@google/gemini-cli-core 0.37.0-preview.2 → 0.38.0-preview.0

package/dist/src/sandbox/linux/bwrapArgsBuilder.js

@@ -0,0 +1,200 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import fs from 'node:fs';
+import { join, dirname, normalize } from 'node:path';
+import { GOVERNANCE_FILES, getSecretFileFindArgs, sanitizePaths, } from '../../services/sandboxManager.js';
+import { tryRealpath, resolveGitWorktreePaths, isErrnoException, } from '../utils/fsUtils.js';
+import { spawnAsync } from '../../utils/shell-utils.js';
+import { debugLogger } from '../../utils/debugLogger.js';
+/**
+ * Builds the list of bubblewrap arguments based on the provided options.
+ */
+export async function buildBwrapArgs(options) {
+    const bwrapArgs = [
+        '--unshare-all',
+        '--new-session', // Isolate session
+        '--die-with-parent', // Prevent orphaned runaway processes
+    ];
+    if (options.networkAccess || options.additionalPermissions.network) {
+        bwrapArgs.push('--share-net');
+    }
+    bwrapArgs.push('--ro-bind', '/', '/', '--dev', // Creates a safe, minimal /dev (replaces --dev-bind)
+    '/dev', '--proc', // Creates a fresh procfs for the unshared PID namespace
+    '/proc', '--tmpfs', // Provides an isolated, writable /tmp directory
+    '/tmp');
+    const workspacePath = tryRealpath(options.workspace);
+    const bindFlag = options.workspaceWrite ? '--bind-try' : '--ro-bind-try';
+    if (options.workspaceWrite) {
+        bwrapArgs.push('--bind-try', options.workspace, options.workspace);
+        if (workspacePath !== options.workspace) {
+            bwrapArgs.push('--bind-try', workspacePath, workspacePath);
+        }
+    }
+    else {
+        bwrapArgs.push('--ro-bind-try', options.workspace, options.workspace);
+        if (workspacePath !== options.workspace) {
+            bwrapArgs.push('--ro-bind-try', workspacePath, workspacePath);
+        }
+    }
+    const { worktreeGitDir, mainGitDir } = resolveGitWorktreePaths(workspacePath);
+    if (worktreeGitDir) {
+        bwrapArgs.push(bindFlag, worktreeGitDir, worktreeGitDir);
+    }
+    if (mainGitDir) {
+        bwrapArgs.push(bindFlag, mainGitDir, mainGitDir);
+    }
+    const includeDirs = sanitizePaths(options.includeDirectories);
+    for (const includeDir of includeDirs) {
+        try {
+            const resolved = tryRealpath(includeDir);
+            bwrapArgs.push('--ro-bind-try', resolved, resolved);
+        }
+        catch {
+            // Ignore
+        }
+    }
+    const normalizedWorkspace = normalize(workspacePath).replace(/\/$/, '');
+    for (const allowedPath of options.allowedPaths) {
+        const resolved = tryRealpath(allowedPath);
+        if (!fs.existsSync(resolved)) {
+            // If the path doesn't exist, we still want to allow access to its parent
+            // if it's explicitly allowed, to enable creating it.
+            try {
+                const resolvedParent = tryRealpath(dirname(resolved));
+                bwrapArgs.push(options.isWriteCommand ? '--bind-try' : bindFlag, resolvedParent, resolvedParent);
+            }
+            catch {
+                // Ignore
+            }
+            continue;
+        }
+        const normalizedAllowedPath = normalize(resolved).replace(/\/$/, '');
+        if (normalizedAllowedPath !== normalizedWorkspace) {
+            bwrapArgs.push('--bind-try', resolved, resolved);
+        }
+    }
+    const additionalReads = sanitizePaths(options.additionalPermissions.fileSystem?.read);
+    for (const p of additionalReads) {
+        try {
+            const safeResolvedPath = tryRealpath(p);
+            bwrapArgs.push('--ro-bind-try', safeResolvedPath, safeResolvedPath);
+        }
+        catch (e) {
+            debugLogger.warn(e instanceof Error ? e.message : String(e));
+        }
+    }
+    const additionalWrites = sanitizePaths(options.additionalPermissions.fileSystem?.write);
+    for (const p of additionalWrites) {
+        try {
+            const safeResolvedPath = tryRealpath(p);
+            bwrapArgs.push('--bind-try', safeResolvedPath, safeResolvedPath);
+        }
+        catch (e) {
+            debugLogger.warn(e instanceof Error ? e.message : String(e));
+        }
+    }
+    for (const file of GOVERNANCE_FILES) {
+        const filePath = join(options.workspace, file.path);
+        const realPath = tryRealpath(filePath);
+        bwrapArgs.push('--ro-bind', filePath, filePath);
+        if (realPath !== filePath) {
+            bwrapArgs.push('--ro-bind', realPath, realPath);
+        }
+    }
+    for (const p of options.forbiddenPaths) {
+        let resolved;
+        try {
+            resolved = tryRealpath(p); // Forbidden paths should still resolve to block the real path
+            if (!fs.existsSync(resolved))
+                continue;
+        }
+        catch (e) {
+            debugLogger.warn(`Failed to resolve forbidden path ${p}: ${e instanceof Error ? e.message : String(e)}`);
+            bwrapArgs.push('--ro-bind', '/dev/null', p);
+            continue;
+        }
+        try {
+            const stat = fs.statSync(resolved);
+            if (stat.isDirectory()) {
+                bwrapArgs.push('--tmpfs', resolved, '--remount-ro', resolved);
+            }
+            else {
+                bwrapArgs.push('--ro-bind', '/dev/null', resolved);
+            }
+        }
+        catch (e) {
+            if (isErrnoException(e) && e.code === 'ENOENT') {
+                bwrapArgs.push('--symlink', '/dev/null', resolved);
+            }
+            else {
+                debugLogger.warn(`Failed to stat forbidden path ${resolved}: ${e instanceof Error ? e.message : String(e)}`);
+                bwrapArgs.push('--ro-bind', '/dev/null', resolved);
+            }
+        }
+    }
+    // Mask secret files (.env, .env.*)
+    const secretArgs = await getSecretFilesArgs(options.workspace, options.allowedPaths, options.maskFilePath);
+    bwrapArgs.push(...secretArgs);
+    return bwrapArgs;
+}
+/**
+ * Generates bubblewrap arguments to mask secret files.
+ */
+async function getSecretFilesArgs(workspace, allowedPaths, maskPath) {
+    const args = [];
+    const searchDirs = new Set([workspace, ...allowedPaths]);
+    const findPatterns = getSecretFileFindArgs();
+    for (const dir of searchDirs) {
+        try {
+            // Use the native 'find' command for performance and to catch nested secrets.
+            // We limit depth to 3 to keep it fast while covering common nested structures.
+            // We use -prune to skip heavy directories efficiently while matching dotfiles.
