@bastani/atomic 0.9.0-alpha.1 → 0.9.0-alpha.2

package/dist/core/tools/bash-policy-evaluate.js

@@ -1,92 +0,0 @@
-import { compilePolicy, invalidPolicyMode } from "./bash-policy-compile.js";
-import { parseBashCommandSegments, wholeCommandTarget } from "./bash-policy-parser.js";
-function ruleMatches(rule, target) {
-    switch (rule.kind) {
-        case "exact":
-            return target === rule.value;
-        case "prefix":
-            return target.startsWith(rule.value);
-        case "glob":
-            return rule.value.test(target);
-        case "regex":
-            return rule.value.test(target);
-    }
-}
-function firstMatchingRule(rules, target) {
-    for (const rule of rules) {
-        if (ruleMatches(rule, target))
-            return rule.source;
-    }
-    return undefined;
-}
-function isNoRuleDefaultAllowPolicy(policy) {
-    return policy.defaultDecision === "allow" && policy.allow.length === 0 && policy.deny.length === 0;
-}
-export function evaluateBashCommandPolicy(command, policy) {
-    if (policy === undefined) {
-        return { allowed: true, mode: "segments", targets: [] };
-    }
-    const compiled = compilePolicy(policy);
-    if (!compiled.ok) {
-        return {
-            allowed: false,
-            mode: invalidPolicyMode(policy),
-            targets: [],
-            rejection: {
-                reason: "invalid-policy",
-                message: compiled.message,
-            },
-        };
-    }
-    const activePolicy = compiled.policy;
-    if (isNoRuleDefaultAllowPolicy(activePolicy)) {
-        return { allowed: true, mode: activePolicy.match, targets: [] };
-    }
-    const targetsResult = activePolicy.match === "whole"
-        ? { ok: true, segments: [wholeCommandTarget(command)] }
-        : parseBashCommandSegments(command);
-    if (!targetsResult.ok) {
-        return {
-            allowed: false,
-            mode: activePolicy.match,
-            targets: [],
-            rejection: {
-                reason: "unsupported-shell-syntax",
-                message: targetsResult.error.reason,
-                parseError: targetsResult.error,
-            },
-        };
-    }
-    for (const target of targetsResult.segments) {
-        const denyRule = firstMatchingRule(activePolicy.deny, target.target);
-        if (denyRule !== undefined) {
-            return {
-                allowed: false,
-                mode: activePolicy.match,
-                targets: targetsResult.segments,
-                rejection: {
-                    reason: "matched-deny",
-                    message: `command ${JSON.stringify(target.head)} matched a deny rule`,
-                    target,
-                    matchedRule: denyRule,
-                },
-            };
-        }
-        const allowRule = firstMatchingRule(activePolicy.allow, target.target);
-        if (allowRule !== undefined || activePolicy.defaultDecision === "allow") {
-            continue;
-        }
-        return {
-            allowed: false,
-            mode: activePolicy.match,
-            targets: targetsResult.segments,
-            rejection: {
-                reason: "default-deny",
-                message: `command ${JSON.stringify(target.head)} is not permitted by default-deny bash policy`,
-                target,
-            },
-        };
-    }
-    return { allowed: true, mode: activePolicy.match, targets: targetsResult.segments };
-}
-//# sourceMappingURL=bash-policy-evaluate.js.map

package/dist/core/tools/bash-policy-evaluate.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"bash-policy-evaluate.js","sourceRoot":"","sources":["../../../src/core/tools/bash-policy-evaluate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC5E,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAUvF,SAAS,WAAW,CAAC,IAAkB,EAAE,MAAc;IACtD,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;QACnB,KAAK,OAAO;YACX,OAAO,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC;QAC9B,KAAK,QAAQ;YACZ,OAAO,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtC,KAAK,MAAM;YACV,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChC,KAAK,OAAO;YACX,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;AACF,CAAC;AAED,SAAS,iBAAiB,CAAC,KAA8B,EAAE,MAAc;IACxE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QAC1B,IAAI,WAAW,CAAC,IAAI,EAAE,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC,MAAM,CAAC;IACnD,CAAC;IACD,OAAO,SAAS,CAAC;AAClB,CAAC;AAED,SAAS,0BAA0B,CAAC,MAAiC;IACpE,OAAO,MAAM,CAAC,eAAe,KAAK,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC;AACpG,CAAC;AAED,MAAM,UAAU,yBAAyB,CACxC,OAAe,EACf,MAAqC;IAErC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACzD,CAAC;IAED,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QAClB,OAAO;YACN,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,iBAAiB,CAAC,MAAM,CAAC;YAC/B,OAAO,EAAE,EAAE;YACX,SAAS,EAAE;gBACV,MAAM,EAAE,gBAAgB;gBACxB,OAAO,EAAE,QAAQ,CAAC,OAAO;aACzB;SACD,CAAC;IACH,CAAC;IAED,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC;IACrC,IAAI,0BAA0B,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACjE,CAAC;IAED,MAAM,aAAa,GAA2B,YAAY,CAAC,KAAK,KAAK,OAAO;QAC3E,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,EAAE;QACvD,CAAC,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;IAErC,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;QACvB,OAAO;YACN,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,YAAY,CAAC,KAAK;YACxB,OAAO,EAAE,EAAE;YACX,SAAS,EAAE;gBACV,MAAM,EAAE,0BAA0B;gBAClC,OAAO,EAAE,aAAa,CAAC,KAAK,CAAC,MAAM;gBACnC,UAAU,EAAE,aAAa,CAAC,KAAK;aAC/B;SACD,CAAC;IACH,CAAC;IAED,KAAK,MAAM,MAAM,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;QAC7C,MAAM,QAAQ,GAAG,iBAAiB,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QACrE,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACN,OAAO,EAAE,KAAK;gBACd,IAAI,EAAE,YAAY,CAAC,KAAK;gBACxB,OAAO,EAAE,aAAa,CAAC,QAAQ;gBAC/B,SAAS,EAAE;oBACV,MAAM,EAAE,cAAc;oBACtB,OAAO,EAAE,WAAW,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,sBAAsB;oBACrE,MAAM;oBACN,WAAW,EAAE,QAAQ;iBACrB;aACD,CAAC;QACH,CAAC;QAED,MAAM,SAAS,GAAG,iBAAiB,CAAC,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QACvE,IAAI,SAAS,KAAK,SAAS,IAAI,YAAY,CAAC,eAAe,KAAK,OAAO,EAAE,CAAC;YACzE,SAAS;QACV,CAAC;QAED,OAAO;YACN,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,YAAY,CAAC,KAAK;YACxB,OAAO,EAAE,aAAa,CAAC,QAAQ;YAC/B,SAAS,EAAE;gBACV,MAAM,EAAE,cAAc;gBACtB,OAAO,EAAE,WAAW,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,+CAA+C;gBAC9F,MAAM;aACN;SACD,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,CAAC,KAAK,EAAE,OAAO,EAAE,aAAa,CAAC,QAAQ,EAAE,CAAC;AACrF,CAAC","sourcesContent":["import { compilePolicy, invalidPolicyMode } from \"./bash-policy-compile.ts\";\nimport { parseBashCommandSegments, wholeCommandTarget } from \"./bash-policy-parser.ts\";\nimport type {\n\tBashCommandParseResult,\n\tBashCommandPolicy,\n\tBashCommandPolicyDecision,\n\tBashCommandRule,\n\tCompiledBashCommandPolicy,\n\tCompiledRule,\n} from \"./bash-policy-types.ts\";\n\nfunction ruleMatches(rule: CompiledRule, target: string): boolean {\n\tswitch (rule.kind) {\n\t\tcase \"exact\":\n\t\t\treturn target === rule.value;\n\t\tcase \"prefix\":\n\t\t\treturn target.startsWith(rule.value);\n\t\tcase \"glob\":\n\t\t\treturn rule.value.test(target);\n\t\tcase \"regex\":\n\t\t\treturn rule.value.test(target);\n\t}\n}\n\nfunction firstMatchingRule(rules: readonly CompiledRule[], target: string): BashCommandRule | undefined {\n\tfor (const rule of rules) {\n\t\tif (ruleMatches(rule, target)) return rule.source;\n\t}\n\treturn undefined;\n}\n\nfunction isNoRuleDefaultAllowPolicy(policy: CompiledBashCommandPolicy): boolean {\n\treturn policy.defaultDecision === \"allow\" && policy.allow.length === 0 && policy.deny.length === 0;\n}\n\nexport function evaluateBashCommandPolicy(\n\tcommand: string,\n\tpolicy: BashCommandPolicy | undefined,\n): BashCommandPolicyDecision {\n\tif (policy === undefined) {\n\t\treturn { allowed: true, mode: \"segments\", targets: [] };\n\t}\n\n\tconst compiled = compilePolicy(policy);\n\tif (!compiled.ok) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\tmode: invalidPolicyMode(policy),\n\t\t\ttargets: [],\n\t\t\trejection: {\n\t\t\t\treason: \"invalid-policy\",\n\t\t\t\tmessage: compiled.message,\n\t\t\t},\n\t\t};\n\t}\n\n\tconst activePolicy = compiled.policy;\n\tif (isNoRuleDefaultAllowPolicy(activePolicy)) {\n\t\treturn { allowed: true, mode: activePolicy.match, targets: [] };\n\t}\n\n\tconst targetsResult: BashCommandParseResult = activePolicy.match === \"whole\"\n\t\t? { ok: true, segments: [wholeCommandTarget(command)] }\n\t\t: parseBashCommandSegments(command);\n\n\tif (!targetsResult.ok) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\tmode: activePolicy.match,\n\t\t\ttargets: [],\n\t\t\trejection: {\n\t\t\t\treason: \"unsupported-shell-syntax\",\n\t\t\t\tmessage: targetsResult.error.reason,\n\t\t\t\tparseError: targetsResult.error,\n\t\t\t},\n\t\t};\n\t}\n\n\tfor (const target of targetsResult.segments) {\n\t\tconst denyRule = firstMatchingRule(activePolicy.deny, target.target);\n\t\tif (denyRule !== undefined) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\tmode: activePolicy.match,\n\t\t\t\ttargets: targetsResult.segments,\n\t\t\t\trejection: {\n\t\t\t\t\treason: \"matched-deny\",\n\t\t\t\t\tmessage: `command ${JSON.stringify(target.head)} matched a deny rule`,\n\t\t\t\t\ttarget,\n\t\t\t\t\tmatchedRule: denyRule,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst allowRule = firstMatchingRule(activePolicy.allow, target.target);\n\t\tif (allowRule !== undefined || activePolicy.defaultDecision === \"allow\") {\n\t\t\tcontinue;\n\t\t}\n\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\tmode: activePolicy.match,\n\t\t\ttargets: targetsResult.segments,\n\t\t\trejection: {\n\t\t\t\treason: \"default-deny\",\n\t\t\t\tmessage: `command ${JSON.stringify(target.head)} is not permitted by default-deny bash policy`,\n\t\t\t\ttarget,\n\t\t\t},\n\t\t};\n\t}\n\n\treturn { allowed: true, mode: activePolicy.match, targets: targetsResult.segments };\n}\n"]}

