@google/gemini-cli-core 0.21.0-nightly.20251212.54de67536 → 0.21.0-nightly.20251216.bb0c0d8ee

package/dist/src/utils/shell-permissions.test.js

@@ -0,0 +1,342 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { expect, describe, it, beforeEach, beforeAll, vi, afterEach, } from 'vitest';
+import { initializeShellParsers } from './shell-utils.js';
+import { checkCommandPermissions, isCommandAllowed, isShellInvocationAllowlisted, } from './shell-permissions.js';
+const mockPlatform = vi.hoisted(() => vi.fn());
+const mockHomedir = vi.hoisted(() => vi.fn());
+vi.mock('os', () => ({
+    default: {
+        platform: mockPlatform,
+        homedir: mockHomedir,
+    },
+    platform: mockPlatform,
+    homedir: mockHomedir,
+}));
+const mockQuote = vi.hoisted(() => vi.fn());
+vi.mock('shell-quote', () => ({
+    quote: mockQuote,
+}));
+let config;
+const isWindowsRuntime = process.platform === 'win32';
+const describeWindowsOnly = isWindowsRuntime ? describe : describe.skip;
+beforeAll(async () => {
+    mockPlatform.mockReturnValue('linux');
+    await initializeShellParsers();
+});
+beforeEach(() => {
+    mockPlatform.mockReturnValue('linux');
+    mockQuote.mockImplementation((args) => args.map((arg) => `'${arg}'`).join(' '));
+    config = {
+        getCoreTools: () => [],
+        getExcludeTools: () => new Set([]),
+        getAllowedTools: () => [],
+        getApprovalMode: () => 'strict',
+        isInteractive: () => false,
+    };
+});
+afterEach(() => {
+    vi.clearAllMocks();
+});
+describe('isCommandAllowed', () => {
+    it('should allow a command if no restrictions are provided', () => {
+        const result = isCommandAllowed('goodCommand --safe', config);
+        expect(result.allowed).toBe(true);
+    });
+    it('should allow a command if it is in the global allowlist', () => {
+        config.getCoreTools = () => ['ShellTool(goodCommand)'];
+        const result = isCommandAllowed('goodCommand --safe', config);
+        expect(result.allowed).toBe(true);
+    });
+    it('should block a command if it is not in a strict global allowlist', () => {
+        config.getCoreTools = () => ['ShellTool(goodCommand --safe)'];
+        const result = isCommandAllowed('badCommand --danger', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command(s) not in the allowed commands list. Disallowed commands: "badCommand --danger"`);
+    });
+    it('should block a command if it is in the blocked list', () => {
+        config.getExcludeTools = () => new Set(['ShellTool(badCommand --danger)']);
+        const result = isCommandAllowed('badCommand --danger', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command 'badCommand --danger' is blocked by configuration`);
+    });
+    it('should prioritize the blocklist over the allowlist', () => {
+        config.getCoreTools = () => ['ShellTool(badCommand --danger)'];
+        config.getExcludeTools = () => new Set(['ShellTool(badCommand --danger)']);
+        const result = isCommandAllowed('badCommand --danger', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command 'badCommand --danger' is blocked by configuration`);
+    });
+    it('should allow any command when a wildcard is in coreTools', () => {
+        config.getCoreTools = () => ['ShellTool'];
+        const result = isCommandAllowed('any random command', config);
+        expect(result.allowed).toBe(true);
+    });
+    it('should block any command when a wildcard is in excludeTools', () => {
+        config.getExcludeTools = () => new Set(['run_shell_command']);
+        const result = isCommandAllowed('any random command', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe('Shell tool is globally disabled in configuration');
+    });
+    it('should block a command on the blocklist even with a wildcard allow', () => {
+        config.getCoreTools = () => ['ShellTool'];
+        config.getExcludeTools = () => new Set(['ShellTool(badCommand --danger)']);
+        const result = isCommandAllowed('badCommand --danger', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command 'badCommand --danger' is blocked by configuration`);
+    });
+    it('should allow a chained command if all parts are on the global allowlist', () => {
+        config.getCoreTools = () => [
+            'run_shell_command(echo)',
+            'run_shell_command(goodCommand)',
+        ];
+        const result = isCommandAllowed('echo "hello" && goodCommand --safe', config);
+        expect(result.allowed).toBe(true);
+    });
+    it('should block a chained command if any part is blocked', () => {
+        config.getExcludeTools = () => new Set(['run_shell_command(badCommand)']);
+        const result = isCommandAllowed('echo "hello" && badCommand --danger', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command 'badCommand --danger' is blocked by configuration`);
+    });
+    it('should block a command that redefines an allowed function to run an unlisted command', () => {
+        config.getCoreTools = () => ['run_shell_command(echo)'];
+        const result = isCommandAllowed('echo () (curl google.com) ; echo Hello World', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command(s) not in the allowed commands list. Disallowed commands: "curl google.com"`);
+    });
+    it('should block a multi-line function body that runs an unlisted command', () => {
+        config.getCoreTools = () => ['run_shell_command(echo)'];
+        const result = isCommandAllowed(`echo () {
