@codemcp/ade-harnesses 0.0.2 → 0.1.0

package/dist/writers/roo-code.js

@@ -1,15 +1,51 @@
 import { join } from "node:path";
-import { writeMcpServers, alwaysAllowEntry, writeRulesFile, writeGitHooks } from "../util.js";
+import { readJsonOrEmpty, writeMcpServers, alwaysAllowEntry, writeRulesFile, writeGitHooks, writeJson } from "../util.js";
+import { allowsCapability, hasPermissionPolicy } from "../permission-policy.js";
 export const rooCodeWriter = {
     id: "roo-code",
     label: "Roo Code",
-    description: "AI coding agent — .roo/mcp.json + .roorules",
+    description: "AI coding agent — .roo/mcp.json + .roomodes + .roorules",
     async install(config, projectRoot) {
         await writeMcpServers(config.mcp_servers, {
             path: join(projectRoot, ".roo", "mcp.json"),
             transform: alwaysAllowEntry
         });
+        await writeRooModes(config, projectRoot);
         await writeRulesFile(config.instructions, join(projectRoot, ".roorules"));
         await writeGitHooks(config.git_hooks, projectRoot);
     }
 };
+async function writeRooModes(config, projectRoot) {
+    if (!hasPermissionPolicy(config)) {
+        return;
+    }
+    const roomodesPath = join(projectRoot, ".roomodes");
+    const existing = await readJsonOrEmpty(roomodesPath);
+    const existingCustomModes = asRecord(existing.customModes);
+    await writeJson(roomodesPath, {
+        ...existing,
+        customModes: {
+            ...existingCustomModes,
+            ade: {
+                slug: "ade",
+                name: "ADE",
+                roleDefinition: "ADE — Agentic Development Environment mode generated by ADE.",
+                groups: getRooModeGroups(config),
+                source: "project"
+            }
+        }
+    });
+}
+function asRecord(value) {
+    return value !== null && typeof value === "object" && !Array.isArray(value)
+        ? value
+        : {};
+}
+function getRooModeGroups(config) {
+    return [
+        ...(allowsCapability(config, "read") ? ["read"] : []),
+        ...(allowsCapability(config, "edit_write") ? ["edit"] : []),
+        ...(allowsCapability(config, "bash_unsafe") ? ["command"] : []),
+        ...(config.mcp_servers.length > 0 ? ["mcp"] : [])
+    ];
+}

package/dist/writers/universal.js

@@ -1,16 +1,54 @@
 import { join } from "node:path";
 import { writeFile } from "node:fs/promises";
 import { writeMcpServers, writeGitHooks } from "../util.js";
+const CAPABILITY_ORDER = [
+    "read",
+    "edit_write",
+    "search_list",
+    "bash_safe",
+    "bash_unsafe",
+    "web",
+    "task_agent"
+];
+function formatCapabilityGuidance(capability, decision) {
+    return `- \`${capability}\`: ${decision}`;
+}
+function renderAutonomyGuidance(config) {
+    const policy = config.permission_policy;
+    if (!policy) {
+        return undefined;
+    }
+    const capabilityLines = CAPABILITY_ORDER.map((capability) => formatCapabilityGuidance(capability, policy.capabilities[capability]));
+    return [
+        "## Autonomy",
+        "",
+        "Universal harness limitation: `AGENTS.md` + `.mcp.json` provide documentation and server registration only; there is no enforceable harness-level permission schema here.",
+        "",
+        "Treat this autonomy profile as documentation-only guidance for built-in/basic operations.",
+        "",
+        `Profile: \`${policy.profile}\``,
+        "",
+        "Built-in/basic capability guidance:",
+        ...capabilityLines,
+        "",
+        "MCP permissions are not re-modeled by autonomy here; any MCP approvals must come from provisioning-aware consuming harnesses rather than the Universal writer."
+    ].join("\n");
+}
 export const universalWriter = {
     id: "universal",
     label: "Universal (AGENTS.md + .mcp.json)",
-    description: "Cross-tool standard — AGENTS.md + .mcp.json (works with any agent)",
+    description: "Cross-tool standard — AGENTS.md + .mcp.json (portable instructions and MCP registration, not enforceable permissions)",
     async install(config, projectRoot) {
-        if (config.instructions.length > 0) {
+        const autonomyGuidance = renderAutonomyGuidance(config);
+        const instructionSections = [...config.instructions];
+        if (autonomyGuidance) {
+            instructionSections.push(autonomyGuidance);
+        }
+        if (instructionSections.length > 0) {
             const lines = [
                 "# AGENTS",
                 "",
-                ...config.instructions.flatMap((i) => [i, ""])
+                ...instructionSections.flatMap((instruction) => [instruction, ""])
             ];
             await writeFile(join(projectRoot, "AGENTS.md"), lines.join("\n"), "utf-8");
         }

