MCPcopy Index your code
hub / github.com/ChinaSiro/claude-code-sourcemap / oG8

Function oG8

package/cli.js:778–778  ·  view source on GitHub ↗
()

Source from the content-addressed store, hash-verified

776`)}),z.on("error",(H)=>{O7(`Client socket error: ${H.message}`,{level:"error"}),j.destroy()}),z.on("end",()=>j.end()),j.on("end",()=>z.end())}}catch(Y){O7(`Error handling CONNECT: ${Y}`,{level:"error"}),z.end(`HTTP/1.1 500 Internal Server Error\r
777\r
778`)}}),K.on("request",async(_,z)=>{try{let Y=new fS_(_.url),$=Y.hostname,A=Y.port?parseInt(Y.port,10):Y.protocol==="https:"?443:80;if(!await q.filter(A,$,_.socket)){O7(`HTTP request blocked to ${$}:${A}`,{level:"error"}),z.writeHead(403,{"Content-Type":"text/plain","X-Proxy-Error":"blocked-by-allowlist"}),z.end("Connection blocked by network allowlist");return}let w=q.getMitmSocketPath?.($);if(w){O7(`Routing HTTP ${_.method} ${$}:${A} through MITM proxy at ${w}`);let j=new PS_({socketPath:w}),H=vK4({agent:j,path:_.url,method:_.method,headers:{..._.headers,host:Y.host}},(J)=>{z.writeHead(J.statusCode,J.headers),J.pipe(z)});H.on("error",(J)=>{if(O7(`MITM proxy request failed: ${J.message}`,{level:"error"}),!z.headersSent)z.writeHead(502,{"Content-Type":"text/plain"}),z.end("Bad Gateway")}),_.pipe(H)}else{let H=(Y.protocol==="https:"?DS_:vK4)({hostname:$,port:A,path:Y.pathname+Y.search,method:_.method,headers:{..._.headers,host:Y.host}},(J)=>{z.writeHead(J.statusCode,J.headers),J.pipe(z)});H.on("error",(J)=>{if(O7(`Proxy request failed: ${J.message}`,{level:"error"}),!z.headersSent)z.writeHead(502,{"Content-Type":"text/plain"}),z.end("Bad Gateway")}),_.pipe(H)}}catch(Y){O7(`Error handling HTTP request: ${Y}`,{level:"error"}),z.writeHead(500,{"Content-Type":"text/plain"}),z.end("Internal Server Error")}}),K}var NK4=()=>{};var CK4=m((MgA,SK4)=>{var{create:ZS_,defineProperty:cG8,getOwnPropertyDescriptor:GS_,getOwnPropertyNames:TS_,getPrototypeOf:vS_}=Object,kS_=Object.prototype.hasOwnProperty,VS_=(q,K)=>{for(var _ in K)cG8(q,_,{get:K[_],enumerable:!0})},yK4=(q,K,_,z)=>{if(K&&typeof K==="object"||typeof K==="function"){for(let Y of TS_(K))if(!kS_.call(q,Y)&&Y!==_)cG8(q,Y,{get:()=>K[Y],enumerable:!(z=GS_(K,Y))||z.enumerable})}return q},EK4=(q,K,_)=>(_=q!=null?ZS_(vS_(q)):{},yK4(K||!q||!q.__esModule?cG8(_,"default",{value:q,enumerable:!0}):_,q)),NS_=(q)=>yK4(cG8({},"__esModule",{value:!0}),q),LK4={};VS_(LK4,{Socks5Server:()=>hK4,createServer:()=>RS_,defaultConnectionHandler:()=>Sh1});SK4.exports=NS_(LK4);var yS_=EK4(U6("net")),RK4=((q)=>{return q[q.connect=1]="connect",q[q.bind=2]="bind",q[q.udp=3]="udp",q})(RK4||{}),hh1=((q)=>{return q[q.REQUEST_GRANTED=0]="REQUEST_GRANTED",q[q.GENERAL_FAILURE=1]="GENERAL_FAILURE",q[q.CONNECTION_NOT_ALLOWED=2]="CONNECTION_NOT_ALLOWED",q[q.NETWORK_UNREACHABLE=3]="NETWORK_UNREACHABLE",q[q.HOST_UNREACHABLE=4]="HOST_UNREACHABLE",q[q.CONNECTION_REFUSED=5]="CONNECTION_REFUSED",q[q.TTL_EXPIRED=6]="TTL_EXPIRED",q[q.COMMAND_NOT_SUPPORTED=7]="COMMAND_NOT_SUPPORTED",q[q.ADDRESS_TYPE_NOT_SUPPORTED=8]="ADDRESS_TYPE_NOT_SUPPORTED",q})(hh1||{}),ES_=class{constructor(q,K){this.errorHandler=()=>{},this.metadata={},this.socket=K,this.server=q,K.on("error",this.errorHandler),K.pause(),this.handleGreeting()}readBytes(q){return new Promise((K)=>{let _=Buffer.allocUnsafe(q),z=0,Y=($)=>{let A=Math.min($.length,q-z);if($.copy(_,z,0,A),z+=A,z<q)return;this.socket.removeListener("data",Y),this.socket.push($.subarray(A)),K(_),this.socket.pause()};this.socket.on("data",Y),this.socket.resume()})}async handleGreeting(){if((await this.readBytes(1)).readUInt8()!==5)return this.socket.destroy();let K=(await this.readBytes(1)).readUInt8();if(K>128||K===0)return this.socket.destroy();let _=await this.readBytes(K),z=this.server.authHandler?2:0;if(!_.includes(z))return this.socket.write(Buffer.from([5,255])),this.socket.destroy();if(this.socket.write(Buffer.from([5,z])),this.server.authHandler)this.handleUserPassword();else this.handleConnectionRequest()}async handleUserPassword(){await this.readBytes(1);let q=(await this.readBytes(1)).readUint8(),K=(await this.readBytes(q)).toString(),_=(await this.readBytes(1)).readUint8(),z=(await this.readBytes(_)).toString();this.username=K,this.password=z;let Y=!1,$=()=>{if(Y)return;Y=!0,this.socket.write(Buffer.from([1,0])),this.handleConnectionRequest()},A=()=>{if(Y)return;Y=!0,this.socket.write(Buffer.from([1,1])),this.socket.destroy()},O=await this.server.authHandler(this,$,A);if(O===!0)$();else if(O===!1)A()}async handleConnectionRequest(){await this.readBytes(1);let q=(await this.readBytes(1))[0],K=RK4[q];if(!K)return this.socket.destroy();this.command=K,await this.readBytes(1);let _=(await this.readBytes(1)).readUInt8(),z="";switch(_){case 1:z=(await this.readBytes(4)).join(".");break;case 3:let j=(await this.readBytes(1)).readUInt8();z=(await this.readBytes(j)).toString();break;case 4:let H=await this.readBytes(16);for(let