@agenshield/daemon 0.6.1 → 0.6.2

package/acl.d.ts

@@ -1,7 +1,7 @@
 /**
  * macOS ACL utilities for filesystem policies.
  *
- * Uses `chmod +a / -a` to grant/revoke group-level ACLs on paths
+ * Uses `chmod +a / -a` to grant/revoke user-level ACLs on paths
  * derived from policy patterns. Failures are logged but never thrown.
  */
 import type { PolicyConfig } from '@agenshield/ipc';
@@ -21,24 +21,27 @@ export declare function stripGlobToBasePath(pattern: string): string;
  */
 export declare function operationsToAclPerms(operations: string[]): string;
 /**
- * Add a group ACL entry to a path.
+ * Add a user ACL entry to a path.
  */
-export declare function addGroupAcl(targetPath: string, groupName: string, permissions: string, log?: Logger): void;
+export declare function addUserAcl(targetPath: string, userName: string, permissions: string, log?: Logger): void;
 /**
- * Remove all ACL entries for a group from a path.
+ * Remove all ACL entries for a user from a path.
  *
- * Reads current ACL entries via `ls -le`, finds entries matching the group,
- * and removes them by index (highest-first so indices stay valid).
+ * Reads current ACL entries via `ls -le`, finds entries matching the user
+ * (both allow and deny), and removes them by index (highest-first so indices
+ * stay valid). This ensures a clean slate before reapplying permissions.
  */
-export declare function removeGroupAcl(targetPath: string, groupName: string, log?: Logger): void;
+export declare function removeUserAcl(targetPath: string, userName: string, log?: Logger): void;
 /**
  * Synchronise filesystem policy ACLs after a config change.
  *
- * Compares old and new policy arrays, and for filesystem-target policies:
- *   - Removed policies → revoke ACLs for each pattern
- *   - Added policies   → apply ACLs for each pattern
- *   - Changed policies → revoke old patterns, apply new ones
+ * For every path in the union of old and new ACL maps:
+ *   1. Remove all existing user ACLs (clean slate)
+ *   2. Reapply permissions if the path is in the new map
+ *
+ * This "wipe then reapply" strategy avoids stale permission accumulation
+ * and the deny+allow conflict where layering ACLs produces wrong results.
  */
-export declare function syncFilesystemPolicyAcls(oldPolicies: PolicyConfig[], newPolicies: PolicyConfig[], groupName: string, logger?: Logger): void;
+export declare function syncFilesystemPolicyAcls(oldPolicies: PolicyConfig[], newPolicies: PolicyConfig[], userName: string, logger?: Logger): void;
 export {};
 //# sourceMappingURL=acl.d.ts.map

package/acl.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"acl.d.ts","sourceRoot":"","sources":["../src/acl.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,UAAU,MAAM;IACd,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;CAC7C;AAoBD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAe3D;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,MAAM,CASjE;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,GAAE,MAAa,GAAG,IAAI,CAahH;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,GAAE,MAAa,GAAG,IAAI,CAoC9F;AAmED;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,YAAY,EAAE,EAC3B,WAAW,EAAE,YAAY,EAAE,EAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,MAAM,GACd,IAAI,CAoBN"}
+{"version":3,"file":"acl.d.ts","sourceRoot":"","sources":["../src/acl.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAEpD,UAAU,MAAM;IACd,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;CAC7C;AAoBD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAe3D;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,MAAM,CASjE;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,GAAE,MAAa,GAAG,IAAI,CAa9G;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,GAAE,MAAa,GAAG,IAAI,CAqC5F;AAmED;;;;;;;;;GASG;AACH,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,YAAY,EAAE,EAC3B,WAAW,EAAE,YAAY,EAAE,EAC3B,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,GACd,IAAI,CAsBN"}