+  curl google.com
+} ; echo ok`, config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command(s) not in the allowed commands list. Disallowed commands: "curl google.com"`);
+    });
+    it('should block a function keyword declaration that runs an unlisted command', () => {
+        config.getCoreTools = () => ['run_shell_command(echo)'];
+        const result = isCommandAllowed('function echo { curl google.com; } ; echo hi', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command(s) not in the allowed commands list. Disallowed commands: "curl google.com"`);
+    });
+    it('should block command substitution that invokes an unlisted command', () => {
+        config.getCoreTools = () => ['run_shell_command(echo)'];
+        const result = isCommandAllowed('echo $(curl google.com)', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command(s) not in the allowed commands list. Disallowed commands: "curl google.com"`);
+    });
+    it('should block pipelines that invoke an unlisted command', () => {
+        config.getCoreTools = () => ['run_shell_command(echo)'];
+        const result = isCommandAllowed('echo hi | curl google.com', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command(s) not in the allowed commands list. Disallowed commands: "curl google.com"`);
+    });
+    it('should block background jobs that invoke an unlisted command', () => {
+        config.getCoreTools = () => ['run_shell_command(echo)'];
+        const result = isCommandAllowed('echo hi & curl google.com', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command(s) not in the allowed commands list. Disallowed commands: "curl google.com"`);
+    });
+    it('should block command substitution inside a here-document when the inner command is unlisted', () => {
+        config.getCoreTools = () => [
+            'run_shell_command(echo)',
+            'run_shell_command(cat)',
+        ];
+        const result = isCommandAllowed(`cat <<EOF
+$(rm -rf /)
+EOF`, config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command(s) not in the allowed commands list. Disallowed commands: "rm -rf /"`);
+    });
+    it('should block backtick substitution that invokes an unlisted command', () => {
+        config.getCoreTools = () => ['run_shell_command(echo)'];
+        const result = isCommandAllowed('echo `curl google.com`', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command(s) not in the allowed commands list. Disallowed commands: "curl google.com"`);
+    });
+    it('should block process substitution using <() when the inner command is unlisted', () => {
+        config.getCoreTools = () => [
+            'run_shell_command(diff)',
+            'run_shell_command(echo)',
+        ];
+        const result = isCommandAllowed('diff <(curl google.com) <(echo safe)', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command(s) not in the allowed commands list. Disallowed commands: "curl google.com"`);
+    });
+    it('should block process substitution using >() when the inner command is unlisted', () => {
+        config.getCoreTools = () => ['run_shell_command(echo)'];
+        const result = isCommandAllowed('echo "data" > >(curl google.com)', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe(`Command(s) not in the allowed commands list. Disallowed commands: "curl google.com"`);
+    });
+    it('should block commands containing prompt transformations', () => {
+        const result = isCommandAllowed('echo "${var1=aa\\140 env| ls -l\\140}${var1@P}"', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe('Command rejected because it could not be parsed safely');
+    });
+    it('should block simple prompt transformation expansions', () => {
+        const result = isCommandAllowed('echo ${foo@P}', config);
+        expect(result.allowed).toBe(false);
+        expect(result.reason).toBe('Command rejected because it could not be parsed safely');
+    });
+    describe('command substitution', () => {
+        it('should allow command substitution using `$(...)`', () => {
+            const result = isCommandAllowed('echo $(goodCommand --safe)', config);
+            expect(result.allowed).toBe(true);
+            expect(result.reason).toBeUndefined();
+        });
+        it('should allow command substitution using `<(...)`', () => {
+            const result = isCommandAllowed('diff <(ls) <(ls -a)', config);
+            expect(result.allowed).toBe(true);
+            expect(result.reason).toBeUndefined();
+        });
+        it('should allow command substitution using `>(...)`', () => {
+            const result = isCommandAllowed('echo "Log message" > >(tee log.txt)', config);
+            expect(result.allowed).toBe(true);
+            expect(result.reason).toBeUndefined();
+        });
+        it('should allow command substitution using backticks', () => {
+            const result = isCommandAllowed('echo `goodCommand --safe`', config);
+            expect(result.allowed).toBe(true);
+            expect(result.reason).toBeUndefined();
+        });
+        it('should allow substitution-like patterns inside single quotes', () => {
+            config.getCoreTools = () => ['ShellTool(echo)'];
+            const result = isCommandAllowed("echo '$(pwd)'", config);
+            expect(result.allowed).toBe(true);
+        });
+        it('should block a command when parsing fails', () => {
+            const result = isCommandAllowed('ls &&', config);
+            expect(result.allowed).toBe(false);
