MCPcopy Index your code
hub / github.com/ChinaSiro/claude-code-sourcemap / mS_

Function mS_

package/cli.js:777–777  ·  view source on GitHub ↗
(q,K,_)

Source from the content-addressed store, hash-verified

775\r
776`)}),z.on("error",(H)=>{O7(`Client socket error: ${H.message}`,{level:"error"}),j.destroy()}),z.on("end",()=>j.end()),j.on("end",()=>z.end())}}catch(Y){O7(`Error handling CONNECT: ${Y}`,{level:"error"}),z.end(`HTTP/1.1 500 Internal Server Error\r
777\r
778`)}}),K.on("request",async(_,z)=>{try{let Y=new fS_(_.url),$=Y.hostname,A=Y.port?parseInt(Y.port,10):Y.protocol==="https:"?443:80;if(!await q.filter(A,$,_.socket)){O7(`HTTP request blocked to ${$}:${A}`,{level:"error"}),z.writeHead(403,{"Content-Type":"text/plain","X-Proxy-Error":"blocked-by-allowlist"}),z.end("Connection blocked by network allowlist");return}let w=q.getMitmSocketPath?.($);if(w){O7(`Routing HTTP ${_.method} ${$}:${A} through MITM proxy at ${w}`);let j=new PS_({socketPath:w}),H=vK4({agent:j,path:_.url,method:_.method,headers:{..._.headers,host:Y.host}},(J)=>{z.writeHead(J.statusCode,J.headers),J.pipe(z)});H.on("error",(J)=>{if(O7(`MITM proxy request failed: ${J.message}`,{level:"error"}),!z.headersSent)z.writeHead(502,{"Content-Type":"text/plain"}),z.end("Bad Gateway")}),_.pipe(H)}else{let H=(Y.protocol==="https:"?DS_:vK4)({hostname:$,port:A,path:Y.pathname+Y.search,method:_.method,headers:{..._.headers,host:Y.host}},(J)=>{z.writeHead(J.statusCode,J.headers),J.pipe(z)});H.on("error",(J)=>{if(O7(`Proxy request failed: ${J.message}`,{level:"error"}),!z.headersSent)z.writeHead(502,{"Content-Type":"text/plain"}),z.end("Bad Gateway")}),_.pipe(H)}}catch(Y){O7(`Error handling HTTP request: ${Y}`,{level:"error"}),z.writeHead(500,{"Content-Type":"text/plain"}),z.end("Internal Server Error")}}),K}var NK4=()=>{};var CK4=m((MgA,SK4)=>{var{create:ZS_,defineProperty:cG8,getOwnPropertyDescriptor:GS_,getOwnPropertyNames:TS_,getPrototypeOf:vS_}=Object,kS_=Object.prototype.hasOwnProperty,VS_=(q,K)=>{for(var _ in K)cG8(q,_,{get:K[_],enumerable:!0})},yK4=(q,K,_,z)=>{if(K&&typeof K==="object"||typeof K==="function"){for(let Y of TS_(K))if(!kS_.call(q,Y)&&Y!==_)cG8(q,Y,{get:()=>K[Y],enumerable:!(z=GS_(K,Y))||z.enumerable})}return q},EK4=(q,K,_)=>(_=q!=null?ZS_(vS_(q)):{},yK4(K||!q||!q.__esModule?cG8(_,"default",{value:q,enumerable:!0}):_,q)),NS_=(q)=>yK4(cG8({},"__esModule",{value:!0}),q),LK4={};VS_(LK4,{Socks5Server:()=>hK4,createServer:()=>RS_,defaultConnectionHandler:()=>Sh1});SK4.exports=NS_(LK4);var yS_=EK4(U6("net")),RK4=((q)=>{return q[q.connect=1]="connect",q[q.bind=2]="bind",q[q.udp=3]="udp",q})(RK4||{}),hh1=((q)=>{return q[q.REQUEST_GRANTED=0]="REQUEST_GRANTED",q[q.GENERAL_FAILURE=1]="GENERAL_FAILURE",q[q.CONNECTION_NOT_ALLOWED=2]="CONNECTION_NOT_ALLOWED",q[q.NETWORK_UNREACHABLE=3]="NETWORK_UNREACHABLE",q[q.HOST_UNREACHABLE=4]="HOST_UNREACHABLE",q[q.CONNECTION_REFUSED=5]="CONNECTION_REFUSED",q[q.TTL_EXPIRED=6]="TTL_EXPIRED",q[q.COMMAND_NOT_SUPPORTED=7]="COMMAND_NOT_SUPPORTED",q[q.ADDRESS_TYPE_NOT_SUPPORTED=8]="ADDRESS_TYPE_NOT_SUPPORTED",q})(hh1||{}),ES_=class{constructor(q,K){this.errorHandler=()=>{},this.metadata={},this.socket=K,this.server=q,K.on("error",this.errorHandler),K.pause(),this.handleGreeting()}readBytes(q){return new Promise((K)=>{let _=Buffer.allocUnsafe(q),z=0,Y=($)=>{let A=Math.min($.length,q-z);if($.copy(_,z,0,A),z+=A,z<q)return;this.socket.removeListener("data",Y),this.socket.push($.subarray(A)),K(_),this.socket.pause()};this.socket.on("data",Y),this.socket.resume()})}async handleGreeting(){if((await this.readBytes(1)).readUInt8()!