@knpkv/codecommit-core 0.5.1 → 0.7.0

package/dist/PermissionService/AuditLog.d.ts

@@ -0,0 +1,63 @@
+/**
+ * @title AuditLogRepo — records every AWS API call
+ *
+ * Every call through the permission gate gets recorded — allowed, denied,
+ * or timed out.
+ *
+ * Design constraints:
+ *   - MUST never block API calls (catchAll on write failures at call site)
+ *   - MUST handle high volume (~17 ops per refresh × every 5min)
+ *   - MUST auto-prune (150k entries/month without pruning)
+ *   - MUST support filtered queries (for the audit log UI page)
+ *
+ * `durationMs` is null when the API call was denied/timed out (never ran).
+ * When present, it reflects actual AWS API latency — not permission prompt wait.
+ *
+ * @module
+ */
+import * as SqlClient from "@effect/sql/SqlClient";
+import { Effect, Schema } from "effect";
+import { CacheError } from "../CacheService/CacheError.js";
+export declare const AuditLogEntry: Schema.Struct<{
+    id: typeof Schema.Number;
+    timestamp: typeof Schema.String;
+    operation: typeof Schema.String;
+    accountProfile: typeof Schema.String;
+    region: typeof Schema.String;
+    permissionState: Schema.Literal<["allowed", "always_allowed", "denied", "timed_out"]>;
+    context: typeof Schema.String;
+    durationMs: Schema.NullOr<typeof Schema.Number>;
+}>;
+export type AuditLogEntry = typeof AuditLogEntry.Type;
+export type NewAuditLogEntry = Omit<AuditLogEntry, "id">;
+export interface PaginatedAuditLog {
+    readonly items: ReadonlyArray<AuditLogEntry>;
+    readonly total: number;
+    readonly nextCursor?: number;
+}
+declare const AuditLogRepo_base: Effect.Service.Class<AuditLogRepo, "AuditLogRepo", {
+    readonly dependencies: readonly [import("effect/Layer").Layer<SqlClient.SqlClient | import("@effect/sql-libsql/LibsqlClient").LibsqlClient, import("@effect/sql/SqlError").SqlError | import("effect/ConfigError").ConfigError | import("@effect/sql/Migrator").MigrationError, import("@effect/platform/FileSystem").FileSystem>];
+    readonly effect: Effect.Effect<{
+        log: (entry: NewAuditLogEntry) => Effect.Effect<void, CacheError, never>;
+        findAll: (opts?: {
+            readonly limit?: number | undefined;
+            readonly offset?: number | undefined;
+            readonly operation?: string | undefined;
+            readonly accountProfile?: string | undefined;
+            readonly permissionState?: string | undefined;
+            readonly from?: string | undefined;
+            readonly to?: string | undefined;
+            readonly search?: string | undefined;
+        }) => Effect.Effect<PaginatedAuditLog, CacheError>;
+        prune: (retentionDays: number) => Effect.Effect<number, CacheError>;
+        clearAll: () => Effect.Effect<number, CacheError>;
+        exportAll: (opts?: {
+            readonly from?: string | undefined;
+            readonly to?: string | undefined;
+        }) => Effect.Effect<ReadonlyArray<AuditLogEntry>, CacheError>;
+    }, never, SqlClient.SqlClient>;
+}>;
+export declare class AuditLogRepo extends AuditLogRepo_base {
+}
+export {};
+//# sourceMappingURL=AuditLog.d.ts.map

package/dist/PermissionService/AuditLog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuditLog.d.ts","sourceRoot":"","sources":["../../src/PermissionService/AuditLog.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,KAAK,SAAS,MAAM,uBAAuB,CAAA;AAGlD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AACvC,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAA;AAG1D,eAAO,MAAM,aAAa;;;;;;;;;EASxB,CAAA;AAEF,MAAM,MAAM,aAAa,GAAG,OAAO,aAAa,CAAC,IAAI,CAAA;AAErD,MAAM,MAAM,gBAAgB,GAAG,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,CAAA;AAExD,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,aAAa,CAAC,CAAA;IAC5C,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAC7B;;;;qBAmCkB,gBAAgB;yBAQZ;YACf,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;YACnC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;YACpC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;YACvC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;YAC5C,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;YAC7C,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;YAClC,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;YAChC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;SACrC,KAAG,MAAM,CAAC,MAAM,CAAC,iBAAiB,EAAE,UAAU,CAAC;+BAmDzB,MAAM,KAAG,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC;wBAWnD,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC;2BAO5B;YACjB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;YAClC,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;SACjC,KAAG,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,aAAa,CAAC,EAAE,UAAU,CAAC;;;AApHjE,qBAAa,YAAa,SAAQ,iBAmIhC;CAAG"}

