@pugi/cli 0.1.0-alpha.9 → 0.1.0-beta.2

package/dist/core/edits/marker-parser.js

@@ -0,0 +1,401 @@
+export class MarkerParseError extends Error {
+    code = 'MARKER_PARSE_ERROR';
+    modelHint;
+    atLine;
+    constructor(message, modelHint, atLine) {
+        super(message);
+        this.name = 'MarkerParseError';
+        this.modelHint = modelHint;
+        this.atLine = atLine;
+    }
+}
+/**
+ * Convert a raw LLM response into parsed edits. Marker family routes
+ * by tag; `auto` triggers detection.
+ *
+ * Layer C/D markers ALWAYS use the universal `@@@` envelope (vendor-
+ * neutral) because their wire format is heavy enough that re-emitting
+ * per-vendor would invite drift. Layer A/B follow the per-vendor
+ * SEARCH/REPLACE convention.
+ */
+export function parseMarkers(raw, family) {
+    if (typeof raw !== 'string') {
+        throw new MarkerParseError('parseMarkers requires a string input', family);
+    }
+    const effective = family === 'auto' ? detectFamily(raw) : family;
+    // Layer C and Layer D envelopes are vendor-neutral and trimmed out
+    // before per-vendor Layer A/B parsing so the per-vendor pass cannot
+    // accidentally tokenise the rewrite/AST body.
+    const universalEdits = [];
+    const stripped = extractUniversalBlocks(raw, universalEdits, family);
+    const familyEdits = parseFamilyMarkers(stripped, effective);
+    return [...universalEdits, ...familyEdits];
+}
+/**
+ * Heuristic auto-detection — looks for the first distinctive marker
+ * and routes accordingly. Cheap to compute (single linear scan via
+ * `indexOf`) so we run it whenever the dispatcher gets `modelTag:
+ * undefined`.
+ */
+export function detectFamily(raw) {
+    // Order matters: Gemini's `<<<<<<< SEARCH` is distinctive enough to
+    // win even when the same payload contains a unified diff in a
+    // comment block.
+    if (raw.includes('<<<<<<< SEARCH'))
+        return 'gemini';
+    if (raw.includes('+++ NEW') && raw.includes('--- OLD'))
+        return 'anthropic';
+    // Unified-diff signature: `--- a/` immediately followed by `+++ b/`
+    // somewhere in the payload. Looser than Anthropic's `+++ NEW`.
+    if (/^--- a\//m.test(raw) && /^\+\+\+ b\//m.test(raw))
+        return 'openai';
+    // Default to Anthropic — covers the Claude family which is the
+    // primary alpha target.
+    return 'anthropic';
+}
+// ---------------------------------------------------------------------------
+// Universal Layer C / Layer D envelope extractor.
+// ---------------------------------------------------------------------------
+function extractUniversalBlocks(raw, out, family) {
+    const lines = raw.split('\n');
+    const kept = [];
+    let i = 0;
+    while (i < lines.length) {
+        const line = lines[i] ?? '';
+        const rewrite = line.match(/^@@@ REWRITE\s+(\S+)\s+sha256=([a-f0-9]+)\s*$/);
+        if (rewrite) {
+            const file = rewrite[1] ?? '';
+            const baseSha256 = (rewrite[2] ?? '').toLowerCase();
+            const bodyStart = i + 1;
+            let bodyEnd = bodyStart;
+            while (bodyEnd < lines.length && lines[bodyEnd] !== '@@@ END')
+                bodyEnd += 1;
+            if (bodyEnd >= lines.length) {
+                throw new MarkerParseError(`Layer C REWRITE block for ${file} missing '@@@ END' terminator`, family, i + 1);
+            }
+            const newContents = lines.slice(bodyStart, bodyEnd).join('\n');
+            out.push({
+                kind: 'layer-c',
+                edit: { file, baseSha256, newContents },
+            });
+            i = bodyEnd + 1;
+            continue;
+        }
+        const ast = line.match(/^@@@ AST\s+(\S+)\s+op=(\S+)\s*$/);
+        if (ast) {
+            const file = ast[1] ?? '';
+            const operation = (ast[2] ?? '');
+            const bodyStart = i + 1;
+            let bodyEnd = bodyStart;
+            while (bodyEnd < lines.length && lines[bodyEnd] !== '@@@ END')
+                bodyEnd += 1;
+            if (bodyEnd >= lines.length) {
+                throw new MarkerParseError(`Layer D AST block for ${file} missing '@@@ END' terminator`, family, i + 1);
+            }
+            const paramsRaw = lines.slice(bodyStart, bodyEnd).join('\n').trim();
+            let params = {};
+            if (paramsRaw.length > 0) {
+                try {
+                    const parsed = JSON.parse(paramsRaw);
+                    if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+                        params = parsed;
+                    }
+                }
+                catch (error) {
+                    throw new MarkerParseError(`Layer D AST params JSON parse failed for ${file}: ${error instanceof Error ? error.message : String(error)}`, family, bodyStart + 1);
+                }
+            }
+            out.push({
+                kind: 'layer-d',
+                edit: { file, operation, params },
+            });
+            i = bodyEnd + 1;
+            continue;
+        }
+        kept.push(line);
+        i += 1;
+    }
+    return kept.join('\n');
+}
+// ---------------------------------------------------------------------------
+// Per-family Layer A / Layer B parsers.
