| |
| |
| |
| |
| |
| |
|
|
| import { z } from 'zod/v4' |
| import { lazySchema } from '../utils/lazySchema.js' |
|
|
| |
| |
| |
| export const SandboxNetworkConfigSchema = lazySchema(() => |
| z |
| .object({ |
| allowedDomains: z.array(z.string()).optional(), |
| allowManagedDomainsOnly: z |
| .boolean() |
| .optional() |
| .describe( |
| 'When true (and set in managed settings), only allowedDomains and WebFetch(domain:...) allow rules from managed settings are respected. ' + |
| 'User, project, local, and flag settings domains are ignored. Denied domains are still respected from all sources.', |
| ), |
| allowUnixSockets: z |
| .array(z.string()) |
| .optional() |
| .describe( |
| 'macOS only: Unix socket paths to allow. Ignored on Linux (seccomp cannot filter by path).', |
| ), |
| allowAllUnixSockets: z |
| .boolean() |
| .optional() |
| .describe( |
| 'If true, allow all Unix sockets (disables blocking on both platforms).', |
| ), |
| allowLocalBinding: z.boolean().optional(), |
| httpProxyPort: z.number().optional(), |
| socksProxyPort: z.number().optional(), |
| }) |
| .optional(), |
| ) |
|
|
| |
| |
| |
| export const SandboxFilesystemConfigSchema = lazySchema(() => |
| z |
| .object({ |
| allowWrite: z |
| .array(z.string()) |
| .optional() |
| .describe( |
| 'Additional paths to allow writing within the sandbox. ' + |
| 'Merged with paths from Edit(...) allow permission rules.', |
| ), |
| denyWrite: z |
| .array(z.string()) |
| .optional() |
| .describe( |
| 'Additional paths to deny writing within the sandbox. ' + |
| 'Merged with paths from Edit(...) deny permission rules.', |
| ), |
| denyRead: z |
| .array(z.string()) |
| .optional() |
| .describe( |
| 'Additional paths to deny reading within the sandbox. ' + |
| 'Merged with paths from Read(...) deny permission rules.', |
| ), |
| allowRead: z |
| .array(z.string()) |
| .optional() |
| .describe( |
| 'Paths to re-allow reading within denyRead regions. ' + |
| 'Takes precedence over denyRead for matching paths.', |
| ), |
| allowManagedReadPathsOnly: z |
| .boolean() |
| .optional() |
| .describe( |
| 'When true (set in managed settings), only allowRead paths from policySettings are used.', |
| ), |
| }) |
| .optional(), |
| ) |
|
|
| |
| |
| |
| export const SandboxSettingsSchema = lazySchema(() => |
| z |
| .object({ |
| enabled: z.boolean().optional(), |
| failIfUnavailable: z |
| .boolean() |
| .optional() |
| .describe( |
| 'Exit with an error at startup if sandbox.enabled is true but the sandbox cannot start ' + |
| '(missing dependencies, unsupported platform, or platform not in enabledPlatforms). ' + |
| 'When false (default), a warning is shown and commands run unsandboxed. ' + |
| 'Intended for managed-settings deployments that require sandboxing as a hard gate.', |
| ), |
| |
| |
| |
| |
| |
| |
| |
| |
| autoAllowBashIfSandboxed: z.boolean().optional(), |
| allowUnsandboxedCommands: z |
| .boolean() |
| .optional() |
| .describe( |
| 'Allow commands to run outside the sandbox via the dangerouslyDisableSandbox parameter. ' + |
| 'When false, the dangerouslyDisableSandbox parameter is completely ignored and all commands must run sandboxed. ' + |
| 'Default: true.', |
| ), |
| network: SandboxNetworkConfigSchema(), |
| filesystem: SandboxFilesystemConfigSchema(), |
| ignoreViolations: z.record(z.string(), z.array(z.string())).optional(), |
| enableWeakerNestedSandbox: z.boolean().optional(), |
| enableWeakerNetworkIsolation: z |
| .boolean() |
| .optional() |
| .describe( |
| 'macOS only: Allow access to com.apple.trustd.agent in the sandbox. ' + |
| 'Needed for Go-based CLI tools (gh, gcloud, terraform, etc.) to verify TLS certificates ' + |
| 'when using httpProxyPort with a MITM proxy and custom CA. ' + |
| '**Reduces security** — opens a potential data exfiltration vector through the trustd service. Default: false', |
| ), |
| excludedCommands: z.array(z.string()).optional(), |
| ripgrep: z |
| .object({ |
| command: z.string(), |
| args: z.array(z.string()).optional(), |
| }) |
| .optional() |
| .describe('Custom ripgrep configuration for bundled ripgrep support'), |
| }) |
| .passthrough(), |
| ) |
|
|
| |
| export type SandboxSettings = z.infer<ReturnType<typeof SandboxSettingsSchema>> |
| export type SandboxNetworkConfig = NonNullable< |
| z.infer<ReturnType<typeof SandboxNetworkConfigSchema>> |
| > |
| export type SandboxFilesystemConfig = NonNullable< |
| z.infer<ReturnType<typeof SandboxFilesystemConfigSchema>> |
| > |
| export type SandboxIgnoreViolations = NonNullable< |
| SandboxSettings['ignoreViolations'] |
| > |
|
|