J=0;J<16;J++){if(J%2===0&&J>0)z+=":";z+=`${H[J]<16?"0":""}${H[J].toString(16)}`}break;default:this.socket.destroy();return}let Y=(await this.readBytes(2)).readUInt16BE();if(!this.server.supportedCommands.has(K))return this.socket.write(Buffer.from([5,7])),this.socket.destroy();this.destAddress=z,this.destPort=Y;let $=!1,A=()=>{if($)return;$=!0,this.connect()};if(!this.server.rulesetValidator)return A();let O=()=>{if($)return;$=!0,this.socket.write(Buffer.from([5,2,0,1,0,0,0,0,0,0])),this.socket.destroy()},w=await this.server.rulesetValidator(this,A,O);if(w===!0)A();else if(w===!1)O()}connect(){this.socket.removeListener("error",this.errorHandler),this.server.connectionHandler(this,(q)=>{if(hh1[q]===void 0)throw Error(`"${q}" is not a valid status.`);if(this.socket.write(Buffer.from([5,hh1[q],0,1,0,0,0,0,0,0])),q!=="REQUEST_GRANTED")this.socket.destroy()}),this.socket.resume()}},LS_=EK4(U6("net"));function Sh1(q,K){if(q.command!=="connect")return K("COMMAND_NOT_SUPPORTED");q.socket.on("error",()=>{});let _=LS_.default.createConnection({host:q.destAddress,port:q.destPort});_.setNoDelay();let z=!1;return _.on("error",(Y)=>{if(!z)switch(Y.code){case"EINVAL":case"ENOENT":case"ENOTFOUND":case"ETIMEDOUT":case"EADDRNOTAVAIL":case"EHOSTUNREACH":K("HOST_UNREACHABLE");break;case"ENETUNREACH":K("NETWORK_UNREACHABLE");break;case"ECONNREFUSED":K("CONNECTION_REFUSED");break;default:K("GENERAL_FAILURE")}}),_.on("ready",()=>{z=!0,K("REQUEST_GRANTED"),q.socket.pipe(_).pipe(q.socket)}),q.socket.on("close",()=>_.destroy()),_}var hK4=class{constructor(){this.supportedCommands=new Set(["connect"]),this.connectionHandler=Sh1,this.server=yS_.default.createServer((q)=>{q.setNoDelay(),this._handleConnection(q)})}listen(...q){return this.server.listen(...q),this}close(q){return this.server.close(q),this}setAuthHandler(q){return this.authHandler=q,this}disableAuthHandler(){return this.authHandler=void 0,this}setRulesetValidator(q){return this.rulesetValidator=q,this}disableRulesetValidator(){return this.rulesetValidator=void 0,this}setConnectionHandler(q){return this.connectionHandler=q,this}useDefaultConnectionHandler(){return this.connectionHandler=Sh1,this}_handleConnection(q){return new ES_(this,q),this}};function RS_(q){let K=new hK4;if(q?.auth)K.setAuthHandler((_)=>{return _.username===q.auth.username&&_.password===q.auth.password});if(q?.port)K.listen(q.port,q.hostname);return K}});function xK4(q){let K=bK4.createServer();return K.setRulesetValidator(async(_)=>{try{let{destAddress:z,destPort:Y}=_;if(O7(`Connection request to ${z}:${Y}`),!await q.filter(Y,z))return O7(`Connection blocked to ${z}:${Y}`,{level:"error"}),!1;return O7(`Connection allowed to ${z}:${Y}`),!0}catch(z){return O7(`Error validating connection: ${z}`,{level:"error"}),!1}}),{server:K,getPort(){try{let _=K?.server;if(_&&typeof _?.address==="function"){let z=_.address();if(z&&typeof z==="object"&&"port"in z)return z.port}}catch(_){O7(`Error getting port: ${_}`,{level:"error"})}return},listen(_,z){return new Promise((Y,$)=>{let A=()=>{let O=this.getPort();if(O)O7(`SOCKS proxy listening on ${z}:${O}`),Y(O);else $(Error("Failed to get SOCKS proxy server port"))};K.listen(_,z,A)})},async close(){return new Promise((_,z)=>{K.close((Y)=>{if(Y){let $=Y.message?.toLowerCase()||"";if(!($.includes("not running")||$.includes("already closed")||$.includes("not listening"))){z(Y);return}}_()})})},unref(){try{let _=K?.server;if(_&&typeof _?.unref==="function")_.unref()}catch(_){O7(`Error calling unref: ${_}`,{level:"error"})}}}}var bK4;var IK4=y(()=>{bK4=O6(CK4(),1)});import{spawnSync as hS_}from"node:child_process";function ai(q){if(typeof globalThis.Bun<"u")return globalThis.Bun.which(q);let K=hS_("which",[q],{encoding:"utf8",stdio:["ignore","pipe","ignore"],timeout:1000});if(K.status===0&&K.stdout)return K.stdout.trim();return null}var Vn6=()=>{};import*as uK4 from"fs";function Ch1(){if(process.platform!=="linux")return;try{let q=uK4.readFileSync("/proc/version",{encoding:"utf8"}),K=q.match(/WSL(\d+)/i);if(K&&K[1])return K[1];if(q.toLowerCase().includes("microsoft"))return"1";return}catch{return}}function ZG(){switch(process.platform){case"darwin":return"macos";case"linux":return"linux";case"win32":return"windows";default:return"unknown"}}var lG8=()=>{};var pK4=m((TgA,mK4)=>{mK4.exports=function(K){return K.map(function(_){if(_==="")return"''";if(_&&typeof _==="object")return _.op.replace(/(.)/g,"\\$1");if(/["\s\\]/.test(_)&&!/'/.test(_))return"'"+_.replace(/(['])/g,"\\$1")+"'";if(/["'\s]/.test(_))return'"'+_.replace(/(["\\$`!])/g,"\\$1")+'"';return String(_).replace(/([A-Za-z]:)?([#!"$&'()*,:;<=>?