abbyswag/qwen-code
1
0
Fork 0
mirror of https://github.com/QwenLM/qwen-code.git synced 2025-12-19 09:33:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix debugging with seatbelt, including in strict profile (#300)

Browse Source
This commit is contained in:
Olcan
2025-05-09 08:44:40 -07:00
committed by GitHub
parent baa26e9e2e
commit b35a3856a2
4 changed files with 42 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
packages/cli/src/utils/sandbox-macos-strict.sb
View File

@@ -76,6 +76,9 @@
;; allow outbound network connections
(allow network-outbound)
;; allow inbound network connections to debugging port
(allow network-inbound (local ip (string-append "*:" "9229")))
;; allow communication with sysmond for process listing (e.g. for pgrep)
(allow mach-lookup (global-name "com.apple.sysmond"))

19
packages/cli/src/utils/sandbox.ts
View File

@@ -46,6 +46,7 @@ export function sandbox_command(sandbox?: string | boolean): string {
}
} else {
// if we are on macOS (Darwin) and sandbox-exec is available, use that for minimal sandboxing
// unless SEATBELT_PROFILE is set to 'none', which we allow as an escape hatch
if (
os.platform() === 'darwin' &&
execSync('command -v sandbox-exec || true').toString().trim() &&
@@ -145,8 +146,18 @@ function entrypoint(workdir: string): string[] {
export async function start_sandbox(sandbox: string) {
if (sandbox === 'sandbox-exec') {
// disallow BUILD_SANDBOX
if (process.env.BUILD_SANDBOX) {
console.error('ERROR: cannot BUILD_SANDBOX when using MacOC Seatbelt');
process.exit(1);
}
const profile = (process.env.SEATBELT_PROFILE ??= 'minimal');
console.log(`using macos seatbelt (profile: ${profile}) ...`);
// if DEBUG is set, convert to --inspect-brk in NODE_OPTIONS
if (process.env.DEBUG) {
process.env.NODE_OPTIONS ??= '';
process.env.NODE_OPTIONS += ` --inspect-brk`;
}
const args = [
'-D',
`TARGET_DIR=${fs.realpathSync(process.cwd())}`,
@@ -158,8 +169,11 @@ export async function start_sandbox(sandbox: string) {
new URL(`sandbox-macos-${profile}.sb`, import.meta.url).pathname,
'bash',
'-c',
`SANDBOX=sandbox-exec NODE_OPTIONS="${process.env.NODE_OPTIONS}" ` +
process.argv.map((arg) => quote([arg])).join(' '),
[
`SANDBOX=sandbox-exec`,
`NODE_OPTIONS="${process.env.NODE_OPTIONS}"`,
...process.argv.map((arg) => quote([arg])),
].join(' '),
];
spawnSync(sandbox, args, { stdio: 'inherit' });
return;
@@ -268,6 +282,7 @@ export async function start_sandbox(sandbox: string) {
// expose env-specified ports on the sandbox
ports().forEach((p) => args.push('--publish', `${p}:${p}`));
// if DEBUG is set, expose debugging port
if (process.env.DEBUG) {
const debugPort = process.env.DEBUG_PORT || '9229';
args.push(`--publish`, `${debugPort}:${debugPort}`);