lavs-runtime 0.1.0

package/dist/permission-checker.js

@@ -0,0 +1,172 @@
+"use strict";
+/**
+ * LAVS Permission Checker
+ *
+ * Enforces permission constraints declared in LAVS manifests.
+ *
+ * ## Enforcement Model
+ *
+ * LAVS permissions have two enforcement levels:
+ *
+ * | Permission       | Level    | What is checked                                |
+ * |-----------------|----------|------------------------------------------------|
+ * | Path traversal  | ENFORCED | Handler cwd and command paths are validated     |
+ * | fileAccess      | ADVISORY | Glob pattern matching at dispatch time;         |
+ * |                 |          | NOT intercepted at OS/syscall level during      |
+ * |                 |          | script execution. Scripts can still access       |
+ * |                 |          | files the process has OS-level permission for.   |
+ * | networkAccess   | ADVISORY | Declared for auditing; not enforced at runtime. |
+ * |                 |          | Use OS-level isolation (nsjail, Docker) for     |
+ * |                 |          | strict enforcement.                              |
+ * | maxExecTime     | ENFORCED | Handler killed via SIGTERM/SIGKILL on timeout.  |
+ * | maxMemory       | ADVISORY | Not enforced in current runtime.                |
+ *
+ * Future: Consider OS-level sandboxing for fileAccess and networkAccess.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionChecker = void 0;
+const path_1 = __importDefault(require("path"));
+const minimatch_1 = require("minimatch");
+const types_1 = require("./types");
+/**
+ * LAVS Permission Checker - enforces manifest-declared security constraints
+ */
+class PermissionChecker {
+    /**
+     * Merge manifest-level and endpoint-level permissions.
+     * Endpoint-level permissions take precedence over manifest-level.
+     *
+     * @param manifestPermissions - Manifest-level permissions (defaults)
+     * @param endpointPermissions - Endpoint-level permissions (overrides)
+     * @returns Merged permissions object
+     */
+    mergePermissions(manifestPermissions, endpointPermissions) {
+        if (!manifestPermissions && !endpointPermissions) {
+            return {};
+        }
+        if (!manifestPermissions) {
+            return { ...endpointPermissions };
+        }
+        if (!endpointPermissions) {
+            return { ...manifestPermissions };
+        }
+        return {
+            fileAccess: endpointPermissions.fileAccess ?? manifestPermissions.fileAccess,
+            networkAccess: endpointPermissions.networkAccess ?? manifestPermissions.networkAccess,
+            maxExecutionTime: endpointPermissions.maxExecutionTime ?? manifestPermissions.maxExecutionTime,
+            maxMemory: endpointPermissions.maxMemory ?? manifestPermissions.maxMemory,
+        };
+    }
+    /**
+     * Check if a target path is within the allowed base directory.
+     * Prevents path traversal attacks (e.g., ../../etc/passwd).
+     *
+     * @param targetPath - The path to check (absolute or relative)
+     * @param allowedBase - The allowed base directory (absolute)
+     * @throws LAVSError with code PermissionDenied if path is outside allowed base
+     */
+    checkPathTraversal(targetPath, allowedBase) {
+        const resolvedTarget = path_1.default.resolve(allowedBase, targetPath);
+        const normalizedBase = path_1.default.resolve(allowedBase);
+        // Ensure resolved target is within or equal to the allowed base
+        if (!resolvedTarget.startsWith(normalizedBase + path_1.default.sep) && resolvedTarget !== normalizedBase) {
+            throw new types_1.LAVSError(types_1.LAVSErrorCode.PermissionDenied, `Path traversal detected: '${targetPath}' resolves outside allowed directory '${allowedBase}'`, { resolvedPath: resolvedTarget, allowedBase: normalizedBase });
+        }
+    }
+    /**
+     * Check if a handler's working directory is within the allowed base.
+     *
+     * @param handler - Script handler with optional cwd
+     * @param agentDir - Agent directory (the allowed base)
+     * @throws LAVSError with code PermissionDenied if cwd is outside agent directory
+     */
+    checkHandlerCwd(handler, agentDir) {
+        if (!handler.cwd) {
+            return; // No custom cwd, will use agentDir as default
+        }
+        this.checkPathTraversal(handler.cwd, agentDir);
+    }
+    /**
+     * Check if file access patterns allow a given path.
+     * Uses glob matching against permissions.fileAccess patterns.
+     *
+     * @param filePath - The file path to check (relative to agent dir)
+     * @param permissions - Permission constraints including fileAccess patterns
+     * @returns true if access is allowed, false otherwise
+     */
+    checkFileAccess(filePath, permissions) {
+        // No fileAccess restrictions - allow all
+        if (!permissions.fileAccess || permissions.fileAccess.length === 0) {
+            return true;
+        }
+        // Normalize the file path
+        const normalizedPath = filePath.startsWith('./') ? filePath : `./${filePath}`;
+        // First check deny patterns (negative patterns take precedence)
+        for (const pattern of permissions.fileAccess) {
+            if (pattern.startsWith('!')) {
+                if ((0, minimatch_1.minimatch)(normalizedPath, pattern.slice(1))) {
+                    return false; // Explicitly denied
+                }
+            }
+        }
+        // Then check allow patterns
+        for (const pattern of permissions.fileAccess) {
+            if (!pattern.startsWith('!')) {
+                if ((0, minimatch_1.minimatch)(normalizedPath, pattern)) {
+                    return true; // Allowed
+                }
+            }
+        }
+        // No positive pattern matched - deny by default
+        return false;
+    }
+    /**
+     * Get the effective execution timeout for a handler.
+     * Priority: handler.timeout > permissions.maxExecutionTime > default (30000ms)
+     *
+     * @param handler - Script handler with optional timeout
+     * @param permissions - Permission constraints with optional maxExecutionTime
+     * @param defaultTimeout - Default timeout in milliseconds (default: 30000)
+     * @returns Effective timeout in milliseconds
+     */
+    getEffectiveTimeout(handler, permissions, defaultTimeout = 30000) {
+        // Handler-level timeout takes precedence
+        if (handler.timeout != null && handler.timeout > 0) {
+            // But cannot exceed permission-level max
+            if (permissions.maxExecutionTime != null && permissions.maxExecutionTime > 0) {
+                return Math.min(handler.timeout, permissions.maxExecutionTime);
+            }
+            return handler.timeout;
+        }
+        // Permission-level timeout
+        if (permissions.maxExecutionTime != null && permissions.maxExecutionTime > 0) {
+            return permissions.maxExecutionTime;
+        }
+        return defaultTimeout;
+    }
+    /**
+     * Run all permission checks for a script handler execution.
+     * This is a convenience method that combines multiple checks.
+     *
+     * @param handler - Script handler configuration
+     * @param permissions - Merged permissions
+     * @param agentDir - Agent base directory
+     * @throws LAVSError if any permission check fails
+     */
+    assertAllowed(handler, permissions, agentDir) {
+        // 1. Check handler cwd for path traversal
+        this.checkHandlerCwd(handler, agentDir);
+        // 2. Check script command path if it looks like a file path
+        if (handler.command && (handler.command.includes('/') || handler.command.includes('\\'))) {
+            // Only check relative paths (absolute paths are resolved by loader)
+            if (!path_1.default.isAbsolute(handler.command)) {
+                this.checkPathTraversal(handler.command, agentDir);
+            }
+        }
+    }
+}
+exports.PermissionChecker = PermissionChecker;
+//# sourceMappingURL=permission-checker.js.map

