@machina.ai/cell-cli-core 1.36.0-rc1 → 1.38.1-rc2

package/dist/src/sandbox/linux/LinuxSandboxManager.test.js

@@ -3,9 +3,10 @@
  * Copyright 2026 Google LLC
  * SPDX-License-Identifier: Apache-2.0
  */
-import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 import { LinuxSandboxManager } from './LinuxSandboxManager.js';
 import fs from 'node:fs';
+import path from 'node:path';
 vi.mock('node:fs', async () => {
     const actual = await vi.importActual('node:fs');
     return {
@@ -15,17 +16,38 @@ vi.mock('node:fs', async () => {
             ...actual.default,
             existsSync: vi.fn(() => true),
             realpathSync: vi.fn((p) => p.toString()),
+            statSync: vi.fn(() => ({ isDirectory: () => true })),
             mkdirSync: vi.fn(),
+            mkdtempSync: vi.fn((prefix) => prefix + 'mocked'),
             openSync: vi.fn(),
             closeSync: vi.fn(),
             writeFileSync: vi.fn(),
+            readdirSync: vi.fn(() => []),
+            chmodSync: vi.fn(),
+            unlinkSync: vi.fn(),
+            rmSync: vi.fn(),
         },
         existsSync: vi.fn(() => true),
         realpathSync: vi.fn((p) => p.toString()),
+        statSync: vi.fn(() => ({ isDirectory: () => true })),
         mkdirSync: vi.fn(),
+        mkdtempSync: vi.fn((prefix) => prefix + 'mocked'),
         openSync: vi.fn(),
         closeSync: vi.fn(),
         writeFileSync: vi.fn(),
+        readdirSync: vi.fn(() => []),
+        chmodSync: vi.fn(),
+        unlinkSync: vi.fn(),
+        rmSync: vi.fn(),
+    };
+});
+vi.mock('../../utils/shell-utils.js', async (importOriginal) => {
+    const actual = await importOriginal();
+    return {
+        ...actual,
+        spawnAsync: vi.fn(() => Promise.resolve({ status: 0, stdout: Buffer.from('') })),
+        initializeShellParsers: vi.fn(),
+        isStrictlyApproved: vi.fn().mockResolvedValue(true),
     };
 });
 describe('LinuxSandboxManager', () => {
@@ -37,149 +59,70 @@ describe('LinuxSandboxManager', () => {
         vi.mocked(fs.realpathSync).mockImplementation((p) => p.toString());
         manager = new LinuxSandboxManager({ workspace });
     });
-    const getBwrapArgs = async (req) => {
-        const result = await manager.prepareCommand(req);
-        expect(result.program).toBe('sh');
-        expect(result.args[0]).toBe('-c');
-        expect(result.args[1]).toBe('bpf_path="$1"; shift; exec bwrap "$@" 9< "$bpf_path"');
-        expect(result.args[2]).toBe('_');
-        expect(result.args[3]).toMatch(/gemini-cli-seccomp-.*\.bpf$/);
-        return result.args.slice(4);
-    };
-    it('correctly outputs bwrap as the program with appropriate isolation flags', async () => {
-        const bwrapArgs = await getBwrapArgs({
-            command: 'ls',
-            args: ['-la'],
-            cwd: workspace,
-            env: {},
-        });
-        expect(bwrapArgs).toEqual([
-            '--unshare-all',
-            '--new-session',
-            '--die-with-parent',
-            '--ro-bind',
-            '/',
-            '/',
-            '--dev',
-            '/dev',
-            '--proc',
-            '/proc',
-            '--tmpfs',
-            '/tmp',
-            '--bind',
-            workspace,
-            workspace,
-            '--ro-bind',
-            `${workspace}/.gitignore`,
-            `${workspace}/.gitignore`,
-            '--ro-bind',
-            `${workspace}/.geminiignore`,
-            `${workspace}/.geminiignore`,
-            '--ro-bind',
-            `${workspace}/.git`,
-            `${workspace}/.git`,
-            '--seccomp',
-            '9',
-            '--',
-            'ls',
-            '-la',
-        ]);
-    });
-    it('maps allowedPaths to bwrap binds', async () => {
-        const bwrapArgs = await getBwrapArgs({
-            command: 'node',
-            args: ['script.js'],
-            cwd: workspace,
-            env: {},
-            policy: {
-                allowedPaths: ['/tmp/cache', '/opt/tools', workspace],
-            },
-        });
-        // Verify the specific bindings were added correctly
-        const bindsIndex = bwrapArgs.indexOf('--seccomp');
-        const binds = bwrapArgs.slice(bwrapArgs.indexOf('--bind'), bindsIndex);
-        expect(binds).toEqual([
-            '--bind',
-            workspace,
-            workspace,
-            '--ro-bind',
