git-doc-mcp 0.1.0

package/dist/sandbox/executor.js

@@ -0,0 +1,259 @@
+/**
+ * Sandbox executor using isolated-vm.
+ * @module sandbox/executor
+ */
+import ivm from 'isolated-vm';
+import { createActionContext } from './context.js';
+/**
+ * Default sandbox options.
+ */
+const DEFAULT_SANDBOX_OPTIONS = {
+    memoryLimit: 128 * 1024 * 1024, // 128MB
+    cpuTimeLimit: 30000, // 30 seconds
+    wallTimeLimit: 60000, // 60 seconds
+};
+/**
+ * Result size limits.
+ */
+const MAX_RESULT_SIZE = 1024 * 1024; // 1MB
+const MAX_CONTENT_ITEMS = 100;
+/**
+ * Validate and truncate result if too large.
+ */
+export function validateResultSize(result) {
+    // Check content item count
+    if (result.content.length > MAX_CONTENT_ITEMS) {
+        return {
+            content: result.content.slice(0, MAX_CONTENT_ITEMS).concat([
+                { type: 'text', text: `[Truncated: ${result.content.length - MAX_CONTENT_ITEMS} more items]` }
+            ]),
+            isError: result.isError,
+        };
+    }
+    // Check total size
+    const serializedSize = JSON.stringify(result).length;
+    if (serializedSize > MAX_RESULT_SIZE) {
+        // Truncate text content
+        const truncatedContent = result.content.map(item => {
+            if (item.type === 'text' && item.text.length > 10000) {
+                return { type: 'text', text: item.text.slice(0, 10000) + '\n...[truncated]' };
+            }
+            return item;
+        });
+        return {
+            content: truncatedContent,
+            isError: result.isError,
+        };
+    }
+    return result;
+}
+/**
+ * Transform ES module action code to CommonJS-style for isolated-vm.
+ */
+export function transformActionCode(code) {
+    // Handle `export default function name(...)` pattern
+    // export default async function echo(input, ctx) -> async function __default__(input, ctx)
+    let transformed = code.replace(/export\s+default\s+(async\s+)?function\s+\w+\s*\(/g, '$1function __default__(');
+    // Handle `export default function(...)` (anonymous) - unlikely but handle it
+    transformed = transformed.replace(/export\s+default\s+(async\s+)?function\s*\(/g, '$1function __default__(');
+    // Handle `export default (async function...)` expressions
+    transformed = transformed.replace(/export\s+default\s+\((async\s+)?function/g, '(__default__ = $1function');
+    // Handle `export default { ... }` objects or arrow functions
+    // export default async (input, ctx) => { ... }
+    if (!transformed.includes('function __default__')) {
+        // Check for arrow function export
+        const arrowMatch = code.match(/export\s+default\s+(async\s+)?\(([^)]*)\)\s*=>\s*/);
+        if (arrowMatch) {
+            const isAsync = arrowMatch[1] ? 'async ' : '';
+            const params = arrowMatch[2];
+            const matchEnd = arrowMatch.index + arrowMatch[0].length;
+            const afterArrow = code.slice(matchEnd);
+            if (afterArrow.trimStart().startsWith('{')) {
+                // Block body: export default async (input) => { ... } → async function __default__(input) { ... }
+                transformed = code.replace(/export\s+default\s+(async\s+)?\([^)]*\)\s*=>\s*/, `${isAsync}function __default__(${params}) `);
+            }
+            else {
+                // Expression body: export default (input) => expr; → function __default__(input) { return expr; }
+                const beforeExport = code.slice(0, arrowMatch.index);
+                const expr = afterArrow.replace(/;\s*$/, '');
+                transformed = beforeExport + `${isAsync}function __default__(${params}) { return ${expr}; }`;
+            }
+        }
+        else {
+            // Generic export default replacement
+            transformed = code.replace(/export\s+default\s+/g, 'const __default__ = ');
+        }
+    }
+    // Remove other exports (they're not needed for action execution)
+    transformed = transformed.replace(/export\s+\{[^}]*\}/g, '');
+    transformed = transformed.replace(/export\s+(const|let|var|function|class)\s+/g, '$1 ');
+    return transformed;
+}
+/**
+ * Execute an action script in an isolated sandbox.
+ *
+ * The action code should export a default async function:
+ * ```javascript
+ * export default async function myAction(input, ctx) {
+ *   return { content: [{ type: 'text', text: 'Result' }] };
+ * }
+ * ```
+ */
+export async function executeAction(actionCode, input, contextOptions, sandboxOptions = {}) {
+    const opts = { ...DEFAULT_SANDBOX_OPTIONS, ...sandboxOptions };
+    // Create action context
+    const actionContext = createActionContext(contextOptions);
+    // Create isolated-vm isolate
+    const isolate = new ivm.Isolate({
+        memoryLimit: opts.memoryLimit,
+    });
+    try {
+        // Transform ES module syntax to CommonJS-style
+        const transformedCode = transformActionCode(actionCode);
+        // Create context
+        const context = await isolate.createContext();
+        const global = context.global;
+        // Create a deferred result holder
+        let resolveResult;
+        let rejectResult;
+        const resultPromise = new Promise((resolve, reject) => {
+            resolveResult = resolve;
+            rejectResult = reject;
+        });
+        // Create log callback
+        const logCallback = (level, message) => {
+            actionContext.log(level, message);
