daycare-cli 2026.2.26 → 2026.2.27

package/dist/sandbox/sandbox.js

@@ -0,0 +1,466 @@
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { resolveWorkspacePath } from "../engine/permissions.js";
+import { envNormalize } from "../util/envNormalize.js";
+import { isWithinSecure, openSecure } from "./pathResolveSecure.js";
+import { runInSandbox } from "./runtime.js";
+import { sandboxAllowedDomainsResolve } from "./sandboxAllowedDomainsResolve.js";
+import { sandboxAllowedDomainsValidate } from "./sandboxAllowedDomainsValidate.js";
+import { sandboxCanRead } from "./sandboxCanRead.js";
+import { sandboxCanWrite } from "./sandboxCanWrite.js";
+import { sandboxFilesystemPolicyBuild } from "./sandboxFilesystemPolicyBuild.js";
+const READ_MAX_LINES = 2000;
+const READ_MAX_BYTES = 50 * 1024;
+const DEFAULT_EXEC_TIMEOUT = 30_000;
+const MAX_EXEC_BUFFER = 1_000_000;
+const UNICODE_SPACES = /[\u00A0\u2000-\u200A\u202F\u205F\u3000]/g;
+const NARROW_NO_BREAK_SPACE = "\u202F";
+export class Sandbox {
+    homeDir;
+    workingDir;
+    permissions;
+    constructor(config) {
+        this.homeDir = path.resolve(config.homeDir);
+        this.workingDir = path.resolve(config.permissions.workingDir);
+        this.permissions = config.permissions;
+    }
+    /**
+     * Read from the host filesystem with sandbox read checks.
+     * Expects: args.path is absolute or relative to workingDir.
+     */
+    async read(args) {
+        const permissions = this.permissionsEffectiveResolve();
+        const targetPath = await this.readInputPathResolve(args.path);
+        await pathRejectIfSymlink(targetPath, "Cannot read symbolic link directly.");
+        const resolvedPath = await sandboxCanRead(permissions, targetPath);
+        const stats = await fs.lstat(resolvedPath);
+        if (stats.isSymbolicLink()) {
+            throw new Error("Cannot read symbolic link directly.");
+        }
+        if (!stats.isFile()) {
+            throw new Error("Path is not a file.");
+        }
+        const displayPath = sandboxDisplayPath(this.workingDir, resolvedPath);
+        if (args.binary === true) {
+            const binaryContent = await readBinaryFileSecure(resolvedPath);
+            return {
+                type: "binary",
+                content: binaryContent,
+                bytes: stats.size,
+                resolvedPath,
+                displayPath
+            };
+        }
+        const mimeType = await detectSupportedImageMimeTypeFromFile(resolvedPath);
+        if (mimeType) {
+            const imageContent = await readBinaryFileSecure(resolvedPath);
+            return {
+                type: "image",
+                content: imageContent,
+                bytes: stats.size,
+                mimeType,
+                resolvedPath,
+                displayPath
+            };
+        }
+        const textContent = await readTextFileSecure(resolvedPath);
+        const allLines = textContent.split("\n");
+        const totalFileLines = allLines.length;
+        const startLine = args.offset ? Math.max(0, args.offset - 1) : 0;
+        if (startLine >= allLines.length) {
+            throw new Error(`Offset ${args.offset} is beyond end of file (${allLines.length} lines total)`);
+        }
+        let selectedContent = allLines.slice(startLine).join("\n");
+        let userLimitedLines;
+        if (args.limit !== undefined) {
+            const endLine = Math.min(startLine + args.limit, allLines.length);
+            selectedContent = allLines.slice(startLine, endLine).join("\n");
+            userLimitedLines = endLine - startLine;
+        }
+        if (args.raw === true) {
+            return {
+                type: "text",
+                content: selectedContent,
+                bytes: stats.size,
+                totalLines: totalFileLines,
+                outputLines: selectedContent.split("\n").length,
+                truncated: false,
+                truncatedBy: null,
+                resolvedPath,
+                displayPath
+            };
+        }
+        const startLineDisplay = startLine + 1;
+        const truncation = truncateHead(selectedContent);
+        const outputText = sandboxReadOutputBuild({
+            truncation,
+            allLines,
+            requestedPath: args.path,
+            totalFileLines,
+            startLine,
+            startLineDisplay,
+            userLimitedLines
+        });
+        return {
+            type: "text",
+            content: outputText,
+            bytes: stats.size,
+            totalLines: totalFileLines,
+            outputLines: truncation.outputLines,
+            truncated: truncation.truncated,
+            truncatedBy: truncation.truncatedBy,
+            resolvedPath,
+            displayPath
+        };
+    }
+    /**
+     * Write UTF-8 content to host filesystem with sandbox write checks.
+     * Expects: args.path is an absolute path.
+     */
+    async write(args) {
+        const permissions = this.permissionsEffectiveResolve();
+        sandboxPathAbsoluteEnsure(args.path);
+        await pathRejectIfSymlink(args.path, "Cannot write to symbolic link.");
+        const resolvedPath = await sandboxCanWrite(permissions, args.path);
+        await fs.mkdir(path.dirname(resolvedPath), { recursive: true });
+        try {
+            const stats = await fs.lstat(resolvedPath);
+            if (stats.isSymbolicLink()) {
+                throw new Error("Cannot write to symbolic link.");
+            }
+        }
+        catch (error) {
+            if (error.code !== "ENOENT") {
+                throw error;
+            }
+        }
+        const handle = await fs.open(resolvedPath, args.append ? "a" : "w");
+        try {
+            await handle.writeFile(args.content);
+        }
+        finally {
+            await handle.close();
+        }
+        return {
+            bytes: Buffer.isBuffer(args.content) ? args.content.byteLength : Buffer.byteLength(args.content, "utf8"),
+            resolvedPath,
+            sandboxPath: sandboxHomePath(this.homeDir, resolvedPath)
+        };
+    }
+    /**
+     * Execute a shell command inside sandbox-runtime.