package/dist/core/tools/bash-policy-format.d.ts

@@ -1,5 +0,0 @@
-import type { BashCommandPolicyDecision } from "./bash-policy-types.ts";
-export declare function formatBashCommandPolicyRejection(decision: Extract<BashCommandPolicyDecision, {
-    readonly allowed: false;
-}>, policyLabel?: string): string;
-//# sourceMappingURL=bash-policy-format.d.ts.map

package/dist/core/tools/bash-policy-format.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"bash-policy-format.d.ts","sourceRoot":"","sources":["../../../src/core/tools/bash-policy-format.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,yBAAyB,EAAmB,MAAM,wBAAwB,CAAC;AAkBzF,wBAAgB,gCAAgC,CAC/C,QAAQ,EAAE,OAAO,CAAC,yBAAyB,EAAE;IAAE,QAAQ,CAAC,OAAO,EAAE,KAAK,CAAA;CAAE,CAAC,EACzE,WAAW,SAAwB,GACjC,MAAM,CAsCR","sourcesContent":["import type { BashCommandPolicyDecision, BashCommandRule } from \"./bash-policy-types.ts\";\n\nconst DIAGNOSTIC_TEXT_LIMIT = 220;\n\nfunction truncateDiagnostic(text: string): string {\n\tif (text.length <= DIAGNOSTIC_TEXT_LIMIT) return text;\n\treturn `${text.slice(0, DIAGNOSTIC_TEXT_LIMIT - 1)}…`;\n}\n\nfunction formatRule(rule: BashCommandRule): string {\n\tif (typeof rule === \"string\") return JSON.stringify(rule);\n\tif (\"prefix\" in rule) return `{ prefix: ${JSON.stringify(rule.prefix)} }`;\n\tif (\"glob\" in rule) return `{ glob: ${JSON.stringify(rule.glob)} }`;\n\treturn rule.flags === undefined\n\t\t? `{ regex: ${JSON.stringify(rule.regex)} }`\n\t\t: `{ regex: ${JSON.stringify(rule.regex)}, flags: ${JSON.stringify(rule.flags)} }`;\n}\n\nexport function formatBashCommandPolicyRejection(\n\tdecision: Extract<BashCommandPolicyDecision, { readonly allowed: false }>,\n\tpolicyLabel = \"bash command policy\",\n): string {\n\tconst lines = [`Bash command blocked by ${policyLabel}.`, \"\"];\n\tconst rejection = decision.rejection;\n\n\tif (rejection.reason === \"unsupported-shell-syntax\") {\n\t\tlines.push(\n\t\t\t\"The command uses shell syntax that Atomic cannot safely parse in `segments` mode.\",\n\t\t\t`Reason: ${rejection.message}.`,\n\t\t);\n\t\tif (rejection.parseError) {\n\t\t\tlines.push(`Parser source: ${rejection.parseError.source} at offset ${rejection.parseError.offset}.`);\n\t\t}\n\t\tlines.push(\n\t\t\t\"Use match: \\\"whole\\\" only if the caller intentionally accepts raw-command matching semantics.\",\n\t\t);\n\t} else if (rejection.reason === \"invalid-policy\") {\n\t\tlines.push(\"The configured bash command policy is invalid.\", `Reason: ${rejection.message}.`);\n\t} else {\n\t\tconst target = rejection.target;\n\t\tif (target) {\n\t\t\tlines.push(\n\t\t\t\t`Command head: \\`${truncateDiagnostic(target.head)}\\``,\n\t\t\t\t`Rejected ${decision.mode === \"whole\" ? \"command\" : \"segment\"}: \\`${truncateDiagnostic(target.target)}\\``,\n\t\t\t\t`Segment source: ${target.source}`,\n\t\t\t);\n\t\t}\n\t\tif (rejection.reason === \"matched-deny\") {\n\t\t\tlines.push(\"Reason: matched a deny rule; deny rules take precedence over allow rules.\");\n\t\t\tif (rejection.matchedRule !== undefined) {\n\t\t\t\tlines.push(`Matched deny rule: ${formatRule(rejection.matchedRule)}`);\n\t\t\t}\n\t\t} else {\n\t\t\tlines.push(\"Reason: no allow rule matched and the policy default is deny.\");\n\t\t}\n\t}\n\n\tlines.push(`Policy mode: ${decision.mode}.`, \"\", \"No shell process was started.\");\n\treturn lines.join(\"\\n\");\n}\n"]}