+            const findResult = await spawnAsync('find', [
+                dir,
+                '-maxdepth',
+                '3',
+                '-type',
+                'd',
+                '(',
+                '-name',
+                '.git',
+                '-o',
+                '-name',
+                'node_modules',
+                '-o',
+                '-name',
+                '.venv',
+                '-o',
+                '-name',
+                '__pycache__',
+                '-o',
+                '-name',
+                'dist',
+                '-o',
+                '-name',
+                'build',
+                ')',
+                '-prune',
+                '-o',
+                '-type',
+                'f',
+                ...findPatterns,
+                '-print0',
+            ]);
+            const files = findResult.stdout.toString().split('\0');
+            for (const file of files) {
+                if (file.trim()) {
+                    args.push('--bind', maskPath, file.trim());
+                }
+            }
+        }
+        catch (e) {
+            debugLogger.log(`LinuxSandboxManager: Failed to find or mask secret files in ${dir}`, e);
+        }
+    }
+    return args;
+}
+//# sourceMappingURL=bwrapArgsBuilder.js.map

package/dist/src/sandbox/linux/bwrapArgsBuilder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bwrapArgsBuilder.js","sourceRoot":"","sources":["../../../../src/sandbox/linux/bwrapArgsBuilder.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,EAEL,gBAAgB,EAChB,qBAAqB,EACrB,aAAa,GACd,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EACL,WAAW,EACX,uBAAuB,EACvB,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAiBzD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAyB;IAEzB,MAAM,SAAS,GAAa;QAC1B,eAAe;QACf,eAAe,EAAE,kBAAkB;QACnC,mBAAmB,EAAE,qCAAqC;KAC3D,CAAC;IAEF,IAAI,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,qBAAqB,CAAC,OAAO,EAAE,CAAC;QACnE,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAChC,CAAC;IAED,SAAS,CAAC,IAAI,CACZ,WAAW,EACX,GAAG,EACH,GAAG,EACH,OAAO,EAAE,qDAAqD;IAC9D,MAAM,EACN,QAAQ,EAAE,wDAAwD;IAClE,OAAO,EACP,SAAS,EAAE,gDAAgD;IAC3D,MAAM,CACP,CAAC;IAEF,MAAM,aAAa,GAAG,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAErD,MAAM,QAAQ,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,eAAe,CAAC;IAEzE,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3B,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QACnE,IAAI,aAAa,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC;YACxC,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;SAAM,CAAC;QACN,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QACtE,IAAI,aAAa,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC;YACxC,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,uBAAuB,CAAC,aAAa,CAAC,CAAC;IAC9E,IAAI,cAAc,EAAE,CAAC;QACnB,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,WAAW,GAAG,aAAa,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC9D,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;YACzC,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IAED,MAAM,mBAAmB,GAAG,SAAS,CAAC,aAAa,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACxE,KAAK,MAAM,WAAW,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;QAC1C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,yEAAyE;YACzE,qDAAqD;YACrD,IAAI,CAAC;gBACH,MAAM,cAAc,GAAG,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;gBACtD,SAAS,CAAC,IAAI,CACZ,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,EAChD,cAAc,EACd,cAAc,CACf,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,SAAS;QACX,CAAC;QACD,MAAM,qBAAqB,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACrE,IAAI,qBAAqB,KAAK,mBAAmB,EAAE,CAAC;YAClD,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAG,aAAa,CACnC,OAAO,CAAC,qBAAqB,CAAC,UAAU,EAAE,IAAI,CAC/C,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,gBAAgB,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YACxC,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,CAAC;QACtE,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,WAAW,CAAC,IAAI,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,MAAM,gBAAgB,GAAG,aAAa,CACpC,OAAO,CAAC,qBAAqB,CAAC,UAAU,EAAE,KAAK,CAChD,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,gBAAgB,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,gBAAgB,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YACxC,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,CAAC;QACnE,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,WAAW,CAAC,IAAI,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,gBAAgB,EAAE,CAAC;QACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;QACvC,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAChD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QACvC,IAAI,QAAgB,CAAC;QACrB,IAAI,CAAC;YACH,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,8DAA8D;YACzF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAAE,SAAS;QACzC,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,WAAW,CAAC,IAAI,CACd,oCAAoC,CAAC,KAAK,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACvF,CAAC;YACF,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;YAC5C,SAAS;QACX,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;gBACvB,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,QAAQ,CAAC,CAAC;YAChE,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,IAAI,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC/C,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;YACrD,CAAC;iBAAM,CAAC;gBACN,WAAW,CAAC,IAAI,CACd,iCAAiC,QAAQ,KAAK,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAC3F,CAAC;gBACF,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;IACH,CAAC;IAED,mCAAmC;IACnC,MAAM,UAAU,GAAG,MAAM,kBAAkB,CACzC,OAAO,CAAC,SAAS,EACjB,OAAO,CAAC,YAAY,EACpB,OAAO,CAAC,YAAY,CACrB,CAAC;IACF,SAAS,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;IAE9B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAC/B,SAAiB,EACjB,YAAsB,EACtB,QAAgB;IAEhB,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC;IACzD,MAAM,YAAY,GAAG,qBAAqB,EAAE,CAAC;IAE7C,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,6EAA6E;YAC7E,+EAA+E;YAC/E,+EAA+E;YAC/E,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE;gBAC1C,GAAG;gBACH,WAAW;gBACX,GAAG;gBACH,OAAO;gBACP,GAAG;gBACH,GAAG;gBACH,OAAO;gBACP,MAAM;gBACN,IAAI;gBACJ,OAAO;gBACP,cAAc;gBACd,IAAI;gBACJ,OAAO;gBACP,OAAO;gBACP,IAAI;gBACJ,OAAO;gBACP,aAAa;gBACb,IAAI;gBACJ,OAAO;gBACP,MAAM;gBACN,IAAI;gBACJ,OAAO;gBACP,OAAO;gBACP,GAAG;gBACH,QAAQ;gBACR,IAAI;gBACJ,OAAO;gBACP,GAAG;gBACH,GAAG,YAAY;gBACf,SAAS;aACV,CAAC,CAAC;YAEH,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACvD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;oBAChB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC7C,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,WAAW,CAAC,GAAG,CACb,+DAA+D,GAAG,EAAE,EACpE,CAAC,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/src/sandbox/linux/bwrapArgsBuilder.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export {};

package/dist/src/sandbox/linux/bwrapArgsBuilder.test.js

@@ -0,0 +1,247 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { buildBwrapArgs } from './bwrapArgsBuilder.js';
+import fs from 'node:fs';
+import * as shellUtils from '../../utils/shell-utils.js';
+import os from 'node:os';
+vi.mock('node:fs', async () => {
+    const actual = await vi.importActual('node:fs');
+    return {
+        ...actual,
+        default: {
+            // @ts-expect-error - Property 'default' does not exist on type 'typeof import("node:fs")'
+            ...actual.default,
+            existsSync: vi.fn(() => true),
+            realpathSync: vi.fn((p) => p.toString()),
+            statSync: vi.fn(() => ({ isDirectory: () => true })),