==5)return this.socket.destroy();let K=(await this.readBytes(1)).readUInt8();if(K>128||K===0)return this.socket.destroy();let _=await this.readBytes(K),z=this.server.authHandler?2:0;if(!_.includes(z))return this.socket.write(Buffer.from([5,255])),this.socket.destroy();if(this.socket.write(Buffer.from([5,z])),this.server.authHandler)this.handleUserPassword();else this.handleConnectionRequest()}async handleUserPassword(){await this.readBytes(1);let q=(await this.readBytes(1)).readUint8(),K=(await this.readBytes(q)).toString(),_=(await this.readBytes(1)).readUint8(),z=(await this.readBytes(_)).toString();this.username=K,this.password=z;let Y=!1,$=()=>{if(Y)return;Y=!0,this.socket.write(Buffer.from([1,0])),this.handleConnectionRequest()},A=()=>{if(Y)return;Y=!0,this.socket.write(Buffer.from([1,1])),this.socket.destroy()},O=await this.server.authHandler(this,$,A);if(O===!0)$();else if(O===!1)A()}async handleConnectionRequest(){await this.readBytes(1);let q=(await this.readBytes(1))[0],K=RK4[q];if(!K)return this.socket.destroy();this.command=K,await this.readBytes(1);let _=(await this.readBytes(1)).readUInt8(),z="";switch(_){case 1:z=(await this.readBytes(4)).join(".");break;case 3:let j=(await this.readBytes(1)).readUInt8();z=(await this.readBytes(j)).toString();break;case 4:let H=await this.readBytes(16);for(let J=0;J<16;J++){if(J%2===0&&J>0)z+=":";z+=`${H[J]<16?"0":""}${H[J].toString(16)}`}break;default:this.socket.destroy();return}let Y=(await this.readBytes(2)).readUInt16BE();if(!this.server.supportedCommands.has(K))return this.socket.write(Buffer.from([5,7])),this.socket.destroy();this.destAddress=z,this.destPort=Y;let $=!1,A=()=>{if($)return;$=!0,this.connect()};if(!this.server.rulesetValidator)return A();let O=()=>{if($)return;$=!0,this.socket.write(Buffer.from([5,2,0,1,0,0,0,0,0,0])),this.socket.destroy()},w=await this.server.rulesetValidator(this,A,O);if(w===!0)A();else if(w===!1)O()}connect(){this.socket.removeListener("error",this.errorHandler),this.server.connectionHandler(this,(q)=>{if(hh1[q]===void 0)throw Error(`"${q}" is not a valid status.`);if(this.socket.write(Buffer.from([5,hh1[q],0,1,0,0,0,0,0,0])),q!=="REQUEST_GRANTED")this.socket.destroy()}),this.socket.resume()}},LS_=EK4(U6("net"));function Sh1(q,K){if(q.command!