@anthropic-ai/sandbox-runtime 0.0.16 → 0.0.18

package/README.md

@@ -36,7 +36,6 @@ Running: cat ~/.ssh/id_rsa
 cat: /Users/ollie/.ssh/id_rsa: Operation not permitted  # Specific file blocked
 ```
 
-
 ## Overview
 
 This package provides a standalone sandbox implementation that can be used as both a CLI tool and a library. It's designed with a **secure-by-default** philosophy tailored for common developer use cases: processes start with minimal access, and you explicitly poke only the holes you need.
@@ -53,6 +52,7 @@ This package provides a standalone sandbox implementation that can be used as bo
 A key use case is sandboxing Model Context Protocol (MCP) servers to restrict their capabilities. For example, to sandbox the filesystem MCP server:
 
 **Without sandboxing** (`.mcp.json`):
+
 ```json
 {
   "mcpServers": {
@@ -65,6 +65,7 @@ A key use case is sandboxing Model Context Protocol (MCP) servers to restrict th
 ```
 
 **With sandboxing** (`.mcp.json`):
+
 ```json
 {
   "mcpServers": {
@@ -77,6 +78,7 @@ A key use case is sandboxing Model Context Protocol (MCP) servers to restrict th
 ```
 
 Then configure restrictions in `~/.srt-settings.json`:
+
 ```json
 {
   "filesystem": {
@@ -92,6 +94,7 @@ Then configure restrictions in `~/.srt-settings.json`:
 ```
 
 Now the MCP server will be blocked from writing to the denied path:
+
 ```
 > Write a file to ~/sensitive-folder
 ✗ Error: EPERM: operation not permitted, open '/Users/ollie/sensitive-folder/test.txt'
@@ -106,7 +109,6 @@ The sandbox uses OS-level primitives to enforce restrictions that apply to the e
 
 ![0d1c612947c798aef48e6ab4beb7e8544da9d41a-4096x2305](https://github.com/user-attachments/assets/76c838a9-19ef-4d0b-90bb-cbe1917b3551)
 
-
 ### Dual Isolation Model
 
 Both filesystem and network isolation are required for effective sandboxing. Without file isolation, a compromised process could exfiltrate SSH keys or other sensitive files. Without network isolation, a process could escape the sandbox and gain unrestricted network access.
@@ -125,6 +127,7 @@ Both filesystem and network isolation are required for effective sandboxing. Wit
 Both HTTP/HTTPS (via HTTP proxy) and other TCP traffic (via SOCKS5 proxy) are mediated by these proxies, which enforce your domain allowlists and denylists.
 
 For more details on sandboxing in Claude Code, see:
+
 - [Claude Code Sandboxing Documentation](https://docs.claude.com/en/docs/claude-code/sandboxing)
 - [Beyond Permission Prompts: Making Claude Code More Secure and Autonomous](https://www.anthropic.com/engineering/claude-code-sandboxing)
 
@@ -170,33 +173,38 @@ srt --settings /path/to/srt-settings.json npm install
 ### As a library
 
 ```typescript
-import { SandboxManager, type SandboxRuntimeConfig } from '@anthropic-ai/sandbox-runtime'
+import {
+  SandboxManager,
+  type SandboxRuntimeConfig,
+} from '@anthropic-ai/sandbox-runtime'
 import { spawn } from 'child_process'
 
 // Define your sandbox configuration
 const config: SandboxRuntimeConfig = {
   network: {
     allowedDomains: ['example.com', 'api.github.com'],
-    deniedDomains: []
+    deniedDomains: [],
   },
   filesystem: {
     denyRead: ['~/.ssh'],
     allowWrite: ['.', '/tmp'],
-    denyWrite: ['.env']
-  }
+    denyWrite: ['.env'],
+  },
 }
 
 // Initialize the sandbox (starts proxy servers, etc.)
 await SandboxManager.initialize(config)
 
 // Wrap a command with sandbox restrictions
-const sandboxedCommand = await SandboxManager.wrapWithSandbox('curl https://example.com')
+const sandboxedCommand = await SandboxManager.wrapWithSandbox(
+  'curl https://example.com',
+)
 
 // Execute the sandboxed command
 const child = spawn(sandboxedCommand, { shell: true, stdio: 'inherit' })
 
 // Handle exit
-child.on('exit', (code) => {
+child.on('exit', code => {
   console.log(`Command exited with code ${code}`)
 })
 
@@ -249,26 +257,14 @@ srt --settings /path/to/srt-settings.json <command>
       "npmjs.org",
       "*.npmjs.org"
     ],
-    "deniedDomains": [
-      "malicious.com"
-    ],
+    "deniedDomains": ["malicious.com"],
     "allowUnixSockets": ["/var/run/docker.sock"],
     "allowLocalBinding": false
   },
   "filesystem": {
-    "denyRead": [
-      "~/.ssh"
-    ],
-    "allowWrite": [
-      ".",
-      "src/",
-      "test/",
-      "/tmp"
-    ],
-    "denyWrite": [
-      ".env",
-      "config/production.json"
-    ]
+    "denyRead": ["~/.ssh"],
+    "allowWrite": [".", "src/", "test/", "/tmp"],
+    "denyWrite": [".env", "config/production.json"]
   },
   "ignoreViolations": {
     "*": ["/usr/bin", "/System"],
@@ -295,9 +291,11 @@ Uses an **allow-only pattern** - all network access is denied by default.
 Uses two different patterns:
 
 **Read restrictions** (deny-only pattern) - all reads allowed by default:
+
 - `filesystem.denyRead` - Array of paths to deny read access. Empty array = full read access.
 
 **Write restrictions** (allow-only pattern) - all writes denied by default:
+
 - `filesystem.allowWrite` - Array of paths to allow write access. Empty array = no write access.
 - `filesystem.denyWrite` - Array of paths to deny write access within allowed paths (takes precedence over allowWrite)
 
@@ -311,6 +309,7 @@ Paths support git-style glob patterns on macOS, similar to `.gitignore` syntax:
 - `[abc]` - Matches any character in the set (e.g., `file[0-9].txt` matches `file3.txt`)
 
 Examples:
+
 - `"allowWrite": ["src/"]` - Allow write to entire `src/` directory
 - `"allowWrite": ["src/**/*.ts"]` - Allow write to all `.ts` files in `src/` and subdirectories
 - `"denyRead": ["~/.ssh"]` - Deny read to SSH directory
@@ -319,10 +318,12 @@ Examples:
 **Path Syntax (Linux):**
 
 **Linux currently does not support glob matching.** Use literal paths only:
+
 - `"allowWrite": ["src/"]` - Allow write to `src/` directory
 - `"denyRead": ["/home/user/.ssh"]` - Deny read to SSH directory
 
 **All platforms:**
+
 - Paths can be absolute (e.g., `/home/user/.ssh`) or relative to the current working directory (e.g., `./src`)
 - `~` expands to the user's home directory
 
@@ -334,6 +335,7 @@ Examples:
 ### Common Configuration Recipes
 
 **Allow GitHub access** (all necessary endpoints):
+
 ```json
 {
   "network": {
@@ -354,6 +356,7 @@ Examples:
 ```
 
 **Restrict to specific directories:**
+
 ```json
 {
   "network": {
@@ -371,6 +374,7 @@ Examples:
 ### Common Issues and Tips
 
 **Running Jest:** Use `--no-watchman` flag to avoid sandbox violations:
+
 ```bash
 srt "jest --no-watchman"
 ```
@@ -386,6 +390,7 @@ Watchman accesses files outside the sandbox boundaries, which will trigger permi
 ### Platform-Specific Dependencies
 
 **Linux requires:**
+
 - `bubblewrap` - Container runtime
   - Ubuntu/Debian: `apt-get install bubblewrap`
   - Fedora: `dnf install bubblewrap`
@@ -402,6 +407,7 @@ Watchman accesses files outside the sandbox boundaries, which will trigger permi
 **Optional Linux dependencies (for seccomp fallback):**
 
 The package includes pre-generated seccomp BPF filters for x86-64 and arm architectures. These dependencies are only needed if you are on a different architecture where pre-generated filters are not available:
+
 - `gcc` or `clang` - C compiler
 - `libseccomp-dev` - Seccomp library development files
   - Ubuntu/Debian: `apt-get install gcc libseccomp-dev`
@@ -409,6 +415,7 @@ The package includes pre-generated seccomp BPF filters for x86-64 and arm archit
   - Arch: `pacman -S gcc libseccomp`
 
 **macOS requires:**
+
 - `ripgrep` - Fast search tool for deny path detection
   - Install via Homebrew: `brew install ripgrep`
   - Or download from: https://github.com/BurntSushi/ripgrep/releases
@@ -450,6 +457,7 @@ npm run build:seccomp
 ```
 
 This script uses Docker to cross-compile seccomp binaries for multiple architectures:
+
 - x64 (x86-64)
 - arm64 (aarch64)
 
@@ -481,6 +489,7 @@ Filesystem restrictions are enforced at the OS level:
 **Default filesystem permissions:**
 
 - **Read** (deny-only): Allowed everywhere by default. You can deny specific paths.