+            expect(result.reason).toBe('Command rejected because it could not be parsed safely');
+        });
+    });
+});
+describe('checkCommandPermissions', () => {
+    describe('in "Default Allow" mode (no sessionAllowlist)', () => {
+        it('should return a detailed success object for an allowed command', () => {
+            const result = checkCommandPermissions('goodCommand --safe', config);
+            expect(result).toEqual({
+                allAllowed: true,
+                disallowedCommands: [],
+            });
+        });
+        it('should block commands that cannot be parsed safely', () => {
+            const result = checkCommandPermissions('ls &&', config);
+            expect(result).toEqual({
+                allAllowed: false,
+                disallowedCommands: ['ls &&'],
+                blockReason: 'Command rejected because it could not be parsed safely',
+                isHardDenial: true,
+            });
+        });
+        it('should return a detailed failure object for a blocked command', () => {
+            config.getExcludeTools = () => new Set(['ShellTool(badCommand)']);
+            const result = checkCommandPermissions('badCommand --danger', config);
+            expect(result).toEqual({
+                allAllowed: false,
+                disallowedCommands: ['badCommand --danger'],
+                blockReason: `Command 'badCommand --danger' is blocked by configuration`,
+                isHardDenial: true,
+            });
+        });
+        it('should return a detailed failure object for a command not on a strict allowlist', () => {
+            config.getCoreTools = () => ['ShellTool(goodCommand)'];
+            const result = checkCommandPermissions('git status && goodCommand', config);
+            expect(result).toEqual({
+                allAllowed: false,
+                disallowedCommands: ['git status'],
+                blockReason: `Command(s) not in the allowed commands list. Disallowed commands: "git status"`,
+                isHardDenial: false,
+            });
+        });
+    });
+    describe('in "Default Deny" mode (with sessionAllowlist)', () => {
+        it('should allow a command on the sessionAllowlist', () => {
+            const result = checkCommandPermissions('goodCommand --safe', config, new Set(['goodCommand --safe']));
+            expect(result.allAllowed).toBe(true);
+        });
+        it('should block a command not on the sessionAllowlist or global allowlist', () => {
+            const result = checkCommandPermissions('badCommand --danger', config, new Set(['goodCommand --safe']));
+            expect(result.allAllowed).toBe(false);
+            expect(result.blockReason).toContain('not on the global or session allowlist');
+            expect(result.disallowedCommands).toEqual(['badCommand --danger']);
+        });
+        it('should allow a command on the global allowlist even if not on the session allowlist', () => {
+            config.getCoreTools = () => ['ShellTool(git status)'];
+            const result = checkCommandPermissions('git status', config, new Set(['goodCommand --safe']));
+            expect(result.allAllowed).toBe(true);
+        });
+        it('should allow a chained command if parts are on different allowlists', () => {
+            config.getCoreTools = () => ['ShellTool(git status)'];
+            const result = checkCommandPermissions('git status && git commit', config, new Set(['git commit']));
+            expect(result.allAllowed).toBe(true);
+        });
+        it('should block a command on the sessionAllowlist if it is also globally blocked', () => {
+            config.getExcludeTools = () => new Set(['run_shell_command(badCommand)']);
+            const result = checkCommandPermissions('badCommand --danger', config, new Set(['badCommand --danger']));
+            expect(result.allAllowed).toBe(false);
+            expect(result.blockReason).toContain('is blocked by configuration');
+        });
+        it('should block a chained command if one part is not on any allowlist', () => {
+            config.getCoreTools = () => ['run_shell_command(echo)'];
+            const result = checkCommandPermissions('echo "hello" && badCommand --danger', config, new Set(['echo']));
+            expect(result.allAllowed).toBe(false);
+            expect(result.disallowedCommands).toEqual(['badCommand --danger']);
+        });
+    });
+});
+describeWindowsOnly('PowerShell integration', () => {
+    const originalComSpec = process.env['ComSpec'];
+    beforeEach(() => {
+        mockPlatform.mockReturnValue('win32');
+        const systemRoot = process.env['SystemRoot'] || 'C:\\Windows';
+        process.env['ComSpec'] =
+            `${systemRoot}\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`;
+    });
+    afterEach(() => {
+        if (originalComSpec === undefined) {
+            delete process.env['ComSpec'];
+        }
+        else {
+            process.env['ComSpec'] = originalComSpec;
+        }
+    });
+    it('should block commands when PowerShell parser reports errors', () => {
+        const { allowed, reason } = isCommandAllowed('Get-ChildItem |', config);
+        expect(allowed).toBe(false);
+        expect(reason).toBe('Command rejected because it could not be parsed safely');
+    });
+});
+describe('isShellInvocationAllowlisted', () => {
+    function createInvocation(command) {
+        return { params: { command } };