package/dist/writers/windsurf.js

@@ -1,5 +1,6 @@
 import { join } from "node:path";
 import { writeMcpServers, alwaysAllowEntry, writeRulesFile, writeGitHooks } from "../util.js";
+import { hasPermissionPolicy } from "../permission-policy.js";
 export const windsurfWriter = {
     id: "windsurf",
     label: "Windsurf",
@@ -9,7 +10,48 @@ export const windsurfWriter = {
             path: join(projectRoot, ".windsurf", "mcp.json"),
             transform: alwaysAllowEntry
         });
-        await writeRulesFile(config.instructions, join(projectRoot, ".windsurfrules"));
+        await writeRulesFile(getWindsurfRules(config), join(projectRoot, ".windsurfrules"));
         await writeGitHooks(config.git_hooks, projectRoot);
     }
 };
+function getWindsurfRules(config) {
+    if (!hasPermissionPolicy(config)) {
+        return config.instructions;
+    }
+    const { capabilities } = config.permission_policy;
+    const allow = listCapabilities(capabilities, "allow");
+    const ask = listCapabilities(capabilities, "ask");
+    const deny = listCapabilities(capabilities, "deny");
+    const autonomyGuidance = [
+        "Windsurf limitation: ADE could not verify a stable committed project-local permission schema for Windsurf built-in tools, so this autonomy policy is advisory only and should be applied conservatively.",
+        formatGuidance(allow, ask, deny)
+    ];
+    return [...autonomyGuidance, ...config.instructions];
+}
+function listCapabilities(capabilities, decision) {
+    return Object.entries(capabilities)
+        .filter(([, value]) => value === decision)
+        .map(([capability]) => CAPABILITY_LABELS[capability]);
+}
+function formatGuidance(allow, ask, deny) {
+    const lines = ["Autonomy guidance for Windsurf built-in capabilities:"];
+    if (allow.length > 0) {
+        lines.push(`- May proceed without extra approval: ${allow.join(", ")}.`);
+    }
+    if (ask.length > 0) {
+        lines.push(`- Ask before: ${ask.join(", ")}.`);
+    }
+    if (deny.length > 0) {
+        lines.push(`- Do not use unless the user explicitly overrides: ${deny.join(", ")}.`);
+    }
+    return lines.join("\n");
+}
+const CAPABILITY_LABELS = {
+    read: "read files",
+    edit_write: "edit and write files",
+    search_list: "search and list files",
+    bash_safe: "safe local shell commands",
+    bash_unsafe: "unsafe local shell commands",
+    web: "web and network access",
+    task_agent: "task or agent delegation"
+};

package/package.json

@@ -8,7 +8,7 @@
   },
   "dependencies": {
     "@codemcp/skills": "^2.3.0",
-    "@codemcp/ade-core": "0.0.2"
+    "@codemcp/ade-core": "0.1.0"
   },
   "devDependencies": {
     "@typescript-eslint/eslint-plugin": "^8.21.0",
@@ -19,7 +19,7 @@
     "rimraf": "^6.0.1",
     "typescript": "^5.7.3"
   },
-  "version": "0.0.2",
+  "version": "0.1.0",
   "scripts": {
     "build": "tsc -p tsconfig.build.json",
     "clean:build": "rimraf ./dist",