+        };
+        // Create fetch wrapper that returns a JSON string (not an object).
+        // isolated-vm cannot transfer objects or Promises across the boundary
+        // via Reference.apply(), but strings transfer cleanly.
+        const fetchCallback = async (url, optionsJson) => {
+            try {
+                const options = optionsJson ? JSON.parse(optionsJson) : {};
+                const response = await actionContext.fetch(url, options);
+                const text = await response.text();
+                return JSON.stringify({
+                    ok: response.ok,
+                    status: response.status,
+                    statusText: response.statusText,
+                    text: text,
+                    headers: Object.fromEntries(response.headers.entries()),
+                });
+            }
+            catch (error) {
+                return JSON.stringify({
+                    ok: false,
+                    status: 0,
+                    statusText: 'Error',
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        };
+        // Create getSecret wrapper (returns null instead of undefined for isolated-vm boundary)
+        const getSecretCallback = (name, url) => {
+            return actionContext.getSecret(name, url) ?? null;
+        };
+        // Set up callbacks in the isolate
+        // _fetch uses ivm.Reference (not Callback) because it is async.
+        // ivm.Callback cannot return Promises across the isolate boundary.
+        await global.set('_log', new ivm.Callback(logCallback));
+        await global.set('_fetch', new ivm.Reference(fetchCallback));
+        await global.set('_resolve', new ivm.Callback((result) => resolveResult(result)));
+        await global.set('_reject', new ivm.Callback((error) => rejectResult(new Error(error))));
+        await global.set('_input', new ivm.ExternalCopy(input).copyInto());
+        await global.set('_getSecret', new ivm.Callback(getSecretCallback));
+        await global.set('_manifest', new ivm.ExternalCopy(actionContext.manifest).copyInto());
+        // Create the wrapper script with full capture-then-delete pattern (AC17, AC18)
+        const wrapperScript = `
+      // Capture ALL globals into local const variables BEFORE anything else
+      const __fetch__ = _fetch;
+      const __log__ = _log;
+      const __manifest__ = _manifest;
+      const __getSecret__ = _getSecret;
+      const __input__ = _input;
+      const __resolve__ = _resolve;
+      const __reject__ = _reject;
+
+      // Delete all raw globals immediately
+      delete globalThis._fetch;
+      delete globalThis._log;
+      delete globalThis._resolve;
+      delete globalThis._reject;
+      delete globalThis._input;
+      delete globalThis._manifest;
+      delete globalThis._getSecret;
+
+      // Build ctx from captured locals only
+      const ctx = {
+        manifest: __manifest__,
+        fetch: async (url, options) => {
+          // __fetch__ is an ivm.Reference to an async host function.
+          // It returns a JSON string; we parse it and add the json() helper.
+          const optionsJson = options ? JSON.stringify(options) : undefined;
+          const raw = await __fetch__.apply(undefined, [url, optionsJson], { result: { promise: true, copy: true } });
+          const res = JSON.parse(raw);
+          res.json = function() { return JSON.parse(res.text); };
+          return res;
+        },
+        log: (level, message) => {
+          __log__(level, message);
+        },
+        getSecret: (name, url) => {
+          const result = __getSecret__(name, url);
+          return result === null ? undefined : result;
+        },
+      };
+
+      // Transformed action code
+      ${transformedCode}
+
+      // Find the action function
+      const actionFn = typeof __default__ !== 'undefined' ? __default__ : null;
+
+      if (typeof actionFn !== 'function') {
+        __reject__('Action must export a default async function');
+      } else {
+        // Execute the action using captured locals
+        Promise.resolve()
+          .then(() => actionFn(__input__, ctx))
+          .then(result => {
+            if (!result || !Array.isArray(result.content)) {
+              __reject__('Action must return { content: [...] }');
+            } else {
+              __resolve__(result);
+            }
+          })
+          .catch(err => {
+            __reject__(err.message || String(err));
+          });
+      }
+    `;
+        // Compile and run the script
+        const script = await isolate.compileScript(wrapperScript);
+        // Run with timeout
+        await script.run(context, {
+            timeout: opts.cpuTimeLimit,
+        });
+        // Wait for the result with wall timeout
+        const rawResult = await Promise.race([
+            resultPromise,
+            new Promise((_, reject) => {
+                setTimeout(() => reject(new Error('Action timeout')), opts.wallTimeLimit);
+            }),
+        ]);
+        // Validate and truncate result if too large
+        return validateResultSize(rawResult);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            content: [{ type: 'text', text: `Execution error: ${message}` }],
+            isError: true,
+        };
+    }
+    finally {
+        // Clean up
+        isolate.dispose();
+    }
+}
+//# sourceMappingURL=executor.js.map