+            mkdirSync: vi.fn(),
+            mkdtempSync: vi.fn((prefix) => prefix + 'mocked'),
+            openSync: vi.fn(),
+            closeSync: vi.fn(),
+            writeFileSync: vi.fn(),
+            readdirSync: vi.fn(() => []),
+            chmodSync: vi.fn(),
+            unlinkSync: vi.fn(),
+            rmSync: vi.fn(),
+        },
+        existsSync: vi.fn(() => true),
+        realpathSync: vi.fn((p) => p.toString()),
+        statSync: vi.fn(() => ({ isDirectory: () => true })),
+        mkdirSync: vi.fn(),
+        mkdtempSync: vi.fn((prefix) => prefix + 'mocked'),
+        openSync: vi.fn(),
+        closeSync: vi.fn(),
+        writeFileSync: vi.fn(),
+        readdirSync: vi.fn(() => []),
+        chmodSync: vi.fn(),
+        unlinkSync: vi.fn(),
+        rmSync: vi.fn(),
+    };
+});
+vi.mock('../../utils/shell-utils.js', async (importOriginal) => {
+    const actual = await importOriginal();
+    return {
+        ...actual,
+        spawnAsync: vi.fn(() => Promise.resolve({ status: 0, stdout: Buffer.from('') })),
+        initializeShellParsers: vi.fn(),
+        isStrictlyApproved: vi.fn().mockResolvedValue(true),
+    };
+});
+describe.skipIf(os.platform() === 'win32')('buildBwrapArgs', () => {
+    const workspace = '/home/user/workspace';
+    beforeEach(() => {
+        vi.clearAllMocks();
+        vi.mocked(fs.existsSync).mockReturnValue(true);
+        vi.mocked(fs.realpathSync).mockImplementation((p) => p.toString());
+    });
+    afterEach(() => {
+        vi.restoreAllMocks();
+    });
+    const defaultOptions = {
+        workspace,
+        workspaceWrite: false,
+        networkAccess: false,
+        allowedPaths: [],
+        forbiddenPaths: [],
+        additionalPermissions: {},
+        includeDirectories: [],
+        maskFilePath: '/tmp/mask',
+        isWriteCommand: false,
+    };
+    it('should correctly format the base arguments', async () => {
+        const args = await buildBwrapArgs(defaultOptions);
+        expect(args).toEqual([
+            '--unshare-all',
+            '--new-session',
+            '--die-with-parent',
+            '--ro-bind',
+            '/',
+            '/',
+            '--dev',
+            '/dev',
+            '--proc',
+            '/proc',
+            '--tmpfs',
+            '/tmp',
+            '--ro-bind-try',
+            workspace,
+            workspace,
+            '--ro-bind',
+            `${workspace}/.gitignore`,
+            `${workspace}/.gitignore`,
+            '--ro-bind',
+            `${workspace}/.geminiignore`,
+            `${workspace}/.geminiignore`,
+            '--ro-bind',
+            `${workspace}/.git`,
+            `${workspace}/.git`,
+        ]);
+    });
+    it('binds workspace read-write when workspaceWrite is true', async () => {
+        const args = await buildBwrapArgs({
+            ...defaultOptions,
+            workspaceWrite: true,
+        });
+        expect(args).toContain('--bind-try');
+        const bindIndex = args.indexOf('--bind-try');
+        expect(args[bindIndex + 1]).toBe(workspace);
+    });
+    it('maps network permissions to --share-net', async () => {
+        const args = await buildBwrapArgs({
+            ...defaultOptions,
+            networkAccess: true,
+        });
+        expect(args).toContain('--share-net');
+    });
+    it('maps explicit write permissions to --bind-try', async () => {
+        const args = await buildBwrapArgs({
+            ...defaultOptions,
+            additionalPermissions: {
+                fileSystem: { write: ['/home/user/workspace/out/dir'] },
+            },
+        });
+        const index = args.indexOf('--bind-try');
+        expect(index).not.toBe(-1);
+        expect(args[index + 1]).toBe('/home/user/workspace/out/dir');
+    });
+    it('should protect both the symlink and the real path of governance files', async () => {
+        vi.mocked(fs.realpathSync).mockImplementation((p) => {
+            if (p.toString() === `${workspace}/.gitignore`)
+                return '/shared/global.gitignore';
+            return p.toString();
+        });
+        const args = await buildBwrapArgs(defaultOptions);
+        expect(args).toContain('--ro-bind');
+        expect(args).toContain(`${workspace}/.gitignore`);
+        expect(args).toContain('/shared/global.gitignore');
+    });
+    it('should parameterize allowed paths and normalize them', async () => {
+        const args = await buildBwrapArgs({
+            ...defaultOptions,
+            allowedPaths: ['/tmp/cache', '/opt/tools', workspace],
+        });
+        expect(args).toContain('--bind-try');
+        expect(args[args.indexOf('/tmp/cache') - 1]).toBe('--bind-try');
+        expect(args[args.indexOf('/opt/tools') - 1]).toBe('--bind-try');
+    });
+    it('should bind the parent directory of a non-existent path', async () => {
+        vi.mocked(fs.existsSync).mockImplementation((p) => {
+            if (p === '/home/user/workspace/new-file.txt')
+                return false;
+            return true;
+        });
+        const args = await buildBwrapArgs({
+            ...defaultOptions,
+            allowedPaths: ['/home/user/workspace/new-file.txt'],
+            isWriteCommand: true,
+        });
+        const parentDir = '/home/user/workspace';
+        const bindIndex = args.lastIndexOf(parentDir);
+        expect(bindIndex).not.toBe(-1);
+        expect(args[bindIndex - 2]).toBe('--bind-try');
+    });
+    it('should parameterize forbidden paths and explicitly deny them', async () => {
+        vi.mocked(fs.statSync).mockImplementation((p) => {
+            if (p.toString().includes('cache')) {
+                return { isDirectory: () => true };
+            }
+            return { isDirectory: () => false };
+        });
+        const args = await buildBwrapArgs({
+            ...defaultOptions,
+            forbiddenPaths: ['/tmp/cache', '/opt/secret.txt'],
+        });
+        const cacheIndex = args.indexOf('/tmp/cache');
+        expect(args[cacheIndex - 1]).toBe('--tmpfs');
+        const secretIndex = args.indexOf('/opt/secret.txt');
+        expect(args[secretIndex - 2]).toBe('--ro-bind');
+        expect(args[secretIndex - 1]).toBe('/dev/null');
+    });
+    it('resolves forbidden symlink paths to their real paths', async () => {
+        vi.mocked(fs.statSync).mockImplementation(() => ({ isDirectory: () => false }));
+        vi.mocked(fs.realpathSync).mockImplementation((p) => {
+            if (p === '/tmp/forbidden-symlink')
+                return '/opt/real-target.txt';
+            return p.toString();
+        });
+        const args = await buildBwrapArgs({
+            ...defaultOptions,
+            forbiddenPaths: ['/tmp/forbidden-symlink'],
+        });
+        const secretIndex = args.indexOf('/opt/real-target.txt');
+        expect(args[secretIndex - 2]).toBe('--ro-bind');
+        expect(args[secretIndex - 1]).toBe('/dev/null');
+    });
+    it('masks directory symlinks with tmpfs for both paths', async () => {
+        vi.mocked(fs.statSync).mockImplementation(() => ({ isDirectory: () => true }));
+        vi.mocked(fs.realpathSync).mockImplementation((p) => {
+            if (p === '/tmp/dir-link')
+                return '/opt/real-dir';
+            return p.toString();
+        });
+        const args = await buildBwrapArgs({
+            ...defaultOptions,
+            forbiddenPaths: ['/tmp/dir-link'],
+        });
+        const idx = args.indexOf('/opt/real-dir');
+        expect(args[idx - 1]).toBe('--tmpfs');
+    });
+    it('should override allowed paths if a path is also in forbidden paths', async () => {
