seclaw-agent 0.1.0

package/SECURITY.md

@@ -0,0 +1,253 @@
+# 🛡️ SeClaw Security
+
+This document describes the security mechanisms implemented in the current SeClaw codebase.
+
+---
+
+## 1) Security Goals and Boundaries
+
+SeClaw focuses on four practical goals:
+
+1. **Constrain unsafe agent actions** before tool execution.
+2. **Isolate execution** (when Docker sandbox is enabled).
+3. **Detect and sanitize prompt-injection content** in tool outputs.
+4. **Keep actions auditable and reversible** via logs, audits, and snapshots.
+
+Key boundary conditions:
+
+- If Docker sandbox is disabled, tools execute on the host.
+- Several controls are **LLM-assisted** (probabilistic), not formal verification.
+- Security is strongest when hardening options in config are enabled together.
+
+---
+
+## 2) Runtime Security Pipeline
+
+For each user task, SeClaw applies the following sequence:
+
+1. *(Optional)* Pre-task snapshot (when Docker snapshotting is enabled).
+2. Task analysis, control-flow integrity (CFI), and information-flow integrity (IFI) validation.
+3. Tool execution.
+4. Tool output sanitization.
+5. Execution logging and post-task risk audit.
+
+---
+
+## 3) Prompt Injection Defense (Input Validation)
+
+Implemented in `src/agent/security/input_validation/`.
+
+### 3.1 Control-Flow Integrity (CFI)
+
+- Before tool execution, SeClaw builds an expected tool-call trajectory from:
+  - The current conversation history (excluding system prompt and tool output)
+  - Static tool definitions
+- The validator then checks each actual tool call against this expected trajectory.
+- For `exec` and `spawn`, **key parameters** must also match expected values:
+  - `exec.command`
+  - `spawn.message`
+
+### 3.2 Information-Flow Integrity (IFI)
+
+- Tool parameters are validated against source/type/value constraints represented in a program graph.
+- Supported constraint types include: `email`, `url`, `file_path`, `directory`, `integer`, `string`, `boolean`, `json`.
+- If required source data has not been produced yet, the user confirmation is required.
+
+### 3.3 Deviation Handling
+
+- If a call is not in the expected trajectory:
+  - Read-only deviations can proceed.
+  - Write/execute deviations go through intent-alignment validation.
+  - Non-aligned deviations trigger `USER_CONFIRMATION_REQUEST`.
+
+
+### 3.4 Prohibited Command Gate
+
+- `security.prohibitedCommands` is matched against tool name/arguments.
+- Matching calls require explicit user approval; otherwise execution is blocked with confirmation request.
+
+### 3.5 Resume-on-Confirmation
+
+- When confirmation is needed, the pending execution state is saved at:
+  `~/.seclaw/security/EXECUTION_RESUME.json`
+
+    This allows the execution to be resumed after the user responds.
+
+
+---
+
+## 4) Prompt Injection Defense (Output Validation)
+
+After each tool returns output, SeClaw can run a guard-model pass (using the configured provider/model) to detect and sanitize injection content.
+
+Detection covers patterns such as:
+
+- Attempts to override original task goals
+- Requests to reveal internal prompts/state
+- Behavior-manipulation instructions (e.g., “ignore previous instructions”)
+- Social-engineering style bypass attempts
+
+When detected, sanitized output is fed back to the reasoning loop with a security notice.
+
+---
+
+## 5) Execution Isolation (Docker Sandbox)
+
+Implemented in `src/agent/docker_sandbox.ts`.
+
+When enabled, SeClaw can run tool execution in a Docker container with controlled mounts/env/network.
+
+Important current behavior:
+
+- Workspace mount is read-only by default (`workspaceReadOnly = true`, mount mode `:ro`).
+- You can allow writes by setting `security.dockerSandbox.workspaceReadOnly = false` (mount mode `:rw`).
+- Additional writable mounts must be explicitly granted via `extraMounts`.
+- `exec` and filesystem tools use container execution when sandbox is active.
+
+Mode caveat:
+
+- `seclaw gateway` initializes Docker sandbox (if enabled in config).
+- `seclaw agent` currently runs without Docker sandbox initialization.
