@mohanscodex/spectra-code 0.4.5

package/dist/src/security/doom-loop.js

@@ -0,0 +1,72 @@
+export class DoomLoopDetector {
+    callHistory = [];
+    consecutiveReads = 0;
+    patchFailures = new Map();
+    writeThreshold;
+    readOnlyThreshold;
+    patchThreshold;
+    constructor(config) {
+        this.writeThreshold = config?.writeRepeatThreshold ?? 3;
+        this.readOnlyThreshold = config?.readOnlyRepeatThreshold ?? 8;
+        this.patchThreshold = config?.patchSpiralThreshold ?? 4;
+    }
+    recordToolCall(tool, args) {
+        const argsKey = JSON.stringify(args);
+        const now = Date.now();
+        const recent = this.callHistory.filter((c) => now - c.firstTime < 60000);
+        this.callHistory = recent;
+        const existing = this.callHistory.find((c) => c.tool === tool && c.args === argsKey);
+        if (existing) {
+            existing.count++;
+            if (existing.count >= this.writeThreshold) {
+                return {
+                    ok: false,
+                    action: "stop",
+                    message: `Doom loop detected: '${tool}' called ${existing.count} times with identical arguments. Breaking loop.`,
+                };
+            }
+        }
+        else {
+            this.callHistory.push({ tool, args: argsKey, count: 1, firstTime: now });
+        }
+        return { ok: true };
+    }
+    recordToolResult(tool, isSuccess) {
+        const writeTools = new Set(["edit", "write", "apply_patch", "bash"]);
+        if (isSuccess && writeTools.has(tool)) {
+            this.consecutiveReads = 0;
+        }
+        else if (!writeTools.has(tool)) {
+            this.consecutiveReads++;
+        }
+        if (this.consecutiveReads >= this.readOnlyThreshold) {
+            return {
+                ok: false,
+                action: "warn",
+                message: `Read-only loop detected: ${this.consecutiveReads} consecutive reads with no writes. Consider switching agents or stopping.`,
+            };
+        }
+        return { ok: true };
+    }
+    recordPatchFailure(filePath) {
+        const failures = (this.patchFailures.get(filePath) ?? 0) + 1;
+        this.patchFailures.set(filePath, failures);
+        if (failures >= this.patchThreshold) {
+            return {
+                ok: false,
+                action: "warn",
+                message: `Patch spiral on '${filePath}': ${failures} consecutive failures. Consider using write instead of edit.`,
+            };
+        }
+        return { ok: true };
+    }
+    recordPatchSuccess(filePath) {
+        this.patchFailures.delete(filePath);
+    }
+    reset() {
+        this.callHistory = [];
+        this.consecutiveReads = 0;
+        this.patchFailures.clear();
+    }
+}
+//# sourceMappingURL=doom-loop.js.map

package/dist/src/security/doom-loop.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"doom-loop.js","sourceRoot":"","sources":["../../../src/security/doom-loop.ts"],"names":[],"mappings":"AAeA,MAAM,OAAO,gBAAgB;IACnB,WAAW,GAAmB,EAAE,CAAA;IAChC,gBAAgB,GAAG,CAAC,CAAA;IACpB,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAA;IACzC,cAAc,CAAQ;IACtB,iBAAiB,CAAQ;IACzB,cAAc,CAAQ;IAE9B,YAAY,MAAuB;QACjC,IAAI,CAAC,cAAc,GAAG,MAAM,EAAE,oBAAoB,IAAI,CAAC,CAAA;QACvD,IAAI,CAAC,iBAAiB,GAAG,MAAM,EAAE,uBAAuB,IAAI,CAAC,CAAA;QAC7D,IAAI,CAAC,cAAc,GAAG,MAAM,EAAE,oBAAoB,IAAI,CAAC,CAAA;IACzD,CAAC;IAED,cAAc,CACZ,IAAY,EACZ,IAA6B;QAE7B,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAA;QACpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QAEtB,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,CAAA;QACxE,IAAI,CAAC,WAAW,GAAG,MAAM,CAAA;QAEzB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CACpC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO,CAC7C,CAAA;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,CAAC,KAAK,EAAE,CAAA;YAChB,IAAI,QAAQ,CAAC,KAAK,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;gBAC1C,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,wBAAwB,IAAI,YAAY,QAAQ,CAAC,KAAK,iDAAiD;iBACjH,CAAA;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAA;QAC1E,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;IACrB,CAAC;IAED,gBAAgB,CAAC,IAAY,EAAE,SAAkB;QAC/C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC,CAAA;QAEpE,IAAI,SAAS,IAAI,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACtC,IAAI,CAAC,gBAAgB,GAAG,CAAC,CAAA;QAC3B,CAAC;aAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,IAAI,CAAC,gBAAgB,EAAE,CAAA;QACzB,CAAC;QAED,IAAI,IAAI,CAAC,gBAAgB,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACpD,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,4BAA4B,IAAI,CAAC,gBAAgB,2EAA2E;aACtI,CAAA;QACH,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;IACrB,CAAC;IAED,kBAAkB,CAAC,QAAgB;QACjC,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;QAC5D,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;QAE1C,IAAI,QAAQ,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACpC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,oBAAoB,QAAQ,MAAM,QAAQ,8DAA8D;aAClH,CAAA;QACH,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;IACrB,CAAC;IAED,kBAAkB,CAAC,QAAgB;QACjC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IACrC,CAAC;IAED,KAAK;QACH,IAAI,CAAC,WAAW,GAAG,EAAE,CAAA;QACrB,IAAI,CAAC,gBAAgB,GAAG,CAAC,CAAA;QACzB,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAA;IAC5B,CAAC;CACF"}

