@element47/ag 4.5.1 → 4.5.2

package/README.md

@@ -127,6 +127,46 @@ export default {
 
 That's it. No config, no registry. Use `/tools` in the REPL to see what's loaded.
 
+### Permission Keys
+
+By default, custom tools require approval for every call (or you allow all calls with `toolname(*)`). To enable fine-grained permission patterns, add a `permissionKey` to your tool:
+
+```js
+// .ag/tools/deploy.mjs
+export default {
+  type: "function",
+  function: {
+    name: "deploy",
+    description: "Deploy to an environment",
+    parameters: {
+      type: "object",
+      properties: {
+        target: { type: "string", enum: ["staging", "production"] },
+        branch: { type: "string" }
+      },
+      required: ["target"]
+    }
+  },
+  permissionKey: { qualifier: "target" },
+  execute: async ({ target, branch }) => { /* ... */ }
+};
+```
+
+Now permission patterns can target specific argument values:
+
+| Pattern | Effect |
+|---------|--------|
+| `deploy(staging)` | Allow staging deploys |
+| `deploy(production)` | Allow production deploys |
+| `deploy(*)` | Allow all deploys |
+
+**`permissionKey` fields:**
+
+- `qualifier` (required) — arg name whose value becomes the pattern qualifier. E.g., `{ qualifier: "target" }` + `target: "staging"` produces `deploy(staging)`.
+- `value` (optional) — arg name whose value is matched by the glob portion. E.g., `{ qualifier: "action", value: "path" }` produces `mytool(read:configs/**)`.
+
+Without `permissionKey`, the only available pattern is `toolname(*)`.
+
 ## Skills
 
 Skills are reusable prompt instructions (with optional tools) that the agent activates on-demand. Browse and install from [skills.sh](https://skills.sh):
@@ -234,22 +274,84 @@ Or set it permanently:
 
 ## Permissions
 
-In REPL mode, ag prompts before executing mutating operations:
+In REPL mode, ag prompts before executing mutating operations. You can allow once, remember for the session, or save to the project:
 
 ```
-  ? bash: npm test (y/n) y
+  ? bash: npm test (y)es / (a)lways / (p)roject / (n)o a
+  + Session rule: bash(npm:*)
   ✓ [bash] All tests passed
-  ? file(write): src/utils.ts (y/n) y
+  ? file(write): src/utils.ts (y)es / (a)lways / (p)roject / (n)o p
+  + Saved to .ag/permissions.json: file(write:src/**)
   ✓ [file] Wrote src/utils.ts (24 lines, 680B)
 ```
 
+**Prompt options:**
+- **y** — allow this one time
+- **a** — allow and remember the pattern for this session
+- **p** — allow and save the pattern to project (`.ag/permissions.json`)
+- **n** — deny this one time
+
+### Pattern Syntax
+
+Patterns use `Tool(qualifier:glob)` format:
+
+| Pattern | Matches |
+|---------|---------|
+| `bash(npm:*)` | Any bash command starting with `npm` |
+| `bash(git:*)` | Any bash command starting with `git` |
+| `file(write:src/**)` | File writes anywhere under `src/` |
+| `file(edit:*)` | All file edits |
+| `git(commit)` | Git commit |
+| `web(fetch:*github.com*)` | Fetch from GitHub domains |
+| `bash(*)` | All bash commands |
+| `*` | Everything |
+
+### Rule Scopes
+
+| Scope | Storage | Lifetime |
+|-------|---------|----------|
+| Session | In-memory | Until REPL exits |
+| Project | `.ag/permissions.json` | Persists across sessions |
+| Global | `~/.ag/permissions.json` | Persists everywhere |
+
+Deny rules always override allow rules. Use `/permissions` to manage rules interactively.
+
+### Built-in Classifications
+
 **Always allowed (no prompt):** `file(read)`, `file(list)`, `grep(*)`, `memory(*)`, `plan(*)`, `skill(*)`, `git(status)`, `web(search)`
 