+
+---
+
+## 6) Snapshot & Rollback
+
+Implemented in `src/agent/security/snapshot_and_rollback/` and Docker snapshot manager.
+
+### 6.1 Automatic task snapshots (gateway flow)
+
+- If Docker sandbox snapshotting is enabled, SeClaw snapshots before processing user messages.
+- Snapshot includes:
+  - Docker container image (`docker commit`)
+  - Optional host-dir snapshots for configured mounts (backend-dependent)
+  - Snapshot frequency is throttled by ```security.dockerSandbox.snapshotMinIntervalSeconds```. For efficiency, snapshots are only taken when the time interval between the current conversation and the previous conversation is greater than ```security.dockerSandbox.snapshotMinIntervalSeconds```. You can also use `/take_snapshot` to manually take the snapshot.
+
+### 6.2 Snapshot Frequency
+
+- ```security.dockerSandbox.```
+
+### 6.3 Host snapshot backends
+
+- **macOS:** APFS local snapshot backend (`tmutil localsnapshot`, restore via `mount_apfs` + `rsync`)
+- **Linux:** btrfs CoW snapshot backend (`btrfs subvolume snapshot -r`, restore via `rsync`)
+- **Other platforms:** `rsync` backend if available
+- If platform-preferred backend is unavailable, SeClaw falls back to `rsync` (when installed)
+- If no host backend exists, Docker image snapshot still works (host-dir rollback unavailable)
+
+### 6.4 User-facing snapshot commands
+
+In chat channels:
+
+- `/take_snapshot [label]`
+- `/snapshot_list`
+- `/snapshot_restore <TAG>`
+
+CLI:
+
+- `seclaw snapshot list`
+- `seclaw snapshot take [label]`
+- `seclaw snapshot restore <tag>`
+
+
+---
+
+## 7) Auditing and Logging
+
+### 7.1 Execution logs
+
+- Trajectory logs are written during execution every `executionLogStep` iterations.
+- Final execution trace is also saved at task completion.
+
+### 7.2 Post-execution risk audit
+
+- If enabled and tools were used, SeClaw launches an execution trace audit after the task finished.
+- Detected risks can produce a channel alert and a JSON report.
+
+### 7.3 On-demand security audits
+
+- `/skill_audit`
+  - Scans loaded skill definitions for risky instructions.
+- `/memory_audit`
+  - Scans `MEMORY.md`, `HISTORY.md`, and recent daily memory notes.
+
+---
+
+## 8) Security Configuration Reference
+
+Config file:
+
+- `~/.seclaw/config.json`
+
+### 8.1 `security` fields
+
+| Field | Type | Default | Effect |
+|---|---|---:|---|
+| `prohibitedCommands` | `string[]` | `[]` | Tokens that require explicit user confirmation before execution |
+| `inputValidationEnabled` | `boolean` | `true` | Enables CFI/IFI + deviation validation gate |
+| `outputValidationEnabled` | `boolean` | `true` | Enables tool-output guard-model sanitization |
+| `executionLogEnabled` | `boolean` | `true` | Persists execution trajectory logs |
+| `executionLogStep` | `number` | `1` | Log every N loop iterations |
+| `postExecutionAuditEnabled` | `boolean` | `true` | Runs post-task risk audit |
+| `skillAuditEnabled` | `boolean` | `true` | Present in schema (currently not used as a gate in runtime flow) |
+
+### 8.2 `security.dockerSandbox` fields
+
+| Field | Type | Default | Effect |
+|---|---|---:|---|
+| `enabled` | `boolean` | `false` | Enables Docker sandbox mode |
+| `image` | `string` | `ubuntu:22.04` | Container image |
+| `containerName` | `string` | `seclaw` | Container name |
+| `workspaceContainer` | `string` | `/workspace` | Workspace path inside container |
+| `workspaceReadOnly` | `boolean` | `true` | Mount workspace as read-only (`true`) or read-write (`false`) |
+| `extraMounts` | `string[]` | `[]` | Extra bind mounts (`host:container:mode`) |
+| `extraEnv` | `Record<string,string>` | `{}` | Extra environment variables |
+| `memoryLimit` | `string \| null` | `null` | Optional memory cap |
+| `network` | `string` | `bridge` | Docker network mode |
+| `snapshotEnabled` | `boolean` | `true` | Enables Docker snapshot manager |
+| `snapshotMax` | `number` | `10` | Max retained snapshots |
+| `snapshotMinIntervalSeconds` | `number` | `1800` | Minimum interval between auto-snapshots |
+
+> Onboarding note: `seclaw onboard` overrides some defaults in generated config (for example enabling docker sandbox and setting snapshot/prohibited command starter values).