package/dist/sandbox/executor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.js","sourceRoot":"","sources":["../../src/sandbox/executor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,GAAG,MAAM,aAAa,CAAC;AAC9B,OAAO,EAAE,mBAAmB,EAAwB,MAAM,cAAc,CAAC;AAczE;;GAEG;AACH,MAAM,uBAAuB,GAA6B;IACxD,WAAW,EAAE,GAAG,GAAG,IAAI,GAAG,IAAI,EAAE,QAAQ;IACxC,YAAY,EAAE,KAAK,EAAE,aAAa;IAClC,aAAa,EAAE,KAAK,EAAE,aAAa;CACpC,CAAC;AAEF;;GAEG;AACH,MAAM,eAAe,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,MAAM;AAC3C,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAU9B;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAkB;IACnD,2BAA2B;IAC3B,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;QAC9C,OAAO;YACL,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC,MAAM,CAAC;gBACzD,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,iBAAiB,cAAc,EAAE;aAC/F,CAAC;YACF,OAAO,EAAE,MAAM,CAAC,OAAO;SACxB,CAAC;IACJ,CAAC;IAED,mBAAmB;IACnB,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IACrD,IAAI,cAAc,GAAG,eAAe,EAAE,CAAC;QACrC,wBAAwB;QACxB,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;YACjD,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;gBACrD,OAAO,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,kBAAkB,EAAE,CAAC;YACzF,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,gBAAgB;YACzB,OAAO,EAAE,MAAM,CAAC,OAAO;SACxB,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAY;IAC9C,qDAAqD;IACrD,2FAA2F;IAC3F,IAAI,WAAW,GAAG,IAAI,CAAC,OAAO,CAC5B,oDAAoD,EACpD,yBAAyB,CAC1B,CAAC;IAEF,6EAA6E;IAC7E,WAAW,GAAG,WAAW,CAAC,OAAO,CAC/B,8CAA8C,EAC9C,yBAAyB,CAC1B,CAAC;IAEF,0DAA0D;IAC1D,WAAW,GAAG,WAAW,CAAC,OAAO,CAC/B,2CAA2C,EAC3C,2BAA2B,CAC5B,CAAC;IAEF,6DAA6D;IAC7D,+CAA+C;IAC/C,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;QAClD,kCAAkC;QAClC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACnF,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9C,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;YAC7B,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAM,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YAC1D,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAExC,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3C,kGAAkG;gBAClG,WAAW,GAAG,IAAI,CAAC,OAAO,CACxB,iDAAiD,EACjD,GAAG,OAAO,wBAAwB,MAAM,IAAI,CAC7C,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,kGAAkG;gBAClG,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,KAAM,CAAC,CAAC;gBACtD,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBAC7C,WAAW,GAAG,YAAY,GAAG,GAAG,OAAO,wBAAwB,MAAM,cAAc,IAAI,KAAK,CAAC;YAC/F,CAAC;QACH,CAAC;aAAM,CAAC;YACN,qCAAqC;YACrC,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,sBAAsB,EAAE,sBAAsB,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED,iEAAiE;IACjE,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC;IAC7D,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,6CAA6C,EAAE,KAAK,CAAC,CAAC;IAExF,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,UAAkB,EAClB,KAAc,EACd,cAAoC,EACpC,iBAAiC,EAAE;IAEnC,MAAM,IAAI,GAAG,EAAE,GAAG,uBAAuB,EAAE,GAAG,cAAc,EAAE,CAAC;IAE/D,wBAAwB;IACxB,MAAM,aAAa,GAAG,mBAAmB,CAAC,cAAc,CAAC,CAAC;IAE1D,6BAA6B;IAC7B,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC;QAC9B,WAAW,EAAE,IAAI,CAAC,WAAW;KAC9B,