mstro-app 0.4.17 → 0.4.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +148 -75
- package/dist/server/cli/headless/claude-invoker-process.d.ts +1 -1
- package/dist/server/cli/headless/claude-invoker-process.d.ts.map +1 -1
- package/dist/server/cli/headless/claude-invoker-process.js +4 -10
- package/dist/server/cli/headless/claude-invoker-process.js.map +1 -1
- package/dist/server/cli/headless/claude-invoker.js +1 -1
- package/dist/server/cli/headless/claude-invoker.js.map +1 -1
- package/dist/server/cli/headless/headless-logger.js +1 -1
- package/dist/server/cli/headless/headless-logger.js.map +1 -1
- package/dist/server/cli/headless/mcp-config.d.ts +7 -2
- package/dist/server/cli/headless/mcp-config.d.ts.map +1 -1
- package/dist/server/cli/headless/mcp-config.js +28 -4
- package/dist/server/cli/headless/mcp-config.js.map +1 -1
- package/dist/server/cli/headless/runner.d.ts.map +1 -1
- package/dist/server/cli/headless/runner.js +0 -1
- package/dist/server/cli/headless/runner.js.map +1 -1
- package/dist/server/cli/headless/types.d.ts +1 -4
- package/dist/server/cli/headless/types.d.ts.map +1 -1
- package/dist/server/cli/improvisation-retry.d.ts +1 -1
- package/dist/server/cli/improvisation-retry.d.ts.map +1 -1
- package/dist/server/cli/improvisation-retry.js +1 -2
- package/dist/server/cli/improvisation-retry.js.map +1 -1
- package/dist/server/cli/improvisation-session-manager.d.ts +0 -1
- package/dist/server/cli/improvisation-session-manager.d.ts.map +1 -1
- package/dist/server/cli/improvisation-session-manager.js +44 -9
- package/dist/server/cli/improvisation-session-manager.js.map +1 -1
- package/dist/server/index.js +17 -2
- package/dist/server/index.js.map +1 -1
- package/dist/server/mcp/bouncer-haiku.d.ts.map +1 -1
- package/dist/server/mcp/bouncer-haiku.js +10 -5
- package/dist/server/mcp/bouncer-haiku.js.map +1 -1
- package/dist/server/mcp/bouncer-integration.d.ts +3 -1
- package/dist/server/mcp/bouncer-integration.d.ts.map +1 -1
- package/dist/server/mcp/bouncer-integration.js +12 -9
- package/dist/server/mcp/bouncer-integration.js.map +1 -1
- package/dist/server/mcp/server.js +3 -1
- package/dist/server/mcp/server.js.map +1 -1
- package/dist/server/services/pathUtils.d.ts.map +1 -1
- package/dist/server/services/pathUtils.js +33 -1
- package/dist/server/services/pathUtils.js.map +1 -1
- package/dist/server/services/plan/composer.d.ts +1 -1
- package/dist/server/services/plan/composer.d.ts.map +1 -1
- package/dist/server/services/plan/composer.js +6 -3
- package/dist/server/services/plan/composer.js.map +1 -1
- package/dist/server/services/plan/executor.d.ts +1 -4
- package/dist/server/services/plan/executor.d.ts.map +1 -1
- package/dist/server/services/plan/executor.js +6 -15
- package/dist/server/services/plan/executor.js.map +1 -1
- package/dist/server/services/plan/issue-retry.d.ts +23 -0
- package/dist/server/services/plan/issue-retry.d.ts.map +1 -0
- package/dist/server/services/plan/issue-retry.js +215 -0
- package/dist/server/services/plan/issue-retry.js.map +1 -0
- package/dist/server/services/plan/review-gate.d.ts.map +1 -1
- package/dist/server/services/plan/review-gate.js +20 -3
- package/dist/server/services/plan/review-gate.js.map +1 -1
- package/dist/server/services/plan/state-reconciler.d.ts +6 -0
- package/dist/server/services/plan/state-reconciler.d.ts.map +1 -1
- package/dist/server/services/plan/state-reconciler.js +68 -1
- package/dist/server/services/plan/state-reconciler.js.map +1 -1
- package/dist/server/services/platform.d.ts.map +1 -1
- package/dist/server/services/platform.js +18 -6
- package/dist/server/services/platform.js.map +1 -1
- package/dist/server/services/terminal/pty-manager.d.ts +2 -4
- package/dist/server/services/terminal/pty-manager.d.ts.map +1 -1
- package/dist/server/services/terminal/pty-manager.js +5 -28
- package/dist/server/services/terminal/pty-manager.js.map +1 -1
- package/dist/server/services/terminal/pty-utils.d.ts +2 -13
- package/dist/server/services/terminal/pty-utils.d.ts.map +1 -1
- package/dist/server/services/terminal/pty-utils.js +2 -74
- package/dist/server/services/terminal/pty-utils.js.map +1 -1
- package/dist/server/services/websocket/autocomplete.d.ts +1 -1
- package/dist/server/services/websocket/autocomplete.d.ts.map +1 -1
- package/dist/server/services/websocket/autocomplete.js +37 -24
- package/dist/server/services/websocket/autocomplete.js.map +1 -1
- package/dist/server/services/websocket/file-explorer-handlers.d.ts +2 -2
- package/dist/server/services/websocket/file-explorer-handlers.d.ts.map +1 -1
- package/dist/server/services/websocket/file-explorer-handlers.js +11 -4
- package/dist/server/services/websocket/file-explorer-handlers.js.map +1 -1
- package/dist/server/services/websocket/handler.d.ts.map +1 -1
- package/dist/server/services/websocket/handler.js +14 -1
- package/dist/server/services/websocket/handler.js.map +1 -1
- package/dist/server/services/websocket/plan-board-handlers.d.ts +5 -5
- package/dist/server/services/websocket/plan-board-handlers.d.ts.map +1 -1
- package/dist/server/services/websocket/plan-board-handlers.js.map +1 -1
- package/dist/server/services/websocket/plan-execution-handlers.d.ts +6 -6
- package/dist/server/services/websocket/plan-execution-handlers.d.ts.map +1 -1
- package/dist/server/services/websocket/plan-execution-handlers.js +1 -4
- package/dist/server/services/websocket/plan-execution-handlers.js.map +1 -1
- package/dist/server/services/websocket/plan-handlers.d.ts +1 -1
- package/dist/server/services/websocket/plan-handlers.d.ts.map +1 -1
- package/dist/server/services/websocket/plan-handlers.js.map +1 -1
- package/dist/server/services/websocket/plan-helpers.d.ts +1 -1
- package/dist/server/services/websocket/plan-helpers.d.ts.map +1 -1
- package/dist/server/services/websocket/plan-helpers.js.map +1 -1