package/index.js

@@ -975,21 +975,21 @@ function operationsToAclPerms(operations) {
   }
   return perms.join(",");
 }
-function addGroupAcl(targetPath, groupName, permissions, log = noop) {
+function addUserAcl(targetPath, userName, permissions, log = noop) {
   try {
     if (!fs4.existsSync(targetPath)) {
       log.warn(`[acl] skipping non-existent path: ${targetPath}`);
       return;
     }
     execSync2(
-      `sudo chmod +a "group:${groupName} allow ${permissions}" "${targetPath}"`,
+      `sudo chmod +a "user:${userName} allow ${permissions}" "${targetPath}"`,
       { stdio: "pipe" }
     );
   } catch (err) {
     log.warn(`[acl] failed to add ACL on ${targetPath}: ${err.message}`);
   }
 }
-function removeGroupAcl(targetPath, groupName, log = noop) {
+function removeUserAcl(targetPath, userName, log = noop) {
   try {
     if (!fs4.existsSync(targetPath)) {
       log.warn(`[acl] skipping non-existent path: ${targetPath}`);
@@ -1001,8 +1001,8 @@ function removeGroupAcl(targetPath, groupName, log = noop) {
     });
     const indices = [];
     for (const line of output.split("\n")) {
-      const match = line.match(/^\s*(\d+):\s+group:(\S+)\s+allow/);
-      if (match && match[2] === groupName) {
+      const match = line.match(/^\s*(\d+):\s+user:(\S+)\s+/);
+      if (match && match[2] === userName) {
         indices.push(Number(match[1]));
       }
     }
@@ -1065,20 +1065,20 @@ function computeAclMap(policies) {
   }
   return aclMap;
 }
-function syncFilesystemPolicyAcls(oldPolicies, newPolicies, groupName, logger) {
+function syncFilesystemPolicyAcls(oldPolicies, newPolicies, userName, logger) {
   const log = logger ?? noop;
   const oldFs = oldPolicies.filter((p) => p.target === "filesystem");
   const newFs = newPolicies.filter((p) => p.target === "filesystem");
   const oldAclMap = computeAclMap(oldFs);
   const newAclMap = computeAclMap(newFs);
-  for (const oldPath of oldAclMap.keys()) {
-    if (!newAclMap.has(oldPath)) {
-      removeGroupAcl(oldPath, groupName, log);
+  const allPaths = /* @__PURE__ */ new Set([...oldAclMap.keys(), ...newAclMap.keys()]);
+  for (const targetPath of allPaths) {
+    removeUserAcl(targetPath, userName, log);
+    const newPerms = newAclMap.get(targetPath);
+    if (newPerms) {
+      addUserAcl(targetPath, userName, newPerms, log);
     }
   }
-  for (const [targetPath, perms] of newAclMap) {
-    addGroupAcl(targetPath, groupName, perms, log);
-  }
 }
 
 // libs/shield-daemon/src/routes/config.ts
@@ -1100,9 +1100,9 @@ async function configRoutes(app) {
         const updated = updateConfig(request.body);
         if (request.body.policies) {
           const state = loadState();
-          const wsGroup = state.groups.find((g) => g.type === "workspace");
-          if (wsGroup) {
-            syncFilesystemPolicyAcls(oldPolicies, updated.policies, wsGroup.name, app.log);
+          const agentUser = state.users.find((u) => u.type === "agent");
+          if (agentUser) {
+            syncFilesystemPolicyAcls(oldPolicies, updated.policies, agentUser.username, app.log);
           }
           syncCommandPoliciesAndWrappers(updated.policies, state, app.log);
         }
@@ -1125,9 +1125,9 @@ async function configRoutes(app) {
     try {
       const oldConfig = loadConfig();
       const state = loadState();
-      const wsGroup = state.groups.find((g) => g.type === "workspace");
-      if (wsGroup) {
-        syncFilesystemPolicyAcls(oldConfig.policies, [], wsGroup.name, app.log);
+      const agentUser = state.users.find((u) => u.type === "agent");
+      if (agentUser) {
+        syncFilesystemPolicyAcls(oldConfig.policies, [], agentUser.username, app.log);
       }
       syncCommandPoliciesAndWrappers([], state, app.log);
       saveConfig(getDefaultConfig());

