@google/gemini-cli-core 0.0.3-preview.4

package/dist/src/utils/secure-browser-launcher.js

@@ -0,0 +1,165 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { platform } from 'node:os';
+import { URL } from 'node:url';
+const execFileAsync = promisify(execFile);
+/**
+ * Validates that a URL is safe to open in a browser.
+ * Only allows HTTP and HTTPS URLs to prevent command injection.
+ *
+ * @param url The URL to validate
+ * @throws Error if the URL is invalid or uses an unsafe protocol
+ */
+function validateUrl(url) {
+    let parsedUrl;
+    try {
+        parsedUrl = new URL(url);
+    }
+    catch (_error) {
+        throw new Error(`Invalid URL: ${url}`);
+    }
+    // Only allow HTTP and HTTPS protocols
+    if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+        throw new Error(`Unsafe protocol: ${parsedUrl.protocol}. Only HTTP and HTTPS are allowed.`);
+    }
+    // Additional validation: ensure no newlines or control characters
+    // eslint-disable-next-line no-control-regex
+    if (/[\r\n\x00-\x1f]/.test(url)) {
+        throw new Error('URL contains invalid characters');
+    }
+}
+/**
+ * Opens a URL in the default browser using platform-specific commands.
+ * This implementation avoids shell injection vulnerabilities by:
+ * 1. Validating the URL to ensure it's HTTP/HTTPS only
+ * 2. Using execFile instead of exec to avoid shell interpretation
+ * 3. Passing the URL as an argument rather than constructing a command string
+ *
+ * @param url The URL to open
+ * @throws Error if the URL is invalid or if opening the browser fails
+ */
+export async function openBrowserSecurely(url) {
+    // Validate the URL first
+    validateUrl(url);
+    const platformName = platform();
+    let command;
+    let args;
+    switch (platformName) {
+        case 'darwin':
+            // macOS
+            command = 'open';
+            args = [url];
+            break;
+        case 'win32':
+            // Windows - use PowerShell with Start-Process
+            // This avoids the cmd.exe shell which is vulnerable to injection
+            command = 'powershell.exe';
+            args = [
+                '-NoProfile',
+                '-NonInteractive',
+                '-WindowStyle',
+                'Hidden',
+                '-Command',
+                `Start-Process '${url.replace(/'/g, "''")}'`,
+            ];
+            break;
+        case 'linux':
+        case 'freebsd':
+        case 'openbsd':
+            // Linux and BSD variants
+            // Try xdg-open first, fall back to other options
+            command = 'xdg-open';
+            args = [url];
+            break;
+        default:
+            throw new Error(`Unsupported platform: ${platformName}`);
+    }
+    const options = {
+        // Don't inherit parent's environment to avoid potential issues
+        env: {
+            ...process.env,
+            // Ensure we're not in a shell that might interpret special characters
+            SHELL: undefined,
+        },
+        // Detach the browser process so it doesn't block
+        detached: true,
+        stdio: 'ignore',
+    };
+    try {
+        await execFileAsync(command, args, options);
+    }
+    catch (error) {
+        // For Linux, try fallback commands if xdg-open fails
+        if ((platformName === 'linux' ||
+            platformName === 'freebsd' ||
+            platformName === 'openbsd') &&
+            command === 'xdg-open') {
+            const fallbackCommands = [
+                'gnome-open',
+                'kde-open',
+                'firefox',
+                'chromium',
+                'google-chrome',
+            ];
+            for (const fallbackCommand of fallbackCommands) {
+                try {
+                    await execFileAsync(fallbackCommand, [url], options);
+                    return; // Success!
+                }
+                catch {
+                    // Try next command
+                    continue;
+                }
+            }
+        }
+        // Re-throw the error if all attempts failed
+        throw new Error(`Failed to open browser: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+}
+/**
+ * Checks if the current environment should attempt to launch a browser.
+ * This is the same logic as in browser.ts for consistency.
+ *
+ * @returns True if the tool should attempt to launch a browser
+ */
+export function shouldLaunchBrowser() {
+    // A list of browser names that indicate we should not attempt to open a
+    // web browser for the user.
