Documentation
¶
Index ¶
- Variables
- type AuditEntry
- type CommandStats
- type ExecOptions
- type ExecResult
- type Factory
- type FileChangeEvent
- type FileChangeListener
- type FileInfo
- type GlobOptions
- type LocalFS
- func (lfs *LocalFS) Glob(ctx context.Context, pattern string, opts *GlobOptions) ([]string, error)
- func (lfs *LocalFS) IsInside(path string) bool
- func (lfs *LocalFS) Read(ctx context.Context, path string) (string, error)
- func (lfs *LocalFS) Resolve(path string) string
- func (lfs *LocalFS) Stat(ctx context.Context, path string) (FileInfo, error)
- func (lfs *LocalFS) Temp(name string) string
- func (lfs *LocalFS) Write(ctx context.Context, path string, content string) error
- type LocalSandbox
- func (ls *LocalSandbox) AddBlockedCommand(cmd string)
- func (ls *LocalSandbox) CheckNetworkAccess(host string, port int) bool
- func (ls *LocalSandbox) CheckUnixSocketAccess(socketPath string) bool
- func (ls *LocalSandbox) Dispose() error
- func (ls *LocalSandbox) Exec(ctx context.Context, cmd string, opts *ExecOptions) (*ExecResult, error)
- func (ls *LocalSandbox) FS() SandboxFS
- func (ls *LocalSandbox) GetAuditLog() []AuditEntry
- func (ls *LocalSandbox) GetCommandStats() map[string]*CommandStats
- func (ls *LocalSandbox) GetSecurityLevel() SecurityLevel
- func (ls *LocalSandbox) GetSettings() *types.SandboxSettings
- func (ls *LocalSandbox) IsEnabled() bool
- func (ls *LocalSandbox) Kind() string
- func (ls *LocalSandbox) RemoveBlockedCommand(cmd string)
- func (ls *LocalSandbox) SetSecurityLevel(level SecurityLevel)
- func (ls *LocalSandbox) ShouldIgnoreViolation(violationType, path string) bool
- func (ls *LocalSandbox) Unwatch(watchID string) error
- func (ls *LocalSandbox) Watch(paths []string, listener FileChangeListener) (string, error)
- func (ls *LocalSandbox) WorkDir() string
- type LocalSandboxConfig
- type MockFS
- func (mfs *MockFS) Glob(ctx context.Context, pattern string, opts *GlobOptions) ([]string, error)
- func (mfs *MockFS) IsInside(path string) bool
- func (mfs *MockFS) Read(ctx context.Context, path string) (string, error)
- func (mfs *MockFS) Resolve(path string) string
- func (mfs *MockFS) Stat(ctx context.Context, path string) (FileInfo, error)
- func (mfs *MockFS) Temp(name string) string
- func (mfs *MockFS) Write(ctx context.Context, path string, content string) error
- type MockSandbox
- func (ms *MockSandbox) Dispose() error
- func (ms *MockSandbox) Exec(ctx context.Context, cmd string, opts *ExecOptions) (*ExecResult, error)
- func (ms *MockSandbox) FS() SandboxFS
- func (ms *MockSandbox) Kind() string
- func (ms *MockSandbox) Unwatch(watchID string) error
- func (ms *MockSandbox) Watch(paths []string, listener FileChangeListener) (string, error)
- func (ms *MockSandbox) WorkDir() string
- type RemoteClient
- type RemoteClientConfig
- type RemoteFS
- func (rfs *RemoteFS) Glob(ctx context.Context, pattern string, opts *GlobOptions) ([]string, error)
- func (rfs *RemoteFS) IsInside(path string) bool
- func (rfs *RemoteFS) Read(ctx context.Context, path string) (string, error)
- func (rfs *RemoteFS) Resolve(path string) string
- func (rfs *RemoteFS) Stat(ctx context.Context, path string) (FileInfo, error)
- func (rfs *RemoteFS) Temp(name string) string
- func (rfs *RemoteFS) Write(ctx context.Context, path string, content string) error
- type RemoteResponse
- type RemoteSandbox
- func (rs *RemoteSandbox) Dispose() error
- func (rs *RemoteSandbox) Exec(ctx context.Context, cmd string, opts *ExecOptions) (*ExecResult, error)
- func (rs *RemoteSandbox) FS() SandboxFS
- func (rs *RemoteSandbox) Kind() string
- func (rs *RemoteSandbox) SessionID() string
- func (rs *RemoteSandbox) SetSessionID(id string)
- func (rs *RemoteSandbox) Unwatch(watchID string) error
- func (rs *RemoteSandbox) Watch(paths []string, listener FileChangeListener) (string, error)
- func (rs *RemoteSandbox) WorkDir() string
- type RemoteSandboxConfig
- type ResourceLimits
- type Sandbox
- type SandboxFS
- type SecurityLevel
Constants ¶
This section is empty.
