opencode-swarm 7.35.0 → 7.36.0

package/dist/memory/curator-decision-helpers.d.ts

@@ -0,0 +1,14 @@
+import type { AppliedMemoryChange, MemoryPatch, MemoryProposal, MemoryRecord, ResolvedCuratorMemoryDecision } from './types';
+export declare function validateDecisionMatchesProposal(decision: ResolvedCuratorMemoryDecision, proposal: MemoryProposal): void;
+export declare function applyPatchToMemory(existing: MemoryRecord, patch: MemoryPatch, updatedAt: string): MemoryRecord;
+export declare function markProposalReviewed(proposal: MemoryProposal, decision: ResolvedCuratorMemoryDecision, status: MemoryProposal['status'], reviewedAt: string, ids: {
+    memoryId?: string;
+    targetMemoryId?: string;
+    oldMemoryId?: string;
+    replacementMemoryId?: string;
+}): MemoryProposal;
+export declare function curatorDecisionReason(decision: ResolvedCuratorMemoryDecision): string | undefined;
+export declare function buildCuratorDecisionEvent(change: AppliedMemoryChange, proposal: MemoryProposal): AppliedMemoryChange & {
+    proposalOperation: MemoryProposal['operation'];
+};
+export declare function normalizeTags(tags: string[]): string[];

package/dist/memory/gateway.d.ts

@@ -1,6 +1,6 @@
 import { type MemoryConfig } from './config';
 import type { MemoryProposalStore, MemoryProvider } from './provider';
-import type { MemoryContext, MemoryKind, MemoryProposal, MemoryRecord, MemoryScopeRef, MemorySource, RecallBundle, RecallMode } from './types';
+import type { AppliedMemoryChange, CuratorMemoryDecision, MemoryContext, MemoryKind, MemoryProposal, MemoryRecord, MemoryScopeRef, MemorySource, RecallBundle, RecallMode } from './types';
 export interface MemoryGatewayOptions {
     config?: Partial<MemoryConfig>;
     provider?: MemoryProvider & Partial<MemoryProposalStore>;
@@ -39,6 +39,7 @@ export declare class MemoryGateway {
     recall(input: RecallMemoryInput): Promise<RecallBundle>;
     propose(input: ProposeMemoryInput): Promise<MemoryProposal>;
     upsertCurated(record: MemoryRecord): Promise<MemoryRecord>;
+    applyCuratorDecision(decision: CuratorMemoryDecision): Promise<AppliedMemoryChange>;
     createRecord(input: {
         kind: MemoryKind;
         text: string;
@@ -50,6 +51,9 @@ export declare class MemoryGateway {
         tags?: string[];
         metadata?: Record<string, unknown>;
     }): MemoryRecord;
+    private resolveCuratorDecision;
+    private createRecordFromNew;
+    private resolveRecordScope;
     private assertEnabled;
 }
 export declare function createMemoryGateway(context: MemoryContext, options?: MemoryGatewayOptions): MemoryGateway;

package/dist/memory/index.d.ts

@@ -12,6 +12,6 @@ export { buildMemoryRecallPlan, type MemoryRecallPlan, type MemoryRecallPlannerI
 export { findSecrets, redactSecrets } from './redaction';
 export { MEMORY_RECALL_PROFILES, type MemoryRecallProfile, normalizeMemoryAgentRole, resolveMemoryRecallProfile, } from './role-profiles';
 export { appendMemoryRunLog, sanitizeRunId } from './run-log';
-export { computeMemoryContentHash, createBundleId, createMemoryId, createProposalId, isExpired, normalizeMemoryText, validateMemoryProposal, validateMemoryRecordRules, } from './schema';
+export { computeMemoryContentHash, createBundleId, createMemoryId, createProposalId, isExpired, normalizeMemoryText, validateCuratorMemoryDecision, validateMemoryProposal, validateMemoryRecordRules, } from './schema';
 export { SQLiteMemoryProvider } from './sqlite-provider';
-export type { MemoryContext, MemoryKind, MemoryListFilter, MemoryProposal, MemoryRecord, MemoryScopeRef, MemoryScopeType, RecallBundle, RecallInjectionSkipReason, RecallMode, RecallRequest, RecallResultItem, } from './types';
+export type { AppliedMemoryChange, CuratorMemoryDecision, MemoryContext, MemoryKind, MemoryListFilter, MemoryPatch, MemoryProposal, MemoryRecord, MemoryScopeRef, MemoryScopeType, NewMemoryRecord, RecallBundle, RecallInjectionSkipReason, RecallMode, RecallRequest, RecallResultItem, ResolvedCuratorMemoryDecision, } from './types';

