@pugi/cli 0.1.0-beta.99 → 1.0.0-alpha.2

package/dist/core/edits/marker-parser.js

@@ -1,401 +0,0 @@
-export class MarkerParseError extends Error {
-    code = 'MARKER_PARSE_ERROR';
-    modelHint;
-    atLine;
-    constructor(message, modelHint, atLine) {
-        super(message);
-        this.name = 'MarkerParseError';
-        this.modelHint = modelHint;
-        this.atLine = atLine;
-    }
-}
-/**
- * Convert a raw LLM response into parsed edits. Marker family routes
- * by tag; `auto` triggers detection.
- *
- * Layer C/D markers ALWAYS use the universal `@@@` envelope (vendor-
- * neutral) because their wire format is heavy enough that re-emitting
- * per-vendor would invite drift. Layer A/B follow the per-vendor
- * SEARCH/REPLACE convention.
- */
-export function parseMarkers(raw, family) {
-    if (typeof raw !== 'string') {
-        throw new MarkerParseError('parseMarkers requires a string input', family);
-    }
-    const effective = family === 'auto' ? detectFamily(raw) : family;
-    // Layer C and Layer D envelopes are vendor-neutral and trimmed out
-    // before per-vendor Layer A/B parsing so the per-vendor pass cannot
-    // accidentally tokenise the rewrite/AST body.
-    const universalEdits = [];
-    const stripped = extractUniversalBlocks(raw, universalEdits, family);
-    const familyEdits = parseFamilyMarkers(stripped, effective);
-    return [...universalEdits, ...familyEdits];
-}
-/**
- * Heuristic auto-detection — looks for the first distinctive marker
- * and routes accordingly. Cheap to compute (single linear scan via
- * `indexOf`) so we run it whenever the dispatcher gets `modelTag:
- * undefined`.
- */
-export function detectFamily(raw) {
-    // Order matters: Gemini's `<<<<<<< SEARCH` is distinctive enough to
-    // win even when the same payload contains a unified diff in a
-    // comment block.
-    if (raw.includes('<<<<<<< SEARCH'))
-        return 'gemini';
-    if (raw.includes('+++ NEW') && raw.includes('--- OLD'))
-        return 'anthropic';
-    // Unified-diff signature: `--- a/` immediately followed by `+++ b/`
-    // somewhere in the payload. Looser than Anthropic's `+++ NEW`.
-    if (/^--- a\//m.test(raw) && /^\+\+\+ b\//m.test(raw))
-        return 'openai';
-    // Default to Anthropic — covers the Claude family which is the
-    // primary alpha target.
-    return 'anthropic';
-}
-// ---------------------------------------------------------------------------
-// Universal Layer C / Layer D envelope extractor.
-// ---------------------------------------------------------------------------
-function extractUniversalBlocks(raw, out, family) {
-    const lines = raw.split('\n');
-    const kept = [];
-    let i = 0;
-    while (i < lines.length) {
-        const line = lines[i] ?? '';
-        const rewrite = line.match(/^@@@ REWRITE\s+(\S+)\s+sha256=([a-f0-9]+)\s*$/);
-        if (rewrite) {
-            const file = rewrite[1] ?? '';
-            const baseSha256 = (rewrite[2] ?? '').toLowerCase();
-            const bodyStart = i + 1;
-            let bodyEnd = bodyStart;
-            while (bodyEnd < lines.length && lines[bodyEnd] !== '@@@ END')
-                bodyEnd += 1;
-            if (bodyEnd >= lines.length) {
-                throw new MarkerParseError(`Layer C REWRITE block for ${file} missing '@@@ END' terminator`, family, i + 1);
-            }
-            const newContents = lines.slice(bodyStart, bodyEnd).join('\n');
-            out.push({
-                kind: 'layer-c',
-                edit: { file, baseSha256, newContents },
-            });
-            i = bodyEnd + 1;
-            continue;
-        }
-        const ast = line.match(/^@@@ AST\s+(\S+)\s+op=(\S+)\s*$/);
-        if (ast) {
-            const file = ast[1] ?? '';
-            const operation = (ast[2] ?? '');
-            const bodyStart = i + 1;
-            let bodyEnd = bodyStart;
-            while (bodyEnd < lines.length && lines[bodyEnd] !== '@@@ END')
-                bodyEnd += 1;
-            if (bodyEnd >= lines.length) {
-                throw new MarkerParseError(`Layer D AST block for ${file} missing '@@@ END' terminator`, family, i + 1);
-            }
-            const paramsRaw = lines.slice(bodyStart, bodyEnd).join('\n').trim();
-            let params = {};
-            if (paramsRaw.length > 0) {
-                try {
-                    const parsed = JSON.parse(paramsRaw);
-                    if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
-                        params = parsed;
-                    }
-                }
-                catch (error) {
-                    throw new MarkerParseError(`Layer D AST params JSON parse failed for ${file}: ${error instanceof Error ? error.message : String(error)}`, family, bodyStart + 1);
-                }
-            }
-            out.push({
-                kind: 'layer-d',
-                edit: { file, operation, params },
-            });
-            i = bodyEnd + 1;
-            continue;
-        }
-        kept.push(line);
-        i += 1;
-    }
-    return kept.join('\n');
-}
-// ---------------------------------------------------------------------------
-// Per-family Layer A / Layer B parsers.