+
   - Example: `denyRead: ["~/.ssh"]` to block access to SSH keys
   - Empty `denyRead: []` = full read access (nothing denied)
 
@@ -491,6 +500,50 @@ Filesystem restrictions are enforced at the OS level:
 
 This model lets you start with broad read access but maximally restricted write access, then explicitly open the holes you need.
 
+### Mandatory Deny Paths (Auto-Protected Files)
+
+Certain sensitive files and directories are **always blocked from writes**, even if they fall within an allowed write path. This provides defense-in-depth against sandbox escapes and configuration tampering.
+
+**Always-blocked files:**
+
+- Shell config files: `.bashrc`, `.bash_profile`, `.zshrc`, `.zprofile`, `.profile`
+- Git config files: `.gitconfig`, `.gitmodules`
+- Other sensitive files: `.ripgreprc`, `.mcp.json`
+
+**Always-blocked directories:**
+
+- IDE directories: `.vscode/`, `.idea/`
+- Claude config directories: `.claude/commands/`, `.claude/agents/`
+- Git hooks and config: `.git/hooks/`, `.git/config`
+
+These paths are blocked automatically - you don't need to add them to `denyWrite`. For example, even with `allowWrite: ["."]`, writing to `.bashrc` or `.git/hooks/pre-commit` will fail:
+
+```bash
+$ srt 'echo "malicious" >> .bashrc'
+/bin/bash: .bashrc: Operation not permitted
+
+$ srt 'echo "bad" > .git/hooks/pre-commit'
+/bin/bash: .git/hooks/pre-commit: Operation not permitted
+```
+
+**Note (Linux):** On Linux, mandatory deny paths only block files that already exist. Non-existent files in these patterns cannot be blocked by bubblewrap's bind-mount approach. macOS uses glob patterns which block both existing and new files.
+
+**Linux search depth:** On Linux, the sandbox uses `ripgrep` to scan for dangerous files in subdirectories within allowed write paths. By default, it searches up to 3 levels deep for performance. You can configure this with `mandatoryDenySearchDepth`:
+
+```json
+{
+  "mandatoryDenySearchDepth": 5,
+  "filesystem": {
+    "allowWrite": ["."]
+  }
+}
+```
+
+- Default: `3` (searches up to 3 levels deep)
+- Range: `1` to `10`
+- Higher values provide more protection but slower performance
+- Files in CWD (depth 0) are always protected regardless of this setting
+
 ### Unix Socket Restrictions (Linux)
 
 On Linux, the sandbox uses **seccomp BPF (Berkeley Packet Filter)** to block Unix domain socket creation at the syscall level. This provides an additional layer of security to prevent processes from creating new Unix domain sockets for local IPC (unless explicitly allowed).
@@ -565,15 +618,15 @@ Note: Custom proxy configuration is not yet supported in the new configuration f
 
 ### Security Limitations
 
-* Network Sandboxing Limitations: The network filtering system operates by restricting the domains that processes are allowed to connect to. It does not otherwise inspect the traffic passing through the proxy and users are responsible for ensuring they only allow trusted domains in their policy. 
+- Network Sandboxing Limitations: The network filtering system operates by restricting the domains that processes are allowed to connect to. It does not otherwise inspect the traffic passing through the proxy and users are responsible for ensuring they only allow trusted domains in their policy.
 
 <Warning>
 Users should be aware of potential risks that come from allowing broad domains like `github.com` that may allow for data exfiltration. Also, in some cases it may be possible to bypass the network filtering through [domain fronting](https://en.wikipedia.org/wiki/Domain_fronting).   
 </Warning>
 
-* Privilege Escalation via Unix Sockets: The `allowUnixSockets` configuration can inadvertently grant access to powerful system services that could lead to sandbox bypasses. For example, if it is used to allow access to `/var/run/docker.sock` this would effectively grant access to the host system through exploiting the docker socket. Users are encouraged to carefully consider any unix sockets that they allow through the sandbox. 
-* Filesystem Permission Escalation: Overly broad filesystem write permissions can enable privilege escalation attacks. Allowing writes to directories containing executables in `$PATH`, system configuration directories, or user shell configuration files (`.bashrc`, `.zshrc`) can lead to code execution in different security contexts when other users or system processes access these files.
-* Linux Sandbox Strength: The Linux implementation provides strong filesystem and network isolation but includes an `enableWeakerNestedSandbox` mode that enables it to work inside of Docker environments without privileged namespaces. This option considerably weakens security and should only be used incases where additional isolation is otherwise enforced.
+- Privilege Escalation via Unix Sockets: The `allowUnixSockets` configuration can inadvertently grant access to powerful system services that could lead to sandbox bypasses. For example, if it is used to allow access to `/var/run/docker.sock` this would effectively grant access to the host system through exploiting the docker socket. Users are encouraged to carefully consider any unix sockets that they allow through the sandbox.
+- Filesystem Permission Escalation: Overly broad filesystem write permissions can enable privilege escalation attacks. Allowing writes to directories containing executables in `$PATH`, system configuration directories, or user shell configuration files (`.bashrc`, `.zshrc`) can lead to code execution in different security contexts when other users or system processes access these files.
+- Linux Sandbox Strength: The Linux implementation provides strong filesystem and network isolation but includes an `enableWeakerNestedSandbox` mode that enables it to work inside of Docker environments without privileged namespaces. This option considerably weakens security and should only be used incases where additional isolation is otherwise enforced.
 
 ### Known Limitations and Future Work
 

package/dist/sandbox/linux-sandbox-utils.d.ts

@@ -24,6 +24,12 @@ export interface LinuxSandboxParams {
         command: string;
         args?: string[];
     };
+    /** Maximum directory depth to search for dangerous files (default: 3) */
+    mandatoryDenySearchDepth?: number;
+    /** Allow writes to .git/config files (default: false) */
+    allowGitConfig?: boolean;
+    /** Abort signal to cancel the ripgrep scan */
+    abortSignal?: AbortSignal;
 }
 /**
  * Check if Linux sandbox dependencies are available (synchronous)

package/dist/sandbox/linux-sandbox-utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"linux-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAQtD,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAQ7B,MAAM,WAAW,yBAAyB;IACxC,cAAc,EAAE,MAAM,CAAA;IACtB,eAAe,EAAE,MAAM,CAAA;IACvB,iBAAiB,EAAE,YAAY,CAAA;IAC/B,kBAAkB,EAAE,YAAY,CAAA;IAChC,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,uBAAuB,EAAE,OAAO,CAAA;IAChC,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,UAAU,CAAC,EAAE,uBAAuB,CAAA;IACpC,WAAW,CAAC,EAAE,wBAAwB,CAAA;IACtC,yBAAyB,CAAC,EAAE,OAAO,CAAA;IACnC,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,aAAa,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAA;CACrD;AA2BD;;;GAGG;AACH,wBAAgB,+BAA+B,CAC7C,mBAAmB,UAAQ,GAC1B,OAAO,CAqCT;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,4BAA4B,CAChD,aAAa,EAAE,MAAM,EACrB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,yBAAyB,CAAC,CA2HpC;AAqLD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,MAAM,CAAC,CA4OjB"}
+{"version":3,"file":"linux-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAWtD,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAQ7B,MAAM,WAAW,yBAAyB;IACxC,cAAc,EAAE,MAAM,CAAA;IACtB,eAAe,EAAE,MAAM,CAAA;IACvB,iBAAiB,EAAE,YAAY,CAAA;IAC/B,kBAAkB,EAAE,YAAY,CAAA;IAChC,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,uBAAuB,EAAE,OAAO,CAAA;IAChC,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,UAAU,CAAC,EAAE,uBAAuB,CAAA;IACpC,WAAW,CAAC,EAAE,wBAAwB,CAAA;IACtC,yBAAyB,CAAC,EAAE,OAAO,CAAA;IACnC,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,aAAa,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAA;IACpD,yEAAyE;IACzE,wBAAwB,CAAC,EAAE,MAAM,CAAA;IACjC,yDAAyD;IACzD,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,8CAA8C;IAC9C,WAAW,CAAC,EAAE,WAAW,CAAA;CAC1B;AA2ID;;;GAGG;AACH,wBAAgB,+BAA+B,CAC7C,mBAAmB,UAAQ,GAC1B,OAAO,CAqCT;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,4BAA4B,CAChD,aAAa,EAAE,MAAM,EACrB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,yBAAyB,CAAC,CA2HpC;AA6LD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,MAAM,CAAC,CAkPjB"}

package/dist/sandbox/linux-sandbox-utils.js

@@ -4,9 +4,102 @@ import { randomBytes } from 'node:crypto';
 import * as fs from 'fs';
 import { spawn, spawnSync } from 'node:child_process';
 import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-import { generateProxyEnvVars, normalizePathForSandbox, getMandatoryDenyWithinAllow, } from './sandbox-utils.js';
+import path, { join } from 'node:path';
+import { ripGrep } from '../utils/ripgrep.js';
+import { generateProxyEnvVars, normalizePathForSandbox, normalizeCaseForComparison, DANGEROUS_FILES, getDangerousDirectories, } from './sandbox-utils.js';
 import { generateSeccompFilter, cleanupSeccompFilter, getPreGeneratedBpfPath, getApplySeccompBinaryPath, } from './generate-seccomp-filter.js';
+/** Default max depth for searching dangerous files */
+const DEFAULT_MANDATORY_DENY_SEARCH_DEPTH = 3;
+/**
+ * Get mandatory deny paths using ripgrep (Linux only).