+     * Expects: args.command is non-empty and network allowlist is explicit.
+     */
+    async exec(args) {
+        const permissions = this.permissionsEffectiveResolve();
+        const cwd = sandboxExecCwdResolve(this.workingDir, args.cwd);
+        const allowedDomains = sandboxAllowedDomainsResolve(args.allowedDomains, args.packageManagers);
+        const domainIssues = sandboxAllowedDomainsValidate(allowedDomains);
+        if (domainIssues.length > 0) {
+            throw new Error(domainIssues.join(" "));
+        }
+        const envOverrides = envNormalize(args.env);
+        const env = envOverrides ? { ...process.env, ...envOverrides } : process.env;
+        const filesystem = sandboxFilesystemPolicyBuild({
+            writeDirs: permissions.writeDirs,
+            workingDir: permissions.workingDir,
+            homeDir: this.homeDir
+        });
+        try {
+            const result = await runInSandbox(args.command, {
+                filesystem,
+                network: {
+                    allowedDomains,
+                    deniedDomains: []
+                },
+                enableWeakerNestedSandbox: true
+            }, {
+                cwd,
+                env,
+                home: this.homeDir,
+                timeoutMs: args.timeoutMs ?? DEFAULT_EXEC_TIMEOUT,
+                maxBufferBytes: MAX_EXEC_BUFFER
+            });
+            return {
+                stdout: sandboxText(result.stdout),
+                stderr: sandboxText(result.stderr),
+                exitCode: 0,
+                signal: null,
+                failed: false,
+                cwd
+            };
+        }
+        catch (error) {
+            const execError = error;
+            return {
+                stdout: sandboxText(execError.stdout),
+                stderr: sandboxText(execError.stderr),
+                exitCode: typeof execError.code === "number" ? execError.code : null,
+                signal: typeof execError.signal === "string" ? execError.signal : null,
+                failed: true,
+                cwd
+            };
+        }
+    }
+    permissionsEffectiveResolve() {
+        const readDirs = this.permissions.readDirs
+            ? this.permissions.readDirs.map((entry) => path.resolve(entry))
+            : undefined;
+        return {
+            workingDir: this.workingDir,
+            writeDirs: Array.from(new Set([...this.permissions.writeDirs.map((entry) => path.resolve(entry)), this.homeDir])),
+            ...(readDirs ? { readDirs } : {})
+        };
+    }
+    async readInputPathResolve(rawPath) {
+        const normalized = sandboxReadPathNormalize(rawPath, this.homeDir);
+        const resolved = path.isAbsolute(normalized) ? normalized : path.resolve(this.workingDir, normalized);
+        if (await pathExists(resolved)) {
+            return resolved;
+        }
+        const amPmVariant = sandboxReadPathMacOSVariant(resolved);
+        if (amPmVariant !== resolved && (await pathExists(amPmVariant))) {
+            return amPmVariant;
+        }
+        const nfdVariant = resolved.normalize("NFD");
+        if (nfdVariant !== resolved && (await pathExists(nfdVariant))) {
+            return nfdVariant;
+        }
+        const curlyVariant = resolved.replace(/'/g, "\u2019");
+        if (curlyVariant !== resolved && (await pathExists(curlyVariant))) {
+            return curlyVariant;
+        }
+        const nfdCurlyVariant = nfdVariant.replace(/'/g, "\u2019");
+        if (nfdCurlyVariant !== resolved && (await pathExists(nfdCurlyVariant))) {
+            return nfdCurlyVariant;
+        }
+        return resolved;
+    }
+}
+function sandboxReadPathNormalize(rawPath, homeDir) {
+    const withoutAtPrefix = rawPath.startsWith("@") ? rawPath.slice(1) : rawPath;
+    const normalized = withoutAtPrefix.replace(UNICODE_SPACES, " ");
+    if (normalized === "~") {
+        return homeDir;
+    }
+    if (normalized.startsWith("~/")) {
+        return homeDir + normalized.slice(1);
+    }
+    return normalized;
+}
+function sandboxReadPathMacOSVariant(target) {
+    return target.replace(/ (AM|PM)\./g, `${NARROW_NO_BREAK_SPACE}$1.`);
+}
+function sandboxReadOutputBuild(input) {
+    const { truncation, allLines, requestedPath, totalFileLines, startLine, startLineDisplay, userLimitedLines } = input;
+    if (truncation.firstLineExceedsLimit) {
+        const firstLineSize = sandboxSizeFormat(Buffer.byteLength(allLines[startLine] ?? "", "utf8"));
+        return `[Line ${startLineDisplay} is ${firstLineSize}, exceeds ${sandboxSizeFormat(READ_MAX_BYTES)} limit. Use bash: sed -n '${startLineDisplay}p' ${requestedPath} | head -c ${READ_MAX_BYTES}]`;
+    }
+    if (truncation.truncated) {
+        const endLineDisplay = startLineDisplay + truncation.outputLines - 1;
+        const nextOffset = endLineDisplay + 1;
+        if (truncation.truncatedBy === "lines") {
