@frontmcp/plugins 0.4.1 → 0.5.1

package/src/codecall/providers/code-call.config.js

@@ -0,0 +1,120 @@
+"use strict";
+// file: libs/plugins/src/codecall/providers/code-call.config.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+const sdk_1 = require("@frontmcp/sdk");
+const codecall_types_1 = require("../codecall.types");
+/**
+ * CodeCall configuration provider with convict-like API
+ * Extends BaseConfig to provide type-safe dotted path access
+ *
+ * @example
+ * // Get values with dotted path notation
+ * config.get('vm.preset') // returns 'secure'
+ * config.get('embedding.strategy') // returns 'tfidf'
+ * config.get('directCalls.enabled') // returns true
+ *
+ * // Get with default value
+ * config.get('vm.timeoutMs', 5000) // returns value or 5000
+ *
+ * // Get entire sections
+ * config.getSection('vm') // returns entire vm config
+ * config.getAll() // returns complete config
+ *
+ * // Require values (throws if undefined)
+ * config.getOrThrow('mode') // throws if undefined
+ * config.getRequired('topK') // same as getOrThrow
+ */
+let CodeCallConfig = class CodeCallConfig extends sdk_1.BaseConfig {
+    constructor(options = {}) {
+        // Parse and validate options with Zod schema to apply all defaults
+        const parsedConfig = codecall_types_1.codeCallPluginOptionsSchema.parse(options);
+        // Resolve VM options with preset defaults
+        const resolvedVm = resolveVmOptions(parsedConfig.vm);
+        super({ ...parsedConfig, resolvedVm });
+    }
+};
+CodeCallConfig = tslib_1.__decorate([
+    (0, sdk_1.Provider)({
+        name: 'codecall:config',
+        description: 'CodeCall plugin configuration with validated defaults',
+        scope: sdk_1.ProviderScope.GLOBAL,
+    }),
+    tslib_1.__metadata("design:paramtypes", [Object])
+], CodeCallConfig);
+exports.default = CodeCallConfig;
+// ---- VM Options Resolution ----
+function resolveVmOptions(vmOptions) {
+    const preset = vmOptions?.preset ?? 'secure';
+    const base = presetDefaults(preset);
+    return {
+        ...base,
+        ...vmOptions,
+        disabledBuiltins: vmOptions?.disabledBuiltins ?? base.disabledBuiltins,
+        disabledGlobals: vmOptions?.disabledGlobals ?? base.disabledGlobals,
+    };
+}
+function presetDefaults(preset) {
+    switch (preset) {
+        case 'locked_down':
+            return {
+                preset,
+                timeoutMs: 2000,
+                allowLoops: false,
+                allowConsole: false,
+                maxSteps: 2000,
+                disabledBuiltins: ['eval', 'Function', 'AsyncFunction'],
+                disabledGlobals: [
+                    'require',
+                    'process',
+                    'fetch',
+                    'setTimeout',
+                    'setInterval',
+                    'setImmediate',
+                    'global',
+                    'globalThis',
+                ],
+            };
+        case 'balanced':
+            return {
+                preset,
+                timeoutMs: 5000,
+                allowLoops: true,
+                allowConsole: true,
+                maxSteps: 10000,
+                disabledBuiltins: ['eval', 'Function', 'AsyncFunction'],
+                disabledGlobals: ['require', 'process', 'fetch'],
+            };
+        case 'experimental':
+            return {
+                preset,
+                timeoutMs: 10000,
+                allowLoops: true,
+                allowConsole: true,
+                maxSteps: 20000,
+                disabledBuiltins: ['eval', 'Function', 'AsyncFunction'],
+                disabledGlobals: ['require', 'process'],
+            };
+        case 'secure':
+        default:
+            return {
+                preset: 'secure',
+                timeoutMs: 3500,
+                allowLoops: false,
+                allowConsole: true,
+                maxSteps: 5000,
+                disabledBuiltins: ['eval', 'Function', 'AsyncFunction'],
+                disabledGlobals: [
+                    'require',
+                    'process',
+                    'fetch',
+                    'setTimeout',
+                    'setInterval',
+                    'setImmediate',
+                    'global',
+                    'globalThis',
+                ],
+            };
+    }
+}
+//# sourceMappingURL=code-call.config.js.map