- package/dist/server/services/websocket/plan-issue-handlers.d.ts +4 -4
- package/dist/server/services/websocket/plan-issue-handlers.d.ts.map +1 -1
- package/dist/server/services/websocket/plan-issue-handlers.js +10 -0
- package/dist/server/services/websocket/plan-issue-handlers.js.map +1 -1
- package/dist/server/services/websocket/plan-sprint-handlers.d.ts +3 -3
- package/dist/server/services/websocket/plan-sprint-handlers.d.ts.map +1 -1
- package/dist/server/services/websocket/plan-sprint-handlers.js.map +1 -1
- package/dist/server/services/websocket/quality-handlers.d.ts +1 -1
- package/dist/server/services/websocket/quality-handlers.d.ts.map +1 -1
- package/dist/server/services/websocket/quality-handlers.js +9 -5
- package/dist/server/services/websocket/quality-handlers.js.map +1 -1
- package/dist/server/services/websocket/quality-review-agent.d.ts.map +1 -1
- package/dist/server/services/websocket/quality-review-agent.js +7 -4
- package/dist/server/services/websocket/quality-review-agent.js.map +1 -1
- package/dist/server/services/websocket/session-handlers.d.ts +1 -1
- package/dist/server/services/websocket/session-handlers.d.ts.map +1 -1
- package/dist/server/services/websocket/session-handlers.js +5 -2
- package/dist/server/services/websocket/session-handlers.js.map +1 -1
- package/dist/server/services/websocket/settings-handlers.d.ts.map +1 -1
- package/dist/server/services/websocket/settings-handlers.js +17 -21
- package/dist/server/services/websocket/settings-handlers.js.map +1 -1
- package/dist/server/services/websocket/terminal-handlers.d.ts +1 -1
- package/dist/server/services/websocket/terminal-handlers.d.ts.map +1 -1
- package/dist/server/services/websocket/terminal-handlers.js +9 -21
- package/dist/server/services/websocket/terminal-handlers.js.map +1 -1
- package/dist/server/services/websocket/types.d.ts +2 -2
- package/dist/server/services/websocket/types.d.ts.map +1 -1
- package/dist/server/utils/port.d.ts +0 -11
- package/dist/server/utils/port.d.ts.map +1 -1
- package/dist/server/utils/port.js +0 -31
- package/dist/server/utils/port.js.map +1 -1
- package/package.json +1 -2
- package/server/cli/headless/claude-invoker-process.ts +5 -12
- package/server/cli/headless/claude-invoker.ts +1 -1
- package/server/cli/headless/headless-logger.ts +1 -1
- package/server/cli/headless/mcp-config.ts +31 -4
- package/server/cli/headless/runner.ts +0 -1
- package/server/cli/headless/types.ts +1 -4
- package/server/cli/improvisation-retry.ts +0 -2
- package/server/cli/improvisation-session-manager.ts +45 -10
- package/server/index.ts +16 -2
- package/server/mcp/bouncer-haiku.ts +11 -5
- package/server/mcp/bouncer-integration.ts +12 -9
- package/server/mcp/server.ts +3 -1
- package/server/services/pathUtils.ts +35 -1
- package/server/services/plan/composer.ts +5 -3
- package/server/services/plan/executor.ts +6 -17
- package/server/services/plan/issue-retry.ts +294 -0
- package/server/services/plan/review-gate.ts +14 -3
- package/server/services/plan/state-reconciler.ts +70 -1
- package/server/services/platform.ts +17 -6
- package/server/services/terminal/pty-manager.ts +6 -33
- package/server/services/terminal/pty-utils.ts +2 -80
- package/server/services/websocket/autocomplete.ts +48 -26
- package/server/services/websocket/file-explorer-handlers.ts +14 -7
- package/server/services/websocket/handler.ts +14 -2
- package/server/services/websocket/plan-board-handlers.ts +5 -5
- package/server/services/websocket/plan-execution-handlers.ts +7 -10
- package/server/services/websocket/plan-handlers.ts +1 -1
- package/server/services/websocket/plan-helpers.ts +1 -1
- package/server/services/websocket/plan-issue-handlers.ts +14 -4
- package/server/services/websocket/plan-sprint-handlers.ts +3 -3
- package/server/services/websocket/quality-handlers.ts +9 -5
- package/server/services/websocket/quality-review-agent.ts +7 -4
- package/server/services/websocket/session-handlers.ts +8 -3
- package/server/services/websocket/settings-handlers.ts +18 -22
- package/server/services/websocket/terminal-handlers.ts +10 -24
- package/server/services/websocket/types.ts +2 -2
- package/server/utils/port.ts +0 -41
- package/dist/server/mcp/bouncer-sandbox.d.ts +0 -60
- package/dist/server/mcp/bouncer-sandbox.d.ts.map +0 -1
- package/dist/server/mcp/bouncer-sandbox.js +0 -182
- package/dist/server/mcp/bouncer-sandbox.js.map +0 -1
- package/dist/server/services/credentials.d.ts +0 -39
- package/dist/server/services/credentials.d.ts.map +0 -1
- package/dist/server/services/credentials.js +0 -110
- package/dist/server/services/credentials.js.map +0 -1
- package/dist/server/services/sandbox-utils.d.ts +0 -8
- package/dist/server/services/sandbox-utils.d.ts.map +0 -1
- package/dist/server/services/sandbox-utils.js +0 -75
- package/dist/server/services/sandbox-utils.js.map +0 -1
- package/server/mcp/bouncer-sandbox.ts +0 -214
- package/server/services/credentials.ts +0 -134
- package/server/services/sandbox-utils.ts +0 -82
|
@@ -7,11 +7,11 @@ import { getPTYManager } from '../terminal/pty-manager.js';
|
|
|
7
7
|
import type { HandlerContext } from './handler-context.js';
|
|
8
8
|
import type { WebSocketMessage, WSContext } from './types.js';
|
|
9
9
|
|
|
10
|
-
export function handleTerminalMessage(ctx: HandlerContext, ws: WSContext, msg: WebSocketMessage, tabId: string, workingDir: string
|
|
10
|
+
export async function handleTerminalMessage(ctx: HandlerContext, ws: WSContext, msg: WebSocketMessage, tabId: string, workingDir: string): Promise<void> {
|
|
11
11
|
const termId = msg.terminalId || tabId;
|
|
12
12
|
switch (msg.type) {
|
|
13
13
|
case 'terminalInit':
|
|
14
|
-
handleTerminalInit(ctx, ws, termId, workingDir, msg.data?.shell, msg.data?.cols, msg.data?.rows
|
|
14
|
+
await handleTerminalInit(ctx, ws, termId, workingDir, msg.data?.shell, msg.data?.cols, msg.data?.rows);