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,+CAA+C;QAC/C,MAAM,eAAe,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC;QAExD,iBAAiB;QACjB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,aAAa,EAAE,CAAC;QAC9C,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAE9B,kCAAkC;QAClC,IAAI,aAA0C,CAAC;QAC/C,IAAI,YAAoC,CAAC;QACzC,MAAM,aAAa,GAAG,IAAI,OAAO,CAAa,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAChE,aAAa,GAAG,OAAO,CAAC;YACxB,YAAY,GAAG,MAAM,CAAC;QACxB,CAAC,CAAC,CAAC;QAEH,sBAAsB;QACtB,MAAM,WAAW,GAAG,CAAC,KAAa,EAAE,OAAe,EAAE,EAAE;YACrD,aAAa,CAAC,GAAG,CAAC,KAA4C,EAAE,OAAO,CAAC,CAAC;QAC3E,CAAC,CAAC;QAEF,mEAAmE;QACnE,sEAAsE;QACtE,uDAAuD;QACvD,MAAM,aAAa,GAAG,KAAK,EAAE,GAAW,EAAE,WAAoB,EAAE,EAAE;YAChE,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3D,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,GAAG,EAAE,OAAsB,CAAC,CAAC;gBACxE,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACnC,OAAO,IAAI,CAAC,SAAS,CAAC;oBACpB,EAAE,EAAE,QAAQ,CAAC,EAAE;oBACf,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;oBAC/B,IAAI,EAAE,IAAI;oBACV,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;iBACxD,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,IAAI,CAAC,SAAS,CAAC;oBACpB,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,CAAC;oBACT,UAAU,EAAE,OAAO;oBACnB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAC9D,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC;QAEF,wFAAwF;QACxF,MAAM,iBAAiB,GAAG,CAAC,IAAY,EAAE,GAAW,EAAE,EAAE;YACtD,OAAO,aAAa,CAAC,SAAS,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC;QACpD,CAAC,CAAC;QAEF,kCAAkC;QAClC,gEAAgE;QAChE,mEAAmE;QACnE,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;QACxD,MAAM,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,GAAG,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC;QAC7D,MAAM,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,MAAkB,EAAE,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC9F,MAAM,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,KAAa,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACjG,MAAM,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,GAAG,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QACnE,MAAM,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,GAAG,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACpE,MAAM,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,GAAG,CAAC,YAAY,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEvF,+EAA+E;QAC/E,MAAM,aAAa,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAyClB,eAAe;;;;;;;;;;;;;;;;;;;;;;KAsBlB,CAAC;QAEF,6BAA6B;QAC7B,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC;QAE1D,mBAAmB;QACnB,MAAM,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE;YACxB,OAAO,EAAE,IAAI,CAAC,YAAY;SAC3B,CAAC,CAAC;QAEH,wCAAwC;QACxC,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YACnC,aAAa;YACb,IAAI,OAAO,CAAa,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE;gBACpC,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;YAC5E,CAAC,CAAC;SACH,CAAC,CAAC;QAEH,4CAA4C;QAC5C,OAAO,kBAAkB,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,oBAAoB,OAAO,EAAE,EAAE,CAAC;YAChE,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,WAAW;QACX,OAAO,CAAC,OAAO,EAAE,CAAC;IACpB,CAAC;AACH,CAAC"}