+    const browserBlocklist = ['www-browser'];
+    const browserEnv = process.env['BROWSER'];
+    if (browserEnv && browserBlocklist.includes(browserEnv)) {
+        return false;
+    }
+    // Common environment variables used in CI/CD or other non-interactive shells.
+    if (process.env['CI'] ||
+        process.env['DEBIAN_FRONTEND'] === 'noninteractive') {
+        return false;
+    }
+    // The presence of SSH_CONNECTION indicates a remote session.
+    // We should not attempt to launch a browser unless a display is explicitly available
+    // (checked below for Linux).
+    const isSSH = !!process.env['SSH_CONNECTION'];
+    // On Linux, the presence of a display server is a strong indicator of a GUI.
+    if (platform() === 'linux') {
+        // These are environment variables that can indicate a running compositor on Linux.
+        const displayVariables = ['DISPLAY', 'WAYLAND_DISPLAY', 'MIR_SOCKET'];
+        const hasDisplay = displayVariables.some((v) => !!process.env[v]);
+        if (!hasDisplay) {
+            return false;
+        }
+    }
+    // If in an SSH session on a non-Linux OS (e.g., macOS), don't launch browser.
+    // The Linux case is handled above (it's allowed if DISPLAY is set).
+    if (isSSH && platform() !== 'linux') {
+        return false;
+    }
+    // For non-Linux OSes, we generally assume a GUI is available
+    // unless other signals (like SSH) suggest otherwise.
+    return true;
+}
+//# sourceMappingURL=secure-browser-launcher.js.map

package/dist/src/utils/secure-browser-launcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-browser-launcher.js","sourceRoot":"","sources":["../../../src/utils/secure-browser-launcher.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAE/B,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C;;;;;;GAMG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,SAAc,CAAC;IAEnB,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,MAAM,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,gBAAgB,GAAG,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,sCAAsC;IACtC,IAAI,SAAS,CAAC,QAAQ,KAAK,OAAO,IAAI,SAAS,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACtE,MAAM,IAAI,KAAK,CACb,oBAAoB,SAAS,CAAC,QAAQ,oCAAoC,CAC3E,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,4CAA4C;IAC5C,IAAI,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAW;IACnD,yBAAyB;IACzB,WAAW,CAAC,GAAG,CAAC,CAAC;IAEjB,MAAM,YAAY,GAAG,QAAQ,EAAE,CAAC;IAChC,IAAI,OAAe,CAAC;IACpB,IAAI,IAAc,CAAC;IAEnB,QAAQ,YAAY,EAAE,CAAC;QACrB,KAAK,QAAQ;YACX,QAAQ;YACR,OAAO,GAAG,MAAM,CAAC;YACjB,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YACb,MAAM;QAER,KAAK,OAAO;YACV,8CAA8C;YAC9C,iEAAiE;YACjE,OAAO,GAAG,gBAAgB,CAAC;YAC3B,IAAI,GAAG;gBACL,YAAY;gBACZ,iBAAiB;gBACjB,cAAc;gBACd,QAAQ;gBACR,UAAU;gBACV,kBAAkB,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG;aAC7C,CAAC;YACF,MAAM;QAER,KAAK,OAAO,CAAC;QACb,KAAK,SAAS,CAAC;QACf,KAAK,SAAS;YACZ,yBAAyB;YACzB,iDAAiD;YACjD,OAAO,GAAG,UAAU,CAAC;YACrB,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YACb,MAAM;QAER;YACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,YAAY,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,OAAO,GAA4B;QACvC,+DAA+D;QAC/D,GAAG,EAAE;YACH,GAAG,OAAO,CAAC,GAAG;YACd,sEAAsE;YACtE,KAAK,EAAE,SAAS;SACjB;QACD,iDAAiD;QACjD,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,QAAQ;KAChB,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,qDAAqD;QACrD,IACE,CAAC,YAAY,KAAK,OAAO;YACvB,YAAY,KAAK,SAAS;YAC1B,YAAY,KAAK,SAAS,CAAC;YAC7B,OAAO,KAAK,UAAU,EACtB,CAAC;YACD,MAAM,gBAAgB,GAAG;gBACvB,YAAY;gBACZ,UAAU;gBACV,SAAS;gBACT,UAAU;gBACV,eAAe;aAChB,CAAC;YAEF,KAAK,MAAM,eAAe,IAAI,gBAAgB,EAAE,CAAC;gBAC/C,IAAI,CAAC;oBACH,MAAM,aAAa,CAAC,eAAe,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,CAAC;oBACrD,OAAO,CAAC,WAAW;gBACrB,CAAC;gBAAC,MAAM,CAAC;oBACP,mBAAmB;oBACnB,SAAS;gBACX,CAAC;YACH,