@anthropic-ai/sandbox-runtime 0.0.34 → 0.0.38

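--- a/package/README.md
+++ b/package/README.md
@@ -270,7 +270,8 @@ srt --settings /path/to/srt-settings.json <command>
  "git push": ["/usr/bin/nc"],
  "npm": ["/private/tmp"]
  },
- "enableWeakerNestedSandbox": false
+ "enableWeakerNestedSandbox": false,
+ "enableWeakerNetworkIsolation": false
  }
  ```
 
@@ -341,6 +342,7 @@ Examples:
 
  - `ignoreViolations` - Object mapping command patterns to arrays of paths where violations should be ignored
  - `enableWeakerNestedSandbox` - Enable weaker sandbox mode for Docker environments (boolean, default: false)
+ - `enableWeakerNetworkIsolation` - Allow access to `com.apple.trustd.agent` in the macOS sandbox (boolean, default: false). This is needed for Go programs (`gh`, `gcloud`, `terraform`, `kubectl`, etc.) to verify TLS certificates when using `httpProxyPort` with a MITM proxy and custom CA. **Security warning:** enabling this opens a potential data exfiltration vector through the trustd service.
 
  ### Common Configuration Recipes
 
@@ -637,6 +639,7 @@ Users should be aware of potential risks that come from allowing broad domains l
  - Privilege Escalation via Unix Sockets: The `allowUnixSockets` configuration can inadvertently grant access to powerful system services that could lead to sandbox bypasses. For example, if it is used to allow access to `/var/run/docker.sock` this would effectively grant access to the host system through exploiting the docker socket. Users are encouraged to carefully consider any unix sockets that they allow through the sandbox.
  - Filesystem Permission Escalation: Overly broad filesystem write permissions can enable privilege escalation attacks. Allowing writes to directories containing executables in `$PATH`, system configuration directories, or user shell configuration files (`.bashrc`, `.zshrc`) can lead to code execution in different security contexts when other users or system processes access these files.
  - Linux Sandbox Strength: The Linux implementation provides strong filesystem and network isolation but includes an `enableWeakerNestedSandbox` mode that enables it to work inside of Docker environments without privileged namespaces. This option considerably weakens security and should only be used incases where additional isolation is otherwise enforced.
+ - Weaker Network Isolation (macOS): The `enableWeakerNetworkIsolation` option re-enables access to `com.apple.trustd.agent`, which is needed for Go programs to verify TLS certificates via the macOS Security framework. This opens a potential data exfiltration vector through the trustd service and should only be enabled when Go TLS verification is required (e.g., when using `httpProxyPort` with a MITM proxy and custom CA).
 
  ### Known Limitations and Future Work
 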
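--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -121,6 +121,10 @@ async function main() {
  });
  // Handle process exit
  child.on('exit', (code, signal) => {
+ // Clean up bwrap mount point artifacts before exiting.
+ // On Linux, bwrap creates empty files on the host when protecting
+ // non-existent deny paths. This removes them.
+ SandboxManager.cleanupAfterCommand();
  if (signal) {
  if (signal === 'SIGINT' || signal === 'SIGTERM') {
  process.exit(0);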
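Review bot: The new `SandboxManager.cleanupAfterCommand();` call at the top of the `child.on('exit', …)` handler runs before every `process.exit(...)` in it, so if it ever throws, the handler aborts with an uncaught exception and the child's exit code or signal is not propagated. Its implementation is not visible in this hunk; unless it is guaranteed not to throw, I would make the cleanup explicitly best-effort: `try { SandboxManager.cleanupAfterCommand(); } catch { /* best-effort cleanup */ }`. The handler body continues outside the hunk.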
package/dist/cli.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAC3E,OAAO,KAAK,QAAQ,MAAM,UAAU,CAAA;AACpC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AAExB;;GAEG;AACH,SAAS,oBAAoB;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,oBAAoB,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,OAAO;QACL,OAAO,EAAE;YACP,cAAc,EAAE,EAAE;YAClB,aAAa,EAAE,EAAE;SAClB;QACD,UAAU,EAAE;YACV,QAAQ,EAAE,EAAE;YACZ,UAAU,EAAE,EAAE;YACd,SAAS,EAAE,EAAE;SACd;KACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;IAE7B,OAAO;SACJ,IAAI,CAAC,KAAK,CAAC;SACX,WAAW,CACV,oEAAoE,CACrE;SACA,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,OAAO,CAAC,CAAA;IAEtD,2CAA2C;IAC3C,OAAO;SACJ,QAAQ,CAAC,cAAc,EAAE,+BAA+B,CAAC;SACzD,MAAM,CAAC,aAAa,EAAE,sBAAsB,CAAC;SAC7C,MAAM,CACL,uBAAuB,EACvB,qDAAqD,CACtD;SACA,MAAM,CACL,cAAc,EACd,+DAA+D,CAChE;SACA,MAAM,CACL,mBAAmB,EACnB,gEAAgE,EAChE,QAAQ,CACT;SACA,kBAAkB,EAAE;SACpB,MAAM,CACL,KAAK,EACH,WAAqB,EACrB,OAKC,EACD,EAAE;QACF,IAAI,CAAC;YACH,oCAAoC;YACpC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,MAAM,CAAA;YAC5B,CAAC;YAED,wBAAwB;YACxB,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,IAAI,oBAAoB,EAAE,CAAA;YAC7D,IAAI,aAAa,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;YAE1C,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,eAAe,CACb,sBAAsB,UAAU,wBAAwB,CACzD,CAAA;gBACD,aAAa,GAAG,gBAAgB,EAAE,CAAA;YACpC,CAAC;YAED,iCAAiC;YACjC,eAAe,CAAC,yBAAyB,CAAC,CAAA;YAC1C,MAAM,cAAc,CAAC,UAAU,CAAC,aAAa,CAAC,CAAA;YAE9C,4DAA4D;YAC5D,IAAI,aAAa,GAA8B,IAAI,CAAA;YACnD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,MAAM,aAAa,GAAG,EAAE,CAAC,gBAAgB,CAAC,EAAE,EAAE;wBAC5C,EAAE,EAAE,OAAO,CAAC,SAAS;qBACtB,CAAC,CAAA;oBACF,aAAa,GAAG,QAAQ,CAAC,eAAe,CAAC;wBACvC,KAAK,EAAE,aAAa;wBACpB,SAAS,EAAE,Q
AAQ;qBACpB,CAAC,CAAA;oBAEF,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE;wBAC9B,MAAM,SAAS,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAA;wBAC5C,IAAI,SAAS,EAAE,CAAC;4BACd,eAAe,CACb,mCAAmC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAC/D,CAAA;4BACD,cAAc,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;wBACxC,CAAC;6BAAM,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;4BACvB,gDAAgD;4BAChD,eAAe,CACb,2CAA2C,IAAI,EAAE,CAClD,CAAA;wBACH,CAAC;oBACH,CAAC,CAAC,CAAA;oBAEF,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;wBAC9B,eAAe,CAAC,qBAAqB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;oBACrD,CAAC,CAAC,CAAA;oBAEF,eAAe,CACb,sCAAsC,OAAO,CAAC,SAAS,EAAE,CAC1D,CAAA;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,eAAe,CACb,6BAA6B,OAAO,CAAC,SAAS,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACtG,CAAA;gBACH,CAAC;YACH,CAAC;YAED,iCAAiC;YACjC,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;gBACtB,aAAa,EAAE,KAAK,EAAE,CAAA;YACxB,CAAC,CAAC,CAAA;YAEF,yCAAyC;YACzC,IAAI,OAAe,CAAA;YACnB,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC;gBACd,oDAAoD;gBACpD,OAAO,GAAG,OAAO,CAAC,CAAC,CAAA;gBACnB,eAAe,CAAC,6BAA6B,OAAO,EAAE,CAAC,CAAA;YACzD,CAAC;iBAAM,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,4BAA4B;gBAC5B,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBAC/B,eAAe,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAA;YACjD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CACX,6EAA6E,CAC9E,CAAA;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC;YAED,eAAe,CACb,IAAI,CAAC,SAAS,CACZ,cAAc,CAAC,2BAA2B,EAAE,EAC5C,IAAI,EACJ,CAAC,CACF,CACF,CAAA;YAED,6CAA6C;YAC7C,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,CAAA;YAEtE,gCAAgC;YAChC,MAAM,KAAK,GAAG,KAAK,CAAC,gBAAgB,EAAE;gBACpC,KAAK,EAAE,IAAI;gBACX,KAAK,EAAE,SAAS;aACjB,CAAC,CAAA;YAEF,sBAAsB;YACtB,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;gBAChC,IAAI,MAAM,EAAE,CAAC;oBACX,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;wBAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;oBACjB,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAA;wBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;oBACjB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,IAA
I,CAAC,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;YAEF,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE;gBACxB,OAAO,CAAC,KAAK,CAAC,8BAA8B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;gBAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC,CAAC,CAAA;YAEF,8BAA8B;YAC9B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBACxB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YACtB,CAAC,CAAC,CAAA;YAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;gBACzB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YACvB,CAAC,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACnE,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CACF,CAAA;IAEH,OAAO,CAAC,KAAK,EAAE,CAAA;AACjB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAA;IACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}
1
+ {"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE3C,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAA;AACrC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAA;AAClD,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAC3E,OAAO,KAAK,QAAQ,MAAM,UAAU,CAAA;AACpC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAC5B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AAExB;;GAEG;AACH,SAAS,oBAAoB;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,oBAAoB,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB;IACvB,OAAO;QACL,OAAO,EAAE;YACP,cAAc,EAAE,EAAE;YAClB,aAAa,EAAE,EAAE;SAClB;QACD,UAAU,EAAE;YACV,QAAQ,EAAE,EAAE;YACZ,UAAU,EAAE,EAAE;YACd,SAAS,EAAE,EAAE;SACd;KACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;IAE7B,OAAO;SACJ,IAAI,CAAC,KAAK,CAAC;SACX,WAAW,CACV,oEAAoE,CACrE;SACA,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,OAAO,CAAC,CAAA;IAEtD,2CAA2C;IAC3C,OAAO;SACJ,QAAQ,CAAC,cAAc,EAAE,+BAA+B,CAAC;SACzD,MAAM,CAAC,aAAa,EAAE,sBAAsB,CAAC;SAC7C,MAAM,CACL,uBAAuB,EACvB,qDAAqD,CACtD;SACA,MAAM,CACL,cAAc,EACd,+DAA+D,CAChE;SACA,MAAM,CACL,mBAAmB,EACnB,gEAAgE,EAChE,QAAQ,CACT;SACA,kBAAkB,EAAE;SACpB,MAAM,CACL,KAAK,EACH,WAAqB,EACrB,OAKC,EACD,EAAE;QACF,IAAI,CAAC;YACH,oCAAoC;YACpC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,MAAM,CAAA;YAC5B,CAAC;YAED,wBAAwB;YACxB,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,IAAI,oBAAoB,EAAE,CAAA;YAC7D,IAAI,aAAa,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;YAE1C,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,eAAe,CACb,sBAAsB,UAAU,wBAAwB,CACzD,CAAA;gBACD,aAAa,GAAG,gBAAgB,EAAE,CAAA;YACpC,CAAC;YAED,iCAAiC;YACjC,eAAe,CAAC,yBAAyB,CAAC,CAAA;YAC1C,MAAM,cAAc,CAAC,UAAU,CAAC,aAAa,CAAC,CAAA;YAE9C,4DAA4D;YAC5D,IAAI,aAAa,GAA8B,IAAI,CAAA;YACnD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,MAAM,aAAa,GAAG,EAAE,CAAC,gBAAgB,CAAC,EAAE,EAAE;wBAC5C,EAAE,EAAE,OAAO,CAAC,SAAS;qBACtB,CAAC,CAAA;oBACF,aAAa,GAAG,QAAQ,CAAC,eAAe,CAAC;wBACvC,KAAK,EAAE,aAAa;wBACpB,SAAS,EAAE,Q
AAQ;qBACpB,CAAC,CAAA;oBAEF,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE;wBAC9B,MAAM,SAAS,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAA;wBAC5C,IAAI,SAAS,EAAE,CAAC;4BACd,eAAe,CACb,mCAAmC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAC/D,CAAA;4BACD,cAAc,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;wBACxC,CAAC;6BAAM,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;4BACvB,gDAAgD;4BAChD,eAAe,CACb,2CAA2C,IAAI,EAAE,CAClD,CAAA;wBACH,CAAC;oBACH,CAAC,CAAC,CAAA;oBAEF,aAAa,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;wBAC9B,eAAe,CAAC,qBAAqB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;oBACrD,CAAC,CAAC,CAAA;oBAEF,eAAe,CACb,sCAAsC,OAAO,CAAC,SAAS,EAAE,CAC1D,CAAA;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,eAAe,CACb,6BAA6B,OAAO,CAAC,SAAS,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACtG,CAAA;gBACH,CAAC;YACH,CAAC;YAED,iCAAiC;YACjC,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;gBACtB,aAAa,EAAE,KAAK,EAAE,CAAA;YACxB,CAAC,CAAC,CAAA;YAEF,yCAAyC;YACzC,IAAI,OAAe,CAAA;YACnB,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC;gBACd,oDAAoD;gBACpD,OAAO,GAAG,OAAO,CAAC,CAAC,CAAA;gBACnB,eAAe,CAAC,6BAA6B,OAAO,EAAE,CAAC,CAAA;YACzD,CAAC;iBAAM,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClC,4BAA4B;gBAC5B,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBAC/B,eAAe,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAA;YACjD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CACX,6EAA6E,CAC9E,CAAA;gBACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC;YAED,eAAe,CACb,IAAI,CAAC,SAAS,CACZ,cAAc,CAAC,2BAA2B,EAAE,EAC5C,IAAI,EACJ,CAAC,CACF,CACF,CAAA;YAED,6CAA6C;YAC7C,MAAM,gBAAgB,GAAG,MAAM,cAAc,CAAC,eAAe,CAAC,OAAO,CAAC,CAAA;YAEtE,gCAAgC;YAChC,MAAM,KAAK,GAAG,KAAK,CAAC,gBAAgB,EAAE;gBACpC,KAAK,EAAE,IAAI;gBACX,KAAK,EAAE,SAAS;aACjB,CAAC,CAAA;YAEF,sBAAsB;YACtB,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;gBAChC,uDAAuD;gBACvD,kEAAkE;gBAClE,8CAA8C;gBAC9C,cAAc,CAAC,mBAAmB,EAAE,CAAA;gBAEpC,IAAI,MAAM,EAAE,CAAC;oBACX,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;wBAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;oBACjB,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAA;wBACpD,OAAO,CAAC,IAAI,C
AAC,CAAC,CAAC,CAAA;oBACjB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;YAEF,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE;gBACxB,OAAO,CAAC,KAAK,CAAC,8BAA8B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAA;gBAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACjB,CAAC,CAAC,CAAA;YAEF,8BAA8B;YAC9B,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE;gBACxB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YACtB,CAAC,CAAC,CAAA;YAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;gBACzB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;YACvB,CAAC,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CACX,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACnE,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC,CACF,CAAA;IAEH,OAAO,CAAC,KAAK,EAAE,CAAA;AACjB,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAA;IACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAA"}
@@ -36,6 +36,21 @@ export interface LinuxSandboxParams {
36
36
  /** Abort signal to cancel the ripgrep scan */
37
37
  abortSignal?: AbortSignal;
38
38
  }
39
+ /**
40
+ * Clean up mount point files created by bwrap for non-existent deny paths.
41
+ *
42
+ * When protecting non-existent deny paths, bwrap creates empty files on the
43
+ * host filesystem as mount points for --ro-bind. These files persist after
44
+ * bwrap exits. This function removes them.
45
+ *
46
+ * This should be called after each sandboxed command completes to prevent
47
+ * ghost dotfiles (e.g. .bashrc, .gitconfig) from appearing in the working
48
+ * directory. It is also called automatically on process exit as a safety net.
49
+ *
50
+ * Safe to call at any time — it only removes files that were tracked during
51
+ * generateFilesystemArgs() and skips any that no longer exist.
52
+ */
53
+ export declare function cleanupBwrapMountPoints(): void;
39
54
  /**
40
55
  * Detailed status of Linux sandbox dependencies
41
56
  */
@@ -1 +1 @@
1
- {"version":3,"file":"linux-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAWtD,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAQ7B,MAAM,WAAW,yBAAyB;IACxC,cAAc,EAAE,MAAM,CAAA;IACtB,eAAe,EAAE,MAAM,CAAA;IACvB,iBAAiB,EAAE,YAAY,CAAA;IAC/B,kBAAkB,EAAE,YAAY,CAAA;IAChC,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,uBAAuB,EAAE,OAAO,CAAA;IAChC,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,UAAU,CAAC,EAAE,uBAAuB,CAAA;IACpC,WAAW,CAAC,EAAE,wBAAwB,CAAA;IACtC,yBAAyB,CAAC,EAAE,OAAO,CAAA;IACnC,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,aAAa,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAA;IACpD,yEAAyE;IACzE,wBAAwB,CAAC,EAAE,MAAM,CAAA;IACjC,yDAAyD;IACzD,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,kCAAkC;IAClC,aAAa,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;IACxD,8CAA8C;IAC9C,WAAW,CAAC,EAAE,WAAW,CAAA;CAC1B;AAmLD;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,EAAE,OAAO,CAAA;IACjB,QAAQ,EAAE,OAAO,CAAA;IACjB,aAAa,EAAE,OAAO,CAAA;IACtB,eAAe,EAAE,OAAO,CAAA;CACzB,CAAA;AAED;;GAEG;AACH,MAAM,MAAM,sBAAsB,GAAG;IACnC,QAAQ,EAAE,MAAM,EAAE,CAAA;IAClB,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB,CAAA;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,aAAa,CAAC,EAAE;IACvD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GAAG,qBAAqB,CAiBxB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,aAAa,CAAC,EAAE;IACrD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GAAG,sBAAsB,CAuBzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,4BAA4B,CAChD,aAAa,EAAE,MAAM,EACrB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,yBAAyB,CAAC,CA2HpC;AA4MD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,MAAM,CAAC,CA2PjB"}
1
+ {"version":3,"file":"linux-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAYtD,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAQ7B,MAAM,WAAW,yBAAyB;IACxC,cAAc,EAAE,MAAM,CAAA;IACtB,eAAe,EAAE,MAAM,CAAA;IACvB,iBAAiB,EAAE,YAAY,CAAA;IAC/B,kBAAkB,EAAE,YAAY,CAAA;IAChC,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,uBAAuB,EAAE,OAAO,CAAA;IAChC,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,UAAU,CAAC,EAAE,uBAAuB,CAAA;IACpC,WAAW,CAAC,EAAE,wBAAwB,CAAA;IACtC,yBAAyB,CAAC,EAAE,OAAO,CAAA;IACnC,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,aAAa,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAA;IACpD,yEAAyE;IACzE,wBAAwB,CAAC,EAAE,MAAM,CAAA;IACjC,yDAAyD;IACzD,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,kCAAkC;IAClC,aAAa,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;IACxD,8CAA8C;IAC9C,WAAW,CAAC,EAAE,WAAW,CAAA;CAC1B;AAiQD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,uBAAuB,IAAI,IAAI,CA2B9C;AAED;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC,QAAQ,EAAE,OAAO,CAAA;IACjB,QAAQ,EAAE,OAAO,CAAA;IACjB,aAAa,EAAE,OAAO,CAAA;IACtB,eAAe,EAAE,OAAO,CAAA;CACzB,CAAA;AAED;;GAEG;AACH,MAAM,MAAM,sBAAsB,GAAG;IACnC,QAAQ,EAAE,MAAM,EAAE,CAAA;IAClB,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB,CAAA;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,aAAa,CAAC,EAAE;IACvD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GAAG,qBAAqB,CAQxB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,aAAa,CAAC,EAAE;IACrD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB,GAAG,sBAAsB,CAezB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAsB,4BAA4B,CAChD,aAAa,EAAE,MAAM,EACrB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,yBAAyB,CAAC,CA2HpC;AAgSD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,wBAAsB,2BAA2B,CAC/C,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,MAAM,CAAC,CAwPjB"}
@@ -1,12 +1,13 @@
1
1
  import shellquote from 'shell-quote';
2
2
  import { logForDebugging } from '../utils/debug.js';
3
+ import { whichSync } from '../utils/which.js';
3
4
  import { randomBytes } from 'node:crypto';
4
5
  import * as fs from 'fs';
5
- import { spawn, spawnSync } from 'node:child_process';
6
+ import { spawn } from 'node:child_process';
6
7
  import { tmpdir } from 'node:os';
7
8
  import path, { join } from 'node:path';
8
9
  import { ripGrep } from '../utils/ripgrep.js';
9
- import { generateProxyEnvVars, normalizePathForSandbox, normalizeCaseForComparison, DANGEROUS_FILES, getDangerousDirectories, } from './sandbox-utils.js';
10
+ import { generateProxyEnvVars, normalizePathForSandbox, normalizeCaseForComparison, isSymlinkOutsideBoundary, DANGEROUS_FILES, getDangerousDirectories, } from './sandbox-utils.js';
10
11
  import { generateSeccompFilter, cleanupSeccompFilter, getPreGeneratedBpfPath, getApplySeccompBinaryPath, } from './generate-seccomp-filter.js';
11
12
  /** Default max depth for searching dangerous files */
12
13
  const DEFAULT_MANDATORY_DENY_SEARCH_DEPTH = 3;
@@ -42,6 +43,57 @@ function findSymlinkInPath(targetPath, allowedWritePaths) {
42
43
  }
43
44
  return null;
44
45
  }
46
+ /**
47
+ * Check if any existing component in the path is a file (not a directory).
48
+ * If so, the target path can never be created because you can't mkdir under a file.
49
+ *
50
+ * This handles the git worktree case: .git is a file, so .git/hooks can never
51
+ * exist and there's nothing to deny.
52
+ */
53
+ function hasFileAncestor(targetPath) {
54
+ const parts = targetPath.split(path.sep);
55
+ let currentPath = '';
56
+ for (const part of parts) {
57
+ if (!part)
58
+ continue; // Skip empty parts (leading /)
59
+ const nextPath = currentPath + path.sep + part;
60
+ try {
61
+ const stat = fs.statSync(nextPath);
62
+ if (stat.isFile() || stat.isSymbolicLink()) {
63
+ // This component exists as a file — nothing below it can be created
64
+ return true;
65
+ }
66
+ }
67
+ catch {
68
+ // Path doesn't exist — stop checking
69
+ break;
70
+ }
71
+ currentPath = nextPath;
72
+ }
73
+ return false;
74
+ }
75
+ /**
76
+ * Find the first non-existent path component.
77
+ * E.g., for "/existing/parent/nonexistent/child/file.txt" where /existing/parent exists,
78
+ * returns "/existing/parent/nonexistent"
79
+ *
80
+ * This is used to block creation of non-existent deny paths by mounting /dev/null
81
+ * at the first missing component, preventing mkdir from creating the parent directories.
82
+ */
83
+ function findFirstNonExistentComponent(targetPath) {
84
+ const parts = targetPath.split(path.sep);
85
+ let currentPath = '';
86
+ for (const part of parts) {
87
+ if (!part)
88
+ continue; // Skip empty parts (leading /)
89
+ const nextPath = currentPath + path.sep + part;
90
+ if (!fs.existsSync(nextPath)) {
91
+ return nextPath;
92
+ }
93
+ currentPath = nextPath;
94
+ }
95
+ return targetPath; // Shouldn't reach here if called correctly
96
+ }
45
97
  /**
46
98
  * Get mandatory deny paths using ripgrep (Linux only).
47
99
  * Uses a SINGLE ripgrep call with multiple glob patterns for efficiency.
@@ -59,12 +111,27 @@ async function linuxGetMandatoryDenyPaths(ripgrepConfig = { command: 'rg' }, max
59
111
  ...DANGEROUS_FILES.map(f => path.resolve(cwd, f)),
60
112
  // Dangerous directories in CWD
61
113
  ...dangerousDirectories.map(d => path.resolve(cwd, d)),
62
- // Git hooks always blocked for security
63
- path.resolve(cwd, '.git/hooks'),
64
114
  ];
65
- // Git config conditionally blocked based on allowGitConfig setting
66
- if (!allowGitConfig) {
67
- denyPaths.push(path.resolve(cwd, '.git/config'));
115
+ // Git hooks and config are only denied when .git exists as a directory.
116
+ // In git worktrees, .git is a file (e.g., "gitdir: /path/..."), so
117
+ // .git/hooks can never exist — denying it would cause bwrap to fail.
118
+ // When .git doesn't exist at all, mounting at .git would block its
119
+ // creation and break git init.
120
+ const dotGitPath = path.resolve(cwd, '.git');
121
+ let dotGitIsDirectory = false;
122
+ try {
123
+ dotGitIsDirectory = fs.statSync(dotGitPath).isDirectory();
124
+ }
125
+ catch {
126
+ // .git doesn't exist
127
+ }
128
+ if (dotGitIsDirectory) {
129
+ // Git hooks always blocked for security
130
+ denyPaths.push(path.resolve(cwd, '.git/hooks'));
131
+ // Git config conditionally blocked based on allowGitConfig setting
132
+ if (!allowGitConfig) {
133
+ denyPaths.push(path.resolve(cwd, '.git/config'));
134
+ }
68
135
  }
69
136
  // Build iglob args for all patterns in one ripgrep call
70
137
  const iglobArgs = [];
@@ -134,11 +201,16 @@ async function linuxGetMandatoryDenyPaths(ripgrepConfig = { command: 'rg' }, max
134
201
  }
135
202
  // Track generated seccomp filters for cleanup on process exit
136
203
  const generatedSeccompFilters = new Set();
204
+ // Track mount points created by bwrap for non-existent deny paths.
205
+ // When bwrap does --ro-bind /dev/null /nonexistent/path, it creates an empty
206
+ // file on the host as a mount point. These persist after bwrap exits and must
207
+ // be cleaned up explicitly.
208
+ const bwrapMountPoints = new Set();
137
209
  let exitHandlerRegistered = false;
138
210
  /**
139
- * Register cleanup handler for generated seccomp filters
211
+ * Register cleanup handler for generated seccomp filters and bwrap mount points
140
212
  */
141
- function registerSeccompCleanupHandler() {
213
+ function registerExitCleanupHandler() {
142
214
  if (exitHandlerRegistered) {
143
215
  return;
144
216
  }
@@ -151,24 +223,57 @@ function registerSeccompCleanupHandler() {
151
223
  // Ignore cleanup errors during exit
152
224
  }
153
225
  }
226
+ cleanupBwrapMountPoints();
154
227
  });
155
228
  exitHandlerRegistered = true;
156
229
  }
230
+ /**
231
+ * Clean up mount point files created by bwrap for non-existent deny paths.
232
+ *
233
+ * When protecting non-existent deny paths, bwrap creates empty files on the
234
+ * host filesystem as mount points for --ro-bind. These files persist after
235
+ * bwrap exits. This function removes them.
236
+ *
237
+ * This should be called after each sandboxed command completes to prevent
238
+ * ghost dotfiles (e.g. .bashrc, .gitconfig) from appearing in the working
239
+ * directory. It is also called automatically on process exit as a safety net.
240
+ *
241
+ * Safe to call at any time — it only removes files that were tracked during
242
+ * generateFilesystemArgs() and skips any that no longer exist.
243
+ */
244
+ export function cleanupBwrapMountPoints() {
245
+ for (const mountPoint of bwrapMountPoints) {
246
+ try {
247
+ // Only remove if it's still the empty file/directory bwrap created.
248
+ // If something else has written real content, leave it alone.
249
+ const stat = fs.statSync(mountPoint);
250
+ if (stat.isFile() && stat.size === 0) {
251
+ fs.unlinkSync(mountPoint);
252
+ logForDebugging(`[Sandbox Linux] Cleaned up bwrap mount point (file): ${mountPoint}`);
253
+ }
254
+ else if (stat.isDirectory()) {
255
+ // Empty directory mount points are created for intermediate
256
+ // components (Fix 2). Only remove if still empty.
257
+ const entries = fs.readdirSync(mountPoint);
258
+ if (entries.length === 0) {
259
+ fs.rmdirSync(mountPoint);
260
+ logForDebugging(`[Sandbox Linux] Cleaned up bwrap mount point (dir): ${mountPoint}`);
261
+ }
262
+ }
263
+ }
264
+ catch {
265
+ // Ignore cleanup errors — the file may have already been removed
266
+ }
267
+ }
268
+ bwrapMountPoints.clear();
269
+ }
157
270
  /**
158
271
  * Get detailed status of Linux sandbox dependencies
159
272
  */
160
273
  export function getLinuxDependencyStatus(seccompConfig) {
161
- const bwrapResult = spawnSync('which', ['bwrap'], {
162
- stdio: 'ignore',
163
- timeout: 1000,
164
- });
165
- const socatResult = spawnSync('which', ['socat'], {
166
- stdio: 'ignore',
167
- timeout: 1000,
168
- });
169
274
  return {
170
- hasBwrap: bwrapResult.status === 0,
171
- hasSocat: socatResult.status === 0,
275
+ hasBwrap: whichSync('bwrap') !== null,
276
+ hasSocat: whichSync('socat') !== null,
172
277
  hasSeccompBpf: getPreGeneratedBpfPath(seccompConfig?.bpfPath) !== null,
173
278
  hasSeccompApply: getApplySeccompBinaryPath(seccompConfig?.applyPath) !== null,
174
279
  };
@@ -179,17 +284,9 @@ export function getLinuxDependencyStatus(seccompConfig) {
179
284
  export function checkLinuxDependencies(seccompConfig) {
180
285
  const errors = [];
181
286
  const warnings = [];
182
- const bwrap = spawnSync('which', ['bwrap'], {
183
- stdio: 'ignore',
184
- timeout: 1000,
185
- });
186
- const socat = spawnSync('which', ['socat'], {
187
- stdio: 'ignore',
188
- timeout: 1000,
189
- });
190
- if (bwrap.status !== 0)
287
+ if (whichSync('bwrap') === null)
191
288
  errors.push('bubblewrap (bwrap) not installed');
192
- if (socat.status !== 0)
289
+ if (whichSync('socat') === null)
193
290
  errors.push('socat not installed');
194
291
  const hasBpf = getPreGeneratedBpfPath(seccompConfig?.bpfPath) !== null;
195
292
  const hasApply = getApplySeccompBinaryPath(seccompConfig?.applyPath) !== null;
@@ -401,6 +498,26 @@ async function generateFilesystemArgs(readConfig, writeConfig, ripgrepConfig = {
401
498
  logForDebugging(`[Sandbox Linux] Skipping non-existent write path: ${normalizedPath}`);
402
499
  continue;
403
500
  }
501
+ // Check if path is a symlink pointing outside expected boundaries
502
+ // bwrap follows symlinks, so --bind on a symlink makes the target writable
503
+ // This could unexpectedly expose paths the user didn't intend to allow
504
+ try {
505
+ const resolvedPath = fs.realpathSync(normalizedPath);
506
+ // Trim trailing slashes before comparing: realpathSync never returns
507
+ // a trailing slash, but normalizedPath may have one, which would cause
508
+ // a false mismatch and incorrectly treat the path as a symlink.
509
+ const normalizedForComparison = normalizedPath.replace(/\/+$/, '');
510
+ if (resolvedPath !== normalizedForComparison &&
511
+ isSymlinkOutsideBoundary(normalizedPath, resolvedPath)) {
512
+ logForDebugging(`[Sandbox Linux] Skipping symlink write path pointing outside expected location: ${pathPattern} -> ${resolvedPath}`);
513
+ continue;
514
+ }
515
+ }
516
+ catch {
517
+ // realpathSync failed - path might not exist or be accessible, skip it
518
+ logForDebugging(`[Sandbox Linux] Skipping write path that could not be resolved: ${normalizedPath}`);
519
+ continue;
520
+ }
404
521
  args.push('--bind', normalizedPath, normalizedPath);
405
522
  allowedWritePaths.push(normalizedPath);
406
523
  }
@@ -425,10 +542,55 @@ async function generateFilesystemArgs(readConfig, writeConfig, ripgrepConfig = {
425
542
  logForDebugging(`[Sandbox Linux] Mounted /dev/null at symlink ${symlinkInPath} to prevent symlink replacement attack`);
426
543
  continue;
427
544
  }
428
- // Skip non-existent paths - no protection needed
429
- // Mounting /dev/null over non-existent paths creates empty files on host
545
+ // Handle non-existent paths by mounting /dev/null to block creation.
546
+ // Without this, a sandboxed process could mkdir+write a denied path that
547
+ // doesn't exist yet, bypassing the deny rule entirely.
548
+ //
549
+ // bwrap creates empty files on the host as mount points for these binds.
550
+ // We track them in bwrapMountPoints so cleanupBwrapMountPoints() can
551
+ // remove them after the command exits.
430
552
  if (!fs.existsSync(normalizedPath)) {
431
- logForDebugging(`[Sandbox Linux] Skipping non-existent deny path: ${normalizedPath}`);
553
+ // Fix 1 (worktree): If any existing component in the deny path is a
554
+ // file (not a directory), skip the deny entirely. You can't mkdir
555
+ // under a file, so the deny path can never be created. This handles
556
+ // git worktrees where .git is a file.
557
+ if (hasFileAncestor(normalizedPath)) {
558
+ logForDebugging(`[Sandbox Linux] Skipping deny path with file ancestor (cannot create paths under a file): ${normalizedPath}`);
559
+ continue;
560
+ }
561
+ // Find the deepest existing ancestor directory
562
+ let ancestorPath = path.dirname(normalizedPath);
563
+ while (ancestorPath !== '/' && !fs.existsSync(ancestorPath)) {
564
+ ancestorPath = path.dirname(ancestorPath);
565
+ }
566
+ // Only protect if the existing ancestor is within an allowed write path.
567
+ // If not, the path is already read-only from --ro-bind / /.
568
+ const ancestorIsWithinAllowedPath = allowedWritePaths.some(allowedPath => ancestorPath.startsWith(allowedPath + '/') ||
569
+ ancestorPath === allowedPath ||
570
+ normalizedPath.startsWith(allowedPath + '/'));
571
+ if (ancestorIsWithinAllowedPath) {
572
+ const firstNonExistent = findFirstNonExistentComponent(normalizedPath);
573
+ // Fix 2: If firstNonExistent is an intermediate component (not the
574
+ // leaf deny path itself), mount a read-only empty directory instead
575
+ // of /dev/null. This prevents the component from appearing as a file
576
+ // which breaks tools that expect to traverse it as a directory.
577
+ if (firstNonExistent !== normalizedPath) {
578
+ const emptyDir = fs.mkdtempSync(path.join(tmpdir(), 'claude-empty-'));
579
+ args.push('--ro-bind', emptyDir, firstNonExistent);
580
+ bwrapMountPoints.add(firstNonExistent);
581
+ registerExitCleanupHandler();
582
+ logForDebugging(`[Sandbox Linux] Mounted empty dir at ${firstNonExistent} to block creation of ${normalizedPath}`);
583
+ }
584
+ else {
585
+ args.push('--ro-bind', '/dev/null', firstNonExistent);
586
+ bwrapMountPoints.add(firstNonExistent);
587
+ registerExitCleanupHandler();
588
+ logForDebugging(`[Sandbox Linux] Mounted /dev/null at ${firstNonExistent} to block creation of ${normalizedPath}`);
589
+ }
590
+ }
591
+ else {
592
+ logForDebugging(`[Sandbox Linux] Skipping non-existent deny path not within allowed paths: ${normalizedPath}`);
593
+ }
432
594
  continue;
433
595
  }
434
596
  // Only add deny binding if this path is within an allowed write path
@@ -555,7 +717,7 @@ export async function wrapCommandWithSandboxLinux(params) {
555
717
  // Only track runtime-generated filters (not pre-generated ones from vendor/)
556
718
  if (!seccompFilterPath.includes('/vendor/seccomp/')) {
557
719
  generatedSeccompFilters.add(seccompFilterPath);
558
- registerSeccompCleanupHandler();
720
+ registerExitCleanupHandler();
559
721
  }
560
722
  logForDebugging('[Sandbox Linux] Generated seccomp BPF filter for Unix socket blocking');
561
723
  }
@@ -627,13 +789,10 @@ export async function wrapCommandWithSandboxLinux(params) {
627
789
  // Use the user's shell (zsh, bash, etc.) to ensure aliases/snapshots work
628
790
  // Resolve the full path to the shell binary since bwrap doesn't use $PATH
629
791
  const shellName = binShell || 'bash';
630
- const shellPathResult = spawnSync('which', [shellName], {
631
- encoding: 'utf8',
632
- });
633
- if (shellPathResult.status !== 0) {
792
+ const shell = whichSync(shellName);
793
+ if (!shell) {
634
794
  throw new Error(`Shell '${shellName}' not found in PATH`);
635
795
  }
636
- const shell = shellPathResult.stdout.trim();
637
796
  bwrapArgs.push('--', shell, '-c');
638
797
  // If we have network restrictions, use the network bridge setup with apply-seccomp for seccomp
639
798
  // Otherwise, just run the command directly with apply-seccomp if needed
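Review bot: The new guard `if (!shell)` only rejects a missing result, so any non-empty string returned by `whichSync(shellName)` is pushed to bwrap as the program to execute. `whichSync` is defined outside this hunk, so this is inferred: if it can return a non-absolute path (for example when `binShell` itself contains a slash), the binary executed inside the sandbox may not be the one that was looked up on the host. Tightening the check to `if (!shell || !path.isAbsolute(shell))` would keep the two the same, with the error message reworded to cover that case. A short comment that the lookup runs on the host before the sandbox is entered would also help. The body of wrapCommandWithSandboxLinux continues outside the hunk.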
@@ -1 +1 @@
1
- {"version":3,"file":"linux-sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,UAAU,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAErD,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAC7C,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,eAAe,EACf,uBAAuB,GACxB,MAAM,oBAAoB,CAAA;AAK3B,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAA;AAkCrC,sDAAsD;AACtD,MAAM,mCAAmC,GAAG,CAAC,CAAA;AAE7C;;;;;;GAMG;AACH,SAAS,iBAAiB,CACxB,UAAkB,EAClB,iBAA2B;IAE3B,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACxC,IAAI,WAAW,GAAG,EAAE,CAAA;IAEpB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,SAAQ,CAAC,+BAA+B;QACnD,MAAM,QAAQ,GAAG,WAAW,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAA;QAE9C,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;YACpC,IAAI,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC;gBAC3B,wDAAwD;gBACxD,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,CAChD,WAAW,CAAC,EAAE,CACZ,QAAQ,CAAC,UAAU,CAAC,WAAW,GAAG,GAAG,CAAC,IAAI,QAAQ,KAAK,WAAW,CACrE,CAAA;gBACD,IAAI,mBAAmB,EAAE,CAAC;oBACxB,OAAO,QAAQ,CAAA;gBACjB,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;YAC7C,MAAK;QACP,CAAC;QACD,WAAW,GAAG,QAAQ,CAAA;IACxB,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,0BAA0B,CACvC,gBAAsD,EAAE,OAAO,EAAE,IAAI,EAAE,EACvE,WAAmB,mCAAmC,EACtD,cAAc,GAAG,KAAK,EACtB,WAAyB;IAEzB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IACzB,sDAAsD;IACtD,MAAM,kBAAkB,GAAG,IAAI,eAAe,EAAE,CAAA;IAChD,MAAM,MAAM,GAAG,WAAW,IAAI,kBAAkB,CAAC,MAAM,CAAA;IACvD,MAAM,oBAAoB,GAAG,uBAAuB,EAAE,CAAA;IAEtD,uEAAuE;IACvE,MAAM,SAAS,GAAG;QAChB,yBAAyB;QACzB,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACjD,+BAA+B;QAC/B,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,
CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACtD,wCAAwC;QACxC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,YAAY,CAAC;KAChC,CAAA;IAED,mEAAmE;IACnE,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC,CAAA;IAClD,CAAC;IAED,wDAAwD;IACxD,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,KAAK,MAAM,QAAQ,IAAI,eAAe,EAAE,CAAC;QACvC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAA;IACrC,CAAC;IACD,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,OAAO,KAAK,CAAC,CAAA;IAC/C,CAAC;IACD,2CAA2C;IAC3C,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAA;IAE7C,mDAAmD;IACnD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAA;IAC7C,CAAC;IAED,oEAAoE;IACpE,uEAAuE;IACvE,8DAA8D;IAC9D,IAAI,OAAO,GAAa,EAAE,CAAA;IAC1B,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CACrB;YACE,SAAS;YACT,UAAU;YACV,aAAa;YACb,MAAM,CAAC,QAAQ,CAAC;YAChB,GAAG,SAAS;YACZ,IAAI;YACJ,qBAAqB;SACtB,EACD,GAAG,EACH,MAAM,EACN,aAAa,CACd,CAAA;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAe,CAAC,kCAAkC,KAAK,EAAE,CAAC,CAAA;IAC5D,CAAC;IAED,kBAAkB;IAClB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;QAE7C,8DAA8D;QAC9D,IAAI,QAAQ,GAAG,KAAK,CAAA;QACpB,KAAK,MAAM,OAAO,IAAI,CAAC,GAAG,oBAAoB,EAAE,MAAM,CAAC,EAAE,CAAC;YACxD,MAAM,iBAAiB,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAA;YAC7D,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAC7C,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CACjC,CAAC,CAAC,EAAE,CAAC,0BAA0B,CAAC,CAAC,CAAC,KAAK,iBAAiB,CACzD,CAAA;YACD,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;gBACpB,6DAA6D;gBAC7D,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;oBACvB,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;oBAC7D,IAAI,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;wBACjC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;oBAC5C,CAAC;yBAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;wBACzC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAA;oBAC7C,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,SAAS,CAAC,IAAI,CAA
C,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;gBAChE,CAAC;gBACD,QAAQ,GAAG,IAAI,CAAA;gBACf,MAAK;YACP,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAA;AAChC,CAAC;AAED,8DAA8D;AAC9D,MAAM,uBAAuB,GAAgB,IAAI,GAAG,EAAE,CAAA;AACtD,IAAI,qBAAqB,GAAG,KAAK,CAAA;AAEjC;;GAEG;AACH,SAAS,6BAA6B;IACpC,IAAI,qBAAqB,EAAE,CAAC;QAC1B,OAAM;IACR,CAAC;IAED,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;QACtB,KAAK,MAAM,UAAU,IAAI,uBAAuB,EAAE,CAAC;YACjD,IAAI,CAAC;gBACH,oBAAoB,CAAC,UAAU,CAAC,CAAA;YAClC,CAAC;YAAC,MAAM,CAAC;gBACP,oCAAoC;YACtC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,qBAAqB,GAAG,IAAI,CAAA;AAC9B,CAAC;AAoBD;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,aAGxC;IACC,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;QAChD,KAAK,EAAE,QAAQ;QACf,OAAO,EAAE,IAAI;KACd,CAAC,CAAA;IACF,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;QAChD,KAAK,EAAE,QAAQ;QACf,OAAO,EAAE,IAAI;KACd,CAAC,CAAA;IAEF,OAAO;QACL,QAAQ,EAAE,WAAW,CAAC,MAAM,KAAK,CAAC;QAClC,QAAQ,EAAE,WAAW,CAAC,MAAM,KAAK,CAAC;QAClC,aAAa,EAAE,sBAAsB,CAAC,aAAa,EAAE,OAAO,CAAC,KAAK,IAAI;QACtE,eAAe,EACb,yBAAyB,CAAC,aAAa,EAAE,SAAS,CAAC,KAAK,IAAI;KAC/D,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,aAGtC;IACC,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,MAAM,QAAQ,GAAa,EAAE,CAAA;IAE7B,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1C,KAAK,EAAE,QAAQ;QACf,OAAO,EAAE,IAAI;KACd,CAAC,CAAA;IACF,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;QAC1C,KAAK,EAAE,QAAQ;QACf,OAAO,EAAE,IAAI;KACd,CAAC,CAAA;IAEF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAA;IACvE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IAE1D,MAAM,MAAM,GAAG,sBAAsB,CAAC,aAAa,EAAE,OAAO,CAAC,KAAK,IAAI,CAAA;IACtE,MAAM,QAAQ,GAAG,yBAAyB,CAAC,aAAa,EAAE,SAAS,CAAC,KAAK,IAAI,CAAA;IAC7E,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACzB,QAAQ,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAA;IAC5E,CAAC;IAED,OAA
O,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAA;AAC7B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,aAAqB,EACrB,cAAsB;IAEtB,MAAM,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC/C,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,QAAQ,OAAO,CAAC,CAAA;IACrE,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,QAAQ,OAAO,CAAC,CAAA;IAEvE,oBAAoB;IACpB,MAAM,aAAa,GAAG;QACpB,eAAe,cAAc,iBAAiB;QAC9C,iBAAiB,aAAa,8CAA8C;KAC7E,CAAA;IAED,eAAe,CAAC,+BAA+B,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAEzE,MAAM,iBAAiB,GAAG,KAAK,CAAC,OAAO,EAAE,aAAa,EAAE;QACtD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IAED,uDAAuD;IACvD,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;QAClC,eAAe,CAAC,8BAA8B,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;IAC1E,CAAC,CAAC,CAAA;IACF,iBAAiB,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;QAC5C,eAAe,CACb,wCAAwC,IAAI,YAAY,MAAM,EAAE,EAChE,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CACzC,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,qBAAqB;IACrB,MAAM,cAAc,GAAG;QACrB,eAAe,eAAe,iBAAiB;QAC/C,iBAAiB,cAAc,8CAA8C;KAC9E,CAAA;IAED,eAAe,CAAC,gCAAgC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAE3E,MAAM,kBAAkB,GAAG,KAAK,CAAC,OAAO,EAAE,cAAc,EAAE;QACxD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC;QAC5B,uBAAuB;QACvB,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;YAChD,CAAC;YAAC,MAAM,CAAC;gBACP,gBAAgB;YAClB,CAAC;QACH,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;IACzD,CAAC;IAED,uDAAuD;IACvD,kBAAkB,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;QACnC,eAAe,CAAC,+BAA+B,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;IAC3E,CAAC,CAAC,CAAA;IACF,kBAAkB,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;QAC7C,eAAe,CACb,yCAAyC,IAAI,YAAY,MAAM,EAAE,EACjE,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CACzC,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,oCAA
oC;IACpC,MAAM,WAAW,GAAG,CAAC,CAAA;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,IACE,CAAC,iBAAiB,CAAC,GAAG;YACtB,iBAAiB,CAAC,MAAM;YACxB,CAAC,kBAAkB,CAAC,GAAG;YACvB,kBAAkB,CAAC,MAAM,EACzB,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,CAAC;YACH,sBAAsB;YACtB,IAAI,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;gBACpE,eAAe,CAAC,6BAA6B,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;gBAC9D,MAAK;YACP,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAe,CAAC,mCAAmC,CAAC,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE;gBACnE,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,WAAW,GAAG,CAAC,EAAE,CAAC;YAC1B,0BAA0B;YAC1B,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,IAAI,kBAAkB,CAAC,GAAG,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBACjD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,MAAM,IAAI,KAAK,CACb,yCAAyC,WAAW,WAAW,CAChE,CAAA;QACH,CAAC;QAED,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;IAC5D,CAAC;IAED,OAAO;QACL,cAAc;QACd,eAAe;QACf,iBAAiB;QACjB,kBAAkB;QAClB,aAAa;QACb,cAAc;KACf,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAC1B,cAAsB,EACtB,eAAuB,EACvB,WAAmB,EACnB,iBAAqC,EACrC,KAAc,EACd,gBAAyB;IAEzB,6CAA6C;IAC7C,MAAM,SAAS,GAAG,KAAK,IAAI,MAAM,CAAA;IACjC,MAAM,aAAa,GAAG;QACpB,qDAAqD,cAAc,oBAAoB;QACvF,qDAAqD,eAAe,oBAAoB;QACxF,0CAA0C;KAC3C,CAAA;IAED,+DAA+D;IAC/D,IAAI,iBAAiB,EAAE,CAAC;QACtB,0BAA0B;QAC1B,qEAAqE;QACrE,kEAAkE;QAClE,kEAAkE;QAClE,EAAE;QACF,4CAA4C;QAC5C,6BAA6B;QAC7B,6DAA6D;QAC7D,2BAA2B;QAC3B,EAAE;QACF,oFAAoF;QACpF,MAAM,kBAAkB,GAAG,yBAAyB,CAAC,gBAAgB,CAAC,CAAA;QACtE,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CACb,wEAAwE;gBACtE,uFAAuF,CAC1F,CAAA;QACH,CAAC;QAED,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,CAAC;YACvC,kBAAkB;YAClB,iBAAiB;YACjB,SAAS;YACT,IAAI;YACJ,WAAW;SACZ,CAAC,CAAA;QAEF,MAAM,WAAW,
GAAG,CAAC,GAAG,aAAa,EAAE,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAClE,OAAO,GAAG,SAAS,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CAAA;IAC7D,CAAC;SAAM,CAAC;QACN,gDAAgD;QAChD,MAAM,WAAW,GAAG;YAClB,GAAG,aAAa;YAChB,QAAQ,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE;SAC1C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEZ,OAAO,GAAG,SAAS,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CAAA;IAC7D,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,sBAAsB,CACnC,UAA+C,EAC/C,WAAiD,EACjD,gBAAsD,EAAE,OAAO,EAAE,IAAI,EAAE,EACvE,2BAAmC,mCAAmC,EACtE,cAAc,GAAG,KAAK,EACtB,WAAyB;IAEzB,MAAM,IAAI,GAAa,EAAE,CAAA;IACzB,sBAAsB;IAEtB,2DAA2D;IAC3D,IAAI,WAAW,EAAE,CAAC;QAChB,qFAAqF;QACrF,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;QAEhC,4DAA4D;QAC5D,MAAM,iBAAiB,GAAa,EAAE,CAAA;QAEtC,iCAAiC;QACjC,KAAK,MAAM,WAAW,IAAI,WAAW,CAAC,SAAS,IAAI,EAAE,EAAE,CAAC;YACtD,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,eAAe,CACb,0CAA0C,WAAW,OAAO,cAAc,EAAE,CAC7E,CAAA;YAED,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,eAAe,CAAC,uCAAuC,cAAc,EAAE,CAAC,CAAA;gBACxE,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,eAAe,CACb,qDAAqD,cAAc,EAAE,CACtE,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACnD,iBAAiB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACxC,CAAC;QAED,uEAAuE;QACvE,MAAM,SAAS,GAAG;YAChB,GAAG,CAAC,WAAW,CAAC,eAAe,IAAI,EAAE,CAAC;YACtC,GAAG,CAAC,MAAM,0BAA0B,CAClC,aAAa,EACb,wBAAwB,EACxB,cAAc,EACd,WAAW,CACZ,CAAC;SACH,CAAA;QAED,KAAK,MAAM,WAAW,IAAI,SAAS,EAAE,CAAC;YACpC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,SAAQ;YACV,CAAC;YAED,yEAAyE;YACzE,gEAAgE;YAChE,sEAAsE;YACtE,uEAAuE;YACvE,MAAM,aAAa,GAAG,iBAAiB,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAA;YAC1E,IAAI,aAAa,EAAE,CAAC;gBAClB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,aAAa,CAAC,CAAA;gBAClD,eAAe,CACb,gDAAgD,aAAa,wCAAwC,CACtG,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,iDAAiD;YACjD,yEAAyE;YACzE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,eAAe,CACb,
oDAAoD,cAAc,EAAE,CACrE,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,qEAAqE;YACrE,kEAAkE;YAClE,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,CAChD,WAAW,CAAC,EAAE,CACZ,cAAc,CAAC,UAAU,CAAC,WAAW,GAAG,GAAG,CAAC;gBAC5C,cAAc,KAAK,WAAW,CACjC,CAAA;YAED,IAAI,mBAAmB,EAAE,CAAC;gBACxB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACxD,CAAC;iBAAM,CAAC;gBACN,eAAe,CACb,gEAAgE,cAAc,EAAE,CACjF,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,0CAA0C;QAC1C,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;IAC/B,CAAC;IAED,+DAA+D;IAC/D,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAA;IAEvD,6EAA6E;IAC7E,+EAA+E;IAC/E,4EAA4E;IAC5E,IAAI,EAAE,CAAC,UAAU,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC3C,aAAa,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;IAC7C,CAAC;IAED,KAAK,MAAM,WAAW,IAAI,aAAa,EAAE,CAAC;QACxC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;QAC3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YACnC,eAAe,CACb,yDAAyD,cAAc,EAAE,CAC1E,CAAA;YACD,SAAQ;QACV,CAAC;QAED,MAAM,YAAY,GAAG,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;QAChD,IAAI,YAAY,CAAC,WAAW,EAAE,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAA;QACtC,CAAC;aAAM,CAAC;YACN,6CAA6C;YAC7C,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,cAAc,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAA0B;IAE1B,MAAM,EACJ,OAAO,EACP,uBAAuB,EACvB,cAAc,EACd,eAAe,EACf,aAAa,EACb,cAAc,EACd,UAAU,EACV,WAAW,EACX,yBAAyB,EACzB,mBAAmB,EACnB,QAAQ,EACR,aAAa,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,EACjC,wBAAwB,GAAG,mCAAmC,EAC9D,cAAc,GAAG,KAAK,EACtB,aAAa,EACb,WAAW,GACZ,GAAG,MAAM,CAAA;IAEV,6CAA6C;IAC7C,6DAA6D;IAC7D,4FAA4F;IAC5F,MAAM,mBAAmB,GAAG,UAAU,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAA;IACxE,MAAM,oBAAoB,GAAG,WAAW,KAAK,SAAS,CAAA;IAEtD,kCAAkC;IAClC,IACE,CAAC,uBAAuB;QACxB,CAAC,mBAAmB;QACpB,CAAC,oBAAoB,EACrB,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,MAAM,SAAS,GAAa,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAA;IAClE,IAAI,iBAAiB,GAAuB,SAAS,CAAA;IAErD,IAAI,CAAC;QACH,8DAA8D;QAC9D,kFAAkF;QAClF,EAAE;QACF,4EAA4E;
QAC5E,wCAAwC;QACxC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,iBAAiB;gBACf,qBAAqB,CAAC,aAAa,EAAE,OAAO,CAAC,IAAI,SAAS,CAAA;YAC5D,MAAM,kBAAkB,GAAG,yBAAyB,CAClD,aAAa,EAAE,SAAS,CACzB,CAAA;YAED,IAAI,CAAC,iBAAiB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC9C,8EAA8E;gBAC9E,eAAe,CACb,kFAAkF;oBAChF,qEAAqE,EACvE,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAA;gBACD,kDAAkD;gBAClD,iBAAiB,GAAG,SAAS,CAAA;YAC/B,CAAC;iBAAM,CAAC;gBACN,qDAAqD;gBACrD,6EAA6E;gBAC7E,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;oBACpD,uBAAuB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;oBAC9C,6BAA6B,EAAE,CAAA;gBACjC,CAAC;gBAED,eAAe,CACb,uEAAuE,CACxE,CAAA;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,eAAe,CACb,0EAA0E,CAC3E,CAAA;QACH,CAAC;QAED,6CAA6C;QAC7C,IAAI,uBAAuB,EAAE,CAAC;YAC5B,6DAA6D;YAC7D,wEAAwE;YACxE,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;YAE/B,qEAAqE;YACrE,sEAAsE;YACtE,2DAA2D;YAC3D,IAAI,cAAc,IAAI,eAAe,EAAE,CAAC;gBACtC,6DAA6D;gBAC7D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;oBACnC,MAAM,IAAI,KAAK,CACb,4CAA4C,cAAc,IAAI;wBAC5D,mEAAmE,CACtE,CAAA;gBACH,CAAC;gBACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;oBACpC,MAAM,IAAI,KAAK,CACb,6CAA6C,eAAe,IAAI;wBAC9D,mEAAmE,CACtE,CAAA;gBACH,CAAC;gBAED,qCAAqC;gBACrC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;gBACxD,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,EAAE,eAAe,CAAC,CAAA;gBAE1D,kCAAkC;gBAClC,yEAAyE;gBACzE,4EAA4E;gBAC5E,MAAM,QAAQ,GAAG,oBAAoB,CACnC,IAAI,EAAE,8BAA8B;gBACpC,IAAI,CACL,CAAA;gBACD,SAAS,CAAC,IAAI,CACZ,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,GAAW,EAAE,EAAE;oBAClC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBAChC,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAA;oBACjC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;oBACpC,OAAO,CAAC,UAAU,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;gBACjC,CAAC,CAAC,CACH,CAAA;gBAED,uEAAuE;gBACvE,iEAAiE;gBACjE,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;oBAChC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,kCAAkC,EAClC,MAAM,CAAC,aAAa,CAAC,CACtB,CAAA;gBACH,CAAC;gBACD,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;oBACjC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,mCAAmC,EACnC,MAAM,CAAC,cAAc,CAAC,CACvB,CAAA;gBACH,
CAAC;YACH,CAAC;YACD,sFAAsF;QACxF,CAAC;QAED,gDAAgD;QAChD,MAAM,MAAM,GAAG,MAAM,sBAAsB,CACzC,UAAU,EACV,WAAW,EACX,aAAa,EACb,wBAAwB,EACxB,cAAc,EACd,WAAW,CACZ,CAAA;QACD,SAAS,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAA;QAEzB,mBAAmB;QACnB,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;QAE/B,gDAAgD;QAChD,6EAA6E;QAC7E,kEAAkE;QAClE,wEAAwE;QACxE,qGAAqG;QACrG,mGAAmG;QACnG,4DAA4D;QAC5D,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAC/B,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAC/B,+DAA+D;YAC/D,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QACnC,CAAC;QAED,gCAAgC;QAChC,0EAA0E;QAC1E,0EAA0E;QAC1E,MAAM,SAAS,GAAG,QAAQ,IAAI,MAAM,CAAA;QACpC,MAAM,eAAe,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE;YACtD,QAAQ,EAAE,MAAM;SACjB,CAAC,CAAA;QACF,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,UAAU,SAAS,qBAAqB,CAAC,CAAA;QAC3D,CAAC;QACD,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,IAAI,EAAE,CAAA;QAC3C,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAA;QAEjC,+FAA+F;QAC/F,wEAAwE;QACxE,IAAI,uBAAuB,IAAI,cAAc,IAAI,eAAe,EAAE,CAAC;YACjE,2EAA2E;YAC3E,uDAAuD;YACvD,MAAM,cAAc,GAAG,mBAAmB,CACxC,cAAc,EACd,eAAe,EACf,OAAO,EACP,iBAAiB,EACjB,KAAK,EACL,aAAa,EAAE,SAAS,CACzB,CAAA;YACD,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QAChC,CAAC;aAAM,IAAI,iBAAiB,EAAE,CAAC;YAC7B,2EAA2E;YAC3E,4FAA4F;YAC5F,MAAM,kBAAkB,GAAG,yBAAyB,CAClD,aAAa,EAAE,SAAS,CACzB,CAAA;YACD,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CACb,wEAAwE;oBACtE,uFAAuF,CAC1F,CAAA;YACH,CAAC;YAED,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,CAAC;gBACvC,kBAAkB;gBAClB,iBAAiB;gBACjB,KAAK;gBACL,IAAI;gBACJ,OAAO;aACR,CAAC,CAAA;YACF,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QACjC,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QACzB,CAAC;QAED,gCAAgC;QAChC,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,CAAC,CAAA;QAEhE,MAAM,YAAY,GAAG,EAAE,CAAA;QACvB,IAAI,uBAAuB;YAAE,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QACzD,IAAI,mBAAmB,IAAI,oBAAoB;YAC7C,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QACjC,IAAI,iBAAiB;YAAE,YAAY,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;QAE/D,eAAe,CACb,+CAA+C,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CACvF,CAAA
;QAED,OAAO,cAAc,CAAA;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,mCAAmC;QACnC,IAAI,iBAAiB,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACzE,uBAAuB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAA;YACjD,IAAI,CAAC;gBACH,oBAAoB,CAAC,iBAAiB,CAAC,CAAA;YACzC,CAAC;YAAC,OAAO,YAAY,EAAE,CAAC;gBACtB,eAAe,CACb,+DAA+D,YAAY,EAAE,EAC7E,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;YACH,CAAC;QACH,CAAC;QACD,8BAA8B;QAC9B,MAAM,KAAK,CAAA;IACb,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"linux-sandbox-utils.js","sourceRoot":"","sources":["../../src/sandbox/linux-sandbox-utils.ts"],"names":[],"mappings":"AAAA,OAAO,UAAU,MAAM,aAAa,CAAA;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAA;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAA;AAE1C,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAChC,OAAO,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAA;AAC7C,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,wBAAwB,EACxB,eAAe,EACf,uBAAuB,GACxB,MAAM,oBAAoB,CAAA;AAK3B,OAAO,EACL,qBAAqB,EACrB,oBAAoB,EACpB,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,8BAA8B,CAAA;AAkCrC,sDAAsD;AACtD,MAAM,mCAAmC,GAAG,CAAC,CAAA;AAE7C;;;;;;GAMG;AACH,SAAS,iBAAiB,CACxB,UAAkB,EAClB,iBAA2B;IAE3B,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACxC,IAAI,WAAW,GAAG,EAAE,CAAA;IAEpB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,SAAQ,CAAC,+BAA+B;QACnD,MAAM,QAAQ,GAAG,WAAW,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAA;QAE9C,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;YACpC,IAAI,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC;gBAC3B,wDAAwD;gBACxD,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,CAChD,WAAW,CAAC,EAAE,CACZ,QAAQ,CAAC,UAAU,CAAC,WAAW,GAAG,GAAG,CAAC,IAAI,QAAQ,KAAK,WAAW,CACrE,CAAA;gBACD,IAAI,mBAAmB,EAAE,CAAC;oBACxB,OAAO,QAAQ,CAAA;gBACjB,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;YAC7C,MAAK;QACP,CAAC;QACD,WAAW,GAAG,QAAQ,CAAA;IACxB,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;GAMG;AACH,SAAS,eAAe,CAAC,UAAkB;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACxC,IAAI,WAAW,GAAG,EAAE,CAAA;IAEpB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,SAAQ,CAAC,+BAA+B;QACnD,MAAM,QAAQ,GAAG,WAAW,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAA;QAC9C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;YAClC,IAAI,IAAI,CAAC,MAAM,EAAE,IAAI,IAAI,CAAC,cAAc,EAAE,EAAE,CAAC;gBAC3C,oEAAoE;gBACpE,OAAO,IAAI,CAAA;YACb,CAAC;QACH,CAAC;QAAC,MAAM,CA
AC;YACP,qCAAqC;YACrC,MAAK;QACP,CAAC;QACD,WAAW,GAAG,QAAQ,CAAA;IACxB,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,6BAA6B,CAAC,UAAkB;IACvD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACxC,IAAI,WAAW,GAAG,EAAE,CAAA;IAEpB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,SAAQ,CAAC,+BAA+B;QACnD,MAAM,QAAQ,GAAG,WAAW,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAA;QAC9C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,QAAQ,CAAA;QACjB,CAAC;QACD,WAAW,GAAG,QAAQ,CAAA;IACxB,CAAC;IAED,OAAO,UAAU,CAAA,CAAC,2CAA2C;AAC/D,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,0BAA0B,CACvC,gBAAsD,EAAE,OAAO,EAAE,IAAI,EAAE,EACvE,WAAmB,mCAAmC,EACtD,cAAc,GAAG,KAAK,EACtB,WAAyB;IAEzB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IACzB,sDAAsD;IACtD,MAAM,kBAAkB,GAAG,IAAI,eAAe,EAAE,CAAA;IAChD,MAAM,MAAM,GAAG,WAAW,IAAI,kBAAkB,CAAC,MAAM,CAAA;IACvD,MAAM,oBAAoB,GAAG,uBAAuB,EAAE,CAAA;IAEtD,uEAAuE;IACvE,MAAM,SAAS,GAAG;QAChB,yBAAyB;QACzB,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACjD,+BAA+B;QAC/B,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;KACvD,CAAA;IAED,wEAAwE;IACxE,mEAAmE;IACnE,qEAAqE;IACrE,mEAAmE;IACnE,+BAA+B;IAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IAC5C,IAAI,iBAAiB,GAAG,KAAK,CAAA;IAC7B,IAAI,CAAC;QACH,iBAAiB,GAAG,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAA;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,qBAAqB;IACvB,CAAC;IAED,IAAI,iBAAiB,EAAE,CAAC;QACtB,wCAAwC;QACxC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC,CAAA;QAE/C,mEAAmE;QACnE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC,CAAA;QAClD,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,MAAM,SAAS,GAAa,EAAE,CAAA;IAC9B,KAAK,MAAM,QAAQ,IAAI,eAAe,EAAE,CAAC;QACvC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAA;IACrC,CAAC;IACD,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QAC3C,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,OAAO,KAAK,CAAC,CAAA;IAC/C,CAAC;IACD,2CAA2C;IAC3C,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,
kBAAkB,CAAC,CAAA;IAE7C,mDAAmD;IACnD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAA;IAC7C,CAAC;IAED,oEAAoE;IACpE,uEAAuE;IACvE,8DAA8D;IAC9D,IAAI,OAAO,GAAa,EAAE,CAAA;IAC1B,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CACrB;YACE,SAAS;YACT,UAAU;YACV,aAAa;YACb,MAAM,CAAC,QAAQ,CAAC;YAChB,GAAG,SAAS;YACZ,IAAI;YACJ,qBAAqB;SACtB,EACD,GAAG,EACH,MAAM,EACN,aAAa,CACd,CAAA;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAe,CAAC,kCAAkC,KAAK,EAAE,CAAC,CAAA;IAC5D,CAAC;IAED,kBAAkB;IAClB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;QAE7C,8DAA8D;QAC9D,IAAI,QAAQ,GAAG,KAAK,CAAA;QACpB,KAAK,MAAM,OAAO,IAAI,CAAC,GAAG,oBAAoB,EAAE,MAAM,CAAC,EAAE,CAAC;YACxD,MAAM,iBAAiB,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAA;YAC7D,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAC7C,MAAM,QAAQ,GAAG,QAAQ,CAAC,SAAS,CACjC,CAAC,CAAC,EAAE,CAAC,0BAA0B,CAAC,CAAC,CAAC,KAAK,iBAAiB,CACzD,CAAA;YACD,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;gBACpB,6DAA6D;gBAC7D,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;oBACvB,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;oBAC7D,IAAI,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;wBACjC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;oBAC5C,CAAC;yBAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;wBACzC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAA;oBAC7C,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;gBAChE,CAAC;gBACD,QAAQ,GAAG,IAAI,CAAA;gBACf,MAAK;YACP,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAC9B,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,CAAA;AAChC,CAAC;AAED,8DAA8D;AAC9D,MAAM,uBAAuB,GAAgB,IAAI,GAAG,EAAE,CAAA;AAEtD,mEAAmE;AACnE,6EAA6E;AAC7E,8EAA8E;AAC9E,4BAA4B;AAC5B,MAAM,gBAAgB,GAAgB,IAAI,GAAG,EAAE,CAAA;AAE/C,IAAI,qBAAqB,GAAG,KAAK,CAAA;AAEjC;;GAEG;AACH,SAAS,0BAA0
B;IACjC,IAAI,qBAAqB,EAAE,CAAC;QAC1B,OAAM;IACR,CAAC;IAED,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;QACtB,KAAK,MAAM,UAAU,IAAI,uBAAuB,EAAE,CAAC;YACjD,IAAI,CAAC;gBACH,oBAAoB,CAAC,UAAU,CAAC,CAAA;YAClC,CAAC;YAAC,MAAM,CAAC;gBACP,oCAAoC;YACtC,CAAC;QACH,CAAC;QACD,uBAAuB,EAAE,CAAA;IAC3B,CAAC,CAAC,CAAA;IAEF,qBAAqB,GAAG,IAAI,CAAA;AAC9B,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,uBAAuB;IACrC,KAAK,MAAM,UAAU,IAAI,gBAAgB,EAAE,CAAC;QAC1C,IAAI,CAAC;YACH,oEAAoE;YACpE,8DAA8D;YAC9D,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;YACpC,IAAI,IAAI,CAAC,MAAM,EAAE,IAAI,IAAI,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;gBACrC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAA;gBACzB,eAAe,CACb,wDAAwD,UAAU,EAAE,CACrE,CAAA;YACH,CAAC;iBAAM,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;gBAC9B,4DAA4D;gBAC5D,kDAAkD;gBAClD,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,CAAA;gBAC1C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACzB,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,CAAA;oBACxB,eAAe,CACb,uDAAuD,UAAU,EAAE,CACpE,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;QACnE,CAAC;IACH,CAAC;IACD,gBAAgB,CAAC,KAAK,EAAE,CAAA;AAC1B,CAAC;AAoBD;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,aAGxC;IACC,OAAO;QACL,QAAQ,EAAE,SAAS,CAAC,OAAO,CAAC,KAAK,IAAI;QACrC,QAAQ,EAAE,SAAS,CAAC,OAAO,CAAC,KAAK,IAAI;QACrC,aAAa,EAAE,sBAAsB,CAAC,aAAa,EAAE,OAAO,CAAC,KAAK,IAAI;QACtE,eAAe,EACb,yBAAyB,CAAC,aAAa,EAAE,SAAS,CAAC,KAAK,IAAI;KAC/D,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,aAGtC;IACC,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,MAAM,QAAQ,GAAa,EAAE,CAAA;IAE7B,IAAI,SAAS,CAAC,OAAO,CAAC,KAAK,IAAI;QAC7B,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAA;IACjD,IAAI,SAAS,CAAC,OAAO,CAAC,KAAK,IAAI;QAAE,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IAEnE,MAAM,MAAM,GAAG,sBAAsB,CAAC,aAAa,EAAE,OAAO,CAAC,KAAK,IAAI,CAAA;IACtE,MAAM,QAAQ,GAAG,yBAAyB,CAAC,aAAa,EAAE,SAAS,CAAC,KAAK,IAAI,CAAA;IAC7E,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACzB,QAAQ,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAA;IAC5E,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAA;AAC7B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,aAAqB,EACrB,cAAsB;IAEt
B,MAAM,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAC/C,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,QAAQ,OAAO,CAAC,CAAA;IACrE,MAAM,eAAe,GAAG,IAAI,CAAC,MAAM,EAAE,EAAE,gBAAgB,QAAQ,OAAO,CAAC,CAAA;IAEvE,oBAAoB;IACpB,MAAM,aAAa,GAAG;QACpB,eAAe,cAAc,iBAAiB;QAC9C,iBAAiB,aAAa,8CAA8C;KAC7E,CAAA;IAED,eAAe,CAAC,+BAA+B,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAEzE,MAAM,iBAAiB,GAAG,KAAK,CAAC,OAAO,EAAE,aAAa,EAAE;QACtD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IAED,uDAAuD;IACvD,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;QAClC,eAAe,CAAC,8BAA8B,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;IAC1E,CAAC,CAAC,CAAA;IACF,iBAAiB,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;QAC5C,eAAe,CACb,wCAAwC,IAAI,YAAY,MAAM,EAAE,EAChE,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CACzC,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,qBAAqB;IACrB,MAAM,cAAc,GAAG;QACrB,eAAe,eAAe,iBAAiB;QAC/C,iBAAiB,cAAc,8CAA8C;KAC9E,CAAA;IAED,eAAe,CAAC,gCAAgC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAE3E,MAAM,kBAAkB,GAAG,KAAK,CAAC,OAAO,EAAE,cAAc,EAAE;QACxD,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;IAEF,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC;QAC5B,uBAAuB;QACvB,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;YAC1B,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;YAChD,CAAC;YAAC,MAAM,CAAC;gBACP,gBAAgB;YAClB,CAAC;QACH,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAA;IACzD,CAAC;IAED,uDAAuD;IACvD,kBAAkB,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;QACnC,eAAe,CAAC,+BAA+B,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAA;IAC3E,CAAC,CAAC,CAAA;IACF,kBAAkB,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;QAC7C,eAAe,CACb,yCAAyC,IAAI,YAAY,MAAM,EAAE,EACjE,EAAE,KAAK,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CACzC,CAAA;IACH,CAAC,CAAC,CAAA;IAEF,oCAAoC;IACpC,MAAM,WAAW,GAAG,CAAC,CAAA;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,IACE,CAAC,iBAAiB,CAAC,
GAAG;YACtB,iBAAiB,CAAC,MAAM;YACxB,CAAC,kBAAkB,CAAC,GAAG;YACvB,kBAAkB,CAAC,MAAM,EACzB,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,CAAC;YACH,sBAAsB;YACtB,IAAI,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;gBACpE,eAAe,CAAC,6BAA6B,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;gBAC9D,MAAK;YACP,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAe,CAAC,mCAAmC,CAAC,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE;gBACnE,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,WAAW,GAAG,CAAC,EAAE,CAAC;YAC1B,0BAA0B;YAC1B,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,IAAI,kBAAkB,CAAC,GAAG,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBACjD,CAAC;gBAAC,MAAM,CAAC;oBACP,gBAAgB;gBAClB,CAAC;YACH,CAAC;YACD,MAAM,IAAI,KAAK,CACb,yCAAyC,WAAW,WAAW,CAChE,CAAA;QACH,CAAC;QAED,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;IAC5D,CAAC;IAED,OAAO;QACL,cAAc;QACd,eAAe;QACf,iBAAiB;QACjB,kBAAkB;QAClB,aAAa;QACb,cAAc;KACf,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,mBAAmB,CAC1B,cAAsB,EACtB,eAAuB,EACvB,WAAmB,EACnB,iBAAqC,EACrC,KAAc,EACd,gBAAyB;IAEzB,6CAA6C;IAC7C,MAAM,SAAS,GAAG,KAAK,IAAI,MAAM,CAAA;IACjC,MAAM,aAAa,GAAG;QACpB,qDAAqD,cAAc,oBAAoB;QACvF,qDAAqD,eAAe,oBAAoB;QACxF,0CAA0C;KAC3C,CAAA;IAED,+DAA+D;IAC/D,IAAI,iBAAiB,EAAE,CAAC;QACtB,0BAA0B;QAC1B,qEAAqE;QACrE,kEAAkE;QAClE,kEAAkE;QAClE,EAAE;QACF,4CAA4C;QAC5C,6BAA6B;QAC7B,6DAA6D;QAC7D,2BAA2B;QAC3B,EAAE;QACF,oFAAoF;QACpF,MAAM,kBAAkB,GAAG,yBAAyB,CAAC,gBAAgB,CAAC,CAAA;QACtE,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CACb,wEAAwE;gBACtE,uFAAuF,CAC1F,CAAA;QACH,CAAC;QAED,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,CAAC;YACvC,kBAAkB;YAClB,iBAAiB;YACjB,SAAS;YACT,IAAI;YACJ,WAAW;SACZ,CAAC,CAAA;QAEF,MAAM,WAAW,GAAG,CAAC,GAAG,aAAa,EAAE,eAAe,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAClE,OAAO,GAAG,SAAS,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CA
AA;IAC7D,CAAC;SAAM,CAAC;QACN,gDAAgD;QAChD,MAAM,WAAW,GAAG;YAClB,GAAG,aAAa;YAChB,QAAQ,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE;SAC1C,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEZ,OAAO,GAAG,SAAS,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,EAAE,CAAA;IAC7D,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,sBAAsB,CACnC,UAA+C,EAC/C,WAAiD,EACjD,gBAAsD,EAAE,OAAO,EAAE,IAAI,EAAE,EACvE,2BAAmC,mCAAmC,EACtE,cAAc,GAAG,KAAK,EACtB,WAAyB;IAEzB,MAAM,IAAI,GAAa,EAAE,CAAA;IACzB,sBAAsB;IAEtB,2DAA2D;IAC3D,IAAI,WAAW,EAAE,CAAC;QAChB,qFAAqF;QACrF,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;QAEhC,4DAA4D;QAC5D,MAAM,iBAAiB,GAAa,EAAE,CAAA;QAEtC,iCAAiC;QACjC,KAAK,MAAM,WAAW,IAAI,WAAW,CAAC,SAAS,IAAI,EAAE,EAAE,CAAC;YACtD,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,eAAe,CACb,0CAA0C,WAAW,OAAO,cAAc,EAAE,CAC7E,CAAA;YAED,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,eAAe,CAAC,uCAAuC,cAAc,EAAE,CAAC,CAAA;gBACxE,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,eAAe,CACb,qDAAqD,cAAc,EAAE,CACtE,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,kEAAkE;YAClE,2EAA2E;YAC3E,uEAAuE;YACvE,IAAI,CAAC;gBACH,MAAM,YAAY,GAAG,EAAE,CAAC,YAAY,CAAC,cAAc,CAAC,CAAA;gBACpD,qEAAqE;gBACrE,uEAAuE;gBACvE,gEAAgE;gBAChE,MAAM,uBAAuB,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;gBAClE,IACE,YAAY,KAAK,uBAAuB;oBACxC,wBAAwB,CAAC,cAAc,EAAE,YAAY,CAAC,EACtD,CAAC;oBACD,eAAe,CACb,mFAAmF,WAAW,OAAO,YAAY,EAAE,CACpH,CAAA;oBACD,SAAQ;gBACV,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,uEAAuE;gBACvE,eAAe,CACb,mEAAmE,cAAc,EAAE,CACpF,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;YACnD,iBAAiB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACxC,CAAC;QAED,uEAAuE;QACvE,MAAM,SAAS,GAAG;YAChB,GAAG,CAAC,WAAW,CAAC,eAAe,IAAI,EAAE,CAAC;YACtC,GAAG,CAAC,MAAM,0BAA0B,CAClC,aAAa,EACb,wBAAwB,EACxB,cAAc,EACd,WAAW,CACZ,CAAC;SACH,CAAA;QAED,KAAK,MAAM,WAAW,IAAI,SAAS,EAAE,CAAC;YACpC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;YAE3D,0DAA0D;YAC1D,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvC,SAAQ;YACV,CAAC;YAED,yEAAyE;YACzE,gEAAg
E;YAChE,sEAAsE;YACtE,uEAAuE;YACvE,MAAM,aAAa,GAAG,iBAAiB,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAA;YAC1E,IAAI,aAAa,EAAE,CAAC;gBAClB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,aAAa,CAAC,CAAA;gBAClD,eAAe,CACb,gDAAgD,aAAa,wCAAwC,CACtG,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,qEAAqE;YACrE,yEAAyE;YACzE,uDAAuD;YACvD,EAAE;YACF,yEAAyE;YACzE,qEAAqE;YACrE,uCAAuC;YACvC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;gBACnC,oEAAoE;gBACpE,kEAAkE;gBAClE,oEAAoE;gBACpE,sCAAsC;gBACtC,IAAI,eAAe,CAAC,cAAc,CAAC,EAAE,CAAC;oBACpC,eAAe,CACb,6FAA6F,cAAc,EAAE,CAC9G,CAAA;oBACD,SAAQ;gBACV,CAAC;gBAED,+CAA+C;gBAC/C,IAAI,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAA;gBAC/C,OAAO,YAAY,KAAK,GAAG,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;oBAC5D,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAA;gBAC3C,CAAC;gBAED,yEAAyE;gBACzE,4DAA4D;gBAC5D,MAAM,2BAA2B,GAAG,iBAAiB,CAAC,IAAI,CACxD,WAAW,CAAC,EAAE,CACZ,YAAY,CAAC,UAAU,CAAC,WAAW,GAAG,GAAG,CAAC;oBAC1C,YAAY,KAAK,WAAW;oBAC5B,cAAc,CAAC,UAAU,CAAC,WAAW,GAAG,GAAG,CAAC,CAC/C,CAAA;gBAED,IAAI,2BAA2B,EAAE,CAAC;oBAChC,MAAM,gBAAgB,GAAG,6BAA6B,CAAC,cAAc,CAAC,CAAA;oBAEtE,mEAAmE;oBACnE,oEAAoE;oBACpE,qEAAqE;oBACrE,gEAAgE;oBAChE,IAAI,gBAAgB,KAAK,cAAc,EAAE,CAAC;wBACxC,MAAM,QAAQ,GAAG,EAAE,CAAC,WAAW,CAC7B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,eAAe,CAAC,CACrC,CAAA;wBACD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAA;wBAClD,gBAAgB,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAA;wBACtC,0BAA0B,EAAE,CAAA;wBAC5B,eAAe,CACb,wCAAwC,gBAAgB,yBAAyB,cAAc,EAAE,CAClG,CAAA;oBACH,CAAC;yBAAM,CAAC;wBACN,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,gBAAgB,CAAC,CAAA;wBACrD,gBAAgB,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAA;wBACtC,0BAA0B,EAAE,CAAA;wBAC5B,eAAe,CACb,wCAAwC,gBAAgB,yBAAyB,cAAc,EAAE,CAClG,CAAA;oBACH,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,eAAe,CACb,6EAA6E,cAAc,EAAE,CAC9F,CAAA;gBACH,CAAC;gBACD,SAAQ;YACV,CAAC;YAED,qEAAqE;YACrE,kEAAkE;YAClE,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,IAAI,CAChD,WAAW,CAAC,EAAE,CACZ,cAAc,CAAC,UAAU,CAAC,WAAW,GAAG,GAAG,CAAC;gBAC5C,cAAc,KAAK,WAAW,CACjC,CAAA;YAED,IAAI,mBAAmB,EAAE,CAAC;gBACxB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,EA
AE,cAAc,CAAC,CAAA;YACxD,CAAC;iBAAM,CAAC;gBACN,eAAe,CACb,gEAAgE,cAAc,EAAE,CACjF,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,0CAA0C;QAC1C,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;IAC/B,CAAC;IAED,+DAA+D;IAC/D,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAA;IAEvD,6EAA6E;IAC7E,+EAA+E;IAC/E,4EAA4E;IAC5E,IAAI,EAAE,CAAC,UAAU,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC3C,aAAa,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;IAC7C,CAAC;IAED,KAAK,MAAM,WAAW,IAAI,aAAa,EAAE,CAAC;QACxC,MAAM,cAAc,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAA;QAC3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YACnC,eAAe,CACb,yDAAyD,cAAc,EAAE,CAC1E,CAAA;YACD,SAAQ;QACV,CAAC;QAED,MAAM,YAAY,GAAG,EAAE,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAA;QAChD,IAAI,YAAY,CAAC,WAAW,EAAE,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAA;QACtC,CAAC;aAAM,CAAC;YACN,6CAA6C;YAC7C,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,cAAc,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,MAA0B;IAE1B,MAAM,EACJ,OAAO,EACP,uBAAuB,EACvB,cAAc,EACd,eAAe,EACf,aAAa,EACb,cAAc,EACd,UAAU,EACV,WAAW,EACX,yBAAyB,EACzB,mBAAmB,EACnB,QAAQ,EACR,aAAa,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,EACjC,wBAAwB,GAAG,mCAAmC,EAC9D,cAAc,GAAG,KAAK,EACtB,aAAa,EACb,WAAW,GACZ,GAAG,MAAM,CAAA;IAEV,6CAA6C;IAC7C,6DAA6D;IAC7D,4FAA4F;IAC5F,MAAM,mBAAmB,GAAG,UAAU,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAA;IACxE,MAAM,oBAAoB,GAAG,WAAW,KAAK,SAAS,CAAA;IAEtD,kCAAkC;IAClC,IACE,CAAC,uBAAuB;QACxB,CAAC,mBAAmB;QACpB,CAAC,oBAAoB,EACrB,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,MAAM,SAAS,GAAa,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAA;IAClE,IAAI,iBAAiB,GAAuB,SAAS,CAAA;IAErD,IAAI,CAAC;QACH,8DAA8D;QAC9D,kFAAkF;QAClF,EAAE;QACF,4EAA4E;QAC5E,wCAAwC;QACxC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,iBAAiB;gBACf,qBAAqB,CAAC,aAAa,EAAE,OAAO,CAAC,IAAI,SAAS,CAAA;YAC5D,MAAM,kBAAkB,GAAG,yBAAyB,CAClD,aAAa,EAAE,SAAS,CACzB,CAAA;YAED,IAAI,CAAC,iBAAiB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC9C,8EAA8E;gBAC9E,eAAe,CACb,kFAAkF;oBAChF,qEAAqE,EACvE,EAA
E,KAAK,EAAE,MAAM,EAAE,CAClB,CAAA;gBACD,kDAAkD;gBAClD,iBAAiB,GAAG,SAAS,CAAA;YAC/B,CAAC;iBAAM,CAAC;gBACN,qDAAqD;gBACrD,6EAA6E;gBAC7E,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;oBACpD,uBAAuB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;oBAC9C,0BAA0B,EAAE,CAAA;gBAC9B,CAAC;gBAED,eAAe,CACb,uEAAuE,CACxE,CAAA;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,eAAe,CACb,0EAA0E,CAC3E,CAAA;QACH,CAAC;QAED,6CAA6C;QAC7C,IAAI,uBAAuB,EAAE,CAAC;YAC5B,6DAA6D;YAC7D,wEAAwE;YACxE,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;YAE/B,qEAAqE;YACrE,sEAAsE;YACtE,2DAA2D;YAC3D,IAAI,cAAc,IAAI,eAAe,EAAE,CAAC;gBACtC,6DAA6D;gBAC7D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;oBACnC,MAAM,IAAI,KAAK,CACb,4CAA4C,cAAc,IAAI;wBAC5D,mEAAmE,CACtE,CAAA;gBACH,CAAC;gBACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;oBACpC,MAAM,IAAI,KAAK,CACb,6CAA6C,eAAe,IAAI;wBAC9D,mEAAmE,CACtE,CAAA;gBACH,CAAC;gBAED,qCAAqC;gBACrC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAA;gBACxD,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,EAAE,eAAe,CAAC,CAAA;gBAE1D,kCAAkC;gBAClC,yEAAyE;gBACzE,4EAA4E;gBAC5E,MAAM,QAAQ,GAAG,oBAAoB,CACnC,IAAI,EAAE,8BAA8B;gBACpC,IAAI,CACL,CAAA;gBACD,SAAS,CAAC,IAAI,CACZ,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,GAAW,EAAE,EAAE;oBAClC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBAChC,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAA;oBACjC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAA;oBACpC,OAAO,CAAC,UAAU,EAAE,GAAG,EAAE,KAAK,CAAC,CAAA;gBACjC,CAAC,CAAC,CACH,CAAA;gBAED,uEAAuE;gBACvE,iEAAiE;gBACjE,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;oBAChC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,kCAAkC,EAClC,MAAM,CAAC,aAAa,CAAC,CACtB,CAAA;gBACH,CAAC;gBACD,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;oBACjC,SAAS,CAAC,IAAI,CACZ,UAAU,EACV,mCAAmC,EACnC,MAAM,CAAC,cAAc,CAAC,CACvB,CAAA;gBACH,CAAC;YACH,CAAC;YACD,sFAAsF;QACxF,CAAC;QAED,gDAAgD;QAChD,MAAM,MAAM,GAAG,MAAM,sBAAsB,CACzC,UAAU,EACV,WAAW,EACX,aAAa,EACb,wBAAwB,EACxB,cAAc,EACd,WAAW,CACZ,CAAA;QACD,SAAS,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAA;QAEzB,mBAAmB;QACnB,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;QAE/B,gDAAgD;QAChD
,6EAA6E;QAC7E,kEAAkE;QAClE,wEAAwE;QACxE,qGAAqG;QACrG,mGAAmG;QACnG,4DAA4D;QAC5D,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QAC/B,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAC/B,+DAA+D;YAC/D,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QACnC,CAAC;QAED,gCAAgC;QAChC,0EAA0E;QAC1E,0EAA0E;QAC1E,MAAM,SAAS,GAAG,QAAQ,IAAI,MAAM,CAAA;QACpC,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,CAAC,CAAA;QAClC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,UAAU,SAAS,qBAAqB,CAAC,CAAA;QAC3D,CAAC;QACD,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAA;QAEjC,+FAA+F;QAC/F,wEAAwE;QACxE,IAAI,uBAAuB,IAAI,cAAc,IAAI,eAAe,EAAE,CAAC;YACjE,2EAA2E;YAC3E,uDAAuD;YACvD,MAAM,cAAc,GAAG,mBAAmB,CACxC,cAAc,EACd,eAAe,EACf,OAAO,EACP,iBAAiB,EACjB,KAAK,EACL,aAAa,EAAE,SAAS,CACzB,CAAA;YACD,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QAChC,CAAC;aAAM,IAAI,iBAAiB,EAAE,CAAC;YAC7B,2EAA2E;YAC3E,4FAA4F;YAC5F,MAAM,kBAAkB,GAAG,yBAAyB,CAClD,aAAa,EAAE,SAAS,CACzB,CAAA;YACD,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CACb,wEAAwE;oBACtE,uFAAuF,CAC1F,CAAA;YACH,CAAC;YAED,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,CAAC;gBACvC,kBAAkB;gBAClB,iBAAiB;gBACjB,KAAK;gBACL,IAAI;gBACJ,OAAO;aACR,CAAC,CAAA;YACF,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;QACjC,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QACzB,CAAC;QAED,gCAAgC;QAChC,MAAM,cAAc,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,GAAG,SAAS,CAAC,CAAC,CAAA;QAEhE,MAAM,YAAY,GAAG,EAAE,CAAA;QACvB,IAAI,uBAAuB;YAAE,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QACzD,IAAI,mBAAmB,IAAI,oBAAoB;YAC7C,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QACjC,IAAI,iBAAiB;YAAE,YAAY,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;QAE/D,eAAe,CACb,+CAA+C,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CACvF,CAAA;QAED,OAAO,cAAc,CAAA;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,mCAAmC;QACnC,IAAI,iBAAiB,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACzE,uBAAuB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAA;YACjD,IAAI,CAAC;gBACH,oBAAoB,CAAC,iBAAiB,CAAC,CAAA;YACzC,CAAC;YAAC,OAAO,YAAY,EAAE,CAAC;gBACtB,eAAe,CACb,+DAA+D,YAAY,EAAE,EAC7E,EAAE,KAAK,EAAE,OAAO,EAAE,CACnB,CAAA;YACH,CAAC;QACH,CAAC;QACD,8BAA8B;QAC9B,MAAM,KAAK,CAAA;IACb,
CAAC;AACH,CAAC"}
@@ -13,6 +13,7 @@ export interface MacOSSandboxParams {
13
13
  ignoreViolations?: IgnoreViolationsConfig | undefined;
14
14
  allowPty?: boolean;
15
15
  allowGitConfig?: boolean;
16
+ enableWeakerNetworkIsolation?: boolean;
16
17
  binShell?: string;
17
18
  }
18
19
  /**
@@ -27,24 +28,6 @@ export interface SandboxViolationEvent {
27
28
  timestamp: Date;
28
29
  }
29
30
  export type SandboxViolationCallback = (violation: SandboxViolationEvent) => void;
30
- /**
31
- * Convert a glob pattern to a regular expression for macOS sandbox profiles
32
- *
33
- * This implements gitignore-style pattern matching to match the behavior of the
34
- * `ignore` library used by the permission system/
35
- *
36
- * Supported patterns:
37
- * - * matches any characters except / (e.g., *.ts matches foo.ts but not foo/bar.ts)
38
- * - ** matches any characters including / (e.g., src/** /*.ts matches all .ts files in src/)
39
- * - ? matches any single character except / (e.g., file?.txt matches file1.txt)
40
- * - [abc] matches any character in the set (e.g., file[0-9].txt matches file3.txt)
41
- *
42
- * Note: This is designed for macOS sandbox (regex ...) syntax. The resulting regex
43
- * will be used in sandbox profiles like: (deny file-write* (regex "pattern"))
44
- *
45
- * Exported for testing purposes.
46
- */
47
- export declare function globToRegex(globPattern: string): string;
48
31
  /**
49
32
  * Wrap command with macOS sandbox
50
33
  */
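Review bot: The new `enableWeakerNetworkIsolation?: boolean;` member of `MacOSSandboxParams` has no doc comment, although its name says it relaxes the sandbox's network isolation. A caller reading only the types cannot tell what is weakened or that leaving it unset is the safe choice. I would add a comment on the source interface so it is emitted into this declaration, e.g. `/** Security-sensitive: relaxes macOS network isolation when true. Leave unset unless required. */`, and state there exactly which access is granted. Because the field is optional, the wrapper presumably treats `undefined` as off; that should be confirmed in the implementation, which this section does not show, so that an absent value can never select the weaker mode. The interface begins above the hunk.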
@@ -1 +1 @@
1
- {"version":3,"file":"macos-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox-utils.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAA;AAEjE,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,uBAAuB,EAAE,OAAO,CAAA;IAChC,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC3B,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAC7B,iBAAiB,CAAC,EAAE,OAAO,CAAA;IAC3B,UAAU,EAAE,uBAAuB,GAAG,SAAS,CAAA;IAC/C,WAAW,EAAE,wBAAwB,GAAG,SAAS,CAAA;IACjD,gBAAgB,CAAC,EAAE,sBAAsB,GAAG,SAAS,CAAA;IACrD,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,cAAc,UAAQ,GAAG,MAAM,EAAE,CA2B5E;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,MAAM,wBAAwB,GAAG,CACrC,SAAS,EAAE,qBAAqB,KAC7B,IAAI,CAAA;AAIT;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAkBvD;AAqgBD;;GAEG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,kBAAkB,GACzB,MAAM,CAyFR;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,QAAQ,EAAE,wBAAwB,EAClC,gBAAgB,CAAC,EAAE,sBAAsB,GACxC,MAAM,IAAI,CA8GZ"}
1
+ {"version":3,"file":"macos-sandbox-utils.d.ts","sourceRoot":"","sources":["../../src/sandbox/macos-sandbox-utils.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACzB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAA;AAEjE,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAA;IACf,uBAAuB,EAAE,OAAO,CAAA;IAChC,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC3B,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAC7B,iBAAiB,CAAC,EAAE,OAAO,CAAA;IAC3B,UAAU,EAAE,uBAAuB,GAAG,SAAS,CAAA;IAC/C,WAAW,EAAE,wBAAwB,GAAG,SAAS,CAAA;IACjD,gBAAgB,CAAC,EAAE,sBAAsB,GAAG,SAAS,CAAA;IACrD,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,4BAA4B,CAAC,EAAE,OAAO,CAAA;IACtC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CAAC,cAAc,UAAQ,GAAG,MAAM,EAAE,CA2B5E;AAED,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,SAAS,EAAE,IAAI,CAAA;CAChB;AAED,MAAM,MAAM,wBAAwB,GAAG,CACrC,SAAS,EAAE,qBAAqB,KAC7B,IAAI,CAAA;AA0iBT;;GAEG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,kBAAkB,GACzB,MAAM,CA0FR;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,QAAQ,EAAE,wBAAwB,EAClC,gBAAgB,CAAC,EAAE,sBAAsB,GACxC,MAAM,IAAI,CA8GZ"}