@opencoven/coven-code 0.0.1

package/src/commands/agents.mjs

@@ -0,0 +1,53 @@
+import { existsSync } from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { CONFIG_SUBDIR } from '../constants.mjs';
+import { configDir } from '../settings/paths.mjs';
+import { UsageError } from '../cli/parse.mjs';
+
+export async function runAgents(args) {
+  if ((args[0] ?? 'list') !== 'list') throw new UsageError(`Unknown agents command: ${args[0] ?? ''}`);
+  for (const filePath of discoverAgentFiles(process.cwd())) {
+    console.log(filePath);
+  }
+}
+
+export function discoverAgentFiles(cwd) {
+  const files = [];
+  addFirstGuidanceInDir(files, path.join(configDir(), CONFIG_SUBDIR));
+  addFirstGuidanceInDir(files, configDir());
+  addFirstGuidanceInDir(files, path.join(os.homedir(), '.config', CONFIG_SUBDIR));
+  addFirstGuidanceInDir(files, path.join(os.homedir(), '.config'));
+  addFirstGuidanceInDir(files, '/etc/coven-code');
+  addFirstGuidanceInDir(files, '/Library/Application Support/coven-code');
+  if (process.env.ProgramData) addFirstGuidanceInDir(files, path.join(process.env.ProgramData, CONFIG_SUBDIR));
+  if (process.env.PROGRAMDATA) addFirstGuidanceInDir(files, path.join(process.env.PROGRAMDATA, CONFIG_SUBDIR));
+
+  const home = os.homedir();
+  let current = path.resolve(cwd);
+  while (true) {
+    addFirstGuidanceInDir(files, current);
+    if (current === home || current === path.dirname(current)) break;
+    current = path.dirname(current);
+  }
+
+  return [...new Set(files)];
+}
+
+function addFirstGuidanceInDir(files, dir) {
+  for (const name of ['AGENTS.md', 'AGENT.md', 'CLAUDE.md']) {
+    const filePath = path.join(dir, name);
+    if (existsSync(filePath)) {
+      files.push(filePath);
+      return;
+    }
+  }
+}
+
+export function firstGuidanceInDir(dir) {
+  for (const name of ['AGENTS.md', 'AGENT.md', 'CLAUDE.md']) {
+    const filePath = path.join(dir, name);
+    if (existsSync(filePath)) return filePath;
+  }
+  return undefined;
+}

package/src/commands/config.mjs

@@ -0,0 +1,27 @@
+import { spawnSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { findWorkspaceSettingsFile, settingsFile, workspaceSettingsFile } from '../settings/paths.mjs';
+import { writeSettingsFile } from '../settings/load.mjs';
+import { shellQuote } from '../util/shell.mjs';
+import { UsageError } from '../cli/parse.mjs';
+
+export async function runConfig(args, parsed = {}) {
+  const subcommand = args[0] ?? 'edit';
+  if (subcommand !== 'edit') throw new UsageError(`Unknown config command: ${subcommand}`);
+
+  const workspace = args.includes('--workspace');
+  const filePath = workspace
+    ? findWorkspaceSettingsFile(process.cwd()) ?? workspaceSettingsFile(process.cwd())
+    : settingsFile(parsed);
+  if (!existsSync(filePath)) await writeSettingsFile(filePath, {});
+
+  const editor = process.env.EDITOR || process.env.VISUAL;
+  if (!editor) throw new UsageError('config edit requires $EDITOR or $VISUAL');
+
+  const result = spawnSync(`${editor} ${shellQuote(filePath)}`, {
+    stdio: 'inherit',
+    shell: true,
+  });
+  if (result.error) throw new UsageError(`Unable to run editor: ${result.error.message}`);
+  if ((result.status ?? 0) !== 0) throw new UsageError(`Editor exited with status ${result.status}`);
+}

package/src/commands/ide.mjs

@@ -0,0 +1,17 @@
+import { UsageError } from '../cli/parse.mjs';
+
+export function runIde(args = []) {
+  const subcommand = args[0] ?? 'connect';
+  if (subcommand !== 'connect') throw new UsageError(`Unknown ide command: ${subcommand}`);
+  runIdeConnect(args[1] ?? 'auto');
+}
+
+export function runIdeConnect(name) {
+  console.log(`ide: ${name}`);
+  console.log('status: unavailable (local recreation)');
+  if (name === 'jetbrains') {
+    console.log('hint: run Coven Code from the JetBrains terminal or install the Coven Code IDE plugin');
+  } else {
+    console.log('hint: run Coven Code from a supported IDE terminal or install the Coven Code IDE plugin');
+  }
+}