@[\\\]^`{|}])/g,"$1\\$2")}).join(" ")}});var cK4=m((vgA,dK4)=>{var QK4="(?:"+["\\|\\|","\\&\\&",";;","\\|\\&","\\<\\(","\\<\\<\\<",">>",">\\&","<\\&","[&;()|<>]"].join("|")+")",BK4=new RegExp("^"+QK4+"$"),gK4="|&;()<> \\t",SS_='"((\\\\"|[^"])*?)"',CS_="'((\\\\'|[^'])*?)'",bS_=/^#$/,FK4="'",UK4='"',bh1="$",pA6="",xS_=4294967296;for(nG8=0;nG8<4;nG8++)pA6+=(xS_*Math.random()).toString(16);var nG8,IS_=new RegExp("^"+pA6);function uS_(q,K){var _=K.lastIndex,z=[],Y;while(Y=K.exec(q))if(z.push(Y),K.lastIndex===Y.index)K.lastIndex+=1;return K.lastIndex=_,z}function mS_(q,K,_){var z=typeof q==="function"?q(_):q[_];if(typeof z>"u"&&_!="")z="";else if(typeof z>"u")z="$";if(typeof z==="object")return K+pA6+JSON.stringify(z)+pA6;return K+z}function pS_(q,K,_){if(!_)_={};var z=_.escape||"\\",Y="(\\"+z+`['"`+gK4+`]|[^\\s'"`+gK4+"])+",$=new RegExp(["("+QK4+")","("+Y+"|"+SS_+"|"+CS_+")+"].join("|"),"g"),A=uS_(q,$);if(A.length===0)return[];if(!K)K={};var O=!1;return A.map(function(w){var j=w[0];if(!j||O)return;if(BK4.test(j))return{op:j};var H=!1,J=!1,M="",X=!1,P;function W(){P+=1;var G,Z,T=j.charAt(P);if(T==="{"){if(P+=1,j.charAt(P)==="}")throw Error("Bad substitution: "+j.slice(P-2,P+1));if(G=j.indexOf("}",P),G<0)throw Error("Bad substitution: "+j.slice(P));Z=j.slice(P,G),P=G}else if(/[*@#?$!_-]/.test(T))Z=T,P+=1;else{var v=j.slice(P);if(G=v.match(/[^\w\d_]/),!G)Z=v,P=j.length;else Z=v.slice(0,G.index),P+=G.index-1}return mS_(K,"",Z)}for(P=0;P<j.length;P++){var D=j.charAt(P);if(X=X||!H&&(D==="*"||D==="?"),J)M+=D,J=!1;else if(H)if(D===H)H=!1;else if(H==FK4)M+=D;else if(D===z)if(P+=1,D=j.charAt(P),D===UK4||D===z||D===bh1)M+=D;else M+=z+D;else if(D===bh1)M+=W();else M+=D;else if(D===UK4||D===FK4)H=D;else if(BK4.test(D))return{op:j};else if(bS_.test(D)){O=!0;var f={comment:q.slice(w.index+P+1)};if(M.length)return[M,f];return[f]}else if(D===z)J=!0;else if(D===bh1)M+=W();else M+=D}if(X)return{op:"glob",pattern:M};return M}).reduce(function(w,j){return typeof j>"u"?w:w.concat(j)},[])}dK4.exports=function(K,_,z){var Y=pS_(K,_,z);if(typeof _!=="function")return Y;return Y.reduce(function($,A){if(typeof A==="object")return $.concat(A);var O=A.split(RegExp("("+pA6+".*?"+pA6+")","g"));if(O.length===1)return $.concat(O[0]);return $.concat(O.filter(Boolean).map(function(w){if(IS_.test(w))return JSON.parse(w.split(pA6)[1]);return w}))},[])}});var iG8=m((BS_)=>{BS_.quote=pK4();BS_.parse=cK4()});import{spawn as US_}from"child_process";import{text as lK4}from"node:stream/consumers";async function nK4(q,K,_,z={command:"rg"}){let{command:Y,args:$=[],argv0:A}=z,O=US_(Y,[...$,...q,K],{argv0:A,signal:_,timeout:1e4,windowsHide:!0}),[w,j,H]=await Promise.all([lK4(O.stdout),lK4(O.stderr),new Promise((J,M)=>{O.on("close",J),O.on("error",M)})]);if(H===0)return w.trim().split(`
779`).filter(Boolean);if(H===1)return[];throw Error(`ripgrep failed with exit code ${H}: ${j}`)}var iK4=y(()=>{Vn6()});import{homedir as xh1}from"os";import*as Lv from"path";import*as BA6 from"fs";function oG8(){return[...QS_.filter((q)=>q!==".git"),".claude/commands",".claude/agents"]}function Ih1(q){return q.toLowerCase()}function GG(q){return q.includes("*")||q.includes("?")||q.includes("[")||q.includes("]")}function si(q){return q.replace(/\/\*\*$/,"")||"/"}function rG8(q,K){let _=Lv.normalize(q),z=Lv.normalize(K);if(z===_)return!1;if(_.startsWith("/tmp/")&&z==="/private"+_)return!1;if(_.startsWith("/var/")&&z==="/private"+_)return!1;if(_.startsWith("/private/tmp/")&&z===_)return!1;if(_.startsWith("/private/var/")&&z===_)return!1;if(z==="/")return!0;if(z.split("/").filter(Boolean).length<=1)return!0;if(_.startsWith(z+"/"))return!0;let $=_;if(_.startsWith("/tmp/"))$="/private"+_;else if(_.startsWith("/var/"))$="/private"+_;if($!==_&&$.startsWith(z+"/"))return!0;let A=z.startsWith(_+"/"),O=$!==_&&z.startsWith($+"/");if(z!==_&&!($!==_&&z===$)&&!A&&!O)return!0;return!1}function oV(q){let K=process.cwd(),_=q;if(q==="~")_=xh1();else if(q.startsWith("~/"))_=xh1()+q.slice(1);else if(q.startsWith("./")||q.startsWith("../"))_=Lv.resolve(K,q);else if(!Lv.isAbsolute(q))_=Lv.resolve(K,q);if(GG(_)){let z=_.split(/[*?[\]]/)[0];if(z&&z!=="/"){let Y=z.endsWith("/")?z.slice(0,-1):Lv.dirname(z);try{let $=BA6.realpathSync(Y);if(!rG8(Y,$)){let A=_.slice(Y.length);return $+A}}catch{}}return _}try{let z=BA6.realpathSync(_);if(rG8(_,z));else _=z}catch{}return _}function yn6(){let q=xh1();return["/dev/stdout","/dev/stderr","/dev/null","/dev/tty","/dev/dtracehelper","/dev/autofs_nowait","/tmp/claude","/private/tmp/claude",Lv.join(q,".npm/_logs"),Lv.join(q,".claude/debug")]}function aG8(q,K){let z=["SANDBOX_RUNTIME=1",`TMPDIR=${process.env.CLAUDE_TMPDIR||"/tmp/claude"}`];if(!q&&!K)return z;let Y=["localhost","127.0.0.1","::1","*.local",".local","169.254.0.0/16","10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"].join(",");if(z.push(`NO_PROXY=${Y}`),z.push(`no_proxy=${Y}`),q)z.push(`HTTP_PROXY=http://localhost:${q}`),z.push(`HTTPS_PROXY=http://localhost:${q}`),z.push(`http_proxy=http://localhost:${q}`),z.push(`https_proxy=http://localhost:${q}`);if(K){z.push(`ALL_PROXY=socks5h://localhost:${K}`),z.push(`all_proxy=socks5h://localhost:${K}`);let $=ZG();if($==="macos")z.push(`GIT_SSH_COMMAND=ssh -o ProxyCommand='nc -X 