</array>

<key>com.apple.developer.system-extension.install</key>

<true/>

<key>com.apple.security.app-sandbox</key>

<true/>

<key>com.apple.security.application-groups</key>

<array>

<string>$(TeamIdentifierPrefix)com.coder.Coder-Desktop</string>

</array>

<key>com.apple.security.files.user-selected.read-only</key>

<true/>

<key>com.apple.security.network.client</key>

<true/>

</dict>

</plist>

/// An actor that handles configuring, enabling, and disabling the VPN tunnel via the

/// NetworkExtension APIs.

_=tryawaitgetTunnelManager()

neState=.disabled

serverAddress= tm.protocolConfiguration?.serverAddress

// only stores a weak reference to the delegate.

super.init()

neState=ifawaithasNetworkExtensionConfig(){

.disabled

.unconfigured

xpc.connect()

xpc.getPeerState()

func configureTunnelProviderProtocol(proto:NETunnelProviderProtocol?){

iflet proto{

serverAddress= proto.serverAddress

awaitconfigureNetworkExtension(proto: proto)

// this just configures the VPN, it doesn't enable it

tunnelState=.disabled

svc.onExtensionPeerUpdate(data)

// The NE has verified the dylib and knows better than mac's Gatekeeper

func removeQuarantine(path:String, reply:@escaping(Bool)->Void){

letreply=CallbackWrapper(reply)

\(svc.serverAddress??"the Coder deployment"). The code has been\

do shell script"xattr -d com.apple.quarantine\(path)"\

with prompt"\(prompt)"\

tryawaitwithCheckedThrowingContinuation{ continuationin

guardlet script=NSAppleScript(source: source)else{

// Run on a background thread

script.executeAndReturnError(&error)

continuation.resume()

throw.validation(error)

// HACK: The downloaded dylib may be quarantined, but we've validated it's signature

// so it's safe to execute. However, the SE must be sandboxed, so we defer to the app.

tryawaitremoveQuarantine(dest)

try tunnelHandle=TunnelHandle(dylibPath: dest)

case serverInfo(String)

case errorResponse(msg:String)

case noTunnelFileDescriptor

case noApp

case permissionDenied

msg

case.noTunnelFileDescriptor:

case.noApp:

case.permissionDenied:

letfields= log.fields.map{"\($0.name):\($0.value)"}.joined(separator:",")

logger.log(level: level,"\(log.message, privacy:.public):\(fields, privacy:.public)")

privatefunc removeQuarantine(_ dest:URL)asyncthrows(ManagerError){

letfile=NSURL(fileURLWithPath: dest.path)

try? file.getResourceValue(&flag, forKey: kCFURLQuarantinePropertiesKeyasURLResourceKey)

if flag!=nil{

guardlet conn= globalXPCListenerDelegate.connelse{

throw.noApp

// Wait for unsandboxed app to accept our file

tryawaitwithCheckedThrowingContinuation{[dest] continuationin

conn.removeQuarantine(path: dest.path){ _in

continuation.resume()

throw.permissionDenied

publicstructCallbackWrapper<T, U>:@uncheckedSendable{

publicinit(_ block:@escaping(T?)->U){

publicinit(_ block:@escaping(T)->U){

self.block= block

publicfunc callAsFunction(_ error:T?)->U{

publicfunc callAsFunction(_ error:T)->U{

block(error)

// data is a serialized `Vpn_PeerUpdate`

func onPeerUpdate(_ data:Data)

func removeQuarantine(path:String, reply:@escaping(Bool)->Void)