+ * Uses a SINGLE ripgrep call with multiple glob patterns for efficiency.
+ * With --max-depth limiting, this is fast enough to run on each command without memoization.
+ */
+async function linuxGetMandatoryDenyPaths(ripgrepConfig = { command: 'rg' }, maxDepth = DEFAULT_MANDATORY_DENY_SEARCH_DEPTH, allowGitConfig = false, abortSignal) {
+    const cwd = process.cwd();
+    // Use provided signal or create a fallback controller
+    const fallbackController = new AbortController();
+    const signal = abortSignal ?? fallbackController.signal;
+    const dangerousDirectories = getDangerousDirectories();
+    // Note: Settings files are added at the callsite in sandbox-manager.ts
+    const denyPaths = [
+        // Dangerous files in CWD
+        ...DANGEROUS_FILES.map(f => path.resolve(cwd, f)),
+        // Dangerous directories in CWD
+        ...dangerousDirectories.map(d => path.resolve(cwd, d)),
+        // Git hooks always blocked for security
+        path.resolve(cwd, '.git/hooks'),
+    ];
+    // Git config conditionally blocked based on allowGitConfig setting
+    if (!allowGitConfig) {
+        denyPaths.push(path.resolve(cwd, '.git/config'));
+    }
+    // Build iglob args for all patterns in one ripgrep call
+    const iglobArgs = [];
+    for (const fileName of DANGEROUS_FILES) {
+        iglobArgs.push('--iglob', fileName);
+    }
+    for (const dirName of dangerousDirectories) {
+        iglobArgs.push('--iglob', `**/${dirName}/**`);
+    }
+    // Git hooks always blocked in nested repos
+    iglobArgs.push('--iglob', '**/.git/hooks/**');
+    // Git config conditionally blocked in nested repos
+    if (!allowGitConfig) {
+        iglobArgs.push('--iglob', '**/.git/config');
+    }
+    // Single ripgrep call to find all dangerous paths in subdirectories
+    // Limit depth for performance - deeply nested dangerous files are rare
+    // and the security benefit doesn't justify the traversal cost
+    let matches = [];
+    try {
+        matches = await ripGrep([
+            '--files',
+            '--hidden',
+            '--max-depth',
+            String(maxDepth),
+            ...iglobArgs,
+            '-g',
+            '!**/node_modules/**',
+        ], cwd, signal, ripgrepConfig);
+    }
+    catch (error) {
+        logForDebugging(`[Sandbox] ripgrep scan failed: ${error}`);
+    }
+    // Process matches
+    for (const match of matches) {
+        const absolutePath = path.resolve(cwd, match);
+        // File inside a dangerous directory -> add the directory path
+        let foundDir = false;
+        for (const dirName of [...dangerousDirectories, '.git']) {
+            const normalizedDirName = normalizeCaseForComparison(dirName);
+            const segments = absolutePath.split(path.sep);
+            const dirIndex = segments.findIndex(s => normalizeCaseForComparison(s) === normalizedDirName);
+            if (dirIndex !== -1) {
+                // For .git, we want hooks/ or config, not the whole .git dir
+                if (dirName === '.git') {
+                    const gitDir = segments.slice(0, dirIndex + 1).join(path.sep);
+                    if (match.includes('.git/hooks')) {
+                        denyPaths.push(path.join(gitDir, 'hooks'));
+                    }
+                    else if (match.includes('.git/config')) {
+                        denyPaths.push(path.join(gitDir, 'config'));
+                    }
+                }
+                else {
+                    denyPaths.push(segments.slice(0, dirIndex + 1).join(path.sep));
+                }
+                foundDir = true;
+                break;
+            }
+        }
+        // Dangerous file match
+        if (!foundDir) {
+            denyPaths.push(absolutePath);
+        }
+    }
+    return [...new Set(denyPaths)];
+}
 // Track generated seccomp filters for cleanup on process exit
 const generatedSeccompFilters = new Set();
 let exitHandlerRegistered = false;
@@ -245,7 +338,7 @@ function buildSandboxCommand(httpSocketPath, socksSocketPath, userCommand, secco
 /**
  * Generate filesystem bind mount arguments for bwrap
  */
-async function generateFilesystemArgs(readConfig, writeConfig, ripgrepConfig = { command: 'rg' }) {
+async function generateFilesystemArgs(readConfig, writeConfig, ripgrepConfig = { command: 'rg' }, mandatoryDenySearchDepth = DEFAULT_MANDATORY_DENY_SEARCH_DEPTH, allowGitConfig = false, abortSignal) {
     const args = [];
     // fs already imported
     // Determine initial root mount based on write restrictions
@@ -273,7 +366,7 @@ async function generateFilesystemArgs(readConfig, writeConfig, ripgrepConfig = {
         // Deny writes within allowed paths (user-specified + mandatory denies)
         const denyPaths = [
             ...(writeConfig.denyWithinAllow || []),
-            ...(await getMandatoryDenyWithinAllow(ripgrepConfig)),
+            ...(await linuxGetMandatoryDenyPaths(ripgrepConfig, mandatoryDenySearchDepth, allowGitConfig, abortSignal)),
         ];
         for (const pathPattern of denyPaths) {
             const normalizedPath = normalizePathForSandbox(pathPattern);
@@ -374,7 +467,7 @@ async function generateFilesystemArgs(readConfig, writeConfig, ripgrepConfig = {
  * Dependencies are checked by hasLinuxSandboxDependenciesSync() before enabling the sandbox.