|
|
15
15
|
break;
|
|
16
16
|
case 'terminalReconnect':
|
|
17
17
|
handleTerminalReconnect(ctx, ws, termId);
|
|
@@ -31,7 +31,7 @@ export function handleTerminalMessage(ctx: HandlerContext, ws: WSContext, msg: W
|
|
|
31
31
|
}
|
|
32
32
|
}
|
|
33
33
|
|
|
34
|
-
function handleTerminalInit(
|
|
34
|
+
async function handleTerminalInit(
|
|
35
35
|
ctx: HandlerContext,
|
|
36
36
|
ws: WSContext,
|
|
37
37
|
terminalId: string,
|
|
@@ -39,8 +39,7 @@ function handleTerminalInit(
|
|
|
39
39
|
requestedShell?: string,
|
|
40
40
|
cols?: number,
|
|
41
41
|
rows?: number,
|
|
42
|
-
|
|
43
|
-
): void {
|
|
42
|
+
): Promise<void> {
|
|
44
43
|
const ptyManager = getPTYManager();
|
|
45
44
|
|
|
46
45
|
if (!ptyManager.isPtyAvailable()) {
|
|
@@ -59,13 +58,12 @@ function handleTerminalInit(
|
|
|
59
58
|
setupTerminalBroadcastListeners(ctx, terminalId);
|
|
60
59
|
|
|
61
60
|
try {
|
|
62
|
-
const { shell, cwd, isReconnect, platform } = ptyManager.create(
|
|
61
|
+
const { shell, cwd, isReconnect, platform } = await ptyManager.create(
|
|
63
62
|
terminalId,
|
|
64
63
|
workingDir,
|
|
65
64
|
cols || 80,
|
|
66
65
|
rows || 24,
|
|
67
66
|
requestedShell,
|
|
68
|
-
{ sandboxed: permission === 'control' || permission === 'view' }
|
|
69
67
|
);
|
|
70
68
|
|
|
71
69
|
if (!isReconnect) {
|
|
@@ -96,23 +94,11 @@ function handleTerminalInit(
|
|
|
96
94
|
} catch (error: unknown) {
|
|
97
95
|
const errorMsg = error instanceof Error ? error.message : String(error);
|
|
98
96
|
console.error(`[WebSocketImproviseHandler] Failed to create terminal:`, error);
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
data: {
|
|
105
|
-
error: 'SANDBOX_UNAVAILABLE',
|
|
106
|
-
message: 'Terminal requires bubblewrap (bwrap) to be installed on the host machine for shared app sessions. Ask the app owner to install it.',
|
|
107
|
-
}
|
|
108
|
-
});
|
|
109
|
-
} else {
|
|
110
|
-
ctx.send(ws, {
|
|
111
|
-
type: 'terminalError',
|
|
112
|
-
terminalId,
|
|
113
|
-
data: { error: errorMsg || 'Failed to create terminal' }
|
|
114
|
-
});
|
|
115
|
-
}
|
|
97
|
+
ctx.send(ws, {
|
|
98
|
+
type: 'terminalError',
|
|
99
|
+
terminalId,
|
|
100
|
+
data: { error: errorMsg || 'Failed to create terminal' }
|
|
101
|
+
});
|
|
116
102
|
removeTerminalSubscriber(ctx, terminalId, ws);
|
|
117
103
|
}
|
|
118
104
|
}
|
|
@@ -158,8 +158,8 @@ export interface WebSocketMessage {
|
|
|
158
158
|
terminalId?: string;
|
|
159
159
|
// biome-ignore lint/suspicious/noExplicitAny: message envelope carries heterogeneous payloads
|
|
160
160
|
data?: any;
|
|
161
|
-
/** Injected by server relay for
|
|
162
|
-
_permission?: '
|
|
161
|
+
/** Injected by server relay for view-only shared users */
|
|
162
|
+
_permission?: 'view';
|
|
163
163
|
}
|
|
164
164
|
|
|
165
165
|
export interface WebSocketResponse {
|
package/server/utils/port.ts
CHANGED
|
@@ -59,44 +59,3 @@ export async function findAvailablePort(startPort: number, maxTries: number = 20
|
|
|
59
59
|
}
|
|
60
60
|
throw new Error(`No available ports found between ${startPort} and ${startPort + maxTries}`)
|
|
61
61
|
}
|
|
62
|
-
|
|
63
|
-
/**
|
|
64
|
-
* Find an available port pair for frontend and backend
|
|
65
|
-
* Frontend = EVEN port (3000, 3002, 3004...)
|
|
66
|
-
* Backend = ODD port (3001, 3003, 3005...)
|
|
67
|
-
*
|
|
68
|
-
* Checks all candidate ports in parallel for fast detection.
|
|
69
|
-
*/
|
|
70
|
-
export async function findAvailablePortPair(startPort: number = 3000, maxPairs: number = 20): Promise<{ frontend: number; backend: number }> {
|
|
71
|
-
// Ensure startPort is even
|
|
72
|
-
const basePort = startPort % 2 === 0 ? startPort : startPort + 1
|
|
73
|
-
|
|
74
|
-
// Generate all candidate pairs
|
|
75
|
-
const pairs: { frontend: number; backend: number }[] = []
|
|
76
|
-
for (let i = 0; i < maxPairs; i++) {
|
|
77
|
-
pairs.push({
|
|
78
|
-
frontend: basePort + (i * 2), // 3000, 3002, 3004...
|
|
79
|
-
backend: basePort + (i * 2) + 1 // 3001, 3003, 3005...
|
|
80
|
-
})
|
|
81
|
-
}
|
|
82
|
-
|
|
83
|
-
// Check all ports in parallel (both frontend and backend ports)
|
|
84
|
-
const allPorts = pairs.flatMap(p => [p.frontend, p.backend])
|
|
85
|
-
const results = await Promise.all(
|
|
86
|
-
allPorts.map(async (port) => ({ port, available: await isPortAvailable(port) }))
|
|
87
|
-
)
|
|
88
|
-
|
|
89
|
-
// Build a set of available ports for O(1) lookup
|
|
90
|
-
const availablePorts = new Set(
|
|
91
|
-
results.filter(r => r.available).map(r => r.port)
|
|
92
|
-
)
|
|
93
|
-
|
|
94
|
-
// Find first pair where both ports are available
|
|
95
|
-
for (const pair of pairs) {
|
|
96
|
-
if (availablePorts.has(pair.frontend) && availablePorts.has(pair.backend)) {
|
|
97
|
-
return pair
|
|
98
|
-
}
|
|
99
|
-
}
|
|
100
|
-
|
|
101
|
-
throw new Error(`No available port pairs found starting from ${startPort}`)
|
|
102
|
-
}
|
|
@@ -1,60 +0,0 @@
|
|
|
1
|
-
export interface SandboxExecResult {
|
|
2
|
-
/** The sandboxed command that was actually run */
|
|
3
|
-
wrappedCommand: string;
|
|
4
|
-
/** Whether sandbox-runtime is available on this platform */
|
|
5
|
-
sandboxAvailable: boolean;
|
|
6
|
-
/** Whether the sandbox contained the operation (no violations) */
|
|
7
|
-
contained: boolean;
|
|
8
|
-
/** List of violation descriptions if any escaped the sandbox */
|
|
9
|
-
violations: string[];
|
|
10
|
-
}
|
|
11
|
-
export interface CanaryCheckResult {
|
|
12
|
-
/** Whether the canary file still exists (should be true if sandbox contained the write) */
|
|
13
|
-
canaryIntact: boolean;
|
|
14
|
-
/** Whether a file was written outside the sandbox (should be false) */
|
|
15
|
-
escapeDetected: boolean;
|
|
16
|
-
}
|
|
17
|
-
/**
|
|
18
|
-
* Test harness that wraps command execution in sandbox-runtime.