-            `${workspace}/.gitignore`,
-            `${workspace}/.gitignore`,
-            '--ro-bind',
-            `${workspace}/.geminiignore`,
-            `${workspace}/.geminiignore`,
-            '--ro-bind',
-            `${workspace}/.git`,
-            `${workspace}/.git`,
-            '--bind-try',
-            '/tmp/cache',
-            '/tmp/cache',
-            '--bind-try',
-            '/opt/tools',
-            '/opt/tools',
-        ]);
+    afterEach(() => {
+        vi.restoreAllMocks();
     });
-    it('protects real paths of governance files if they are symlinks', async () => {
-        vi.mocked(fs.realpathSync).mockImplementation((p) => {
-            if (p.toString() === `${workspace}/.gitignore`)
-                return '/shared/global.gitignore';
-            return p.toString();
+    describe('prepareCommand', () => {
+        it('wraps the command and arguments correctly using a temporary file', async () => {
+            const result = await manager.prepareCommand({
+                command: 'ls',
+                args: ['-la'],
+                cwd: workspace,
+                env: { PATH: '/usr/bin' },
+            });
+            expect(result.program).toBe('sh');
+            expect(result.args[0]).toBe('-c');
+            expect(result.args[1]).toContain('exec bwrap --args 8 "$@" 8< "$args_path" 9< "$bpf_path"');
+            expect(result.args[result.args.length - 3]).toBe('--');
+            expect(result.args[result.args.length - 2]).toBe('ls');
+            expect(result.args[result.args.length - 1]).toBe('-la');
+            expect(result.env['PATH']).toBe('/usr/bin');
         });
-        const bwrapArgs = await getBwrapArgs({
-            command: 'ls',
-            args: [],
-            cwd: workspace,
-            env: {},
+        it('cleans up the temporary arguments file', async () => {
+            const result = await manager.prepareCommand({
+                command: 'ls',
+                args: [],
+                cwd: workspace,
+                env: {},
+            });
+            expect(result.cleanup).toBeDefined();
+            result.cleanup();
+            expect(fs.unlinkSync).toHaveBeenCalled();
+            const unlinkCall = vi.mocked(fs.unlinkSync).mock.calls[0];
+            expect(unlinkCall[0]).toMatch(/gemini-cli-bwrap-args-.*\.args$/);
         });
-        expect(bwrapArgs).toContain('--ro-bind');
-        expect(bwrapArgs).toContain(`${workspace}/.gitignore`);
-        expect(bwrapArgs).toContain('/shared/global.gitignore');
-        // Check that both are bound
-        const gitignoreIndex = bwrapArgs.indexOf(`${workspace}/.gitignore`);
-        expect(bwrapArgs[gitignoreIndex - 1]).toBe('--ro-bind');
-        expect(bwrapArgs[gitignoreIndex + 1]).toBe(`${workspace}/.gitignore`);
-        const realGitignoreIndex = bwrapArgs.indexOf('/shared/global.gitignore');
-        expect(bwrapArgs[realGitignoreIndex - 1]).toBe('--ro-bind');
-        expect(bwrapArgs[realGitignoreIndex + 1]).toBe('/shared/global.gitignore');
-    });
-    it('touches governance files if they do not exist', async () => {
-        vi.mocked(fs.existsSync).mockReturnValue(false);
-        await getBwrapArgs({
-            command: 'ls',
-            args: [],
-            cwd: workspace,
-            env: {},
+        it('translates virtual commands', async () => {
+            const readResult = await manager.prepareCommand({
+                command: '__read',
+                args: [path.join(workspace, 'file.txt')],
+                cwd: workspace,
+                env: {},
+            });
+            // Length is 8: ['-c', '...', '_', bpf, args, '--', '/bin/cat', file]
+            expect(readResult.args[readResult.args.length - 2]).toBe('/bin/cat');
+            const writeResult = await manager.prepareCommand({
+                command: '__write',
+                args: [path.join(workspace, 'file.txt')],
+                cwd: workspace,
+                env: {},
+            });
+            // Length is 11: ['-c', '...', '_', bpf, args, '--', '/bin/sh', '-c', '...', '_', file]
+            expect(writeResult.args[writeResult.args.length - 5]).toBe('/bin/sh');
+            expect(writeResult.args[writeResult.args.length - 1]).toBe(path.join(workspace, 'file.txt'));
         });
-        expect(fs.mkdirSync).toHaveBeenCalled();