package/dist/memory/injector.d.ts

@@ -14,7 +14,7 @@ export interface MemoryLifecycleHookOptions {
         runId?: string;
     }, options: {
         config?: Partial<MemoryConfig>;
-    }) => Pick<MemoryGateway, 'isEnabled' | 'deriveAllowedScopes' | 'recall' | 'propose'>;
+    }) => Pick<MemoryGateway, 'isEnabled' | 'deriveAllowedScopes' | 'recall' | 'propose'> & Partial<Pick<MemoryGateway, 'applyCuratorDecision' | 'dispose'>>;
     appendRunLog?: typeof appendMemoryRunLog;
 }
 export interface MemoryLifecycleHooks {

package/dist/memory/local-jsonl-provider.d.ts

@@ -1,7 +1,7 @@
 import { type MemoryConfig } from './config';
 import type { MemoryProposalStore, MemoryProvider, MemoryRecallUsageEvent } from './provider';
 import type { RecallScoringDiagnostics } from './scoring';
-import type { MemoryListFilter, MemoryProposal, MemoryRecord, RecallRequest, RecallResultItem } from './types';
+import type { AppliedMemoryChange, MemoryListFilter, MemoryProposal, MemoryRecord, RecallRequest, RecallResultItem, ResolvedCuratorMemoryDecision } from './types';
 export declare class LocalJsonlMemoryProvider implements MemoryProvider, MemoryProposalStore {
     readonly name = "local-jsonl";
     private readonly rootDirectory;
@@ -27,6 +27,9 @@ export declare class LocalJsonlMemoryProvider implements MemoryProvider, MemoryP
         status?: MemoryProposal['status'];
         limit?: number;
     }): Promise<MemoryProposal[]>;
+    applyCuratorDecision(decision: ResolvedCuratorMemoryDecision): Promise<AppliedMemoryChange>;
     compact(): Promise<void>;
     private audit;
+    private activeMemory;
+    private validateDecisionMemory;
 }

package/dist/memory/provider.d.ts

@@ -1,5 +1,5 @@
 import type { RecallScoringDiagnostics } from './scoring';
-import type { MemoryListFilter, MemoryProposal, MemoryRecord, RecallRequest, RecallResultItem } from './types';
+import type { AppliedMemoryChange, MemoryListFilter, MemoryProposal, MemoryRecord, RecallRequest, RecallResultItem, ResolvedCuratorMemoryDecision } from './types';
 export interface MemoryRecallResult {
     items: RecallResultItem[];
     diagnostics?: RecallScoringDiagnostics;
@@ -34,4 +34,5 @@ export interface MemoryProposalStore {
         status?: MemoryProposal['status'];
         limit?: number;
     }): Promise<MemoryProposal[]>;
+    applyCuratorDecision?(decision: ResolvedCuratorMemoryDecision): Promise<AppliedMemoryChange>;
 }

package/dist/memory/run-log.d.ts

@@ -1,4 +1,4 @@
-export type MemoryRunLogEventName = 'recall_requested' | 'recall_returned' | 'prompt_injection_skipped' | 'prompt_injected' | 'proposal_created' | 'proposal_rejected_by_validation';
+export type MemoryRunLogEventName = 'recall_requested' | 'recall_returned' | 'prompt_injection_skipped' | 'prompt_injected' | 'proposal_created' | 'proposal_rejected_by_validation' | 'curator_decision_applied' | 'curator_decision_rejected_by_validation';
 export interface MemoryRunLogEvent {
     event: MemoryRunLogEventName;
     runId: string;