|
|
19
|
-
* Provides canary files and violation tracking to verify containment.
|
|
20
|
-
*/
|
|
21
|
-
export declare class BouncerSandboxHarness {
|
|
22
|
-
private sandboxManager;
|
|
23
|
-
private sandboxAvailable;
|
|
24
|
-
private tempDir;
|
|
25
|
-
private canaryDir;
|
|
26
|
-
constructor();
|
|
27
|
-
/**
|
|
28
|
-
* Initialize the sandbox. Falls back gracefully if bwrap/sandbox-exec not available.
|
|
29
|
-
*/
|
|
30
|
-
initialize(): Promise<{
|
|
31
|
-
available: boolean;
|
|
32
|
-
reason?: string;
|
|
33
|
-
}>;
|
|
34
|
-
/**
|
|
35
|
-
* Execute a command inside the sandbox. Returns containment results.
|
|
36
|
-
* If sandbox is not available, validates the bouncer decision only (no actual execution).
|
|
37
|
-
*/
|
|
38
|
-
executeInSandbox(command: string): Promise<SandboxExecResult>;
|
|
39
|
-
/**
|
|
40
|
-
* Place a canary file and return a checker to verify containment.
|
|
41
|
-
* If a sandboxed command can delete or modify the canary, containment failed.
|
|
42
|
-
*/
|
|
43
|
-
placeCanary(name: string): {
|
|
44
|
-
path: string;
|
|
45
|
-
check: () => CanaryCheckResult;
|
|
46
|
-
};
|
|
47
|
-
/**
|
|
48
|
-
* Get the temp directory where sandboxed commands can write.
|
|
49
|
-
*/
|
|
50
|
-
getSandboxWriteDir(): string;
|
|
51
|
-
/**
|
|
52
|
-
* Whether the sandbox is actually available and initialized.
|
|
53
|
-
*/
|
|
54
|
-
isAvailable(): boolean;
|
|
55
|
-
/**
|
|
56
|
-
* Clean up temp dirs and reset sandbox state.
|
|
57
|
-
*/
|
|
58
|
-
cleanup(): Promise<void>;
|
|
59
|
-
}
|
|
60
|
-
//# sourceMappingURL=bouncer-sandbox.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"bouncer-sandbox.d.ts","sourceRoot":"","sources":["../../../server/mcp/bouncer-sandbox.ts"],"names":[],"mappings":"AAuBA,MAAM,WAAW,iBAAiB;IAChC,kDAAkD;IAClD,cAAc,EAAE,MAAM,CAAC;IACvB,4DAA4D;IAC5D,gBAAgB,EAAE,OAAO,CAAC;IAC1B,kEAAkE;IAClE,SAAS,EAAE,OAAO,CAAC;IACnB,gEAAgE;IAChE,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,2FAA2F;IAC3F,YAAY,EAAE,OAAO,CAAC;IACtB,uEAAuE;IACvE,cAAc,EAAE,OAAO,CAAC;CACzB;AAED;;;GAGG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,cAAc,CAA0F;IAChH,OAAO,CAAC,gBAAgB,CAAS;IACjC,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,SAAS,CAAS;;IAQ1B;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC;QAAE,SAAS,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAiDpE;;;OAGG;IACG,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAmDnE;;;OAGG;IACH,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,iBAAiB,CAAA;KAAE;IAc3E;;OAEG;IACH,kBAAkB,IAAI,MAAM;IAI5B;;OAEG;IACH,WAAW,IAAI,OAAO;IAItB;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAc/B"}
|
|
@@ -1,182 +0,0 @@
|
|
|
1
|
-
// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
|
|
2
|
-
// Licensed under the MIT License. See LICENSE file for details.
|
|
3
|
-
/**
|
|
4
|
-
* Sandbox Harness for Bouncer Testing
|
|
5
|
-
*
|
|
6
|
-
* Wraps command execution in Anthropic's sandbox-runtime (bubblewrap on Linux,
|
|
7
|
-
* sandbox-exec on macOS) to safely test what happens when the bouncer FAILS —
|
|
8
|
-
* i.e., when a malicious tool call gets through.
|
|
9
|
-
*
|
|
10
|
-
* Usage in tests:
|
|
11
|
-
* const harness = new BouncerSandboxHarness();
|
|
12
|
-
* await harness.initialize();
|
|
13
|
-
* const result = await harness.executeInSandbox('rm -rf /tmp/test-canary');
|
|
14
|
-
* expect(result.violations).toContain(...)
|
|
15
|
-
* await harness.cleanup();
|
|
16
|
-
*/
|
|
17
|
-
import { execSync } from 'node:child_process';
|
|
18
|
-
import { existsSync, mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
|
|
19
|
-
import { tmpdir } from 'node:os';
|
|
20
|
-
import { join } from 'node:path';
|
|
21
|
-
/**
|
|
22
|
-
* Test harness that wraps command execution in sandbox-runtime.
|
|
23
|
-
* Provides canary files and violation tracking to verify containment.
|
|
24
|
-
*/
|
|
25
|
-
export class BouncerSandboxHarness {
|
|
26
|
-
sandboxManager = null;
|
|
27
|
-
sandboxAvailable = false;
|
|
28
|
-
tempDir;
|
|
29
|
-
canaryDir;
|
|
30
|
-
constructor() {
|
|
31
|
-
this.tempDir = mkdtempSync(join(tmpdir(), 'bouncer-sandbox-'));
|
|
32
|
-
this.canaryDir = join(this.tempDir, 'canaries');
|
|
33
|
-
mkdirSync(this.canaryDir, { recursive: true });
|
|
34
|
-
}
|
|
35
|
-
/**
|
|
36
|
-
* Initialize the sandbox. Falls back gracefully if bwrap/sandbox-exec not available.