package/dist/sandbox/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Sandbox module - executor, context, and URL validation.
+ * @module sandbox
+ */
+export * from './executor.js';
+export * from './context.js';
+export * from './url-validator.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/sandbox/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC"}

package/dist/sandbox/index.js

@@ -0,0 +1,8 @@
+/**
+ * Sandbox module - executor, context, and URL validation.
+ * @module sandbox
+ */
+export * from './executor.js';
+export * from './context.js';
+export * from './url-validator.js';
+//# sourceMappingURL=index.js.map

package/dist/sandbox/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sandbox/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC"}

package/dist/sandbox/url-validator.d.ts

@@ -0,0 +1,40 @@
+/**
+ * URL validation for SSRF protection and redirect handling.
+ * @module sandbox/url-validator
+ */
+/**
+ * URL validation options.
+ */
+export interface UrlValidationOptions {
+    /** Allowed URL schemes (default: ['https']) */
+    allowedSchemes?: string[];
+    /** Maximum number of redirects to follow */
+    maxRedirects?: number;
+    /** Whether to allow localhost (default: false) */
+    allowLocalhost?: boolean;
+    /** Custom blocked IP ranges */
+    blockedIpRanges?: string[];
+}
+/**
+ * Check if IP is in CIDR range (supports IPv4 and IPv6).
+ */
+export declare function isIpInCidr(ip: string, cidr: string): boolean;
+/**
+ * Validate URL for SSRF protection.
+ * @throws Error if URL is invalid or blocked
+ */
+export declare function validateUrl(urlString: string, options?: UrlValidationOptions): Promise<URL>;
+/**
+ * Validate a redirect URL.
+ * Re-validates all SSRF protections for the redirect target.
+ */
+export declare function validateRedirect(redirectUrl: string, _originalUrl: string, options?: UrlValidationOptions): Promise<URL>;
+/**
+ * Check if a URL is HTTPS.
+ */
+export declare function isHttps(url: string): boolean;
+/**
+ * Extract hostname from URL.
+ */
+export declare function getHostname(url: string): string | undefined;
+//# sourceMappingURL=url-validator.d.ts.map

package/dist/sandbox/url-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-validator.d.ts","sourceRoot":"","sources":["../../src/sandbox/url-validator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,+CAA+C;IAC/C,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,4CAA4C;IAC5C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kDAAkD;IAClD,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,+BAA+B;IAC/B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAiDD;;GAEG;AACH,wBAAgB,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAsC5D;AA8BD;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,GAAG,CAAC,CAyCd;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,EACpB,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,GAAG,CAAC,CAOd;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAM5C;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAM3D"}

