@google/gemini-cli-core 0.15.0-preview.3 → 0.16.0-nightly.20251113.ad1f0d99

package/dist/src/policy/types.d.ts

@@ -3,6 +3,7 @@
  * Copyright 2025 Google LLC
  * SPDX-License-Identifier: Apache-2.0
  */
+import type { SafetyCheckInput } from '../safety/protocol.js';
 export declare enum PolicyDecision {
     ALLOW = "allow",
     DENY = "deny",
@@ -13,6 +14,44 @@ export declare enum ApprovalMode {
     AUTO_EDIT = "autoEdit",
     YOLO = "yolo"
 }
+/**
+ * Configuration for the built-in allowed-path checker.
+ */
+export interface AllowedPathConfig {
+    /**
+     * Explicitly include argument keys to be checked as paths.
+     */
+    included_args?: string[];
+    /**
+     * Explicitly exclude argument keys from being checked as paths.
+     */
+    excluded_args?: string[];
+}
+/**
+ * Base interface for external checkers.
+ */
+export interface ExternalCheckerConfig {
+    type: 'external';
+    name: string;
+    config?: unknown;
+    required_context?: Array<keyof SafetyCheckInput['context']>;
+}
+export declare enum InProcessCheckerType {
+    ALLOWED_PATH = "allowed-path"
+}
+/**
+ * Base interface for in-process checkers.
+ */
+export interface InProcessCheckerConfig {
+    type: 'in-process';
+    name: InProcessCheckerType;
+    config?: AllowedPathConfig;
+    required_context?: Array<keyof SafetyCheckInput['context']>;
+}
+/**
+ * A discriminated union for all safety checker configurations.
+ */
+export type SafetyCheckerConfig = ExternalCheckerConfig | InProcessCheckerConfig;
 export interface PolicyRule {
     /**
      * The name of the tool this rule applies to.
@@ -34,11 +73,37 @@ export interface PolicyRule {
      */
     priority?: number;
 }
+export interface SafetyCheckerRule {
+    /**
+     * The name of the tool this rule applies to.
+     * If undefined, the rule applies to all tools.
+     */
+    toolName?: string;
+    /**
+     * Pattern to match against tool arguments.
+     * Can be used for more fine-grained control.
+     */
+    argsPattern?: RegExp;
+    /**
+     * Priority of this checker. Higher numbers run first.
+     * Default is 0.
+     */
+    priority?: number;
+    /**
+     * Specifies an external or built-in safety checker to execute for
+     * additional validation of a tool call.
+     */
+    checker: SafetyCheckerConfig;
+}
 export interface PolicyEngineConfig {
     /**
      * List of policy rules to apply.
      */
     rules?: PolicyRule[];
+    /**
+     * List of safety checkers to apply.
+     */
+    checkers?: SafetyCheckerRule[];
     /**
      * Default decision when no rules match.
      * Defaults to ASK_USER.

package/dist/src/policy/types.js

@@ -15,4 +15,8 @@ export var ApprovalMode;
     ApprovalMode["AUTO_EDIT"] = "autoEdit";
     ApprovalMode["YOLO"] = "yolo";
 })(ApprovalMode || (ApprovalMode = {}));
+export var InProcessCheckerType;
+(function (InProcessCheckerType) {
+    InProcessCheckerType["ALLOWED_PATH"] = "allowed-path";
+})(InProcessCheckerType || (InProcessCheckerType = {}));
 //# sourceMappingURL=types.js.map

package/dist/src/policy/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/policy/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,CAAN,IAAY,cAIX;AAJD,WAAY,cAAc;IACxB,iCAAe,CAAA;IACf,+BAAa,CAAA;IACb,uCAAqB,CAAA;AACvB,CAAC,EAJW,cAAc,KAAd,cAAc,QAIzB;AAED,MAAM,CAAN,IAAY,YAIX;AAJD,WAAY,YAAY;IACtB,mCAAmB,CAAA;IACnB,sCAAsB,CAAA;IACtB,6BAAa,CAAA;AACf,CAAC,EAJW,YAAY,KAAZ,YAAY,QAIvB"}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/policy/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAN,IAAY,cAIX;AAJD,WAAY,cAAc;IACxB,iCAAe,CAAA;IACf,+BAAa,CAAA;IACb,uCAAqB,CAAA;AACvB,CAAC,EAJW,cAAc,KAAd,cAAc,QAIzB;AAED,MAAM,CAAN,IAAY,YAIX;AAJD,WAAY,YAAY;IACtB,mCAAmB,CAAA;IACnB,sCAAsB,CAAA;IACtB,6BAAa,CAAA;AACf,CAAC,EAJW,YAAY,KAAZ,YAAY,QAIvB;AA2BD,MAAM,CAAN,IAAY,oBAEX;AAFD,WAAY,oBAAoB;IAC9B,qDAA6B,CAAA;AAC/B,CAAC,EAFW,oBAAoB,KAApB,oBAAoB,QAE/B"}