package/src/codecall/providers/code-call.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"code-call.config.js","sourceRoot":"","sources":["../../../../src/codecall/providers/code-call.config.ts"],"names":[],"mappings":";AAAA,gEAAgE;;;AAEhE,uCAAoE;AACpE,sDAK2B;AAG3B;;;;;;;;;;;;;;;;;;;;GAoBG;AAMY,IAAM,cAAc,GAApB,MAAM,cAAe,SAAQ,gBAE3C;IACC,YAAY,UAA0C,EAAE;QACtD,mEAAmE;QACnE,MAAM,YAAY,GAAG,4CAA2B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAEhE,0CAA0C;QAC1C,MAAM,UAAU,GAAG,gBAAgB,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QAErD,KAAK,CAAC,EAAE,GAAG,YAAY,EAAE,UAAU,EAAE,CAAC,CAAC;IACzC,CAAC;CACF,CAAA;AAZoB,cAAc;IALlC,IAAA,cAAQ,EAAC;QACR,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,uDAAuD;QACpE,KAAK,EAAE,mBAAa,CAAC,MAAM;KAC5B,CAAC;;GACmB,cAAc,CAYlC;kBAZoB,cAAc;AAcnC,kCAAkC;AAElC,SAAS,gBAAgB,CAAC,SAA6B;IACrD,MAAM,MAAM,GAAqB,SAAS,EAAE,MAAM,IAAI,QAAQ,CAAC;IAE/D,MAAM,IAAI,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IAEpC,OAAO;QACL,GAAG,IAAI;QACP,GAAG,SAAS;QACZ,gBAAgB,EAAE,SAAS,EAAE,gBAAgB,IAAI,IAAI,CAAC,gBAAgB;QACtE,eAAe,EAAE,SAAS,EAAE,eAAe,IAAI,IAAI,CAAC,eAAe;KACpE,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,MAAwB;IAC9C,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,aAAa;YAChB,OAAO;gBACL,MAAM;gBACN,SAAS,EAAE,IAAI;gBACf,UAAU,EAAE,KAAK;gBACjB,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,IAAI;gBACd,gBAAgB,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,eAAe,CAAC;gBACvD,eAAe,EAAE;oBACf,SAAS;oBACT,SAAS;oBACT,OAAO;oBACP,YAAY;oBACZ,aAAa;oBACb,cAAc;oBACd,QAAQ;oBACR,YAAY;iBACb;aACF,CAAC;QAEJ,KAAK,UAAU;YACb,OAAO;gBACL,MAAM;gBACN,SAAS,EAAE,IAAI;gBACf,UAAU,EAAE,IAAI;gBAChB,YAAY,EAAE,IAAI;gBAClB,QAAQ,EAAE,KAAK;gBACf,gBAAgB,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,eAAe,CAAC;gBACvD,eAAe,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC;aACjD,CAAC;QAEJ,KAAK,cAAc;YACjB,OAAO;gBACL,MAAM;gBACN,SAAS,EAAE,KAAK;gBAChB,UAAU,EAAE,IAAI;gBAChB,YAAY,EAAE,IAAI;gBAClB,QAAQ,EAAE,KAAK;gBACf,gBAAgB,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,eAAe,CAAC;gBACvD,eAAe,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;aACxC,CAAC;QAEJ,KAAK,QAAQ,CAAC;QACd;YACE,OAAO;gBACL,MAAM,EAAE,QAAQ;gBAChB,SAAS,EAAE,IAAI;gBACf,UAAU,EAAE,KAAK;gBACjB,YAAY,EAAE,IAAI;gBAClB,QAAQ,EAAE,IAAI;gBACd,gBAAgB,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,eAAe,CAAC;gBACvD,eAAe,EAAE;oBACf,SAAS;oBACT,SAAS;oBACT,OAAO;oBACP,YAAY;oBACZ,aAAa;oBACb,cAAc;oBACd,QAAQ;oBACR,YAAY;iBACb;aACF,CAAC;IACN,CAAC;AACH,CAAC","sourcesContent":["// file: libs/plugins/src/codecall/providers/code-call.config.ts\n\nimport { Provider, ProviderScope, BaseConfig } from '@frontmcp/sdk';\nimport {\n  CodeCallPluginOptions,\n  CodeCallVmOptions,\n  CodeCallVmPreset,\n  codeCallPluginOptionsSchema,\n} from '../codecall.types';\nimport { ResolvedCodeCallVmOptions } from '../codecall.symbol';\n\n/**\n * CodeCall configuration provider with convict-like API\n * Extends BaseConfig to provide type-safe dotted path access\n *\n * @example\n * // Get values with dotted path notation\n * config.get('vm.preset') // returns 'secure'\n * config.get('embedding.strategy') // returns 'tfidf'\n * config.get('directCalls.enabled') // returns true\n *\n * // Get with default value\n * config.get('vm.timeoutMs', 5000) // returns value or 5000\n *\n * // Get entire sections\n * config.getSection('vm') // returns entire vm config\n * config.getAll() // returns complete config\n *\n * // Require values (throws if undefined)\n * config.getOrThrow('mode') // throws if undefined\n * config.getRequired('topK') // same as getOrThrow\n */\n@Provider({\n  name: 'codecall:config',\n  description: 'CodeCall plugin configuration with validated defaults',\n  scope: ProviderScope.GLOBAL,\n})\nexport default class CodeCallConfig extends BaseConfig<\n  CodeCallPluginOptions & { resolvedVm: ResolvedCodeCallVmOptions }\n> {\n  constructor(options: Partial<CodeCallPluginOptions> = {}) {\n    // Parse and validate options with Zod schema to apply all defaults\n    const parsedConfig = codeCallPluginOptionsSchema.parse(options);\n\n    // Resolve VM options with preset defaults\n    const resolvedVm = resolveVmOptions(parsedConfig.vm);\n\n    super({ ...parsedConfig, resolvedVm });\n  }\n}\n\n// ---- VM Options Resolution ----\n\nfunction resolveVmOptions(vmOptions?: CodeCallVmOptions): ResolvedCodeCallVmOptions {\n  const preset: CodeCallVmPreset = vmOptions?.preset ?? 'secure';\n\n  const base = presetDefaults(preset);\n\n  return {\n    ...base,\n    ...vmOptions,\n    disabledBuiltins: vmOptions?.disabledBuiltins ?? base.disabledBuiltins,\n    disabledGlobals: vmOptions?.disabledGlobals ?? base.disabledGlobals,\n  };\n}\n\nfunction presetDefaults(preset: CodeCallVmPreset): ResolvedCodeCallVmOptions {\n  switch (preset) {\n    case 'locked_down':\n      return {\n        preset,\n        timeoutMs: 2000,\n        allowLoops: false,\n        allowConsole: false,\n        maxSteps: 2000,\n        disabledBuiltins: ['eval', 'Function', 'AsyncFunction'],\n        disabledGlobals: [\n          'require',\n          'process',\n          'fetch',\n          'setTimeout',\n          'setInterval',\n          'setImmediate',\n          'global',\n          'globalThis',\n        ],\n      };\n\n    case 'balanced':\n      return {\n        preset,\n        timeoutMs: 5000,\n        allowLoops: true,\n        allowConsole: true,\n        maxSteps: 10000,\n        disabledBuiltins: ['eval', 'Function', 'AsyncFunction'],\n        disabledGlobals: ['require', 'process', 'fetch'],\n      };\n\n    case 'experimental':\n      return {\n        preset,\n        timeoutMs: 10000,\n        allowLoops: true,\n        allowConsole: true,\n        maxSteps: 20000,\n        disabledBuiltins: ['eval', 'Function', 'AsyncFunction'],\n        disabledGlobals: ['require', 'process'],\n      };\n\n    case 'secure':\n    default:\n      return {\n        preset: 'secure',\n        timeoutMs: 3500,\n        allowLoops: false,\n        allowConsole: true,\n        maxSteps: 5000,\n        disabledBuiltins: ['eval', 'Function', 'AsyncFunction'],\n        disabledGlobals: [\n          'require',\n          'process',\n          'fetch',\n          'setTimeout',\n          'setInterval',\n          'setImmediate',\n          'global',\n          'globalThis',\n        ],\n      };\n  }\n}\n"]}