|
|
37
|
-
*/
|
|
38
|
-
async initialize() {
|
|
39
|
-
try {
|
|
40
|
-
const { SandboxManager } = await import('@anthropic-ai/sandbox-runtime');
|
|
41
|
-
if (!SandboxManager.isSupportedPlatform()) {
|
|
42
|
-
return { available: false, reason: 'Platform not supported by sandbox-runtime' };
|
|
43
|
-
}
|
|
44
|
-
const deps = SandboxManager.checkDependencies();
|
|
45
|
-
if (deps.errors.length > 0) {
|
|
46
|
-
return {
|
|
47
|
-
available: false,
|
|
48
|
-
reason: `Missing dependencies: ${deps.errors.join(', ')}`,
|
|
49
|
-
};
|
|
50
|
-
}
|
|
51
|
-
await SandboxManager.initialize({
|
|
52
|
-
network: {
|
|
53
|
-
allowedDomains: [], // Block ALL network access
|
|
54
|
-
deniedDomains: ['*'],
|
|
55
|
-
},
|
|
56
|
-
filesystem: {
|
|
57
|
-
denyRead: [
|
|
58
|
-
'/home/*/.ssh',
|
|
59
|
-
'/home/*/.aws',
|
|
60
|
-
'/home/*/.gnupg',
|
|
61
|
-
'/etc/shadow',
|
|
62
|
-
'/etc/passwd',
|
|
63
|
-
],
|
|
64
|
-
allowWrite: [this.tempDir], // Only allow writes to our temp dir
|
|
65
|
-
denyWrite: [
|
|
66
|
-
'/',
|
|
67
|
-
'/home',
|
|
68
|
-
'/etc',
|
|
69
|
-
'/usr',
|
|
70
|
-
'/var',
|
|
71
|
-
],
|
|
72
|
-
},
|
|
73
|
-
});
|
|
74
|
-
this.sandboxManager = SandboxManager;
|
|
75
|
-
this.sandboxAvailable = true;
|
|
76
|
-
return { available: true };
|
|
77
|
-
}
|
|
78
|
-
catch (error) {
|
|
79
|
-
const msg = error instanceof Error ? error.message : String(error);
|
|
80
|
-
return { available: false, reason: `Failed to initialize sandbox: ${msg}` };
|
|
81
|
-
}
|
|
82
|
-
}
|
|
83
|
-
/**
|
|
84
|
-
* Execute a command inside the sandbox. Returns containment results.
|
|
85
|
-
* If sandbox is not available, validates the bouncer decision only (no actual execution).
|
|
86
|
-
*/
|
|
87
|
-
async executeInSandbox(command) {
|
|
88
|
-
if (!this.sandboxAvailable || !this.sandboxManager) {
|
|
89
|
-
return {
|
|
90
|
-
wrappedCommand: command,
|
|
91
|
-
sandboxAvailable: false,
|
|
92
|
-
contained: true,
|
|
93
|
-
violations: ['Sandbox not available — decision-only testing mode'],
|
|
94
|
-
};
|
|
95
|
-
}
|
|
96
|
-
const violations = [];
|
|
97
|
-
try {
|
|
98
|
-
const wrappedCommand = await this.sandboxManager.wrapWithSandbox(command);
|
|
99
|
-
// Execute the wrapped command and capture violations
|
|
100
|
-
try {
|
|
101
|
-
execSync(wrappedCommand, {
|
|
102
|
-
timeout: 5000,
|
|
103
|
-
stdio: 'pipe',
|
|
104
|
-
cwd: this.tempDir,
|
|
105
|
-
});
|
|
106
|
-
}
|
|
107
|
-
catch {
|
|
108
|
-
// Command failure inside sandbox is expected for malicious ops
|
|
109
|
-
}
|
|
110
|
-
// Check violation store
|
|
111
|
-
const stderr = this.sandboxManager.annotateStderrWithSandboxFailures(command, '');
|
|
112
|
-
if (stderr) {
|
|
113
|
-
violations.push(stderr);
|
|
114
|
-
}
|
|
115
|
-
this.sandboxManager.cleanupAfterCommand();
|
|
116
|
-
return {
|
|
117
|
-
wrappedCommand,
|
|
118
|
-
sandboxAvailable: true,
|
|
119
|
-
contained: violations.length === 0,
|
|
120
|
-
violations,
|
|
121
|
-
};
|
|
122
|
-
}
|
|
123
|
-
catch (error) {
|
|
124
|
-
const msg = error instanceof Error ? error.message : String(error);
|
|
125
|
-
violations.push(`Sandbox execution error: ${msg}`);
|
|
126
|
-
return {
|
|
127
|
-
wrappedCommand: command,
|
|
128
|
-
sandboxAvailable: true,
|
|
129
|
-
contained: true, // Error means the command didn't execute
|
|
130
|
-
violations,
|
|
131
|
-
};
|
|
132
|
-
}
|
|
133
|
-
}
|
|
134
|
-
/**
|
|
135
|
-
* Place a canary file and return a checker to verify containment.
|
|
136
|
-
* If a sandboxed command can delete or modify the canary, containment failed.
|
|
137
|
-
*/
|
|
138
|
-
placeCanary(name) {
|
|
139
|
-
const canaryPath = join(this.canaryDir, name);
|
|
140
|
-
const escapePath = join(this.canaryDir, `${name}.escaped`);
|
|
141
|
-
writeFileSync(canaryPath, `canary-${Date.now()}`, 'utf-8');
|
|
142
|
-
return {
|
|
143
|
-
path: canaryPath,
|
|
144
|
-
check: () => ({
|
|
145
|
-
canaryIntact: existsSync(canaryPath),
|
|
146
|
-
escapeDetected: existsSync(escapePath),
|
|
147
|
-
}),
|
|
148
|
-
};
|
|
149
|
-
}
|
|
150
|
-
/**
|
|
151
|
-
* Get the temp directory where sandboxed commands can write.
|
|
152
|
-
*/
|
|
153
|
-
getSandboxWriteDir() {
|
|
154
|
-
return this.tempDir;
|
|
155
|
-
}
|
|
156
|
-
/**
|
|
157
|
-
* Whether the sandbox is actually available and initialized.
|
|
158
|
-
*/
|
|
159
|
-
isAvailable() {
|
|
160
|
-
return this.sandboxAvailable;
|
|
161
|
-
}
|
|
162
|
-
/**
|
|
163
|
-
* Clean up temp dirs and reset sandbox state.