package/src/commands/login.mjs

@@ -0,0 +1,84 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { chmod, mkdir, rm, writeFile } from 'node:fs/promises';
+import path from 'node:path';
+import { UsageError } from '../cli/parse.mjs';
+import { configDir } from '../settings/paths.mjs';
+
+const API_KEY_ENV = 'COVEN_CODE_API_KEY';
+const CONFIG_SUBDIR = 'coven-code';
+
+export async function runLogin(args = []) {
+  const subcommand = args[0] ?? '';
+  if (subcommand === 'status') {
+    printLoginStatus();
+    return;
+  }
+  if (subcommand === 'logout') {
+    await rm(authFile(), { force: true });
+    console.log('Logged out locally');
+    return;
+  }
+  if (subcommand) throw new UsageError(`Unknown login command: ${subcommand}`);
+
+  const apiKey = envApiKey();
+  if (!apiKey) {
+    console.log('Create or retrieve a Coven Code access token.');
+    console.log(`Then run: export ${API_KEY_ENV}=<token>`);
+    console.log(`Or set ${API_KEY_ENV} and run \`coven-code login\` to store it locally.`);
+    return;
+  }
+
+  await writeAuth({ accessToken: apiKey.token, source: apiKey.source });
+  console.log(`Logged in with ${apiKey.source} (${maskToken(apiKey.token)})`);
+}
+
+function printLoginStatus() {
+  const apiKey = envApiKey();
+  if (apiKey) {
+    console.log('auth_status: logged_in');
+    console.log(`source: ${apiKey.source}`);
+    console.log(`token: ${maskToken(apiKey.token)}`);
+    return;
+  }
+  const auth = readAuth();
+  if (auth?.accessToken) {
+    console.log('auth_status: logged_in');
+    console.log(`source: ${auth.source ?? 'local'}`);
+    console.log(`token: ${maskToken(auth.accessToken)}`);
+    return;
+  }
+  console.log('auth_status: logged_out');
+  console.log('source: none');
+}
+
+async function writeAuth(auth) {
+  const filePath = authFile();
+  await mkdir(path.dirname(filePath), { recursive: true });
+  await writeFile(filePath, `${JSON.stringify(auth, null, 2)}\n`, 'utf8');
+  await chmod(filePath, 0o600);
+}
+
+function readAuth() {
+  const filePath = authFile();
+  if (!existsSync(filePath)) return undefined;
+  try {
+    return JSON.parse(readFileSync(filePath, 'utf8'));
+  } catch {
+    return undefined;
+  }
+}
+
+function envApiKey() {
+  const token = process.env[API_KEY_ENV]?.trim();
+  if (token) return { token, source: API_KEY_ENV };
+  return undefined;
+}
+
+function authFile(subdir = CONFIG_SUBDIR) {
+  return path.join(configDir(), subdir, 'auth.json');
+}
+
+function maskToken(token = '') {
+  if (token.length <= 8) return '<redacted>';
+  return `${token.slice(0, 13)}…${token.slice(-4)}`;
+}

