npm - @codemcp/ade-core - Versions diffs - 0.0.2 → 0.1.0 - Mend

@codemcp/ade-core 0.0.2 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/.turbo/turbo-build.log +1 -1
package/.turbo/turbo-format.log +1 -1
package/.turbo/turbo-lint.log +1 -1
package/.turbo/turbo-test.log +12 -12
package/.turbo/turbo-typecheck.log +1 -1
package/dist/catalog/facets/autonomy.d.ts +2 -0
package/dist/catalog/facets/autonomy.js +85 -0
package/dist/catalog/index.js +8 -1
package/dist/index.d.ts +2 -1
package/dist/index.js +1 -0
package/dist/registry.js +2 -0
package/dist/resolver.js +49 -22
package/dist/types.d.ts +15 -2
package/dist/writers/permission-policy.d.ts +2 -0
package/dist/writers/permission-policy.js +6 -0
package/package.json +1 -1
package/src/catalog/catalog.spec.ts +39 -0
package/src/catalog/facets/autonomy.ts +106 -0
package/src/catalog/index.ts +8 -1
package/src/index.ts +7 -1
package/src/registry.spec.ts +4 -3
package/src/registry.ts +2 -0
package/src/resolver.spec.ts +45 -0
package/src/resolver.ts +67 -23
package/src/types.ts +30 -2
package/src/writers/permission-policy.ts +8 -0
package/tsconfig.tsbuildinfo +1 -1

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,4 +1,4 @@
-> @codemcp/ade-core@0.0.2 build /home/runner/work/ade/ade/packages/core
+> @codemcp/ade-core@0.1.0 build /home/runner/work/ade/ade/packages/core
 > tsc -p tsconfig.build.json

package/.turbo/turbo-format.log CHANGED Viewed

@@ -1,5 +1,5 @@
-> @codemcp/ade-core@0.0.2 format /home/runner/work/ade/ade/packages/core
+> @codemcp/ade-core@0.1.0 format /home/runner/work/ade/ade/packages/core
 > prettier --check .
 Checking formatting...

package/.turbo/turbo-lint.log CHANGED Viewed

@@ -1,4 +1,4 @@
-> @codemcp/ade-core@0.0.2 lint /home/runner/work/ade/ade/packages/core
+> @codemcp/ade-core@0.1.0 lint /home/runner/work/ade/ade/packages/core
 > eslint .