package/src/permission-policy.ts

@@ -0,0 +1,173 @@
+import type {
+  AutonomyCapability,
+  LogicalConfig,
+  PermissionDecision,
+  PermissionRule
+} from "@codemcp/ade-core";
+
+const SENSIBLE_DEFAULTS_RULES: Record<string, PermissionRule> = {
+  read: {
+    "*": "allow",
+    "*.env": "deny",
+    "*.env.*": "deny",
+    "*.env.example": "allow"
+  },
+  edit: "allow",
+  glob: "allow",
+  grep: "allow",
+  list: "allow",
+  lsp: "allow",
+  task: "allow",
+  todoread: "deny",
+  todowrite: "deny",
+  skill: "deny",
+  webfetch: "ask",
+  websearch: "ask",
+  codesearch: "ask",
+  bash: {
+    "*": "deny",
+    "grep *": "allow",
+    "rg *": "allow",
+    "find *": "allow",
+    "fd *": "allow",
+    ls: "allow",
+    "ls *": "allow",
+    "cat *": "allow",
+    "head *": "allow",
+    "tail *": "allow",
+    "wc *": "allow",
+    "sort *": "allow",
+    "uniq *": "allow",
+    "diff *": "allow",
+    "echo *": "allow",
+    "printf *": "allow",
+    pwd: "allow",
+    "which *": "allow",
+    "type *": "allow",
+    whoami: "allow",
+    date: "allow",
+    "date *": "allow",
+    env: "allow",
+    "tree *": "allow",
+    "file *": "allow",
+    "stat *": "allow",
+    "readlink *": "allow",
+    "realpath *": "allow",
+    "dirname *": "allow",
+    "basename *": "allow",
+    "sed *": "allow",
+    "awk *": "allow",
+    "cut *": "allow",
+    "tr *": "allow",
+    "tee *": "allow",
+    "xargs *": "allow",
+    "jq *": "allow",
+    "yq *": "allow",
+    "mkdir *": "allow",
+    "touch *": "allow",
+    "cp *": "ask",
+    "mv *": "ask",
+    "ln *": "ask",
+    "npm *": "ask",
+    "node *": "ask",
+    "pip *": "ask",
+    "python *": "ask",
+    "python3 *": "ask",
+    "rm *": "deny",
+    "rmdir *": "deny",
+    "curl *": "deny",
+    "wget *": "deny",
+    "chmod *": "deny",
+    "chown *": "deny",
+    "sudo *": "deny",
+    "su *": "deny",
+    "sh *": "deny",
+    "bash *": "deny",
+    "zsh *": "deny",
+    "eval *": "deny",
+    "exec *": "deny",
+    "source *": "deny",
+    ". *": "deny",
+    "nohup *": "deny",
+    "dd *": "deny",
+    "mkfs *": "deny",
+    "mount *": "deny",
+    "umount *": "deny",
+    "kill *": "deny",
+    "killall *": "deny",
+    "pkill *": "deny",
+    "nc *": "deny",
+    "ncat *": "deny",
+    "ssh *": "deny",
+    "scp *": "deny",
+    "rsync *": "deny",
+    "docker *": "deny",
+    "kubectl *": "deny",
+    "systemctl *": "deny",
+    "service *": "deny",
+    "crontab *": "deny",
+    reboot: "deny",
+    "shutdown *": "deny",
+    "passwd *": "deny",
+    "useradd *": "deny",
+    "userdel *": "deny",
+    "iptables *": "deny"
+  },
+  external_directory: "deny",
+  doom_loop: "deny"
+};
+
+export function getAutonomyProfile(config: LogicalConfig) {
+  return config.permission_policy?.profile;
+}
+
+export function hasPermissionPolicy(config: LogicalConfig): boolean {
+  return config.permission_policy !== undefined;
+}
+
+export function getCapabilityDecision(
+  config: LogicalConfig,
+  capability: AutonomyCapability
+): PermissionDecision | undefined {
+  return config.permission_policy?.capabilities?.[capability];
+}
+
+export function allowsCapability(
+  config: LogicalConfig,
+  capability: AutonomyCapability
+): boolean {
+  return getCapabilityDecision(config, capability) === "allow";
+}
+
+export function keepsWebOnAsk(config: LogicalConfig): boolean {
+  return getCapabilityDecision(config, "web") === "ask";
+}
+
+export function getHarnessPermissionRules(
+  config: LogicalConfig
+): Record<string, PermissionRule> | undefined {
+  switch (config.permission_policy?.profile) {
+    case "rigid":
+      return {
+        "*": "ask",
+        webfetch: "ask",
+        websearch: "ask",
+        codesearch: "ask",
+        external_directory: "deny",
+        doom_loop: "deny"
+      };
+    case "sensible-defaults":
+      return SENSIBLE_DEFAULTS_RULES;
+    case "max-autonomy":
+      return {
+        "*": "allow",
+        webfetch: "ask",
+        websearch: "ask",
+        codesearch: "ask",
+        external_directory: "deny",
+        doom_loop: "deny"
+      };
+    default:
+      return undefined;
+  }
+}

package/src/writers/claude-code.spec.ts

@@ -2,9 +2,57 @@ import { describe, it, expect, beforeEach, afterEach } from "vitest";
 import { mkdtemp, rm, readFile } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
-import type { LogicalConfig } from "@codemcp/ade-core";
+import type {
+  AutonomyProfile,
+  LogicalConfig,
+  PermissionPolicy
+} from "@codemcp/ade-core";
 import { claudeCodeWriter } from "./claude-code.js";
 