+    }
+    it('should return false when any chained command segment is not allowlisted', () => {
+        const invocation = createInvocation('git status && rm -rf /tmp/should-not-run');
+        expect(isShellInvocationAllowlisted(invocation, ['run_shell_command(git)'])).toBe(false);
+    });
+    it('should return true when every segment is explicitly allowlisted', () => {
+        const invocation = createInvocation('git status && rm -rf /tmp/should-run && git diff');
+        expect(isShellInvocationAllowlisted(invocation, [
+            'run_shell_command(git)',
+            'run_shell_command(rm -rf)',
+        ])).toBe(true);
+    });
+    it('should return true when the allowlist contains a wildcard shell entry', () => {
+        const invocation = createInvocation('git status && rm -rf /tmp/should-run');
+        expect(isShellInvocationAllowlisted(invocation, ['run_shell_command'])).toBe(true);
+    });
+    it('should treat piped commands as separate segments that must be allowlisted', () => {
+        const invocation = createInvocation('git status | tail -n 1');
+        expect(isShellInvocationAllowlisted(invocation, ['run_shell_command(git)'])).toBe(false);
+        expect(isShellInvocationAllowlisted(invocation, [
+            'run_shell_command(git)',
+            'run_shell_command(tail)',
+        ])).toBe(true);
+    });
+});
+//# sourceMappingURL=shell-permissions.test.js.map

package/dist/src/utils/shell-permissions.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shell-permissions.test.js","sourceRoot":"","sources":["../../../src/utils/shell-permissions.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,MAAM,EACN,QAAQ,EACR,EAAE,EACF,UAAU,EACV,SAAS,EACT,EAAE,EACF,SAAS,GACV,MAAM,QAAQ,CAAC;AAChB,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAChB,4BAA4B,GAC7B,MAAM,wBAAwB,CAAC;AAIhC,MAAM,YAAY,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;AAC/C,MAAM,WAAW,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;AAC9C,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IACnB,OAAO,EAAE;QACP,QAAQ,EAAE,YAAY;QACtB,OAAO,EAAE,WAAW;KACrB;IACD,QAAQ,EAAE,YAAY;IACtB,OAAO,EAAE,WAAW;CACrB,CAAC,CAAC,CAAC;AAEJ,MAAM,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;AAC5C,EAAE,CAAC,IAAI,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC,CAAC;IAC5B,KAAK,EAAE,SAAS;CACjB,CAAC,CAAC,CAAC;AAEJ,IAAI,MAAc,CAAC;AACnB,MAAM,gBAAgB,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;AACtD,MAAM,mBAAmB,GAAG,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;AAExE,SAAS,CAAC,KAAK,IAAI,EAAE;IACnB,YAAY,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,sBAAsB,EAAE,CAAC;AACjC,CAAC,CAAC,CAAC;AAEH,UAAU,CAAC,GAAG,EAAE;IACd,YAAY,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;IACtC,SAAS,CAAC,kBAAkB,CAAC,CAAC,IAAc,EAAE,EAAE,CAC9C,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CACxC,CAAC;IACF,MAAM,GAAG;QACP,YAAY,EAAE,GAAG,EAAE,CAAC,EAAE;QACtB,eAAe,EAAE,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAClC,eAAe,EAAE,GAAG,EAAE,CAAC,EAAE;QACzB,eAAe,EAAE,GAAG,EAAE,CAAC,QAAQ;QAC/B,aAAa,EAAE,GAAG,EAAE,CAAC,KAAK;KACN,CAAC;AACzB,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,GAAG,EAAE;IACb,EAAE,CAAC,aAAa,EAAE,CAAC;AACrB,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,MAAM,GAAG,gBAAgB,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;QAC9D,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,wBAAwB,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,gBAAgB,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;QAC9D,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,GAAG,EAAE;QAC1E,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,+BAA+B,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,gBAAgB,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;QAC/D,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,yFAAyF,CAC1F,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,CAAC,eAAe,GAAG,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,gCAAgC,CAAC,CAAC,CAAC;QAC3E,MAAM,MAAM,GAAG,gBAAgB,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;QAC/D,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,2DAA2D,CAC5D,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,gCAAgC,CAAC,CAAC;QAC/D,MAAM,CAAC,eAAe,GAAG,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,gCAAgC,CAAC,CAAC,CAAC;QAC3E,MAAM,MAAM,GAAG,gBAAgB,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;QAC/D,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,2DAA2D,CAC5D,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;QAClE,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,WAAW,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,gBAAgB,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;QAC9D,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;QACrE,MAAM,CAAC,eAAe,GAAG,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,gBAAgB,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;QAC9D,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,kDAAkD,CACnD,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,GAAG,EAAE;QAC5E,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,WAAW,CAAC,CAAC;QAC1C,MAAM,CAAC,eAAe,GAAG,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,gCAAgC,CAAC,CAAC,CAAC;QAC3E,MAAM,MAAM,GAAG,gBAAgB,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;QAC/D,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,2DAA2D,CAC5D,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yEAAyE,EAAE,GAAG,EAAE;QACjF,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC;YAC1B,yBAAyB;YACzB,gCAAgC;SACjC,CAAC;QACF,MAAM,MAAM,GAAG,gBAAgB,CAC7B,oCAAoC,EACpC,MAAM,CACP,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,CAAC,eAAe,GAAG,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC;QAC1E,MAAM,MAAM,GAAG,gBAAgB,CAC7B,qCAAqC,EACrC,MAAM,CACP,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,2DAA2D,CAC5D,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sFAAsF,EAAE,GAAG,EAAE;QAC9F,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,gBAAgB,CAC7B,8CAA8C,EAC9C,MAAM,CACP,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,qFAAqF,CACtF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,gBAAgB,CAC7B;;YAEM,EACN,MAAM,CACP,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,qFAAqF,CACtF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2EAA2E,EAAE,GAAG,EAAE;QACnF,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,gBAAgB,CAC7B,8CAA8C,EAC9C,MAAM,CACP,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,qFAAqF,CACtF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,GAAG,EAAE;QAC5E,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,gBAAgB,CAAC,yBAAyB,EAAE,MAAM,CAAC,CAAC;QACnE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,qFAAqF,CACtF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,EAAE,MAAM,CAAC,CAAC;QACrE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,qFAAqF,CACtF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,EAAE,MAAM,CAAC,CAAC;QACrE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,qFAAqF,CACtF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6FAA6F,EAAE,GAAG,EAAE;QACrG,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC;YAC1B,yBAAyB;YACzB,wBAAwB;SACzB,CAAC;QACF,MAAM,MAAM,GAAG,gBAAgB,CAC7B;;IAEF,EACE,MAAM,CACP,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,8EAA8E,CAC/E,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,gBAAgB,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC;QAClE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,qFAAqF,CACtF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gFAAgF,EAAE,GAAG,EAAE;QACxF,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC;YAC1B,yBAAyB;YACzB,yBAAyB;SAC1B,CAAC;QACF,MAAM,MAAM,GAAG,gBAAgB,CAC7B,sCAAsC,EACtC,MAAM,CACP,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,qFAAqF,CACtF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gFAAgF,EAAE,GAAG,EAAE;QACxF,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,gBAAgB,CAAC,kCAAkC,EAAE,MAAM,CAAC,CAAC;QAC5E,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,qFAAqF,CACtF,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,MAAM,GAAG,gBAAgB,CAC7B,iDAAiD,EACjD,MAAM,CACP,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,wDAAwD,CACzD,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,MAAM,GAAG,gBAAgB,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QACzD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,wDAAwD,CACzD,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACpC,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,MAAM,MAAM,GAAG,gBAAgB,CAAC,4BAA4B,EAAE,MAAM,CAAC,CAAC;YACtE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,MAAM,MAAM,GAAG,gBAAgB,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;YAC/D,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,MAAM,MAAM,GAAG,gBAAgB,CAC7B,qCAAqC,EACrC,MAAM,CACP,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;YAC3D,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,EAAE,MAAM,CAAC,CAAC;YACrE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;YACtE,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,iBAAiB,CAAC,CAAC;YAChD,MAAM,MAAM,GAAG,gBAAgB,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;YACzD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;YACnD,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACjD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACxB,wDAAwD,CACzD,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,QAAQ,CAAC,+CAA+C,EAAE,GAAG,EAAE;QAC7D,EAAE,CAAC,gEAAgE,EAAE,GAAG,EAAE;YACxE,MAAM,MAAM,GAAG,uBAAuB,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;YACrE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;gBACrB,UAAU,EAAE,IAAI;gBAChB,kBAAkB,EAAE,EAAE;aACvB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,MAAM,MAAM,GAAG,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACxD,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;gBACrB,UAAU,EAAE,KAAK;gBACjB,kBAAkB,EAAE,CAAC,OAAO,CAAC;gBAC7B,WAAW,EAAE,wDAAwD;gBACrE,YAAY,EAAE,IAAI;aACnB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;YACvE,MAAM,CAAC,eAAe,GAAG,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC;YAClE,MAAM,MAAM,GAAG,uBAAuB,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;YACtE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;gBACrB,UAAU,EAAE,KAAK;gBACjB,kBAAkB,EAAE,CAAC,qBAAqB,CAAC;gBAC3C,WAAW,EAAE,2DAA2D;gBACxE,YAAY,EAAE,IAAI;aACnB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iFAAiF,EAAE,GAAG,EAAE;YACzF,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,wBAAwB,CAAC,CAAC;YACvD,MAAM,MAAM,GAAG,uBAAuB,CACpC,2BAA2B,EAC3B,MAAM,CACP,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;gBACrB,UAAU,EAAE,KAAK;gBACjB,kBAAkB,EAAE,CAAC,YAAY,CAAC;gBAClC,WAAW,EAAE,gFAAgF;gBAC7F,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gDAAgD,EAAE,GAAG,EAAE;QAC9D,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,MAAM,GAAG,uBAAuB,CACpC,oBAAoB,EACpB,MAAM,EACN,IAAI,GAAG,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAChC,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