@google/gemini-cli-core 0.36.0-preview.8 → 0.37.0-preview.0

package/dist/src/sandbox/windows/WindowsSandboxManager.test.js

@@ -8,17 +8,29 @@ import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
 import { WindowsSandboxManager } from './WindowsSandboxManager.js';
+import * as sandboxManager from '../../services/sandboxManager.js';
 import { spawnAsync } from '../../utils/shell-utils.js';
-vi.mock('../../utils/shell-utils.js', () => ({
-    spawnAsync: vi.fn(),
-}));
+vi.mock('../../utils/shell-utils.js', async (importOriginal) => {
+    const actual = await importOriginal();
+    return {
+        ...actual,
+        spawnAsync: vi.fn(),
+        initializeShellParsers: vi.fn(),
+        isStrictlyApproved: vi.fn().mockResolvedValue(true),
+    };
+});
 describe('WindowsSandboxManager', () => {
     let manager;
     let testCwd;
     beforeEach(() => {
         vi.spyOn(os, 'platform').mockReturnValue('win32');
+        vi.spyOn(sandboxManager, 'tryRealpath').mockImplementation(async (p) => p.toString());
         testCwd = fs.mkdtempSync(path.join(os.tmpdir(), 'gemini-cli-test-'));
-        manager = new WindowsSandboxManager({ workspace: testCwd });
+        manager = new WindowsSandboxManager({
+            workspace: testCwd,
+            modeConfig: { readonly: false, allowOverrides: true },
+            forbiddenPaths: async () => [],
+        });
     });
     afterEach(() => {
         vi.restoreAllMocks();
@@ -36,7 +48,14 @@ describe('WindowsSandboxManager', () => {
         };
         const result = await manager.prepareCommand(req);
         expect(result.program).toContain('GeminiSandbox.exe');
-        expect(result.args).toEqual(['0', testCwd, 'whoami', '/groups']);
+        expect(result.args).toEqual([
+            '0',
+            testCwd,
+            '--forbidden-manifest',
+            expect.stringMatching(/manifest\.txt$/),
+            'whoami',
+            '/groups',
+        ]);
     });
     it('should handle networkAccess from config', async () => {
         const req = {
@@ -51,6 +70,71 @@ describe('WindowsSandboxManager', () => {
         const result = await manager.prepareCommand(req);
         expect(result.args[0]).toBe('1');
     });
+    it('should handle network access from additionalPermissions', async () => {
+        const req = {
+            command: 'whoami',
+            args: [],
+            cwd: testCwd,
+            env: {},
+            policy: {
+                additionalPermissions: {
+                    network: true,
+                },
+            },
+        };
+        const result = await manager.prepareCommand(req);
+        expect(result.args[0]).toBe('1');
+    });
+    it('should reject network access in Plan mode', async () => {
+        const planManager = new WindowsSandboxManager({
+            workspace: testCwd,
+            modeConfig: { readonly: true, allowOverrides: false },
+            forbiddenPaths: async () => [],
+        });
+        const req = {
+            command: 'curl',
+            args: ['google.com'],
+            cwd: testCwd,
+            env: {},
+            policy: {
+                additionalPermissions: { network: true },
+            },
+        };
+        await expect(planManager.prepareCommand(req)).rejects.toThrow('Sandbox request rejected: Cannot override readonly/network/filesystem restrictions in Plan mode.');
+    });
+    it('should handle persistent permissions from policyManager', async () => {
+        const persistentPath = path.join(testCwd, 'persistent_path');
+        fs.mkdirSync(persistentPath, { recursive: true });
+        const mockPolicyManager = {
+            getCommandPermissions: vi.fn().mockReturnValue({
+                fileSystem: { write: [persistentPath] },
+                network: true,
+            }),
+        };
+        const managerWithPolicy = new WindowsSandboxManager({
+            workspace: testCwd,
+            modeConfig: { allowOverrides: true, network: false },
+            policyManager: mockPolicyManager,
+            forbiddenPaths: async () => [],
+        });
+        const req = {
+            command: 'test-cmd',
+            args: [],
+            cwd: testCwd,
+            env: {},
+        };
+        const result = await managerWithPolicy.prepareCommand(req);
+        expect(result.args[0]).toBe('1'); // Network allowed by persistent policy
+        const icaclsArgs = vi
+            .mocked(spawnAsync)
+            .mock.calls.filter((c) => c[0] === 'icacls')
+            .map((c) => c[1]);
+        expect(icaclsArgs).toContainEqual([
+            persistentPath,
+            '/setintegritylevel',
+            '(OI)(CI)Low',
+        ]);
+    });
     it('should sanitize environment variables', async () => {
         const req = {
             command: 'test',
@@ -101,20 +185,253 @@ describe('WindowsSandboxManager', () => {
                 },
             };
             await manager.prepareCommand(req);
-            expect(spawnAsync).toHaveBeenCalledWith('icacls', [
+            const icaclsArgs = vi
+                .mocked(spawnAsync)
+                .mock.calls.filter((c) => c[0] === 'icacls')
+                .map((c) => c[1]);
