zerobox 0.1.4 โ 0.1.6
- package/README.md +216 -54
- package/dist/flags.d.ts.map +1 -1
- package/dist/flags.js +61 -19
- package/dist/flags.js.map +1 -1
- package/dist/flags.test.js +112 -1
- package/dist/flags.test.js.map +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/sandbox.test.js +138 -0
- package/dist/sandbox.test.js.map +1 -1
- package/dist/types.d.ts +18 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +7 -7
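--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +1,5 @@
 <div align="center">
-<h1
+<h1>zerobox</h1>
 <p><strong>Run any command in a sandbox. Control what it can read, write, and connect to.</strong></p>
 <p>
 <a href="https://www.npmjs.com/package/zerobox" target="_blank">
@@ -18,11 +18,13 @@
 
 Cross-platform process sandboxing powered by [OpenAI Codex](https://github.com/openai/codex)'s production sandbox runtime. Uses seatbelt on macOS and bubblewrap + seccomp on Linux.
 
-- ๐ **Deny by default.** Writes and
+- ๐ **Deny by default.** Writes, network, and environment variables are blocked unless you allow them.
 - ๐ **File access control.** Allow or deny reads and writes to specific paths.
 - ๐ **Network filtering.** Allow or deny by domain, powered by a real HTTP/SOCKS proxy.
+- ๐ **Secret management.** Pass API keys to specific hosts without exposing them to the sandboxed process.
+- ๐งน **Clean environment.** Only essential env vars (PATH, HOME, etc.) are inherited by default.
 - ๐งฉ **TypeScript SDK.** `import { Sandbox } from "zerobox"` with a Deno-style API.
-- ๐ฅ๏ธ **Cross-platform.** macOS
+- ๐ฅ๏ธ **Cross-platform.** macOS and Linux. Windows support planned.
 - ๐ฆ **Single binary.** No runtime dependencies, no Docker, no VMs.
 
 <p align="center">
@@ -31,45 +33,193 @@ Cross-platform process sandboxing powered by [OpenAI Codex](https://github.com/o
 
 ## Install
 
+### Shell (macOS / Linux)
+
 ```bash
-# Shell (macOS / Linux)
 curl -fsSL https://raw.githubusercontent.com/afshinm/zerobox/main/install.sh | sh
+```
+
+### npm
 
-
+```bash
 npm install -g zerobox
+```
 
-
+### From source
+
+```bash
 git clone https://github.com/afshinm/zerobox && cd zerobox
 ./scripts/sync.sh && cargo build --release -p zerobox
 ```
 
 ## Quick start
 
+Run a command with no writes and no network (the default):
+
 ```bash
-# Writes and network are blocked by default
 zerobox -- node -e "console.log('hello')"
+```
 
-
+Allow writes to a directory:
+
+```bash
 zerobox --allow-write=. -- node script.js
+```
+
+Allow network to specific domains:
 
-
+```bash
 zerobox --allow-net=api.openai.com -- node agent.js
 ```
 
+Pass a secret to a specific host (the process never sees the real value):
+
+```bash
+zerobox --secret OPENAI_API_KEY=sk-proj-123 --secret-host OPENAI_API_KEY=api.openai.com -- node agent.js
+```
+
+Same thing with the TypeScript SDK:
+
+```ts
+import { Sandbox } from "zerobox";
+
+const sandbox = Sandbox.create({
+secrets: {
+OPENAI_API_KEY: {
+value: process.env.OPENAI_API_KEY,
+hosts: ["api.openai.com"],
+},
+},
+});
+
+const output = await sandbox.sh`node agent.js`.text();
+```
+
+## Secrets
+
+Secrets are API keys, tokens, or credentials that should never be visible inside the sandbox. The sandboxed process sees a random placeholder in the environment variable. The real value is substituted at the network proxy level, only for approved hosts.
+
+```
+sandbox process: echo $OPENAI_API_KEY
+-> ZEROBOX_SECRET_a1b2c3d4e5... (placeholder)
+
+sandbox process: curl -H "Authorization: Bearer $OPENAI_API_KEY" https://api.openai.com/...
+-> proxy intercepts, replaces placeholder with real key
+-> server receives: Authorization: Bearer sk-proj-123
+```
+
+### CLI
+
+Pass a secret with `--secret` and restrict it to specific hosts with `--secret-host`:
+
+```bash
+zerobox --secret OPENAI_API_KEY=sk-proj-123 --secret-host OPENAI_API_KEY=api.openai.com -- node app.js
+```
+
+Without `--secret-host`, the secret is substituted for all hosts:
+
+```bash
+zerobox --secret TOKEN=abc123 -- node app.js
+```
+
+Multiple secrets with different hosts:
+
+```bash
+zerobox \
+--secret OPENAI_API_KEY=sk-proj-123 --secret-host OPENAI_API_KEY=api.openai.com \
+--secret GITHUB_TOKEN=ghp-456 --secret-host GITHUB_TOKEN=api.github.com \
+-- node app.js
+```
+
+### Node.js proxy support
+
+Node.js `fetch` does not respect `HTTPS_PROXY` by default. When running Node.js inside a sandbox with secrets, add `--use-env-proxy`:
+
+```bash
+zerobox --secret API_KEY=sk-123 --secret-host API_KEY=api.openai.com \
+-- node --use-env-proxy app.js
+```
+
+Programs that use `curl`, Python `requests`, or other HTTP clients that respect proxy env vars work without this flag.
+
+### TypeScript SDK
+
+```ts
+import { Sandbox } from "zerobox";
+
+const sandbox = Sandbox.create({
+secrets: {
+OPENAI_API_KEY: {
+value: process.env.OPENAI_API_KEY,
+hosts: ["api.openai.com"],
+},
+GITHUB_TOKEN: {
+value: process.env.GITHUB_TOKEN,
+hosts: ["api.github.com"],
+},
+},
+});
+
+await sandbox.sh`node agent.js`.text();
+```
+
+## Environment variables
+
+By default, only essential variables are inherited: `PATH`, `HOME`, `USER`, `SHELL`, `TERM`, `LANG`. Everything else is blocked.
+
+### Inherit all parent env vars
+
+```bash
+zerobox --allow-env -- node app.js
+```
+
+### Inherit specific vars only
+
+```bash
+zerobox --allow-env=PATH,HOME,DATABASE_URL -- node app.js
+```
+
+### Block specific vars
+
+```bash
+zerobox --allow-env --deny-env=AWS_SECRET_ACCESS_KEY -- node app.js
+```
+
+### Set explicit env vars
+
+```bash
+zerobox --env NODE_ENV=production --env DEBUG=false -- node app.js
+```
+
+### TypeScript SDK
+
+```ts
+const sandbox = Sandbox.create({
+env: { NODE_ENV: "production" },
+allowEnv: ["PATH", "HOME"],
+denyEnv: ["AWS_SECRET_ACCESS_KEY"],
+});
+```
+
 ## Examples
 
 ### Run AI-generated code safely
 
-An LLM generates code.
+An LLM generates code. Run it without risking file corruption or data exfiltration.
 
 ```bash
-# LLM writes code to /tmp/task.py. Run it with no writes, no network.
 zerobox -- python3 /tmp/task.py
+```
 
-
+Allow writes only to an output directory:
+
+```bash
 zerobox --allow-write=/tmp/output -- python3 /tmp/task.py
+```
+
+Allow the script to call a specific API:
 
-
+```bash
 zerobox --allow-write=/tmp/output --allow-net=api.openai.com -- python3 /tmp/task.py
 ```
 
@@ -87,20 +237,6 @@ const result = await sandbox.sh`python3 /tmp/task.py`.output();
 console.log(result.code, result.stdout);
 ```
 
-### Sandbox a browser agent
-
-Use [LightPanda](https://lightpanda.io), a headless browser, for fully sandboxed web browsing. The agent can only reach the domains you allow.
-
-```bash
-# Fetch a page as markdown (only example.com is reachable)
-zerobox --allow-net=example.com -- lightpanda fetch --dump markdown https://example.com
-
-# Allow write access for saving results
-zerobox --allow-net=example.com --allow-write=/tmp -- lightpanda fetch --dump html https://example.com
-```
-
-> **Note:** GUI browsers like Chrome and Firefox cannot run inside the sandbox. They require macOS WindowServer access and Unix socket IPC that the sandbox blocks by design. Use a headless engine like LightPanda, or run the browser outside the sandbox and connect via CDP.
-
 ### Restrict LLM tool calls
 
 Each tool call can be sandboxed individually. The agent runs normally. Only the dangerous operations are sandboxed.
@@ -108,24 +244,20 @@ Each tool call can be sandboxed individually. The agent runs normally. Only the
 ```ts
 import { Sandbox } from "zerobox";
 
-
-const
-const
-const fetcher = Sandbox.create({ allowNet: ["example.com"] }); // one domain
+const reader = Sandbox.create();
+const writer = Sandbox.create({ allowWrite: ["/tmp"] });
+const fetcher = Sandbox.create({ allowNet: ["example.com"] });
 
-// Read a file inside the sandbox
 const data = await reader.js`
 const content = require("fs").readFileSync("/tmp/input.txt", "utf8");
 console.log(JSON.stringify({ content }));
 `.json();
 
-// Write a file (only /tmp is writable)
 await writer.js`
 require("fs").writeFileSync("/tmp/output.txt", "result");
 console.log("ok");
 `.text();
 
-// Fetch a URL (only example.com is reachable)
 const result = await fetcher.js`
 const res = await fetch("https://example.com");
 console.log(JSON.stringify({ status: res.status }));
@@ -133,7 +265,8 @@ const result = await fetcher.js`
 ```
 
 Full working examples:
-- [`examples/ai-agent`](examples/ai-agent) --
+- [`examples/ai-agent-sandboxed`](examples/ai-agent-sandboxed) -- Entire agent process sandboxed with secrets (API key never visible)
+- [`examples/ai-agent`](examples/ai-agent) -- Vercel AI SDK with per-tool sandboxing and secrets
 - [`examples/workflow`](examples/workflow) -- [Vercel Workflow](https://useworkflow.dev/) with sandboxed durable steps
 
 ### Protect your repo during builds
@@ -141,48 +274,65 @@ Full working examples:
 Run package installs and build scripts without risking your `.git` history or config files.
 
 ```bash
-# npm install can write to node_modules but not .git or .env
 zerobox --allow-write=./node_modules,./package-lock.json --deny-write=./.git,./.env -- npm install
+```
+
+Run a build script with network access:
 
-
+```bash
 zerobox --allow-write=./dist --allow-net -- npm run build
+```
 
-
+Run tests with no network (catch accidental external calls):
+
+```bash
 zerobox --allow-write=/tmp -- npm test
 ```
 
-## SDK
+## SDK reference
 
 ```bash
 npm install zerobox
 ```
 
+### Shell commands
+
 ```ts
 import { Sandbox } from "zerobox";
 
-const sandbox = Sandbox.create({
-allowWrite: ["/tmp"],
-allowNet: ["example.com"],
-});
-
-// Shell commands via tagged template
+const sandbox = Sandbox.create({ allowWrite: ["/tmp"] });
 const output = await sandbox.sh`echo hello`.text();
+```
+
+### JSON output
 
-
+```ts
 const data = await sandbox.sh`cat data.json`.json();
+```
 
-
+### Raw output (doesn't throw on non-zero exit)
+
+```ts
 const result = await sandbox.sh`exit 42`.output();
 // { code: 42, stdout: "", stderr: "" }
+```
+
+### Explicit command + args
 
-
+```ts
 await sandbox.exec("node", ["-e", "console.log('hi')"]).text();
+```
 
-
-
-
+### Inline JavaScript
+
+```ts
+const data = await sandbox.js`
+console.log(JSON.stringify({ sum: 1 + 2 }));
+`.json();
 ```
 
+### Error handling
+
 Non-zero exit codes throw `SandboxCommandError`:
 
 ```ts
@@ -194,11 +344,18 @@ try {
 } catch (e) {
 if (e instanceof SandboxCommandError) {
 console.log(e.code); // 1
-console.log(e.stderr);
+console.log(e.stderr);
 }
 }
 ```
 
+### Cancellation
+
+```ts
+const controller = new AbortController();
+await sandbox.sh`sleep 60`.text({ signal: controller.signal });
+```
+
 ## Performance
 
 Sandbox overhead is minimal, typically ~10ms and ~7MB:
@@ -219,7 +376,7 @@ Sandbox overhead is minimal, typically ~10ms and ~7MB:
 |----------|---------|--------|
 | macOS | Seatbelt (`sandbox-exec`) | Fully supported |
 | Linux | Bubblewrap + Seccomp + Namespaces | Fully supported |
-| Windows | Restricted Tokens + ACLs + Firewall |
+| Windows | Restricted Tokens + ACLs + Firewall | Planned |
 
 ## CLI reference
 
@@ -231,7 +388,12 @@ Sandbox overhead is minimal, typically ~10ms and ~7MB:
 | `--deny-write <paths>` | `--deny-write=./.git` | Block writing to these paths. Takes precedence over `--allow-write`. |
 | `--allow-net [domains]` | `--allow-net=example.com` | Allow outbound network. Without a value, allows all domains. Default: no network. |
 | `--deny-net <domains>` | `--deny-net=evil.com` | Block network to these domains. Takes precedence over `--allow-net`. |
-|
+| `--env <KEY=VALUE>` | `--env NODE_ENV=prod` | Set env var in the sandbox. Can be repeated. |
+| `--allow-env [keys]` | `--allow-env=PATH,HOME` | Inherit parent env vars. Without a value, inherits all. Default: only PATH, HOME, USER, SHELL, TERM, LANG. |
+| `--deny-env <keys>` | `--deny-env=SECRET` | Drop these parent env vars. Takes precedence over `--allow-env`. |
+| `--secret <KEY=VALUE>` | `--secret API_KEY=sk-123` | Pass a secret. The process sees a placeholder; the real value is injected at the proxy for approved hosts. |
+| `--secret-host <KEY=HOSTS>` | `--secret-host API_KEY=api.openai.com` | Restrict a secret to specific hosts. Without this, the secret is substituted for all hosts. |
+| `-A`, `--allow-all` | `-A` | Grant all filesystem and network permissions. Env and secrets still apply. |
 | `--no-sandbox` | `--no-sandbox` | Disable the sandbox entirely. |
 | `-C <dir>` | `-C /workspace` | Set working directory for the sandboxed command. |
 | `-V`, `--version` | `--version` | Print version. |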
package/dist/flags.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"flags.d.ts","sourceRoot":"","sources":["../src/flags.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,2CAA2C;AAC3C,wBAAgB,UAAU,CAAC,OAAO,EAAE,cAAc,GAAG,MAAM,EAAE,
|
|
1
|
+
{"version":3,"file":"flags.d.ts","sourceRoot":"","sources":["../src/flags.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,2CAA2C;AAC3C,wBAAgB,UAAU,CAAC,OAAO,EAAE,cAAc,GAAG,MAAM,EAAE,CA+E5D"}
|
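--- a/package/dist/flags.js
+++ b/package/dist/flags.js
@@ -1,34 +1,76 @@
 /** Build CLI flags from SandboxOptions. */
 export function buildFlags(options) {
 const flags = [];
+// Collect secret hosts for network permission merging.
+const secretHosts = [];
+if (options.secrets) {
+for (const [key, config] of Object.entries(options.secrets)) {
+flags.push("--secret", `${key}=${config.value}`);
+if (config.hosts.length > 0) {
+flags.push("--secret-host", `${key}=${config.hosts.join(",")}`);
+secretHosts.push(...config.hosts);
+}
+}
+}
 if (options.allowAll) {
 flags.push("--allow-all");
-
+// Still emit env/secret flags โ allowAll controls fs/net, not env.
 }
-if (options.noSandbox) {
+else if (options.noSandbox) {
 flags.push("--no-sandbox");
-return flags;
-}
-if (options.allowRead?.length) {
-flags.push(`--allow-read=${options.allowRead.join(",")}`);
-}
-if (options.denyRead?.length) {
-flags.push(`--deny-read=${options.denyRead.join(",")}`);
 }
-
-
+else {
+if (options.allowRead?.length) {
+flags.push(`--allow-read=${options.allowRead.join(",")}`);
+}
+if (options.denyRead?.length) {
+flags.push(`--deny-read=${options.denyRead.join(",")}`);
+}
+if (options.allowWrite?.length) {
+flags.push(`--allow-write=${options.allowWrite.join(",")}`);
+}
+if (options.denyWrite?.length) {
+flags.push(`--deny-write=${options.denyWrite.join(",")}`);
+}
+// Merge secret hosts into allowNet (secrets auto-enable network for their hosts).
+// The CLI also does this, but we emit it here so --allow-net reflects the full picture.
+let effectiveAllowNet = options.allowNet;
+if (secretHosts.length > 0) {
+if (effectiveAllowNet === true) {
+// Already allowing all network.
+}
+else if (Array.isArray(effectiveAllowNet)) {
+effectiveAllowNet = [...effectiveAllowNet, ...secretHosts];
+}
+else {
+// Network was not explicitly enabled; secrets handle it via --secret-host.
+// Don't emit --allow-net here โ the CLI enables network implicitly for secret hosts.
+}
+}
+if (effectiveAllowNet === true) {
+flags.push("--allow-net");
+}
+else if (Array.isArray(effectiveAllowNet) && effectiveAllowNet.length > 0) {
+flags.push(`--allow-net=${effectiveAllowNet.join(",")}`);
+}
+if (options.denyNet?.length) {
+flags.push(`--deny-net=${options.denyNet.join(",")}`);
+}
 }
-
-
+// Env flags โ emitted for all modes (including allowAll).
+if (options.allowEnv === true) {
+flags.push("--allow-env");
 }
-if (options.
-flags.push(
+else if (Array.isArray(options.allowEnv) && options.allowEnv.length > 0) {
+flags.push(`--allow-env=${options.allowEnv.join(",")}`);
 }
-
-flags.push(`--
+if (options.denyEnv?.length) {
+flags.push(`--deny-env=${options.denyEnv.join(",")}`);
 }
-if (options.
-
+if (options.env) {
+for (const [key, value] of Object.entries(options.env)) {
+flags.push("--env", `${key}=${value}`);
+}
 }
 if (options.cwd) {
 flags.push("-C", options.cwd);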
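Review bot: The new secrets loop puts the real credential into the argument vector through the `--secret` push (new line 8), and process arguments are commonly readable by other local processes and show up in process listings, so the value is exposed outside the sandbox for as long as the command runs; if the CLI has, or can be given, a non-argv channel for the value, the SDK should use it. The same interpolation accepts any `config.value`, so the README pattern `value: process.env.OPENAI_API_KEY` with the variable unset would send the literal text `undefined` as the secret; a guard before the push such as `if (typeof config.value !== "string" || config.value === "") throw new TypeError("secret " + key + " has no value");` would fail loudly instead. An empty `hosts` array emits no `--secret-host`, which the README says means substitution for all hosts, so a host list that ends up empty silently widens where the secret is sent; consider requiring at least one host or an explicit opt-in for the all-hosts case. `buildFlags` continues past the end of this hunk.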
package/dist/flags.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"flags.js","sourceRoot":"","sources":["../src/flags.ts"],"names":[],"mappings":"AAEA,2CAA2C;AAC3C,MAAM,UAAU,UAAU,CAAC,OAAuB;IAChD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,OAAO,CAAC,
|
|
1
|
+
{"version":3,"file":"flags.js","sourceRoot":"","sources":["../src/flags.ts"],"names":[],"mappings":"AAEA,2CAA2C;AAC3C,MAAM,UAAU,UAAU,CAAC,OAAuB;IAChD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,uDAAuD;IACvD,MAAM,WAAW,GAAa,EAAE,CAAC;IAEjC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5D,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,GAAG,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;YACjD,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5B,KAAK,CAAC,IAAI,CAAC,eAAe,EAAE,GAAG,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChE,WAAW,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC1B,mEAAmE;IACrE,CAAC;SAAM,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,IAAI,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC;YAC9B,KAAK,CAAC,IAAI,CAAC,gBAAgB,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,eAAe,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC1D,CAAC;QACD,IAAI,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,CAAC;YAC/B,KAAK,CAAC,IAAI,CAAC,iBAAiB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,CAAC;YAC9B,KAAK,CAAC,IAAI,CAAC,gBAAgB,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC5D,CAAC;QAED,kFAAkF;QAClF,wFAAwF;QACxF,IAAI,iBAAiB,GAAG,OAAO,CAAC,QAAQ,CAAC;QACzC,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,IAAI,iBAAiB,KAAK,IAAI,EAAE,CAAC;gBAC/B,gCAAgC;YAClC,CAAC;iBAAM,IAAI,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBAC5C,iBAAiB,GAAG,CAAC,GAAG,iBAAiB,EAAE,GAAG,WAAW,CAAC,CAAC;YAC7D,CAAC;iBAAM,CAAC;gBACN,2EAA2E;gBAC3E,qFAAqF;YACvF,CAAC;QACH,CAAC;QAED,IAAI,iBAAiB,KAAK,IAAI,EAAE,CAAC;YAC/B,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC5B,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,CAAC,iBAAiB,CAAC,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5E,KAAK,C
AAC,IAAI,CAAC,eAAe,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,cAAc,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,IAAI,OAAO,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;QAC9B,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC5B,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1E,KAAK,CAAC,IAAI,CAAC,eAAe,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC1D,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,cAAc,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACvD,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}
|
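--- a/package/dist/flags.test.js
+++ b/package/dist/flags.test.js
@@ -4,7 +4,7 @@ describe("buildFlags", () => {
 it("returns empty array for default options", () => {
 expect(buildFlags({})).toEqual([]);
 });
-it("returns --allow-all
+it("returns --allow-all without fs/net flags", () => {
 expect(buildFlags({ allowAll: true, allowWrite: ["/tmp"] })).toEqual(["--allow-all"]);
 });
 it("returns --no-sandbox and nothing else", () => {
@@ -66,5 +66,116 @@ describe("buildFlags", () => {
 it("skips empty arrays", () => {
 expect(buildFlags({ allowRead: [], denyRead: [], allowWrite: [], denyWrite: [] })).toEqual([]);
 });
+// โโ env โโ
+it("builds --env flags", () => {
+expect(buildFlags({ env: { FOO: "bar" } })).toEqual(["--env", "FOO=bar"]);
+});
+it("builds multiple --env flags", () => {
+const flags = buildFlags({ env: { A: "1", B: "2" } });
+expect(flags).toContain("--env");
+expect(flags).toContain("A=1");
+expect(flags).toContain("B=2");
+});
+it("builds --allow-env as boolean", () => {
+expect(buildFlags({ allowEnv: true })).toEqual(["--allow-env"]);
+});
+it("builds --allow-env with keys", () => {
+expect(buildFlags({ allowEnv: ["PATH", "HOME"] })).toEqual(["--allow-env=PATH,HOME"]);
+});
+it("builds --deny-env", () => {
+expect(buildFlags({ denyEnv: ["SECRET"] })).toEqual(["--deny-env=SECRET"]);
+});
+// โโ secrets โโ
+it("emits --secret and --secret-host flags", () => {
+const flags = buildFlags({
+secrets: { API_KEY: { value: "sk-123", hosts: ["api.example.com"] } },
+});
+expect(flags).toContain("--secret");
+expect(flags).toContain("API_KEY=sk-123");
+expect(flags).toContain("--secret-host");
+expect(flags).toContain("API_KEY=api.example.com");
+});
+it("secret without hosts emits only --secret", () => {
+const flags = buildFlags({
+secrets: { TOKEN: { value: "abc", hosts: [] } },
+});
+expect(flags).toContain("--secret");
+expect(flags).toContain("TOKEN=abc");
+expect(flags).not.toContain("--secret-host");
+});
+it("merges secret hosts with existing allowNet domains", () => {
+const flags = buildFlags({
+allowNet: ["other.com"],
+secrets: { KEY: { value: "v", hosts: ["api.com"] } },
+});
+expect(flags).toContain("--allow-net=other.com,api.com");
+});
+it("secrets with allowNet: true do not duplicate net flag", () => {
+const flags = buildFlags({
+allowNet: true,
+secrets: { KEY: { value: "v", hosts: ["api.com"] } },
+});
+expect(flags).toContain("--allow-net");
+expect(flags.filter((f) => f.startsWith("--allow-net")).length).toBe(1);
+});
+it("multiple secrets produce multiple --secret flags", () => {
+const flags = buildFlags({
+secrets: {
+A: { value: "v1", hosts: ["h1.com"] },
+B: { value: "v2", hosts: ["h2.com"] },
+},
+});
+expect(flags.filter((f) => f === "--secret").length).toBe(2);
+expect(flags).toContain("A=v1");
+expect(flags).toContain("B=v2");
+});
+it("env flags are emitted even with allowAll", () => {
+const flags = buildFlags({ allowAll: true, env: { FOO: "bar" } });
+expect(flags).toContain("--allow-all");
+expect(flags).toContain("--env");
+expect(flags).toContain("FOO=bar");
+});
+it("secrets are emitted even with allowAll", () => {
+const flags = buildFlags({
+allowAll: true,
+secrets: { KEY: { value: "v", hosts: ["h.com"] } },
+});
+expect(flags).toContain("--allow-all");
+expect(flags).toContain("--secret");
+expect(flags).toContain("KEY=v");
+});
+it("denyEnv combined with secrets", () => {
+const flags = buildFlags({
+denyEnv: ["HOME"],
+secrets: { KEY: { value: "v", hosts: ["h.com"] } },
+});
+expect(flags).toContain("--deny-env=HOME");
+expect(flags).toContain("--secret");
+expect(flags).toContain("KEY=v");
+});
+it("noSandbox still emits secret flags", () => {
+const flags = buildFlags({
+noSandbox: true,
+secrets: { KEY: { value: "v", hosts: ["h.com"] } },
+});
+expect(flags).toContain("--no-sandbox");
+expect(flags).toContain("--secret");
+expect(flags).toContain("KEY=v");
+});
+it("secrets without allowNet do not emit --allow-net", () => {
+const flags = buildFlags({
+secrets: { KEY: { value: "v", hosts: ["h.com"] } },
+});
+expect(flags).toContain("--secret");
+expect(flags).toContain("--secret-host");
+// No --allow-net โ CLI handles network implicitly for secret hosts.
+expect(flags.filter((f) => f.startsWith("--allow-net")).length).toBe(0);
+});
+it("allowEnv: false does not emit flag", () => {
+expect(buildFlags({ allowEnv: false })).toEqual([]);
+});
+it("allowEnv: [] does not emit flag", () => {
+expect(buildFlags({ allowEnv: [] })).toEqual([]);
+});
 });
 //# sourceMappingURL=flags.test.js.map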
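Review bot: The secret tests check each flag and each value independently with `toContain` (for example new lines 93–96), so output that pairs a value with the wrong flag, such as the real value following `--secret-host`, would still pass. Pinning the exact sequence closes that gap: `expect(flags).toEqual(["--secret", "API_KEY=sk-123", "--secret-host", "API_KEY=api.example.com"]);`. The same applies to the `allowAll` and `noSandbox` secret cases, and there is no case here for a missing `value` or an omitted `hosts` field. The enclosing `describe` block starts outside these hunks.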
package/dist/flags.test.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"flags.test.js","sourceRoot":"","sources":["../src/flags.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;IAC1B,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,
|
|
1
|
+
{"version":3,"file":"flags.test.js","sourceRoot":"","sources":["../src/flags.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAExC,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;IAC1B,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,UAAU,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC;IAC1F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,CAAC,UAAU,CAAC,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAC5B,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,UAAU,CAAC,EAAE,UAAU,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,MAAM,CAAC,UAAU,CAAC,EAAE,SAAS,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,CAAC,aAAa,EAAE,iBAAiB,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;YAC3E,yCAAyC;SAC1C,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,CAAC,UAAU,C
AAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC;IACjF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mBAAmB,EAAE,GAAG,EAAE;QAC3B,MAAM,CAAC,UAAU,CAAC,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,MAAM,KAAK,GAAG,UAAU,CAAC;YACvB,SAAS,EAAE,CAAC,MAAM,CAAC;YACnB,QAAQ,EAAE,CAAC,aAAa,CAAC;YACzB,UAAU,EAAE,CAAC,MAAM,CAAC;YACpB,SAAS,EAAE,CAAC,WAAW,CAAC;YACxB,QAAQ,EAAE,CAAC,aAAa,CAAC;YACzB,OAAO,EAAE,CAAC,UAAU,CAAC;YACrB,GAAG,EAAE,YAAY;SAClB,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC;YACpB,mBAAmB;YACnB,yBAAyB;YACzB,oBAAoB;YACpB,wBAAwB;YACxB,yBAAyB;YACzB,qBAAqB;YACrB,IAAI;YACJ,YAAY;SACb,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAC5B,MAAM,CAAC,UAAU,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACjG,CAAC,CAAC,CAAC;IAEH,YAAY;IAEZ,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAC5B,MAAM,CAAC,UAAU,CAAC,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACtD,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACjC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC/B,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mBAAmB,EAA
E,GAAG,EAAE;QAC3B,MAAM,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,gBAAgB;IAEhB,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,KAAK,GAAG,UAAU,CAAC;YACvB,OAAO,EAAE,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE;SACtE,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QAC1C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QACzC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,KAAK,GAAG,UAAU,CAAC;YACvB,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE;SAChD,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACrC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,KAAK,GAAG,UAAU,CAAC;YACvB,QAAQ,EAAE,CAAC,WAAW,CAAC;YACvB,OAAO,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE;SACrD,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,+BAA+B,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,KAAK,GAAG,UAAU,CAAC;YACvB,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE;SACrD,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,KAAK,GAAG,UAAU,CAAC;YACvB,OAAO,EAAE;gBACP,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE;gBACrC,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE;aACtC;SACF,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC
,CAAC,CAAC,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAChC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;QAClE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACjC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,KAAK,GAAG,UAAU,CAAC;YACvB,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE;SACnD,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,KAAK,GAAG,UAAU,CAAC;YACvB,OAAO,EAAE,CAAC,MAAM,CAAC;YACjB,OAAO,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE;SACnD,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;QAC3C,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,KAAK,GAAG,UAAU,CAAC;YACvB,SAAS,EAAE,IAAI;YACf,OAAO,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE;SACnD,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QACxC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,KAAK,GAAG,UAAU,CAAC;YACvB,OAAO,EAAE,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE;SACnD,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QACzC,oEAAoE;QACpE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CA
AC,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
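--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -3,5 +3,5 @@ export { ShellCommand } from "./command.js";
 export { SandboxCommandError } from "./errors.js";
 export { buildFlags } from "./flags.js";
 export { resolveBinary } from "./binary.js";
-export type { SandboxOptions, CommandOutput, CommandOptions } from "./types.js";
+export type { SandboxOptions, SecretConfig, CommandOutput, CommandOptions } from "./types.js";
 //# sourceMappingURL=index.d.ts.map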
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,YAAY,EAAE,cAAc,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,YAAY,EAAE,cAAc,EAAE,YAAY,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC"}
|
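--- a/package/dist/sandbox.test.js
+++ b/package/dist/sandbox.test.js
@@ -174,5 +174,143 @@ console.log(r.join(','))`,
 expect(existsSync("/tmp/zerobox-sdk-aa")).toBe(true);
 expect(readFileSync("/tmp/zerobox-sdk-aa", "utf8").trim()).toBe("ok");
 }));
+// โโ env vars โโ
+it("default env excludes custom parent vars", async () => {
+const sandbox = Sandbox.create();
+const output = await sandbox.sh `echo $ZEROBOX_TEST_CUSTOM`.text();
+expect(output.trim()).toBe("");
+});
+it("default env includes PATH", async () => {
+const sandbox = Sandbox.create();
+const output = await sandbox.sh `echo $PATH`.text();
+expect(output.trim()).not.toBe("");
+});
+it("env option sets explicit vars", async () => {
+const sandbox = Sandbox.create({ env: { MY_VAR: "hello" } });
+const output = await sandbox.sh `echo $MY_VAR`.text();
+expect(output.trim()).toBe("hello");
+});
+it("env option with multiple vars", async () => {
+const sandbox = Sandbox.create({ env: { A: "1", B: "2" } });
+const output = await sandbox.sh `echo $A $B`.text();
+expect(output.trim()).toBe("1 2");
+});
+it("allowEnv: true inherits all parent vars", async () => {
+const sandbox = Sandbox.create({ allowEnv: true });
+const output = await sandbox.sh `env`.text();
+const count = output.trim().split("\n").length;
+expect(count).toBeGreaterThan(10);
+});
+it("allowEnv with specific keys inherits only those", async () => {
+const sandbox = Sandbox.create({ allowEnv: ["PATH"] });
+const output = await sandbox.sh `env`.text();
+const lines = output.trim().split("\n");
+expect(lines.some((l) => l.startsWith("PATH="))).toBe(true);
+// HOME should not be its own env var (CODEX_HOME is different and OK).
+expect(lines.some((l) => l.startsWith("HOME="))).toBe(false);
+});
+it("denyEnv removes vars", async () => {
+const sandbox = Sandbox.create({ allowEnv: true, denyEnv: ["HOME"] });
+const output = await sandbox.sh `echo "HOME=$HOME"`.text();
+expect(output.trim()).toBe("HOME=");
+});
+it("denyEnv does not block explicit env", async () => {
+const sandbox = Sandbox.create({ denyEnv: ["FOO"], env: { FOO: "override" } });
+const output = await sandbox.sh `echo $FOO`.text();
+expect(output.trim()).toBe("override");
+});
+it("env value with equals sign", async () => {
+const sandbox = Sandbox.create({ env: { DATA: "a=b=c" } });
+const output = await sandbox.sh `echo $DATA`.text();
+expect(output.trim()).toBe("a=b=c");
+});
+// โโ secrets โโ
+it("secret env var contains placeholder, not real value", async () => {
+const sandbox = Sandbox.create({
+secrets: {
+API_KEY: { value: "sk-test-123", hosts: ["example.com"] },
+},
+});
+const output = await sandbox.sh `echo $API_KEY`.text();
+expect(output.trim()).toMatch(/^ZEROBOX_SECRET_[0-9a-f]{64}$/);
+expect(output.trim()).not.toBe("sk-test-123");
+});
+it("secrets auto-enable network for their hosts", async () => {
+const sandbox = Sandbox.create({
+secrets: {
+TOKEN: { value: "t", hosts: ["httpbin.org"] },
+},
+});
+// -k: accept MITM proxy cert (secrets enable MITM for header substitution)
+const result = await sandbox
+.exec("curl", ["-sk", "-o", "/dev/null", "-w", "%{http_code}", "https://httpbin.org/get"])
+.text();
+expect(result.trim()).toBe("200");
+});
+it("secret header substituted for matching host", async () => {
+const sandbox = Sandbox.create({
+secrets: {
+MY_SECRET: { value: "real-value", hosts: ["httpbin.org"] },
+},
+});
+const output = await sandbox.sh `curl -sk -H "X-Test: $MY_SECRET" https://httpbin.org/headers`.json();
+expect(output.headers["X-Test"]).toBe("real-value");
+});
+it("secret NOT substituted for wrong host", async () => {
+const sandbox = Sandbox.create({
+allowNet: true,
+secrets: {
+MY_SECRET: { value: "real-value", hosts: ["other.com"] },
+},
+});
+const output = await sandbox.sh `curl -sk -H "X-Test: $MY_SECRET" https://httpbin.org/headers`.json();
+expect(output.headers["X-Test"]).toMatch(/^ZEROBOX_SECRET_/);
+});
+it("multiple secrets with different hosts", async () => {
+const sandbox = Sandbox.create({
+secrets: {
+SECRET_A: { value: "value-a", hosts: ["httpbin.org"] },
+SECRET_B: { value: "value-b", hosts: ["other.com"] },
+},
+allowNet: true,
+});
+const output = await sandbox.sh `curl -sk -H "X-A: $SECRET_A" -H "X-B: $SECRET_B" https://httpbin.org/headers`.json();
+// A is for httpbin.org โ substituted. B is for other.com โ placeholder.
+expect(output.headers["X-A"]).toBe("value-a");
+expect(output.headers["X-B"]).toMatch(/^ZEROBOX_SECRET_/);
+});
+it("secret host restriction blocks other hosts", async () => {
+const sandbox = Sandbox.create({
+secrets: {
+TOKEN: { value: "t", hosts: ["httpbin.org"] },
+},
+});
+// httpbin.org should work (secret host), but example.com should be blocked.
+const result = await sandbox
+.exec("curl", [
+"-sk",
+"--max-time",
+"3",
+"-o",
+"/dev/null",
+"-w",
+"%{http_code}",
+"https://example.com",
+])
+.output();
+expect(result.stdout.trim()).not.toBe("200");
+});
+it("env and secrets work together", async () => {
+const sandbox = Sandbox.create({
+env: { MY_VAR: "env-val" },
+secrets: {
+MY_SECRET: { value: "secret-val", hosts: ["httpbin.org"] },
+},
+});
+const envOut = await sandbox.sh `echo $MY_VAR`.text();
+expect(envOut.trim()).toBe("env-val");
+const secretOut = await sandbox.sh `echo $MY_SECRET`.text();
+expect(secretOut.trim()).toMatch(/^ZEROBOX_SECRET_/);
+});
 });
 //# sourceMappingURL=sandbox.test.js.map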
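Review bot: The test "default env excludes custom parent vars" never puts `ZEROBOX_TEST_CUSTOM` into the parent environment anywhere in this hunk, so `echo $ZEROBOX_TEST_CUSTOM` prints an empty line whether or not the sandbox filters anything, and the deny-by-default behaviour for environment variables goes unverified (unless a setup step outside the hunk sets it; the `describe` body starts before these lines). Setting the variable inside the test, `process.env.ZEROBOX_TEST_CUSTOM = "leak";` before `Sandbox.create()` and `delete process.env.ZEROBOX_TEST_CUSTOM;` in a `finally`, would make the assertion meaningful. The same weakness applies to "secret host restriction blocks other hosts": `expect(result.stdout.trim()).not.toBe("200")` also passes when curl is missing, DNS fails or the 3-second timeout fires, so a check on the specific result a denied host produces would pin the intended behaviour.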
package/dist/sandbox.test.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sandbox.test.js","sourceRoot":"","sources":["../src/sandbox.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAElD,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;AAEtC,6CAA6C;AAC7C,SAAS,WAAW,CAAC,IAAY,EAAE,EAAuB;IACxD,OAAO,KAAK,IAAI,EAAE;QAChB,MAAM,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/C,IAAI,CAAC;YACH,MAAM,EAAE,EAAE,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,eAAe,EAAE,GAAG,EAAE;IAC1C,iBAAiB;IAEjB,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,YAAY,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QAC1E,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,EAAE,CAAA,SAAS,CAAC,IAAI,EAAE,CAAC;YACjC,MAAM,CAAC,WAAW,CAAC,oBAAoB,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,mBAAmB,CAAC,CAAC;YAC9C,MAAM,CAAE,CAAyB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,iBAAiB;IAEjB,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,wBAAwB,CAAC,IAAI,EAAmB,CAAC;QAC9E,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,mBAAmB;IAEnB,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,SAAS,CAAC,MAAM,EAAE,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE
;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,0BAA0B,CAAC,MAAM,EAAE,CAAC;QACnE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAE1B,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,OAAO,CAAC;QACrB,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,cAAc,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC;QAC3D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,WAAW;IAEX,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,oBAAoB,CAAC,IAAI,EAAE,CAAC;QAC3D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;QAC3C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,eAAe,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAC9D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA;;KAE5B,CAAC,IAAI,EAAmB,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,aAAa;IAEb,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAE1B,EAAE,CACA,0BAA0B,EAC1B,WAAW,CAAC,qBAAqB,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,mDAAmD,CAAC,MAAM,EAAE,CAAC;QAC5F,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,MAAM
,CAAC,MAAM,CAAC,CAAC,OAAO,CAC3C,8DAA8D,CAC/D,CAAC;QACF,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CACH,CAAC;IAEF,EAAE,CACA,+BAA+B,EAC/B,WAAW,CAAC,qBAAqB,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACzD,MAAM,OAAO,CAAC,EAAE,CAAA,+BAA+B,CAAC,MAAM,EAAE,CAAC;QACzD,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,CAAC,YAAY,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC,CAAC,CACH,CAAC;IAEF,EAAE,CACA,+CAA+C,EAC/C,WAAW,CAAC,qBAAqB,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,GAAG,GAAG,qBAAqB,CAAC;QAClC,SAAS,CAAC,GAAG,GAAG,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE9C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;YAC7B,UAAU,EAAE,CAAC,GAAG,CAAC;YACjB,SAAS,EAAE,CAAC,GAAG,GAAG,OAAO,CAAC;SAC3B,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE;YACZ,IAAI;YACJ;;wBAEc,GAAG;wBACH,GAAG;yBACF;SAChB,CAAC;aACD,IAAI,EAAE,CAAC;QAEV,mCAAmC;QACnC,MAAM,CAAC,UAAU,CAAC,GAAG,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC,CAAC,CACH,CAAC;IAEF,6BAA6B;IAE7B,EAAE,CAAC,2BAA2B,EAAE,KAAK,IAAI,EAAE;QACzC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE;YACZ,IAAI;YACJ,4FAA4F;SAC7F,CAAC;aACD,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,cAAc,EAAE,qBAAqB,CAAC,CAAC;aACpF,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC,aAAa,CAAC,EA
AE,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,cAAc,EAAE,qBAAqB,CAAC,CAAC;aACpF,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,KAAK,IAAI,EAAE;QACtC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE;YACZ,IAAI;YACJ,YAAY;YACZ,GAAG;YACH,IAAI;YACJ,WAAW;YACX,IAAI;YACJ,cAAc;YACd,oBAAoB;SACrB,CAAC;aACD,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,qBAAqB;IAErB,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,UAAU,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,MAAM,CAAC,OAAO,CAAC,EAAE,CAAA,UAAU,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACpF,SAAS,CACV,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAElB,EAAE,CACA,iCAAiC,EACjC,WAAW,CAAC,qBAAqB,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,MAAM,OAAO,CAAC,EAAE,CAAA,+BAA+B,CAAC,MAAM,EAAE,CAAC;QACzD,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,CAAC,YAAY,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC,CAAC"}
|
|
1
|
+
{"version":3,"file":"sandbox.test.js","sourceRoot":"","sources":["../src/sandbox.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAElD,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;AAEtC,6CAA6C;AAC7C,SAAS,WAAW,CAAC,IAAY,EAAE,EAAuB;IACxD,OAAO,KAAK,IAAI,EAAE;QAChB,MAAM,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/C,IAAI,CAAC;YACH,MAAM,EAAE,EAAE,CAAC;QACb,CAAC;gBAAS,CAAC;YACT,MAAM,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,eAAe,EAAE,GAAG,EAAE;IAC1C,iBAAiB;IAEjB,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,YAAY,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QAC1E,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,EAAE,CAAA,SAAS,CAAC,IAAI,EAAE,CAAC;YACjC,MAAM,CAAC,WAAW,CAAC,oBAAoB,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,mBAAmB,CAAC,CAAC;YAC9C,MAAM,CAAE,CAAyB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,iBAAiB;IAEjB,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,wBAAwB,CAAC,IAAI,EAAmB,CAAC;QAC9E,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,mBAAmB;IAEnB,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,SAAS,CAAC,MAAM,EAAE,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE
;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,0BAA0B,CAAC,MAAM,EAAE,CAAC;QACnE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAE1B,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,OAAO,CAAC;QACrB,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,cAAc,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC;QAC3D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,WAAW;IAEX,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,oBAAoB,CAAC,IAAI,EAAE,CAAC;QAC3D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;QAC3C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,eAAe,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAC9D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;QACjD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA;;KAE5B,CAAC,IAAI,EAAmB,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;IAEH,aAAa;IAEb,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,0BAA0B;IAE1B,EAAE,CACA,0BAA0B,EAC1B,WAAW,CAAC,qBAAqB,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,mDAAmD,CAAC,MAAM,EAAE,CAAC;QAC5F,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,MAAM
,CAAC,MAAM,CAAC,CAAC,OAAO,CAC3C,8DAA8D,CAC/D,CAAC;QACF,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CACH,CAAC;IAEF,EAAE,CACA,+BAA+B,EAC/B,WAAW,CAAC,qBAAqB,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACzD,MAAM,OAAO,CAAC,EAAE,CAAA,+BAA+B,CAAC,MAAM,EAAE,CAAC;QACzD,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,CAAC,YAAY,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC,CAAC,CACH,CAAC;IAEF,EAAE,CACA,+CAA+C,EAC/C,WAAW,CAAC,qBAAqB,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,GAAG,GAAG,qBAAqB,CAAC;QAClC,SAAS,CAAC,GAAG,GAAG,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE9C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;YAC7B,UAAU,EAAE,CAAC,GAAG,CAAC;YACjB,SAAS,EAAE,CAAC,GAAG,GAAG,OAAO,CAAC;SAC3B,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE;YACZ,IAAI;YACJ;;wBAEc,GAAG;wBACH,GAAG;yBACF;SAChB,CAAC;aACD,IAAI,EAAE,CAAC;QAEV,mCAAmC;QACnC,MAAM,CAAC,UAAU,CAAC,GAAG,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC,CAAC,CACH,CAAC;IAEF,6BAA6B;IAE7B,EAAE,CAAC,2BAA2B,EAAE,KAAK,IAAI,EAAE;QACzC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE;YACZ,IAAI;YACJ,4FAA4F;SAC7F,CAAC;aACD,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,cAAc,EAAE,qBAAqB,CAAC,CAAC;aACpF,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC,aAAa,CAAC,EA
AE,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,cAAc,EAAE,qBAAqB,CAAC,CAAC;aACpF,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,KAAK,IAAI,EAAE;QACtC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE;YACZ,IAAI;YACJ,YAAY;YACZ,GAAG;YACH,IAAI;YACJ,WAAW;YACX,IAAI;YACJ,cAAc;YACd,oBAAoB;SACrB,CAAC;aACD,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,qBAAqB;IAErB,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,UAAU,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,MAAM,CAAC,OAAO,CAAC,EAAE,CAAA,UAAU,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACpF,SAAS,CACV,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAElB,EAAE,CACA,iCAAiC,EACjC,WAAW,CAAC,qBAAqB,EAAE,KAAK,IAAI,EAAE;QAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,MAAM,OAAO,CAAC,EAAE,CAAA,+BAA+B,CAAC,MAAM,EAAE,CAAC;QACzD,MAAM,CAAC,UAAU,CAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,CAAC,YAAY,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC,CAAC,CACH,CAAC;IAEF,iBAAiB;IAEjB,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,2BAA2B,CAAC,IAAI,EAAE,CAAC;QAClE,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2BAA2B,EAAE,KAAK,IAAI,EAAE;QACzC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,YAAY,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,OAAO,GAA
G,OAAO,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QAC7D,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,cAAc,CAAC,IAAI,EAAE,CAAC;QACrD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,YAAY,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,KAAK,CAAC,IAAI,EAAE,CAAC;QAC5C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;QAC/C,MAAM,CAAC,KAAK,CAAC,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,KAAK,CAAC,IAAI,EAAE,CAAC;QAC5C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5D,uEAAuE;QACvE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE;QACpC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,mBAAmB,CAAC,IAAI,EAAE,CAAC;QAC1D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC;QAC/E,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA
,WAAW,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;QAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,YAAY,CAAC,IAAI,EAAE,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,gBAAgB;IAEhB,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;YAC7B,OAAO,EAAE;gBACP,OAAO,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC,aAAa,CAAC,EAAE;aAC1D;SACF,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,eAAe,CAAC,IAAI,EAAE,CAAC;QACtD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,+BAA+B,CAAC,CAAC;QAC/D,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;YAC7B,OAAO,EAAE;gBACP,KAAK,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,aAAa,CAAC,EAAE;aAC9C;SACF,CAAC,CAAC;QACH,2EAA2E;QAC3E,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,cAAc,EAAE,yBAAyB,CAAC,CAAC;aACzF,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;YAC7B,OAAO,EAAE;gBACP,SAAS,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,aAAa,CAAC,EAAE;aAC3D;SACF,CAAC,CAAC;QACH,MAAM,MAAM,GACV,MAAM,OAAO,CAAC,EAAE,CAAA,8DAA8D,CAAC,IAAI,EAE/E,CAAC;QACP,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;YAC7B,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE;gBACP,SAAS,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,WAAW,CAAC,EAAE;aACzD;SACF,CAAC,CAAC;QACH,MAAM,MAAM,GACV,MAAM,OAAO,CAAC,EAAE,CAAA,8DAA8D,CAAC,IAAI,EAE/E,CAAC;QACP,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ
,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;YAC7B,OAAO,EAAE;gBACP,QAAQ,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,aAAa,CAAC,EAAE;gBACtD,QAAQ,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,WAAW,CAAC,EAAE;aACrD;YACD,QAAQ,EAAE,IAAI;SACf,CAAC,CAAC;QACH,MAAM,MAAM,GACV,MAAM,OAAO,CAAC,EAAE,CAAA,8EAA8E,CAAC,IAAI,EAE/F,CAAC;QACP,wEAAwE;QACxE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;YAC7B,OAAO,EAAE;gBACP,KAAK,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,aAAa,CAAC,EAAE;aAC9C;SACF,CAAC,CAAC;QACH,4EAA4E;QAC5E,MAAM,MAAM,GAAG,MAAM,OAAO;aACzB,IAAI,CAAC,MAAM,EAAE;YACZ,KAAK;YACL,YAAY;YACZ,GAAG;YACH,IAAI;YACJ,WAAW;YACX,IAAI;YACJ,cAAc;YACd,qBAAqB;SACtB,CAAC;aACD,MAAM,EAAE,CAAC;QACZ,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;YAC7B,GAAG,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE;YAC1B,OAAO,EAAE;gBACP,SAAS,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,aAAa,CAAC,EAAE;aAC3D;SACF,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,cAAc,CAAC,IAAI,EAAE,CAAC;QACrD,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACtC,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,EAAE,CAAA,iBAAiB,CAAC,IAAI,EAAE,CAAC;QAC3D,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
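--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -18,6 +18,24 @@ export interface SandboxOptions {
 cwd?: string;
 /** Disable the sandbox entirely. */
 noSandbox?: boolean;
+/** Explicit environment variables for the sandbox. */
+env?: Record<string, string>;
+/** Inherit parent env vars. true = all (default), string[] = only listed keys. */
+allowEnv?: boolean | string[];
+/** Drop these parent env vars. Takes precedence over allowEnv. */
+denyEnv?: string[];
+/**
+* Secrets with host-scoped network access. Each key becomes an env var
+* in the sandbox. The hosts are merged into network permissions.
+*/
+secrets?: Record<string, SecretConfig>;
+}
+/** Configuration for a secret passed to the sandbox. */
+export interface SecretConfig {
+/** The secret value (e.g., an API key). */
+value: string;
+/** Domains where this secret is needed. Merged into allowNet. */
+hosts: string[];
 }
 /** Raw output from a sandboxed command. */
 export interface CommandOutput {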
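Review bot: The doc comment on `allowEnv` says `true = all (default)`, which reads as if omitting the option inherits the whole parent environment, while this release's README describes environment variables as blocked by default with only essentials (PATH, HOME, etc.) inherited. If the README is the intended behaviour, the comment should separate the two cases, for example `/** Inherit parent env vars. true = all, string[] = only listed keys. When omitted, only essential vars (PATH, HOME, etc.) are inherited. */`; this would need confirming against `flags.js`. The `secrets` comment says each key becomes an env var in the sandbox but not whether that variable holds the real value or a stand-in. Since the README states secrets are not exposed to the sandboxed process, the comment on `SecretConfig.value` should say which it is. It would also help to document whether `denyEnv` applies to keys supplied through `env` or `secrets`, or only to inherited ones. `SandboxOptions` begins outside this hunk.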
package/dist/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,uEAAuE;IACvE,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,oEAAoE;IACpE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,sEAAsE;IACtE,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,OAAO,GAAG,MAAM,EAAE,CAAC;IAC9B,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,0CAA0C;IAC1C,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,oCAAoC;IACpC,SAAS,CAAC,EAAE,OAAO,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,uEAAuE;IACvE,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,oEAAoE;IACpE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,sEAAsE;IACtE,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,OAAO,GAAG,MAAM,EAAE,CAAC;IAC9B,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,0CAA0C;IAC1C,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,oCAAoC;IACpC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,sDAAsD;IACtD,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,kFAAkF;IAClF,QAAQ,CAAC,EAAE,OAAO,GAAG,MAAM,EAAE,CAAC;IAC9B,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;CACxC;AAED,wDAAwD;AACxD,MAAM,WAAW,YAAY;IAC3B,2CAA2C;IAC3C,KAAK,EAAE,MAAM,CAAC;IACd,iEAAiE;IACjE,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,aAAa;IAC5B,gCAAgC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,iCAAiC;IACjC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qCAAqC;AACrC,MAAM,WAAW,cAAc;IAC7B,qCAAqC;IACrC,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "zerobox",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.6",
|
|
4
4
|
"description": "Run any command in a sandbox with file and network restrictions.",
|
|
5
5
|
"license": "Apache-2.0",
|
|
6
6
|
"repository": {
|
|
@@ -32,12 +32,12 @@
|
|
|
32
32
|
"dist/"
|
|
33
33
|
],
|
|
34
34
|
"optionalDependencies": {
|
|
35
|
-
"@zerobox/cli-darwin-arm64": "0.1.
|
|
36
|
-
"@zerobox/cli-
|
|
37
|
-
"@zerobox/cli-linux-arm64
|
|
38
|
-
"@zerobox/cli-linux-x64": "0.1.
|
|
39
|
-
"@zerobox/cli-
|
|
40
|
-
"@zerobox/cli-linux-x64-musl": "0.1.
|
|
35
|
+
"@zerobox/cli-darwin-arm64": "0.1.6",
|
|
36
|
+
"@zerobox/cli-darwin-x64": "0.1.6",
|
|
37
|
+
"@zerobox/cli-linux-arm64": "0.1.6",
|
|
38
|
+
"@zerobox/cli-linux-x64": "0.1.6",
|
|
39
|
+
"@zerobox/cli-linux-arm64-musl": "0.1.6",
|
|
40
|
+
"@zerobox/cli-linux-x64-musl": "0.1.6"
|
|
41
41
|
},
|
|
42
42
|
"devDependencies": {
|
|
43
43
|
"@types/node": "^22.0.0",
|