5 -x localhost:${K} %h %p'`);else if($==="linux"&&q)z.push(`GIT_SSH_COMMAND=ssh -o ProxyCommand='socat - PROXY:localhost:%h:%p,proxyport=${q}'`);if(z.push(`FTP_PROXY=socks5h://localhost:${K}`),z.push(`ftp_proxy=socks5h://localhost:${K}`),z.push(`RSYNC_PROXY=localhost:${K}`),z.push(`DOCKER_HTTP_PROXY=http://localhost:${q||K}`),z.push(`DOCKER_HTTPS_PROXY=http://localhost:${q||K}`),q)z.push("CLOUDSDK_PROXY_TYPE=https"),z.push("CLOUDSDK_PROXY_ADDRESS=localhost"),z.push(`CLOUDSDK_PROXY_PORT=${q}`);z.push(`GRPC_PROXY=socks5h://localhost:${K}`),z.push(`grpc_proxy=socks5h://localhost:${K}`)}return z}function sG8(q){let K=q.slice(0,100);return Buffer.from(K).toString("base64")}function rK4(q){return Buffer.from(q,"base64").toString("utf8")}function gA6(q){return"^"+q.replace(/[.^$+{}()|\\]/g,"\\$&").replace(/\[([^\]]*?)$/g,"\\[$1").replace(/\*\*\//g,"__GLOBSTAR_SLASH__").replace(/\*\*/g,"__GLOBSTAR__").replace(/\*/g,"[^/]*").replace(/\?/g,"[^/]").replace(/__GLOBSTAR_SLASH__/g,"(.*/)?").replace(/__GLOBSTAR__/g,".*")+"$"}function En6(q){let K=oV(q),_=K.split(/[*?[\]]/)[0];if(!_||_==="/")return O7(`[Sandbox] Glob pattern too broad, skipping: ${q}`),[];let z=_.endsWith("/")?_.slice(0,-1):Lv.dirname(_);if(!BA6.existsSync(z))return O7(`[Sandbox] Base directory for glob does not exist: ${z}`),[];let Y=new RegExp(gA6(K)),$=[];try{let A=BA6.readdirSync(z,{recursive:!0,withFileTypes:!0});for(let O of A){let w=O.parentPath??O.path??z,j=Lv.join(w,O.name);if(Y.test(j))$.push(j)}}catch(A){O7(`[Sandbox] Error expanding glob pattern ${q}: ${A}`)}return $}var Nn6,QS_;var fv6=y(()=>{lG8();Nn6=[".gitconfig",".gitmodules",".bashrc",".bash_profile",".zshrc",".zprofile",".profile",".ripgreprc",".mcp.json"],QS_=[".git",".vscode",".idea"]});import{join as YC,dirname as dS_}from"node:path";import{fileURLToPath as cS_}from"node:url";import*as FA6 from"node:fs";import{execSync as lS_}from"node:child_process";import{homedir as nS_}from"node:os";function oK4(){if(ph1)return ph1;let q=[];try{let _=lS_("npm root -g",{encoding:"utf8",timeout:5000,stdio:["pipe","pipe","ignore"]}).trim();if(_)q.push(YC(_,"@anthropic-ai","sandbox-runtime"))}catch{}let K=nS_();return q.push(YC("/usr","lib","node_modules","@anthropic-ai","sandbox-runtime"),YC("/usr","local","lib","node_modules","@anthropic-ai","sandbox-runtime"),YC("/opt","homebrew","lib","node_modules","@anthropic-ai","sandbox-runtime"),YC(K,".npm","lib","node_modules","@anthropic-ai","sandbox-runtime"),YC(K,".npm-global","lib","node_modules","@anthropic-ai","sandbox-runtime")),ph1=q,q}function Bh1(){let q=process.arch;switch(q){case"x64":case"x86_64":return"x64";case"arm64":case"aarch64":return"arm64";case"ia32":case"x86":return O7("[SeccompFilter] 32-bit x86 (ia32) is not currently supported due to missing socketcall() syscall blocking. The current seccomp filter only blocks socket(AF_UNIX, ...), but on 32-bit x86, socketcall() can be used to bypass this.",{level:"error"}),null;default:return O7(`[SeccompFilter] Unsupported architecture: ${q}. Only x64 and arm64 are supported.`),null}}function aK4(q){let K=Bh1();if(!K)return[];let _=dS_(cS_(import.meta.url)),z=YC("vendor","seccomp",K,q);return[YC(_,z),YC(_,"..","..",z),YC(_,"..",z)]}function gh1(q){let K=q??"";if(uh1.has(K))return uh1.get(K);let _=iS_(q);return uh1.set(K,_),_}function iS_(q){if(q){if(FA6.existsSync(q))return O7(`[SeccompFilter] Using BPF filter from explicit path: ${q}`),q;O7(`[SeccompFilter] Explicit path provided but file not found: ${q}`)}let K=Bh1();if(!K)return O7(`[SeccompFilter] Cannot find pre-generated BPF filter: unsupported architecture ${process.arch}`),null;O7(`[SeccompFilter] Detected architecture: ${K}`);for(let _ of aK4("unix-block.bpf"))if(FA6.existsSync(_))return O7(`[SeccompFilter] Found pre-generated BPF filter: ${_} (${K})`),_;for(let _ of oK4()){let z=YC(_,"vendor","seccomp",K,"unix-block.bpf");if(FA6.existsSync(z))return O7(`[SeccompFilter] Found pre-generated BPF filter in global install: ${z} (${K})`),z}return O7(`[SeccompFilter] Pre-generated BPF filter not found in any expected location (${K})`),null}function Ln6(q){let K=q??"";if(mh1.has(K))return mh1.get(K);let _=rS_(q);return mh1.set(K,_),_}function rS_(q){if(q){if(FA6.existsSync(q))return O7(`[SeccompFilter] Using apply-seccomp binary from explicit path: ${q}`),q;O7(`[SeccompFilter] Explicit path provided but file not found: ${q}`)}let K=Bh1();if(!K)return O7(`[SeccompFilter] Cannot find apply-seccomp binary: unsupported architecture ${process.arch}`),null;O7(`[SeccompFilter] Looking for apply-seccomp binary for architecture: ${K}`);for(let _ of aK4("apply-seccomp"))if(FA6.existsSync(_))return O7(`[SeccompFilter] Found apply-seccomp binary: ${_} (${K})`),_;for(let _ of oK4()){let z=YC(_,"vendor","seccomp",K,"apply-seccomp");if(FA6.existsSync(z))return O7(`[SeccompFilter] Found apply-seccomp binary in global install: ${z} (${K})`),z}return O7(`[SeccompFilter] apply-seccomp