mirror of
https://github.com/sanbuphy/claude-code-source-code.git
synced 2026-04-04 12:04:56 +08:00
a988ee13cb
从 npm 包 @anthropic-ai/claude-code 2.1.88 版本提取的反编译源码 包含 src/ 目录下的 TypeScript 源文件及 vendor/ 原生模块源码 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
157 lines
5.6 KiB
TypeScript
157 lines
5.6 KiB
TypeScript
/**
|
|
* Sandbox types for the Claude Code Agent SDK
|
|
*
|
|
* This file is the single source of truth for sandbox configuration types.
|
|
* Both the SDK and the settings validation import from here.
|
|
*/
|
|
|
|
import { z } from 'zod/v4'
|
|
import { lazySchema } from '../utils/lazySchema.js'
|
|
|
|
/**
|
|
* Network configuration schema for sandbox.
|
|
*/
|
|
export const SandboxNetworkConfigSchema = lazySchema(() =>
|
|
z
|
|
.object({
|
|
allowedDomains: z.array(z.string()).optional(),
|
|
allowManagedDomainsOnly: z
|
|
.boolean()
|
|
.optional()
|
|
.describe(
|
|
'When true (and set in managed settings), only allowedDomains and WebFetch(domain:...) allow rules from managed settings are respected. ' +
|
|
'User, project, local, and flag settings domains are ignored. Denied domains are still respected from all sources.',
|
|
),
|
|
allowUnixSockets: z
|
|
.array(z.string())
|
|
.optional()
|
|
.describe(
|
|
'macOS only: Unix socket paths to allow. Ignored on Linux (seccomp cannot filter by path).',
|
|
),
|
|
allowAllUnixSockets: z
|
|
.boolean()
|
|
.optional()
|
|
.describe(
|
|
'If true, allow all Unix sockets (disables blocking on both platforms).',
|
|
),
|
|
allowLocalBinding: z.boolean().optional(),
|
|
httpProxyPort: z.number().optional(),
|
|
socksProxyPort: z.number().optional(),
|
|
})
|
|
.optional(),
|
|
)
|
|
|
|
/**
|
|
* Filesystem configuration schema for sandbox.
|
|
*/
|
|
export const SandboxFilesystemConfigSchema = lazySchema(() =>
|
|
z
|
|
.object({
|
|
allowWrite: z
|
|
.array(z.string())
|
|
.optional()
|
|
.describe(
|
|
'Additional paths to allow writing within the sandbox. ' +
|
|
'Merged with paths from Edit(...) allow permission rules.',
|
|
),
|
|
denyWrite: z
|
|
.array(z.string())
|
|
.optional()
|
|
.describe(
|
|
'Additional paths to deny writing within the sandbox. ' +
|
|
'Merged with paths from Edit(...) deny permission rules.',
|
|
),
|
|
denyRead: z
|
|
.array(z.string())
|
|
.optional()
|
|
.describe(
|
|
'Additional paths to deny reading within the sandbox. ' +
|
|
'Merged with paths from Read(...) deny permission rules.',
|
|
),
|
|
allowRead: z
|
|
.array(z.string())
|
|
.optional()
|
|
.describe(
|
|
'Paths to re-allow reading within denyRead regions. ' +
|
|
'Takes precedence over denyRead for matching paths.',
|
|
),
|
|
allowManagedReadPathsOnly: z
|
|
.boolean()
|
|
.optional()
|
|
.describe(
|
|
'When true (set in managed settings), only allowRead paths from policySettings are used.',
|
|
),
|
|
})
|
|
.optional(),
|
|
)
|
|
|
|
/**
|
|
* Sandbox settings schema.
|
|
*/
|
|
export const SandboxSettingsSchema = lazySchema(() =>
|
|
z
|
|
.object({
|
|
enabled: z.boolean().optional(),
|
|
failIfUnavailable: z
|
|
.boolean()
|
|
.optional()
|
|
.describe(
|
|
'Exit with an error at startup if sandbox.enabled is true but the sandbox cannot start ' +
|
|
'(missing dependencies, unsupported platform, or platform not in enabledPlatforms). ' +
|
|
'When false (default), a warning is shown and commands run unsandboxed. ' +
|
|
'Intended for managed-settings deployments that require sandboxing as a hard gate.',
|
|
),
|
|
// Note: enabledPlatforms is an undocumented setting read via .passthrough()
|
|
// It restricts sandboxing to specific platforms (e.g., ["macos"]).
|
|
//
|
|
// Added to unblock NVIDIA enterprise rollout: they want to enable
|
|
// autoAllowBashIfSandboxed but only on macOS initially, since Linux/WSL
|
|
// sandbox support is newer and less battle-tested. This allows them to
|
|
// set enabledPlatforms: ["macos"] to disable sandbox (and auto-allow)
|
|
// on other platforms until they're ready to expand.
|
|
autoAllowBashIfSandboxed: z.boolean().optional(),
|
|
allowUnsandboxedCommands: z
|
|
.boolean()
|
|
.optional()
|
|
.describe(
|
|
'Allow commands to run outside the sandbox via the dangerouslyDisableSandbox parameter. ' +
|
|
'When false, the dangerouslyDisableSandbox parameter is completely ignored and all commands must run sandboxed. ' +
|
|
'Default: true.',
|
|
),
|
|
network: SandboxNetworkConfigSchema(),
|
|
filesystem: SandboxFilesystemConfigSchema(),
|
|
ignoreViolations: z.record(z.string(), z.array(z.string())).optional(),
|
|
enableWeakerNestedSandbox: z.boolean().optional(),
|
|
enableWeakerNetworkIsolation: z
|
|
.boolean()
|
|
.optional()
|
|
.describe(
|
|
'macOS only: Allow access to com.apple.trustd.agent in the sandbox. ' +
|
|
'Needed for Go-based CLI tools (gh, gcloud, terraform, etc.) to verify TLS certificates ' +
|
|
'when using httpProxyPort with a MITM proxy and custom CA. ' +
|
|
'**Reduces security** — opens a potential data exfiltration vector through the trustd service. Default: false',
|
|
),
|
|
excludedCommands: z.array(z.string()).optional(),
|
|
ripgrep: z
|
|
.object({
|
|
command: z.string(),
|
|
args: z.array(z.string()).optional(),
|
|
})
|
|
.optional()
|
|
.describe('Custom ripgrep configuration for bundled ripgrep support'),
|
|
})
|
|
.passthrough(),
|
|
)
|
|
|
|
// Inferred types from schemas
|
|
export type SandboxSettings = z.infer<ReturnType<typeof SandboxSettingsSchema>>
|
|
export type SandboxNetworkConfig = NonNullable<
|
|
z.infer<ReturnType<typeof SandboxNetworkConfigSchema>>
|
|
>
|
|
export type SandboxFilesystemConfig = NonNullable<
|
|
z.infer<ReturnType<typeof SandboxFilesystemConfigSchema>>
|
|
>
|
|
export type SandboxIgnoreViolations = NonNullable<
|
|
SandboxSettings['ignoreViolations']
|
|
>
|