-        expect(fs.openSync).toHaveBeenCalled();
-    });
-    it('should not bind the workspace twice even if it has a trailing slash in allowedPaths', async () => {
-        const bwrapArgs = await getBwrapArgs({
-            command: 'ls',
-            args: ['-la'],
-            cwd: workspace,
-            env: {},
-            policy: {
-                allowedPaths: [workspace + '/'],
-            },
+        it('rejects overrides in plan mode', async () => {
+            const customManager = new LinuxSandboxManager({
+                workspace,
+                modeConfig: { allowOverrides: false },
+            });
+            await expect(customManager.prepareCommand({
+                command: 'ls',
+                args: [],
+                cwd: workspace,
+                env: {},
+                policy: { networkAccess: true },
+            })).rejects.toThrow(/Cannot override/);
         });
-        const bindsIndex = bwrapArgs.indexOf('--seccomp');
-        const binds = bwrapArgs.slice(bwrapArgs.indexOf('--bind'), bindsIndex);
-        // Should only contain the primary workspace bind and governance files, not the second workspace bind with a trailing slash
-        expect(binds).toEqual([
-            '--bind',
-            workspace,
-            workspace,
-            '--ro-bind',
-            `${workspace}/.gitignore`,
-            `${workspace}/.gitignore`,
-            '--ro-bind',
-            `${workspace}/.geminiignore`,
-            `${workspace}/.geminiignore`,
-            '--ro-bind',
-            `${workspace}/.git`,
-            `${workspace}/.git`,
-        ]);
     });
 });
 //# sourceMappingURL=LinuxSandboxManager.test.js.map

package/dist/src/sandbox/linux/LinuxSandboxManager.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"LinuxSandboxManager.test.js","sourceRoot":"","sources":["../../../../src/sandbox/linux/LinuxSandboxManager.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAE/D,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,IAAI,EAAE;IAC5B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,YAAY,CAA2B,SAAS,CAAC,CAAC;IAC1E,OAAO;QACL,GAAG,MAAM;QACT,OAAO,EAAE;YACP,0FAA0F;YAC1F,GAAG,MAAM,CAAC,OAAO;YACjB,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;YAC7B,YAAY,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAkB,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;YACzD,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;YAClB,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE;YACjB,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;YAClB,aAAa,EAAE,EAAE,CAAC,EAAE,EAAE;SACvB;QACD,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;QAC7B,YAAY,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAkB,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QACzD,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;QAClB,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE;QACjB,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;QAClB,aAAa,EAAE,EAAE,CAAC,EAAE,EAAE;KACvB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,MAAM,SAAS,GAAG,sBAAsB,CAAC;IACzC,IAAI,OAA4B,CAAC;IAEjC,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,aAAa,EAAE,CAAC;QACnB,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QAC/C,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QACnE,OAAO,GAAG,IAAI,mBAAmB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,MAAM,YAAY,GAAG,KAAK,EAAE,GAAmB,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CACzB,sDAAsD,CACvD,CAAC;QACF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,6BAA6B,CAAC,CAAC;QAC9D,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC,CAAC;IAEF,EAAE,CAAC,yEAAyE,EAAE,KAAK,IAAI,EAAE;QACvF,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC;YACnC,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,CAAC,KAAK,CAAC;YACb,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,EAAE;SACR,CAAC,CAAC;QAEH,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC;YACxB,eAAe;YACf,eAAe;YACf,mBAAmB;YACnB,WAAW;YACX,GAAG;YACH,GAAG;YACH,OAAO;YACP,MAAM;YACN,QAAQ;YACR,OAAO;YACP,SAAS;YACT,MAAM;YACN,QAAQ;YACR,SAAS;YACT,SAAS;YACT,WAAW;YACX,GAAG,SAAS,aAAa;YACzB,GAAG,SAAS,aAAa;YACzB,WAAW;YACX,GAAG,SAAS,gBAAgB;YAC5B,GAAG,SAAS,gBAAgB;YAC5B,WAAW;YACX,GAAG,SAAS,OAAO;YACnB,GAAG,SAAS,OAAO;YACnB,WAAW;YACX,GAAG;YACH,IAAI;YACJ,IAAI;YACJ,KAAK;SACN,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;QAChD,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC;YACnC,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,CAAC,WAAW,CAAC;YACnB,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,EAAE;YACP,MAAM,EAAE;gBACN,YAAY,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,SAAS,CAAC;aACtD;SACF,CAAC,CAAC;QAEH,oDAAoD;QACpD,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;QAEvE,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC;YACpB,QAAQ;YACR,SAAS;YACT,SAAS;YACT,WAAW;YACX,GAAG,SAAS,aAAa;YACzB,GAAG,SAAS,aAAa;YACzB,WAAW;YACX,GAAG,SAAS,gBAAgB;YAC5B,GAAG,SAAS,gBAAgB;YAC5B,WAAW;YACX,GAAG,SAAS,OAAO;YACnB,GAAG,SAAS,OAAO;YACnB,YAAY;YACZ,YAAY;YACZ,YAAY;YACZ,YAAY;YACZ,YAAY;YACZ,YAAY;SACb,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,KAAK,IAAI,EAAE;QAC5E,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE;YAClD,IAAI,CAAC,CAAC,QAAQ,EAAE,KAAK,GAAG,SAAS,aAAa;gBAC5C,OAAO,0BAA0B,CAAC;YACpC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QACtB,CAAC,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC;YACnC,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,EAAE;SACR,CAAC,CAAC;QAEH,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACzC,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,GAAG,SAAS,aAAa,CAAC,CAAC;QACvD,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;QAExD,4BAA4B;QAC5B,MAAM,cAAc,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,SAAS,aAAa,CAAC,CAAC;QACpE,MAAM,CAAC,SAAS,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACxD,MAAM,CAAC,SAAS,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,SAAS,aAAa,CAAC,CAAC;QAEtE,MAAM,kBAAkB,GAAG,SAAS,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;QACzE,MAAM,CAAC,SAAS,CAAC,kBAAkB,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC5D,MAAM,CAAC,SAAS,CAAC,kBAAkB,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAEhD,MAAM,YAAY,CAAC;YACjB,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,EAAE;YACR,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,EAAE;SACR,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,gBAAgB,EAAE,CAAC;QACxC,MAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,CAAC,gBAAgB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qFAAqF,EAAE,KAAK,IAAI,EAAE;QACnG,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC;YACnC,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,CAAC,KAAK,CAAC;YACb,GAAG,EAAE,SAAS;YACd,GAAG,EAAE,EAAE;YACP,MAAM,EAAE;gBACN,YAAY,EAAE,CAAC,SAAS,GAAG,GAAG,CAAC;aAChC;SACF,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAC;QAEvE,2HAA2H;QAC3H,MAAM,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC;YACpB,QAAQ;YACR,SAAS;YACT,SAAS;YACT,WAAW;YACX,GAAG,SAAS,aAAa;YACzB,GAAG,SAAS,aAAa;YACzB,WAAW;YACX,GAAG,SAAS,gBAAgB;YAC5B,GAAG,SAAS,gBAAgB;YAC5B,WAAW;YACX,GAAG,SAAS,OAAO;YACnB,GAAG,SAAS,OAAO;SACpB,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"LinuxSandboxManager.test.js","sourceRoot":"","sources":["../../../../src/sandbox/linux/LinuxSandboxManager.test.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,IAAI,EAAE;IAC5B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,YAAY,CAA2B,SAAS,CAAC,CAAC;IAC1E,OAAO;QACL,GAAG,MAAM;QACT,OAAO,EAAE;YACP,0FAA0F;YAC1F,GAAG,MAAM,CAAC,OAAO;YACjB,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;YAC7B,YAAY,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;YACxC,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAa,CAAC;YAChE,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;YAClB,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,MAAc,EAAE,EAAE,CAAC,MAAM,GAAG,QAAQ,CAAC;YACzD,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE;YACjB,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;YAClB,aAAa,EAAE,EAAE,CAAC,EAAE,EAAE;YACtB,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;YAC5B,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;YAClB,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE;YACnB,MAAM,EAAE,EAAE,CAAC,EAAE,EAAE;SAChB;QACD,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;QAC7B,YAAY,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxC,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAa,CAAC;QAChE,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;QAClB,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,MAAc,EAAE,EAAE,CAAC,MAAM,GAAG,QAAQ,CAAC;QACzD,QAAQ,EAAE,EAAE,CAAC,EAAE,EAAE;QACjB,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;QAClB,aAAa,EAAE,EAAE,CAAC,EAAE,EAAE;QACtB,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