+// ---------------------------------------------------------------------------
+function parseFamilyMarkers(raw, family) {
+    switch (family) {
+        case 'anthropic':
+            return parseAnthropic(raw);
+        case 'gemini':
+            return parseGemini(raw);
+        case 'openai':
+            return parseOpenAI(raw);
+        case 'auto':
+            // Unreachable — `parseMarkers` resolves `auto` to a concrete
+            // family before calling this. We keep the case so the switch is
+            // exhaustive under `noFallthroughCasesInSwitch` / `noImplicitReturns`.
+            return [];
+    }
+}
+/**
+ * Anthropic / Claude — Cline three-segment envelope:
+ *   +++ NEW <file>
+ *   <new>
+ *   --- OLD <file>
+ *   <old>
+ *   ===
+ *
+ * Multiple blocks targeting the same `<file>` collapse into a single
+ * Layer B batch (preserving order). Single blocks return as Layer A.
+ */
+// Shared between the body-terminator scan and the header-match check
+// below so the two cannot drift. Triple-review 2026-05-25 P1 (Claude):
+// the previous implementation used `lines[i].startsWith('--- OLD')`
+// for the terminator and the regex below only for the header, so a
+// model-emitted line like `// --- OLD usage was foo` inside the NEW
+// body would falsely terminate the body.
+const ANTHROPIC_OLD_HEADER = /^--- OLD\s+(\S+)\s*$/;
+function parseAnthropic(raw) {
+    const blocks = [];
+    const lines = raw.split('\n');
+    let i = 0;
+    while (i < lines.length) {
+        const line = lines[i] ?? '';
+        const newHeader = line.match(/^\+\+\+ NEW\s+(\S+)\s*$/);
+        if (!newHeader) {
+            i += 1;
+            continue;
+        }
+        const file = newHeader[1] ?? '';
+        const startedAt = i + 1;
+        const newBody = [];
+        i += 1;
+        // Body terminator MUST match the same exact regex as `oldHeader`
+        // below (`/^--- OLD\s+\S+$/`), not a loose `startsWith('--- OLD')`.
+        // Triple-review 2026-05-25 P1 (Claude): a NEW body that contains a
+        // comment line beginning with `--- OLD foo` (e.g. a git-diff
+        // excerpt in a TypeScript comment, a markdown code fence showing
+        // what an old patch looked like) would falsely terminate the body
+        // and rip the rest of the NEW segment into the OLD segment, then
+        // throw a misleading "file mismatch" or write half-edits to disk.
+        while (i < lines.length && !ANTHROPIC_OLD_HEADER.test(lines[i] ?? '')) {
+            newBody.push(lines[i] ?? '');
+            i += 1;
+        }
+        if (i >= lines.length) {
+            throw new MarkerParseError(`Anthropic block for ${file} missing '--- OLD' segment`, 'anthropic', startedAt);
+        }
+        const oldHeader = (lines[i] ?? '').match(ANTHROPIC_OLD_HEADER);
+        if (!oldHeader || oldHeader[1] !== file) {
+            throw new MarkerParseError(`Anthropic block file mismatch: NEW ${file} vs OLD ${oldHeader?.[1] ?? '?'}`, 'anthropic', i + 1);
+        }
+        i += 1;
+        const oldBody = [];
+        while (i < lines.length && (lines[i] ?? '') !== '===') {
+            oldBody.push(lines[i] ?? '');
+            i += 1;
+        }
+        if (i >= lines.length) {
+            throw new MarkerParseError(`Anthropic block for ${file} missing '===' terminator`, 'anthropic', startedAt);
+        }
+        // Anthropic emits the bodies WITHOUT trailing newlines on the
+        // last line; our `.join('\n')` produces the same shape so a
+        // round-trip is byte-for-byte stable.