package/dist/core/tools/bash-policy-format.js

@@ -1,49 +0,0 @@
-const DIAGNOSTIC_TEXT_LIMIT = 220;
-function truncateDiagnostic(text) {
-    if (text.length <= DIAGNOSTIC_TEXT_LIMIT)
-        return text;
-    return `${text.slice(0, DIAGNOSTIC_TEXT_LIMIT - 1)}…`;
-}
-function formatRule(rule) {
-    if (typeof rule === "string")
-        return JSON.stringify(rule);
-    if ("prefix" in rule)
-        return `{ prefix: ${JSON.stringify(rule.prefix)} }`;
-    if ("glob" in rule)
-        return `{ glob: ${JSON.stringify(rule.glob)} }`;
-    return rule.flags === undefined
-        ? `{ regex: ${JSON.stringify(rule.regex)} }`
-        : `{ regex: ${JSON.stringify(rule.regex)}, flags: ${JSON.stringify(rule.flags)} }`;
-}
-export function formatBashCommandPolicyRejection(decision, policyLabel = "bash command policy") {
-    const lines = [`Bash command blocked by ${policyLabel}.`, ""];
-    const rejection = decision.rejection;
-    if (rejection.reason === "unsupported-shell-syntax") {
-        lines.push("The command uses shell syntax that Atomic cannot safely parse in `segments` mode.", `Reason: ${rejection.message}.`);
-        if (rejection.parseError) {
-            lines.push(`Parser source: ${rejection.parseError.source} at offset ${rejection.parseError.offset}.`);
-        }
-        lines.push("Use match: \"whole\" only if the caller intentionally accepts raw-command matching semantics.");
-    }
-    else if (rejection.reason === "invalid-policy") {
-        lines.push("The configured bash command policy is invalid.", `Reason: ${rejection.message}.`);
-    }
-    else {
-        const target = rejection.target;
-        if (target) {
-            lines.push(`Command head: \`${truncateDiagnostic(target.head)}\``, `Rejected ${decision.mode === "whole" ? "command" : "segment"}: \`${truncateDiagnostic(target.target)}\``, `Segment source: ${target.source}`);
-        }
-        if (rejection.reason === "matched-deny") {
-            lines.push("Reason: matched a deny rule; deny rules take precedence over allow rules.");
-            if (rejection.matchedRule !== undefined) {
-                lines.push(`Matched deny rule: ${formatRule(rejection.matchedRule)}`);
-            }
-        }
-        else {
-            lines.push("Reason: no allow rule matched and the policy default is deny.");
-        }
-    }
-    lines.push(`Policy mode: ${decision.mode}.`, "", "No shell process was started.");
-    return lines.join("\n");
-}
-//# sourceMappingURL=bash-policy-format.js.map

package/dist/core/tools/bash-policy-format.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"bash-policy-format.js","sourceRoot":"","sources":["../../../src/core/tools/bash-policy-format.ts"],"names":[],"mappings":"AAEA,MAAM,qBAAqB,GAAG,GAAG,CAAC;AAElC,SAAS,kBAAkB,CAAC,IAAY;IACvC,IAAI,IAAI,CAAC,MAAM,IAAI,qBAAqB;QAAE,OAAO,IAAI,CAAC;IACtD,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,qBAAqB,GAAG,CAAC,CAAC,GAAG,CAAC;AACvD,CAAC;AAED,SAAS,UAAU,CAAC,IAAqB;IACxC,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,QAAQ,IAAI,IAAI;QAAE,OAAO,aAAa,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1E,IAAI,MAAM,IAAI,IAAI;QAAE,OAAO,WAAW,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;IACpE,OAAO,IAAI,CAAC,KAAK,KAAK,SAAS;QAC9B,CAAC,CAAC,YAAY,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI;QAC5C,CAAC,CAAC,YAAY,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;AACrF,CAAC;AAED,MAAM,UAAU,gCAAgC,CAC/C,QAAyE,EACzE,WAAW,GAAG,qBAAqB;IAEnC,MAAM,KAAK,GAAG,CAAC,2BAA2B,WAAW,GAAG,EAAE,EAAE,CAAC,CAAC;IAC9D,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;IAErC,IAAI,SAAS,CAAC,MAAM,KAAK,0BAA0B,EAAE,CAAC;QACrD,KAAK,CAAC,IAAI,CACT,mFAAmF,EACnF,WAAW,SAAS,CAAC,OAAO,GAAG,CAC/B,CAAC;QACF,IAAI,SAAS,CAAC,UAAU,EAAE,CAAC;YAC1B,KAAK,CAAC,IAAI,CAAC,kBAAkB,SAAS,CAAC,UAAU,CAAC,MAAM,cAAc,SAAS,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC;QACvG,CAAC;QACD,KAAK,CAAC,IAAI,CACT,+FAA+F,CAC/F,CAAC;IACH,CAAC;SAAM,IAAI,SAAS,CAAC,MAAM,KAAK,gBAAgB,EAAE,CAAC;QAClD,KAAK,CAAC,IAAI,CAAC,gDAAgD,EAAE,WAAW,SAAS,CAAC,OAAO,GAAG,CAAC,CAAC;IAC/F,CAAC;SAAM,CAAC;QACP,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC;QAChC,IAAI,MAAM,EAAE,CAAC;YACZ,KAAK,CAAC,IAAI,CACT,mBAAmB,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EACtD,YAAY,QAAQ,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,OAAO,kBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EACzG,mBAAmB,MAAM,CAAC,MAAM,EAAE,CAClC,CAAC;QACH,CAAC;QACD,IAAI,SAAS,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;YACzC,KAAK,CAAC,IAAI,CAAC,2EAA2E,CAAC,CAAC;YACxF,IAAI,SAAS,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;gBACzC,KAAK,CAAC,IAAI,CAAC,sBAAsB,UAAU,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;YACvE,CAAC;QACF,CAAC;aAAM,CAAC;YACP,KAAK,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;QAC7E,CAAC;IACF,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,gBAAgB,QAAQ,CAAC,IAAI,GAAG,EAAE,EAAE,EAAE,+BAA+B,CAAC,CAAC;IAClF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACzB,CAAC","sourcesContent":["import type { BashCommandPolicyDecision, BashCommandRule } from \"./bash-policy-types.ts\";\n\nconst DIAGNOSTIC_TEXT_LIMIT = 220;\n\nfunction truncateDiagnostic(text: string): string {\n\tif (text.length <= DIAGNOSTIC_TEXT_LIMIT) return text;\n\treturn `${text.slice(0, DIAGNOSTIC_TEXT_LIMIT - 1)}…`;\n}\n\nfunction formatRule(rule: BashCommandRule): string {\n\tif (typeof rule === \"string\") return JSON.stringify(rule);\n\tif (\"prefix\" in rule) return `{ prefix: ${JSON.stringify(rule.prefix)} }`;\n\tif (\"glob\" in rule) return `{ glob: ${JSON.stringify(rule.glob)} }`;\n\treturn rule.flags === undefined\n\t\t? `{ regex: ${JSON.stringify(rule.regex)} }`\n\t\t: `{ regex: ${JSON.stringify(rule.regex)}, flags: ${JSON.stringify(rule.flags)} }`;\n}\n\nexport function formatBashCommandPolicyRejection(\n\tdecision: Extract<BashCommandPolicyDecision, { readonly allowed: false }>,\n\tpolicyLabel = \"bash command policy\",\n): string {\n\tconst lines = [`Bash command blocked by ${policyLabel}.`, \"\"];\n\tconst rejection = decision.rejection;\n\n\tif (rejection.reason === \"unsupported-shell-syntax\") {\n\t\tlines.push(\n\t\t\t\"The command uses shell syntax that Atomic cannot safely parse in `segments` mode.\",\n\t\t\t`Reason: ${rejection.message}.`,\n\t\t);\n\t\tif (rejection.parseError) {\n\t\t\tlines.push(`Parser source: ${rejection.parseError.source} at offset ${rejection.parseError.offset}.`);\n\t\t}\n\t\tlines.push(\n\t\t\t\"Use match: \\\"whole\\\" only if the caller intentionally accepts raw-command matching semantics.\",\n\t\t);\n\t} else if (rejection.reason === \"invalid-policy\") {\n\t\tlines.push(\"The configured bash command policy is invalid.\", `Reason: ${rejection.message}.`);\n\t} else {\n\t\tconst target = rejection.target;\n\t\tif (target) {\n\t\t\tlines.push(\n\t\t\t\t`Command head: \\`${truncateDiagnostic(target.head)}\\``,\n\t\t\t\t`Rejected ${decision.mode === \"whole\" ? \"command\" : \"segment\"}: \\`${truncateDiagnostic(target.target)}\\``,\n\t\t\t\t`Segment source: ${target.source}`,\n\t\t\t);\n\t\t}\n\t\tif (rejection.reason === \"matched-deny\") {\n\t\t\tlines.push(\"Reason: matched a deny rule; deny rules take precedence over allow rules.\");\n\t\t\tif (rejection.matchedRule !== undefined) {\n\t\t\t\tlines.push(`Matched deny rule: ${formatRule(rejection.matchedRule)}`);\n\t\t\t}\n\t\t} else {\n\t\t\tlines.push(\"Reason: no allow rule matched and the policy default is deny.\");\n\t\t}\n\t}\n\n\tlines.push(`Policy mode: ${decision.mode}.`, \"\", \"No shell process was started.\");\n\treturn lines.join(\"\\n\");\n}\n"]}