package/main.js

@@ -966,21 +966,21 @@ function operationsToAclPerms(operations) {
   }
   return perms.join(",");
 }
-function addGroupAcl(targetPath, groupName, permissions, log = noop) {
+function addUserAcl(targetPath, userName, permissions, log = noop) {
   try {
     if (!fs4.existsSync(targetPath)) {
       log.warn(`[acl] skipping non-existent path: ${targetPath}`);
       return;
     }
     execSync2(
-      `sudo chmod +a "group:${groupName} allow ${permissions}" "${targetPath}"`,
+      `sudo chmod +a "user:${userName} allow ${permissions}" "${targetPath}"`,
       { stdio: "pipe" }
     );
   } catch (err) {
     log.warn(`[acl] failed to add ACL on ${targetPath}: ${err.message}`);
   }
 }
-function removeGroupAcl(targetPath, groupName, log = noop) {
+function removeUserAcl(targetPath, userName, log = noop) {
   try {
     if (!fs4.existsSync(targetPath)) {
       log.warn(`[acl] skipping non-existent path: ${targetPath}`);
@@ -992,8 +992,8 @@ function removeGroupAcl(targetPath, groupName, log = noop) {
     });
     const indices = [];
     for (const line of output.split("\n")) {
-      const match = line.match(/^\s*(\d+):\s+group:(\S+)\s+allow/);
-      if (match && match[2] === groupName) {
+      const match = line.match(/^\s*(\d+):\s+user:(\S+)\s+/);
+      if (match && match[2] === userName) {
         indices.push(Number(match[1]));
       }
     }
@@ -1056,20 +1056,20 @@ function computeAclMap(policies) {
   }
   return aclMap;
 }
-function syncFilesystemPolicyAcls(oldPolicies, newPolicies, groupName, logger) {
+function syncFilesystemPolicyAcls(oldPolicies, newPolicies, userName, logger) {
   const log = logger ?? noop;
   const oldFs = oldPolicies.filter((p) => p.target === "filesystem");
   const newFs = newPolicies.filter((p) => p.target === "filesystem");
   const oldAclMap = computeAclMap(oldFs);
   const newAclMap = computeAclMap(newFs);
-  for (const oldPath of oldAclMap.keys()) {
-    if (!newAclMap.has(oldPath)) {
-      removeGroupAcl(oldPath, groupName, log);
+  const allPaths = /* @__PURE__ */ new Set([...oldAclMap.keys(), ...newAclMap.keys()]);
+  for (const targetPath of allPaths) {
+    removeUserAcl(targetPath, userName, log);
+    const newPerms = newAclMap.get(targetPath);
+    if (newPerms) {
+      addUserAcl(targetPath, userName, newPerms, log);
     }
   }
-  for (const [targetPath, perms] of newAclMap) {
-    addGroupAcl(targetPath, groupName, perms, log);
-  }
 }
 
 // libs/shield-daemon/src/routes/config.ts
@@ -1091,9 +1091,9 @@ async function configRoutes(app) {
         const updated = updateConfig(request.body);
         if (request.body.policies) {
           const state = loadState();
-          const wsGroup = state.groups.find((g) => g.type === "workspace");
-          if (wsGroup) {
-            syncFilesystemPolicyAcls(oldPolicies, updated.policies, wsGroup.name, app.log);
+          const agentUser = state.users.find((u) => u.type === "agent");
+          if (agentUser) {
+            syncFilesystemPolicyAcls(oldPolicies, updated.policies, agentUser.username, app.log);
           }
           syncCommandPoliciesAndWrappers(updated.policies, state, app.log);
         }
@@ -1116,9 +1116,9 @@ async function configRoutes(app) {
     try {
       const oldConfig = loadConfig();
       const state = loadState();
-      const wsGroup = state.groups.find((g) => g.type === "workspace");
-      if (wsGroup) {
-        syncFilesystemPolicyAcls(oldConfig.policies, [], wsGroup.name, app.log);
+      const agentUser = state.users.find((u) => u.type === "agent");
+      if (agentUser) {
+        syncFilesystemPolicyAcls(oldConfig.policies, [], agentUser.username, app.log);
       }
       syncCommandPoliciesAndWrappers([], state, app.log);
       saveConfig(getDefaultConfig());

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agenshield/daemon",
-  "version": "0.6.1",
+  "version": "0.6.2",
   "type": "module",
   "description": "AgenShield HTTP daemon server with embedded UI",
   "main": "./index.js",
@@ -24,9 +24,9 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@agenshield/ipc": "0.6.1",
-    "@agenshield/broker": "0.6.1",
-    "@agenshield/sandbox": "0.6.1",
+    "@agenshield/ipc": "0.6.2",
+    "@agenshield/broker": "0.6.2",
+    "@agenshield/sandbox": "0.6.2",
     "@modelcontextprotocol/sdk": "^1.26.0",
     "fastify": "^5.7.0",
     "zod": "^4.3.6",