;QAC5B,SAAS,EAAE,EAAE,CAAC,EAAE,EAAE;QAClB,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE;QACnB,MAAM,EAAE,EAAE,CAAC,EAAE,EAAE;KAChB,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,EAAE,CAAC,IAAI,CAAC,4BAA4B,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;IAC7D,MAAM,MAAM,GACV,MAAM,cAAc,EAA+C,CAAC;IACtE,OAAO;QACL,GAAG,MAAM;QACT,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CACrB,OAAO,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,CACxD;QACD,sBAAsB,EAAE,EAAE,CAAC,EAAE,EAAE;QAC/B,kBAAkB,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC;KACpD,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,MAAM,SAAS,GAAG,sBAAsB,CAAC;IACzC,IAAI,OAA4B,CAAC;IAEjC,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,aAAa,EAAE,CAAC;QACnB,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QAC/C,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QACnE,OAAO,GAAG,IAAI,mBAAmB,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,eAAe,EAAE,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;YAChF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC1C,OAAO,EAAE,IAAI;gBACb,IAAI,EAAE,CAAC,KAAK,CAAC;gBACb,GAAG,EAAE,SAAS;gBACd,GAAG,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE;aAC1B,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAC9B,yDAAyD,CAC1D,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACvD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACvD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACxD,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC1C,OAAO,EAAE,IAAI;gBACb,IAAI,EAAE,EAAE;gBACR,GAAG,EAAE,SAAS;gBACd,GAAG,EAAE,EAAE;aACR,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;YACrC,MAAM,CAAC,OAAQ,EAAE,CAAC;YAElB,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,gBAAgB,EAAE,CAAC;YACzC,MAAM,UAAU,GAAG,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1D,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,iCAAiC,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;YAC3C,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC9C,OAAO,EAAE,QAAQ;gBACjB,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;gBACxC,GAAG,EAAE,SAAS;gBACd,GAAG,EAAE,EAAE;aACR,CAAC,CAAC;YACH,qEAAqE;YACrE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAErE,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,cAAc,CAAC;gBAC/C,OAAO,EAAE,SAAS;gBAClB,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;gBACxC,GAAG,EAAE,SAAS;gBACd,GAAG,EAAE,EAAE;aACR,CAAC,CAAC;YACH,uFAAuF;YACvF,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACtE,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CACxD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CACjC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;gBAC5C,SAAS;gBACT,UAAU,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE;aACtC,CAAC,CAAC;YACH,MAAM,MAAM,CACV,aAAa,CAAC,cAAc,CAAC;gBAC3B,OAAO,EAAE,IAAI;gBACb,IAAI,EAAE,EAAE;gBACR,GAAG,EAAE,SAAS;gBACd,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE;aAChC,CAAC,CACH,CAAC,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/src/sandbox/linux/bwrapArgsBuilder.d.ts

@@ -0,0 +1,24 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { type SandboxPermissions } from '../../services/sandboxManager.js';
+/**
+ * Options for building bubblewrap (bwrap) arguments.
+ */
+export interface BwrapArgsOptions {
+    workspace: string;
+    workspaceWrite: boolean;
+    networkAccess: boolean;
+    allowedPaths: string[];
+    forbiddenPaths: string[];
+    additionalPermissions: SandboxPermissions;
+    includeDirectories: string[];
+    maskFilePath: string;
+    isWriteCommand: boolean;
+}
+/**
+ * Builds the list of bubblewrap arguments based on the provided options.
+ */
+export declare function buildBwrapArgs(options: BwrapArgsOptions): Promise<string[]>;

package/dist/src/sandbox/linux/bwrapArgsBuilder.js

@@ -0,0 +1,200 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import fs from 'node:fs';
+import { join, dirname, normalize } from 'node:path';
+import { GOVERNANCE_FILES, getSecretFileFindArgs, sanitizePaths, } from '../../services/sandboxManager.js';
+import { tryRealpath, resolveGitWorktreePaths, isErrnoException, } from '../utils/fsUtils.js';
+import { spawnAsync } from '../../utils/shell-utils.js';
+import { debugLogger } from '../../utils/debugLogger.js';
+/**
+ * Builds the list of bubblewrap arguments based on the provided options.