+            return `${truncation.content}\n\n[Showing lines ${startLineDisplay}-${endLineDisplay} of ${totalFileLines}. Use offset=${nextOffset} to continue.]`;
+        }
+        return `${truncation.content}\n\n[Showing lines ${startLineDisplay}-${endLineDisplay} of ${totalFileLines} (${sandboxSizeFormat(READ_MAX_BYTES)} limit). Use offset=${nextOffset} to continue.]`;
+    }
+    if (userLimitedLines !== undefined && startLine + userLimitedLines < allLines.length) {
+        const remaining = allLines.length - (startLine + userLimitedLines);
+        const nextOffset = startLine + userLimitedLines + 1;
+        return `${truncation.content}\n\n[${remaining} more lines in file. Use offset=${nextOffset} to continue.]`;
+    }
+    return truncation.content;
+}
+function sandboxPathAbsoluteEnsure(target) {
+    if (!path.isAbsolute(target)) {
+        throw new Error("Path must be absolute.");
+    }
+}
+async function pathRejectIfSymlink(target, message) {
+    try {
+        const stats = await fs.lstat(target);
+        if (stats.isSymbolicLink()) {
+            throw new Error(message);
+        }
+    }
+    catch (error) {
+        if (error.code !== "ENOENT") {
+            throw error;
+        }
+    }
+}
+function sandboxDisplayPath(workingDir, target) {
+    if (isWithinSecure(workingDir, target)) {
+        return path.relative(workingDir, target) || ".";
+    }
+    return target;
+}
+function sandboxHomePath(homeDir, target) {
+    const homeVariants = sandboxMacPathVariants(homeDir);
+    const targetVariants = sandboxMacPathVariants(target);
+    for (const homeVariant of homeVariants) {
+        for (const targetVariant of targetVariants) {
+            if (!isWithinSecure(homeVariant, targetVariant)) {
+                continue;
+            }
+            const relative = path.relative(homeVariant, targetVariant);
+            if (relative.length === 0) {
+                return "~";
+            }
+            return `~/${relative}`;
+        }
+    }
+    return target;
+}
+function sandboxMacPathVariants(target) {
+    const resolved = path.resolve(target);
+    if (resolved.startsWith("/private/")) {
+        return [resolved, resolved.slice("/private".length)];
+    }
+    return [resolved, path.join("/private", resolved)];
+}
+function sandboxExecCwdResolve(workingDir, requestedCwd) {
+    if (!requestedCwd) {
+        return workingDir;
+    }
+    const candidate = path.isAbsolute(requestedCwd)
+        ? path.resolve(requestedCwd)
+        : path.resolve(workingDir, requestedCwd);
+    return resolveWorkspacePath(workingDir, candidate);
+}
+function sandboxText(value) {
+    if (!value) {
+        return "";
+    }
+    return typeof value === "string" ? value : value.toString("utf8");
+}
+async function pathExists(target) {
+    try {
+        await fs.access(target);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function readTextFileSecure(resolvedPath) {
+    const handle = await openSecure(resolvedPath, "r");
+    try {
+        return await handle.readFile("utf8");
+    }
+    finally {
+        await handle.close();
+    }
+}
+async function readBinaryFileSecure(resolvedPath) {
+    const handle = await openSecure(resolvedPath, "r");
+    try {
+        return await handle.readFile();
+    }
+    finally {
+        await handle.close();
+    }
+}
+async function detectSupportedImageMimeTypeFromFile(resolvedPath) {
+    const handle = await openSecure(resolvedPath, "r");
+    try {
+        const header = Buffer.alloc(16);
+        const { bytesRead } = await handle.read(header, 0, header.length, 0);
+        if (bytesRead === 0) {
+            return null;
+        }
+        return detectSupportedImageMimeTypeFromHeader(header.subarray(0, bytesRead));
+    }
+    finally {
+        await handle.close();
+    }
+}
+function detectSupportedImageMimeTypeFromHeader(header) {
+    if (header.length >= 3 && header[0] === 0xff && header[1] === 0xd8 && header[2] === 0xff) {
+        return "image/jpeg";
+    }
+    if (header.length >= 8 &&
+        header[0] === 0x89 &&
+        header[1] === 0x50 &&
+        header[2] === 0x4e &&
+        header[3] === 0x47 &&
+        header[4] === 0x0d &&
+        header[5] === 0x0a &&
+        header[6] === 0x1a &&
+        header[7] === 0x0a) {
+        return "image/png";
+    }
+    if (header.length >= 6) {
+        const signature = header.subarray(0, 6).toString("ascii");
+        if (signature === "GIF87a" || signature === "GIF89a") {
+            return "image/gif";
+        }
+    }
+    if (header.length >= 12 &&
+        header.subarray(0, 4).toString("ascii") === "RIFF" &&
+        header.subarray(8, 12).toString("ascii") === "WEBP") {
+        return "image/webp";
+    }
+    return null;
+}
+function sandboxSizeFormat(bytes) {
+    if (bytes < 1024) {
+        return `${bytes}B`;
+    }
+    if (bytes < 1024 * 1024) {