package/dist/src/prompts/mcp-prompts.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export {};

package/dist/src/prompts/mcp-prompts.test.js

@@ -0,0 +1,40 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { describe, it, expect, vi } from 'vitest';
+import { getMCPServerPrompts } from './mcp-prompts.js';
+import { PromptRegistry } from './prompt-registry.js';
+describe('getMCPServerPrompts', () => {
+    it('should return prompts from the registry for a given server', () => {
+        const mockPrompts = [
+            {
+                name: 'prompt1',
+                serverName: 'server1',
+                tool: { name: 'p1', description: '', inputSchema: {} },
+                invoke: async () => ({
+                    messages: [
+                        { role: 'assistant', content: { type: 'text', text: '' } },
+                    ],
+                }),
+            },
+        ];
+        const mockRegistry = new PromptRegistry();
+        vi.spyOn(mockRegistry, 'getPromptsByServer').mockReturnValue(mockPrompts);
+        const mockConfig = {
+            getPromptRegistry: () => mockRegistry,
+        };
+        const result = getMCPServerPrompts(mockConfig, 'server1');
+        expect(mockRegistry.getPromptsByServer).toHaveBeenCalledWith('server1');
+        expect(result).toEqual(mockPrompts);
+    });
+    it('should return an empty array if there is no prompt registry', () => {
+        const mockConfig = {
+            getPromptRegistry: () => undefined,
+        };
+        const result = getMCPServerPrompts(mockConfig, 'server1');
+        expect(result).toEqual([]);
+    });
+});
+//# sourceMappingURL=mcp-prompts.test.js.map

package/dist/src/prompts/mcp-prompts.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-prompts.test.js","sourceRoot":"","sources":["../../../src/prompts/mcp-prompts.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAEvD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGtD,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,WAAW,GAA0B;YACzC;gBACE,IAAI,EAAE,SAAS;gBACf,UAAU,EAAE,SAAS;gBACrB,IAAI,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE;gBACtD,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;oBACnB,QAAQ,EAAE;wBACR,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE;qBAC3D;iBACF,CAAC;aACH;SACF,CAAC;QAEF,MAAM,YAAY,GAAG,IAAI,cAAc,EAAE,CAAC;QAC1C,EAAE,CAAC,KAAK,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAE1E,MAAM,UAAU,GAAG;YACjB,iBAAiB,EAAE,GAAG,EAAE,CAAC,YAAY;SACjB,CAAC;QAEvB,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;QAE1D,MAAM,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC;QACxE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;QACrE,MAAM,UAAU,GAAG;YACjB,iBAAiB,EAAE,GAAG,EAAE,CAAC,SAAS;SACd,CAAC;QAEvB,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;QAE1D,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/prompts/prompt-registry.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export {};

