npm - @elliotding/ai-agent-mcp - Versions diffs - 0.1.25 → 0.1.26 - Mend

@elliotding/ai-agent-mcp 0.1.25 → 0.1.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (237) hide show

package/package.json +4 -1
package/.prompt-cache/cmd-cmd-client-sdk-ai-hub-generate-testcase.md +0 -101
package/.prompt-cache/cmd-cmd-client-sdk-ai-hub-submit_zct_job.md +0 -158
package/.prompt-cache/skill-skill-client-sdk-ai-hub-analyze-conf-status.md +0 -311
package/.prompt-cache/skill-skill-client-sdk-ai-hub-analyze-sdk-log.md +0 -64
package/.prompt-cache/skill-skill-client-sdk-ai-hub-analyze-zmb-log-errors.md +0 -84
package/ai-resource-telemetry.json +0 -40
package/dist/api/cached-client.d.ts +0 -48
package/dist/api/cached-client.d.ts.map +0 -1
package/dist/api/cached-client.js +0 -126
package/dist/api/cached-client.js.map +0 -1
package/dist/api/client.d.ts +0 -281
package/dist/api/client.d.ts.map +0 -1
package/dist/api/client.js +0 -371
package/dist/api/client.js.map +0 -1
package/dist/auth/index.d.ts +0 -8
package/dist/auth/index.d.ts.map +0 -1
package/dist/auth/index.js +0 -26
package/dist/auth/index.js.map +0 -1
package/dist/auth/middleware.d.ts +0 -36
package/dist/auth/middleware.d.ts.map +0 -1
package/dist/auth/middleware.js +0 -194
package/dist/auth/middleware.js.map +0 -1
package/dist/auth/permissions.d.ts +0 -60
package/dist/auth/permissions.d.ts.map +0 -1
package/dist/auth/permissions.js +0 -262
package/dist/auth/permissions.js.map +0 -1
package/dist/auth/token-validator.d.ts +0 -52
package/dist/auth/token-validator.d.ts.map +0 -1
package/dist/auth/token-validator.js +0 -215
package/dist/auth/token-validator.js.map +0 -1
package/dist/cache/cache-manager.d.ts +0 -49
package/dist/cache/cache-manager.d.ts.map +0 -1
package/dist/cache/cache-manager.js +0 -191
package/dist/cache/cache-manager.js.map +0 -1
package/dist/cache/index.d.ts +0 -6
package/dist/cache/index.d.ts.map +0 -1
package/dist/cache/index.js +0 -12
package/dist/cache/index.js.map +0 -1
package/dist/cache/redis-client.d.ts +0 -45
package/dist/cache/redis-client.d.ts.map +0 -1
package/dist/cache/redis-client.js +0 -210
package/dist/cache/redis-client.js.map +0 -1
package/dist/config/constants.d.ts +0 -28
package/dist/config/constants.d.ts.map +0 -1
package/dist/config/constants.js +0 -31
package/dist/config/constants.js.map +0 -1
package/dist/config/index.d.ts +0 -71
package/dist/config/index.d.ts.map +0 -1
package/dist/config/index.js +0 -190
package/dist/config/index.js.map +0 -1
package/dist/filesystem/manager.d.ts +0 -45
package/dist/filesystem/manager.d.ts.map +0 -1
package/dist/filesystem/manager.js +0 -246
package/dist/filesystem/manager.js.map +0 -1
package/dist/git/multi-source-manager.d.ts +0 -78
package/dist/git/multi-source-manager.d.ts.map +0 -1
package/dist/git/multi-source-manager.js +0 -577
package/dist/git/multi-source-manager.js.map +0 -1
package/dist/git/operations.d.ts +0 -27
package/dist/git/operations.d.ts.map +0 -1
package/dist/git/operations.js +0 -83
package/dist/git/operations.js.map +0 -1
package/dist/index.d.ts +0 -6
package/dist/index.d.ts.map +0 -1
package/dist/index.js +0 -122
package/dist/index.js.map +0 -1
package/dist/monitoring/health.d.ts +0 -35
package/dist/monitoring/health.d.ts.map +0 -1
package/dist/monitoring/health.js +0 -105
package/dist/monitoring/health.js.map +0 -1
package/dist/prompts/cache.d.ts +0 -69
package/dist/prompts/cache.d.ts.map +0 -1
package/dist/prompts/cache.js +0 -163
package/dist/prompts/cache.js.map +0 -1
package/dist/prompts/generator.d.ts +0 -49
package/dist/prompts/generator.d.ts.map +0 -1
package/dist/prompts/generator.js +0 -160
package/dist/prompts/generator.js.map +0 -1