package/dist/core/tools/bash-policy-parser.d.ts

@@ -1,4 +0,0 @@
-import type { BashCommandParseResult, BashCommandSegment } from "./bash-policy-types.ts";
-export declare function parseBashCommandSegments(command: string): BashCommandParseResult;
-export declare function wholeCommandTarget(command: string): BashCommandSegment;
-//# sourceMappingURL=bash-policy-parser.d.ts.map

package/dist/core/tools/bash-policy-parser.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"bash-policy-parser.d.ts","sourceRoot":"","sources":["../../../src/core/tools/bash-policy-parser.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACX,sBAAsB,EACtB,kBAAkB,EAGlB,MAAM,wBAAwB,CAAC;AA+IhC,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,sBAAsB,CAEhF;AAED,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,kBAAkB,CActE","sourcesContent":["import type {\n\tBashCommandParseResult,\n\tBashCommandSegment,\n\tBashCommandSegmentSource,\n\tShellQuoteState,\n} from \"./bash-policy-types.ts\";\nimport { buildSegment } from \"./bash-policy-segment.ts\";\nimport {\n\tfindClosingBacktick,\n\tfindClosingParen,\n\tisCommandSubstitutionAt,\n\tisHereDocumentAt,\n\tisProcessSubstitutionAt,\n\tlineTerminatorLengthAt,\n\toperatorLengthAt,\n} from \"./bash-policy-shell.ts\";\n\nfunction shellError(reason: string, offset: number, source: BashCommandSegmentSource): BashCommandParseResult {\n\treturn { ok: false, error: { reason, offset, source } };\n}\n\nfunction parseSegmentsInSource(\n\tinput: string,\n\tbaseOffset: number,\n\tsource: BashCommandSegmentSource,\n): BashCommandParseResult {\n\tconst segments: BashCommandSegment[] = [];\n\tlet quote: ShellQuoteState = \"none\";\n\tlet segmentStart = 0;\n\tlet nestedForCurrentSegment: BashCommandSegment[] = [];\n\n\tconst commitSegment = (end: number): BashCommandParseResult | undefined => {\n\t\tconst built = buildSegment(input.slice(segmentStart, end), baseOffset + segmentStart, baseOffset + end, source);\n\t\tif (!built.ok) return { ok: false, error: built.error };\n\t\tif (built.segment) segments.push(built.segment);\n\t\tsegments.push(...nestedForCurrentSegment);\n\t\tnestedForCurrentSegment = [];\n\t\treturn undefined;\n\t};\n\n\tfor (let i = 0; i < input.length; i += 1) {\n\t\tconst char = input[i]!;\n\n\t\tif (quote === \"single\") {\n\t\t\tif (char === \"'\") quote = \"none\";\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (char === \"\\\\\") {\n\t\t\tif (i + 1 >= input.length) {\n\t\t\t\treturn shellError(\"trailing escape\", baseOffset + i, source);\n\t\t\t}\n\t\t\ti += 1;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (quote === \"double\") {\n\t\t\tif (char === \"\\\"\") {\n\t\t\t\tquote = \"none\";\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (isCommandSubstitutionAt(input, i)) {\n\t\t\t\tconst close = findClosingParen(input, i + 1, \"command substitution `$(`\");\n\t\t\t\tif (!close.ok) return shellError(close.reason, baseOffset + close.offset, source);\n\t\t\t\tconst nested = parseSegmentsInSource(input.slice(i + 2, close.closeIndex), baseOffset + i + 2, \"command-substitution\");\n\t\t\t\tif (!nested.ok) return nested;\n\t\t\t\tnestedForCurrentSegment.push(...nested.segments);\n\t\t\t\ti = close.closeIndex;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (char === \"`\") {\n\t\t\t\tconst close = findClosingBacktick(input, i);\n\t\t\t\tif (!close.ok) return shellError(close.reason, baseOffset + close.offset, source);\n\t\t\t\tconst nested = parseSegmentsInSource(input.slice(i + 1, close.closeIndex), baseOffset + i + 1, \"backtick\");\n\t\t\t\tif (!nested.ok) return nested;\n\t\t\t\tnestedForCurrentSegment.push(...nested.segments);\n\t\t\t\ti = close.closeIndex;\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (char === \"'\") {\n\t\t\tquote = \"single\";\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"\\\"\") {\n\t\t\tquote = \"double\";\n\t\t\tcontinue;\n\t\t}\n\t\tif (isHereDocumentAt(input, i)) {\n\t\t\treturn shellError(\"here-documents are not supported by bash policy segments mode\", baseOffset + i, source);\n\t\t}\n\t\tif (isCommandSubstitutionAt(input, i)) {\n\t\t\tconst close = findClosingParen(input, i + 1, \"command substitution `$(`\");\n\t\t\tif (!close.ok) return shellError(close.reason, baseOffset + close.offset, source);\n\t\t\tconst nested = parseSegmentsInSource(input.slice(i + 2, close.closeIndex), baseOffset + i + 2, \"command-substitution\");\n\t\t\tif (!nested.ok) return nested;\n\t\t\tnestedForCurrentSegment.push(...nested.segments);\n\t\t\ti = close.closeIndex;\n\t\t\tcontinue;\n\t\t}\n\t\tif (isProcessSubstitutionAt(input, i)) {\n\t\t\tconst close = findClosingParen(input, i + 1, \"process substitution\");\n\t\t\tif (!close.ok) return shellError(close.reason, baseOffset + close.offset, source);\n\t\t\tconst nested = parseSegmentsInSource(input.slice(i + 2, close.closeIndex), baseOffset + i + 2, \"process-substitution\");\n\t\t\tif (!nested.ok) return nested;\n\t\t\tnestedForCurrentSegment.push(...nested.segments);\n\t\t\ti = close.closeIndex;\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"`\") {\n\t\t\tconst close = findClosingBacktick(input, i);\n\t\t\tif (!close.ok) return shellError(close.reason, baseOffset + close.offset, source);\n\t\t\tconst nested = parseSegmentsInSource(input.slice(i + 1, close.closeIndex), baseOffset + i + 1, \"backtick\");\n\t\t\tif (!nested.ok) return nested;\n\t\t\tnestedForCurrentSegment.push(...nested.segments);\n\t\t\ti = close.closeIndex;\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"(\" || char === \")\") {\n\t\t\treturn shellError(\"unsupported shell grouping parentheses\", baseOffset + i, source);\n\t\t}\n\n\t\tconst lineTerminatorLength = lineTerminatorLengthAt(input, i);\n\t\tif (lineTerminatorLength > 0) {\n\t\t\tconst committed = commitSegment(i);\n\t\t\tif (committed) return committed;\n\t\t\ti += lineTerminatorLength - 1;\n\t\t\tsegmentStart = i + 1;\n\t\t\tcontinue;\n\t\t}\n\n\t\tconst operatorLength = operatorLengthAt(input, i);\n\t\tif (operatorLength > 0) {\n\t\t\tconst committed = commitSegment(i);\n\t\t\tif (committed) return committed;\n\t\t\ti += operatorLength - 1;\n\t\t\tsegmentStart = i + 1;\n\t\t}\n\t}\n\n\tif (quote === \"single\") return shellError(\"unclosed single quote\", baseOffset + input.length, source);\n\tif (quote === \"double\") return shellError(\"unclosed double quote\", baseOffset + input.length, source);\n\tconst committed = commitSegment(input.length);\n\tif (committed) return committed;\n\treturn { ok: true, segments };\n}\n\nexport function parseBashCommandSegments(command: string): BashCommandParseResult {\n\treturn parseSegmentsInSource(command, 0, \"top-level\");\n}\n\nexport function wholeCommandTarget(command: string): BashCommandSegment {\n\tconst target = command;\n\tconst trimmed = command.trimStart();\n\tconst leading = command.length - trimmed.length;\n\tconst firstSpace = trimmed.search(/\\s/);\n\tconst head = firstSpace === -1 ? trimmed : trimmed.slice(0, firstSpace);\n\treturn {\n\t\traw: command,\n\t\ttarget,\n\t\thead,\n\t\tstart: leading,\n\t\tend: command.length,\n\t\tsource: \"top-level\",\n\t};\n}\n"]}

