@mcpher/gas-fakes 1.0.16 → 1.0.18

package/gasmess/tanaike/for_simple_test.js

@@ -1,12 +1,7 @@
 import "../../main.js";
-import { FakeSpreadsheetApp } from "../../src/services/spreadsheetapp/fakespreadsheetapp.js";
-import { moveToTempFolder, deleteTempFile } from "./tempfolder.js";
 
-const spreadsheet = SpreadsheetApp.openById("###");
+ScriptApp.__behavior.sandBoxMode = true;
+const spreadsheet = SpreadsheetApp.create("sample1");
 const sheet = spreadsheet.getSheets()[0];
 sheet.setName("sample");
-
-const r = spreadsheet.getRangeByName("test111");
-if (r) {
-  console.log(r.getA1Notation());
-}
+ScriptApp.__behavior.trash();

package/gasmess/tanaike/sample5.js

@@ -0,0 +1,63 @@
+import "../../main.js";
+
+ScriptApp.__behavior.sandBoxMode = true;
+sample();
+ScriptApp.__behavior.trash();
+
+function sample() {
+  const spreadsheet = SpreadsheetApp.create("sample");
+  const sheet = spreadsheet.getSheets()[0];
+
+  // Create protected sheet.
+  // For Class Sheet
+  const unprotectedRanges = [sheet.getRange("A1:B1")];
+  const p1 = sheet
+    .protect()
+    .setDescription("sample1")
+    .setWarningOnly(true)
+    .setUnprotectedRanges(unprotectedRanges);
+  console.log(p1.getDescription()); // "sample1"
+  console.log(p1.getUnprotectedRanges()[0].getA1Notation()); // "A1:B1"
+  console.log(p1.canEdit()); // true
+  console.log(p1.getEditors().length); // 1
+  console.log(p1.getProtectionType().toString()); // SHEET
+  console.log(p1.isWarningOnly()); // true
+
+  // For Class Spreadsheet
+  const protections = spreadsheet.getProtections(
+    SpreadsheetApp.ProtectionType.SHEET
+  );
+  console.log(protections.some((p) => p.getDescription() == "sample1")); // true
+
+  p1.remove();
+
+  // Create protected range with a range.
+  // For Class Range
+  const p2 = sheet.getRange("A1:D5").protect().setDescription("sample2");
+  p2.setRange(sheet.getRange("B2:E6"));
+  console.log(p2.getRange().getA1Notation()); // "B2:E6"
+  console.log(p2.getProtectionType().toString()); // RANGE
+  p2.remove();
+
+  // Create named range.
+  const rangeName = "sampleNamedRange1";
+  const range1 = sheet.getRange("C3:F7");
+  spreadsheet.setNamedRange(rangeName, range1);
+  const namedRange = spreadsheet
+    .getNamedRanges()
+    .find((e) => e.getName() == rangeName);
+
+  // Create protected range with named range 1.
+  const p3 = sheet.getRange("A1:D5").protect().setDescription("sample2");
+  p3.setRangeName(rangeName);
+  console.log(p3.getRangeName()); // sampleNamedRange1
+  p3.remove();
+
+  // Create protected range with named range 2.
+  const p4 = sheet.getRange("A1:D5").protect().setDescription("sample2");
+  p4.setNamedRange(namedRange);
+  console.log(p4.getRangeName()); // sampleNamedRange1
+  p4.remove();
+
+  namedRange.remove();
+}

