afterburner 0.1.2

Afterburner - JS ~> WASM Sandboxed Execution VM
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346

// SPDX-License-Identifier: BUSL-1.1
// Copyright (c) 2026 vertexclique
// Licensed under the Business Source License 1.1.
// Change Date: 4 years after this version's release. Change License: Apache-2.0.

//! `--allow-*` flag translation into a [`Manifold`].
//!
//! * `--allow-all` / `-A` → `Manifold::open()` (every flap wide open).
//! * Each of `--allow-net`, `--allow-listen`, `--allow-fs`,
//!   `--allow-env` grants exactly the capability it names. Absent
//!   flags stay at the `sealed()` default - `PermissionDenied` on use.
//! * `*` in the value = unrestricted for that capability. Otherwise
//!   the value is a comma-separated allow-list (hosts / ports / paths /
//!   var names). Net entries may pin a port (`host:port`); see
//!   [`parse_allow_net_arg`]. Listen takes ports or a single `lo-hi`
//!   range; see [`parse_allow_listen_arg`].

use crate::{EnvAccess, FsAccess, ListenAccess, Manifold, NetAccess};
use std::path::PathBuf;

use super::args::Cli;

/// Assemble the Manifold the CLI will run under, per Q1-D:
///
/// * No flags at all → `Manifold::open()` (CLI-only default - the
///   library API still defaults to `sealed`). [`banner::maybe_show`]
///   prints a one-time warning at startup.
/// * `--sandbox` or any `--allow-*` flag → start from `sealed()` and
///   apply the specific grants. Presence of `--allow-*` implicitly
///   sandboxes; you don't need to repeat `--sandbox` alongside it.
/// * `-A` / `--allow-all` → explicit `open()`; no banner (user opted
///   in).
pub fn build_manifold(cli: &Cli) -> Manifold {
    if cli.allow_all {
        return Manifold::open();
    }
    // The Permission Model flags (`--allow-fs-read` / `--allow-fs-write`
    // / `--allow-child-process` / `--allow-worker`) are first-class
    // sandbox triggers too - they imply `--sandbox` even when the
    // legacy `--allow-net` / `--allow-fs` / `--allow-env` flags are
    // absent.
    let any_allow = cli.allow_net.is_some()
        || cli.allow_listen.is_some()
        || cli.allow_fs.is_some()
        || cli.allow_env.is_some()
        || cli.allow_fs_read.is_some()
        || cli.allow_fs_write.is_some()
        || cli.allow_child_process
        || cli.allow_worker
        || cli.allow_crypto
        || cli.permission;
    let explicit_sandbox = cli.sandbox || any_allow;
    if !explicit_sandbox {
        // The CLI-flip: implicit open. Banner triggers separately in
        // `maybe_show_open_banner` when this path is taken.
        return Manifold::open();
    }
    let mut m = Manifold::sealed();

    if let Some(s) = cli.allow_net.as_deref() {
        let hosts = parse_allow_list(s);
        // Wildcard or empty list → unrestricted. We keep `OutboundFull`
        // rather than `OutboundHttp` so scripts that talk raw TCP in a
        // future host expansion don't need a migration.
        m.net = if hosts.is_empty() || has_wildcard(&hosts) {
            NetAccess::OutboundFull(None)
        } else {
            NetAccess::OutboundFull(Some(hosts))
        };
    }

    // Permission-Model flags collapse onto the existing FS gate:
    // burn doesn't model read-vs-write separately at the manifold
    // layer, so granting either implies ReadWrite on the named roots.
    // The granularity is preserved on the JS-side
    // `process.permission.has` map for libraries that introspect.
    let fs_paths: Option<Vec<String>> =
        if cli.allow_fs.is_some() || cli.allow_fs_read.is_some() || cli.allow_fs_write.is_some() {
            let mut combined: Vec<String> = Vec::new();
            for src in [
                cli.allow_fs.as_deref(),
                cli.allow_fs_read.as_deref(),
                cli.allow_fs_write.as_deref(),
            ]
            .iter()
            .flatten()
            {
                combined.extend(parse_allow_list(src));
            }
            // Deduplicate while preserving order.
            let mut seen = std::collections::BTreeSet::new();
            combined.retain(|p| seen.insert(p.clone()));
            Some(combined)
        } else {
            None
        };
    if let Some(paths) = fs_paths {
        let roots: Vec<PathBuf> = if paths.is_empty() || has_wildcard(&paths) {
            vec![PathBuf::from("/")]
        } else {
            paths.into_iter().map(PathBuf::from).collect()
        };
        m.fs = FsAccess::ReadWrite(roots);
    }