+
+---
+
+## 9) Security Artifacts and Paths
+
+SeClaw writes security artifacts to both the data root and workspace.
+
+Common paths:
+
+- `~/.seclaw/config.json`
+- `~/.seclaw/security/execution_logs/`
+- `~/.seclaw/security/audit_reports/`
+- `~/.seclaw/security/graphs/expected_trajectory.md`
+- `~/.seclaw/security/graphs/expected_trajectory.json`
+- `~/.seclaw/security/EXECUTION_RESUME.json`
+- `~/.seclaw/snapshots/docker_snapshots.json`
+- `~/.seclaw/snapshots/<timestamp>/...` (host snapshots, backend-dependent)
+- `~/.seclaw/workspace/security/SECURITY_POLICY.md` (policy file used by input-validation policy manager)
+
+---
+
+## 10) Hardening Recommendations
+
+For production-like deployment:
+
+1. Keep `security.inputValidationEnabled = true`.
+2. Keep `security.outputValidationEnabled = true`.
+3. Keep `security.executionLogEnabled = true` and `security.postExecutionAuditEnabled = true`.
+4. Enable Docker sandbox and avoid writable broad mounts.
+5. Set `tools.restrictToWorkspace = true`.
+6. Define a strict `security.prohibitedCommands` list.
+7. Restrict channel senders using each channel’s `allowFrom` controls.
+8. Run `/skill_audit` and `/memory_audit` regularly.
+
+---
+
+## 11) Current Limitations (Important)
+
+- LLM-based validators/guards can reduce risk, but cannot guarantee perfect detection.
+- `security.skillAuditEnabled` exists in config schema, but the current runtime does not use it to block/allow `/skill_audit`.
+- Without Docker sandbox (or when running direct agent mode), execution is host-level.
+- `prohibitedCommands` matching is token/string-based, not full shell AST parsing.

package/dist/agent/context.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Context builder
+ */
+import { MemoryStore } from "./memory";
+import { SkillsLoader } from "./skills";
+export interface DockerSandboxConfig {
+    image: string;
+}
+export declare class ContextBuilder {
+    static BOOTSTRAP_FILES: string[];
+    workspace: string;
+    effectiveWorkspace: string;
+    dockerSandbox?: DockerSandboxConfig;
+    memory: MemoryStore;
+    skills: SkillsLoader;
+    constructor(opts: {
+        workspace: string;
+        containerWorkspace?: string;
+        pathTranslator?: (p: string) => string;
+        dockerSandbox?: DockerSandboxConfig;
+    });
+    buildSystemPrompt(skillNames?: string[]): string;
+    private getIdentity;
+    private loadBootstrapFiles;
+    buildMessages(opts: {
+        history: Record<string, unknown>[];
+        currentMessage: string;
+        skillNames?: string[];
+        media?: string[];
+        channel?: string;
+        chatId?: string;
+    }): Record<string, unknown>[];
+    private buildUserContent;
+    addToolResult(messages: Record<string, unknown>[], toolCallId: string, toolName: string, result: string): Record<string, unknown>[];
+    addAssistantMessage(messages: Record<string, unknown>[], content: string | null, toolCalls?: Record<string, unknown>[], reasoningContent?: string): Record<string, unknown>[];
+}
+//# sourceMappingURL=context.d.ts.map

package/dist/agent/context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../../src/agent/context.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAwBxC,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,cAAc;IACzB,MAAM,CAAC,eAAe,WAAkE;IAExF,SAAS,EAAE,MAAM,CAAC;IAClB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,aAAa,CAAC,EAAE,mBAAmB,CAAC;IACpC,MAAM,EAAE,WAAW,CAAC;IACpB,MAAM,EAAE,YAAY,CAAC;gBAET,IAAI,EAAE;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,cAAc,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;QACvC,aAAa,CAAC,EAAE,mBAAmB,CAAC;KACrC;IAaD,iBAAiB,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM;IA8BhD,OAAO,CAAC,WAAW;IAiDnB,OAAO,CAAC,kBAAkB;IAY1B,aAAa,CAAC,IAAI,EAAE;QAClB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;QACnC,cAAc,EAAE,MAAM,CAAC;QACvB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;QACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;IAiB7B,OAAO,CAAC,gBAAgB;IAiBxB,aAAa,CACX,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EACnC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,GACb,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;IAK5B,mBAAmB,CACjB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EACnC,OAAO,EAAE,MAAM,GAAG,IAAI,EACtB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EACrC,gBAAgB,CAAC,EAAE,MAAM,GACxB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;CAO7B"}