package/dist/prompts/index.d.ts +0 -13
package/dist/prompts/index.d.ts.map +0 -1
package/dist/prompts/index.js +0 -24
package/dist/prompts/index.js.map +0 -1
package/dist/prompts/manager.d.ts +0 -207
package/dist/prompts/manager.d.ts.map +0 -1
package/dist/prompts/manager.js +0 -566
package/dist/prompts/manager.js.map +0 -1
package/dist/resources/index.d.ts +0 -6
package/dist/resources/index.d.ts.map +0 -1
package/dist/resources/index.js +0 -10
package/dist/resources/index.js.map +0 -1
package/dist/resources/loader.d.ts +0 -88
package/dist/resources/loader.d.ts.map +0 -1
package/dist/resources/loader.js +0 -492
package/dist/resources/loader.js.map +0 -1
package/dist/server/http.d.ts +0 -57
package/dist/server/http.d.ts.map +0 -1
package/dist/server/http.js +0 -435
package/dist/server/http.js.map +0 -1
package/dist/server.d.ts +0 -13
package/dist/server.d.ts.map +0 -1
package/dist/server.js +0 -201
package/dist/server.js.map +0 -1
package/dist/session/manager.d.ts +0 -91
package/dist/session/manager.d.ts.map +0 -1
package/dist/session/manager.js +0 -251
package/dist/session/manager.js.map +0 -1
package/dist/telemetry/index.d.ts +0 -3
package/dist/telemetry/index.d.ts.map +0 -1
package/dist/telemetry/index.js +0 -7
package/dist/telemetry/index.js.map +0 -1
package/dist/telemetry/manager.d.ts +0 -151
package/dist/telemetry/manager.d.ts.map +0 -1
package/dist/telemetry/manager.js +0 -367
package/dist/telemetry/manager.js.map +0 -1
package/dist/tools/index.d.ts +0 -13
package/dist/tools/index.d.ts.map +0 -1
package/dist/tools/index.js +0 -29
package/dist/tools/index.js.map +0 -1
package/dist/tools/manage-subscription.d.ts +0 -47
package/dist/tools/manage-subscription.d.ts.map +0 -1
package/dist/tools/manage-subscription.js +0 -317
package/dist/tools/manage-subscription.js.map +0 -1
package/dist/tools/registry.d.ts +0 -40
package/dist/tools/registry.d.ts.map +0 -1
package/dist/tools/registry.js +0 -85
package/dist/tools/registry.js.map +0 -1
package/dist/tools/resolve-prompt-content.d.ts +0 -35
package/dist/tools/resolve-prompt-content.d.ts.map +0 -1
package/dist/tools/resolve-prompt-content.js +0 -99
package/dist/tools/resolve-prompt-content.js.map +0 -1
package/dist/tools/search-resources.d.ts +0 -35
package/dist/tools/search-resources.d.ts.map +0 -1
package/dist/tools/search-resources.js +0 -159
package/dist/tools/search-resources.js.map +0 -1
package/dist/tools/sync-resources.d.ts +0 -54
package/dist/tools/sync-resources.d.ts.map +0 -1
package/dist/tools/sync-resources.js +0 -735
package/dist/tools/sync-resources.js.map +0 -1
package/dist/tools/track-usage.d.ts +0 -63
package/dist/tools/track-usage.d.ts.map +0 -1
package/dist/tools/track-usage.js +0 -90
package/dist/tools/track-usage.js.map +0 -1
package/dist/tools/uninstall-resource.d.ts +0 -30
package/dist/tools/uninstall-resource.d.ts.map +0 -1
package/dist/tools/uninstall-resource.js +0 -174
package/dist/tools/uninstall-resource.js.map +0 -1
package/dist/tools/upload-resource.d.ts +0 -81
package/dist/tools/upload-resource.d.ts.map +0 -1
package/dist/tools/upload-resource.js +0 -393
package/dist/tools/upload-resource.js.map +0 -1
package/dist/transport/sse.d.ts +0 -29
package/dist/transport/sse.d.ts.map +0 -1
package/dist/transport/sse.js +0 -271
package/dist/transport/sse.js.map +0 -1
package/dist/types/errors.d.ts +0 -60
package/dist/types/errors.d.ts.map +0 -1
package/dist/types/errors.js +0 -112
package/dist/types/errors.js.map +0 -1
package/dist/types/index.d.ts +0 -7
package/dist/types/index.d.ts.map +0 -1
package/dist/types/index.js +0 -23
package/dist/types/index.js.map +0 -1
package/dist/types/mcp.d.ts +0 -50
package/dist/types/mcp.d.ts.map +0 -1