binary not found in any expected location (${K})`),null}function sK4(q){let K=gh1(q);if(K)return O7("[SeccompFilter] Using pre-generated BPF filter"),K;return O7("[SeccompFilter] Pre-generated BPF filter not available for this architecture. Only x64 and arm64 are supported.",{level:"error"}),null}function Fh1(q){}var uh1,mh1,ph1=null;var tK4=y(()=>{uh1=new Map,mh1=new Map});import{randomBytes as oS_}from"node:crypto";import*as KO from"fs";import{spawn as eK4}from"node:child_process";import{tmpdir as Uh1}from"node:os";import ZX,{join as q54}from"node:path";function aS_(q,K){let _=q.split(ZX.sep),z="";for(let Y of _){if(!Y)continue;let $=z+ZX.sep+Y;try{if(KO.lstatSync($).isSymbolicLink()){if(K.some((w)=>$.startsWith(w+"/")||$===w))return $}}catch{break}z=$}return null}function sS_(q){let K=q.split(ZX.sep),_="";for(let z of K){if(!z)continue;let Y=_+ZX.sep+z;try{let $=KO.statSync(Y);if($.isFile()||$.isSymbolicLink())return!0}catch{break}_=Y}return!1}function tS_(q){let K=q.split(ZX.sep),_="";for(let z of K){if(!z)continue;let Y=_+ZX.sep+z;if(!KO.existsSync(Y))return Y;_=Y}return q}async function eS_(q={command:"rg"},K=ch1,_=!1,z){let Y=process.cwd(),$=new AbortController,A=z??$.signal,O=oG8(),w=[...Nn6.map((X)=>ZX.resolve(Y,X)),...O.map((X)=>ZX.resolve(Y,X))],j=ZX.resolve(Y,".git"),H=!1;try{H=KO.statSync(j).isDirectory()}catch{}if(H){if(w.push(ZX.resolve(Y,".git/hooks")),!_)w.push(ZX.resolve(Y,".git/config"))}let J=[];for(let X of Nn6)J.push("--iglob",X);for(let X of O)J.push("--iglob",`**/${X}/**`);if(J.push("--iglob","**/.git/hooks/**"),!_)J.push("--iglob","**/.git/config");let M=[];try{M=await nK4(["--files","--hidden","--max-depth",String(K),...J,"-g","!**/node_modules/**"],Y,A,q)}catch(X){O7(`[Sandbox] ripgrep scan failed: ${X}`)}for(let X of M){let P=ZX.resolve(Y,X),W=!1;for(let D of[...O,".git"]){let f=Ih1(D),G=P.split(ZX.sep),Z=G.findIndex((T)=>Ih1(T)===f);if(Z!==-1){if(D===".git"){let T=G.slice(0,Z+1).join(ZX.sep);if(X.includes(".git/hooks"))w.push(ZX.join(T,"hooks"));else if(X.includes(".git/config"))w.push(ZX.join(T,"config"))}else w.push(G.slice(0,Z+1).join(ZX.sep));W=!0;break}}if(!W)w.push(P)}return[...new Set(w)]}function dh1(){if(K54)return;process.on("exit",()=>{for(let q of Qh1)try{Fh1(q)}catch{}lh1()}),K54=!0}function lh1(){for(let q of tG8)try{let K=KO.statSync(q);if(K.isFile()&&K.size===0)KO.unlinkSync(q),O7(`[Sandbox Linux] Cleaned up bwrap mount point (file): ${q}`);else if(K.isDirectory()){if(KO.readdirSync(q).length===0)KO.rmdirSync(q),O7(`[Sandbox Linux] Cleaned up bwrap mount point (dir): ${q}`)}}catch{}tG8.clear()}function _54(q){let K=[],_=[];if(ai("bwrap")===null)K.push("bubblewrap (bwrap) not installed");if(ai("socat")===null)K.push("socat not installed");let z=gh1(q?.bpfPath)!==null,Y=Ln6(q?.applyPath)!==null;if(!z||!Y)_.push("seccomp not available - unix socket access not restricted");return{warnings:_,errors:K}}async function z54(q,K){let _=oS_(8).toString("hex"),z=q54(Uh1(),`claude-http-${_}.sock`),Y=q54(Uh1(),`claude-socks-${_}.sock`),$=[`UNIX-LISTEN:${z},fork,reuseaddr`,`TCP:localhost:${q},keepalive,keepidle=10,keepintvl=5,keepcnt=3`];O7(`Starting HTTP bridge: socat ${$.join(" ")}`);let A=eK4("socat",$,{stdio:"ignore"});if(!A.pid)throw Error("Failed to start HTTP bridge process");A.on("error",(H)=>{O7(`HTTP bridge process error: ${H}`,{level:"error"})}),A.on("exit",(H,J)=>{O7(`HTTP bridge process exited with code ${H}, signal ${J}`,{level:H===0?"info":"error"})});let O=[`UNIX-LISTEN:${Y},fork,reuseaddr`,`TCP:localhost:${K},keepalive,keepidle=10,keepintvl=5,keepcnt=3`];O7(`Starting SOCKS bridge: socat ${O.join(" ")}`);let w=eK4("socat",O,{stdio:"ignore"});if(!w.pid){if(A.pid)try{process.kill(A.pid,"SIGTERM")}catch{}throw Error("Failed to start SOCKS bridge process")}w.on("error",(H)=>{O7(`SOCKS bridge process error: ${H}`,{level:"error"})}),w.on("exit",(H,J)=>{O7(`SOCKS bridge process exited with code ${H}, signal ${J}`,{level:H===0?"info":"error"})});let j=5;for(let H=0;H<j;H++){if(!A.pid||A.killed||!w.pid||w.killed)throw Error("Linux bridge process died unexpectedly");try{if(KO.existsSync(z)&&KO.existsSync(Y)){O7(`Linux bridges ready after ${H+1} attempts`);break}}catch(J){O7(`Error checking sockets (attempt ${H+1}): ${J}`,{level:"error"})}if(H===j-1){if(A.pid)try{process.kill(A.pid,"SIGTERM")}catch{}if(w.pid)try{process.kill(w.pid,"SIGTERM")}catch{}throw Error(`Failed to create bridge sockets after ${j} attempts`)}await new Promise((J)=>setTimeout(J,H*100))}return{httpSocketPath:z,socksSocketPath:Y,httpBridgeProcess:A,socksBridgeProcess:w,httpProxyPort:q,socksProxyPort:K}}function qC_(q,K,_,z,Y,$){let A=Y||"bash",O=[`socat TCP-LISTEN:3128,fork,reuseaddr UNIX-CONNECT:${q} >/dev/null 2>&1 &`,`socat TCP-LISTEN:1080,fork,reuseaddr UNIX-CONNECT:${K} >/dev/null 2>&1 &`,'trap "kill %1 %2 2>/dev/null; exit" EXIT'];if(z){let w=Ln6($);if(!w)throw Error("apply-seccomp binary not found. This should have been caught earlier. Ensure vendor/seccomp/{x64,arm64}/apply-seccomp binaries are included in the package.");let j=UA6.default.quote([w,z,A,"-c",_]),H=[...O,j].join(`
