// SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
// SPDX-License-Identifier: Apache-2.0
//! Process management and signal handling.
use crate::child_env;
use crate::policy::{NetworkMode, SandboxPolicy};
use crate::sandbox;
#[cfg(target_os = "linux")]
use crate::sandbox::linux::netns::NetworkNamespace;
#[cfg(target_os = "linux")]
use crate::{register_managed_child, unregister_managed_child};
use miette::{IntoDiagnostic, Result};
use nix::sys::signal::{self, Signal};
use nix::unistd::{Group, Pid, User};
use std::collections::HashMap;
use std::ffi::CString;
#[cfg(target_os = "linux")]
use std::os::unix::io::RawFd;
use std::path::PathBuf;
use std::process::Stdio;
use tokio::process::{Child, Command};
use tracing::debug;
/// Name of the environment variable that `scrub_sensitive_env` removes from every child
/// command before it is spawned.
// NOTE(review): presumably this carries the supervisor's SSH handshake secret (inferred from
// the name only); it is the single entry on the scrub list, so any other secret present in
// the supervisor's environment is still inherited by the child.
const SSH_HANDSHAKE_SECRET_ENV: &str = "OPENSHELL_SSH_HANDSHAKE_SECRET";
/// Apply every provider-supplied variable to the child command's environment.
///
/// Each pair is set on `cmd`, so an entry here replaces whatever value was configured for the
/// same key earlier on the command; values configured on `cmd` afterwards replace these.
fn inject_provider_env(cmd: &mut Command, provider_env: &HashMap<String, String>) {
    // Bulk form of calling `cmd.env(key, value)` once per map entry.
    cmd.envs(provider_env);
}
/// Strip the handshake secret variable from the environment the child will receive.
///
/// Only `SSH_HANDSHAKE_SECRET_ENV` is removed; this function does not clear or filter any
/// other variable the child would inherit from the parent process.
fn scrub_sensitive_env(cmd: &mut Command) {
    // The returned `&mut Command` is only useful for chaining, which is not needed here.
    let _ = cmd.env_remove(SSH_HANDSHAKE_SECRET_ENV);
}
/// Handle to a running process.
///
/// Pairs the async child handle with the PID captured when the process was spawned.
pub struct ProcessHandle {
    /// Child handle returned by `Command::spawn`; the command is built with
    /// `kill_on_drop(true)`.
    child: Child,
    /// PID recorded once at spawn time via `child.id().unwrap_or(0)`, so `0` means the PID
    /// was not available. The value is never refreshed and can therefore be stale once the
    /// child has been reaped.
    pid: u32,
}
impl ProcessHandle {
/// Spawn `program` under the given sandbox policy (Linux entry point).
///
/// Resolves the optional network namespace to its raw file descriptor and hands everything
/// to `spawn_impl`, which builds the command and installs the `pre_exec` hook.
///
/// * `workdir` - working directory for the child, if any.
/// * `interactive` - when `false`, the child is placed in a new process group.
/// * `netns` - network namespace the child enters before privileges are dropped.
/// * `ca_paths` - CA certificate and combined bundle paths exported as TLS trust variables.
/// * `provider_env` - extra environment variables set on the child.
///
/// # Errors
///
/// Returns an error if the process fails to start.
#[cfg(target_os = "linux")]
#[allow(clippy::too_many_arguments)]
pub fn spawn(
    program: &str,
    args: &[String],
    workdir: Option<&str>,
    interactive: bool,
    policy: &SandboxPolicy,
    netns: Option<&NetworkNamespace>,
    ca_paths: Option<&(PathBuf, PathBuf)>,
    provider_env: &HashMap<String, String>,
) -> Result<Self> {
    // Only the raw fd is passed on. `netns` stays borrowed for the whole call, which spans
    // the `cmd.spawn()` inside `spawn_impl` where the fd is handed to setns(2).
    let netns_fd = netns.and_then(NetworkNamespace::ns_fd);
    Self::spawn_impl(
        program,
        args,
        workdir,
        interactive,
        policy,
        netns_fd,
        ca_paths,
        provider_env,
    )
}
/// Spawn `program` under the given sandbox policy (non-Linux platforms).
///
/// There is no network-namespace parameter on these platforms; every argument is forwarded
/// unchanged to `spawn_impl`.
///
/// # Errors
///
/// Returns an error if the process fails to start.
#[cfg(not(target_os = "linux"))]
pub fn spawn(
    program: &str,
    args: &[String],
    workdir: Option<&str>,
    interactive: bool,
    policy: &SandboxPolicy,
    ca_paths: Option<&(PathBuf, PathBuf)>,
    provider_env: &HashMap<String, String>,
) -> Result<Self> {
    // Pure pass-through: all of the work happens in the platform-specific `spawn_impl`.
    Self::spawn_impl(program, args, workdir, interactive, policy, ca_paths, provider_env)
}
/// Linux implementation behind `ProcessHandle::spawn`.
///
/// Builds the child command (inherited stdio, `kill_on_drop`, sandbox marker, proxy and TLS
/// variables), prepares the sandbox in the parent, and installs a `pre_exec` hook that runs
/// in the forked child in this order: optional `setpgid`, optional `setns`,
/// `drop_privileges`, then `sandbox::linux::enforce`.
///
/// # Errors
///
/// Returns an error if proxy mode is selected without a proxy configuration, if sandbox
/// preparation fails, or if the process fails to start (which includes any error returned
/// by the `pre_exec` hook).
#[cfg(target_os = "linux")]
#[allow(clippy::too_many_arguments)]
fn spawn_impl(
    program: &str,
    args: &[String],
    workdir: Option<&str>,
    interactive: bool,
    policy: &SandboxPolicy,
    netns_fd: Option<RawFd>,
    ca_paths: Option<&(PathBuf, PathBuf)>,
    provider_env: &HashMap<String, String>,
) -> Result<Self> {
    let mut cmd = Command::new(program);
    cmd.args(args)
        .stdin(Stdio::inherit())
        .stdout(Stdio::inherit())
        .stderr(Stdio::inherit())
        .kill_on_drop(true)
        .env("OPENSHELL_SANDBOX", "1");
    // Environment precedence follows call order. The environment is not cleared, so the
    // child inherits the supervisor's variables except the one scrubbed here.
    // NOTE(review): `provider_env` is applied after the marker and the scrub, so an entry
    // named OPENSHELL_SANDBOX or SSH_HANDSHAKE_SECRET_ENV would override/re-add that key
    // with the provider's value -- confirm callers cannot pass such keys. The proxy and TLS
    // variables below are set later and therefore win over `provider_env`.
    scrub_sensitive_env(&mut cmd);
    inject_provider_env(&mut cmd, provider_env);
    if let Some(dir) = workdir {
        cmd.current_dir(dir);
    }
    if matches!(policy.network.mode, NetworkMode::Proxy) {
        // Fail closed: proxy mode without a proxy configuration is an error, not a silent
        // fall-through to unproxied networking.
        let proxy = policy.network.proxy.as_ref().ok_or_else(|| {
            miette::miette!(
                "Network mode is set to proxy but no proxy configuration was provided"
            )
        })?;
        // When using network namespace, set proxy URL to the veth host IP
        if netns_fd.is_some() {
            // The proxy is on 10.200.0.1:3128 (or configured port)
            // NOTE(review): the host address is hard-coded here; it must match whatever the
            // namespace setup assigns to the host side of the veth pair -- confirm.
            let port = proxy.http_addr.map_or(3128, |addr| addr.port());
            let proxy_url = format!("http://10.200.0.1:{port}");
            // Both uppercase and lowercase variants: curl/wget use uppercase,
            // gRPC C-core (libgrpc) checks lowercase http_proxy/https_proxy.
            for (key, value) in child_env::proxy_env_vars(&proxy_url) {
                cmd.env(key, value);
            }
        } else if let Some(http_addr) = proxy.http_addr {
            let proxy_url = format!("http://{http_addr}");
            for (key, value) in child_env::proxy_env_vars(&proxy_url) {
                cmd.env(key, value);
            }
        }
        // Without a namespace and without `http_addr`, no proxy variables are exported.
    }
    // Set TLS trust store env vars so sandbox processes trust the ephemeral CA
    if let Some((ca_cert_path, combined_bundle_path)) = ca_paths {
        for (key, value) in child_env::tls_env_vars(ca_cert_path, combined_bundle_path) {
            cmd.env(key, value);
        }
    }
    // Probe Landlock availability and emit OCSF logs from the parent
    // process where the tracing subscriber is functional. The child's
    // pre_exec context cannot reliably emit structured logs.
    #[cfg(target_os = "linux")]
    sandbox::linux::log_sandbox_readiness(policy, workdir);
    // Phase 1 (as root): Prepare Landlock ruleset by opening PathFds.
    // This MUST happen before drop_privileges() so that root-only paths
    // (e.g. mode 700 directories) can be opened. See issue #803.
    #[cfg(target_os = "linux")]
    let prepared_sandbox = sandbox::linux::prepare(policy, workdir)
        .map_err(|err| miette::miette!("Failed to prepare sandbox: {err}"))?;
    // Set up process group for signal handling (non-interactive mode only).
    // In interactive mode, we inherit the parent's process group to maintain
    // proper terminal control for shells and interactive programs.
    // SAFETY: pre_exec runs after fork but before exec in the child process.
    // setpgid and setns are async-signal-safe and safe to call in this context.
    // NOTE(review): the SAFETY argument above covers only setpgid/setns. The hook also runs
    // drop_privileges(), which performs user/group name lookups and builds error values,
    // and sandbox::linux::enforce(); neither is shown to be async-signal-safe. If the
    // parent is multi-threaded at fork time this needs a justification or the lookups
    // should move to the parent -- confirm.
    {
        let policy = policy.clone();
        // Wrap in Option so we can .take() it out of the FnMut closure.
        // pre_exec is only called once (after fork, before exec).
        #[cfg(target_os = "linux")]
        let mut prepared_sandbox = Some(prepared_sandbox);
        #[allow(unsafe_code)]
        unsafe {
            // Any `Err` returned from this closure makes `cmd.spawn()` fail, so `program`
            // is never executed with a partially applied sandbox.
            cmd.pre_exec(move || {
                if !interactive {
                    // Create new process group
                    // NOTE(review): the return value is ignored, so a failed setpgid leaves
                    // the child in the parent's process group without any error.
                    libc::setpgid(0, 0);
                }
                // Enter network namespace before applying other restrictions
                if let Some(fd) = netns_fd {
                    let result = libc::setns(fd, libc::CLONE_NEWNET);
                    if result != 0 {
                        return Err(std::io::Error::last_os_error());
                    }
                }
                // Drop privileges. initgroups/setgid/setuid need access to
                // /etc/group and /etc/passwd which would be blocked if
                // Landlock were already enforced.
                drop_privileges(&policy)
                    .map_err(|err| std::io::Error::other(err.to_string()))?;
                // Phase 2 (as unprivileged user): Enforce the prepared
                // Landlock ruleset via restrict_self() + apply seccomp.
                // restrict_self() does not require root.
                #[cfg(target_os = "linux")]
                if let Some(prepared) = prepared_sandbox.take() {
                    sandbox::linux::enforce(prepared)
                        .map_err(|err| std::io::Error::other(err.to_string()))?;
                }
                Ok(())
            });
        }
    }
    let child = cmd.spawn().into_diagnostic()?;
    // NOTE(review): 0 is used as a sentinel when no PID is reported. kill(2) interprets
    // pid 0 as "every process in the caller's process group", so a handle carrying 0 must
    // never reach a signal call; returning an error here instead would be safer.
    let pid = child.id().unwrap_or(0);
    register_managed_child(pid);
    debug!(pid, program, "Process spawned");
    Ok(Self { child, pid })
}
/// Non-Linux implementation behind `ProcessHandle::spawn`.
///
/// Builds the child command (inherited stdio, `kill_on_drop`, sandbox marker, proxy and TLS
/// variables) and, on Unix, installs a `pre_exec` hook that runs in the forked child in this
/// order: optional `setpgid`, `drop_privileges`, then `sandbox::apply`.
///
/// # Errors
///
/// Returns an error if proxy mode is selected without a proxy configuration or if the
/// process fails to start (which includes any error returned by the `pre_exec` hook).
#[cfg(not(target_os = "linux"))]
fn spawn_impl(
    program: &str,
    args: &[String],
    workdir: Option<&str>,
    interactive: bool,
    policy: &SandboxPolicy,
    ca_paths: Option<&(PathBuf, PathBuf)>,
    provider_env: &HashMap<String, String>,
) -> Result<Self> {
    let mut cmd = Command::new(program);
    cmd.args(args)
        .stdin(Stdio::inherit())
        .stdout(Stdio::inherit())
        .stderr(Stdio::inherit())
        .kill_on_drop(true)
        .env("OPENSHELL_SANDBOX", "1");
    // Environment precedence follows call order. The environment is not cleared, so the
    // child inherits the parent's variables except the one scrubbed here.
    // NOTE(review): `provider_env` is applied after the marker and the scrub, so an entry
    // named OPENSHELL_SANDBOX or SSH_HANDSHAKE_SECRET_ENV would override/re-add that key
    // with the provider's value -- confirm callers cannot pass such keys.
    scrub_sensitive_env(&mut cmd);
    inject_provider_env(&mut cmd, provider_env);
    if let Some(dir) = workdir {
        cmd.current_dir(dir);
    }
    if matches!(policy.network.mode, NetworkMode::Proxy) {
        // Fail closed: proxy mode without a proxy configuration is an error.
        let proxy = policy.network.proxy.as_ref().ok_or_else(|| {
            miette::miette!(
                "Network mode is set to proxy but no proxy configuration was provided"
            )
        })?;
        if let Some(http_addr) = proxy.http_addr {
            let proxy_url = format!("http://{http_addr}");
            for (key, value) in child_env::proxy_env_vars(&proxy_url) {
                cmd.env(key, value);
            }
        }
        // Without `http_addr`, no proxy variables are exported.
    }
    // Set TLS trust store env vars so sandbox processes trust the ephemeral CA
    if let Some((ca_cert_path, combined_bundle_path)) = ca_paths {
        for (key, value) in child_env::tls_env_vars(ca_cert_path, combined_bundle_path) {
            cmd.env(key, value);
        }
    }
    // Set up process group for signal handling (non-interactive mode only).
    // In interactive mode, we inherit the parent's process group to maintain
    // proper terminal control for shells and interactive programs.
    // SAFETY: pre_exec runs after fork but before exec in the child process.
    // setpgid is async-signal-safe and safe to call in this context.
    // NOTE(review): the SAFETY argument above covers only setpgid. The hook also runs
    // drop_privileges() (user/group name lookups, error construction) and sandbox::apply(),
    // neither of which is shown to be async-signal-safe -- confirm.
    #[cfg(unix)]
    {
        let policy = policy.clone();
        let workdir = workdir.map(str::to_string);
        #[allow(unsafe_code)]
        unsafe {
            // Any `Err` returned from this closure makes `cmd.spawn()` fail, so `program`
            // is never executed with a partially applied sandbox.
            cmd.pre_exec(move || {
                if !interactive {
                    // Create new process group
                    // NOTE(review): the return value is ignored, so a failed setpgid goes
                    // unnoticed.
                    libc::setpgid(0, 0);
                }
                // Drop privileges before applying sandbox restrictions.
                // initgroups/setgid/setuid need access to /etc/group and /etc/passwd
                // which may be blocked by Landlock.
                drop_privileges(&policy)
                    .map_err(|err| std::io::Error::other(err.to_string()))?;
                sandbox::apply(&policy, workdir.as_deref())
                    .map_err(|err| std::io::Error::other(err.to_string()))?;
                Ok(())
            });
        }
    }
    let child = cmd.spawn().into_diagnostic()?;
    // NOTE(review): 0 is used as a sentinel when no PID is reported. kill(2) interprets
    // pid 0 as "every process in the caller's process group", so a handle carrying 0 must
    // never reach a signal call.
    let pid = child.id().unwrap_or(0);
    // This function is compiled only when the target is not Linux, so the registration
    // below is never compiled in.
    #[cfg(target_os = "linux")]
    register_managed_child(pid);
    debug!(pid, program, "Process spawned");
    Ok(Self { child, pid })
}
/// PID recorded when the process was spawned.
///
/// The value is captured once and never refreshed: it is `0` if no PID was available at
/// spawn time, and it keeps its old value after the child has exited.
#[must_use]
pub const fn pid(&self) -> u32 {
    self.pid
}
/// Await the child's exit and convert the result into a [`ProcessStatus`].
///
/// On Linux the PID is removed from the managed-child set as soon as the wait returns,
/// whether it succeeded or failed.
///
/// # Errors
///
/// Returns an error if waiting fails.
pub async fn wait(&mut self) -> std::io::Result<ProcessStatus> {
    let outcome = self.child.wait().await;
    // Unregister before looking at the outcome so a failed wait does not leave the PID
    // registered.
    #[cfg(target_os = "linux")]
    unregister_managed_child(self.pid);
    outcome.map(ProcessStatus::from)
}
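/// Send a signal to the process.
///
/// The target is the PID recorded at spawn time. Two guards run before `kill(2)` is called:
/// the child must not have been reaped yet, and the recorded PID must be a positive value
/// that fits in `i32`.
///
/// # Errors
///
/// Returns an error if the child has already exited and been reaped, if the recorded PID is
/// not a valid single-process target, or if the signal cannot be sent.
pub fn signal(&self, sig: Signal) -> Result<()> {
    // The child handle stops reporting a PID once the process has been waited on. After
    // that point the kernel may hand the same number to an unrelated process, so the stored
    // PID must not be signalled any more.
    if self.child.id().is_none() {
        return Err(miette::miette!(
            "Cannot send {sig:?}: process {} has already exited",
            self.pid
        ));
    }
    // kill(2) treats pid 0 as "every process in the caller's process group" and negative
    // values as group/broadcast targets. The spawn path stores 0 when no PID was available,
    // so anything that is not a positive i32 is rejected instead of being passed through.
    let pid = i32::try_from(self.pid)
        .ok()
        .filter(|pid| *pid > 0)
        .ok_or_else(|| miette::miette!("Refusing to signal invalid PID {}", self.pid))?;
    signal::kill(Pid::from_raw(pid), sig).into_diagnostic()
}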
/// Terminate the process: SIGTERM, a fixed 100 ms grace period, then SIGKILL.
///
/// A failed SIGTERM is reported as an OCSF process-activity event and does not stop the
/// escalation. SIGKILL is sent whenever the child handle still reports a PID after the grace
/// period, and its result is ignored. The grace period uses `std::thread::sleep`, so the
/// calling thread is blocked for its duration.
///
/// Both signals target the single child PID. In non-interactive mode the child is the leader
/// of its own process group, and other members of that group are not signalled here.
///
/// # Errors
///
/// Returns an error if the process cannot be killed.
// NOTE(review): as written every path returns `Ok(())`; signal failures are logged or
// dropped rather than propagated.
pub fn kill(&mut self) -> Result<()> {
    // Polite request first; a failure is recorded but escalation continues regardless.
    let term_outcome = self.signal(Signal::SIGTERM);
    if let Err(e) = term_outcome {
        openshell_ocsf::ocsf_emit!(
            openshell_ocsf::ProcessActivityBuilder::new(crate::ocsf_ctx())
                .activity(openshell_ocsf::ActivityId::Close)
                .severity(openshell_ocsf::SeverityId::Medium)
                .status(openshell_ocsf::StatusId::Failure)
                .message(format!("Failed to send SIGTERM: {e}"))
                .build()
        );
    }

    // Grace period for a clean shutdown.
    let grace = std::time::Duration::from_millis(100);
    std::thread::sleep(grace);

    // The handle reports no PID once the child has been reaped; nothing is left to kill.
    let Some(id) = self.child.id() else {
        return Ok(());
    };
    debug!(pid = id, "Sending SIGKILL");
    let pid = i32::try_from(id).unwrap_or(i32::MAX);
    let _ = signal::kill(Pid::from_raw(pid), Signal::SIGKILL);
    Ok(())
}
}
/// Unregisters the recorded PID (Linux only) when the handle is dropped.
impl Drop for ProcessHandle {
    fn drop(&mut self) {
        // `wait()` already unregisters the same PID, so after a completed wait this is a
        // second call for that value.
        // NOTE(review): assumes unregistering an absent PID is harmless -- confirm.
        #[cfg(target_os = "linux")]
        unregister_managed_child(self.pid);
    }
}
/// Switch the current process to the user and group named in `policy.process`.
///
/// Empty names are treated as unset. With neither name set, a root process falls back to
/// `sandbox:sandbox` and a non-root process is left unchanged. Otherwise the steps run in
/// this order: resolve the user and group, `initgroups` (only when a user is configured, and
/// not on macOS/iOS/Haiku/Redox), `setgid`, then `setuid` (only when a user is configured).
/// The effective GID/UID are re-read after each change, and after `setuid` the function
/// checks that UID 0 cannot be re-acquired.
///
/// # Errors
///
/// Returns an error if the user or group cannot be resolved, if any of the identity-changing
/// calls fails, or if one of the post-change verifications does not hold.
// NOTE(review): this function is called from the `pre_exec` hooks in this file, i.e. in the
// forked child. The name lookups and error construction below are not covered by the SAFETY
// comments at those call sites -- confirm this is acceptable there.
#[cfg(unix)]
pub fn drop_privileges(policy: &SandboxPolicy) -> Result<()> {
    // An empty string is normalized to "not configured".
    let user_name = match policy.process.run_as_user.as_deref() {
        Some(name) if !name.is_empty() => Some(name),
        _ => None,
    };
    let group_name = match policy.process.run_as_group.as_deref() {
        Some(name) if !name.is_empty() => Some(name),
        _ => None,
    };
    // If no user/group is configured and we are running as root, fall back to
    // "sandbox:sandbox" instead of silently keeping root. This covers the
    // local/dev-mode path where policies are loaded from disk and never pass
    // through the server-side `ensure_sandbox_process_identity` normalization.
    // For non-root runtimes, the no-op is safe -- we are already unprivileged.
    if user_name.is_none() && group_name.is_none() {
        if nix::unistd::geteuid().is_root() {
            // The recursion terminates after one level because both names are now set.
            let mut fallback = policy.clone();
            fallback.process.run_as_user = Some("sandbox".into());
            fallback.process.run_as_group = Some("sandbox".into());
            return drop_privileges(&fallback);
        }
        return Ok(());
    }
    // NOTE(review): the fallback above only covers "neither set". With a group but no user,
    // a root caller resolves `user` to its current identity below, and both initgroups and
    // setuid are skipped (they are gated on `user_name.is_some()`), so the process keeps
    // UID 0 and its supplementary groups with only the primary GID changed. Confirm that
    // policies reaching this code always carry a user, or treat group-only-as-root like the
    // unset case.
    let user = if let Some(name) = user_name {
        User::from_name(name)
            .into_diagnostic()?
            .ok_or_else(|| miette::miette!("Sandbox user not found: {name}"))?
    } else {
        User::from_uid(nix::unistd::geteuid())
            .into_diagnostic()?
            .ok_or_else(|| miette::miette!("Failed to resolve current user"))?
    };
    // Without a configured group, the resolved user's primary group is used.
    let group = if let Some(name) = group_name {
        Group::from_name(name)
            .into_diagnostic()?
            .ok_or_else(|| miette::miette!("Sandbox group not found: {name}"))?
    } else {
        Group::from_gid(user.gid)
            .into_diagnostic()?
            .ok_or_else(|| miette::miette!("Failed to resolve user primary group"))?
    };
    // Supplementary groups are reset first, while the process still has the privilege to do
    // so; this only happens when a user was configured.
    if user_name.is_some() {
        let user_cstr =
            CString::new(user.name.clone()).map_err(|_| miette::miette!("Invalid user name"))?;
        // On these targets initgroups is not called at all; the binding only silences the
        // unused-variable warning.
        #[cfg(any(
            target_os = "macos",
            target_os = "ios",
            target_os = "haiku",
            target_os = "redox"
        ))]
        {
            let _ = user_cstr;
        }
        #[cfg(not(any(
            target_os = "macos",
            target_os = "ios",
            target_os = "haiku",
            target_os = "redox"
        )))]
        {
            nix::unistd::initgroups(user_cstr.as_c_str(), group.gid).into_diagnostic()?;
        }
    }
    // The group is changed before the user: once the UID is no longer 0 the process would
    // not be allowed to change its GID.
    nix::unistd::setgid(group.gid).into_diagnostic()?;
    // Verify effective GID actually changed (defense-in-depth, CWE-250 / CERT POS37-C)
    let effective_gid = nix::unistd::getegid();
    if effective_gid != group.gid {
        return Err(miette::miette!(
            "Privilege drop verification failed: expected effective GID {}, got {}",
            group.gid,
            effective_gid
        ));
    }
    if user_name.is_some() {
        nix::unistd::setuid(user.uid).into_diagnostic()?;
        // Verify effective UID actually changed (defense-in-depth, CWE-250 / CERT POS37-C)
        let effective_uid = nix::unistd::geteuid();
        if effective_uid != user.uid {
            return Err(miette::miette!(
                "Privilege drop verification failed: expected effective UID {}, got {}",
                user.uid,
                effective_uid
            ));
        }
        // Verify root cannot be re-acquired (CERT POS37-C hardening).
        // If we dropped from root, setuid(0) must fail; success means privileges
        // were not fully relinquished.
        // If the probe succeeds the process is running as UID 0 again; the error returned
        // below is what keeps a caller from continuing in that state.
        // NOTE(review): only the UID is probed; there is no equivalent check that the old
        // GID cannot be restored.
        if nix::unistd::setuid(nix::unistd::Uid::from_raw(0)).is_ok() && user.uid.as_raw() != 0 {
            return Err(miette::miette!(
                "Privilege drop verification failed: process can still re-acquire root (UID 0) \
after switching to UID {}",
                user.uid
            ));
        }
    }
    Ok(())
}
/// Exit status of a finished process: an exit code, a terminating signal, or neither.
#[derive(Debug, Clone, Copy)]
pub struct ProcessStatus {
    /// Exit code reported by the process, if it exited normally.
    code: Option<i32>,
    /// Number of the signal that terminated the process, if any.
    signal: Option<i32>,
}

impl ProcessStatus {
    /// Shell-style exit code: the real code if present, otherwise `128 + signal`, otherwise
    /// `-1` when neither is known.
    #[must_use]
    pub fn code(&self) -> i32 {
        match (self.code, self.signal) {
            (Some(code), _) => code,
            (None, Some(sig)) => 128 + sig,
            (None, None) => -1,
        }
    }

    /// `true` only when the process reported exit code 0.
    #[must_use]
    pub fn success(&self) -> bool {
        matches!(self.code, Some(0))
    }

    /// Signal that terminated the process, if any.
    #[must_use]
    pub const fn signal(&self) -> Option<i32> {
        self.signal
    }
}

impl From<std::process::ExitStatus> for ProcessStatus {
    /// Extract the exit code and, on Unix, the terminating signal from a std exit status.
    fn from(status: std::process::ExitStatus) -> Self {
        // The signal is only observable through the Unix extension trait; other platforms
        // always report `None`.
        #[cfg(unix)]
        let signal = {
            use std::os::unix::process::ExitStatusExt;
            status.signal()
        };
        #[cfg(not(unix))]
        let signal = None;

        Self {
            code: status.code(),
            signal,
        }
    }
}
#[cfg(test)]
mod tests {
    use super::*;
    use crate::policy::{
        FilesystemPolicy, LandlockPolicy, NetworkPolicy, ProcessPolicy, SandboxPolicy,
    };
    use std::process::Stdio as StdStdio;

    // These tests call `drop_privileges` directly, so any identity change it makes applies
    // to the test process itself and persists for tests that run afterwards in it.

    /// Build a `SandboxPolicy` that is all defaults apart from the given process policy.
    fn policy_with_process(process: ProcessPolicy) -> SandboxPolicy {
        SandboxPolicy {
            version: 1,
            filesystem: FilesystemPolicy::default(),
            network: NetworkPolicy::default(),
            landlock: LandlockPolicy::default(),
            process,
        }
    }

    /// Shared expectation for a policy that names neither a user nor a group.
    ///
    /// Non-root: the call is a no-op and must succeed. Root: the call falls back to
    /// "sandbox:sandbox", so it succeeds exactly when that user exists and must otherwise
    /// error (e.g. in CI) rather than silently keep root.
    fn assert_unset_identity_outcome(policy: &SandboxPolicy) {
        if !nix::unistd::geteuid().is_root() {
            assert!(drop_privileges(policy).is_ok());
            return;
        }
        let has_sandbox = User::from_name("sandbox").ok().flatten().is_some();
        assert_eq!(drop_privileges(policy).is_ok(), has_sandbox);
    }

    /// Command that prints its environment, with only stdout captured.
    fn env_probe() -> Command {
        let mut probe = Command::new("/usr/bin/env");
        probe
            .stdin(StdStdio::null())
            .stdout(StdStdio::piped())
            .stderr(StdStdio::null());
        probe
    }

    /// Run the probe and return what it printed.
    // NOTE(review): the exit status is not checked, so a probe that prints nothing would
    // make a "does not contain" assertion pass vacuously.
    async fn captured_stdout(mut probe: Command) -> String {
        let output = probe.output().await.expect("spawn env");
        String::from_utf8(output.stdout).expect("utf8")
    }

    #[test]
    fn drop_privileges_noop_when_no_user_or_group() {
        let unset = ProcessPolicy {
            run_as_user: None,
            run_as_group: None,
        };
        assert_unset_identity_outcome(&policy_with_process(unset));
    }

    #[test]
    fn drop_privileges_noop_when_empty_strings() {
        // Empty names must behave exactly like missing ones.
        let blank = ProcessPolicy {
            run_as_user: Some(String::new()),
            run_as_group: Some(String::new()),
        };
        assert_unset_identity_outcome(&policy_with_process(blank));
    }

    #[test]
    fn drop_privileges_succeeds_for_current_group() {
        // Only run_as_group is set (no run_as_user) so that initgroups() is not called.
        // initgroups(3) requires CAP_SETGID/root even when the target is the current user,
        // so it cannot be exercised without elevated privileges. This covers the setgid()
        // + GID post-condition verification path without needing root.
        let own_group = Group::from_gid(nix::unistd::getegid())
            .expect("getgrgid")
            .expect("current group entry");
        let group_only = ProcessPolicy {
            run_as_user: None,
            run_as_group: Some(own_group.name),
        };
        let policy = policy_with_process(group_only);
        assert!(drop_privileges(&policy).is_ok());
    }

    #[test]
    #[ignore = "initgroups(3) requires CAP_SETGID; run as root: sudo cargo test -- --ignored"]
    fn drop_privileges_succeeds_for_current_user() {
        // Runs the full privilege-drop path including initgroups(), setgid(), setuid(), and
        // the root-reacquisition check. Requires CAP_SETGID (root) because initgroups(3)
        // calls setgroups(2) internally.
        // Fixes: https://github.com/NVIDIA/OpenShell/issues/622
        // NOTE(review): when run as root the target user is root itself, so the
        // re-acquisition check is evaluated but its failure branch cannot trigger here.
        let own_user = User::from_uid(nix::unistd::geteuid())
            .expect("getpwuid")
            .expect("current user entry");
        let own_group = Group::from_gid(nix::unistd::getegid())
            .expect("getgrgid")
            .expect("current group entry");
        let same_identity = ProcessPolicy {
            run_as_user: Some(own_user.name),
            run_as_group: Some(own_group.name),
        };
        let policy = policy_with_process(same_identity);
        assert!(drop_privileges(&policy).is_ok());
    }

    #[test]
    fn drop_privileges_fails_for_nonexistent_user() {
        let unknown_user = ProcessPolicy {
            run_as_user: Some("__nonexistent_test_user_42__".to_string()),
            run_as_group: None,
        };
        let result = drop_privileges(&policy_with_process(unknown_user));
        assert!(result.is_err());
        let msg = result.unwrap_err().to_string();
        assert!(
            msg.contains("not found"),
            "expected 'not found' in error: {msg}"
        );
    }

    #[test]
    fn drop_privileges_fails_for_nonexistent_group() {
        let unknown_group = ProcessPolicy {
            run_as_user: None,
            run_as_group: Some("__nonexistent_test_group_42__".to_string()),
        };
        let result = drop_privileges(&policy_with_process(unknown_group));
        assert!(result.is_err());
        let msg = result.unwrap_err().to_string();
        assert!(
            msg.contains("not found"),
            "expected 'not found' in error: {msg}"
        );
    }

    #[tokio::test]
    async fn scrub_sensitive_env_removes_ssh_handshake_secret() {
        // The variable is set explicitly on the command first, then scrubbed.
        let mut cmd = env_probe();
        cmd.env(SSH_HANDSHAKE_SECRET_ENV, "super-secret");
        scrub_sensitive_env(&mut cmd);
        let stdout = captured_stdout(cmd).await;
        assert!(!stdout.contains(SSH_HANDSHAKE_SECRET_ENV));
    }

    #[tokio::test]
    async fn inject_provider_env_sets_placeholder_values() {
        let mut cmd = env_probe();
        // The value is a resolver placeholder, not a real credential.
        let mut provider_env = HashMap::new();
        provider_env.insert(
            "ANTHROPIC_API_KEY".to_string(),
            "openshell:resolve:env:ANTHROPIC_API_KEY".to_string(),
        );
        inject_provider_env(&mut cmd, &provider_env);
        let stdout = captured_stdout(cmd).await;
        assert!(stdout.contains("ANTHROPIC_API_KEY=openshell:resolve:env:ANTHROPIC_API_KEY"));
    }
}