@24klynx/permissions 0.1.0

package/dist/index.d.mts

@@ -0,0 +1,244 @@
+import { CommandSafety, ToolDescriptor, ToolInvocation } from "@lynx/tools";
+
+//#region src/modes.d.ts
+/**
+ * Permission modes — the 6 operating modes that control how
+ * tool execution permissions are resolved.
+ *
+ *   default   — ask user for every RequiresApproval tool
+ *   auto      — LLM YOLO classifier decides, user can override
+ *   yolo      — auto‑approve everything, max throughput
+ *   dontAsk   — deny all RequiresApproval tools silently
+ *   headless  — no TUI, auto‑deny interactive prompts
+ *   plan      — read‑only mode, all mutating tools denied
+ */
+type PermissionMode = "default" | "auto" | "yolo" | "dontAsk" | "headless" | "plan";
+interface ModeBehavior {
+  /** Auto‑approve Safe tools without asking. */
+  autoApproveSafe: boolean;
+  /** Auto‑approve WorkspaceSafe tools. */
+  autoApproveWorkspaceSafe: boolean;
+  /** Auto‑deny Dangerous tools. */
+  autoDenyDangerous: boolean;
+  /** Use LLM classifier for RequiresApproval tools. */
+  useClassifier: boolean;
+  /** Show interactive prompts to the user. */
+  showPrompts: boolean;
+  /** Allow any file‑modifying tools. */
+  allowWrites: boolean;
+}
+/** Get the behavior profile for a given mode. */
+declare function getModeBehavior(mode: PermissionMode): ModeBehavior;
+/** List all valid mode names. */
+declare function listModes(): PermissionMode[];
+/** Validate that a string is a recognized mode. */
+declare function isValidMode(value: string): value is PermissionMode;
+//#endregion
+//#region src/rules.d.ts
+interface PermissionRule {
+  /** Glob pattern matching tool names (e.g. "bash", "read_*", "*"). */
+  glob: string;
+  /** Optional argument pattern for tool‑specific rules (e.g. "git push *"). */
+  args?: string;
+  /** Override the safety classification for matched tools. */
+  safety?: CommandSafety;
+  /** Explicitly allow matched tools. */
+  allow?: boolean;
+  /** Explicitly deny matched tools. */
+  deny?: boolean;
+  /** Human‑readable reason shown to the user. */
+  reason?: string;
+}
+interface RuleMatch {
+  rule: PermissionRule;
+  source: RuleSource;
+}
+type RuleSource = "blocklist" | "builtin" | "plugin" | "config" | "workspace" | "project" | "user" | "session";
+interface RuleEngine {
+  /** Register a rule from a specific source. */
+  add(source: RuleSource, rule: PermissionRule): void;
+  /** Remove all rules from a source. */
+  clearSource(source: RuleSource): void;
+  /** Find all rules that match a tool name, sorted by priority (highest first). */
+  match(toolName: string): RuleMatch[];
+  /** Check if any matching rule explicitly denies the tool. */
+  isDenied(toolName: string): boolean;
+  /** Check if any matching rule explicitly allows the tool. */
+  isAllowed(toolName: string): boolean;
+}
+/**
+ * Create a rule matching engine.
+ *
+ * Rules are evaluated lazily — each match() call re‑scans
+ * the rule set for the given tool name.
+ */
+declare function createRuleEngine(): RuleEngine;
+//#endregion
+//#region src/denial.d.ts
+/**
+ * Denial tracker with circuit breaker.
+ *
+ * When a user denies 3 consecutive tool requests within the same
+ * turn, the circuit breaker trips and auto‑denies all subsequent
+ * requests for the rest of that turn.
+ *
+ * The breaker resets at the start of each new turn.
+ */
+interface DenialTracker {
+  /** Record a denial from the user. */
+  recordDenial(): void;
+  /** Record an approval (resets the consecutive count). */
+  recordApproval(): void;
+  /** Check whether the circuit breaker has tripped. */
+  isTripped(): boolean;
+  /** Reset the tracker for a new turn. */
+  resetTurn(): void;
+  /** Current consecutive denial count. */
+  readonly consecutiveDenials: number;
+}
+/**
+ * Create a denial tracker.
+ *
+ * One instance per session — it tracks user behavior across
+ * multiple tool invocations within a single turn.
+ */
+declare function createDenialTracker(): DenialTracker;
+//#endregion
+//#region src/pipeline.d.ts
+interface PipelineContext {
+  mode: PermissionMode;
+  behavior: ModeBehavior;
+  ruleEngine: RuleEngine;
+  denialTracker: DenialTracker;
+  /** User callback — returns true to allow, false to deny. */
+  askUser?: (invocation: ToolInvocation) => Promise<boolean>;
+  /** LLM classifier callback — returns true to allow. */
+  classify?: (invocation: ToolInvocation) => Promise<boolean>;
+}
+interface PipelineResult {
+  allowed: boolean;
+  reason: string;
+  step: number;
+  /** If true, the result was determined without user interaction. */
+  automatic: boolean;
+}
+/**
+ * Run a tool invocation through the 14‑step permission pipeline.
+ *
+ * Each step is an independent function. The pipeline short‑circuits
+ * on the first non‑null result.
+ */
+declare function runPipeline(tool: ToolDescriptor, invocation: ToolInvocation, ctx: PipelineContext): Promise<PipelineResult>;
+//#endregion
+//#region src/classifier.d.ts
+interface YoloClassifier {
+  /**
+   * Ask the classifier whether a tool invocation should be allowed.
+   *
+   * Returns true if the invocation looks safe, false otherwise.
+   * Never throws — on error, falls back to a conservative heuristic.
+   */
+  classify(tool: ToolDescriptor, invocation: ToolInvocation): Promise<boolean>;
+}
+/** LLM completion function signature — injected via DI. */
+type ClassifyLlmCall = (prompt: string) => Promise<string>;
+/** Options for creating the classifier. */
+interface CreateYoloClassifierOptions {
+  /**
+   * Optional LLM completion function.
+   *
+   * When provided, the classifier sends a ~200‑token prompt to a
+   * fast model (e.g. Haiku / Flash) and parses "allow" / "deny".
+   * When omitted, falls back to the heuristic classifier only.
+   */
+  llmCall?: ClassifyLlmCall;
+  /** Timeout in milliseconds for the LLM call. Default 500. */
+  timeoutMs?: number;
+}
+/**
+ * Create a YOLO classifier.
+ *
+ * When `llmCall` is provided, prompts a fast LLM to decide each
+ * classification. A cache avoids redundant calls for identical
+ * (tool, safety, args) combinations within the same session.
+ *
+ * Falls back to a heuristic classifier on timeout or error.
+ */
+declare function createYoloClassifier(opts?: CreateYoloClassifierOptions): YoloClassifier;
+//#endregion
+//#region src/sources.d.ts
+interface RulesLoader {
+  /** Load all rules from a source into the engine. */
+  load(source: RuleSource, rules: PermissionRule[]): void;
+  /** Reload rules from a source (clears previous entries). */
+  reload(source: RuleSource, rules: PermissionRule[]): void;
+}
+/**
+ * Create a rules loader that populates a RuleEngine from
+ * configuration sources.
+ *
+ * Call load() for each source at startup, then reload() if
+ * the user edits their settings mid‑session.
+ */
+declare function createRulesLoader(engine: RuleEngine): RulesLoader;
+/**
+ * Load permission rules from the user's config directory.
+ *
+ * Reads two files:
+ *   - ~/.lynx/settings.json → `permissions.rules` array
+ *   - <workspace>/.lynx/permissions.json → top‑level rules array
+ *
+ * Parsing errors are silently ignored (don't block startup).
+ *
+ * @returns Number of rules loaded, or 0 if no files found.
+ */
+declare function loadFromDisk(loader: RulesLoader, workspace?: string): number;
+//#endregion
+//#region src/mcp-channel.d.ts
+/**
+ * MCP 频道权限 — 按频道限制可用的 MCP 服务器和工具。
+ *
+ * 每个频道可配置允许的服务器列表和工具列表，
+ * 以及是否需要用户批准。未匹配频道时回退到默认策略。
+ */
+/** MCP 频道权限策略 — 每条规则绑定一个频道。 */
+interface McpChannelPolicy {
+  /** 频道名称（"wechat"、"feishu"、"web" 等）。 */
+  channelName: string;
+  /** 允许的 MCP 服务器名称列表。 */
+  allowedServers: string[];
+  /** 允许的工具名列表（原始名称，非命名空间格式）。 */
+  allowedTools: string[];
+  /** 是否需要用户批准。 */
+  requireApproval: boolean;
+}
+/** 权限检查结果。 */
+interface McpCheckResult {
+  allowed: boolean;
+  reason: string;
+}
+/**
+ * 默认策略 — 无限制（所有频道可访问所有 MCP 工具）。
+ *
+ * 适用于内部工具和未明确配置频道的场景。
+ */
+declare const DEFAULT_MCP_CHANNEL_POLICY: McpChannelPolicy[];
+/**
+ * 创建 MCP 频道权限检查器。
+ *
+ * 返回一个函数：给定频道名和工具名，返回是否允许及原因。
+ * 检查逻辑：
+ *   1. 如果 channel 为 undefined，使用默认策略（全部允许）
+ *   2. 查找匹配 channelName 的策略
+ *   3. 未找到匹配策略 → 回退到第一个匹配的频道或拒绝
+ *   4. 找到匹配策略 → 检查 server 是否在 allowedServers 中
+ *   5. 检查 toolName 是否在 allowedTools 中（或 allowedTools 包含 "*"）
+ *   6. 全部通过 → 返回 allowed: true，附带是否需要批准的信息
+ *
+ * @param policies - 频道权限策略列表
+ * @returns 权限检查函数
+ */
+declare function createMcpChannelChecker(policies: McpChannelPolicy[]): (channel: string | undefined, toolName: string, serverName?: string) => McpCheckResult;
+//#endregion
+export { DEFAULT_MCP_CHANNEL_POLICY, type DenialTracker, type McpChannelPolicy, type McpCheckResult, type ModeBehavior, type PermissionMode, type PermissionRule, type PipelineContext, type PipelineResult, type RuleEngine, type RuleMatch, type RuleSource, type RulesLoader, type YoloClassifier, createDenialTracker, createMcpChannelChecker, createRuleEngine, createRulesLoader, createYoloClassifier, getModeBehavior, isValidMode, listModes, loadFromDisk, runPipeline };
+//# sourceMappingURL=index.d.mts.map