package/dist/PermissionService/AuditLog.js

@@ -0,0 +1,127 @@
+/**
+ * @title AuditLogRepo — records every AWS API call
+ *
+ * Every call through the permission gate gets recorded — allowed, denied,
+ * or timed out.
+ *
+ * Design constraints:
+ *   - MUST never block API calls (catchAll on write failures at call site)
+ *   - MUST handle high volume (~17 ops per refresh × every 5min)
+ *   - MUST auto-prune (150k entries/month without pruning)
+ *   - MUST support filtered queries (for the audit log UI page)
+ *
+ * `durationMs` is null when the API call was denied/timed out (never ran).
+ * When present, it reflects actual AWS API latency — not permission prompt wait.
+ *
+ * @module
+ */
+import * as SqlClient from "@effect/sql/SqlClient";
+import * as SqlSchema from "@effect/sql/SqlSchema";
+import * as Statement from "@effect/sql/Statement";
+import { Effect, Schema } from "effect";
+import { CacheError } from "../CacheService/CacheError.js";
+import { DatabaseLive } from "../CacheService/Database.js";
+export const AuditLogEntry = Schema.Struct({
+    id: Schema.Number,
+    timestamp: Schema.String,
+    operation: Schema.String,
+    accountProfile: Schema.String,
+    region: Schema.String,
+    permissionState: Schema.Literal("allowed", "always_allowed", "denied", "timed_out"),
+    context: Schema.String,
+    durationMs: Schema.NullOr(Schema.Number)
+});
+const cacheError = (op) => (effect) => effect.pipe(Effect.mapError((cause) => new CacheError({ operation: `AuditLogRepo.${op}`, cause })), Effect.withSpan(`AuditLogRepo.${op}`, { captureStackTrace: false }));
+export class AuditLogRepo extends Effect.Service()("AuditLogRepo", {
+    dependencies: [DatabaseLive],
+    effect: Effect.gen(function* () {
+        const sql = yield* SqlClient.SqlClient;
+        const findAll_ = SqlSchema.findAll({
+            Result: AuditLogEntry,
+            Request: Schema.Struct({
+                limit: Schema.Number,
+                offset: Schema.Number
+            }),
+            execute: (req) => sql `SELECT * FROM audit_log ORDER BY id DESC LIMIT ${req.limit} OFFSET ${req.offset}`
+        });
+        const countAll = SqlSchema.single({
+            Result: Schema.Struct({ count: Schema.Number }),
+            Request: Schema.Void,
+            execute: () => sql `SELECT count(*) as count FROM audit_log`
+        });
+        const exportAllQuery = SqlSchema.findAll({
+            Result: AuditLogEntry,
+            Request: Schema.Void,
+            execute: () => sql `SELECT * FROM audit_log ORDER BY id DESC`
+        });
+        return {
+            log: (entry) => sql `INSERT INTO audit_log (timestamp, operation, account_profile, region, permission_state, context, duration_ms)
+            VALUES (${entry.timestamp}, ${entry.operation}, ${entry.accountProfile}, ${entry.region}, ${entry.permissionState}, ${entry.context}, ${entry.durationMs})`
+                .pipe(Effect.asVoid, cacheError("log")),
+            findAll: (opts) => {
+                // Clamp numeric params
+                const limit = Math.max(1, Math.min(200, Math.floor(opts?.limit ?? 50)));
+                const offset = Math.max(0, Math.floor(opts?.offset ?? 0));
+                // Compose parameterized WHERE using Statement.and
+                const hasFilter = opts?.operation || opts?.accountProfile || opts?.permissionState
+                    || opts?.from || opts?.to || opts?.search;
+                if (hasFilter) {
+                    const conditions = [];
+                    if (opts?.operation)
+                        conditions.push(sql `operation = ${opts.operation}`);
+                    if (opts?.accountProfile)
+                        conditions.push(sql `account_profile = ${opts.accountProfile}`);
+                    if (opts?.permissionState)
+                        conditions.push(sql `permission_state = ${opts.permissionState}`);
+                    if (opts?.from)
+                        conditions.push(sql `timestamp >= ${opts.from}`);
+                    if (opts?.to)
+                        conditions.push(sql `timestamp <= ${opts.to}`);
+                    if (opts?.search) {
+                        const pattern = `%${opts.search}%`;
+                        conditions.push(sql `(operation LIKE ${pattern} OR context LIKE ${pattern})`);
+                    }
+                    const where = Statement.and(conditions);
+                    return Effect.all([
+                        sql `SELECT * FROM audit_log WHERE ${where} ORDER BY id DESC LIMIT ${limit} OFFSET ${offset}`.pipe(Effect.map((rows) => rows.map((r) => Schema.decodeUnknownSync(AuditLogEntry)(r)))),
+                        sql `SELECT count(*) as count FROM audit_log WHERE ${where}`.pipe(Effect.map((rows) => rows[0]?.count ?? 0))
+                    ]).pipe(Effect.map(([items, total]) => ({
+                        items,
+                        total,
+                        ...(items.length === limit ? { nextCursor: offset + limit } : {})
+                    })), cacheError("findAll"));
+                }
+                return Effect.all([
+                    findAll_({ limit, offset }),
+                    countAll(undefined)
+                ]).pipe(Effect.map(([items, { count }]) => ({
+                    items,
+                    total: count,
+                    ...(items.length === limit ? { nextCursor: offset + limit } : {})
+                })), cacheError("findAll"));
+            },
+            prune: (retentionDays) => {
+                const days = Math.max(1, Math.floor(retentionDays));
+                const modifier = `-${days} days`;
+                return sql `DELETE FROM audit_log WHERE timestamp < datetime('now', ${modifier})`.pipe(
+                // DELETE returns no rows — use changes() to get actual deleted count
+                Effect.flatMap(() => sql `SELECT changes() as n`), Effect.map((rows) => rows[0]?.n ?? 0), cacheError("prune"));
+            },
+            clearAll: () => sql `DELETE FROM audit_log`.pipe(Effect.flatMap(() => sql `SELECT changes() as n`), Effect.map((rows) => rows[0]?.n ?? 0), cacheError("clearAll")),
+            exportAll: (opts) => {
+                if (opts?.from && opts?.to) {
+                    const exportFiltered = SqlSchema.findAll({
+                        Result: AuditLogEntry,
+                        Request: Schema.Void,
+                        execute: () => sql `SELECT * FROM audit_log WHERE timestamp >= ${opts.from} AND timestamp <= ${opts
+                            .to} ORDER BY id DESC`
+                    });
+                    return exportFiltered(undefined).pipe(cacheError("exportAll"));
+                }
+                return exportAllQuery(undefined).pipe(cacheError("exportAll"));
+            }
+        };
+    })
+}) {
+}
+//# sourceMappingURL=AuditLog.js.map