+function autonomyPolicy(profile: AutonomyProfile): PermissionPolicy {
+  switch (profile) {
+    case "rigid":
+      return {
+        profile,
+        capabilities: {
+          read: "ask",
+          edit_write: "ask",
+          search_list: "ask",
+          bash_safe: "ask",
+          bash_unsafe: "ask",
+          web: "ask",
+          task_agent: "ask"
+        }
+      };
+    case "sensible-defaults":
+      return {
+        profile,
+        capabilities: {
+          read: "allow",
+          edit_write: "allow",
+          search_list: "allow",
+          bash_safe: "allow",
+          bash_unsafe: "ask",
+          web: "ask",
+          task_agent: "allow"
+        }
+      };
+    case "max-autonomy":
+      return {
+        profile,
+        capabilities: {
+          read: "allow",
+          edit_write: "allow",
+          search_list: "allow",
+          bash_safe: "allow",
+          bash_unsafe: "allow",
+          web: "ask",
+          task_agent: "allow"
+        }
+      };
+  }
+}
+
 describe("claudeCodeWriter", () => {
   let dir: string;
 
@@ -80,7 +128,38 @@ describe("claudeCodeWriter", () => {
     });
   });
 
-  it("writes .claude/settings.json with MCP tool permissions", async () => {
+  it("forwards explicit MCP tool permissions using Claude rule names", async () => {
+    const config: LogicalConfig = {
+      mcp_servers: [
+        {
+          ref: "workflows",
+          command: "npx",
+          args: ["-y", "@codemcp/workflows"],
+          env: {},
+          allowedTools: ["use_skill", "whats_next"]
+        }
+      ],
+      instructions: [],
+      cli_actions: [],
+      knowledge_sources: [],
+      skills: [],
+      git_hooks: [],
+      setup_notes: []
+    };
+
+    await claudeCodeWriter.install(config, dir);
+
+    const raw = await readFile(join(dir, ".claude", "settings.json"), "utf-8");
+    const settings = JSON.parse(raw);
+    expect(settings.permissions.allow).toEqual(
+      expect.arrayContaining([
+        "mcp__workflows__use_skill",
+        "mcp__workflows__whats_next"
+      ])
+    );
+  });
+
+  it("does not invent wildcard MCP permission rules", async () => {
     const config: LogicalConfig = {
       mcp_servers: [
         {
@@ -102,7 +181,85 @@ describe("claudeCodeWriter", () => {
 
     const raw = await readFile(join(dir, ".claude", "settings.json"), "utf-8");
     const settings = JSON.parse(raw);
-    expect(settings.permissions.allow).toContain("MCP(workflows:*)");
+    expect(settings.permissions.allow ?? []).toEqual([]);
+  });
+
+  it("keeps web on ask for rigid autonomy without broad built-in allows", async () => {
+    const config: LogicalConfig = {
+      mcp_servers: [],
+      instructions: [],
+      cli_actions: [],
+      knowledge_sources: [],
+      skills: [],
+      git_hooks: [],
+      setup_notes: [],
+      permission_policy: autonomyPolicy("rigid")
+    };
+
+    await claudeCodeWriter.install(config, dir);
+
+    const raw = await readFile(join(dir, ".claude", "settings.json"), "utf-8");
+    const settings = JSON.parse(raw);
+    expect(settings.permissions.allow ?? []).toEqual([]);
+    expect(settings.permissions.ask).toEqual(
+      expect.arrayContaining(["WebFetch", "WebSearch"])
+    );
+  });
+
+  it("maps sensible-defaults to Claude built-in permission rules", async () => {
+    const config: LogicalConfig = {
+      mcp_servers: [],
+      instructions: [],
+      cli_actions: [],
+      knowledge_sources: [],
+      skills: [],
+      git_hooks: [],
+      setup_notes: [],
+      permission_policy: autonomyPolicy("sensible-defaults")
+    };
+
+    await claudeCodeWriter.install(config, dir);
+
+    const raw = await readFile(join(dir, ".claude", "settings.json"), "utf-8");
+    const settings = JSON.parse(raw);
+    expect(settings.permissions.allow).toEqual(
+      expect.arrayContaining(["Read", "Edit", "Glob", "Grep", "TodoWrite"])
+    );
+    expect(settings.permissions.allow).not.toContain("Bash");
+    expect(settings.permissions.ask).toEqual(
+      expect.arrayContaining(["WebFetch", "WebSearch"])
+    );
+  });
+
+  it("maps max-autonomy to broad Claude built-in permission rules while preserving web ask", async () => {
+    const config: LogicalConfig = {
+      mcp_servers: [],
+      instructions: [],
+      cli_actions: [],
+      knowledge_sources: [],
+      skills: [],
+      git_hooks: [],
+      setup_notes: [],
+      permission_policy: autonomyPolicy("max-autonomy")
+    };
+
+    await claudeCodeWriter.install(config, dir);
+
+    const raw = await readFile(join(dir, ".claude", "settings.json"), "utf-8");
+    const settings = JSON.parse(raw);
+    expect(settings.permissions.allow).toEqual(
+      expect.arrayContaining([
+        "Read",
+        "Edit",
+        "Bash",
+        "Glob",
+        "Grep",
+        "TodoWrite"
+      ])
+    );
+    expect(settings.permissions.ask).toEqual(
+      expect.arrayContaining(["WebFetch", "WebSearch"])
+    );
   });
 