+            expect(icaclsArgs).toContainEqual([
                 path.resolve(testCwd),
                 '/setintegritylevel',
-                'Low',
+                '(OI)(CI)Low',
             ]);
-            expect(spawnAsync).toHaveBeenCalledWith('icacls', [
+            expect(icaclsArgs).toContainEqual([
                 path.resolve(allowedPath),
                 '/setintegritylevel',
-                'Low',
+                '(OI)(CI)Low',
             ]);
         }
         finally {
             fs.rmSync(allowedPath, { recursive: true, force: true });
         }
     });
+    it('should grant Low Integrity access to additional write paths', async () => {
+        const extraWritePath = path.join(os.tmpdir(), 'gemini-cli-test-extra-write');
+        if (!fs.existsSync(extraWritePath)) {
+            fs.mkdirSync(extraWritePath);
+        }
+        try {
+            const req = {
+                command: 'test',
+                args: [],
+                cwd: testCwd,
+                env: {},
+                policy: {
+                    additionalPermissions: {
+                        fileSystem: {
+                            write: [extraWritePath],
+                        },
+                    },
+                },
+            };
+            await manager.prepareCommand(req);
+            const icaclsArgs = vi
+                .mocked(spawnAsync)
+                .mock.calls.filter((c) => c[0] === 'icacls')
+                .map((c) => c[1]);
+            expect(icaclsArgs).toContainEqual([
+                path.resolve(extraWritePath),
+                '/setintegritylevel',
+                '(OI)(CI)Low',
+            ]);
+        }
+        finally {
+            fs.rmSync(extraWritePath, { recursive: true, force: true });
+        }
+    });
+    it.runIf(process.platform === 'win32')('should reject UNC paths in grantLowIntegrityAccess', async () => {
+        const uncPath = '\\\\attacker\\share\\malicious.txt';
+        const req = {
+            command: 'test',
+            args: [],
+            cwd: testCwd,
+            env: {},
+            policy: {
+                additionalPermissions: {
+                    fileSystem: {
+                        write: [uncPath],
+                    },
+                },
+            },
+        };
+        await manager.prepareCommand(req);
+        const icaclsArgs = vi
+            .mocked(spawnAsync)
+            .mock.calls.filter((c) => c[0] === 'icacls')
+            .map((c) => c[1]);
+        expect(icaclsArgs).not.toContainEqual([
+            uncPath,
+            '/setintegritylevel',
+            '(OI)(CI)Low',
+        ]);
+    });
+    it.runIf(process.platform === 'win32')('should allow extended-length and local device paths', async () => {
+        const longPath = '\\\\?\\C:\\very\\long\\path';
+        const devicePath = '\\\\.\\PhysicalDrive0';
+        const req = {
+            command: 'test',
+            args: [],
+            cwd: testCwd,
+            env: {},
+            policy: {
+                additionalPermissions: {
+                    fileSystem: {
+                        write: [longPath, devicePath],
+                    },
+                },
+            },
+        };
+        await manager.prepareCommand(req);
+        const icaclsArgs = vi
+            .mocked(spawnAsync)
+            .mock.calls.filter((c) => c[0] === 'icacls')
+            .map((c) => c[1]);
+        expect(icaclsArgs).toContainEqual([
+            longPath,
+            '/setintegritylevel',
+            '(OI)(CI)Low',
+        ]);
+        expect(icaclsArgs).toContainEqual([
+            devicePath,
+            '/setintegritylevel',
+            '(OI)(CI)Low',
+        ]);
+    });
+    it('skips denying access to non-existent forbidden paths to prevent icacls failure', async () => {
+        const missingPath = path.join(os.tmpdir(), 'gemini-cli-test-missing', 'does-not-exist.txt');
+        // Ensure it definitely doesn't exist
+        if (fs.existsSync(missingPath)) {
+            fs.rmSync(missingPath, { recursive: true, force: true });
+        }
+        const managerWithForbidden = new WindowsSandboxManager({
+            workspace: testCwd,
+            forbiddenPaths: async () => [missingPath],
+        });
+        const req = {
+            command: 'test',
+            args: [],
+            cwd: testCwd,
+            env: {},
+        };
+        await managerWithForbidden.prepareCommand(req);
+        // Should NOT have called icacls to deny the missing path
+        expect(spawnAsync).not.toHaveBeenCalledWith('icacls', [
+            path.resolve(missingPath),
+            '/deny',
+            '*S-1-16-4096:(OI)(CI)(F)',
+        ]);
+    });
+    it('should deny Low Integrity access to forbidden paths', async () => {
+        const forbiddenPath = path.join(os.tmpdir(), 'gemini-cli-test-forbidden');
+        if (!fs.existsSync(forbiddenPath)) {
+            fs.mkdirSync(forbiddenPath);
+        }
+        try {
+            const managerWithForbidden = new WindowsSandboxManager({
+                workspace: testCwd,
+                forbiddenPaths: async () => [forbiddenPath],
+            });