+        return `${(bytes / 1024).toFixed(1)}KB`;
+    }
+    return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
+}
+function truncateHead(content) {
+    const lines = content.split("\n");
+    const totalLines = lines.length;
+    const totalBytes = Buffer.byteLength(content, "utf8");
+    if (totalLines <= READ_MAX_LINES && totalBytes <= READ_MAX_BYTES) {
+        return {
+            content,
+            truncated: false,
+            truncatedBy: null,
+            totalLines,
+            outputLines: totalLines,
+            firstLineExceedsLimit: false
+        };
+    }
+    const firstLineBytes = Buffer.byteLength(lines[0] ?? "", "utf8");
+    if (firstLineBytes > READ_MAX_BYTES) {
+        return {
+            content: "",
+            truncated: true,
+            truncatedBy: "bytes",
+            totalLines,
+            outputLines: 0,
+            firstLineExceedsLimit: true
+        };
+    }
+    const outputLines = [];
+    let outputBytes = 0;
+    let truncatedBy = "lines";
+    for (let index = 0; index < lines.length && index < READ_MAX_LINES; index += 1) {
+        const line = lines[index] ?? "";
+        const lineBytes = Buffer.byteLength(line, "utf8") + (index > 0 ? 1 : 0);
+        if (outputBytes + lineBytes > READ_MAX_BYTES) {
+            truncatedBy = "bytes";
+            break;
+        }
+        outputLines.push(line);
+        outputBytes += lineBytes;
+    }
+    if (outputLines.length >= READ_MAX_LINES && outputBytes <= READ_MAX_BYTES) {
+        truncatedBy = "lines";
+    }
+    return {
+        content: outputLines.join("\n"),
+        truncated: true,
+        truncatedBy,
+        totalLines,
+        outputLines: outputLines.length,
+        firstLineExceedsLimit: false
+    };
+}
+//# sourceMappingURL=sandbox.js.map

package/dist/sandbox/sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.js","sourceRoot":"","sources":["../../sources/sandbox/sandbox.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,OAAO,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACjF,OAAO,EAAE,6BAA6B,EAAE,MAAM,oCAAoC,CAAC;AACnF,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAWjF,MAAM,cAAc,GAAG,IAAI,CAAC;AAC5B,MAAM,cAAc,GAAG,EAAE,GAAG,IAAI,CAAC;AACjC,MAAM,oBAAoB,GAAG,MAAM,CAAC;AACpC,MAAM,eAAe,GAAG,SAAS,CAAC;AAClC,MAAM,cAAc,GAAG,0CAA0C,CAAC;AAClE,MAAM,qBAAqB,GAAG,QAAQ,CAAC;AAWvC,MAAM,OAAO,OAAO;IACP,OAAO,CAAS;IAChB,UAAU,CAAS;IACnB,WAAW,CAAqB;IAEzC,YAAY,MAAqB;QAC7B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAC9D,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;IAC1C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI,CAAC,IAAqB;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,2BAA2B,EAAE,CAAC;QACvD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,MAAM,mBAAmB,CAAC,UAAU,EAAE,qCAAqC,CAAC,CAAC;QAC7E,MAAM,YAAY,GAAG,MAAM,cAAc,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAEnE,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAC3C,IAAI,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,WAAW,GAAG,kBAAkB,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QACtE,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,aAAa,GAAG,MAAM,oBAAoB,CAAC,YAAY,CAAC,CAAC;YAC/D,OAAO;gBACH,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,aAAa;gBACtB,KAAK,EAAE,KAAK,CAAC,IAAI;gBACjB,YAAY;gBACZ,WAAW;aACd,CAAC;QACN,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,oCAAoC,CAAC,YAAY,CAAC,CAAC;QAC1E,IAAI,QAAQ,EAAE,CAAC;YACX,MAAM,YAAY,GAAG,MAAM,oBAAoB,CAAC,YAAY,CAAC,CAAC;YAC9D,OAAO;gBACH,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,YAAY;gBACrB,KAAK,EAAE,KAAK,CAAC,IAAI;gBACjB,QAAQ;gBACR,YAAY;gBACZ,WAAW;aACd,CAAC;QACN,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,YAAY,CAAC,CAAC;QAC3D,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACzC,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC;QACvC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACjE,IAAI,SAAS,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,UAAU,IAAI,CAAC,MAAM,2BAA2B,QAAQ,CAAC,MAAM,eAAe,CAAC,CAAC;QACpG,CAAC;QAED,IAAI,eAAe,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3D,IAAI,gBAAoC,CAAC;QACzC,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;YAClE,eAAe,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChE,gBAAgB,GAAG,OAAO,GAAG,SAAS,CAAC;QAC3C,CAAC;QAED,IAAI,IAAI,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;YACpB,OAAO;gBACH,IAAI,EAAE,MAAM;gBACZ,OAAO,EAAE,eAAe;gBACxB,KAAK,EAAE,KAAK,CAAC,IAAI;gBACjB,UAAU,EAAE,cAAc;gBAC1B,WAAW,EAAE,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM;gBAC/C,SAAS,EAAE,KAAK;gBAChB,WAAW,EAAE,IAAI;gBACjB,YAAY;gBACZ,WAAW;aACd,CAAC;QACN,CAAC;QAED,MAAM,gBAAgB,GAAG,SAAS,GAAG,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,YAAY,CAAC,eAAe,CAAC,CAAC;QACjD,MAAM,UAAU,GAAG,sBAAsB,CAAC;YACtC,UAAU;YACV,QAAQ;YACR,aAAa,EAAE,IAAI,CAAC,IAAI;YACxB,cAAc;YACd,SAAS;YACT,gBAAgB;YAChB,gBAAgB;SACnB,CAAC,CAAC;QAEH,OAAO;YACH,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