-// ---------------------------------------------------------------------------
-function parseFamilyMarkers(raw, family) {
-    switch (family) {
-        case 'anthropic':
-            return parseAnthropic(raw);
-        case 'gemini':
-            return parseGemini(raw);
-        case 'openai':
-            return parseOpenAI(raw);
-        case 'auto':
-            // Unreachable — `parseMarkers` resolves `auto` to a concrete
-            // family before calling this. We keep the case so the switch is
-            // exhaustive under `noFallthroughCasesInSwitch` / `noImplicitReturns`.
-            return [];
-    }
-}
-/**
- * Anthropic / Claude — Cline three-segment envelope:
- *  +++ NEW <file>
- *  <new>
- *  --- OLD <file>
- *  <old>
- *  ===
- *
- * Multiple blocks targeting the same `<file>` collapse into a single
- * Layer B batch (preserving order). Single blocks return as Layer A.
- */
-// Shared between the body-terminator scan and the header-match check
-// below so the two cannot drift. Triple-review P1 (Claude):
-// the previous implementation used `lines[i].startsWith('--- OLD')`
-// for the terminator and the regex below only for the header, so a
-// model-emitted line like `// --- OLD usage was foo` inside the NEW
-// body would falsely terminate the body.
-const ANTHROPIC_OLD_HEADER = /^--- OLD\s+(\S+)\s*$/;
-function parseAnthropic(raw) {
-    const blocks = [];
-    const lines = raw.split('\n');
-    let i = 0;
-    while (i < lines.length) {
-        const line = lines[i] ?? '';
-        const newHeader = line.match(/^\+\+\+ NEW\s+(\S+)\s*$/);
-        if (!newHeader) {
-            i += 1;
-            continue;
-        }
-        const file = newHeader[1] ?? '';
-        const startedAt = i + 1;
-        const newBody = [];
-        i += 1;
-        // Body terminator MUST match the same exact regex as `oldHeader`
-        // below (`/^--- OLD\s+\S+$/`), not a loose `startsWith('--- OLD')`.
-        // Triple-review P1 (Claude): a NEW body that contains a
-        // comment line beginning with `--- OLD foo` (e.g. a git-diff
-        // excerpt in a TypeScript comment, a markdown code fence showing
-        // what an old patch looked like) would falsely terminate the body
-        // and rip the rest of the NEW segment into the OLD segment, then
-        // throw a misleading "file mismatch" or write half-edits to disk.
-        while (i < lines.length && !ANTHROPIC_OLD_HEADER.test(lines[i] ?? '')) {
-            newBody.push(lines[i] ?? '');
-            i += 1;
-        }
-        if (i >= lines.length) {
-            throw new MarkerParseError(`Anthropic block for ${file} missing '--- OLD' segment`, 'anthropic', startedAt);
-        }
-        const oldHeader = (lines[i] ?? '').match(ANTHROPIC_OLD_HEADER);
-        if (!oldHeader || oldHeader[1] !== file) {
-            throw new MarkerParseError(`Anthropic block file mismatch: NEW ${file} vs OLD ${oldHeader?.[1] ?? '?'}`, 'anthropic', i + 1);
-        }
-        i += 1;
-        const oldBody = [];
-        while (i < lines.length && (lines[i] ?? '') !== '===') {
-            oldBody.push(lines[i] ?? '');
-            i += 1;
-        }
-        if (i >= lines.length) {
-            throw new MarkerParseError(`Anthropic block for ${file} missing '===' terminator`, 'anthropic', startedAt);
-        }
-        // Anthropic emits the bodies WITHOUT trailing newlines on the
-        // last line; our `.join('\n')` produces the same shape so a
-        // round-trip is byte-for-byte stable.