package/dist/permission-checker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-checker.js","sourceRoot":"","sources":["../src/permission-checker.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;;;;;;AAEH,gDAAwB;AACxB,yCAAsC;AACtC,mCAKiB;AAEjB;;GAEG;AACH,MAAa,iBAAiB;IAC5B;;;;;;;OAOG;IACH,gBAAgB,CACd,mBAAiC,EACjC,mBAAiC;QAEjC,IAAI,CAAC,mBAAmB,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACjD,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO,EAAE,GAAG,mBAAmB,EAAE,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO,EAAE,GAAG,mBAAmB,EAAE,CAAC;QACpC,CAAC;QAED,OAAO;YACL,UAAU,EAAE,mBAAmB,CAAC,UAAU,IAAI,mBAAmB,CAAC,UAAU;YAC5E,aAAa,EAAE,mBAAmB,CAAC,aAAa,IAAI,mBAAmB,CAAC,aAAa;YACrF,gBAAgB,EAAE,mBAAmB,CAAC,gBAAgB,IAAI,mBAAmB,CAAC,gBAAgB;YAC9F,SAAS,EAAE,mBAAmB,CAAC,SAAS,IAAI,mBAAmB,CAAC,SAAS;SAC1E,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,kBAAkB,CAAC,UAAkB,EAAE,WAAmB;QACxD,MAAM,cAAc,GAAG,cAAI,CAAC,OAAO,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAC7D,MAAM,cAAc,GAAG,cAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QAEjD,gEAAgE;QAChE,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,cAAc,GAAG,cAAI,CAAC,GAAG,CAAC,IAAI,cAAc,KAAK,cAAc,EAAE,CAAC;YAC/F,MAAM,IAAI,iBAAS,CACjB,qBAAa,CAAC,gBAAgB,EAC9B,6BAA6B,UAAU,yCAAyC,WAAW,GAAG,EAC9F,EAAE,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,cAAc,EAAE,CAC9D,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,eAAe,CAAC,OAAsB,EAAE,QAAgB;QACtD,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACjB,OAAO,CAAC,8CAA8C;QACxD,CAAC;QAED,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;IAED;;;;;;;OAOG;IACH,eAAe,CAAC,QAAgB,EAAE,WAAwB;QACxD,yCAAyC;QACzC,IAAI,CAAC,WAAW,CAAC,UAAU,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,0BAA0B;QAC1B,MAAM,cAAc,GAAG,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;QAE9E,gEAAgE;QAChE,KAAK,MAAM,OAAO,IAAI,WAAW,CAAC,UAAU,EAAE,CAAC;YAC7C,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,IAAI,IAAA,qBAAS,EAAC,cAAc,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChD,OAAO,KAAK,CAAC,CAAC,oBAAoB;gBACpC,CAAC;YACH,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,KAAK,MAAM,OAAO,IAAI,WAAW,CAAC,UAAU,EAAE,CAAC;YAC7C,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC7B,IAAI,IAAA,qBAAS,EAAC,cAAc,EAAE,OAAO,CAAC,EAAE,CAAC;oBACvC,OAAO,IAAI,CAAC,CAAC,UAAU;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QAED,gDAAgD;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;;;;OAQG;IACH,mBAAmB,CACjB,OAAsB,EACtB,WAAwB,EACxB,iBAAyB,KAAK;QAE9B,yCAAyC;QACzC,IAAI,OAAO,CAAC,OAAO,IAAI,IAAI,IAAI,OAAO,CAAC,OAAO,GAAG,CAAC,EAAE,CAAC;YACnD,yCAAyC;YACzC,IAAI,WAAW,CAAC,gBAAgB,IAAI,IAAI,IAAI,WAAW,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;gBAC7E,OAAO,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,WAAW,CAAC,gBAAgB,CAAC,CAAC;YACjE,CAAC;YACD,OAAO,OAAO,CAAC,OAAO,CAAC;QACzB,CAAC;QAED,2BAA2B;QAC3B,IAAI,WAAW,CAAC,gBAAgB,IAAI,IAAI,IAAI,WAAW,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;YAC7E,OAAO,WAAW,CAAC,gBAAgB,CAAC;QACtC,CAAC;QAED,OAAO,cAAc,CAAC;IACxB,CAAC;IAED;;;;;;;;OAQG;IACH,aAAa,CACX,OAAsB,EACtB,WAAwB,EACxB,QAAgB;QAEhB,0CAA0C;QAC1C,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAExC,4DAA4D;QAC5D,IAAI,OAAO,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACzF,oEAAoE;YACpE,IAAI,CAAC,cAAI,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtC,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAnKD,8CAmKC"}