,UAAU;YACnB,KAAK,EAAE,KAAK,CAAC,IAAI;YACjB,UAAU,EAAE,cAAc;YAC1B,WAAW,EAAE,UAAU,CAAC,WAAW;YACnC,SAAS,EAAE,UAAU,CAAC,SAAS;YAC/B,WAAW,EAAE,UAAU,CAAC,WAAW;YACnC,YAAY;YACZ,WAAW;SACd,CAAC;IACN,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,KAAK,CAAC,IAAsB;QAC9B,MAAM,WAAW,GAAG,IAAI,CAAC,2BAA2B,EAAE,CAAC;QACvD,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,mBAAmB,CAAC,IAAI,CAAC,IAAI,EAAE,gCAAgC,CAAC,CAAC;QACvE,MAAM,YAAY,GAAG,MAAM,eAAe,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEhE,IAAI,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YAC3C,IAAI,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC;gBACzB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACtD,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACrD,MAAM,KAAK,CAAC;YAChB,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACpE,IAAI,CAAC;YACD,MAAM,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzC,CAAC;gBAAS,CAAC;YACP,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;QACzB,CAAC;QAED,OAAO;YACH,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC;YACxG,YAAY;YACZ,WAAW,EAAE,eAAe,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC;SAC3D,CAAC;IACN,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI,CAAC,IAAqB;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,2BAA2B,EAAE,CAAC;QACvD,MAAM,GAAG,GAAG,qBAAqB,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,cAAc,GAAG,4BAA4B,CAAC,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;QAC/F,MAAM,YAAY,GAAG,6BAA6B,CAAC,cAAc,CAAC,CAAC;QACnE,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5C,CAAC;QACD,MAAM,YAAY,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,YAAY,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,YAAY,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;QAC7E,MAAM,UAAU,GAAG,4BAA4B,CAAC;YAC5C,SAAS,EAAE,WAAW,CAAC,SAAS;YAChC,UAAU,EAAE,WAAW,CAAC,UAAU;YAClC,OAAO,EAAE,IAAI,CAAC,OAAO;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,YAAY,CAC7B,IAAI,CAAC,OAAO,EACZ;gBACI,UAAU;gBACV,OAAO,EAAE;oBACL,cAAc;oBACd,aAAa,EAAE,EAAE;iBACpB;gBACD,yBAAyB,EAAE,IAAI;aAClC,EACD;gBACI,GAAG;gBACH,GAAG;gBACH,IAAI,EAAE,IAAI,CAAC,OAAO;gBAClB,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,oBAAoB;gBACjD,cAAc,EAAE,eAAe;aAClC,CACJ,CAAC;YACF,OAAO;gBACH,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC;gBAClC,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,MAAM,CAAC;gBAClC,QAAQ,EAAE,CAAC;gBACX,MAAM,EAAE,IAAI;gBACZ,MAAM,EAAE,KAAK;gBACb,GAAG;aACN,CAAC;QACN,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,SAAS,GAAG,KAKjB,CAAC;YACF,OAAO;gBACH,MAAM,EAAE,WAAW,CAAC,SAAS,CAAC,MAAM,CAAC;gBACrC,MAAM,EAAE,WAAW,CAAC,SAAS,CAAC,MAAM,CAAC;gBACrC,QAAQ,EAAE,OAAO,SAAS,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;gBACpE,MAAM,EAAE,OAAO,SAAS,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI;gBACtE,MAAM,EAAE,IAAI;gBACZ,GAAG;aACN,CAAC;QACN,CAAC;IACL,CAAC;IAEO,2BAA2B;QAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ;YACtC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC/D,CAAC,CAAC,SAAS,CAAC;QAChB,OAAO;YACH,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,SAAS,EAAE,KAAK,CAAC,IAAI,CACjB,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAC7F;YACD,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACpC,CAAC;IACN,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAAC,OAAe;QAC9C,MAAM,UAAU,GAAG,wBAAwB,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACnE,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QACtG,IAAI,MAAM,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,QAAQ,CAAC;QACpB,CAAC;QACD,MAAM,WAAW,GAAG,2BAA2B,CAAC,QAAQ,CAAC,CAAC;QAC1D,IAAI,WAAW,KAAK,QAAQ,IAAI,CAAC,MAAM,UAAU,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YAC9D,OAAO,WAAW,CAAC;QACvB,CAAC;QACD,MAAM,UAAU,GAAG,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC7C,IAAI,UAAU,KAAK,QAAQ,IAAI,CAAC,MAAM,UAAU,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAC5D,OAAO,UAAU,CAAC;QACtB,CAAC;QACD,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QACtD,IAAI,YAAY,KAAK,QAAQ,IAAI,CAAC,MAAM,UAAU,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;YAChE,OAAO,YAAY,CAAC;QACxB,CAAC;QACD,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAC3D,IAAI,eAAe,KAAK,QAAQ,IAAI,CAAC,MAAM,UAAU,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC;YACtE,OAAO,eAAe,CAAC;QAC3B,CAAC;QACD,OAAO,QAAQ,CAAC;IACpB,CAAC;CACJ;AAED,SAAS,wBAAwB,CAAC,OAAe,EAAE,OAAe;IAC9D,MAAM,eAAe,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAC7E,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;IAChE,IAAI,UAAU,KAAK,GAAG,EAAE,CAAC;QACrB,OAAO,OAAO,CAAC;IACnB,CAAC;IACD,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,OAAO,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,UAAU,CAAC;AACtB,CAAC;AAED,SAAS,2BAA2B,CAAC,MAAc;IAC/C,OAAO,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,qBAAqB,KAAK,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,sBAAsB,CAAC,KAQ/B;IACG,