+        vi.mocked(fs.statSync).mockImplementation(() => ({ isDirectory: () => true }));
+        const args = await buildBwrapArgs({
+            ...defaultOptions,
+            forbiddenPaths: ['/tmp/conflict'],
+            allowedPaths: ['/tmp/conflict'],
+        });
+        const bindIndex = args.findIndex((a, i) => a === '--bind-try' && args[i + 1] === '/tmp/conflict');
+        const tmpfsIndex = args.findIndex((a, i) => a === '--tmpfs' && args[i + 1] === '/tmp/conflict');
+        expect(bindIndex).toBeGreaterThan(-1);
+        expect(tmpfsIndex).toBeGreaterThan(bindIndex);
+        expect(args[tmpfsIndex + 1]).toBe('/tmp/conflict');
+    });
+    it('blocks .env and .env.* files', async () => {
+        vi.mocked(shellUtils.spawnAsync).mockImplementation((cmd, args) => {
+            if (cmd === 'find' && args?.[0] === workspace) {
+                return Promise.resolve({
+                    status: 0,
+                    stdout: Buffer.from(`${workspace}/.env\0${workspace}/.env.local\0`),
+                });
+            }
+            return Promise.resolve({
+                status: 0,
+                stdout: Buffer.from(''),
+            });
+        });
+        const args = await buildBwrapArgs(defaultOptions);
+        expect(args).toContain(`${workspace}/.env`);
+        expect(args).toContain(`${workspace}/.env.local`);
+        const envIndex = args.indexOf(`${workspace}/.env`);
+        expect(args[envIndex - 2]).toBe('--bind');
+        expect(args[envIndex - 1]).toBe('/tmp/mask');
+    });
+});
+//# sourceMappingURL=bwrapArgsBuilder.test.js.map

package/dist/src/sandbox/linux/bwrapArgsBuilder.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bwrapArgsBuilder.test.js","sourceRoot":"","sources":["../../../../src/sandbox/linux/bwrapArgsBuilder.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,cAAc,EAAyB,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AACzD,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,IAAI,EAAE;IAC5B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,YAAY,CAA2B,SAAS,CAAC,CAAC;IAC1E,OAAO;QACL,GAAG,MAAM;QACT,OAAO,EAAE;YACP,0FAA0F;YAC1F,GAAG,MAAM,CAAC,OAAO;YACjB,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;YAC7B,YAAY,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;YACxC,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAa,CAAC;YAChE,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;YAClB,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,MAAc,EAAE,EAAE,CAAC,MAAM,GAAG,QAAQ,CAAC;YACzD,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE;YACjB,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;YAClB,aAAa,EAAE,EAAE,CAAC,EAAE,EAAE;YACtB,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;YAC5B,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;YAClB,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE;YACnB,MAAM,EAAE,EAAE,CAAC,EAAE,EAAE;SAChB;QACD,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;QAC7B,YAAY,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxC,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAa,CAAC;QAChE,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;QAClB,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,MAAc,EAAE,EAAE,CAAC,MAAM,GAAG,QAAQ,CAAC;QACzD,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE;QACjB,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;QAClB,aAAa,EAAE,EAAE,CAAC,EAAE,EAAE;QACtB,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;QAC5B,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;QAClB,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE;QACnB,MAAM,EAAE,EAAE,CAAC,EAAE,EAAE;KAChB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,EAAE,CAAC,IAAI,CAAC,4BAA4B,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;IAC7D,MAAM,MAAM,GACV,MAAM,cAAc,EAA+C,CAAC;IACtE,OAAO;QACL,GAAG,MAAM;QACT,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CACrB,OAAO,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,CACxD;QACD,sBAAsB,EAAE,EAAE,CAAC,EAAE,EAAE;QAC/B,kBAAkB,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC;KACpD,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,OAAO,CAAC,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAChE,MAAM,SAAS,GAAG,sBAAsB,CAAC;IAEzC,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,aAAa,EAAE,CAAC;QACnB,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QAC/C,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,eAAe,EAAE,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,MAAM,cAAc,GAAqB;QACvC,SAAS;QACT,cAAc,EAAE,KAAK;QACrB,aAAa,EAAE,KAAK;QACpB,YAAY,EAAE,EAAE;QAChB,cAAc,EAAE,EAAE;QAClB,qBAAqB,EAAE,EAAE;QACzB,kBAAkB,EAAE,EAAE;QACtB,YAAY,EAAE,WAAW;QACzB,cAAc,EAAE,KAAK;KACtB,CAAC;IAEF,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,cAAc,CAAC,CAAC;QAElD,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC;YACnB,eAAe;YACf,eAAe;YACf,mBAAmB;YACnB,WAAW;YACX,GAAG;YACH,GAAG;YACH,OAAO;YACP,MAAM;YACN,QAAQ;YACR,OAAO;YACP,SAAS;YACT,MAAM;YACN,eAAe;YACf,SAAS;YACT,SAAS;YACT,WAAW;YACX,GAAG,SAAS,aAAa;YACzB,GAAG,SAAS,aAAa;YACzB,WAAW;YACX,GAAG,SAAS,gBAAgB;YAC5B,GAAG,SAAS,gBAAgB;YAC5B,WAAW;YACX,GAAG,SAAS,OAAO;YACnB,GAAG,SAAS,OAAO;SACpB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC;YAChC,GAAG,cAAc;YACjB,cAAc,EAAE,IAAI;SACrB,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACrC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC7C,MAAM,CAAC,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC;YAChC,GAAG,cAAc;YACjB,aAAa,EAAE,IAAI;SACpB,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC;YAChC,GAAG,cAAc;YACjB,qBAAqB,EAAE;gBACrB,UAAU,EAAE,EAAE,KAAK,EAAE,CAAC,8BAA8B,CAAC,EAAE;aACxD;SACF,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACzC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;QACrF,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE;YAClD,IAAI,CAAC,CAAC,QAAQ,EAAE,KAAK,GAAG,SAAS,aAAa;gBAC5C,OAAO,0BAA0B,CAAC;YACpC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QACtB,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,cAAc,CAAC,CAAC;QAElD,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,GAAG,SAAS,aAAa,CAAC,CAAC;QAClD,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC;YAChC,GAAG,cAAc;YACjB,YAAY,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,SAAS,CAAC;SACtD,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAChE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE;YAChD,IAAI,CAAC,KAAK,mCAAmC;gBAAE,OAAO,KAAK,CAAC;YAC5D,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC;YAChC,GAAG,cAAc;YACjB,YAAY,EAAE,CAAC,mCAAmC,CAAC;YACnD,cAAc,EAAE,IAAI;SACrB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,sBAAsB,CAAC;QACzC,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;QAC9C,MAAM,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE;YAC9C,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnC,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,EAAc,CAAC;YACjD,CAAC;YACD,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,KAAK,EAAc,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC;YAChC,GAAG,cAAc;YACjB,cAAc,EAAE,CAAC,YAAY,EAAE,iBAAiB,CAAC;SAClD,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAE7C,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,kBAAkB,CACvC,GAAG,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,CAAa,CACjD,CAAC;QACF,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE;YAClD,IAAI,CAAC,KAAK,wBAAwB;gBAAE,OAAO,sBAAsB,CAAC;YAClE,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QACtB,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC;YAChC,GAAG,cAAc;YACjB,cAAc,EAAE,CAAC,wBAAwB,CAAC;SAC3C,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;QACzD,MAAM,CAAC,IAAI,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAChD,MAAM,CAAC,IAAI,CAAC,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