=="connect")return K("COMMAND_NOT_SUPPORTED");q.socket.on("error",()=>{});let _=LS_.default.createConnection({host:q.destAddress,port:q.destPort});_.setNoDelay();let z=!1;return _.on("error",(Y)=>{if(!z)switch(Y.code){case"EINVAL":case"ENOENT":case"ENOTFOUND":case"ETIMEDOUT":case"EADDRNOTAVAIL":case"EHOSTUNREACH":K("HOST_UNREACHABLE");break;case"ENETUNREACH":K("NETWORK_UNREACHABLE");break;case"ECONNREFUSED":K("CONNECTION_REFUSED");break;default:K("GENERAL_FAILURE")}}),_.on("ready",()=>{z=!0,K("REQUEST_GRANTED"),q.socket.pipe(_).pipe(q.socket)}),q.socket.on("close",()=>_.destroy()),_}var hK4=class{constructor(){this.supportedCommands=new Set(["connect"]),this.connectionHandler=Sh1,this.server=yS_.default.createServer((q)=>{q.setNoDelay(),this._handleConnection(q)})}listen(...q){return this.server.listen(...q),this}close(q){return this.server.close(q),this}setAuthHandler(q){return this.authHandler=q,this}disableAuthHandler(){return this.authHandler=void 0,this}setRulesetValidator(q){return this.rulesetValidator=q,this}disableRulesetValidator(){return this.rulesetValidator=void 0,this}setConnectionHandler(q){return this.connectionHandler=q,this}useDefaultConnectionHandler(){return this.connectionHandler=Sh1,this}_handleConnection(q){return new ES_(this,q),this}};function RS_(q){let K=new hK4;if(q?.auth)K.setAuthHandler((_)=>{return _.username===q.auth.username&&_.password===q.auth.password});if(q?.port)K.listen(q.port,q.hostname);return K}});function xK4(q){let K=bK4.createServer();return K.setRulesetValidator(async(_)=>{try{let{destAddress:z,destPort:Y}=_;if(O7(`Connection request to ${z}:${Y}`),!await q.filter(Y,z))return O7(`Connection blocked to ${z}:${Y}`,{level:"error"}),!1;return O7(`Connection allowed to ${z}:${Y}`),!0}catch(z){return O7(`Error validating connection: ${z}`,{level:"error"}),!1}}),{server:K,getPort(){try{let _=K?.server;if(_&&typeof _?.address==="function"){let z=_.address();if(z&&typeof z==="object"&&"port"in z)return z.port}}catch(_){O7(`Error getting port: ${_}`,{level:"error"})}return},listen(_,z){return new Promise((Y,$)=>{let A=()=>{let O=this.getPort();if(O)O7(`SOCKS proxy listening on ${z}:${O}`),Y(O);else $(Error("Failed to get SOCKS proxy server port"))};K.listen(_,z,A)})},async close(){return new Promise((_,z)=>{K.close((Y)=>{if(Y){let $=Y.message?.toLowerCase()||"";if(!($.includes("not running")||$.includes("already closed")||$.includes("not listening"))){z(Y);return}}_()})})},unref(){try{let _=K?.server;if(_&&typeof _?.unref==="function")_.unref()}catch(_){O7(`Error calling unref: ${_}`,{level:"error"})}}}}var bK4;var IK4=y(()=>{bK4=O6(CK4(),1)});import{spawnSync as hS_}from"node:child_process";function ai(q){if(typeof globalThis.Bun<"u")return globalThis.Bun.which(q);let K=hS_("which",[q],{encoding:"utf8",stdio:["ignore","pipe","ignore"],timeout:1000});if(K.status===0&&K.stdout)return K.stdout.trim();return null}var Vn6=()=>{};import*as uK4 from"fs";function Ch1(){if(process.platform!=="linux")return;try{let q=uK4.readFileSync("/proc/version",{encoding:"utf8"}),K=q.match(/WSL(\d+)/i);if(K&&K[1])return K[1];if(q.toLowerCase().includes("microsoft"))return"1";return}catch{return}}function ZG(){switch(process.platform){case"darwin":return"macos";case"linux":return"linux";case"win32":return"windows";default:return"unknown"}}var lG8=()=>{};var pK4=m((TgA,mK4)=>{mK4.exports=function(K){return K.map(function(_){if(_==="")return"''";if(_&&typeof _==="object")return _.op.replace(/(.)/g,"\\$1");if(/["\s\\]/.test(_)&&!