Variables ¶
View Source
var DefaultResourceLimits = &ResourceLimits{ MaxCPUTime: 5 * time.Minute, MaxMemoryMB: 512, MaxFileSizeMB: 100, MaxProcesses: 50, MaxOpenFiles: 1024, MaxOutputBytes: 10 * 1024 * 1024, }
DefaultResourceLimits 默认资源限制
Functions ¶
This section is empty.
Types ¶
type AuditEntry ¶ added in v0.31.0
type AuditEntry struct {
Timestamp time.Time `json:"timestamp"`
Command string `json:"command"`
WorkDir string `json:"work_dir"`
ExitCode int `json:"exit_code"`
Duration time.Duration `json:"duration"`
Blocked bool `json:"blocked"`
BlockReason string `json:"block_reason,omitempty"`
UserID string `json:"user_id,omitempty"`
SessionID string `json:"session_id,omitempty"`
Metadata map[string]string `json:"metadata,omitempty"`
}
AuditEntry 审计日志条目
type CommandStats ¶ added in v0.31.0
type CommandStats struct {
TotalCalls int64
BlockedCalls int64
TotalTime time.Duration
LastCall time.Time
}
CommandStats 命令统计
type ExecOptions ¶
ExecOptions 命令执行选项
type FileChangeEvent ¶
FileChangeEvent 文件变更事件
type FileChangeListener ¶
type FileChangeListener func(event FileChangeEvent)
FileChangeListener 文件变更监听器
type GlobOptions ¶
GlobOptions Glob选项
type LocalFS ¶
type LocalFS struct {
// contains filtered or unexported fields
}
LocalFS 本地文件系统实现
func (*LocalFS) IsInside ¶
IsInside 检查路径是否在沙箱内 如果传入的是绝对路径,直接检查该路径是否在 workDir 或白名单内 如果传入的是相对路径,先解析为绝对路径再检查
type LocalSandbox ¶
type LocalSandbox struct {
// contains filtered or unexported fields
}
LocalSandbox 本地沙箱实现
func NewLocalSandbox ¶
func NewLocalSandbox(config *LocalSandboxConfig) (*LocalSandbox, error)
NewLocalSandbox 创建本地沙箱
func (*LocalSandbox) AddBlockedCommand ¶ added in v0.31.0
func (ls *LocalSandbox) AddBlockedCommand(cmd string)
AddBlockedCommand 添加阻止命令
func (*LocalSandbox) CheckNetworkAccess ¶ added in v0.31.0
func (ls *LocalSandbox) CheckNetworkAccess(host string, port int) bool
CheckNetworkAccess 检查网络访问权限
func (*LocalSandbox) CheckUnixSocketAccess ¶ added in v0.31.0
func (ls *LocalSandbox) CheckUnixSocketAccess(socketPath string) bool
CheckUnixSocketAccess 检查 Unix Socket 访问权限
func (*LocalSandbox) Exec ¶
func (ls *LocalSandbox) Exec(ctx context.Context, cmd string, opts *ExecOptions) (*ExecResult, error)
Exec 执行命令
func (*LocalSandbox) GetAuditLog ¶ added in v0.31.0
func (ls *LocalSandbox) GetAuditLog() []AuditEntry
GetAuditLog 获取审计日志
func (*LocalSandbox) GetCommandStats ¶ added in v0.31.0
func (ls *LocalSandbox) GetCommandStats() map[string]*CommandStats
GetCommandStats 获取命令统计
func (*LocalSandbox) GetSecurityLevel ¶ added in v0.31.0
func (ls *LocalSandbox) GetSecurityLevel() SecurityLevel
GetSecurityLevel 获取安全级别
func (*LocalSandbox) GetSettings ¶ added in v0.31.0