package/dist/rate-limiter.d.ts

@@ -0,0 +1,57 @@
+/**
+ * LAVS Rate Limiter
+ *
+ * Simple in-memory rate limiter for LAVS endpoint calls.
+ * Uses a sliding window counter algorithm.
+ */
+/**
+ * Rate limit configuration
+ */
+export interface RateLimitConfig {
+    /** Maximum number of requests allowed in the window */
+    maxRequests: number;
+    /** Time window in milliseconds */
+    windowMs: number;
+}
+/**
+ * Rate limit check result
+ */
+export interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    resetAt: number;
+}
+/**
+ * LAVS Rate Limiter - prevents excessive endpoint calls
+ */
+export declare class LAVSRateLimiter {
+    private windows;
+    private defaultConfig;
+    /**
+     * Create a rate limiter with default configuration
+     * @param config - Default rate limit config (default: 60 requests per minute)
+     */
+    constructor(config?: Partial<RateLimitConfig>);
+    /**
+     * Check if a request is allowed under the rate limit.
+     *
+     * @param key - Rate limit key (e.g., `${agentId}:${endpointId}`)
+     * @param config - Optional per-key override config
+     * @returns Rate limit check result
+     */
+    check(key: string, config?: Partial<RateLimitConfig>): RateLimitResult;
+    /**
+     * Reset rate limit for a key
+     */
+    reset(key: string): void;
+    /**
+     * Clear all rate limit entries
+     */
+    clearAll(): void;
+    /**
+     * Clean up expired windows to prevent memory leaks.
+     * Should be called periodically.
+     */
+    cleanup(): void;
+}
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../src/rate-limiter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,uDAAuD;IACvD,WAAW,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAOD;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,OAAO,CAAuC;IACtD,OAAO,CAAC,aAAa,CAAkB;IAEvC;;;OAGG;gBACS,MAAM,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC;IAO7C;;;;;;OAMG;IACH,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GAAG,eAAe;IA+BtE;;OAEG;IACH,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAIxB;;OAEG;IACH,QAAQ,IAAI,IAAI;IAIhB;;;OAGG;IACH,OAAO,IAAI,IAAI;CAQhB"}