package/dist/src/security/index.d.ts

@@ -0,0 +1,46 @@
+import type { Rule, Ruleset, PermissionAction, PermissionConfig, PermissionRequest, PermissionResponse, SecurityConfig, ToolCapabilities } from "./types.js";
+import { PathSafety } from "./path-safety.js";
+import { ReadTracker } from "./read-tracker.js";
+import { DoomLoopDetector } from "./doom-loop.js";
+import { SsrfGuard } from "./ssrf-guard.js";
+export type { Rule, Ruleset, PermissionAction, SecurityConfig, ToolCapabilities };
+export { evaluate, fromConfig } from "./permissions.js";
+export { PathSafety } from "./path-safety.js";
+export { ReadTracker } from "./read-tracker.js";
+export { DoomLoopDetector } from "./doom-loop.js";
+export { SsrfGuard } from "./ssrf-guard.js";
+export declare class PermissionDeniedError extends Error {
+    readonly permission: string;
+    readonly pattern: string;
+    constructor(permission: string, pattern: string);
+}
+type PermissionListener = (req: PermissionRequest) => void;
+interface PermissionManagerOptions {
+    config?: PermissionConfig;
+    security?: SecurityConfig;
+    sessionRuleset?: Ruleset;
+    restoredApprovals?: Ruleset;
+    cwd?: string;
+    onPersist?: (approvedRules: Ruleset) => void;
+}
+export declare function createSecurityManager(options?: PermissionManagerOptions): {
+    getReadTracker: () => ReadTracker;
+    getDoomLoop: () => DoomLoopDetector;
+    getSsrfGuard: () => SsrfGuard;
+    getPathSafety: () => PathSafety;
+    checkPath: (rawPath: string) => void;
+    checkPermission: (permission: string, patterns: string[], tool?: string, details?: string) => Promise<void>;
+    extractToolPatterns: (toolName: string, args: Record<string, unknown>) => {
+        toolPatterns: string[];
+        externalPaths: string[];
+        pathPatterns: string[];
+    };
+    setListener: (fn: PermissionListener | null) => void;
+    addApproval: (rules: Rule[]) => void;
+    respondToRequest: (id: string, response: PermissionResponse) => void;
+    getRuleset: () => Ruleset;
+    getApprovedConfig: () => PermissionConfig;
+    readonly pendingCount: number;
+};
+export type SecurityManager = ReturnType<typeof createSecurityManager>;
+//# sourceMappingURL=index.d.ts.map

package/dist/src/security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,IAAI,EAAE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EACjD,iBAAiB,EAAE,kBAAkB,EACrC,cAAc,EAAE,gBAAgB,EACjC,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAM3C,YAAY,EAAE,IAAI,EAAE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,gBAAgB,EAAE,CAAA;AACjF,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAwF3C,qBAAa,qBAAsB,SAAQ,KAAK;aAE5B,UAAU,EAAE,MAAM;aAClB,OAAO,EAAE,MAAM;gBADf,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM;CAKlC;AAaD,KAAK,kBAAkB,GAAG,CAAC,GAAG,EAAE,iBAAiB,KAAK,IAAI,CAAA;AAE1D,UAAU,wBAAwB;IAChC,MAAM,CAAC,EAAE,gBAAgB,CAAA;IACzB,QAAQ,CAAC,EAAE,cAAc,CAAA;IACzB,cAAc,CAAC,EAAE,OAAO,CAAA;IACxB,iBAAiB,CAAC,EAAE,OAAO,CAAA;IAC3B,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,SAAS,CAAC,EAAE,CAAC,aAAa,EAAE,OAAO,KAAK,IAAI,CAAA;CAC7C;AAED,wBAAgB,qBAAqB,CAAC,OAAO,GAAE,wBAA6B;0BAmC/C,WAAW;uBACd,gBAAgB;wBACf,SAAS;yBACR,UAAU;yBAgBR,MAAM,KAAG,IAAI;kCAkB3B,MAAM,YACR,MAAM,EAAE,SACX,MAAM,YACH,MAAM,KACf,OAAO,CAAC,IAAI,CAAC;oCAgJJ,MAAM,QACV,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC5B;QAAE,YAAY,EAAE,MAAM,EAAE,CAAC;QAAC,aAAa,EAAE,MAAM,EAAE,CAAC;QAAC,YAAY,EAAE,MAAM,EAAE,CAAA;KAAE;sBAnMrD,kBAAkB,GAAG,IAAI,KAAG,IAAI;yBAI7B,IAAI,EAAE,KAAG,IAAI;2BAyHX,MAAM,YAAY,kBAAkB,KAAG,IAAI;sBAjIlD,OAAO;6BAiBA,gBAAgB;;EA6Q/C;AAED,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,qBAAqB,CAAC,CAAA"}