package/.turbo/turbo-test.log CHANGED Viewed

@@ -1,21 +1,21 @@
-> @codemcp/ade-core@0.0.2 test /home/runner/work/ade/ade/packages/core
+> @codemcp/ade-core@0.1.0 test /home/runner/work/ade/ade/packages/core
 > vitest --run
 [1m[46m RUN [49m[22m [36mv3.2.4 [39m[90m/home/runner/work/ade/ade/packages/core[39m
- [32m✓[39m src/registry.spec.ts [2m([22m[2m8 tests[22m[2m)[22m[32m 51[2mms[22m[39m
- [32m✓[39m src/resolver.spec.ts [2m([22m[2m19 tests[22m[2m)[22m[32m 54[2mms[22m[39m
- [32m✓[39m src/catalog/catalog.spec.ts [2m([22m[2m41 tests[22m[2m)[22m[32m 106[2mms[22m[39m
- [32m✓[39m src/writers/skills.spec.ts [2m([22m[2m6 tests[22m[2m)[22m[32m 36[2mms[22m[39m
- [32m✓[39m src/writers/workflows.spec.ts [2m([22m[2m6 tests[22m[2m)[22m[32m 22[2mms[22m[39m
- [32m✓[39m src/config.spec.ts [2m([22m[2m7 tests[22m[2m)[22m[32m 86[2mms[22m[39m
- [32m✓[39m src/writers/instruction.spec.ts [2m([22m[2m5 tests[22m[2m)[22m[32m 20[2mms[22m[39m
- [32m✓[39m src/writers/knowledge.spec.ts [2m([22m[2m2 tests[22m[2m)[22m[32m 6[2mms[22m[39m
+ [32m✓[39m src/registry.spec.ts [2m([22m[2m8 tests[22m[2m)[22m[32m 36[2mms[22m[39m
+ [32m✓[39m src/resolver.spec.ts [2m([22m[2m21 tests[22m[2m)[22m[32m 67[2mms[22m[39m
+ [32m✓[39m src/catalog/catalog.spec.ts [2m([22m[2m43 tests[22m[2m)[22m[32m 113[2mms[22m[39m
+ [32m✓[39m src/writers/workflows.spec.ts [2m([22m[2m6 tests[22m[2m)[22m[32m 25[2mms[22m[39m
+ [32m✓[39m src/writers/skills.spec.ts [2m([22m[2m6 tests[22m[2m)[22m[32m 32[2mms[22m[39m
+ [32m✓[39m src/config.spec.ts [2m([22m[2m7 tests[22m[2m)[22m[32m 117[2mms[22m[39m
+ [32m✓[39m src/writers/instruction.spec.ts [2m([22m[2m5 tests[22m[2m)[22m[32m 12[2mms[22m[39m
+ [32m✓[39m src/writers/knowledge.spec.ts [2m([22m[2m2 tests[22m[2m)[22m[32m 19[2mms[22m[39m
 [2m Test Files [22m [1m[32m8 passed[39m[22m[90m (8)[39m
-[2m      Tests [22m [1m[32m94 passed[39m[22m[90m (94)[39m
-[2m   Start at [22m 06:53:29
-[2m   Duration [22m 3.21s[2m (transform 1.20s, setup 0ms, collect 2.14s, tests 382ms, environment 4ms, prepare 2.43s)[22m
+[2m      Tests [22m [1m[32m98 passed[39m[22m[90m (98)[39m
+[2m   Start at [22m 12:11:20
+[2m   Duration [22m 3.08s[2m (transform 930ms, setup 0ms, collect 1.94s, tests 420ms, environment 8ms, prepare 2.09s)[22m

package/.turbo/turbo-typecheck.log CHANGED Viewed

@@ -1,4 +1,4 @@
-> @codemcp/ade-core@0.0.2 typecheck /home/runner/work/ade/ade/packages/core
+> @codemcp/ade-core@0.1.0 typecheck /home/runner/work/ade/ade/packages/core
 > tsc

package/dist/catalog/facets/autonomy.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { Facet } from "../../types.js";
2	+ export declare const autonomyFacet: Facet;

package/dist/catalog/facets/autonomy.js ADDED Viewed

@@ -0,0 +1,85 @@
+const ALL_CAPABILITIES = [
+    "read",
+    "edit_write",
+    "search_list",
+    "bash_safe",
+    "bash_unsafe",
+    "web",
+    "task_agent"
+];
+function capabilityMap(defaultDecision, overrides = {}) {
+    return Object.fromEntries(ALL_CAPABILITIES.map((capability) => [
+        capability,
+        overrides[capability] ?? defaultDecision
+    ]));
+}
+function autonomyPolicy(profile) {
+    switch (profile) {
+        case "rigid":
+            return {
+                profile,
+                capabilities: capabilityMap("ask")
+            };
+        case "sensible-defaults":
+            return {
+                profile,
+                capabilities: capabilityMap("ask", {
+                    read: "allow",
+                    edit_write: "allow",
+                    search_list: "allow",
+                    bash_safe: "allow",
+                    task_agent: "allow",
+                    web: "ask"
+                })
+            };
+        case "max-autonomy":
+            return {
+                profile,
+                capabilities: capabilityMap("allow", {
+                    web: "ask"
+                })
+            };
+    }
+}
+export const autonomyFacet = {
+    id: "autonomy",
+    label: "Autonomy",
+    description: "How much initiative and execution freedom the agent should have",
+    required: false,
+    multiSelect: false,
+    options: [
+        {
+            id: "rigid",
+            label: "Rigid",
+            description: "Keep built-in capabilities approval-gated and require confirmation before acting",
+            recipe: [
+                {
+                    writer: "permission-policy",
+                    config: autonomyPolicy("rigid")
+                }
+            ]
+        },
+        {
+            id: "sensible-defaults",
+            label: "Sensible defaults",
+            description: "Allow a curated low-risk built-in capability set while keeping web access approval-gated",
+            recipe: [
+                {
+                    writer: "permission-policy",
+                    config: autonomyPolicy("sensible-defaults")
+                }
+            ]
+        },
+        {
+            id: "max-autonomy",
+            label: "Max autonomy",
+            description: "Allow broad local built-in autonomy while keeping web access approval-gated",
+            recipe: [
+                {
+                    writer: "permission-policy",
+                    config: autonomyPolicy("max-autonomy")
+                }
+            ]
+        }
+    ]
+};