780`);return`${A} -c ${UA6.default.quote([H])}`}else{let w=[...O,`eval ${UA6.default.quote([_])}`].join(`
781`);return`${A} -c ${UA6.default.quote([w])}`}}async function KC_(q,K,_={command:"rg"},z=ch1,Y=!1,$){let A=[];if(K){A.push("--ro-bind","/","/");let j=[];for(let J of K.allowOnly||[]){let M=oV(J);if(O7(`[Sandbox Linux] Processing write path: ${J} -> ${M}`),M.startsWith("/dev/")){O7(`[Sandbox Linux] Skipping /dev path: ${M}`);continue}if(!KO.existsSync(M)){O7(`[Sandbox Linux] Skipping non-existent write path: ${M}`);continue}try{let X=KO.realpathSync(M),P=M.replace(/\/+$/,"");if(X!==P&&rG8(M,X)){O7(`[Sandbox Linux] Skipping symlink write path pointing outside expected location: ${J} -> ${X}`);continue}}catch{O7(`[Sandbox Linux] Skipping write path that could not be resolved: ${M}`);continue}A.push("--bind",M,M),j.push(M)}let H=[...K.denyWithinAllow||[],...await eS_(_,z,Y,$)];for(let J of H){let M=oV(J);if(M.startsWith("/dev/"))continue;let X=aS_(M,j);if(X){A.push("--ro-bind","/dev/null",X),O7(`[Sandbox Linux] Mounted /dev/null at symlink ${X} to prevent symlink replacement attack`);continue}if(!KO.existsSync(M)){if(sS_(M)){O7(`[Sandbox Linux] Skipping deny path with file ancestor (cannot create paths under a file): ${M}`);continue}let W=ZX.dirname(M);while(W!=="/"&&!KO.existsSync(W))W=ZX.dirname(W);if(j.some((f)=>W.startsWith(f+"/")||W===f||M.startsWith(f+"/"))){let f=tS_(M);if(f!==M){let G=KO.mkdtempSync(ZX.join(Uh1(),"claude-empty-"));A.push("--ro-bind",G,f),tG8.add(f),dh1(),O7(`[Sandbox Linux] Mounted empty dir at ${f} to block creation of ${M}`)}else A.push("--ro-bind","/dev/null",f),tG8.add(f),dh1(),O7(`[Sandbox Linux] Mounted /dev/null at ${f} to block creation of ${M}`)}else O7(`[Sandbox Linux] Skipping non-existent deny path not within allowed paths: ${M}`);continue}if(j.some((W)=>M.startsWith(W+"/")||M===W))A.push("--ro-bind",M,M);else O7(`[Sandbox Linux] Skipping deny path not within allowed paths: ${M}`)}}else A.push("--bind","/","/");let O=[...q?.denyOnly||[]],w=(q?.allowWithinDeny||[]).map((j)=>oV(j));if(KO.existsSync("/etc/ssh/ssh_config.d"))O.push("/etc/ssh/ssh_config.d");for(let j of O){let H=oV(j);if(!KO.existsSync(H)){O7(`[Sandbox Linux] Skipping non-existent read deny path: ${H}`);continue}if(KO.statSync(H).isDirectory()){A.push("--tmpfs",H);for(let M of w)if(M.startsWith(H+"/")||M===H){if(!KO.existsSync(M)){O7(`[Sandbox Linux] Skipping non-existent read allow path: ${M}`);continue}A.push("--ro-bind",M,M),O7(`[Sandbox Linux] Re-allowed read access within denied region: ${M}`)}}else{if(w.some((X)=>H===X||H.startsWith(X+"/"))){O7(`[Sandbox Linux] Skipping read deny for re-allowed path: ${H}`);continue}A.push("--ro-bind","/dev/null",H)}}return A}async function Y54(q){let{command:K,needsNetworkRestriction:_,httpSocketPath:z,socksSocketPath:Y,httpProxyPort:$,socksProxyPort:A,readConfig:O,writeConfig:w,enableWeakerNestedSandbox:j,allowAllUnixSockets:H,binShell:J,ripgrepConfig:M={command:"rg"},mandatoryDenySearchDepth:X=ch1,allowGitConfig:P=!1,seccompConfig:W,abortSignal:D}=q,f=O&&O.denyOnly.length>0,G=w!==void 0;if(!_&&!f&&!G)return K;let Z=["--new-session","--die-with-parent"],T=void 0;try{if(!H){T=sK4(W?.bpfPath)??void 0;let x=Ln6(W?.applyPath);if(!T||!x)O7("[Sandbox Linux] Seccomp binaries not available - unix socket blocking disabled. Install @anthropic-ai/sandbox-runtime globally for full protection.",{level:"warn"}),T=void 0;else{if(!T.includes("/vendor/seccomp/"))Qh1.add(T),dh1();O7("[Sandbox Linux] Generated seccomp BPF filter for Unix socket blocking")}}else O7("[Sandbox Linux] Skipping seccomp filter - allowAllUnixSockets is enabled");if(_){if(Z.push("--unshare-net"),z&&Y){if(!KO.existsSync(z))throw Error(`Linux HTTP bridge socket does not exist: ${z}. The bridge process may have died. Try reinitializing the sandbox.`);if(!KO.existsSync(Y))throw Error(`Linux SOCKS bridge socket does not exist: ${Y}. The bridge process may have died. Try reinitializing the sandbox.`);Z.push("--bind",z,z),Z.push("--bind",Y,Y);let x=aG8(3128,1080);if(Z.push(...x.flatMap((I)=>{let B=I.indexOf("="),p=I.slice(0,B),C=I.slice(B+1);return["--setenv",p,C]})),$!==void 0)Z.push("--setenv","CLAUDE_CODE_HOST_HTTP_PROXY_PORT",String($));if(A!