package/dist/memory/schema.d.ts

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import type { MemoryKind, MemoryProposal, MemoryRecord, MemoryScopeRef } from './types';
+import type { CuratorMemoryDecision, MemoryKind, MemoryPatch, MemoryProposal, MemoryRecord, MemoryScopeRef, NewMemoryRecord } from './types';
 export declare const MemoryScopeTypeSchema: z.ZodEnum<{
     agent: "agent";
     project: "project";
@@ -230,6 +230,9 @@ export declare const MemoryProposalSchema: z.ZodObject<{
     createdAt: z.ZodString;
     metadata: z.ZodRecord<z.ZodString, z.ZodUnknown>;
 }, z.core.$strict>;
+export declare const NewMemoryRecordSchema: z.ZodType<NewMemoryRecord>;
+export declare const MemoryPatchSchema: z.ZodType<MemoryPatch>;
+export declare const CuratorMemoryDecisionSchema: z.ZodType<CuratorMemoryDecision>;
 export declare function normalizeMemoryText(text: string): string;
 export declare function stableScopeKey(scope: MemoryScopeRef): string;
 export declare function computeMemoryContentHash(recordLike: {
@@ -254,3 +257,4 @@ export declare function validateMemoryRecordRules(record: MemoryRecord, options:
     rejectDurableSecrets: boolean;
 }): MemoryRecord;
 export declare function validateMemoryProposal(proposal: MemoryProposal): MemoryProposal;
+export declare function validateCuratorMemoryDecision(decision: unknown): CuratorMemoryDecision;

package/dist/memory/sqlite-provider.d.ts

@@ -2,7 +2,7 @@ import { type MemoryConfig } from './config';
 import { type JsonlMigrationReport } from './jsonl-migration';
 import type { MemoryProposalStore, MemoryProvider, MemoryRecallUsageEvent } from './provider';
 import type { RecallScoringDiagnostics } from './scoring';
-import type { MemoryListFilter, MemoryProposal, MemoryRecord, RecallRequest, RecallResultItem } from './types';
+import type { AppliedMemoryChange, MemoryListFilter, MemoryProposal, MemoryRecord, RecallRequest, RecallResultItem, ResolvedCuratorMemoryDecision } from './types';
 export interface SQLiteJsonlImportResult {
     importedMemories: number;
     importedProposals: number;
@@ -36,6 +36,7 @@ export declare class SQLiteMemoryProvider implements MemoryProvider, MemoryPropo
         status?: MemoryProposal['status'];
         limit?: number;
     }): Promise<MemoryProposal[]>;
+    applyCuratorDecision(decision: ResolvedCuratorMemoryDecision): Promise<AppliedMemoryChange>;
     close(): void;
     importJsonl(): Promise<SQLiteJsonlImportResult>;
     exportJsonl(): Promise<{
@@ -52,6 +53,10 @@ export declare class SQLiteMemoryProvider implements MemoryProvider, MemoryPropo
     private loadProposals;
     private writeMemory;
     private writeProposal;
+    private applyDecisionToStorage;
+    private readPendingProposal;
+    private readActiveMemory;
+    private validateDecisionMemory;
     private migrateLegacyJsonlIfNeeded;
     private importLegacyJsonlRows;
     private event;