   it("includes agentskills server from mcp_servers", async () => {

package/src/writers/claude-code.ts

@@ -9,6 +9,7 @@ import {
   writeInlineSkills,
   writeGitHooks
 } from "../util.js";
+import { allowsCapability, keepsWebOnAsk } from "../permission-policy.js";
 
 export const claudeCodeWriter: HarnessWriter = {
   id: "claude-code",
@@ -35,30 +36,74 @@ async function writeClaudeSettings(
   config: LogicalConfig,
   projectRoot: string
 ): Promise<void> {
-  const servers = config.mcp_servers;
-  if (servers.length === 0) return;
-
   const settingsPath = join(projectRoot, ".claude", "settings.json");
   const existing = await readJsonOrEmpty(settingsPath);
+  const existingPerms = (existing.permissions as Record<string, unknown>) ?? {};
+  const existingAllow = asStringArray(existingPerms.allow);
+  const existingAsk = asStringArray(existingPerms.ask);
 
-  const allowRules: string[] = [];
-  for (const server of servers) {
-    const allowed = server.allowedTools ?? ["*"];
-    if (allowed.includes("*")) {
-      allowRules.push(`MCP(${server.ref}:*)`);
-    } else {
-      for (const tool of allowed) {
-        allowRules.push(`MCP(${server.ref}:${tool})`);
-      }
-    }
-  }
+  const autonomyRules = getClaudeAutonomyRules(config);
+  const mcpRules = getClaudeMcpAllowRules(config);
+  const allowRules = [
+    ...new Set([...existingAllow, ...autonomyRules.allow, ...mcpRules])
+  ];
+  const askRules = [...new Set([...existingAsk, ...autonomyRules.ask])];
 
-  const existingPerms = (existing.permissions as Record<string, unknown>) ?? {};
-  const existingAllow = (existingPerms.allow as string[]) ?? [];
-  const mergedAllow = [...new Set([...existingAllow, ...allowRules])];
+  if (
+    allowRules.length === 0 &&
+    askRules.length === 0 &&
+    config.mcp_servers.length === 0
+  ) {
+    return;
+  }
 
   await writeJson(settingsPath, {
     ...existing,
-    permissions: { ...existingPerms, allow: mergedAllow }
+    permissions: {
+      ...existingPerms,
+      ...(allowRules.length > 0 ? { allow: allowRules } : {}),
+      ...(askRules.length > 0 ? { ask: askRules } : {})
+    }
   });
 }
+
+function asStringArray(value: unknown): string[] {
+  return Array.isArray(value)
+    ? value.filter((entry): entry is string => typeof entry === "string")
+    : [];
+}
+
+function getClaudeMcpAllowRules(config: LogicalConfig): string[] {
+  const allowRules: string[] = [];
+
+  for (const server of config.mcp_servers) {
+    const allowedTools = server.allowedTools;
+    if (!allowedTools || allowedTools.includes("*")) {
+      continue;
+    }
+
+    for (const tool of allowedTools) {
+      allowRules.push(`mcp__${server.ref}__${tool}`);
+    }
+  }
+
+  return allowRules;
+}
+
+function getClaudeAutonomyRules(config: LogicalConfig): {
+  allow: string[];
+  ask: string[];
+} {
+  const ask = keepsWebOnAsk(config) ? ["WebFetch", "WebSearch"] : [];
+
+  return {
+    allow: [
+      ...(allowsCapability(config, "read") ? ["Read"] : []),
+      ...(allowsCapability(config, "edit_write") ? ["Edit"] : []),
+      ...(allowsCapability(config, "search_list") ? ["Glob", "Grep"] : []),
+      ...(allowsCapability(config, "bash_unsafe") ? ["Bash"] : []),
+      ...(allowsCapability(config, "task_agent") ? ["TodoWrite"] : [])
+    ],
+    ask
+  };
+}