package/dist/src/security/index.js

@@ -0,0 +1,362 @@
+import { evaluate, fromConfig } from "./permissions.js";
+import { PathSafety } from "./path-safety.js";
+import { ReadTracker } from "./read-tracker.js";
+import { DoomLoopDetector } from "./doom-loop.js";
+import { SsrfGuard } from "./ssrf-guard.js";
+import { isInsideWorkingDir, canonicalPath, matchWildcard, ensureDirGlob } from "./wildcard.js";
+import { resolve, dirname } from "path";
+import { URL } from "url";
+import { statSync } from "fs";
+export { evaluate, fromConfig } from "./permissions.js";
+export { PathSafety } from "./path-safety.js";
+export { ReadTracker } from "./read-tracker.js";
+export { DoomLoopDetector } from "./doom-loop.js";
+export { SsrfGuard } from "./ssrf-guard.js";
+const BASHLIST_COMMANDS = new Set([
+    "shutdown", "reboot", "halt", "poweroff",
+    "mkfs", "fdisk", "mkswap", "swapon",
+    "telnet", "chroot",
+]);
+const BASHLIST_PATTERNS = [
+    "rm -rf /*", "sudo rm -rf /*", "doas rm -rf /*", "rm -rf ~",
+    "rm -rf /home*", "rm -rf /root*",
+    "dd if=*of=/dev/*",
+    "> /dev/sd*", "> /dev/hd*", "> /dev/nvme*",
+    ":(){ :|:& };:*",
+    "curl * | sh", "curl * | bash", "curl * | zsh",
+    "wget * | sh", "wget * | bash", "wget * | zsh",
+    "sudo chmod 777 /*", "sudo chown -R /*", "sudo chown -R /",
+    "cat .env | curl *", "cat .env | wget *",
+    "git push --force origin main", "git push --force origin master",
+    "git push -f origin main", "git push -f origin master",
+    "git push --force --no-verify origin main",
+    "git push --force --no-verify origin master",
+];
+const FILE_COMMANDS = new Set([
+    "cat", "cp", "mv", "rm", "mkdir", "touch", "chmod", "chown",
+    "ls", "less", "more", "head", "tail", "file", "stat",
+    "diff", "cmp", "find", "ln",
+]);
+const FILE_TOOL_NAMES = new Set(["read", "write", "edit", "grep", "glob"]);
+function unquoteShell(s) {
+    if (s.length >= 2) {
+        const first = s[0], last = s[s.length - 1];
+        if ((first === "'" && last === "'") || (first === '"' && last === '"')) {
+            return s.slice(1, -1);
+        }
+    }
+    return s;
+}
+function extractBashPaths(command, cwd) {
+    const externalPaths = [];
+    const pathPatterns = [];
+    for (const firstLine of command.split("\n")) {
+        const trimmed = firstLine.trim();
+        if (!trimmed)
+            continue;
+        const segments = trimmed.split(/(?<!\\);/);
+        for (const segment of segments) {
+            const parts = segment.trim().split(/\s+/).filter(Boolean);
+            if (parts.length < 2)
+                continue;
+            const cmd = (parts[0] || "").toLowerCase();
+            if (!FILE_COMMANDS.has(cmd))
+                continue;
+            for (const arg of parts.slice(1)) {
+                if (arg.startsWith("-") || arg.startsWith("--"))
+                    continue;
+                const unquoted = unquoteShell(arg);
+                try {
+                    const resolved = resolve(cwd, unquoted);
+                    pathPatterns.push(resolved);
+                    if (!isInsideWorkingDir(unquoted, cwd)) {
+                        externalPaths.push(resolved);
+                    }
+                }
+                catch { }
+            }
+        }
+    }
+    return { externalPaths, pathPatterns };
+}
+function isBashBlocked(command) {
+    const firstWord = command.trim().split(/\s+/)[0] || "";
+    if (BASHLIST_COMMANDS.has(firstWord))
+        return true;
+    const normalized = command.trim();
+    return BASHLIST_PATTERNS.some((p) => matchWildcard(p, normalized));
+}
+export class PermissionDeniedError extends Error {
+    permission;
+    pattern;
+    constructor(permission, pattern) {
+        super(`Permission denied: '${permission}' for '${pattern}'`);
+        this.permission = permission;
+        this.pattern = pattern;
+        this.name = "PermissionDeniedError";
+    }
+}
+export function createSecurityManager(options = {}) {
+    const configRuleset = options.config ? fromConfig(options.config) : [];
+    const sessionRuleset = options.sessionRuleset ?? [];
+    const restoredFromDisk = options.restoredApprovals ?? [];
+    const pathSafety = new PathSafety({
+        blockedPaths: options.security?.blockedPaths,
+        allowedPaths: options.security?.allowedPaths,
+    });
+    const readTracker = new ReadTracker({
+        mode: options.security?.writeGuard ?? "soft",
+        exclude: options.security?.writeGuardExclude,
+    });
+    const doomLoop = new DoomLoopDetector(options.security?.doomLoop);
+    const ssrfGuard = new SsrfGuard(options.security?.ssrf);
+    const cwd = options.cwd ?? process.cwd();
+    let approvedRuleset = [...restoredFromDisk];
+    const pendingRequests = new Map();
+    let listener = null;
+    const onPersist = options.onPersist;
+    function getRuleset() {
+        return [...configRuleset, ...approvedRuleset, ...sessionRuleset];
+    }
+    function setListener(fn) {
+        listener = fn;
+    }
+    function addApproval(rules) {
+        approvedRuleset.push(...rules);
+    }
+    function getReadTracker() { return readTracker; }
+    function getDoomLoop() { return doomLoop; }
+    function getSsrfGuard() { return ssrfGuard; }
+    function getPathSafety() { return pathSafety; }
+    function getApprovedConfig() {
+        const config = {};
+        for (const rule of approvedRuleset) {
+            if (rule.action !== "allow")
+                continue;
+            const existing = config[rule.permission];
+            if (typeof existing === "object" && existing !== null) {
+                ;
+                existing[rule.pattern] = "allow";
+            }
+            else {
+                config[rule.permission] = { [rule.pattern]: "allow" };
+            }
+        }
+        return config;
+    }
+    function checkPath(rawPath) {
+        const result = pathSafety.check(rawPath, cwd);
+        if (!result.ok) {
+            throw new PermissionDeniedError("path_safety", rawPath);
+        }
+    }
+    function internalPathsOnly(permission, patterns) {
+        if (!FILE_TOOL_NAMES.has(permission) && permission !== "external_directory") {
+            return false;
+        }
+        return patterns.every((p) => {
+            if (p === "*")
+                return false;
+            try {
+                return isInsideWorkingDir(p, cwd);
+            }
+            catch {
+                return false;
+            }
+        });
+    }