|
|
164
|
-
*/
|
|
165
|
-
async cleanup() {
|
|
166
|
-
try {
|
|
167
|
-
if (this.sandboxManager) {
|
|
168
|
-
await this.sandboxManager.reset();
|
|
169
|
-
}
|
|
170
|
-
}
|
|
171
|
-
catch {
|
|
172
|
-
// Ignore cleanup errors
|
|
173
|
-
}
|
|
174
|
-
try {
|
|
175
|
-
rmSync(this.tempDir, { recursive: true, force: true });
|
|
176
|
-
}
|
|
177
|
-
catch {
|
|
178
|
-
// Ignore cleanup errors
|
|
179
|
-
}
|
|
180
|
-
}
|
|
181
|
-
}
|
|
182
|
-
//# sourceMappingURL=bouncer-sandbox.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"bouncer-sandbox.js","sourceRoot":"","sources":["../../../server/mcp/bouncer-sandbox.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAEhE;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACpF,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAoBjC;;;GAGG;AACH,MAAM,OAAO,qBAAqB;IACxB,cAAc,GAAqF,IAAI,CAAC;IACxG,gBAAgB,GAAG,KAAK,CAAC;IACzB,OAAO,CAAS;IAChB,SAAS,CAAS;IAE1B;QACE,IAAI,CAAC,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC,CAAC;QAC/D,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAChD,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,CAAC;YACH,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,+BAA+B,CAAC,CAAC;YAEzE,IAAI,CAAC,cAAc,CAAC,mBAAmB,EAAE,EAAE,CAAC;gBAC1C,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,2CAA2C,EAAE,CAAC;YACnF,CAAC;YAED,MAAM,IAAI,GAAG,cAAc,CAAC,iBAAiB,EAAE,CAAC;YAChD,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC3B,OAAO;oBACL,SAAS,EAAE,KAAK;oBAChB,MAAM,EAAE,yBAAyB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBAC1D,CAAC;YACJ,CAAC;YAED,MAAM,cAAc,CAAC,UAAU,CAAC;gBAC9B,OAAO,EAAE;oBACP,cAAc,EAAE,EAAE,EAAE,2BAA2B;oBAC/C,aAAa,EAAE,CAAC,GAAG,CAAC;iBACrB;gBACD,UAAU,EAAE;oBACV,QAAQ,EAAE;wBACR,cAAc;wBACd,cAAc;wBACd,gBAAgB;wBAChB,aAAa;wBACb,aAAa;qBACd;oBACD,UAAU,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,oCAAoC;oBAChE,SAAS,EAAE;wBACT,GAAG;wBACH,OAAO;wBACP,MAAM;wBACN,MAAM;wBACN,MAAM;qBACP;iBACF;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;YACrC,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;YAC7B,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC7B,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,iCAAiC,GAAG,EAAE,EAAE,CAAC;QAC9E,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,gBAAgB,CAAC,OAAe;QACpC,IAAI,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACnD,OAAO;gBACL,cAAc,EAAE,OAAO;gBACvB,gBAAgB,EAAE,KAAK;gBACvB,SAAS,EAAE,IAAI;gBACf,UAAU,EAAE,CAAC,oDAAoD,CAAC;aACnE,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;YAE1E,qDAAqD;YACrD,IAAI,CAAC;gBACH,QAAQ,CAAC,cAAc,EAAE;oBACvB,OAAO,EAAE,IAAI;oBACb,KAAK,EAAE,MAAM;oBACb,GAAG,EAAE,IAAI,CAAC,OAAO;iBAClB,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,+DAA+D;YACjE,CAAC;YAED,wBAAwB;YACxB,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,iCAAiC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAClF,IAAI,MAAM,EAAE,CAAC;gBACX,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC1B,CAAC;YAED,IAAI,CAAC,cAAc,CAAC,mBAAmB,EAAE,CAAC;YAE1C,OAAO;gBACL,cAAc;gBACd,gBAAgB,EAAE,IAAI;gBACtB,SAAS,EAAE,UAAU,CAAC,MAAM,KAAK,CAAC;gBAClC,UAAU;aACX,CAAC;QACJ,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,UAAU,CAAC,IAAI,CAAC,4BAA4B,GAAG,EAAE,CAAC,CAAC;YACnD,OAAO;gBACL,cAAc,EAAE,OAAO;gBACvB,gBAAgB,EAAE,IAAI;gBACtB,SAAS,EAAE,IAAI,EAAE,yCAAyC;gBAC1D,UAAU;aACX,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,IAAY;QACtB,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,IAAI,UAAU,CAAC,CAAC;QAC3D,aAAa,CAAC,UAAU,EAAE,UAAU,IAAI,CAAC,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;QAE3D,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBACZ,YAAY,EAAE,UAAU,CAAC,UAAU,CAAC;gBACpC,cAAc,EAAE,UAAU,CAAC,UAAU,CAAC;aACvC,CAAC;SACH,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,kBAAkB;QAChB,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO;QACX,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;gBACxB,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;YACpC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;QACD,IAAI,CAAC;YACH,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;CACF"}
|
|
@@ -1,39 +0,0 @@
|
|
|
1
|
-
export interface Credentials {
|
|
2
|
-
token: string;
|
|
3
|
-
userId: string;
|
|
4
|
-
email: string;
|
|
5
|
-
name?: string;
|
|
6
|
-
deviceId?: string;
|
|
7
|
-
clientId: string;
|
|
8
|
-
createdAt: string;
|
|
9
|
-
lastRefreshedAt?: string;
|
|
10
|
-
}
|
|
11
|
-
/**
|
|
12
|
-
* Get stored credentials, or null if not logged in
|
|
13
|
-
*/
|
|
14
|
-
export declare function getCredentials(): Credentials | null;
|
|
15
|
-
/**
|
|
16
|
-
* Save credentials after successful login
|
|
17
|
-
*/
|
|
18
|
-
export declare function saveCredentials(credentials: Credentials): void;
|
|
19
|
-
/**
|
|
20
|
-
* Update the token (used during refresh)
|
|
21
|
-
*/
|
|
22
|
-
export declare function updateToken(newToken: string): void;
|
|
23
|
-
/**
|
|
24
|
-
* Delete credentials (logout)
|
|
25
|
-
*/
|
|
26
|
-
export declare function deleteCredentials(): boolean;
|
|
27
|
-
/**
|
|
28
|
-
* Check if user is logged in
|
|
29
|
-
*/
|
|
30
|
-
export declare function isLoggedIn(): boolean;
|
|
31
|
-
/**
|
|
32
|
-
* Get the credentials file path (for display)
|
|
33
|
-
*/
|
|
34
|
-
export declare function getCredentialsPath(): string;
|
|
35
|
-
/**
|
|
36
|
-
* Get the mstro directory path
|
|
37
|
-
*/
|
|
38
|
-
export declare function getMstroDir(): string;
|
|
39
|
-
//# sourceMappingURL=credentials.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../../server/services/credentials.ts"],"names":[],"mappings":"AA4BA,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,eAAe,CAAC,EAAE,MAAM,CAAA;CACzB;AAWD;;GAEG;AACH,wBAAgB,cAAc,IAAI,WAAW,GAAG,IAAI,CAoBnD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,WAAW,EAAE,WAAW,GAAG,IAAI,CAK9D;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CASlD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAY3C;AAED;;GAEG;AACH,wBAAgB,UAAU,IAAI,OAAO,CAEpC;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED;;GAEG;AACH,wBAAgB,WAAW,IAAI,MAAM,CAEpC"}
|
|
@@ -1,110 +0,0 @@
|
|
|
1
|
-
// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
|
|
2
|
-
// Licensed under the MIT License. See LICENSE file for details.
