sandboxTypes.ts
/**
* Sandbox types for the Claude Code Agent SDK
*
* This file is the single source of truth for sandbox configuration types.
* Both the SDK and the settings validation import from here.
*/
import { z } from 'zod/v4'
import { lazySchema } from '../utils/lazySchema.js'
/**
 * Network section of the sandbox configuration.
 *
 * Every field is optional, and the whole object may be omitted. This schema
 * checks shape only: domains and socket paths are accepted as arbitrary
 * strings, and the proxy ports as arbitrary numbers.
 */
export const SandboxNetworkConfigSchema = lazySchema(() => {
  // Each call builds a fresh schema instance, like the inline chains it replaces.
  const optionalFlag = () => z.boolean().optional()
  const optionalStrings = () => z.array(z.string()).optional()
  const optionalNumber = () => z.number().optional()

  const shape = {
    // No description is attached. Entries are unvalidated strings at this layer.
    // NOTE(review): confirm where domain format / wildcard handling is enforced.
    allowedDomains: optionalStrings(),
    // Lets managed settings pin the domain allowlist. Per the description, it
    // only has this effect when it is itself set in managed settings.
    allowManagedDomainsOnly: optionalFlag().describe(
      [
        'When true (and set in managed settings), only allowedDomains and WebFetch(domain:...) allow rules from managed settings are respected. ',
        'User, project, local, and flag settings domains are ignored. Denied domains are still respected from all sources.',
      ].join(''),
    ),
    // Per-path allowlist. Per the description it is ignored on Linux, so it
    // grants nothing there.
    allowUnixSockets: optionalStrings().describe(
      'macOS only: Unix socket paths to allow. Ignored on Linux (seccomp cannot filter by path).',
    ),
    // All-or-nothing switch: per the description it disables Unix-socket
    // blocking on both platforms. Where a path list is honoured, the narrower
    // allowUnixSockets is the least-privilege option.
    allowAllUnixSockets: optionalFlag().describe(
      'If true, allow all Unix sockets (disables blocking on both platforms).',
    ),
    // Undocumented here. NOTE(review): presumably permits binding local ports
    // from inside the sandbox; confirm and add a description.
    allowLocalBinding: optionalFlag(),
    // NOTE(review): z.number() also accepts non-integers and values outside
    // 1..65535. Confirm a consumer range-checks these ports, or tighten here.
    httpProxyPort: optionalNumber(),
    socksProxyPort: optionalNumber(),
  }

  return z.object(shape).optional()
})
/**
 * Filesystem section of the sandbox configuration.
 *
 * Every field is optional, and the whole object may be omitted. Paths are
 * accepted as plain strings; this schema does not normalise or resolve them.
 * NOTE(review): confirm how relative paths and symlinks are resolved where
 * these lists are enforced.
 */
export const SandboxFilesystemConfigSchema = lazySchema(() => {
  // Each call builds a fresh schema instance, like the inline chains it replaces.
  const optionalPaths = () => z.array(z.string()).optional()

  const shape = {
    // Widens write access. Combined with Edit(...) allow rules per the description.
    allowWrite: optionalPaths().describe(
      [
        'Additional paths to allow writing within the sandbox. ',
        'Merged with paths from Edit(...) allow permission rules.',
      ].join(''),
    ),
    // Narrows write access. Combined with Edit(...) deny rules per the description.
    denyWrite: optionalPaths().describe(
      [
        'Additional paths to deny writing within the sandbox. ',
        'Merged with paths from Edit(...) deny permission rules.',
      ].join(''),
    ),
    // Narrows read access. Combined with Read(...) deny rules per the description.
    denyRead: optionalPaths().describe(
      [
        'Additional paths to deny reading within the sandbox. ',
        'Merged with paths from Read(...) deny permission rules.',
      ].join(''),
    ),
    // Carve-outs inside denyRead regions. Per the description an allowRead
    // match wins over denyRead, so an overly broad entry here can undo a deny.
    allowRead: optionalPaths().describe(
      [
        'Paths to re-allow reading within denyRead regions. ',
        'Takes precedence over denyRead for matching paths.',
      ].join(''),
    ),
    // Restricts the allowRead carve-outs to those from policySettings. The
    // description ties this to being set in managed settings.
    allowManagedReadPathsOnly: z
      .boolean()
      .optional()
      .describe(
        'When true (set in managed settings), only allowRead paths from policySettings are used.',
      ),
  }