package/dist/src/prompts/prompt-registry.test.js

@@ -0,0 +1,111 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { PromptRegistry } from './prompt-registry.js';
+import { debugLogger } from '../utils/debugLogger.js';
+vi.mock('../utils/debugLogger.js', () => ({
+    debugLogger: {
+        warn: vi.fn(),
+    },
+}));
+describe('PromptRegistry', () => {
+    let registry;
+    const prompt1 = {
+        name: 'prompt1',
+        serverName: 'server1',
+        tool: {
+            name: 'prompt1',
+            description: 'Prompt 1',
+            inputSchema: {},
+        },
+        invoke: async () => ({
+            messages: [
+                { role: 'assistant', content: { type: 'text', text: 'response1' } },
+            ],
+        }),
+    };
+    const prompt2 = {
+        name: 'prompt2',
+        serverName: 'server1',
+        tool: {
+            name: 'prompt2',
+            description: 'Prompt 2',
+            inputSchema: {},
+        },
+        invoke: async () => ({
+            messages: [
+                { role: 'assistant', content: { type: 'text', text: 'response2' } },
+            ],
+        }),
+    };
+    const prompt3 = {
+        name: 'prompt1',
+        serverName: 'server2',
+        tool: {
+            name: 'prompt1',
+            description: 'Prompt 3',
+            inputSchema: {},
+        },
+        invoke: async () => ({
+            messages: [
+                { role: 'assistant', content: { type: 'text', text: 'response3' } },
+            ],
+        }),
+    };
+    beforeEach(() => {
+        registry = new PromptRegistry();
+        vi.clearAllMocks();
+    });
+    it('should register a prompt', () => {
+        registry.registerPrompt(prompt1);
+        expect(registry.getPrompt('prompt1')).toEqual(prompt1);
+    });
+    it('should get all prompts, sorted by name', () => {
+        registry.registerPrompt(prompt2);
+        registry.registerPrompt(prompt1);
+        expect(registry.getAllPrompts()).toEqual([prompt1, prompt2]);
+    });
+    it('should get a specific prompt by name', () => {
+        registry.registerPrompt(prompt1);
+        expect(registry.getPrompt('prompt1')).toEqual(prompt1);
+        expect(registry.getPrompt('non-existent')).toBeUndefined();
+    });
+    it('should get prompts by server, sorted by name', () => {
+        registry.registerPrompt(prompt1);
+        registry.registerPrompt(prompt2);
+        registry.registerPrompt(prompt3); // different server
+        expect(registry.getPromptsByServer('server1')).toEqual([prompt1, prompt2]);
+        expect(registry.getPromptsByServer('server2')).toEqual([
+            { ...prompt3, name: 'server2_prompt1' },
+        ]);
+    });
+    it('should handle prompt name collision by renaming', () => {
+        registry.registerPrompt(prompt1);
+        registry.registerPrompt(prompt3);
+        expect(registry.getPrompt('prompt1')).toEqual(prompt1);
+        const renamedPrompt = { ...prompt3, name: 'server2_prompt1' };
+        expect(registry.getPrompt('server2_prompt1')).toEqual(renamedPrompt);
+        expect(debugLogger.warn).toHaveBeenCalledWith('Prompt with name "prompt1" is already registered. Renaming to "server2_prompt1".');
+    });
+    it('should clear all prompts', () => {
+        registry.registerPrompt(prompt1);
+        registry.registerPrompt(prompt2);
+        registry.clear();
+        expect(registry.getAllPrompts()).toEqual([]);
+    });
+    it('should remove prompts by server', () => {
+        registry.registerPrompt(prompt1);
+        registry.registerPrompt(prompt2);
+        registry.registerPrompt(prompt3);
+        registry.removePromptsByServer('server1');
+        const renamedPrompt = { ...prompt3, name: 'server2_prompt1' };
+        expect(registry.getAllPrompts()).toEqual([renamedPrompt]);
+        expect(registry.getPrompt('prompt1')).toBeUndefined();
+        expect(registry.getPrompt('prompt2')).toBeUndefined();
+        expect(registry.getPrompt('server2_prompt1')).toEqual(renamedPrompt);
+    });
+});
+//# sourceMappingURL=prompt-registry.test.js.map