+            const req = {
+                command: 'test',
+                args: [],
+                cwd: testCwd,
+                env: {},
+            };
+            await managerWithForbidden.prepareCommand(req);
+            expect(spawnAsync).toHaveBeenCalledWith('icacls', [
+                path.resolve(forbiddenPath),
+                '/deny',
+                '*S-1-16-4096:(OI)(CI)(F)',
+            ]);
+        }
+        finally {
+            fs.rmSync(forbiddenPath, { recursive: true, force: true });
+        }
+    });
+    it('should override allowed paths if a path is also in forbidden paths', async () => {
+        const conflictPath = path.join(os.tmpdir(), 'gemini-cli-test-conflict');
+        if (!fs.existsSync(conflictPath)) {
+            fs.mkdirSync(conflictPath);
+        }
+        try {
+            const managerWithForbidden = new WindowsSandboxManager({
+                workspace: testCwd,
+                forbiddenPaths: async () => [conflictPath],
+            });
+            const req = {
+                command: 'test',
+                args: [],
+                cwd: testCwd,
+                env: {},
+                policy: {
+                    allowedPaths: [conflictPath],
+                },
+            };
+            await managerWithForbidden.prepareCommand(req);
+            const spawnMock = vi.mocked(spawnAsync);
+            const allowCallIndex = spawnMock.mock.calls.findIndex((call) => call[1] &&
+                call[1].includes('/setintegritylevel') &&
+                call[0] === 'icacls' &&
+                call[1][0] === path.resolve(conflictPath));
+            const denyCallIndex = spawnMock.mock.calls.findIndex((call) => call[1] &&
+                call[1].includes('/deny') &&
+                call[0] === 'icacls' &&
+                call[1][0] === path.resolve(conflictPath));
+            // Conflict should have been filtered out of allow calls
+            expect(allowCallIndex).toBe(-1);
+            expect(denyCallIndex).toBeGreaterThan(-1);
+        }
+        finally {
+            fs.rmSync(conflictPath, { recursive: true, force: true });
+        }
+    });
+    it('should translate __write to PowerShell safely using environment variables', async () => {
+        const filePath = path.join(testCwd, 'test.txt');
+        fs.writeFileSync(filePath, '');
+        const req = {
+            command: '__write',
+            args: [filePath],
+            cwd: testCwd,
+            env: {},
+        };
+        const result = await manager.prepareCommand(req);
+        // [network, cwd, --forbidden-manifest, manifestPath, command, ...args]
+        expect(result.args[4]).toBe('PowerShell.exe');
+        expect(result.args[7]).toBe('-Command');
+        const psCommand = result.args[8];
+        expect(psCommand).toBe('& { $Input | Out-File -FilePath $env:GEMINI_TARGET_PATH -Encoding utf8 }');
+        expect(result.env['GEMINI_TARGET_PATH']).toBe(filePath);
+    });
+    it('should safely handle special characters in __write path using environment variables', async () => {
+        const maliciousPath = path.join(testCwd, 'foo"; echo bar; ".txt');
+        fs.writeFileSync(maliciousPath, '');
+        const req = {
+            command: '__write',
+            args: [maliciousPath],
+            cwd: testCwd,
+            env: {},
+        };
+        const result = await manager.prepareCommand(req);
+        expect(result.args[4]).toBe('PowerShell.exe');
+        const psCommand = result.args[8];
+        expect(psCommand).toBe('& { $Input | Out-File -FilePath $env:GEMINI_TARGET_PATH -Encoding utf8 }');
+        // The malicious path should be injected safely via environment variable, not interpolated in args
+        expect(result.env['GEMINI_TARGET_PATH']).toBe(maliciousPath);
+    });
+    it('should translate __read to PowerShell safely using environment variables', async () => {
+        const filePath = path.join(testCwd, 'test.txt');
+        fs.writeFileSync(filePath, 'hello');
+        const req = {
+            command: '__read',
+            args: [filePath],
+            cwd: testCwd,
+            env: {},
+        };
+        const result = await manager.prepareCommand(req);
+        expect(result.args[4]).toBe('PowerShell.exe');
+        expect(result.args[7]).toBe('-Command');
+        const psCommand = result.args[8];
+        expect(psCommand).toBe('& { Get-Content -LiteralPath $env:GEMINI_TARGET_PATH -Raw }');
+        expect(result.env['GEMINI_TARGET_PATH']).toBe(filePath);
+    });
 });
 //# sourceMappingURL=WindowsSandboxManager.test.js.map