 **Prompted:** `bash`, `file(write)`, `file(edit)`, `git(commit/push/branch)`, `web(fetch)`
 
 **Always blocked:** `rm -rf /`, fork bombs, `sudo rm`, pipe-to-shell (enforced in code regardless of approval)
 
-Skip prompts with `ag -y` or `--yes`. One-shot mode (`ag "query"`) auto-approves.
+Skip all prompts with `ag -y` or `--yes`. One-shot mode (`ag "query"`) auto-approves.
+
+## Guardrails
+
+All externally-loaded tools and skills are scanned at load time for prompt injection and other security issues. This applies to:
+
+- Custom tools (`.mjs` files in `~/.ag/tools/` and `.ag/tools/`)
+- Skills (`SKILL.md` files in `~/.ag/skills/` and `.ag/skills/`)
+- Skills installed from the registry via `/skill add`
+
+**What gets checked:**
+
+| Category | Severity | Examples |
+|----------|----------|---------|
+| Direct injection | Block | "ignore previous instructions", "system override", "reveal prompt" |
+| Encoded payloads | Block | Base64-encoded injection attempts, HTML entity obfuscation |
+| Hidden content | Block | HTML comments with instructions, zero-width characters, control chars |
+| Exfiltration | Block/Warn | `fetch()` calls in descriptions (block), URLs/emails (warn) |
+| Suspicious overrides | Warn | "bypass security", "auto-approve", "run without permission" |
+
+**Blocked** items are skipped entirely with a warning. **Warned** items still load but emit a warning to stderr:
+
+```
+Warning: evil-tool.mjs blocked by guardrails: tool "evil" description: prompt injection: "ignore previous instructions"
+Warning: shady-tool.mjs: tool "shady" description: description contains URL
+```
+
+When installing a skill from the registry, files are scanned before being written to disk. If the core `SKILL.md` is blocked, the entire installation is aborted.
 
 ## Streaming
 

package/dist/cli/repl.d.ts

@@ -1,14 +1,19 @@
 import { Interface } from 'node:readline';
 import { Agent } from '../core/agent.js';
+import { PermissionManager } from '../core/permissions.js';
 import type { ConfirmToolCall } from '../core/types.js';
 export declare function createConfirmCallback(sharedRl?: Interface): ConfirmToolCall & {
     pauseSpinner: (() => void) | null;
 };
+export declare function createPermissionCallback(pm: PermissionManager, sharedRl?: Interface): ConfirmToolCall & {
+    pauseSpinner: (() => void) | null;
+};
 export declare class REPL {
     private readonly agent;
     private readonly rl;
-    private readonly confirmCb;
-    constructor(agent: Agent, confirmCb?: ReturnType<typeof createConfirmCallback>);
+    private readonly pm;
+    private confirmCb;
+    constructor(agent: Agent, pm?: PermissionManager, confirmCb?: ReturnType<typeof createPermissionCallback>);
     start(): Promise<void>;
     private handleCommand;
     private ask;

package/dist/cli/repl.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"repl.d.ts","sourceRoot":"","sources":["../../src/cli/repl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmB,SAAS,EAAsB,MAAM,eAAe,CAAC;AAC/E,OAAO,EAAE,KAAK,EAA0B,MAAM,kBAAkB,CAAC;AAKjE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAoBxD,wBAAgB,qBAAqB,CAAC,QAAQ,CAAC,EAAE,SAAS,GAAG,eAAe,GAAG;IAAE,YAAY,EAAE,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,CAAA;CAAE,CAuBnH;AA8GD,qBAAa,IAAI;IACf,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAY;IAC/B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAkD;gBAEhE,KAAK,EAAE,KAAK,EAAE,SAAS,CAAC,EAAE,UAAU,CAAC,OAAO,qBAAqB,CAAC;IAcxE,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YA6Ld,aAAa;IAwU3B,OAAO,CAAC,GAAG;CAGZ"}
+{"version":3,"file":"repl.d.ts","sourceRoot":"","sources":["../../src/cli/repl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmB,SAAS,EAAsB,MAAM,eAAe,CAAC;AAC/E,OAAO,EAAE,KAAK,EAA0B,MAAM,kBAAkB,CAAC;AAKjE,OAAO,EAAE,iBAAiB,EAAgB,MAAM,wBAAwB,CAAC;AACzE,OAAO,KAAK,EAAE,eAAe,EAAiB,MAAM,kBAAkB,CAAC;AAqCvE,wBAAgB,qBAAqB,CAAC,QAAQ,CAAC,EAAE,SAAS,GAAG,eAAe,GAAG;IAAE,YAAY,EAAE,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,CAAA;CAAE,CAgBnH;AAED,wBAAgB,wBAAwB,CAAC,EAAE,EAAE,iBAAiB,EAAE,QAAQ,CAAC,EAAE,SAAS,GAAG,eAAe,GAAG;IAAE,YAAY,EAAE,CAAC,MAAM,IAAI,CAAC,GAAG,IAAI,CAAA;CAAE,CAiD7I;AA8GD,qBAAa,IAAI;IACf,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;IAC9B,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAY;IAC/B,OAAO,CAAC,QAAQ,CAAC,EAAE,CAA2B;IAC9C,OAAO,CAAC,SAAS,CAAqD;gBAE1D,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,iBAAiB,EAAE,SAAS,CAAC,EAAE,UAAU,CAAC,OAAO,wBAAwB,CAAC;IAqBnG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;YAwMd,aAAa;IA8Y3B,OAAO,CAAC,GAAG;CAGZ"}