package/dist/sandbox/url-validator.js

@@ -0,0 +1,178 @@
+/**
+ * URL validation for SSRF protection and redirect handling.
+ * @module sandbox/url-validator
+ */
+import * as dns from 'node:dns/promises';
+/**
+ * Default validation options.
+ */
+const DEFAULT_OPTIONS = {
+    allowedSchemes: ['https'],
+    maxRedirects: 5,
+    allowLocalhost: false,
+    blockedIpRanges: [],
+};
+/**
+ * Blocked IP ranges for SSRF protection.
+ */
+const BLOCKED_PRIVATE_RANGES = [
+    '10.0.0.0/8',
+    '172.16.0.0/12',
+    '192.168.0.0/16',
+    '127.0.0.0/8',
+    '169.254.0.0/16',
+    '::1/128',
+    'fc00::/7',
+    'fe80::/10',
+];
+/**
+ * Parse an IPv6 address into a BigInt (128-bit).
+ */
+function parseIpv6ToBigInt(ip) {
+    const halves = ip.split('::');
+    const left = halves[0] ? halves[0].split(':').filter(s => s !== '') : [];
+    const right = halves.length > 1 && halves[1] ? halves[1].split(':').filter(s => s !== '') : [];
+    const groups = [];
+    for (const g of left)
+        groups.push(parseInt(g, 16));
+    const fill = 8 - left.length - right.length;
+    for (let i = 0; i < fill; i++)
+        groups.push(0);
+    for (const g of right)
+        groups.push(parseInt(g, 16));
+    let result = BigInt(0);
+    for (const group of groups) {
+        result = (result << BigInt(16)) | BigInt(group);
+    }
+    return result;
+}
+/**
+ * Check if IP is in CIDR range (supports IPv4 and IPv6).
+ */
+export function isIpInCidr(ip, cidr) {
+    const [range, bitsStr] = cidr.split('/');
+    if (!range) {
+        return false;
+    }
+    const isIpv6 = ip.includes(':');
+    const isRangeIpv6 = range.includes(':');
+    // Must be same address family
+    if (isIpv6 !== isRangeIpv6)
+        return false;
+    if (isIpv6) {
+        const bits = bitsStr !== undefined ? parseInt(bitsStr, 10) : 128;
+        const ipNum = parseIpv6ToBigInt(ip);
+        const rangeNum = parseIpv6ToBigInt(range);
+        const mask = bits === 0 ? BigInt(0) : ((BigInt(1) << BigInt(128)) - BigInt(1)) << BigInt(128 - bits);
+        return (ipNum & mask) === (rangeNum & mask);
+    }
+    // IPv4
+    const rangeParts = range.split('.').map(Number);
+    const ipParts = ip.split('.').map(Number);
+    if (rangeParts.length !== 4 || ipParts.length !== 4) {
+        return false;
+    }
+    const bits = bitsStr !== undefined ? parseInt(bitsStr, 10) : 32;
+    let maskNum = 0;
+    for (let i = 0; i < bits; i++) {
+        maskNum |= (1 << (31 - i));
+    }
+    const rangeNum = ((rangeParts[0] ?? 0) << 24) | ((rangeParts[1] ?? 0) << 16) | ((rangeParts[2] ?? 0) << 8) | (rangeParts[3] ?? 0);
+    const ipNum = ((ipParts[0] ?? 0) << 24) | ((ipParts[1] ?? 0) << 16) | ((ipParts[2] ?? 0) << 8) | (ipParts[3] ?? 0);
+    return (rangeNum & maskNum) === (ipNum & maskNum);
+}
+/**
+ * Check if IP is in any blocked range.
+ */
+function isBlockedIp(ip, options) {
+    // Check custom blocked ranges
+    for (const range of options.blockedIpRanges) {
+        if (isIpInCidr(ip, range)) {
+            return true;
+        }
+    }
+    // Check default private ranges
+    for (const range of BLOCKED_PRIVATE_RANGES) {
+        if (isIpInCidr(ip, range)) {
+            return true;
+        }
+    }
+    // Check localhost
+    if (!options.allowLocalhost) {
+        if (ip === '127.0.0.1' || ip === '::1' || ip === 'localhost') {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Validate URL for SSRF protection.
+ * @throws Error if URL is invalid or blocked
+ */
+export async function validateUrl(urlString, options = {}) {
+    const opts = { ...DEFAULT_OPTIONS, ...options };
+    // Parse URL
+    let url;
+    try {
+        url = new URL(urlString);
+    }
+    catch {
+        throw new Error(`Invalid URL: ${urlString}`);
+    }
+    // Check scheme
+    if (!opts.allowedSchemes.includes(url.protocol.replace(':', ''))) {
+        throw new Error(`URL scheme "${url.protocol}" not allowed. Allowed: ${opts.allowedSchemes.join(', ')}. Use --allow-http to allow insecure HTTP connections.`);
+    }
+    // Resolve hostname to IP for SSRF protection
+    const hostname = url.hostname;
+    let ips;
+    try {
+        // Try to resolve as IPv4 first, then IPv6
+        const result = await dns.lookup(hostname, { all: true });
+        ips = result.map((r) => r.address);
+    }
+    catch {
+        throw new Error(`Failed to resolve hostname: ${hostname}`);
+    }
+    // Check all resolved IPs
+    for (const ip of ips) {
+        if (isBlockedIp(ip, opts)) {
+            throw new Error(`Blocked IP address: ${ip} (resolved from ${hostname}). ` +
+                `This appears to be a private/internal network address.`);
+        }
+    }
+    return url;
+}
+/**
+ * Validate a redirect URL.
+ * Re-validates all SSRF protections for the redirect target.
+ */
+export async function validateRedirect(redirectUrl, _originalUrl, options = {}) {
+    // Validate the redirect URL with all SSRF checks
+    const url = await validateUrl(redirectUrl, options);
+    // Log redirect for audit (caller provides audit logger at a higher level)
+    return url;
+}
+/**
+ * Check if a URL is HTTPS.
+ */
+export function isHttps(url) {
+    try {
+        return new URL(url).protocol === 'https:';
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Extract hostname from URL.
+ */
+export function getHostname(url) {
+    try {
+        return new URL(url).hostname;
+    }
+    catch {
+        return undefined;
+    }
+}
+//# sourceMappingURL=url-validator.js.map