package/ghissues/image-size-inconsistency-issue.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# A shell script to create a GitHub issue for the image sizing inconsistency.
+
+# Issue title
+TITLE="Investigate and Align Image Insertion Sizing Behavior"
+
+# Issue body in markdown
+BODY=$(cat <<'EOF'
+## Summary
+
+There is a significant and inconsistent discrepancy in how the live `DocumentApp` service and the `gas-fakes` emulation (via the Docs API) handle the dimensions of an image when it is inserted using `body.insertImage(image.copy())` or `body.appendImage(image.copy())`.
+
+The `testdocsimages.js` test suite has repeatedly failed and required adjustments because the expected dimensions of the inserted image are unpredictable in the live environment.
+
+## Observed Behaviors in Live Apps Script
+
+Our testing has revealed several conflicting behaviors from the live API:
+
+1.  **Intrinsic Size:** Sometimes, the API ignores the dimensions of the copied `InlineImage` object and re-fetches the image from its source URI, using its original intrinsic dimensions (e.g., `544x184` for the Google logo).
+2.  **Copied Object Size:** At other times, the API correctly respects the dimensions of the copied `InlineImage` object (e.g., `61x181` in our tests).
+3.  **Default/Fixed Size:** On at least one occasion, the API appeared to resize the image to a seemingly arbitrary fixed size (e.g., `240x80`).
+4.  **State-Dependent:** The behavior seems to be dependent on the state of the document. A brand-new document might exhibit one behavior, while a reused document (even after `doc.clear()`) exhibits another.
+
+## Current Workaround
+
+The current test (`insertImage behavior on new documents` in `testdocsimages.js`) has been made more robust by:
+- Forcing the creation of a new document for the test using `maketdoc(..., { forceNew: true })`.
+- Abandoning exact dimension checks in the live environment and instead verifying the image's **aspect ratio** within a tolerance.
+
+While this makes the test pass, it highlights a core emulation inaccuracy.
+
+## TODO
+
+1.  **Investigate Further:** Conduct a definitive set of tests to determine if there is *any* predictable pattern to the live API's behavior.
+2.  **Decide on Emulation Strategy:**
+    - Should `gas-fakes` emulate the most common or most "correct" behavior (i.e., respecting the copied object's dimensions)?
+    - Or should it attempt to mimic the most recently observed "new document" behavior (using intrinsic size)?
+3.  **Document the Oddity:** Regardless of the chosen strategy, this inconsistency is a significant "oddity" and should be thoroughly documented in `oddities.md` to inform users who might encounter similar issues when working with images in `DocumentApp`.
+
+This will improve the accuracy of the fake environment and provide valuable documentation for the community.
+EOF
+)
+
+# Create the issue using GitHub CLI
+gh issue create --title "$TITLE" --body "$BODY" --label "bug" --label "emulation-accuracy" --label "document-app"

package/ghissues/review-sandbox-listing-issue.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# A shell script to create a GitHub issue for reviewing sandbox listing behavior.
+
+# Issue title
+TITLE="Review Sandbox Strategy for File Listing Operations"
+
+# Issue body in markdown
+BODY=$(cat <<'EOF'
+## Summary
+
+Currently, tests that perform broad file/folder listing operations (e.g., `DriveApp.getFiles()`, `someFolder.getFolders()`) fail when `strictSandbox` is `true`. This is because the underlying iterators may need to access metadata of parent folders that are not explicitly whitelisted, causing the sandbox to correctly deny access.
+
+The current workaround, as implemented in `testdrive.js`, is to temporarily disable `strictSandbox` for the duration of these tests:
+
+```javascript
+const wasStrict = behavior.strictSandbox;
+behavior.strictSandbox = false;
+try {
+  // ... listing operations ...
+} finally {
+  behavior.strictSandbox = wasStrict;
+}
+```
+
+While this works, it feels like a patch rather than a fundamental solution. We should review if there's a more robust and elegant way to handle this.
+
+## TODO
+
+Investigate and decide on the best long-term strategy for handling file listings in strict sandbox mode.
+
+### Options to Consider:
+
+1.  **Implicit Parent Whitelisting:** Could the file/folder iterators be enhanced to automatically (and temporarily) whitelist parent folders as they are encountered? This would keep the sandbox strict for all other operations but allow listings to complete. This seems like the most robust solution if feasible.
+
+2.  **Refined Iterator Logic:** Can the iterators be modified to avoid the specific checks that cause the failure when in strict mode? This might involve fetching less metadata for items outside the session/whitelist scope.
+
+3.  **Accept and Document:** If the current `try...finally` workaround is deemed the most practical approach, we should formally document it in `sandbox.md` as the recommended pattern for this scenario.
+
+This review will help ensure the sandbox feature is both as secure and as user-friendly as possible.
+EOF
+)
+
+# Create the issue using GitHub CLI
+gh issue create --title "$TITLE" --body "$BODY" --label "enhancement"