package/dist/index.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.mts","names":[],"sources":["../src/modes.ts","../src/rules.ts","../src/denial.ts","../src/pipeline.ts","../src/classifier.ts","../src/sources.ts","../src/mcp-channel.ts"],"mappings":";;;;;;AAcA;;;;AAA0B;AAE1B;;;KAFY,cAAA;AAAA,UAEK,YAAA;EAIf;EAFA,eAAA;EAMA;EAJA,wBAAA;EAQA;EANA,iBAAA;EAMW;EAJX,aAAA;EA+D6B;EA7D7B,WAAA;EA6DiE;EA3DjE,WAAA;AAAA;;iBA2Dc,eAAA,CAAgB,IAAA,EAAM,cAAA,GAAiB,YAAY;AAAA;AAAA,iBAKnD,SAAA,IAAa,cAAc;;iBAK3B,WAAA,CAAY,KAAA,WAAgB,KAAA,IAAS,cAAc;;;UC7ElD,cAAA;EDQf;ECNA,IAAA;EDMW;ECJX,IAAA;ED+D6B;EC7D7B,MAAA,GAAS,aAAa;ED6D2C;EC3DjE,KAAA;ED2D8B;ECzD9B,IAAA;EDyDiE;ECvDjE,MAAA;AAAA;AAAA,UAGe,SAAA;EACf,IAAA,EAAM,cAAA;EACN,MAAA,EAAQ,UAAU;AAAA;AAAA,KAGR,UAAA;AAAA,UAmCK,UAAA;;EAEf,GAAA,CAAI,MAAA,EAAQ,UAAA,EAAY,IAAA,EAAM,cAAA;EDoBJ;ECjB1B,WAAA,CAAY,MAAA,EAAQ,UAAA;EDiB+B;ECdnD,KAAA,CAAM,QAAA,WAAmB,SAAA;EDcwC;ECXjE,QAAA,CAAS,QAAA;;EAGT,SAAA,CAAU,QAAA;AAAA;;;;;;;iBASI,gBAAA,IAAoB,UAAU;;;;;;ADpF9C;;;;AAA0B;AAE1B;UEJiB,aAAA;;EAEf,YAAA;EFIA;EEFA,cAAA;EFMA;EEJA,SAAA;EFQA;EENA,SAAA;EFQW;EAAA,SENF,kBAAA;AAAA;;;;;;;iBAgBK,mBAAA,IAAuB,aAAa;;;UCTnC,eAAA;EACf,IAAA,EAAM,cAAA;EACN,QAAA,EAAU,YAAA;EACV,UAAA,EAAY,UAAA;EACZ,aAAA,EAAe,aAAA;EH2DQ;EGzDvB,OAAA,IAAW,UAAA,EAAY,cAAA,KAAmB,OAAA;EHyDD;EGvDzC,QAAA,IAAY,UAAA,EAAY,cAAA,KAAmB,OAAA;AAAA;AAAA,UAG5B,cAAA;EACf,OAAA;EACA,MAAA;EACA,IAAA;EHsD0C;EGpD1C,SAAA;AAAA;AHoDiE;;;;AC7EnE;;AD6EmE,iBG4J7C,WAAA,CACpB,IAAA,EAAM,cAAA,EACN,UAAA,EAAY,cAAA,EACZ,GAAA,EAAK,eAAA,GACJ,OAAA,CAAQ,cAAA;;;UC7OM,cAAA;EJQf;;AAAW;AA2Db;;;EI5DE,QAAA,CAAS,IAAA,EAAM,cAAA,EAAgB,UAAA,EAAY,cAAA,GAAiB,OAAA;AAAA;;KAIlD,eAAA,IAAmB,MAAA,aAAmB,OAAO;;UAGxC,2BAAA;EJ0DD;;;;AAA2B;AAK3C;;EIvDE,OAAA,GAAU,eAAe;EJuDwC;EIpDjE,SAAA;AAAA;;;AJoDiE;;;;AC7EnE;;;iBG6HgB,oBAAA,CAAqB,IAAA,GAAM,2BAAA,GAAmC,cAAc;;;UC3H3E,WAAA;ELIf;EKFA,IAAA,CAAK,MAAA,EAAQ,UAAA,EAAY,KAAA,EAAO,cAAA;ELIrB;EKFX,MAAA,CAAO,MAAA,EAAQ,UAAA,EAAY,KAAA,EAAO,cAAA;AAAA;;;;;;;;iBAqFpB,iBAAA,CAAkB,MAAA,EAAQ,UAAA,GAAa,WAAW;ALnBlE;;;;AAA2C;AAK3C;;;;;;AALA,iBKqDgB,YAAA,CAAa,MAAA,EAAQ,WAAW,EAAE,SAAA;;;;;;ALnIlD;;;;UMJiB,gBAAA;ENMA;EMJf,WAAA;;EAEA,cAAA;ENIA;EMFA,YAAA;ENMA;EMJA,eAAA;AAAA;;UAIe,cAAA;EACf,OAAA;EACA,MAAM;AAAA;;;;;;cAUK,0BAAA,EAA4B,gBAAgB;ANqDU;AAKnE;;;;AAA2C;AAK3C;;;;;;;;AAAmE;AAVA,iBMlCnD,uBAAA,CACd,QAAA,EAAU,gBAAA,MACR,OAAA,sBAA6B,QAAA,UAAkB,UAAA,cAAwB,cAAc"}

package/dist/index.mjs

@@ -0,0 +1,666 @@
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+//#region src/modes.ts
+const MODE_TABLE = {
+	default: {
+		autoApproveSafe: true,
+		autoApproveWorkspaceSafe: false,
+		autoDenyDangerous: true,
+		useClassifier: false,
+		showPrompts: true,
+		allowWrites: true
+	},
+	auto: {
+		autoApproveSafe: true,
+		autoApproveWorkspaceSafe: true,
+		autoDenyDangerous: true,
+		useClassifier: true,
+		showPrompts: false,
+		allowWrites: true
+	},
+	yolo: {
+		autoApproveSafe: true,
+		autoApproveWorkspaceSafe: true,
+		autoDenyDangerous: false,
+		useClassifier: false,
+		showPrompts: false,
+		allowWrites: true
+	},
+	dontAsk: {
+		autoApproveSafe: true,
+		autoApproveWorkspaceSafe: false,
+		autoDenyDangerous: true,
+		useClassifier: false,
+		showPrompts: false,
+		allowWrites: false
+	},
+	headless: {
+		autoApproveSafe: true,
+		autoApproveWorkspaceSafe: false,
+		autoDenyDangerous: true,
+		useClassifier: false,
+		showPrompts: false,
+		allowWrites: true
+	},
+	plan: {
+		autoApproveSafe: true,
+		autoApproveWorkspaceSafe: false,
+		autoDenyDangerous: true,
+		useClassifier: false,
+		showPrompts: false,
+		allowWrites: false
+	}
+};
+/** Get the behavior profile for a given mode. */
+function getModeBehavior(mode) {
+	return MODE_TABLE[mode];
+}
+/** List all valid mode names. */
+function listModes() {
+	return Object.keys(MODE_TABLE);
+}
+/** Validate that a string is a recognized mode. */
+function isValidMode(value) {
+	return value in MODE_TABLE;
+}
+//#endregion
+//#region src/rules.ts
+/** Priority weight — higher number = higher priority. */
+const SOURCE_PRIORITY = {
+	blocklist: 0,
+	builtin: 1,
+	plugin: 2,
+	config: 3,
+	workspace: 4,
+	project: 5,
+	user: 6,
+	session: 7
+};
+function globMatch(pattern, value) {
+	const regex = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
+	return new RegExp(`^${regex}$`).test(value);
+}
+/**
+* Create a rule matching engine.
+*
+* Rules are evaluated lazily — each match() call re‑scans
+* the rule set for the given tool name.
+*/
+function createRuleEngine() {
+	const rulesBySource = /* @__PURE__ */ new Map();
+	for (const rule of [
+		{
+			glob: "sudo",
+			deny: true,
+			reason: "Privilege escalation is forbidden"
+		},
+		{
+			glob: "su",
+			deny: true,
+			reason: "Privilege escalation is forbidden"
+		},
+		{
+			glob: "doas",
+			deny: true,
+			reason: "Privilege escalation is forbidden"
+		}
+	]) {
+		const existing = rulesBySource.get("blocklist") ?? [];
+		existing.push(rule);
+		rulesBySource.set("blocklist", existing);
+	}
+	return {
+		add(source, rule) {
+			const existing = rulesBySource.get(source) ?? [];
+			existing.push(rule);
+			rulesBySource.set(source, existing);
+		},
+		clearSource(source) {
+			rulesBySource.delete(source);
+		},
+		match(toolName) {
+			const matches = [];
+			for (const [source, rules] of rulesBySource) for (const rule of rules) if (globMatch(rule.glob, toolName)) matches.push({
+				rule,
+				source
+			});
+			matches.sort((a, b) => SOURCE_PRIORITY[b.source] - SOURCE_PRIORITY[a.source]);
+			return matches;
+		},
+		isDenied(toolName) {
+			const matches = this.match(toolName);
+			if (matches.length === 0) return false;
+			return matches[0].rule.deny === true;
+		},
+		isAllowed(toolName) {
+			const matches = this.match(toolName);
+			if (matches.length === 0) return false;
+			return matches[0].rule.allow === true;
+		}
+	};
+}
+//#endregion
+//#region src/pipeline.ts
+function step1_unknownTool(tool) {
+	if (!tool) return {
+		allowed: false,
+		reason: "未知工具",
+		step: 1,
+		automatic: true
+	};
+	return null;
+}
+function step2_safeTool(tool) {
+	if (tool.safety === "Safe") return {
+		allowed: true,
+		reason: "安全工具 — 始终允许",
+		step: 2,
+		automatic: true
+	};
+	return null;
+}
+function step3_dangerousTool(tool, _inv, ctx) {
+	if (tool.safety === "Dangerous" && ctx.behavior.autoDenyDangerous) return {
+		allowed: false,
+		reason: "危险工具 — 已自动拒绝",
+		step: 3,
+		automatic: true
+	};
+	return null;
+}
+function step4_ruleDeny(_tool, invocation, ctx) {
+	if (ctx.ruleEngine.isDenied(invocation.toolName)) return {
+		allowed: false,
+		reason: "被权限规则拒绝",
+		step: 4,
+		automatic: true
+	};
+	return null;
+}
+function step5_ruleAllow(_tool, invocation, ctx) {
+	if (ctx.ruleEngine.isAllowed(invocation.toolName)) return {
+		allowed: true,
+		reason: "被权限规则允许",
+		step: 5,
+		automatic: true
+	};
+	return null;
+}
+function step6_planModeDeniesWrites(tool, _inv, ctx) {
+	if (ctx.mode === "plan" && tool.kind !== "ReadOnly") return {
+		allowed: false,
+		reason: `写入工具 "${tool.name}" 在计划模式下被拒绝`,
+		step: 6,
+		automatic: true
+	};
+	return null;
+}
+function step7_circuitBreaker(_tool, _inv, ctx) {
+	if (ctx.denialTracker.isTripped()) return {
+		allowed: false,
+		reason: "熔断器已触发 — 自动拒绝",
+		step: 7,
+		automatic: true
+	};
+	return null;
+}
+function step8_yolo(_tool, _inv, ctx) {
+	if (ctx.mode === "yolo") return {
+		allowed: true,
+		reason: "YOLO 模式 — 已自动批准",
+		step: 8,
+		automatic: true
+	};
+	return null;
+}
+function step9_dontAsk(_tool, _inv, ctx) {
+	if (ctx.mode === "dontAsk") return {
+		allowed: false,
+		reason: "免问模式 — 已自动拒绝",
+		step: 9,
+		automatic: true
+	};
+	return null;
+}
+function step10_headless(_tool, _inv, ctx) {
+	if (ctx.mode === "headless") return {
+		allowed: false,
+		reason: "无头模式 — 无交互式提示",
+		step: 10,
+		automatic: true
+	};
+	return null;
+}
+async function step11_autoClassify(_tool, invocation, ctx) {
+	if (ctx.mode !== "auto" || !ctx.classify) return null;
+	try {
+		const allowed = await ctx.classify(invocation);
+		return {
+			allowed,
+			reason: allowed ? "自动分类为安全" : "自动分类为不安全",
+			step: 11,
+			automatic: true
+		};
+	} catch {
+		return null;
+	}
+}
+async function step12_defaultAskUser(_tool, invocation, ctx) {
+	if (ctx.mode !== "default") return null;
+	if (!ctx.askUser) return {
+		allowed: false,
+		reason: "默认模式 — 无用户提示可用",
+		step: 12,
+		automatic: true
+	};
+	try {
+		const allowed = await ctx.askUser(invocation);
+		return {
+			allowed,
+			reason: allowed ? "用户已批准" : "用户已拒绝",
+			step: 13,
+			automatic: false
+		};
+	} catch {
+		return {
+			allowed: false,
+			reason: "用户提示失败",
+			step: 13,
+			automatic: false
+		};
+	}
+}
+/** 兜底步骤 — 始终返回结果。 */
+function step14_defaultDeny() {
+	return {
+		allowed: false,
+		reason: "默认拒绝 — 无规则匹配",
+		step: 14,
+		automatic: true
+	};
+}
+const PIPELINE = [
+	step1_unknownTool,
+	step2_safeTool,
+	step3_dangerousTool,
+	step4_ruleDeny,
+	step5_ruleAllow,
+	step6_planModeDeniesWrites,
+	step7_circuitBreaker,
+	step8_yolo,
+	step9_dontAsk,
+	step10_headless,
+	step11_autoClassify,
+	step12_defaultAskUser,
+	step14_defaultDeny
+];
+/**
+* Run a tool invocation through the 14‑step permission pipeline.
