daycare-cli 2026.2.26 → 2026.2.28

Files changed (402)
  1. package/dist/config/configResolve.d.ts.map +1 -1
  2. package/dist/config/configResolve.js +15 -1
  3. package/dist/config/configResolve.js.map +1 -1
  4. package/dist/config/configResolve.spec.js +47 -0
  5. package/dist/config/configResolve.spec.js.map +1 -1
  6. package/dist/config/configSettingsParse.d.ts.map +1 -1
  7. package/dist/config/configSettingsParse.js +10 -0
  8. package/dist/config/configSettingsParse.js.map +1 -1
  9. package/dist/config/configSettingsParse.spec.js +32 -0
  10. package/dist/config/configSettingsParse.spec.js.map +1 -1
  11. package/dist/config/configTypes.d.ts +2 -1
  12. package/dist/config/configTypes.d.ts.map +1 -1
  13. package/dist/engine/agents/agent.d.ts +2 -0
  14. package/dist/engine/agents/agent.d.ts.map +1 -1
  15. package/dist/engine/agents/agent.js +18 -3
  16. package/dist/engine/agents/agent.js.map +1 -1
  17. package/dist/engine/agents/agentSystem.d.ts +5 -0
  18. package/dist/engine/agents/agentSystem.d.ts.map +1 -1
  19. package/dist/engine/agents/agentSystem.js +16 -1
  20. package/dist/engine/agents/agentSystem.js.map +1 -1
  21. package/dist/engine/agents/agentSystem.spec.js +59 -0
  22. package/dist/engine/agents/agentSystem.spec.js.map +1 -1
  23. package/dist/engine/agents/ops/agentLoopRun.d.ts +0 -2
  24. package/dist/engine/agents/ops/agentLoopRun.d.ts.map +1 -1
  25. package/dist/engine/agents/ops/agentLoopRun.js +4 -7
  26. package/dist/engine/agents/ops/agentLoopRun.js.map +1 -1
  27. package/dist/engine/agents/ops/agentLoopRun.spec.js +21 -24
  28. package/dist/engine/agents/ops/agentLoopRun.spec.js.map +1 -1
  29. package/dist/engine/agents/ops/agentSystemPromptContext.d.ts +1 -1
  30. package/dist/engine/agents/ops/agentSystemPromptContext.d.ts.map +1 -1
  31. package/dist/engine/agents/ops/agentSystemPromptSectionEnvironment.d.ts.map +1 -1
  32. package/dist/engine/agents/ops/agentSystemPromptSectionEnvironment.js +12 -1
  33. package/dist/engine/agents/ops/agentSystemPromptSectionEnvironment.js.map +1 -1
  34. package/dist/engine/agents/ops/agentSystemPromptSectionMemory.d.ts.map +1 -1
  35. package/dist/engine/agents/ops/agentSystemPromptSectionMemory.js +0 -4
  36. package/dist/engine/agents/ops/agentSystemPromptSectionMemory.js.map +1 -1
  37. package/dist/engine/agents/ops/agentSystemPromptSectionPermissions.d.ts +2 -2
  38. package/dist/engine/agents/ops/agentSystemPromptSectionPermissions.d.ts.map +1 -1
  39. package/dist/engine/agents/ops/agentSystemPromptSectionPermissions.js +12 -30
  40. package/dist/engine/agents/ops/agentSystemPromptSectionPermissions.js.map +1 -1
  41. package/dist/engine/apps/appExecute.spec.js +2 -10
  42. package/dist/engine/apps/appExecute.spec.js.map +1 -1
  43. package/dist/engine/apps/appInstallToolBuild.js +1 -1
  44. package/dist/engine/apps/appInstallToolBuild.js.map +1 -1
  45. package/dist/engine/apps/appInstallToolBuild.spec.js +1 -5
  46. package/dist/engine/apps/appInstallToolBuild.spec.js.map +1 -1
  47. package/dist/engine/apps/appRuleToolBuild.spec.js +1 -5
  48. package/dist/engine/apps/appRuleToolBuild.spec.js.map +1 -1
  49. package/dist/engine/apps/appToolExecutorBuild.spec.js +1 -5
  50. package/dist/engine/apps/appToolExecutorBuild.spec.js.map +1 -1
  51. package/dist/engine/engine.d.ts.map +1 -1
  52. package/dist/engine/engine.js +10 -0
  53. package/dist/engine/engine.js.map +1 -1
  54. package/dist/engine/friends/nametagGenerate.d.ts +6 -0
  55. package/dist/engine/friends/nametagGenerate.d.ts.map +1 -0
  56. package/dist/engine/friends/nametagGenerate.js +9 -0
  57. package/dist/engine/friends/nametagGenerate.js.map +1 -0
  58. package/dist/engine/friends/nametagGenerate.spec.d.ts +2 -0
  59. package/dist/engine/friends/nametagGenerate.spec.d.ts.map +1 -0
  60. package/dist/engine/friends/nametagGenerate.spec.js +18 -0
  61. package/dist/engine/friends/nametagGenerate.spec.js.map +1 -0
  62. package/dist/engine/modules/executablePrompts/executablePromptExpand.spec.js +1 -5
  63. package/dist/engine/modules/executablePrompts/executablePromptExpand.spec.js.map +1 -1
  64. package/dist/engine/modules/monty/montyPythonTypeFromSchemaRuntime.spec.js +1 -5
  65. package/dist/engine/modules/monty/montyPythonTypeFromSchemaRuntime.spec.js.map +1 -1
  66. package/dist/engine/modules/rlm/rlmExecute.spec.js +1 -5
  67. package/dist/engine/modules/rlm/rlmExecute.spec.js.map +1 -1
  68. package/dist/engine/modules/rlm/rlmPromptSkills.spec.js +9 -9
  69. package/dist/engine/modules/rlm/rlmPromptSkills.spec.js.map +1 -1
  70. package/dist/engine/modules/rlm/rlmRestore.spec.js +1 -5
  71. package/dist/engine/modules/rlm/rlmRestore.spec.js.map +1 -1
  72. package/dist/engine/modules/rlm/rlmTool.spec.js +1 -5
  73. package/dist/engine/modules/rlm/rlmTool.spec.js.map +1 -1
  74. package/dist/engine/modules/say/sayFileResolve.d.ts +4 -5
  75. package/dist/engine/modules/say/sayFileResolve.d.ts.map +1 -1
  76. package/dist/engine/modules/say/sayFileResolve.js +24 -14
  77. package/dist/engine/modules/say/sayFileResolve.js.map +1 -1
  78. package/dist/engine/modules/say/sayFileResolve.spec.js +28 -29
  79. package/dist/engine/modules/say/sayFileResolve.spec.js.map +1 -1
  80. package/dist/engine/modules/toolResolver.spec.js +1 -5
  81. package/dist/engine/modules/toolResolver.spec.js.map +1 -1
  82. package/dist/engine/modules/tools/agentCompactTool.spec.js +1 -5
  83. package/dist/engine/modules/tools/agentCompactTool.spec.js.map +1 -1
  84. package/dist/engine/modules/tools/agentResetTool.spec.js +1 -5
  85. package/dist/engine/modules/tools/agentResetTool.spec.js.map +1 -1
  86. package/dist/engine/modules/tools/background.spec.js +3 -11
  87. package/dist/engine/modules/tools/background.spec.js.map +1 -1
  88. package/dist/engine/modules/tools/channelCreateTool.spec.js +1 -5
  89. package/dist/engine/modules/tools/channelCreateTool.spec.js.map +1 -1
  90. package/dist/engine/modules/tools/channelHistoryTool.spec.js +1 -5
  91. package/dist/engine/modules/tools/channelHistoryTool.spec.js.map +1 -1
  92. package/dist/engine/modules/tools/channelMemberTool.spec.js +1 -5
  93. package/dist/engine/modules/tools/channelMemberTool.spec.js.map +1 -1
  94. package/dist/engine/modules/tools/channelSendTool.spec.js +1 -5
  95. package/dist/engine/modules/tools/channelSendTool.spec.js.map +1 -1
  96. package/dist/engine/modules/tools/friendAddToolBuild.d.ts +7 -0
  97. package/dist/engine/modules/tools/friendAddToolBuild.d.ts.map +1 -0
  98. package/dist/engine/modules/tools/friendAddToolBuild.js +160 -0
  99. package/dist/engine/modules/tools/friendAddToolBuild.js.map +1 -0
  100. package/dist/engine/modules/tools/friendAddToolBuild.spec.d.ts +2 -0
  101. package/dist/engine/modules/tools/friendAddToolBuild.spec.d.ts.map +1 -0
  102. package/dist/engine/modules/tools/friendAddToolBuild.spec.js +151 -0
  103. package/dist/engine/modules/tools/friendAddToolBuild.spec.js.map +1 -0
  104. package/dist/engine/modules/tools/friendRemoveToolBuild.d.ts +7 -0
  105. package/dist/engine/modules/tools/friendRemoveToolBuild.d.ts.map +1 -0
  106. package/dist/engine/modules/tools/friendRemoveToolBuild.js +171 -0
  107. package/dist/engine/modules/tools/friendRemoveToolBuild.js.map +1 -0
  108. package/dist/engine/modules/tools/friendRemoveToolBuild.spec.d.ts +2 -0
  109. package/dist/engine/modules/tools/friendRemoveToolBuild.spec.d.ts.map +1 -0
  110. package/dist/engine/modules/tools/friendRemoveToolBuild.spec.js +172 -0
  111. package/dist/engine/modules/tools/friendRemoveToolBuild.spec.js.map +1 -0
  112. package/dist/engine/modules/tools/friendSendToolBuild.d.ts +7 -0
  113. package/dist/engine/modules/tools/friendSendToolBuild.d.ts.map +1 -0
  114. package/dist/engine/modules/tools/friendSendToolBuild.js +101 -0
  115. package/dist/engine/modules/tools/friendSendToolBuild.js.map +1 -0
  116. package/dist/engine/modules/tools/friendSendToolBuild.spec.d.ts +2 -0
  117. package/dist/engine/modules/tools/friendSendToolBuild.spec.d.ts.map +1 -0
  118. package/dist/engine/modules/tools/friendSendToolBuild.spec.js +120 -0
  119. package/dist/engine/modules/tools/friendSendToolBuild.spec.js.map +1 -0
  120. package/dist/engine/modules/tools/friendShareSubuserToolBuild.d.ts +7 -0
  121. package/dist/engine/modules/tools/friendShareSubuserToolBuild.d.ts.map +1 -0
  122. package/dist/engine/modules/tools/friendShareSubuserToolBuild.js +127 -0
  123. package/dist/engine/modules/tools/friendShareSubuserToolBuild.js.map +1 -0
  124. package/dist/engine/modules/tools/friendShareSubuserToolBuild.spec.d.ts +2 -0
  125. package/dist/engine/modules/tools/friendShareSubuserToolBuild.spec.d.ts.map +1 -0
  126. package/dist/engine/modules/tools/friendShareSubuserToolBuild.spec.js +119 -0
  127. package/dist/engine/modules/tools/friendShareSubuserToolBuild.spec.js.map +1 -0
  128. package/dist/engine/modules/tools/friendUnshareSubuserToolBuild.d.ts +7 -0
  129. package/dist/engine/modules/tools/friendUnshareSubuserToolBuild.d.ts.map +1 -0
  130. package/dist/engine/modules/tools/friendUnshareSubuserToolBuild.js +115 -0
  131. package/dist/engine/modules/tools/friendUnshareSubuserToolBuild.js.map +1 -0
  132. package/dist/engine/modules/tools/friendUnshareSubuserToolBuild.spec.d.ts +2 -0
  133. package/dist/engine/modules/tools/friendUnshareSubuserToolBuild.spec.d.ts.map +1 -0
  134. package/dist/engine/modules/tools/friendUnshareSubuserToolBuild.spec.js +100 -0
  135. package/dist/engine/modules/tools/friendUnshareSubuserToolBuild.spec.js.map +1 -0
  136. package/dist/engine/modules/tools/image-generation.d.ts.map +1 -1
  137. package/dist/engine/modules/tools/image-generation.js +26 -10
  138. package/dist/engine/modules/tools/image-generation.js.map +1 -1
  139. package/dist/engine/modules/tools/image-generation.spec.js +13 -10
  140. package/dist/engine/modules/tools/image-generation.spec.js.map +1 -1
  141. package/dist/engine/modules/tools/mermaid-png.d.ts.map +1 -1
  142. package/dist/engine/modules/tools/mermaid-png.js +16 -11
  143. package/dist/engine/modules/tools/mermaid-png.js.map +1 -1
  144. package/dist/engine/modules/tools/mermaid-png.spec.js +20 -24
  145. package/dist/engine/modules/tools/mermaid-png.spec.js.map +1 -1
  146. package/dist/engine/modules/tools/pdf-process.d.ts.map +1 -1
  147. package/dist/engine/modules/tools/pdf-process.js +10 -38
  148. package/dist/engine/modules/tools/pdf-process.js.map +1 -1
  149. package/dist/engine/modules/tools/pdf-process.spec.js +15 -5
  150. package/dist/engine/modules/tools/pdf-process.spec.js.map +1 -1
  151. package/dist/engine/modules/tools/permanentAgentToolBuild.spec.js +5 -13
  152. package/dist/engine/modules/tools/permanentAgentToolBuild.spec.js.map +1 -1
  153. package/dist/engine/modules/tools/send-file.d.ts.map +1 -1
  154. package/dist/engine/modules/tools/send-file.js +20 -11
  155. package/dist/engine/modules/tools/send-file.js.map +1 -1
  156. package/dist/engine/modules/tools/sendUserMessageTool.spec.js +1 -5
  157. package/dist/engine/modules/tools/sendUserMessageTool.spec.js.map +1 -1
  158. package/dist/engine/modules/tools/sessionHistoryToolBuild.spec.js +1 -2
  159. package/dist/engine/modules/tools/sessionHistoryToolBuild.spec.js.map +1 -1
  160. package/dist/engine/modules/tools/signal.spec.js +1 -5
  161. package/dist/engine/modules/tools/signal.spec.js.map +1 -1
  162. package/dist/engine/modules/tools/signalEventsCsvToolBuild.spec.js +1 -5
  163. package/dist/engine/modules/tools/signalEventsCsvToolBuild.spec.js.map +1 -1
  164. package/dist/engine/modules/tools/signalSubscribeToolBuild.spec.js +1 -5
  165. package/dist/engine/modules/tools/signalSubscribeToolBuild.spec.js.map +1 -1
  166. package/dist/engine/modules/tools/signalUnsubscribeToolBuild.spec.js +1 -5
  167. package/dist/engine/modules/tools/signalUnsubscribeToolBuild.spec.js.map +1 -1
  168. package/dist/engine/modules/tools/skillToolBuild.js +3 -3
  169. package/dist/engine/modules/tools/skillToolBuild.js.map +1 -1
  170. package/dist/engine/modules/tools/skillToolBuild.spec.js +12 -9
  171. package/dist/engine/modules/tools/skillToolBuild.spec.js.map +1 -1
  172. package/dist/engine/modules/tools/subuserConfigureToolBuild.spec.js +1 -2
  173. package/dist/engine/modules/tools/subuserConfigureToolBuild.spec.js.map +1 -1
  174. package/dist/engine/modules/tools/subuserCreateToolBuild.spec.js +1 -2
  175. package/dist/engine/modules/tools/subuserCreateToolBuild.spec.js.map +1 -1
  176. package/dist/engine/modules/tools/subuserListToolBuild.spec.js +1 -2
  177. package/dist/engine/modules/tools/subuserListToolBuild.spec.js.map +1 -1
  178. package/dist/engine/modules/tools/topologyToolBuild.d.ts.map +1 -1
  179. package/dist/engine/modules/tools/topologyToolBuild.js +111 -2
  180. package/dist/engine/modules/tools/topologyToolBuild.js.map +1 -1
  181. package/dist/engine/modules/tools/topologyToolBuild.spec.js +99 -2
  182. package/dist/engine/modules/tools/topologyToolBuild.spec.js.map +1 -1
  183. package/dist/engine/modules/tools/types.d.ts +3 -4
  184. package/dist/engine/modules/tools/types.d.ts.map +1 -1
  185. package/dist/plugins/dashboard/site/404.html +1 -1
  186. package/dist/plugins/dashboard/site/agent.html +1 -1
  187. package/dist/plugins/dashboard/site/agent.txt +1 -1
  188. package/dist/plugins/dashboard/site/agents.html +1 -1
  189. package/dist/plugins/dashboard/site/agents.txt +1 -1
  190. package/dist/plugins/dashboard/site/automations.html +1 -1
  191. package/dist/plugins/dashboard/site/automations.txt +1 -1
  192. package/dist/plugins/dashboard/site/connectors.html +1 -1
  193. package/dist/plugins/dashboard/site/connectors.txt +1 -1
  194. package/dist/plugins/dashboard/site/index.html +1 -1
  195. package/dist/plugins/dashboard/site/index.txt +1 -1
  196. package/dist/plugins/dashboard/site/memory.html +1 -1
  197. package/dist/plugins/dashboard/site/memory.txt +1 -1
  198. package/dist/plugins/dashboard/site/processes.html +1 -1
  199. package/dist/plugins/dashboard/site/processes.txt +1 -1
  200. package/dist/plugins/dashboard/site/providers.html +1 -1
  201. package/dist/plugins/dashboard/site/providers.txt +1 -1
  202. package/dist/plugins/dashboard/site/signals.html +1 -1
  203. package/dist/plugins/dashboard/site/signals.txt +1 -1
  204. package/dist/plugins/dashboard/site/telemetry.html +1 -1
  205. package/dist/plugins/dashboard/site/telemetry.txt +1 -1
  206. package/dist/plugins/dashboard/site/tools.html +1 -1
  207. package/dist/plugins/dashboard/site/tools.txt +1 -1
  208. package/dist/plugins/database/__tests__/plugin.spec.js +4 -2
  209. package/dist/plugins/database/__tests__/plugin.spec.js.map +1 -1
  210. package/dist/plugins/monty-python/tool.spec.js +1 -2
  211. package/dist/plugins/monty-python/tool.spec.js.map +1 -1
  212. package/dist/plugins/shell/processTools.js +1 -1
  213. package/dist/plugins/shell/processTools.js.map +1 -1
  214. package/dist/plugins/shell/processTools.spec.js +2 -3
  215. package/dist/plugins/shell/processTools.spec.js.map +1 -1
  216. package/dist/plugins/shell/tool.d.ts.map +1 -1
  217. package/dist/plugins/shell/tool.js +90 -486
  218. package/dist/plugins/shell/tool.js.map +1 -1
  219. package/dist/plugins/shell/tool.spec.js +11 -20
  220. package/dist/plugins/shell/tool.spec.js.map +1 -1
  221. package/dist/prompts/SYSTEM_ENVIRONMENT.md +6 -0
  222. package/dist/prompts/SYSTEM_MEMORY.md +4 -4
  223. package/dist/prompts/SYSTEM_PERMISSIONS.md +3 -19
  224. package/dist/sandbox/docker/dockerContainerEnsure.d.ts +8 -0
  225. package/dist/sandbox/docker/dockerContainerEnsure.d.ts.map +1 -0
  226. package/dist/sandbox/docker/dockerContainerEnsure.js +56 -0
  227. package/dist/sandbox/docker/dockerContainerEnsure.js.map +1 -0
  228. package/dist/sandbox/docker/dockerContainerEnsure.spec.d.ts +2 -0
  229. package/dist/sandbox/docker/dockerContainerEnsure.spec.d.ts.map +1 -0
  230. package/dist/sandbox/docker/dockerContainerEnsure.spec.js +66 -0
  231. package/dist/sandbox/docker/dockerContainerEnsure.spec.js.map +1 -0
  232. package/dist/sandbox/docker/dockerContainerExec.d.ts +8 -0
  233. package/dist/sandbox/docker/dockerContainerExec.d.ts.map +1 -0
  234. package/dist/sandbox/docker/dockerContainerExec.js +109 -0
  235. package/dist/sandbox/docker/dockerContainerExec.js.map +1 -0
  236. package/dist/sandbox/docker/dockerContainerExec.spec.d.ts +2 -0
  237. package/dist/sandbox/docker/dockerContainerExec.spec.d.ts.map +1 -0
  238. package/dist/sandbox/docker/dockerContainerExec.spec.js +75 -0
  239. package/dist/sandbox/docker/dockerContainerExec.spec.js.map +1 -0
  240. package/dist/sandbox/docker/dockerContainerNameBuild.d.ts +6 -0
  241. package/dist/sandbox/docker/dockerContainerNameBuild.d.ts.map +1 -0
  242. package/dist/sandbox/docker/dockerContainerNameBuild.js +15 -0
  243. package/dist/sandbox/docker/dockerContainerNameBuild.js.map +1 -0
  244. package/dist/sandbox/docker/dockerContainerNameBuild.spec.d.ts +2 -0
  245. package/dist/sandbox/docker/dockerContainerNameBuild.spec.d.ts.map +1 -0
  246. package/dist/sandbox/docker/dockerContainerNameBuild.spec.js +17 -0
  247. package/dist/sandbox/docker/dockerContainerNameBuild.spec.js.map +1 -0
  248. package/dist/sandbox/docker/dockerContainers.d.ts +13 -0
  249. package/dist/sandbox/docker/dockerContainers.d.ts.map +1 -0
  250. package/dist/sandbox/docker/dockerContainers.js +42 -0
  251. package/dist/sandbox/docker/dockerContainers.js.map +1 -0
  252. package/dist/sandbox/docker/dockerContainersShared.d.ts +3 -0
  253. package/dist/sandbox/docker/dockerContainersShared.d.ts.map +1 -0
  254. package/dist/sandbox/docker/dockerContainersShared.js +3 -0
  255. package/dist/sandbox/docker/dockerContainersShared.js.map +1 -0
  256. package/dist/sandbox/docker/dockerRunInSandbox.d.ts +19 -0
  257. package/dist/sandbox/docker/dockerRunInSandbox.d.ts.map +1 -0
  258. package/dist/sandbox/docker/dockerRunInSandbox.integration.spec.d.ts +2 -0
  259. package/dist/sandbox/docker/dockerRunInSandbox.integration.spec.d.ts.map +1 -0
  260. package/dist/sandbox/docker/dockerRunInSandbox.integration.spec.js +143 -0
  261. package/dist/sandbox/docker/dockerRunInSandbox.integration.spec.js.map +1 -0
  262. package/dist/sandbox/docker/dockerRunInSandbox.js +117 -0
  263. package/dist/sandbox/docker/dockerRunInSandbox.js.map +1 -0
  264. package/dist/sandbox/docker/dockerRunInSandbox.spec.d.ts +2 -0
  265. package/dist/sandbox/docker/dockerRunInSandbox.spec.d.ts.map +1 -0
  266. package/dist/sandbox/docker/dockerRunInSandbox.spec.js +127 -0
  267. package/dist/sandbox/docker/dockerRunInSandbox.spec.js.map +1 -0
  268. package/dist/sandbox/docker/dockerTypes.d.ts +23 -0
  269. package/dist/sandbox/docker/dockerTypes.d.ts.map +1 -0
  270. package/dist/sandbox/docker/dockerTypes.js +2 -0
  271. package/dist/sandbox/docker/dockerTypes.js.map +1 -0
  272. package/dist/sandbox/sandbox.d.ts +28 -0
  273. package/dist/sandbox/sandbox.d.ts.map +1 -0
  274. package/dist/sandbox/sandbox.js +499 -0
  275. package/dist/sandbox/sandbox.js.map +1 -0
  276. package/dist/sandbox/sandbox.spec.d.ts +2 -0
  277. package/dist/sandbox/sandbox.spec.d.ts.map +1 -0
  278. package/dist/sandbox/sandbox.spec.js +167 -0
  279. package/dist/sandbox/sandbox.spec.js.map +1 -0
  280. package/dist/sandbox/sandboxCanRead.d.ts.map +1 -1
  281. package/dist/sandbox/sandboxCanRead.js +6 -6
  282. package/dist/sandbox/sandboxCanRead.js.map +1 -1
  283. package/dist/sandbox/sandboxCanRead.spec.js +15 -7
  284. package/dist/sandbox/sandboxCanRead.spec.js.map +1 -1
  285. package/dist/sandbox/sandboxCanWrite.d.ts.map +1 -1
  286. package/dist/sandbox/sandboxCanWrite.js +25 -0
  287. package/dist/sandbox/sandboxCanWrite.js.map +1 -1
  288. package/dist/sandbox/sandboxCanWrite.spec.js +6 -1
  289. package/dist/sandbox/sandboxCanWrite.spec.js.map +1 -1
  290. package/dist/sandbox/sandboxDocker.spec.d.ts +2 -0
  291. package/dist/sandbox/sandboxDocker.spec.d.ts.map +1 -0
  292. package/dist/sandbox/sandboxDocker.spec.js +121 -0
  293. package/dist/sandbox/sandboxDocker.spec.js.map +1 -0
  294. package/dist/sandbox/sandboxFilesystemPolicyBuild.d.ts +1 -1
  295. package/dist/sandbox/sandboxFilesystemPolicyBuild.d.ts.map +1 -1
  296. package/dist/sandbox/sandboxFilesystemPolicyBuild.js +14 -6
  297. package/dist/sandbox/sandboxFilesystemPolicyBuild.js.map +1 -1
  298. package/dist/sandbox/sandboxFilesystemPolicyBuild.spec.js +7 -2
  299. package/dist/sandbox/sandboxFilesystemPolicyBuild.spec.js.map +1 -1
  300. package/dist/sandbox/sandboxPathContainerToHost.d.ts +6 -0
  301. package/dist/sandbox/sandboxPathContainerToHost.d.ts.map +1 -0
  302. package/dist/sandbox/sandboxPathContainerToHost.js +24 -0
  303. package/dist/sandbox/sandboxPathContainerToHost.js.map +1 -0
  304. package/dist/sandbox/sandboxPathContainerToHost.spec.d.ts +2 -0
  305. package/dist/sandbox/sandboxPathContainerToHost.spec.d.ts.map +1 -0
  306. package/dist/sandbox/sandboxPathContainerToHost.spec.js +25 -0
  307. package/dist/sandbox/sandboxPathContainerToHost.spec.js.map +1 -0
  308. package/dist/sandbox/sandboxPathHostToContainer.d.ts +6 -0
  309. package/dist/sandbox/sandboxPathHostToContainer.d.ts.map +1 -0
  310. package/dist/sandbox/sandboxPathHostToContainer.js +23 -0
  311. package/dist/sandbox/sandboxPathHostToContainer.js.map +1 -0
  312. package/dist/sandbox/sandboxPathHostToContainer.spec.d.ts +2 -0
  313. package/dist/sandbox/sandboxPathHostToContainer.spec.d.ts.map +1 -0
  314. package/dist/sandbox/sandboxPathHostToContainer.spec.js +32 -0
  315. package/dist/sandbox/sandboxPathHostToContainer.spec.js.map +1 -0
  316. package/dist/sandbox/sandboxReadBoundaryDenyPathsBuild.d.ts +11 -0
  317. package/dist/sandbox/sandboxReadBoundaryDenyPathsBuild.d.ts.map +1 -0
  318. package/dist/sandbox/sandboxReadBoundaryDenyPathsBuild.js +20 -0
  319. package/dist/sandbox/sandboxReadBoundaryDenyPathsBuild.js.map +1 -0
  320. package/dist/sandbox/sandboxReadBoundaryDenyPathsBuild.spec.d.ts +2 -0
  321. package/dist/sandbox/sandboxReadBoundaryDenyPathsBuild.spec.d.ts.map +1 -0
  322. package/dist/sandbox/sandboxReadBoundaryDenyPathsBuild.spec.js +20 -0
  323. package/dist/sandbox/sandboxReadBoundaryDenyPathsBuild.spec.js.map +1 -0
  324. package/dist/sandbox/sandboxReadDenyPathsBuild.d.ts +13 -0
  325. package/dist/sandbox/sandboxReadDenyPathsBuild.d.ts.map +1 -0
  326. package/dist/sandbox/sandboxReadDenyPathsBuild.js +28 -0
  327. package/dist/sandbox/sandboxReadDenyPathsBuild.js.map +1 -0
  328. package/dist/sandbox/sandboxReadDenyPathsBuild.spec.d.ts +2 -0
  329. package/dist/sandbox/sandboxReadDenyPathsBuild.spec.d.ts.map +1 -0
  330. package/dist/sandbox/sandboxReadDenyPathsBuild.spec.js +29 -0
  331. package/dist/sandbox/sandboxReadDenyPathsBuild.spec.js.map +1 -0
  332. package/dist/sandbox/sandboxTypes.d.ts +76 -0
  333. package/dist/sandbox/sandboxTypes.d.ts.map +1 -0
  334. package/dist/sandbox/sandboxTypes.js +2 -0
  335. package/dist/sandbox/sandboxTypes.js.map +1 -0
  336. package/dist/settings.d.ts +17 -1
  337. package/dist/settings.d.ts.map +1 -1
  338. package/dist/settings.js.map +1 -1
  339. package/dist/skills/daycare-friendship/SKILL.md +295 -0
  340. package/dist/skills/skills/daycare-friendship/SKILL.md +295 -0
  341. package/dist/storage/agentsRepository.d.ts +1 -0
  342. package/dist/storage/agentsRepository.d.ts.map +1 -1
  343. package/dist/storage/agentsRepository.js +16 -0
  344. package/dist/storage/agentsRepository.js.map +1 -1
  345. package/dist/storage/agentsRepository.spec.js +45 -0
  346. package/dist/storage/agentsRepository.spec.js.map +1 -1
  347. package/dist/storage/connectionsRepository.d.ts +18 -0
  348. package/dist/storage/connectionsRepository.d.ts.map +1 -0
  349. package/dist/storage/connectionsRepository.js +163 -0
  350. package/dist/storage/connectionsRepository.js.map +1 -0
  351. package/dist/storage/connectionsRepository.spec.d.ts +2 -0
  352. package/dist/storage/connectionsRepository.spec.d.ts.map +1 -0
  353. package/dist/storage/connectionsRepository.spec.js +115 -0
  354. package/dist/storage/connectionsRepository.spec.js.map +1 -0
  355. package/dist/storage/databaseTypes.d.ts +19 -0
  356. package/dist/storage/databaseTypes.d.ts.map +1 -1
  357. package/dist/storage/migrations/20260222_add_usertag_connections.d.ts +7 -0
  358. package/dist/storage/migrations/20260222_add_usertag_connections.d.ts.map +1 -0
  359. package/dist/storage/migrations/20260222_add_usertag_connections.js +32 -0
  360. package/dist/storage/migrations/20260222_add_usertag_connections.js.map +1 -0
  361. package/dist/storage/migrations/20260222_add_usertag_connections.spec.d.ts +2 -0
  362. package/dist/storage/migrations/20260222_add_usertag_connections.spec.d.ts.map +1 -0
  363. package/dist/storage/migrations/20260222_add_usertag_connections.spec.js +55 -0
  364. package/dist/storage/migrations/20260222_add_usertag_connections.spec.js.map +1 -0
  365. package/dist/storage/migrations/20260225_require_usertag.d.ts +7 -0
  366. package/dist/storage/migrations/20260225_require_usertag.d.ts.map +1 -0
  367. package/dist/storage/migrations/20260225_require_usertag.js +60 -0
  368. package/dist/storage/migrations/20260225_require_usertag.js.map +1 -0
  369. package/dist/storage/migrations/20260225_require_usertag.spec.d.ts +2 -0
  370. package/dist/storage/migrations/20260225_require_usertag.spec.d.ts.map +1 -0
  371. package/dist/storage/migrations/20260225_require_usertag.spec.js +70 -0
  372. package/dist/storage/migrations/20260225_require_usertag.spec.js.map +1 -0
  373. package/dist/storage/migrations/20260226_rename_usertag_to_nametag.d.ts +7 -0
  374. package/dist/storage/migrations/20260226_rename_usertag_to_nametag.d.ts.map +1 -0
  375. package/dist/storage/migrations/20260226_rename_usertag_to_nametag.js +47 -0
  376. package/dist/storage/migrations/20260226_rename_usertag_to_nametag.js.map +1 -0
  377. package/dist/storage/migrations/20260226_rename_usertag_to_nametag.spec.d.ts +2 -0
  378. package/dist/storage/migrations/20260226_rename_usertag_to_nametag.spec.d.ts.map +1 -0
  379. package/dist/storage/migrations/20260226_rename_usertag_to_nametag.spec.js +59 -0
  380. package/dist/storage/migrations/20260226_rename_usertag_to_nametag.spec.js.map +1 -0
  381. package/dist/storage/migrations/_migrations.d.ts.map +1 -1
  382. package/dist/storage/migrations/_migrations.js +7 -1
  383. package/dist/storage/migrations/_migrations.js.map +1 -1
  384. package/dist/storage/storage.d.ts +3 -0
  385. package/dist/storage/storage.d.ts.map +1 -1
  386. package/dist/storage/storage.js +35 -3
  387. package/dist/storage/storage.js.map +1 -1
  388. package/dist/storage/storage.spec.js +1 -0
  389. package/dist/storage/storage.spec.js.map +1 -1
  390. package/dist/storage/usersRepository.d.ts +2 -0
  391. package/dist/storage/usersRepository.d.ts.map +1 -1
  392. package/dist/storage/usersRepository.js +63 -3
  393. package/dist/storage/usersRepository.js.map +1 -1
  394. package/dist/storage/usersRepository.spec.js +9 -2
  395. package/dist/storage/usersRepository.spec.js.map +1 -1
  396. package/dist/types.d.ts +2 -0
  397. package/dist/types.d.ts.map +1 -1
  398. package/dist/types.js +2 -0
  399. package/dist/types.js.map +1 -1
  400. package/package.json +6 -3
  401. /package/dist/plugins/dashboard/site/_next/static/{X_oqQhoSTmj1_qmNPx-r5 → fEfvfa55gmpjx9cT66rjx}/_buildManifest.js +0 -0
  402. /package/dist/plugins/dashboard/site/_next/static/{X_oqQhoSTmj1_qmNPx-r5 → fEfvfa55gmpjx9cT66rjx}/_ssgManifest.js +0 -0
@@ -0,0 +1,167 @@
1
+ import { promises as fs } from "node:fs";
2
+ import os from "node:os";
3
+ import path from "node:path";
4
+ import { afterEach, beforeEach, describe, expect, it } from "vitest";
5
+ import { Sandbox } from "./sandbox.js";
6
+ const itIfSandbox = process.env.CI ? it.skip : it;
7
+ describe("Sandbox", () => {
8
+ let rootDir;
9
+ let homeDir;
10
+ let workingDir;
11
+ let writeDir;
12
+ let outsideDir;
13
+ let permissions;
14
+ let sandbox;
15
+ beforeEach(async () => {
16
+ rootDir = await fs.mkdtemp(path.join(os.tmpdir(), "daycare-sandbox-"));
17
+ homeDir = path.join(rootDir, "home");
18
+ workingDir = path.join(homeDir, "desktop");
19
+ writeDir = path.join(homeDir, "documents");
20
+ outsideDir = path.join(rootDir, "outside");
21
+ await fs.mkdir(workingDir, { recursive: true });
22
+ await fs.mkdir(writeDir, { recursive: true });
23
+ await fs.mkdir(outsideDir, { recursive: true });
24
+ permissions = {
25
+ workingDir,
26
+ writeDirs: [homeDir]
27
+ };
28
+ sandbox = new Sandbox({
29
+ homeDir,
30
+ permissions
31
+ });
32
+ });
33
+ afterEach(async () => {
34
+ await fs.rm(rootDir, { recursive: true, force: true });
35
+ });
36
+ it("stores homeDir and resolves workingDir from permissions", () => {
37
+ expect(sandbox.homeDir).toBe(path.resolve(homeDir));
38
+ expect(sandbox.workingDir).toBe(path.resolve(workingDir));
39
+ expect(sandbox.permissions).toBe(permissions);
40
+ });
41
+ it("uses workingDir from permissions only", () => {
42
+ const fromPermissions = new Sandbox({
43
+ homeDir,
44
+ permissions: {
45
+ ...permissions,
46
+ workingDir: writeDir
47
+ }
48
+ });
49
+ expect(fromPermissions.workingDir).toBe(path.resolve(writeDir));
50
+ });
51
+ it("reads text with pagination", async () => {
52
+ const filePath = path.join(workingDir, "notes.txt");
53
+ await fs.writeFile(filePath, "line-1\nline-2\nline-3", "utf8");
54
+ const firstRead = await sandbox.read({ path: filePath, limit: 2 });
55
+ expect(firstRead.type).toBe("text");
56
+ if (firstRead.type !== "text") {
57
+ return;
58
+ }
59
+ expect(firstRead.content).toContain("line-1\nline-2");
60
+ expect(firstRead.content).toContain("Use offset=3 to continue.");
61
+ expect(firstRead.truncated).toBe(false);
62
+ const secondRead = await sandbox.read({ path: filePath, offset: 3, limit: 1 });
63
+ if (secondRead.type !== "text") {
64
+ throw new Error("Expected text read result.");
65
+ }
66
+ expect(secondRead.content).toContain("line-3");
67
+ });
68
+ it("reads image files as binary image payloads", async () => {
69
+ const imagePath = path.join(workingDir, "image.png");
70
+ const oneByOnePngBase64 = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/x8AAwMCAO5L5f8AAAAASUVORK5CYII=";
71
+ await fs.writeFile(imagePath, Buffer.from(oneByOnePngBase64, "base64"));
72
+ const read = await sandbox.read({ path: imagePath });
73
+ expect(read.type).toBe("image");
74
+ if (read.type !== "image") {
75
+ return;
76
+ }
77
+ expect(read.mimeType).toBe("image/png");
78
+ expect(read.content.length).toBeGreaterThan(0);
79
+ });
80
+ it("rejects reading symbolic links", async () => {
81
+ const target = path.join(workingDir, "target.txt");
82
+ const symlink = path.join(workingDir, "link.txt");
83
+ await fs.writeFile(target, "data", "utf8");
84
+ await fs.symlink(target, symlink);
85
+ await expect(sandbox.read({ path: symlink })).rejects.toThrow("Cannot read symbolic link directly.");
86
+ });
87
+ it("rejects non-app access to app directories", async () => {
88
+ const appPath = path.join(workingDir, "apps", "my-app", "APP.md");
89
+ await fs.mkdir(path.dirname(appPath), { recursive: true });
90
+ await fs.writeFile(appPath, "app", "utf8");
91
+ await expect(sandbox.read({ path: appPath })).rejects.toThrow("App directories are not accessible from non-app agents.");
92
+ });
93
+ it("writes new files and creates parent directories", async () => {
94
+ const outputPath = path.join(writeDir, "nested", "out.txt");
95
+ const writeResult = await sandbox.write({
96
+ path: outputPath,
97
+ content: "hello"
98
+ });
99
+ expect(writeResult.bytes).toBe(5);
100
+ expect(writeResult.resolvedPath).toBe(await fs.realpath(outputPath));
101
+ expect(writeResult.sandboxPath).toBe("~/documents/nested/out.txt");
102
+ await expect(fs.readFile(outputPath, "utf8")).resolves.toBe("hello");
103
+ });
104
+ it("appends to files when append is true", async () => {
105
+ const outputPath = path.join(writeDir, "append.txt");
106
+ await fs.writeFile(outputPath, "start", "utf8");
107
+ await sandbox.write({
108
+ path: outputPath,
109
+ content: "-end",
110
+ append: true
111
+ });
112
+ await expect(fs.readFile(outputPath, "utf8")).resolves.toBe("start-end");
113
+ });
114
+ it("rejects writing outside granted directories", async () => {
115
+ const outputPath = path.join(outsideDir, "out.txt");
116
+ await expect(sandbox.write({ path: outputPath, content: "nope" })).rejects.toThrow("Path is outside the allowed directories.");
117
+ });
118
+ it("rejects writing to symbolic links", async () => {
119
+ const target = path.join(writeDir, "target.txt");
120
+ const symlink = path.join(writeDir, "link.txt");
121
+ await fs.writeFile(target, "data", "utf8");
122
+ await fs.symlink(target, symlink);
123
+ await expect(sandbox.write({ path: symlink, content: "overwrite" })).rejects.toThrow("Cannot write to symbolic link.");
124
+ });
125
+ it("reads binary content when binary mode is enabled", async () => {
126
+ const binaryPath = path.join(workingDir, "file.bin");
127
+ await fs.writeFile(binaryPath, Buffer.from([0, 1, 2, 3]));
128
+ const read = await sandbox.read({ path: binaryPath, binary: true });
129
+ expect(read.type).toBe("binary");
130
+ if (read.type !== "binary") {
131
+ return;
132
+ }
133
+ expect(read.content.equals(Buffer.from([0, 1, 2, 3]))).toBe(true);
134
+ });
135
+ it("validates domain allowlist before execution", async () => {
136
+ await expect(sandbox.exec({
137
+ command: "echo ok"
138
+ })).rejects.toThrow("allowedDomains must include at least one explicit domain");
139
+ });
140
+ it("rejects wildcard domains", async () => {
141
+ await expect(sandbox.exec({
142
+ command: "echo ok",
143
+ allowedDomains: ["*"]
144
+ })).rejects.toThrow("Wildcard");
145
+ });
146
+ itIfSandbox("executes command with explicit domains", async () => {
147
+ const result = await sandbox.exec({
148
+ command: "echo ok",
149
+ allowedDomains: ["example.com"]
150
+ });
151
+ expect(result.failed).toBe(false);
152
+ expect(result.stdout).toContain("ok");
153
+ expect(result.exitCode).toBe(0);
154
+ });
155
+ itIfSandbox("supports cwd override", async () => {
156
+ const cwd = path.join(workingDir, "cwd");
157
+ await fs.mkdir(cwd, { recursive: true });
158
+ const result = await sandbox.exec({
159
+ command: "pwd",
160
+ cwd,
161
+ allowedDomains: ["example.com"]
162
+ });
163
+ expect(result.failed).toBe(false);
164
+ expect(result.cwd).toBe(cwd);
165
+ });
166
+ });
167
+ //# sourceMappingURL=sandbox.spec.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sandbox.spec.js","sourceRoot":"","sources":["../../sources/sandbox/sandbox.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAGrE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;AAElD,QAAQ,CAAC,SAAS,EAAE,GAAG,EAAE;IACrB,IAAI,OAAe,CAAC;IACpB,IAAI,OAAe,CAAC;IACpB,IAAI,UAAkB,CAAC;IACvB,IAAI,QAAgB,CAAC;IACrB,IAAI,UAAkB,CAAC;IACvB,IAAI,WAA+B,CAAC;IACpC,IAAI,OAAgB,CAAC;IAErB,UAAU,CAAC,KAAK,IAAI,EAAE;QAClB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC,CAAC;QACvE,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACrC,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC3C,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC3C,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC3C,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,MAAM,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEhD,WAAW,GAAG;YACV,UAAU;YACV,SAAS,EAAE,CAAC,OAAO,CAAC;SACvB,CAAC;QAEF,OAAO,GAAG,IAAI,OAAO,CAAC;YAClB,OAAO;YACP,WAAW;SACd,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QAC/D,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;QACpD,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;QAC1D,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC7C,MAAM,eAAe,GAAG,IAAI,OAAO,CAAC;YAChC,OAAO;YACP,WAAW,EAAE;gBACT,GAAG,WAAW;gBACd,UAAU,EAA
E,QAAQ;aACvB;SACJ,CAAC,CAAC;QACH,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QACpD,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,wBAAwB,EAAE,MAAM,CAAC,CAAC;QAE/D,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QACnE,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACpC,IAAI,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC5B,OAAO;QACX,CAAC;QACD,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QACtD,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,2BAA2B,CAAC,CAAC;QACjE,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAExC,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAC;QAC/E,IAAI,UAAU,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAClD,CAAC;QACD,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QACrD,MAAM,iBAAiB,GACnB,8FAA8F,CAAC;QACnG,MAAM,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,QAAQ,CAAC,CAAC,CAAC;QAExE,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChC,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YACxB,OAAO;QACX,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QACnD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAElC,MAAM,MAAM,CAAC,OAAO,CAAC,IAA
I,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC;IACzG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAClE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAE3C,MAAM,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACzD,yDAAyD,CAC5D,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;QAE5D,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC;YACpC,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,OAAO;SACnB,CAAC,CAAC;QACH,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;QACrE,MAAM,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QACnE,MAAM,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QACrD,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;QAEhD,MAAM,OAAO,CAAC,KAAK,CAAC;YAChB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,MAAM;YACf,MAAM,EAAE,IAAI;SACf,CAAC,CAAC;QAEH,MAAM,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;QACpD,MAAM,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC9E,0CAA0C,CAC7C,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAChD,MAAM,EAAE,CAAC,SAAS,CAAC,M
AAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAElC,MAAM,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAChF,gCAAgC,CACnC,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QACrD,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAE1D,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QACpE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACzB,OAAO;QACX,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,MAAM,CACR,OAAO,CAAC,IAAI,CAAC;YACT,OAAO,EAAE,SAAS;SACrB,CAAC,CACL,CAAC,OAAO,CAAC,OAAO,CAAC,0DAA0D,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;QACtC,MAAM,MAAM,CACR,OAAO,CAAC,IAAI,CAAC;YACT,OAAO,EAAE,SAAS;YAClB,cAAc,EAAE,CAAC,GAAG,CAAC;SACxB,CAAC,CACL,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,WAAW,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YAC9B,OAAO,EAAE,SAAS;YAClB,cAAc,EAAE,CAAC,aAAa,CAAC;SAClC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,WAAW,CAAC,uBAAuB,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QACzC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEzC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YAC9B,OAAO,EAAE,KAAK;YACd,GAAG;YACH,cAAc,EAAE,CAAC,aAAa,CAAC;SAClC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CA
AC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"sandboxCanRead.d.ts","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanRead.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAMlD;;;GAGG;AACH,wBAAsB,cAAc,CAAC,WAAW,EAAE,kBAAkB,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAyBrG"}
1
+ {"version":3,"file":"sandboxCanRead.d.ts","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanRead.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAOlD;;;GAGG;AACH,wBAAsB,cAAc,CAAC,WAAW,EAAE,kBAAkB,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAyBrG"}
@@ -1,16 +1,16 @@
1
1
  import { promises as fs } from "node:fs";
2
- import os from "node:os";
3
2
  import path from "node:path";
4
3
  import { isWithinSecure, pathResolveSecure } from "./pathResolveSecure.js";
5
4
  import { sandboxAppsAccessCheck } from "./sandboxAppsAccessCheck.js";
6
5
  import { sandboxPathDenyCheck } from "./sandboxPathDenyCheck.js";
6
+ import { sandboxReadBoundaryDenyPathsBuild } from "./sandboxReadBoundaryDenyPathsBuild.js";
7
7
  import { sandboxSensitiveDenyPathsBuild } from "./sandboxSensitiveDenyPathsBuild.js";
8
8
  /**
9
9
  * Resolves a read target against the current read allowlist.
10
10
  * Expects: target is an absolute path.
11
11
  */
12
12
  export async function sandboxCanRead(permissions, target) {
13
- // Read uses a broad allowlist, then applies explicit deny-lists to match sandbox safety policy.
13
+ // Read uses a broad allowlist, then applies hard deny-lists.
14
14
  const allowedDirs = [path.parse(target).root];
15
15
  const result = await pathResolveSecure(allowedDirs, target);
16
16
  const access = sandboxAppsAccessCheck(permissions, result.realPath);
@@ -18,16 +18,16 @@ export async function sandboxCanRead(permissions, target) {
18
18
  throw new Error(access.reason ?? "Read access denied.");
19
19
  }
20
20
  if (sandboxPathDenyCheck(result.realPath, sandboxSensitiveDenyPathsBuild())) {
21
- throw new Error("Read access denied for sensitive paths.");
21
+ throw new Error("Read access denied for denied paths.");
22
22
  }
23
- const explicitlyAllowedDirs = [permissions.workingDir, ...permissions.writeDirs, ...(permissions.readDirs ?? [])];
23
+ const explicitlyAllowedDirs = [permissions.workingDir, ...(permissions.readDirs ?? [])];
24
24
  for (const allowedDir of explicitlyAllowedDirs) {
25
25
  if (isWithinSecure(await existingPathResolve(allowedDir), result.realPath)) {
26
26
  return result.realPath;
27
27
  }
28
28
  }
29
- if (isWithinSecure(await existingPathResolve(os.homedir()), result.realPath)) {
30
- throw new Error("Read access denied for OS home paths without explicit permission.");
29
+ if (sandboxPathDenyCheck(result.realPath, sandboxReadBoundaryDenyPathsBuild())) {
30
+ throw new Error("Read access denied for denied paths.");
31
31
  }
32
32
  return result.realPath;
33
33
  }
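Review bot: The comment added at the top of sandboxCanRead calls both lists "hard deny-lists", but only the `sandboxSensitiveDenyPathsBuild()` check is unconditional; the new `sandboxReadBoundaryDenyPathsBuild()` check runs after the loop that returns early for workingDir and readDirs, so an explicit grant overrides it. That precedence is the function's security contract and should be stated, for example `// Sensitive deny-list always applies; the read-boundary deny-list applies only outside workingDir/readDirs.` Both branches also throw the same `"Read access denied for denied paths."`, so a caller or log reader cannot tell which policy rejected the path; a distinct message for the second branch, such as `"Read access denied outside granted read directories."`, would keep that signal (the spec assertions would need to follow). The function body spans both hunks of this file, and the contents of the two deny-list builders are not visible here.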
@@ -1 +1 @@
1
- {"version":3,"file":"sandboxCanRead.js","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanRead.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AAErF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,WAA+B,EAAE,MAAc;IAChF,gGAAgG;IAChG,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,sBAAsB,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,IAAI,qBAAqB,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,8BAA8B,EAAE,CAAC,EAAE,CAAC;QAC1E,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,qBAAqB,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,GAAG,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,WAAW,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAC;IAClH,KAAK,MAAM,UAAU,IAAI,qBAAqB,EAAE,CAAC;QAC7C,IAAI,cAAc,CAAC,MAAM,mBAAmB,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzE,OAAO,MAAM,CAAC,QAAQ,CAAC;QAC3B,CAAC;IACL,CAAC;IAED,IAAI,cAAc,CAAC,MAAM,mBAAmB,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3E,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACzF,CAAC;IAED,OAAO,MAAM,CAAC,QAAQ,CAAC;AAC3B,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,MAAc;IAC7C,IAAI,CAAC;QACD,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;AACL,CAAC"}
1
+ {"version":3,"file":"sandboxCanRead.js","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanRead.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3E,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAC3F,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AAErF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,WAA+B,EAAE,MAAc;IAChF,6DAA6D;IAC7D,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,sBAAsB,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,IAAI,qBAAqB,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,8BAA8B,EAAE,CAAC,EAAE,CAAC;QAC1E,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,qBAAqB,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,GAAG,CAAC,WAAW,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAC;IACxF,KAAK,MAAM,UAAU,IAAI,qBAAqB,EAAE,CAAC;QAC7C,IAAI,cAAc,CAAC,MAAM,mBAAmB,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzE,OAAO,MAAM,CAAC,QAAQ,CAAC;QAC3B,CAAC;IACL,CAAC;IAED,IAAI,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,iCAAiC,EAAE,CAAC,EAAE,CAAC;QAC7E,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC5D,CAAC;IAED,OAAO,MAAM,CAAC,QAAQ,CAAC;AAC3B,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,MAAc;IAC7C,IAAI,CAAC;QACD,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;AACL,CAAC"}
@@ -51,23 +51,22 @@ describe("sandboxCanRead", () => {
51
51
  });
52
52
  it("denies reading sensitive paths", async () => {
53
53
  const permissions = buildPermissions(workingDir, [homeDir]);
54
- await expect(sandboxCanRead(permissions, homeSensitiveFile)).rejects.toThrow("Read access denied for sensitive paths.");
54
+ await expect(sandboxCanRead(permissions, homeSensitiveFile)).rejects.toThrow("Read access denied for denied paths.");
55
55
  });
56
56
  it("denies reading random home-directory files by default", async () => {
57
57
  const permissions = buildPermissions(workingDir, []);
58
- await expect(sandboxCanRead(permissions, homeRandomFile)).rejects.toThrow("Read access denied for OS home paths without explicit permission.");
58
+ await expect(sandboxCanRead(permissions, homeRandomFile)).rejects.toThrow("Read access denied for denied paths.");
59
59
  });
60
- it("allows reading files in workingDir even when workingDir is inside home", async () => {
60
+ it("allows reading files in workingDir when workingDir is inside OS home", async () => {
61
61
  const permissions = buildPermissions(path.join(homeDir, "workspace"), []);
62
62
  const result = await sandboxCanRead(permissions, homeWorkspaceFile);
63
63
  expect(result).toBe(await fs.realpath(homeWorkspaceFile));
64
64
  });
65
- it("allows reading files in explicitly granted writeDirs inside home", async () => {
65
+ it("denies reading files in explicitly granted writeDirs inside OS home", async () => {
66
66
  const permissions = buildPermissions(workingDir, [path.join(homeDir, "allowed")]);
67
- const result = await sandboxCanRead(permissions, homeWriteDirFile);
68
- expect(result).toBe(await fs.realpath(homeWriteDirFile));
67
+ await expect(sandboxCanRead(permissions, homeWriteDirFile)).rejects.toThrow("Read access denied for denied paths.");
69
68
  });
70
- it("allows reading files in explicitly granted readDirs inside home", async () => {
69
+ it("allows reading files in explicitly granted readDirs inside OS home", async () => {
71
70
  const permissions = buildPermissions(workingDir, [], [path.join(homeDir, ".daycare", "skills")]);
72
71
  const result = await sandboxCanRead(permissions, homeReadDirFile);
73
72
  expect(result).toBe(await fs.realpath(homeReadDirFile));
@@ -77,6 +76,15 @@ describe("sandboxCanRead", () => {
77
76
  const result = await sandboxCanRead(permissions, outsideFile);
78
77
  expect(result).toBe(await fs.realpath(outsideFile));
79
78
  });
79
+ it("allows reading files in explicitly granted readDirs outside OS home", async () => {
80
+ const explicitReadDir = path.join(outsideDir, "allowed-read");
81
+ const explicitReadFile = path.join(explicitReadDir, "file.txt");
82
+ await fs.mkdir(explicitReadDir, { recursive: true });
83
+ await fs.writeFile(explicitReadFile, "explicit-read", "utf8");
84
+ const permissions = buildPermissions(workingDir, [], [explicitReadDir]);
85
+ const result = await sandboxCanRead(permissions, explicitReadFile);
86
+ expect(result).toBe(await fs.realpath(explicitReadFile));
87
+ });
80
88
  it("denies non-app agents from reading app directories", async () => {
81
89
  const permissions = buildPermissions(workingDir, [workingDir]);
82
90
  await expect(sandboxCanRead(permissions, appFile)).rejects.toThrow("App directories are not accessible from non-app agents.");
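Review bot: The "denies reading sensitive paths" test still builds its permissions with `buildPermissions(workingDir, [homeDir])`, which grants homeDir as a write directory; since this release no longer treats writeDirs as read grants, the test no longer shows that the sensitive deny-list wins over an explicit grant. Because both deny branches now raise the same message, the assertion would pass even if only the boundary check fired. Passing homeDir as a read grant, `const permissions = buildPermissions(workingDir, [], [homeDir]);`, would pin the precedence again, assuming the third argument is readDirs as the other tests in this file suggest. The enclosing describe block starts and ends outside these hunks.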
@@ -1 +1 @@
1
- {"version":3,"file":"sandboxCanRead.spec.js","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanRead.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAGzE,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC5B,IAAI,UAAkB,CAAC;IACvB,IAAI,UAAkB,CAAC;IACvB,IAAI,WAAmB,CAAC;IACxB,IAAI,OAAe,CAAC;IACpB,IAAI,iBAAyB,CAAC;IAC9B,IAAI,cAAsB,CAAC;IAC3B,IAAI,iBAAyB,CAAC;IAC9B,IAAI,gBAAwB,CAAC;IAC7B,IAAI,eAAuB,CAAC;IAC5B,IAAI,OAAe,CAAC;IACpB,IAAI,YAAoB,CAAC;IAEzB,UAAU,CAAC,KAAK,IAAI,EAAE;QAClB,UAAU,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,6BAA6B,CAAC,CAAC,CAAC;QACrF,UAAU,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,2BAA2B,CAAC,CAAC,CAAC;QACnF,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;QAC7E,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAEjD,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QACnD,MAAM,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;QAE3D,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QACzD,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAClD,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;QACjE,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;QAC7D,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QACnF,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACpE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EA
AE,CAAC,CAAC;QACnE,MAAM,EAAE,CAAC,SAAS,CAAC,iBAAiB,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QAC3D,MAAM,EAAE,CAAC,SAAS,CAAC,cAAc,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,EAAE,CAAC,SAAS,CAAC,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,CAAC,CAAC;QAChE,MAAM,EAAE,CAAC,SAAS,CAAC,gBAAgB,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC;QAC7D,MAAM,EAAE,CAAC,SAAS,CAAC,eAAe,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;QAE1D,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC5D,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QACpE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChE,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC;QACpD,MAAM,EAAE,CAAC,SAAS,CAAC,YAAY,EAAE,oBAAoB,EAAE,MAAM,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,EAAE,CAAC,eAAe,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QAE5D,MAAM,MAAM,CAAC,cAAc,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACxE,yCAAyC,CAC5C,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAErD,MAAM,MAAM,CAAC,cAAc,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACrE,mEAAmE,CACtE,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;QACpF,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,CAAC;QAE1E,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC;QAEpE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;I
AEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;QAElF,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;QAEnE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC;QAEjG,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;QAElE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAErD,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QAE9D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/D,MAAM,MAAM,CAAC,cAAc,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC9D,yDAAyD,CAC5D,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QACnE,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/D,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAE1D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QACnE,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/D,MAAM,MAAM,CAAC,cAAc,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACnE,qDAAqD,CACxD,CAAC;IACN,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC;A
AEH,SAAS,gBAAgB,CAAC,UAAkB,EAAE,SAAmB,EAAE,WAAqB,EAAE;IACtF,OAAO;QACH,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;QACpC,SAAS,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;KACzD,CAAC;AACN,CAAC"}
1
+ {"version":3,"file":"sandboxCanRead.spec.js","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanRead.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAGzE,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC5B,IAAI,UAAkB,CAAC;IACvB,IAAI,UAAkB,CAAC;IACvB,IAAI,WAAmB,CAAC;IACxB,IAAI,OAAe,CAAC;IACpB,IAAI,iBAAyB,CAAC;IAC9B,IAAI,cAAsB,CAAC;IAC3B,IAAI,iBAAyB,CAAC;IAC9B,IAAI,gBAAwB,CAAC;IAC7B,IAAI,eAAuB,CAAC;IAC5B,IAAI,OAAe,CAAC;IACpB,IAAI,YAAoB,CAAC;IAEzB,UAAU,CAAC,KAAK,IAAI,EAAE;QAClB,UAAU,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,6BAA6B,CAAC,CAAC,CAAC;QACrF,UAAU,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,2BAA2B,CAAC,CAAC,CAAC;QACnF,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;QAC7E,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAEjD,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QACnD,MAAM,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;QAE3D,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QACzD,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAClD,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;QACjE,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;QAC7D,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QACnF,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACpE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EA
AE,CAAC,CAAC;QACnE,MAAM,EAAE,CAAC,SAAS,CAAC,iBAAiB,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QAC3D,MAAM,EAAE,CAAC,SAAS,CAAC,cAAc,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,EAAE,CAAC,SAAS,CAAC,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,CAAC,CAAC;QAChE,MAAM,EAAE,CAAC,SAAS,CAAC,gBAAgB,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC;QAC7D,MAAM,EAAE,CAAC,SAAS,CAAC,eAAe,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;QAE1D,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC5D,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QACpE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChE,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC;QACpD,MAAM,EAAE,CAAC,SAAS,CAAC,YAAY,EAAE,oBAAoB,EAAE,MAAM,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,EAAE,CAAC,eAAe,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QAE5D,MAAM,MAAM,CAAC,cAAc,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACxE,sCAAsC,CACzC,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAErD,MAAM,MAAM,CAAC,cAAc,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACrE,sCAAsC,CACzC,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;QAClF,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,CAAC;QAE1E,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC;QAEpE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;I
AEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACjF,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;QAElF,MAAM,MAAM,CAAC,cAAc,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACvE,sCAAsC,CACzC,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC;QAEjG,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;QAElE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACtD,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAErD,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QAE9D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACjF,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;QAC9D,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,EAAE,CAAC,KAAK,CAAC,eAAe,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrD,MAAM,EAAE,CAAC,SAAS,CAAC,gBAAgB,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;QAC9D,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC;QAExE,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;QAEnE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/D,MAAM,MAAM,CAAC,cAAc,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC9D,yDAAyD,CAC5D,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QACnE,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/D,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;
QAE1D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QACnE,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/D,MAAM,MAAM,CAAC,cAAc,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACnE,qDAAqD,CACxD,CAAC;IACN,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,UAAkB,EAAE,SAAmB,EAAE,WAAqB,EAAE;IACtF,OAAO;QACH,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;QACpC,SAAS,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;KACzD,CAAC;AACN,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"sandboxCanWrite.d.ts","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanWrite.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAQlD;;;GAGG;AACH,wBAAsB,eAAe,CAAC,WAAW,EAAE,kBAAkB,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAkBtG"}
1
+ {"version":3,"file":"sandboxCanWrite.d.ts","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanWrite.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AASlD;;;GAGG;AACH,wBAAsB,eAAe,CAAC,WAAW,EAAE,kBAAkB,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAsBtG"}
@@ -1,5 +1,8 @@
1
+ import { promises as fs } from "node:fs";
2
+ import path from "node:path";
1
3
  import { pathResolveSecure } from "./pathResolveSecure.js";
2
4
  import { sandboxAppsAccessCheck } from "./sandboxAppsAccessCheck.js";
5
+ import { sandboxCanRead } from "./sandboxCanRead.js";
3
6
  import { sandboxDangerousFileCheck } from "./sandboxDangerousFileCheck.js";
4
7
  import { sandboxDangerousFilesBuild } from "./sandboxDangerousFilesBuild.js";
5
8
  import { sandboxPathDenyCheck } from "./sandboxPathDenyCheck.js";
@@ -15,6 +18,9 @@ export async function sandboxCanWrite(permissions, target) {
15
18
  if (!access.allowed) {
16
19
  throw new Error(access.reason ?? "Write access denied.");
17
20
  }
21
+ // Require readability of the target (or nearest existing parent) before writes.
22
+ const readCheckTarget = await writableReadCheckTargetResolve(result.realPath);
23
+ await sandboxCanRead(permissions, readCheckTarget);
18
24
  // Keep write behavior aligned with sandbox-runtime deny protections.
19
25
  if (sandboxPathDenyCheck(result.realPath, sandboxSensitiveDenyPathsBuild())) {
20
26
  throw new Error("Write access denied for sensitive paths.");
@@ -24,4 +30,23 @@ export async function sandboxCanWrite(permissions, target) {
24
30
  }
25
31
  return result.realPath;
26
32
  }
33
+ async function writableReadCheckTargetResolve(target) {
34
+ let current = path.resolve(target);
35
+ while (true) {
36
+ try {
37
+ await fs.access(current);
38
+ return current;
39
+ }
40
+ catch (error) {
41
+ if (error.code !== "ENOENT") {
42
+ throw error;
43
+ }
44
+ }
45
+ const parent = path.dirname(current);
46
+ if (parent === current) {
47
+ return current;
48
+ }
49
+ current = parent;
50
+ }
51
+ }
27
52
  //# sourceMappingURL=sandboxCanWrite.js.map
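Review bot: In `writableReadCheckTargetResolve` (third hunk), a target that does not exist yet is replaced by its nearest existing ancestor, so the `sandboxCanRead` call added in the second hunk evaluates the read policy on that ancestor rather than on the path that will be written. If a read-deny rule is narrower than the ancestor (a denied subdirectory that has not been created yet), the new check would pass and only the later `sandboxPathDenyCheck` on `result.realPath` still applies; the rules inside `sandboxCanRead` are not visible here, so this needs confirming. I would document the behaviour above the call, `// For a missing target the read policy is checked on the nearest existing ancestor, not on the target path itself.`, and consider a purely string-based read-deny comparison on `result.realPath` as well. Separately, `fs.access(current)` with no mode only tests existence, and any error code other than `ENOENT` (for example `ENOTDIR`) is rethrown as a raw filesystem error instead of a sandbox denial.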
@@ -1 +1 @@
1
- {"version":3,"file":"sandboxCanWrite.js","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanWrite.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AAErF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,WAA+B,EAAE,MAAc;IACjF,MAAM,WAAW,GAAG,CAAC,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,sBAAsB,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,IAAI,sBAAsB,CAAC,CAAC;IAC7D,CAAC;IAED,qEAAqE;IACrE,IAAI,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,8BAA8B,EAAE,CAAC,EAAE,CAAC;QAC1E,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,yBAAyB,CAAC,MAAM,CAAC,QAAQ,EAAE,0BAA0B,EAAE,CAAC,EAAE,CAAC;QAC3E,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO,MAAM,CAAC,QAAQ,CAAC;AAC3B,CAAC"}
1
+ {"version":3,"file":"sandboxCanWrite.js","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanWrite.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AACrE,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AAErF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,WAA+B,EAAE,MAAc;IACjF,MAAM,WAAW,GAAG,CAAC,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,sBAAsB,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,IAAI,sBAAsB,CAAC,CAAC;IAC7D,CAAC;IAED,gFAAgF;IAChF,MAAM,eAAe,GAAG,MAAM,8BAA8B,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC9E,MAAM,cAAc,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;IAEnD,qEAAqE;IACrE,IAAI,oBAAoB,CAAC,MAAM,CAAC,QAAQ,EAAE,8BAA8B,EAAE,CAAC,EAAE,CAAC;QAC1E,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,yBAAyB,CAAC,MAAM,CAAC,QAAQ,EAAE,0BAA0B,EAAE,CAAC,EAAE,CAAC;QAC3E,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO,MAAM,CAAC,QAAQ,CAAC;AAC3B,CAAC;AAED,KAAK,UAAU,8BAA8B,CAAC,MAAc;IACxD,IAAI,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACnC,OAAO,IAAI,EAAE,CAAC;QACV,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACzB,OAAO,OAAO,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACrD,MAAM,KAAK,CAAC;YAChB,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACrB,OAAO,OAAO,CAAC;QACnB,CAAC;QACD,OAAO,GAAG,MAAM,CAAC;IACrB,CAAC;AACL,CAAC"}
@@ -54,7 +54,12 @@ describe("sandboxCanWrite", () => {
54
54
  });
55
55
  it("denies writing to sensitive paths even when parent is in writeDirs", async () => {
56
56
  const permissions = buildPermissions(workingDir, [homeDir]);
57
- await expect(sandboxCanWrite(permissions, sensitiveFile)).rejects.toThrow("Write access denied for sensitive paths.");
57
+ await expect(sandboxCanWrite(permissions, sensitiveFile)).rejects.toThrow("Read access denied for denied paths.");
58
+ });
59
+ it("denies writes when target path is not readable", async () => {
60
+ const permissions = buildPermissions(workingDir, [homeDir]);
61
+ const target = path.join(homeDir, "notes", "blind-write.txt");
62
+ await expect(sandboxCanWrite(permissions, target)).rejects.toThrow("Read access denied for denied paths.");
58
63
  });
59
64
  it("denies writing dangerous filenames in allowed writeDirs", async () => {
60
65
  const permissions = buildPermissions(workingDir, [outsideDir]);
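Review bot: The changed expectation in "denies writing to sensitive paths even when parent is in writeDirs" now asserts `"Read access denied for denied paths."`, so nothing in this hunk pins the `"Write access denied for sensitive paths."` branch of `sandboxCanWrite` any more. Because the read check now runs first, that branch is reached only for a path that is readable but write-sensitive; a case built on such a path and asserting `rejects.toThrow("Write access denied for sensitive paths.")` would keep the write-side deny list from regressing unnoticed. The new "denies writes when target path is not readable" test would also read better with a comment saying why `homeDir/notes` is unreadable under these permissions, since the reason is not visible in the test itself. The rest of the describe block lies outside the hunk, so an existing test may already cover the first point.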
@@ -1 +1 @@
1
- {"version":3,"file":"sandboxCanWrite.spec.js","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanWrite.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAGzE,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC7B,IAAI,UAAkB,CAAC;IACvB,IAAI,UAAkB,CAAC;IACvB,IAAI,OAAe,CAAC;IACpB,IAAI,aAAqB,CAAC;IAC1B,IAAI,aAAqB,CAAC;IAC1B,IAAI,iBAAyB,CAAC;IAC9B,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,KAAK,IAAI,EAAE;QAClB,UAAU,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,8BAA8B,CAAC,CAAC,CAAC;QACtF,UAAU,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,4BAA4B,CAAC,CAAC,CAAC;QACpF,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,yBAAyB,CAAC,CAAC,CAAC;QAC9E,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QACjD,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,iBAAiB,CAAC,CAAC;QAC9D,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;QACjD,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;QACzE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACjE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrE,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,EAAE,CAAC,eAAe,EAAE,CAAC;IACzB,CAAC,C
AAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QAE7D,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,0CAA0C,CAAC,CAAC;IACnH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QAEnD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAE1D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QAE7D,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAE1D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;IAC1F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QAEpD,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,0CAA0C,CAAC,CAAC;IACnH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QAE5D,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACrE,0CAA0C,CAC7C,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/D,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACrE,yDAAyD,CAC5D,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/D,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC,CAAC,
OAAO,CAAC,OAAO,CACzE,yDAAyD,CAC5D,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;QAE5D,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAE1D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/D,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC/D,yDAAyD,CAC5D,CAAC;IACN,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,UAAkB,EAAE,SAAmB;IAC7D,OAAO;QACH,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;QACpC,SAAS,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;KAC3D,CAAC;AACN,CAAC"}
1
+ {"version":3,"file":"sandboxCanWrite.spec.js","sourceRoot":"","sources":["../../sources/sandbox/sandboxCanWrite.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAGzE,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC7B,IAAI,UAAkB,CAAC;IACvB,IAAI,UAAkB,CAAC;IACvB,IAAI,OAAe,CAAC;IACpB,IAAI,aAAqB,CAAC;IAC1B,IAAI,aAAqB,CAAC;IAC1B,IAAI,iBAAyB,CAAC;IAC9B,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,KAAK,IAAI,EAAE;QAClB,UAAU,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,8BAA8B,CAAC,CAAC,CAAC;QACtF,UAAU,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,4BAA4B,CAAC,CAAC,CAAC;QACpF,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,yBAAyB,CAAC,CAAC,CAAC;QAC9E,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QACjD,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,iBAAiB,CAAC,CAAC;QAC9D,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;QACjD,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;QACzE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACjE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACrE,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,EAAE,CAAC,eAAe,EAAE,CAAC;IACzB,CAAC,C
AAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QAE7D,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,0CAA0C,CAAC,CAAC;IACnH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QACxE,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QAEnD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAE1D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;QAE7D,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAE1D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC;IAC1F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QACrD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QAEpD,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,0CAA0C,CAAC,CAAC;IACnH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QAE5D,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACrE,sCAAsC,CACzC,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,iBAAiB,CAAC,CAAC;QAE9D,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,sCAAsC,CAAC,CAAC;IAC/G,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,C
AAC,CAAC,CAAC;QAE/D,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACrE,yDAAyD,CAC5D,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/D,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACzE,yDAAyD,CAC5D,CAAC;IACN,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;QAE5D,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAE1D,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;IACzF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,WAAW,GAAG,gBAAgB,CAAC,UAAU,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAE/D,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC/D,yDAAyD,CAC5D,CAAC;IACN,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,UAAkB,EAAE,SAAmB;IAC7D,OAAO;QACH,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;QACpC,SAAS,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;KAC3D,CAAC;AACN,CAAC"}
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=sandboxDocker.spec.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sandboxDocker.spec.d.ts","sourceRoot":"","sources":["../../sources/sandbox/sandboxDocker.spec.ts"],"names":[],"mappings":""}
@@ -0,0 +1,121 @@
1
+ import { promises as fs } from "node:fs";
2
+ import os from "node:os";
3
+ import path from "node:path";
4
+ import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
5
+ import { dockerRunInSandbox } from "./docker/dockerRunInSandbox.js";
6
+ import { runInSandbox } from "./runtime.js";
7
+ import { Sandbox } from "./sandbox.js";
8
+ vi.mock("./runtime.js", () => ({
9
+ runInSandbox: vi.fn()
10
+ }));
11
+ vi.mock("./docker/dockerRunInSandbox.js", () => ({
12
+ dockerRunInSandbox: vi.fn()
13
+ }));
14
+ describe("Sandbox docker integration", () => {
15
+ let rootDir;
16
+ let homeDir;
17
+ let workingDir;
18
+ let permissions;
19
+ beforeEach(async () => {
20
+ rootDir = await fs.mkdtemp(path.join(os.tmpdir(), "daycare-sandbox-docker-"));
21
+ homeDir = path.join(rootDir, "home");
22
+ workingDir = path.join(homeDir, "desktop");
23
+ await fs.mkdir(workingDir, { recursive: true });
24
+ await fs.mkdir(path.join(homeDir, "documents"), { recursive: true });
25
+ permissions = {
26
+ workingDir,
27
+ writeDirs: [homeDir]
28
+ };
29
+ vi.mocked(runInSandbox).mockReset();
30
+ vi.mocked(dockerRunInSandbox).mockReset();
31
+ });
32
+ afterEach(async () => {
33
+ await fs.rm(rootDir, { recursive: true, force: true });
34
+ });
35
+ it("uses host runtime when docker is not enabled", async () => {
36
+ vi.mocked(runInSandbox).mockResolvedValue({
37
+ stdout: "host",
38
+ stderr: ""
39
+ });
40
+ const sandbox = new Sandbox({
41
+ homeDir,
42
+ permissions
43
+ });
44
+ const result = await sandbox.exec({
45
+ command: "echo host",
46
+ allowedDomains: ["example.com"]
47
+ });
48
+ expect(result.failed).toBe(false);
49
+ expect(result.stdout).toBe("host");
50
+ expect(runInSandbox).toHaveBeenCalledTimes(1);
51
+ expect(dockerRunInSandbox).not.toHaveBeenCalled();
52
+ });
53
+ it("uses docker runtime when docker is enabled", async () => {
54
+ vi.mocked(dockerRunInSandbox).mockResolvedValue({
55
+ stdout: "docker",
56
+ stderr: ""
57
+ });
58
+ const sandbox = new Sandbox({
59
+ homeDir,
60
+ permissions,
61
+ docker: {
62
+ enabled: true,
63
+ image: "daycare-sandbox",
64
+ tag: "latest",
65
+ userId: "u123"
66
+ }
67
+ });
68
+ const result = await sandbox.exec({
69
+ command: "echo docker",
70
+ allowedDomains: ["example.com"]
71
+ });
72
+ expect(result.failed).toBe(false);
73
+ expect(result.stdout).toBe("docker");
74
+ expect(dockerRunInSandbox).toHaveBeenCalledTimes(1);
75
+ expect(runInSandbox).not.toHaveBeenCalled();
76
+ });
77
+ it("rewrites container read paths back to host paths", async () => {
78
+ const targetPath = path.join(homeDir, "documents", "notes.txt");
79
+ await fs.writeFile(targetPath, "hello", "utf8");
80
+ const sandbox = new Sandbox({
81
+ homeDir,
82
+ permissions,
83
+ docker: {
84
+ enabled: true,
85
+ image: "daycare-sandbox",
86
+ tag: "latest",
87
+ userId: "u123"
88
+ }
89
+ });
90
+ const read = await sandbox.read({
91
+ path: "/home/documents/notes.txt",
92
+ raw: true
93
+ });
94
+ expect(read.type).toBe("text");
95
+ if (read.type !== "text") {
96
+ return;
97
+ }
98
+ expect(read.content).toBe("hello");
99
+ expect(read.resolvedPath).toBe(await fs.realpath(targetPath));
100
+ });
101
+ it("rewrites container write paths back to host paths", async () => {
102
+ const sandbox = new Sandbox({
103
+ homeDir,
104
+ permissions,
105
+ docker: {
106
+ enabled: true,
107
+ image: "daycare-sandbox",
108
+ tag: "latest",
109
+ userId: "u123"
110
+ }
111
+ });
112
+ const result = await sandbox.write({
113
+ path: "/home/documents/output.txt",
114
+ content: "docker-write"
115
+ });
116
+ const outputPath = path.join(homeDir, "documents", "output.txt");
117
+ expect(result.resolvedPath).toBe(await fs.realpath(outputPath));
118
+ await expect(fs.readFile(outputPath, "utf8")).resolves.toBe("docker-write");
119
+ });
120
+ });
121
+ //# sourceMappingURL=sandboxDocker.spec.js.map
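Review bot: The two path-rewrite tests cover only container paths that sit inside the mounted home (`/home/documents/...`); there is no case for a container path that falls outside `/home` or contains `..` segments. For a sandbox boundary the negative case matters most, so I would add something like `it("rejects container paths that resolve outside the mounted home", ...)` asserting that `sandbox.read` and `sandbox.write` never resolve to a host path outside `homeDir`; how `Sandbox` reports that condition is not visible here. The two `exec` tests check only call counts, so `expect(dockerRunInSandbox).toHaveBeenCalledTimes(1)` would still pass if the `docker` settings or `allowedDomains` were dropped on the way to the runtime; an assertion on the call arguments would pin that.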
@@ -0,0 +1 @@
1
+ {"version":3,"file":"sandboxDocker.spec.js","sourceRoot":"","sources":["../../sources/sandbox/sandboxDocker.spec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAGzE,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAEvC,EAAE,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,EAAE,CAAC,CAAC;IAC3B,YAAY,EAAE,EAAE,CAAC,EAAE,EAAE;CACxB,CAAC,CAAC,CAAC;AAEJ,EAAE,CAAC,IAAI,CAAC,gCAAgC,EAAE,GAAG,EAAE,CAAC,CAAC;IAC7C,kBAAkB,EAAE,EAAE,CAAC,EAAE,EAAE;CAC9B,CAAC,CAAC,CAAC;AAEJ,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IACxC,IAAI,OAAe,CAAC;IACpB,IAAI,OAAe,CAAC;IACpB,IAAI,UAAkB,CAAC;IACvB,IAAI,WAA+B,CAAC;IAEpC,UAAU,CAAC,KAAK,IAAI,EAAE;QAClB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,yBAAyB,CAAC,CAAC,CAAC;QAC9E,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACrC,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC3C,MAAM,EAAE,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAErE,WAAW,GAAG;YACV,UAAU;YACV,SAAS,EAAE,CAAC,OAAO,CAAC;SACvB,CAAC;QAEF,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,SAAS,EAAE,CAAC;QACpC,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,SAAS,EAAE,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC1D,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,iBAAiB,CAAC;YACtC,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,EAAE;SACb,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;YACxB,OAAO;YACP,WAAW;SACd,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YAC9B,OAAO,EAAE,WAAW;YACpB,cAAc,EAAE,CAAC,aAAa,CAAC;SAClC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI
,CAAC,KAAK,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACnC,MAAM,CAAC,YAAY,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QAC9C,MAAM,CAAC,kBAAkB,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QACxD,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,iBAAiB,CAAC;YAC5C,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,EAAE;SACb,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;YACxB,OAAO;YACP,WAAW;YACX,MAAM,EAAE;gBACJ,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,iBAAiB;gBACxB,GAAG,EAAE,QAAQ;gBACb,MAAM,EAAE,MAAM;aACjB;SACJ,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YAC9B,OAAO,EAAE,aAAa;YACtB,cAAc,EAAE,CAAC,aAAa,CAAC;SAClC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrC,MAAM,CAAC,kBAAkB,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QACpD,MAAM,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;QAChE,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;QAEhD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;YACxB,OAAO;YACP,WAAW;YACX,MAAM,EAAE;gBACJ,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,iBAAiB;gBACxB,GAAG,EAAE,QAAQ;gBACb,MAAM,EAAE,MAAM;aACjB;SACJ,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YAC5B,IAAI,EAAE,2BAA2B;YACjC,GAAG,EAAE,IAAI;SACZ,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACvB,OAAO;QACX,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACnC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;YACxB,OAAO;YACP,WAAW;YACX,MAAM,EAAE;gBACJ,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,iBAAiB;gBACxB,GAAG,EAAE,QAAQ;gBACb,MAAM,EAAE,MAAM;aACjB;SACJ,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC;YAC/B,IAA
I,EAAE,4BAA4B;YAClC,OAAO,EAAE,cAAc;SAC1B,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;QACjE,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;QAChE,MAAM,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;AACP,CAAC,CAAC,CAAC"}
@@ -10,7 +10,7 @@ type SandboxFilesystemPolicy = {
10
10
  denyWrite: string[];
11
11
  };
12
12
  /**
13
- * Builds sandbox filesystem policy with a default sensitive-path deny list.
13
+ * Builds sandbox filesystem policy with read/write deny-lists.
14
14
  * Expects: permissions paths are already absolute and normalized.
15
15
  */
16
16
  export declare function sandboxFilesystemPolicyBuild(input: SandboxFilesystemPolicyBuildInput): SandboxFilesystemPolicy;
@@ -1 +1 @@
1
- {"version":3,"file":"sandboxFilesystemPolicyBuild.d.ts","sourceRoot":"","sources":["../../sources/sandbox/sandboxFilesystemPolicyBuild.ts"],"names":[],"mappings":"AAKA,KAAK,iCAAiC,GAAG;IACrC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;CAC9B,CAAC;AAEF,KAAK,uBAAuB,GAAG;IAC3B,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,SAAS,EAAE,MAAM,EAAE,CAAC;CACvB,CAAC;AAEF;;;GAGG;AACH,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,iCAAiC,GAAG,uBAAuB,CAmB9G"}
1
+ {"version":3,"file":"sandboxFilesystemPolicyBuild.d.ts","sourceRoot":"","sources":["../../sources/sandbox/sandboxFilesystemPolicyBuild.ts"],"names":[],"mappings":"AAMA,KAAK,iCAAiC,GAAG;IACrC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;CAC9B,CAAC;AAEF,KAAK,uBAAuB,GAAG;IAC3B,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,SAAS,EAAE,MAAM,EAAE,CAAC;CACvB,CAAC;AAEF;;;GAGG;AACH,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,iCAAiC,GAAG,uBAAuB,CA2B9G"}
@@ -1,26 +1,34 @@
1
1
  import path from "node:path";
2
2
  import { sandboxAppsDenyPathsBuild } from "./sandboxAppsDenyPathsBuild.js";
3
+ import { sandboxReadDenyPathsBuild } from "./sandboxReadDenyPathsBuild.js";
3
4
  import { sandboxSensitiveDenyPathsBuild } from "./sandboxSensitiveDenyPathsBuild.js";
4
5
  /**
5
- * Builds sandbox filesystem policy with a default sensitive-path deny list.
6
+ * Builds sandbox filesystem policy with read/write deny-lists.
6
7
  * Expects: permissions paths are already absolute and normalized.
7
8
  */
8
9
  export function sandboxFilesystemPolicyBuild(input) {
9
10
  const allowWrite = dedupeResolvedPaths([...input.writeDirs]);
11
+ const appDenyPaths = sandboxAppsDenyPathsBuild({
12
+ workingDir: input.workingDir ?? ""
13
+ });
10
14
  const denyRead = dedupeResolvedPaths([
15
+ ...sandboxReadDenyPathsBuild({
16
+ homeDir: input.homeDir,
17
+ platform: input.platform
18
+ }),
19
+ ...appDenyPaths
20
+ ]);
21
+ const denyWrite = dedupeResolvedPaths([
11
22
  ...sandboxSensitiveDenyPathsBuild({
12
23
  homeDir: input.homeDir,
13
24
  platform: input.platform
14
25
  }),
15
- ...sandboxAppsDenyPathsBuild({
16
- workingDir: input.workingDir ?? ""
17
- })
26
+ ...appDenyPaths
18
27
  ]);
19
28
  return {
20
29
  denyRead,
21
30
  allowWrite,
22
- // Keep read/write denials aligned to prevent both data exfiltration and tampering.
23
- denyWrite: [...denyRead]
31
+ denyWrite
24
32
  };
25
33
  }
26
34
  function dedupeResolvedPaths(values) {
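Review bot: `denyRead` and `denyWrite` are now built from different sources (`sandboxReadDenyPathsBuild` versus `sandboxSensitiveDenyPathsBuild`), and the removed comment about keeping the two aligned "to prevent both data exfiltration and tampering" has no replacement. Whether every sensitive path is still read-denied depends on `sandboxReadDenyPathsBuild`, which is not shown; if its list is not a superset, paths that remain write-protected become readable from inside the sandbox. I would state the intended relationship above `denyRead`, for example `// denyRead comes from sandboxReadDenyPathsBuild and must still cover every sensitive path in denyWrite.`, and, if that is the intent, back it with a spec asserting each `denyWrite` entry also appears in `denyRead`. `dedupeResolvedPaths` continues outside the hunk.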
@@ -1 +1 @@
1
- {"version":3,"file":"sandboxFilesystemPolicyBuild.js","sourceRoot":"","sources":["../../sources/sandbox/sandboxFilesystemPolicyBuild.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AAerF;;;GAGG;AACH,MAAM,UAAU,4BAA4B,CAAC,KAAwC;IACjF,MAAM,UAAU,GAAG,mBAAmB,CAAC,CAAC,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;IAE7D,MAAM,QAAQ,GAAG,mBAAmB,CAAC;QACjC,GAAG,8BAA8B,CAAC;YAC9B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ;SAC3B,CAAC;QACF,GAAG,yBAAyB,CAAC;YACzB,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE;SACrC,CAAC;KACL,CAAC,CAAC;IAEH,OAAO;QACH,QAAQ;QACR,UAAU;QACV,mFAAmF;QACnF,SAAS,EAAE,CAAC,GAAG,QAAQ,CAAC;KAC3B,CAAC;AACN,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAgB;IACzC,MAAM,QAAQ,GAAG,MAAM;SAClB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;SACnC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IACzC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzC,CAAC"}
1
+ {"version":3,"file":"sandboxFilesystemPolicyBuild.js","sourceRoot":"","sources":["../../sources/sandbox/sandboxFilesystemPolicyBuild.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,8BAA8B,EAAE,MAAM,qCAAqC,CAAC;AAerF;;;GAGG;AACH,MAAM,UAAU,4BAA4B,CAAC,KAAwC;IACjF,MAAM,UAAU,GAAG,mBAAmB,CAAC,CAAC,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;IAC7D,MAAM,YAAY,GAAG,yBAAyB,CAAC;QAC3C,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,EAAE;KACrC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,mBAAmB,CAAC;QACjC,GAAG,yBAAyB,CAAC;YACzB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ;SAC3B,CAAC;QACF,GAAG,YAAY;KAClB,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,mBAAmB,CAAC;QAClC,GAAG,8BAA8B,CAAC;YAC9B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ;SAC3B,CAAC;QACF,GAAG,YAAY;KAClB,CAAC,CAAC;IAEH,OAAO;QACH,QAAQ;QACR,UAAU;QACV,SAAS;KACZ,CAAC;AACN,CAAC;AAED,SAAS,mBAAmB,CAAC,MAAgB;IACzC,MAAM,QAAQ,GAAG,MAAM;SAClB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;SACnC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IACzC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzC,CAAC"}