package/dist/rate-limiter.js

@@ -0,0 +1,84 @@
+"use strict";
+/**
+ * LAVS Rate Limiter
+ *
+ * Simple in-memory rate limiter for LAVS endpoint calls.
+ * Uses a sliding window counter algorithm.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LAVSRateLimiter = void 0;
+/**
+ * LAVS Rate Limiter - prevents excessive endpoint calls
+ */
+class LAVSRateLimiter {
+    windows = new Map();
+    defaultConfig;
+    /**
+     * Create a rate limiter with default configuration
+     * @param config - Default rate limit config (default: 60 requests per minute)
+     */
+    constructor(config) {
+        this.defaultConfig = {
+            maxRequests: config?.maxRequests ?? 60,
+            windowMs: config?.windowMs ?? 60000,
+        };
+    }
+    /**
+     * Check if a request is allowed under the rate limit.
+     *
+     * @param key - Rate limit key (e.g., `${agentId}:${endpointId}`)
+     * @param config - Optional per-key override config
+     * @returns Rate limit check result
+     */
+    check(key, config) {
+        const { maxRequests, windowMs } = { ...this.defaultConfig, ...config };
+        const now = Date.now();
+        let entry = this.windows.get(key);
+        // If no entry or window expired, start a new window
+        if (!entry || (now - entry.windowStart) >= windowMs) {
+            entry = { count: 0, windowStart: now };
+            this.windows.set(key, entry);
+        }
+        // Check if within limit
+        if (entry.count >= maxRequests) {
+            return {
+                allowed: false,
+                remaining: 0,
+                resetAt: entry.windowStart + windowMs,
+            };
+        }
+        // Increment counter
+        entry.count++;
+        return {
+            allowed: true,
+            remaining: maxRequests - entry.count,
+            resetAt: entry.windowStart + windowMs,
+        };
+    }
+    /**
+     * Reset rate limit for a key
+     */
+    reset(key) {
+        this.windows.delete(key);
+    }
+    /**
+     * Clear all rate limit entries
+     */
+    clearAll() {
+        this.windows.clear();
+    }
+    /**
+     * Clean up expired windows to prevent memory leaks.
+     * Should be called periodically.
+     */
+    cleanup() {
+        const now = Date.now();
+        for (const [key, entry] of this.windows.entries()) {
+            if ((now - entry.windowStart) >= this.defaultConfig.windowMs * 2) {
+                this.windows.delete(key);
+            }
+        }
+    }
+}
+exports.LAVSRateLimiter = LAVSRateLimiter;
+//# sourceMappingURL=rate-limiter.js.map

package/dist/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../src/rate-limiter.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AA0BH;;GAEG;AACH,MAAa,eAAe;IAClB,OAAO,GAA6B,IAAI,GAAG,EAAE,CAAC;IAC9C,aAAa,CAAkB;IAEvC;;;OAGG;IACH,YAAY,MAAiC;QAC3C,IAAI,CAAC,aAAa,GAAG;YACnB,WAAW,EAAE,MAAM,EAAE,WAAW,IAAI,EAAE;YACtC,QAAQ,EAAE,MAAM,EAAE,QAAQ,IAAI,KAAK;SACpC,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,GAAW,EAAE,MAAiC;QAClD,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,aAAa,EAAE,GAAG,MAAM,EAAE,CAAC;QACvE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAElC,oDAAoD;QACpD,IAAI,CAAC,KAAK,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,WAAW,CAAC,IAAI,QAAQ,EAAE,CAAC;YACpD,KAAK,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;YACvC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC/B,CAAC;QAED,wBAAwB;QACxB,IAAI,KAAK,CAAC,KAAK,IAAI,WAAW,EAAE,CAAC;YAC/B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,SAAS,EAAE,CAAC;gBACZ,OAAO,EAAE,KAAK,CAAC,WAAW,GAAG,QAAQ;aACtC,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,KAAK,CAAC,KAAK,EAAE,CAAC;QAEd,OAAO;YACL,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,WAAW,GAAG,KAAK,CAAC,KAAK;YACpC,OAAO,EAAE,KAAK,CAAC,WAAW,GAAG,QAAQ;SACtC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAW;QACf,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAED;;;OAGG;IACH,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YAClD,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,aAAa,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;gBACjE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;CACF;AA/ED,0CA+EC"}