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,MAAM,IAAI,KAAK,CACb,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CACtF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB;IACjC,wEAAwE;IACxE,4BAA4B;IAC5B,MAAM,gBAAgB,GAAG,CAAC,aAAa,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC1C,IAAI,UAAU,IAAI,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACxD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,8EAA8E;IAC9E,IACE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;QACjB,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,KAAK,gBAAgB,EACnD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,6DAA6D;IAC7D,qFAAqF;IACrF,6BAA6B;IAC7B,MAAM,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAE9C,6EAA6E;IAC7E,IAAI,QAAQ,EAAE,KAAK,OAAO,EAAE,CAAC;QAC3B,mFAAmF;QACnF,MAAM,gBAAgB,GAAG,CAAC,SAAS,EAAE,iBAAiB,EAAE,YAAY,CAAC,CAAC;QACtE,MAAM,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAClE,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,8EAA8E;IAC9E,oEAAoE;IACpE,IAAI,KAAK,IAAI,QAAQ,EAAE,KAAK,OAAO,EAAE,CAAC;QACpC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,6DAA6D;IAC7D,qDAAqD;IACrD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/src/utils/secure-browser-launcher.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export {};

package/dist/src/utils/secure-browser-launcher.test.js

@@ -0,0 +1,149 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { openBrowserSecurely } from './secure-browser-launcher.js';
+// Create mock function using vi.hoisted
+const mockExecFile = vi.hoisted(() => vi.fn());
+// Mock modules
+vi.mock('node:child_process');
+vi.mock('node:util', () => ({
+    promisify: () => mockExecFile,
+}));
+describe('secure-browser-launcher', () => {
+    let originalPlatform;
+    beforeEach(() => {
+        vi.clearAllMocks();
+        mockExecFile.mockResolvedValue({ stdout: '', stderr: '' });
+        originalPlatform = Object.getOwnPropertyDescriptor(process, 'platform');
+    });
+    afterEach(() => {
+        if (originalPlatform) {
+            Object.defineProperty(process, 'platform', originalPlatform);
+        }
+    });
+    function setPlatform(platform) {
+        Object.defineProperty(process, 'platform', {
+            value: platform,
+            configurable: true,
+        });
+    }
+    describe('URL validation', () => {
+        it('should allow valid HTTP URLs', async () => {
+            setPlatform('darwin');
+            await openBrowserSecurely('http://example.com');
+            expect(mockExecFile).toHaveBeenCalledWith('open', ['http://example.com'], expect.any(Object));
+        });
+        it('should allow valid HTTPS URLs', async () => {
+            setPlatform('darwin');
+            await openBrowserSecurely('https://example.com');
+            expect(mockExecFile).toHaveBeenCalledWith('open', ['https://example.com'], expect.any(Object));
+        });
+        it('should reject non-HTTP(S) protocols', async () => {
+            await expect(openBrowserSecurely('file:///etc/passwd')).rejects.toThrow('Unsafe protocol');
+            await expect(openBrowserSecurely('javascript:alert(1)')).rejects.toThrow('Unsafe protocol');
+            await expect(openBrowserSecurely('ftp://example.com')).rejects.toThrow('Unsafe protocol');
+        });
+        it('should reject invalid URLs', async () => {
+            await expect(openBrowserSecurely('not-a-url')).rejects.toThrow('Invalid URL');
+            await expect(openBrowserSecurely('')).rejects.toThrow('Invalid URL');
+        });
+        it('should reject URLs with control characters', async () => {
+            await expect(openBrowserSecurely('http://example.com\nmalicious-command')).rejects.toThrow('invalid characters');
+            await expect(openBrowserSecurely('http://example.com\rmalicious-command')).rejects.toThrow('invalid characters');