package/dist/core/tools/bash-policy-parser.js

@@ -1,155 +0,0 @@
-import { buildSegment } from "./bash-policy-segment.js";
-import { findClosingBacktick, findClosingParen, isCommandSubstitutionAt, isHereDocumentAt, isProcessSubstitutionAt, lineTerminatorLengthAt, operatorLengthAt, } from "./bash-policy-shell.js";
-function shellError(reason, offset, source) {
-    return { ok: false, error: { reason, offset, source } };
-}
-function parseSegmentsInSource(input, baseOffset, source) {
-    const segments = [];
-    let quote = "none";
-    let segmentStart = 0;
-    let nestedForCurrentSegment = [];
-    const commitSegment = (end) => {
-        const built = buildSegment(input.slice(segmentStart, end), baseOffset + segmentStart, baseOffset + end, source);
-        if (!built.ok)
-            return { ok: false, error: built.error };
-        if (built.segment)
-            segments.push(built.segment);
-        segments.push(...nestedForCurrentSegment);
-        nestedForCurrentSegment = [];
-        return undefined;
-    };
-    for (let i = 0; i < input.length; i += 1) {
-        const char = input[i];
-        if (quote === "single") {
-            if (char === "'")
-                quote = "none";
-            continue;
-        }
-        if (char === "\\") {
-            if (i + 1 >= input.length) {
-                return shellError("trailing escape", baseOffset + i, source);
-            }
-            i += 1;
-            continue;
-        }
-        if (quote === "double") {
-            if (char === "\"") {
-                quote = "none";
-                continue;
-            }
-            if (isCommandSubstitutionAt(input, i)) {
-                const close = findClosingParen(input, i + 1, "command substitution `$(`");
-                if (!close.ok)
-                    return shellError(close.reason, baseOffset + close.offset, source);
-                const nested = parseSegmentsInSource(input.slice(i + 2, close.closeIndex), baseOffset + i + 2, "command-substitution");
-                if (!nested.ok)
-                    return nested;
-                nestedForCurrentSegment.push(...nested.segments);
-                i = close.closeIndex;
-                continue;
-            }
-            if (char === "`") {
-                const close = findClosingBacktick(input, i);
-                if (!close.ok)
-                    return shellError(close.reason, baseOffset + close.offset, source);
-                const nested = parseSegmentsInSource(input.slice(i + 1, close.closeIndex), baseOffset + i + 1, "backtick");
-                if (!nested.ok)
-                    return nested;
-                nestedForCurrentSegment.push(...nested.segments);
-                i = close.closeIndex;
-            }
-            continue;
-        }
-        if (char === "'") {
-            quote = "single";
-            continue;
-        }
-        if (char === "\"") {
-            quote = "double";
-            continue;
-        }
-        if (isHereDocumentAt(input, i)) {
-            return shellError("here-documents are not supported by bash policy segments mode", baseOffset + i, source);
-        }
-        if (isCommandSubstitutionAt(input, i)) {
-            const close = findClosingParen(input, i + 1, "command substitution `$(`");
-            if (!close.ok)
-                return shellError(close.reason, baseOffset + close.offset, source);
-            const nested = parseSegmentsInSource(input.slice(i + 2, close.closeIndex), baseOffset + i + 2, "command-substitution");
-            if (!nested.ok)
-                return nested;
-            nestedForCurrentSegment.push(...nested.segments);
-            i = close.closeIndex;
-            continue;
-        }
-        if (isProcessSubstitutionAt(input, i)) {
-            const close = findClosingParen(input, i + 1, "process substitution");
-            if (!close.ok)
-                return shellError(close.reason, baseOffset + close.offset, source);
-            const nested = parseSegmentsInSource(input.slice(i + 2, close.closeIndex), baseOffset + i + 2, "process-substitution");
-            if (!nested.ok)
-                return nested;
-            nestedForCurrentSegment.push(...nested.segments);
-            i = close.closeIndex;
-            continue;
-        }
-        if (char === "`") {
-            const close = findClosingBacktick(input, i);
-            if (!close.ok)
-                return shellError(close.reason, baseOffset + close.offset, source);
-            const nested = parseSegmentsInSource(input.slice(i + 1, close.closeIndex), baseOffset + i + 1, "backtick");
-            if (!nested.ok)
-                return nested;
-            nestedForCurrentSegment.push(...nested.segments);
-            i = close.closeIndex;
-            continue;
-        }
-        if (char === "(" || char === ")") {
-            return shellError("unsupported shell grouping parentheses", baseOffset + i, source);
-        }
-        const lineTerminatorLength = lineTerminatorLengthAt(input, i);
-        if (lineTerminatorLength > 0) {
-            const committed = commitSegment(i);
-            if (committed)
-                return committed;
-            i += lineTerminatorLength - 1;
-            segmentStart = i + 1;
-            continue;
-        }
-        const operatorLength = operatorLengthAt(input, i);
-        if (operatorLength > 0) {
-            const committed = commitSegment(i);
-            if (committed)
-                return committed;
-            i += operatorLength - 1;
-            segmentStart = i + 1;
-        }
-    }
-    if (quote === "single")
-        return shellError("unclosed single quote", baseOffset + input.length, source);
-    if (quote === "double")
-        return shellError("unclosed double quote", baseOffset + input.length, source);
-    const committed = commitSegment(input.length);
-    if (committed)
-        return committed;
-    return { ok: true, segments };
-}
-export function parseBashCommandSegments(command) {
-    return parseSegmentsInSource(command, 0, "top-level");
-}
-export function wholeCommandTarget(command) {
-    const target = command;
-    const trimmed = command.trimStart();
-    const leading = command.length - trimmed.length;
-    const firstSpace = trimmed.search(/\s/);
-    const head = firstSpace === -1 ? trimmed : trimmed.slice(0, firstSpace);
-    return {
-        raw: command,
-        target,
-        head,
-        start: leading,
-        end: command.length,
-        source: "top-level",
-    };
-}
-//# sourceMappingURL=bash-policy-parser.js.map