package/dist/agent/context.js

@@ -0,0 +1,211 @@
+"use strict";
+/**
+ * Context builder
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ContextBuilder = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const mime = __importStar(require("mime-types"));
+const memory_1 = require("./memory");
+const skills_1 = require("./skills");
+function runtimeFromImage(image) {
+    const name = image.split("/").pop() ?? image;
+    const colonIdx = name.indexOf(":");
+    const base = colonIdx > 0 ? name.slice(0, colonIdx) : name;
+    const tag = colonIdx > 0 ? name.slice(colonIdx + 1) : "latest";
+    const OS_MAP = {
+        ubuntu: "Ubuntu",
+        debian: "Debian",
+        alpine: "Alpine Linux",
+        fedora: "Fedora",
+        centos: "CentOS",
+        rockylinux: "Rocky Linux",
+        almalinux: "AlmaLinux",
+        amazonlinux: "Amazon Linux",
+        archlinux: "Arch Linux",
+        python: "Python",
+        node: "Node.js",
+    };
+    const osName = OS_MAP[base.toLowerCase()] ?? (base.charAt(0).toUpperCase() + base.slice(1));
+    return `${osName} ${tag} (Docker)`;
+}
+class ContextBuilder {
+    static BOOTSTRAP_FILES = ["AGENTS.md", "SOUL.md", "USER.md", "TOOLS.md", "IDENTITY.md"];
+    workspace;
+    effectiveWorkspace;
+    dockerSandbox;
+    memory;
+    skills;
+    constructor(opts) {
+        this.workspace = opts.workspace;
+        this.effectiveWorkspace =
+            opts.containerWorkspace ?? path.resolve(opts.workspace.replace(/^~/, os.homedir()));
+        this.dockerSandbox = opts.dockerSandbox;
+        this.memory = new memory_1.MemoryStore(opts.workspace, opts.containerWorkspace);
+        this.skills = new skills_1.SkillsLoader({
+            workspace: opts.workspace,
+            containerWorkspace: opts.containerWorkspace,
+            pathTranslator: opts.pathTranslator,
+        });
+    }
+    buildSystemPrompt(skillNames) {
+        const parts = [];
+        parts.push(this.getIdentity());
+        const bootstrap = this.loadBootstrapFiles();
+        if (bootstrap)
+            parts.push(bootstrap);
+        const memoryCtx = this.memory.getMemoryContext();
+        if (memoryCtx)
+            parts.push(`# Memory\n\n${memoryCtx}`);
+        const alwaysSkills = this.skills.getAlwaysSkills();
+        if (alwaysSkills.length > 0) {
+            const alwaysContent = this.skills.loadSkillsForContext(alwaysSkills);
+            if (alwaysContent)
+                parts.push(`# Active Skills\n\n${alwaysContent}`);
+        }
+        const skillsSummary = this.skills.buildSkillsSummary();
+        if (skillsSummary) {
+            parts.push(`# Skills\n\nThe following skills extend your capabilities. ` +
+                `To use a skill, read its SKILL.md file using the read_file tool.\n` +
+                `Skills with available="false" need dependencies installed first - ` +
+                `you can try installing them with apt/brew.\n\n${skillsSummary}`);
+        }
+        return parts.join("\n\n---\n\n");
+    }
+    getIdentity() {
+        const now = new Date().toLocaleString("en-US", {
+            year: "numeric",
+            month: "2-digit",
+            day: "2-digit",
+            hour: "2-digit",
+            minute: "2-digit",
+            weekday: "long",
+        });
+        const workspacePath = this.effectiveWorkspace;
+        const runtime = this.dockerSandbox
+            ? runtimeFromImage(this.dockerSandbox.image)
+            : `${process.platform === "darwin" ? "macOS" : process.platform} ${process.arch}, Node.js ${process.version}`;
+        const homePath = this.dockerSandbox ? "/root" : os.homedir();
+        return `# seclaw 🦾
+
+You are seclaw, a helpful AI assistant. You have access to tools that allow you to:
+- Read, write, and edit files
+- Execute shell commands
+- Search the web and fetch web pages
+- Send messages to users on chat channels
+- Spawn subagents for complex background tasks
+
+You have been deployed on the user's personal computer and have permission to access the user's machine. You should utilize the provided tools to help the user accomplish their tasks.