package/dist/src/prompts/prompt-registry.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt-registry.test.js","sourceRoot":"","sources":["../../../src/prompts/prompt-registry.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAEtD,EAAE,CAAC,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE,CAAC,CAAC;IACxC,WAAW,EAAE;QACX,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE;KACd;CACF,CAAC,CAAC,CAAC;AAEJ,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,IAAI,QAAwB,CAAC;IAE7B,MAAM,OAAO,GAAwB;QACnC,IAAI,EAAE,SAAS;QACf,UAAU,EAAE,SAAS;QACrB,IAAI,EAAE;YACJ,IAAI,EAAE,SAAS;YACf,WAAW,EAAE,UAAU;YACvB,WAAW,EAAE,EAAE;SAChB;QACD,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;YACnB,QAAQ,EAAE;gBACR,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE;aACpE;SACF,CAAC;KACH,CAAC;IAEF,MAAM,OAAO,GAAwB;QACnC,IAAI,EAAE,SAAS;QACf,UAAU,EAAE,SAAS;QACrB,IAAI,EAAE;YACJ,IAAI,EAAE,SAAS;YACf,WAAW,EAAE,UAAU;YACvB,WAAW,EAAE,EAAE;SAChB;QACD,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;YACnB,QAAQ,EAAE;gBACR,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE;aACpE;SACF,CAAC;KACH,CAAC;IAEF,MAAM,OAAO,GAAwB;QACnC,IAAI,EAAE,SAAS;QACf,UAAU,EAAE,SAAS;QACrB,IAAI,EAAE;YACJ,IAAI,EAAE,SAAS;YACf,WAAW,EAAE,UAAU;YACvB,WAAW,EAAE,EAAE;SAChB;QACD,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;YACnB,QAAQ,EAAE;gBACR,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE;aACpE;SACF,CAAC;KACH,CAAC;IAEF,UAAU,CAAC,GAAG,EAAE;QACd,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAC;QAChC,EAAE,CAAC,aAAa,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB;QACrD,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;QAC3E,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC;YACrD,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE;SACxC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QAEjC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACvD,MAAM,aAAa,GAAG,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC;QAC9D,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QACrE,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,oBAAoB,CAC3C,kFAAkF,CACnF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0BAA0B,EAAE,GAAG,EAAE;QAClC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,QAAQ,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACjC,QAAQ,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC;QAE1C,MAAM,aAAa,GAAG,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC;QAC9D,MAAM,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;QAC1D,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QACtD,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QACtD,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/safety/built-in.d.ts

@@ -0,0 +1,21 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import type { SafetyCheckInput, SafetyCheckResult } from './protocol.js';
+/**
+ * Interface for all in-process safety checkers.
+ */
+export interface InProcessChecker {
+    check(input: SafetyCheckInput): Promise<SafetyCheckResult>;
+}
+/**
+ * An in-process checker to validate file paths.
+ */
+export declare class AllowedPathChecker implements InProcessChecker {
+    check(input: SafetyCheckInput): Promise<SafetyCheckResult>;
+    private safelyResolvePath;
+    private isPathAllowed;
+    private collectPathsToCheck;
+}

package/dist/src/safety/built-in.js

@@ -0,0 +1,106 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import * as path from 'node:path';
+import * as fs from 'node:fs';
+import { SafetyCheckDecision } from './protocol.js';
+/**
+ * An in-process checker to validate file paths.
+ */
+export class AllowedPathChecker {
+    async check(input) {
+        const { toolCall, context } = input;
+        const config = input.config;
+        // Build list of allowed directories
+        const allowedDirs = [
+            context.environment.cwd,
+            ...context.environment.workspaces,
+        ];
+        // Find all arguments that look like paths
+        const includedArgs = config?.included_args ?? [];
+        const excludedArgs = config?.excluded_args ?? [];
+        const pathsToCheck = this.collectPathsToCheck(toolCall.args, includedArgs, excludedArgs);
+        // Check each path
+        for (const { path: p, argName } of pathsToCheck) {
+            const resolvedPath = this.safelyResolvePath(p, context.environment.cwd);
+            if (!resolvedPath) {
+                // If path cannot be resolved, deny it
+                return {
+                    decision: SafetyCheckDecision.DENY,
+                    reason: `Cannot resolve path "${p}" in argument "${argName}"`,
+                };
+            }
+            const isAllowed = allowedDirs.some((dir) => {
+                // Also resolve allowed directories to handle symlinks
+                const resolvedDir = this.safelyResolvePath(dir, context.environment.cwd);
+                if (!resolvedDir)
+                    return false;
+                return this.isPathAllowed(resolvedPath, resolvedDir);
+            });
+            if (!isAllowed) {
+                return {
+                    decision: SafetyCheckDecision.DENY,
+                    reason: `Path "${p}" in argument "${argName}" is outside of the allowed workspace directories.`,
+                };
+            }
+        }
+        return { decision: SafetyCheckDecision.ALLOW };
+    }
+    safelyResolvePath(inputPath, cwd) {
+        try {
+            const resolved = path.resolve(cwd, inputPath);
+            // Walk up the directory tree until we find a path that exists
+            let current = resolved;
+            // Stop at root (dirname(root) === root on many systems, or it becomes empty/'.' depending on implementation)
+            while (current && current !== path.dirname(current)) {
+                if (fs.existsSync(current)) {
+                    const canonical = fs.realpathSync(current);
+                    // Re-construct the full path from this canonical base
+                    const relative = path.relative(current, resolved);
+                    // path.join handles empty relative paths correctly (returns canonical)
+                    return path.join(canonical, relative);
+                }
+                current = path.dirname(current);
+            }
+            // Fallback if nothing exists (unlikely if root exists)
+            return resolved;
+        }
+        catch (_error) {
+            return null;
+        }
+    }
+    isPathAllowed(targetPath, allowedDir) {
+        const relative = path.relative(allowedDir, targetPath);
+        return (relative === '' ||
+            (!relative.startsWith('..') && !path.isAbsolute(relative)));
+    }
+    collectPathsToCheck(args, includedArgs, excludedArgs, prefix = '') {
+        const paths = [];
+        if (typeof args !== 'object' || args === null) {
+            return paths;
+        }
+        for (const [key, value] of Object.entries(args)) {
+            const fullKey = prefix ? `${prefix}.${key}` : key;
+            if (excludedArgs.includes(fullKey)) {
+                continue;
+            }
+            if (typeof value === 'string') {
+                if (includedArgs.includes(fullKey) ||
+                    key.includes('path') ||
+                    key.includes('directory') ||
+                    key.includes('file') ||
+                    key === 'source' ||
+                    key === 'destination') {
+                    paths.push({ path: value, argName: fullKey });
+                }
+            }
+            else if (typeof value === 'object') {
+                paths.push(...this.collectPathsToCheck(value, includedArgs, excludedArgs, fullKey));
+            }
+        }
+        return paths;
+    }
+}
+//# sourceMappingURL=built-in.js.map