,kBAAkB,CACvC,GAAG,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAa,CAChD,CAAC;QACF,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE;YAClD,IAAI,CAAC,KAAK,eAAe;gBAAE,OAAO,eAAe,CAAC;YAClD,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QACtB,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC;YAChC,GAAG,cAAc;YACjB,cAAc,EAAE,CAAC,eAAe,CAAC;SAClC,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC1C,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAClF,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,kBAAkB,CACvC,GAAG,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAa,CAChD,CAAC;QAEF,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC;YAChC,GAAG,cAAc;YACjB,cAAc,EAAE,CAAC,eAAe,CAAC;YACjC,YAAY,EAAE,CAAC,eAAe,CAAC;SAChC,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAC9B,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,YAAY,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,eAAe,CAChE,CAAC;QACF,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAC/B,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,eAAe,CAC7D,CAAC;QAEF,MAAM,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,CAAC,UAAU,CAAC,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,KAAK,IAAI,EAAE;QAC5C,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,kBAAkB,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;YAChE,IAAI,GAAG,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;gBAC9C,OAAO,OAAO,CAAC,OAAO,CAAC;oBACrB,MAAM,EAAE,CAAC;oBACT,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,SAAS,UAAU,SAAS,eAAe,CAAC;iBACb,CAAC,CAAC;YAC5D,CAAC;YACD,OAAO,OAAO,CAAC,OAAO,CAAC;gBACrB,MAAM,EAAE,CAAC;gBACT,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;aAC+B,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,cAAc,CAAC,CAAC;QAElD,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,GAAG,SAAS,OAAO,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,GAAG,SAAS,aAAa,CAAC,CAAC;QAElD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,SAAS,OAAO,CAAC,CAAC;QACnD,MAAM,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/sandbox/macos/MacOsSandboxManager.d.ts

@@ -7,10 +7,13 @@ import { type SandboxManager, type SandboxRequest, type SandboxedCommand, type G
 import type { ShellExecutionResult } from '../../services/shellExecutionService.js';
 export declare class MacOsSandboxManager implements SandboxManager {
     private readonly options;
+    private readonly denialCache;
     constructor(options: GlobalSandboxOptions);
     isKnownSafeCommand(args: string[]): boolean;
     isDangerousCommand(args: string[]): boolean;
     parseDenials(result: ShellExecutionResult): ParsedSandboxDenial | undefined;
+    getWorkspace(): string;
+    getOptions(): GlobalSandboxOptions;
     prepareCommand(req: SandboxRequest): Promise<SandboxedCommand>;
     private writeProfileToTempFile;
 }

package/dist/src/sandbox/macos/MacOsSandboxManager.js

@@ -12,10 +12,11 @@ import { buildSeatbeltProfile } from './seatbeltArgsBuilder.js';
 import { initializeShellParsers } from '../../utils/shell-utils.js';
 import { isKnownSafeCommand, isDangerousCommand, } from '../utils/commandSafety.js';
 import { verifySandboxOverrides, getCommandName as getFullCommandName, isStrictlyApproved, } from '../utils/commandUtils.js';
-import { parsePosixSandboxDenials } from '../utils/sandboxDenialUtils.js';
+import { parsePosixSandboxDenials, createSandboxDenialCache, } from '../utils/sandboxDenialUtils.js';
 import { handleReadWriteCommands } from '../utils/sandboxReadWriteUtils.js';
 export class MacOsSandboxManager {
     options;
+    denialCache = createSandboxDenialCache();
     constructor(options) {
         this.options = options;
     }
@@ -31,7 +32,13 @@ export class MacOsSandboxManager {
         return isDangerousCommand(args);
     }
     parseDenials(result) {
-        return parsePosixSandboxDenials(result);
+        return parsePosixSandboxDenials(result, this.denialCache);
+    }
+    getWorkspace() {
+        return this.options.workspace;
+    }
+    getOptions() {
+        return this.options;
     }
     async prepareCommand(req) {
         await initializeShellParsers();
@@ -56,15 +63,15 @@ export class MacOsSandboxManager {
         const isApproved = allowOverrides
             ? await isStrictlyApproved(currentReq, this.options.modeConfig?.approvedTools)
             : false;
-        const workspaceWrite = !isReadonlyMode || isApproved;
-        const defaultNetwork = this.options.modeConfig?.network || req.policy?.networkAccess || false;
+        const isYolo = this.options.modeConfig?.yolo ?? false;
+        const workspaceWrite = !isReadonlyMode || isApproved || isYolo;
+        const defaultNetwork = this.options.modeConfig?.network || req.policy?.networkAccess || isYolo;
         const { allowed: allowedPaths, forbidden: forbiddenPaths } = await resolveSandboxPaths(this.options, req);
         // Fetch persistent approvals for this command
         const commandName = await getFullCommandName(currentReq);
         const persistentPermissions = allowOverrides
             ? this.options.policyManager?.getCommandPermissions(commandName)
             : undefined;
-        // Merge all permissions
         const mergedAdditional = {
             fileSystem: {
                 read: [

package/dist/src/sandbox/macos/MacOsSandboxManager.js.map

@@ -1 +1 @@
-{"version":3,"file":"MacOsSandboxManager.js","sourceRoot":"","sources":["../../../../src/sandbox/macos/MacOsSandboxManager.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAOL,mBAAmB,GACpB,MAAM,kCAAkC,CAAC;AAE1C,OAAO,EACL,mBAAmB,EACnB,2BAA2B,GAC5B,MAAM,2CAA2C,CAAC;AACnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AACpE,OAAO,EACL,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,sBAAsB,EACtB,cAAc,IAAI,kBAAkB,EACpC,kBAAkB,GACnB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAC;AAC1E,OAAO,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AAE5E,MAAM,OAAO,mBAAmB;IACD;IAA7B,YAA6B,OAA6B;QAA7B,YAAO,GAAP,OAAO,CAAsB;IAAG,CAAC;IAE9D,kBAAkB,CAAC,IAAc;QAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,aAAa,IAAI,EAAE,CAAC;QACnE,IAAI,QAAQ,IAAI,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,kBAAkB,CAAC,IAAc;QAC/B,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,YAAY,CAAC,MAA4B;QACvC,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,GAAmB;QACtC,MAAM,sBAAsB,EAAE,CAAC;QAC/B,MAAM,kBAAkB,GAAG,2BAA2B,CACpD,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAC/B,CAAC;QAEF,MAAM,YAAY,GAAG,mBAAmB,CAAC,GAAG,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;QAEtE,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,QAAQ,IAAI,IAAI,CAAC;QACjE,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,cAAc,IAAI,IAAI,CAAC;QAEvE,wCAAwC;QACxC,sBAAsB,CAAC,cAAc,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;QAEnD,IAAI,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;QAC1B,IAAI,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QAEpB,8DAA8D;QAC9D,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;YACzB,OAAO,GAAG,UAAU,CAAC;QACvB,CAAC;aAAM,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;YACjC,OAAO,GAAG,SAAS,CAAC;YACpB,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC5C,CAAC;QAED,MAAM,UAAU,GAAG,EAAE,GAAG,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAE7C,uFAAuF;QACvF,MAAM,UAAU,GAAG,cAAc;YAC/B,CAAC,CAAC,MAAM,kBAAkB,CACtB,UAAU,EACV,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,aAAa,CACvC;YACH,CAAC,CAAC,KAAK,CAAC;QAEV,MAAM,cAAc,GAAG,CAAC,cAAc,IAAI,UAAU,CAAC;QACrD,MAAM,cAAc,GAClB,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,IAAI,GAAG,CAAC,MAAM,EAAE,aAAa,IAAI,KAAK,CAAC;QAEzE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,cAAc,EAAE,GACxD,MAAM