==void 0)Z.push("--setenv","CLAUDE_CODE_HOST_SOCKS_PROXY_PORT",String(A))}}let v=await KC_(O,w,M,X,P,D);if(Z.push(...v),Z.push("--dev","/dev"),Z.push("--unshare-pid"),!j)Z.push("--proc","/proc");let V=J||"bash",E=ai(V);if(!E)throw Error(`Shell '${V}' not found in PATH`);if(Z.push("--",E,"-c"),_&&z&&Y){let x=qC_(z,Y,K,T,E,W?.applyPath);Z.push(x)}else if(T){let x=Ln6(W?.applyPath);if(!x)throw Error("apply-seccomp binary not found. This should have been caught earlier. Ensure vendor/seccomp/{x64,arm64}/apply-seccomp binaries are included in the package.");let I=UA6.default.quote([x,T,E,"-c",K]);Z.push(I)}else Z.push(K);let S=UA6.default.quote(["bwrap",...Z]),R=[];if(_)R.push("network");if(f||G)R.push("filesystem");if(T)R.push("seccomp(unix-block)");return O7(`[Sandbox Linux] Wrapped command with bwrap (${R.join(", ")} restrictions)`),S}catch(v){if(T&&!T.includes("/vendor/seccomp/")){Qh1.delete(T);try{Fh1(T)}catch(V){O7(`[Sandbox Linux] Failed to clean up seccomp filter on error: ${V}`,{level:"error"})}}throw v}}var UA6,ch1=3,Qh1,tG8,K54=!1;var $54=y(()=>{Vn6();iK4();fv6();tK4();UA6=O6(iG8(),1);Qh1=new Set,tG8=new Set});import{spawn as _C_}from"child_process";import*as ti from"path";function zC_(q=!1){let K=process.cwd(),_=[];for(let z of Nn6)_.push(ti.resolve(K,z)),_.push(`**/${z}`);for(let z of oG8())_.push(ti.resolve(K,z)),_.push(`**/${z}/**`);if(_.push(ti.resolve(K,".git/hooks")),_.push("**/.git/hooks/**"),!q)_.push(ti.resolve(K,".git/config")),_.push("**/.git/config");return[...new Set(_)]}function YC_(q){return`CMD64_${sG8(q)}_END_${w54}`}function A54(q){let K=[],_=ti.dirname(q);while(_!=="/"&&_!=="."){K.push(_);let z=ti.dirname(_);if(z===_)break;_=z}return K}function j54(q,K){let _=[];for(let z of q){let Y=oV(z);if(GG(Y)){let $=gA6(Y);_.push("(deny file-write-unlink",` (regex ${TG($)})`,` (with message "${K}"))`);let A=Y.split(/[*?[\]]/)[0];if(A&&A!=="/"){let O=A.endsWith("/")?A.slice(0,-1):ti.dirname(A);_.push("(deny file-write-unlink",` (literal ${TG(O)})`,` (with message "${K}"))`);for(let w of A54(O))_.push("(deny file-write-unlink",` (literal ${TG(w)})`,` (with message "${K}"))`)}}else{_.push("(deny file-write-unlink",` (subpath ${TG(Y)})`,` (with message "${K}"))`);for(let $ of A54(Y))_.push("(deny file-write-unlink",` (literal ${TG($)})`,` (with message "${K}"))`)}}return _}function $C_(q,K){if(!q)return["(allow file-read*)"];let _=[];_.push("(allow file-read*)");for(let z of q.denyOnly||[]){let Y=oV(z);if(GG(Y)){let $=gA6(Y);_.push("(deny file-read*",` (regex ${TG($)})`,` (with message "${K}"))`)}else _.push("(deny file-read*",` (subpath ${TG(Y)})`,` (with message "${K}"))`)}for(let z of q.allowWithinDeny||[]){let Y=oV(z);if(GG(Y)){let $=gA6(Y);_.push("(allow file-read*",` (regex ${TG($)})`,` (with message "${K}"))`)}else _.push("(allow file-read*",` (subpath ${TG(Y)})`,` (with message "${K}"))`)}if(q.denyOnly.length>0)_.push("(allow file-read-metadata"," (vnode-type DIRECTORY))");return _.push(...j54(q.denyOnly||[],K)),_}function AC_(q,K,_=!1){if(!q)return["(allow file-write*)"];let z=[],Y=wC_();for(let A of Y){let O=oV(A);z.push("(allow file-write*",` (subpath ${TG(O)})`,` (with message "${K}"))`)}for(let A of q.allowOnly||[]){let O=oV(A);if(GG(O)){let w=gA6(O);z.push("(allow file-write*",` (regex ${TG(w)})`,` (with message "${K}"))`)}else z.push("(allow file-write*",` (subpath ${TG(O)})`,` (with message "${K}"))`)}let $=[...q.denyWithinAllow||[],...zC_(_)];for(let A of $){let O=oV(A);if(GG(O)){let w=gA6(O);z.push("(deny file-write*",` (regex ${TG(w)})`,` (with message "${K}"))`)}else z.push("(deny file-write*",` (subpath ${TG(O)})`,` (with message "${K}"))`)}return z.push(...j54($,K)),z}function OC_({readConfig:q,writeConfig:K,httpProxyPort:_,socksProxyPort:z,needsNetworkRestriction:Y,allowUnixSockets:$,allowAllUnixSockets:A,allowLocalBinding:O,allowPty:w,allowGitConfig:j=!1,enableWeakerNetworkIsolation:H=!1,logTag:J}){let M=["(version 1)",`(deny default (with message "${J}"))`,"",`; LogTag: ${J}`,"","; Essential permissions - based on Chrome sandbox policy","; Process permissions","(allow process-exec)","(allow process-fork)","(allow process-info* (target same-sandbox))","(allow signal (target same-sandbox))","(allow mach-priv-task-port (target same-sandbox))","","; User preferences","(allow user-preference-read)","","; Mach IPC - specific services only (no wildcard)","(allow mach-lookup",' (global-name "com.apple.audio.systemsoundserver")',' (global-name "com.apple.distributed_notifications@Uv3")',' (global-name "com.apple.FontObjectsServer")',' (global-name "com.apple.fonts")',' (global-name "com.apple.logd")',' (global-name "com.apple.lsd.mapdb")',' (global-name "com.apple.PowerManagement.control")',' (global-name "com.apple.system.logger")',' (global-name "com.apple.system.notification_center")',' (global-name "com.apple.system.opendirectoryd.libinfo")',' (global-name "com.apple.system.opendirectoryd.membership")',' (global-name "com.apple.bsd.dirhelper")',' (global-name "com.apple.securityd.xpc")',' (global-name "com.apple.coreservices.launchservicesd")',")","",...H?