package/dist/types/mcp.js +0 -6
package/dist/types/mcp.js.map +0 -1
package/dist/types/resources.d.ts +0 -109
package/dist/types/resources.d.ts.map +0 -1
package/dist/types/resources.js +0 -7
package/dist/types/resources.js.map +0 -1
package/dist/types/tools.d.ts +0 -253
package/dist/types/tools.d.ts.map +0 -1
package/dist/types/tools.js +0 -6
package/dist/types/tools.js.map +0 -1
package/dist/utils/cursor-paths.d.ts +0 -84
package/dist/utils/cursor-paths.d.ts.map +0 -1
package/dist/utils/cursor-paths.js +0 -166
package/dist/utils/cursor-paths.js.map +0 -1
package/dist/utils/log-cleaner.d.ts +0 -18
package/dist/utils/log-cleaner.d.ts.map +0 -1
package/dist/utils/log-cleaner.js +0 -112
package/dist/utils/log-cleaner.js.map +0 -1
package/dist/utils/logger.d.ts +0 -59
package/dist/utils/logger.d.ts.map +0 -1
package/dist/utils/logger.js +0 -292
package/dist/utils/logger.js.map +0 -1
package/dist/utils/validation.d.ts +0 -58
package/dist/utils/validation.d.ts.map +0 -1
package/dist/utils/validation.js +0 -214
package/dist/utils/validation.js.map +0 -1
package/src/api/cached-client.ts +0 -144
package/src/api/client.ts +0 -697
package/src/auth/index.ts +0 -11
package/src/auth/middleware.ts +0 -244
package/src/auth/permissions.ts +0 -323
package/src/auth/token-validator.ts +0 -292
package/src/cache/cache-manager.ts +0 -243
package/src/cache/index.ts +0 -6
package/src/cache/redis-client.ts +0 -249
package/src/config/constants.ts +0 -33
package/src/config/index.ts +0 -269
package/src/filesystem/manager.ts +0 -235
package/src/git/multi-source-manager.ts +0 -654
package/src/git/operations.ts +0 -93
package/src/index.ts +0 -157
package/src/monitoring/health.ts +0 -132
package/src/prompts/cache.ts +0 -140
package/src/prompts/generator.ts +0 -143
package/src/prompts/index.ts +0 -20
package/src/prompts/manager.ts +0 -718
package/src/resources/index.ts +0 -13
package/src/resources/loader.ts +0 -563
package/src/server/http.ts +0 -549
package/src/server.ts +0 -206
package/src/session/manager.ts +0 -296
package/src/telemetry/index.ts +0 -10
package/src/telemetry/manager.ts +0 -419
package/src/tools/index.ts +0 -13
package/src/tools/manage-subscription.ts +0 -388
package/src/tools/registry.ts +0 -97
package/src/tools/resolve-prompt-content.ts +0 -113
package/src/tools/search-resources.ts +0 -185
package/src/tools/sync-resources.ts +0 -829
package/src/tools/track-usage.ts +0 -113
package/src/tools/uninstall-resource.ts +0 -199
package/src/tools/upload-resource.ts +0 -431
package/src/transport/sse.ts +0 -308
package/src/types/errors.ts +0 -146
package/src/types/index.ts +0 -7
package/src/types/mcp.ts +0 -61
package/src/types/resources.ts +0 -141
package/src/types/tools.ts +0 -305
package/src/utils/cursor-paths.ts +0 -135
package/src/utils/log-cleaner.ts +0 -92
package/src/utils/logger.ts +0 -333
package/src/utils/validation.ts +0 -262

package/src/auth/middleware.ts DELETED Viewed

@@ -1,244 +0,0 @@
-/**
- * Authentication and Permission Middlewares
- * Token authentication and permission checking for HTTP endpoints
- */
-import { FastifyRequest, FastifyReply } from 'fastify';
-import { verifyToken, TokenPayload } from './token-validator';
-import { checkPermission } from './permissions';
-import { logger } from '../utils/logger';
-/**
- * Extended request with user info
- */
-export interface AuthenticatedRequest extends FastifyRequest {
-  user?: TokenPayload;
-}
-/**
- * Token Authentication Middleware
- * Verifies token via external REST API
- */
-export async function tokenAuthMiddleware(
-  request: AuthenticatedRequest,
-  reply: FastifyReply
-): Promise<void> {
-  try {
-    // Extract token from Authorization header