package/dist/memory/types.d.ts

@@ -56,6 +56,80 @@ export interface MemoryProposal {
     createdAt: string;
     metadata: Record<string, unknown>;
 }
+export interface NewMemoryRecord {
+    scope?: MemoryScopeRef;
+    kind: MemoryKind;
+    text: string;
+    tags?: string[];
+    confidence?: number;
+    stability?: MemoryRecord['stability'];
+    source?: MemorySource;
+    expiresAt?: string;
+    metadata?: Record<string, unknown>;
+}
+export type MemoryPatch = Partial<Pick<NewMemoryRecord, 'scope' | 'kind' | 'text' | 'tags' | 'confidence' | 'stability' | 'source' | 'expiresAt' | 'metadata'>>;
+export type CuratorMemoryDecision = {
+    action: 'add';
+    proposalId: string;
+    memory: NewMemoryRecord;
+} | {
+    action: 'update';
+    proposalId: string;
+    targetMemoryId: string;
+    patch: MemoryPatch;
+    reason: string;
+} | {
+    action: 'supersede';
+    proposalId: string;
+    oldMemoryId: string;
+    replacement: NewMemoryRecord;
+    reason: string;
+} | {
+    action: 'reject';
+    proposalId: string;
+    reason: string;
+} | {
+    action: 'noop';
+    proposalId: string;
+    reason: string;
+};
+export type ResolvedCuratorMemoryDecision = {
+    action: 'add';
+    proposalId: string;
+    memory: MemoryRecord;
+} | {
+    action: 'update';
+    proposalId: string;
+    targetMemoryId: string;
+    patch: MemoryPatch;
+    reason: string;
+} | {
+    action: 'supersede';
+    proposalId: string;
+    oldMemoryId: string;
+    replacement: MemoryRecord;
+    reason: string;
+} | {
+    action: 'reject';
+    proposalId: string;
+    reason: string;
+} | {
+    action: 'noop';
+    proposalId: string;
+    reason: string;
+};
+export interface AppliedMemoryChange {
+    action: CuratorMemoryDecision['action'];
+    proposalId: string;
+    proposalStatus: MemoryProposal['status'];
+    appliedAt: string;
+    eventId?: string;
+    memoryId?: string;
+    targetMemoryId?: string;
+    oldMemoryId?: string;
+    replacementMemoryId?: string;
+    reason?: string;
+}
 export type RecallMode = 'manual' | 'injection' | 'curator' | 'evaluation';
 export type RecallInjectionSkipReason = 'disabled' | 'no_signal' | 'below_threshold' | 'no_results';
 export interface RecallRequest {

package/dist/sandbox/capability-probe.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Platform sandbox capability probe.
+ *
+ * Detects OS-native sandbox mechanism availability for each platform:
+ *   - Linux:   Bubblewrap (bwrap)
+ *   - macOS:   sandbox-exec
+ *   - Windows: PowerShell-based wrapper (not a native OS sandbox mechanism)
+ *
+ * Each probe is bounded to 2 seconds via AbortController to satisfy
+ * Invariant 1 (plugin init is fast, bounded, fail-open).
+ */
+/** Possible sandbox status values. */
+export type SandboxStatus = 'enabled' | 'disabled' | 'unsupported';
+/** Result of a sandbox capability probe. */
+export interface SandboxCapability {
+    /** Whether the sandbox mechanism is available. */
+    status: SandboxStatus;
+    /** Human-readable mechanism name, e.g. "Bubblewrap". */
+    mechanism: string;
+    /** Current process.platform value. */
+    platform: 'linux' | 'darwin' | 'win32';
+    /** Error message from the probe, if any. */
+    error?: string;
+}
+/**
+ * Detects the availability of OS-native sandbox mechanisms.
+ *
+ * Results are cached for the session lifetime (module-level variable).
+ */
+/**
+ * Synchronous check whether Bubblewrap was detected as available.
+ * Must be called after detect() has resolved — returns false if detect()
+ * has not yet been called or if the cached result is not Linux/enabled.
+ */
+export declare function isBubblewrapAvailable(): boolean;
+/**
+ * Synchronous check whether sandbox-exec was detected as available.
+ * Must be called after detect() has resolved — returns false if detect()
+ * has not yet been called or if the cached result is not macOS/enabled.
+ */
+export declare function isSandboxExecAvailable(): boolean;
+/**
+ * Synchronous check whether Windows Restricted Token support is available.
+ * Must be called after detect() has resolved — returns false if detect()
+ * has not yet been called or if the cached result is not win32/enabled.
+ */
+export declare function isWindowsSandboxAvailable(): boolean;
+export declare class SandboxCapabilityProbe {
+    /**
+     * Detect sandbox capability for the current platform.
+     *
+     * @returns A promise that resolves to the sandbox capability result.
+     */
+    detect(): Promise<SandboxCapability>;
+}