package/dist/src/safety/built-in.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"built-in.js","sourceRoot":"","sources":["../../../src/safety/built-in.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAUpD;;GAEG;AACH,MAAM,OAAO,kBAAkB;IAC7B,KAAK,CAAC,KAAK,CAAC,KAAuB;QACjC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC;QACpC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAuC,CAAC;QAE7D,oCAAoC;QACpC,MAAM,WAAW,GAAG;YAClB,OAAO,CAAC,WAAW,CAAC,GAAG;YACvB,GAAG,OAAO,CAAC,WAAW,CAAC,UAAU;SAClC,CAAC;QAEF,0CAA0C;QAC1C,MAAM,YAAY,GAAG,MAAM,EAAE,aAAa,IAAI,EAAE,CAAC;QACjD,MAAM,YAAY,GAAG,MAAM,EAAE,aAAa,IAAI,EAAE,CAAC;QAEjD,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAC3C,QAAQ,CAAC,IAAI,EACb,YAAY,EACZ,YAAY,CACb,CAAC;QAEF,kBAAkB;QAClB,KAAK,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,YAAY,EAAE,CAAC;YAChD,MAAM,YAAY,GAAG,IAAI,CAAC,iBAAiB,CAAC,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;YAExE,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,sCAAsC;gBACtC,OAAO;oBACL,QAAQ,EAAE,mBAAmB,CAAC,IAAI;oBAClC,MAAM,EAAE,wBAAwB,CAAC,kBAAkB,OAAO,GAAG;iBAC9D,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE;gBACzC,sDAAsD;gBACtD,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,CACxC,GAAG,EACH,OAAO,CAAC,WAAW,CAAC,GAAG,CACxB,CAAC;gBACF,IAAI,CAAC,WAAW;oBAAE,OAAO,KAAK,CAAC;gBAC/B,OAAO,IAAI,CAAC,aAAa,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;YACvD,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO;oBACL,QAAQ,EAAE,mBAAmB,CAAC,IAAI;oBAClC,MAAM,EAAE,SAAS,CAAC,kBAAkB,OAAO,oDAAoD;iBAChG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,mBAAmB,CAAC,KAAK,EAAE,CAAC;IACjD,CAAC;IAEO,iBAAiB,CAAC,SAAiB,EAAE,GAAW;QACtD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YAE9C,8DAA8D;YAC9D,IAAI,OAAO,GAAG,QAAQ,CAAC;YACvB,6GAA6G;YAC7G,OAAO,OAAO,IAAI,OAAO,KAAK,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACpD,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3B,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;oBAC3C,sDAAsD;oBACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;oBAClD,uEAAuE;oBACvE,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;gBACxC,CAAC;gBACD,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAClC,CAAC;YAED,uDAAuD;YACvD,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,MAAM,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,UAAkB,EAAE,UAAkB;QAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QACvD,OAAO,CACL,QAAQ,KAAK,EAAE;YACf,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAC3D,CAAC;IACJ,CAAC;IAEO,mBAAmB,CACzB,IAAa,EACb,YAAsB,EACtB,YAAsB,EACtB,MAAM,GAAG,EAAE;QAEX,MAAM,KAAK,GAA6C,EAAE,CAAC;QAE3D,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAC9C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;YAElD,IAAI,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnC,SAAS;YACX,CAAC;YAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,IACE,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC;oBAC9B,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACpB,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;oBACzB,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACpB,GAAG,KAAK,QAAQ;oBAChB,GAAG,KAAK,aAAa,EACrB,CAAC;oBACD,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;gBAChD,CAAC;YACH,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACrC,KAAK,CAAC,IAAI,CACR,GAAG,IAAI,CAAC,mBAAmB,CACzB,KAAK,EACL,YAAY,EACZ,YAAY,EACZ,OAAO,CACR,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/src/safety/built-in.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export {};