+
+## Current Time
+${now}
+
+## Runtime
+${runtime}
+
+## HOME
+$HOME is at: ${homePath}
+
+## Workspace
+Your workspace is at: ${workspacePath}
+- Memory files: ${workspacePath}/memory/MEMORY.md
+- Daily notes: ${workspacePath}/memory/YYYY-MM-DD.md
+- Custom skills: ${workspacePath}/skills/{skill-name}/SKILL.md
+
+IMPORTANT: When responding to direct questions or conversations, reply directly with your text response.
+Only use the 'message' tool when you need to send a message to a specific chat channel (like WhatsApp).
+For normal conversation, just respond with text - do not call the message tool.
+
+Always be helpful, accurate, and concise. When using tools, explain what you're doing.
+When remembering something, write to ${workspacePath}/memory/MEMORY.md`;
+    }
+    loadBootstrapFiles() {
+        const parts = [];
+        for (const filename of ContextBuilder.BOOTSTRAP_FILES) {
+            const filePath = path.join(this.workspace, filename);
+            if (fs.existsSync(filePath)) {
+                const content = fs.readFileSync(filePath, "utf-8");
+                parts.push(`## ${filename}\n\n${content}`);
+            }
+        }
+        return parts.join("\n\n");
+    }
+    buildMessages(opts) {
+        const { history, currentMessage, media, channel, chatId } = opts;
+        const messages = [];
+        let systemPrompt = this.buildSystemPrompt(opts.skillNames);
+        if (channel && chatId) {
+            systemPrompt += `\n\n## Current Session\nChannel: ${channel}\nChat ID: ${chatId}`;
+        }
+        messages.push({ role: "system", content: systemPrompt });
+        messages.push(...history);
+        const userContent = this.buildUserContent(currentMessage, media);
+        messages.push({ role: "user", content: userContent });
+        return messages;
+    }
+    buildUserContent(text, media) {
+        if (!media || media.length === 0)
+            return text;
+        const images = [];
+        for (const filePath of media) {
+            const mimeType = mime.lookup(filePath) || "";
+            if (!fs.existsSync(filePath) || !mimeType.startsWith("image/"))
+                continue;
+            const b64 = fs.readFileSync(filePath).toString("base64");
+            images.push({ type: "image_url", image_url: { url: `data:${mimeType};base64,${b64}` } });
+        }
+        if (images.length === 0)
+            return text;
+        return [...images, { type: "text", text }];
+    }
+    addToolResult(messages, toolCallId, toolName, result) {
+        messages.push({ role: "tool", tool_call_id: toolCallId, name: toolName, content: result });
+        return messages;
+    }
+    addAssistantMessage(messages, content, toolCalls, reasoningContent) {
+        const msg = { role: "assistant", content: content ?? "" };
+        if (toolCalls)
+            msg["tool_calls"] = toolCalls;
+        if (reasoningContent)
+            msg["reasoning_content"] = reasoningContent;
+        messages.push(msg);
+        return messages;
+    }
+}
+exports.ContextBuilder = ContextBuilder;
+//# sourceMappingURL=context.js.map