package/src/codecall/security/index.d.ts

@@ -0,0 +1,2 @@
+export * from './self-reference-guard';
+export * from './tool-access-control.service';

package/src/codecall/security/index.js

@@ -0,0 +1,7 @@
+"use strict";
+// file: libs/plugins/src/codecall/security/index.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./self-reference-guard"), exports);
+tslib_1.__exportStar(require("./tool-access-control.service"), exports);
+//# sourceMappingURL=index.js.map

package/src/codecall/security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/codecall/security/index.ts"],"names":[],"mappings":";AAAA,oDAAoD;;;AAEpD,iEAAuC;AACvC,wEAA8C","sourcesContent":["// file: libs/plugins/src/codecall/security/index.ts\n\nexport * from './self-reference-guard';\nexport * from './tool-access-control.service';\n"]}

package/src/codecall/security/self-reference-guard.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Check if a tool name is a CodeCall plugin tool that should be blocked.
+ *
+ * SECURITY: This is the FIRST check in callTool before ANY other processing.
+ * It prevents:
+ * - Recursive execution attacks (codecall:execute calling itself)
+ * - Privilege escalation via nested tool calls
+ * - Resource exhaustion through self-invocation loops
+ *
+ * @param toolName - The name of the tool being called
+ * @returns true if the tool is a blocked CodeCall tool
+ */
+export declare function isBlockedSelfReference(toolName: string): boolean;
+/**
+ * Assert that a tool call is not a self-reference.
+ * Throws SelfReferenceError if the tool is blocked.
+ *
+ * SECURITY: This function MUST be called at the very start of callTool,
+ * before any other validation or processing.
+ *
+ * @param toolName - The name of the tool being called
+ * @throws SelfReferenceError if the tool is a blocked CodeCall tool
+ */
+export declare function assertNotSelfReference(toolName: string): void;
+/**
+ * Get the list of blocked tool patterns for documentation/testing.
+ * This is informational only - the actual blocking uses isBlockedSelfReference().
+ */
+export declare function getBlockedPatterns(): {
+    prefix: string;
+    explicit: readonly string[];
+};

package/src/codecall/security/self-reference-guard.js

@@ -0,0 +1,70 @@
+"use strict";
+// file: libs/plugins/src/codecall/security/self-reference-guard.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isBlockedSelfReference = isBlockedSelfReference;
+exports.assertNotSelfReference = assertNotSelfReference;
+exports.getBlockedPatterns = getBlockedPatterns;
+const tool_call_errors_1 = require("../errors/tool-call.errors");
+/**
+ * HARDCODED list of CodeCall plugin tool names that MUST be blocked from self-reference.
+ *
+ * SECURITY: This list is NOT configurable to prevent bypass attempts.
+ * Any tool with the 'codecall:' prefix is blocked.
+ */
+const CODECALL_TOOL_PREFIX = 'codecall:';
+/**
+ * Explicitly blocked tool names for additional safety.
+ * Even if a tool doesn't have the prefix, these are always blocked.
+ */
+const BLOCKED_CODECALL_TOOLS = Object.freeze(new Set(['codecall:search', 'codecall:describe', 'codecall:execute', 'codecall:invoke']));
+/**
+ * Check if a tool name is a CodeCall plugin tool that should be blocked.
+ *
+ * SECURITY: This is the FIRST check in callTool before ANY other processing.
+ * It prevents:
+ * - Recursive execution attacks (codecall:execute calling itself)
+ * - Privilege escalation via nested tool calls
+ * - Resource exhaustion through self-invocation loops
+ *
+ * @param toolName - The name of the tool being called
+ * @returns true if the tool is a blocked CodeCall tool
+ */
+function isBlockedSelfReference(toolName) {
+    // Normalize tool name (case-insensitive check for prefix)
+    const normalizedName = toolName.toLowerCase().trim();
+    // Check for codecall: prefix
+    if (normalizedName.startsWith(CODECALL_TOOL_PREFIX)) {
+        return true;
+    }
+    // Check explicit blocklist
+    if (BLOCKED_CODECALL_TOOLS.has(toolName)) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Assert that a tool call is not a self-reference.
+ * Throws SelfReferenceError if the tool is blocked.
+ *
+ * SECURITY: This function MUST be called at the very start of callTool,
+ * before any other validation or processing.
+ *
+ * @param toolName - The name of the tool being called
+ * @throws SelfReferenceError if the tool is a blocked CodeCall tool
+ */
+function assertNotSelfReference(toolName) {
+    if (isBlockedSelfReference(toolName)) {
+        throw new tool_call_errors_1.SelfReferenceError(toolName);
+    }
+}
+/**
+ * Get the list of blocked tool patterns for documentation/testing.
+ * This is informational only - the actual blocking uses isBlockedSelfReference().
+ */
+function getBlockedPatterns() {
+    return {
+        prefix: CODECALL_TOOL_PREFIX,
+        explicit: Array.from(BLOCKED_CODECALL_TOOLS),
+    };
+}
+//# sourceMappingURL=self-reference-guard.js.map