package/dist/src/safety/built-in.test.js

@@ -0,0 +1,199 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import * as fs from 'node:fs/promises';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { AllowedPathChecker } from './built-in.js';
+import { SafetyCheckDecision } from './protocol.js';
+describe('AllowedPathChecker', () => {
+    let checker;
+    let testRootDir;
+    let mockCwd;
+    let mockWorkspaces;
+    beforeEach(async () => {
+        checker = new AllowedPathChecker();
+        testRootDir = await fs.mkdtemp(path.join(os.tmpdir(), 'safety-test-'));
+        mockCwd = path.join(testRootDir, 'home', 'user', 'project');
+        await fs.mkdir(mockCwd, { recursive: true });
+        mockWorkspaces = [
+            mockCwd,
+            path.join(testRootDir, 'home', 'user', 'other-project'),
+        ];
+        await fs.mkdir(mockWorkspaces[1], { recursive: true });
+    });
+    afterEach(async () => {
+        await fs.rm(testRootDir, { recursive: true, force: true });
+    });
+    const createInput = (toolArgs, config) => ({
+        protocolVersion: '1.0.0',
+        toolCall: {
+            name: 'test_tool',
+            args: toolArgs,
+        },
+        context: {
+            environment: {
+                cwd: mockCwd,
+                workspaces: mockWorkspaces,
+            },
+        },
+        config,
+    });
+    it('should allow paths within CWD', async () => {
+        const filePath = path.join(mockCwd, 'file.txt');
+        await fs.writeFile(filePath, 'test content');
+        const input = createInput({
+            path: filePath,
+        });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.ALLOW);
+    });
+    it('should allow paths within workspace roots', async () => {
+        const filePath = path.join(mockWorkspaces[1], 'data.json');
+        await fs.writeFile(filePath, 'test content');
+        const input = createInput({
+            path: filePath,
+        });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.ALLOW);
+    });
+    it('should deny paths outside allowed areas', async () => {
+        const outsidePath = path.join(testRootDir, 'etc', 'passwd');
+        await fs.mkdir(path.dirname(outsidePath), { recursive: true });
+        await fs.writeFile(outsidePath, 'secret');
+        const input = createInput({ path: outsidePath });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.DENY);
+        expect(result.reason).toContain('outside of the allowed workspace');
+    });
+    it('should deny paths using ../ to escape', async () => {
+        const secretPath = path.join(testRootDir, 'home', 'user', 'secret.txt');
+        await fs.writeFile(secretPath, 'secret');
+        const input = createInput({
+            path: path.join(mockCwd, '..', 'secret.txt'),
+        });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.DENY);
+    });
+    it('should check multiple path arguments', async () => {
+        const passwdPath = path.join(testRootDir, 'etc', 'passwd');
+        await fs.mkdir(path.dirname(passwdPath), { recursive: true });
+        await fs.writeFile(passwdPath, 'secret');
+        const srcPath = path.join(mockCwd, 'src.txt');
+        await fs.writeFile(srcPath, 'source content');
+        const input = createInput({
+            source: srcPath,
+            destination: passwdPath,
+        });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.DENY);
+        expect(result.reason).toContain(passwdPath);
+    });
+    it('should handle non-existent paths gracefully if they are inside allowed dir', async () => {
+        const input = createInput({
+            path: path.join(mockCwd, 'new-file.txt'),
+        });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.ALLOW);
+    });
+    it('should deny access if path contains a symlink pointing outside allowed directories', async () => {
+        const symlinkPath = path.join(mockCwd, 'symlink');
+        const targetPath = path.join(testRootDir, 'etc', 'passwd');
+        await fs.mkdir(path.dirname(targetPath), { recursive: true });
+        await fs.writeFile(targetPath, 'secret');
+        // Create symlink: mockCwd/symlink -> targetPath
+        await fs.symlink(targetPath, symlinkPath);