package/dist/sandbox/executor.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Platform-agnostic sandbox execution abstraction.
+ *
+ * Provides a unified interface for sandboxed shell command execution across
+ * Linux (Bubblewrap), macOS (sandbox-exec), and Windows (restricted token/Low Integrity).
+ */
+/**
+ * Error thrown when sandbox operations fail.
+ */
+export declare class SandboxError extends Error {
+    readonly code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Interface for platform-specific sandbox executors.
+ */
+export interface SandboxExecutor {
+    /** Human-readable name of the sandbox mechanism */
+    readonly mechanism: string;
+    /** Whether this executor is available on the current platform */
+    isAvailable(): boolean;
+    /**
+     * Wrap a shell command with sandbox prefix.
+     * @param command - The raw shell command string to execute
+     * @param scopePaths - Absolute paths the coder is allowed to write to
+     * @param tempDir - Optional temporary directory path (platform default if omitted)
+     * @returns The wrapped command string with sandbox prefix
+     * @throws SandboxError if sandbox cannot wrap the command
+     */
+    wrapCommand(command: string, scopePaths: string[], tempDir?: string): string;
+    /**
+     * Get the environment variable overrides for this sandbox.
+     * Returns a record of env vars to set/unset.
+     */
+    getEnvOverrides(): Record<string, string | null>;
+}
+/**
+ * Get the platform-appropriate sandbox executor.
+ *
+ * Returns null if no sandbox mechanism is available for the current platform.
+ * The result is cached after the first call for fast subsequent access.
+ *
+ * Lazily imports platform-specific executor modules to avoid import-time
+ * failures on platforms where they don't exist.
+ */
+export declare function getExecutor(): Promise<SandboxExecutor | null>;
+/**
+ * Reset the cached executor — useful for testing.
+ * @internal
+ */
+export declare function _resetExecutorCache(): void;

package/dist/sandbox/executors/bubblewrap.d.ts

@@ -0,0 +1 @@
+export { BubblewrapSandboxExecutor } from '../linux/bubblewrap-executor';

package/dist/sandbox/executors/macos.d.ts

@@ -0,0 +1 @@
+export { MacOSSandboxExecutor } from '../macos/sandbox-exec-executor';

package/dist/sandbox/executors/windows.d.ts

@@ -0,0 +1 @@
+export { WindowsSandboxExecutor } from '../win32/restricted-token-executor';

package/dist/sandbox/linux/bubblewrap-executor.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Linux Bubblewrap sandbox executor.
+ *
+ * Wraps shell commands with bwrap (Bubblewrap) to restrict process capabilities.
+ * Uses --bind to mount scope paths read-write, --tmpfs for /tmp, and --ro-bind
+ * for essential read-only system paths.
+ */
+import { type SandboxExecutor } from '../executor';
+/**
+ * Check whether the bwrap binary is present on PATH.
+ * Uses spawnSync to probe synchronously without throwing.
+ * Logs specific error codes when bwrap is found but unusable.
+ */
+declare function probeBwrap(): boolean;
+/**
+ * DI seam for testability. Exposes probeBwrap so tests can simulate
+ * ENOENT / EACCES / ENOSPC error conditions without requiring a real bwrap binary.
+ * Internal calls use probeBwrap() directly; tests replace _internals.probeBwrap.
+ */
+export declare const _internals: {
+    probeBwrap: typeof probeBwrap;
+};
+/**
+ * Linux Bubblewrap sandbox executor.
+ *
+ * Instantiated with scope paths and an optional temp directory override.
+ * wrapCommand() returns a bwrap-wrapped command string that:
+ *   - bind-mounts each scope path read-write
+ *   - mounts a tmpfs at /tmp (writable temporary storage)
+ *   - bind-mounts essential system paths read-only
+ *   - spawns the raw command via `bash -c '<command>'`
+ */
+export declare class BubblewrapSandboxExecutor implements SandboxExecutor {
+    /** Human-readable mechanism identifier */
+    readonly mechanism = "Bubblewrap";
+    private readonly _scopePaths;
+    private readonly _tempDir;
+    private _available;
+    private _disabledReason;
+    /**
+     * @param scopePaths - Absolute paths the sandboxed process may write to (default: empty array)
+     * @param tempDir   - Optional temp directory path (defaults to /tmp)
+     */
+    constructor(scopePaths?: string[], tempDir?: string);
+    /**
+     * Returns true when the bwrap binary is found on PATH and the sandbox
+     * has not been disabled.
+     */
+    isAvailable(): boolean;
+    /**
+     * Disable the sandbox with a reason. Allows external code to force
+     * fallback to unwrapped execution (e.g., for testing, explicit opt-out,
+     * or when initialization fails).
+     *
+     * After calling disable():
+     * - isAvailable() returns false
+     * - wrapCommand() returns the raw command unchanged (passthrough)
+     */
+    disable(reason: string): void;
+    /**
+     * Wrap a shell command string with bwrap sandbox arguments.
+     *
+     * @param command   - Raw shell command to execute inside the sandbox
+     * @param scopePaths - Additional scope paths to bind (merged with constructor scope)
+     * @param tempDir   - Optional temp directory override
+     * @returns A bwrap-wrapped command string ready for shell execution,
+     *          or the raw command string when the sandbox is unavailable (passthrough mode)
+     */
+    wrapCommand(command: string, scopePaths: string[], tempDir?: string): string;
+    /**
+     * Return environment variable overrides required for the bubblewrap sandbox.
+     *
+     * Security is achieved through bwrap CLI flags (--unshare-user, --unshare-net,
+     * --unshare-ipc, --die-with-parent, --new-session), not environment variables.
+     * bwrap ignores unknown environment variables.
+     */
+    getEnvOverrides(): Record<string, string | null>;
+}
+export {};