+*
+* Each step is an independent function. The pipeline short‑circuits
+* on the first non‑null result.
+*/
+async function runPipeline(tool, invocation, ctx) {
+	for (const step of PIPELINE) {
+		const result = await step(tool, invocation, ctx);
+		if (result) return result;
+	}
+	return {
+		allowed: false,
+		reason: "默认拒绝 — 无规则匹配",
+		step: 14,
+		automatic: true
+	};
+}
+//#endregion
+//#region src/classifier.ts
+const DEFAULT_TIMEOUT_MS = 500;
+/** Compact prompt template (~200 tokens). */
+const CLASSIFIER_PROMPT = `You are a security classifier. Given a tool invocation, respond with ONLY "allow" or "deny".
+
+Rules:
+- Read-only operations (read_file, ls, grep, search) → allow
+- File writes within the workspace → allow
+- Network requests → allow
+- Shell commands that modify system state → deny
+- Commands that delete files outside the workspace → deny
+- Commands that install packages → deny
+- Escalation commands (sudo, su) → deny
+
+Tool: {toolName}
+Description: {toolDescription}
+Input: {toolInput}
+
+Response:`;
+/** Patterns that always result in deny. */
+const DENY_PATTERNS = [
+	"sudo",
+	"rm -rf /",
+	"chmod 777",
+	"DROP TABLE",
+	"DELETE FROM",
+	"shutdown",
+	"reboot",
+	"format",
+	"mkfs",
+	"curl | bash",
+	"wget -O - |",
+	"> /dev/sda",
+	"dd if="
+];
+/** Patterns that indicate safe dev workflows. */
+const ALLOW_PATTERNS = [
+	"npm test",
+	"npm run",
+	"pnpm test",
+	"pnpm build",
+	"git ",
+	"node ",
+	"tsc",
+	"vitest",
+	"eslint",
+	"prettier"
+];
+function heuristicClassify(tool, invocation) {
+	if (tool.kind === "ReadOnly") return true;
+	const payload = JSON.stringify(invocation.payload).toLowerCase();
+	for (const pattern of DENY_PATTERNS) if (payload.includes(pattern.toLowerCase())) return false;
+	for (const pattern of ALLOW_PATTERNS) if (payload.includes(pattern.toLowerCase())) return true;
+	return tool.safety === "Safe";
+}
+/** Cache key derived from tool identity + input hash. */
+function cacheKey(tool, invocation) {
+	const inputHash = JSON.stringify(invocation.payload);
+	return `${tool.name}:${tool.safety}:${inputHash}`;
+}
+/**
+* Create a YOLO classifier.
+*
+* When `llmCall` is provided, prompts a fast LLM to decide each
+* classification. A cache avoids redundant calls for identical
+* (tool, safety, args) combinations within the same session.
+*
+* Falls back to a heuristic classifier on timeout or error.
+*/
+function createYoloClassifier(opts = {}) {
+	const { llmCall, timeoutMs = DEFAULT_TIMEOUT_MS } = opts;
+	const cache = /* @__PURE__ */ new Map();
+	return { async classify(tool, invocation) {
+		const key = cacheKey(tool, invocation);
+		const cached = cache.get(key);
+		if (cached !== void 0) return cached;
+		if (llmCall) try {
+			const prompt = CLASSIFIER_PROMPT.replace("{toolName}", tool.name).replace("{toolDescription}", tool.description).replace("{toolInput}", JSON.stringify(invocation.payload));
+			const decision = (await Promise.race([llmCall(prompt), new Promise((_, reject) => setTimeout(() => reject(/* @__PURE__ */ new Error("Classifier timeout")), timeoutMs))])).trim().toLowerCase().startsWith("allow");
+			cache.set(key, decision);
+			return decision;
+		} catch {}
+		const decision = heuristicClassify(tool, invocation);
+		cache.set(key, decision);
+		return decision;
+	} };
+}
+//#endregion
+//#region src/denial.ts
+/** Number of consecutive denials before the breaker trips. */
+const DENIAL_THRESHOLD = 3;
+/**
+* Create a denial tracker.
+*
+* One instance per session — it tracks user behavior across
+* multiple tool invocations within a single turn.
+*/
+function createDenialTracker() {
+	let consecutive = 0;
+	return {
+		get consecutiveDenials() {
+			return consecutive;
+		},
+		recordDenial() {
+			consecutive++;
+		},
+		recordApproval() {
+			consecutive = 0;
+		},
+		isTripped() {
+			return consecutive >= DENIAL_THRESHOLD;
+		},
+		resetTurn() {
+			consecutive = 0;
+		}
+	};
+}
+//#endregion
+//#region src/sources.ts
+/**
+* Permission rule source loading — reads rules from each of the
+* 7 priority layers and feeds them into the RuleEngine.
+*
+* Sources (lowest to highest priority):
+*   0. blocklist — hardcoded (loaded by RuleEngine at construction)
+*   1. builtin   — default safety rules
+*   2. plugin    — plugin‑declared rules
+*   3. config    — ~/.lynx/config.json permissions.allow/deny
+*   4. workspace — .lynx/permissions.json in the session workspace
+*   5. project   — directive files (CLAUDE.md)
+*   6. user      — ~/.lynx/settings.json
+*   7. session   — runtime overrides (set via /permissions command)
+*/
+const BUILTIN_RULES = [
+	{
+		glob: "read_file",
+		allow: true,
+		reason: "Read‑only file access"
+	},
+	{
+		glob: "write_file",
+		allow: true,
+		reason: "Workspace‑scoped file write"
+	},
+	{
+		glob: "glob",
+		allow: true,
+		reason: "File pattern matching"
+	},
+	{
+		glob: "grep",
+		allow: true,
+		reason: "Content search"
+	},
+	{
+		glob: "ls",
+		allow: true,
+		reason: "Directory listing"
+	},
+	{
+		glob: "bash",
+		allow: true,
+		reason: "Shell access (permission‑gated)"
+	},
+	{
+		glob: "rm",
+		deny: true,
+		reason: "File deletion requires confirmation"
+	}
+];
+/** 常见工具名映射（config.json 友好名 → 实际工具名）。 */
+const TOOL_NAME_MAP = {
+	Bash: "bash",
+	Read: "read_file",
+	Write: "write_file",
+	Edit: "edit",
+	Glob: "glob",
+	Grep: "grep",
+	Web: "web_fetch",
+	WebSearch: "web_search",
+	Task: "task",
+	Ask: "ask_user_question"
+};
+/**
+* 解析 config.json 权限条目。
+*
+* 格式：
+*   "ToolName"           → { glob: "tool_name", allow: true/false }
+*   "ToolName(args)"     → { glob: "tool_name", args: "args", allow: true/false }
+*
+* 友好名（如 Bash、Read）会自动映射为实际工具名。
+*/
+function parsePermissionEntry(raw, allow) {
+	const match = raw.match(/^(\w+)(?:\((.+)\))?$/);
+	if (!match) return null;
+	const friendlyName = match[1];
+	const toolName = TOOL_NAME_MAP[friendlyName] ?? friendlyName.toLowerCase();
+	const args = match[2]?.trim();
+	const rule = {
+		glob: toolName,
+		allow
+	};
+	if (args) rule.args = args;
+	return rule;
+}
+/**
+* 从 config.json 的 permissions.allow/deny 解析权限规则。
+* 返回解析出的规则数组；解析失败静默跳过。
+*/
+function parseConfigPermissions(raw) {
+	if (!raw || typeof raw !== "object") return [];
+	const perms = raw;
+	const allowEntries = Array.isArray(perms.allow) ? perms.allow : [];
+	const denyEntries = Array.isArray(perms.deny) ? perms.deny : [];
+	const rules = [];
+	for (const entry of allowEntries) {
+		const rule = parsePermissionEntry(entry, true);
+		if (rule) rules.push(rule);
+	}
+	for (const entry of denyEntries) {
+		const rule = parsePermissionEntry(entry, false);
+		if (rule) rules.push(rule);
+	}
+	return rules;
+}
+/**
+* Create a rules loader that populates a RuleEngine from
+* configuration sources.
+*
+* Call load() for each source at startup, then reload() if
+* the user edits their settings mid‑session.
+*/
+function createRulesLoader(engine) {
+	const loader = {
+		load(source, rules) {
+			for (const rule of rules) engine.add(source, rule);
+		},
+		reload(source, rules) {
+			engine.clearSource(source);
+			loader.load(source, rules);
+		}
+	};
+	engine.clearSource("builtin");
+	for (const rule of BUILTIN_RULES) engine.add("builtin", rule);
+	return loader;
+}
+/**
+* Load permission rules from the user's config directory.
+*
+* Reads two files:
+*   - ~/.lynx/settings.json → `permissions.rules` array
+*   - <workspace>/.lynx/permissions.json → top‑level rules array
+*
+* Parsing errors are silently ignored (don't block startup).
+*
+* @returns Number of rules loaded, or 0 if no files found.