+        blocks.push({
+            file,
+            newString: newBody.join('\n'),
+            oldString: oldBody.join('\n'),
+            atLine: startedAt,
+        });
+        i += 1; // consume '==='
+    }
+    return collapseByFile(blocks);
+}
+/**
+ * Gemini / xAI — GitHub-conflict-marker envelope:
+ *   <<<<<<< SEARCH [file]
+ *   <old>
+ *   =======
+ *   <new>
+ *   >>>>>>> REPLACE [file]
+ *
+ * `[file]` may appear on the SEARCH line, the REPLACE line, or BOTH.
+ * If both are present they must match.
+ */
+function parseGemini(raw) {
+    const blocks = [];
+    const lines = raw.split('\n');
+    let i = 0;
+    while (i < lines.length) {
+        const line = lines[i] ?? '';
+        const search = line.match(/^<<<<<<< SEARCH(?:\s+(\S+))?\s*$/);
+        if (!search) {
+            i += 1;
+            continue;
+        }
+        const startedAt = i + 1;
+        const searchFile = search[1] ?? '';
+        i += 1;
+        const oldBody = [];
+        while (i < lines.length && (lines[i] ?? '') !== '=======') {
+            oldBody.push(lines[i] ?? '');
+            i += 1;
+        }
+        if (i >= lines.length) {
+            throw new MarkerParseError(`Gemini SEARCH block missing '=======' divider`, 'gemini', startedAt);
+        }
+        i += 1; // consume '======='
+        const newBody = [];
+        while (i < lines.length && !(lines[i] ?? '').startsWith('>>>>>>> REPLACE')) {
+            newBody.push(lines[i] ?? '');
+            i += 1;
+        }
+        if (i >= lines.length) {
+            throw new MarkerParseError(`Gemini SEARCH block missing '>>>>>>> REPLACE' terminator`, 'gemini', startedAt);
+        }
+        const replace = (lines[i] ?? '').match(/^>>>>>>> REPLACE(?:\s+(\S+))?\s*$/);
+        const replaceFile = replace?.[1] ?? '';
+        const file = searchFile || replaceFile;
+        if (!file) {
+            throw new MarkerParseError(`Gemini block missing file path on both SEARCH and REPLACE lines`, 'gemini', startedAt);
+        }
+        if (searchFile && replaceFile && searchFile !== replaceFile) {
+            throw new MarkerParseError(`Gemini SEARCH/REPLACE file mismatch: ${searchFile} vs ${replaceFile}`, 'gemini', i + 1);
+        }
+        i += 1; // consume REPLACE line
+        blocks.push({
+            file,
+            oldString: oldBody.join('\n'),
+            newString: newBody.join('\n'),
+            atLine: startedAt,
+        });
+    }
+    return collapseByFile(blocks);
+}
+/**
+ * OpenAI / generic — unified diff. We parse a single contiguous hunk
+ * per file into a Layer A block by collapsing all `-` lines into
+ * oldString and all `+` lines into newString, preserving leading
+ * context. Multi-hunk files become a Layer B batch (one sub-edit per
+ * hunk). The grammar is intentionally minimal — Pugi does not need
+ * full GNU diff compatibility because the model owns the format
+ * choice.
+ */
+function parseOpenAI(raw) {
+    const blocks = [];
+    const lines = raw.split('\n');
+    let i = 0;
+    let currentFile = null;
+    while (i < lines.length) {
+        const line = lines[i] ?? '';
+        const aHeader = line.match(/^--- a\/(.+)$/);
+        if (aHeader) {
+            // Expect the matching `+++ b/<file>` on the next line.