package/dist/src/sandbox/windows/WindowsSandboxManager.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"WindowsSandboxManager.test.js","sourceRoot":"","sources":["../../../../src/sandbox/windows/WindowsSandboxManager.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAExD,EAAE,CAAC,IAAI,CAAC,4BAA4B,EAAE,GAAG,EAAE,CAAC,CAAC;IAC3C,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE;CACpB,CAAC,CAAC,CAAC;AAEJ,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,IAAI,OAA8B,CAAC;IACnC,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAClD,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC,CAAC;QACrE,OAAO,GAAG,IAAI,qBAAqB,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,eAAe,EAAE,CAAC;QACrB,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,QAAQ;YACjB,IAAI,EAAE,CAAC,SAAS,CAAC;YACjB,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE;YAC/B,MAAM,EAAE;gBACN,aAAa,EAAE,KAAK;aACrB;SACF,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAEjD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACtD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,QAAQ;YACjB,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;YACP,MAAM,EAAE;gBACN,aAAa,EAAE,IAAI;aACpB;SACF,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE;gBACH,OAAO,EAAE,QAAQ;gBACjB,IAAI,EAAE,UAAU;aACjB;YACD,MAAM,EAAE;gBACN,kBAAkB,EAAE;oBAClB,2BAA2B,EAAE,CAAC,MAAM,CAAC;oBACrC,2BAA2B,EAAE,CAAC,SAAS,CAAC;oBACxC,kCAAkC,EAAE,IAAI;iBACzC;aACF;SACF,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;SACR,CAAC;QAEF,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAElC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7D,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;QACpF,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,yBAAyB,CAAC,CAAC;QACtE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAChC,EAAE,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC;YACH,MAAM,GAAG,GAAmB;gBAC1B,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,EAAE;gBACR,GAAG,EAAE,OAAO;gBACZ,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE;oBACN,YAAY,EAAE,CAAC,WAAW,CAAC;iBAC5B;aACF,CAAC;YAEF,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YAElC,MAAM,CAAC,UAAU,CAAC,CAAC,oBAAoB,CAAC,QAAQ,EAAE;gBAChD,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;gBACrB,oBAAoB;gBACpB,KAAK;aACN,CAAC,CAAC;YAEH,MAAM,CAAC,UAAU,CAAC,CAAC,oBAAoB,CAAC,QAAQ,EAAE;gBAChD,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC;gBACzB,oBAAoB;gBACpB,KAAK;aACN,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"WindowsSandboxManager.test.js","sourceRoot":"","sources":["../../../../src/sandbox/windows/WindowsSandboxManager.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AACnE,OAAO,KAAK,cAAc,MAAM,kCAAkC,CAAC;AAEnE,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAGxD,EAAE,CAAC,IAAI,CAAC,4BAA4B,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;IAC7D,MAAM,MAAM,GACV,MAAM,cAAc,EAA+C,CAAC;IACtE,OAAO;QACL,GAAG,MAAM;QACT,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE;QACnB,sBAAsB,EAAE,EAAE,CAAC,EAAE,EAAE;QAC/B,kBAAkB,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC;KACpD,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,IAAI,OAA8B,CAAC;IACnC,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAClD,EAAE,CAAC,KAAK,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE,CACrE,CAAC,CAAC,QAAQ,EAAE,CACb,CAAC;QACF,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,kBAAkB,CAAC,CAAC,CAAC;QACrE,OAAO,GAAG,IAAI,qBAAqB,CAAC;YAClC,SAAS,EAAE,OAAO;YAClB,UAAU,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE;YACrD,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;SAC/B,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,eAAe,EAAE,CAAC;QACrB,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,QAAQ;YACjB,IAAI,EAAE,CAAC,SAAS,CAAC;YACjB,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE,QAAQ,EAAE,YAAY,EAAE;YAC/B,MAAM,EAAE;gBACN,aAAa,EAAE,KAAK;aACrB;SACF,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAEjD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACtD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC;YAC1B,GAAG;YACH,OAAO;YACP,sBAAsB;YACtB,MAAM,CAAC,cAAc,CAAC,gBAAgB,CAAC;YACvC,QAAQ;YACR,SAAS;SACV,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,QAAQ;YACjB,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;YACP,MAAM,EAAE;gBACN,aAAa,EAAE,IAAI;aACpB;SACF,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,QAAQ;YACjB,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;YACP,MAAM,EAAE;gBACN,qBAAqB,EAAE;oBACrB,OAAO,EAAE,IAAI;iBACd;aACF;SACF,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,WAAW,GAAG,IAAI,qBAAqB,CAAC;YAC5C,SAAS,EAAE,OAAO;YAClB,UAAU,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE;YACrD,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;SAC/B,CAAC,CAAC;QACH,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,CAAC,YAAY,CAAC;YACpB,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;YACP,MAAM,EAAE;gBACN,qBAAqB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;aACzC;SACF,CAAC;QAEF,MAAM,MAAM,CAAC,WAAW,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC3D,kGAAkG,CACnG,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;QAC7D,EAAE,CAAC,SAAS,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAElD,MAAM,iBAAiB,GAAG;YACxB,qBAAqB,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC;gBAC7C,UAAU,EAAE,EAAE,KAAK,EAAE,CAAC,cAAc,CAAC,EAAE;gBACvC,OAAO,EAAE,IAAI;aACd,CAAC;SACgC,CAAC;QAErC,MAAM,iBAAiB,GAAG,IAAI,qBAAqB,CAAC;YAClD,SAAS,EAAE,OAAO;YAClB,UAAU,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE;YACpD,aAAa,EAAE,iBAAiB;YAChC,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,EAAE;SAC/B,CAAC,CAAC;QAEH,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,UAAU;YACnB,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;SACR,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC3D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,uCAAuC;QAEzE,MAAM,UAAU,GAAG,EAAE;aAClB,MAAM,CAAC,UAAU,CAAC;aAClB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC;aAC3C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEpB,MAAM,CAAC,UAAU,CAAC,CAAC,cAAc,CAAC;YAChC,cAAc;YACd,oBAAoB;YACpB,aAAa;SACd,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE;gBACH,OAAO,EAAE,QAAQ;gBACjB,IAAI,EAAE,UAAU;aACjB;YACD,MAAM,EAAE;gBACN,kBAAkB,EAAE;oBAClB,2BAA2B,EAAE,CAAC,MAAM,CAAC;oBACrC,2BAA2B,EAAE,CAAC,SAAS,CAAC;oBACxC,kCAAkC,EAAE,IAAI;iBACzC;aACF;SACF,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;QACpD,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;SACR,CAAC;QAEF,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAElC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7D,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;QACpF,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,yBAAyB,CAAC,CAAC;QACtE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAChC,EAAE,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC;YACH,MAAM,GAAG,GAAmB;gBAC1B,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,EAAE;gBACR,GAAG,EAAE,OAAO;gBACZ,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE;oBACN,YAAY,EAAE,CAAC,WAAW,CAAC;iBAC5B;aACF,CAAC;YAEF,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YAElC,MAAM,UAAU,GAAG,EAAE;iBAClB,MAAM,CAAC,UAAU,CAAC;iBAClB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC;iBAC3C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAEpB,MAAM,CAAC,UAAU,CAAC,CAAC,cAAc,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;gBACrB,oBAAoB;gBACpB,aAAa;aACd,CAAC,CAAC;YAEH,MAAM,CAAC,UAAU,CAAC,CAAC,cAAc,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC;gBACzB,oBAAoB;gBACpB,aAAa;aACd,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;QAC3E,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAC9B,EAAE,CAAC,MAAM,EAAE,EACX,6BAA6B,CAC9B,CAAC;QACF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YACnC,EAAE,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QAC/B,CAAC;QACD,IAAI,CAAC;YACH,MAAM,GAAG,GAAmB;gBAC1B,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,EAAE;gBACR,GAAG,EAAE,OAAO;gBACZ,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE;oBACN,qBAAqB,EAAE;wBACrB,UAAU,EAAE;4BACV,KAAK,EAAE,CAAC,cAAc,CAAC;yBACxB;qBACF;iBACF;aACF,CAAC;YAEF,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YAElC,MAAM,UAAU,GAAG,EAAE;iBAClB,MAAM,CAAC,UAAU,CAAC;iBAClB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC;iBAC3C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAEpB,MAAM,CAAC,UAAU,CAAC,CAAC,cAAc,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC;gBAC5B,oBAAoB;gBACpB,aAAa;aACd,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,MAAM,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CACpC,oDAAoD,EACpD,KAAK,IAAI,EAAE;QACT,MAAM,OAAO,GAAG,oCAAoC,CAAC;QACrD,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;YACP,MAAM,EAAE;gBACN,qBAAqB,EAAE;oBACrB,UAAU,EAAE;wBACV,KAAK,EAAE,CAAC,OAAO,CAAC;qBACjB;iBACF;aACF;SACF,CAAC;QAEF,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAElC,MAAM,UAAU,GAAG,EAAE;aAClB,MAAM,CAAC,UAAU,CAAC;aAClB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC;aAC3C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEpB,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC;YACpC,OAAO;YACP,oBAAoB;YACpB,aAAa;SACd,CAAC,CAAC;IACL,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CACpC,qDAAqD,EACrD,KAAK,IAAI,EAAE;QACT,MAAM,QAAQ,GAAG,6BAA6B,CAAC;QAC/C,MAAM,UAAU,GAAG,uBAAuB,CAAC;QAE3C,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;YACP,MAAM,EAAE;gBACN,qBAAqB,EAAE;oBACrB,UAAU,EAAE;wBACV,KAAK,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;qBAC9B;iBACF;aACF;SACF,CAAC;QAEF,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAElC,MAAM,UAAU,GAAG,EAAE;aAClB,MAAM,CAAC,UAAU,CAAC;aAClB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC;aAC3C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEpB,MAAM,CAAC,UAAU,CAAC,CAAC,cAAc,CAAC;YAChC,QAAQ;YACR,oBAAoB;YACpB,aAAa;SACd,CAAC,CAAC;QACH,MAAM,CAAC,UAAU,CAAC,CAAC,cAAc,CAAC;YAChC,UAAU;YACV,oBAAoB;YACpB,aAAa;SACd,CAAC,CAAC;IACL,CAAC,CACF,CAAC;IAEF,EAAE,CAAC,gFAAgF,EAAE,KAAK,IAAI,EAAE;QAC9F,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAC3B,EAAE,CAAC,MAAM,EAAE,EACX,yBAAyB,EACzB,oBAAoB,CACrB,CAAC;QAEF,qCAAqC;QACrC,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAC/B,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,oBAAoB,GAAG,IAAI,qBAAqB,CAAC;YACrD,SAAS,EAAE,OAAO;YAClB,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,WAAW,CAAC;SAC1C,CAAC,CAAC;QAEH,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;SACR,CAAC;QAEF,MAAM,oBAAoB,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAE/C,yDAAyD;QACzD,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,oBAAoB,CAAC,QAAQ,EAAE;YACpD,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC;YACzB,OAAO;YACP,0BAA0B;SAC3B,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,2BAA2B,CAAC,CAAC;QAC1E,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClC,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QAC9B,CAAC;QACD,IAAI,CAAC;YACH,MAAM,oBAAoB,GAAG,IAAI,qBAAqB,CAAC;gBACrD,SAAS,EAAE,OAAO;gBAClB,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