package/dist/sandbox/linux/edge-cases.d.ts

@@ -0,0 +1,89 @@
+/**
+ * Edge case handling utilities for Bubblewrap sandbox.
+ *
+ * This module provides functions to detect and prevent:
+ * - Symlink escape attacks
+ * - /proc/self/fd access
+ * - io_uring bypass
+ * - Namespace escape
+ * - Hard-link creation
+ * - Rename/move across scope boundary
+ * - mmap interception
+ */
+/**
+ * Check whether a path is a symlink and resolves to a location outside
+ * any of the configured scope paths.
+ *
+ * @param path        - The path to check (may be a symlink)
+ * @param scopePaths  - Array of absolute scope paths
+ * @returns true if the path is a symlink that escapes the sandbox
+ */
+export declare function detectSymlinkEscape(path: string, scopePaths: string[]): boolean;
+/**
+ * Check whether a path is under /proc/self/fd/, which provides
+ * file descriptor access that can bypass normal path checks.
+ *
+ * @param path - The path to check
+ * @returns true if the path is under /proc/self/fd/
+ */
+export declare function detectProcFdAccess(path: string): boolean;
+/**
+ * Detect whether io_uring is active on the system, which can be used
+ * to perform I/O operations that bypass the seccomp filter.
+ *
+ * Note: This is a detection function only — it does not prevent io_uring usage.
+ * Bubblewrap's --unshare-all combined with seccomp filtering can mitigate this.
+ *
+ * @returns true if io_uring appears to be active
+ */
+export declare function detectIoUringBypass(): boolean;
+/**
+ * Detect whether the current process is already running inside a user namespace.
+ *
+ * When a process is already inside a user namespace (rather than the initial
+ * namespace), it may have different privileges and isolation properties than
+ * expected. This can affect the security assumptions of a bubblewrap sandbox.
+ *
+ * @returns true if the current process is already inside a non-initial user namespace
+ */
+export declare function detectNamespaceEscape(): boolean;
+/**
+ * Check whether a path operation would create a hard link that escapes
+ * the sandbox scope.
+ *
+ * Hard links can allow a file inside the sandbox to be linked to a location
+ * outside the sandbox, potentially bypassing containment.
+ *
+ * @param path        - The path being linked to
+ * @param scopePaths  - Array of absolute scope paths
+ * @returns true if creating a hard link at path would escape the sandbox
+ */
+export declare function detectHardLinkEscape(path: string, scopePaths: string[]): boolean;
+/**
+ * Alias for detectHardLinkEscape for API compatibility.
+ * @param path        - The path being linked to
+ * @param scopePaths  - Array of absolute scope paths
+ * @returns true if creating a hard link at path would escape the sandbox
+ */
+export declare function detectHardLinkCreation(path: string, scopePaths: string[]): boolean;
+/**
+ * Check whether a rename or move operation crosses a scope boundary.
+ *
+ * Moving a file from inside a scope path to outside violates containment.
+ *
+ * @param oldPath    - The original path
+ * @param newPath    - The destination path after rename/move
+ * @param scopePaths - Array of absolute scope paths
+ * @returns true if the rename crosses a scope boundary
+ */
+export declare function detectRenameAcrossBoundary(oldPath: string, newPath: string, scopePaths: string[]): boolean;
+/**
+ * Check whether a path pattern suggests mmap interception attempts.
+ *
+ * mmap can be used to map device files or anonymous memory that bypasses
+ * normal file-based access controls.
+ *
+ * @param path - The path being accessed
+ * @returns true if the path suggests mmap interception
+ */
+export declare function detectMmapInterception(path: string): boolean;