package/dist/PermissionService/AuditLog.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuditLog.js","sourceRoot":"","sources":["../../src/PermissionService/AuditLog.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,KAAK,SAAS,MAAM,uBAAuB,CAAA;AAClD,OAAO,KAAK,SAAS,MAAM,uBAAuB,CAAA;AAClD,OAAO,KAAK,SAAS,MAAM,uBAAuB,CAAA;AAClD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AACvC,OAAO,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAA;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAA;AAE1D,MAAM,CAAC,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC;IACzC,EAAE,EAAE,MAAM,CAAC,MAAM;IACjB,SAAS,EAAE,MAAM,CAAC,MAAM;IACxB,SAAS,EAAE,MAAM,CAAC,MAAM;IACxB,cAAc,EAAE,MAAM,CAAC,MAAM;IAC7B,MAAM,EAAE,MAAM,CAAC,MAAM;IACrB,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,gBAAgB,EAAE,QAAQ,EAAE,WAAW,CAAC;IACnF,OAAO,EAAE,MAAM,CAAC,MAAM;IACtB,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;CACzC,CAAC,CAAA;AAYF,MAAM,UAAU,GAAG,CAAC,EAAU,EAAE,EAAE,CAAC,CAAU,MAA8B,EAAE,EAAE,CAC7E,MAAM,CAAC,IAAI,CACT,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,UAAU,CAAC,EAAE,SAAS,EAAE,gBAAgB,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,EACtF,MAAM,CAAC,QAAQ,CAAC,gBAAgB,EAAE,EAAE,EAAE,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAAC,CACpE,CAAA;AAEH,MAAM,OAAO,YAAa,SAAQ,MAAM,CAAC,OAAO,EAAgB,CAAC,cAAc,EAAE;IAC/E,YAAY,EAAE,CAAC,YAAY,CAAC;IAC5B,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC1B,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,SAAS,CAAC,SAAS,CAAA;QAEtC,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC;YACjC,MAAM,EAAE,aAAa;YACrB,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC;gBACrB,KAAK,EAAE,MAAM,CAAC,MAAM;gBACpB,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC;YACF,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAA,kDAAkD,GAAG,CAAC,KAAK,WAAW,GAAG,CAAC,MAAM,EAAE;SACxG,CAAC,CAAA;QAEF,MAAM,QAAQ,GAAG,SAAS,CAAC,MAAM,CAAC;YAChC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;YAC/C,OAAO,EAAE,MAAM,CAAC,IAAI;YACpB,OAAO,EAAE,GAAG,EAAE,CAAC,GAAG,CAAA,yCAAyC;SAC5D,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,SAAS,CAAC,OAAO,CAAC;YACvC,MAAM,EAAE,aAAa;YACrB,OAAO,EAAE,MAAM,CAAC,IAAI;YACpB,OAAO,EAAE,GAAG,EAAE,CAAC,GAAG,CAAA,0CAA0C;SAC7D,CAAC,CAAA;QAEF,OAAO;YACL,GAAG,EAAE,CAAC,KAAuB,EAAE,EAAE,CAC/B,GAAG,CAAA;sBACW,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,cAAc,KAAK,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,eAAe,KAAK,KAAK,CAAC,OAAO,KAAK,KAAK,CAAC,UAAU,GAAG;iBAC5J,IAAI,CACH,MAAM,CAAC,MAAM,EACb,UAAU,CAAC,KAAK,CAAC,CAClB;YAEL,OAAO,EAAE,CAAC,IAST,EAAgD,EAAE;gBACjD,uBAAuB;gBACvB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;gBACvE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC,CAAC,CAAA;gBAEzD,kDAAkD;gBAClD,MAAM,SAAS,GAAG,IAAI,EAAE,SAAS,IAAI,IAAI,EAAE,cAAc,IAAI,IAAI,EAAE,eAAe;uBAC7E,IAAI,EAAE,IAAI,IAAI,IAAI,EAAE,EAAE,IAAI,IAAI,EAAE,MAAM,CAAA;gBAC3C,IAAI,SAAS,EAAE,CAAC;oBACd,MAAM,UAAU,GAA8B,EAAE,CAAA;oBAChD,IAAI,IAAI,EAAE,SAAS;wBAAE,UAAU,CAAC,IAAI,CAAC,GAAG,CAAA,eAAe,IAAI,CAAC,SAAS,EAAE,CAAC,CAAA;oBACxE,IAAI,IAAI,EAAE,cAAc;wBAAE,UAAU,CAAC,IAAI,CAAC,GAAG,CAAA,qBAAqB,IAAI,CAAC,cAAc,EAAE,CAAC,CAAA;oBACxF,IAAI,IAAI,EAAE,eAAe;wBAAE,UAAU,CAAC,IAAI,CAAC,GAAG,CAAA,sBAAsB,IAAI,CAAC,eAAe,EAAE,CAAC,CAAA;oBAC3F,IAAI,IAAI,EAAE,IAAI;wBAAE,UAAU,CAAC,IAAI,CAAC,GAAG,CAAA,gBAAgB,IAAI,CAAC,IAAI,EAAE,CAAC,CAAA;oBAC/D,IAAI,IAAI,EAAE,EAAE;wBAAE,UAAU,CAAC,IAAI,CAAC,GAAG,CAAA,gBAAgB,IAAI,CAAC,EAAE,EAAE,CAAC,CAAA;oBAC3D,IAAI,IAAI,EAAE,MAAM,EAAE,CAAC;wBACjB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,MAAM,GAAG,CAAA;wBAClC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAA,mBAAmB,OAAO,oBAAoB,OAAO,GAAG,CAAC,CAAA;oBAC9E,CAAC;oBACD,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;oBAEvC,OAAO,MAAM,CAAC,GAAG,CAAC;wBAChB,GAAG,CAAA,iCAAiC,KAAK,2BAA2B,KAAK,WAAW,MAAM,EAAE,CAAC,IAAI,CAC/F,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAClF;wBACD,GAAG,CAAA,iDAAiD,KAAK,EAAE,CAAC,IAAI,CAC9D,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAE,IAAI,CAAC,CAAC,CAAkC,EAAE,KAAK,IAAI,CAAC,CAAC,CAC5E;qBACF,CAAC,CAAC,IAAI,CACL,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;wBAC9B,KAAK;wBACL,KAAK;wBACL,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBAClE,CAAC,CAAC,EACH,UAAU,CAAC,SAAS,CAAC,CACtB,CAAA;gBACH,CAAC;gBAED,OAAO,MAAM,CAAC,GAAG,CAAC;oBAChB,QAAQ,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;oBAC3B,QAAQ,CAAC,SAAiB,CAAC;iBAC5B,CAAC,CAAC,IAAI,CACL,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;oBAClC,KAAK;oBACL,KAAK,EAAE,KAAK;oBACZ,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAClE,CAAC,CAAC,EACH,UAAU,CAAC,SAAS,CAAC,CACtB,CAAA;YACH,CAAC;YAED,KAAK,EAAE,CAAC,aAAqB,EAAqC,EAAE;gBAClE,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAA;gBACnD,MAAM,QAAQ,GAAG,IAAI,IAAI,OAAO,CAAA;gBAChC,OAAO,GAAG,CAAA,2DAA2D,QAAQ,GAAG,CAAC,IAAI;gBACnF,qEAAqE;gBACrE,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,GAAG,CAAe,uBAAuB,CAAC,EAC/D,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,EACrC,UAAU,CAAC,OAAO,CAAC,CACpB,CAAA;YACH,CAAC;YAED,QAAQ,EAAE,GAAsC,EAAE,CAChD,GAAG,CAAA,uBAAuB,CAAC,IAAI,CAC7B,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,GAAG,CAAe,uBAAuB,CAAC,EAC/D,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,EACrC,UAAU,CAAC,UAAU,CAAC,CACvB;YAEH,SAAS,EAAE,CAAC,IAGX,EAA2D,EAAE;gBAC5D,IAAI,IAAI,EAAE,IAAI,IAAI,IAAI,EAAE,EAAE,EAAE,CAAC;oBAC3B,MAAM,cAAc,GAAG,SAAS,CAAC,OAAO,CAAC;wBACvC,MAAM,EAAE,aAAa;wBACrB,OAAO,EAAE,MAAM,CAAC,IAAI;wBACpB,OAAO,EAAE,GAAG,EAAE,CACZ,GAAG,CAAA,8CAA8C,IAAI,CAAC,IAAK,qBAAqB,IAAI;6BACjF,EAAG,mBAAmB;qBAC5B,CAAC,CAAA;oBACF,OAAO,cAAc,CAAC,SAAiB,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAA;gBACxE,CAAC;gBACD,OAAO,cAAc,CAAC,SAAiB,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAA;YACxE,CAAC;SACF,CAAA;IACH,CAAC,CAAC;CACH,CAAC;CAAG"}