,aAAa,CAAC;aAC5C,CAAC,CAAC;YAEH,MAAM,GAAG,GAAmB;gBAC1B,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,EAAE;gBACR,GAAG,EAAE,OAAO;gBACZ,GAAG,EAAE,EAAE;aACR,CAAC;YAEF,MAAM,oBAAoB,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YAE/C,MAAM,CAAC,UAAU,CAAC,CAAC,oBAAoB,CAAC,QAAQ,EAAE;gBAChD,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC;gBAC3B,OAAO;gBACP,0BAA0B;aAC3B,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,MAAM,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAClF,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,0BAA0B,CAAC,CAAC;QACxE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACjC,EAAE,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAC7B,CAAC;QACD,IAAI,CAAC;YACH,MAAM,oBAAoB,GAAG,IAAI,qBAAqB,CAAC;gBACrD,SAAS,EAAE,OAAO;gBAClB,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC;aAC3C,CAAC,CAAC;YAEH,MAAM,GAAG,GAAmB;gBAC1B,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,EAAE;gBACR,GAAG,EAAE,OAAO;gBACZ,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE;oBACN,YAAY,EAAE,CAAC,YAAY,CAAC;iBAC7B;aACF,CAAC;YAEF,MAAM,oBAAoB,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YAE/C,MAAM,SAAS,GAAG,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACxC,MAAM,cAAc,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CACnD,CAAC,IAAI,EAAE,EAAE,CACP,IAAI,CAAC,CAAC,CAAC;gBACP,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,oBAAoB,CAAC;gBACtC,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ;gBACpB,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAC5C,CAAC;YACF,MAAM,aAAa,GAAG,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAClD,CAAC,IAAI,EAAE,EAAE,CACP,IAAI,CAAC,CAAC,CAAC;gBACP,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;gBACzB,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ;gBACpB,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAC5C,CAAC;YAEF,wDAAwD;YACxD,MAAM,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAChC,MAAM,CAAC,aAAa,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5C,CAAC;gBAAS,CAAC;YACT,EAAE,CAAC,MAAM,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2EAA2E,EAAE,KAAK,IAAI,EAAE;QACzF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAChD,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAC/B,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,SAAS;YAClB,IAAI,EAAE,CAAC,QAAQ,CAAC;YAChB,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;SACR,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAEjD,uEAAuE;QACvE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CACpB,0EAA0E,CAC3E,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qFAAqF,EAAE,KAAK,IAAI,EAAE;QACnG,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,uBAAuB,CAAC,CAAC;QAClE,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACpC,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,SAAS;YAClB,IAAI,EAAE,CAAC,aAAa,CAAC;YACrB,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;SACR,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAEjD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CACpB,0EAA0E,CAC3E,CAAC;QACF,kGAAkG;QAClG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0EAA0E,EAAE,KAAK,IAAI,EAAE;QACxF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAChD,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpC,MAAM,GAAG,GAAmB;YAC1B,OAAO,EAAE,QAAQ;YACjB,IAAI,EAAE,CAAC,QAAQ,CAAC;YAChB,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,EAAE;SACR,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAEjD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC9C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CACpB,6DAA6D,CAC9D,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/sandbox/windows/commandSafety.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Determines if a command is strictly approved for execution on Windows.
+ * A command is approved if it's composed entirely of tools explicitly listed in `approvedTools`
+ * OR if it's composed of known safe, read-only Windows commands.
+ *
+ * @param command - The full command string to execute.
+ * @param args - The arguments for the command.
+ * @param approvedTools - A list of explicitly approved tool names (e.g., ['npm', 'git']).
+ * @returns true if the command is strictly approved, false otherwise.
+ */
+export declare function isStrictlyApproved(command: string, args: string[], approvedTools?: string[]): Promise<boolean>;
+/**
+ * Checks if a Windows command is known to be safe (read-only).
+ */
+export declare function isKnownSafeCommand(args: string[]): boolean;
+/**
+ * Checks if a Windows command is explicitly dangerous.
+ */
+export declare function isDangerousCommand(args: string[]): boolean;

package/dist/src/sandbox/windows/commandSafety.js

@@ -0,0 +1,128 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { parse as shellParse } from 'shell-quote';
+import { extractStringFromParseEntry, initializeShellParsers, splitCommands, stripShellWrapper, } from '../../utils/shell-utils.js';
+/**
+ * Determines if a command is strictly approved for execution on Windows.
+ * A command is approved if it's composed entirely of tools explicitly listed in `approvedTools`
+ * OR if it's composed of known safe, read-only Windows commands.