wEAAwE,EAAE,GAAG,EAAE;YAChF,MAAM,MAAM,GAAG,uBAAuB,CACpC,qBAAqB,EACrB,MAAM,EACN,IAAI,GAAG,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAChC,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACtC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,SAAS,CAClC,wCAAwC,CACzC,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qFAAqF,EAAE,GAAG,EAAE;YAC7F,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,uBAAuB,CAAC,CAAC;YACtD,MAAM,MAAM,GAAG,uBAAuB,CACpC,YAAY,EACZ,MAAM,EACN,IAAI,GAAG,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAChC,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qEAAqE,EAAE,GAAG,EAAE;YAC7E,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,uBAAuB,CAAC,CAAC;YACtD,MAAM,MAAM,GAAG,uBAAuB,CACpC,0BAA0B,EAC1B,MAAM,EACN,IAAI,GAAG,CAAC,CAAC,YAAY,CAAC,CAAC,CACxB,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+EAA+E,EAAE,GAAG,EAAE;YACvF,MAAM,CAAC,eAAe,GAAG,GAAG,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC;YAC1E,MAAM,MAAM,GAAG,uBAAuB,CACpC,qBAAqB,EACrB,MAAM,EACN,IAAI,GAAG,CAAC,CAAC,qBAAqB,CAAC,CAAC,CACjC,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACtC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,SAAS,CAAC,6BAA6B,CAAC,CAAC;QACtE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oEAAoE,EAAE,GAAG,EAAE;YAC5E,MAAM,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC,CAAC,yBAAyB,CAAC,CAAC;YACxD,MAAM,MAAM,GAAG,uBAAuB,CACpC,qCAAqC,EACrC,MAAM,EACN,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAClB,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACtC,MAAM,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC;QACrE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,mBAAmB,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACjD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/C,UAAU,CAAC,GAAG,EAAE;QACd,YAAY,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,aAAa,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;YACpB,GAAG,UAAU,qDAAqD,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,eAAe,CAAC;QAC3C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6DAA6D,EAAE,GAAG,EAAE;QACrE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;QACxE,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACjB,wDAAwD,CACzD,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,SAAS,gBAAgB,CAAC,OAAe;QACvC,OAAO,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,EAAkC,CAAC;IACjE,CAAC;IAED,EAAE,CAAC,yEAAyE,EAAE,GAAG,EAAE;QACjF,MAAM,UAAU,GAAG,gBAAgB,CACjC,0CAA0C,CAC3C,CAAC;QACF,MAAM,CACJ,4BAA4B,CAAC,UAAU,EAAE,CAAC,wBAAwB,CAAC,CAAC,CACrE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,MAAM,UAAU,GAAG,gBAAgB,CACjC,kDAAkD,CACnD,CAAC;QACF,MAAM,CACJ,4BAA4B,CAAC,UAAU,EAAE;YACvC,wBAAwB;YACxB,2BAA2B;SAC5B,CAAC,CACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,UAAU,GAAG,gBAAgB,CAAC,sCAAsC,CAAC,CAAC;QAC5E,MAAM,CACJ,4BAA4B,CAAC,UAAU,EAAE,CAAC,mBAAmB,CAAC,CAAC,CAChE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2EAA2E,EAAE,GAAG,EAAE;QACnF,MAAM,UAAU,GAAG,gBAAgB,CAAC,wBAAwB,CAAC,CAAC;QAC9D,MAAM,CACJ,4BAA4B,CAAC,UAAU,EAAE,CAAC,wBAAwB,CAAC,CAAC,CACrE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,MAAM,CACJ,4BAA4B,CAAC,UAAU,EAAE;YACvC,wBAAwB;YACxB,yBAAyB;SAC1B,CAAC,CACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/utils/shell-utils.d.ts

@@ -3,8 +3,6 @@
  * Copyright 2025 Google LLC
  * SPDX-License-Identifier: Apache-2.0
  */
-import type { AnyToolInvocation } from '../index.js';
-import type { Config } from '../config/config.js';
 import { type SpawnOptionsWithoutStdio } from 'node:child_process';
 export declare const SHELL_TOOL_NAMES: string[];
 /**
@@ -25,6 +23,15 @@ export interface ShellConfiguration {
     shell: ShellType;
 }
 export declare function initializeShellParsers(): Promise<void>;
+export interface ParsedCommandDetail {
+    name: string;
+    text: string;
+}
+interface CommandParseResult {
+    details: ParsedCommandDetail[];
+    hasError: boolean;
+}
+export declare function parseCommandDetails(command: string): CommandParseResult | null;
 /**
  * Determines the appropriate shell configuration for the current platform.
  *
@@ -73,36 +80,6 @@ export declare function stripShellWrapper(command: string): string;
  * @param command The shell command string to check
  * @returns true if command substitution would be executed by bash
  */
-/**
- * Checks a shell command against security policies and allowlists.
- *
- * This function operates in one of two modes depending on the presence of
- * the `sessionAllowlist` parameter:
- *
- * 1.  **"Default Deny" Mode (sessionAllowlist is provided):** This is the
- *     strictest mode, used for user-defined scripts like custom commands.
- *     A command is only permitted if it is found on the global `coreTools`
- *     allowlist OR the provided `sessionAllowlist`. It must not be on the
- *     global `excludeTools` blocklist.
- *
- * 2.  **"Default Allow" Mode (sessionAllowlist is NOT provided):** This mode
- *     is used for direct tool invocations (e.g., by the model). If a strict
- *     global `coreTools` allowlist exists, commands must be on it. Otherwise,
- *     any command is permitted as long as it is not on the `excludeTools`
- *     blocklist.
- *
- * @param command The shell command string to validate.
- * @param config The application configuration.
- * @param sessionAllowlist A session-level list of approved commands. Its
- *   presence activates "Default Deny" mode.
- * @returns An object detailing which commands are not allowed.