/'/.test(_))return"'"+_.replace(/(['])/g,"\\$1")+"'";if(/["'\s]/.test(_))return'"'+_.replace(/(["\\$`!])/g,"\\$1")+'"';return String(_).replace(/([A-Za-z]:)?([#!"$&'()*,:;<=>?@[\\\]^`{|}])/g,"$1\\$2")}).join(" ")}});var cK4=m((vgA,dK4)=>{var QK4="(?:"+["\\|\\|","\\&\\&",";;","\\|\\&","\\<\\(","\\<\\<\\<",">>",">\\&","<\\&","[&;()|<>]"].join("|")+")",BK4=new RegExp("^"+QK4+"$"),gK4="|&;()<> \\t",SS_='"((\\\\"|[^"])*?)"',CS_="'((\\\\'|[^'])*?)'",bS_=/^#$/,FK4="'",UK4='"',bh1="$",pA6="",xS_=4294967296;for(nG8=0;nG8<4;nG8++)pA6+=(xS_*Math.random()).toString(16);var nG8,IS_=new RegExp("^"+pA6);function uS_(q,K){var _=K.lastIndex,z=[],Y;while(Y=K.exec(q))if(z.push(Y),K.lastIndex===Y.index)K.lastIndex+=1;return K.lastIndex=_,z}function mS_(q,K,_){var z=typeof q==="function"?q(_):q[_];if(typeof z>"u"&&_!="")z="";else if(typeof z>"u")z="$";if(typeof z==="object")return K+pA6+JSON.stringify(z)+pA6;return K+z}function pS_(q,K,_){if(!_)_={};var z=_.escape||"\\",Y="(\\"+z+`['"`+gK4+`]|[^\\s'"`+gK4+"])+",$=new RegExp(["("+QK4+")","("+Y+"|"+SS_+"|"+CS_+")+"].join("|"),"g"),A=uS_(q,$);if(A.length===0)return[];if(!K)K={};var O=!1;return A.map(function(w){var j=w[0];if(!j||O)return;if(BK4.test(j))return{op:j};var H=!1,J=!1,M="",X=!1,P;function W(){P+=1;var G,Z,T=j.charAt(P);if(T==="{"){if(P+=1,j.charAt(P)==="}")throw Error("Bad substitution: "+j.slice(P-2,P+1));if(G=j.indexOf("}",P),G<0)throw Error("Bad substitution: "+j.slice(P));Z=j.slice(P,G),P=G}else if(/[*@#?$!_-]/.test(T))Z=T,P+=1;else{var v=j.slice(P);if(G=v.match(/[^\w\d_]/),!G)Z=v,P=j.length;else Z=v.slice(0,G.index),P+=G.index-1}return mS_(K,"",Z)}for(P=0;P<j.length;P++){var D=j.charAt(P);if(X=X||!H&&(D==="*"||D==="?"),J)M+=D,J=!1;else if(H)if(D===H)H=!1;else if(H==FK4)M+=D;else if(D===z)if(P+=1,D=j.charAt(P),D===UK4||D===z||D===bh1)M+=D;else M+=z+D;else if(D===bh1)M+=W();else M+=D;else if(D===UK4||D===FK4)H=D;else if(BK4.test(D))return{op:j};else if(bS_.test(D)){O=!0;var f={comment:q.slice(w.index+P+1)};if(M.length)return[M,f];return[f]}else if(D===z)J=!0;else if(D===bh1)M+=W();else M+=D}if(X)return{op:"glob",pattern:M};return M}).reduce(function(w,j){return typeof j>"u"?w:w.concat(j)},[])}dK4.exports=function(K,_,z){var Y=pS_(K,_,z);if(typeof _!=="function")return Y;return Y.reduce(function($,A){if(typeof A==="object")return $.concat(A);var O=A.split(RegExp("("+pA6+".*?"+pA6+")","g"));if(O.length===1)return $.concat(O[0]);return $.concat(O.filter(Boolean).map(function(w){if(IS_.test(w))return JSON.parse(w.split(pA6)[1]);return w}))},[])}});var iG8=m((BS_)=>{BS_.quote=pK4();BS_.parse=cK4()});import{spawn as US_}from"child_process";import{text as lK4}from"node:stream/consumers";async function nK4(q,K,_,z={command:"rg"}){let{command:Y,args:$=[],argv0:A}=z,O=US_(Y,[...$,...q,K],{argv0:A,signal:_,timeout:1e4,windowsHide:!0}),[w,j,H]=await Promise.all([lK4(O.stdout),lK4(O.stderr),new Promise((J,M)=>{O.on("close",J),O.on("error",M)})]);if(H===0)return w.trim().split(`