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,aAAa,EAAE,cAAc,EAAE,SAAS,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,GACxG,KAAK,CAAC;IACV,IAAI,UAAU,CAAC,qBAAqB,EAAE,CAAC;QACnC,MAAM,aAAa,GAAG,iBAAiB,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;QAC9F,OAAO,SAAS,gBAAgB,OAAO,aAAa,aAAa,iBAAiB,CAAC,cAAc,CAAC,6BAA6B,gBAAgB,MAAM,aAAa,cAAc,cAAc,GAAG,CAAC;IACtM,CAAC;IACD,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,cAAc,GAAG,gBAAgB,GAAG,UAAU,CAAC,WAAW,GAAG,CAAC,CAAC;QACrE,MAAM,UAAU,GAAG,cAAc,GAAG,CAAC,CAAC;QACtC,IAAI,UAAU,CAAC,WAAW,KAAK,OAAO,EAAE,CAAC;YACrC,OAAO,GAAG,UAAU,CAAC,OAAO,sBAAsB,gBAAgB,IAAI,cAAc,OAAO,cAAc,gBAAgB,UAAU,gBAAgB,CAAC;QACxJ,CAAC;QACD,OAAO,GAAG,UAAU,CAAC,OAAO,sBAAsB,gBAAgB,IAAI,cAAc,OAAO,cAAc,KAAK,iBAAiB,CAAC,cAAc,CAAC,uBAAuB,UAAU,gBAAgB,CAAC;IACrM,CAAC;IACD,IAAI,gBAAgB,KAAK,SAAS,IAAI,SAAS,GAAG,gBAAgB,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC;QACnF,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,SAAS,GAAG,gBAAgB,CAAC,CAAC;QACnE,MAAM,UAAU,GAAG,SAAS,GAAG,gBAAgB,GAAG,CAAC,CAAC;QACpD,OAAO,GAAG,UAAU,CAAC,OAAO,QAAQ,SAAS,mCAAmC,UAAU,gBAAgB,CAAC;IAC/G,CAAC;IACD,OAAO,UAAU,CAAC,OAAO,CAAC;AAC9B,CAAC;AAED,SAAS,yBAAyB,CAAC,MAAc;IAC7C,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC9C,CAAC;AACL,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,MAAc,EAAE,OAAe;IAC9D,IAAI,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,KAAK,CAAC,cAAc,EAAE,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,KAAK,CAAC;QAChB,CAAC;IACL,CAAC;AACL,CAAC;AAED,SAAS,kBAAkB,CAAC,UAAkB,EAAE,MAAc;IAC1D,IAAI,cAAc,CAAC,UAAU,EAAE,MAAM,CAAC,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,GAAG,CAAC;IACpD,CAAC;IACD,OAAO,MAAM,CAAC;AAClB,CAAC;AAED,SAAS,eAAe,CAAC,OAAe,EAAE,MAAc;IACpD,MAAM,YAAY,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;IACrD,MAAM,cAAc,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;IACtD,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;QACrC,KAAK,MAAM,aAAa,IAAI,cAAc,EAAE,CAAC;YACzC,IAAI,CAAC,cAAc,CAAC,WAAW,EAAE,aAAa,CAAC,EAAE,CAAC;gBAC9C,SAAS;YACb,CAAC;YACD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;YAC3D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxB,OAAO,GAAG,CAAC;YACf,CAAC;YACD,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC3B,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAClB,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAc;IAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACtC,IAAI,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,qBAAqB,CAAC,UAAkB,EAAE,YAAqB;IACpE,IAAI,CAAC,YAAY,EAAE,CAAC;QAChB,OAAO,UAAU,CAAC;IACtB,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;QAC3C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC;QAC5B,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IAC7C,OAAO,oBAAoB,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,WAAW,CAAC,KAAkC;IACnD,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,OAAO,EAAE,CAAC;IACd,CAAC;IACD,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACtE,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,MAAc;IACpC,IAAI,CAAC;QACD,MAAM,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACxB,OAAO,IAAI,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,KAAK,CAAC;IACjB,CAAC;AACL,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,YAAoB;IAClD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IACnD,IAAI,CAAC;QACD,OAAO,MAAM,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;YAAS,CAAC;QACP,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC;AACL,CAAC;AAED,KAAK,UAAU,oBAAoB,CAAC,YAAoB;IACpD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IACnD,IAAI,CAAC;QACD,OAAO,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC;IACnC,CAAC;YAAS,CAAC;QACP,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC;AACL,CAAC;AAED,KAAK,UAAU,oCAAoC,CAAC,YAAoB;IACpE,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IACnD,IAAI,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAChC,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACrE,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC;QAChB,CAAC;QACD,OAAO,sCAAsC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;IACjF,CAAC;YAAS,CAAC;QACP,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC;AACL,CAAC;AAED,SAAS,sCAAsC,CAAC,MAAc;IAC1D,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACvF,OAAO,YAAY,CAAC;IACxB,CAAC;IACD,IACI,MAAM,CAAC,MAAM,IAAI,CAAC;QAClB,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI;QAClB,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI;QAClB,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI;QAClB,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI;QAClB,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI;QAClB,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI;QAClB,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI;QAClB,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,EACpB,CAAC;QACC,OAAO,WAAW,CAAC;IACvB,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC1D,IAAI,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;YACnD,OAAO,WAAW,CAAC;QACvB,CAAC;IACL,CAAC;IACD,IACI,MAAM,CAAC,MAAM,IAAI,EAAE;QACnB,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,MAAM;QAClD,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,MAAM,EACrD,CAAC;QACC,OAAO,YAAY,CAAC;IACxB,CAAC;IACD,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAa;IACpC,IAAI,KAAK,GAAG,IAAI,EAAE,CAAC;QACf,OAAO,GAAG,KAAK,GAAG,CAAC;IACvB,CAAC;IACD,IAAI,KAAK,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;QACtB,OAAO,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAC5C,CAAC;IACD,OAAO,GAAG,CAAC,KAAK,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;AACrD,CAAC;AAED,SAAS,YAAY,CAAC,OAAe;IACjC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC;IAChC,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACtD,IAAI,UAAU,IAAI,cAAc,IAAI,UAAU,IAAI,cAAc,EAAE,CAAC;QAC/D,OAAO;YACH,OAAO;YACP,SAAS,EAAE,KAAK;YAChB,WAAW,EAAE,IAAI;YACjB,UAAU;YACV,WAAW,EAAE,UAAU;YACvB,qBAAqB,EAAE,KAAK;SAC/B,CAAC;IACN,CAAC;IACD,MAAM,cAAc,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IACjE,IAAI,cAAc,GAAG,cAAc,EAAE,CAAC;QAClC,OAAO;YACH,OAAO,EAAE,EAAE;YACX,SAAS,EAAE,IAAI;YACf,WAAW,EAAE,OAAO;YACpB,UAAU;YACV,WAAW,EAAE,CAAC;YACd,qBAAqB,EAAE,IAAI;SAC9B,CAAC;IACN,CAAC;IAED,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,WAAW,GAAsB,OAAO,CAAC;IAC7C,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,GAAG,cAAc,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QAC7E,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChC,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxE,IAAI,WAAW,GAAG,SAAS,GAAG,cAAc,EAAE,CAAC;YAC3C,WAAW,GAAG,OAAO,CAAC;YACtB,MAAM;QACV,CAAC;QACD,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvB,WAAW,IAAI,SAAS,CAAC;IAC7B,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,IAAI,cAAc,IAAI,WAAW,IAAI,cAAc,EAAE,CAAC;QACxE,WAAW,GAAG,OAAO,CAAC;IAC1B,CAAC;IACD,OAAO;QACH,OAAO,EAAE,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;QAC/B,SAAS,EAAE,IAAI;QACf,WAAW;QACX,UAAU;QACV,WAAW,EAAE,WAAW,CAAC,MAAM;QAC/B,qBAAqB,EAAE,KAAK;KAC/B,CAAC;AACN,CAAC"}

package/dist/sandbox/sandbox.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=sandbox.spec.d.ts.map

package/dist/sandbox/sandbox.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.spec.d.ts","sourceRoot":"","sources":["../../sources/sandbox/sandbox.spec.ts"],"names":[],"mappings":""}

package/dist/sandbox/sandbox.spec.js

@@ -0,0 +1,167 @@
+import { promises as fs } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { Sandbox } from "./sandbox.js";
+const itIfSandbox = process.env.CI ? it.skip : it;
+describe("Sandbox", () => {
+    let rootDir;
+    let homeDir;
+    let workingDir;
+    let writeDir;
+    let outsideDir;
+    let permissions;
+    let sandbox;
+    beforeEach(async () => {
+        rootDir = await fs.mkdtemp(path.join(os.tmpdir(), "daycare-sandbox-"));
+        homeDir = path.join(rootDir, "home");
+        workingDir = path.join(homeDir, "desktop");
+        writeDir = path.join(homeDir, "documents");
+        outsideDir = path.join(rootDir, "outside");
+        await fs.mkdir(workingDir, { recursive: true });
+        await fs.mkdir(writeDir, { recursive: true });
+        await fs.mkdir(outsideDir, { recursive: true });
+        permissions = {
+            workingDir,
+            writeDirs: [homeDir]
+        };
+        sandbox = new Sandbox({
+            homeDir,
+            permissions
+        });
+    });
+    afterEach(async () => {
+        await fs.rm(rootDir, { recursive: true, force: true });
+    });
+    it("stores homeDir and resolves workingDir from permissions", () => {
+        expect(sandbox.homeDir).toBe(path.resolve(homeDir));
+        expect(sandbox.workingDir).toBe(path.resolve(workingDir));
+        expect(sandbox.permissions).toBe(permissions);
+    });
+    it("uses workingDir from permissions only", () => {
+        const fromPermissions = new Sandbox({
+            homeDir,
+            permissions: {
+                ...permissions,
+                workingDir: writeDir
+            }
+        });
+        expect(fromPermissions.workingDir).toBe(path.resolve(writeDir));
+    });
+    it("reads text with pagination", async () => {
+        const filePath = path.join(workingDir, "notes.txt");
+        await fs.writeFile(filePath, "line-1\nline-2\nline-3", "utf8");
+        const firstRead = await sandbox.read({ path: filePath, limit: 2 });
+        expect(firstRead.type).toBe("text");
+        if (firstRead.type !== "text") {
+            return;
+        }
+        expect(firstRead.content).toContain("line-1\nline-2");
+        expect(firstRead.content).toContain("Use offset=3 to continue.");
+        expect(firstRead.truncated).toBe(false);
+        const secondRead = await sandbox.read({ path: filePath, offset: 3, limit: 1 });
+        if (secondRead.type !== "text") {