- */
-export declare function checkCommandPermissions(command: string, config: Config, sessionAllowlist?: Set<string>): {
-    allAllowed: boolean;
-    disallowedCommands: string[];
-    blockReason?: string;
-    isHardDenial?: boolean;
-};
 /**
  * Determines whether a given shell command is allowed to execute based on
  * the tool's configuration including allowlists and blocklists.
@@ -118,18 +95,4 @@ export declare const spawnAsync: (command: string, args: string[], options?: Spa
     stdout: string;
     stderr: string;
 }>;
-export declare function isCommandAllowed(command: string, config: Config): {
-    allowed: boolean;
-    reason?: string;
-};
-/**
- * Determines whether a shell invocation should be auto-approved based on an allowlist.
- *
- * This reuses the same parsing logic as command-permission enforcement so that
- * chained commands must be individually covered by the allowlist.
- *
- * @param invocation The shell tool invocation being evaluated.
- * @param allowedPatterns The configured allowlist patterns (e.g. `run_shell_command(git)`).
- * @returns True if every parsed command segment is allowed by the patterns; false otherwise.
- */
-export declare function isShellInvocationAllowlisted(invocation: AnyToolInvocation, allowedPatterns: string[]): boolean;
+export {};

package/dist/src/utils/shell-utils.js

@@ -5,7 +5,6 @@
  */
 import os from 'node:os';
 import { quote } from 'shell-quote';
-import { doesToolInvocationMatch } from './tool-utils.js';
 import { spawn, spawnSync, } from 'node:child_process';
 import { Language, Parser } from 'web-tree-sitter';
 import { loadWasmBinary } from './fileUtils.js';
@@ -298,7 +297,7 @@ function parsePowerShellCommandDetails(command, executable) {
         return null;
     }
 }
-function parseCommandDetails(command) {
+export function parseCommandDetails(command) {
     const configuration = getShellConfiguration();
     if (configuration.shell === 'powershell') {
         return parsePowerShellCommandDetails(command, configuration.executable);
@@ -428,132 +427,6 @@ export function stripShellWrapper(command) {
  * @param command The shell command string to check
  * @returns true if command substitution would be executed by bash
  */
-/**
- * Checks a shell command against security policies and allowlists.
- *
- * This function operates in one of two modes depending on the presence of
- * the `sessionAllowlist` parameter:
- *
- * 1.  **"Default Deny" Mode (sessionAllowlist is provided):** This is the
- *     strictest mode, used for user-defined scripts like custom commands.
- *     A command is only permitted if it is found on the global `coreTools`
- *     allowlist OR the provided `sessionAllowlist`. It must not be on the
- *     global `excludeTools` blocklist.
- *
- * 2.  **"Default Allow" Mode (sessionAllowlist is NOT provided):** This mode
- *     is used for direct tool invocations (e.g., by the model). If a strict
- *     global `coreTools` allowlist exists, commands must be on it. Otherwise,
- *     any command is permitted as long as it is not on the `excludeTools`
- *     blocklist.
- *
- * @param command The shell command string to validate.
- * @param config The application configuration.
- * @param sessionAllowlist A session-level list of approved commands. Its
- *   presence activates "Default Deny" mode.
- * @returns An object detailing which commands are not allowed.
- */
-export function checkCommandPermissions(command, config, sessionAllowlist) {
-    const parseResult = parseCommandDetails(command);
-    if (!parseResult || parseResult.hasError) {
-        return {
-            allAllowed: false,
-            disallowedCommands: [command],
-            blockReason: 'Command rejected because it could not be parsed safely',
-            isHardDenial: true,
-        };
-    }
-    const normalize = (cmd) => cmd.trim().replace(/\s+/g, ' ');
-    const commandsToValidate = parseResult.details
-        .map((detail) => normalize(detail.text))
-        .filter(Boolean);
-    const invocation = {
-        params: { command: '' },
-    };
-    // 1. Blocklist Check (Highest Priority)
-    const excludeTools = config.getExcludeTools() || new Set([]);
-    const isWildcardBlocked = SHELL_TOOL_NAMES.some((name) => excludeTools.has(name));
-    if (isWildcardBlocked) {
-        return {
-            allAllowed: false,
-            disallowedCommands: commandsToValidate,
-            blockReason: 'Shell tool is globally disabled in configuration',
-            isHardDenial: true,
-        };
-    }
-    for (const cmd of commandsToValidate) {
-        invocation.params['command'] = cmd;
-        if (doesToolInvocationMatch('run_shell_command', invocation, [
-            ...excludeTools,
-        ])) {
-            return {
-                allAllowed: false,
-                disallowedCommands: [cmd],
-                blockReason: `Command '${cmd}' is blocked by configuration`,
-                isHardDenial: true,
-            };
-        }
-    }
-    const coreTools = config.getCoreTools() || [];
-    const isWildcardAllowed = SHELL_TOOL_NAMES.some((name) => coreTools.includes(name));
-    // If there's a global wildcard, all commands are allowed at this point
-    // because they have already passed the blocklist check.
-    if (isWildcardAllowed) {
-        return { allAllowed: true, disallowedCommands: [] };
-    }
-    const disallowedCommands = [];
-    if (sessionAllowlist) {
-        // "DEFAULT DENY" MODE: A session allowlist is provided.