package/dist/core/tools/bash-policy-parser.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"bash-policy-parser.js","sourceRoot":"","sources":["../../../src/core/tools/bash-policy-parser.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EACN,mBAAmB,EACnB,gBAAgB,EAChB,uBAAuB,EACvB,gBAAgB,EAChB,uBAAuB,EACvB,sBAAsB,EACtB,gBAAgB,GAChB,MAAM,wBAAwB,CAAC;AAEhC,SAAS,UAAU,CAAC,MAAc,EAAE,MAAc,EAAE,MAAgC;IACnF,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,qBAAqB,CAC7B,KAAa,EACb,UAAkB,EAClB,MAAgC;IAEhC,MAAM,QAAQ,GAAyB,EAAE,CAAC;IAC1C,IAAI,KAAK,GAAoB,MAAM,CAAC;IACpC,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,uBAAuB,GAAyB,EAAE,CAAC;IAEvD,MAAM,aAAa,GAAG,CAAC,GAAW,EAAsC,EAAE;QACzE,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE,UAAU,GAAG,YAAY,EAAE,UAAU,GAAG,GAAG,EAAE,MAAM,CAAC,CAAC;QAChH,IAAI,CAAC,KAAK,CAAC,EAAE;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;QACxD,IAAI,KAAK,CAAC,OAAO;YAAE,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAChD,QAAQ,CAAC,IAAI,CAAC,GAAG,uBAAuB,CAAC,CAAC;QAC1C,uBAAuB,GAAG,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAC;IAClB,CAAC,CAAC;IAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QAEvB,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxB,IAAI,IAAI,KAAK,GAAG;gBAAE,KAAK,GAAG,MAAM,CAAC;YACjC,SAAS;QACV,CAAC;QAED,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YACnB,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBAC3B,OAAO,UAAU,CAAC,iBAAiB,EAAE,UAAU,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;YAC9D,CAAC;YACD,CAAC,IAAI,CAAC,CAAC;YACP,SAAS;QACV,CAAC;QAED,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxB,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBACnB,KAAK,GAAG,MAAM,CAAC;gBACf,SAAS;YACV,CAAC;YACD,IAAI,uBAAuB,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC;gBACvC,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,2BAA2B,CAAC,CAAC;gBAC1E,IAAI,CAAC,KAAK,CAAC,EAAE;oBAAE,OAAO,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAClF,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,sBAAsB,CAAC,CAAC;gBACvH,IAAI,CAAC,MAAM,CAAC,EAAE;oBAAE,OAAO,MAAM,CAAC;gBAC9B,uBAAuB,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACjD,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC;gBACrB,SAAS;YACV,CAAC;YACD,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;gBAClB,MAAM,KAAK,GAAG,mBAAmB,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;gBAC5C,IAAI,CAAC,KAAK,CAAC,EAAE;oBAAE,OAAO,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBAClF,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,UAAU,CAAC,CAAC;gBAC3G,IAAI,CAAC,MAAM,CAAC,EAAE;oBAAE,OAAO,MAAM,CAAC;gBAC9B,uBAAuB,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACjD,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC;YACtB,CAAC;YACD,SAAS;QACV,CAAC;QAED,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAClB,KAAK,GAAG,QAAQ,CAAC;YACjB,SAAS;QACV,CAAC;QACD,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YACnB,KAAK,GAAG,QAAQ,CAAC;YACjB,SAAS;QACV,CAAC;QACD,IAAI,gBAAgB,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC;YAChC,OAAO,UAAU,CAAC,+DAA+D,EAAE,UAAU,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;QAC5G,CAAC;QACD,IAAI,uBAAuB,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC;YACvC,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,2BAA2B,CAAC,CAAC;YAC1E,IAAI,CAAC,KAAK,CAAC,EAAE;gBAAE,OAAO,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAClF,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,sBAAsB,CAAC,CAAC;YACvH,IAAI,CAAC,MAAM,CAAC,EAAE;gBAAE,OAAO,MAAM,CAAC;YAC9B,uBAAuB,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;YACjD,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC;YACrB,SAAS;QACV,CAAC;QACD,IAAI,uBAAuB,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC;YACvC,MAAM,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,sBAAsB,CAAC,CAAC;YACrE,IAAI,CAAC,KAAK,CAAC,EAAE;gBAAE,OAAO,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAClF,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,sBAAsB,CAAC,CAAC;YACvH,IAAI,CAAC,MAAM,CAAC,EAAE;gBAAE,OAAO,MAAM,CAAC;YAC9B,uBAAuB,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;YACjD,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC;YACrB,SAAS;QACV,CAAC;QACD,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAClB,MAAM,KAAK,GAAG,mBAAmB,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;YAC5C,IAAI,CAAC,KAAK,CAAC,EAAE;gBAAE,OAAO,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAClF,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,UAAU,GAAG,CAAC,GAAG,CAAC,EAAE,UAAU,CAAC,CAAC;YAC3G,IAAI,CAAC,MAAM,CAAC,EAAE;gBAAE,OAAO,MAAM,CAAC;YAC9B,uBAAuB,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;YACjD,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC;YACrB,SAAS;QACV,CAAC;QACD,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAClC,OAAO,UAAU,CAAC,wCAAwC,EAAE,UAAU,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC;QACrF,CAAC;QAED,MAAM,oBAAoB,GAAG,sBAAsB,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC9D,IAAI,oBAAoB,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,SAAS;gBAAE,OAAO,SAAS,CAAC;YAChC,CAAC,IAAI,oBAAoB,GAAG,CAAC,CAAC;YAC9B,YAAY,GAAG,CAAC,GAAG,CAAC,CAAC;YACrB,SAAS;QACV,CAAC;QAED,MAAM,cAAc,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAClD,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,SAAS;gBAAE,OAAO,SAAS,CAAC;YAChC,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC;YACxB,YAAY,GAAG,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;IACF,CAAC;IAED,IAAI,KAAK,KAAK,QAAQ;QAAE,OAAO,UAAU,CAAC,uBAAuB,EAAE,UAAU,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtG,IAAI,KAAK,KAAK,QAAQ;QAAE,OAAO,UAAU,CAAC,uBAAuB,EAAE,UAAU,GAAG,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtG,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAChC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,OAAe;IACvD,OAAO,qBAAqB,CAAC,OAAO,EAAE,CAAC,EAAE,WAAW,CAAC,CAAC;AACvD,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,OAAe;IACjD,MAAM,MAAM,GAAG,OAAO,CAAC;IACvB,MAAM,OAAO,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IACpC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAChD,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,UAAU,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IACxE,OAAO;QACN,GAAG,EAAE,OAAO;QACZ,MAAM;QACN,IAAI;QACJ,KAAK,EAAE,OAAO;QACd,GAAG,EAAE,OAAO,CAAC,MAAM;QACnB,MAAM,EAAE,WAAW;KACnB,CAAC;AACH,CAAC","sourcesContent":["import