package/src/commands/mcp.mjs

@@ -0,0 +1,176 @@
+import { rm } from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { settingsFile, workspaceSettingsFile } from '../settings/paths.mjs';
+import { readSettingsFile, writeSettingsFile } from '../settings/load.mjs';
+import { formatMcpServerCommand, listConfiguredMcpServers } from '../mcp/discover.mjs';
+import { readWorkspaceMcpApprovals, writeWorkspaceMcpApprovals } from '../mcp/permissions.mjs';
+import { mcpServerHealth } from '../mcp/probe.mjs';
+import { UsageError } from '../cli/parse.mjs';
+import { printRows } from '../util/table.mjs';
+
+const MCP_SERVERS_SETTING = 'covenCode.mcpServers';
+
+export async function runMcp(args, parsed = {}) {
+  const subcommand = args[0] ?? 'list';
+
+  if (subcommand === 'oauth') {
+    await runMcpOauth(args.slice(1));
+    return;
+  }
+
+  if (subcommand === 'add') {
+    const workspace = args.includes('--workspace');
+    const tokens = args.slice(1).filter((arg) => arg !== '--workspace');
+    const separator = tokens.indexOf('--');
+    const name = tokens[0];
+    if (!name) throw new UsageError('mcp add requires a server name');
+    const specArgs = separator === -1 ? tokens.slice(1) : tokens.slice(separator + 1);
+    const settingsPath = workspace ? workspaceSettingsFile(process.cwd()) : settingsFile(parsed);
+    const settings = readSettingsFile(settingsPath);
+    settings[MCP_SERVERS_SETTING] = {
+      ...(settings[MCP_SERVERS_SETTING] ?? {}),
+      [name]: parseMcpServerSpec(specArgs),
+    };
+    await writeSettingsFile(settingsPath, settings);
+    console.log(`Added MCP server ${name} to ${workspace ? 'workspace' : 'user'} settings.`);
+    return;
+  }
+
+  if (subcommand === 'list') {
+    const rows = listConfiguredMcpServers(parsed).map((server) => [
+      server.name,
+      server.source,
+      server.status,
+      formatMcpServerCommand(server.config),
+    ]);
+    printRows(rows.length ? rows : [['(none)', '-', '-', '-']]);
+    return;
+  }
+
+  if (subcommand === 'doctor') {
+    const rows = [];
+    for (const server of listConfiguredMcpServers(parsed)) {
+      rows.push([
+        server.name,
+        server.source,
+        server.status,
+        server.status === 'approved' ? await mcpServerHealth(server.config, server.name) : 'not probed',
+        formatMcpServerCommand(server.config),
+      ]);
+    }
+    printRows(rows.length ? rows : [['(none)', '-', '-', '-', '-']]);
+    return;
+  }
+
+  if (subcommand === 'approve') {
+    const name = args[1];
+    if (!name) throw new UsageError('mcp approve requires a server name');
+    const approvals = readWorkspaceMcpApprovals(process.cwd());
+    approvals[name] = true;
+    await writeWorkspaceMcpApprovals(process.cwd(), approvals);
+    console.log(`Approved workspace MCP server ${name}.`);
+    return;
+  }
+
+  throw new UsageError(`Unknown mcp command: ${subcommand}`);
+}
+
+async function runMcpOauth(args) {
+  const subcommand = args[0] ?? '';
+  if (subcommand === 'login') {
+    const parsed = parseMcpOauthLoginArgs(args.slice(1));
+    await writeSettingsFile(mcpOauthCredentialFile(parsed.name), {
+      serverUrl: parsed.serverUrl,
+      clientId: parsed.clientId,
+      clientSecret: parsed.clientSecret,
+      scopes: parsed.scopes,
+    });
+    console.log(`Stored OAuth credentials for ${parsed.name}.`);
+    return;
+  }
+
+  if (subcommand === 'logout') {
+    const name = args[1];
+    if (!name) throw new UsageError('mcp oauth logout requires a server name');
+    await rm(mcpOauthCredentialFile(name), { force: true });
+    console.log(`Removed OAuth credentials for ${name}.`);
+    return;
+  }
+
+  throw new UsageError(`Unknown mcp oauth command: ${subcommand}`);
+}
+
+function parseMcpOauthLoginArgs(args) {
+  const name = args[0];
+  if (!name || name.startsWith('-')) throw new UsageError('mcp oauth login requires a server name');
+  const flags = parseFlagPairs(args.slice(1));
+  const serverUrl = flags.get('server-url') ?? flags.get('serverUrl');
+  const clientId = flags.get('client-id') ?? flags.get('clientId');
+  const clientSecret = flags.get('client-secret') ?? flags.get('clientSecret');
+  if (!serverUrl) throw new UsageError('mcp oauth login requires --server-url');
+  if (!clientId) throw new UsageError('mcp oauth login requires --client-id');
+  if (!clientSecret) throw new UsageError('mcp oauth login requires --client-secret');
+  return {
+    name,
+    serverUrl,
+    clientId,
+    clientSecret,
+    scopes: splitScopes(flags.get('scopes') ?? ''),
+  };
+}
+
+function parseFlagPairs(args) {
+  const flags = new Map();
+  for (let index = 0; index < args.length; index += 1) {
+    const key = args[index];
+    if (!key.startsWith('--')) continue;
+    flags.set(key.slice(2), args[index + 1] ?? '');
+    index += 1;
+  }
+  return flags;
+}
+
+function splitScopes(value) {
+  return String(value).split(/[,\s]+/).map((scope) => scope.trim()).filter(Boolean);
+}
+
+function mcpOauthCredentialFile(name) {
+  return path.join(os.homedir(), '.coven-code', 'oauth', `${name}.json`);
+}
+
+function parseMcpServerSpec(args) {
+  if (isRemoteMcpServerSpec(args)) return parseRemoteMcpServerSpec(args);
+  const [command, ...commandArgs] = args;
+  if (!command) throw new UsageError('mcp add requires a command or URL after --');
+  return { command, args: commandArgs };
+}
+
+function isRemoteMcpServerSpec(args) {
+  return /^https?:\/\//.test(args[0] ?? '') || args[0] === '--header';
+}
+
+function parseRemoteMcpServerSpec(args) {
+  const headers = {};
+  const endpoints = [];
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+    if (arg === '--header') {
+      const header = args[index + 1];
+      if (!header) throw new UsageError('mcp add --header requires NAME=VALUE');
+      const separator = header.indexOf('=');
+      if (separator <= 0) throw new UsageError('mcp add --header requires NAME=VALUE');
+      headers[header.slice(0, separator).trim()] = header.slice(separator + 1).trim();
+      index += 1;
+    } else {
+      endpoints.push(arg);
+    }
+  }
+  if (endpoints.length !== 1 || !/^https?:\/\//.test(endpoints[0])) {
+    throw new UsageError('mcp add remote servers require exactly one HTTP URL');
+  }
+  return {
+    url: endpoints[0],
+    ...(Object.keys(headers).length ? { headers } : {}),
+  };
+}