-        blocks.push({
-            file,
-            newString: newBody.join('\n'),
-            oldString: oldBody.join('\n'),
-            atLine: startedAt,
-        });
-        i += 1; // consume '==='
-    }
-    return collapseByFile(blocks);
-}
-/**
- * Gemini / xAI — GitHub-conflict-marker envelope:
- *  <<<<<<< SEARCH [file]
- *  <old>
- *  =======
- *  <new>
- *  >>>>>>> REPLACE [file]
- *
- * `[file]` may appear on the SEARCH line, the REPLACE line, or BOTH.
- * If both are present they must match.
- */
-function parseGemini(raw) {
-    const blocks = [];
-    const lines = raw.split('\n');
-    let i = 0;
-    while (i < lines.length) {
-        const line = lines[i] ?? '';
-        const search = line.match(/^<<<<<<< SEARCH(?:\s+(\S+))?\s*$/);
-        if (!search) {
-            i += 1;
-            continue;
-        }
-        const startedAt = i + 1;
-        const searchFile = search[1] ?? '';
-        i += 1;
-        const oldBody = [];
-        while (i < lines.length && (lines[i] ?? '') !== '=======') {
-            oldBody.push(lines[i] ?? '');
-            i += 1;
-        }
-        if (i >= lines.length) {
-            throw new MarkerParseError(`Gemini SEARCH block missing '=======' divider`, 'gemini', startedAt);
-        }
-        i += 1; // consume '======='
-        const newBody = [];
-        while (i < lines.length && !(lines[i] ?? '').startsWith('>>>>>>> REPLACE')) {
-            newBody.push(lines[i] ?? '');
-            i += 1;
-        }
-        if (i >= lines.length) {
-            throw new MarkerParseError(`Gemini SEARCH block missing '>>>>>>> REPLACE' terminator`, 'gemini', startedAt);
-        }
-        const replace = (lines[i] ?? '').match(/^>>>>>>> REPLACE(?:\s+(\S+))?\s*$/);
-        const replaceFile = replace?.[1] ?? '';
-        const file = searchFile || replaceFile;
-        if (!file) {
-            throw new MarkerParseError(`Gemini block missing file path on both SEARCH and REPLACE lines`, 'gemini', startedAt);
-        }
-        if (searchFile && replaceFile && searchFile !== replaceFile) {
-            throw new MarkerParseError(`Gemini SEARCH/REPLACE file mismatch: ${searchFile} vs ${replaceFile}`, 'gemini', i + 1);
-        }
-        i += 1; // consume REPLACE line
-        blocks.push({
-            file,
-            oldString: oldBody.join('\n'),
-            newString: newBody.join('\n'),
-            atLine: startedAt,
-        });
-    }
-    return collapseByFile(blocks);
-}
-/**
- * OpenAI / generic — unified diff. We parse a single contiguous hunk
- * per file into a Layer A block by collapsing all `-` lines into
- * oldString and all `+` lines into newString, preserving leading
- * context. Multi-hunk files become a Layer B batch (one sub-edit per
- * hunk). The grammar is intentionally minimal — Pugi does not need
- * full GNU diff compatibility because the model owns the format
- * choice.
- */
-function parseOpenAI(raw) {
-    const blocks = [];
-    const lines = raw.split('\n');
-    let i = 0;
-    let currentFile = null;
-    while (i < lines.length) {
-        const line = lines[i] ?? '';
-        const aHeader = line.match(/^--- a\/(.+)$/);
-        if (aHeader) {
-            // Expect the matching `+++ b/<file>` on the next line.
