maestro-agent-sdk 0.1.2 → 0.1.4

package/dist/tools/builtin/sandbox.js

@@ -1,58 +0,0 @@
-import { resolve as resolvePath } from "node:path";
-import { WORKSPACE_DIR } from "../../platform/config.js";
-/**
- * Maestro builtin filesystem sandbox.
- *
- * Optional gate Read/Write/Edit (and any PreToolUse hook that consults it)
- * can use to constrain file access to `${WORKSPACE_DIR}`. Default is
- * **disabled** — claude/codex providers grant unconstrained FS access via
- * `bypassPermissions` / `danger-full-access`, and forcing a stricter posture
- * on maestro alone silently breaks any workflow that legitimately reaches
- * outside the workspace (reading `~/.config`, writing into a sibling repo,
- * etc.). The single-tenant Mac deployments maestro targets trust the model
- * with the whole UID anyway.
- *
- * Opt-in: set `MAESTRO_FS_SANDBOX_ENABLED=1` to enforce. Only paths under
- * `${WORKSPACE_DIR}` (`~/claude-code-workspace`) are allowed when enabled;
- * system paths (`~/.ssh`, `/etc`, `/usr`, sibling clawgram clones, etc.)
- * are rejected. Useful for multi-tenant or hardened setups where the
- * model should not be trusted with arbitrary FS access.
- *
- * Symlink note: we resolve `..` segments via `path.resolve` but do NOT
- * follow symlinks (no `realpathSync`) — a symlink inside the workspace
- * pointing OUT is still considered inside (the link target is what gets
- * written/read, and the user explicitly placed that link there). Tightening
- * this is a follow-up if it ever matters.
- */
-const ENV_ENABLED = "MAESTRO_FS_SANDBOX_ENABLED";
-/**
- * Check whether `filePath` is allowed by the sandbox. Returns null on allow,
- * or an error message string on deny. Callers stringify the error into a
- * `{error}` payload so the model sees a structured rejection.
- *
- * The path is normalized (`..` collapsed) but symlinks are NOT followed.
- * Caller is responsible for ensuring `filePath` is already absolute — the
- * Read/Write/Edit tools enforce that at the top of `execute`.
- */
-export function checkFilesystemAccess(filePath) {
-    if (!isSandboxEnabled())
-        return null;
-    const resolved = resolvePath(filePath);
-    // Allow path === root and any descendant. The separator suffix avoids
-    // `WORKSPACE_DIR-sibling` style false-allows.
-    if (resolved === WORKSPACE_DIR)
-        return null;
-    const prefix = WORKSPACE_DIR.endsWith("/") ? WORKSPACE_DIR : `${WORKSPACE_DIR}/`;
-    if (resolved.startsWith(prefix))
-        return null;
-    return (`Sandbox: path '${filePath}' is outside the workspace root (${WORKSPACE_DIR}). ` +
-        `Unset ${ENV_ENABLED} or scope the operation under the workspace.`);
-}
-/** Whether the sandbox is currently active. Default is OFF; the operator
- *  opts in by exporting `MAESTRO_FS_SANDBOX_ENABLED=1`. Read each call so a
- *  test can toggle it without restarting the process. */
-export function isSandboxEnabled() {
-    return process.env[ENV_ENABLED] === "1";
-}
-export const __ENV_ENABLED = ENV_ENABLED;
-//# sourceMappingURL=sandbox.js.map

package/dist/tools/builtin/sandbox.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"sandbox.js","sourceRoot":"","sources":["../../../src/tools/builtin/sandbox.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,MAAM,WAAW,GAAG,4BAA4B,CAAC;AAEjD;;;;;;;;GAQG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,IAAI,CAAC,gBAAgB,EAAE;QAAE,OAAO,IAAI,CAAC;IACrC,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IACvC,sEAAsE;IACtE,8CAA8C;IAC9C,IAAI,QAAQ,KAAK,aAAa;QAAE,OAAO,IAAI,CAAC;IAC5C,MAAM,MAAM,GAAG,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,aAAa,GAAG,CAAC;IACjF,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7C,OAAO,CACL,kBAAkB,QAAQ,oCAAoC,aAAa,KAAK;QAChF,SAAS,WAAW,8CAA8C,CACnE,CAAC;AACJ,CAAC;AAED;;yDAEyD;AACzD,MAAM,UAAU,gBAAgB;IAC9B,OAAO,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,GAAG,CAAC;AAC1C,CAAC;AAED,MAAM,CAAC,MAAM,aAAa,GAAG,WAAW,CAAC"}