["; trustd.agent - needed for Go TLS certificate verification (weaker network isolation)",'(allow mach-lookup (global-name "com.apple.trustd.agent"))']:[],"","; POSIX IPC - shared memory","(allow ipc-posix-shm)","","; POSIX IPC - semaphores for Python multiprocessing","(allow ipc-posix-sem)","","; IOKit - specific operations only","(allow iokit-open",' (iokit-registry-entry-class "IOSurfaceRootUserClient")',' (iokit-registry-entry-class "RootDomainUserClient")',' (iokit-user-client-class "IOSurfaceSendRight")',")","","; IOKit properties","(allow iokit-get-properties)","","; Specific safe system-sockets, doesn't allow network access","(allow system-socket (require-all (socket-domain AF_SYSTEM) (socket-protocol 2)))","","; sysctl - specific sysctls only","(allow sysctl-read",' (sysctl-name "hw.activecpu")',' (sysctl-name "hw.busfrequency_compat")',' (sysctl-name "hw.byteorder")',' (sysctl-name "hw.cacheconfig")',' (sysctl-name "hw.cachelinesize_compat")',' (sysctl-name "hw.cpufamily")',' (sysctl-name "hw.cpufrequency")',' (sysctl-name "hw.cpufrequency_compat")',' (sysctl-name "hw.cputype")',' (sysctl-name "hw.l1dcachesize_compat")',' (sysctl-name "hw.l1icachesize_compat")',' (sysctl-name "hw.l2cachesize_compat")',' (sysctl-name "hw.l3cachesize_compat")',' (sysctl-name "hw.logicalcpu")',' (sysctl-name "hw.logicalcpu_max")',' (sysctl-name "hw.machine")',' (sysctl-name "hw.memsize")',' (sysctl-name "hw.ncpu")',' (sysctl-name "hw.nperflevels")',' (sysctl-name "hw.packages")',' (sysctl-name "hw.pagesize_compat")',' (sysctl-name "hw.pagesize")',' (sysctl-name "hw.physicalcpu")',' (sysctl-name "hw.physicalcpu_max")',' (sysctl-name "hw.tbfrequency_compat")',' (sysctl-name "hw.vectorunit")',' (sysctl-name "kern.argmax")',' (sysctl-name "kern.bootargs")',' (sysctl-name "kern.hostname")',' (sysctl-name "kern.maxfiles")',' (sysctl-name "kern.maxfilesperproc")',' (sysctl-name "kern.maxproc")',' (sysctl-name "kern.ngroups")',' (sysctl-name "kern.osproductversion")',' (sysctl-name "kern.osrelease")',' (sysctl-name "kern.ostype")',' (sysctl-name "kern.osvariant_status")',' (sysctl-name "kern.osversion")',' (sysctl-name "kern.secure_kernel")',' (sysctl-name "kern.tcsm_available")',' (sysctl-name "kern.tcsm_enable")',' (sysctl-name "kern.usrstack64")',' (sysctl-name "kern.version")',' (sysctl-name "kern.willshutdown")',' (sysctl-name "machdep.cpu.brand_string")',' (sysctl-name "machdep.ptrauth_enabled")',' (sysctl-name "security.mac.lockdown_mode_state")',' (sysctl-name "sysctl.proc_cputype")',' (sysctl-name "vm.loadavg")',' (sysctl-name-prefix "hw.optional.arm")',' (sysctl-name-prefix "hw.optional.arm.")',' (sysctl-name-prefix "hw.optional.armv8_")',' (sysctl-name-prefix "hw.perflevel")',' (sysctl-name-prefix "kern.proc.all")',' (sysctl-name-prefix "kern.proc.pgrp.")',' (sysctl-name-prefix "kern.proc.pid.")',' (sysctl-name-prefix "machdep.cpu.")',' (sysctl-name-prefix "net.routetable.")',")","","; V8 thread calculations","(allow sysctl-write",' (sysctl-name "kern.tcsm_enable")',")","","; Distributed notifications","(allow distributed-notification-post)","","; Specific mach-lookup permissions for security operations",'(allow mach-lookup (global-name "com.apple.SecurityServer"))',"","; File I/O on device files",'(allow file-ioctl (literal "/dev/null"))','(allow file-ioctl (literal "/dev/zero"))','(allow file-ioctl (literal "/dev/random"))','(allow file-ioctl (literal "/dev/urandom"))','(allow file-ioctl (literal "/dev/dtracehelper"))','(allow file-ioctl (literal "/dev/tty"))',"","(allow file-ioctl file-read-data file-write-data"," (require-all",' (literal "/dev/null")'," (vnode-type CHARACTER-DEVICE)"," )",")",""];if(M.push("; Network"),!Y)M.push("(allow network*)");else{if(O)M.push('(allow network-bind (local ip "*:*"))'),M.push('(allow network-inbound (local ip "*:*"))'),M.push('(allow network-outbound (local ip "*:*"))');if(A)M.push("(allow system-socket (socket-domain AF_UNIX))"),M.push('(allow network-bind (local unix-socket (path-regex #"^/")))'),M.push('(allow network-outbound (remote unix-socket (path-regex #"^/")))');else if($&&$.length>0){M.push("(allow system-socket (socket-domain AF_UNIX))");for(let X of $){let P=oV(X);M.push(`(allow network-bind (local unix-socket (subpath ${TG(P)})))`),M.push(`(allow network-outbound (remote unix-socket (subpath ${TG(P)})))`)}}if(_!==void 0)M.push(`(allow network-bind (local ip "localhost:${_}"))`),M.push(`(allow network-inbound (local ip "localhost:${_}"))`),M.push(`(allow network-outbound (remote ip "localhost:${_}"))`);if(z!==void 0)M.push(`(allow network-bind (local ip "localhost:${z}"))`),M.push(`(allow network-inbound (local ip "localhost:${z}"))`),M.push(`(allow network-outbound (remote ip "localhost:${z}"))`)}if(M.push(""),M.push("; File read"),M.push(...$C_(q,J)),M.push(""),M.push("; File write"),M.push(...AC_(K,J,j)),w)M.push(""),M.push("; Pseudo-terminal (pty) support"),M.push("(allow pseudo-tty)"),M.push("(allow file-ioctl"),M.push(' (literal "/dev/ptmx")'),M.push(' (regex #"^/dev/ttys")'),M.push(")"),M.push("(allow file-read* file-write*"),M.push(' (literal "/dev/ptmx")'),M.push(' (regex #"^/dev/ttys")'),M.push(")");return M.join(`

Callers 2

eS_Function · 0.85
zC_Function · 0.85

Calls 1

filterMethod · 0.80

Tested by

no test coverage detected