  */
 export async function wrapCommandWithSandboxLinux(params) {
-    const { command, needsNetworkRestriction, httpSocketPath, socksSocketPath, httpProxyPort, socksProxyPort, readConfig, writeConfig, enableWeakerNestedSandbox, allowAllUnixSockets, binShell, ripgrepConfig = { command: 'rg' }, } = params;
+    const { command, needsNetworkRestriction, httpSocketPath, socksSocketPath, httpProxyPort, socksProxyPort, readConfig, writeConfig, enableWeakerNestedSandbox, allowAllUnixSockets, binShell, ripgrepConfig = { command: 'rg' }, mandatoryDenySearchDepth = DEFAULT_MANDATORY_DENY_SEARCH_DEPTH, allowGitConfig = false, abortSignal, } = params;
     // Determine if we have restrictions to apply
     // Read: denyOnly pattern - empty array means no restrictions
     // Write: allowOnly pattern - undefined means no restrictions, any config means restrictions
@@ -460,7 +553,7 @@ export async function wrapCommandWithSandboxLinux(params) {
             // If no sockets provided, network is completely blocked (--unshare-net without proxy)
         }
         // ========== FILESYSTEM RESTRICTIONS ==========
-        const fsArgs = await generateFilesystemArgs(readConfig, writeConfig, ripgrepConfig);
+        const fsArgs = await generateFilesystemArgs(readConfig, writeConfig, ripgrepConfig, mandatoryDenySearchDepth, allowGitConfig, abortSignal);
         bwrapArgs.push(...fsArgs);
         // Always bind /dev
         bwrapArgs.push('--dev', '/dev');

package/dist/sandbox/linux-sandbox-utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"linux-sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,UAAU,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAErD,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,oBAAoB,CAAA;AAK3B,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAA;AA0BrC,8DAA8D;AAC9D,MAAM,uBAAuB,GAAgB,IAAI,GAAG,EAAE,CAAA;AACtD,IAAI,qBAAqB,GAAG,KAAK,CAAA;AAEjC;;GAEG;AACH,SAAS,6BAA6B;IACpC,IAAI,qBAAqB,EAAE,CAAC;QAC1B,OAAM;IACR,CAAC;IAED,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;QACtB,KAAK,MAAM,UAAU,IAAI,uBAAuB,EAAE,CAAC;YACjD,IAAI,CAAC;gBACH,oBAAoB,CAAC,UAAU,CAAC,CAAA;YAClC,CAAC;YAAC,MAAM,CAAC;gBACP,oCAAoC;YACtC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,qBAAqB,GAAG,IAAI,CAAA;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,+BAA+B,CAC7C,mBAAmB,GAAG,KAAK;IAE3B,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;YAChD,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QACF,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;YAChD,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QAEF,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,CAAA;QAEzE,6DAA6D;QAC7D,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,oEAAoE;YACpE,MAAM,kBAAkB,GAAG,sBAAsB,EAAE,KAAK,IAAI,CAAA;YAE5D,kEAAkE;YAClE,MAAM,qBAAqB,GAAG,yBAAyB,EAAE,KAAK,IAAI,CAAA;YAElE,IAAI,CAAC,kBAAkB,IAAI,CAAC,qBAAqB,EAAE,CAAC;gBAClD,sEAAsE;gBACtE,oEAAoE;gBACpE,eAAe,CACb,yEAAyE,OAAO,CAAC,IAAI,KAAK;oBACxF,4EAA4E;oBAC5E,+EAA+E,EACjF,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAA;YACH,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAA;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,aAAqB,EACrB,cAAsB;IAEtB,MAAM,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC/C,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,QAAQ,OAAO,CAAC,CAAA;IACrE,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,QAAQ,OAAO,CAAC,CAAA;IAEvE,oBAAoB;IACpB,MAAM,aAAa,GAAG;QACpB,eAAe,cAAc,iBAAiB;QAC9C,iBAAiB,aAAa,8CAA8C;KAC7E,CAAA;IAED,eAAe,CAAC,+BAA+B,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAEzE,MAAM,iBAAiB,GAAG,KAAK,CAAC,OAAO,EAAE,aAAa,EAAE;QACtD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IAED,uDAAuD;IACvD,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;QAClC,eAAe,CAAC,8BAA8B,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;IAC1E,CAAC,CAAC,CAAA;IACF,iBAAiB,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;QAC5C,eAAe,CACb,wCAAwC,IAAI,YAAY,MAAM,EAAE,EAChE,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CACzC,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,qBAAqB;IACrB,MAAM,cAAc,GAAG;QACrB,eAAe,eAAe,iBAAiB;QAC/C,iBAAiB,cAAc,8CAA8C;KAC9E,CAAA;IAED,eAAe,CAAC,gCAAgC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAE3E,MAAM,kBAAkB,GAAG,KAAK,CAAC,OAAO,EAAE,cAAc,EAAE;QACxD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC;QAC5B,uBAAuB;QACvB,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;YAChD,CAAC;YAAC,MAAM,CAAC;gBACP,gBAAgB;YAClB,CAAC;QACH,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;IACzD,CAAC;IAED,uDAAuD;IACvD,kBAAkB,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;QACnC,eAAe,CAAC,+BAA+B,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;IAC3E,CAAC,CAAC,CAAA;IACF,kBAAkB,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;QAC7C,eAAe,CACb,yCAAyC,IAAI,YAAY,MAAM,EAAE,EACjE,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CACzC,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,oCAAoC;IACpC,MAAM,WAAW,GAAG,CAAC,CAAA;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,IACE,CAAC,iBAAiB,CAAC,GAAG;YACtB,iBAAiB,CAAC,MAAM;YACxB,CAAC,kBAAkB,CAAC,GAAG;YACvB,kBAAkB,CAAC,MAAM,EACzB,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,CAAC;YACH,sBAAsB;YACtB,IAAI,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;gBACpE,eAAe,CAAC,6BAA6B,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;gBAC9D,MAAK;YACP,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAe,CAAC,mCAAmC,CAAC,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE;gBACnE,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,WAAW,GAAG,CAAC,EAAE,CAAC;YAC1B,0BAA0B;YAC1B,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,IAAI,kBAAkB,CAAC,GAAG,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBACjD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,MAAM,IAAI,KAAK,CACb,yCAAyC,WAAW,WAAW,CAChE,CAAA;QACH,CAAC;QAED,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;IAC5D,CAAC;IAED,OAAO;QACL,cAAc;QACd,eAAe;QACf,iBAAiB;QACjB,kBAAkB;QAClB,aAAa;QACb,cAAc;KACf,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAC1B,cAAsB,EACtB,eAAuB,EACvB,WAAmB,EACnB,iBAAqC,EACrC,KAAc;IAEd,6CAA6C;IAC7C,MAAM,SAAS,GAAG,KAAK,IAAI,MAAM,CAAA;IACjC,MAAM,aAAa,GAAG;QACpB,qDAAqD,cAAc,oBAAoB;QACvF,qDAAqD,eAAe,oBAAoB;QACxF,0CAA0C;KAC3C,CAAA;IAED,+DAA+D;IAC/D,IAAI,iBAAiB,EAAE,CAAC;QACtB,0BAA0B;QAC1B,qEAAqE;QACrE,kEAAkE;QAClE,kEAAkE;QAClE,EAAE;QACF,4CAA4C;QAC5C,6BAA6B;QAC7B,6DAA6D;QAC7D,2BAA2B;QAC3B,EAAE;QACF,oFAAoF;QACpF,MAAM,kBAAkB,GAAG,yBAAyB,EAAE,CAAA;QACtD,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CACb,wEAAwE;gBACtE,uFAAuF,CAC1F,CAAA;QACH,CAAC;QAED,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,CAAC;YACvC,kBAAkB;YAClB,iBAAiB;YACjB,SAAS;YACT,IAAI;YACJ,WAAW;SACZ,CAAC,CAAA;QAEF,MAAM,WAAW,GAAG,CAAC,GAAG,aAAa,EAAE,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAClE,OAAO,GAAG,SAAS,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CAAA;IAC7D,CAAC;SAAM,CAAC;QACN,gDAAgD;QAChD,MAAM,WAAW,GAAG;YAClB,GAAG,aAAa;YAChB,QAAQ,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE;SAC1C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEZ,OAAO,GAAG,SAAS,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CAAA;IAC7D,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,sBAAsB,CACnC,UAA+C,EAC/C,WAAiD,EACjD,gBAAsD,EAAE,OAAO,EAAE,IAAI,EAAE;IAEvE,MAAM,IAAI,GAAa,EAAE,CAAA;IACzB,sBAAsB;IAEtB,2DAA2D;IAC3D,IAAI,WAAW,EAAE,CAAC;QAChB,qFAAqF;QACrF,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;QAEhC,4DAA4D;QAC5D,MAAM,iBAAiB,GAAa,EAAE,CAAA;QAEtC,iCAAiC;QACjC,KAAK,MAAM,WAAW,IAAI,WAAW,CAAC,SAAS,IAAI,EAAE,EAAE,CAAC;YACtD,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,eAAe,CACb,0CAA0C,WAAW,OAAO,cAAc,EAAE,CAC7E,CAAA;YAED,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,eAAe,CAAC,uCAAuC,cAAc,EAAE,CAAC,CAAA;gBACxE,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,eAAe,CACb,qDAAqD,cAAc,EAAE,CACtE,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACnD,iBAAiB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACxC,CAAC;QAED,uEAAuE;QACvE,MAAM,SAAS,GAAG;YAChB,GAAG,CAAC,WAAW,CAAC,eAAe,IAAI,EAAE,CAAC;YACtC,GAAG,CAAC,MAAM,2BAA2B,CAAC,aAAa,CAAC,CAAC;SACtD,CAAA;QAED,KAAK,MAAM,WAAW,IAAI,SAAS,EAAE,CAAC;YACpC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,SAAQ;YACV,CAAC;YAED,0BAA0B;YAC1B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,eAAe,CACb,oDAAoD,cAAc,EAAE,CACrE,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,qEAAqE;YACrE,kEAAkE;YAClE,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,CAChD,WAAW,CAAC,EAAE,CACZ,cAAc,CAAC,UAAU,CAAC,WAAW,GAAG,GAAG,CAAC;gBAC5C,cAAc,KAAK,WAAW,CACjC,CAAA;YAED,IAAI,mBAAmB,EAAE,CAAC;gBACxB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACxD,CAAC;iBAAM,CAAC;gBACN,eAAe,CACb,gEAAgE,cAAc,EAAE,CACjF,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,0CAA0C;QAC1C,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;IAC/B,CAAC;IAED,+DAA+D;IAC/D,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAA;IAEvD,6EAA6E;IAC7E,+EAA+E;IAC/E,4EAA4E;IAC5E,IAAI,EAAE,CAAC,UAAU,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC3C,aAAa,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;IAC7C,CAAC;IAED,KAAK,MAAM,WAAW,IAAI,aAAa,EAAE,CAAC;QACxC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;QAC3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YACnC,eAAe,CACb,yDAAyD,cAAc,EAAE,CAC1E,CAAA;YACD,SAAQ;QACV,CAAC;QAED,MAAM,YAAY,GAAG,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;QAChD,IAAI,YAAY,CAAC,WAAW,EAAE,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAA;QACtC,CAAC;aAAM,CAAC;YACN,6CAA6C;YAC7C,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,cAAc,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAA0B;IAE1B,MAAM,EACJ,OAAO,EACP,uBAAuB,EACvB,cAAc,EACd,eAAe,EACf,aAAa,EACb,cAAc,EACd,UAAU,EACV,WAAW,EACX,yBAAyB,EACzB,mBAAmB,EACnB,QAAQ,EACR,aAAa,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,GAClC,GAAG,MAAM,CAAA;IAEV,6CAA6C;IAC7C,6DAA6D;IAC7D,4FAA4F;IAC5F,MAAM,mBAAmB,GAAG,UAAU,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAA;IACxE,MAAM,oBAAoB,GAAG,WAAW,KAAK,SAAS,CAAA;IAEtD,kCAAkC;IAClC,IACE,CAAC,uBAAuB;QACxB,CAAC,mBAAmB;QACpB,CAAC,oBAAoB,EACrB,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,IAAI,iBAAiB,GAAuB,SAAS,CAAA;IAErD,IAAI,CAAC;QACH,8DAA8D;QAC9D,kFAAkF;QAClF,EAAE;QACF,4EAA4E;QAC5E,wCAAwC;QACxC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,iBAAiB,GAAG,qBAAqB,EAAE,IAAI,SAAS,CAAA;YACxD,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,8DAA8D;gBAC9D,yEAAyE;gBACzE,eAAe,CACb,mEAAmE;oBACjE,uEAAuE;oBACvE,oEAAoE,EACtE,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAA;YACH,CAAC;iBAAM,CAAC;gBACN,qDAAqD;gBACrD,6EAA6E;gBAC7E,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;oBACpD,uBAAuB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;oBAC9C,6BAA6B,EAAE,CAAA;gBACjC,CAAC;gBAED,eAAe,CACb,uEAAuE,CACxE,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAI,mBAAmB,EAAE,CAAC;YAC/B,eAAe,CACb,0EAA0E,CAC3E,CAAA;QACH,CAAC;QAED,6CAA6C;QAC7C,IAAI,uBAAuB,EAAE,CAAC;YAC5B,6DAA6D;YAC7D,wEAAwE;YACxE,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;YAE/B,qEAAqE;YACrE,sEAAsE;YACtE,2DAA2D;YAC3D,IAAI,cAAc,IAAI,eAAe,EAAE,CAAC;gBACtC,6DAA6D;gBAC7D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;oBACnC,MAAM,IAAI,KAAK,CACb,4CAA4C,cAAc,IAAI;wBAC5D,mEAAmE,CACtE,CAAA;gBACH,CAAC;gBACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;oBACpC,MAAM,IAAI,KAAK,CACb,6CAA6C,eAAe,IAAI;wBAC9D,mEAAmE,CACtE,CAAA;gBACH,CAAC;gBAED,qCAAqC;gBACrC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;gBACxD,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,EAAE,eAAe,CAAC,CAAA;gBAE1D,kCAAkC;gBAClC,yEAAyE;gBACzE,4EAA4E;gBAC5E,MAAM,QAAQ,GAAG,oBAAoB,CACnC,IAAI,EAAE,8BAA8B;gBACpC,IAAI,CACL,CAAA;gBACD,SAAS,CAAC,IAAI,CACZ,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,GAAW,EAAE,EAAE;oBAClC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBAChC,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAA;oBACjC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;oBACpC,OAAO,CAAC,UAAU,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;gBACjC,CAAC,CAAC,CACH,CAAA;gBAED,uEAAuE;gBACvE,iEAAiE;gBACjE,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;oBAChC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,kCAAkC,EAClC,MAAM,CAAC,aAAa,CAAC,CACtB,CAAA;gBACH,CAAC;gBACD,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;oBACjC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,mCAAmC,EACnC,MAAM,CAAC,cAAc,CAAC,CACvB,CAAA;gBACH,CAAC;YACH,CAAC;YACD,sFAAsF;QACxF,CAAC;QAED,gDAAgD;QAChD,MAAM,MAAM,GAAG,MAAM,sBAAsB,CACzC,UAAU,EACV,WAAW,EACX,aAAa,CACd,CAAA;QACD,SAAS,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAA;QAEzB,mBAAmB;QACnB,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;QAE/B,gDAAgD;QAChD,6EAA6E;QAC7E,kEAAkE;QAClE,wEAAwE;QACxE,qGAAqG;QACrG,mGAAmG;QACnG,4DAA4D;QAC5D,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAC/B,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAC/B,+DAA+D;YAC/D,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QACnC,CAAC;QAED,gCAAgC;QAChC,0EAA0E;QAC1E,0EAA0E;QAC1E,MAAM,SAAS,GAAG,QAAQ,IAAI,MAAM,CAAA;QACpC,MAAM,eAAe,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE;YACtD,QAAQ,EAAE,MAAM;SACjB,CAAC,CAAA;QACF,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,UAAU,SAAS,qBAAqB,CAAC,CAAA;QAC3D,CAAC;QACD,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,EAAE,CAAA;QAC3C,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAA;QAEjC,+FAA+F;QAC/F,wEAAwE;QACxE,IAAI,uBAAuB,IAAI,cAAc,IAAI,eAAe,EAAE,CAAC;YACjE,2EAA2E;YAC3E,uDAAuD;YACvD,MAAM,cAAc,GAAG,mBAAmB,CACxC,cAAc,EACd,eAAe,EACf,OAAO,EACP,iBAAiB,EACjB,KAAK,CACN,CAAA;YACD,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QAChC,CAAC;aAAM,IAAI,iBAAiB,EAAE,CAAC;YAC7B,2EAA2E;YAC3E,4FAA4F;YAC5F,MAAM,kBAAkB,GAAG,yBAAyB,EAAE,CAAA;YACtD,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CACb,wEAAwE;oBACtE,uFAAuF,CAC1F,CAAA;YACH,CAAC;YAED,