package/dist/sandbox/macos/edge-cases.d.ts

@@ -0,0 +1,89 @@
+/**
+ * Edge case handling utilities for macOS sandbox-exec.
+ *
+ * This module provides functions to detect and prevent:
+ * - DYLD injection attacks
+ * - Temp directory manipulation
+ * - Sandbox profile bypass attempts
+ * - SIP-protected path access
+ * - Entitlement escalation
+ * - Quarantine bypass
+ * - Nested sandbox execution
+ */
+/**
+ * Check whether the environment contains DYLD environment variables
+ * that can be used to inject code into sandboxed processes.
+ *
+ * These variables are ignored in SIP-protected processes but may
+ * work in some sandbox configurations.
+ *
+ * @param path - Unused, kept for signature compatibility
+ * @param env  - The environment variables to check
+ * @returns true if DYLD injection variables are present
+ */
+export declare function detectDyldInjection(_path: string, env: Record<string, string | undefined>): boolean;
+/**
+ * Check whether a command tries to escape the temp directory via
+ * symlinks, path traversal, or environment variable override.
+ *
+ * @param tempDir  - The allowed temp directory path
+ * @param command  - The command string to analyze
+ * @returns true if temp directory manipulation is detected
+ */
+export declare function detectTmpDirManipulation(tempDir: string, command: string): boolean;
+/**
+ * Check whether a command tries to bypass sandbox profile restrictions by:
+ * - Writing to paths outside scopePaths
+ * - Using mktemp in unusual locations
+ * - Creating hard/symbolic links to escape scope
+ *
+ * @param command     - The command string to analyze
+ * @param scopePaths  - Array of allowed scope paths
+ * @returns true if sandbox profile bypass is detected
+ */
+export declare function detectSandboxProfileBypass(command: string, scopePaths: string[]): boolean;
+/**
+ * Check whether a command tries to access System Integrity Protected (SIP) paths.
+ *
+ * SIP-protected paths on macOS include /System, /usr/libexec, /usr/sbin, /AppleInternal.
+ * Writing to these paths can compromise system security even in a sandbox.
+ *
+ * @param command - The command string to analyze
+ * @returns true if SIP-protected path access is detected
+ */
+export declare function detectSIPProtectedPathAccess(command: string): boolean;
+/**
+ * Check whether a command tries to escalate privileges or modify
+ * sandbox entitlements.
+ *
+ * @param command - The command string to analyze
+ * @returns true if entitlement escalation is detected
+ */
+export declare function detectEntitlementEscalation(command: string): boolean;
+/**
+ * Check whether a command tries to bypass macOS quarantine restrictions.
+ *
+ * Downloaded files have a quarantine attribute that gates execution.
+ * Removing this attribute allows unapproved software to run.
+ *
+ * @param command - The command string to analyze
+ * @returns true if quarantine bypass is detected
+ */
+export declare function detectQuarantineBypass(command: string): boolean;
+/**
+ * Alias for detectSIPProtectedPathAccess for API compatibility.
+ * @param command - The command string to analyze
+ * @returns true if SIP-protected path access is detected
+ */
+export declare function detectSIPSProtectedPath(command: string): boolean;
+/**
+ * Check whether a command tries to spawn another sandbox-exec instance
+ * (nested sandboxing).
+ *
+ * Nested sandbox execution can be used to escape restrictions by
+ * spawning a less-restricted sandbox within a sandbox.
+ *
+ * @param command - The command string to analyze
+ * @returns true if nested sandbox execution is detected
+ */
+export declare function detectSandboxExecItself(command: string): boolean;