    if let Some(s) = cli.allow_env.as_deref() {
        let vars = parse_allow_list(s);
        m.env = if vars.is_empty() || has_wildcard(&vars) {
            EnvAccess::Full
        } else {
            EnvAccess::AllowList(vars)
        };
    }

    if let Some(s) = cli.allow_listen.as_deref() {
        m.listen = listen_from_arg(s);
    }

    if cli.allow_crypto {
        m.crypto = true;
    }

    m
}

/// Translate a validated `--allow-listen` value into a [`ListenAccess`].
/// `*` (or an empty value) = any port; `lo-hi` as the single entry = a
/// range; otherwise a comma-separated port allow-list. The value has
/// already passed [`parse_allow_listen_arg`], so unparseable entries
/// only arise if the two functions drift - those entries are dropped
/// (narrowing, never widening).
fn listen_from_arg(s: &str) -> ListenAccess {
    let entries = parse_allow_list(s);
    if entries.is_empty() || has_wildcard(&entries) {
        return ListenAccess::Any;
    }
    if let [only] = entries.as_slice()
        && let Some((lo, hi)) = parse_port_range(only)
    {
        return ListenAccess::PortRange(lo, hi);
    }
    ListenAccess::Ports(
        entries
            .iter()
            .filter_map(|e| e.parse::<u16>().ok())
            .collect(),
    )
}

/// `"9000-9100"` → `Some((9000, 9100))`; anything else → `None`.
fn parse_port_range(entry: &str) -> Option<(u16, u16)> {
    let (lo, hi) = entry.split_once('-')?;
    Some((lo.trim().parse().ok()?, hi.trim().parse().ok()?))
}

/// Clap value-parser for `--allow-listen`: `*`, a comma-separated list
/// of ports, or a single inclusive `lo-hi` range. Mirrors the
/// `--allow-net` philosophy - reject unmatchable entries at parse time
/// rather than producing a silent deny-everything grant.
pub fn parse_allow_listen_arg(s: &str) -> Result<String, String> {
    let entries = parse_allow_list(s);
    if has_wildcard(&entries) {
        return Ok(s.to_string());
    }
    if let [only] = entries.as_slice()
        && only.contains('-')
    {
        let (lo, hi) = parse_port_range(only).ok_or_else(|| {
            format!("invalid --allow-listen range '{only}': expected LO-HI with ports in 1-65535")
        })?;
        if lo == 0 || lo > hi {
            return Err(format!(
                "invalid --allow-listen range '{only}': expected 1 <= LO <= HI <= 65535"
            ));
        }
        return Ok(s.to_string());
    }
    for entry in &entries {
        match entry.parse::<u16>() {
            Ok(0) | Err(_) => {
                return Err(format!(
                    "invalid --allow-listen entry '{entry}': expected a port (1-65535), \
                     a comma-separated port list, a single LO-HI range, or *"
                ));
            }
            Ok(_) => {}
        }
    }
    Ok(s.to_string())
}