-    const authHeader = request.headers.authorization;
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-      logger.warn(
-        {
-          type: 'auth',
-          operation: 'middleware',
-          ip: request.ip,
-          url: request.url
-        },
-        'Missing or invalid Authorization header'
-      );
-      reply.code(401).send({
-        error: 'Unauthorized',
-        message: 'Missing or invalid Authorization header. Expected: Bearer <token>',
-      });
-      return;
-    }
-    const token = authHeader.substring(7); // Remove 'Bearer ' prefix
-    // Verify token via external API
-    const payload = await verifyToken(token);
-    if (!payload) {
-      logger.warn(
-        {
-          type: 'auth',
-          operation: 'middleware',
-          ip: request.ip,
-          url: request.url
-        },
-        'Token validation failed'
-      );
-      reply.code(401).send({
-        error: 'Unauthorized',
-        message: 'Invalid or expired token',
-      });
-      return;
-    }
-    // Attach user info to request
-    request.user = payload;
-    logger.debug(
-      {
-        type: 'auth',
-        operation: 'middleware',
-        userId: payload.userId,
-        email: payload.email,
-        groups: payload.groups
-      },
-      `Token authentication successful for user ${payload.userId}`
-    );
-  } catch (error) {
-    logger.error({
-      type: 'auth',
-      operation: 'middleware',
-      error: error instanceof Error ? error.message : 'Unknown error'
-    }, 'Token authentication error');
-    reply.code(500).send({
-      error: 'Internal Server Error',
-      message: 'Authentication failed',
-    });
-  }
-}
-/**
- * Token Authentication Middleware with Legacy Bearer Token Support
- * Supports both token validation via API and legacy bearer tokens
- */
-export async function tokenAuthOrLegacyMiddleware(
-  request: AuthenticatedRequest,
-  reply: FastifyReply
-): Promise<void> {
-  try {
-    const authHeader = request.headers.authorization;
-    if (!authHeader || !authHeader.startsWith('Bearer ')) {
-      logger.warn(
-        {
-          type: 'auth',
-          operation: 'middleware_legacy',
-          ip: request.ip,
-          url: request.url
-        },
-        'Missing or invalid Authorization header'
-      );
-      reply.code(401).send({
-        error: 'Unauthorized',
-        message: 'Missing or invalid Authorization header',
-      });
-      return;
-    }
-    const token = authHeader.substring(7);
-    // Try to validate via API first
-    const payload = await verifyToken(token);
-    if (payload) {
-      // API validation successful
-      request.user = payload;
-      logger.debug(
-        {
-          type: 'auth',
-          operation: 'middleware_legacy',
-          userId: payload.userId,
-          email: payload.email,
-          groups: payload.groups
-        },
-        `Token validated via API for user ${payload.userId}`
-      );
-      return;
-    }
-    // Fallback to legacy bearer token (for backward compatibility)
-    logger.debug(
-      {
-        type: 'auth',
-        operation: 'middleware_legacy',
-        ip: request.ip
-      },
-      'API validation failed, using legacy bearer token mode'
-    );
-    // In legacy mode, we don't have user info, so continue without setting request.user
-    // The endpoint will handle the legacy token separately
-  } catch (error) {
-    logger.error({
-      type: 'auth',
-      operation: 'middleware_legacy',
-      error: error instanceof Error ? error.message : 'Unknown error'
-    }, 'Token authentication error');
-    reply.code(500).send({