-        // All commands must be in either the session or global allowlist.
-        const normalizedSessionAllowlist = new Set([...sessionAllowlist].flatMap((cmd) => SHELL_TOOL_NAMES.map((name) => `${name}(${cmd})`)));
-        for (const cmd of commandsToValidate) {
-            invocation.params['command'] = cmd;
-            const isSessionAllowed = doesToolInvocationMatch('run_shell_command', invocation, [...normalizedSessionAllowlist]);
-            if (isSessionAllowed)
-                continue;
-            const isGloballyAllowed = doesToolInvocationMatch('run_shell_command', invocation, coreTools);
-            if (isGloballyAllowed)
-                continue;
-            disallowedCommands.push(cmd);
-        }
-        if (disallowedCommands.length > 0) {
-            return {
-                allAllowed: false,
-                disallowedCommands,
-                blockReason: `Command(s) not on the global or session allowlist. Disallowed commands: ${disallowedCommands
-                    .map((c) => JSON.stringify(c))
-                    .join(', ')}`,
-                isHardDenial: false, // This is a soft denial; confirmation is possible.
-            };
-        }
-    }
-    else {
-        // "DEFAULT ALLOW" MODE: No session allowlist.
-        const hasSpecificAllowedCommands = coreTools.filter((tool) => SHELL_TOOL_NAMES.some((name) => tool.startsWith(`${name}(`))).length > 0;
-        if (hasSpecificAllowedCommands) {
-            for (const cmd of commandsToValidate) {
-                invocation.params['command'] = cmd;
-                const isGloballyAllowed = doesToolInvocationMatch('run_shell_command', invocation, coreTools);
-                if (!isGloballyAllowed) {
-                    disallowedCommands.push(cmd);
-                }
-            }
-            if (disallowedCommands.length > 0) {
-                return {
-                    allAllowed: false,
-                    disallowedCommands,
-                    blockReason: `Command(s) not in the allowed commands list. Disallowed commands: ${disallowedCommands
-                        .map((c) => JSON.stringify(c))
-                        .join(', ')}`,
-                    isHardDenial: false, // This is a soft denial.
-                };
-            }
-        }
-        // If no specific global allowlist exists, and it passed the blocklist,
-        // the command is allowed by default.
-    }
-    // If all checks for the current mode pass, the command is allowed.
-    return { allAllowed: true, disallowedCommands: [] };
-}
 /**
  * Determines whether a given shell command is allowed to execute based on
  * the tool's configuration including allowlists and blocklists.
@@ -587,58 +460,4 @@ export const spawnAsync = (command, args, options) => new Promise((resolve, reje
         reject(err);
     });
 });
-export function isCommandAllowed(command, config) {
-    // By not providing a sessionAllowlist, we invoke "default allow" behavior.
-    const { allAllowed, blockReason } = checkCommandPermissions(command, config);
-    if (allAllowed) {
-        return { allowed: true };
-    }
-    return { allowed: false, reason: blockReason };
-}
-/**
- * Determines whether a shell invocation should be auto-approved based on an allowlist.
- *
- * This reuses the same parsing logic as command-permission enforcement so that
- * chained commands must be individually covered by the allowlist.
- *
- * @param invocation The shell tool invocation being evaluated.
- * @param allowedPatterns The configured allowlist patterns (e.g. `run_shell_command(git)`).
- * @returns True if every parsed command segment is allowed by the patterns; false otherwise.
- */
-export function isShellInvocationAllowlisted(invocation, allowedPatterns) {
-    if (!allowedPatterns.length) {
-        return false;
-    }
-    const hasShellWildcard = allowedPatterns.some((pattern) => SHELL_TOOL_NAMES.includes(pattern));
-    const hasShellSpecificPattern = allowedPatterns.some((pattern) => SHELL_TOOL_NAMES.some((name) => pattern.startsWith(`${name}(`)));
-    if (!hasShellWildcard && !hasShellSpecificPattern) {
-        return false;
-    }
-    if (hasShellWildcard) {
-        return true;
-    }
-    if (!('params' in invocation) ||
-        typeof invocation.params !== 'object' ||
-        invocation.params === null ||
-        !('command' in invocation.params)) {
-        return false;
-    }
-    const commandValue = invocation.params.command;
-    if (typeof commandValue !== 'string' || !commandValue.trim()) {
-        return false;
-    }
-    const command = commandValue.trim();
-    const parseResult = parseCommandDetails(command);
-    if (!parseResult || parseResult.hasError) {
-        return false;
-    }
-    const normalize = (cmd) => cmd.trim().replace(/\s+/g, ' ');
-    const commandsToValidate = parseResult.details
-        .map((detail) => normalize(detail.text))
-        .filter(Boolean);
-    if (commandsToValidate.length === 0) {
-        return false;
-    }
-    return commandsToValidate.every((commandSegment) => doesToolInvocationMatch(SHELL_TOOL_NAMES[0], { params: { command: commandSegment } }, allowedPatterns));
-}
 //# sourceMappingURL=shell-utils.js.map