package/src/codecall/security/self-reference-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"self-reference-guard.js","sourceRoot":"","sources":["../../../../src/codecall/security/self-reference-guard.ts"],"names":[],"mappings":";AAAA,mEAAmE;;AAgCnE,wDAeC;AAYD,wDAIC;AAMD,gDAKC;AAxED,iEAAgE;AAEhE;;;;;GAKG;AACH,MAAM,oBAAoB,GAAG,WAAW,CAAC;AAEzC;;;GAGG;AACH,MAAM,sBAAsB,GAAwB,MAAM,CAAC,MAAM,CAC/D,IAAI,GAAG,CAAC,CAAC,iBAAiB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,iBAAiB,CAAC,CAAC,CACzF,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,SAAgB,sBAAsB,CAAC,QAAgB;IACrD,0DAA0D;IAC1D,MAAM,cAAc,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IAErD,6BAA6B;IAC7B,IAAI,cAAc,CAAC,UAAU,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,2BAA2B;IAC3B,IAAI,sBAAsB,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,sBAAsB,CAAC,QAAgB;IACrD,IAAI,sBAAsB,CAAC,QAAQ,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,qCAAkB,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB;IAChC,OAAO;QACL,MAAM,EAAE,oBAAoB;QAC5B,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC;KAC7C,CAAC;AACJ,CAAC","sourcesContent":["// file: libs/plugins/src/codecall/security/self-reference-guard.ts\n\nimport { SelfReferenceError } from '../errors/tool-call.errors';\n\n/**\n * HARDCODED list of CodeCall plugin tool names that MUST be blocked from self-reference.\n *\n * SECURITY: This list is NOT configurable to prevent bypass attempts.\n * Any tool with the 'codecall:' prefix is blocked.\n */\nconst CODECALL_TOOL_PREFIX = 'codecall:';\n\n/**\n * Explicitly blocked tool names for additional safety.\n * Even if a tool doesn't have the prefix, these are always blocked.\n */\nconst BLOCKED_CODECALL_TOOLS: ReadonlySet<string> = Object.freeze(\n  new Set(['codecall:search', 'codecall:describe', 'codecall:execute', 'codecall:invoke']),\n);\n\n/**\n * Check if a tool name is a CodeCall plugin tool that should be blocked.\n *\n * SECURITY: This is the FIRST check in callTool before ANY other processing.\n * It prevents:\n * - Recursive execution attacks (codecall:execute calling itself)\n * - Privilege escalation via nested tool calls\n * - Resource exhaustion through self-invocation loops\n *\n * @param toolName - The name of the tool being called\n * @returns true if the tool is a blocked CodeCall tool\n */\nexport function isBlockedSelfReference(toolName: string): boolean {\n  // Normalize tool name (case-insensitive check for prefix)\n  const normalizedName = toolName.toLowerCase().trim();\n\n  // Check for codecall: prefix\n  if (normalizedName.startsWith(CODECALL_TOOL_PREFIX)) {\n    return true;\n  }\n\n  // Check explicit blocklist\n  if (BLOCKED_CODECALL_TOOLS.has(toolName)) {\n    return true;\n  }\n\n  return false;\n}\n\n/**\n * Assert that a tool call is not a self-reference.\n * Throws SelfReferenceError if the tool is blocked.\n *\n * SECURITY: This function MUST be called at the very start of callTool,\n * before any other validation or processing.\n *\n * @param toolName - The name of the tool being called\n * @throws SelfReferenceError if the tool is a blocked CodeCall tool\n */\nexport function assertNotSelfReference(toolName: string): void {\n  if (isBlockedSelfReference(toolName)) {\n    throw new SelfReferenceError(toolName);\n  }\n}\n\n/**\n * Get the list of blocked tool patterns for documentation/testing.\n * This is informational only - the actual blocking uses isBlockedSelfReference().\n */\nexport function getBlockedPatterns(): { prefix: string; explicit: readonly string[] } {\n  return {\n    prefix: CODECALL_TOOL_PREFIX,\n    explicit: Array.from(BLOCKED_CODECALL_TOOLS),\n  };\n}\n"]}