type {\n\tBashCommandParseResult,\n\tBashCommandSegment,\n\tBashCommandSegmentSource,\n\tShellQuoteState,\n} from \"./bash-policy-types.ts\";\nimport { buildSegment } from \"./bash-policy-segment.ts\";\nimport {\n\tfindClosingBacktick,\n\tfindClosingParen,\n\tisCommandSubstitutionAt,\n\tisHereDocumentAt,\n\tisProcessSubstitutionAt,\n\tlineTerminatorLengthAt,\n\toperatorLengthAt,\n} from \"./bash-policy-shell.ts\";\n\nfunction shellError(reason: string, offset: number, source: BashCommandSegmentSource): BashCommandParseResult {\n\treturn { ok: false, error: { reason, offset, source } };\n}\n\nfunction parseSegmentsInSource(\n\tinput: string,\n\tbaseOffset: number,\n\tsource: BashCommandSegmentSource,\n): BashCommandParseResult {\n\tconst segments: BashCommandSegment[] = [];\n\tlet quote: ShellQuoteState = \"none\";\n\tlet segmentStart = 0;\n\tlet nestedForCurrentSegment: BashCommandSegment[] = [];\n\n\tconst commitSegment = (end: number): BashCommandParseResult | undefined => {\n\t\tconst built = buildSegment(input.slice(segmentStart, end), baseOffset + segmentStart, baseOffset + end, source);\n\t\tif (!built.ok) return { ok: false, error: built.error };\n\t\tif (built.segment) segments.push(built.segment);\n\t\tsegments.push(...nestedForCurrentSegment);\n\t\tnestedForCurrentSegment = [];\n\t\treturn undefined;\n\t};\n\n\tfor (let i = 0; i < input.length; i += 1) {\n\t\tconst char = input[i]!;\n\n\t\tif (quote === \"single\") {\n\t\t\tif (char === \"'\") quote = \"none\";\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (char === \"\\\\\") {\n\t\t\tif (i + 1 >= input.length) {\n\t\t\t\treturn shellError(\"trailing escape\", baseOffset + i, source);\n\t\t\t}\n\t\t\ti += 1;\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (quote === \"double\") {\n\t\t\tif (char === \"\\\"\") {\n\t\t\t\tquote = \"none\";\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (isCommandSubstitutionAt(input, i)) {\n\t\t\t\tconst close = findClosingParen(input, i + 1, \"command substitution `$(`\");\n\t\t\t\tif (!close.ok) return shellError(close.reason, baseOffset + close.offset, source);\n\t\t\t\tconst nested = parseSegmentsInSource(input.slice(i + 2, close.closeIndex), baseOffset + i + 2, \"command-substitution\");\n\t\t\t\tif (!nested.ok) return nested;\n\t\t\t\tnestedForCurrentSegment.push(...nested.segments);\n\t\t\t\ti = close.closeIndex;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (char === \"`\") {\n\t\t\t\tconst close = findClosingBacktick(input, i);\n\t\t\t\tif (!close.ok) return shellError(close.reason, baseOffset + close.offset, source);\n\t\t\t\tconst nested = parseSegmentsInSource(input.slice(i + 1, close.closeIndex), baseOffset + i + 1, \"backtick\");\n\t\t\t\tif (!nested.ok) return nested;\n\t\t\t\tnestedForCurrentSegment.push(...nested.segments);\n\t\t\t\ti = close.closeIndex;\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (char === \"'\") {\n\t\t\tquote = \"single\";\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"\\\"\") {\n\t\t\tquote = \"double\";\n\t\t\tcontinue;\n\t\t}\n\t\tif (isHereDocumentAt(input, i)) {\n\t\t\treturn shellError(\"here-documents are not supported by bash policy segments mode\", baseOffset + i, source);\n\t\t}\n\t\tif (isCommandSubstitutionAt(input, i)) {\n\t\t\tconst close = findClosingParen(input, i + 1, \"command substitution `$(`\");\n\t\t\tif (!close.ok) return shellError(close.reason, baseOffset + close.offset, source);\n\t\t\tconst nested = parseSegmentsInSource(input.slice(i + 2, close.closeIndex), baseOffset + i + 2, \"command-substitution\");\n\t\t\tif (!nested.ok) return nested;\n\t\t\tnestedForCurrentSegment.push(...nested.segments);\n\t\t\ti = close.closeIndex;\n\t\t\tcontinue;\n\t\t}\n\t\tif (isProcessSubstitutionAt(input, i)) {\n\t\t\tconst close = findClosingParen(input, i + 1, \"process substitution\");\n\t\t\tif (!close.ok) return shellError(close.reason, baseOffset + close.offset, source);\n\t\t\tconst nested = parseSegmentsInSource(input.slice(i + 2, close.closeIndex), baseOffset + i + 2, \"process-substitution\");\n\t\t\tif (!nested.ok) return nested;\n\t\t\tnestedForCurrentSegment.push(...nested.segments);\n\t\t\ti = close.closeIndex;\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"`\") {\n\t\t\tconst close = findClosingBacktick(input, i);\n\t\t\tif (!close.ok) return shellError(close.reason, baseOffset + close.offset, source);\n\t\t\tconst nested = parseSegmentsInSource(input.slice(i + 1, close.closeIndex), baseOffset + i + 1, \"backtick\");\n\t\t\tif (!nested.ok) return nested;\n\t\t\tnestedForCurrentSegment.push(...nested.segments);\n\t\t\ti = close.closeIndex;\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"(\" || char === \")\") {\n\t\t\treturn shellError(\"unsupported shell grouping parentheses\", baseOffset + i, source);\n\t\t}\n\n\t\tconst lineTerminatorLength = lineTerminatorLengthAt(input, i);\n\t\tif (lineTerminatorLength > 0) {\n\t\t\tconst committed = commitSegment(i);\n\t\t\tif (committed) return committed;\n\t\t\ti += lineTerminatorLength - 1;\n\t\t\tsegmentStart = i + 1;\n\t\t\tcontinue;\n\t\t}\n\n\t\tconst operatorLength = operatorLengthAt(input, i);\n\t\tif (operatorLength > 0) {\n\t\t\tconst committed = commitSegment(i);\n\t\t\tif (committed) return committed;\n\t\t\ti += operatorLength - 1;\n\t\t\tsegmentStart = i + 1;\n\t\t}\n\t}\n\n\tif (quote === \"single\") return shellError(\"unclosed single quote\", baseOffset + input.length, source);\n\tif (quote === \"double\") return shellError(\"unclosed double quote\", baseOffset + input.length, source);\n\tconst committed = commitSegment(input.length);\n\tif (committed) return committed;\n\treturn { ok: true, segments };\n}\n\nexport function parseBashCommandSegments(command: string): BashCommandParseResult {\n\treturn parseSegmentsInSource(command, 0, \"top-level\");\n}\n\nexport function wholeCommandTarget(command: string): BashCommandSegment {\n\tconst target = command;\n\tconst trimmed = command.trimStart();\n\tconst leading = command.length - trimmed.length;\n\tconst firstSpace = trimmed.search(/\\s/);\n\tconst head = firstSpace === -1 ? trimmed : trimmed.slice(0, firstSpace);\n\treturn {\n\t\traw: command,\n\t\ttarget,\n\t\thead,\n\t\tstart: leading,\n\t\tend: command.length,\n\t\tsource: \"top-level\",\n\t};\n}\n"]}

