opencode-swarm 7.35.0 → 7.36.0

package/dist/sandbox/macos/sandbox-exec-executor.d.ts

@@ -0,0 +1,68 @@
+/**
+ * macOS sandbox-exec sandbox executor.
+ *
+ * Wraps shell commands with sandbox-exec(8) to restrict process capabilities
+ * using a profile-based deny-by-default policy.
+ *
+ * Profile allows:
+ *   - Read-only access to essential system paths (/usr, /bin, /sbin, /lib)
+ *   - Read-write access to each scope path
+ *   - Read-write access to the temp directory (500MB bounded)
+ *   - Denies all other file writes
+ */
+import { type SandboxExecutor } from '../executor';
+/**
+ * Check whether the sandbox-exec binary is present and functional.
+ * Uses spawnSync to probe synchronously without throwing.
+ */
+declare function probeSandboxExec(): boolean;
+/**
+ * DI seam for testability. Exposes probeSandboxExec so tests can simulate
+ * ENOENT / EACCES / ENOSPC error conditions without requiring a real sandbox-exec binary.
+ */
+export declare const _internals: {
+    probeSandboxExec: typeof probeSandboxExec;
+};
+/**
+ * macOS sandbox-exec sandbox executor.
+ */
+export declare class MacOSSandboxExecutor implements SandboxExecutor {
+    /** Human-readable mechanism identifier */
+    readonly mechanism = "sandbox-exec";
+    private readonly _scopePaths;
+    private readonly _tempDir;
+    private _available;
+    private _disabledReason;
+    /**
+     * @param scopePaths - Absolute paths the sandboxed process may write to
+     * @param tempDir   - Optional temp directory path (defaults to system temp)
+     */
+    constructor(scopePaths?: string[], tempDir?: string);
+    /**
+     * Returns true when sandbox-exec is available and the sandbox has not been disabled.
+     */
+    isAvailable(): boolean;
+    /**
+     * Disable the sandbox with a reason.
+     */
+    disable(reason: string): void;
+    /**
+     * Wrap a shell command string with sandbox-exec.
+     *
+     * @param command   - Raw shell command to execute inside the sandbox
+     * @param scopePaths - Additional scope paths to bind (merged with constructor scope)
+     * @param tempDir   - Optional temp directory override
+     * @returns A sandbox-exec wrapped command string ready for shell execution,
+     *          or the raw command string when the sandbox is unavailable (passthrough mode)
+     */
+    wrapCommand(command: string, scopePaths: string[], tempDir?: string): string;
+    /**
+     * Return environment variable overrides required for the macOS sandbox.
+     *
+     * DYLD_INSERT_LIBRARIES, DYLD_LIBRARY_PATH, DYLD_FRAMEWORK_PATH, and
+     * DYLD_ROOT_PATH can be used to bypass sandbox restrictions by injecting
+     * dynamic libraries. Unsetting them improves sandbox enforcement (defense in depth).
+     */
+    getEnvOverrides(): Record<string, string | null>;
+}
+export {};

package/dist/sandbox/scope-resolver.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Result of resolving scope paths for sandbox enforcement.
+ */
+export interface ResolvedScope {
+    /** Absolute paths that the sandbox will allow writes to */
+    paths: string[];
+    /** Any warnings about paths that were modified or skipped */
+    warnings: string[];
+    /** Paths that were rejected (e.g., non-existent, traversal attempts) */
+    rejected: {
+        path: string;
+        reason: string;
+    }[];
+}
+/**
+ * Resolve scope paths for sandbox enforcement.
+ *
+ * Converts relative scope paths to absolute, validates against traversal attacks,
+ * checks existence, deduplicates, and normalizes path separators.
+ *
+ * @param rawPaths - Paths from the task scope declaration (may be relative or absolute)
+ * @param projectRoot - The project root directory (for resolving relative paths)
+ * @returns ResolvedScope with absolute paths, warnings, and rejections
+ */
+export declare function resolveScopePaths(rawPaths: string[], projectRoot: string): ResolvedScope;
+/**
+ * DI seam for testability. Contains all test-mocked exports.
+ * Internal calls should use _internals.fn() instead of fn() directly.
+ */
+export declare const _internals: {
+    resolveScopePaths: typeof resolveScopePaths;
+};