+            const next = lines[i + 1] ?? '';
+            const bHeader = next.match(/^\+\+\+ b\/(.+)$/);
+            if (!bHeader) {
+                throw new MarkerParseError(`OpenAI unified diff: '--- a/${aHeader[1]}' not followed by '+++ b/'`, 'openai', i + 1);
+            }
+            if (aHeader[1] !== bHeader[1]) {
+                throw new MarkerParseError(`OpenAI unified diff file mismatch: a/${aHeader[1]} vs b/${bHeader[1]}`, 'openai', i + 2);
+            }
+            currentFile = bHeader[1] ?? '';
+            i += 2;
+            continue;
+        }
+        if (line.startsWith('@@') && currentFile) {
+            const startedAt = i + 1;
+            i += 1;
+            const oldLines = [];
+            const newLines = [];
+            while (i < lines.length &&
+                !(lines[i] ?? '').startsWith('@@') &&
+                !(lines[i] ?? '').startsWith('--- a/')) {
+                const hl = lines[i] ?? '';
+                if (hl.startsWith('+'))
+                    newLines.push(hl.slice(1));
+                else if (hl.startsWith('-'))
+                    oldLines.push(hl.slice(1));
+                else if (hl.startsWith(' ')) {
+                    // Context line — preserved in both sides to keep the
+                    // oldString unique. Strip the leading space.
+                    const ctx = hl.slice(1);
+                    oldLines.push(ctx);
+                    newLines.push(ctx);
+                }
+                else if (hl === '') {
+                    // Bare empty lines in a unified diff are ambiguous — some
+                    // emitters use them as a terminator, others as a literal
+                    // empty context line. We treat them as context (preserved
+                    // on both sides) which is the conservative choice; if the
+                    // model meant terminator the next `@@` or `--- a/` will
+                    // catch it.
+                    oldLines.push('');
+                    newLines.push('');
+                }
+                else {
+                    // `\` lines ('') and any other
+                    // metadata are ignored.
+                }
+                i += 1;
+            }
+            blocks.push({
+                file: currentFile,
+                oldString: oldLines.join('\n'),
+                newString: newLines.join('\n'),
+                atLine: startedAt,
+            });
+            continue;
+        }
+        i += 1;
+    }
+    if (blocks.length === 0 && raw.includes('--- a/')) {
+        throw new MarkerParseError('OpenAI unified diff parsed zero hunks — payload may be malformed', 'openai');
+    }
+    return collapseByFile(blocks);
+}
+/**
+ * Collapse N blocks-per-file into either a single Layer A (N=1) or a
+ * single Layer B batch (N>1). The dispatcher routes Layer A and
+ * Layer B differently; we make that choice at parse time so the
+ * dispatcher stays format-agnostic.
+ */
+function collapseByFile(blocks) {
+    const byFile = new Map();
+    // Preserve first-seen order across files.
+    const order = [];
+    for (const block of blocks) {
+        const list = byFile.get(block.file);
+        if (list) {
+            list.push({ oldString: block.oldString, newString: block.newString });
+        }
+        else {
+            byFile.set(block.file, [{ oldString: block.oldString, newString: block.newString }]);
+            order.push(block.file);
+        }
+    }
+    const out = [];
+    for (const file of order) {
+        const subs = byFile.get(file) ?? [];
+        if (subs.length === 1) {
+            const only = subs[0];
+            out.push({
+                kind: 'layer-a',
+                edit: {
+                    file,
+                    oldString: only.oldString,
+                    newString: only.newString,
+                },
+            });
+        }
+        else {
+            out.push({
+                kind: 'layer-b',
+                edit: {
+                    file,
+                    edits: subs,
+                },
+            });
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=marker-parser.js.map

package/dist/core/edits/security-gate.js

@@ -0,0 +1,223 @@
+/**
+ * Shared security gate for the α6.6 diff escalation Layer A/B/C
+ * applicators.
+ *
+ * Before α6.6.1 (triple-review remediation 2026-05-25) every layer
+ * built its own path resolver via `isAbsolute(file) ? file : resolve(cwd, file)`.
+ * That bypassed the workspace-scoped resolver + protected-basename
+ * gate + symlink-escape check used by the `edit`/`write` tools in
+ * `apps/pugi-cli/src/tools/file-tools.ts`. A model that emitted
+ * `+++ NEW ../../../../etc/passwd` (or `+++ NEW .env`) would have
+ * happily landed an atomic write outside the workspace or onto a
+ * protected basename.
+ *
+ * This module is the single chokepoint every layer goes through.
+ * Centralised here so:
+ *
+ *   1. Future layers (D = AST, planned β-tier) inherit the gate for
+ *      free instead of re-implementing it.
+ *   2. New protected-file rules added to `decidePermission` propagate
+ *      to dispatcher writes uniformly.