+ */
+export async function buildBwrapArgs(options) {
+    const bwrapArgs = [
+        '--unshare-all',
+        '--new-session', // Isolate session
+        '--die-with-parent', // Prevent orphaned runaway processes
+    ];
+    if (options.networkAccess || options.additionalPermissions.network) {
+        bwrapArgs.push('--share-net');
+    }
+    bwrapArgs.push('--ro-bind', '/', '/', '--dev', // Creates a safe, minimal /dev (replaces --dev-bind)
+    '/dev', '--proc', // Creates a fresh procfs for the unshared PID namespace
+    '/proc', '--tmpfs', // Provides an isolated, writable /tmp directory
+    '/tmp');
+    const workspacePath = tryRealpath(options.workspace);
+    const bindFlag = options.workspaceWrite ? '--bind-try' : '--ro-bind-try';
+    if (options.workspaceWrite) {
+        bwrapArgs.push('--bind-try', options.workspace, options.workspace);
+        if (workspacePath !== options.workspace) {
+            bwrapArgs.push('--bind-try', workspacePath, workspacePath);
+        }
+    }
+    else {
+        bwrapArgs.push('--ro-bind-try', options.workspace, options.workspace);
+        if (workspacePath !== options.workspace) {
+            bwrapArgs.push('--ro-bind-try', workspacePath, workspacePath);
+        }
+    }
+    const { worktreeGitDir, mainGitDir } = resolveGitWorktreePaths(workspacePath);
+    if (worktreeGitDir) {
+        bwrapArgs.push(bindFlag, worktreeGitDir, worktreeGitDir);
+    }
+    if (mainGitDir) {
+        bwrapArgs.push(bindFlag, mainGitDir, mainGitDir);
+    }
+    const includeDirs = sanitizePaths(options.includeDirectories);
+    for (const includeDir of includeDirs) {
+        try {
+            const resolved = tryRealpath(includeDir);
+            bwrapArgs.push('--ro-bind-try', resolved, resolved);
+        }
+        catch {
+            // Ignore
+        }
+    }
+    const normalizedWorkspace = normalize(workspacePath).replace(/\/$/, '');
+    for (const allowedPath of options.allowedPaths) {
+        const resolved = tryRealpath(allowedPath);
+        if (!fs.existsSync(resolved)) {
+            // If the path doesn't exist, we still want to allow access to its parent
+            // if it's explicitly allowed, to enable creating it.
+            try {
+                const resolvedParent = tryRealpath(dirname(resolved));
+                bwrapArgs.push(options.isWriteCommand ? '--bind-try' : bindFlag, resolvedParent, resolvedParent);
+            }
+            catch {
+                // Ignore
+            }
+            continue;
+        }
+        const normalizedAllowedPath = normalize(resolved).replace(/\/$/, '');
+        if (normalizedAllowedPath !== normalizedWorkspace) {
+            bwrapArgs.push('--bind-try', resolved, resolved);
+        }
+    }
+    const additionalReads = sanitizePaths(options.additionalPermissions.fileSystem?.read);
+    for (const p of additionalReads) {
+        try {
+            const safeResolvedPath = tryRealpath(p);
+            bwrapArgs.push('--ro-bind-try', safeResolvedPath, safeResolvedPath);
+        }
+        catch (e) {
+            debugLogger.warn(e instanceof Error ? e.message : String(e));
+        }
+    }
+    const additionalWrites = sanitizePaths(options.additionalPermissions.fileSystem?.write);
+    for (const p of additionalWrites) {
+        try {
+            const safeResolvedPath = tryRealpath(p);
+            bwrapArgs.push('--bind-try', safeResolvedPath, safeResolvedPath);
+        }
+        catch (e) {
+            debugLogger.warn(e instanceof Error ? e.message : String(e));
+        }
+    }
+    for (const file of GOVERNANCE_FILES) {
+        const filePath = join(options.workspace, file.path);
+        const realPath = tryRealpath(filePath);
+        bwrapArgs.push('--ro-bind', filePath, filePath);
+        if (realPath !== filePath) {
+            bwrapArgs.push('--ro-bind', realPath, realPath);
+        }
+    }
+    for (const p of options.forbiddenPaths) {
+        let resolved;
+        try {
+            resolved = tryRealpath(p); // Forbidden paths should still resolve to block the real path
+            if (!fs.existsSync(resolved))
+                continue;
+        }
+        catch (e) {
+            debugLogger.warn(`Failed to resolve forbidden path ${p}: ${e instanceof Error ? e.message : String(e)}`);
+            bwrapArgs.push('--ro-bind', '/dev/null', p);