+            await expect(openBrowserSecurely('http://example.com\x00')).rejects.toThrow('invalid characters');
+        });
+    });
+    describe('Command injection prevention', () => {
+        it('should prevent PowerShell command injection on Windows', async () => {
+            setPlatform('win32');
+            // The POC from the vulnerability report
+            const maliciousUrl = "http://127.0.0.1:8080/?param=example#$(Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Y2FsYy5leGU='))))";
+            await openBrowserSecurely(maliciousUrl);
+            // Verify that execFile was called (not exec) and the URL is passed safely
+            expect(mockExecFile).toHaveBeenCalledWith('powershell.exe', [
+                '-NoProfile',
+                '-NonInteractive',
+                '-WindowStyle',
+                'Hidden',
+                '-Command',
+                `Start-Process '${maliciousUrl.replace(/'/g, "''")}'`,
+            ], expect.any(Object));
+        });
+        it('should handle URLs with special shell characters safely', async () => {
+            setPlatform('darwin');
+            const urlsWithSpecialChars = [
+                'http://example.com/path?param=value&other=$value',
+                'http://example.com/path#fragment;command',
+                'http://example.com/$(whoami)',
+                'http://example.com/`command`',
+                'http://example.com/|pipe',
+                'http://example.com/>redirect',
+            ];
+            for (const url of urlsWithSpecialChars) {
+                await openBrowserSecurely(url);
+                // Verify the URL is passed as an argument, not interpreted by shell
+                expect(mockExecFile).toHaveBeenCalledWith('open', [url], expect.any(Object));
+            }
+        });
+        it('should properly escape single quotes in URLs on Windows', async () => {
+            setPlatform('win32');
+            const urlWithSingleQuotes = "http://example.com/path?name=O'Brien&test='value'";
+            await openBrowserSecurely(urlWithSingleQuotes);
+            // Verify that single quotes are escaped by doubling them
+            expect(mockExecFile).toHaveBeenCalledWith('powershell.exe', [
+                '-NoProfile',
+                '-NonInteractive',
+                '-WindowStyle',
+                'Hidden',
+                '-Command',
+                `Start-Process 'http://example.com/path?name=O''Brien&test=''value'''`,
+            ], expect.any(Object));
+        });
+    });
+    describe('Platform-specific behavior', () => {
+        it('should use correct command on macOS', async () => {
+            setPlatform('darwin');
+            await openBrowserSecurely('https://example.com');
+            expect(mockExecFile).toHaveBeenCalledWith('open', ['https://example.com'], expect.any(Object));
+        });
+        it('should use PowerShell on Windows', async () => {
+            setPlatform('win32');
+            await openBrowserSecurely('https://example.com');
+            expect(mockExecFile).toHaveBeenCalledWith('powershell.exe', expect.arrayContaining([
+                '-Command',
+                `Start-Process 'https://example.com'`,
+            ]), expect.any(Object));
+        });
+        it('should use xdg-open on Linux', async () => {
+            setPlatform('linux');
+            await openBrowserSecurely('https://example.com');
+            expect(mockExecFile).toHaveBeenCalledWith('xdg-open', ['https://example.com'], expect.any(Object));
+        });
+        it('should throw on unsupported platforms', async () => {
+            setPlatform('aix');
+            await expect(openBrowserSecurely('https://example.com')).rejects.toThrow('Unsupported platform');
+        });
+    });
+    describe('Error handling', () => {