package/dist/sandbox/win32/edge-cases.d.ts

@@ -0,0 +1,90 @@
+/**
+ * Edge case handling utilities for Windows sandbox.
+ *
+ * This module provides functions to detect and prevent:
+ * - Path traversal attacks
+ * - Registry escape attempts
+ * - PowerShell command bypass
+ * - WMI command execution bypass
+ * - Windows service escalation
+ * - DLL search order hijacking
+ * - Token manipulation attacks
+ */
+/**
+ * Detects Windows path traversal patterns that could escape sandbox containment.
+ *
+ * Attack: Attackers use `..`, absolute paths, or extended-length paths
+ * to access files outside the intended sandbox scope.
+ *
+ * @param command - The command string to analyze
+ * @returns true if path traversal patterns are detected
+ */
+export declare function detectPathTraversal(command: string): boolean;
+/**
+ * Detects registry manipulation attempts to bypass sandbox restrictions.
+ *
+ * Attack: Modifying the registry can disable security policies,
+ * create startup entries, or alter system behavior.
+ *
+ * @param command - The command string to analyze
+ * @returns true if registry manipulation is detected
+ */
+export declare function detectRegistryEscape(command: string): boolean;
+/**
+ * Detects PowerShell command execution patterns that could bypass sandbox restrictions.
+ *
+ * Attack: PowerShell's flexibility allows executing encoded commands, remote scripts,
+ * and leveraging various execution policy bypasses.
+ *
+ * @param command - The command string to analyze
+ * @returns true if PowerShell escape patterns are detected
+ */
+export declare function detectPowerShellEscape(command: string): boolean;
+/**
+ * Detects WMI command execution that could bypass sandbox restrictions.
+ *
+ * Attack: WMI can be used for remote execution, process creation,
+ * and querying system information.
+ *
+ * @param command - The command string to analyze
+ * @returns true if WMI escape patterns are detected
+ */
+export declare function detectWMIEscape(command: string): boolean;
+/**
+ * Alias for detectServiceManipulation for API compatibility.
+ * @param command - The command string to analyze
+ * @returns true if service manipulation is detected
+ */
+export declare function detectServiceEscalation(command: string): boolean;
+/**
+ * Detects Windows service manipulation attempts.
+ *
+ * Attack: Creating or modifying Windows services can establish
+ * persistent execution with elevated privileges.
+ *
+ * @param command - The command string to analyze
+ * @returns true if service manipulation is detected
+ */
+export declare function detectServiceManipulation(command: string): boolean;
+/**
+ * Detects DLL search order hijacking via PATH manipulation.
+ *
+ * Attack: If the PATH contains ".", current directory, or writable
+ * system paths, an attacker can place a malicious DLL that gets loaded
+ * by a legitimate binary.
+ *
+ * @param command - The command string to analyze
+ * @param env - The environment variables to check
+ * @returns true if DLL hijacking via PATH manipulation is detected
+ */
+export declare function detectDLLHijacking(command: string, env?: Record<string, string | undefined>): boolean;
+/**
+ * Detects attempts to manipulate process tokens or create processes with elevated privileges.
+ *
+ * Attack: Token manipulation allows a process to acquire elevated privileges
+ * or the privileges of another user, enabling privilege escalation.
+ *
+ * @param command - The command string to analyze
+ * @returns true if token manipulation is detected
+ */
+export declare function detectTokenManipulation(command: string): boolean;