+            continue;
+        }
+        try {
+            const stat = fs.statSync(resolved);
+            if (stat.isDirectory()) {
+                bwrapArgs.push('--tmpfs', resolved, '--remount-ro', resolved);
+            }
+            else {
+                bwrapArgs.push('--ro-bind', '/dev/null', resolved);
+            }
+        }
+        catch (e) {
+            if (isErrnoException(e) && e.code === 'ENOENT') {
+                bwrapArgs.push('--symlink', '/dev/null', resolved);
+            }
+            else {
+                debugLogger.warn(`Failed to stat forbidden path ${resolved}: ${e instanceof Error ? e.message : String(e)}`);
+                bwrapArgs.push('--ro-bind', '/dev/null', resolved);
+            }
+        }
+    }
+    // Mask secret files (.env, .env.*)
+    const secretArgs = await getSecretFilesArgs(options.workspace, options.allowedPaths, options.maskFilePath);
+    bwrapArgs.push(...secretArgs);
+    return bwrapArgs;
+}
+/**
+ * Generates bubblewrap arguments to mask secret files.
+ */
+async function getSecretFilesArgs(workspace, allowedPaths, maskPath) {
+    const args = [];
+    const searchDirs = new Set([workspace, ...allowedPaths]);
+    const findPatterns = getSecretFileFindArgs();
+    for (const dir of searchDirs) {
+        try {
+            // Use the native 'find' command for performance and to catch nested secrets.
+            // We limit depth to 3 to keep it fast while covering common nested structures.
+            // We use -prune to skip heavy directories efficiently while matching dotfiles.
+            const findResult = await spawnAsync('find', [
+                dir,
+                '-maxdepth',
+                '3',
+                '-type',
+                'd',
+                '(',
+                '-name',
+                '.git',
+                '-o',
+                '-name',
+                'node_modules',
+                '-o',
+                '-name',
+                '.venv',
+                '-o',
+                '-name',
+                '__pycache__',
+                '-o',
+                '-name',
+                'dist',
+                '-o',
+                '-name',
+                'build',
+                ')',
+                '-prune',
+                '-o',
+                '-type',
+                'f',
+                ...findPatterns,
+                '-print0',
+            ]);
+            const files = findResult.stdout.toString().split('\0');
+            for (const file of files) {
+                if (file.trim()) {
+                    args.push('--bind', maskPath, file.trim());
+                }
+            }
+        }
+        catch (e) {
+            debugLogger.log(`LinuxSandboxManager: Failed to find or mask secret files in ${dir}`, e);
+        }
+    }
+    return args;
+}
+//# sourceMappingURL=bwrapArgsBuilder.js.map

package/dist/src/sandbox/linux/bwrapArgsBuilder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bwrapArgsBuilder.js","sourceRoot":"","sources":["../../../../src/sandbox/linux/bwrapArgsBuilder.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,EAEL,gBAAgB,EAChB,qBAAqB,EACrB,aAAa,GACd,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EACL,WAAW,EACX,uBAAuB,EACvB,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAiBzD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAyB;IAEzB,MAAM,SAAS,GAAa;QAC1B,eAAe;QACf,eAAe,EAAE,kBAAkB;QACnC,mBAAmB,EAAE,qCAAqC;KAC3D,CAAC;IAEF,IAAI,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,qBAAqB,CAAC,OAAO,EAAE,CAAC;QACnE,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAChC,CAAC;IAED,SAAS,CAAC,IAAI,CACZ,WAAW,EACX,GAAG,EACH,GAAG,EACH,OAAO,EAAE,qDAAqD;IAC9D,MAAM,EACN,QAAQ,EAAE,wDAAwD;IAClE,OAAO,EACP,SAAS,EAAE,gDAAgD;IAC3D,MAAM,CACP,CAAC;IAEF,MAAM,aAAa,GAAG,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAErD,MAAM,QAAQ,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,eAAe,CAAC;IAEzE,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3B,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QACnE,IAAI,aAAa,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC;YACxC,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;SAAM,CAAC;QACN,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QACtE,IAAI,aAAa,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC;YACxC,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