+        const input = createInput({ path: symlinkPath });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.DENY);
+        expect(result.reason).toContain('outside of the allowed workspace directories');
+    });
+    it('should allow access if path contains a symlink pointing INSIDE allowed directories', async () => {
+        const symlinkPath = path.join(mockCwd, 'symlink-inside');
+        const realFilePath = path.join(mockCwd, 'real-file');
+        await fs.writeFile(realFilePath, 'real content');
+        // Create symlink: mockCwd/symlink-inside -> mockCwd/real-file
+        await fs.symlink(realFilePath, symlinkPath);
+        const input = createInput({ path: symlinkPath });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.ALLOW);
+    });
+    it('should check explicitly included arguments', async () => {
+        const outsidePath = path.join(testRootDir, 'etc', 'passwd');
+        await fs.mkdir(path.dirname(outsidePath), { recursive: true });
+        await fs.writeFile(outsidePath, 'secret');
+        const input = createInput({ custom_arg: outsidePath }, { included_args: ['custom_arg'] });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.DENY);
+        expect(result.reason).toContain('outside of the allowed workspace');
+    });
+    it('should skip explicitly excluded arguments', async () => {
+        const outsidePath = path.join(testRootDir, 'etc', 'passwd');
+        await fs.mkdir(path.dirname(outsidePath), { recursive: true });
+        await fs.writeFile(outsidePath, 'secret');
+        // Normally 'path' would be checked, but we exclude it
+        const input = createInput({ path: outsidePath }, { excluded_args: ['path'] });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.ALLOW);
+    });
+    it('should handle both included and excluded arguments', async () => {
+        const outsidePath = path.join(testRootDir, 'etc', 'passwd');
+        await fs.mkdir(path.dirname(outsidePath), { recursive: true });
+        await fs.writeFile(outsidePath, 'secret');
+        const input = createInput({
+            path: outsidePath, // Excluded
+            custom_arg: outsidePath, // Included
+        }, {
+            excluded_args: ['path'],
+            included_args: ['custom_arg'],
+        });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.DENY);
+        // Should be denied because of custom_arg, not path
+        expect(result.reason).toContain(outsidePath);
+    });
+    it('should check nested path arguments', async () => {
+        const outsidePath = path.join(testRootDir, 'etc', 'passwd');
+        await fs.mkdir(path.dirname(outsidePath), { recursive: true });
+        await fs.writeFile(outsidePath, 'secret');
+        const input = createInput({
+            nested: {
+                path: outsidePath,
+            },
+        });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.DENY);
+        expect(result.reason).toContain(outsidePath);
+        expect(result.reason).toContain('nested.path');
+    });
+    it('should support dot notation for included_args', async () => {
+        const outsidePath = path.join(testRootDir, 'etc', 'passwd');
+        await fs.mkdir(path.dirname(outsidePath), { recursive: true });
+        await fs.writeFile(outsidePath, 'secret');
+        const input = createInput({
+            nested: {
+                custom: outsidePath,
+            },
+        }, { included_args: ['nested.custom'] });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.DENY);
+        expect(result.reason).toContain(outsidePath);
+        expect(result.reason).toContain('nested.custom');
+    });
+    it('should support dot notation for excluded_args', async () => {
+        const outsidePath = path.join(testRootDir, 'etc', 'passwd');
+        await fs.mkdir(path.dirname(outsidePath), { recursive: true });
+        await fs.writeFile(outsidePath, 'secret');
+        const input = createInput({
+            nested: {
+                path: outsidePath,
+            },
+        }, { excluded_args: ['nested.path'] });
+        const result = await checker.check(input);
+        expect(result.decision).toBe(SafetyCheckDecision.ALLOW);
+    });
+});
+//# sourceMappingURL=built-in.test.js.map

