From 62c1ba33772573d61d9334f7342f126964fb3e01 Mon Sep 17 00:00:00 2001
From: Christophe Dervieux <christophe.dervieux@gmail.com>
Date: Thu, 16 Apr 2026 09:10:08 +0100
Subject: [PATCH 1/2] Fall back to direct sass.bat execution when
 safeWindowsExec fails

Enterprise Windows environments with Group Policy / AppLocker rules
that block .bat execution from %TEMP% cause the safeWindowsExec temp
wrapper to fail, breaking dart-sass invocation (regression from #14002).

Try safeWindowsExec first (handles spaces in paths), then fall back to
direct execProcess call (v1.8 behavior) when it fails.

Fixes #14367
---
 src/core/dart-sass.ts | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/core/dart-sass.ts b/src/core/dart-sass.ts
index 0c8e39c9795..1d925889a06 100644
--- a/src/core/dart-sass.ts
+++ b/src/core/dart-sass.ts
@@ -125,7 +125,22 @@ export async function dartCommand(
         });
       },
     );
-    return processResult(result);
+    if (result.success) {
+      return processResult(result);
+    }
+
+    // safeWindowsExec failed — fall back to direct execution (v1.8 behavior).
+    // Enterprise environments may block .bat execution from %TEMP% via
+    // Group Policy / AppLocker, causing the temp wrapper to fail.
+    // See https://github.com/quarto-dev/quarto-cli/issues/14367
+    debug("[DART] safeWindowsExec failed, falling back to direct execution");
+    const directResult = await execProcess({
+      cmd: sass,
+      args,
+      stdout: "piped",
+      stderr: "piped",
+    });
+    return processResult(directResult);
   }
 
   // Non-Windows: direct execution

From d56d32539f5ade3f97f75bf07e92c92300d8df6d Mon Sep 17 00:00:00 2001
From: Christophe Dervieux <christophe.dervieux@gmail.com>
Date: Thu, 16 Apr 2026 09:15:48 +0100
Subject: [PATCH 2/2] Add changelog entry for #14367

---
 news/changelog-1.9.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/news/changelog-1.9.md b/news/changelog-1.9.md
index 61dbbb8dd59..fc6030c262a 100644
--- a/news/changelog-1.9.md
+++ b/news/changelog-1.9.md
@@ -3,6 +3,7 @@
 ## In this release
 
 - ([#14304](https://github.com/quarto-dev/quarto-cli/issues/14304)): Fix `quarto install tinytex` silently ignoring extraction failures. When archive extraction fails (e.g., `.tar.xz` on a system without `xz-utils`), the installer now reports a clear error instead of proceeding and failing with a confusing `NotFound` message.
+- ([#14367](https://github.com/quarto-dev/quarto-cli/issues/14367)): Fix Dart Sass invocation failing on enterprise Windows systems where Group Policy blocks `.bat` execution from `%TEMP%`. When the `safeWindowsExec` temp wrapper is blocked, Quarto now falls back to calling `sass.bat` directly.
 
 ## In previous releases