+            throw new Error("Expected text read result.");
+        }
+        expect(secondRead.content).toContain("line-3");
+    });
+    it("reads image files as binary image payloads", async () => {
+        const imagePath = path.join(workingDir, "image.png");
+        const oneByOnePngBase64 = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/x8AAwMCAO5L5f8AAAAASUVORK5CYII=";
+        await fs.writeFile(imagePath, Buffer.from(oneByOnePngBase64, "base64"));
+        const read = await sandbox.read({ path: imagePath });
+        expect(read.type).toBe("image");
+        if (read.type !== "image") {
+            return;
+        }
+        expect(read.mimeType).toBe("image/png");
+        expect(read.content.length).toBeGreaterThan(0);
+    });
+    it("rejects reading symbolic links", async () => {
+        const target = path.join(workingDir, "target.txt");
+        const symlink = path.join(workingDir, "link.txt");
+        await fs.writeFile(target, "data", "utf8");
+        await fs.symlink(target, symlink);
+        await expect(sandbox.read({ path: symlink })).rejects.toThrow("Cannot read symbolic link directly.");
+    });
+    it("rejects non-app access to app directories", async () => {
+        const appPath = path.join(workingDir, "apps", "my-app", "APP.md");
+        await fs.mkdir(path.dirname(appPath), { recursive: true });
+        await fs.writeFile(appPath, "app", "utf8");
+        await expect(sandbox.read({ path: appPath })).rejects.toThrow("App directories are not accessible from non-app agents.");
+    });
+    it("writes new files and creates parent directories", async () => {
+        const outputPath = path.join(writeDir, "nested", "out.txt");
+        const writeResult = await sandbox.write({
+            path: outputPath,
+            content: "hello"
+        });
+        expect(writeResult.bytes).toBe(5);
+        expect(writeResult.resolvedPath).toBe(await fs.realpath(outputPath));
+        expect(writeResult.sandboxPath).toBe("~/documents/nested/out.txt");
+        await expect(fs.readFile(outputPath, "utf8")).resolves.toBe("hello");
+    });
+    it("appends to files when append is true", async () => {
+        const outputPath = path.join(writeDir, "append.txt");
+        await fs.writeFile(outputPath, "start", "utf8");
+        await sandbox.write({
+            path: outputPath,
+            content: "-end",
+            append: true
+        });
+        await expect(fs.readFile(outputPath, "utf8")).resolves.toBe("start-end");
+    });
+    it("rejects writing outside granted directories", async () => {
+        const outputPath = path.join(outsideDir, "out.txt");
+        await expect(sandbox.write({ path: outputPath, content: "nope" })).rejects.toThrow("Path is outside the allowed directories.");
+    });
+    it("rejects writing to symbolic links", async () => {
+        const target = path.join(writeDir, "target.txt");
+        const symlink = path.join(writeDir, "link.txt");
+        await fs.writeFile(target, "data", "utf8");
+        await fs.symlink(target, symlink);
+        await expect(sandbox.write({ path: symlink, content: "overwrite" })).rejects.toThrow("Cannot write to symbolic link.");
+    });
+    it("reads binary content when binary mode is enabled", async () => {
+        const binaryPath = path.join(workingDir, "file.bin");
+        await fs.writeFile(binaryPath, Buffer.from([0, 1, 2, 3]));
+        const read = await sandbox.read({ path: binaryPath, binary: true });
+        expect(read.type).toBe("binary");
+        if (read.type !== "binary") {
+            return;
+        }
+        expect(read.content.equals(Buffer.from([0, 1, 2, 3]))).toBe(true);
+    });
+    it("validates domain allowlist before execution", async () => {
+        await expect(sandbox.exec({
+            command: "echo ok"
+        })).rejects.toThrow("allowedDomains must include at least one explicit domain");
+    });
+    it("rejects wildcard domains", async () => {
+        await expect(sandbox.exec({
+            command: "echo ok",
+            allowedDomains: ["*"]
+        })).rejects.toThrow("Wildcard");
+    });
+    itIfSandbox("executes command with explicit domains", async () => {
+        const result = await sandbox.exec({
+            command: "echo ok",
+            allowedDomains: ["example.com"]
+        });
+        expect(result.failed).toBe(false);
+        expect(result.stdout).toContain("ok");
+        expect(result.exitCode).toBe(0);
+    });
+    itIfSandbox("supports cwd override", async () => {
+        const cwd = path.join(workingDir, "cwd");
+        await fs.mkdir(cwd, { recursive: true });
+        const result = await sandbox.exec({
+            command: "pwd",
+            cwd,
+            allowedDomains: ["example.com"]
+        });
+        expect(result.failed).toBe(false);
+        expect(result.cwd).toBe(cwd);
+    });
+});
+//# sourceMappingURL=sandbox.spec.js.map