package/dist/sandbox/win32/restricted-token-executor.d.ts

@@ -0,0 +1,94 @@
+/**
+ * Windows Restricted Token sandbox executor.
+ *
+ * Wraps shell commands with a PowerShell-based sandbox approach to restrict
+ * process capabilities on Windows.
+ *
+ * Windows does not have a native sandbox mechanism equivalent to Linux bwrap
+ * or macOS sandbox-exec that is accessible from Node.js without native bindings.
+ * This executor provides best-effort sandboxing via:
+ *   - Environment variable scrubbing (removing dangerous vars)
+ *   - PATH restriction to safe system paths only
+ *   - Scoped temp directory
+ *   - PowerShell wrapper for command execution
+ *
+ * For true OS-level sandboxing (AppContainer, Restricted Token, Low Integrity),
+ * native Windows APIs (CreateAppContainerToken, CreateRestrictedToken) are required.
+ */
+import type { SandboxExecutor } from '../executor';
+/**
+ * Check whether the Windows sandbox mechanism is present and functional.
+ * Uses spawnSync to probe synchronously without throwing.
+ *
+ * On Windows, this verifies that basic command execution works.
+ * A failure here indicates the sandbox cannot be initialized and should
+ * degrade gracefully to passthrough mode.
+ */
+declare function probeWindowsSandbox(): boolean;
+/**
+ * DI seam for testability. Exposes the probe function so tests can simulate
+ * unavailable sandbox conditions without requiring a real Windows environment.
+ */
+export declare const _internals: {
+    probeWindowsSandbox: typeof probeWindowsSandbox;
+};
+/**
+ * Windows Restricted Token sandbox executor.
+ *
+ * Provides best-effort process sandboxing via PowerShell environment restrictions.
+ * True OS-level sandboxing requires native Windows API bindings.
+ */
+export declare class WindowsSandboxExecutor implements SandboxExecutor {
+    /** Human-readable mechanism identifier */
+    readonly mechanism = "powershell-wrapper";
+    private readonly _scopePaths;
+    private readonly _tempDir;
+    private _available;
+    private _disabled;
+    private _disabledReason;
+    /**
+     * @param scopePaths - Absolute paths the sandboxed process may write to
+     * @param tempDir   - Optional temp directory path (defaults to system temp)
+     */
+    constructor(scopePaths?: string[], tempDir?: string);
+    /**
+     * Returns true when the Windows sandbox is available and has not been disabled.
+     */
+    isAvailable(): boolean;
+    /**
+     * Disable the sandbox with a reason. Allows external code to force
+     * fallback to unwrapped execution (e.g., for testing, explicit opt-out,
+     * or when initialization fails).
+     *
+     * After calling disable():
+     * - isAvailable() returns false
+     * - wrapCommand() returns the raw command unchanged (passthrough)
+     */
+    disable(reason: string): void;
+    /**
+     * Wrap a shell command string with PowerShell-based sandbox restrictions.
+     *
+     * The wrapper:
+     *   - Sets scoped temp directory (%TEMP%, %TMP%)
+     *   - Restricts PATH to safe system paths only
+     *   - Removes dangerous environment variables that could be used to bypass restrictions
+     *   - Executes the command via cmd /c inside a PowerShell script
+     *
+     * @param command   - Raw shell command to execute inside the sandbox
+     * @param scopePaths - Additional scope paths to allow (merged with constructor scope)
+     * @param tempDir   - Optional temp directory override
+     * @returns A PowerShell-wrapped command string ready for shell execution,
+     *          or the raw command string when the sandbox is unavailable (passthrough mode)
+     */
+    wrapCommand(command: string, scopePaths: string[], tempDir?: string): string;
+    /**
+     * Return environment variable overrides required for the Windows sandbox.
+     *
+     * Security measures:
+     *   - PATH is restricted to essential Windows system directories only
+     *   - TEMP/TMP are set to null (will be set to scoped temp at runtime via wrapCommand)
+     *   - Dangerous variables that don't apply to Windows are cleared for completeness
+     */
+    getEnvOverrides(): Record<string, string | null>;
+}
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "7.35.0",
+	"version": "7.36.0",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",