+        it('should handle browser launch failures gracefully', async () => {
+            setPlatform('darwin');
+            mockExecFile.mockRejectedValueOnce(new Error('Command not found'));
+            await expect(openBrowserSecurely('https://example.com')).rejects.toThrow('Failed to open browser');
+        });
+        it('should try fallback browsers on Linux', async () => {
+            setPlatform('linux');
+            // First call to xdg-open fails
+            mockExecFile.mockRejectedValueOnce(new Error('Command not found'));
+            // Second call to gnome-open succeeds
+            mockExecFile.mockResolvedValueOnce({ stdout: '', stderr: '' });
+            await openBrowserSecurely('https://example.com');
+            expect(mockExecFile).toHaveBeenCalledTimes(2);
+            expect(mockExecFile).toHaveBeenNthCalledWith(1, 'xdg-open', ['https://example.com'], expect.any(Object));
+            expect(mockExecFile).toHaveBeenNthCalledWith(2, 'gnome-open', ['https://example.com'], expect.any(Object));
+        });
+    });
+});
+//# sourceMappingURL=secure-browser-launcher.test.js.map

package/dist/src/utils/secure-browser-launcher.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-browser-launcher.test.js","sourceRoot":"","sources":["../../../src/utils/secure-browser-launcher.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAEnE,wCAAwC;AACxC,MAAM,YAAY,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;AAE/C,eAAe;AACf,EAAE,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;AAC9B,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC,CAAC;IAC1B,SAAS,EAAE,GAAG,EAAE,CAAC,YAAY;CAC9B,CAAC,CAAC,CAAC;AAEJ,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,IAAI,gBAAgD,CAAC;IAErD,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,aAAa,EAAE,CAAC;QACnB,YAAY,CAAC,iBAAiB,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;QAC3D,gBAAgB,GAAG,MAAM,CAAC,wBAAwB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,gBAAgB,EAAE,CAAC;YACrB,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,UAAU,EAAE,gBAAgB,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,SAAS,WAAW,CAAC,QAAgB;QACnC,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,UAAU,EAAE;YACzC,KAAK,EAAE,QAAQ;YACf,YAAY,EAAE,IAAI;SACnB,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC5C,WAAW,CAAC,QAAQ,CAAC,CAAC;YACtB,MAAM,mBAAmB,CAAC,oBAAoB,CAAC,CAAC;YAChD,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,MAAM,EACN,CAAC,oBAAoB,CAAC,EACtB,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;YAC7C,WAAW,CAAC,QAAQ,CAAC,CAAC;YACtB,MAAM,mBAAmB,CAAC,qBAAqB,CAAC,CAAC;YACjD,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,MAAM,EACN,CAAC,qBAAqB,CAAC,EACvB,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACrE,iBAAiB,CAClB,CAAC;YACF,MAAM,MAAM,CAAC,mBAAmB,CAAC,qBAAqB,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACtE,iBAAiB,CAClB,CAAC;YACF,MAAM,MAAM,CAAC,mBAAmB,CAAC,mBAAmB,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACpE,iBAAiB,CAClB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;YAC1C,MAAM,MAAM,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC5D,aAAa,CACd,CAAC;YACF,MAAM,MAAM,CAAC,mBAAmB,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QACvE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;YAC1D,MAAM,MAAM,CACV,mBAAmB,CAAC,uCAAuC,CAAC,CAC7D,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;YACxC,MAAM,MAAM,CACV,mBAAmB,CAAC,uCAAuC,CAAC,CAC7D,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;YACxC,MAAM,MAAM,CACV,mBAAmB,CAAC,wBAAwB,CAAC,CAC9C,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;QAC5C,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;YACtE,WAAW,CAAC,OAAO,CAAC,CAAC;YAErB,wCAAwC;YACxC,MAAM,YAAY,GAChB,uJAAuJ,CAAC;YAE1J,MAAM,mBAAmB,CAAC,YAAY,CAAC,CAAC;YAExC,0EAA0E;YAC1E,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,gBAAgB,EAChB;gBACE,YAAY;gBACZ,iBAAiB;gBACjB,cAAc;gBACd,QAAQ;gBACR,UAAU;gBACV,kBAAkB,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG;aACtD,EACD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;YACvE,WAAW,CAAC,QAAQ,CAAC,CAAC;YAEtB,MAAM,oBAAoB,GAAG;gBAC3B,kDAAkD;gBAClD,0CAA0C;gBAC1C,8BAA8B;gBAC9B,8BAA8B;gBAC9B,0BAA0B;gBAC1B,8BAA8B;aAC/B,CAAC;YAEF,KAAK,MAAM,GAAG,IAAI,oBAAoB,EAAE,CAAC;gBACvC,MAAM,mBAAmB,CAAC,GAAG,CAAC,CAAC;gBAC/B,oEAAoE;gBACpE,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,MAAM,EACN,CAAC,GAAG,CAAC,EACL,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;YACvE,WAAW,CAAC,OAAO,CAAC,CAAC;YAErB,MAAM,mBAAmB,GACvB,mDAAmD,CAAC;YACtD,MAAM,mBAAmB,CAAC,mBAAmB,CAAC,CAAC;YAE/C,yDAAyD;YACzD,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,gBAAgB,EAChB;gBACE,YAAY;gBACZ,iBAAiB;gBACjB,cAAc;gBACd,QAAQ;gBACR,UAAU;gBACV,sEAAsE;aACvE,EACD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;QAC1C,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,WAAW,CAAC,QAAQ,CAAC,CAAC;YACtB,MAAM,mBAAmB,CAAC,qBAAqB,CAAC,CAAC;YACjD,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,MAAM,EACN,CAAC,qBAAqB,CAAC,EACvB,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,WAAW,CAAC,OAAO,CAAC,CAAC;YACrB,MAAM,mBAAmB,CAAC,qBAAqB,CAAC,CAAC;YACjD,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,gBAAgB,EAChB,MAAM,CAAC,eAAe,CAAC;gBACrB,UAAU;gBACV,qCAAqC;aACtC,CAAC,EACF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;YAC5C,WAAW,CAAC,OAAO,CAAC,CAAC;YACrB,MAAM,mBAAmB,CAAC,qBAAqB,CAAC,CAAC;YACjD,MAAM,CAAC,YAAY,CAAC,CAAC,oBAAoB,CACvC,UAAU,EACV,CAAC,qBAAqB,CAAC,EACvB,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,WAAW,CAAC,KAAK,CAAC,CAAC;YACnB,MAAM,MAAM,CAAC,mBAAmB,CAAC,qBAAqB,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACtE,sBAAsB,CACvB,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;YAChE,WAAW,CAAC,QAAQ,CAAC,CAAC;YACtB,YAAY,CAAC,qBAAqB,CAAC,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC,CAAC;YAEnE,MAAM,MAAM,CAAC,mBAAmB,CAAC,qBAAqB,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CACtE,wBAAwB,CACzB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,WAAW,CAAC,OAAO,CAAC,CAAC;YAErB,+BAA+B;YAC/B,YAAY,CAAC,qBAAqB,CAAC,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC,CAAC;YACnE,qCAAqC;YACrC,YAAY,CAAC,qBAAqB,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;YAE/D,MAAM,mBAAmB,CAAC,qBAAqB,CAAC,CAAC;YAEjD,MAAM,CAAC,YAAY,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,CAAC,YAAY,CAAC,CAAC,uBAAuB,CAC1C,CAAC,EACD,UAAU,EACV,CAAC,qBAAqB,CAAC,EACvB,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;YACF,MAAM,CAAC,YAAY,CAAC,CAAC,uBAAuB,CAC1C,CAAC,EACD,YAAY,EACZ,CAAC,qBAAqB,CAAC,EACvB,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/utils/session.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export declare const sessionId: `${string}-${string}-${string}-${string}-${string}`;

package/dist/src/utils/session.js

@@ -0,0 +1,8 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { randomUUID } from 'node:crypto';
+export const sessionId = randomUUID();
+//# sourceMappingURL=session.js.map

package/dist/src/utils/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../../src/utils/session.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,CAAC,MAAM,SAAS,GAAG,UAAU,EAAE,CAAC"}

package/dist/src/utils/shell-utils.d.ts

@@ -0,0 +1,117 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import type { Config } from '../config/config.js';
+/**
+ * An identifier for the shell type.
+ */
+export type ShellType = 'cmd' | 'powershell' | 'bash';
+/**
+ * Defines the configuration required to execute a command string within a specific shell.
+ */
+export interface ShellConfiguration {
+    /** The path or name of the shell executable (e.g., 'bash', 'cmd.exe'). */
+    executable: string;
+    /**
+     * The arguments required by the shell to execute a subsequent string argument.