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,CAAC;gBACvC,kBAAkB;gBAClB,iBAAiB;gBACjB,KAAK;gBACL,IAAI;gBACJ,OAAO;aACR,CAAC,CAAA;YACF,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QACjC,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QACzB,CAAC;QAED,gCAAgC;QAChC,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,CAAC,CAAA;QAEhE,MAAM,YAAY,GAAG,EAAE,CAAA;QACvB,IAAI,uBAAuB;YAAE,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QACzD,IAAI,mBAAmB,IAAI,oBAAoB;YAC7C,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QACjC,IAAI,iBAAiB;YAAE,YAAY,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;QAE/D,eAAe,CACb,+CAA+C,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CACvF,CAAA;QAED,OAAO,cAAc,CAAA;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,mCAAmC;QACnC,IAAI,iBAAiB,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACzE,uBAAuB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAA;YACjD,IAAI,CAAC;gBACH,oBAAoB,CAAC,iBAAiB,CAAC,CAAA;YACzC,CAAC;YAAC,OAAO,YAAY,EAAE,CAAC;gBACtB,eAAe,CACb,+DAA+D,YAAY,EAAE,EAC7E,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;YACH,CAAC;QACH,CAAC;QACD,8BAA8B;QAC9B,MAAM,KAAK,CAAA;IACb,CAAC;AACH,CAAC"}
+{"version":3,"file":"linux-sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,UAAU,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAErD,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAC7C,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,eAAe,EACf,uBAAuB,GACxB,MAAM,oBAAoB,CAAA;AAK3B,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAA;AAgCrC,sDAAsD;AACtD,MAAM,mCAAmC,GAAG,CAAC,CAAA;AAE7C;;;;GAIG;AACH,KAAK,UAAU,0BAA0B,CACvC,gBAAsD,EAAE,OAAO,EAAE,IAAI,EAAE,EACvE,WAAmB,mCAAmC,EACtD,cAAc,GAAG,KAAK,EACtB,WAAyB;IAEzB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IACzB,sDAAsD;IACtD,MAAM,kBAAkB,GAAG,IAAI,eAAe,EAAE,CAAA;IAChD,MAAM,MAAM,GAAG,WAAW,IAAI,kBAAkB,CAAC,MAAM,CAAA;IACvD,MAAM,oBAAoB,GAAG,uBAAuB,EAAE,CAAA;IAEtD,uEAAuE;IACvE,MAAM,SAAS,GAAG;QAChB,yBAAyB;QACzB,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACjD,+BAA+B;QAC/B,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACtD,wCAAwC;QACxC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,YAAY,CAAC;KAChC,CAAA;IAED,mEAAmE;IACnE,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC,CAAA;IAClD,CAAC;IAED,wDAAwD;IACxD,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,KAAK,MAAM,QAAQ,IAAI,eAAe,EAAE,CAAC;QACvC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAA;IACrC,CAAC;IACD,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,OAAO,KAAK,CAAC,CAAA;IAC/C,CAAC;IACD,2CAA2C;IAC3C,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAA;IAE7C,mDAAmD;IACnD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAA;IAC7C,CAAC;IAED,oEAAoE;IACpE,uEAAuE;IACvE,8DAA8D;IAC9D,IAAI,OAAO,GAAa,EAAE,CAAA;IAC1B,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CACrB;YACE,SAAS;YACT,UAAU;YACV,aAAa;YACb,MAAM,CAAC,QAAQ,CAAC;YAChB,GAAG,SAAS;YACZ,IAAI;YACJ,qBAAqB;SACtB,EACD,GAAG,EACH,MAAM,EACN,aAAa,CACd,CAAA;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAe,CAAC,kCAAkC,KAAK,EAAE,CAAC,CAAA;IAC5D,CAAC;IAED,kBAAkB;IAClB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;QAE7C,8DAA8D;QAC9D,IAAI,QAAQ,GAAG,KAAK,CAAA;QACpB,KAAK,MAAM,OAAO,IAAI,CAAC,GAAG,oBAAoB,EAAE,MAAM,CAAC,EAAE,CAAC;YACxD,MAAM,iBAAiB,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAA;YAC7D,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAC7C,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CACjC,CAAC,CAAC,EAAE,CAAC,0BAA0B,CAAC,CAAC,CAAC,KAAK,iBAAiB,CACzD,CAAA;YACD,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;gBACpB,6DAA6D;gBAC7D,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;oBACvB,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;oBAC7D,IAAI,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;wBACjC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;oBAC5C,CAAC;yBAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;wBACzC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAA;oBAC7C,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;gBAChE,CAAC;gBACD,QAAQ,GAAG,IAAI,CAAA;gBACf,MAAK;YACP,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAA;AAChC,CAAC;AAED,8DAA8D;AAC9D,MAAM,uBAAuB,GAAgB,IAAI,GAAG,EAAE,CAAA;AACtD,IAAI,qBAAqB,GAAG,KAAK,CAAA;AAEjC;;GAEG;AACH,SAAS,6BAA6B;IACpC,IAAI,qBAAqB,EAAE,CAAC;QAC1B,OAAM;IACR,CAAC;IAED,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;QACtB,KAAK,MAAM,UAAU,IAAI,uBAAuB,EAAE,CAAC;YACjD,IAAI,CAAC;gBACH,oBAAoB,CAAC,UAAU,CAAC,CAAA;YAClC,CAAC;YAAC,MAAM,CAAC;gBACP,oCAAoC;YACtC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,qBAAqB,GAAG,IAAI,CAAA;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,+BAA+B,CAC7C,mBAAmB,GAAG,KAAK;IAE3B,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;YAChD,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QACF,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;YAChD,KAAK,EAAE,QAAQ;YACf,OAAO,EAAE,IAAI;SACd,CAAC,CAAA;QAEF,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,CAAA;QAEzE,6DAA6D;QAC7D,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,oEAAoE;YACpE,MAAM,kBAAkB,GAAG,sBAAsB,EAAE,KAAK,IAAI,CAAA;YAE5D,kEAAkE;YAClE,MAAM,qBAAqB,GAAG,yBAAyB,EAAE,KAAK,IAAI,CAAA;YAElE,IAAI,CAAC,kBAAkB,IAAI,CAAC,qBAAqB,EAAE,CAAC;gBAClD,sEAAsE;gBACtE,oEAAoE;gBACpE,eAAe,CACb,yEAAyE,OAAO,CAAC,IAAI,KAAK;oBACxF,4EAA4E;oBAC5E,+EAA+E,EACjF,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAA;YACH,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAA;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,aAAqB,EACrB,cAAsB;IAEtB,MAAM,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC/C,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,QAAQ,OAAO,CAAC,CAAA;IACrE,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,QAAQ,OAAO,CAAC,CAAA;IAEvE,oBAAoB;IACpB,MAAM,aAAa,GAAG;QACpB,eAAe,cAAc,iBAAiB;QAC9C,iBAAiB,aAAa,8CAA8C;KAC7E,CAAA;IAED,eAAe,CAAC,+BAA+B,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAEzE,MAAM,iBAAiB,GAAG,KAAK,CAAC,OAAO,EAAE,aAAa,EAAE;QACtD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IAED,uDAAuD;IACvD,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;QAClC,eAAe,CAAC,8BAA8B,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;IAC1E,CAAC,CAAC,CAAA;IACF,iBAAiB,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;QAC5C,eAAe,CACb,wCAAwC,IAAI,YAAY,MAAM,EAAE,EAChE,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CACzC,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,qBAAqB;IACrB,MAAM,cAAc,GAAG;QACrB,eAAe,eAAe,iBAAiB;QAC/C,iBAAiB,cAAc,8CAA8C;KAC9E,CAAA;IAED,eAAe,CAAC,gCAAgC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAE3E,MAAM,kBAAkB,GAAG,KAAK,CAAC,OAAO,EAAE,cAAc,EAAE;QACxD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC;QAC5B,uBAAuB;QACvB,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;YAChD,CAAC;YAAC,MAAM,CAAC;gBACP,gBAAgB;YAClB,CAAC;QACH,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;IACzD,CAAC;IAED,uDAAuD;IACvD,kBAAkB,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