package/dist/PermissionService/PermissionGate.d.ts

@@ -0,0 +1,47 @@
+/**
+ * @title PermissionGate — abstract "ask the user" interface
+ *
+ * Context.Tag (not Effect.Service) so different environments can
+ * provide different implementations:
+ *   - Web: Deferred + SSE push (PermissionGateLive.ts)
+ *   - TUI: stdin prompt (future)
+ *   - Test: auto-allow Layer
+ *
+ * Only exposes `request` — the caller's view. The concrete implementation
+ * (PermissionGateLive) adds `resolve` and `getFirstPending` for the
+ * HTTP handler and SSE builder.
+ *
+ * @module
+ */
+import type { Effect } from "effect";
+import { Context, Schema } from "effect";
+import type { PermissionDeniedError } from "../Errors.js";
+declare const PermissionPrompt_base: Schema.Class<PermissionPrompt, {
+    id: typeof Schema.String;
+    operation: typeof Schema.String;
+    category: Schema.Literal<["read", "write"]>;
+    context: typeof Schema.String;
+}, Schema.Struct.Encoded<{
+    id: typeof Schema.String;
+    operation: typeof Schema.String;
+    category: Schema.Literal<["read", "write"]>;
+    context: typeof Schema.String;
+}>, never, {
+    readonly id: string;
+} & {
+    readonly operation: string;
+} & {
+    readonly context: string;
+} & {
+    readonly category: "read" | "write";
+}, {}, {}>;
+export declare class PermissionPrompt extends PermissionPrompt_base {
+}
+export type PermissionResponse = "allow_once" | "always_allow" | "deny";
+declare const PermissionGate_base: Context.TagClass<PermissionGate, "@knpkv/codecommit-core/PermissionGate", {
+    readonly request: (prompt: PermissionPrompt) => Effect.Effect<PermissionResponse, PermissionDeniedError>;
+}>;
+export declare class PermissionGate extends PermissionGate_base {
+}
+export {};
+//# sourceMappingURL=PermissionGate.d.ts.map

package/dist/PermissionService/PermissionGate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PermissionGate.d.ts","sourceRoot":"","sources":["../../src/PermissionService/PermissionGate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AACxC,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAA;;;;;;;;;;;;;;;;;;;;AAGzD,qBAAa,gBAAiB,SAAQ,qBAKpC;CAAG;AAEL,MAAM,MAAM,kBAAkB,GAAG,YAAY,GAAG,cAAc,GAAG,MAAM,CAAA;;sBAOjD,CAAC,MAAM,EAAE,gBAAgB,KAAK,MAAM,CAAC,MAAM,CAAC,kBAAkB,EAAE,qBAAqB,CAAC;;AAH5G,qBAAa,cAAe,SAAQ,mBAKjC;CAAG"}

package/dist/PermissionService/PermissionGate.js

@@ -0,0 +1,14 @@
+import { Context, Schema } from "effect";
+// UUID correlates the SSE prompt → client modal → POST response
+export class PermissionPrompt extends Schema.Class("PermissionPrompt")({
+    id: Schema.String,
+    operation: Schema.String,
+    category: Schema.Literal("read", "write"),
+    context: Schema.String
+}) {
+}
+// Blocks the calling fiber until user responds or 30s timeout.
+// Returns the response, or fails with PermissionDeniedError.
+export class PermissionGate extends Context.Tag("@knpkv/codecommit-core/PermissionGate")() {
+}
+//# sourceMappingURL=PermissionGate.js.map

package/dist/PermissionService/PermissionGate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"PermissionGate.js","sourceRoot":"","sources":["../../src/PermissionService/PermissionGate.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAGxC,gEAAgE;AAChE,MAAM,OAAO,gBAAiB,SAAQ,MAAM,CAAC,KAAK,CAAmB,kBAAkB,CAAC,CAAC;IACvF,EAAE,EAAE,MAAM,CAAC,MAAM;IACjB,SAAS,EAAE,MAAM,CAAC,MAAM;IACxB,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC,MAAM;CACvB,CAAC;CAAG;AAIL,+DAA+D;AAC/D,6DAA6D;AAC7D,MAAM,OAAO,cAAe,SAAQ,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,EAKrF;CAAG"}

package/dist/PermissionService/PermissionGateLive.d.ts

@@ -0,0 +1,41 @@
+/**
+ * @title PermissionGateLive — Deferred-based prompt flow
+ *
+ * One `Deferred<PermissionResponse>` per prompt.
+ *
+ * Flow:
+ *   1. API call fiber creates Deferred, stores in pending Map
+ *   2. Publishes PermissionRequired → SSE rebuilds payload with prompt
+ *   3. Fiber blocks on Deferred.await (up to 30s)
+ *   4. User clicks modal → POST /api/permissions/respond
+ *   5. HTTP handler calls resolve() → Deferred.succeed → fiber unblocks
+ *   6. Publishes PermissionResolved → SSE removes prompt from payload
+ *
+ * Multi-tab: Deferred.succeed is idempotent — first responder wins,
+ * second tab's POST is a no-op. Both see prompt disappear via SSE.
+ *
+ * Separate Effect.Service tag (not just PermissionGate) because the
+ * HTTP handler and SSE builder need `resolve` and `getFirstPending`
+ * which the abstract interface doesn't expose.
+ *
+ * @module
+ */
+import { Effect, Layer } from "effect";
+import { EventsHub } from "../CacheService/EventsHub.js";
+import { PermissionDeniedError } from "../Errors.js";
+import { PermissionGate, type PermissionPrompt, type PermissionResponse } from "./PermissionGate.js";
+export interface PermissionGateLive {
+    readonly request: (prompt: PermissionPrompt) => Effect.Effect<PermissionResponse, PermissionDeniedError>;
+    readonly resolve: (promptId: string, response: PermissionResponse) => Effect.Effect<void>;
+    readonly getFirstPending: () => Effect.Effect<PermissionPrompt | undefined>;
+}
+export declare const PermissionGateLiveTag: Effect.Service.Class<PermissionGateLive, "PermissionGateLive", {
+    readonly dependencies: readonly [Layer.Layer<EventsHub, never, never>];
+    readonly effect: Effect.Effect<{
+        request: (prompt: PermissionPrompt) => Effect.Effect<PermissionResponse, PermissionDeniedError>;
+        resolve: (promptId: string, response: PermissionResponse) => Effect.Effect<void>;
+        getFirstPending: () => Effect.Effect<PermissionPrompt | undefined>;
+    }, never, EventsHub>;
+}>;
+export declare const PermissionGateLiveLayer: Layer.Layer<PermissionGate, never, PermissionGateLive>;
+//# sourceMappingURL=PermissionGateLive.d.ts.map