package/dist/agent/context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.js","sourceRoot":"","sources":["../../src/agent/context.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AACzB,iDAAmC;AACnC,qCAAuC;AACvC,qCAAwC;AAExC,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC;IAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,MAAM,IAAI,GAAG,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3D,MAAM,GAAG,GAAG,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IAC/D,MAAM,MAAM,GAA2B;QACrC,MAAM,EAAE,QAAQ;QAChB,MAAM,EAAE,QAAQ;QAChB,MAAM,EAAE,cAAc;QACtB,MAAM,EAAE,QAAQ;QAChB,MAAM,EAAE,QAAQ;QAChB,UAAU,EAAE,aAAa;QACzB,SAAS,EAAE,WAAW;QACtB,WAAW,EAAE,cAAc;QAC3B,SAAS,EAAE,YAAY;QACvB,MAAM,EAAE,QAAQ;QAChB,IAAI,EAAE,SAAS;KAChB,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5F,OAAO,GAAG,MAAM,IAAI,GAAG,WAAW,CAAC;AACrC,CAAC;AAMD,MAAa,cAAc;IACzB,MAAM,CAAC,eAAe,GAAG,CAAC,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;IAExF,SAAS,CAAS;IAClB,kBAAkB,CAAS;IAC3B,aAAa,CAAuB;IACpC,MAAM,CAAc;IACpB,MAAM,CAAe;IAErB,YAAY,IAKX;QACC,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,IAAI,CAAC,kBAAkB;YACrB,IAAI,CAAC,kBAAkB,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACtF,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,aAAa,CAAC;QACxC,IAAI,CAAC,MAAM,GAAG,IAAI,oBAAW,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACvE,IAAI,CAAC,MAAM,GAAG,IAAI,qBAAY,CAAC;YAC7B,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,kBAAkB,EAAE,IAAI,CAAC,kBAAkB;YAC3C,cAAc,EAAE,IAAI,CAAC,cAAc;SACpC,CAAC,CAAC;IACL,CAAC;IAED,iBAAiB,CAAC,UAAqB;QACrC,MAAM,KAAK,GAAa,EAAE,CAAC;QAE3B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QAE/B,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC5C,IAAI,SAAS;YAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAErC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;QACjD,IAAI,SAAS;YAAE,KAAK,CAAC,IAAI,CAAC,eAAe,SAAS,EAAE,CAAC,CAAC;QAEtD,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;QACnD,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,YAAY,CAAC,CAAC;YACrE,IAAI,aAAa;gBAAE,KAAK,CAAC,IAAI,CAAC,sBAAsB,aAAa,EAAE,CAAC,CAAC;QACvE,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;QACvD,IAAI,aAAa,EAAE,CAAC;YAClB,KAAK,CAAC,IAAI,CACR,6DAA6D;gBAC3D,oEAAoE;gBACpE,oEAAoE;gBACpE,iDAAiD,aAAa,EAAE,CACnE,CAAC;QACJ,CAAC;QAED,OAAO,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACnC,CAAC;IAEO,WAAW;QACjB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,cAAc,CAAC,OAAO,EAAE;YAC7C,IAAI,EAAE,SAAS;YACf,KAAK,EAAE,SAAS;YAChB,GAAG,EAAE,SAAS;YACd,IAAI,EAAE,SAAS;YACf,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,MAAM;SAChB,CAAC,CAAC;QACH,MAAM,aAAa,GAAG,IAAI,CAAC,kBAAkB,CAAC;QAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa;YAChC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC;YAC5C,CAAC,CAAC,GAAG,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,aAAa,OAAO,CAAC,OAAO,EAAE,CAAC;QAChH,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC;QAE7D,OAAO;;;;;;;;;;;;EAYT,GAAG;;;EAGH,OAAO;;;eAGM,QAAQ;;;wBAGC,aAAa;kBACnB,aAAa;iBACd,aAAa;mBACX,aAAa;;;;;;;uCAOO,aAAa,mBAAmB,CAAC;IACtE,CAAC;IAEO,kBAAkB;QACxB,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,MAAM,QAAQ,IAAI,cAAc,CAAC,eAAe,EAAE,CAAC;YACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YACrD,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBACnD,KAAK,CAAC,IAAI,CAAC,MAAM,QAAQ,OAAO,OAAO,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,CAAC;IAED,aAAa,CAAC,IAOb;QACC,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;QACjE,MAAM,QAAQ,GAA8B,EAAE,CAAC;QAE/C,IAAI,YAAY,GAAG,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC3D,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;YACtB,YAAY,IAAI,oCAAoC,OAAO,cAAc,MAAM,EAAE,CAAC;QACpF,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;QACzD,QAAQ,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC;QAE1B,MAAM,WAAW,GAAG,IAAI,CAAC,gBAAgB,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;QACjE,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;QAEtD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