-            const next = lines[i + 1] ?? '';
-            const bHeader = next.match(/^\+\+\+ b\/(.+)$/);
-            if (!bHeader) {
-                throw new MarkerParseError(`OpenAI unified diff: '--- a/${aHeader[1]}' not followed by '+++ b/'`, 'openai', i + 1);
-            }
-            if (aHeader[1] !== bHeader[1]) {
-                throw new MarkerParseError(`OpenAI unified diff file mismatch: a/${aHeader[1]} vs b/${bHeader[1]}`, 'openai', i + 2);
-            }
-            currentFile = bHeader[1] ?? '';
-            i += 2;
-            continue;
-        }
-        if (line.startsWith('@@') && currentFile) {
-            const startedAt = i + 1;
-            i += 1;
-            const oldLines = [];
-            const newLines = [];
-            while (i < lines.length &&
-                !(lines[i] ?? '').startsWith('@@') &&
-                !(lines[i] ?? '').startsWith('--- a/')) {
-                const hl = lines[i] ?? '';
-                if (hl.startsWith('+'))
-                    newLines.push(hl.slice(1));
-                else if (hl.startsWith('-'))
-                    oldLines.push(hl.slice(1));
-                else if (hl.startsWith(' ')) {
-                    // Context line — preserved in both sides to keep the
-                    // oldString unique. Strip the leading space.
-                    const ctx = hl.slice(1);
-                    oldLines.push(ctx);
-                    newLines.push(ctx);
-                }
-                else if (hl === '') {
-                    // Bare empty lines in a unified diff are ambiguous — some
-                    // emitters use them as a terminator, others as a literal
-                    // empty context line. We treat them as context (preserved
-                    // on both sides) which is the conservative choice; if the
-                    // model meant terminator the next `@@` or `--- a/` will
-                    // catch it.
-                    oldLines.push('');
-                    newLines.push('');
-                }
-                else {
-                    // `\` lines ('') and any other
-                    // metadata are ignored.
-                }
-                i += 1;
-            }
-            blocks.push({
-                file: currentFile,
-                oldString: oldLines.join('\n'),
-                newString: newLines.join('\n'),
-                atLine: startedAt,
-            });
-            continue;
-        }
-        i += 1;
-    }
-    if (blocks.length === 0 && raw.includes('--- a/')) {
-        throw new MarkerParseError('OpenAI unified diff parsed zero hunks — payload may be malformed', 'openai');
-    }
-    return collapseByFile(blocks);
-}
-/**
- * Collapse N blocks-per-file into either a single Layer A (N=1) or a
- * single Layer B batch (N>1). The dispatcher routes Layer A and
- * Layer B differently; we make that choice at parse time so the
- * dispatcher stays format-agnostic.
- */
-function collapseByFile(blocks) {
-    const byFile = new Map();
-    // Preserve first-seen order across files.
-    const order = [];
-    for (const block of blocks) {
-        const list = byFile.get(block.file);
-        if (list) {
-            list.push({ oldString: block.oldString, newString: block.newString });
-        }
-        else {
-            byFile.set(block.file, [{ oldString: block.oldString, newString: block.newString }]);
-            order.push(block.file);
-        }
-    }
-    const out = [];
-    for (const file of order) {
-        const subs = byFile.get(file) ?? [];
-        if (subs.length === 1) {
-            const only = subs[0];
-            out.push({
-                kind: 'layer-a',
-                edit: {
-                    file,
-                    oldString: only.oldString,
-                    newString: only.newString,
-                },
-            });
-        }
-        else {
-            out.push({
-                kind: 'layer-b',
-                edit: {
-                    file,
-                    edits: subs,
-                },
-            });
-        }
-    }
-    return out;
-}
-//# sourceMappingURL=marker-parser.js.map

package/dist/core/edits/security-gate.js

@@ -1,223 +0,0 @@
-/**
- * Shared security gate for the diff escalation Layer A/B/C
- * applicators.
- *
- * Before (triple-review remediation) every layer
- * built its own path resolver via `isAbsolute(file) ? file : resolve(cwd, file)`.
- * That bypassed the workspace-scoped resolver + protected-basename
- * gate + symlink-escape check used by the `edit`/`write` tools in
- * `apps/pugi-cli/src/tools/file-tools.ts`. A model that emitted
- * `+++ NEW ../../../../etc/passwd` (or `+++ NEW .env`) would have
- * happily landed an atomic write outside the workspace or onto a
- * protected basename.
- *
- * This module is the single chokepoint every layer goes through.
- * Centralised here so:
- *
- *  1. Future layers (D = AST, planned β-tier) inherit the gate for
- *     free instead of re-implementing it.
- *  2. New protected-file rules added to `decidePermission` propagate
- *     to dispatcher writes uniformly.