package/dist/catalog/index.js CHANGED Viewed

@@ -2,9 +2,16 @@ import { processFacet } from "./facets/process.js";
 import { architectureFacet } from "./facets/architecture.js";
 import { practicesFacet } from "./facets/practices.js";
 import { backpressureFacet } from "./facets/backpressure.js";
+import { autonomyFacet } from "./facets/autonomy.js";
 export function getDefaultCatalog() {
     return {
-        facets: [processFacet, architectureFacet, practicesFacet, backpressureFacet]
+        facets: [
+            processFacet,
+            architectureFacet,
+            practicesFacet,
+            backpressureFacet,
+            autonomyFacet
+        ]
     };
 }
 export function getFacet(catalog, id) {

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 export { type Catalog, type Facet, type Option, type Provision, type DocsetDef } from "./types.js";
-export { type LogicalConfig, type McpServerEntry, type CliAction, type KnowledgeSource, type SkillDefinition, type InlineSkill, type ExternalSkill, type GitHook } from "./types.js";
+export { type LogicalConfig, type McpServerEntry, type CliAction, type KnowledgeSource, type SkillDefinition, type InlineSkill, type ExternalSkill, type GitHook, type PermissionPolicy, type AutonomyProfile, type AutonomyCapability, type PermissionDecision, type PermissionRule } from "./types.js";
 export { type ResolutionContext, type ResolvedFacet } from "./types.js";
 export { type UserConfig, type LockFile } from "./types.js";
 export { type ProvisionWriter } from "./types.js";
@@ -10,3 +10,4 @@ export { resolve, collectDocsets } from "./resolver.js";
 export { getDefaultCatalog, getFacet, getOption, sortFacets, getVisibleOptions } from "./catalog/index.js";
 export { skillsWriter } from "./writers/skills.js";
 export { knowledgeWriter } from "./writers/knowledge.js";
+export { permissionPolicyWriter } from "./writers/permission-policy.js";

package/dist/index.js CHANGED Viewed

@@ -4,3 +4,4 @@ export { resolve, collectDocsets } from "./resolver.js";
 export { getDefaultCatalog, getFacet, getOption, sortFacets, getVisibleOptions } from "./catalog/index.js";
 export { skillsWriter } from "./writers/skills.js";
 export { knowledgeWriter } from "./writers/knowledge.js";
+export { permissionPolicyWriter } from "./writers/permission-policy.js";

package/dist/registry.js CHANGED Viewed

@@ -4,6 +4,7 @@ import { skillsWriter } from "./writers/skills.js";
 import { knowledgeWriter } from "./writers/knowledge.js";
 import { gitHooksWriter } from "./writers/git-hooks.js";
 import { setupNoteWriter } from "./writers/setup-note.js";
+import { permissionPolicyWriter } from "./writers/permission-policy.js";
 export function createRegistry() {
     return {
         provisions: new Map(),
@@ -30,6 +31,7 @@ export function createDefaultRegistry() {
     registerProvisionWriter(registry, knowledgeWriter);
     registerProvisionWriter(registry, gitHooksWriter);
     registerProvisionWriter(registry, setupNoteWriter);
+    registerProvisionWriter(registry, permissionPolicyWriter);
     // Stub writers for types not yet implemented
     for (const id of ["mcp-server", "installable"]) {
         registerProvisionWriter(registry, {