package/dist/script-executor.d.ts

@@ -0,0 +1,70 @@
+/**
+ * LAVS Script Executor
+ *
+ * Executes script handlers with proper input/output handling and security.
+ */
+import { ScriptHandler, ExecutionContext } from './types';
+export declare class ScriptExecutor {
+    /**
+     * Execute a script handler
+     * @param handler - Script handler configuration
+     * @param input - Input data to pass to script
+     * @param context - Execution context with permissions
+     * @returns Script output (parsed as JSON)
+     */
+    execute(handler: ScriptHandler, input: any, context: ExecutionContext): Promise<any>;
+    /**
+     * Resolve argument templates with input values
+     * Replaces {{path.to.value}} with actual values from input
+     */
+    private resolveArgs;
+    /**
+     * Get value from nested object by dot path
+     * e.g., "user.name" from { user: { name: "Alice" } } => "Alice"
+     * Protects against prototype pollution by blocking __proto__, constructor, prototype keys.
+     */
+    private getValueByPath;
+    /**
+     * Build environment variables for script execution
+     */
+    buildEnvironment(handler: ScriptHandler, input: any, context: ExecutionContext): Record<string, string>;
+    /**
+     * Sensitive environment variable patterns (case-insensitive match).
+     * These keywords in variable names indicate potentially sensitive data.
+     */
+    private static readonly SENSITIVE_PATTERNS;
+    /**
+     * Whitelist of variable names that are safe even if they match sensitive patterns.
+     * For example, LAVS variables or NODE_ENV.
+     */
+    private static readonly SAFE_OVERRIDES;
+    /**
+     * Filter out environment variables that match sensitive patterns.
+     * Variables explicitly declared in handler.env are preserved (they are
+     * intentionally set by the manifest author), but inherited vars from
+     * process.env that match sensitive patterns are removed.
+     *
+     * @param env - Environment variables to filter
+     * @returns Filtered environment variables
+     */
+    filterSensitiveVars(env: Record<string, string>): Record<string, string>;
+    /**
+     * Get base environment variables (filtered for security)
+     * Only include safe variables, exclude sensitive ones
+     */
+    getBaseEnvironment(): Record<string, string>;
+    /**
+     * Convert input object to environment variables
+     * Flattens nested objects with underscore notation
+     */
+    private inputToEnv;
+    /**
+     * Capture stdout/stderr from process and wait for completion
+     */
+    private captureOutput;
+    /**
+     * Parse script output as JSON
+     */
+    private parseOutput;
+}
+//# sourceMappingURL=script-executor.d.ts.map

package/dist/script-executor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"script-executor.d.ts","sourceRoot":"","sources":["../src/script-executor.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,aAAa,EACb,gBAAgB,EAGjB,MAAM,SAAS,CAAC;AAEjB,qBAAa,cAAc;IACzB;;;;;;OAMG;IACG,OAAO,CACX,OAAO,EAAE,aAAa,EACtB,KAAK,EAAE,GAAG,EACV,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,GAAG,CAAC;IAmFf;;;OAGG;IACH,OAAO,CAAC,WAAW;IAWnB;;;;OAIG;IACH,OAAO,CAAC,cAAc;IAiBtB;;OAEG;IACH,gBAAgB,CACd,OAAO,EAAE,aAAa,EACtB,KAAK,EAAE,GAAG,EACV,OAAO,EAAE,gBAAgB,GACxB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAsBzB;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAWxC;IAEF;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAKnC;IAEH;;;;;;;;OAQG;IACH,mBAAmB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAwBxE;;;OAGG;IACH,kBAAkB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IA0B5C;;;OAGG;IACH,OAAO,CAAC,UAAU;IAoBlB;;OAEG;YACW,aAAa;IAoD3B;;OAEG;IACH,OAAO,CAAC,WAAW;CAkCpB"}