- *  3. A single spec surface covers every layer's path-handling
- *     contract (`apps/pugi-cli/test/edits-security-gate.spec.ts`).
- *
- * Defense layers, in order (fail-fast — first reject wins):
- *
- *  a. `resolveWorkspacePath` — workspace-scoped resolver with URL-decode
- *     and realpath gate at the target. Throws on traversal; we
- *     translate the throw into `path_outside_workspace`.
- *  b. `decidePermission` (kind: 'edit') — protected basename / suffix /
- *     credential-path check (`.env`, `*.pem`, `id_rsa`, `~/.ssh/**`,
- *     etc.). Mirrors what `writeTool` / `editTool` already enforce.
- *  c. Explicit `realpathSync.native` re-check on the target (or
- *     target's parent when the target does not yet exist) to defend
- *     against TOCTOU symlink swap between `resolveWorkspacePath` and
- *     the apply-time write.
- *  d. Re-run `decidePermission` on the REAL target's workspace-relative
- *     form. R2 triple-review (2026-05-25, Codex P1) caught the
- *     symlink → protected-file bypass: a workspace-local symlink
- *     `alias -> .env` passes step (b) because `alias` is not a
- *     protected basename, and passes step (c) because `.env`
- *     legitimately lives inside the workspace realpath. Without step
- *     (d) the gate would allow the atomic write to land on `.env`
- *     via the symlink's resolved target. Re-running the protected-file
- *     check against the resolved name closes that loop.
- */
-import { realpathSync } from 'node:fs';
-import { basename, resolve, sep, relative } from 'node:path';
-import { decidePermission } from '../permission.js';
-import { resolveWorkspacePath } from '../path-security.js';
-import { loadSettings } from '../settings.js';
-/**
- * Apply the full path-traversal + protected-file + symlink-escape gate
- * for an inbound edit request. Returns the resolved absolute path on
- * success; never throws on the security-relevant rejections. Filesystem
- * errors that are NOT security-relevant (an unexpected EACCES on a
- * realpath that doesn't involve a symlink, etc.) are re-thrown so the
- * layer's existing error path records them as `write_error`.
- */
-export function applySecurityGate(inputPath, opts) {
-    // (a) Workspace-scoped path resolution. `resolveWorkspacePath`
-    // throws on URL-encoded traversal, parent-chain escapes via `..`,
-    // and target-symlinks that point outside the workspace root. We
-    // funnel the throw into a structured rejection so the dispatcher
-    // can render a deterministic operator-facing message.
-    let resolved;
-    try {
-        resolved = resolveWorkspacePath(opts.cwd, inputPath);
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        return {
-            ok: false,
-            reason: 'path_outside_workspace',
-            detail: `${message}`,
-        };
-    }
-    // (b) Protected-file gate. The same `decidePermission` call the
-    // `edit` / `write` tools make. We pass the workspace-relative form
-    // because `protectedTargetReason` uses `basename(resolve(root, target))`
-    // internally — passing an absolute path that already lives under
-    // `root` works because Node's `resolve` is idempotent, but the
-    // workspace-relative form keeps the audit log compact.
-    const settings = opts.settings ?? loadSettings(opts.cwd);
-    const targetForPermission = isInsideRoot(resolved, opts.cwd)
-        ? relative(opts.cwd, resolved) || inputPath
-        : inputPath;
-    const decision = decidePermission({ tool: opts.toolName, kind: 'edit', target: targetForPermission }, settings, opts.cwd);
-    if (decision.decision !== 'allow') {
-        return {
-            ok: false,
-            reason: 'protected_file',
-            detail: `${decision.decision} for ${targetForPermission}: ${decision.reason}`,
-        };
-    }
-    // (c) Symlink-escape re-check. Closes the TOCTOU window between
-    // `resolveWorkspacePath` and the apply-time write. If the target
-    // file does not yet exist (legitimate for any future "create"
-    // path), we walk up to the parent — realpathSync throws ENOENT on
-    // a missing leaf — and require the parent realpath to live inside
-    // the workspace realpath. The target's basename is then anchored to
-    // the parent realpath so a final-segment symlink swap cannot escape.