  return z.object(shape).optional()
})
/**
 * Top-level sandbox settings.
 *
 * Every declared field is optional. The object is validated with
 * `.passthrough()`, so keys not declared below are kept rather than rejected.
 * A misspelled security setting therefore passes validation and is simply
 * never read under its intended name.
 */
export const SandboxSettingsSchema = lazySchema(() => {
  // Each call builds a fresh schema instance, like the inline chains it replaces.
  const optionalFlag = () => z.boolean().optional()
  const optionalStrings = () => z.array(z.string()).optional()

  const shape = {
    enabled: optionalFlag(),
    // Fail-closed switch. Per the description the default (false) is fail-open:
    // if the sandbox cannot start, a warning is shown and commands run
    // unsandboxed.
    failIfUnavailable: optionalFlag().describe(
      [
        'Exit with an error at startup if sandbox.enabled is true but the sandbox cannot start ',
        '(missing dependencies, unsupported platform, or platform not in enabledPlatforms). ',
        'When false (default), a warning is shown and commands run unsandboxed. ',
        'Intended for managed-settings deployments that require sandboxing as a hard gate.',
      ].join(''),
    ),
    // enabledPlatforms is deliberately not declared here: it is an undocumented
    // setting that reaches consumers through .passthrough(). It limits
    // sandboxing to the listed platforms (e.g., ["macos"]).
    //
    // It was added to unblock the NVIDIA enterprise rollout, which wanted
    // autoAllowBashIfSandboxed on macOS only at first, because Linux/WSL
    // sandbox support is newer and less battle-tested. Setting
    // enabledPlatforms: ["macos"] disables the sandbox (and auto-allow) on
    // other platforms until they are ready to expand.
    //
    // No description is attached to this flag. NOTE(review): confirm how it
    // behaves when the sandbox is unavailable and failIfUnavailable is false.
    autoAllowBashIfSandboxed: optionalFlag(),
    // Escape hatch. Per the description the default is true, i.e. the
    // dangerouslyDisableSandbox parameter is honoured unless this is set false.
    allowUnsandboxedCommands: optionalFlag().describe(
      [
        'Allow commands to run outside the sandbox via the dangerouslyDisableSandbox parameter. ',
        'When false, the dangerouslyDisableSandbox parameter is completely ignored and all commands must run sandboxed. ',
        'Default: true.',
      ].join(''),
    ),
    network: SandboxNetworkConfigSchema(),
    filesystem: SandboxFilesystemConfigSchema(),
    // Map from string keys to string lists. The meaning of keys and values is
    // not visible in this file. NOTE(review): document which violations can
    // be suppressed this way.
    ignoreViolations: z.record(z.string(), z.array(z.string())).optional(),
    // No description is attached. NOTE(review): the name implies reduced
    // isolation; document the trade-off as enableWeakerNetworkIsolation does.
    enableWeakerNestedSandbox: optionalFlag(),
    // Explicit security trade-off, spelled out in the description. Default false.
    enableWeakerNetworkIsolation: optionalFlag().describe(
      [
        'macOS only: Allow access to com.apple.trustd.agent in the sandbox. ',
        'Needed for Go-based CLI tools (gh, gcloud, terraform, etc.) to verify TLS certificates ',
        'when using httpProxyPort with a MITM proxy and custom CA. ',
        '**Reduces security** — opens a potential data exfiltration vector through the trustd service. Default: false',
      ].join(''),
    ),
    // No description is attached. NOTE(review): presumably commands exempted
    // from sandboxing; confirm how entries are matched.
    excludedCommands: optionalStrings(),
    // The command and its arguments are taken from settings as plain strings.
    // NOTE(review): confirm which settings scopes may supply this override,
    // since it names an executable to run.
    ripgrep: z
      .object({
        command: z.string(),
        args: optionalStrings(),
      })
      .optional()
      .describe('Custom ripgrep configuration for bundled ripgrep support'),
  }

  // Unknown keys are kept, not rejected (see enabledPlatforms above).
  return z.object(shape).passthrough()
})
// Inferred types from schemas
//
// These are derived from the schemas above, so the static types follow any
// schema change. SandboxSettingsSchema uses .passthrough(), so a parsed value
// can carry keys beyond the declared ones at runtime.
export type SandboxSettings = z.infer<ReturnType<typeof SandboxSettingsSchema>>
// The network and filesystem schemas end in .optional(); NonNullable removes
// the resulting `undefined` so these name the object shape itself.
export type SandboxNetworkConfig = NonNullable<
  z.infer<ReturnType<typeof SandboxNetworkConfigSchema>>
>
export type SandboxFilesystemConfig = NonNullable<
  z.infer<ReturnType<typeof SandboxFilesystemConfigSchema>>
>
// Type of the ignoreViolations record once it is known to be present.
export type SandboxIgnoreViolations = NonNullable<
  SandboxSettings['ignoreViolations']
>