+    async function checkPermission(permission, patterns, tool, details) {
+        const isBash = permission === "bash" || permission === "shell";
+        if (isBash) {
+            const command = patterns[0] ?? "";
+            if (isBashBlocked(command)) {
+                throw new PermissionDeniedError(permission, command);
+            }
+        }
+        const ruleset = getRuleset();
+        for (const pattern of patterns) {
+            const rule = evaluate(permission, pattern, ruleset);
+            if (rule.action === "deny") {
+                throw new PermissionDeniedError(permission, pattern);
+            }
+            if (rule.action === "allow") {
+                return;
+            }
+        }
+        if (isBash) {
+            return;
+        }
+        if (internalPathsOnly(permission, patterns)) {
+            return;
+        }
+        await requestApproval(permission, patterns[0], tool, details ?? patterns[0]);
+    }
+    async function requestApproval(permission, pattern, tool, details) {
+        return new Promise((resolve, reject) => {
+            const id = Math.random().toString(36).slice(2, 10);
+            const alwaysPatterns = generateAlwaysPatterns(permission, pattern);
+            const pending = {
+                id,
+                permission,
+                pattern,
+                tool: tool ?? permission,
+                details: details ?? pattern,
+                always: alwaysPatterns,
+                resolve,
+                reject,
+            };
+            pendingRequests.set(id, pending);
+            listener?.({
+                id,
+                permission,
+                pattern,
+                tool: tool ?? permission,
+                details: details ?? pattern,
+                always: alwaysPatterns,
+            });
+            setTimeout(() => {
+                if (pendingRequests.has(id)) {
+                    pendingRequests.delete(id);
+                    reject(new PermissionDeniedError(permission, pattern));
+                }
+            }, 120000);
+        });
+    }
+    function respondToRequest(id, response) {
+        const pending = pendingRequests.get(id);
+        if (!pending)
+            return;
+        pendingRequests.delete(id);
+        if (response.action === "deny") {
+            pending.reject(new PermissionDeniedError(pending.permission, pending.pattern));
+            return;
+        }
+        if (response.action === "always") {
+            for (const alwaysPattern of pending.always) {
+                approvedRuleset.push({
+                    permission: pending.permission,
+                    pattern: alwaysPattern,
+                    action: "allow",
+                });
+            }
+            cascadeAutoResolve();
+            onPersist?.(approvedRuleset);
+        }
+        pending.resolve();
+    }
+    function cascadeAutoResolve() {
+        const ruleset = getRuleset();
+        for (const [pid, entry] of pendingRequests) {
+            const allAllowed = entry.always.every((ap) => evaluate(entry.permission, ap, ruleset).action === "allow");
+            if (allAllowed) {
+                pendingRequests.delete(pid);
+                entry.resolve();
+            }
+        }
+    }
+    function generateAlwaysPatterns(permission, pattern) {
+        if (permission === "external_directory") {
+            const resolved = canonicalPath(pattern, cwd);
+            let dir;
+            try {
+                const st = statSync(resolved);
+                dir = st.isDirectory() ? resolved : dirname(resolved);
+            }
+            catch {
+                dir = dirname(resolved);
+            }
+            return [pattern, ensureDirGlob(dir)];
+        }
+        if (FILE_TOOL_NAMES.has(permission)) {
+            return ["*"];
+        }
+        if (permission === "bash") {
+            const parts = pattern.split(/\s+/);
+            if (parts.length >= 2) {
+                return [pattern, `${parts[0]} ${parts[1]} *`, `${parts[0]} *`];
+            }
+            return [`${pattern} *`];
+        }
+        return [pattern];
+    }
+    function extractToolPatterns(toolName, args) {
+        const toolPatterns = [];
+        const externalPaths = [];
+        const pathPatterns = [];
+        const rawPath = (args.path || args.file_path || args.filePath);
+        if (rawPath) {
+            pathPatterns.push(rawPath);
+            try {
+                const abs = resolve(cwd, rawPath);
+                pathPatterns.push(abs);
+                if (!isInsideWorkingDir(rawPath, cwd)) {
+                    externalPaths.push(rawPath);
+                    externalPaths.push(abs);
+                }
+            }
+            catch { }
+        }
+        if (toolName === "bash" || toolName === "shell") {
+            const command = args.command;
+            if (command) {
+                const firstLine = command.split("\n")[0].trim();
+                toolPatterns.push(firstLine);
+                const parts = firstLine.split(/\s+/).filter(Boolean);
+                if (parts.length >= 2) {
+                    toolPatterns.push(`${parts[0]} ${parts[1]} *`);
+                }
+                toolPatterns.push(`${parts[0]} *`);
+                const { externalPaths: bashExtPaths, pathPatterns: bashPathPatterns } = extractBashPaths(command, cwd);
+                if (bashExtPaths.length > 0) {
+                    for (const ep of bashExtPaths) {
+                        if (!externalPaths.some((e) => resolve(cwd, e) === ep)) {
+                            externalPaths.push(ep);
+                        }
+                    }
+                }
+                for (const pp of bashPathPatterns) {
+                    if (!pathPatterns.some((p) => resolve(cwd, p) === pp)) {
+                        pathPatterns.push(pp);
+                    }
+                }
+            }
+        }
+        if (toolName === "web_fetch" || toolName === "webfetch") {
+            const url = args.url;
+            if (url) {
+                try {
+                    toolPatterns.push(new URL(url).hostname);
+                }
+                catch { }
+            }
+        }
+        if (toolName === "task") {
+            const subagent = (args.subagent_name || args.subagent_type);
+            if (subagent)
+                toolPatterns.push(subagent);
+        }
+        if (toolPatterns.length === 0 && pathPatterns.length > 0) {
+            toolPatterns.push(...pathPatterns);
+        }