package/package.json

@@ -4,7 +4,6 @@
   },
   "dependencies": {
     "@mcpher/fake-gasenum": "^1.0.2",
-    "@mcpher/gas-fakes": "^1.0.14",
     "@mcpher/unit": "^1.1.11",
     "@sindresorhus/is": "^7.0.1",
     "archiver": "^7.0.1",
@@ -54,13 +53,14 @@
     "testdocsfooters": "cp mainlocal.js main.js &&  node --env-file=.env ./test/testdocsfooters.js execute",
     "testdocsfootnotes": "cp mainlocal.js main.js &&  node --env-file=.env ./test/testdocsfootnotes.js execute",
     "testdocsimages": "cp mainlocal.js main.js &&  node --env-file=.env ./test/testdocsimages.js execute",
+    "testsandbox": "cp mainlocal.js main.js &&  node --env-file=.env ./test/testsandbox.js execute",
     "pub": "cp mainlocal.js main.js && npm publish --access public"
   },
   "name": "@mcpher/gas-fakes",
-  "version": "1.0.16",
+  "version": "1.0.18",
   "license": "MIT",
   "main": "main.js",
   "description": "A proof of concept implementation of Apps Script Environment on Node",
   "repository": "github:brucemcpherson/gas-fakes",
   "homepage": "https://ramblings.mcpher.com/a-proof-of-concept-implementation-of-apps-script-environment-on-node/"
-}
+}

package/src/services/advdocs/fakeadvdocs.js

@@ -628,7 +628,12 @@ class FakeAdvDocs {
   __getDocsPerformance() {
     return docsCacher.getPerformance()
   }
+  __addAllowed(id) {
+    if (ScriptApp.__behavior.sandBoxMode) {
+      ScriptApp.__behavior.addFile(id);
+    }
+    return id
+  }
 }
 
 export const newFakeAdvDocs = (...args) => Proxies.guard(new FakeAdvDocs(...args))
-

package/src/services/advdocs/fakeadvdocuments.js

@@ -17,19 +17,7 @@ class FakeAdvDocuments extends FakeAdvResource {
   constructor(docs) {
     super(docs, 'documents', Syncit.fxDocs);
     this.__fakeObjectType = "Docs.Documents";
-  }
-  // in sandbox mode only files created in this instance are
-  __allowed(id) {
-    if (!ScriptApp.__behavior.isAccessible(id)) {
-      throw new Error(`Access to document ${id} is not allowed in sandbox mode`);
-    }
-    return id
-  }
-  __addAllowed(id) {
-    if (ScriptApp.__behavior.sandBoxMode) {
-      ScriptApp.__behavior.addFile(id);
-    }
-    return id
+    this.docs = docs;
   }
 
   create(resource, options) {
@@ -44,7 +32,7 @@ class FakeAdvDocuments extends FakeAdvResource {
 
     // maybe we need to throw an error
     gError(response, 'docs.documents', "create")
-    this.__addAllowed(data.documentId);
+    this.docs.__addAllowed(data.documentId);
     return data
   }
 
@@ -55,12 +43,14 @@ class FakeAdvDocuments extends FakeAdvResource {
       matchThrow("API call to docs.documents.batchUpdate failed with error: Invalid JSON payload received.");
     }
 
+    // any update to a doc is a write
+    ScriptApp.__behavior.isAccessible(documentId, 'Docs', 'write');
 
     // Invalidate the cache for this document since we are updating it.
     docsCacher.clear(documentId);
     // console.log (JSON.stringify(requests))
     const { response, data } = this._call("batchUpdate", {
-      documentId: this.__allowed(documentId),
+      documentId,
       requestBody: requests
     });
 
@@ -101,7 +91,8 @@ class FakeAdvDocuments extends FakeAdvResource {
 
     if (is.nonEmptyObject(options) && !Reflect.ownKeys(options || {}).every(f => optionsSet.has(f))) matchThrow();
 