package/src/codecall/security/tool-access-control.service.d.ts

@@ -0,0 +1,104 @@
+import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+/**
+ * Tool access control modes:
+ * - whitelist: Only explicitly allowed tools can be called (most secure)
+ * - blacklist: All tools allowed except explicitly blocked (default, more flexible)
+ * - dynamic: Evaluate access per-call based on custom function
+ */
+export type ToolAccessMode = 'whitelist' | 'blacklist' | 'dynamic';
+/**
+ * Tool access policy configuration.
+ */
+export interface ToolAccessPolicy {
+    /**
+     * Access control mode.
+     * @default 'blacklist'
+     */
+    mode: ToolAccessMode;
+    /**
+     * Tools explicitly allowed (for whitelist mode).
+     * Supports exact names and glob patterns (e.g., 'users:*').
+     */
+    whitelist?: string[];
+    /**
+     * Tools explicitly blocked (for blacklist mode).
+     * Supports exact names and glob patterns (e.g., 'admin:*').
+     */
+    blacklist?: string[];
+    /**
+     * Pattern-based rules that apply in addition to whitelist/blacklist.
+     */
+    patterns?: {
+        allow?: string[];
+        deny?: string[];
+    };
+    /**
+     * Custom evaluator function for dynamic mode.
+     * Called for each tool access request.
+     */
+    evaluator?: (context: ToolAccessContext) => Promise<ToolAccessDecision>;
+}
+/**
+ * Context provided to the access evaluator.
+ */
+export interface ToolAccessContext {
+    toolName: string;
+    authInfo?: AuthInfo;
+    executionId?: string;
+    callDepth: number;
+    timestamp: number;
+}
+/**
+ * Decision from the access control check.
+ */
+export interface ToolAccessDecision {
+    allowed: boolean;
+    reason?: string;
+}
+/**
+ * Tool Access Control Service
+ *
+ * Provides centralized access control for tool calls within CodeCall.
+ * Implements a layered security model:
+ *
+ * 1. Self-reference blocking (handled separately in self-reference-guard.ts)
+ * 2. Default blacklist (always enforced)
+ * 3. User-configured whitelist/blacklist
+ * 4. Pattern matching (glob patterns)
+ * 5. Dynamic evaluation (if configured)
+ */
+export declare class ToolAccessControlService {
+    private readonly policy;
+    private readonly whitelistSet;
+    private readonly blacklistSet;
+    private readonly allowPatterns;
+    private readonly denyPatterns;
+    constructor(policy?: ToolAccessPolicy);
+    /**
+     * Check if a tool can be accessed.
+     *
+     * @param toolName - The tool being accessed
+     * @param context - Optional access context for dynamic evaluation
+     * @returns Decision indicating if access is allowed
+     */
+    checkAccess(toolName: string, context?: Partial<ToolAccessContext>): Promise<ToolAccessDecision>;
+    private checkWhitelistMode;
+    private checkBlacklistMode;
+    private checkDynamicMode;
+    /**
+     * Check if a tool name matches any entry in a set (supports glob patterns).
+     */
+    private isInSet;
+    /**
+     * Convert a glob pattern to a RegExp.
+     * Supports: * (any characters), ? (single character)
+     *
+     * Security: Prevents ReDoS by limiting pattern complexity and using non-greedy matching.
+     */
+    private globToRegex;
+    /**
+     * Get the current policy configuration (for debugging/testing).
+     */
+    getPolicy(): Readonly<ToolAccessPolicy>;
+}
+export default ToolAccessControlService;