package/dist/resolver.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { getFacet, getOption } from "./catalog/index.js";
 import { getProvisionWriter } from "./registry.js";
+import { permissionPolicyWriter } from "./writers/permission-policy.js";
 export async function resolve(userConfig, catalog, registry) {
     const result = {
         mcp_servers: [],
@@ -24,32 +25,13 @@ export async function resolve(userConfig, catalog, registry) {
             }
             context.resolved[facetId] = { optionId: selectedId, option };
             for (const provision of option.recipe) {
-                const writer = getProvisionWriter(registry, provision.writer);
+                const writer = getProvisionWriter(registry, provision.writer) ??
+                    getBuiltInProvisionWriter(provision);
                 if (!writer) {
                     continue;
                 }
                 const partial = await writer.write(provision.config, context);
-                if (partial.mcp_servers) {
-                    result.mcp_servers.push(...partial.mcp_servers);
-                }
-                if (partial.instructions) {
-                    result.instructions.push(...partial.instructions);
-                }
-                if (partial.cli_actions) {
-                    result.cli_actions.push(...partial.cli_actions);
-                }
-                if (partial.knowledge_sources) {
-                    result.knowledge_sources.push(...partial.knowledge_sources);
-                }
-                if (partial.skills) {
-                    result.skills.push(...partial.skills);
-                }
-                if (partial.git_hooks) {
-                    result.git_hooks.push(...partial.git_hooks);
-                }
-                if (partial.setup_notes) {
-                    result.setup_notes.push(...partial.setup_notes);
-                }
+                mergeLogicalConfig(result, partial);
             }
         }
     }
@@ -116,6 +98,51 @@ export async function resolve(userConfig, catalog, registry) {
     result.mcp_servers = Array.from(serversByRef.values());
     return result;
 }
+function getBuiltInProvisionWriter(provision) {
+    if (provision.writer === "permission-policy") {
+        return permissionPolicyWriter;
+    }
+    return undefined;
+}
+function mergeLogicalConfig(result, partial) {
+    if (partial.mcp_servers) {
+        result.mcp_servers.push(...partial.mcp_servers);
+    }
+    if (partial.instructions) {
+        result.instructions.push(...partial.instructions);
+    }
+    if (partial.cli_actions) {
+        result.cli_actions.push(...partial.cli_actions);
+    }
+    if (partial.knowledge_sources) {
+        result.knowledge_sources.push(...partial.knowledge_sources);
+    }
+    if (partial.skills) {
+        result.skills.push(...partial.skills);
+    }
+    if (partial.git_hooks) {
+        result.git_hooks.push(...partial.git_hooks);
+    }
+    if (partial.setup_notes) {
+        result.setup_notes.push(...partial.setup_notes);
+    }
+    if (partial.permission_policy) {
+        result.permission_policy = mergePermissionPolicy(result.permission_policy, partial.permission_policy);
+    }
+}
+function mergePermissionPolicy(existing, incoming) {
+    if (!existing) {
+        return incoming;
+    }
+    return {
+        ...existing,
+        ...incoming,
+        capabilities: {
+            ...existing.capabilities,
+            ...incoming.capabilities
+        }
+    };
+}
 /**
  * Collect all unique docsets implied by the given choices.
  * Used by the TUI to present docsets for confirmation before resolution.