-    const params = {documentId: this.__allowed(documentId), ...(options || {}) };
+    ScriptApp.__behavior.isAccessible(documentId, 'Docs', 'read');
+    const params = {documentId, ...(options || {}) };
 
     const { response, data } = this._call("get", params);
     gError(response, 'docs.documents', 'get');

package/src/services/advdrive/fakeadvdrivefiles.js

@@ -115,7 +115,8 @@ class FakeAdvDriveFiles {
    * @returns {Drive.File}
    */
   get(id, params = {}, { allow404 = true } = {}) {
-    const {data} = Syncit.fxDriveGet ({ id: this.drive.__allowed(id), prop: apiProp, method: 'get', params, allow404, allowCache: true }) 
+    ScriptApp.__behavior.isAccessible(id, 'Drive', 'read');
+    const {data} = Syncit.fxDriveGet ({ id, prop: apiProp, method: 'get', params, allow404, allowCache: true });
     return data
   }
 
@@ -156,7 +157,15 @@ class FakeAdvDriveFiles {
     if (!is.nonEmptyString(fileId)) {
       throw new Error(`API call to drive.files.update failed with error: Required`)
     }
-    return updateOrCreate ({method: 'update', file,  blob, fileId: this.drive.__allowed(fileId) , fields, params})
+    // sandbox checks
+    const isMetadataWrite = file && Object.keys(file).some(k => k !== 'trashed');
+    if (blob || isMetadataWrite) {
+      ScriptApp.__behavior.isAccessible(fileId, 'Drive', 'write');
+    }
+    if (file && typeof file.trashed === 'boolean') {
+      ScriptApp.__behavior.isAccessible(fileId, 'Drive', 'trash');
+    }
+    return updateOrCreate ({method: 'update', file,  blob, fileId, fields, params})
   }
   /**
    * ceate a file and optionally upload some data
@@ -169,10 +178,11 @@ class FakeAdvDriveFiles {
     if (!is.nonEmptyString(fileId)) {
       throw new Error(`API call to drive.files.copy failed with error: Required`)
     }
+    ScriptApp.__behavior.isAccessible(fileId, 'Drive', 'read');
     const fields = mergeParamStrings(options.fields || "",minFields)
     const params = {
       fields,
-      fileId: this.drive.__allowed(fileId),
+      fileId,
       resource: file
     }
 

package/src/services/advdrive/fakeadvdrivepermissions.js

@@ -21,9 +21,10 @@ class FakeAdvDrivePermissions extends FakeAdvResource {
     const { nargs, matchThrow } = signatureArgs(arguments, "Drive.Permissions.create");
     if (nargs < 2 || nargs > 3) matchThrow();
 
+    ScriptApp.__behavior.isAccessible(fileId, 'Drive', 'write');
     const params = {
       resource,
-      fileId: this.drive.__allowed(fileId),
+      fileId,
       ...(optionalArgs || {})
     };
     const { data } = this._call('create', params);
@@ -34,8 +35,9 @@ class FakeAdvDrivePermissions extends FakeAdvResource {
     const { nargs, matchThrow } = signatureArgs(arguments, "Drive.Permissions.delete");
     if (nargs < 2 || nargs > 3) matchThrow();
 
+    ScriptApp.__behavior.isAccessible(fileId, 'Drive', 'write');
     const params = {
-      fileId: this.drive.__allowed(fileId),
+      fileId,
       permissionId,
       ...(optionalArgs || {})
     };
@@ -47,7 +49,8 @@ class FakeAdvDrivePermissions extends FakeAdvResource {
     const { nargs, matchThrow } = signatureArgs(arguments, "Drive.Permissions.list");
     if (nargs < 1 || nargs > 2) matchThrow();
 
-    const params = { fileId: this.drive.__allowed(fileId), ...(optionalArgs || {}) };
+    ScriptApp.__behavior.isAccessible(fileId, 'Drive', 'read');
+    const params = { fileId, ...(optionalArgs || {}) };
     const { data } = this._call('list', params);
     return data;
   }

package/src/services/advsheets/fakeadvsheets.js

@@ -877,13 +877,6 @@ class FakeAdvSheets {
   // exposes cache performance to tests 
   __getSheetsPerformance() {
     return sheetsCacher.getPerformance()
-  }
-    // in sandbox mode only files created in this instance are
-  __allowed(id) {
-    if (!ScriptApp.__behavior.isAccessible(id)) {
-      throw new Error(`Access to document ${id} is not allowed in sandbox mode`);
-    }
-    return id
   }
   __addAllowed(id) {
     if (ScriptApp.__behavior.sandBoxMode) {