package/dist/tools/hooks/sandbox-fs.d.ts

@@ -1,25 +0,0 @@
-import type { HookRegistration } from "../../tools/registry.js";
-/**
- * Filesystem sandbox as a PreToolUse hook.
- *
- * Centralized opt-in gate for any tool whose input carries a `file_path`
- * argument (Read/Write/Edit today, future FS-touching MCP tools by
- * inheritance). Default is **disabled** to match the unconstrained FS
- * posture of claude (`bypassPermissions`) and codex (`danger-full-access`)
- * providers — divergence here used to silently break maestro-only workflows
- * that legitimately reach outside the workspace. Operator opts in by
- * exporting `MAESTRO_FS_SANDBOX_ENABLED=1`.
- *
- * Scope: only tools whose `input.file_path` is a non-empty string are
- * inspected. Tools that don't surface a file path (bash, web_fetch, MCP
- * tools without an FS argument) are unaffected — this hook is FS-specific
- * by design. A future bash-sandbox hook would be a separate registration.
- *
- * Absolute-path enforcement is left to the tool itself: the model's error
- * message is clearer when it comes from the tool (`Read: file_path must be
- * absolute`) than from the sandbox hook ("path is not absolute"). The
- * sandbox only weighs in once an absolute path has been confirmed —
- * mirroring how the inline check used to work.
- */
-export declare function createSandboxFsHook(): HookRegistration;
-//# sourceMappingURL=sandbox-fs.d.ts.map

package/dist/tools/hooks/sandbox-fs.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"sandbox-fs.d.ts","sourceRoot":"","sources":["../../../src/tools/hooks/sandbox-fs.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEzD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,mBAAmB,IAAI,gBAAgB,CAsBtD"}

package/dist/tools/hooks/sandbox-fs.js

@@ -1,48 +0,0 @@
-import { isAbsolute } from "node:path";
-import { checkFilesystemAccess, isSandboxEnabled } from "../../tools/builtin/sandbox.js";
-/**
- * Filesystem sandbox as a PreToolUse hook.
- *
- * Centralized opt-in gate for any tool whose input carries a `file_path`
- * argument (Read/Write/Edit today, future FS-touching MCP tools by
- * inheritance). Default is **disabled** to match the unconstrained FS
- * posture of claude (`bypassPermissions`) and codex (`danger-full-access`)
- * providers — divergence here used to silently break maestro-only workflows
- * that legitimately reach outside the workspace. Operator opts in by
- * exporting `MAESTRO_FS_SANDBOX_ENABLED=1`.
- *
- * Scope: only tools whose `input.file_path` is a non-empty string are
- * inspected. Tools that don't surface a file path (bash, web_fetch, MCP
- * tools without an FS argument) are unaffected — this hook is FS-specific
- * by design. A future bash-sandbox hook would be a separate registration.
- *
- * Absolute-path enforcement is left to the tool itself: the model's error
- * message is clearer when it comes from the tool (`Read: file_path must be
- * absolute`) than from the sandbox hook ("path is not absolute"). The
- * sandbox only weighs in once an absolute path has been confirmed —
- * mirroring how the inline check used to work.
- */
-export function createSandboxFsHook() {
-    return {
-        name: "sandbox-fs",
-        pre(ctx) {
-            // Cheap exit when the operator hasn't opted into the sandbox — the
-            // common case, so skip the work before doing any property reads.
-            if (!isSandboxEnabled())
-                return { decision: "allow" };
-            const filePath = ctx.input.file_path;
-            if (typeof filePath !== "string" || filePath.length === 0) {
-                return { decision: "allow" };
-            }
-            // Defer absolute-path errors to the tool — its message is clearer.
-            if (!isAbsolute(filePath))
-                return { decision: "allow" };
-            const err = checkFilesystemAccess(filePath);
-            if (err) {
-                return { decision: "block", error: `${ctx.toolName}: ${err}` };
-            }
-            return { decision: "allow" };
-        },
-    };
-}
-//# sourceMappingURL=sandbox-fs.js.map

package/dist/tools/hooks/sandbox-fs.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"sandbox-fs.js","sourceRoot":"","sources":["../../../src/tools/hooks/sandbox-fs.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAGlF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO;QACL,IAAI,EAAE,YAAY;QAClB,GAAG,CAAC,GAAG;YACL,mEAAmE;YACnE,iEAAiE;YACjE,IAAI,CAAC,gBAAgB,EAAE;gBAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;YAEtD,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC;YACrC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1D,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;YAC/B,CAAC;YACD,mEAAmE;YACnE,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;YAExD,MAAM,GAAG,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;YAC5C,IAAI,GAAG,EAAE,CAAC;gBACR,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,EAAE,EAAE,CAAC;YACjE,CAAC;YACD,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;QAC/B,CAAC;KACF,CAAC;AACJ,CAAC"}