package/src/codecall/security/tool-access-control.service.js

@@ -0,0 +1,170 @@
+"use strict";
+// file: libs/plugins/src/codecall/security/tool-access-control.service.ts
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ToolAccessControlService = void 0;
+const tslib_1 = require("tslib");
+const sdk_1 = require("@frontmcp/sdk");
+/**
+ * Default blacklist - tools that are always blocked regardless of configuration.
+ * These are security-sensitive and should never be accessible via CodeCall.
+ */
+const DEFAULT_BLACKLIST = Object.freeze(new Set([
+    // Internal system tools
+    'system:*',
+    'internal:*',
+    '__*', // Any tool starting with __
+]));
+/**
+ * Tool Access Control Service
+ *
+ * Provides centralized access control for tool calls within CodeCall.
+ * Implements a layered security model:
+ *
+ * 1. Self-reference blocking (handled separately in self-reference-guard.ts)
+ * 2. Default blacklist (always enforced)
+ * 3. User-configured whitelist/blacklist
+ * 4. Pattern matching (glob patterns)
+ * 5. Dynamic evaluation (if configured)
+ */
+let ToolAccessControlService = class ToolAccessControlService {
+    policy;
+    whitelistSet;
+    blacklistSet;
+    allowPatterns;
+    denyPatterns;
+    constructor(policy) {
+        this.policy = policy || { mode: 'blacklist' };
+        // Pre-compile sets and patterns for fast lookup
+        this.whitelistSet = new Set(this.policy.whitelist || []);
+        this.blacklistSet = new Set([...(this.policy.blacklist || []), ...Array.from(DEFAULT_BLACKLIST)]);
+        this.allowPatterns = (this.policy.patterns?.allow || []).map(this.globToRegex);
+        this.denyPatterns = (this.policy.patterns?.deny || []).map(this.globToRegex);
+    }
+    /**
+     * Check if a tool can be accessed.
+     *
+     * @param toolName - The tool being accessed
+     * @param context - Optional access context for dynamic evaluation
+     * @returns Decision indicating if access is allowed
+     */
+    async checkAccess(toolName, context) {
+        const fullContext = {
+            toolName,
+            authInfo: context?.authInfo,
+            executionId: context?.executionId,
+            callDepth: context?.callDepth ?? 0,
+            timestamp: Date.now(),
+        };
+        // Step 1: Check deny patterns first (highest priority)
+        for (const pattern of this.denyPatterns) {
+            if (pattern.test(toolName)) {
+                return { allowed: false, reason: `Tool matches deny pattern` };
+            }
+        }
+        // Step 2: Check explicit blacklist
+        if (this.isInSet(toolName, this.blacklistSet)) {
+            return { allowed: false, reason: `Tool is explicitly blocked` };
+        }
+        // Step 3: Mode-specific checks
+        switch (this.policy.mode) {
+            case 'whitelist':
+                return this.checkWhitelistMode(toolName, fullContext);
+            case 'blacklist':
+                return this.checkBlacklistMode(toolName, fullContext);
+            case 'dynamic':
+                return this.checkDynamicMode(toolName, fullContext);
+            default:
+                // Default to deny for unknown modes (fail-secure)
+                return { allowed: false, reason: 'Unknown access control mode' };
+        }
+    }
+    async checkWhitelistMode(toolName, context) {
+        // In whitelist mode, tool must be explicitly allowed
+        if (this.isInSet(toolName, this.whitelistSet)) {
+            return { allowed: true };
+        }
+        // Check allow patterns
+        for (const pattern of this.allowPatterns) {
+            if (pattern.test(toolName)) {
+                return { allowed: true };
+            }
+        }
+        // Check dynamic evaluator as fallback
+        if (this.policy.evaluator) {
+            return this.policy.evaluator(context);
+        }
+        return { allowed: false, reason: 'Tool not in whitelist' };
+    }
+    async checkBlacklistMode(toolName, context) {
+        // In blacklist mode, tool is allowed unless blocked
+        // (blacklist already checked above)
+        // Check dynamic evaluator for additional restrictions
+        if (this.policy.evaluator) {
+            const dynamicDecision = await this.policy.evaluator(context);
+            if (!dynamicDecision.allowed) {
+                return dynamicDecision;
+            }
+        }
+        return { allowed: true };
+    }
+    async checkDynamicMode(toolName, context) {
+        if (!this.policy.evaluator) {
+            // No evaluator configured - fail-secure
+            return { allowed: false, reason: 'No dynamic evaluator configured' };
+        }
+        return this.policy.evaluator(context);
+    }
+    /**
+     * Check if a tool name matches any entry in a set (supports glob patterns).
+     */
+    isInSet(toolName, set) {
+        // Direct match
+        if (set.has(toolName)) {
+            return true;
+        }
+        // Check glob patterns in the set
+        for (const pattern of set) {
+            if (pattern.includes('*')) {
+                const regex = this.globToRegex(pattern);
+                if (regex.test(toolName)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+    /**
+     * Convert a glob pattern to a RegExp.
+     * Supports: * (any characters), ? (single character)
+     *
+     * Security: Prevents ReDoS by limiting pattern complexity and using non-greedy matching.
+     */
+    globToRegex(pattern) {
+        // Prevent ReDoS: limit pattern complexity
+        const wildcardCount = (pattern.match(/\*/g) || []).length;
+        if (wildcardCount > 3 || pattern.length > 100) {
+            throw new Error(`Pattern too complex: ${pattern}`);
+        }
+        const escaped = pattern
+            .replace(/[.+^${}()|[\]\\]/g, '\\$&') // Escape special regex chars
+            .replace(/\*/g, '.*?') // * -> .*? (non-greedy to prevent backtracking)
+            .replace(/\?/g, '.'); // ? -> .
+        return new RegExp(`^${escaped}$`, 'i');
+    }
+    /**
+     * Get the current policy configuration (for debugging/testing).
+     */
+    getPolicy() {
+        return Object.freeze({ ...this.policy });
+    }
+};
+exports.ToolAccessControlService = ToolAccessControlService;
+exports.ToolAccessControlService = ToolAccessControlService = tslib_1.__decorate([
+    (0, sdk_1.Provider)({
+        name: 'codecall:tool-access-control',
+        scope: sdk_1.ProviderScope.GLOBAL,
+    }),
+    tslib_1.__metadata("design:paramtypes", [Object])
+], ToolAccessControlService);
+exports.default = ToolAccessControlService;
+//# sourceMappingURL=tool-access-control.service.js.map