package/dist/PermissionService/PermissionGateLive.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PermissionGateLive.d.ts","sourceRoot":"","sources":["../../src/PermissionService/PermissionGateLive.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAY,MAAM,EAAE,KAAK,EAAO,MAAM,QAAQ,CAAA;AACrD,OAAO,EAAE,SAAS,EAAc,MAAM,8BAA8B,CAAA;AACpE,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,KAAK,gBAAgB,EAAE,KAAK,kBAAkB,EAAE,MAAM,qBAAqB,CAAA;AAOpG,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,OAAO,EAAE,CAAC,MAAM,EAAE,gBAAgB,KAAK,MAAM,CAAC,MAAM,CAAC,kBAAkB,EAAE,qBAAqB,CAAC,CAAA;IACxG,QAAQ,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,kBAAkB,KAAK,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;IACzF,QAAQ,CAAC,eAAe,EAAE,MAAM,MAAM,CAAC,MAAM,CAAC,gBAAgB,GAAG,SAAS,CAAC,CAAA;CAC5E;AAED,eAAO,MAAM,qBAAqB;;;0BAWL,gBAAgB,KAAG,MAAM,CAAC,MAAM,CAAC,kBAAkB,EAAE,qBAAqB,CAAC;4BAqCzE,MAAM,YAAY,kBAAkB,KAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;+BAUzD,MAAM,CAAC,MAAM,CAAC,gBAAgB,GAAG,SAAS,CAAC;;EAUzE,CAAA;AAKF,eAAO,MAAM,uBAAuB,wDAGnC,CAAA"}

package/dist/PermissionService/PermissionGateLive.js

@@ -0,0 +1,83 @@
+/**
+ * @title PermissionGateLive — Deferred-based prompt flow
+ *
+ * One `Deferred<PermissionResponse>` per prompt.
+ *
+ * Flow:
+ *   1. API call fiber creates Deferred, stores in pending Map
+ *   2. Publishes PermissionRequired → SSE rebuilds payload with prompt
+ *   3. Fiber blocks on Deferred.await (up to 30s)
+ *   4. User clicks modal → POST /api/permissions/respond
+ *   5. HTTP handler calls resolve() → Deferred.succeed → fiber unblocks
+ *   6. Publishes PermissionResolved → SSE removes prompt from payload
+ *
+ * Multi-tab: Deferred.succeed is idempotent — first responder wins,
+ * second tab's POST is a no-op. Both see prompt disappear via SSE.
+ *
+ * Separate Effect.Service tag (not just PermissionGate) because the
+ * HTTP handler and SSE builder need `resolve` and `getFirstPending`
+ * which the abstract interface doesn't expose.
+ *
+ * @module
+ */
+import { Deferred, Effect, Layer, Ref } from "effect";
+import { EventsHub, RepoChange } from "../CacheService/EventsHub.js";
+import { PermissionDeniedError } from "../Errors.js";
+import { PermissionGate } from "./PermissionGate.js";
+export const PermissionGateLiveTag = Effect.Service()("PermissionGateLive", {
+    // EventsHub needed to publish PermissionRequired/Resolved events
+    // that trigger SSE payload rebuilds
+    dependencies: [EventsHub.Default],
+    effect: Effect.gen(function* () {
+        const hub = yield* EventsHub;
+        // Map<promptId, { deferred, prompt }>. Concurrent-safe via Ref.
+        // Multiple prompts can be pending simultaneously (e.g. initial
+        // refresh triggers getCallerIdentity + listRepositories at once).
+        const pending = yield* Ref.make(new Map());
+        const request = (prompt) => Effect.gen(function* () {
+            const deferred = yield* Deferred.make();
+            yield* Ref.update(pending, (m) => new Map(m).set(prompt.id, { deferred, prompt }));
+            yield* hub.publish(RepoChange.PermissionRequired());
+            const response = yield* Deferred.await(deferred).pipe(Effect.timeout("30 seconds"), Effect.catchTag("TimeoutException", () => {
+                return Effect.gen(function* () {
+                    yield* Ref.update(pending, (m) => {
+                        const n = new Map(m);
+                        n.delete(prompt.id);
+                        return n;
+                    });
+                    yield* hub.publish(RepoChange.PermissionResolved());
+                    return yield* new PermissionDeniedError({ operation: prompt.operation, reason: "timeout" });
+                });
+            }));
+            yield* Ref.update(pending, (m) => {
+                const n = new Map(m);
+                n.delete(prompt.id);
+                return n;
+            });
+            yield* hub.publish(RepoChange.PermissionResolved());
+            if (response === "deny") {
+                return yield* new PermissionDeniedError({ operation: prompt.operation, reason: "denied" });
+            }
+            return response;
+        });
+        // Called by POST /api/permissions/respond handler.
+        // Deferred.succeed is idempotent — second call is a no-op.
+        // This is how multi-tab "first responder wins" works.
+        const resolve = (promptId, response) => Ref.get(pending).pipe(Effect.flatMap((m) => {
+            const entry = m.get(promptId);
+            return entry ? Deferred.succeed(entry.deferred, response) : Effect.void;
+        }));
+        // For SSE payload builder — shows one prompt at a time (FIFO).
+        // Remaining prompts queue behind; they'll surface as each resolves.
+        const getFirstPending = () => Ref.get(pending).pipe(Effect.map((m) => {
+            const first = m.values().next();
+            return first.done ? undefined : first.value.prompt;
+        }));
+        return { request, resolve, getFirstPending };
+    })
+});
+// Bridge: concrete service → abstract Context.Tag.
+// Handlers use PermissionGateLiveTag (for resolve/getFirstPending),
+// AwsClientGated uses PermissionGate (for request only).
+export const PermissionGateLiveLayer = Layer.effect(PermissionGate, Effect.map(PermissionGateLiveTag, (live) => ({ request: live.request })));
+//# sourceMappingURL=PermissionGateLive.js.map