+        if (toolPatterns.length === 0) {
+            toolPatterns.push("*");
+        }
+        return { toolPatterns, externalPaths, pathPatterns };
+    }
+    return {
+        getReadTracker,
+        getDoomLoop,
+        getSsrfGuard,
+        getPathSafety,
+        checkPath,
+        checkPermission,
+        extractToolPatterns,
+        setListener,
+        addApproval,
+        respondToRequest,
+        getRuleset,
+        getApprovedConfig,
+        get pendingCount() { return pendingRequests.size; },
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/src/security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/security/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAC/F,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AACvC,OAAO,EAAE,GAAG,EAAE,MAAM,KAAK,CAAA;AACzB,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAA;AAG7B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAE3C,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU;IACxC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ;IACnC,QAAQ,EAAE,QAAQ;CACnB,CAAC,CAAA;AAEF,MAAM,iBAAiB,GAAG;IACxB,WAAW,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,UAAU;IAC3D,eAAe,EAAE,eAAe;IAChC,kBAAkB;IAClB,YAAY,EAAE,YAAY,EAAE,cAAc;IAC1C,gBAAgB;IAChB,aAAa,EAAE,eAAe,EAAE,cAAc;IAC9C,aAAa,EAAE,eAAe,EAAE,cAAc;IAC9C,mBAAmB,EAAE,kBAAkB,EAAE,iBAAiB;IAC1D,mBAAmB,EAAE,mBAAmB;IACxC,8BAA8B,EAAE,gCAAgC;IAChE,yBAAyB,EAAE,2BAA2B;IACtD,0CAA0C;IAC1C,4CAA4C;CAC7C,CAAA;AAED,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO;IAC3D,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IACpD,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI;CAC5B,CAAC,CAAA;AAEF,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAA;AAE1E,SAAS,YAAY,CAAC,CAAS;IAC7B,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QAC1C,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YACvE,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;QACvB,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAA;AACV,CAAC;AAED,SAAS,gBAAgB,CACvB,OAAe,EACf,GAAW;IAEX,MAAM,aAAa,GAAa,EAAE,CAAA;IAClC,MAAM,YAAY,GAAa,EAAE,CAAA;IAEjC,KAAK,MAAM,SAAS,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5C,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,CAAA;QAChC,IAAI,CAAC,OAAO;YAAE,SAAQ;QAEtB,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;QAC1C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;YACzD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;gBAAE,SAAQ;YAE9B,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAA;YAC1C,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAQ;YAErC,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjC,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;oBAAE,SAAQ;gBACzD,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,CAAA;gBAElC,IAAI,CAAC;oBACH,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;oBACvC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;oBAC3B,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,GAAG,CAAC,EAAE,CAAC;wBACvC,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;oBAC9B,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC,CAAA,CAAC;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,CAAA;AACxC,CAAC;AAED,SAAS,aAAa,CAAC,OAAe;IACpC,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;IAEtD,IAAI,iBAAiB,CAAC,GAAG,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAA;IAEjD,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,EAAE,CAAA;IACjC,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAA;AACpE,CAAC;AAED,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAE5B;IACA;IAFlB,YACkB,UAAkB,EAClB,OAAe;QAE/B,KAAK,CAAC,uBAAuB,UAAU,UAAU,OAAO,GAAG,CAAC,CAAA;QAH5C,eAAU,GAAV,UAAU,CAAQ;QAClB,YAAO,GAAP,OAAO,CAAQ;QAG/B,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAA;IACrC,CAAC;CACF;AAwBD,MAAM,UAAU,qBAAqB,CAAC,UAAoC,EAAE;IAC1E,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IACtE,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,EAAE,CAAA;IACnD,MAAM,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,IAAI,EAAE,CAAA;IAExD,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC;QAChC,YAAY,EAAE,OAAO,CAAC,QAAQ,EAAE,YAAY;QAC5C,YAAY,EAAE,OAAO,CAAC,QAAQ,EAAE,YAAY;KAC7C,CAAC,CAAA;IACF,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC;QAClC,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,UAAU,IAAI,MAAM;QAC5C,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE,iBAAiB;KAC7C,CAAC,CAAA;IACF,MAAM,QAAQ,GAAG,IAAI,gBAAgB,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;IACjE,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA;IAEvD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAA;IAExC,IAAI,eAAe,GAAY,CAAC,GAAG,gBAAgB,CAAC,CAAA;IACpD,MAAM,eAAe,GAAG,IAAI,GAAG,EAA0B,CAAA;IACzD,IAAI,QAAQ,GAA8B,IAAI,CAAA;IAC9C,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IAEnC,SAAS,UAAU;QACjB,OAAO,CAAC,GAAG,aAAa,EAAE,GAAG,eAAe,EAAE,GAAG,cAAc,CAAC,CAAA;IAClE,CAAC;IAED,SAAS,WAAW,CAAC,EAA6B;QAChD,QAAQ,GAAG,EAAE,CAAA;IACf,CAAC;IAED,SAAS,WAAW,CAAC,KAAa;QAChC,eAAe,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAA;IAChC,CAAC;IAED,SAAS,cAAc,KAAkB,OAAO,WAAW,CAAA,CAAC,CAAC;IAC7D,SAAS,WAAW,KAAuB,OAAO,QAAQ,CAAA,CAAC,CAAC;IAC5D,SAAS,YAAY,KAAgB,OAAO,SAAS,CAAA,CAAC,CAAC;IACvD,SAAS,aAAa,KAAiB,OAAO,UAAU,CAAA,CAAC,CAAC;IAE1D,SAAS,iBAAiB;QACxB,MAAM,MAAM,GAAqB,EAAE,CAAA;QACnC,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;YACnC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO;gBAAE,SAAQ;YACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;YACxC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;gBACtD,CAAC;gBAAC,QAA6C,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,OAAO,CAAA;YACzE,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,CAAA;YACvD,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAA;IACf,CAAC;IAED,SAAS,SAAS,CAAC,OAAe;QAChC,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;QAC7C,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,qBAAqB,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,SAAS,iBAAiB,CAAC,UAAkB,EAAE,QAAkB;QAC/D,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,UAAU,KAAK,oBAAoB,EAAE,CAAC;YAC5E,OAAO,KAAK,CAAA;QACd,CAAC;QACD,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;YAC1B,IAAI,CAAC,KAAK,GAAG;gBAAE,OAAO,KAAK,CAAA;YAC3B,IAAI,CAAC;gBAAC,OAAO,kBAAkB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;YAAC,CAAC;YAAC,MAAM,CAAC;gBAAC,OAAO,KAAK,CAAA;YAAC,CAAC;QAClE,CAAC,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,UAAU,eAAe,CAC5B,UAAkB,EAClB,QAAkB,EAClB,IAAa,EACb,OAAgB;QAEhB,MAAM,MAAM,GAAG,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