,mBAAmB,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAE/C,8CAA8C;QAC9C,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACzD,MAAM,qBAAqB,GAAG,cAAc;YAC1C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,qBAAqB,CAAC,WAAW,CAAC;YAChE,CAAC,CAAC,SAAS,CAAC;QAEd,wBAAwB;QACxB,MAAM,gBAAgB,GAAuB;YAC3C,UAAU,EAAE;gBACV,IAAI,EAAE;oBACJ,GAAG,CAAC,qBAAqB,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC;oBAClD,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,qBAAqB,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC;iBAC/D;gBACD,KAAK,EAAE;oBACL,GAAG,CAAC,qBAAqB,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC;oBACnD,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,qBAAqB,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC;iBAChE;aACF;YACD,OAAO,EACL,cAAc;gBACd,qBAAqB,EAAE,OAAO;gBAC9B,GAAG,CAAC,MAAM,EAAE,qBAAqB,EAAE,OAAO;gBAC1C,KAAK;SACR,CAAC;QAEF,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,uBAAuB,CACxE,GAAG,EACH,gBAAgB,EAChB,IAAI,CAAC,OAAO,CAAC,SAAS,EACtB,GAAG,CAAC,MAAM,EAAE,YAAY,CACzB,CAAC;QAEF,MAAM,WAAW,GAAG,oBAAoB,CAAC;YACvC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YACjC,YAAY,EAAE;gBACZ,GAAG,YAAY;gBACf,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,kBAAkB,IAAI,EAAE,CAAC;aAC3C;YACD,cAAc;YACd,aAAa,EAAE,gBAAgB,CAAC,OAAO;YACvC,cAAc;YACd,qBAAqB,EAAE,gBAAgB;SACxC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,IAAI,CAAC,sBAAsB,CAAC,WAAW,CAAC,CAAC;QAE1D,OAAO;YACL,OAAO,EAAE,uBAAuB;YAChC,IAAI,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,SAAS,CAAC;YACxD,GAAG,EAAE,YAAY;YACjB,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,OAAO,EAAE,GAAG,EAAE;gBACZ,IAAI,CAAC;oBACH,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAC1B,CAAC;gBAAC,MAAM,CAAC;oBACP,wBAAwB;gBAC1B,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;IAEO,sBAAsB,CAAC,OAAe;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,EAAE,CAAC,MAAM,EAAE,EACX,uBAAuB,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAC9E,CAAC;QACF,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACrD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
+{"version":3,"file":"MacOsSandboxManager.js","sourceRoot":"","sources":["../../../../src/sandbox/macos/MacOsSandboxManager.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAOL,mBAAmB,GACpB,MAAM,kCAAkC,CAAC;AAE1C,OAAO,EACL,mBAAmB,EACnB,2BAA2B,GAC5B,MAAM,2CAA2C,CAAC;AACnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AACpE,OAAO,EACL,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EACL,sBAAsB,EACtB,cAAc,IAAI,kBAAkB,EACpC,kBAAkB,GACnB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,wBAAwB,EACxB,wBAAwB,GAEzB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AAE5E,MAAM,OAAO,mBAAmB;IAGD;IAFZ,WAAW,GAAuB,wBAAwB,EAAE,CAAC;IAE9E,YAA6B,OAA6B;QAA7B,YAAO,GAAP,OAAO,CAAsB;IAAG,CAAC;IAE9D,kBAAkB,CAAC,IAAc;QAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,aAAa,IAAI,EAAE,CAAC;QACnE,IAAI,QAAQ,IAAI,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,kBAAkB,CAAC,IAAc;QAC/B,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,YAAY,CAAC,MAA4B;QACvC,OAAO,wBAAwB,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IAC5D,CAAC;IAED,YAAY;QACV,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;IAChC,CAAC;IAED,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,GAAmB;QACtC,MAAM,sBAAsB,EAAE,CAAC;QAC/B,MAAM,kBAAkB,GAAG,2BAA2B,CACpD,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAC/B,CAAC;QAEF,MAAM,YAAY,GAAG,mBAAmB,CAAC,GAAG,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;QAEtE,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,QAAQ,IAAI,IAAI,CAAC;QACjE,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,cAAc,IAAI,IAAI,CAAC;QAEvE,wCAAwC;QACxC,sBAAsB,CAAC,cAAc,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;QAEnD,IAAI,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;QAC1B,IAAI,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QAEpB,8DAA8D;QAC9D,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;YACzB,OAAO,GAAG,UAAU,CAAC;QACvB,CAAC;aAAM,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;YACjC,OAAO,GAAG,SAAS,CAAC;YACpB,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC5C,CAAC;QAED,MAAM,UAAU,GAAG,EAAE,GAAG,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAE7C,uFAAuF;QACvF,MAAM,UAAU,GAAG,cAAc;YAC/B,CAAC,CAAC,MAAM,kBAAkB,CACtB,UAAU,EACV,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,aAAa,CACvC;YACH,CAAC,CAAC,KAAK,CAAC;QAEV,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,IAAI,KAAK,CAAC;QACtD,MAAM,cAAc,GAAG,CAAC,cAAc,IAAI,UAAU,IAAI,MAAM,CAAC;QAE/D,MAAM,cAAc,GAClB,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,IAAI,GAAG,CAAC,MAAM,EAAE,aAAa,IAAI,MAAM,CAAC;QAE1E,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,cAAc,EAAE,GACxD,MAAM,mBAAmB,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAE/C,8CAA8C;QAC9C,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACzD,MAAM,qBAAqB,GAAG,cAAc;YAC1C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,qBAAqB,CAAC,WAAW,CAAC;YAChE,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,gBAAgB,GAAuB;YAC3C,UAAU,EAAE;gBACV,IAAI,EAAE;oBACJ,GAAG,CAAC,qBAAqB,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC;oBAClD,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,qBAAqB,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC;iBAC/D;gBACD,KAAK,EAAE;oBACL,GAAG,CAAC,qBAAqB,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC;oBACnD,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,qBAAqB,EAAE,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC;iBAChE;aACF;YACD,OAAO,EACL,cAAc;gBACd,qBAAqB,EAAE,OAAO;gBAC9B,GAAG,CAAC,MAAM,EAAE,qBAAqB,EAAE,OAAO;gBAC1C,KAAK;SACR,CAAC;QAEF,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,uBAAuB,CACxE,GAAG,EACH,gBAAgB,EAChB,IAAI,CAAC,OAAO,CAAC,SAAS,EACtB,GAAG,CAAC,MAAM,EAAE,YAAY,CACzB,CAAC;QAEF,MAAM,WAAW,GAAG,oBAAoB,CAAC;YACvC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YACjC,YAAY,EAAE;gBACZ,GAAG,YAAY;gBACf,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,kBAAkB,IAAI,EAAE,CAAC;aAC3C;YACD,cAAc;YACd,aAAa,EAAE,gBAAgB,CAAC,OAAO;YACvC,cAAc;YACd,qBAAqB,EAAE,gBAAgB;SACxC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,IAAI,CAAC,sBAAsB,CAAC,WAAW,CAAC,CAAC;QAE1D,OAAO;YACL,OAAO,EAAE,uBAAuB;YAChC,IAAI,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,EAAE,GAAG,SAAS,CAAC;YACxD,GAAG,EAAE,YAAY;YACjB,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,OAAO,EAAE,GAAG,EAAE;gBACZ,IAAI,CAAC;oBACH,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAC1B,CAAC;gBAAC,MAAM,CAAC;oBACP,wBAAwB;gBAC1B,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;IAEO,sBAAsB,CAAC,OAAe;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,EAAE,CAAC,MAAM,EAAE,EACX,uBAAuB,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAC9E,CAAC;QACF,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACrD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/src/sandbox/macos/MacOsSandboxManager.test.js

@@ -110,6 +110,26 @@ describe('MacOsSandboxManager', () => {
             });
             expect(seatbeltArgsBuilder.buildSeatbeltProfile).toHaveBeenCalledWith(expect.objectContaining({ networkAccess: true }));
         });
+        it('should NOT whitelist root in YOLO mode', async () => {
+            manager = new MacOsSandboxManager({
+                workspace: mockWorkspace,
+                modeConfig: { readonly: false, allowOverrides: true, yolo: true },
+            });
+            await manager.prepareCommand({
+                command: 'ls',
+                args: ['/'],
+                cwd: mockWorkspace,
+                env: {},
+            });
+            expect(seatbeltArgsBuilder.buildSeatbeltProfile).toHaveBeenCalledWith(expect.objectContaining({