|
|
3
|
-
/**
|
|
4
|
-
* Credentials Service
|
|
5
|
-
*
|
|
6
|
-
* Manages persistent authentication credentials stored in ~/.mstro/credentials.json
|
|
7
|
-
*
|
|
8
|
-
* Structure:
|
|
9
|
-
* {
|
|
10
|
-
* "token": "device-token-here",
|
|
11
|
-
* "userId": "user-uuid",
|
|
12
|
-
* "email": "user@example.com",
|
|
13
|
-
* "name": "User Name",
|
|
14
|
-
* "deviceId": "device-uuid",
|
|
15
|
-
* "clientId": "client-uuid",
|
|
16
|
-
* "createdAt": "2024-01-01T00:00:00.000Z",
|
|
17
|
-
* "lastRefreshedAt": "2024-01-01T00:00:00.000Z"
|
|
18
|
-
* }
|
|
19
|
-
*/
|
|
20
|
-
import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs';
|
|
21
|
-
import { homedir } from 'node:os';
|
|
22
|
-
import { join } from 'node:path';
|
|
23
|
-
const MSTRO_DIR = join(homedir(), '.mstro');
|
|
24
|
-
const CREDENTIALS_FILE = join(MSTRO_DIR, 'credentials.json');
|
|
25
|
-
/**
|
|
26
|
-
* Ensure the ~/.mstro directory exists
|
|
27
|
-
*/
|
|
28
|
-
function ensureMstroDir() {
|
|
29
|
-
if (!existsSync(MSTRO_DIR)) {
|
|
30
|
-
mkdirSync(MSTRO_DIR, { recursive: true, mode: 0o700 });
|
|
31
|
-
}
|
|
32
|
-
}
|
|
33
|
-
/**
|
|
34
|
-
* Get stored credentials, or null if not logged in
|
|
35
|
-
*/
|
|
36
|
-
export function getCredentials() {
|
|
37
|
-
if (!existsSync(CREDENTIALS_FILE)) {
|
|
38
|
-
return null;
|
|
39
|
-
}
|
|
40
|
-
try {
|
|
41
|
-
const content = readFileSync(CREDENTIALS_FILE, 'utf-8');
|
|
42
|
-
const credentials = JSON.parse(content);
|
|
43
|
-
// Validate required fields
|
|
44
|
-
if (!credentials.token || !credentials.userId || !credentials.email || !credentials.clientId) {
|
|
45
|
-
console.warn('Invalid credentials file, missing required fields');
|
|
46
|
-
return null;
|
|
47
|
-
}
|
|
48
|
-
return credentials;
|
|
49
|
-
}
|
|
50
|
-
catch (err) {
|
|
51
|
-
console.warn('Failed to read credentials file:', err);
|
|
52
|
-
return null;
|
|
53
|
-
}
|
|
54
|
-
}
|
|
55
|
-
/**
|
|
56
|
-
* Save credentials after successful login
|
|
57
|
-
*/
|
|
58
|
-
export function saveCredentials(credentials) {
|
|
59
|
-
ensureMstroDir();
|
|
60
|
-
writeFileSync(CREDENTIALS_FILE, JSON.stringify(credentials, null, 2), {
|
|
61
|
-
mode: 0o600 // Read/write for owner only
|
|
62
|
-
});
|
|
63
|
-
}
|
|
64
|
-
/**
|
|
65
|
-
* Update the token (used during refresh)
|
|
66
|
-
*/
|
|
67
|
-
export function updateToken(newToken) {
|
|
68
|
-
const credentials = getCredentials();
|
|
69
|
-
if (!credentials) {
|
|
70
|
-
throw new Error('No credentials to update');
|
|
71
|
-
}
|
|
72
|
-
credentials.token = newToken;
|
|
73
|
-
credentials.lastRefreshedAt = new Date().toISOString();
|
|
74
|
-
saveCredentials(credentials);
|
|
75
|
-
}
|
|
76
|
-
/**
|
|
77
|
-
* Delete credentials (logout)
|
|
78
|
-
*/
|
|
79
|
-
export function deleteCredentials() {
|
|
80
|
-
if (!existsSync(CREDENTIALS_FILE)) {
|
|
81
|
-
return false;
|
|
82
|
-
}
|
|
83
|
-
try {
|
|
84
|
-
unlinkSync(CREDENTIALS_FILE);
|
|
85
|
-
return true;
|
|
86
|
-
}
|
|
87
|
-
catch (err) {
|
|
88
|
-
console.error('Failed to delete credentials:', err);
|
|
89
|
-
return false;
|
|
90
|
-
}
|
|
91
|
-
}
|
|
92
|
-
/**
|
|
93
|
-
* Check if user is logged in
|
|
94
|
-
*/
|
|
95
|
-
export function isLoggedIn() {
|
|
96
|
-
return getCredentials() !== null;
|
|
97
|
-
}
|
|
98
|
-
/**
|
|
99
|
-
* Get the credentials file path (for display)
|
|
100
|
-
*/
|
|
101
|
-
export function getCredentialsPath() {
|
|
102
|
-
return CREDENTIALS_FILE;
|
|
103
|
-
}
|
|
104
|
-
/**
|
|
105
|
-
* Get the mstro directory path
|
|
106
|
-
*/
|
|
107
|
-
export function getMstroDir() {
|
|
108
|
-
return MSTRO_DIR;
|
|
109
|
-
}
|
|
110
|
-
//# sourceMappingURL=credentials.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../../server/services/credentials.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAEhE;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AACxF,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAA;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAEhC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAA;AAC3C,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAA;AAa5D;;GAEG;AACH,SAAS,cAAc;IACrB,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IACxD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,YAAY,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAA;QACvD,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAgB,CAAA;QAEtD,2BAA2B;QAC3B,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,WAAW,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC7F,OAAO,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAA;YACjE,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,WAAW,CAAA;IACpB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,kCAAkC,EAAE,GAAG,CAAC,CAAA;QACrD,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,WAAwB;IACtD,cAAc,EAAE,CAAA;IAChB,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;QACpE,IAAI,EAAE,KAAK,CAAC,4BAA4B;KACzC,CAAC,CAAA;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,QAAgB;IAC1C,MAAM,WAAW,GAAG,cAAc,EAAE,CAAA;IACpC,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAA;IAC7C,CAAC;IAED,WAAW,CAAC,KAAK,GAAG,QAAQ,CAAA;IAC5B,WAAW,CAAC,eAAe,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IACtD,eAAe,CAAC,WAAW,CAAC,CAAA;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClC,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC;QACH,UAAU,CAAC,gBAAgB,CAAC,CAAA;QAC5B,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAA;QACnD,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU;IACxB,OAAO,cAAc,EAAE,KAAK,IAAI,CAAA;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB;IAChC,OAAO,gBAAgB,CAAA;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW;IACzB,OAAO,SAAS,CAAA;AAClB,CAAC"}
|
|
@@ -1,8 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Create a sanitized environment for sandboxed execution.