package/dist/cli/repl.js

@@ -3,6 +3,7 @@ import { loadConfig, saveConfig, configPath } from '../core/config.js';
 import { searchRegistry, installSkill, removeSkill, formatInstalls } from '../core/registry.js';
 import { C, renderMarkdown } from '../core/colors.js';
 import { VERSION } from '../core/version.js';
+import { inferPattern } from '../core/permissions.js';
 function truncateCommand(command, maxLen = 80) {
     const firstLine = command.split('\n')[0];
     if (firstLine.length <= maxLen) {
@@ -19,29 +20,90 @@ function formatToolSummary(toolName, args) {
         default: return `${toolName}(${JSON.stringify(args).slice(0, 80)})`;
     }
 }
+function promptQuestion(prompt, sharedRl) {
+    if (sharedRl) {
+        // Shared readline already manages terminal — no raw mode changes needed
+        return new Promise(resolve => sharedRl.question(prompt, resolve));
+    }
+    // Fallback: create a temporary readline; exit raw mode so it can work properly
+    const wasRaw = process.stdin.isTTY && process.stdin.isRaw;
+    if (wasRaw)
+        process.stdin.setRawMode(false);
+    return new Promise(resolve => {
+        const rl = createInterface({ input: process.stdin, output: process.stderr });
+        rl.question(prompt, a => { rl.close(); resolve(a); });
+    }).finally(() => { if (wasRaw)
+        process.stdin.setRawMode(true); });
+}
+const SIMPLE_OPTS = `    ${C.cyan}y${C.reset}/${C.cyan}n${C.reset} > `;
+const FULL_OPTS = `    ${C.cyan}y${C.reset}/${C.cyan}n${C.reset}  ${C.dim}a${C.reset}=${C.dim}always  ${C.dim}p${C.reset}=${C.dim}project  ${C.dim}d${C.reset}=${C.dim}deny session  ${C.dim}D${C.reset}=${C.dim}deny project${C.reset} > `;
 export function createConfirmCallback(sharedRl) {
     const cb = async (toolName, args) => {
-        // Stop any active spinner before prompting
+        // Stop any active spinner before prompting — clear line to avoid garbled output
         if (cb.pauseSpinner) {
             cb.pauseSpinner();
             cb.pauseSpinner = null;
         }
+        process.stderr.write('\x1b[K'); // ensure current line is clear
         const summary = formatToolSummary(toolName, args);
-        if (sharedRl) {
-            return new Promise(resolve => {
-                sharedRl.question(`  ${C.yellow}?${C.reset} ${C.dim}${summary}${C.reset} ${C.yellow}(y/n)${C.reset} `, answer => {
-                    resolve(answer.trim().toLowerCase() === 'n' ? 'deny' : 'allow');
-                });
-            });
+        process.stderr.write(`  ${C.yellow}?${C.reset} ${C.dim}${summary}${C.reset}\n`);
+        const answer = await promptQuestion(SIMPLE_OPTS, sharedRl);
+        if (answer.trim().toLowerCase() === 'n') {
+            process.stderr.write(`  ${C.red}−${C.reset} ${C.dim}Denied${C.reset}\n`);
+            return 'deny';
+        }
+        return 'allow';
+    };
+    cb.pauseSpinner = null;
+    return cb;
+}
+export function createPermissionCallback(pm, sharedRl) {
+    const cb = async (toolName, args, permissionKey) => {
+        // Check permission rules first
+        const decision = pm.check(toolName, args, permissionKey);
+        if (decision === 'allow')
+            return 'allow';
+        if (decision === 'deny')
+            return 'deny';
+        // Stop any active spinner before prompting — clear line to avoid garbled output
+        if (cb.pauseSpinner) {
+            cb.pauseSpinner();
+            cb.pauseSpinner = null;
+        }
+        process.stderr.write('\x1b[K'); // ensure current line is clear
+        const summary = formatToolSummary(toolName, args);
+        const pattern = inferPattern(toolName, args, permissionKey);
+        process.stderr.write(`  ${C.yellow}?${C.reset} ${C.dim}${summary}${C.reset}\n`);
+        const answer = await promptQuestion(FULL_OPTS, sharedRl);
+        // Check for uppercase D before lowercasing
+        const raw = answer.trim();
+        if (raw === 'D') {
+            pm.addRule({ pattern, effect: 'deny' }, 'project');
+            pm.save('project');
