/** * Dangerous files that should be protected from writes. * These files can be used for code execution or data exfiltration. */ export declare const DANGEROUS_FILES: readonly [".gitconfig", ".gitmodules", ".bashrc", ".bash_profile", ".zshrc", ".zprofile", ".profile", ".ripgreprc", ".mcp.json"]; /** * Dangerous directories that should be protected from writes. * These directories contain sensitive configuration or executable files. */ export declare const DANGEROUS_DIRECTORIES: readonly [".git", ".vscode", ".idea"]; /** * Get the list of dangerous directories to deny writes to. * Excludes .git since we need it writable for git operations - * instead we block specific paths within .git (hooks and config). */ export declare function getDangerousDirectories(): string[]; /** * Normalizes a path for case-insensitive comparison. * This prevents bypassing security checks using mixed-case paths on case-insensitive * filesystems (macOS/Windows) like `.cLauDe/Settings.locaL.json`. * * We always normalize to lowercase regardless of platform for consistent security. * @param path The path to normalize * @returns The lowercase path for safe comparison */ export declare function normalizeCaseForComparison(pathStr: string): string; /** * Check if a path pattern contains glob characters */ export declare function containsGlobChars(pathPattern: string): boolean; /** * Remove trailing /** glob suffix from a path pattern * Used to normalize path patterns since /** just means "directory and everything under it" */ export declare function removeTrailingGlobSuffix(pathPattern: string): string; /** * Check if a symlink resolution crosses expected path boundaries. * * When resolving symlinks for sandbox path normalization, we need to ensure * the resolved path doesn't unexpectedly broaden the scope. This function * returns true if the resolved path is an ancestor of the original path * or resolves to a system root, which would indicate the symlink points * outside expected boundaries. * * @param originalPath - The original path before symlink resolution * @param resolvedPath - The path after fs.realpathSync() resolution * @returns true if the resolved path is outside expected boundaries */ export declare function isSymlinkOutsideBoundary(originalPath: string, resolvedPath: string): boolean; /** * Normalize a path for use in sandbox configurations * Handles: * - Tilde (~) expansion for home directory * - Relative paths (./foo, ../foo, etc.) converted to absolute * - Absolute paths remain unchanged * - Symlinks are resolved to their real paths for non-glob patterns * - Glob patterns preserve wildcards after path normalization * * Returns the absolute path with symlinks resolved (or normalized glob pattern) */ export declare function normalizePathForSandbox(pathPattern: string): string; /** * Get recommended system paths that should be writable for commands to work properly * * WARNING: These default paths are intentionally broad for compatibility but may * allow access to files from other processes. In highly security-sensitive * environments, you should configure more restrictive write paths. */ export declare function getDefaultWritePaths(): string[]; /** * Generate proxy environment variables for sandboxed processes */ export declare function generateProxyEnvVars(httpProxyPort?: number, socksProxyPort?: number): string[]; /** * Encode a command for sandbox monitoring * Truncates to 100 chars and base64 encodes to avoid parsing issues */ export declare function encodeSandboxedCommand(command: string): string; /** * Decode a base64-encoded command from sandbox monitoring */ export declare function decodeSandboxedCommand(encodedCommand: string): string; /** * Convert a glob pattern to a regular expression * * This implements gitignore-style pattern matching to match the behavior of the * `ignore` library used by the permission system. * * Supported patterns: * - * matches any characters except / (e.g., *.ts matches foo.ts but not foo/bar.ts) * - ** matches any characters including / (e.g., src/**\/*.ts matches all .ts files in src/) * - ? matches any single character except / (e.g., file?.txt matches file1.txt) * - [abc] matches any character in the set (e.g., file[0-9].txt matches file3.txt) * * Exported for testing and shared between macOS sandbox profiles and Linux glob expansion. */ export declare function globToRegex(globPattern: string): string; /** * Expand a glob pattern into concrete file paths. * * Used on Linux where bubblewrap doesn't support glob patterns natively. * Resolves the static directory prefix, lists files recursively, and filters * using globToRegex(). * * @param globPath - A path pattern containing glob characters (e.g., ~/test/*.env) * @returns Array of absolute paths matching the glob pattern */ export declare function expandGlobPattern(globPath: string): string[]; //# sourceMappingURL=sandbox-utils.d.ts.map