|
|
3
|
-
* Strips sensitive env vars and sets HOME to the project directory.
|
|
4
|
-
*/
|
|
5
|
-
export declare function sanitizeEnvForSandbox(env: NodeJS.ProcessEnv, workingDir: string, options?: {
|
|
6
|
-
overrideHome?: boolean;
|
|
7
|
-
}): Record<string, string>;
|
|
8
|
-
//# sourceMappingURL=sandbox-utils.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"sandbox-utils.d.ts","sourceRoot":"","sources":["../../../server/services/sandbox-utils.ts"],"names":[],"mappings":"AAsDA;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,GAAG,EAAE,MAAM,CAAC,UAAU,EACtB,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;IAAE,YAAY,CAAC,EAAE,OAAO,CAAA;CAAE,GACnC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAmBxB"}
|
|
@@ -1,75 +0,0 @@
|
|
|
1
|
-
// Copyright (c) 2025-present Mstro, Inc. All rights reserved.
|
|
2
|
-
// Licensed under the MIT License. See LICENSE file for details.
|
|
3
|
-
/**
|
|
4
|
-
* Sandbox Utilities
|
|
5
|
-
*
|
|
6
|
-
* Environment sanitization for sandboxed shared sessions.
|
|
7
|
-
* Used by both PTY manager (terminal) and Claude invoker (prompts)
|
|
8
|
-
* to restrict shared users to the project directory.
|
|
9
|
-
*/
|
|
10
|
-
/** Env var prefixes that may contain secrets or grant access outside the project */
|
|
11
|
-
const BLOCKED_PREFIXES = [
|
|
12
|
-
'AWS_',
|
|
13
|
-
'GITHUB_',
|
|
14
|
-
'GH_',
|
|
15
|
-
'NPM_',
|
|
16
|
-
'DOCKER_',
|
|
17
|
-
'SSH_',
|
|
18
|
-
'GPG_',
|
|
19
|
-
'AZURE_',
|
|
20
|
-
'GCP_',
|
|
21
|
-
'GOOGLE_',
|
|
22
|
-
'OPENAI_',
|
|
23
|
-
'ANTHROPIC_',
|
|
24
|
-
'STRIPE_',
|
|
25
|
-
'TWILIO_',
|
|
26
|
-
'SENDGRID_',
|
|
27
|
-
'DATADOG_',
|
|
28
|
-
'SENTRY_',
|
|
29
|
-
'SLACK_',
|
|
30
|
-
'DISCORD_',
|
|
31
|
-
];
|
|
32
|
-
/** Specific env vars that may contain secrets or sensitive paths */
|
|
33
|
-
const BLOCKED_KEYS = new Set([
|
|
34
|
-
'HISTFILE',
|
|
35
|
-
'LESSHISTFILE',
|
|
36
|
-
'MYSQL_PWD',
|
|
37
|
-
'PGPASSWORD',
|
|
38
|
-
'PGPASSFILE',
|
|
39
|
-
'REDIS_URL',
|
|
40
|
-
'DATABASE_URL',
|
|
41
|
-
'MONGO_URI',
|
|
42
|
-
'MONGODB_URI',
|
|
43
|
-
'SECRET_KEY',
|
|
44
|
-
'API_KEY',
|
|
45
|
-
'API_SECRET',
|
|
46
|
-
'ACCESS_TOKEN',
|
|
47
|
-
'REFRESH_TOKEN',
|
|
48
|
-
'PRIVATE_KEY',
|
|
49
|
-
'JWT_SECRET',
|
|
50
|
-
]);
|
|
51
|
-
/**
|
|
52
|
-
* Create a sanitized environment for sandboxed execution.
|
|
53
|
-
* Strips sensitive env vars and sets HOME to the project directory.
|
|
54
|
-
*/
|
|
55
|
-
export function sanitizeEnvForSandbox(env, workingDir, options) {
|
|
56
|
-
const result = {};
|
|
57
|
-
for (const [key, value] of Object.entries(env)) {
|
|
58
|
-
if (!value)
|
|
59
|
-
continue;
|
|
60
|
-
if (BLOCKED_KEYS.has(key))
|
|
61
|
-
continue;
|
|
62
|
-
if (BLOCKED_PREFIXES.some(p => key.startsWith(p)))
|
|
63
|
-
continue;
|
|
64
|
-
result[key] = value;
|
|
65
|
-
}
|
|
66
|
-
// Override HOME to project directory so `cd ~` stays sandboxed (e.g. terminals).
|
|
67
|
-
// Claude Code processes opt out (overrideHome: false) to preserve OAuth auth lookup.
|
|
68
|
-
if (options?.overrideHome !== false) {
|
|
69
|
-
result.HOME = workingDir;
|
|
70
|
-
}
|
|
71
|
-
// Marker so scripts can detect sandboxed execution
|
|
72
|
-
result.MSTRO_SANDBOXED = '1';
|
|
73
|
-
return result;
|
|
74
|
-
}
|
|
75
|
-
//# sourceMappingURL=sandbox-utils.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"sandbox-utils.js","sourceRoot":"","sources":["../../../server/services/sandbox-utils.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,gEAAgE;AAEhE;;;;;;GAMG;AAEH,oFAAoF;AACpF,MAAM,gBAAgB,GAAG;IACvB,MAAM;IACN,SAAS;IACT,KAAK;IACL,MAAM;IACN,SAAS;IACT,MAAM;IACN,MAAM;IACN,QAAQ;IACR,MAAM;IACN,SAAS;IACT,SAAS;IACT,YAAY;IACZ,SAAS;IACT,SAAS;IACT,WAAW;IACX,UAAU;IACV,SAAS;IACT,QAAQ;IACR,UAAU;CACX,CAAC;AAEF,oEAAoE;AACpE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC;IAC3B,UAAU;IACV,cAAc;IACd,WAAW;IACX,YAAY;IACZ,YAAY;IACZ,WAAW;IACX,cAAc;IACd,WAAW;IACX,aAAa;IACb,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,cAAc;IACd,eAAe;IACf,aAAa;IACb,YAAY;CACb,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CACnC,GAAsB,EACtB,UAAkB,EAClB,OAAoC;IAEpC,MAAM,MAAM,GAA2B,EAAE,CAAC;IAE1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACpC,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAAE,SAAS;QAC5D,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACtB,CAAC;IAED,iFAAiF;IACjF,qFAAqF;IACrF,IAAI,OAAO,EAAE,YAAY,KAAK,KAAK,EAAE,CAAC;QACpC,MAAM,CAAC,IAAI,GAAG,UAAU,CAAC;IAC3B,CAAC;IACD,mDAAmD;IACnD,MAAM,CAAC,eAAe,GAAG,GAAG,CAAC;IAE7B,OAAO,MAAM,CAAC;AAChB,CAAC"}
|