;QACnC,eAAe,CAAC,+BAA+B,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;IAC3E,CAAC,CAAC,CAAA;IACF,kBAAkB,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;QAC7C,eAAe,CACb,yCAAyC,IAAI,YAAY,MAAM,EAAE,EACjE,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CACzC,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,oCAAoC;IACpC,MAAM,WAAW,GAAG,CAAC,CAAA;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,IACE,CAAC,iBAAiB,CAAC,GAAG;YACtB,iBAAiB,CAAC,MAAM;YACxB,CAAC,kBAAkB,CAAC,GAAG;YACvB,kBAAkB,CAAC,MAAM,EACzB,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,CAAC;YACH,sBAAsB;YACtB,IAAI,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;gBACpE,eAAe,CAAC,6BAA6B,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;gBAC9D,MAAK;YACP,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAe,CAAC,mCAAmC,CAAC,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE;gBACnE,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,WAAW,GAAG,CAAC,EAAE,CAAC;YAC1B,0BAA0B;YAC1B,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,IAAI,kBAAkB,CAAC,GAAG,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBACjD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,MAAM,IAAI,KAAK,CACb,yCAAyC,WAAW,WAAW,CAChE,CAAA;QACH,CAAC;QAED,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;IAC5D,CAAC;IAED,OAAO;QACL,cAAc;QACd,eAAe;QACf,iBAAiB;QACjB,kBAAkB;QAClB,aAAa;QACb,cAAc;KACf,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAC1B,cAAsB,EACtB,eAAuB,EACvB,WAAmB,EACnB,iBAAqC,EACrC,KAAc;IAEd,6CAA6C;IAC7C,MAAM,SAAS,GAAG,KAAK,IAAI,MAAM,CAAA;IACjC,MAAM,aAAa,GAAG;QACpB,qDAAqD,cAAc,oBAAoB;QACvF,qDAAqD,eAAe,oBAAoB;QACxF,0CAA0C;KAC3C,CAAA;IAED,+DAA+D;IAC/D,IAAI,iBAAiB,EAAE,CAAC;QACtB,0BAA0B;QAC1B,qEAAqE;QACrE,kEAAkE;QAClE,kEAAkE;QAClE,EAAE;QACF,4CAA4C;QAC5C,6BAA6B;QAC7B,6DAA6D;QAC7D,2BAA2B;QAC3B,EAAE;QACF,oFAAoF;QACpF,MAAM,kBAAkB,GAAG,yBAAyB,EAAE,CAAA;QACtD,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CACb,wEAAwE;gBACtE,uFAAuF,CAC1F,CAAA;QACH,CAAC;QAED,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,CAAC;YACvC,kBAAkB;YAClB,iBAAiB;YACjB,SAAS;YACT,IAAI;YACJ,WAAW;SACZ,CAAC,CAAA;QAEF,MAAM,WAAW,GAAG,CAAC,GAAG,aAAa,EAAE,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAClE,OAAO,GAAG,SAAS,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CAAA;IAC7D,CAAC;SAAM,CAAC;QACN,gDAAgD;QAChD,MAAM,WAAW,GAAG;YAClB,GAAG,aAAa;YAChB,QAAQ,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE;SAC1C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEZ,OAAO,GAAG,SAAS,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CAAA;IAC7D,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,sBAAsB,CACnC,UAA+C,EAC/C,WAAiD,EACjD,gBAAsD,EAAE,OAAO,EAAE,IAAI,EAAE,EACvE,2BAAmC,mCAAmC,EACtE,cAAc,GAAG,KAAK,EACtB,WAAyB;IAEzB,MAAM,IAAI,GAAa,EAAE,CAAA;IACzB,sBAAsB;IAEtB,2DAA2D;IAC3D,IAAI,WAAW,EAAE,CAAC;QAChB,qFAAqF;QACrF,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;QAEhC,4DAA4D;QAC5D,MAAM,iBAAiB,GAAa,EAAE,CAAA;QAEtC,iCAAiC;QACjC,KAAK,MAAM,WAAW,IAAI,WAAW,CAAC,SAAS,IAAI,EAAE,EAAE,CAAC;YACtD,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,eAAe,CACb,0CAA0C,WAAW,OAAO,cAAc,EAAE,CAC7E,CAAA;YAED,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,eAAe,CAAC,uCAAuC,cAAc,EAAE,CAAC,CAAA;gBACxE,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,eAAe,CACb,qDAAqD,cAAc,EAAE,CACtE,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACnD,iBAAiB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACxC,CAAC;QAED,uEAAuE;QACvE,MAAM,SAAS,GAAG;YAChB,GAAG,CAAC,WAAW,CAAC,eAAe,IAAI,EAAE,CAAC;YACtC,GAAG,CAAC,MAAM,0BAA0B,CAClC,aAAa,EACb,wBAAwB,EACxB,cAAc,EACd,WAAW,CACZ,CAAC;SACH,CAAA;QAED,KAAK,MAAM,WAAW,IAAI,SAAS,EAAE,CAAC;YACpC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,SAAQ;YACV,CAAC;YAED,0BAA0B;YAC1B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,eAAe,CACb,oDAAoD,cAAc,EAAE,CACrE,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,qEAAqE;YACrE,kEAAkE;YAClE,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,CAChD,WAAW,CAAC,EAAE,CACZ,cAAc,CAAC,UAAU,CAAC,WAAW,GAAG,GAAG,CAAC;gBAC5C,cAAc,KAAK,WAAW,CACjC,CAAA;YAED,IAAI,mBAAmB,EAAE,CAAC;gBACxB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACxD,CAAC;iBAAM,CAAC;gBACN,eAAe,CACb,gEAAgE,cAAc,EAAE,CACjF,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,0CAA0C;QAC1C,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;IAC/B,CAAC;IAED,+DAA+D;IAC/D,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAA;IAEvD,6EAA6E;IAC7E,+EAA+E;IAC/E,4EAA4E;IAC5E,IAAI,EAAE,CAAC,UAAU,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC3C,aAAa,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;IAC7C,CAAC;IAED,KAAK,MAAM,WAAW,IAAI,aAAa,EAAE,CAAC;QACxC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;QAC3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YACnC,eAAe,CACb,yDAAyD,cAAc,EAAE,CAC1E,CAAA;YACD,SAAQ;QACV,CAAC;QAED,MAAM,YAAY,GAAG,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;QAChD,IAAI,YAAY,CAAC,WAAW,EAAE,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAA;QACtC,CAAC;aAAM,CAAC;YACN,6CAA6C;YAC7C,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,cAAc,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAA0B;IAE1B,MAAM,EACJ,OAAO,EACP,uBAAuB,EACvB,cAAc,EACd,eAAe,EACf,aAAa,EACb,cAAc,EACd,UAAU,EACV,WAAW,EACX,yBAAyB,EACzB,mBAAmB,EACnB,QAAQ,EACR,aAAa,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,EACjC,wBAAwB,GAAG,mCAAmC,EAC9D,cAAc,GAAG,KAAK,EACtB,WAAW,GACZ,GAAG,MAAM,CAAA;IAEV,6CAA6C;IAC7C,6DAA6D;IAC7D,4FAA4F;IAC5F,MAAM,mBAAmB,GAAG,UAAU,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAA;IACxE,MAAM,oBAAoB,GAAG,WAAW,KAAK,SAAS,CAAA;IAEtD,kCAAkC;IAClC,IACE,CAAC,uBAAuB;QACxB,CAAC,mBAAmB;QACpB,CAAC,oBAAoB,EACrB,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,IAAI,iBAAiB,GAAuB,SAAS,CAAA;IAErD,IAAI,CAAC;QACH,8DAA8D;QAC9D,kFAAkF;QAClF,EAAE;QACF,4EAA4E;QAC5E,wCAAwC;QACxC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,iBAAiB,GAAG,qBAAqB,EAAE,IAAI,SAAS,CAAA;YACxD,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,8DAA8D;gBAC9D,yEAAyE;gBACzE,eAAe,CACb,mEAAmE;oBACjE,uEAAuE;oBACvE,oEAAoE,EACtE,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAA;YACH,CAAC;iBAAM,CAAC;gBACN,qDAAqD;gBACrD,6EAA6E;gBAC7E,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;oBACpD,uBAAuB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;oBAC9C,6BAA6B,EAAE,CAAA;gBACjC,CAAC;gBAED,eAAe,CACb,uEAAuE,CACxE,CAAA;YACH,CAAC;QACH,CAAC;aAAM,IAAI,mBAAmB,EAAE,CAAC;YAC/B,eAAe,CACb,0EAA0E,CAC3E,CAAA;QACH,CAAC;QAED,6CAA6C;QAC7C,IAAI,uBAAuB,EAAE,CAAC;YAC5B,6DAA6D;YAC7D,wEAAwE;YACxE,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;YAE/B,qEAAqE;YACrE,sEAAsE;YACtE,2DAA2D;YAC3D,IAAI,cAAc,IAAI,eAAe,EAAE,CAAC;gBACtC,6DAA6D;gBAC7D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;oBACnC,MAAM,IAAI,KAAK,CACb,4CAA4C,cAAc,IAAI;wBAC5D,mEAAmE,CACtE,CAAA;gBACH,CAAC;gBACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;oBACpC,MAAM,IAAI,KAAK,CACb,6CAA6C,eAAe,IAAI;wBAC9D,mEAAmE,CACtE,CAAA;gBACH,CAAC;gBAED,qCAAqC;