What happened?
For the below profile, ipsw drops the (with no-report) modifier on deny:
(version 1)
(extends "foo")
(allow default)
(deny device* (with no-report))
How can we reproduce this?
$ bash -c 'export IPSW=./ipsw
export OPS=./ops.txt
export DARWIN="25.5.0"
cat > orig.sb <<"EOF"
(version 1)
(extends "foo")
(allow default)
(deny device* (with no-report))
EOF
cat > degr.sb <<"EOF"
(version 1)
(extends "foo")
(allow default)
(deny device*)
EOF
"$IPSW" sb cmpl orig.sb -o orig
"$IPSW" sb cmpl degr.sb -o degr
"$IPSW" sb dec --type profile -i orig/profile.bin --operations "$OPS" --darwin-version "$DARWIN" -O orig.dec.sb
"$IPSW" sb cmpl orig.dec.sb -o rt
shasum orig/profile.bin degr/profile.bin rt/profile.bin
cat orig.dec.sb | grep device'
• Compiling profile to orig/profile.bin
• Compiling profile to degr/profile.bin
• Parsing sandbox profile data
• Compiling profile to rt/profile.bin
f45522c280b099af43e5a958fea89b6b3d49e8b2 orig/profile.bin
829b30b0db5c501b99fb58b53e22f506ef995865 degr/profile.bin
829b30b0db5c501b99fb58b53e22f506ef995865 rt/profile.bin
(deny device*)
allow (with report) seems to be working correctly:
$ bash -c 'export IPSW=./ipsw
export OPS=./ops.txt
export DARWIN="25.5.0"
cat > orig.sb <<"EOF"
(version 1)
(extends "foo")
(deny default)
(allow device* (with report))
EOF
cat > degr.sb <<"EOF"
(version 1)
(extends "foo")
(deny default)
(allow device*)
EOF
"$IPSW" sb cmpl orig.sb -o orig
"$IPSW" sb cmpl degr.sb -o degr
"$IPSW" sb dec --type profile -i orig/profile.bin --operations "$OPS" --darwin-version "$DARWIN" -O orig.dec.sb
"$IPSW" sb cmpl orig.dec.sb -o rt
shasum orig/profile.bin degr/profile.bin rt/profile.bin
cat orig.dec.sb | grep device -A 2'
• Compiling profile to orig/profile.bin
• Compiling profile to degr/profile.bin
• Parsing sandbox profile data
• Compiling profile to rt/profile.bin
066c0eb476f4ade01ac6131ce393dcd9a86ac9d2 orig/profile.bin
5f4cb917787bfc1d77375e863d4408c9239e6464 degr/profile.bin
066c0eb476f4ade01ac6131ce393dcd9a86ac9d2 rt/profile.bin
(allow device*
(with report)
)
ipsw version
Version: 3.1.696, BuildCommit: 343f09c8580f1774e7c0308e3ab798915c380b10
AI assistance
Claude Code helped with creating code for roundtrip testing ipsw which identified this issue.
Additional context
No response
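The hash comparison above shows that the round trip lost something. The following added example (not part of the original report and not ipsw code) shows which rule lost which modifier, by comparing the `(with ...)` forms in the source profile against the decompiled one. The function names are hypothetical, the sample strings are constructed from the profiles and grep output quoted in the report, and it assumes the decompiler keeps operation names as written, as the output above does.

```python
import re

# Tokens: parens, quoted strings, ';' comments, bare atoms.
TOKEN = re.compile(r'\(|\)|"(?:\\.|[^"\\])*"|;[^\n]*|[^\s()";]+')

def parse(text):
    """Parse SBPL text into nested lists, skipping ';' comments."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok.startswith(";"):
            continue
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def rule_modifiers(text):
    """Map (action, operation) -> set of modifiers taken from (with ...) forms."""
    rules = {}
    for form in parse(text):
        if not (isinstance(form, list) and form and form[0] in ("allow", "deny")):
            continue
        mods = {" ".join(map(str, x[1:])) for x in form[1:]
                if isinstance(x, list) and x and x[0] == "with"}
        for op in (x for x in form[1:] if isinstance(x, str)):
            rules.setdefault((form[0], op), set()).update(mods)
    return rules

def dropped_modifiers(original, decompiled):
    """Return {(action, op): [modifiers in original but absent after the round trip]}."""
    after = rule_modifiers(decompiled)
    lost = {k: sorted(m - after.get(k, set())) for k, m in rule_modifiers(original).items()}
    return {k: v for k, v in lost.items() if v}

# Constructed sample input, taken from the profiles and grep output in the report.
DENY_ORIG = '(version 1)\n(extends "foo")\n(allow default)\n(deny device* (with no-report))\n'
DENY_DEC = "(deny device*)\n"
ALLOW_ORIG = '(version 1)\n(extends "foo")\n(deny default)\n(allow device* (with report))\n'
ALLOW_DEC = "(allow device*\n(with report)\n)\n"

if __name__ == "__main__":
    print(dropped_modifiers(DENY_ORIG, DENY_DEC))
    print(dropped_modifiers(ALLOW_ORIG, ALLOW_DEC))
```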