+            process.stderr.write(`  ${C.red}−${C.reset} ${C.dim}Saved deny to .ag/permissions.json: ${pattern}${C.reset}\n`);
+            return 'deny';
+        }
+        const choice = raw.toLowerCase();
+        switch (choice) {
+            case 'a':
+                pm.addRule({ pattern, effect: 'allow' }, 'session');
+                process.stderr.write(`  ${C.green}+${C.reset} ${C.dim}Session rule: ${pattern}${C.reset}\n`);
+                return 'allow';
+            case 'p':
+                pm.addRule({ pattern, effect: 'allow' }, 'project');
+                pm.save('project');
+                process.stderr.write(`  ${C.green}+${C.reset} ${C.dim}Saved to .ag/permissions.json: ${pattern}${C.reset}\n`);
+                return 'allow';
+            case 'n':
+                process.stderr.write(`  ${C.red}−${C.reset} ${C.dim}Denied: ${pattern}${C.reset}\n`);
+                return 'deny';
+            case 'd':
+                pm.addRule({ pattern, effect: 'deny' }, 'session');
+                process.stderr.write(`  ${C.red}−${C.reset} ${C.dim}Session deny: ${pattern}${C.reset}\n`);
+                return 'deny';
+            default: // 'y' or anything else = allow once
+                return 'allow';
         }
-        // Fallback: create a temporary readline (non-REPL usage)
-        const rl = createInterface({ input: process.stdin, output: process.stderr });
-        return new Promise(resolve => {
-            rl.question(`  ${C.yellow}?${C.reset} ${C.dim}${summary}${C.reset} ${C.yellow}(y/n)${C.reset} `, answer => {
-                rl.close();
-                resolve(answer.trim().toLowerCase() === 'n' ? 'deny' : 'allow');
-            });
-        });
     };
     cb.pauseSpinner = null;
     return cb;
@@ -145,12 +207,21 @@ function maskKey(key) {
 export class REPL {
     agent;
     rl;
+    pm;
     confirmCb;
-    constructor(agent, confirmCb) {
+    constructor(agent, pm, confirmCb) {
         this.agent = agent;
+        this.pm = pm ?? null;
         this.rl = createInterface({ input: process.stdin, output: process.stderr });
         // Rebind the confirm callback to use the shared readline
-        if (confirmCb) {
+        if (confirmCb && pm) {
+            const shared = createPermissionCallback(pm, this.rl);
+            shared.pauseSpinner = confirmCb.pauseSpinner;
+            this.confirmCb = shared;
+            this.agent.setConfirmToolCall(shared);
+        }
+        else if (confirmCb) {
+            // Fallback: no permission manager, use basic confirm
             const shared = createConfirmCallback(this.rl);
             shared.pauseSpinner = confirmCb.pauseSpinner;
             this.confirmCb = shared;
@@ -163,16 +234,28 @@ export class REPL {
     async start() {
         const stats = this.agent.getStats();
         const skills = this.agent.getSkills();
+        console.error('');
         console.error(`${C.bold}ag v${VERSION}${C.reset} ${C.dim}(${this.agent.getModel()} via OpenRouter)${C.reset}`);
+        const customTools = this.agent.getTools().filter(t => !t.isBuiltin);
         const loaded = [
             stats.globalMemory && 'global',
             stats.projectMemory && 'project',
             stats.planCount > 0 && `${stats.planCount} plan(s)`,
             skills.length > 0 && `${skills.length} skill(s)`,
+            customTools.length > 0 && `${customTools.length} tool(s)`,
         ].filter(Boolean);
         if (loaded.length > 0) {
             console.error(`${C.dim}Loaded: ${loaded.join(', ')}${C.reset}`);
         }
+        for (const t of customTools) {
+            const desc = t.description.slice(0, 60) + (t.description.length > 60 ? '...' : '');
+            console.error(`  ${C.green}+${C.reset} ${C.cyan}${t.name}${C.reset}  ${C.dim}${desc}${C.reset}`);
+        }
+        for (const f of this.agent.getToolFailures()) {
+            const label = f.name ?? f.file;
+            const reason = f.reason.split('\n')[0].slice(0, 60) + (f.reason.length > 60 ? '...' : '');
+            console.error(`  ${C.red}−${C.reset} ${C.cyan}${label}${C.reset}  ${C.red}${reason}${C.reset}`);