+*/
+function loadFromDisk(loader, workspace) {
+	let loaded = 0;
+	const userSettingsPath = join(homedir(), ".lynx", "settings.json");
+	try {
+		if (existsSync(userSettingsPath)) {
+			const raw = readFileSync(userSettingsPath, "utf-8");
+			const rules = JSON.parse(raw)?.permissions?.rules;
+			if (Array.isArray(rules) && rules.length > 0) {
+				loader.reload("user", rules);
+				loaded += rules.length;
+			}
+		}
+	} catch {}
+	const configPath = join(homedir(), ".lynx", "config.json");
+	try {
+		if (existsSync(configPath)) {
+			const raw = readFileSync(configPath, "utf-8");
+			const configRules = parseConfigPermissions(JSON.parse(raw).permissions ?? {});
+			if (configRules.length > 0) {
+				loader.reload("config", configRules);
+				loaded += configRules.length;
+			}
+		}
+	} catch {}
+	if (workspace) {
+		const projectSettingsPath = join(workspace, ".lynx", "permissions.json");
+		try {
+			if (existsSync(projectSettingsPath)) {
+				const raw = readFileSync(projectSettingsPath, "utf-8");
+				const rules = JSON.parse(raw)?.rules;
+				if (Array.isArray(rules) && rules.length > 0) {
+					loader.reload("workspace", rules);
+					loaded += rules.length;
+				}
+			}
+		} catch {}
+	}
+	return loaded;
+}
+//#endregion
+//#region src/mcp-channel.ts
+/**
+* 默认策略 — 无限制（所有频道可访问所有 MCP 工具）。
+*
+* 适用于内部工具和未明确配置频道的场景。
+*/
+const DEFAULT_MCP_CHANNEL_POLICY = [];
+/**
+* 创建 MCP 频道权限检查器。
+*
+* 返回一个函数：给定频道名和工具名，返回是否允许及原因。
+* 检查逻辑：
+*   1. 如果 channel 为 undefined，使用默认策略（全部允许）
+*   2. 查找匹配 channelName 的策略
+*   3. 未找到匹配策略 → 回退到第一个匹配的频道或拒绝
+*   4. 找到匹配策略 → 检查 server 是否在 allowedServers 中
+*   5. 检查 toolName 是否在 allowedTools 中（或 allowedTools 包含 "*"）
+*   6. 全部通过 → 返回 allowed: true，附带是否需要批准的信息
+*
+* @param policies - 频道权限策略列表
+* @returns 权限检查函数
+*/
+function createMcpChannelChecker(policies) {
+	return function checkChannel(channel, toolName, serverName) {
+		if (!channel) return {
+			allowed: true,
+			reason: "无频道限制（channel 未指定）"
+		};
+		const policy = policies.find((p) => p.channelName === channel);
+		if (!policy) return {
+			allowed: false,
+			reason: `频道 "${channel}" 未配置 MCP 权限策略`
+		};
+		if (serverName && policy.allowedServers.length > 0) {
+			if (!policy.allowedServers.some((s) => s === serverName || s === "*")) return {
+				allowed: false,
+				reason: `MCP 服务器 "${serverName}" 不在频道 "${channel}" 的允许列表中`
+			};
+		}
+		if (!policy.allowedTools.some((t) => t === toolName || t === "*")) return {
+			allowed: false,
+			reason: `工具 "${toolName}" 不在频道 "${channel}" 的允许列表中`
+		};
+		return {
+			allowed: true,
+			reason: `频道 "${channel}" 允许使用 "${toolName}"${policy.requireApproval ? "（需要用户批准）" : ""}`
+		};
+	};
+}
+//#endregion
+export { DEFAULT_MCP_CHANNEL_POLICY, createDenialTracker, createMcpChannelChecker, createRuleEngine, createRulesLoader, createYoloClassifier, getModeBehavior, isValidMode, listModes, loadFromDisk, runPipeline };
+
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../src/modes.ts","../src/rules.ts","../src/pipeline.ts","../src/classifier.ts","../src/denial.ts","../src/sources.ts","../src/mcp-channel.ts"],"sourcesContent":["/**\n * Permission modes — the 6 operating modes that control how\n * tool execution permissions are resolved.\n *\n *   default   — ask user for every RequiresApproval tool\n *   auto      — LLM YOLO classifier decides, user can override\n *   yolo      — auto‑approve everything, max throughput\n *   dontAsk   — deny all RequiresApproval tools silently\n *   headless  — no TUI, auto‑deny interactive prompts\n *   plan      — read‑only mode, all mutating tools denied\n */\n\n// ── Types ────────────────────────────────────────────\n\nexport type PermissionMode = \"default\" | \"auto\" | \"yolo\" | \"dontAsk\" | \"headless\" | \"plan\";\n\nexport interface ModeBehavior {\n  /** Auto‑approve Safe tools without asking. */\n  autoApproveSafe: boolean;\n  /** Auto‑approve WorkspaceSafe tools. */\n  autoApproveWorkspaceSafe: boolean;\n  /** Auto‑deny Dangerous tools. */\n  autoDenyDangerous: boolean;\n  /** Use LLM classifier for RequiresApproval tools. */\n  useClassifier: boolean;\n  /** Show interactive prompts to the user. */\n  showPrompts: boolean;\n  /** Allow any file‑modifying tools. */\n  allowWrites: boolean;\n}\n\n// ── Mode table ───────────────────────────────────────\n\nconst MODE_TABLE: Record<PermissionMode, ModeBehavior> = {\n  default: {\n    autoApproveSafe: true,\n    autoApproveWorkspaceSafe: false,\n    autoDenyDangerous: true,\n    useClassifier: false,\n    showPrompts: true,\n    allowWrites: true,\n  },\n  auto: {\n    autoApproveSafe: true,\n    autoApproveWorkspaceSafe: true,\n    autoDenyDangerous: true,\n    useClassifier: true,\n    showPrompts: false,\n    allowWrites: true,\n  },\n  yolo: {\n    autoApproveSafe: true,\n    autoApproveWorkspaceSafe: true,\n    autoDenyDangerous: false,\n    useClassifier: false,\n    showPrompts: false,\n    allowWrites: true,\n  },\n  dontAsk: {\n    autoApproveSafe: true,\n    autoApproveWorkspaceSafe: false,\n    autoDenyDangerous: true,\n    useClassifier: false,\n    showPrompts: false,\n    allowWrites: false,\n  },\n  headless: {\n    autoApproveSafe: true,\n    autoApproveWorkspaceSafe: false,\n    autoDenyDangerous: true,\n    useClassifier: false,\n    showPrompts: false,\n    allowWrites: true,\n  },\n  plan: {\n    autoApproveSafe: true,\n    autoApproveWorkspaceSafe: false,\n    autoDenyDangerous: true,\n    useClassifier: false,\n    showPrompts: false,\n    allowWrites: false,\n  },\n};\n\n// ── Public API ───────────────────────────────────────\n\n/** Get the behavior profile for a given mode. */\nexport function getModeBehavior(mode: PermissionMode): ModeBehavior {\n  return MODE_TABLE[mode];\n}\n\n/** List all valid mode names. */\nexport function listModes(): PermissionMode[] {\n  return Object.keys(MODE_TABLE) as PermissionMode[];\n}\n\n/** Validate that a string is a recognized mode. */\nexport function isValidMode(value: string): value is PermissionMode {\n  return value in MODE_TABLE;\n}\n","/**\n * Permission rule matching engine.\n *\n * Rules are evaluated in priority order from multiple sources:\n *   1. Session overrides      (highest)\n *   2. User settings\n *   3. Project settings\n *   4. Workspace settings\n *   5. Plugin defaults\n *   6. Built‑in defaults\n *   7. Hardcoded blocklist    (lowest — always evaluated first)\n *\n * Each rule has a glob pattern that matches tool names.\n * When multiple rules match, higher‑priority sources win.\n */\n\nimport type { CommandSafety } from \"@lynx/tools\";\n\n// ── Types ────────────────────────────────────────────\n\nexport interface PermissionRule {\n  /** Glob pattern matching tool names (e.g. \"bash\", \"read_*\", \"*\"). */\n  glob: string;\n  /** Optional argument pattern for tool‑specific rules (e.g. \"git push *\"). */\n  args?: string;\n  /** Override the safety classification for matched tools. */\n  safety?: CommandSafety;\n  /** Explicitly allow matched tools. */\n  allow?: boolean;\n  /** Explicitly deny matched tools. */\n  deny?: boolean;\n  /** Human‑readable reason shown to the user. */\n  reason?: string;\n}\n\nexport interface RuleMatch {\n  rule: PermissionRule;\n  source: RuleSource;\n}\n\nexport type RuleSource =\n  | \"blocklist\" // 0 — hardcoded, always deny\n  | \"builtin\" // 1 — built‑in defaults\n  | \"plugin\" // 2 — plugin‑provided rules\n  | \"config\" // 3 — ~/.lynx/config.json permissions.allow/deny\n  | \"workspace\" // 4 — .lynx/permissions.json in the workspace\n  | \"project\" // 5 — CLAUDE.md project settings\n  | \"user\" // 6 — ~/.lynx/settings.json\n  | \"session\"; // 7 — runtime session override\n\n/** Priority weight — higher number = higher priority. */\nconst SOURCE_PRIORITY: Record<RuleSource, number> = {\n  blocklist: 0,\n  builtin: 1,\n  plugin: 2,\n  config: 3,\n  workspace: 4,\n  project: 5,\n  user: 6,\n  session: 7,\n};\n\n// ── Glob matching ────────────────────────────────────\n\nfunction globMatch(pattern: string, value: string): boolean {\n  // Simple wildcard matching: * matches any sequence, ? matches one char\n  const regex = pattern\n    .replace(/[.+^${}()|[\\]\\\\]/g, \"\\\\$&\")\n    .replace(/\\*/g, \".*\")\n    .replace(/\\?/g, \".\");\n  return new RegExp(`^${regex}$`).test(value);\n}\n\n// ── Public API ───────────────────────────────────────\n\nexport interface RuleEngine {\n  /** Register a rule from a specific source. */\n  add(source: RuleSource, rule: PermissionRule): void;\n\n  /** Remove all rules from a source. */\n  clearSource(source: RuleSource): void;\n\n  /** Find all rules that match a tool name, sorted by priority (highest first). */\n  match(toolName: string): RuleMatch[];\n\n  /** Check if any matching rule explicitly denies the tool. */\n  isDenied(toolName: string): boolean;\n\n  /** Check if any matching rule explicitly allows the tool. */\n  isAllowed(toolName: string): boolean;\n}\n\n/**\n * Create a rule matching engine.