package/dist/PermissionService/PermissionGateLive.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"PermissionGateLive.js","sourceRoot":"","sources":["../../src/PermissionService/PermissionGateLive.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,QAAQ,CAAA;AACrD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,8BAA8B,CAAA;AACpE,OAAO,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAA;AACpD,OAAO,EAAE,cAAc,EAAkD,MAAM,qBAAqB,CAAA;AAapG,MAAM,CAAC,MAAM,qBAAqB,GAAG,MAAM,CAAC,OAAO,EAAsB,CAAC,oBAAoB,EAAE;IAC9F,iEAAiE;IACjE,oCAAoC;IACpC,YAAY,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC;IACjC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC1B,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,SAAS,CAAA;QAC5B,gEAAgE;QAChE,+DAA+D;QAC/D,kEAAkE;QAClE,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,EAAwB,CAAC,CAAA;QAEhE,MAAM,OAAO,GAAG,CAAC,MAAwB,EAA4D,EAAE,CACrG,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;YAClB,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAsB,CAAA;YAC3D,KAAK,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC,CAAA;YAClF,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,kBAAkB,EAAE,CAAC,CAAA;YAEnD,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,IAAI,CACnD,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAC5B,MAAM,CAAC,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;gBACvC,OAAO,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;oBACzB,KAAK,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;wBAC/B,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAA;wBACpB,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;wBACnB,OAAO,CAAC,CAAA;oBACV,CAAC,CAAC,CAAA;oBACF,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,kBAAkB,EAAE,CAAC,CAAA;oBACnD,OAAO,KAAK,CAAC,CAAC,IAAI,qBAAqB,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAA;gBAC7F,CAAC,CAAC,CAAA;YACJ,CAAC,CAAC,CACH,CAAA;YAED,KAAK,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;gBAC/B,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAA;gBACpB,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;gBACnB,OAAO,CAAC,CAAA;YACV,CAAC,CAAC,CAAA;YACF,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,kBAAkB,EAAE,CAAC,CAAA;YAEnD,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACxB,OAAO,KAAK,CAAC,CAAC,IAAI,qBAAqB,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAA;YAC5F,CAAC;YACD,OAAO,QAAQ,CAAA;QACjB,CAAC,CAAC,CAAA;QAEJ,mDAAmD;QACnD,2DAA2D;QAC3D,sDAAsD;QACtD,MAAM,OAAO,GAAG,CAAC,QAAgB,EAAE,QAA4B,EAAuB,EAAE,CACtF,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CACnB,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;YACnB,MAAM,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;YAC7B,OAAO,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAA;QACzE,CAAC,CAAC,CACH,CAAA;QAEH,+DAA+D;QAC/D,oEAAoE;QACpE,MAAM,eAAe,GAAG,GAAgD,EAAE,CACxE,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CACnB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACf,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAA;YAC/B,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAA;QACpD,CAAC,CAAC,CACH,CAAA;QAEH,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,eAAe,EAA+B,CAAA;IAC3E,CAAC,CAAC;CACH,CAAC,CAAA;AAEF,mDAAmD;AACnD,oEAAoE;AACpE,yDAAyD;AACzD,MAAM,CAAC,MAAM,uBAAuB,GAAG,KAAK,CAAC,MAAM,CACjD,cAAc,EACd,MAAM,CAAC,GAAG,CAAC,qBAAqB,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CACzE,CAAA"}

package/dist/PermissionService/index.d.ts

@@ -0,0 +1,39 @@
+/**
+ * @title PermissionService — permission state management
+ *
+ * Ref<Config> backed by `~/.codecommit/permissions.json`.
+ *
+ * On construction (Layer build time), reads the file
+ * into a Ref. All subsequent `check()` calls are O(1) Ref lookups — no disk
+ * I/O. Only `set()` mutates the Ref AND writes to disk (atomic: tmp → rename).
+ *
+ * Key invariant: an operation missing from the file defaults to `"allow"`,
+ * which means "prompt the user". A fresh install with empty permissions.json
+ * prompts for every API call — zero-trust by default.
+ *
+ * @module
+ */
+import { FileSystem } from "@effect/platform";
+import { Effect, Schema } from "effect";
+import { allOperations, getOperationMeta, type OperationName, registerOperation } from "./operations.js";
+export type { BuiltinOperation, OperationMeta, OperationName } from "./operations.js";
+export { allOperations, getOperationMeta, registerOperation };
+export declare const PermissionState: Schema.Literal<["always_allow", "allow", "deny"]>;
+export type PermissionState = typeof PermissionState.Type;
+declare const PermissionService_base: Effect.Service.Class<PermissionService, "PermissionService", {
+    readonly effect: Effect.Effect<{
+        check: (operation: OperationName) => Effect.Effect<PermissionState>;
+        set: (operation: OperationName, state: PermissionState) => Effect.Effect<void>;
+        getAll: () => Effect.Effect<Record<string, PermissionState>>;
+        resetAll: () => Effect.Effect<void>;
+        isAuditEnabled: () => Effect.Effect<boolean>;
+        getAuditRetention: () => Effect.Effect<number>;
+        setAudit: (opts: {
+            enabled?: boolean | undefined;
+            retentionDays?: number | undefined;
+        }) => Effect.Effect<void>;
+    }, never, FileSystem.FileSystem>;
+}>;
+export declare class PermissionService extends PermissionService_base {
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/PermissionService/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/PermissionService/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAU,MAAM,EAAO,MAAM,EAAE,MAAM,QAAQ,CAAA;AACpD,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,KAAK,aAAa,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAA;AAExG,YAAY,EAAE,gBAAgB,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAA;AACrF,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,CAAA;AAK7D,eAAO,MAAM,eAAe,mDAAkD,CAAA;AAC9E,MAAM,MAAM,eAAe,GAAG,OAAO,eAAe,CAAC,IAAI,CAAA;;;2BA6D3B,aAAa,KAAG,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC;yBAGhD,aAAa,SAAS,eAAe,KAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;sBAShE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;wBAG5C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;8BAMb,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;iCAEnB,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;yBAI3C;YAAE,OAAO,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;SAAE,KAC1E,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;;;AAzC1B,qBAAa,iBAAkB,SAAQ,sBAuDrC;CAAG"}