,OAAO,CAAA;QAE9D,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;YACjC,IAAI,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC3B,MAAM,IAAI,qBAAqB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAA;YACtD,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,UAAU,EAAE,CAAA;QAE5B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,QAAQ,CAAC,UAAU,EAAE,OAAO,EAAE,OAAO,CAAC,CAAA;YAEnD,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC3B,MAAM,IAAI,qBAAqB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAA;YACtD,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;gBAC5B,OAAM;YACR,CAAC;QACH,CAAC;QAED,IAAI,MAAM,EAAE,CAAC;YACX,OAAM;QACR,CAAC;QAED,IAAI,iBAAiB,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,CAAC;YAC5C,OAAM;QACR,CAAC;QAED,MAAM,eAAe,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,IAAI,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;IAC9E,CAAC;IAED,KAAK,UAAU,eAAe,CAC5B,UAAkB,EAClB,OAAe,EACf,IAAa,EACb,OAAgB;QAEhB,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC3C,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;YAClD,MAAM,cAAc,GAAG,sBAAsB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAA;YAElE,MAAM,OAAO,GAAmB;gBAC9B,EAAE;gBACF,UAAU;gBACV,OAAO;gBACP,IAAI,EAAE,IAAI,IAAI,UAAU;gBACxB,OAAO,EAAE,OAAO,IAAI,OAAO;gBAC3B,MAAM,EAAE,cAAc;gBACtB,OAAO;gBACP,MAAM;aACP,CAAA;YAED,eAAe,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAA;YAEhC,QAAQ,EAAE,CAAC;gBACT,EAAE;gBACF,UAAU;gBACV,OAAO;gBACP,IAAI,EAAE,IAAI,IAAI,UAAU;gBACxB,OAAO,EAAE,OAAO,IAAI,OAAO;gBAC3B,MAAM,EAAE,cAAc;aACvB,CAAC,CAAA;YAEF,UAAU,CAAC,GAAG,EAAE;gBACd,IAAI,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;oBAC5B,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;oBAC1B,MAAM,CAAC,IAAI,qBAAqB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAA;gBACxD,CAAC;YACH,CAAC,EAAE,MAAM,CAAC,CAAA;QACZ,CAAC,CAAC,CAAA;IACJ,CAAC;IAED,SAAS,gBAAgB,CAAC,EAAU,EAAE,QAA4B;QAChE,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACvC,IAAI,CAAC,OAAO;YAAE,OAAM;QACpB,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;QAE1B,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC/B,OAAO,CAAC,MAAM,CAAC,IAAI,qBAAqB,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,CAAA;YAC9E,OAAM;QACR,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACjC,KAAK,MAAM,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBAC3C,eAAe,CAAC,IAAI,CAAC;oBACnB,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,OAAO,EAAE,aAAa;oBACtB,MAAM,EAAE,OAAO;iBAChB,CAAC,CAAA;YACJ,CAAC;YAED,kBAAkB,EAAE,CAAA;YACpB,SAAS,EAAE,CAAC,eAAe,CAAC,CAAA;QAC9B,CAAC;QAED,OAAO,CAAC,OAAO,EAAE,CAAA;IACnB,CAAC;IAED,SAAS,kBAAkB;QACzB,MAAM,OAAO,GAAG,UAAU,EAAE,CAAA;QAC5B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,eAAe,EAAE,CAAC;YAC3C,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,CAC3C,QAAQ,CAAC,KAAK,CAAC,UAAU,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC,MAAM,KAAK,OAAO,CAC3D,CAAA;YACD,IAAI,UAAU,EAAE,CAAC;gBACf,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBAC3B,KAAK,CAAC,OAAO,EAAE,CAAA;YACjB,CAAC;QACH,CAAC;IACH,CAAC;IAED,SAAS,sBAAsB,CAAC,UAAkB,EAAE,OAAe;QACjE,IAAI,UAAU,KAAK,oBAAoB,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;YAC5C,IAAI,GAAW,CAAA;YACf,IAAI,CAAC;gBACH,MAAM,EAAE,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAA;gBAC7B,GAAG,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;YACvD,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAA;YACzB,CAAC;YACD,OAAO,CAAC,OAAO,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAA;QACtC,CAAC;QAED,IAAI,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,CAAA;QACd,CAAC;QAED,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;YAClC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBACtB,OAAO,CAAC,OAAO,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;YAChE,CAAC;YACD,OAAO,CAAC,GAAG,OAAO,IAAI,CAAC,CAAA;QACzB,CAAC;QAED,OAAO,CAAC,OAAO,CAAC,CAAA;IAClB,CAAC;IAED,SAAS,mBAAmB,CAC1B,QAAgB,EAChB,IAA6B;QAE7B,MAAM,YAAY,GAAa,EAAE,CAAA;QACjC,MAAM,aAAa,GAAa,EAAE,CAAA;QAClC,MAAM,YAAY,GAAa,EAAE,CAAA;QAEjC,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,QAAQ,CAAuB,CAAA;QAEpF,IAAI,OAAO,EAAE,CAAC;YACZ,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;YAC1B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;gBACjC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBACtB,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;oBACtC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;oBAC3B,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBACzB,CAAC;YACH,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACZ,CAAC;QAED,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,IAAI,CAAC,OAA6B,CAAA;YAClD,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;gBAC/C,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;gBAC5B,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;gBACpD,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;oBACtB,YAAY,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;gBAChD,CAAC;gBACD,YAAY,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;gBAElC,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE,GACnE,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;gBAChC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC5B,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;wBAC9B,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;4BACvD,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;wBACxB,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,KAAK,MAAM,EAAE,IAAI,gBAAgB,EAAE,CAAC;oBAClC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;wBACtD,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;oBACvB,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;YACxD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAyB,CAAA;YAC1C,IAAI,GAAG,EAAE,CAAC;gBACR,IAAI,CAAC;oBACH,YAAY,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAA;gBAC1C,CAAC;gBAAC,MAAM,CAAC,CAAA,CAAC;YACZ,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa,CAAuB,CAAA;YACjF,IAAI,QAAQ;gBAAE,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAC3C,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzD,YAAY,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAA;QACpC,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9B,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACxB,CAAC;QAED,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,CAAA;IACtD,CAAC;IAED,OAAO;QACL,cAAc;QACd,WAAW;QACX,YAAY;QACZ,aAAa;QACb,SAAS;QACT,eAAe;QACf,mBAAmB;QACnB,WAAW;QACX,WAAW;QACX,gBAAgB;QAChB,UAAU;QACV,iBAAiB;QACjB,IAAI,YAAY,KAAK,OAAO,eAAe,CAAC,IAAI,CAAA,CAAC,CAAC;KACnD,CAAA;AACH,CAAC"}