gBACrC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;gBACxD,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,EAAE,eAAe,CAAC,CAAA;gBAE1D,kCAAkC;gBAClC,yEAAyE;gBACzE,4EAA4E;gBAC5E,MAAM,QAAQ,GAAG,oBAAoB,CACnC,IAAI,EAAE,8BAA8B;gBACpC,IAAI,CACL,CAAA;gBACD,SAAS,CAAC,IAAI,CACZ,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,GAAW,EAAE,EAAE;oBAClC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBAChC,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAA;oBACjC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;oBACpC,OAAO,CAAC,UAAU,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;gBACjC,CAAC,CAAC,CACH,CAAA;gBAED,uEAAuE;gBACvE,iEAAiE;gBACjE,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;oBAChC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,kCAAkC,EAClC,MAAM,CAAC,aAAa,CAAC,CACtB,CAAA;gBACH,CAAC;gBACD,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;oBACjC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,mCAAmC,EACnC,MAAM,CAAC,cAAc,CAAC,CACvB,CAAA;gBACH,CAAC;YACH,CAAC;YACD,sFAAsF;QACxF,CAAC;QAED,gDAAgD;QAChD,MAAM,MAAM,GAAG,MAAM,sBAAsB,CACzC,UAAU,EACV,WAAW,EACX,aAAa,EACb,wBAAwB,EACxB,cAAc,EACd,WAAW,CACZ,CAAA;QACD,SAAS,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAA;QAEzB,mBAAmB;QACnB,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;QAE/B,gDAAgD;QAChD,6EAA6E;QAC7E,kEAAkE;QAClE,wEAAwE;QACxE,qGAAqG;QACrG,mGAAmG;QACnG,4DAA4D;QAC5D,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAC/B,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAC/B,+DAA+D;YAC/D,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QACnC,CAAC;QAED,gCAAgC;QAChC,0EAA0E;QAC1E,0EAA0E;QAC1E,MAAM,SAAS,GAAG,QAAQ,IAAI,MAAM,CAAA;QACpC,MAAM,eAAe,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE;YACtD,QAAQ,EAAE,MAAM;SACjB,CAAC,CAAA;QACF,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,UAAU,SAAS,qBAAqB,CAAC,CAAA;QAC3D,CAAC;QACD,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,EAAE,CAAA;QAC3C,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAA;QAEjC,+FAA+F;QAC/F,wEAAwE;QACxE,IAAI,uBAAuB,IAAI,cAAc,IAAI,eAAe,EAAE,CAAC;YACjE,2EAA2E;YAC3E,uDAAuD;YACvD,MAAM,cAAc,GAAG,mBAAmB,CACxC,cAAc,EACd,eAAe,EACf,OAAO,EACP,iBAAiB,EACjB,KAAK,CACN,CAAA;YACD,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QAChC,CAAC;aAAM,IAAI,iBAAiB,EAAE,CAAC;YAC7B,2EAA2E;YAC3E,4FAA4F;YAC5F,MAAM,kBAAkB,GAAG,yBAAyB,EAAE,CAAA;YACtD,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CACb,wEAAwE;oBACtE,uFAAuF,CAC1F,CAAA;YACH,CAAC;YAED,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,CAAC;gBACvC,kBAAkB;gBAClB,iBAAiB;gBACjB,KAAK;gBACL,IAAI;gBACJ,OAAO;aACR,CAAC,CAAA;YACF,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QACjC,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QACzB,CAAC;QAED,gCAAgC;QAChC,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,CAAC,CAAA;QAEhE,MAAM,YAAY,GAAG,EAAE,CAAA;QACvB,IAAI,uBAAuB;YAAE,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QACzD,IAAI,mBAAmB,IAAI,oBAAoB;YAC7C,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QACjC,IAAI,iBAAiB;YAAE,YAAY,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;QAE/D,eAAe,CACb,+CAA+C,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CACvF,CAAA;QAED,OAAO,cAAc,CAAA;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,mCAAmC;QACnC,IAAI,iBAAiB,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACzE,uBAAuB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAA;YACjD,IAAI,CAAC;gBACH,oBAAoB,CAAC,iBAAiB,CAAC,CAAA;YACzC,CAAC;YAAC,OAAO,YAAY,EAAE,CAAC;gBACtB,eAAe,CACb,+DAA+D,YAAY,EAAE,EAC7E,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;YACH,CAAC;QACH,CAAC;QACD,8BAA8B;QAC9B,MAAM,KAAK,CAAA;IACb,CAAC;AACH,CAAC"}

package/dist/sandbox/macos-sandbox-utils.d.ts

@@ -11,12 +11,15 @@ export interface MacOSSandboxParams {
     readConfig: FsReadRestrictionConfig | undefined;
     writeConfig: FsWriteRestrictionConfig | undefined;
     ignoreViolations?: IgnoreViolationsConfig | undefined;
+    allowPty?: boolean;
+    allowGitConfig?: boolean;
     binShell?: string;
-    ripgrepConfig?: {
-        command: string;
-        args?: string[];
-    };
 }
+/**
+ * Get mandatory deny patterns as glob patterns (no filesystem scanning).
+ * macOS sandbox profile supports regex/glob matching directly via globToRegex().
+ */
+export declare function macGetMandatoryDenyPatterns(allowGitConfig?: boolean): string[];
 export interface SandboxViolationEvent {
     line: string;
     command?: string;
@@ -45,7 +48,7 @@ export declare function globToRegex(globPattern: string): string;
 /**
  * Wrap command with macOS sandbox
  */
-export declare function wrapCommandWithSandboxMacOS(params: MacOSSandboxParams): Promise<string>;
+export declare function wrapCommandWithSandboxMacOS(params: MacOSSandboxParams): string;
 /**
  * Start monitoring macOS system logs for sandbox violations
  * Look for sandbox-related kernel deny events ending in {logTag}

package/dist/sandbox/macos-sandbox-utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"macos-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox-utils.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAA;AAEjE,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,uBAAuB,EAAE,OAAO,CAAA;IAChC,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC3B,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAC7B,iBAAiB,CAAC,EAAE,OAAO,CAAA;IAC3B,UAAU,EAAE,uBAAuB,GAAG,SAAS,CAAA;IAC/C,WAAW,EAAE,wBAAwB,GAAG,SAAS,CAAA;IACjD,gBAAgB,CAAC,EAAE,sBAAsB,GAAG,SAAS,CAAA;IACrD,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,aAAa,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAA;CACrD;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,MAAM,wBAAwB,GAAG,CACrC,SAAS,EAAE,qBAAqB,KAC7B,IAAI,CAAA;AAIT;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAkBvD;AAsfD;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,MAAM,CAAC,CAmFjB;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,QAAQ,EAAE,wBAAwB,EAClC,gBAAgB,CAAC,EAAE,sBAAsB,GACxC,MAAM,IAAI,CA8GZ"}
+{"version":3,"file":"macos-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox-utils.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAA;AAEjE,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,uBAAuB,EAAE,OAAO,CAAA;IAChC,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC3B,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAC7B,iBAAiB,CAAC,EAAE,OAAO,CAAA;IAC3B,UAAU,EAAE,uBAAuB,GAAG,SAAS,CAAA;IAC/C,WAAW,EAAE,wBAAwB,GAAG,SAAS,CAAA;IACjD,gBAAgB,CAAC,EAAE,sBAAsB,GAAG,SAAS,CAAA;IACrD,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,cAAc,UAAQ,GAAG,MAAM,EAAE,CA2B5E;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,MAAM,wBAAwB,GAAG,CACrC,SAAS,EAAE,qBAAqB,KAC7B,IAAI,CAAA;AAIT;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAkBvD;AAugBD;;GAEG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,kBAAkB,GACzB,MAAM,CAqFR;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,QAAQ,EAAE,wBAAwB,EAClC,gBAAgB,CAAC,EAAE,sBAAsB,GACxC,MAAM,IAAI,CA8GZ"}