package/dist/PermissionService/index.js

@@ -0,0 +1,87 @@
+/**
+ * @title PermissionService — permission state management
+ *
+ * Ref<Config> backed by `~/.codecommit/permissions.json`.
+ *
+ * On construction (Layer build time), reads the file
+ * into a Ref. All subsequent `check()` calls are O(1) Ref lookups — no disk
+ * I/O. Only `set()` mutates the Ref AND writes to disk (atomic: tmp → rename).
+ *
+ * Key invariant: an operation missing from the file defaults to `"allow"`,
+ * which means "prompt the user". A fresh install with empty permissions.json
+ * prompts for every API call — zero-trust by default.
+ *
+ * @module
+ */
+import { FileSystem } from "@effect/platform";
+import { Config, Effect, Ref, Schema } from "effect";
+import { allOperations, getOperationMeta, registerOperation } from "./operations.js";
+export { allOperations, getOperationMeta, registerOperation };
+// On-disk format. Schema.decodeUnknownSync with defaults means
+// corrupt or missing files gracefully degrade to empty state (everything prompts).
+export const PermissionState = Schema.Literal("always_allow", "allow", "deny");
+const AuditConfig = Schema.Struct({
+    enabled: Schema.Boolean.pipe(Schema.optionalWith({ default: () => false })),
+    retentionDays: Schema.Number.pipe(Schema.optionalWith({ default: () => 30 }))
+});
+const PermissionsConfig = Schema.Struct({
+    permissions: Schema.Record({ key: Schema.String, value: PermissionState }).pipe(Schema.optionalWith({ default: () => ({}) })),
+    audit: AuditConfig.pipe(Schema.optionalWith({ default: () => Schema.decodeSync(AuditConfig)({}) }))
+});
+const decodeConfig = Schema.decodeUnknownSync(PermissionsConfig);
+// Uses @effect/platform FileSystem — works in Bun, Node, tests.
+// Atomic write: write to .tmp, then rename. Prevents corruption on crash.
+const resolvePermissionsPath = Config.string("HOME").pipe(Config.orElse(() => Config.string("USERPROFILE")), Config.map((h) => `${h}/.codecommit/permissions.json`));
+const loadFromDisk = (fs, path) => fs.readFileString(path).pipe(Effect.map((content) => decodeConfig(JSON.parse(content))), 
+// Any failure → empty config → everything prompts
+Effect.catchAll(() => Effect.succeed(decodeConfig({}))));
+const saveToDisk = (fs, path, config) => Effect.gen(function* () {
+    const dir = path.replace(/\/[^/]+$/, "");
+    yield* fs.makeDirectory(dir, { recursive: true }).pipe(Effect.catchAll(() => Effect.void));
+    const tmpPath = `${path}.tmp`;
+    yield* fs.writeFileString(tmpPath, JSON.stringify(config, null, 2));
+    yield* fs.rename(tmpPath, path);
+}).pipe(Effect.catchAll(() => Effect.void));
+// Effect.Service (not Context.Tag) — auto-generates `.Default` layer.
+// The effect block runs once at Layer construction: reads file, creates Ref.
+// FileSystem comes from the providing layer (PlatformLive in Server.ts).
+export class PermissionService extends Effect.Service()("PermissionService", {
+    effect: Effect.gen(function* () {
+        const fs = yield* FileSystem.FileSystem;
+        const permPath = yield* Effect.configProviderWith((p) => p.load(resolvePermissionsPath)).pipe(Effect.catchAll(() => Effect.succeed("/tmp/.codecommit/permissions.json")));
+        // In-memory state. All check() calls read from here.
+        // Only set() mutates it AND writes to disk.
+        const initial = yield* loadFromDisk(fs, permPath);
+        const configRef = yield* Ref.make(initial);
+        // O(1) — Ref.get + property lookup. The "allow" default is the key invariant:
+        // missing operation → prompt the user.
+        const check = (operation) => Ref.get(configRef).pipe(Effect.map((c) => c.permissions[operation] ?? "allow"));
+        const set = (operation, state) => Effect.gen(function* () {
+            yield* Ref.update(configRef, (c) => ({
+                ...c,
+                permissions: { ...c.permissions, [operation]: state }
+            }));
+            yield* saveToDisk(fs, permPath, yield* Ref.get(configRef));
+        });
+        const getAll = () => Ref.get(configRef).pipe(Effect.map((c) => c.permissions));
+        const resetAll = () => Effect.gen(function* () {
+            yield* Ref.update(configRef, (c) => ({ ...c, permissions: {} }));
+            yield* saveToDisk(fs, permPath, yield* Ref.get(configRef));
+        });
+        const isAuditEnabled = () => Ref.get(configRef).pipe(Effect.map((c) => c.audit.enabled));
+        const getAuditRetention = () => Ref.get(configRef).pipe(Effect.map((c) => c.audit.retentionDays));
+        const setAudit = (opts) => Effect.gen(function* () {
+            yield* Ref.update(configRef, (c) => ({
+                ...c,
+                audit: {
+                    enabled: opts.enabled ?? c.audit.enabled,
+                    retentionDays: opts.retentionDays ?? c.audit.retentionDays
+                }
+            }));
+            yield* saveToDisk(fs, permPath, yield* Ref.get(configRef));
+        });
+        return { check, set, getAll, resetAll, isAuditEnabled, getAuditRetention, setAudit };
+    })
+}) {
+}
+//# sourceMappingURL=index.js.map