+                additionalPermissions: expect.objectContaining({
+                    fileSystem: expect.objectContaining({
+                        read: expect.not.arrayContaining(['/']),
+                        write: expect.not.arrayContaining(['/']),
+                    }),
+                }),
+            }));
+        });
         describe('virtual commands', () => {
             it('should translate __read to /bin/cat', async () => {
                 const testFile = path.join(mockWorkspace, 'file.txt');

package/dist/src/sandbox/macos/MacOsSandboxManager.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"MacOsSandboxManager.test.js","sourceRoot":"","sources":["../../../../src/sandbox/macos/MacOsSandboxManager.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAE/D,OAAO,KAAK,mBAAmB,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,IAAI,aAAqB,CAAC;IAC1B,IAAI,gBAA0B,CAAC;IAC/B,MAAM,iBAAiB,GAAG,IAAI,CAAC;IAE/B,IAAI,UAA2B,CAAC;IAChC,IAAI,OAA4B,CAAC;IAEjC,UAAU,CAAC,GAAG,EAAE;QACd,aAAa,GAAG,EAAE,CAAC,YAAY,CAC7B,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,wBAAwB,CAAC,CAAC,CACjE,CAAC;QAEF,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAC/B,EAAE,CAAC,MAAM,EAAE,EACX,gCAAgC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CACvE,CAAC;QACF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACpC,EAAE,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAChC,CAAC;QACD,gBAAgB,GAAG,CAAC,EAAE,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;QAEtD,UAAU,GAAG;YACX,YAAY,EAAE,gBAAgB;YAC9B,aAAa,EAAE,iBAAiB;SACjC,CAAC;QAEF,OAAO,GAAG,IAAI,mBAAmB,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC,CAAC;QAEhE,0DAA0D;QAC1D,EAAE,CAAC,KAAK,CAAC,mBAAmB,EAAE,sBAAsB,CAAC,CAAC,eAAe,CACnE,gBAAgB,CACjB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,eAAe,EAAE,CAAC;QACrB,EAAE,CAAC,MAAM,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,IAAI,gBAAgB,IAAI,gBAAgB,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5C,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACnE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;YACjE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC1C,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,CAAC,OAAO,CAAC;gBACf,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE,UAAU;aACnB,CAAC,CAAC;YAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CAAC;gBACpE,SAAS,EAAE,aAAa;gBACxB,YAAY,EAAE,gBAAgB;gBAC9B,cAAc,EAAE,EAAE;gBAClB,aAAa,EAAE,iBAAiB;gBAChC,cAAc,EAAE,KAAK;gBACrB,qBAAqB,EAAE;oBACrB,UAAU,EAAE;wBACV,IAAI,EAAE,EAAE;wBACR,KAAK,EAAE,EAAE;qBACV;oBACD,OAAO,EAAE,IAAI;iBACd;aACF,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACrD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,6BAA6B,CAAC,CAAC;YAC9D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;YAE9D,+BAA+B;YAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC3C,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAEjE,2CAA2C;YAC3C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;YACrC,MAAM,CAAC,OAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;YAC9E,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC1C,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,CAAC,OAAO,CAAC;gBACf,GAAG,EAAE,qBAAqB;gBAC1B,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE,UAAU;aACnB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;YAChF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC1C,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,CAAC,OAAO,CAAC;gBACf,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE;oBACH,QAAQ,EAAE,GAAG;oBACb,YAAY,EAAE,WAAW;iBAC1B;gBACD,MAAM,EAAE;oBACN,GAAG,UAAU;oBACb,kBAAkB,EAAE,EAAE,kCAAkC,EAAE,IAAI,EAAE;iBACjE;aACF,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACzC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QACrD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC3B,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,CAAC,OAAO,CAAC;gBACf,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE,EAAE,GAAG,UAAU,EAAE,aAAa,EAAE,IAAI,EAAE;aAC/C,CAAC,CAAC;YAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CACjD,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;YAChC,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;gBACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;gBACtD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;oBAC1C,OAAO,EAAE,QAAQ;oBACjB,IAAI,EAAE,CAAC,QAAQ,CAAC;oBAChB,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;gBAEH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAC7D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC7D,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;gBAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;gBACtD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;oBAC1C,OAAO,EAAE,SAAS;oBAClB,IAAI,EAAE,CAAC,QAAQ,CAAC;oBAChB,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;gBAEH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAC5D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACvD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAC9C,yBAAyB,CAC1B,CAAC;gBACF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACtD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC7D,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;YAChC,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;gBACpD,MAAM,OAAO,CAAC,cAAc,CAAC;oBAC3B,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,EAAE;oBACR,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;gBAEH,gFAAgF;gBAChF,oDAAoD;gBACpD,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC,CACtD,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;YAC5B,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;gBACpE,MAAM,OAAO,CAAC,cAAc,CAAC;oBAC3B,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,EAAE;oBACR,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE;wBACN,GAAG,UAAU;wBACb,YAAY,EAAE,CAAC,eAAe,EAAE,eAAe,CAAC;qBACjD;iBACF,CAAC,CAAC;gBAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC;oBACtB,YAAY,EAAE,CAAC,eAAe,EAAE,eAAe,CAAC;iBACjD,CAAC,CACH,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;YAC9B,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;gBAC5E,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;oBAC5C,SAAS,EAAE,aAAa;oBACxB,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,iBAAiB,CAAC;iBAChD,CAAC,CAAC;gBACH,MAAM,aAAa,CAAC,cAAc,CAAC;oBACjC,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,EAAE;oBACR,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;gBAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC;oBACtB,cAAc,EAAE,CAAC,iBAAiB,CAAC;iBACpC,CAAC,CACH,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;gBAClF,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;oBAC5C,SAAS,EAAE,aAAa;oBACxB,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,qBAAqB,CAAC;iBACpD,CAAC,CAAC;gBACH,MAAM,aAAa,CAAC,cAAc,CAAC;oBACjC,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,EAAE;oBACR,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;gBAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC;oBACtB,cAAc,EAAE,CAAC,qBAAqB,CAAC;iBACxC,CAAC,CACH,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;gBAClF,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;oBAC5C,SAAS,EAAE,aAAa;oBACxB,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,eAAe,CAAC;iBAC9C,CAAC,CAAC;gBACH,MAAM,aAAa,CAAC,cAAc,CAAC;oBACjC,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,EAAE;oBACR,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE;wBACN,GAAG,UAAU;wBACb,YAAY,EAAE,CAAC,eAAe,CAAC;qBAChC;iBACF,CAAC,CAAC;gBAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC;oBACtB,YAAY,EAAE,EAAE;oBAChB,cAAc,EAAE,CAAC,eAAe,CAAC;iBAClC,CAAC,CACH,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"MacOsSandboxManager.test.js","sourceRoot":"","sources":["../../../../src/sandbox/macos/MacOsSandboxManager.