package/dist/core/tools/bash-policy-segment.d.ts

@@ -1,3 +0,0 @@
-import type { SegmentBuildResult } from "./bash-policy-types.ts";
-export declare function buildSegment(rawSegment: string, absoluteStart: number, absoluteEnd: number, source: "top-level" | "command-substitution" | "process-substitution" | "backtick"): SegmentBuildResult;
-//# sourceMappingURL=bash-policy-segment.d.ts.map

package/dist/core/tools/bash-policy-segment.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"bash-policy-segment.d.ts","sourceRoot":"","sources":["../../../src/core/tools/bash-policy-segment.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAsC,MAAM,wBAAwB,CAAC;AAyMrG,wBAAgB,YAAY,CAC3B,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,WAAW,GAAG,sBAAsB,GAAG,sBAAsB,GAAG,UAAU,GAChF,kBAAkB,CA0FpB","sourcesContent":["import type { SegmentBuildResult, ShellQuoteState, ShellWordMetadata } from \"./bash-policy-types.ts\";\nimport {\n\tfindClosingBacktick,\n\tfindClosingParen,\n\tisCommandSubstitutionAt,\n\tisProcessSubstitutionAt,\n\tisWhitespace,\n\treadShellWord,\n} from \"./bash-policy-shell.ts\";\n\nconst UNSUPPORTED_CONTROL_HEADS = new Set([\n\t\"!\",\n\t\"[[\",\n\t\"]]\",\n\t\"case\",\n\t\"coproc\",\n\t\"do\",\n\t\"done\",\n\t\"elif\",\n\t\"else\",\n\t\"esac\",\n\t\"fi\",\n\t\"for\",\n\t\"function\",\n\t\"if\",\n\t\"in\",\n\t\"select\",\n\t\"then\",\n\t\"time\",\n\t\"until\",\n\t\"while\",\n\t\"{\",\n\t\"}\",\n]);\n\ntype LiteralCommandHeadValidation =\n\t| { readonly ok: true }\n\t| { readonly ok: false; readonly reason: string };\n\ninterface AttachedRedirectionToken {\n\treadonly token: string;\n\treadonly offset: number;\n}\n\nfunction isAsciiDigit(char: string | undefined): boolean {\n\treturn char !== undefined && char >= \"0\" && char <= \"9\";\n}\n\nfunction leadingRedirectionTokenAt(input: string, index: number): string | undefined {\n\tlet operatorStart = index;\n\twhile (isAsciiDigit(input[operatorStart])) operatorStart += 1;\n\n\tconst hasDescriptorPrefix = operatorStart > index;\n\tconst char = input[operatorStart];\n\tconst next = input[operatorStart + 1];\n\tconst afterNext = input[operatorStart + 2];\n\n\tif (char === undefined) return undefined;\n\tif (hasDescriptorPrefix && char !== \"<\" && char !== \">\") return undefined;\n\n\tif (!hasDescriptorPrefix && (char === \"<\" || char === \">\") && next === \"(\") {\n\t\treturn undefined;\n\t}\n\n\tlet operator: string | undefined;\n\tif (char === \"&\" && next === \">\") {\n\t\toperator = afterNext === \">\" ? \"&>>\" : \"&>\";\n\t} else if (char === \"<\") {\n\t\tif (next === \"<\") operator = \"<<\";\n\t\telse if (next === \"&\") operator = \"<&\";\n\t\telse if (next === \">\") operator = \"<>\";\n\t\telse operator = \"<\";\n\t} else if (char === \">\") {\n\t\tif (next === \">\") operator = \">>\";\n\t\telse if (next === \"|\") operator = \">|\";\n\t\telse if (next === \"&\") operator = \">&\";\n\t\telse operator = \">\";\n\t}\n\n\treturn operator === undefined ? undefined : `${input.slice(index, operatorStart)}${operator}`;\n}\n\nfunction isEnvAssignmentWord(word: string): boolean {\n\treturn /^[A-Za-z_][A-Za-z0-9_]*(?:\\+)?=/.test(word);\n}\n\nfunction attachedRedirectionOperatorAt(input: string, index: number): string | undefined {\n\tconst char = input[index];\n\tconst next = input[index + 1];\n\tconst afterNext = input[index + 2];\n\n\tif ((char === \"<\" || char === \">\") && next === \"(\") {\n\t\treturn undefined;\n\t}\n\tif (char === \"&\" && next === \">\") {\n\t\treturn afterNext === \">\" ? \"&>>\" : \"&>\";\n\t}\n\tif (char === \"<\") {\n\t\tif (next === \"<\") return \"<<\";\n\t\tif (next === \"&\") return \"<&\";\n\t\tif (next === \">\") return \"<>\";\n\t\treturn \"<\";\n\t}\n\tif (char === \">\") {\n\t\tif (next === \">\") return \">>\";\n\t\tif (next === \"|\") return \">|\";\n\t\tif (next === \"&\") return \">&\";\n\t\treturn \">\";\n\t}\n\treturn undefined;\n}\n\nfunction attachedCommandHeadRedirection(\n\tinput: string,\n\tstart: number,\n\tend: number,\n): AttachedRedirectionToken | undefined {\n\tlet quote: ShellQuoteState = \"none\";\n\n\tfor (let i = start; i < end; i += 1) {\n\t\tconst char = input[i]!;\n\t\tif (quote === \"single\") {\n\t\t\tif (char === \"'\") quote = \"none\";\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"\\\\\") {\n\t\t\ti += 1;\n\t\t\tcontinue;\n\t\t}\n\t\tif (quote === \"double\") {\n\t\t\tif (char === \"\\\"\") {\n\t\t\t\tquote = \"none\";\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (isCommandSubstitutionAt(input, i) || isProcessSubstitutionAt(input, i)) {\n\t\t\t\tconst close = findClosingParen(input, i + 1, isCommandSubstitutionAt(input, i) ? \"command substitution `$(`\" : \"process substitution\");\n\t\t\t\tif (close.ok) i = close.closeIndex;\n\t\t\t\tcontinue;\n\t\t\t}\n\t\t\tif (char === \"`\") {\n\t\t\t\tconst close = findClosingBacktick(input, i);\n\t\t\t\tif (close.ok) i = close.closeIndex;\n\t\t\t}\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"'\") {\n\t\t\tquote = \"single\";\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"\\\"\") {\n\t\t\tquote = \"double\";\n\t\t\tcontinue;\n\t\t}\n\t\tif (isCommandSubstitutionAt(input, i) || isProcessSubstitutionAt(input, i)) {\n\t\t\tconst close = findClosingParen(input, i + 1, isCommandSubstitutionAt(input, i) ? \"command substitution `$(`\" : \"process substitution\");\n\t\t\tif (close.ok) i = close.closeIndex;\n\t\t\tcontinue;\n\t\t}\n\t\tif (char === \"`\") {\n\t\t\tconst close = findClosingBacktick(input, i);\n\t\t\tif (close.ok) i = close.closeIndex;\n\t\t\tcontinue;\n\t\t}\n\n\t\tconst operator = attachedRedirectionOperatorAt(input, i);\n\t\tif (operator !== undefined && i > start) {\n\t\t\treturn { token: operator, offset: i };\n\t\t}\n\t}\n\n\treturn undefined;\n}\n\nfunction validateLiteralCommandHead(head: string, metadata: ShellWordMetadata): LiteralCommandHeadValidation {\n\tif (head.length === 0) {\n\t\treturn { ok: false, reason: \"empty command heads are not supported by bash policy segments mode\" };\n\t}\n\tif (metadata.sawSingleQuote || metadata.sawDoubleQuote) {\n\t\treturn { ok: false, reason: \"quoted or quote-constructed command heads are not supported by bash policy segments mode\" };\n\t}\n\tif (metadata.sawEscape) {\n\t\treturn { ok: false, reason: \"escape-constructed command heads are not supported by bash policy segments mode\" };\n\t}\n\tif (metadata.sawCommandSubstitution || metadata.sawProcessSubstitution || metadata.sawBacktick) {\n\t\treturn { ok: false, reason: \"command, process, and backtick substitutions are not supported in command heads by bash policy segments mode\" };\n\t}\n\tif (metadata.sawParameterExpansion) {\n\t\treturn { ok: false, reason: \"parameter-expanded command heads are not supported by bash policy segments mode\" };\n\t}\n\tif (metadata.sawTildePrefix) {\n\t\treturn { ok: false, reason: \"tilde-expanded command heads are not supported by bash policy segments mode\" };\n\t}\n\tif (metadata.sawGlobPattern) {\n\t\treturn { ok: false, reason: \"glob-expanded command heads are not supported by bash policy segments mode\" };\n\t}\n\tif (metadata.sawBraceExpansion) {\n\t\treturn { ok: false, reason: \"brace-expanded command heads are not supported by bash policy segments mode\" };\n\t}\n\treturn { ok: true };\n}\n\nexport function buildSegment(\n\trawSegment: string,\n\tabsoluteStart: number,\n\tabsoluteEnd: number,\n\tsource: \"top-level\" | \"command-substitution\" | \"process-substitution\" | \"backtick\",\n): SegmentBuildResult {\n\tlet cursor = 0;\n\twhile (cursor < rawSegment.length && isWhitespace(rawSegment[cursor]!)) cursor += 1;\n\tif (cursor >= rawSegment.length) return { ok: true };\n\n\twhile (cursor < rawSegment.length) {\n\t\twhile (cursor < rawSegment.length && isWhitespace(rawSegment[cursor]!)) cursor += 1;\n\t\tif (cursor >= rawSegment.length) return { ok: true };\n\n\t\tconst leadingRedirection = leadingRedirectionTokenAt(rawSegment, cursor);\n\t\tif (leadingRedirection !== undefined) {\n\t\t\treturn {\n\t\t\t\tok: false,\n\t\t\t\terror: {\n\t\t\t\t\treason: `leading shell redirection ${JSON.stringify(leadingRedirection)} is not supported by bash policy segments mode`,\n\t\t\t\t\toffset: absoluteStart + cursor,\n\t\t\t\t\tsource,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst word = readShellWord(rawSegment, cursor);\n\t\tif (!word.ok) {\n\t\t\treturn {\n\t\t\t\tok: false,\n\t\t\t\terror: { reason: word.reason, offset: absoluteStart + word.offset, source },\n\t\t\t};\n\t\t}\n\n\t\tconst attachedRedirection = attachedCommandHeadRedirection(rawSegment, cursor, word.end);\n\t\tif (attachedRedirection !== undefined) {\n\t\t\treturn {\n\t\t\t\tok: false,\n\t\t\t\terror: {\n\t\t\t\t\treason: `attached shell redirection ${JSON.stringify(attachedRedirection.token)} in the command head is not supported by bash policy segments mode`,\n\t\t\t\t\toffset: absoluteStart + attachedRedirection.offset,\n\t\t\t\t\tsource,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tif (isEnvAssignmentWord(word.word)) {\n\t\t\treturn {\n\t\t\t\tok: false,\n\t\t\t\terror: {\n\t\t\t\t\treason: \"environment assignment words are not supported by bash policy segments mode\",\n\t\t\t\t\toffset: absoluteStart + cursor,\n\t\t\t\t\tsource,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst target = rawSegment.slice(cursor).trim();\n\t\tconst head = word.word;\n\t\tif (UNSUPPORTED_CONTROL_HEADS.has(head)) {\n\t\t\treturn {\n\t\t\t\tok: false,\n\t\t\t\terror: {\n\t\t\t\t\treason: `unsupported shell reserved or compound syntax starting with ${JSON.stringify(head)}`,\n\t\t\t\t\toffset: absoluteStart + cursor,\n\t\t\t\t\tsource,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\t\tconst literalHead = validateLiteralCommandHead(head, word.metadata);\n\t\tif (!literalHead.ok) {\n\t\t\treturn {\n\t\t\t\tok: false,\n\t\t\t\terror: {\n\t\t\t\t\treason: literalHead.reason,\n\t\t\t\t\toffset: absoluteStart + cursor,\n\t\t\t\t\tsource,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\treturn {\n\t\t\tok: true,\n\t\t\tsegment: {\n\t\t\t\traw: rawSegment.trim(),\n\t\t\t\ttarget,\n\t\t\t\thead,\n\t\t\t\tstart: absoluteStart + cursor,\n\t\t\t\tend: absoluteEnd,\n\t\t\t\tsource,\n\t\t\t},\n\t\t};\n\t}\n\n\treturn { ok: true };\n}\n"]}