package/src/services/advsheets/fakeadvsheetsdevelopermetadata.js

@@ -32,8 +32,9 @@ class FakeAdvSheetsDeveloperMetadata extends FakeAdvResource {
    * @returns {object} DeveloperMetadata
    */
   get(spreadsheetId, metadataId) {
+    ScriptApp.__behavior.isAccessible(spreadsheetId, 'Sheets', 'read');
     const { response, data } = this._call("get", {
-      spreadsheetId: this.sheets.__allowed(spreadsheetId),
+      spreadsheetId,
       metadataId,
     }, null, 'developerMetadata');
     ssError(response, `spreadsheets.developerMetadata.get`);
@@ -41,8 +42,9 @@ class FakeAdvSheetsDeveloperMetadata extends FakeAdvResource {
   }
 
   search(requestBody, spreadsheetId) {
+    ScriptApp.__behavior.isAccessible(spreadsheetId, 'Sheets', 'read');
     const { response, data } = this._call("search", {
-      spreadsheetId: this.sheets.__allowed(spreadsheetId),
+      spreadsheetId,
       requestBody
     }, null, 'developerMetadata');
 

package/src/services/advsheets/fakeadvsheetsspreadsheets.js

@@ -18,10 +18,9 @@ class FakeAdvSheetsSpreadsheets extends FakeAdvResource {
     super(sheets, 'spreadsheets', Syncit.fxSheets);
     this.sheets = sheets
     this.__fakeObjectType = "Sheets.Spreadsheets";
-    this.sheets = sheets
     const props = [
       'getByDataFilter',
-      'Sheets']
+    ]
 
     props.forEach(f => {
       this[f] = () => {
@@ -56,11 +55,24 @@ class FakeAdvSheetsSpreadsheets extends FakeAdvResource {
    */
   __batchUpdate(requests, spreadsheetId, options, { ss = true } = {}) {
 
+    // sandbox check
+    if (requests && requests.requests) {
+      const hasWriteRequest = requests.requests.some(r => !r.deleteSheet);
+      const hasTrashRequest = requests.requests.some(r => r.deleteSheet);
+
+      if (hasWriteRequest) {
+        ScriptApp.__behavior.isAccessible(spreadsheetId, 'Sheets', 'write');
+      }
+      if (hasTrashRequest) {
+        ScriptApp.__behavior.isAccessible(spreadsheetId, 'Sheets', 'trash');
+      }
+    }
+
     // this is wrapper for batchupdate so we can alter the behavior depending on whether we're being called by spreadsheetapp
     // note that in GAS adv sheet service doesnt take the requestBody parameter - it just sends requests as the arg
     // so we need to wrap that in requestbody for the Node API
     const { response, data } = this._call("batchUpdate", {
-      spreadsheetId: this.sheets.__allowed(spreadsheetId),
+      spreadsheetId,
       requestBody: requests
     }, options);
 
@@ -76,7 +88,8 @@ class FakeAdvSheetsSpreadsheets extends FakeAdvResource {
    * @param {object} options 
    */
   get(id, options, { ss = false } = {}) {
-    const params = { spreadsheetId: this.sheets.__allowed(id), ...options };
+    ScriptApp.__behavior.isAccessible(id, 'Sheets', 'read');
+    const params = { spreadsheetId: id, ...options };
     const { response, data } = this._call("get", params);
 
     // maybe we need to throw an error
@@ -96,7 +109,7 @@ class FakeAdvSheetsSpreadsheets extends FakeAdvResource {
 