\n *\n * Rules are evaluated lazily — each match() call re‑scans\n * the rule set for the given tool name.\n */\nexport function createRuleEngine(): RuleEngine {\n  const rulesBySource = new Map<RuleSource, PermissionRule[]>();\n\n  // Hardcoded blocklist — always denied\n  const BLOCKLIST: PermissionRule[] = [\n    { glob: \"sudo\", deny: true, reason: \"Privilege escalation is forbidden\" },\n    { glob: \"su\", deny: true, reason: \"Privilege escalation is forbidden\" },\n    { glob: \"doas\", deny: true, reason: \"Privilege escalation is forbidden\" },\n  ];\n\n  // Register the blocklist immediately\n  for (const rule of BLOCKLIST) {\n    const existing = rulesBySource.get(\"blocklist\") ?? [];\n    existing.push(rule);\n    rulesBySource.set(\"blocklist\", existing);\n  }\n\n  const engine: RuleEngine = {\n    add(source: RuleSource, rule: PermissionRule): void {\n      const existing = rulesBySource.get(source) ?? [];\n      existing.push(rule);\n      rulesBySource.set(source, existing);\n    },\n\n    clearSource(source: RuleSource): void {\n      rulesBySource.delete(source);\n    },\n\n    match(toolName: string): RuleMatch[] {\n      const matches: RuleMatch[] = [];\n\n      for (const [source, rules] of rulesBySource) {\n        for (const rule of rules) {\n          if (globMatch(rule.glob, toolName)) {\n            matches.push({ rule, source });\n          }\n        }\n      }\n\n      // Sort by source priority (highest first)\n      matches.sort((a, b) => SOURCE_PRIORITY[b.source] - SOURCE_PRIORITY[a.source]);\n\n      return matches;\n    },\n\n    isDenied(toolName: string): boolean {\n      const matches = this.match(toolName);\n      // Higher‑priority source wins\n      if (matches.length === 0) return false;\n      const top = matches[0];\n      return top.rule.deny === true;\n    },\n\n    isAllowed(toolName: string): boolean {\n      const matches = this.match(toolName);\n      if (matches.length === 0) return false;\n      const top = matches[0];\n      return top.rule.allow === true;\n    },\n  };\n\n  return engine;\n}\n","/**\n * 14‑step permission pipeline — evaluates every tool invocation\n * through a sequence of checks, short‑circuiting on the first\n * definitive answer.\n *\n * Steps:\n *   1.  Tool not found in registry → deny\n *   2.  Tool is Safe → auto‑approve\n *   3.  Tool is Dangerous → auto‑deny (unless yolo mode)\n *   4.  Rule engine explicit deny → deny\n *   5.  Rule engine explicit allow → allow\n *   6.  Mode behavior check (plan mode denies writes, etc.)\n *   7.  Denial tracker circuit breaker → deny\n *   8.  Mode: yolo → allow\n *   9.  Mode: dontAsk → deny\n *  10.  Mode: headless → deny (no interactive TUI)\n *  11.  Mode: auto → LLM classifier\n *  12.  Mode: default → ask user\n *  13.  User response → allow/deny\n *  14.  Default: deny\n */\n\nimport type { ToolDescriptor, ToolInvocation } from \"@lynx/tools\";\nimport type { PermissionMode, ModeBehavior } from \"./modes.js\";\nimport type { RuleEngine } from \"./rules.js\";\nimport type { DenialTracker } from \"./denial.js\";\n\n// ── Types ────────────────────────────────────────────\n\nexport interface PipelineContext {\n  mode: PermissionMode;\n  behavior: ModeBehavior;\n  ruleEngine: RuleEngine;\n  denialTracker: DenialTracker;\n  /** User callback — returns true to allow, false to deny. */\n  askUser?: (invocation: ToolInvocation) => Promise<boolean>;\n  /** LLM classifier callback — returns true to allow. */\n  classify?: (invocation: ToolInvocation) => Promise<boolean>;\n}\n\nexport interface PipelineResult {\n  allowed: boolean;\n  reason: string;\n  step: number;\n  /** If true, the result was determined without user interaction. */\n  automatic: boolean;\n}\n\n// ── Step function type ────────────────────────────────\n\n/** A single pipeline step. Returns a result to short‑circuit, or null to continue. */\ntype StepFn = (\n  tool: ToolDescriptor,\n  invocation: ToolInvocation,\n  ctx: PipelineContext,\n) => Promise<PipelineResult | null> | PipelineResult | null;\n\n// ── Step implementations ──────────────────────────────\n\nfunction step1_unknownTool(tool: ToolDescriptor): PipelineResult | null {\n  if (!tool) {\n    return { allowed: false, reason: \"未知工具\", step: 1, automatic: true };\n  }\n  return null;\n}\n\nfunction step2_safeTool(tool: ToolDescriptor): PipelineResult | null {\n  if (tool.safety === \"Safe\") {\n    return { allowed: true, reason: \"安全工具 — 始终允许\", step: 2, automatic: true };\n  }\n  return null;\n}\n\nfunction step3_dangerousTool(\n  tool: ToolDescriptor,\n  _inv: ToolInvocation,\n  ctx: PipelineContext,\n): PipelineResult | null {\n  if (tool.safety === \"Dangerous\" && ctx.behavior.autoDenyDangerous) {\n    return { allowed: false, reason: \"危险工具 — 已自动拒绝\", step: 3, automatic: true };\n  }\n  return null;\n}\n\nfunction step4_ruleDeny(\n  _tool: ToolDescriptor,\n  invocation: ToolInvocation,\n  ctx: PipelineContext,\n): PipelineResult | null {\n  if (ctx.ruleEngine.isDenied(invocation.toolName)) {\n    return { allowed: false, reason: \"被权限规则拒绝\", step: 4, automatic: true };\n  }\n  return null;\n}\n\nfunction step5_ruleAllow(\n  _tool: ToolDescriptor,\n  invocation: ToolInvocation,\n  ctx: PipelineContext,\n): PipelineResult | null {\n  if (ctx.ruleEngine.isAllowed(invocation.toolName)) {\n    return { allowed: true, reason: \"被权限规则允许\", step: 5, automatic: true };\n  }\n  return null;\n}\n\nfunction step6_planModeDeniesWrites(\n  tool: ToolDescriptor,\n  _inv: ToolInvocation,\n  ctx: PipelineContext,\n): PipelineResult | null {\n  if (ctx.mode === \"plan\" && tool.kind !== \"ReadOnly\") {\n    return {\n      allowed: false,\n      reason: `写入工具 \"${tool.name}\" 在计划模式下被拒绝`,\n      step: 6,\n      automatic: true,\n    };\n  }\n  return null;\n}\n\nfunction step7_circuitBreaker(\n  _tool: ToolDescriptor,\n  _inv: ToolInvocation,\n  ctx: PipelineContext,\n): PipelineResult | null {\n  if (ctx.denialTracker.isTripped()) {\n    return {\n      allowed: false,\n      reason: \"熔断器已触发 — 自动拒绝\",\n      step: 7,\n      automatic: true,\n    };\n  }\n  return null;\n}\n\nfunction step8_yolo(\n  _tool: ToolDescriptor,\n  _inv: ToolInvocation,\n  ctx: PipelineContext,\n): PipelineResult | null {\n  if (ctx.mode === \"yolo\") {\n    return { allowed: true, reason: \"YOLO 模式 — 已自动批准\", step: 8, automatic: true };\n  }\n  return null;\n}\n\nfunction step9_dontAsk(\n  _tool: ToolDescriptor,\n  _inv: ToolInvocation,\n  ctx: PipelineContext,\n): PipelineResult | null {\n  if (ctx.mode === \"dontAsk\") {\n    return { allowed: false, reason: \"免问模式 — 已自动拒绝\", step: 9, automatic: true };\n  }\n  return null;\n}\n\nfunction step10_headless(\n  _tool: ToolDescriptor,\n  _inv: ToolInvocation,\n  ctx: PipelineContext,\n): PipelineResult | null {\n  if (ctx.mode === \"headless\") {\n    return {\n      allowed: false,\n      reason: \"无头模式 — 无交互式提示\",\n      step: 10,\n      automatic: true,\n    };\n  }\n  return null;\n}\n\nasync function step11_autoClassify(\n  _tool: ToolDescriptor,\n  invocation: ToolInvocation,\n  ctx: PipelineContext,\n): Promise<PipelineResult | null> {\n  if (ctx.mode !== \"auto\" || !ctx.classify) return null;\n  try {\n    const allowed = await ctx.classify(invocation);\n    return {\n      allowed,\n      reason: allowed ? \"自动分类为安全\" : \"自动分类为不安全\",\n      step: 11,\n      automatic: true,\n    };\n  } catch {\n    return null; // Classifier failed — fall through\n  }\n}\n\nasync function step12_defaultAskUser(\n  _tool: ToolDescriptor,\n  invocation: ToolInvocation,\n  ctx: PipelineContext,\n): Promise<PipelineResult | null> {\n  if (ctx.mode !== \"default\") return null;\n  if (!ctx.askUser) {\n    return {\n      allowed: false,\n      reason: \"默认模式 — 无用户提示可用\",\n      step: 12,\n      automatic: true,\n    };\n  }\n  try {\n    const allowed = await ctx.askUser(invocation);\n    return {\n      allowed,\n      reason: allowed ? \"用户已批准\" : \"用户已拒绝\",\n      step: 13,\n      automatic: false,\n    };\n  } catch {\n    return { allowed: false, reason: \"用户提示失败\", step: 13, automatic: false };\n  }\n}\n\n/** 兜底步骤 — 始终返回结果。 */\nfunction step14_defaultDeny(): PipelineResult {\n  return { allowed: false, reason: \"默认拒绝 — 无规则匹配\", step: 14, automatic: true };\n}\n\n// ── Ordered pipeline ──────────────────────────────────\n\nconst PIPELINE: StepFn[] = [\n  step1_unknownTool,\n  step2_safeTool,\n  step3_dangerousTool,\n  step4_ruleDeny,\n  step5_ruleAllow,\n  step6_planModeDeniesWrites,\n  step7_circuitBreaker,\n  step8_yolo,\n  step9_dontAsk,\n  step10_headless,\n  step11_autoClassify,\n  step12_defaultAskUser,\n  step14_defaultDeny,\n];\n\n// ── Public API ───────────────────────────────────────\n\n/**\n * Run a tool invocation through the 14‑step permission pipeline.\n *\n * Each step is an independent function. The pipeline short‑circuits\n * on the first non‑null result.