACW,6BAA6B;IAyC3C;;OAEG;YACW,4BAA4B;IA8D1C;;;;;;;;;;;;;;;;;OAiBG;YACW,wBAAwB;IAwMtC;;;;;;OAMG;IACH,OAAO,CAAC,sBAAsB;IAoB9B;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAMnC;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAM9B;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAWlC;;;;;;;;OAQG;YACW,uBAAuB;IAwKrC;;;;;OAKG;YACW,gCAAgC;IAiH9C;;;;;;;;;;;;;OAaG;YACW,qBAAqB;IAkOnC;;;;;;;OAOG;YACW,gBAAgB;IAiD9B;;;;;;;OAOG;YACW,iCAAiC;IA2D/C;;;;;OAKG;YACW,6BAA6B;IA0C3C;;;OAGG;YACW,4BAA4B;IA6M1C;;;;;;;;OAQG;YACW,+BAA+B;IAiI7C;;;;OAIG;YACW,qBAAqB;IA8BnC;;OAEG;Y
ACW,mBAAmB;IAQjC;;;OAGG;YACW,iBAAiB;IAiB/B;;OAEG;YACW,gBAAgB;IAI9B;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IAIhC;;;OAGG;IACH,OAAO,CAAC,gCAAgC;IAMxC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAkB3B;;OAEG;YACW,+BAA+B;IAqB7C;;;;;;;;OAQG;YACW,kBAAkB;IAchC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAIhC;;OAEG;IACH,mBAAmB,IAAI,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC;IAY3C;;;OAGG;IACH,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG;IAKtC;;OAEG;IACG,cAAc,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAChD,WAAW,EAAE,MAAM,CAAC;QACpB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,mBAAmB,EAAE,MAAM,CAAC;KAC5B,CAAC;IAKF;;OAEG;IACH,aAAa,IAAI,MAAM;IAIvB;;OAEG;IACH,mBAAmB,IAAI,MAAM;IAI7B;;;;OAIG;YAEW,uBAAuB;IA+ErC;;OAEG;IAeH;;OAEG;YACW,WAAW;IAczB;;OAEG;IASH;;;;;OAKG;YACW,wBAAwB;IActC;;;;;;OAMG;YACW,0BAA0B;IAmBxC;;OAEG;IACH,OAAO,CAAC,6BAA6B;YASvB,6BAA6B;IA0G3C,OAAO,CAAC,uBAAuB;IAe/B,OAAO,CAAC,yBAAyB;YAgBnB,oCAAoC;IA2HlD,OAAO,CAAC,mBAAmB;IAW3B;;;;;;;;;;OAUG;YACW,kBAAkB;IAuChC;;;OAGG;YACW,cAAc;IAiB5B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAuB5B;;OAEG;YACW,qBAAqB;IAuGnC;;;;;OAKG;IACH,OAAO,CAAC,sBAAsB;IAoB9B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAmC/B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAgB3B;;OAEG;YACW,sBAAsB;IAIpC;;OAEG;YACW,kCAAkC;IAgDhD;;;;OAIG;IACH;;;;OAIG;YACW,sBAAsB;IAqDpC;;;;;;;OAOG;IACH,OAAO,CAAC,6BAA6B;IAgBrC;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAe5B;;;OAGG;IACH,OAAO,CAAC,iBAAiB;IAezB;;OAEG;IACI,wBAAwB,CAC9B,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,MAAM,GACnB,GAAG,EAAE;IAQR;;;;;OAKG;IACH,OAAO,CAAC,eAAe;IAqBvB;;;;;;OAMG;YACW,iBAAiB;IA0C/B;;OAEG;YACW,kBAAkB;IAchC;;OAEG;YACW,kBAAkB;IAYhC;;OAEG;IACI,iBAAiB,IAAI,2BAA2B;IAqBvD;;OAEG;IACI,eAAe,CAAC,KAAK,EAAE,2BAA2B,GAAG,IAAI;IAmEhE;;;;;;OAMG;YACW,kBAAkB;IAQhC;;OAEG;YACW,yBAAyB;IAUvC;;OAEG;YACW,8BAA8B;IAU5C;;OAEG;YACW,mBAAmB;IAcjC;;;;;;;;;;;;;;;;;OAiBG;YACW,8BAA8B;IA0D5C;;OAEG;YACW,gCAAgC;IAc9C;;;;;;;;;;OAUG;IACG,kBAAkB,CACvB,OAAO,EAAE,iBAAiB,EAC1B,UAAU,EAAE,gBAAgB,EAC5B,SAAS,EAAE,MAAM,EACjB,mBAAmB,EAAE,mBAAmB,EACxC,UAAU,EAAE,MAAM,EAClB,kBAAkB,GAAE,MAAW,EAC/B,YAAY,GAAE,OAAe,EAC7B,4BAA4B,GAAE,MAAM,EAAO,EAC3C,iBAAiB,CAAC,EAAE,MAAM,EAC1B,QAAQ,CAAC,EAAE,MAAM,EACjB,a
AAa,CAAC,EAAE,MAAM,EACtB,gBAAgB,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,IAAI,CAAC;IA+JhB;;OAEG;YACW,iCAAiC;IAY/C;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAQ7B;;OAEG;IACU,qBAAqB,CACjC,OAAO,EAAE,MAAM,EACf,iBAAiB,EAAE,MAAM,GACvB,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC;IAqCxB;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAmDxB;;OAEG;YACW,eAAe;CAqD7B"}
|
package/dist/EdgeWorker.js
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import { AsyncLocalStorage } from "node:async_hooks";
|
|
2
|
+
import { execSync } from "node:child_process";
|
|
2
3
|
import { EventEmitter } from "node:events";
|
|
3
4
|
import { mkdir, readdir, readFile, writeFile } from "node:fs/promises";
|
|
4
5
|
import { basename, join } from "node:path";
|
|
@@ -6,7 +7,7 @@ import { LinearClient } from "@linear/sdk";
|
|
|
6
7
|
import { ClaudeRunner } from "cyrus-claude-runner";
|
|
7
8
|
import { CodexRunner } from "cyrus-codex-runner";
|
|
8
9
|
import { ConfigUpdater } from "cyrus-config-updater";
|
|
9
|
-
import { CLIIssueTrackerService, CLIRPCServer, createLogger, DEFAULT_PROXY_URL, isAgentSessionCreatedWebhook, isAgentSessionPromptedWebhook, isContentUpdateMessage, isIssueAssignedWebhook, isIssueCommentMentionWebhook, isIssueDeletedWebhook, isIssueNewCommentWebhook, isIssueStateChangeMessage, isIssueStateChangeWebhook, isIssueTitleOrDescriptionUpdateWebhook, isIssueUnassignedWebhook, isSessionStartMessage, isStopSignalMessage, isUnassignMessage, isUserPromptMessage, PersistenceManager, requireLinearWorkspaceId, resolvePath, } from "cyrus-core";
|
|
10
|
+
import { CLIIssueTrackerService, CLIRPCServer, createLogger, DEFAULT_PROXY_URL, isAgentSessionCreatedWebhook, isAgentSessionPromptedWebhook, isContentUpdateMessage, isIssueAssignedWebhook, isIssueCommentMentionWebhook, isIssueDeletedWebhook, isIssueNewCommentWebhook, isIssueStateChangeMessage, isIssueStateChangeWebhook, isIssueTitleOrDescriptionUpdateWebhook, isIssueUnassignedWebhook, isSessionStartMessage, isStopSignalMessage, isUnassignMessage, isUserPromptMessage, PersistenceManager, requireLinearWorkspaceId, resolvePath, WebhookIpValidator, } from "cyrus-core";
|
|
10
11
|
import { CursorRunner } from "cyrus-cursor-runner";
|
|
11
12
|
import { GeminiRunner } from "cyrus-gemini-runner";
|
|
12
13
|
import { extractCommentAuthor, extractCommentBody, extractCommentId, extractCommentUrl, extractPRBaseBranchRef, extractPRBranchRef, extractPRNumber, extractPRTitle, extractRepoFullName, extractRepoName, extractRepoOwner, extractSessionKey, GitHubAppTokenProvider, GitHubCommentService, GitHubEventTransport, isCommentOnPullRequest, isIssueCommentPayload, isPullRequestReviewCommentPayload, isPullRequestReviewPayload, stripMention, } from "cyrus-github-event-transport";
|
|
@@ -23,6 +24,7 @@ import { LiveChatRepositoryProvider } from "./ChatRepositoryProvider.js";
|
|
|
23
24
|
import { ChatSessionHandler } from "./ChatSessionHandler.js";
|
|
24
25
|
import { ConfigManager } from "./ConfigManager.js";
|
|
25
26
|
import { DefaultSkillsDeployer } from "./DefaultSkillsDeployer.js";
|
|
27
|
+
import { EgressProxy } from "./EgressProxy.js";
|
|
26
28
|
import { GitService } from "./GitService.js";
|
|
27
29
|
import { GlobalSessionRegistry } from "./GlobalSessionRegistry.js";
|
|
28
30
|
import { McpConfigService } from "./McpConfigService.js";
|
|
@@ -46,7 +48,7 @@ export class EdgeWorker extends EventEmitter {
|
|
|
46
48
|
config;
|
|
47
49
|
repositories = new Map(); // repository 'id' (internal, stored in config.json) mapped to the full repo config
|
|
48
50
|
agentSessionManager; // Single instance managing all agent sessions across repositories
|
|
49
|
-
activitySinks = new Map(); // Maps
|
|
51
|
+
activitySinks = new Map(); // Maps Linear workspace ID to activity sink (one per workspace, mirrors issueTrackers)
|
|
50
52
|
sessionRepositories = new Map(); // Maps session ID to repository ID
|
|
51
53
|
issueTrackers = new Map(); // one issue tracker per Linear workspace (keyed by linearWorkspaceId)
|
|
52
54
|
linearEventTransport = null; // Single event transport for webhook delivery
|
|
@@ -88,6 +90,14 @@ export class EdgeWorker extends EventEmitter {
|
|
|
88
90
|
cyrusToolsMcpRegistered = false;
|
|
89
91
|
cyrusToolsMcpRequestContext = new AsyncLocalStorage();
|
|
90
92
|
cyrusToolsMcpSessions = new Sessions();
|
|
93
|
+
/** Validates webhook source IPs against known provider allowlists */
|
|
94
|
+
webhookIpValidator;
|
|
95
|
+
/** Egress proxy for sandbox network traffic filtering and header injection */
|
|
96
|
+
egressProxy = null;
|
|
97
|
+
/** Base SDK sandbox settings to pass to ClaudeRunner sessions (set when proxy starts) */
|
|
98
|
+
sdkSandboxSettings = null;
|
|
99
|
+
/** CA cert path for MITM TLS termination (passed per-session env, not process.env) */
|
|
100
|
+
egressCaCertPath = null;
|
|
91
101
|
/**
|
|
92
102
|
* Tracks recently processed issue-update webhook keys to prevent
|
|
93
103
|
* duplicate deliveries from Linear's at-least-once delivery.
|
|
@@ -147,6 +157,19 @@ export class EdgeWorker extends EventEmitter {
|
|
|
147
157
|
return this.getIssueTrackerForWorkspace(linearWorkspaceId) ?? null;
|
|
148
158
|
},
|
|
149
159
|
});
|
|
160
|
+
// Initialize webhook IP validator
|
|
161
|
+
// Enabled by default in self-hosted mode (CYRUS_HOST_EXTERNAL=true),
|
|
162
|
+
// can be overridden with WEBHOOK_IP_VALIDATION=false to disable
|
|
163
|
+
const isExternalHost = process.env.CYRUS_HOST_EXTERNAL?.toLowerCase().trim() === "true";
|
|
164
|
+
const ipValidationEnv = process.env.WEBHOOK_IP_VALIDATION?.toLowerCase().trim();
|
|
165
|
+
const ipValidationEnabled = ipValidationEnv === "true" ||
|
|
166
|
+
(ipValidationEnv !== "false" && isExternalHost);
|
|
167
|
+
this.webhookIpValidator = new WebhookIpValidator({
|
|
168
|
+
enabled: ipValidationEnabled,
|
|
169
|
+
});
|
|
170
|
+
if (ipValidationEnabled) {
|
|
171
|
+
this.logger.info("Webhook IP validation enabled");
|
|
172
|
+
}
|
|
150
173
|
// Initialize shared application server
|
|
151
174
|
const serverPort = config.serverPort || config.webhookPort || 3456;
|
|
152
175
|
const serverHost = config.serverHost || "localhost";
|
|
@@ -202,15 +225,9 @@ export class EdgeWorker extends EventEmitter {
|
|
|
202
225
|
this.issueTrackers.set(linearWorkspaceId, issueTracker);
|
|
203
226
|
}
|
|
204
227
|
}
|
|
205
|
-
// Create activity sinks
|
|
206
|
-
for (const [
|
|
207
|
-
|
|
208
|
-
continue;
|
|
209
|
-
const issueTracker = this.issueTrackers.get(repo.linearWorkspaceId);
|
|
210
|
-
if (issueTracker) {
|
|
211
|
-
const activitySink = new LinearActivitySink(issueTracker, repo.linearWorkspaceId);
|
|
212
|
-
this.activitySinks.set(repoId, activitySink);
|
|
213
|
-
}
|
|
228
|
+
// Create activity sinks per workspace (one per workspace, mirrors issueTrackers)
|
|
229
|
+
for (const [workspaceId, issueTracker] of this.issueTrackers) {
|
|
230
|
+
this.activitySinks.set(workspaceId, new LinearActivitySink(issueTracker, workspaceId));
|
|
214
231
|
}
|
|
215
232
|
// Initialize user access control with global and per-repository configs
|
|
216
233
|
const repoAccessConfigs = new Map();
|
|
@@ -238,7 +255,6 @@ export class EdgeWorker extends EventEmitter {
|
|
|
238
255
|
repositories: this.repositories,
|
|
239
256
|
issueTrackers: this.issueTrackers,
|
|
240
257
|
gitService: this.gitService,
|
|
241
|
-
config: this.config,
|
|
242
258
|
});
|
|
243
259
|
this.defaultSkillsDeployer = new DefaultSkillsDeployer(this.cyrusHome, this.logger);
|
|
244
260
|
this.skillsPluginResolver = new SkillsPluginResolver(this.cyrusHome, this.logger);
|
|
@@ -256,19 +272,52 @@ export class EdgeWorker extends EventEmitter {
|
|
|
256
272
|
await this.loadPersistedState();
|
|
257
273
|
// Start config file watcher via ConfigManager
|
|
258
274
|
this.configManager.on("configChanged", async (changes) => {
|
|
275
|
+
this.updateLinearWorkspaceTokens(changes.newConfig);
|
|
259
276
|
await this.removeDeletedRepositories(changes.removed);
|
|
260
277
|
await this.updateModifiedRepositories(changes.modified);
|
|
261
278
|
await this.addNewRepositories(changes.added);
|
|
262
|
-
//
|
|
263
|
-
this.
|
|
279
|
+
// Live-update sandbox / egress proxy settings
|
|
280
|
+
await this.applySandboxConfigChanges(changes.newConfig);
|
|
264
281
|
this.config = changes.newConfig;
|
|
265
282
|
this.configManager.setConfig(changes.newConfig);
|
|
266
283
|
this.runnerSelectionService.setConfig(changes.newConfig);
|
|
267
284
|
this.toolPermissionResolver.setConfig(changes.newConfig);
|
|
268
285
|
});
|
|
269
286
|
this.configManager.startConfigWatcher();
|
|
287
|
+
// Start egress proxy if sandbox is enabled.
|
|
288
|
+
// The proxy intercepts Bash-spawned subprocess traffic only (git, gh, npm, etc.).
|
|
289
|
+
// Claude's inference API, MCP servers, and built-in file tools bypass the proxy.
|
|
290
|
+
if (this.config.sandbox?.enabled) {
|
|
291
|
+
this.logger.info("🛡️ Sandbox egress proxy: starting...");
|
|
292
|
+
this.egressProxy = new EgressProxy(this.config.sandbox, this.cyrusHome, this.logger);
|
|
293
|
+
await this.egressProxy.start();
|
|
294
|
+
// Store base SDK sandbox settings — merged per-session with worktree path
|
|
295
|
+
this.sdkSandboxSettings = {
|
|
296
|
+
enabled: true,
|
|
297
|
+
network: {
|
|
298
|
+
httpProxyPort: this.egressProxy.getHttpProxyPort(),
|
|
299
|
+
socksProxyPort: this.egressProxy.getSocksProxyPort(),
|
|
300
|
+
},
|
|
301
|
+
};
|
|
302
|
+
const systemWideCert = this.config.sandbox?.systemWideCert === true;
|
|
303
|
+
this.logCertTrustInstructions(this.egressProxy.getCACertPath(), systemWideCert);
|
|
304
|
+
// When systemWideCert is true, the OS cert store handles trust
|
|
305
|
+
// for all tools — skip per-session cert env vars.
|
|
306
|
+
if (!systemWideCert) {
|
|
307
|
+
this.egressCaCertPath = this.egressProxy.buildCACertBundle();
|
|
308
|
+
}
|
|
309
|
+
}
|
|
310
|
+
else {
|
|
311
|
+
this.logger.info("🛡️ Sandbox egress proxy: disabled (set sandbox.enabled=true in config.json to enable)");
|
|
312
|
+
}
|
|
270
313
|
// Initialize and register components BEFORE starting server (routes must be registered before listen())
|
|
271
314
|
await this.initializeComponents();
|
|
315
|
+
// Refresh GitHub webhook allowlist from /meta API (non-blocking)
|
|
316
|
+
if (this.webhookIpValidator.isEnabled()) {
|
|
317
|
+
this.webhookIpValidator.refreshGitHubAllowlist().catch((error) => {
|
|
318
|
+
this.logger.warn("Failed to refresh GitHub webhook allowlist", error instanceof Error ? error : new Error(String(error)));
|
|
319
|
+
});
|
|
320
|
+
}
|
|
272
321
|
// Start shared application server (this also starts Cloudflare tunnel if CLOUDFLARE_TOKEN is set)
|
|
273
322
|
await this.sharedApplicationServer.start();
|
|
274
323
|
}
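Review bot: `await this.applySandboxConfigChanges(changes.newConfig)` (new line 280) runs inside an async `configChanged` listener with no try/catch, ahead of `this.config = changes.newConfig` and the three `setConfig` calls. If the proxy fails to start or stop during a reload, the rejection escapes the listener and new lines 281–284 never run, so repositories and tokens follow the new config while `this.config` and the selection/permission services keep the old one. I would wrap the call, e.g. `try { await this.applySandboxConfigChanges(changes.newConfig); } catch (error) { this.logger.warn("Sandbox config reload failed", error instanceof Error ? error : new Error(String(error))); }`, and add a comment stating whether sessions may still start when the requested sandbox state is not in effect. Whether ConfigManager guards its listeners is not visible here, and the enclosing method begins outside the hunk.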
|
|
@@ -322,6 +371,9 @@ export class EdgeWorker extends EventEmitter {
|
|
|
322
371
|
fastifyServer: this.sharedApplicationServer.getFastifyInstance(),
|
|
323
372
|
verificationMode,
|
|
324
373
|
secret,
|
|
374
|
+
ipAllowlist: verificationMode === "direct" && this.webhookIpValidator.isEnabled()
|
|
375
|
+
? this.webhookIpValidator.getAllowlist("linear")
|
|
376
|
+
: undefined,
|
|
325
377
|
});
|
|
326
378
|
// Listen for legacy webhook events (deprecated, kept for backward compatibility)
|
|
327
379
|
this.linearEventTransport.on("event", (event) => {
|
|
@@ -410,6 +462,9 @@ export class EdgeWorker extends EventEmitter {
|
|
|
410
462
|
fastifyServer: this.sharedApplicationServer.getFastifyInstance(),
|
|
411
463
|
verificationMode,
|
|
412
464
|
secret,
|
|
465
|
+
ipAllowlist: useSignatureVerification && this.webhookIpValidator.isEnabled()
|
|
466
|
+
? this.webhookIpValidator.getAllowlist("github")
|
|
467
|
+
: undefined,
|
|
413
468
|
});
|
|
414
469
|
// Listen for legacy GitHub webhook events (deprecated, kept for backward compatibility)
|
|
415
470
|
this.gitHubEventTransport.on("event", (event) => {
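Review bot: `this.webhookIpValidator.getAllowlist("github")` is evaluated once, when this options object is built, whereas `refreshGitHubAllowlist()` is only kicked off after `await this.initializeComponents()` and is not awaited (new lines 314–317 in the earlier hunk). Assuming this registration runs during `initializeComponents()`, and if `getAllowlist` returns a copy rather than the list the refresh updates, the transport keeps the pre-refresh ranges for the life of the process. Neither WebhookIpValidator nor the transport is visible here, so this needs confirming; a comment on the call such as `// must be the live list that refreshGitHubAllowlist() updates in place` would record the contract. The enclosing method starts and ends outside the hunk.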
|
|
@@ -721,7 +776,7 @@ export class EdgeWorker extends EventEmitter {
|
|
|
721
776
|
]);
|
|
722
777
|
// Register session-to-repo mapping and activity sink
|
|
723
778
|
this.sessionRepositories.set(githubSessionId, repository.id);
|
|
724
|
-
const activitySink = this.
|
|
779
|
+
const activitySink = this.getActivitySinkForRepo(repository.id);
|
|
725
780
|
if (activitySink) {
|
|
726
781
|
agentSessionManager.setActivitySink(githubSessionId, activitySink);
|
|
727
782
|
}
|
|
@@ -1129,7 +1184,7 @@ ${taskSection}`;
|
|
|
1129
1184
|
]);
|
|
1130
1185
|
// Register session-to-repo mapping and activity sink
|
|
1131
1186
|
this.sessionRepositories.set(gitlabSessionId, repository.id);
|
|
1132
|
-
const activitySink = this.
|
|
1187
|
+
const activitySink = this.getActivitySinkForRepo(repository.id);
|
|
1133
1188
|
if (activitySink) {
|
|
1134
1189
|
agentSessionManager.setActivitySink(gitlabSessionId, activitySink);
|
|
1135
1190
|
}
|
|
@@ -1435,9 +1490,121 @@ ${taskSection}`;
|
|
|
1435
1490
|
this.mcpConfigService.clearAllContexts();
|
|
1436
1491
|
this.cyrusToolsMcpSessions.removeAllListeners();
|
|
1437
1492
|
this.cyrusToolsMcpRegistered = false;
|
|
1493
|
+
// Stop egress proxy
|
|
1494
|
+
if (this.egressProxy) {
|
|
1495
|
+
await this.egressProxy.stop();
|
|
1496
|
+
this.egressProxy = null;
|
|
1497
|
+
this.sdkSandboxSettings = null;
|
|
1498
|
+
this.egressCaCertPath = null;
|
|
1499
|
+
}
|
|
1438
1500
|
// Stop shared application server (this also stops Cloudflare tunnel if running)
|
|
1439
1501
|
await this.sharedApplicationServer.stop();
|
|
1440
1502
|
}
|
|
1503
|
+
/**
|
|
1504
|
+
* Apply sandbox config changes from a config reload.
|
|
1505
|
+
* Handles three transitions:
|
|
1506
|
+
* - enabled → enabled: update network policy on the running proxy
|
|
1507
|
+
* - disabled → enabled: start a new proxy
|
|
1508
|
+
* - enabled → disabled: stop the running proxy
|
|
1509
|
+
*/
|
|
1510
|
+
async applySandboxConfigChanges(newConfig) {
|
|
1511
|
+
const wasEnabled = this.egressProxy !== null;
|
|
1512
|
+
const isEnabled = newConfig.sandbox?.enabled === true;
|
|
1513
|
+
if (wasEnabled && isEnabled) {
|
|
1514
|
+
// Policy update — proxy stays running, rules change
|
|
1515
|
+
// Pass current policy (or empty object to reset to allow-all)
|
|
1516
|
+
this.egressProxy.updateNetworkPolicy(newConfig.sandbox?.networkPolicy ?? {});
|
|
1517
|
+
// Handle systemWideCert toggling while proxy is running
|
|
1518
|
+
if (newConfig.sandbox?.systemWideCert) {
|
|
1519
|
+
this.egressCaCertPath = null;
|
|
1520
|
+
}
|
|
1521
|
+
else if (!this.egressCaCertPath) {
|
|
1522
|
+
this.egressCaCertPath = this.egressProxy.buildCACertBundle();
|
|
1523
|
+
}
|
|
1524
|
+
}
|
|
1525
|
+
else if (!wasEnabled && isEnabled) {
|
|
1526
|
+
// Start proxy for the first time
|
|
1527
|
+
this.logger.info("🛡️ Sandbox egress proxy: starting (config change)...");
|
|
1528
|
+
this.egressProxy = new EgressProxy(newConfig.sandbox, this.cyrusHome, this.logger);
|
|
1529
|
+
await this.egressProxy.start();
|
|
1530
|
+
this.sdkSandboxSettings = {
|
|
1531
|
+
enabled: true,
|
|
1532
|
+
network: {
|
|
1533
|
+
httpProxyPort: this.egressProxy.getHttpProxyPort(),
|
|
1534
|
+
socksProxyPort: this.egressProxy.getSocksProxyPort(),
|
|
1535
|
+
},
|
|
1536
|
+
};
|
|
1537
|
+
const systemWideCert = newConfig.sandbox?.systemWideCert === true;
|
|
1538
|
+
this.logCertTrustInstructions(this.egressProxy.getCACertPath(), systemWideCert);
|
|
1539
|
+
if (!systemWideCert) {
|
|
1540
|
+
this.egressCaCertPath = this.egressProxy.buildCACertBundle();
|
|
1541
|
+
}
|
|
1542
|
+
}
|
|
1543
|
+
else if (wasEnabled && !isEnabled) {
|
|
1544
|
+
// Stop proxy
|
|
1545
|
+
this.logger.info("🛡️ Sandbox egress proxy: stopping (disabled in config)");
|
|
1546
|
+
await this.egressProxy.stop();
|
|
1547
|
+
this.egressProxy = null;
|
|
1548
|
+
this.sdkSandboxSettings = null;
|
|
1549
|
+
this.egressCaCertPath = null;
|
|
1550
|
+
}
|
|
1551
|
+
}
|
|
1552
|
+
/**
|
|
1553
|
+
* Log instructions for trusting the egress proxy CA certificate.
|
|
1554
|
+
* When systemWideCert is true, logs that env vars are skipped and trust
|
|
1555
|
+
* is expected from the OS cert store. Otherwise logs env var list and
|
|
1556
|
+
* checks macOS keychain trust status.
|
|
1557
|
+
*/
|
|
1558
|
+
logCertTrustInstructions(certPath, systemWideCert = false) {
|
|
1559
|
+
this.logger.info(`🛡️ Sandbox TLS interception CA certificate: ${certPath}`);
|
|
1560
|
+
if (systemWideCert) {
|
|
1561
|
+
this.logger.info("🛡️ systemWideCert: true — per-session CA cert env vars are skipped (OS cert store handles trust)");
|
|
1562
|
+
}
|
|
1563
|
+
else {
|
|
1564
|
+
this.logger.info("🛡️ Per-session env vars are set automatically: NODE_EXTRA_CA_CERTS, GIT_SSL_CAINFO, SSL_CERT_FILE, REQUESTS_CA_BUNDLE, PIP_CERT, CURL_CA_BUNDLE, CARGO_HTTP_CAINFO, AWS_CA_BUNDLE, DENO_CERT");
|
|
1565
|
+
}
|
|
1566
|
+
const trusted = this.isCertTrustedSystemWide();
|
|
1567
|
+
if (trusted) {
|
|
1568
|
+
this.logger.info("🛡️ CA certificate is trusted system-wide ✓");
|
|
1569
|
+
if (!systemWideCert) {
|
|
1570
|
+
this.logger.info("🛡️ Tip: set sandbox.systemWideCert: true in config.json to skip per-session cert env vars");
|
|
1571
|
+
}
|
|
1572
|
+
}
|
|
1573
|
+
else {
|
|
1574
|
+
if (process.platform === "darwin") {
|
|
1575
|
+
this.logger.warn("🛡️ CA certificate is NOT trusted in the macOS System keychain. To trust (requires sudo):");
|
|
1576
|
+
this.logger.warn(`🛡️ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ${certPath}`);
|
|
1577
|
+
}
|
|
1578
|
+
else if (process.platform === "linux") {
|
|
1579
|
+
this.logger.warn("🛡️ CA certificate is NOT trusted system-wide. To trust (requires sudo):");
|
|
1580
|
+
this.logger.warn(`🛡️ sudo cp ${certPath} /usr/local/share/ca-certificates/cyrus-egress-ca.crt && sudo update-ca-certificates`);
|
|
1581
|
+
}
|
|
1582
|
+
if (systemWideCert) {
|
|
1583
|
+
this.logger.warn("🛡️ systemWideCert is true but cert is not trusted — tools using the OS cert store will fail TLS verification");
|
|
1584
|
+
}
|
|
1585
|
+
}
|
|
1586
|
+
}
|
|
1587
|
+
/**
|
|
1588
|
+
* Check whether the Cyrus egress proxy CA is trusted at the OS level.
|
|
1589
|
+
* macOS: searches the System keychain. Linux: checks update-ca-certificates output.
|
|
1590
|
+
*/
|
|
1591
|
+
isCertTrustedSystemWide() {
|
|
1592
|
+
try {
|
|
1593
|
+
if (process.platform === "darwin") {
|
|
1594
|
+
execSync('security find-certificate -c "Cyrus Egress Proxy CA" /Library/Keychains/System.keychain', { stdio: "ignore" });
|
|
1595
|
+
return true;
|
|
1596
|
+
}
|
|
1597
|
+
if (process.platform === "linux") {
|
|
1598
|
+
// Check if our cert exists in the system CA certificates directory
|
|
1599
|
+
execSync("test -f /usr/local/share/ca-certificates/cyrus-egress-ca.crt", { stdio: "ignore" });
|
|
1600
|
+
return true;
|
|
1601
|
+
}
|
|
1602
|
+
return false;
|
|
1603
|
+
}
|
|
1604
|
+
catch {
|
|
1605
|
+
return false;
|
|
1606
|
+
}
|
|
1607
|
+
}
|
|
1441
1608
|
/**
|
|
1442
1609
|
* Set the config file path for dynamic reloading
|
|
1443
1610
|
*/
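Review bot: In the disabled → enabled branch of `applySandboxConfigChanges`, `this.egressProxy` is assigned before `await this.egressProxy.start()` (new lines 1528–1529), so a failed start leaves a non-null proxy with `sdkSandboxSettings` still null. The next reload then sees `wasEnabled === true`, takes the policy-update branch and never retries the start, while sessions are built with `sandboxSettings: this.sdkSandboxSettings ?? undefined` (new line 3659), which presumably means no sandbox. Assign only after success: `const proxy = new EgressProxy(newConfig.sandbox, this.cyrusHome, this.logger); await proxy.start(); this.egressProxy = proxy;`. Separately, the doc comment on `isCertTrustedSystemWide` says the Linux check reads update-ca-certificates output, but the code only tests that `/usr/local/share/ca-certificates/cyrus-egress-ca.crt` exists, and the macOS check matches by common name only. "trusted system-wide ✓" can therefore be logged for a certificate that is not the current CA, and the comment should say so.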
|
|
@@ -1531,9 +1698,10 @@ ${taskSection}`;
|
|
|
1531
1698
|
this.logger.info(`🔑 Updated Linear token for workspace ${workspaceId}`);
|
|
1532
1699
|
}
|
|
1533
1700
|
else if (this.config.platform !== "cli") {
|
|
1534
|
-
// Workspace is new — create a tracker for it
|
|
1701
|
+
// Workspace is new — create a tracker and activity sink for it
|
|
1535
1702
|
const newIssueTracker = new LinearIssueTrackerService(new LinearClient({ accessToken: newToken }), this.buildOAuthConfig(workspaceId));
|
|
1536
1703
|
this.issueTrackers.set(workspaceId, newIssueTracker);
|
|
1704
|
+
this.activitySinks.set(workspaceId, new LinearActivitySink(newIssueTracker, workspaceId));
|
|
1537
1705
|
this.logger.info(`🔑 Created issue tracker for new workspace ${workspaceId}`);
|
|
1538
1706
|
}
|
|
1539
1707
|
}
|
|
@@ -1569,24 +1737,6 @@ ${taskSection}`;
|
|
|
1569
1737
|
};
|
|
1570
1738
|
// Add to internal map
|
|
1571
1739
|
this.repositories.set(repo.id, resolvedRepo);
|
|
1572
|
-
// Create issue tracker for this workspace if not already present
|
|
1573
|
-
if (!this.issueTrackers.has(requireLinearWorkspaceId(repo))) {
|
|
1574
|
-
const linearToken = this.getLinearTokenForWorkspace(requireLinearWorkspaceId(repo));
|
|
1575
|
-
const issueTracker = this.config.platform === "cli"
|
|
1576
|
-
? (() => {
|
|
1577
|
-
const service = new CLIIssueTrackerService();
|
|
1578
|
-
service.seedDefaultData();
|
|
1579
|
-
return service;
|
|
1580
|
-
})()
|
|
1581
|
-
: new LinearIssueTrackerService(new LinearClient({
|
|
1582
|
-
accessToken: linearToken,
|
|
1583
|
-
}), this.buildOAuthConfig(requireLinearWorkspaceId(repo)));
|
|
1584
|
-
this.issueTrackers.set(requireLinearWorkspaceId(repo), issueTracker);
|
|
1585
|
-
}
|
|
1586
|
-
// Create activity sink for this repository
|
|
1587
|
-
const issueTracker = this.issueTrackers.get(requireLinearWorkspaceId(repo));
|
|
1588
|
-
const activitySink = new LinearActivitySink(issueTracker, requireLinearWorkspaceId(repo));
|
|
1589
|
-
this.activitySinks.set(repo.id, activitySink);
|
|
1590
1740
|
this.logger.info(`✅ Repository added successfully: ${repo.name}`);
|
|
1591
1741
|
}
|
|
1592
1742
|
catch (error) {
|
|
@@ -1622,28 +1772,6 @@ ${taskSection}`;
|
|
|
1622
1772
|
};
|
|
1623
1773
|
// Update stored config
|
|
1624
1774
|
this.repositories.set(repo.id, resolvedRepo);
|
|
1625
|
-
// If workspace changed or token was updated, ensure issue tracker is current
|
|
1626
|
-
const currentToken = this.getLinearTokenForWorkspace(requireLinearWorkspaceId(repo));
|
|
1627
|
-
if (!this.issueTrackers.has(requireLinearWorkspaceId(repo))) {
|
|
1628
|
-
this.logger.info(` 🔑 Creating issue tracker for workspace ${requireLinearWorkspaceId(repo)}`);
|
|
1629
|
-
const newIssueTracker = this.config.platform === "cli"
|
|
1630
|
-
? (() => {
|
|
1631
|
-
const service = new CLIIssueTrackerService();
|
|
1632
|
-
service.seedDefaultData();
|
|
1633
|
-
return service;
|
|
1634
|
-
})()
|
|
1635
|
-
: new LinearIssueTrackerService(new LinearClient({
|
|
1636
|
-
accessToken: currentToken,
|
|
1637
|
-
}), this.buildOAuthConfig(requireLinearWorkspaceId(repo)));
|
|
1638
|
-
this.issueTrackers.set(requireLinearWorkspaceId(repo), newIssueTracker);
|
|
1639
|
-
}
|
|
1640
|
-
else {
|
|
1641
|
-
// Update token on existing issue tracker if it changed
|
|
1642
|
-
const issueTracker = this.issueTrackers.get(requireLinearWorkspaceId(repo));
|
|
1643
|
-
if (issueTracker && currentToken) {
|
|
1644
|
-
issueTracker.setAccessToken(currentToken);
|
|
1645
|
-
}
|
|
1646
|
-
}
|
|
1647
1775
|
// If active status changed
|
|
1648
1776
|
if (oldRepo.isActive !== repo.isActive) {
|
|
1649
1777
|
if (repo.isActive === false) {
|
|
@@ -1702,11 +1830,12 @@ ${taskSection}`;
|
|
|
1702
1830
|
}
|
|
1703
1831
|
// Remove repository from all maps
|
|
1704
1832
|
this.repositories.delete(repo.id);
|
|
1705
|
-
this
|
|
1706
|
-
|
|
1707
|
-
const workspaceStillInUse = Array.from(this.repositories.values()).some((r) => r.linearWorkspaceId ===
|
|
1833
|
+
// Only remove workspace issue tracker and activity sink if no other repos use this workspace
|
|
1834
|
+
const wsId = requireLinearWorkspaceId(repo);
|
|
1835
|
+
const workspaceStillInUse = Array.from(this.repositories.values()).some((r) => r.linearWorkspaceId === wsId);
|
|
1708
1836
|
if (!workspaceStillInUse) {
|
|
1709
|
-
this.issueTrackers.delete(
|
|
1837
|
+
this.issueTrackers.delete(wsId);
|
|
1838
|
+
this.activitySinks.delete(wsId);
|
|
1710
1839
|
}
|
|
1711
1840
|
this.logger.info(`✅ Repository removed successfully: ${repo.name}`);
|
|
1712
1841
|
}
|
|
@@ -2150,6 +2279,15 @@ ${taskSection}`;
|
|
|
2150
2279
|
getIssueTrackerForWorkspace(linearWorkspaceId) {
|
|
2151
2280
|
return this.issueTrackers.get(linearWorkspaceId);
|
|
2152
2281
|
}
|
|
2282
|
+
/**
|
|
2283
|
+
* Get the activity sink for a repository by looking up its workspace.
|
|
2284
|
+
*/
|
|
2285
|
+
getActivitySinkForRepo(repoId) {
|
|
2286
|
+
const repo = this.repositories.get(repoId);
|
|
2287
|
+
if (!repo?.linearWorkspaceId)
|
|
2288
|
+
return undefined;
|
|
2289
|
+
return this.activitySinks.get(repo.linearWorkspaceId);
|
|
2290
|
+
}
|
|
2153
2291
|
/**
|
|
2154
2292
|
* Get the Linear API token for a workspace from workspace-level config.
|
|
2155
2293
|
*/
|
|
@@ -2208,7 +2346,7 @@ ${taskSection}`;
|
|
|
2208
2346
|
agentSessionManager.createCyrusAgentSession(sessionId, issue.id, issueMinimal, workspace, "linear", repositoryContexts);
|
|
2209
2347
|
// Register session-to-repo mapping and activity sink (use primary repo)
|
|
2210
2348
|
this.sessionRepositories.set(sessionId, primaryRepo.id);
|
|
2211
|
-
const activitySink = this.
|
|
2349
|
+
const activitySink = this.getActivitySinkForRepo(primaryRepo.id);
|
|
2212
2350
|
if (activitySink) {
|
|
2213
2351
|
agentSessionManager.setActivitySink(sessionId, activitySink);
|
|
2214
2352
|
}
|
|
@@ -3344,7 +3482,14 @@ ${taskSection}`;
|
|
|
3344
3482
|
// 5. Build issue context using appropriate builder
|
|
3345
3483
|
// Use label-based prompt ONLY if we have a label-based system prompt
|
|
3346
3484
|
const promptType = this.determinePromptType(input, !!labelBasedSystemPrompt);
|
|
3347
|
-
|
|
3485
|
+
// Build workspace repo paths map for prompt context.
|
|
3486
|
+
// For multi-repo sessions, workspace.repoPaths maps each repo ID to its worktree.
|
|
3487
|
+
// For single-repo sessions, use workspace.path as the worktree for the primary repo.
|
|
3488
|
+
const workspaceRepoPaths = input.session.workspace.repoPaths ??
|
|
3489
|
+
(repositories.length === 1
|
|
3490
|
+
? { [repositories[0].id]: input.session.workspace.path }
|
|
3491
|
+
: undefined);
|
|
3492
|
+
const issueContext = await this.buildIssueContextForPromptAssembly(input.fullIssue, repositories, promptType, input.attachmentManifest, input.guidance, input.agentSession, input.resolvedBaseBranches, workspaceRepoPaths);
|
|
3348
3493
|
parts.push(issueContext.prompt);
|
|
3349
3494
|
components.push("issue-context");
|
|
3350
3495
|
// 4. Add user comment (if present)
|
|
@@ -3390,11 +3535,18 @@ ${input.userComment}
|
|
|
3390
3535
|
* correct bot account without hardcoding.
|
|
3391
3536
|
*/
|
|
3392
3537
|
buildAgentContextBlock() {
|
|
3393
|
-
const githubBot = process.env.GITHUB_BOT_USERNAME || "
|
|
3394
|
-
const gitlabBot = process.env.GITLAB_BOT_USERNAME || "
|
|
3538
|
+
const githubBot = process.env.GITHUB_BOT_USERNAME || "";
|
|
3539
|
+
const gitlabBot = process.env.GITLAB_BOT_USERNAME || "";
|
|
3540
|
+
if (!githubBot && !gitlabBot) {
|
|
3541
|
+
return "";
|
|
3542
|
+
}
|
|
3395
3543
|
const lines = ["\n\n<agent_context>"];
|
|
3396
|
-
|
|
3397
|
-
|
|
3544
|
+
if (githubBot) {
|
|
3545
|
+
lines.push(` <github_bot_username>${githubBot}</github_bot_username>`);
|
|
3546
|
+
}
|
|
3547
|
+
if (gitlabBot) {
|
|
3548
|
+
lines.push(` <gitlab_bot_username>${gitlabBot}</gitlab_bot_username>`);
|
|
3549
|
+
}
|
|
3398
3550
|
lines.push("</agent_context>");
|
|
3399
3551
|
return lines.join("\n");
|
|
3400
3552
|
}
|
|
@@ -3455,7 +3607,7 @@ ${input.userComment}
|
|
|
3455
3607
|
/**
|
|
3456
3608
|
* Adapter method for prompt assembly - routes to appropriate issue context builder
|
|
3457
3609
|
*/
|
|
3458
|
-
async buildIssueContextForPromptAssembly(issue, repositories, promptType, attachmentManifest, guidance, agentSession, resolvedBaseBranches) {
|
|
3610
|
+
async buildIssueContextForPromptAssembly(issue, repositories, promptType, attachmentManifest, guidance, agentSession, resolvedBaseBranches, workspaceRepoPaths) {
|
|
3459
3611
|
// Delegate to appropriate builder based on promptType
|
|
3460
3612
|
if (promptType === "mention") {
|
|
3461
3613
|
if (!agentSession) {
|
|
@@ -3469,7 +3621,7 @@ ${input.userComment}
|
|
|
3469
3621
|
}
|
|
3470
3622
|
// Fallback to standard issue context
|
|
3471
3623
|
return this.promptBuilder.buildIssueContextPrompt(issue, repositories, undefined, // No new comment for initial prompt assembly
|
|
3472
|
-
attachmentManifest, guidance, resolvedBaseBranches);
|
|
3624
|
+
attachmentManifest, guidance, resolvedBaseBranches, workspaceRepoPaths);
|
|
3473
3625
|
}
|
|
3474
3626
|
/**
|
|
3475
3627
|
* Resolve the default runner type for SimpleRunner (classification) use.
|
|
@@ -3504,6 +3656,8 @@ ${input.userComment}
|
|
|
3504
3656
|
cyrusHome: this.cyrusHome,
|
|
3505
3657
|
logger: log,
|
|
3506
3658
|
plugins: await this.skillsPluginResolver.resolve(),
|
|
3659
|
+
sandboxSettings: this.sdkSandboxSettings ?? undefined,
|
|
3660
|
+
egressCaCertPath: this.egressCaCertPath ?? undefined,
|
|
3507
3661
|
onMessage: (message) => {
|
|
3508
3662
|
this.handleClaudeMessage(sessionId, message, repository.id);
|
|
3509
3663
|
},
|
|
@@ -3668,7 +3822,7 @@ ${input.userComment}
|
|
|
3668
3822
|
if (repoId) {
|
|
3669
3823
|
this.sessionRepositories.set(sessionId, repoId);
|
|
3670
3824
|
// Also register the activity sink for this restored session
|
|
3671
|
-
const activitySink = this.
|
|
3825
|
+
const activitySink = this.getActivitySinkForRepo(repoId);
|
|
3672
3826
|
if (activitySink) {
|
|
3673
3827
|
this.agentSessionManager.setActivitySink(sessionId, activitySink);
|
|
3674
3828
|
}
|