func (ls *LocalSandbox) GetSettings() *types.SandboxSettings
GetSettings 获取沙箱安全设置
func (*LocalSandbox) IsEnabled ¶ added in v0.31.0
func (ls *LocalSandbox) IsEnabled() bool
IsEnabled 检查沙箱是否启用
func (*LocalSandbox) RemoveBlockedCommand ¶ added in v0.31.0
func (ls *LocalSandbox) RemoveBlockedCommand(cmd string)
RemoveBlockedCommand 移除阻止命令
func (*LocalSandbox) SetSecurityLevel ¶ added in v0.31.0
func (ls *LocalSandbox) SetSecurityLevel(level SecurityLevel)
SetSecurityLevel 设置安全级别
func (*LocalSandbox) ShouldIgnoreViolation ¶ added in v0.31.0
func (ls *LocalSandbox) ShouldIgnoreViolation(violationType, path string) bool
ShouldIgnoreViolation 检查是否应忽略违规
func (*LocalSandbox) Watch ¶
func (ls *LocalSandbox) Watch(paths []string, listener FileChangeListener) (string, error)
Watch 监听文件变更
type LocalSandboxConfig ¶
type LocalSandboxConfig struct {
WorkDir string
EnforceBoundary bool
AllowPaths []string
WatchFiles bool
// Claude Agent SDK 风格的安全配置
Settings *types.SandboxSettings
// 增强安全配置
SecurityLevel SecurityLevel
ResourceLimits *ResourceLimits
BlockedCommands []string
MaxAuditEntries int
}
LocalSandboxConfig 本地沙箱配置
type MockFS ¶
type MockFS struct {
// contains filtered or unexported fields
}
MockFS 模拟文件系统
type MockSandbox ¶
type MockSandbox struct {
// contains filtered or unexported fields
}
MockSandbox 模拟沙箱(用于测试)
func (*MockSandbox) Dispose ¶
func (ms *MockSandbox) Dispose() error
func (*MockSandbox) Exec ¶
func (ms *MockSandbox) Exec(ctx context.Context, cmd string, opts *ExecOptions) (*ExecResult, error)
func (*MockSandbox) FS ¶
func (ms *MockSandbox) FS() SandboxFS
func (*MockSandbox) Kind ¶
func (ms *MockSandbox) Kind() string
func (*MockSandbox) Unwatch ¶
func (ms *MockSandbox) Unwatch(watchID string) error
func (*MockSandbox) Watch ¶
func (ms *MockSandbox) Watch(paths []string, listener FileChangeListener) (string, error)
func (*MockSandbox) WorkDir ¶
func (ms *MockSandbox) WorkDir() string
type RemoteClient ¶
type RemoteClient struct {
// contains filtered or unexported fields
}
RemoteClient 远程沙箱客户端
func NewRemoteClient ¶
func NewRemoteClient(config *RemoteClientConfig) *RemoteClient
NewRemoteClient 创建远程客户端
func (*RemoteClient) Call ¶
func (rc *RemoteClient) Call(ctx context.Context, method, path string, body any) (*RemoteResponse, error)
Call 调用远程 API
type RemoteClientConfig ¶
type RemoteClientConfig struct {
BaseURL string
APIKey string
APISecret string
Timeout time.Duration
Headers map[string]string
}
RemoteClientConfig 远程客户端配置
type RemoteFS ¶
type RemoteFS struct {
// contains filtered or unexported fields
}
RemoteFS 远程文件系统
type RemoteResponse ¶
RemoteResponse 远程响应