package/dist/src/security/path-safety.d.ts

@@ -0,0 +1,15 @@
+import type { PathSafetyResult } from "./types.js";
+interface PathSafetyConfig {
+    blockedPaths: string[];
+    allowedPaths: string[];
+}
+export declare class PathSafety {
+    private blocked;
+    private allowed;
+    constructor(config?: Partial<PathSafetyConfig>);
+    check(rawPath: string, cwd?: string): PathSafetyResult;
+    private isBlocked;
+    private isAllowed;
+}
+export {};
+//# sourceMappingURL=path-safety.d.ts.map

package/dist/src/security/path-safety.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-safety.d.ts","sourceRoot":"","sources":["../../../src/security/path-safety.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAiBlD,UAAU,gBAAgB;IACxB,YAAY,EAAE,MAAM,EAAE,CAAA;IACtB,YAAY,EAAE,MAAM,EAAE,CAAA;CACvB;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAU;IACzB,OAAO,CAAC,OAAO,CAAU;gBAEb,MAAM,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC;IAK9C,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,GAAE,MAAsB,GAAG,gBAAgB;IAkBrE,OAAO,CAAC,SAAS;IAajB,OAAO,CAAC,SAAS;CAQlB"}

package/dist/src/security/path-safety.js

@@ -0,0 +1,57 @@
+import { resolve, relative } from "path";
+import { matchWildcard } from "./wildcard.js";
+const DEFAULT_BLOCKED = [
+    "**/.ssh/**",
+    "**/.aws/credentials",
+    "**/.aws/config",
+    "**/.gnupg/**",
+    "**/.netrc",
+    "**/etc/shadow",
+    "**/etc/gshadow",
+    "**/etc/sudoers",
+    "**/.password-store/**",
+    "**/.docker/config.json",
+    "**/.kube/config",
+];
+export class PathSafety {
+    blocked;
+    allowed;
+    constructor(config) {
+        this.blocked = config?.blockedPaths ?? [...DEFAULT_BLOCKED];
+        this.allowed = config?.allowedPaths ?? [];
+    }
+    check(rawPath, cwd = process.cwd()) {
+        if (rawPath.includes("\0")) {
+            return { ok: false, reason: "Path contains null bytes" };
+        }
+        const resolved = resolve(cwd, rawPath);
+        if (this.isAllowed(resolved)) {
+            return { ok: true, resolvedPath: resolved, displayPath: relative(cwd, resolved) || resolved };
+        }
+        if (this.isBlocked(resolved)) {
+            return { ok: false, reason: `Access denied to sensitive path: ${relative(cwd, resolved) || resolved}` };
+        }
+        return { ok: true, resolvedPath: resolved, displayPath: relative(cwd, resolved) || resolved };
+    }
+    isBlocked(fullPath) {
+        for (const pattern of this.blocked) {
+            if (matchWildcard("**/" + pattern, fullPath) || matchWildcard(pattern, fullPath)) {
+                return true;
+            }
+            const suffixIdx = pattern.replace(/^(\*\*\/)+/, "");
+            if (fullPath.replace(/\\/g, "/").endsWith("/" + suffixIdx)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    isAllowed(fullPath) {
+        for (const pattern of this.allowed) {
+            if (matchWildcard(pattern, fullPath) || matchWildcard("**/" + pattern, fullPath)) {
+                return true;
+            }
+        }
+        return false;
+    }
+}
+//# sourceMappingURL=path-safety.js.map