+ *   3. A single spec surface covers every layer's path-handling
+ *      contract (`apps/pugi-cli/test/edits-security-gate.spec.ts`).
+ *
+ * Defense layers, in order (fail-fast — first reject wins):
+ *
+ *   a. `resolveWorkspacePath` — workspace-scoped resolver with URL-decode
+ *      and realpath gate at the target. Throws on traversal; we
+ *      translate the throw into `path_outside_workspace`.
+ *   b. `decidePermission` (kind: 'edit') — protected basename / suffix /
+ *      credential-path check (`.env`, `*.pem`, `id_rsa`, `~/.ssh/**`,
+ *      etc.). Mirrors what `writeTool` / `editTool` already enforce.
+ *   c. Explicit `realpathSync.native` re-check on the target (or
+ *      target's parent when the target does not yet exist) to defend
+ *      against TOCTOU symlink swap between `resolveWorkspacePath` and
+ *      the apply-time write.
+ *   d. Re-run `decidePermission` on the REAL target's workspace-relative
+ *      form. R2 triple-review (2026-05-25, Codex P1) caught the
+ *      symlink → protected-file bypass: a workspace-local symlink
+ *      `alias -> .env` passes step (b) because `alias` is not a
+ *      protected basename, and passes step (c) because `.env`
+ *      legitimately lives inside the workspace realpath. Without step
+ *      (d) the gate would allow the atomic write to land on `.env`
+ *      via the symlink's resolved target. Re-running the protected-file
+ *      check against the resolved name closes that loop.
+ */
+import { realpathSync } from 'node:fs';
+import { basename, resolve, sep, relative } from 'node:path';
+import { decidePermission } from '../permission.js';
+import { resolveWorkspacePath } from '../path-security.js';
+import { loadSettings } from '../settings.js';
+/**
+ * Apply the full path-traversal + protected-file + symlink-escape gate
+ * for an inbound edit request. Returns the resolved absolute path on
+ * success; never throws on the security-relevant rejections. Filesystem
+ * errors that are NOT security-relevant (an unexpected EACCES on a
+ * realpath that doesn't involve a symlink, etc.) are re-thrown so the
+ * layer's existing error path records them as `write_error`.
+ */
+export function applySecurityGate(inputPath, opts) {
+    // (a) Workspace-scoped path resolution. `resolveWorkspacePath`
+    // throws on URL-encoded traversal, parent-chain escapes via `..`,
+    // and target-symlinks that point outside the workspace root. We
+    // funnel the throw into a structured rejection so the dispatcher
+    // can render a deterministic operator-facing message.
+    let resolved;
+    try {
+        resolved = resolveWorkspacePath(opts.cwd, inputPath);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            ok: false,
+            reason: 'path_outside_workspace',
+            detail: `${message}`,
+        };
+    }
+    // (b) Protected-file gate. The same `decidePermission` call the
+    // `edit` / `write` tools make. We pass the workspace-relative form
+    // because `protectedTargetReason` uses `basename(resolve(root, target))`
+    // internally — passing an absolute path that already lives under
+    // `root` works because Node's `resolve` is idempotent, but the
+    // workspace-relative form keeps the audit log compact.
+    const settings = opts.settings ?? loadSettings(opts.cwd);
+    const targetForPermission = isInsideRoot(resolved, opts.cwd)
+        ? relative(opts.cwd, resolved) || inputPath
+        : inputPath;
+    const decision = decidePermission({ tool: opts.toolName, kind: 'edit', target: targetForPermission }, settings, opts.cwd);
+    if (decision.decision !== 'allow') {
+        return {
+            ok: false,
+            reason: 'protected_file',
+            detail: `${decision.decision} for ${targetForPermission}: ${decision.reason}`,
+        };
+    }
+    // (c) Symlink-escape re-check. Closes the TOCTOU window between
+    // `resolveWorkspacePath` and the apply-time write. If the target
+    // file does not yet exist (legitimate for any future "create"
+    // path), we walk up to the parent — realpathSync throws ENOENT on
+    // a missing leaf — and require the parent realpath to live inside
+    // the workspace realpath. The target's basename is then anchored to
+    // the parent realpath so a final-segment symlink swap cannot escape.