package/dist/src/safety/built-in.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"built-in.test.js","sourceRoot":"","sources":["../../../src/safety/built-in.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAEnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAGpD,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,IAAI,OAA2B,CAAC;IAChC,IAAI,WAAmB,CAAC;IACxB,IAAI,OAAe,CAAC;IACpB,IAAI,cAAwB,CAAC;IAE7B,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,OAAO,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACnC,WAAW,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,cAAc,CAAC,CAAC,CAAC;QACvE,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,cAAc,GAAG;YACf,OAAO;YACP,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,CAAC;SACxD,CAAC;QACF,MAAM,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,CAClB,QAAiC,EACjC,MAAgC,EACd,EAAE,CAAC,CAAC;QACtB,eAAe,EAAE,OAAO;QACxB,QAAQ,EAAE;YACR,IAAI,EAAE,WAAW;YACjB,IAAI,EAAE,QAAQ;SACY;QAC5B,OAAO,EAAE;YACP,WAAW,EAAE;gBACX,GAAG,EAAE,OAAO;gBACZ,UAAU,EAAE,cAAc;aAC3B;SACF;QACD,MAAM;KACP,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAChD,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAC7C,MAAM,KAAK,GAAG,WAAW,CAAC;YACxB,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;QAC3D,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QAC7C,MAAM,KAAK,GAAG,WAAW,CAAC;YACxB,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,MAAM,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QACxE,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QACzC,MAAM,KAAK,GAAG,WAAW,CAAC;YACxB,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,YAAY,CAAC;SAC7C,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC3D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9D,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QACzC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;QAE9C,MAAM,KAAK,GAAG,WAAW,CAAC;YACxB,MAAM,EAAE,OAAO;YACf,WAAW,EAAE,UAAU;SACxB,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4EAA4E,EAAE,KAAK,IAAI,EAAE;QAC1F,MAAM,KAAK,GAAG,WAAW,CAAC;YACxB,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC;SACzC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oFAAoF,EAAE,KAAK,IAAI,EAAE;QAClG,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC3D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9D,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QAEzC,gDAAgD;QAChD,MAAM,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QAE1C,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAC7B,8CAA8C,CAC/C,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oFAAoF,EAAE,KAAK,IAAI,EAAE;QAClG,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;QACzD,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QACrD,MAAM,EAAE,CAAC,SAAS,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;QAEjD,8DAA8D;QAC9D,MAAM,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QAE5C,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,MAAM,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,WAAW,CACvB,EAAE,UAAU,EAAE,WAAW,EAAE,EAC3B,EAAE,aAAa,EAAE,CAAC,YAAY,CAAC,EAAE,CAClC,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,MAAM,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC1C,sDAAsD;QACtD,MAAM,KAAK,GAAG,WAAW,CACvB,EAAE,IAAI,EAAE,WAAW,EAAE,EACrB,EAAE,aAAa,EAAE,CAAC,MAAM,CAAC,EAAE,CAC5B,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,MAAM,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,WAAW,CACvB;YACE,IAAI,EAAE,WAAW,EAAE,WAAW;YAC9B,UAAU,EAAE,WAAW,EAAE,WAAW;SACrC,EACD;YACE,aAAa,EAAE,CAAC,MAAM,CAAC;YACvB,aAAa,EAAE,CAAC,YAAY,CAAC;SAC9B,CACF,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACvD,mDAAmD;QACnD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,MAAM,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,WAAW,CAAC;YACxB,MAAM,EAAE;gBACN,IAAI,EAAE,WAAW;aAClB;SACF,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,MAAM,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,WAAW,CACvB;YACE,MAAM,EAAE;gBACN,MAAM,EAAE,WAAW;aACpB;SACF,EACD,EAAE,aAAa,EAAE,CAAC,eAAe,CAAC,EAAE,CACrC,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,MAAM,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,WAAW,CACvB;YACE,MAAM,EAAE;gBACN,IAAI,EAAE,WAAW;aAClB;SACF,EACD,EAAE,aAAa,EAAE,CAAC,aAAa,CAAC,EAAE,CACnC,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}