-      error: 'Internal Server Error',
-      message: 'Authentication failed',
-    });
-  }
-}
-/**
- * Permission Check Middleware Factory
- * Creates middleware to check permissions for a specific tool
- */
-export function requirePermission(toolName: string) {
-  return async (request: AuthenticatedRequest, reply: FastifyReply): Promise<void> => {
-    try {
-      if (!request.user) {
-        logger.error(
-          {
-            type: 'auth',
-            operation: 'permission_check',
-            url: request.url
-          },
-          'Permission check called without authentication'
-        );
-        reply.code(401).send({
-          error: 'Unauthorized',
-          message: 'Authentication required',
-        });
-        return;
-      }
-      // Check permission
-      const permissionCheck = checkPermission(toolName, request.user.groups);
-      if (!permissionCheck.allowed) {
-        logger.warn(
-          {
-            type: 'auth',
-            operation: 'permission_check',
-            userId: request.user.userId,
-            email: request.user.email,
-            groups: request.user.groups,
-            toolName,
-            reason: permissionCheck.reason,
-          },
-          `Permission denied for user ${request.user.userId} to access tool ${toolName}`
-        );
-        reply.code(403).send({
-          error: 'Forbidden',
-          message: permissionCheck.reason || 'Insufficient permissions',
-        });
-        return;
-      }
-      logger.debug(
-        {
-          type: 'auth',
-          operation: 'permission_check',
-          userId: request.user.userId,
-          toolName
-        },
-        `Permission granted for user ${request.user.userId} to access tool ${toolName}`
-      );
-    } catch (error) {
-      logger.error({
-        type: 'auth',
-        operation: 'permission_check',
-        toolName,
-        error: error instanceof Error ? error.message : 'Unknown error'
-      }, 'Permission check error');
-      reply.code(500).send({
-        error: 'Internal Server Error',
-        message: 'Permission check failed',
-      });
-    }
-  };
-}
-/**
- * Permission Check for Tool Call
- * Checks permission when tools/call is invoked
- */
-export function checkToolCallPermission(
-  toolName: string,
-  user: TokenPayload
-): { allowed: boolean; reason?: string } {
-  return checkPermission(toolName, user.groups);
-}

package/src/auth/permissions.ts DELETED Viewed

@@ -1,323 +0,0 @@
-/**
- * Permission Control System
- * Group-based access control for MCP tools
- * Groups are obtained from CSP API /user/permissions (e.g., "zNet", "Client-Public")
- */
-import { logger, logAuthAttempt } from '../utils/logger';
-/**
- * Known groups from CSP
- * Users may belong to one or more groups
- */
-export const KnownGroups = {
-  ZNET: 'zNet',                      // zNet team - full access
-  CLIENT_PUBLIC: 'Client-Public',    // Client-Public team - standard access
-  ADMIN: 'admin',                    // Admin group - full access (if exists)
-} as const;
-/**
- * Permission level for operations
- */
-export enum PermissionLevel {
-  READ = 'read',
-  WRITE = 'write',
-  ADMIN = 'admin',
-}
-/**
- * Tool permission configuration
- */
-export interface ToolPermission {
-  tool: string;
-  allowedGroups: string[];  // Changed from requiredRole to allowedGroups
-  requiredPermission: PermissionLevel;
-}
-/**
- * Default permission rules for each tool
- * All authenticated users (with valid groups) can use these tools
- */
-const defaultPermissions: ToolPermission[] = [
-  // sync_resources - available to all authenticated users
-  {
-    tool: 'sync_resources',
