oppi.li
source dump of claude code
1/**
2 * Sandbox types for the Claude Code Agent SDK
3 *
4 * This file is the single source of truth for sandbox configuration types.
5 * Both the SDK and the settings validation import from here.
6 */
7
8import { z } from 'zod/v4'
9import { lazySchema } from '../utils/lazySchema.js'
10
11/**
12 * Network configuration schema for sandbox.
13 */
14export const SandboxNetworkConfigSchema = lazySchema(() =>
15 z
16 .object({
17 allowedDomains: z.array(z.string()).optional(),
18 allowManagedDomainsOnly: z
19 .boolean()
20 .optional()
21 .describe(
22 'When true (and set in managed settings), only allowedDomains and WebFetch(domain:...) allow rules from managed settings are respected. ' +
23 'User, project, local, and flag settings domains are ignored. Denied domains are still respected from all sources.',
24 ),
25 allowUnixSockets: z
26 .array(z.string())
27 .optional()
28 .describe(
29 'macOS only: Unix socket paths to allow. Ignored on Linux (seccomp cannot filter by path).',
30 ),
31 allowAllUnixSockets: z
32 .boolean()
33 .optional()
34 .describe(
35 'If true, allow all Unix sockets (disables blocking on both platforms).',
36 ),
37 allowLocalBinding: z.boolean().optional(),
38 httpProxyPort: z.number().optional(),
39 socksProxyPort: z.number().optional(),
40 })
41 .optional(),
42)
43
44/**
45 * Filesystem configuration schema for sandbox.
46 */
47export const SandboxFilesystemConfigSchema = lazySchema(() =>
48 z
49 .object({
50 allowWrite: z
51 .array(z.string())
52 .optional()
53 .describe(
54 'Additional paths to allow writing within the sandbox. ' +
55 'Merged with paths from Edit(...) allow permission rules.',
56 ),
57 denyWrite: z
58 .array(z.string())
59 .optional()
60 .describe(
61 'Additional paths to deny writing within the sandbox. ' +
62 'Merged with paths from Edit(...) deny permission rules.',
63 ),
64 denyRead: z
65 .array(z.string())
66 .optional()
67 .describe(
68 'Additional paths to deny reading within the sandbox. ' +
69 'Merged with paths from Read(...) deny permission rules.',
70 ),
71 allowRead: z
72 .array(z.string())
73 .optional()
74 .describe(
75 'Paths to re-allow reading within denyRead regions. ' +
76 'Takes precedence over denyRead for matching paths.',
77 ),
78 allowManagedReadPathsOnly: z
79 .boolean()
80 .optional()
81 .describe(
82 'When true (set in managed settings), only allowRead paths from policySettings are used.',
83 ),
84 })
85 .optional(),
86)
87
88/**
89 * Sandbox settings schema.
90 */
91export const SandboxSettingsSchema = lazySchema(() =>
92 z
93 .object({
94 enabled: z.boolean().optional(),
95 failIfUnavailable: z
96 .boolean()
97 .optional()
98 .describe(
99 'Exit with an error at startup if sandbox.enabled is true but the sandbox cannot start ' +
100 '(missing dependencies, unsupported platform, or platform not in enabledPlatforms). ' +
101 'When false (default), a warning is shown and commands run unsandboxed. ' +
102 'Intended for managed-settings deployments that require sandboxing as a hard gate.',
103 ),
104 // Note: enabledPlatforms is an undocumented setting read via .passthrough()
105 // It restricts sandboxing to specific platforms (e.g., ["macos"]).
106 //
107 // Added to unblock NVIDIA enterprise rollout: they want to enable
108 // autoAllowBashIfSandboxed but only on macOS initially, since Linux/WSL
109 // sandbox support is newer and less battle-tested. This allows them to
110 // set enabledPlatforms: ["macos"] to disable sandbox (and auto-allow)
111 // on other platforms until they're ready to expand.
112 autoAllowBashIfSandboxed: z.boolean().optional(),
113 allowUnsandboxedCommands: z
114 .boolean()
115 .optional()
116 .describe(
117 'Allow commands to run outside the sandbox via the dangerouslyDisableSandbox parameter. ' +
118 'When false, the dangerouslyDisableSandbox parameter is completely ignored and all commands must run sandboxed. ' +
119 'Default: true.',
120 ),
121 network: SandboxNetworkConfigSchema(),
122 filesystem: SandboxFilesystemConfigSchema(),
123 ignoreViolations: z.record(z.string(), z.array(z.string())).optional(),
124 enableWeakerNestedSandbox: z.boolean().optional(),
125 enableWeakerNetworkIsolation: z
126 .boolean()
127 .optional()
128 .describe(
129 'macOS only: Allow access to com.apple.trustd.agent in the sandbox. ' +
130 'Needed for Go-based CLI tools (gh, gcloud, terraform, etc.) to verify TLS certificates ' +
131 'when using httpProxyPort with a MITM proxy and custom CA. ' +
132 '**Reduces security** — opens a potential data exfiltration vector through the trustd service. Default: false',
133 ),
134 excludedCommands: z.array(z.string()).optional(),
135 ripgrep: z
136 .object({
137 command: z.string(),
138 args: z.array(z.string()).optional(),
139 })
140 .optional()
141 .describe('Custom ripgrep configuration for bundled ripgrep support'),
142 })
143 .passthrough(),
144)
145
146// Inferred types from schemas
147export type SandboxSettings = z.infer<ReturnType<typeof SandboxSettingsSchema>>
148export type SandboxNetworkConfig = NonNullable<
149 z.infer<ReturnType<typeof SandboxNetworkConfigSchema>>
150>
151export type SandboxFilesystemConfig = NonNullable<
152 z.infer<ReturnType<typeof SandboxFilesystemConfigSchema>>
153>
154export type SandboxIgnoreViolations = NonNullable<
155 SandboxSettings['ignoreViolations']
156>