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAE/D,OAAO,KAAK,mBAAmB,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,IAAI,aAAqB,CAAC;IAC1B,IAAI,gBAA0B,CAAC;IAC/B,MAAM,iBAAiB,GAAG,IAAI,CAAC;IAE/B,IAAI,UAA2B,CAAC;IAChC,IAAI,OAA4B,CAAC;IAEjC,UAAU,CAAC,GAAG,EAAE;QACd,aAAa,GAAG,EAAE,CAAC,YAAY,CAC7B,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,wBAAwB,CAAC,CAAC,CACjE,CAAC;QAEF,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAC/B,EAAE,CAAC,MAAM,EAAE,EACX,gCAAgC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CACvE,CAAC;QACF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACpC,EAAE,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAChC,CAAC;QACD,gBAAgB,GAAG,CAAC,EAAE,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;QAEtD,UAAU,GAAG;YACX,YAAY,EAAE,gBAAgB;YAC9B,aAAa,EAAE,iBAAiB;SACjC,CAAC;QAEF,OAAO,GAAG,IAAI,mBAAmB,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC,CAAC;QAEhE,0DAA0D;QAC1D,EAAE,CAAC,KAAK,CAAC,mBAAmB,EAAE,sBAAsB,CAAC,CAAC,eAAe,CACnE,gBAAgB,CACjB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,eAAe,EAAE,CAAC;QACrB,EAAE,CAAC,MAAM,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,IAAI,gBAAgB,IAAI,gBAAgB,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5C,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACnE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;YACjE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC1C,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,CAAC,OAAO,CAAC;gBACf,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE,UAAU;aACnB,CAAC,CAAC;YAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CAAC;gBACpE,SAAS,EAAE,aAAa;gBACxB,YAAY,EAAE,gBAAgB;gBAC9B,cAAc,EAAE,EAAE;gBAClB,aAAa,EAAE,iBAAiB;gBAChC,cAAc,EAAE,KAAK;gBACrB,qBAAqB,EAAE;oBACrB,UAAU,EAAE;wBACV,IAAI,EAAE,EAAE;wBACR,KAAK,EAAE,EAAE;qBACV;oBACD,OAAO,EAAE,IAAI;iBACd;aACF,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACrD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,6BAA6B,CAAC,CAAC;YAC9D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;YAE9D,+BAA+B;YAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC3C,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAEjE,2CAA2C;YAC3C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;YACrC,MAAM,CAAC,OAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;YAC9E,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC1C,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,CAAC,OAAO,CAAC;gBACf,GAAG,EAAE,qBAAqB;gBAC1B,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE,UAAU;aACnB,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;YAChF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC1C,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,CAAC,OAAO,CAAC;gBACf,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE;oBACH,QAAQ,EAAE,GAAG;oBACb,YAAY,EAAE,WAAW;iBAC1B;gBACD,MAAM,EAAE;oBACN,GAAG,UAAU;oBACb,kBAAkB,EAAE,EAAE,kCAAkC,EAAE,IAAI,EAAE;iBACjE;aACF,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACzC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QACrD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC3B,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,CAAC,OAAO,CAAC;gBACf,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE,EAAE,GAAG,UAAU,EAAE,aAAa,EAAE,IAAI,EAAE;aAC/C,CAAC,CAAC;YAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CACjD,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,OAAO,GAAG,IAAI,mBAAmB,CAAC;gBAChC,SAAS,EAAE,aAAa;gBACxB,UAAU,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE;aAClE,CAAC,CAAC;YAEH,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC3B,OAAO,EAAE,IAAI;gBACb,IAAI,EAAE,CAAC,GAAG,CAAC;gBACX,GAAG,EAAE,aAAa;gBAClB,GAAG,EAAE,EAAE;aACR,CAAC,CAAC;YAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC;gBACtB,qBAAqB,EAAE,MAAM,CAAC,gBAAgB,CAAC;oBAC7C,UAAU,EAAE,MAAM,CAAC,gBAAgB,CAAC;wBAClC,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,GAAG,CAAC,CAAC;wBACvC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,GAAG,CAAC,CAAC;qBACzC,CAAC;iBACH,CAAC;aACH,CAAC,CACH,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;YAChC,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;gBACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;gBACtD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;oBAC1C,OAAO,EAAE,QAAQ;oBACjB,IAAI,EAAE,CAAC,QAAQ,CAAC;oBAChB,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;gBAEH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAC7D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC7D,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;gBAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;gBACtD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;oBAC1C,OAAO,EAAE,SAAS;oBAClB,IAAI,EAAE,CAAC,QAAQ,CAAC;oBAChB,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;gBAEH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAC5D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACvD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAC9C,yBAAyB,CAC1B,CAAC;gBACF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACtD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC7D,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;YAChC,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;gBACpD,MAAM,OAAO,CAAC,cAAc,CAAC;oBAC3B,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,EAAE;oBACR,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;gBAEH,gFAAgF;gBAChF,oDAAoD;gBACpD,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC,CACtD,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;YAC5B,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;gBACpE,MAAM,OAAO,CAAC,cAAc,CAAC;oBAC3B,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,EAAE;oBACR,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE;wBACN,GAAG,UAAU;wBACb,YAAY,EAAE,CAAC,eAAe,EAAE,eAAe,CAAC;qBACjD;iBACF,CAAC,CAAC;gBAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC;oBACtB,YAAY,EAAE,CAAC,eAAe,EAAE,eAAe,CAAC;iBACjD,CAAC,CACH,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;YAC9B,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;gBAC5E,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;oBAC5C,SAAS,EAAE,aAAa;oBACxB,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,iBAAiB,CAAC;iBAChD,CAAC,CAAC;gBACH,MAAM,aAAa,CAAC,cAAc,CAAC;oBACjC,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,EAAE;oBACR,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;gBAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC;oBACtB,cAAc,EAAE,CAAC,iBAAiB,CAAC;iBACpC,CAAC,CACH,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;gBAClF,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;oBAC5C,SAAS,EAAE,aAAa;oBACxB,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,qBAAqB,CAAC;iBACpD,CAAC,CAAC;gBACH,MAAM,aAAa,CAAC,cAAc,CAAC;oBACjC,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,EAAE;oBACR,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE,UAAU;iBACnB,CAAC,CAAC;gBAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC;oBACtB,cAAc,EAAE,CAAC,qBAAqB,CAAC;iBACxC,CAAC,CACH,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;gBAClF,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;oBAC5C,SAAS,EAAE,aAAa;oBACxB,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,eAAe,CAAC;iBAC9C,CAAC,CAAC;gBACH,MAAM,aAAa,CAAC,cAAc,CAAC;oBACjC,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,EAAE;oBACR,GAAG,EAAE,aAAa;oBAClB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE;wBACN,GAAG,UAAU;wBACb,YAAY,EAAE,CAAC,eAAe,CAAC;qBAChC;iBACF,CAAC,CAAC;gBAEH,MAAM,CAAC,mBAAmB,CAAC,oBAAoB,CAAC,CAAC,oBAAoB,CACnE,MAAM,CAAC,gBAAgB,CAAC;oBACtB,YAAY,EAAE,EAAE;oBAChB,cAAc,EAAE,CAAC,eAAe,CAAC;iBAClC,CAAC,CACH,CAAC;YACJ,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}