-    allowedGroups: ['*'],  // * means all authenticated users
-    requiredPermission: PermissionLevel.WRITE,
-  },
-  // manage_subscription - available to all authenticated users
-  {
-    tool: 'manage_subscription',
-    allowedGroups: ['*'],
-    requiredPermission: PermissionLevel.WRITE,
-  },
-  // search_resources - read-only, all authenticated users
-  {
-    tool: 'search_resources',
-    allowedGroups: ['*'],
-    requiredPermission: PermissionLevel.READ,
-  },
-  // upload_resource - requires write permission
-  {
-    tool: 'upload_resource',
-    allowedGroups: ['*'],
-    requiredPermission: PermissionLevel.WRITE,
-  },
-  // uninstall_resource - requires write permission
-  {
-    tool: 'uninstall_resource',
-    allowedGroups: ['*'],
-    requiredPermission: PermissionLevel.WRITE,
-  },
-  // track_usage - internal telemetry tool, always allowed for all authenticated users
-  {
-    tool: 'track_usage',
-    allowedGroups: ['*'],
-    requiredPermission: PermissionLevel.WRITE,
-  },
-];
-/**
- * Custom permission rules (can be overridden via config)
- */
-let permissionRules: Map<string, ToolPermission> = new Map();
-/**
- * Initialize permission system
- */
-export function initializePermissions(customRules?: ToolPermission[]): void {
-  // Load default permissions
-  for (const perm of defaultPermissions) {
-    permissionRules.set(perm.tool, perm);
-  }
-  // Override with custom rules if provided
-  if (customRules && customRules.length > 0) {
-    logger.info(
-      { count: customRules.length },
-      'Loading custom permission rules'
-    );
-    for (const perm of customRules) {
-      permissionRules.set(perm.tool, perm);
-    }
-  }
-  logger.info(
-    { toolCount: permissionRules.size },
-    'Permission system initialized'
-  );
-}
-/**
- * Check if a user has permission to access a tool
- * @param toolName - The name of the tool to check
- * @param userGroups - The groups the user belongs to (from CSP API)
- */
-export function checkPermission(
-  toolName: string,
-  userGroups: string[]
-): { allowed: boolean; reason?: string } {
-  const checkStartTime = Date.now();
-  logger.debug({
-    type: 'permission_check',
-    toolName,
-    userGroups,
-    timestamp: new Date().toISOString()
-  }, `Checking permission for tool: ${toolName}`);
-  // Check if tool has permission rules
-  const permission = permissionRules.get(toolName);
-  if (!permission) {
-    // If no permission rule defined, deny by default
-    logger.warn({
-      type: 'permission_check',
-      toolName,
-      userGroups,
-      result: 'denied',
-      reason: 'no_rule',
-      timestamp: new Date().toISOString()
-    }, 'No permission rule found for tool, denying access');
-    logAuthAttempt('permission_check', false, {
-      toolName,
-      userGroups,
-      reason: 'no_rule',
-      duration: Date.now() - checkStartTime
-    });
-    return {
-      allowed: false,
-      reason: `Tool '${toolName}' has no permission rule defined`,
-    };
-  }
-  // If no groups provided, deny access
-  if (!userGroups || userGroups.length === 0) {
-    logger.warn(
-      {
-        type: 'permission_check',
-        toolName,
-        result: 'denied',
-        reason: 'no_groups',
-        timestamp: new Date().toISOString()
-      },
-      'Permission denied: user has no groups'
-    );
-    logAuthAttempt('permission_check', false, {
-      toolName,
-      reason: 'no_groups',
-      duration: Date.now() - checkStartTime
-    });
-    return {
-      allowed: false,
-      reason: `User must belong to at least one group to access tools`,
-    };
-  }
-  // Admin group bypasses all checks