,gBAAgB,CACtB,IAAY,EACZ,KAAgB;QAEhB,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAE9C,MAAM,MAAM,GAA8B,EAAE,CAAC;QAC7C,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC7C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAAE,SAAS;YACzE,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACzD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,EAAE,GAAG,EAAE,QAAQ,QAAQ,WAAW,GAAG,EAAE,EAAE,EAAE,CAAC,CAAC;QAC3F,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACrC,OAAO,CAAC,GAAG,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,aAAa,CACX,QAAmC,EACnC,UAAkB,EAClB,QAAgB,EAChB,MAAc;QAEd,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3F,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,mBAAmB,CACjB,QAAmC,EACnC,OAAsB,EACtB,SAAqC,EACrC,gBAAyB;QAEzB,MAAM,GAAG,GAA4B,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,EAAE,CAAC;QACnF,IAAI,SAAS;YAAE,GAAG,CAAC,YAAY,CAAC,GAAG,SAAS,CAAC;QAC7C,IAAI,gBAAgB;YAAE,GAAG,CAAC,mBAAmB,CAAC,GAAG,gBAAgB,CAAC;QAClE,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,OAAO,QAAQ,CAAC;IAClB,CAAC;;AApLH,wCAqLC"}

package/dist/agent/docker_sandbox.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Docker sandbox
+ */
+export interface DockerSandboxOptions {
+    image?: string;
+    containerName?: string;
+    workspaceHost?: string;
+    workspaceContainer?: string;
+    workspaceReadOnly?: boolean;
+    extraMounts?: string[];
+    extraEnv?: Record<string, string>;
+    memoryLimit?: string;
+    network?: string;
+    snapshotEnabled?: boolean;
+    snapshotMax?: number;
+}
+export declare class DockerSandbox {
+    image: string;
+    containerName: string;
+    workspaceHost?: string;
+    workspaceContainer: string;
+    workspaceReadOnly: boolean;
+    extraMounts: string[];
+    extraEnv: Record<string, string>;
+    memoryLimit?: string;
+    network: string;
+    snapshotEnabled: boolean;
+    snapshotMax: number;
+    private containerId;
+    constructor(opts?: DockerSandboxOptions);
+    get isRunning(): boolean;
+    start(): void;
+    stop(): void;
+    destroy(): void;
+    buildRunCmd(imageOverride?: string): string[];
+    exec(command: string, workingDir?: string, timeout?: number): Promise<[string, string, number]>;
+    execWithStdin(command: string, stdinData: Buffer, workingDir?: string, timeout?: number): Promise<[string, string, number]>;
+    hostToContainer(hostPath: string): string;
+    containerToHost(containerPath: string): string;
+}
+//# sourceMappingURL=docker_sandbox.d.ts.map

package/dist/agent/docker_sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"docker_sandbox.d.ts","sourceRoot":"","sources":["../../src/agent/docker_sandbox.ts"],"names":[],"mappings":"AAAA;;GAEG;AASH,MAAM,WAAW,oBAAoB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,aAAa;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,EAAE,OAAO,CAAC;IACzB,WAAW,EAAE,MAAM,CAAC;IAEpB,OAAO,CAAC,WAAW,CAAuB;gBAE9B,IAAI,GAAE,oBAAyB;IAc3C,IAAI,SAAS,IAAI,OAAO,CAEvB;IAED,KAAK,IAAI,IAAI;IAsDb,IAAI,IAAI,IAAI;IAOZ,OAAO,IAAI,IAAI;IAMf,WAAW,CAAC,aAAa,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE;IAevC,IAAI,CACR,OAAO,EAAE,MAAM,EACf,UAAU,CAAC,EAAE,MAAM,EACnB,OAAO,SAAK,GACX,OAAO,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IA0B9B,aAAa,CACjB,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,UAAU,CAAC,EAAE,MAAM,EACnB,OAAO,SAAK,GACX,OAAO,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IA6BpC,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;IAgCzC,eAAe,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM;CAQ/C"}