779`).filter(Boolean);if(H===1)return[];throw Error(`ripgrep failed with exit code ${H}: ${j}`)}var iK4=y(()=>{Vn6()});import{homedir as xh1}from"os";import*as Lv from"path";import*as BA6 from"fs";function oG8(){return[...QS_.filter((q)=>q!==".git"),".claude/commands",".claude/agents"]}function Ih1(q){return q.toLowerCase()}function GG(q){return q.includes("*")||q.includes("?")||q.includes("[")||q.includes("]")}function si(q){return q.replace(/\/\*\*$/,"")||"/"}function rG8(q,K){let _=Lv.normalize(q),z=Lv.normalize(K);if(z===_)return!1;if(_.startsWith("/tmp/")&&z==="/private"+_)return!1;if(_.startsWith("/var/")&&z==="/private"+_)return!1;if(_.startsWith("/private/tmp/")&&z===_)return!1;if(_.startsWith("/private/var/")&&z===_)return!1;if(z==="/")return!0;if(z.split("/").filter(Boolean).length<=1)return!0;if(_.startsWith(z+"/"))return!0;let $=_;if(_.startsWith("/tmp/"))$="/private"+_;else if(_.startsWith("/var/"))$="/private"+_;if($!==_&&$.startsWith(z+"/"))return!0;let A=z.startsWith(_+"/"),O=$!==_&&z.startsWith($+"/");if(z!==_&&!($!==_&&z===$)&&!A&&!O)return!0;return!1}function oV(q){let K=process.cwd(),_=q;if(q==="~")_=xh1();else if(q.startsWith("~/"))_=xh1()+q.slice(1);else if(q.startsWith("./")||q.startsWith("../"))_=Lv.resolve(K,q);else if(!Lv.isAbsolute(q))_=Lv.resolve(K,q);if(GG(_)){let z=_.split(/[*?[\]]/)[0];if(z&&z!=="/"){let Y=z.endsWith("/")?z.slice(0,-1):Lv.dirname(z);try{let $=BA6.realpathSync(Y);if(!rG8(Y,$)){let A=_.slice(Y.length);return $+A}}catch{}}return _}try{let z=BA6.realpathSync(_);if(rG8(_,z));else _=z}catch{}return _}function yn6(){let q=xh1();return["/dev/stdout","/dev/stderr","/dev/null","/dev/tty","/dev/dtracehelper","/dev/autofs_nowait","/tmp/claude","/private/tmp/claude",Lv.join(q,".npm/_logs"),Lv.join(q,".claude/debug")]}function aG8(q,K){let z=["SANDBOX_RUNTIME=1",`TMPDIR=${process.env.CLAUDE_TMPDIR||"/tmp/claude"}`];if(!q&&!K)return z;let Y=["localhost","127.0.0.1","::1","*.local",".local","169.254.0.0/16","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"].join(",");if(z.push(`NO_PROXY=${Y}`),z.push(`no_proxy=${Y}`),q)z.push(`HTTP_PROXY=http://localhost:${q}`),z.push(`HTTPS_PROXY=http://localhost:${q}`),z.push(`http_proxy=http://localhost:${q}`),z.push(`https_proxy=http://localhost:${q}`);if(K){z.push(`ALL_PROXY=socks5h://localhost:${K}`),z.push(`all_proxy=socks5h://localhost:${K}`);let $=ZG();if($==="macos")z.push(`GIT_SSH_COMMAND=ssh -o ProxyCommand='nc -X 5 -x localhost:${K} %h %p'`);else if($==="linux"&&q)z.push(`GIT_SSH_COMMAND=ssh -o ProxyCommand='socat - PROXY:localhost:%h:%p,proxyport=${q}'`);if(z.push(`FTP_PROXY=socks5h://localhost:${K}`),z.push(`ftp_proxy=socks5h://localhost:${K}`),z.push(`RSYNC_PROXY=localhost:${K}`),z.push(`DOCKER_HTTP_PROXY=http://localhost:${q||K}`),z.push(`DOCKER_HTTPS_PROXY=http://localhost:${q||K}`),q)z.push("CLOUDSDK_PROXY_TYPE=https"),z.push("CLOUDSDK_PROXY_ADDRESS=localhost"),z.push(`CLOUDSDK_PROXY_PORT=${q}`);z.push(`GRPC_PROXY=socks5h://localhost:${K}`),z.push(`grpc_proxy=socks5h://localhost:${K}`)}return z}function sG8(q){let K=q.slice(0,100);return Buffer.from(K).toString("base64")}function rK4(q){return Buffer.from(q,"base64").toString("utf8")}function gA6(q){return"^"+q.replace(/[.^$+{}()|\\]/g,"\\$&").replace(/\[([^\]]*?)