package/src/codecall/security/tool-access-control.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-access-control.service.js","sourceRoot":"","sources":["../../../../src/codecall/security/tool-access-control.service.ts"],"names":[],"mappings":";AAAA,0EAA0E;;;;AAE1E,uCAAwD;AAmExD;;;GAGG;AACH,MAAM,iBAAiB,GAAwB,MAAM,CAAC,MAAM,CAC1D,IAAI,GAAG,CAAC;IACN,wBAAwB;IACxB,UAAU;IACV,YAAY;IACZ,KAAK,EAAE,4BAA4B;CACpC,CAAC,CACH,CAAC;AAEF;;;;;;;;;;;GAWG;AAKI,IAAM,wBAAwB,GAA9B,MAAM,wBAAwB;IAClB,MAAM,CAAmB;IACzB,YAAY,CAAc;IAC1B,YAAY,CAAc;IAC1B,aAAa,CAAW;IACxB,YAAY,CAAW;IAExC,YAAY,MAAyB;QACnC,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;QAE9C,gDAAgD;QAChD,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;QACzD,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC;QAElG,IAAI,CAAC,aAAa,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC/E,IAAI,CAAC,YAAY,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC/E,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,WAAW,CAAC,QAAgB,EAAE,OAAoC;QACtE,MAAM,WAAW,GAAsB;YACrC,QAAQ;YACR,QAAQ,EAAE,OAAO,EAAE,QAAQ;YAC3B,WAAW,EAAE,OAAO,EAAE,WAAW;YACjC,SAAS,EAAE,OAAO,EAAE,SAAS,IAAI,CAAC;YAClC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QAEF,uDAAuD;QACvD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACxC,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;YACjE,CAAC;QACH,CAAC;QAED,mCAAmC;QACnC,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;QAClE,CAAC;QAED,+BAA+B;QAC/B,QAAQ,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACzB,KAAK,WAAW;gBACd,OAAO,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;YAExD,KAAK,WAAW;gBACd,OAAO,IAAI,CAAC,kBAAkB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;YAExD,KAAK,SAAS;gBACZ,OAAO,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;YAEtD;gBACE,kDAAkD;gBAClD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;QACrE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,kBAAkB,CAAC,QAAgB,EAAE,OAA0B;QAC3E,qDAAqD;QACrD,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,uBAAuB;QACvB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACzC,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC3B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,sCAAsC;QACtC,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC;IAC7D,CAAC;IAEO,KAAK,CAAC,kBAAkB,CAAC,QAAgB,EAAE,OAA0B;QAC3E,oDAAoD;QACpD,oCAAoC;QAEpC,sDAAsD;QACtD,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC1B,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;YAC7D,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;gBAC7B,OAAO,eAAe,CAAC;YACzB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,QAAgB,EAAE,OAA0B;QACzE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC3B,wCAAwC;YACxC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;QACvE,CAAC;QAED,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACK,OAAO,CAAC,QAAgB,EAAE,GAAgB;QAChD,eAAe;QACf,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,iCAAiC;QACjC,KAAK,MAAM,OAAO,IAAI,GAAG,EAAE,CAAC;YAC1B,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;gBACxC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACzB,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;OAKG;IACK,WAAW,CAAC,OAAe;QACjC,0CAA0C;QAC1C,MAAM,aAAa,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QAC1D,IAAI,aAAa,GAAG,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,wBAAwB,OAAO,EAAE,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,OAAO,GAAG,OAAO;aACpB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,6BAA6B;aAClE,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,gDAAgD;aACtE,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,SAAS;QAEjC,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3C,CAAC;CACF,CAAA;AA7JY,4DAAwB;mCAAxB,wBAAwB;IAJpC,IAAA,cAAQ,EAAC;QACR,IAAI,EAAE,8BAA8B;QACpC,KAAK,EAAE,mBAAa,CAAC,MAAM;KAC5B,CAAC;;GACW,wBAAwB,CA6JpC;AAED,kBAAe,wBAAwB,CAAC","sourcesContent":["// file: libs/plugins/src/codecall/security/tool-access-control.service.ts\n\nimport { Provider, ProviderScope } from '@frontmcp/sdk';\nimport type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';\n\n/**\n * Tool access control modes:\n * - whitelist: Only explicitly allowed tools can be called (most secure)\n * - blacklist: All tools allowed except explicitly blocked (default, more flexible)\n * - dynamic: Evaluate access per-call based on custom function\n */\nexport type ToolAccessMode = 'whitelist' | 'blacklist' | 'dynamic';\n\n/**\n * Tool access policy configuration.\n */\nexport interface ToolAccessPolicy {\n  /**\n   * Access control mode.\n   * @default 'blacklist'\n   */\n  mode: ToolAccessMode;\n\n  /**\n   * Tools explicitly allowed (for whitelist mode).\n   * Supports exact names and glob patterns (e.g., 'users:*').\n   */\n  whitelist?: string[];\n\n  /**\n   * Tools explicitly blocked (for blacklist mode).\n   * Supports exact names and glob patterns (e.g., 'admin:*').\n   */\n  blacklist?: string[];\n\n  /**\n   * Pattern-based rules that apply in addition to whitelist/blacklist.\n   */\n  patterns?: {\n    allow?: string[];\n    deny?: string[];\n  };\n\n  /**\n   * Custom evaluator function for dynamic mode.\n   * Called for each tool access request.\n   */\n  evaluator?: (context: ToolAccessContext) => Promise<ToolAccessDecision>;\n}\n\n/**\n * Context provided to the access evaluator.\n */\nexport interface ToolAccessContext {\n  toolName: string;\n  authInfo?: AuthInfo;\n  executionId?: string;\n  callDepth: number;\n  timestamp: number;\n}\n\n/**\n * Decision from the access control check.\n */\nexport interface ToolAccessDecision {\n  allowed: boolean;\n  reason?: string;\n}\n\n/**\n * Default blacklist - tools that are always blocked regardless of configuration.\n * These are security-sensitive and should never be accessible via CodeCall.