-  if (userGroups.includes(KnownGroups.ADMIN) || userGroups.includes('admin')) {
-    logger.info(
-      {
-        type: 'permission_check',
-        toolName,
-        userGroups,
-        result: 'granted',
-        reason: 'admin_bypass',
-        duration: Date.now() - checkStartTime,
-        timestamp: new Date().toISOString()
-      },
-      'Admin group access granted'
-    );
-    logAuthAttempt('permission_check', true, {
-      toolName,
-      userGroups,
-      reason: 'admin',
-      duration: Date.now() - checkStartTime
-    });
-    return { allowed: true };
-  }
-  // Check if tool allows all authenticated users
-  if (permission.allowedGroups.includes('*')) {
-    logger.info(
-      {
-        type: 'permission_check',
-        toolName,
-        userGroups,
-        allowedGroups: permission.allowedGroups,
-        result: 'granted',
-        reason: 'wildcard',
-        duration: Date.now() - checkStartTime,
-        timestamp: new Date().toISOString()
-      },
-      'Permission granted (tool allows all authenticated users)'
-    );
-    logAuthAttempt('permission_check', true, {
-      toolName,
-      userGroups,
-      reason: 'wildcard',
-      duration: Date.now() - checkStartTime
-    });
-    return { allowed: true };
-  }
-  // Check if user belongs to any of the allowed groups
-  const hasAllowedGroup = userGroups.some((group) =>
-    permission.allowedGroups.includes(group)
-  );
-  if (!hasAllowedGroup) {
-    logger.warn(
-      {
-        type: 'permission_check',
-        toolName,
-        userGroups,
-        allowedGroups: permission.allowedGroups,
-        result: 'denied',
-        reason: 'group_mismatch',
-        duration: Date.now() - checkStartTime,
-        timestamp: new Date().toISOString()
-      },
-      'Permission denied: user not in allowed groups'
-    );
-    logAuthAttempt('permission_check', false, {
-      toolName,
-      userGroups,
-      allowedGroups: permission.allowedGroups,
-      reason: 'group_mismatch',
-      duration: Date.now() - checkStartTime
-    });
-    return {
-      allowed: false,
-      reason: `Tool '${toolName}' requires membership in one of: ${permission.allowedGroups.join(', ')}`,
-    };
-  }
-  logger.info(
-    {
-      type: 'permission_check',
-      toolName,
-      userGroups,
-      allowedGroups: permission.allowedGroups,
-      result: 'granted',
-      reason: 'group_match',
-      duration: Date.now() - checkStartTime,
-      timestamp: new Date().toISOString()
-    },
-    'Permission granted (user in allowed groups)'
-  );
-  logAuthAttempt('permission_check', true, {
-    toolName,
-    userGroups,
-    matchedGroups: userGroups.filter(g => permission.allowedGroups.includes(g)),
-    duration: Date.now() - checkStartTime
-  });
-  return { allowed: true };
-}
-/**
- * Get permission info for a tool
- */
-export function getToolPermission(toolName: string): ToolPermission | undefined {
-  return permissionRules.get(toolName);
-}
-/**
- * Get all permission rules
- */
-export function getAllPermissions(): ToolPermission[] {
-  return Array.from(permissionRules.values());
-}
-/**
- * Update permission rule for a tool
- */
-export function updatePermission(permission: ToolPermission): void {
-  permissionRules.set(permission.tool, permission);
-  logger.info(
-    { tool: permission.tool, permission },
-    'Permission rule updated'
-  );
-}
-/**
- * Remove permission rule for a tool
- */
-export function removePermission(toolName: string): void {
-  permissionRules.delete(toolName);
-  logger.info({ toolName }, 'Permission rule removed');
-}
-// Initialize with default permissions
-initializePermissions();