$/g,"\\[$1").replace(/\*\*\//g,"__GLOBSTAR_SLASH__").replace(/\*\*/g,"__GLOBSTAR__").replace(/\*/g,"[^/]*").replace(/\?/g,"[^/]").replace(/__GLOBSTAR_SLASH__/g,"(.*/)?").replace(/__GLOBSTAR__/g,".*")+"$"}function En6(q){let K=oV(q),_=K.split(/[*?[\]]/)[0];if(!_||_==="/")return O7(`[Sandbox] Glob pattern too broad, skipping: ${q}`),[];let z=_.endsWith("/")?_.slice(0,-1):Lv.dirname(_);if(!BA6.existsSync(z))return O7(`[Sandbox] Base directory for glob does not exist: ${z}`),[];let Y=new RegExp(gA6(K)),$=[];try{let A=BA6.readdirSync(z,{recursive:!0,withFileTypes:!0});for(let O of A){let w=O.parentPath??O.path??z,j=Lv.join(w,O.name);if(Y.test(j))$.push(j)}}catch(A){O7(`[Sandbox] Error expanding glob pattern ${q}: ${A}`)}return $}var Nn6,QS_;var fv6=y(()=>{lG8();Nn6=[".gitconfig",".gitmodules",".bashrc",".bash_profile",".zshrc",".zprofile",".profile",".ripgreprc",".mcp.json"],QS_=[".git",".vscode",".idea"]});import{join as YC,dirname as dS_}from"node:path";import{fileURLToPath as cS_}from"node:url";import*as FA6 from"node:fs";import{execSync as lS_}from"node:child_process";import{homedir as nS_}from"node:os";function oK4(){if(ph1)return ph1;let q=[];try{let _=lS_("npm root -g",{encoding:"utf8",timeout:5000,stdio:["pipe","pipe","ignore"]}).trim();if(_)q.push(YC(_,"@anthropic-ai","sandbox-runtime"))}catch{}let K=nS_();return q.push(YC("/usr","lib","node_modules","@anthropic-ai","sandbox-runtime"),YC("/usr","local","lib","node_modules","@anthropic-ai","sandbox-runtime"),YC("/opt","homebrew","lib","node_modules","@anthropic-ai","sandbox-runtime"),YC(K,".npm","lib","node_modules","@anthropic-ai","sandbox-runtime"),YC(K,".npm-global","lib","node_modules","@anthropic-ai","sandbox-runtime")),ph1=q,q}function Bh1(){let q=process.arch;switch(q){case"x64":case"x86_64":return"x64";case"arm64":case"aarch64":return"arm64";case"ia32":case"x86":return O7("[SeccompFilter] 32-bit x86 (ia32) is not currently supported due to missing socketcall() syscall blocking. The current seccomp filter only blocks socket(AF_UNIX, ...), but on 32-bit x86, socketcall() can be used to bypass this.",{level:"error"}),null;default:return O7(`[SeccompFilter] Unsupported architecture: ${q}. Only x64 and arm64 are supported.`),null}}function aK4(q){let K=Bh1();if(!K)return[];let _=dS_(cS_(import.meta.url)),z=YC("vendor","seccomp",K,q);return[YC(_,z),YC(_,"..","..",z),YC(_,"..",z)]}function gh1(q){let K=q??"";if(uh1.has(K))return uh1.get(K);let _=iS_(q);return uh1.set(K,_),_}function iS_(q){if(q){if(FA6.existsSync(q))return O7(`[SeccompFilter] Using BPF filter from explicit path: ${q}`),q;O7(`[SeccompFilter] Explicit path provided but file not found: ${q}`)}let K=Bh1();if(!K)return O7(`[SeccompFilter] Cannot find pre-generated BPF filter: unsupported architecture ${process.arch}`),null;O7(`[SeccompFilter] Detected architecture: ${K}`);for(let _ of aK4("unix-block.bpf"))if(FA6.existsSync(_))return O7(`[SeccompFilter] Found pre-generated BPF filter: ${_} (${K})`),_;for(let _ of oK4()){let z=YC(_,"vendor","seccomp",K,"unix-block.bpf");if(FA6.existsSync(z))return O7(`[SeccompFilter] Found pre-generated BPF filter in global install: ${z} (${K})`),z}return O7(`[SeccompFilter] Pre-generated BPF filter not found in any expected location (${K})`),null}function Ln6(q){let K=q??"";if(mh1.has(K))return mh1.get(K);let _=rS_(q);return mh1.set(K,_),_}function rS_(q){if(q){if(FA6.existsSync(q))return O7(`[SeccompFilter] Using apply-seccomp binary from explicit path: ${q}`),q;O7(`[SeccompFilter] Explicit path provided but file not found: ${q}`)}let K=Bh1();if(!K)return O7(`[SeccompFilter] Cannot find apply-seccomp binary: unsupported architecture ${process.arch}`),null;O7(`[SeccompFilter] Looking for apply-seccomp binary for architecture: ${K}`);for(let _ of aK4("apply-seccomp"))if(FA6.existsSync(_))return O7(`[SeccompFilter] Found apply-seccomp binary: ${_} (${K})`),_;for(let _ of oK4()){let z=YC(_,"vendor","seccomp",K,"apply-seccomp");if(FA6.existsSync(z))return O7(`[SeccompFilter] Found apply-seccomp binary in global install: ${z} (${K})`),z}return O7(`[SeccompFilter] apply-seccomp binary not found in any expected location (${K})`),null}function sK4(q){let K=gh1(q);if(K)return O7("[SeccompFilter] Using pre-generated BPF filter"),K;return O7("[SeccompFilter] Pre-generated BPF filter not available for this architecture. Only x64 and arm64 are supported.",{level:"error"}),null}function Fh1(q){}var uh1,mh1,ph1=null;var tK4=y(()=>{uh1=new Map,mh1=new Map});import{randomBytes as oS_}from"node:crypto";import*as KO from"fs";import{spawn as eK4}from"node:child_process";import{tmpdir as Uh1}from"node:os";import ZX,{join as q54}from"node:path";function aS_(q,K){let _=q.split(ZX.sep),z="";for(let Y of _){if(!Y)continue;let $=z+ZX.sep+Y;try{if(KO.lstatSync($).isSymbolicLink()){if(K.some((w)=>$.startsWith(w+"/")||$===w))return $}}catch{break}z=$}return null}function sS_(q){let K=q.split(ZX.sep),_="";for(let z of K){if(!z)continue;let Y=_+ZX.sep+z;try{let $=KO.statSync(Y);if($.isFile()||$.isSymbolicLink())return!0}catch{break}_=Y}return!1}function tS_(q){let K=q.split(ZX.sep),_="";for(let z of K){if(!z)continue;let Y=_+ZX.sep+z;if(!KO.existsSync(Y))return Y;_=Y}return q}async function eS_(q={command:"rg"},K=ch1,_=!1,z){let Y=process.cwd(),$=new AbortController,A=z??$.signal,O=oG8(),w=[...Nn6.map((X)=>ZX.resolve(Y,X)),...O.map((X)=>ZX.resolve(Y,X))],j=ZX.resolve(Y,".git"),H=!1;try{H=KO.statSync(j).isDirectory()}catch{}if(H){if(w.push(ZX.resolve(Y,".git/hooks")),!_)w.push(ZX.resolve(Y,".git/config"))}let J=[];for(let X of Nn6)J.push("--iglob",X);for(let X of O)J.push("--iglob",`**/${X}/**`);if(J.push("--iglob","**/.git/hooks/**"),!_)J.push("--iglob","**/.git/config");let M=[];try{M=await nK4(["--files","--hidden","--max-depth",String(K),...J,"-g","!**/node_modules/**"],Y,A,q)}catch(X){O7(`[Sandbox] ripgrep scan failed: ${X}`)}for(let X of M){let P=ZX.resolve(Y,X),W=!1;for(let D of[...O,".git"]){let f=Ih1(D),G=P.split(ZX.sep),Z=G.findIndex((T)=>Ih1(T)===f);if(Z!