package/dist/sandbox/url-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-validator.js","sourceRoot":"","sources":["../../src/sandbox/url-validator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,GAAG,MAAM,mBAAmB,CAAC;AAgBzC;;GAEG;AACH,MAAM,eAAe,GAAmC;IACtD,cAAc,EAAE,CAAC,OAAO,CAAC;IACzB,YAAY,EAAE,CAAC;IACf,cAAc,EAAE,KAAK;IACrB,eAAe,EAAE,EAAE;CACpB,CAAC;AAEF;;GAEG;AACH,MAAM,sBAAsB,GAAG;IAC7B,YAAY;IACZ,eAAe;IACf,gBAAgB;IAChB,aAAa;IACb,gBAAgB;IAChB,SAAS;IACT,UAAU;IACV,WAAW;CACZ,CAAC;AAEF;;GAEG;AACH,SAAS,iBAAiB,CAAC,EAAU;IACnC,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACzE,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAE/F,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,CAAC,IAAI,IAAI;QAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAEnD,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE;QAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAE9C,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAEpD,IAAI,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACvB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,GAAG,CAAC,MAAM,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,EAAU,EAAE,IAAY;IACjD,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,MAAM,GAAG,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAChC,MAAM,WAAW,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAExC,8BAA8B;IAC9B,IAAI,MAAM,KAAK,WAAW;QAAE,OAAO,KAAK,CAAC;IAEzC,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,IAAI,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QACjE,MAAM,KAAK,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACpC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,IAAI,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;QACrG,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO;IACP,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAE1C,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAChE,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAClI,MAAM,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAEnH,OAAO,CAAC,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,OAAO,CAAC,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,EAAU,EAAE,OAAuC;IACtE,8BAA8B;IAC9B,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QAC5C,IAAI,UAAU,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,KAAK,MAAM,KAAK,IAAI,sBAAsB,EAAE,CAAC;QAC3C,IAAI,UAAU,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC5B,IAAI,EAAE,KAAK,WAAW,IAAI,EAAE,KAAK,KAAK,IAAI,EAAE,KAAK,WAAW,EAAE,CAAC;YAC7D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAAiB,EACjB,UAAgC,EAAE;IAElC,MAAM,IAAI,GAAG,EAAE,GAAG,eAAe,EAAE,GAAG,OAAO,EAAE,CAAC;IAEhD,YAAY;IACZ,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,gBAAgB,SAAS,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,eAAe;IACf,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CACb,eAAe,GAAG,CAAC,QAAQ,2BAA2B,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,wDAAwD,CAC7I,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAC9B,IAAI,GAAa,CAAC;IAElB,IAAI,CAAC;QACH,0CAA0C;QAC1C,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,+BAA+B,QAAQ,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,yBAAyB;IACzB,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,WAAW,CAAC,EAAE,EAAE,IAAI,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CACb,uBAAuB,EAAE,mBAAmB,QAAQ,KAAK;gBACzD,wDAAwD,CACzD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAmB,EACnB,YAAoB,EACpB,UAAgC,EAAE;IAElC,iDAAiD;IACjD,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAEpD,0EAA0E;IAE1E,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,GAAW;IACjC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC"}