+    let realRoot;
+    try {
+        realRoot = realpathSync.native(opts.cwd);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            ok: false,
+            reason: 'symlink_escape',
+            detail: `cannot realpath workspace root: ${message}`,
+        };
+    }
+    let realTarget;
+    try {
+        realTarget = realpathSync.native(resolved);
+    }
+    catch (error) {
+        const code = error.code;
+        if (code !== 'ENOENT' && code !== 'ENOTDIR') {
+            // Unexpected filesystem error — re-throw so the layer records
+            // it as `write_error` rather than silently rejecting as
+            // `symlink_escape` (which would mis-attribute the cause to the
+            // operator).
+            throw error;
+        }
+        // Target does not exist — anchor against the parent's realpath.
+        let realParent;
+        try {
+            realParent = realpathSync.native(resolve(resolved, '..'));
+        }
+        catch (parentError) {
+            const parentCode = parentError.code;
+            if (parentCode !== 'ENOENT' && parentCode !== 'ENOTDIR')
+                throw parentError;
+            return {
+                ok: false,
+                reason: 'symlink_escape',
+                detail: `parent directory does not exist for ${inputPath}`,
+            };
+        }
+        if (!isInsideRoot(realParent, realRoot)) {
+            return {
+                ok: false,
+                reason: 'symlink_escape',
+                detail: `parent realpath ${realParent} escapes workspace ${realRoot}`,
+            };
+        }
+        // (d) Re-run the protected-file check against the parent's
+        // realpath-anchored basename. The basename of `resolved` is the
+        // final path segment the write will land on; pairing it with the
+        // resolved parent gives the workspace-relative form the
+        // protected-basename matcher needs. Closes the "create-new-file
+        // symlink-parent" variant: a dir symlink whose realpath stays
+        // inside the workspace must not let an attacker create a new
+        // `.env` (or any other protected basename) via a non-protected
+        // relative path.
+        const realCreateTarget = resolve(realParent, basename(resolved));
+        const recheck = recheckProtectedOnReal(realCreateTarget, realRoot, opts);
+        if (recheck)
+            return recheck;
+        return { ok: true, absPath: resolved };
+    }
+    if (!isInsideRoot(realTarget, realRoot)) {
+        return {
+            ok: false,
+            reason: 'symlink_escape',
+            detail: `target realpath ${realTarget} escapes workspace ${realRoot}`,
+        };
+    }
+    // (d) Re-run the protected-file check on the resolved target. The
+    // pre-fix gate only checked the operator-supplied path; a symlink
+    // `alias -> .env` would slip through because `alias` is not
+    // protected. Now we re-key the permission decision on the realpath's
+    // workspace-relative form so the basename matcher sees `.env` (or
+    // any other protected suffix) the symlink points at. The settings
+    // pull is free — it is the same `settings` we loaded at step (b).
+    const recheck = recheckProtectedOnReal(realTarget, realRoot, opts);
+    if (recheck)
+        return recheck;
+    return { ok: true, absPath: resolved };
+}
+/**
+ * Helper for step (d) of the gate. Re-runs `decidePermission` on the
+ * real (symlink-resolved) target's workspace-relative form and returns
+ * a `protected_file` rejection when the basename matches a protected
+ * pattern. Returns null when the recheck passes; the caller continues
+ * to `ok: true`.
+ *
+ * Lifted into a helper because both the existing-target branch and the
+ * missing-target (create) branch in `applySecurityGate` need the same
+ * check, and inlining it twice would invite drift the next time the
+ * protected-file rules grow.
+ */
+function recheckProtectedOnReal(realTarget, realRoot, opts) {
+    if (!isInsideRoot(realTarget, realRoot))
+        return null;
+    const realRelative = relative(realRoot, realTarget);
+    if (realRelative === '')
+        return null;
+    const settings = opts.settings ?? loadSettings(opts.cwd);
+    const realDecision = decidePermission({ tool: opts.toolName, kind: 'edit', target: realRelative }, settings, realRoot);
+    if (realDecision.decision !== 'allow') {
+        return {
+            ok: false,
+            reason: 'protected_file',
+            detail: `${realDecision.decision} for symlink target ${realRelative}: ${realDecision.reason}`,
+        };
+    }
+    return null;
+}
+/**
+ * True iff `child` is `root` or strictly nested inside it. Uses the
+ * platform separator + a trailing `sep` guard to avoid the
+ * `/workspace` vs `/workspace-evil` false-positive that a naive
+ * `startsWith` check would produce.
+ */
+function isInsideRoot(child, root) {
+    if (child === root)
+        return true;
+    return child.startsWith(root + sep);
+}
+//# sourceMappingURL=security-gate.js.map