package/dist/src/security/path-safety.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-safety.js","sourceRoot":"","sources":["../../../src/security/path-safety.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,MAAM,CAAA;AAExC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAE7C,MAAM,eAAe,GAAG;IACtB,YAAY;IACZ,qBAAqB;IACrB,gBAAgB;IAChB,cAAc;IACd,WAAW;IACX,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,uBAAuB;IACvB,wBAAwB;IACxB,iBAAiB;CAClB,CAAA;AAOD,MAAM,OAAO,UAAU;IACb,OAAO,CAAU;IACjB,OAAO,CAAU;IAEzB,YAAY,MAAkC;QAC5C,IAAI,CAAC,OAAO,GAAG,MAAM,EAAE,YAAY,IAAI,CAAC,GAAG,eAAe,CAAC,CAAA;QAC3D,IAAI,CAAC,OAAO,GAAG,MAAM,EAAE,YAAY,IAAI,EAAE,CAAA;IAC3C,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,MAAc,OAAO,CAAC,GAAG,EAAE;QAChD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAA;QAC1D,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAEtC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,QAAQ,EAAE,CAAA;QAC/F,CAAC;QAED,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,oCAAoC,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,QAAQ,EAAE,EAAE,CAAA;QACzG,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,QAAQ,EAAE,CAAA;IAC/F,CAAC;IAEO,SAAS,CAAC,QAAgB;QAChC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACnC,IAAI,aAAa,CAAC,KAAK,GAAG,OAAO,EAAE,QAAQ,CAAC,IAAI,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;gBACjF,OAAO,IAAI,CAAA;YACb,CAAC;YACD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAA;YACnD,IAAI,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,QAAQ,CAAC,GAAG,GAAG,SAAS,CAAC,EAAE,CAAC;gBAC3D,OAAO,IAAI,CAAA;YACb,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAEO,SAAS,CAAC,QAAgB;QAChC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACnC,IAAI,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,IAAI,aAAa,CAAC,KAAK,GAAG,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;gBACjF,OAAO,IAAI,CAAA;YACb,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;CACF"}

package/dist/src/security/permissions.d.ts

@@ -0,0 +1,7 @@
+import type { Rule, Ruleset, PermissionConfig } from "./types.js";
+export declare function evaluate(permission: string, pattern: string, ...rulesets: Ruleset[]): Rule;
+export declare function fromConfig(config: PermissionConfig): Ruleset;
+export declare function merge(...rulesets: Ruleset[]): Ruleset;
+export declare function disabled(toolNames: string[], ruleset: Ruleset): Set<string>;
+export declare function getCanonicalPermission(toolName: string): string;
+//# sourceMappingURL=permissions.d.ts.map

package/dist/src/security/permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../../src/security/permissions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAoB,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAGnF,wBAAgB,QAAQ,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,QAAQ,EAAE,OAAO,EAAE,GAAG,IAAI,CAM1F;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAc5D;AAED,wBAAgB,KAAK,CAAC,GAAG,QAAQ,EAAE,OAAO,EAAE,GAAG,OAAO,CAErD;AAID,wBAAgB,QAAQ,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,CAW3E;AAED,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAE/D"}

package/dist/src/security/permissions.js

@@ -0,0 +1,41 @@
+import { matchWildcard } from "./wildcard.js";
+export function evaluate(permission, pattern, ...rulesets) {
+    const rules = rulesets.flat();
+    const match = [...rules].reverse().find((rule) => matchWildcard(rule.permission, permission) && matchWildcard(rule.pattern, pattern));
+    return match ?? { permission, pattern: "*", action: "ask" };
+}
+export function fromConfig(config) {
+    const ruleset = [];
+    for (const [key, value] of Object.entries(config)) {
+        if (typeof value === "string") {
+            ruleset.push({ permission: key, pattern: "*", action: value });
+        }
+        else if (typeof value === "object" && value !== null) {
+            for (const [pattern, action] of Object.entries(value)) {
+                ruleset.push({ permission: key, pattern, action });
+            }
+        }
+    }
+    return ruleset;
+}
+export function merge(...rulesets) {
+    return rulesets.flat();
+}
+const WRITE_TOOL_NAMES = ["edit", "write", "apply_patch"];
+export function disabled(toolNames, ruleset) {
+    const result = new Set();
+    for (const tool of toolNames) {
+        const permission = WRITE_TOOL_NAMES.includes(tool) ? "write" : tool;
+        const rule = [...ruleset].reverse().find((r) => matchWildcard(r.permission, permission));
+        if (!rule)
+            continue;
+        if (rule.pattern === "*" && rule.action === "deny") {
+            result.add(tool);
+        }
+    }
+    return result;
+}
+export function getCanonicalPermission(toolName) {
+    return WRITE_TOOL_NAMES.includes(toolName) ? "write" : toolName;
+}
+//# sourceMappingURL=permissions.js.map

package/dist/src/security/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../../src/security/permissions.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAE7C,MAAM,UAAU,QAAQ,CAAC,UAAkB,EAAE,OAAe,EAAE,GAAG,QAAmB;IAClF,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC7B,MAAM,KAAK,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,IAAI,CACrC,CAAC,IAAU,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CACnG,CAAA;IACD,OAAO,KAAK,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAA;AAC7D,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAwB;IACjD,MAAM,OAAO,GAAY,EAAE,CAAA;IAE3B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAyB,EAAE,CAAC,CAAA;QACpF,CAAC;aAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACvD,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAyC,CAAC,EAAE,CAAC;gBAC1F,OAAO,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAA;YACpD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,MAAM,UAAU,KAAK,CAAC,GAAG,QAAmB;IAC1C,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAA;AACxB,CAAC;AAED,MAAM,gBAAgB,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,aAAa,CAAC,CAAA;AAEzD,MAAM,UAAU,QAAQ,CAAC,SAAmB,EAAE,OAAgB;IAC5D,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAA;IAChC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,MAAM,UAAU,GAAG,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAA;QACnE,MAAM,IAAI,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC,CAAO,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC,CAAA;QAC9F,IAAI,CAAC,IAAI;YAAE,SAAQ;QACnB,IAAI,IAAI,CAAC,OAAO,KAAK,GAAG,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YACnD,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QAClB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,QAAgB;IACrD,OAAO,gBAAgB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAA;AACjE,CAAC"}