+ *
+ * @param command - The full command string to execute.
+ * @param args - The arguments for the command.
+ * @param approvedTools - A list of explicitly approved tool names (e.g., ['npm', 'git']).
+ * @returns true if the command is strictly approved, false otherwise.
+ */
+export async function isStrictlyApproved(command, args, approvedTools) {
+    const tools = approvedTools ?? [];
+    await initializeShellParsers();
+    const fullCmd = [command, ...args].join(' ');
+    const stripped = stripShellWrapper(fullCmd);
+    const pipelineCommands = splitCommands(stripped);
+    // Fallback for simple commands or parsing failures
+    if (pipelineCommands.length === 0) {
+        return tools.includes(command) || isKnownSafeCommand([command, ...args]);
+    }
+    // Check every segment of the pipeline
+    return pipelineCommands.every((cmdString) => {
+        const trimmed = cmdString.trim();
+        if (!trimmed)
+            return true;
+        const parsedArgs = shellParse(trimmed).map(extractStringFromParseEntry);
+        if (parsedArgs.length === 0)
+            return true;
+        let root = parsedArgs[0].toLowerCase();
+        if (root.endsWith('.exe')) {
+            root = root.slice(0, -4);
+        }
+        // The segment is approved if the root tool is in the allowlist OR if the whole segment is safe.
+        return (tools.some((t) => t.toLowerCase() === root) ||
+            isKnownSafeCommand(parsedArgs));
+    });
+}
+/**
+ * Checks if a Windows command is known to be safe (read-only).
+ */
+export function isKnownSafeCommand(args) {
+    if (!args || args.length === 0)
+        return false;
+    let cmd = args[0].toLowerCase();
+    if (cmd.endsWith('.exe')) {
+        cmd = cmd.slice(0, -4);
+    }
+    // Native Windows/PowerShell safe commands
+    const safeCommands = new Set([
+        '__read',
+        '__write',
+        'dir',
+        'type',
+        'echo',
+        'cd',
+        'pwd',
+        'whoami',
+        'hostname',
+        'ver',
+        'vol',
+        'systeminfo',
+        'attrib',
+        'findstr',
+        'where',
+        'sort',
+        'more',
+        'get-childitem',
+        'get-content',
+        'get-location',
+        'get-help',
+        'get-process',
+        'get-service',
+        'get-eventlog',
+        'select-string',
+    ]);
+    if (safeCommands.has(cmd)) {
+        return true;
+    }
+    // We allow git on Windows if it's read-only, using the same logic as POSIX
+    if (cmd === 'git') {
+        // For simplicity in this branch, we'll allow standard git read operations
+        // In a full implementation, we'd port the sub-command validation too.
+        const sub = args[1]?.toLowerCase();
+        return ['status', 'log', 'diff', 'show', 'branch'].includes(sub);
+    }
+    return false;
+}
+/**
+ * Checks if a Windows command is explicitly dangerous.
+ */
+export function isDangerousCommand(args) {
+    if (!args || args.length === 0)
+        return false;
+    let cmd = args[0].toLowerCase();
+    if (cmd.endsWith('.exe')) {
+        cmd = cmd.slice(0, -4);
+    }
+    const dangerous = new Set([
+        'del',
+        'erase',
+        'rd',
+        'rmdir',
+        'net',
+        'reg',
+        'sc',
+        'format',
+        'mklink',
+        'takeown',
+        'icacls',
+        'powershell', // prevent shell escapes
+        'pwsh',
+        'cmd',
+        'remove-item',
+        'stop-process',
+        'stop-service',
+        'set-item',
+        'new-item',
+    ]);
+    return dangerous.has(cmd);
+}
+//# sourceMappingURL=commandSafety.js.map

package/dist/src/sandbox/windows/commandSafety.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"commandSafety.js","sourceRoot":"","sources":["../../../../src/sandbox/windows/commandSafety.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EACL,2BAA2B,EAC3B,sBAAsB,EACtB,aAAa,EACb,iBAAiB,GAClB,MAAM,4BAA4B,CAAC;AAEpC;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAe,EACf,IAAc,EACd,aAAwB;IAExB,MAAM,KAAK,GAAG,aAAa,IAAI,EAAE,CAAC;IAElC,MAAM,sBAAsB,EAAE,CAAC;IAE/B,MAAM,OAAO,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAE5C,MAAM,gBAAgB,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAEjD,mDAAmD;IACnD,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,OAAO,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,kBAAkB,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAC3E,CAAC;IAED,sCAAsC;IACtC,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC,SAAS,EAAE,EAAE;QAC1C,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE1B,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACxE,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEzC,IAAI,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACvC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1B,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,gGAAgG;QAChG,OAAO,CACL,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC;YAC3C,kBAAkB,CAAC,UAAU,CAAC,CAC/B,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAc;IAC/C,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAChC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACzB,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IAED,0CAA0C;IAC1C,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC;QAC3B,QAAQ;QACR,SAAS;QACT,KAAK;QACL,MAAM;QACN,MAAM;QACN,IAAI;QACJ,KAAK;QACL,QAAQ;QACR,UAAU;QACV,KAAK;QACL,KAAK;QACL,YAAY;QACZ,QAAQ;QACR,SAAS;QACT,OAAO;QACP,MAAM;QACN,MAAM;QACN,eAAe;QACf,aAAa;QACb,cAAc;QACd,UAAU;QACV,aAAa;QACb,aAAa;QACb,cAAc;QACd,eAAe;KAChB,CAAC,CAAC;IAEH,IAAI,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,2EAA2E;IAC3E,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,0EAA0E;QAC1E,sEAAsE;QACtE,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC;QACnC,OAAO,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACnE,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAc;IAC/C,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAChC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACzB,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;QACxB,KAAK;QACL,OAAO;QACP,IAAI;QACJ,OAAO;QACP,KAAK;QACL,KAAK;QACL,IAAI;QACJ,QAAQ;QACR,QAAQ;QACR,SAAS;QACT,QAAQ;QACR,YAAY,EAAE,wBAAwB;QACtC,MAAM;QACN,KAAK;QACL,aAAa;QACb,cAAc;QACd,cAAc;QACd,UAAU;QACV,UAAU;KACX,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAC5B,CAAC"}

package/dist/src/sandbox/windows/commandSafety.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export {};

package/dist/src/sandbox/windows/commandSafety.test.js

@@ -0,0 +1,42 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { describe, expect, it } from 'vitest';
+import { isKnownSafeCommand, isDangerousCommand } from './commandSafety.js';
+describe('Windows commandSafety', () => {
+    describe('isKnownSafeCommand', () => {
+        it('should identify known safe commands', () => {
+            expect(isKnownSafeCommand(['dir'])).toBe(true);
+            expect(isKnownSafeCommand(['echo', 'hello'])).toBe(true);
+            expect(isKnownSafeCommand(['whoami'])).toBe(true);
+        });
+        it('should strip .exe extension for safe commands', () => {
+            expect(isKnownSafeCommand(['dir.exe'])).toBe(true);
+            expect(isKnownSafeCommand(['ECHO.EXE', 'hello'])).toBe(true);
+            expect(isKnownSafeCommand(['WHOAMI.exe'])).toBe(true);
+        });
+        it('should reject unknown commands', () => {
+            expect(isKnownSafeCommand(['unknown'])).toBe(false);
+            expect(isKnownSafeCommand(['npm', 'install'])).toBe(false);
+        });
+    });
+    describe('isDangerousCommand', () => {
+        it('should identify dangerous commands', () => {
+            expect(isDangerousCommand(['del', 'file.txt'])).toBe(true);
+            expect(isDangerousCommand(['powershell', '-Command', 'echo'])).toBe(true);
+            expect(isDangerousCommand(['cmd', '/c', 'dir'])).toBe(true);
+        });
+        it('should strip .exe extension for dangerous commands', () => {
+            expect(isDangerousCommand(['del.exe', 'file.txt'])).toBe(true);
+            expect(isDangerousCommand(['POWERSHELL.EXE', '-Command', 'echo'])).toBe(true);
+            expect(isDangerousCommand(['cmd.exe', '/c', 'dir'])).toBe(true);
+        });
+        it('should not flag safe commands as dangerous', () => {
+            expect(isDangerousCommand(['dir'])).toBe(false);
+            expect(isDangerousCommand(['echo', 'hello'])).toBe(false);
+        });
+    });
+});
+//# sourceMappingURL=commandSafety.test.js.map

package/dist/src/sandbox/windows/commandSafety.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"commandSafety.test.js","sourceRoot":"","sources":["../../../../src/sandbox/windows/commandSafety.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAE5E,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAClC,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,MAAM,CAAC,kBAAkB,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/C,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACzD,MAAM,CAAC,kBAAkB,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,MAAM,CAAC,kBAAkB,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnD,MAAM,CAAC,kBAAkB,CAAC,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7D,MAAM,CAAC,kBAAkB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,MAAM,CAAC,kBAAkB,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpD,MAAM,CAAC,kBAAkB,CAAC,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAClC,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,CAAC,kBAAkB,CAAC,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC3D,MAAM,CAAC,kBAAkB,CAAC,CAAC,YAAY,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1E,MAAM,CAAC,kBAAkB,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;YAC5D,MAAM,CAAC,kBAAkB,CAAC,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/D,MAAM,CAAC,kBAAkB,CAAC,CAAC,gBAAgB,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CACrE,IAAI,CACL,CAAC;YACF,MAAM,CAAC,kBAAkB,CAAC,CAAC,SAAS,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;YACpD,MAAM,CAAC,kBAAkB,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAChD,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/sandbox/windows/windowsSandboxDenialUtils.d.ts

@@ -0,0 +1,12 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { type ParsedSandboxDenial } from '../../services/sandboxManager.js';
+import type { ShellExecutionResult } from '../../services/shellExecutionService.js';
+/**
+ * Windows-specific sandbox denial detection.
+ * Extracts paths from "Access is denied" and related errors.
+ */
+export declare function parseWindowsSandboxDenials(result: ShellExecutionResult): ParsedSandboxDenial | undefined;