package/dist/types.d.ts CHANGED Viewed

@@ -28,7 +28,7 @@ export interface Provision {
     writer: ProvisionWriter;
     config: Record<string, unknown>;
 }
-export type ProvisionWriter = "workflows" | "skills" | "knowledge" | "mcp-server" | "instruction" | "installable" | "git-hooks" | "setup-note";
+export type ProvisionWriter = "workflows" | "skills" | "knowledge" | "mcp-server" | "instruction" | "installable" | "git-hooks" | "setup-note" | "permission-policy";
 export interface InlineSkill {
     name: string;
     description: string;
@@ -43,7 +43,19 @@ export interface GitHook {
     phase: "pre-commit" | "pre-push";
     script: string;
 }
-export interface LogicalConfig {
+export type AutonomyProfile = "rigid" | "sensible-defaults" | "max-autonomy";
+export type PermissionDecision = "ask" | "allow" | "deny";
+export type AutonomyCapability = "read" | "edit_write" | "search_list" | "bash_safe" | "bash_unsafe" | "web" | "task_agent";
+/**
+ * @deprecated Harness-specific tool-level rules are no longer produced by core.
+ * Kept temporarily as a compatibility type for downstream packages.
+ */
+export type PermissionRule = PermissionDecision | Record<string, PermissionDecision>;
+export interface PermissionPolicy extends Record<string, unknown> {
+    profile: AutonomyProfile;
+    capabilities: Record<AutonomyCapability, PermissionDecision>;
+}
+export interface LogicalConfig extends Record<string, unknown> {
     mcp_servers: McpServerEntry[];
     instructions: string[];
     cli_actions: CliAction[];
@@ -51,6 +63,7 @@ export interface LogicalConfig {
     skills: SkillDefinition[];
     git_hooks: GitHook[];
     setup_notes: string[];
+    permission_policy?: PermissionPolicy;
 }
 export interface McpServerEntry {
     ref: string;

package/dist/writers/permission-policy.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { ProvisionWriterDef } from "../types.js";
2	+ export declare const permissionPolicyWriter: ProvisionWriterDef;

package/dist/writers/permission-policy.js ADDED Viewed

@@ -0,0 +1,6 @@
+export const permissionPolicyWriter = {
+    id: "permission-policy",
+    async write(config) {
+        return { permission_policy: config };
+    }
+};

package/package.json CHANGED Viewed

@@ -18,7 +18,7 @@
   "dependencies": {
     "yaml": "^2.8.2"
   },
-  "version": "0.0.2",
+  "version": "0.1.0",
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
     "clean:build": "rimraf ./dist",

package/src/catalog/catalog.spec.ts CHANGED Viewed

@@ -461,6 +461,45 @@ describe("catalog", () => {
     });
   });
+  describe("autonomy facet", () => {
+    it("exists in the default catalog with the supported autonomy profiles", () => {
+      const catalog = getDefaultCatalog();
+      const autonomy = getFacet(catalog, "autonomy");
+      expect(autonomy).toBeDefined();
+      expect(autonomy!.required).toBe(false);
+      expect(autonomy!.multiSelect).toBe(false);
+      expect(autonomy!.options.map((option) => option.id)).toEqual([
+        "rigid",
+        "sensible-defaults",
+        "max-autonomy"
+      ]);
+    });
+    it("uses the abstract capability model for autonomy recipes", () => {
+      const catalog = getDefaultCatalog();
+      const autonomy = getFacet(catalog, "autonomy")!;
+      const sensibleDefaults = getOption(autonomy, "sensible-defaults")!;
+      const provision = sensibleDefaults.recipe.find(
+        (entry) => entry.writer === "permission-policy"
+      );
+      expect(provision).toBeDefined();
+      expect(provision!.config).toEqual({
+        profile: "sensible-defaults",
+        capabilities: {
+          read: "allow",
+          edit_write: "allow",
+          search_list: "allow",
+          bash_safe: "allow",
+          bash_unsafe: "ask",
+          web: "ask",
+          task_agent: "allow"
+        }
+      });
+    });
+  });
   describe("sortFacets", () => {
     it("returns all facets", () => {
       const catalog = getDefaultCatalog();