\n */\nexport async function runPipeline(\n  tool: ToolDescriptor,\n  invocation: ToolInvocation,\n  ctx: PipelineContext,\n): Promise<PipelineResult> {\n  for (const step of PIPELINE) {\n    const result = await step(tool, invocation, ctx);\n    if (result) return result;\n  }\n  // 不可达 — step14 始终返回结果\n  return { allowed: false, reason: \"默认拒绝 — 无规则匹配\", step: 14, automatic: true };\n}\n","/**\n * YOLO classifier — a lightweight LLM‑based permission decider\n * for \"auto\" mode. Uses a ~200‑token prompt and expects a\n * yes/no response within 500ms.\n *\n * Pattern (inspired by FengMing's `classifyPermissionTool` +\n * Claude Code's auto‑mode classifier):\n *   1. Check cache → return immediately if hit\n *   2. Call fast LLM with compact prompt → allow/deny\n *   3. On timeout or error → fall back to heuristic\n *\n * The classifier is stateless — each call is independent.\n * It should NOT be used for Dangerous tools (those are\n * auto‑denied regardless of classifier output).\n */\n\nimport type { ToolInvocation, ToolDescriptor } from \"@lynx/tools\";\n\n// ── Types ────────────────────────────────────────────\n\nexport interface YoloClassifier {\n  /**\n   * Ask the classifier whether a tool invocation should be allowed.\n   *\n   * Returns true if the invocation looks safe, false otherwise.\n   * Never throws — on error, falls back to a conservative heuristic.\n   */\n  classify(tool: ToolDescriptor, invocation: ToolInvocation): Promise<boolean>;\n}\n\n/** LLM completion function signature — injected via DI. */\nexport type ClassifyLlmCall = (prompt: string) => Promise<string>;\n\n/** Options for creating the classifier. */\nexport interface CreateYoloClassifierOptions {\n  /**\n   * Optional LLM completion function.\n   *\n   * When provided, the classifier sends a ~200‑token prompt to a\n   * fast model (e.g. Haiku / Flash) and parses \"allow\" / \"deny\".\n   * When omitted, falls back to the heuristic classifier only.\n   */\n  llmCall?: ClassifyLlmCall;\n\n  /** Timeout in milliseconds for the LLM call. Default 500. */\n  timeoutMs?: number;\n}\n\n// ── Constants ────────────────────────────────────────\n\nconst DEFAULT_TIMEOUT_MS = 500;\n\n/** Compact prompt template (~200 tokens). */\nconst CLASSIFIER_PROMPT = `You are a security classifier. Given a tool invocation, respond with ONLY \"allow\" or \"deny\".\n\nRules:\n- Read-only operations (read_file, ls, grep, search) → allow\n- File writes within the workspace → allow\n- Network requests → allow\n- Shell commands that modify system state → deny\n- Commands that delete files outside the workspace → deny\n- Commands that install packages → deny\n- Escalation commands (sudo, su) → deny\n\nTool: {toolName}\nDescription: {toolDescription}\nInput: {toolInput}\n\nResponse:`;\n\n// ── Heuristic fallback ───────────────────────────────\n\n/** Patterns that always result in deny. */\nconst DENY_PATTERNS = [\n  \"sudo\",\n  \"rm -rf /\",\n  \"chmod 777\",\n  \"DROP TABLE\",\n  \"DELETE FROM\",\n  \"shutdown\",\n  \"reboot\",\n  \"format\",\n  \"mkfs\",\n  \"curl | bash\",\n  \"wget -O - |\",\n  \"> /dev/sda\",\n  \"dd if=\",\n] as const;\n\n/** Patterns that indicate safe dev workflows. */\nconst ALLOW_PATTERNS = [\n  \"npm test\",\n  \"npm run\",\n  \"pnpm test\",\n  \"pnpm build\",\n  \"git \",\n  \"node \",\n  \"tsc\",\n  \"vitest\",\n  \"eslint\",\n  \"prettier\",\n] as const;\n\nfunction heuristicClassify(tool: ToolDescriptor, invocation: ToolInvocation): boolean {\n  // ReadOnly tools are always safe\n  if (tool.kind === \"ReadOnly\") return true;\n\n  // Check for dangerous patterns in the payload\n  const payload = JSON.stringify(invocation.payload).toLowerCase();\n\n  for (const pattern of DENY_PATTERNS) {\n    if (payload.includes(pattern.toLowerCase())) {\n      return false;\n    }\n  }\n\n  for (const pattern of ALLOW_PATTERNS) {\n    if (payload.includes(pattern.toLowerCase())) {\n      return true;\n    }\n  }\n\n  // Conservative default\n  return tool.safety === \"Safe\";\n}\n\n// ── Cache ────────────────────────────────────────────\n\n/** Cache key derived from tool identity + input hash. */\nfunction cacheKey(tool: ToolDescriptor, invocation: ToolInvocation): string {\n  const inputHash = JSON.stringify(invocation.payload);\n  return `${tool.name}:${tool.safety}:${inputHash}`;\n}\n\n// ── Public API ───────────────────────────────────────\n\n/**\n * Create a YOLO classifier.\n *\n * When `llmCall` is provided, prompts a fast LLM to decide each\n * classification. A cache avoids redundant calls for identical\n * (tool, safety, args) combinations within the same session.\n *\n * Falls back to a heuristic classifier on timeout or error.\n */\nexport function createYoloClassifier(opts: CreateYoloClassifierOptions = {}): YoloClassifier {\n  const { llmCall, timeoutMs = DEFAULT_TIMEOUT_MS } = opts;\n\n  // Session‑scoped cache\n  const cache = new Map<string, boolean>();\n\n  const classifier: YoloClassifier = {\n    async classify(tool: ToolDescriptor, invocation: ToolInvocation): Promise<boolean> {\n      // 1. Check cache\n      const key = cacheKey(tool, invocation);\n      const cached = cache.get(key);\n      if (cached !== undefined) return cached;\n\n      // 2. Try LLM classifier\n      if (llmCall) {\n        try {\n          const prompt = CLASSIFIER_PROMPT.replace(\"{toolName}\", tool.name)\n            .replace(\"{toolDescription}\", tool.description)\n            .replace(\"{toolInput}\", JSON.stringify(invocation.payload));\n\n          const raw = await Promise.race([\n            llmCall(prompt),\n            new Promise<string>((_, reject) =>\n              setTimeout(() => reject(new Error(\"Classifier timeout\")), timeoutMs),\n            ),\n          ]);\n\n          const decision = raw.trim().toLowerCase().startsWith(\"allow\");\n          cache.set(key, decision);\n          return decision;\n        } catch {\n          // Timeout or LLM error → fall through to heuristic\n        }\n      }\n\n      // 3. Heuristic fallback\n      const decision = heuristicClassify(tool, invocation);\n      cache.set(key, decision);\n      return decision;\n    },\n  };\n\n  return classifier;\n}\n","/**\n * Denial tracker with circuit breaker.\n *\n * When a user denies 3 consecutive tool requests within the same\n * turn, the circuit breaker trips and auto‑denies all subsequent\n * requests for the rest of that turn.\n *\n * The breaker resets at the start of each new turn.\n */\n\n// ── Types ────────────────────────────────────────────\n\nexport interface DenialTracker {\n  /** Record a denial from the user. */\n  recordDenial(): void;\n  /** Record an approval (resets the consecutive count). */\n  recordApproval(): void;\n  /** Check whether the circuit breaker has tripped. */\n  isTripped(): boolean;\n  /** Reset the tracker for a new turn. */\n  resetTurn(): void;\n  /** Current consecutive denial count. */\n  readonly consecutiveDenials: number;\n}\n\n// ── Constants ────────────────────────────────────────\n\n/** Number of consecutive denials before the breaker trips. */\nconst DENIAL_THRESHOLD = 3;\n\n// ── Public API ───────────────────────────────────────\n\n/**\n * Create a denial tracker.\n *\n * One instance per session — it tracks user behavior across\n * multiple tool invocations within a single turn.\n */\nexport function createDenialTracker(): DenialTracker {\n  let consecutive = 0;\n\n  const tracker: DenialTracker = {\n    get consecutiveDenials() {\n      return consecutive;\n    },\n\n    recordDenial(): void {\n      consecutive++;\n    },\n\n    recordApproval(): void {\n      consecutive = 0;\n    },\n\n    isTripped(): boolean {\n      return consecutive >= DENIAL_THRESHOLD;\n    },\n\n    resetTurn(): void {\n      consecutive = 0;\n    },\n  };\n\n  return tracker;\n}\n","/**\n * Permission rule source loading — reads rules from each of the\n * 7 priority layers and feeds them into the RuleEngine.\n *\n * Sources (lowest to highest priority):\n *   0. blocklist — hardcoded (loaded by RuleEngine at construction)\n *   1. builtin   — default safety rules\n *   2. plugin    — plugin‑declared rules\n *   3. config    — ~/.lynx/config.json permissions.allow/deny\n *   4. workspace — .lynx/permissions.json in the session workspace\n *   5. project   — directive files (CLAUDE.md)\n *   6. user      — ~/.lynx/settings.json\n *   7. session   — runtime overrides (set via /permissions command)\n */\n\nimport { existsSync, readFileSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport { homedir } from \"node:os\";\nimport type { RuleEngine, PermissionRule, RuleSource } from \"./rules.js\";\n\n// ── Types ────────────────────────────────────────────\n\nexport interface RulesLoader {\n  /** Load all rules from a source into the engine. */\n  load(source: RuleSource, rules: PermissionRule[]): void;\n  /** Reload rules from a source (clears previous entries). */\n  reload(source: RuleSource, rules: PermissionRule[]): void;\n}\n\n// ── Built‑in defaults ────────────────────────────────\n\nconst BUILTIN_RULES: PermissionRule[] = [\n  { glob: \"read_file\", allow: true, reason: \"Read‑only file access\" },\n  { glob: \"write_file\", allow: true, reason: \"Workspace‑scoped file write\" },\n  { glob: \"glob\", allow: true, reason: \"File pattern matching\" },\n  { glob: \"grep\", allow: true, reason: \"Content search\" },\n  { glob: \"ls\", allow: true, reason: \"Directory listing\" },\n  { glob: \"bash\", allow: true, reason: \"Shell access (permission‑gated)\" },\n  { glob: \"rm\", deny: true, reason: \"File deletion requires confirmation\" },\n];\n\n// ── Permission string parser ────────────────────────\n\n/** 常见工具名映射（config.json 友好名 → 实际工具名）。 */\nconst TOOL_NAME_MAP: Record<string, string> = {\n  Bash: \"bash\",\n  Read: \"read_file\",\n  Write: \"write_file\",\n  Edit: \"edit\",\n  Glob: \"glob\",\n  Grep: \"grep\",\n  Web: \"web_fetch\",\n  WebSearch: \"web_search\",\n  Task: \"task\",\n  Ask: \"ask_user_question\",\n};\n\n/**\n * 解析 config.json 权限条目。\n *\n * 格式：\n *   \"ToolName\"           → { glob: \"tool_name\", allow: true/false }\n *   \"ToolName(args)\"     → { glob: \"tool_name\", args: \"args\", allow: true/false }\n *\n * 友好名（如 Bash、Read）会自动映射为实际工具名。\n */\nfunction parsePermissionEntry(raw: string, allow: boolean): PermissionRule | null {\n  const match = raw.match(/^(\\w+)(?:\\((.+)\\))?$/);\n  if (!match) return null;\n\n  const friendlyName = match[1]!;\n  const toolName = TOOL_NAME_MAP[friendlyName] ?? friendlyName.toLowerCase();\n  const args = match[2]?.trim();\n\n  const rule: PermissionRule = { glob: toolName, allow };\n  if (args) rule.args = args;\n  return rule;\n}\n\n/**\n * 从 config.json 的 permissions.allow/deny 解析权限规则。\n * 返回解析出的规则数组；解析失败静默跳过。\n */\nfunction parseConfigPermissions(raw: unknown): PermissionRule[] {\n  if (!raw || typeof raw !== \"object\") return [];\n\n  const perms = raw as Record<string, unknown>;\n  const allowEntries = Array.isArray(perms.allow) ? (perms.allow as string[]) : [];\n  const denyEntries = Array.isArray(perms.deny) ? (perms.deny as string[]) : [];\n\n  const rules: PermissionRule[] = [];\n  for (const entry of allowEntries) {\n    const rule = parsePermissionEntry(entry, true);\n    if (rule) rules.push(rule);\n  }\n  for (const entry of denyEntries) {\n    const rule = parsePermissionEntry(entry, false);\n    if (rule) rules.push(rule);\n  }\n  return rules;\n}\n\n// ── Public API ───────────────────────────────────────\n\n/**\n * Create a rules loader that populates a RuleEngine from\n * configuration sources.\n *\n * Call load() for each source at startup, then reload() if\n * the user edits their settings mid‑session.\n */\nexport function createRulesLoader(engine: RuleEngine): RulesLoader {\n  const loader: RulesLoader = {\n    load(source: RuleSource, rules: PermissionRule[]): void {\n      for (const rule of rules) {\n        engine.add(source, rule);\n      }\n    },\n\n    reload(source: RuleSource, rules: PermissionRule[]): void {\n      engine.clearSource(source);\n      loader.load(source, rules);\n    },\n  };\n\n  // Load built‑in defaults immediately\n  engine.clearSource(\"builtin\");\n  for (const rule of BUILTIN_RULES) {\n    engine.add(\"builtin\", rule);\n  }\n\n  return loader;\n}\n\n/**\n * Load permission rules from the user's config directory.\n *\n * Reads two files:\n *   - ~/.lynx/settings.json → `permissions.rules` array\n *   - <workspace>/.lynx/permissions.json → top‑level rules array\n *\n * Parsing errors are silently ignored (don't block startup).\n *\n * @returns Number of rules loaded, or 0 if no files found.\n */\nexport function loadFromDisk(loader: RulesLoader, workspace?: string): number {\n  let loaded = 0;\n\n  // 1. User‑level settings (~/.lynx/settings.json)\n  const userSettingsPath = join(homedir(), \".lynx\", \"settings.json\");\n  try {\n    if (existsSync(userSettingsPath)) {\n      const raw = readFileSync(userSettingsPath, \"utf-8\");\n      const settings = JSON.parse(raw) as {\n        permissions?: { rules?: PermissionRule[] };\n      };\n      const rules = settings?.permissions?.rules;\n      if (Array.isArray(rules) && rules.length > 0) {\n        loader.reload(\"user\", rules);\n        loaded += rules.length;\n      }\n    }\n  } catch {\n    // Corrupt file or permission denied — don't block startup\n  }\n\n  // 2. Config‑level permissions (~/.lynx/config.json → permissions.allow/deny)\n  const configPath = join(homedir(), \".lynx\", \"config.json\");\n  try {\n    if (existsSync(configPath)) {\n      const raw = readFileSync(configPath, \"utf-8\");\n      const cfg = JSON.parse(raw) as { permissions?: { allow?: string[]; deny?: string[] } };\n      const configRules = parseConfigPermissions(cfg.permissions ?? {});\n      if (configRules.length > 0) {\n        loader.reload(\"config\", configRules);\n        loaded += configRules.length;\n      }\n    }\n  } catch {\n    // Corrupt config — don't block startup\n  }\n\n  // 3. Project‑level settings (<workspace>/.lynx/permissions.json)\n  if (workspace) {\n    const projectSettingsPath = join(workspace, \".lynx\", \"permissions.json\");\n    try {\n      if (existsSync(projectSettingsPath)) {\n        const raw = readFileSync(projectSettingsPath, \"utf-8\");\n        const settings = JSON.parse(raw) as { rules?: PermissionRule[] };\n        const rules = settings?.rules;\n        if (Array.isArray(rules) && rules.length > 0) {\n          loader.reload(\"workspace\", rules);\n          loaded += rules.length;\n        }\n      }\n    } catch {\n      // Corrupt file or permission denied — don't block startup\n    }\n  }\n\n  return loaded;\n}\n","/**\n * MCP 频道权限 — 按频道限制可用的 MCP 服务器和工具。\n *\n * 每个频道可配置允许的服务器列表和工具列表，\n * 以及是否需要用户批准。未匹配频道时回退到默认策略。\n */\n\n// ── Types ────────────────────────────────────────────\n\n/** MCP 频道权限策略 — 每条规则绑定一个频道。 */\nexport interface McpChannelPolicy {\n  /** 频道名称（\"wechat\"、\"feishu\"、\"web\" 等）。 */\n  channelName: string;\n  /** 允许的 MCP 服务器名称列表。 */\n  allowedServers: string[];\n  /** 允许的工具名列表（原始名称，非命名空间格式）。 */\n  allowedTools: string[];\n  /** 是否需要用户批准。 */\n  requireApproval: boolean;\n}\n\n/** 权限检查结果。 */\nexport interface McpCheckResult {\n  allowed: boolean;\n  reason: string;\n}\n\n// ── Constants ──────────────────────────────────────────\n\n/**\n * 默认策略 — 无限制（所有频道可访问所有 MCP 工具）。\n *\n * 适用于内部工具和未明确配置频道的场景。\n */\nexport const DEFAULT_MCP_CHANNEL_POLICY: McpChannelPolicy[] = [];\n\n// ── Public API ───────────────────────────────────────\n\n/**\n * 创建 MCP 频道权限检查器。\n *\n * 返回一个函数：给定频道名和工具名，返回是否允许及原因。\n * 检查逻辑：\n *   1. 如果 channel 为 undefined，使用默认策略（全部允许）\n *   2. 查找匹配 channelName 的策略\n *   3. 未找到匹配策略 → 回退到第一个匹配的频道或拒绝\n *   4. 找到匹配策略 → 检查 server 是否在 allowedServers 中\n *   5. 检查 toolName 是否在 allowedTools 中（或 allowedTools 包含 \"*\"）\n *   6. 全部通过 → 返回 allowed: true，附带是否需要批准的信息\n *\n * @param policies - 频道权限策略列表\n * @returns 权限检查函数\n */\nexport function createMcpChannelChecker(\n  policies: McpChannelPolicy[],\n): (channel: string | undefined, toolName: string, serverName?: string) => McpCheckResult {\n  return function checkChannel(\n    channel: string | undefined,\n    toolName: string,\n    serverName?: string,\n  ): McpCheckResult {\n    // 未指定频道 → 默认允许\n    if (!channel) {\n      return { allowed: true, reason: \"无频道限制（channel 未指定）\" };\n    }\n\n    // 查找匹配策略\n    const policy = policies.find((p) => p.channelName === channel);\n\n    if (!policy) {\n      // 无匹配策略 — 默认拒绝（安全优先）\n      return {\n        allowed: false,\n        reason: `频道 \"${channel}\" 未配置 MCP 权限策略`,\n      };\n    }\n\n    // 检查服务器\n    if (serverName && policy.allowedServers.length > 0) {\n      const serverAllowed = policy.allowedServers.some((s) => s === serverName || s === \"*\");\n      if (!serverAllowed) {\n        return {\n          allowed: false,\n          reason: `MCP 服务器 \"${serverName}\" 不在频道 \"${channel}\" 的允许列表中`,\n        };\n      }\n    }\n\n    // 检查工具\n    const toolAllowed = policy.allowedTools.some((t) => t === toolName || t === \"*\");\n    if (!toolAllowed) {\n      return {\n        allowed: false,\n        reason: `工具 \"${toolName}\" 不在频道 \"${channel}\" 的允许列表中`,\n      };\n    }\n\n    const approvalNote = policy.requireApproval ? \"（需要用户批准）\" : \"\";\n    return {\n      allowed: true,\n      reason: `频道 \"${channel}\" 允许使用 \"${toolName}\"${approvalNote}`,\n    };\n  };\n}\n"],"mappings":";;;;AAiCA,MAAM,aAAmD;CACvD,SAAS;EACP,iBAAiB;EACjB,0BAA0B;EAC1B,mBAAmB;EACnB,eAAe;EACf,aAAa;EACb,aAAa;CACf;CACA,MAAM;EACJ,iBAAiB;EACjB,0BAA0B;EAC1B,mBAAmB;EACnB,eAAe;EACf,aAAa;EACb,aAAa;CACf;CACA,MAAM;EACJ,iBAAiB;EACjB,0BAA0B;EAC1B,mBAAmB;EACnB,eAAe;EACf,aAAa;EACb,aAAa;CACf;CACA,SAAS;EACP,iBAAiB;EACjB,0BAA0B;EAC1B,mBAAmB;EACnB,eAAe;EACf,aAAa;EACb,aAAa;CACf;CACA,UAAU;EACR,iBAAiB;EACjB,0BAA0B;EAC1B,mBAAmB;EACnB,eAAe;EACf,aAAa;EACb,aAAa;CACf;CACA,MAAM;EACJ,iBAAiB;EACjB,0BAA0B;EAC1B,mBAAmB;EACnB,eAAe;EACf,aAAa;EACb,aAAa;CACf;AACF;;AAKA,SAAgB,gBAAgB,MAAoC;CAClE,OAAO,WAAW;AACpB;;AAGA,SAAgB,YAA8B;CAC5C,OAAO,OAAO,KAAK,UAAU;AAC/B;;AAGA,SAAgB,YAAY,OAAwC;CAClE,OAAO,SAAS;AAClB;;;;AChDA,MAAM,kBAA8C;CAClD,WAAW;CACX,SAAS;CACT,QAAQ;CACR,QAAQ;CACR,WAAW;CACX,SAAS;CACT,MAAM;CACN,SAAS;AACX;AAIA,SAAS,UAAU,SAAiB,OAAwB;CAE1D,MAAM,QAAQ,QACX,QAAQ,qBAAqB,MAAM,CAAC,CACpC,QAAQ,OAAO,IAAI,CAAC,CACpB,QAAQ,OAAO,GAAG;CACrB,OAAO,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC,CAAC,KAAK,KAAK;AAC5C;;;;;;;AA2BA,SAAgB,mBAA+B;CAC7C,MAAM,gCAAgB,IAAI,IAAkC;CAU5D,KAAK,MAAM,QAAQ;EANjB;GAAE,MAAM;GAAQ,MAAM;GAAM,QAAQ;EAAoC;EACxE;GAAE,MAAM;GAAM,MAAM;GAAM,QAAQ;EAAoC;EACtE;GAAE,MAAM;GAAQ,MAAM;GAAM,QAAQ;EAAoC;CAI/C,GAAG;EAC5B,MAAM,WAAW,cAAc,IAAI,WAAW,KAAK,CAAC;EACpD,SAAS,KAAK,IAAI;EAClB,cAAc,IAAI,aAAa,QAAQ;CACzC;CA8CA,OAAO;EA3CL,IAAI,QAAoB,MAA4B;GAClD,MAAM,WAAW,cAAc,IAAI,MAAM,KAAK,CAAC;GAC/C,SAAS,KAAK,IAAI;GAClB,cAAc,IAAI,QAAQ,QAAQ;EACpC;EAEA,YAAY,QAA0B;GACpC,cAAc,OAAO,MAAM;EAC7B;EAEA,MAAM,UAA+B;GACnC,MAAM,UAAuB,CAAC;GAE9B,KAAK,MAAM,CAAC,QAAQ,UAAU,eAC5B,KAAK,MAAM,QAAQ,OACjB,IAAI,UAAU,KAAK,MAAM,QAAQ,GAC/B,QAAQ,KAAK;IAAE;IAAM;GAAO,CAAC;GAMnC,QAAQ,MAAM,GAAG,MAAM,gBAAgB,EAAE,UAAU,gBAAgB,EAAE,OAAO;GAE5E,OAAO;EACT;EAEA,SAAS,UAA2B;GAClC,MAAM,UAAU,KAAK,MAAM,QAAQ;GAEnC,IAAI,QAAQ,WAAW,GAAG,OAAO;GAEjC,OADY,QAAQ,EACV,CAAC,KAAK,SAAS;EAC3B;EAEA,UAAU,UAA2B;GACnC,MAAM,UAAU,KAAK,MAAM,QAAQ;GACnC,IAAI,QAAQ,WAAW,GAAG,OAAO;GAEjC,OADY,QAAQ,EACV,CAAC,KAAK,UAAU;EAC5B;CAGU;AACd;;;ACrGA,SAAS,kBAAkB,MAA6C;CACtE,IAAI,CAAC,MACH,OAAO;EAAE,SAAS;EAAO,QAAQ;EAAQ,MAAM;EAAG,WAAW;CAAK;CAEpE,OAAO;AACT;AAEA,SAAS,eAAe,MAA6C;CACnE,IAAI,KAAK,WAAW,QAClB,OAAO;EAAE,SAAS;EAAM,QAAQ;EAAe,MAAM;EAAG,WAAW;CAAK;CAE1E,OAAO;AACT;AAEA,SAAS,oBACP,MACA,MACA,KACuB;CACvB,IAAI,KAAK,WAAW,eAAe,IAAI,SAAS,mBAC9C,OAAO;EAAE,SAAS;EAAO,QAAQ;EAAgB,MAAM;EAAG,WAAW;CAAK;CAE5E,OAAO;AACT;AAEA,SAAS,eACP,OACA,YACA,KACuB;CACvB,IAAI,IAAI,WAAW,SAAS,WAAW,QAAQ,GAC7C,OAAO;EAAE,SAAS;EAAO,QAAQ;EAAW,MAAM;EAAG,WAAW;CAAK;CAEvE,OAAO;AACT;AAEA,SAAS,gBACP,OACA,YACA,KACuB;CACvB,IAAI,IAAI,WAAW,UAAU,WAAW,QAAQ,GAC9C,OAAO;EAAE,SAAS;EAAM,QAAQ;EAAW,MAAM;EAAG,WAAW;CAAK;CAEtE,OAAO;AACT;AAEA,SAAS,2BACP,MACA,MACA,KACuB;CACvB,IAAI,IAAI,SAAS,UAAU,KAAK,SAAS,YACvC,OAAO;EACL,SAAS;EACT,QAAQ,SAAS,KAAK,KAAK;EAC3B,MAAM;EACN,WAAW;CACb;CAEF,OAAO;AACT;AAEA,SAAS,qBACP,OACA,MACA,KACuB;CACvB,IAAI,IAAI,cAAc,UAAU,GAC9B,OAAO;EACL,SAAS;EACT,QAAQ;EACR,MAAM;EACN,WAAW;CACb;CAEF,OAAO;AACT;AAEA,SAAS,WACP,OACA,MACA,KACuB;CACvB,IAAI,IAAI,SAAS,QACf,OAAO;EAAE,SAAS;EAAM,QAAQ;EAAmB,MAAM;EAAG,WAAW;CAAK;CAE9E,OAAO;AACT;AAEA,SAAS,cACP,OACA,MACA,KACuB;CACvB,IAAI,IAAI,SAAS,WACf,OAAO;EAAE,SAAS;EAAO,QAAQ;EAAgB,MAAM;EAAG,WAAW;CAAK;CAE5E,OAAO;AACT;AAEA,SAAS,gBACP,OACA,MACA,KACuB;CACvB,IAAI,IAAI,SAAS,YACf,OAAO;EACL,SAAS;EACT,QAAQ;EACR,MAAM;EACN,WAAW;CACb;CAEF,OAAO;AACT;AAEA,eAAe,oBACb,OACA,YACA,KACgC;CAChC,IAAI,IAAI,SAAS,UAAU,CAAC,IAAI,UAAU,OAAO;CACjD,IAAI;EACF,MAAM,UAAU,MAAM,IAAI,SAAS,UAAU;EAC7C,OAAO;GACL;GACA,QAAQ,UAAU,YAAY;GAC9B,MAAM;GACN,WAAW;EACb;CACF,QAAQ;EACN,OAAO;CACT;AACF;AAEA,eAAe,sBACb,OACA,YACA,KACgC;CAChC,IAAI,IAAI,SAAS,WAAW,OAAO;CACnC,IAAI,CAAC,IAAI,SACP,OAAO;EACL,SAAS;EACT,QAAQ;EACR,MAAM;EACN,WAAW;CACb;CAEF,IAAI;EACF,MAAM,UAAU,MAAM,IAAI,QAAQ,UAAU;EAC5C,OAAO;GACL;GACA,QAAQ,UAAU,UAAU;GAC5B,MAAM;GACN,WAAW;EACb;CACF,QAAQ;EACN,OAAO;GAAE,SAAS;GAAO,QAAQ;GAAU,MAAM;GAAI,WAAW;EAAM;CACxE;AACF;;AAGA,SAAS,qBAAqC;CAC5C,OAAO;EAAE,SAAS;EAAO,QAAQ;EAAgB,MAAM;EAAI,WAAW;CAAK;AAC7E;AAIA,MAAM,WAAqB;CACzB;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AACF;;;;;;;AAUA,eAAsB,YACpB,MACA,YACA,KACyB;CACzB,KAAK,MAAM,QAAQ,UAAU;EAC3B,MAAM,SAAS,MAAM,KAAK,MAAM,YAAY,GAAG;EAC/C,IAAI,QAAQ,OAAO;CACrB;CAEA,OAAO;EAAE,SAAS;EAAO,QAAQ;EAAgB,MAAM;EAAI,WAAW;CAAK;AAC7E;;;ACtNA,MAAM,qBAAqB;;AAG3B,MAAM,oBAAoB;;;;;;;;;;;;;;;;;AAoB1B,MAAM,gBAAgB;CACpB;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AACF;;AAGA,MAAM,iBAAiB;CACrB;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;AACF;AAEA,SAAS,kBAAkB,MAAsB,YAAqC;CAEpF,IAAI,KAAK,SAAS,YAAY,OAAO;CAGrC,MAAM,UAAU,KAAK,UAAU,WAAW,OAAO,CAAC,CAAC,YAAY;CAE/D,KAAK,MAAM,WAAW,eACpB,IAAI,QAAQ,SAAS,QAAQ,YAAY,CAAC,GACxC,OAAO;CAIX,KAAK,MAAM,WAAW,gBACpB,IAAI,QAAQ,SAAS,QAAQ,YAAY,CAAC,GACxC,OAAO;CAKX,OAAO,KAAK,WAAW;AACzB;;AAKA,SAAS,SAAS,MAAsB,YAAoC;CAC1E,MAAM,YAAY,KAAK,UAAU,WAAW,OAAO;CACnD,OAAO,GAAG,KAAK,KAAK,GAAG,KAAK,OAAO,GAAG;AACxC;;;;;;;;;;AAaA,SAAgB,qBAAqB,OAAoC,CAAC,GAAmB;CAC3F,MAAM,EAAE,SAAS,YAAY,uBAAuB;CAGpD,MAAM,wBAAQ,IAAI,IAAqB;CAsCvC,OAAO,EAnCL,MAAM,SAAS,MAAsB,YAA8C;EAEjF,MAAM,MAAM,SAAS,MAAM,UAAU;EACrC,MAAM,SAAS,MAAM,IAAI,GAAG;EAC5B,IAAI,WAAW,KAAA,GAAW,OAAO;EAGjC,IAAI,SACF,IAAI;GACF,MAAM,SAAS,kBAAkB,QAAQ,cAAc,KAAK,IAAI,CAAC,CAC9D,QAAQ,qBAAqB,KAAK,WAAW,CAAC,CAC9C,QAAQ,eAAe,KAAK,UAAU,WAAW,OAAO,CAAC;GAS5D,MAAM,YAAW,MAPC,QAAQ,KAAK,CAC7B,QAAQ,MAAM,GACd,IAAI,SAAiB,GAAG,WACtB,iBAAiB,uBAAO,IAAI,MAAM,oBAAoB,CAAC,GAAG,SAAS,CACrE,CACF,CAAC,EAAA,CAEoB,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,WAAW,OAAO;GAC5D,MAAM,IAAI,KAAK,QAAQ;GACvB,OAAO;EACT,QAAQ,CAER;EAIF,MAAM,WAAW,kBAAkB,MAAM,UAAU;EACnD,MAAM,IAAI,KAAK,QAAQ;EACvB,OAAO;CACT,EAGc;AAClB;;;;AChKA,MAAM,mBAAmB;;;;;;;AAUzB,SAAgB,sBAAqC;CACnD,IAAI,cAAc;CAwBlB,OAAO;EArBL,IAAI,qBAAqB;GACvB,OAAO;EACT;EAEA,eAAqB;GACnB;EACF;EAEA,iBAAuB;GACrB,cAAc;EAChB;EAEA,YAAqB;GACnB,OAAO,eAAe;EACxB;EAEA,YAAkB;GAChB,cAAc;EAChB;CAGW;AACf;;;;;;;;;;;;;;;;;ACjCA,MAAM,gBAAkC;CACtC;EAAE,MAAM;EAAa,OAAO;EAAM,QAAQ;CAAwB;CAClE;EAAE,MAAM;EAAc,OAAO;EAAM,QAAQ;CAA8B;CACzE;EAAE,MAAM;EAAQ,OAAO;EAAM,QAAQ;CAAwB;CAC7D;EAAE,MAAM;EAAQ,OAAO;EAAM,QAAQ;CAAiB;CACtD;EAAE,MAAM;EAAM,OAAO;EAAM,QAAQ;CAAoB;CACvD;EAAE,MAAM;EAAQ,OAAO;EAAM,QAAQ;CAAkC;CACvE;EAAE,MAAM;EAAM,MAAM;EAAM,QAAQ;CAAsC;AAC1E;;AAKA,MAAM,gBAAwC;CAC5C,MAAM;CACN,MAAM;CACN,OAAO;CACP,MAAM;CACN,MAAM;CACN,MAAM;CACN,KAAK;CACL,WAAW;CACX,MAAM;CACN,KAAK;AACP;;;;;;;;;;AAWA,SAAS,qBAAqB,KAAa,OAAuC;CAChF,MAAM,QAAQ,IAAI,MAAM,sBAAsB;CAC9C,IAAI,CAAC,OAAO,OAAO;CAEnB,MAAM,eAAe,MAAM;CAC3B,MAAM,WAAW,cAAc,iBAAiB,aAAa,YAAY;CACzE,MAAM,OAAO,MAAM,EAAE,EAAE,KAAK;CAE5B,MAAM,OAAuB;EAAE,MAAM;EAAU;CAAM;CACrD,IAAI,MAAM,KAAK,OAAO;CACtB,OAAO;AACT;;;;;AAMA,SAAS,uBAAuB,KAAgC;CAC9D,IAAI,CAAC,OAAO,OAAO,QAAQ,UAAU,OAAO,CAAC;CAE7C,MAAM,QAAQ;CACd,MAAM,eAAe,MAAM,QAAQ,MAAM,KAAK,IAAK,MAAM,QAAqB,CAAC;CAC/E,MAAM,cAAc,MAAM,QAAQ,MAAM,IAAI,IAAK,MAAM,OAAoB,CAAC;CAE5E,MAAM,QAA0B,CAAC;CACjC,KAAK,MAAM,SAAS,cAAc;EAChC,MAAM,OAAO,qBAAqB,OAAO,IAAI;EAC7C,IAAI,MAAM,MAAM,KAAK,IAAI;CAC3B;CACA,KAAK,MAAM,SAAS,aAAa;EAC/B,MAAM,OAAO,qBAAqB,OAAO,KAAK;EAC9C,IAAI,MAAM,MAAM,KAAK,IAAI;CAC3B;CACA,OAAO;AACT;;;;;;;;AAWA,SAAgB,kBAAkB,QAAiC;CACjE,MAAM,SAAsB;EAC1B,KAAK,QAAoB,OAA+B;GACtD,KAAK,MAAM,QAAQ,OACjB,OAAO,IAAI,QAAQ,IAAI;EAE3B;EAEA,OAAO,QAAoB,OAA+B;GACxD,OAAO,YAAY,MAAM;GACzB,OAAO,KAAK,QAAQ,KAAK;EAC3B;CACF;CAGA,OAAO,YAAY,SAAS;CAC5B,KAAK,MAAM,QAAQ,eACjB,OAAO,IAAI,WAAW,IAAI;CAG5B,OAAO;AACT;;;;;;;;;;;;AAaA,SAAgB,aAAa,QAAqB,WAA4B;CAC5E,IAAI,SAAS;CAGb,MAAM,mBAAmB,KAAK,QAAQ,GAAG,SAAS,eAAe;CACjE,IAAI;EACF,IAAI,WAAW,gBAAgB,GAAG;GAChC,MAAM,MAAM,aAAa,kBAAkB,OAAO;GAIlD,MAAM,QAHW,KAAK,MAAM,GAGP,CAAC,EAAE,aAAa;GACrC,IAAI,MAAM,QAAQ,KAAK,KAAK,MAAM,SAAS,GAAG;IAC5C,OAAO,OAAO,QAAQ,KAAK;IAC3B,UAAU,MAAM;GAClB;EACF;CACF,QAAQ,CAER;CAGA,MAAM,aAAa,KAAK,QAAQ,GAAG,SAAS,aAAa;CACzD,IAAI;EACF,IAAI,WAAW,UAAU,GAAG;GAC1B,MAAM,MAAM,aAAa,YAAY,OAAO;GAE5C,MAAM,cAAc,uBADR,KAAK,MAAM,GACsB,CAAC,CAAC,eAAe,CAAC,CAAC;GAChE,IAAI,YAAY,SAAS,GAAG;IAC1B,OAAO,OAAO,UAAU,WAAW;IACnC,UAAU,YAAY;GACxB;EACF;CACF,QAAQ,CAER;CAGA,IAAI,WAAW;EACb,MAAM,sBAAsB,KAAK,WAAW,SAAS,kBAAkB;EACvE,IAAI;GACF,IAAI,WAAW,mBAAmB,GAAG;IACnC,MAAM,MAAM,aAAa,qBAAqB,OAAO;IAErD,MAAM,QADW,KAAK,MAAM,GACP,CAAC,EAAE;IACxB,IAAI,MAAM,QAAQ,KAAK,KAAK,MAAM,SAAS,GAAG;KAC5C,OAAO,OAAO,aAAa,KAAK;KAChC,UAAU,MAAM;IAClB;GACF;EACF,QAAQ,CAER;CACF;CAEA,OAAO;AACT;;;;;;;;ACvKA,MAAa,6BAAiD,CAAC;;;;;;;;;;;;;;;;AAmB/D,SAAgB,wBACd,UACwF;CACxF,OAAO,SAAS,aACd,SACA,UACA,YACgB;EAEhB,IAAI,CAAC,SACH,OAAO;GAAE,SAAS;GAAM,QAAQ;EAAqB;EAIvD,MAAM,SAAS,SAAS,MAAM,MAAM,EAAE,gBAAgB,OAAO;EAE7D,IAAI,CAAC,QAEH,OAAO;GACL,SAAS;GACT,QAAQ,OAAO,QAAQ;EACzB;EAIF,IAAI,cAAc,OAAO,eAAe,SAAS;OAE3C,CADkB,OAAO,eAAe,MAAM,MAAM,MAAM,cAAc,MAAM,GACjE,GACf,OAAO;IACL,SAAS;IACT,QAAQ,YAAY,WAAW,UAAU,QAAQ;GACnD;EAAA;EAMJ,IAAI,CADgB,OAAO,aAAa,MAAM,MAAM,MAAM,YAAY,MAAM,GAC7D,GACb,OAAO;GACL,SAAS;GACT,QAAQ,OAAO,SAAS,UAAU,QAAQ;EAC5C;EAIF,OAAO;GACL,SAAS;GACT,QAAQ,OAAO,QAAQ,UAAU,SAAS,GAHvB,OAAO,kBAAkB,aAAa;EAI3D;CACF;AACF"}

package/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "@24klynx/permissions",
+  "version": "0.1.0",
+  "description": "Permission system — 14-step pipeline, rule engine, YOLO classifier, denial tracker",
+  "type": "module",
+  "main": "./dist/index.mjs",
+  "types": "./dist/index.d.mts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.mjs",
+      "types": "./dist/index.d.mts"
+    }
+  },
+  "dependencies": {
+    "@24klynx/core": "0.1.0",
+    "@24klynx/tools": "0.1.0"
+  },
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsdown --config-loader tsx",
+    "test": "vitest run --passWithNoTests",
+    "typecheck": "tsgo --noEmit"
+  }
+}