     // maybe we need to throw an error
     ssError(response, "create", ss)
-    this.sheets.__addAllowed  (data.spreadsheetId);
+    this.sheets.__addAllowed(data.spreadsheetId);
     return data
   }
 }

package/src/services/advsheets/fakeadvsheetsvalues.js

@@ -48,7 +48,8 @@ class FakeAdvSheetsValues extends FakeAdvResource {
 
 
   get(spreadsheetId, range, options = {}) {
-    const params = { spreadsheetId: this.sheets.__allowed(spreadsheetId), range, ...options };
+    ScriptApp.__behavior.isAccessible(spreadsheetId, 'Sheets', 'read');
+    const params = { spreadsheetId, range, ...options };
     const { response, data } = this._call("get", params, null, 'values');
     // maybe we need to throw an error
     ssError(response, "get")
@@ -56,9 +57,10 @@ class FakeAdvSheetsValues extends FakeAdvResource {
   }
 
   batchUpdate(requests, spreadsheetId, { ss = false } = {}) {
+    ScriptApp.__behavior.isAccessible(spreadsheetId, 'Sheets', 'write');
     const requestBody = requests
     const { response, data } = this._call("batchUpdate", {
-      spreadsheetId: this.sheets.__allowed(spreadsheetId),
+      spreadsheetId,
       requestBody
     }, null, 'values');
 

package/src/services/advslides/fakeadvslides.js

@@ -1,5 +1,6 @@
 import { FakeAdvResource } from '../common/fakeadvresource.js';
 import { Syncit } from '../../support/syncit.js';
+import { gError } from '../../support/helpers.js';
 import { slidesCacher } from '../../support/slidescacher.js';
 import { Proxies } from '../../support/proxies.js';
 
@@ -13,9 +14,11 @@ class FakeAdvSlidesPresentations extends FakeAdvResource {
   }
 
   // Override 'get' to use the caching-enabled function fxSlidesGet.
-  get(presentationId) {
-    const { data } = this._call('get', { presentationId: this.slides.__allowed(presentationId) }, Syncit.fxSlidesGet);
-    return data;
+  get(presentationId, options) {
+    ScriptApp.__behavior.isAccessible(presentationId, 'Slides', 'read');
+    const { response, data } = this._call('get', { presentationId, ...options }, Syncit.fxSlidesGet);
+    gError(response, 'slides.presentations', 'get');
+    return data;    
   }
 
   // Signature matches Apps Script advanced service.
@@ -30,10 +33,13 @@ class FakeAdvSlidesPresentations extends FakeAdvResource {
 
   // Signature matches Apps Script advanced service.
   batchUpdate(requests, presentationId) {
+    // for slides, any batch update is a write
+    ScriptApp.__behavior.isAccessible(presentationId, 'Slides', 'write');
     const result = this._call('batchUpdate', {
-      presentationId: this.slides.__allowed(presentationId),
+      presentationId,
       resource: { requests },
     });
+    gError(result.response, 'slides.presentations', 'batchUpdate');
 
     // Any update should invalidate the cache for that presentation.
     if (presentationId) {
@@ -53,14 +59,6 @@ class FakeAdvSlides {
     this.Presentations = Proxies.guard(new FakeAdvSlidesPresentations(this));
   }
 
-  // in sandbox mode only files created in this instance are
-  __allowed(id) {
-
-    if (!ScriptApp.__behavior.isAccessible(id)) {
-      throw new Error(`Access to slides ${id} is not allowed in sandbox mode`);
-    }
-    return id
-  }
   __addAllowed(id) {
     if (ScriptApp.__behavior.sandBoxMode) {
       ScriptApp.__behavior.addFile(id);

package/src/services/documentapp/app.js

@@ -11,13 +11,35 @@ import './elements.js'; // This ensures all element types register themselves be
 
 let _app = null;
 
-const name = "DocumentApp";
+const name = 'DocumentApp';
+const serviceName = 'DocumentApp';
+
 if (typeof globalThis[name] === typeof undefined) {
   // By importing this, we ensure all element types register themselves.
   const getApp = () => {
     if (!_app) {
-      console.log('...activating proxy for', name)
-      _app = newFakeDocumentApp();
+      const realApp = newFakeDocumentApp();
+
+      _app = new Proxy(realApp, {
+        get(target, prop, receiver) {
+          if (prop === 'toString') {
+            return () => name;
+          }
+
+          const serviceBehavior = ScriptApp.__behavior.sandboxService[serviceName];
+
+          if (!serviceBehavior.enabled) {
+            throw new Error(`${name} service is disabled by sandbox settings.`);
+          }
+
+          const allowedMethods = serviceBehavior.methods;
+          if (allowedMethods && typeof target[prop] === 'function' && !allowedMethods.includes(prop)) {
+            throw new Error(`Method ${name}.${prop} is not allowed by sandbox settings.`);
+          }
+
+          return Reflect.get(...arguments);
+        },
+      });
     }
     return _app;
   };

package/src/services/documentapp/elementhelpers.js

@@ -102,6 +102,12 @@ export const findItem = (elementMap, type, startIndex, segmentId) => {
       return false;
     }
 