package/src/catalog/facets/autonomy.ts ADDED Viewed

@@ -0,0 +1,106 @@
+import type {
+  AutonomyCapability,
+  Facet,
+  PermissionDecision,
+  PermissionPolicy
+} from "../../types.js";
+const ALL_CAPABILITIES: AutonomyCapability[] = [
+  "read",
+  "edit_write",
+  "search_list",
+  "bash_safe",
+  "bash_unsafe",
+  "web",
+  "task_agent"
+];
+function capabilityMap(
+  defaultDecision: PermissionDecision,
+  overrides: Partial<Record<AutonomyCapability, PermissionDecision>> = {}
+): Record<AutonomyCapability, PermissionDecision> {
+  return Object.fromEntries(
+    ALL_CAPABILITIES.map((capability) => [
+      capability,
+      overrides[capability] ?? defaultDecision
+    ])
+  ) as Record<AutonomyCapability, PermissionDecision>;
+}
+function autonomyPolicy(
+  profile: PermissionPolicy["profile"]
+): PermissionPolicy {
+  switch (profile) {
+    case "rigid":
+      return {
+        profile,
+        capabilities: capabilityMap("ask")
+      };
+    case "sensible-defaults":
+      return {
+        profile,
+        capabilities: capabilityMap("ask", {
+          read: "allow",
+          edit_write: "allow",
+          search_list: "allow",
+          bash_safe: "allow",
+          task_agent: "allow",
+          web: "ask"
+        })
+      };
+    case "max-autonomy":
+      return {
+        profile,
+        capabilities: capabilityMap("allow", {
+          web: "ask"
+        })
+      };
+  }
+}
+export const autonomyFacet: Facet = {
+  id: "autonomy",
+  label: "Autonomy",
+  description:
+    "How much initiative and execution freedom the agent should have",
+  required: false,
+  multiSelect: false,
+  options: [
+    {
+      id: "rigid",
+      label: "Rigid",
+      description:
+        "Keep built-in capabilities approval-gated and require confirmation before acting",
+      recipe: [
+        {
+          writer: "permission-policy",
+          config: autonomyPolicy("rigid")
+        }
+      ]
+    },
+    {
+      id: "sensible-defaults",
+      label: "Sensible defaults",
+      description:
+        "Allow a curated low-risk built-in capability set while keeping web access approval-gated",
+      recipe: [
+        {
+          writer: "permission-policy",
+          config: autonomyPolicy("sensible-defaults")
+        }
+      ]
+    },
+    {
+      id: "max-autonomy",
+      label: "Max autonomy",
+      description:
+        "Allow broad local built-in autonomy while keeping web access approval-gated",
+      recipe: [
+        {
+          writer: "permission-policy",
+          config: autonomyPolicy("max-autonomy")
+        }
+      ]
+    }
+  ]
+};

package/src/catalog/index.ts CHANGED Viewed

@@ -3,10 +3,17 @@ import { processFacet } from "./facets/process.js";
 import { architectureFacet } from "./facets/architecture.js";
 import { practicesFacet } from "./facets/practices.js";
 import { backpressureFacet } from "./facets/backpressure.js";
+import { autonomyFacet } from "./facets/autonomy.js";
 export function getDefaultCatalog(): Catalog {
   return {
-    facets: [processFacet, architectureFacet, practicesFacet, backpressureFacet]
+    facets: [
+      processFacet,
+      architectureFacet,
+      practicesFacet,
+      backpressureFacet,
+      autonomyFacet
+    ]
   };
 }