-    let realRoot;
-    try {
-        realRoot = realpathSync.native(opts.cwd);
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        return {
-            ok: false,
-            reason: 'symlink_escape',
-            detail: `cannot realpath workspace root: ${message}`,
-        };
-    }
-    let realTarget;
-    try {
-        realTarget = realpathSync.native(resolved);
-    }
-    catch (error) {
-        const code = error.code;
-        if (code !== 'ENOENT' && code !== 'ENOTDIR') {
-            // Unexpected filesystem error — re-throw so the layer records
-            // it as `write_error` rather than silently rejecting as
-            // `symlink_escape` (which would mis-attribute the cause to the
-            // operator).
-            throw error;
-        }
-        // Target does not exist — anchor against the parent's realpath.
-        let realParent;
-        try {
-            realParent = realpathSync.native(resolve(resolved, '..'));
-        }
-        catch (parentError) {
-            const parentCode = parentError.code;
-            if (parentCode !== 'ENOENT' && parentCode !== 'ENOTDIR')
-                throw parentError;
-            return {
-                ok: false,
-                reason: 'symlink_escape',
-                detail: `parent directory does not exist for ${inputPath}`,
-            };
-        }
-        if (!isInsideRoot(realParent, realRoot)) {
-            return {
-                ok: false,
-                reason: 'symlink_escape',
-                detail: `parent realpath ${realParent} escapes workspace ${realRoot}`,
-            };
-        }
-        // (d) Re-run the protected-file check against the parent's
-        // realpath-anchored basename. The basename of `resolved` is the
-        // final path segment the write will land on; pairing it with the
-        // resolved parent gives the workspace-relative form the
-        // protected-basename matcher needs. Closes the "create-new-file
-        // symlink-parent" variant: a dir symlink whose realpath stays
-        // inside the workspace must not let an attacker create a new
-        // `.env` (or any other protected basename) via a non-protected
-        // relative path.
-        const realCreateTarget = resolve(realParent, basename(resolved));
-        const recheck = recheckProtectedOnReal(realCreateTarget, realRoot, opts);
-        if (recheck)
-            return recheck;
-        return { ok: true, absPath: resolved };
-    }
-    if (!isInsideRoot(realTarget, realRoot)) {
-        return {
-            ok: false,
-            reason: 'symlink_escape',
-            detail: `target realpath ${realTarget} escapes workspace ${realRoot}`,
-        };
-    }
-    // (d) Re-run the protected-file check on the resolved target. The
-    // pre-fix gate only checked the operator-supplied path; a symlink
-    // `alias -> .env` would slip through because `alias` is not
-    // protected. Now we re-key the permission decision on the realpath's
-    // workspace-relative form so the basename matcher sees `.env` (or
-    // any other protected suffix) the symlink points at. The settings
-    // pull is free — it is the same `settings` we loaded at step (b).
-    const recheck = recheckProtectedOnReal(realTarget, realRoot, opts);
-    if (recheck)
-        return recheck;
-    return { ok: true, absPath: resolved };
-}
-/**
- * Helper for step (d) of the gate. Re-runs `decidePermission` on the
- * real (symlink-resolved) target's workspace-relative form and returns
- * a `protected_file` rejection when the basename matches a protected
- * pattern. Returns null when the recheck passes; the caller continues
- * to `ok: true`.
- *
- * Lifted into a helper because both the existing-target branch and the
- * missing-target (create) branch in `applySecurityGate` need the same
- * check, and inlining it twice would invite drift the next time the
- * protected-file rules grow.
- */
-function recheckProtectedOnReal(realTarget, realRoot, opts) {
-    if (!isInsideRoot(realTarget, realRoot))
-        return null;
-    const realRelative = relative(realRoot, realTarget);
-    if (realRelative === '')
-        return null;
-    const settings = opts.settings ?? loadSettings(opts.cwd);
-    const realDecision = decidePermission({ tool: opts.toolName, kind: 'edit', target: realRelative }, settings, realRoot);
-    if (realDecision.decision !== 'allow') {
-        return {
-            ok: false,
-            reason: 'protected_file',
-            detail: `${realDecision.decision} for symlink target ${realRelative}: ${realDecision.reason}`,
-        };
-    }
-    return null;
-}
-/**
- * True iff `child` is `root` or strictly nested inside it. Uses the
- * platform separator + a trailing `sep` guard to avoid the
- * `/workspace` vs `/workspace-evil` false-positive that a naive
- * `startsWith` check would produce.
- */
-function isInsideRoot(child, root) {
-    if (child === root)
-        return true;
-    return child.startsWith(root + sep);
-}
-//# sourceMappingURL=security-gate.js.map