package/dist/secrets/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Secrets module - manager and pattern matching.
+ * @module secrets
+ */
+export * from './manager.js';
+export * from './patterns.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/secrets/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,cAAc,CAAC;AAC7B,cAAc,eAAe,CAAC"}

package/dist/secrets/index.js

@@ -0,0 +1,7 @@
+/**
+ * Secrets module - manager and pattern matching.
+ * @module secrets
+ */
+export * from './manager.js';
+export * from './patterns.js';
+//# sourceMappingURL=index.js.map

package/dist/secrets/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,cAAc,CAAC;AAC7B,cAAc,eAAe,CAAC"}

package/dist/secrets/manager.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Secret approval and scoping manager.
+ * @module secrets/manager
+ */
+import { Secret } from '../manifest/schema.js';
+/**
+ * Approved secret with its scope patterns.
+ */
+export interface ApprovedSecret {
+    name: string;
+    value: string;
+    scopes: string[];
+}
+/**
+ * Secrets manager handles secret approval and scoped access.
+ */
+export declare class SecretsManager {
+    private approvedSecrets;
+    /**
+     * Approve a secret with its value and scope patterns.
+     */
+    approve(secret: Secret, value: string): void;
+    /**
+     * Check if a secret is approved.
+     */
+    isApproved(name: string): boolean;
+    /**
+     * Get a secret value if approved and URL is in scope.
+     * @returns The secret value, or undefined if not approved or out of scope
+     */
+    getSecret(name: string, url?: string): string | undefined;
+    /**
+     * Get all approved secrets for a specific URL.
+     * Only returns secrets whose scopes include the URL.
+     */
+    getSecretsForUrl(url: string): Record<string, string>;
+    /**
+     * Get all approved secrets (without scope validation).
+     * Use with caution - for passing to worker process only.
+     */
+    getAllSecrets(): Record<string, string>;
+    /**
+     * Get scope patterns for a secret.
+     */
+    getScopes(name: string): string[] | undefined;
+    /**
+     * Clear all approved secrets.
+     */
+    clear(): void;
+    /**
+     * List all approved secret names.
+     */
+    listApproved(): string[];
+}
+//# sourceMappingURL=manager.d.ts.map

package/dist/secrets/manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/secrets/manager.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAG/C;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,eAAe,CAA0C;IAEjE;;OAEG;IACH,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAQ5C;;OAEG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIjC;;;OAGG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAkBzD;;;OAGG;IACH,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAerD;;;OAGG;IACH,aAAa,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAQvC;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS;IAI7C;;OAEG;IACH,KAAK,IAAI,IAAI;IAIb;;OAEG;IACH,YAAY,IAAI,MAAM,EAAE;CAGzB"}