package/src/index.ts CHANGED Viewed

@@ -13,7 +13,12 @@ export {
   type SkillDefinition,
   type InlineSkill,
   type ExternalSkill,
-  type GitHook
+  type GitHook,
+  type PermissionPolicy,
+  type AutonomyProfile,
+  type AutonomyCapability,
+  type PermissionDecision,
+  type PermissionRule
 } from "./types.js";
 export { type ResolutionContext, type ResolvedFacet } from "./types.js";
 export { type UserConfig, type LockFile } from "./types.js";
@@ -47,3 +52,4 @@ export {
 } from "./catalog/index.js";
 export { skillsWriter } from "./writers/skills.js";
 export { knowledgeWriter } from "./writers/knowledge.js";
+export { permissionPolicyWriter } from "./writers/permission-policy.js";

package/src/registry.spec.ts CHANGED Viewed

@@ -115,7 +115,7 @@ describe("registry", () => {
   });
   describe("createDefaultRegistry", () => {
-    it("has all 8 built-in provision writer IDs registered", () => {
+    it("has all built-in provision writer IDs registered", () => {
       const registry = createDefaultRegistry();
       const expectedIds = [
         "workflows",
@@ -125,7 +125,8 @@ describe("registry", () => {
         "instruction",
         "installable",
         "git-hooks",
-        "setup-note"
+        "setup-note",
+        "permission-policy"
       ];
       for (const id of expectedIds) {
         expect(
@@ -133,7 +134,7 @@ describe("registry", () => {
           `expected provision writer "${id}" to be registered`
         ).toBeDefined();
       }
-      expect(registry.provisions.size).toBe(8);
+      expect(registry.provisions.size).toBe(expectedIds.length);
     });
     it("has no agent writers by default (moved to @ade/harnesses)", () => {

package/src/registry.ts CHANGED Viewed

@@ -9,6 +9,7 @@ import { skillsWriter } from "./writers/skills.js";
 import { knowledgeWriter } from "./writers/knowledge.js";
 import { gitHooksWriter } from "./writers/git-hooks.js";
 import { setupNoteWriter } from "./writers/setup-note.js";
+import { permissionPolicyWriter } from "./writers/permission-policy.js";
 export function createRegistry(): WriterRegistry {
   return {
@@ -55,6 +56,7 @@ export function createDefaultRegistry(): WriterRegistry {
   registerProvisionWriter(registry, knowledgeWriter);
   registerProvisionWriter(registry, gitHooksWriter);
   registerProvisionWriter(registry, setupNoteWriter);
+  registerProvisionWriter(registry, permissionPolicyWriter);
   // Stub writers for types not yet implemented
   for (const id of ["mcp-server", "installable"]) {

package/src/resolver.spec.ts CHANGED Viewed

@@ -578,4 +578,49 @@ describe("resolve", () => {
       expect(duplicates[0].env).toEqual({ CUSTOM: "true" });
     });
   });
+  describe("autonomy permission policy", () => {
+    it("adds a capability-based permission policy to LogicalConfig and keeps web access on ask", async () => {
+      const userConfig: UserConfig = {
+        choices: { autonomy: "rigid" }
+      };
+      const result = await resolve(userConfig, catalog, registry);
+      expect(result).toHaveProperty("permission_policy");
+      expect((result as Record<string, unknown>).permission_policy).toEqual({
+        profile: "rigid",
+        capabilities: {
+          read: "ask",
+          edit_write: "ask",
+          search_list: "ask",
+          bash_safe: "ask",
+          bash_unsafe: "ask",
+          web: "ask",
+          task_agent: "ask"
+        }
+      });
+    });
+    it("uses curated built-in defaults for the sensible-defaults autonomy profile", async () => {
+      const userConfig: UserConfig = {
+        choices: { autonomy: "sensible-defaults" }
+      };
+      const result = await resolve(userConfig, catalog, registry);
+      expect(result.permission_policy).toEqual({
+        profile: "sensible-defaults",
+        capabilities: {
+          read: "allow",
+          edit_write: "allow",
+          search_list: "allow",
+          bash_safe: "allow",
+          bash_unsafe: "ask",
+          web: "ask",
+          task_agent: "allow"
+        }
+      });
+    });
+  });
 });