+     */
+    argsPrefix: string[];
+    /** An identifier for the shell type. */
+    shell: ShellType;
+}
+/**
+ * Determines the appropriate shell configuration for the current platform.
+ *
+ * This ensures we can execute command strings predictably and securely across platforms
+ * using the `spawn(executable, [...argsPrefix, commandString], { shell: false })` pattern.
+ *
+ * @returns The ShellConfiguration for the current environment.
+ */
+export declare function getShellConfiguration(): ShellConfiguration;
+/**
+ * Export the platform detection constant for use in process management (e.g., killing processes).
+ */
+export declare const isWindows: () => boolean;
+/**
+ * Escapes a string so that it can be safely used as a single argument
+ * in a shell command, preventing command injection.
+ *
+ * @param arg The argument string to escape.
+ * @param shell The type of shell the argument is for.
+ * @returns The shell-escaped string.
+ */
+export declare function escapeShellArg(arg: string, shell: ShellType): string;
+/**
+ * Splits a shell command into a list of individual commands, respecting quotes.
+ * This is used to separate chained commands (e.g., using &&, ||, ;).
+ * @param command The shell command string to parse
+ * @returns An array of individual command strings
+ */
+export declare function splitCommands(command: string): string[];
+/**
+ * Extracts the root command from a given shell command string.
+ * This is used to identify the base command for permission checks.
+ * @param command The shell command string to parse
+ * @returns The root command name, or undefined if it cannot be determined
+ * @example getCommandRoot("ls -la /tmp") returns "ls"
+ * @example getCommandRoot("git status && npm test") returns "git"
+ */
+export declare function getCommandRoot(command: string): string | undefined;
+export declare function getCommandRoots(command: string): string[];
+export declare function stripShellWrapper(command: string): string;
+/**
+ * Detects command substitution patterns in a shell command, following bash quoting rules:
+ * - Single quotes ('): Everything literal, no substitution possible
+ * - Double quotes ("): Command substitution with $() and backticks unless escaped with \
+ * - No quotes: Command substitution with $(), <(), and backticks
+ * @param command The shell command string to check
+ * @returns true if command substitution would be executed by bash
+ */
+export declare function detectCommandSubstitution(command: string): boolean;
+/**
+ * Checks a shell command against security policies and allowlists.
+ *
+ * This function operates in one of two modes depending on the presence of
+ * the `sessionAllowlist` parameter:
+ *
+ * 1.  **"Default Deny" Mode (sessionAllowlist is provided):** This is the
+ *     strictest mode, used for user-defined scripts like custom commands.
+ *     A command is only permitted if it is found on the global `coreTools`
+ *     allowlist OR the provided `sessionAllowlist`. It must not be on the
+ *     global `excludeTools` blocklist.
+ *
+ * 2.  **"Default Allow" Mode (sessionAllowlist is NOT provided):** This mode
+ *     is used for direct tool invocations (e.g., by the model). If a strict
+ *     global `coreTools` allowlist exists, commands must be on it. Otherwise,
+ *     any command is permitted as long as it is not on the `excludeTools`
+ *     blocklist.
+ *
+ * @param command The shell command string to validate.
+ * @param config The application configuration.
+ * @param sessionAllowlist A session-level list of approved commands. Its
+ *   presence activates "Default Deny" mode.
+ * @returns An object detailing which commands are not allowed.
+ */
+export declare function checkCommandPermissions(command: string, config: Config, sessionAllowlist?: Set<string>): {
+    allAllowed: boolean;
+    disallowedCommands: string[];
+    blockReason?: string;
+    isHardDenial?: boolean;
+};
+/**
+ * Determines whether a given shell command is allowed to execute based on
+ * the tool's configuration including allowlists and blocklists.
+ *
+ * This function operates in "default allow" mode. It is a wrapper around
+ * `checkCommandPermissions`.
+ *
+ * @param command The shell command string to validate.
+ * @param config The application configuration.
+ * @returns An object with 'allowed' boolean and optional 'reason' string if not allowed.
+ */
+export declare function isCommandAllowed(command: string, config: Config): {
+    allowed: boolean;
+    reason?: string;
+};