\n */\nconst DEFAULT_BLACKLIST: ReadonlySet<string> = Object.freeze(\n  new Set([\n    // Internal system tools\n    'system:*',\n    'internal:*',\n    '__*', // Any tool starting with __\n  ]),\n);\n\n/**\n * Tool Access Control Service\n *\n * Provides centralized access control for tool calls within CodeCall.\n * Implements a layered security model:\n *\n * 1. Self-reference blocking (handled separately in self-reference-guard.ts)\n * 2. Default blacklist (always enforced)\n * 3. User-configured whitelist/blacklist\n * 4. Pattern matching (glob patterns)\n * 5. Dynamic evaluation (if configured)\n */\n@Provider({\n  name: 'codecall:tool-access-control',\n  scope: ProviderScope.GLOBAL,\n})\nexport class ToolAccessControlService {\n  private readonly policy: ToolAccessPolicy;\n  private readonly whitelistSet: Set<string>;\n  private readonly blacklistSet: Set<string>;\n  private readonly allowPatterns: RegExp[];\n  private readonly denyPatterns: RegExp[];\n\n  constructor(policy?: ToolAccessPolicy) {\n    this.policy = policy || { mode: 'blacklist' };\n\n    // Pre-compile sets and patterns for fast lookup\n    this.whitelistSet = new Set(this.policy.whitelist || []);\n    this.blacklistSet = new Set([...(this.policy.blacklist || []), ...Array.from(DEFAULT_BLACKLIST)]);\n\n    this.allowPatterns = (this.policy.patterns?.allow || []).map(this.globToRegex);\n    this.denyPatterns = (this.policy.patterns?.deny || []).map(this.globToRegex);\n  }\n\n  /**\n   * Check if a tool can be accessed.\n   *\n   * @param toolName - The tool being accessed\n   * @param context - Optional access context for dynamic evaluation\n   * @returns Decision indicating if access is allowed\n   */\n  async checkAccess(toolName: string, context?: Partial<ToolAccessContext>): Promise<ToolAccessDecision> {\n    const fullContext: ToolAccessContext = {\n      toolName,\n      authInfo: context?.authInfo,\n      executionId: context?.executionId,\n      callDepth: context?.callDepth ?? 0,\n      timestamp: Date.now(),\n    };\n\n    // Step 1: Check deny patterns first (highest priority)\n    for (const pattern of this.denyPatterns) {\n      if (pattern.test(toolName)) {\n        return { allowed: false, reason: `Tool matches deny pattern` };\n      }\n    }\n\n    // Step 2: Check explicit blacklist\n    if (this.isInSet(toolName, this.blacklistSet)) {\n      return { allowed: false, reason: `Tool is explicitly blocked` };\n    }\n\n    // Step 3: Mode-specific checks\n    switch (this.policy.mode) {\n      case 'whitelist':\n        return this.checkWhitelistMode(toolName, fullContext);\n\n      case 'blacklist':\n        return this.checkBlacklistMode(toolName, fullContext);\n\n      case 'dynamic':\n        return this.checkDynamicMode(toolName, fullContext);\n\n      default:\n        // Default to deny for unknown modes (fail-secure)\n        return { allowed: false, reason: 'Unknown access control mode' };\n    }\n  }\n\n  private async checkWhitelistMode(toolName: string, context: ToolAccessContext): Promise<ToolAccessDecision> {\n    // In whitelist mode, tool must be explicitly allowed\n    if (this.isInSet(toolName, this.whitelistSet)) {\n      return { allowed: true };\n    }\n\n    // Check allow patterns\n    for (const pattern of this.allowPatterns) {\n      if (pattern.test(toolName)) {\n        return { allowed: true };\n      }\n    }\n\n    // Check dynamic evaluator as fallback\n    if (this.policy.evaluator) {\n      return this.policy.evaluator(context);\n    }\n\n    return { allowed: false, reason: 'Tool not in whitelist' };\n  }\n\n  private async checkBlacklistMode(toolName: string, context: ToolAccessContext): Promise<ToolAccessDecision> {\n    // In blacklist mode, tool is allowed unless blocked\n    // (blacklist already checked above)\n\n    // Check dynamic evaluator for additional restrictions\n    if (this.policy.evaluator) {\n      const dynamicDecision = await this.policy.evaluator(context);\n      if (!dynamicDecision.allowed) {\n        return dynamicDecision;\n      }\n    }\n\n    return { allowed: true };\n  }\n\n  private async checkDynamicMode(toolName: string, context: ToolAccessContext): Promise<ToolAccessDecision> {\n    if (!this.policy.evaluator) {\n      // No evaluator configured - fail-secure\n      return { allowed: false, reason: 'No dynamic evaluator configured' };\n    }\n\n    return this.policy.evaluator(context);\n  }\n\n  /**\n   * Check if a tool name matches any entry in a set (supports glob patterns).\n   */\n  private isInSet(toolName: string, set: Set<string>): boolean {\n    // Direct match\n    if (set.has(toolName)) {\n      return true;\n    }\n\n    // Check glob patterns in the set\n    for (const pattern of set) {\n      if (pattern.includes('*')) {\n        const regex = this.globToRegex(pattern);\n        if (regex.test(toolName)) {\n          return true;\n        }\n      }\n    }\n\n    return false;\n  }\n\n  /**\n   * Convert a glob pattern to a RegExp.\n   * Supports: * (any characters), ? (single character)\n   *\n   * Security: Prevents ReDoS by limiting pattern complexity and using non-greedy matching.\n   */\n  private globToRegex(pattern: string): RegExp {\n    // Prevent ReDoS: limit pattern complexity\n    const wildcardCount = (pattern.match(/\\*/g) || []).length;\n    if (wildcardCount > 3 || pattern.length > 100) {\n      throw new Error(`Pattern too complex: ${pattern}`);\n    }\n\n    const escaped = pattern\n      .replace(/[.+^${}()|[\\]\\\\]/g, '\\\\$&') // Escape special regex chars\n      .replace(/\\*/g, '.*?') // * -> .*? (non-greedy to prevent backtracking)\n      .replace(/\\?/g, '.'); // ? -> .\n\n    return new RegExp(`^${escaped}$`, 'i');\n  }\n\n  /**\n   * Get the current policy configuration (for debugging/testing).\n   */\n  getPolicy(): Readonly<ToolAccessPolicy> {\n    return Object.freeze({ ...this.policy });\n  }\n}\n\nexport default ToolAccessControlService;\n"]}