type RemoteSandbox ¶
type RemoteSandbox struct {
// contains filtered or unexported fields
}
RemoteSandbox 远程沙箱基础实现
func NewRemoteSandbox ¶
func NewRemoteSandbox(config *RemoteSandboxConfig) (*RemoteSandbox, error)
NewRemoteSandbox 创建远程沙箱
func (*RemoteSandbox) Exec ¶
func (rs *RemoteSandbox) Exec(ctx context.Context, cmd string, opts *ExecOptions) (*ExecResult, error)
Exec 执行命令 (需要子类实现具体的 API 调用)
func (*RemoteSandbox) SetSessionID ¶
func (rs *RemoteSandbox) SetSessionID(id string)
SetSessionID 设置会话 ID
func (*RemoteSandbox) Unwatch ¶
func (rs *RemoteSandbox) Unwatch(watchID string) error
Unwatch 取消监听 (远程沙箱通常不支持)
func (*RemoteSandbox) Watch ¶
func (rs *RemoteSandbox) Watch(paths []string, listener FileChangeListener) (string, error)
Watch 监听文件变化 (远程沙箱通常不支持)
type RemoteSandboxConfig ¶
type RemoteSandboxConfig struct {
BaseURL string
APIKey string
APISecret string
WorkDir string
Image string // 沙箱镜像
Region string // 区域
Timeout time.Duration // 超时时间
Environment map[string]string // 环境变量
Properties map[string]any
}
RemoteSandboxConfig 远程沙箱配置
type ResourceLimits ¶ added in v0.31.0
type ResourceLimits struct {
MaxCPUTime time.Duration // 最大 CPU 时间
MaxMemoryMB int // 最大内存 (MB)
MaxFileSizeMB int // 最大文件大小 (MB)
MaxProcesses int // 最大进程数
MaxOpenFiles int // 最大打开文件数
MaxOutputBytes int // 最大输出字节数
}
ResourceLimits 资源限制配置
type Sandbox ¶
type Sandbox interface {
// Kind 返回沙箱类型
Kind() string
// WorkDir 返回工作目录
WorkDir() string
// FS 返回文件系统接口
FS() SandboxFS
// Exec 执行命令
Exec(ctx context.Context, cmd string, opts *ExecOptions) (*ExecResult, error)
// Watch 监听文件变更
Watch(paths []string, listener FileChangeListener) (watchID string, err error)
// Unwatch 取消监听
Unwatch(watchID string) error
// Dispose 释放资源
Dispose() error
}
Sandbox 沙箱接口
type SandboxFS ¶
type SandboxFS interface {
// Resolve 解析路径为绝对路径
Resolve(path string) string
// IsInside 检查路径是否在沙箱内
IsInside(path string) bool
// Read 读取文件内容
Read(ctx context.Context, path string) (string, error)
// Write 写入文件内容
Write(ctx context.Context, path string, content string) error
// Temp 生成临时文件路径
Temp(name string) string
// Stat 获取文件状态
Stat(ctx context.Context, path string) (FileInfo, error)
// Glob 文件匹配
Glob(ctx context.Context, pattern string, opts *GlobOptions) ([]string, error)
}
SandboxFS 沙箱文件系统接口
type SecurityLevel ¶ added in v0.31.0
type SecurityLevel int
SecurityLevel 安全级别
const ( // SecurityLevelNone 无安全限制 SecurityLevelNone SecurityLevel = iota // SecurityLevelBasic 基础安全(危险命令检测) SecurityLevelBasic // SecurityLevelStrict 严格安全(路径限制+资源限制) SecurityLevelStrict // SecurityLevelParanoid 偏执安全(最严格) SecurityLevelParanoid )
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.