,uBAAuB,CAAC,aAAa,CAAC,CAAC;IAC9E,IAAI,cAAc,EAAE,CAAC;QACnB,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,WAAW,GAAG,aAAa,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC9D,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;YACzC,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IAED,MAAM,mBAAmB,GAAG,SAAS,CAAC,aAAa,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACxE,KAAK,MAAM,WAAW,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;QAC1C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,yEAAyE;YACzE,qDAAqD;YACrD,IAAI,CAAC;gBACH,MAAM,cAAc,GAAG,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;gBACtD,SAAS,CAAC,IAAI,CACZ,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,EAChD,cAAc,EACd,cAAc,CACf,CAAC;YACJ,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YACD,SAAS;QACX,CAAC;QACD,MAAM,qBAAqB,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACrE,IAAI,qBAAqB,KAAK,mBAAmB,EAAE,CAAC;YAClD,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAG,aAAa,CACnC,OAAO,CAAC,qBAAqB,CAAC,UAAU,EAAE,IAAI,CAC/C,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,gBAAgB,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YACxC,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,CAAC;QACtE,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,WAAW,CAAC,IAAI,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,MAAM,gBAAgB,GAAG,aAAa,CACpC,OAAO,CAAC,qBAAqB,CAAC,UAAU,EAAE,KAAK,CAChD,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,gBAAgB,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,gBAAgB,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YACxC,SAAS,CAAC,IAAI,CAAC,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,CAAC,CAAC;QACnE,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,WAAW,CAAC,IAAI,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,gBAAgB,EAAE,CAAC;QACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QACpD,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;QACvC,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAChD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QACvC,IAAI,QAAgB,CAAC;QACrB,IAAI,CAAC;YACH,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,8DAA8D;YACzF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;gBAAE,SAAS;QACzC,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,WAAW,CAAC,IAAI,CACd,oCAAoC,CAAC,KAAK,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACvF,CAAC;YACF,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;YAC5C,SAAS;QACX,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;gBACvB,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,cAAc,EAAE,QAAQ,CAAC,CAAC;YAChE,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAAC,OAAO,CAAU,EAAE,CAAC;YACpB,IAAI,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC/C,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;YACrD,CAAC;iBAAM,CAAC;gBACN,WAAW,CAAC,IAAI,CACd,iCAAiC,QAAQ,KAAK,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAC3F,CAAC;gBACF,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;IACH,CAAC;IAED,mCAAmC;IACnC,MAAM,UAAU,GAAG,MAAM,kBAAkB,CACzC,OAAO,CAAC,SAAS,EACjB,OAAO,CAAC,YAAY,EACpB,OAAO,CAAC,YAAY,CACrB,CAAC;IACF,SAAS,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;IAE9B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAC/B,SAAiB,EACjB,YAAsB,EACtB,QAAgB;IAEhB,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC;IACzD,MAAM,YAAY,GAAG,qBAAqB,EAAE,CAAC;IAE7C,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,6EAA6E;YAC7E,+EAA+E;YAC/E,+EAA+E;YAC/E,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE;gBAC1C,GAAG;gBACH,WAAW;gBACX,GAAG;gBACH,OAAO;gBACP,GAAG;gBACH,GAAG;gBACH,OAAO;gBACP,MAAM;gBACN,IAAI;gBACJ,OAAO;gBACP,cAAc;gBACd,IAAI;gBACJ,OAAO;gBACP,OAAO;gBACP,IAAI;gBACJ,OAAO;gBACP,aAAa;gBACb,IAAI;gBACJ,OAAO;gBACP,MAAM;gBACN,IAAI;gBACJ,OAAO;gBACP,OAAO;gBACP,GAAG;gBACH,QAAQ;gBACR,IAAI;gBACJ,OAAO;gBACP,GAAG;gBACH,GAAG,YAAY;gBACf,SAAS;aACV,CAAC,CAAC;YAEH,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACvD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;oBAChB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC7C,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,WAAW,CAAC,GAAG,CACb,+DAA+D,GAAG,EAAE,EACpE,CAAC,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/src/sandbox/linux/bwrapArgsBuilder.test.d.ts

@@ -0,0 +1,6 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export {};