+        }
         const activePlan = this.agent.getActivePlanName();
         if (activePlan) {
             const label = activePlan.replace(/^\d{4}-\d{2}-\d{2}T[\d-]+-?/, '').replace(/-/g, ' ').trim() || activePlan;
@@ -253,8 +336,7 @@ export class REPL {
                         const parts = lineBuf.split('\n');
                         lineBuf = final ? '' : (parts.pop() || '');
                         for (let i = 0; i < parts.length; i++) {
-                            const rendered = renderMarkdown(parts[i]);
-                            process.stderr.write(rendered + '\n');
+                            process.stderr.write(renderMarkdown(parts[i]) + '\n');
                         }
                         if (final && lineBuf) {
                             process.stderr.write(renderMarkdown(lineBuf));
@@ -403,6 +485,11 @@ export class REPL {
                 console.error(`  ${C.cyan}/skill search [query]${C.reset}  Search skills.sh`);
                 console.error(`  ${C.cyan}/skill add <source>${C.reset}    Install skill from registry`);
                 console.error(`  ${C.cyan}/skill remove <name>${C.reset}   Uninstall a skill`);
+                console.error(`  ${C.cyan}/permissions${C.reset}            Show permission rules`);
+                console.error(`  ${C.cyan}/permissions allow <p>${C.reset}  Add allow rule (session)`);
+                console.error(`  ${C.cyan}/permissions deny <p>${C.reset}   Add deny rule (session)`);
+                console.error(`  ${C.cyan}/permissions save${C.reset}       Save session rules to project`);
+                console.error(`  ${C.cyan}/permissions clear${C.reset}      Clear session rules`);
                 console.error(`  ${C.cyan}/exit${C.reset}                  Exit`);
                 console.error('');
                 break;
@@ -599,12 +686,16 @@ export class REPL {
                         // Apply immediately: toggle confirmation prompts in this session
                         if (parsed) {
                             this.agent.setConfirmToolCall(null);
+                            this.confirmCb = null;
                             console.error(`${C.green}Auto-approve enabled — tool calls will no longer prompt.${C.reset}`);
                         }
                         else {
-                            const freshCb = createConfirmCallback(this.rl);
+                            const freshCb = this.pm
+                                ? createPermissionCallback(this.pm, this.rl)
+                                : createConfirmCallback(this.rl);
                             if (this.confirmCb)
                                 freshCb.pauseSpinner = this.confirmCb.pauseSpinner;
+                            this.confirmCb = freshCb;
                             this.agent.setConfirmToolCall(freshCb);
                             console.error(`${C.yellow}Auto-approve disabled — tool calls will prompt again.${C.reset}`);
                         }
@@ -628,9 +719,12 @@ export class REPL {
                         this.agent.setModel('anthropic/claude-sonnet-4.6');
                     }
                     if (key === 'autoApprove') {
-                        const freshCb = createConfirmCallback(this.rl);
+                        const freshCb = this.pm
+                            ? createPermissionCallback(this.pm, this.rl)
+                            : createConfirmCallback(this.rl);
                         if (this.confirmCb)
                             freshCb.pauseSpinner = this.confirmCb.pauseSpinner;
+                        this.confirmCb = freshCb;
                         this.agent.setConfirmToolCall(freshCb);
                     }
                     console.error(`${C.yellow}Config: ${key} removed${C.reset}\n`);
@@ -670,7 +764,8 @@ export class REPL {
                 const tools = this.agent.getTools();
                 console.error(`${C.bold}Tools (${tools.length}):${C.reset}`);
                 for (const t of tools) {