+    // For container elements that don't have a startIndex (like Header, Footer, Footnote),
+    // we can find them by type and segmentId alone.
+    if (is.undefined(startIndex)) {
+      return f.__type === type;
+    }
+
     // A ListItem is a specialized Paragraph. A search for a PARAGRAPH should also find a LIST_ITEM
     // at the given location.
     if (type === 'PARAGRAPH') {

package/src/services/documentapp/fakedocumentapp.js

@@ -40,21 +40,29 @@ class FakeDocumentApp {
       title: name,
     };
     const doc = Docs.Documents.create(resource);
+    ScriptApp.__behavior.addFile(doc.documentId);
     return newFakeDocument(doc.documentId);
   }
 
   openById(id) {
     const { nargs, matchThrow } = signatureArgs(arguments, "DocumentApp.openById");
     if (nargs !== 1 || !is.string(id)) matchThrow();
+
+    if (!ScriptApp.__behavior.isAccessible(id, 'DocumentApp')) {
+      throw new Error(`Access to document "${id}" is denied by sandbox rules.`);
+    }
+
     return newFakeDocument(id);
   }
 
   openByUrl(url) {
     const { nargs, matchThrow } = signatureArgs(arguments, "DocumentApp.openByUrl");
     if (nargs !== 1 || !is.string(url)) matchThrow();
-    const id = url.match(/\/d\/(.+?)\//)[1];
-    if (!id) throw new Error("Invalid document URL");
-    return this.openById(id);
+    const match = url.match(/\/document\/d\/([a-zA-Z0-9-_]+)/);
+    if (!match || !match[1]) {
+      throw new Error(`Invalid document URL: ${url}`);
+    }
+    return this.openById(match[1]);
   }
 
   getActiveDocument() {

package/src/services/documentapp/shadowdocument.js

@@ -242,6 +242,7 @@ class ShadowDocument {
           __name: sectionName,
           __twig: sectionTree,
           // also store the original resource item
+          __segmentId: sectionId,
           ...section,
         };
         this.__elementMap.set(sectionName, sectionElement);
@@ -280,6 +281,7 @@ class ShadowDocument {
           __type: 'FOOTNOTE',
           __name: footnoteName,
           __twig: footnoteTree,
+          __segmentId: footnoteId,
           ...footnote,
         };
         this.__elementMap.set(footnoteName, footnoteElement);

package/src/services/driveapp/fakedriveapp.js

@@ -46,12 +46,6 @@ export class FakeDriveApp {
     return file ? newFakeDriveFile(file) : null
   }
 
-  /**
-   * get folder by Id
-   * folders can get files
-   * @param {string} id 
-   * @returns {FakeDriveFolder|null}
-   */
   getFolderById(id) {
     const file = Drive.Files.get(id, {}, { allow404: true })
     return file ? newFakeDriveFolder(file) : null

package/src/services/driveapp/fakedrivefile.js

@@ -147,9 +147,8 @@ class FakeDriveFile extends FakeDriveMeta {
       name
     }, this.getId())
 
-
-    return newFakeDriveFile(data)
-
+    ScriptApp.__behavior.addFile(data.id);
+    return newFakeDriveFile(data);
   }
 
 }

package/src/services/driveapp/fakefolderapp.js

@@ -143,7 +143,7 @@ class FakeFolderApp {
     const result = Syncit.fxStreamUpMedia({ fields: minFields, blob, file: { mimeType, name, ...file } })
     const { data, response } = result
     checkResponse(data?.id, response, false)
-    Drive.__addAllowed(data.id)
+    ScriptApp.__behavior.addFile(data.id)
     improveFileCache(data.id, data)
     return DriveApp.__settleClass(result.data)