==-1){if(D===".git"){let T=G.slice(0,Z+1).join(ZX.sep);if(X.includes(".git/hooks"))w.push(ZX.join(T,"hooks"));else if(X.includes(".git/config"))w.push(ZX.join(T,"config"))}else w.push(G.slice(0,Z+1).join(ZX.sep));W=!0;break}}if(!W)w.push(P)}return[...new Set(w)]}function dh1(){if(K54)return;process.on("exit",()=>{for(let q of Qh1)try{Fh1(q)}catch{}lh1()}),K54=!0}function lh1(){for(let q of tG8)try{let K=KO.statSync(q);if(K.isFile()&&K.size===0)KO.unlinkSync(q),O7(`[Sandbox Linux] Cleaned up bwrap mount point (file): ${q}`);else if(K.isDirectory()){if(KO.readdirSync(q).length===0)KO.rmdirSync(q),O7(`[Sandbox Linux] Cleaned up bwrap mount point (dir): ${q}`)}}catch{}tG8.clear()}function _54(q){let K=[],_=[];if(ai("bwrap")===null)K.push("bubblewrap (bwrap) not installed");if(ai("socat")===null)K.push("socat not installed");let z=gh1(q?.bpfPath)!==null,Y=Ln6(q?.applyPath)!==null;if(!z||!Y)_.push("seccomp not available - unix socket access not restricted");return{warnings:_,errors:K}}async function z54(q,K){let _=oS_(8).toString("hex"),z=q54(Uh1(),`claude-http-${_}.sock`),Y=q54(Uh1(),`claude-socks-${_}.sock`),$=[`UNIX-LISTEN:${z},fork,reuseaddr`,`TCP:localhost:${q},keepalive,keepidle=10,keepintvl=5,keepcnt=3`];O7(`Starting HTTP bridge: socat ${$.join(" ")}`);let A=eK4("socat",$,{stdio:"ignore"});if(!A.pid)throw Error("Failed to start HTTP bridge process");A.on("error",(H)=>{O7(`HTTP bridge process error: ${H}`,{level:"error"})}),A.on("exit",(H,J)=>{O7(`HTTP bridge process exited with code ${H}, signal ${J}`,{level:H===0?"info":"error"})});let O=[`UNIX-LISTEN:${Y},fork,reuseaddr`,`TCP:localhost:${K},keepalive,keepidle=10,keepintvl=5,keepcnt=3`];O7(`Starting SOCKS bridge: socat ${O.join(" ")}`);let w=eK4("socat",O,{stdio:"ignore"});if(!w.pid){if(A.pid)try{process.kill(A.pid,"SIGTERM")}catch{}throw Error("Failed to start SOCKS bridge process")}w.on("error",(H)=>{O7(`SOCKS bridge process error: ${H}`,{level:"error"})}),w.on("exit",(H,J)=>{O7(`SOCKS bridge process exited with code ${H}, signal ${J}`,{level:H===0?"info":"error"})});let j=5;for(let H=0;H<j;H++){if(!A.pid||A.killed||!w.pid||w.killed)throw Error("Linux bridge process died unexpectedly");try{if(KO.existsSync(z)&&KO.existsSync(Y)){O7(`Linux bridges ready after ${H+1} attempts`);break}}catch(J){O7(`Error checking sockets (attempt ${H+1}): ${J}`,{level:"error"})}if(H===j-1){if(A.pid)try{process.kill(A.pid,"SIGTERM")}catch{}if(w.pid)try{process.kill(w.pid,"SIGTERM")}catch{}throw Error(`Failed to create bridge sockets after ${j} attempts`)}await new Promise((J)=>setTimeout(J,H*100))}return{httpSocketPath:z,socksSocketPath:Y,httpBridgeProcess:A,socksBridgeProcess:w,httpProxyPort:q,socksProxyPort:K}}function qC_(q,K,_,z,Y,$){let A=Y||"bash",O=[`socat TCP-LISTEN:3128,fork,reuseaddr UNIX-CONNECT:${q} >/dev/null 2>&1 &`,`socat TCP-LISTEN:1080,fork,reuseaddr UNIX-CONNECT:${K} >/dev/null 2>&1 &`,'trap "kill %1 %2 2>/dev/null; exit" EXIT'];if(z){let w=Ln6($);if(!w)throw Error("apply-seccomp binary not found. This should have been caught earlier. Ensure vendor/seccomp/{x64,arm64}/apply-seccomp binaries are included in the package.");let j=UA6.default.quote([w,z,A,"-c",_]),H=[...O,j].join(`
780`);return`${A} -c ${UA6.default.quote([H])}`}else{let w=[...O,`eval ${UA6.default.quote([_])}`].join(`

Callers 1

WFunction · 0.85

Calls 1

qFunction · 0.70

Tested by

no test coverage detected