package/dist/PermissionService/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/PermissionService/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AACpD,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAsB,iBAAiB,EAAE,MAAM,iBAAiB,CAAA;AAGxG,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,CAAA;AAE7D,+DAA+D;AAC/D,mFAAmF;AAEnF,MAAM,CAAC,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;AAG9E,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC;IAChC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC;IAC3E,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;CAC9E,CAAC,CAAA;AAEF,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,CAAC;IACtC,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC,IAAI,CAC7E,MAAM,CAAC,YAAY,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAoC,EAAE,CAAC,CAChF;IACD,KAAK,EAAE,WAAW,CAAC,IAAI,CACrB,MAAM,CAAC,YAAY,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAC3E;CACF,CAAC,CAAA;AAIF,MAAM,YAAY,GAAG,MAAM,CAAC,iBAAiB,CAAC,iBAAiB,CAAC,CAAA;AAEhE,gEAAgE;AAChE,0EAA0E;AAE1E,MAAM,sBAAsB,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CACvD,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,EACjD,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,+BAA+B,CAAC,CACvD,CAAA;AAED,MAAM,YAAY,GAAG,CAAC,EAAyB,EAAE,IAAY,EAAoC,EAAE,CACjG,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,IAAI,CAC1B,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;AAC1D,kDAAkD;AAClD,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,CACxD,CAAA;AAEH,MAAM,UAAU,GAAG,CAAC,EAAyB,EAAE,IAAY,EAAE,MAAyB,EAAuB,EAAE,CAC7G,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;IAClB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAA;IACxC,KAAK,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAA;IAC1F,MAAM,OAAO,GAAG,GAAG,IAAI,MAAM,CAAA;IAC7B,KAAK,CAAC,CAAC,EAAE,CAAC,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;IACnE,KAAK,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;AACjC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAA;AAE7C,sEAAsE;AACtE,6EAA6E;AAC7E,yEAAyE;AAEzE,MAAM,OAAO,iBAAkB,SAAQ,MAAM,CAAC,OAAO,EAAqB,CAAC,mBAAmB,EAAE;IAC9F,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC1B,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,UAAU,CAAC,UAAU,CAAA;QACvC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAC3F,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,mCAAmC,CAAC,CAAC,CAC3E,CAAA;QACD,qDAAqD;QACrD,4CAA4C;QAC5C,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,YAAY,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAA;QACjD,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAoB,OAAO,CAAC,CAAA;QAE7D,8EAA8E;QAC9E,uCAAuC;QACvC,MAAM,KAAK,GAAG,CAAC,SAAwB,EAAkC,EAAE,CACzE,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,SAAS,CAAC,IAAK,OAAiB,CAAC,CAAC,CAAA;QAE5F,MAAM,GAAG,GAAG,CAAC,SAAwB,EAAE,KAAsB,EAAuB,EAAE,CACpF,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;YAClB,KAAK,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACnC,GAAG,CAAC;gBACJ,WAAW,EAAE,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE;aACtD,CAAC,CAAC,CAAA;YACH,KAAK,CAAC,CAAC,UAAU,CAAC,EAAE,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAA;QAC5D,CAAC,CAAC,CAAA;QAEJ,MAAM,MAAM,GAAG,GAAmD,EAAE,CAClE,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAA;QAE3D,MAAM,QAAQ,GAAG,GAAwB,EAAE,CACzC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;YAClB,KAAK,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC,CAAA;YAChE,KAAK,CAAC,CAAC,UAAU,CAAC,EAAE,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAA;QAC5D,CAAC,CAAC,CAAA;QAEJ,MAAM,cAAc,GAAG,GAA2B,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAA;QAEhH,MAAM,iBAAiB,GAAG,GAA0B,EAAE,CACpD,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAA;QAEnE,MAAM,QAAQ,GAAG,CACf,IAA2E,EACtD,EAAE,CACvB,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;YAClB,KAAK,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACnC,GAAG,CAAC;gBACJ,KAAK,EAAE;oBACL,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO;oBACxC,aAAa,EAAE,IAAI,CAAC,aAAa,IAAI,CAAC,CAAC,KAAK,CAAC,aAAa;iBAC3D;aACF,CAAC,CAAC,CAAA;YACH,KAAK,CAAC,CAAC,UAAU,CAAC,EAAE,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAA;QAC5D,CAAC,CAAC,CAAA;QAEJ,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,iBAAiB,EAAE,QAAQ,EAAE,CAAA;IACtF,CAAC,CAAC;CACH,CAAC;CAAG"}

package/dist/PermissionService/operations.d.ts

@@ -0,0 +1,53 @@
+/**
+ * @title Operation registry — maps operation names to metadata
+ *
+ * Every AWS API call has a named operation with a category (read/write)
+ * and human-readable description. The gate uses the category for UI
+ * badge color; the description appears in the permission prompt modal.
+ *
+ * `OperationName` is a union of known builtin operations + `(string & {})`
+ * for runtime extensions. This gives autocomplete for known ops while
+ * allowing {@link registerOperation} to extend at runtime.
+ *
+ * Builtin operations cover reads (getPullRequests, listBranches, etc.)
+ * and writes (createPullRequest, updatePullRequestTitle, and approval
+ * rule CRUD: createApprovalRule, updateApprovalRule, deleteApprovalRule).
+ *
+ * **Common tasks**
+ *
+ * - Get operation metadata: {@link getOperationMeta}
+ * - List all operations: {@link allOperations}
+ * - Register new operation: {@link registerOperation}
+ *
+ * @internal
+ */
+export interface OperationMeta {
+    readonly category: "read" | "write";
+    readonly description: string;
+}
+declare const BuiltinOperations: {
+    readonly getCallerIdentity: OperationMeta;
+    readonly listRepositories: OperationMeta;
+    readonly listPullRequests: OperationMeta;
+    readonly getPullRequests: OperationMeta;
+    readonly getPullRequest: OperationMeta;
+    readonly evaluatePullRequestApprovalRules: OperationMeta;
+    readonly getPullRequestApprovalStates: OperationMeta;
+    readonly getMergeConflicts: OperationMeta;
+    readonly getCommentsForPullRequest: OperationMeta;
+    readonly listBranches: OperationMeta;
+    readonly getDifferences: OperationMeta;
+    readonly createPullRequest: OperationMeta;
+    readonly updatePullRequestTitle: OperationMeta;
+    readonly updatePullRequestDescription: OperationMeta;
+    readonly createApprovalRule: OperationMeta;
+    readonly updateApprovalRule: OperationMeta;
+    readonly deleteApprovalRule: OperationMeta;
+};
+export type BuiltinOperation = keyof typeof BuiltinOperations;
+export type OperationName = BuiltinOperation | (string & {});
+export declare const getOperationMeta: (name: OperationName) => OperationMeta;
+export declare const allOperations: () => ReadonlyArray<readonly [string, OperationMeta]>;
+export declare const registerOperation: (name: string, meta: OperationMeta) => void;
+export {};
+//# sourceMappingURL=operations.d.ts.map

package/dist/PermissionService/operations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"operations.d.ts","sourceRoot":"","sources":["../../src/PermissionService/operations.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAA;IACnC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;CAC7B;AAID,QAAA,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;CAkB2B,CAAA;AAElD,MAAM,MAAM,gBAAgB,GAAG,MAAM,OAAO,iBAAiB,CAAA;AAG7D,MAAM,MAAM,aAAa,GAAG,gBAAgB,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAA;AAM5D,eAAO,MAAM,gBAAgB,GAAI,MAAM,aAAa,KAAG,aAAuD,CAAA;AAE9G,eAAO,MAAM,aAAa,QAAO,aAAa,CAAC,SAAS,CAAC,MAAM,EAAE,aAAa,CAAC,CAA8B,CAAA;AAE7G,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,EAAE,MAAM,aAAa,KAAG,IAErE,CAAA"}