-                    console.error(`  ${C.cyan}${t.name}${C.reset}  ${C.dim}${t.description.slice(0, 60)}${t.description.length > 60 ? '...' : ''}${C.reset}`);
+                    const prefix = t.isBuiltin ? ' ' : `${C.green}+${C.reset}`;
+                    console.error(`  ${prefix} ${C.cyan}${t.name}${C.reset}  ${C.dim}${t.description.slice(0, 60)}${t.description.length > 60 ? '...' : ''}${C.reset}`);
                 }
                 console.error('');
                 break;
@@ -743,6 +838,69 @@ export class REPL {
                 }
                 break;
             }
+            // ── /permissions ────────────────────────────────────────────────────
+            case 'permissions':
+            case 'perms': {
+                if (!this.pm) {
+                    console.error(`${C.dim}Permissions not available (auto-approve mode).${C.reset}\n`);
+                    break;
+                }
+                const subCmd = args[0]?.toLowerCase();
+                if (subCmd === 'allow' && args[1]) {
+                    const pattern = args.slice(1).join(' ');
+                    this.pm.addRule({ pattern, effect: 'allow' }, 'session');
+                    console.error(`${C.green}+ Session allow: ${pattern}${C.reset}\n`);
+                }
+                else if (subCmd === 'deny' && args[1]) {
+                    const pattern = args.slice(1).join(' ');
+                    this.pm.addRule({ pattern, effect: 'deny' }, 'session');
+                    console.error(`${C.green}+ Session deny: ${pattern}${C.reset}\n`);
+                }
+                else if (subCmd === 'save') {
+                    const scope = args[1]?.toLowerCase() === 'global' ? 'global' : 'project';
+                    this.pm.save(scope);
+                    console.error(`${C.yellow}Saved to ${scope} permissions.${C.reset}\n`);
+                }
+                else if (subCmd === 'clear') {
+                    const scope = args[1]?.toLowerCase();
+                    if (scope === 'project' || scope === 'global') {
+                        this.pm.clear(scope);
+                        this.pm.save(scope);
+                        console.error(`${C.yellow}Cleared ${scope} permissions.${C.reset}\n`);
+                    }
+                    else {
+                        this.pm.clear('session');
+                        console.error(`${C.yellow}Cleared session permissions.${C.reset}\n`);
+                    }
+                }
+                else if (subCmd === 'remove' && args[1]) {
+                    const pattern = args.slice(1).join(' ');
+                    const removed = this.pm.removeRule(pattern, 'session')
+                        || this.pm.removeRule(pattern, 'project')
+                        || this.pm.removeRule(pattern, 'global');
+                    if (removed) {
+                        console.error(`${C.yellow}Removed: ${pattern}${C.reset}\n`);
+                    }
+                    else {
+                        console.error(`${C.dim}No matching rule found.${C.reset}\n`);
+                    }
+                }
+                else {
+                    // List all rules
+                    const rules = this.pm.getRules();
+                    if (rules.length === 0) {
+                        console.error(`${C.dim}No permission rules. Approve with (a)lways or (p)roject to add rules.${C.reset}\n`);
+                        break;
+                    }
+                    console.error(`${C.bold}Permission Rules:${C.reset}`);
+                    for (const r of rules) {
+                        const icon = r.effect === 'allow' ? `${C.green}✓` : `${C.red}✗`;
+                        console.error(`  ${icon} ${C.dim}[${r.scope}]${C.reset} ${r.effect} ${C.cyan}${r.pattern}${C.reset}`);
+                    }
+                    console.error('');
+                }
+                break;
+            }
             // ── /exit ─────────────────────────────────────────────────────────
             case 'exit':
             case 'quit':