/// Clap value-parser for `--allow-net`: accept the comma-separated
/// host list, rejecting entries whose `:port` suffix is not a valid
/// port number. Without this gate a typo like `--allow-net
/// host:90o0` would produce an allow-list entry that can never match,
/// i.e. a silent deny-everything sandbox.
///
/// Entry grammar (shared with the runtime matcher,
/// `afterburner_node_compat::http_host::split_host_port_pattern`):
/// `host`, `host:port`, `*.suffix[:port]`, `*`, `[v6][:port]`, or a
/// bare IPv6 host (two or more colons, any port).
pub fn parse_allow_net_arg(s: &str) -> Result<String, String> {
    for entry in parse_allow_list(s) {
        // Bracketed IPv6 with a non-numeric port and `host:NaN` both
        // reduce to the same check: a declared port part must parse.
        let port_part = if let Some(v6) = entry.strip_prefix('[') {
            match v6.split_once(']') {
                Some((_, after)) => after.strip_prefix(':'),
                None => {
                    return Err(format!(
                        "invalid --allow-net entry '{entry}': unterminated '[' in IPv6 host"
                    ));
                }
            }
        } else if entry.matches(':').count() == 1 {
            entry.split_once(':').map(|(_, p)| p)
        } else {
            // No colon (bare host) or ≥2 colons (bare IPv6 host).
            None
        };
        if let Some(p) = port_part
            && p.parse::<u16>().is_err()
        {
            return Err(format!(
                "invalid --allow-net entry '{entry}': '{p}' is not a valid port \
                 (use host, host:port, *.suffix[:port], or [v6][:port])"
            ));
        }
    }
    Ok(s.to_string())
}

/// Split `"a,b, c"` into `["a", "b", "c"]`, trimming whitespace and
/// dropping empty segments. `""` returns `[]`.
pub fn parse_allow_list(s: &str) -> Vec<String> {
    s.split(',')
        .map(str::trim)
        .filter(|p| !p.is_empty())
        .map(String::from)
        .collect()
}

pub fn has_wildcard(list: &[String]) -> bool {
    list.iter().any(|s| s == "*")
}

/// True when the CLI is running under the implicit open-capabilities
/// default - i.e. the user supplied neither `--sandbox` nor any
/// `--allow-*` flag and didn't explicitly set `-A`. The banner shows
/// only in this case, so callers who set `-A` don't get warned twice.
pub fn is_implicit_open(cli: &Cli) -> bool {
    if cli.allow_all {
        return false;
    }
    let any_allow = cli.allow_net.is_some()
        || cli.allow_listen.is_some()
        || cli.allow_fs.is_some()
        || cli.allow_env.is_some()
        || cli.allow_fs_read.is_some()
        || cli.allow_fs_write.is_some()
        || cli.allow_child_process
        || cli.allow_worker
        || cli.allow_crypto
        || cli.permission;
    !(cli.sandbox || any_allow)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn allow_net_accepts_hosts_and_host_port_entries() {
        for ok in [
            "api.example.com",
            "*.trusted.io",
            "*",
            "127.0.0.1:9000",
            "*.trusted.io:8443",
            "a.com,b.com:81, c.com",
            "[::1]:9000",
            "[::1]",
            "::1", // bare IPv6 host - colons are not a port suffix
        ] {
            assert!(
                parse_allow_net_arg(ok).is_ok(),
                "expected '{ok}' to be accepted"
            );
        }
    }

    #[test]
    fn allow_listen_accepts_ports_ranges_and_wildcard() {
        for ok in [
            "8080",
            "8080,9090",
            " 80 , 443 ",
            "9000-9100",
            "1-65535",
            "*",
        ] {
            assert!(
                parse_allow_listen_arg(ok).is_ok(),
                "expected '{ok}' to be accepted"
            );
        }
    }

    #[test]
    fn allow_listen_rejects_invalid_entries() {
        for bad in [
            "0",
            "65536",
            "http",
            "8o80",
            "8080,nope",
            "9100-9000", // inverted range
            "0-100",     // port 0 in a range
            "80-90,100", // a range must be the single entry
            "-1",
        ] {
            assert!(
                parse_allow_listen_arg(bad).is_err(),
                "expected '{bad}' to be rejected"
            );
        }
    }

    #[test]
    fn allow_net_rejects_invalid_port_suffixes() {
        for bad in [
            "127.0.0.1:90o0",
            "host:",
            "host:-1",
            "host:65536",
            "good.com,host:nope",
            "[::1]:abc",
            "[::1",
        ] {
            assert!(
                parse_allow_net_arg(bad).is_err(),
                "expected '{bad}' to be rejected"
            );
        }
    }
}