package/src/commands/permissions.mjs

@@ -0,0 +1,328 @@
+import { spawnSync } from 'node:child_process';
+import { BUILTIN_PERMISSIONS } from '../constants.mjs';
+import { readSettings, readEffectiveSettings, writeSettings } from '../settings/load.mjs';
+import { globMatch } from '../util/glob.mjs';
+import { shellQuote, splitShellWords } from '../util/shell.mjs';
+import { UsageError } from '../cli/parse.mjs';
+
+const PERMISSIONS_SETTING = 'covenCode.permissions';
+const COMMAND_ALLOWLIST_SETTING = 'covenCode.commands.allowlist';
+const DANGEROUSLY_ALLOW_ALL_SETTING = 'covenCode.dangerouslyAllowAll';
+const GUARDED_FILES_ALLOWLIST_SETTING = 'covenCode.guardedFiles.allowlist';
+const UNDEFINED_MATCH_VALUE = Object.freeze({ __covenCodeLiteral: 'undefined' });
+
+export async function runPermissions(args, stdin = '', parsed = {}) {
+  const subcommand = args[0] ?? 'list';
+  if (subcommand === 'list') {
+    const rules = args.includes('--builtin')
+      ? builtinPermissionRules()
+      : [...loadUserPermissionRules(parsed), ...builtinPermissionRules()];
+    for (const rule of rules) console.log(formatPermissionRule(rule));
+    return;
+  }
+
+  if (subcommand === 'add') {
+    const settings = readSettings(parsed);
+    const rule = parsePermissionRule(args.slice(1));
+    settings[PERMISSIONS_SETTING] = [rule, ...(settings[PERMISSIONS_SETTING] ?? [])];
+    await writeSettings(settings, parsed);
+    console.log(`Added permission rule: ${rule.action} ${rule.tool}`);
+    return;
+  }
+
+  if (subcommand === 'edit') {
+    const settings = readSettings(parsed);
+    settings[PERMISSIONS_SETTING] = parsePermissionText(stdin);
+    await writeSettings(settings, parsed);
+    console.log(`Wrote ${settings[PERMISSIONS_SETTING].length} permission rule(s).`);
+    return;
+  }
+
+  if (subcommand === 'test') {
+    const tool = args[1];
+    if (!tool) throw new UsageError('permissions test requires a tool name');
+    const toolArgs = parseFlagMatches(args.slice(2));
+    const context = typeof toolArgs.context === 'string' ? toolArgs.context : 'thread';
+    delete toolArgs.context;
+    const decision = evaluatePermission(tool, toolArgs, parsed, { context });
+    console.log(`tool: ${tool}`);
+    console.log(`arguments: ${JSON.stringify(toolArgs)}`);
+    console.log(`action: ${decision.action}`);
+    if (decision.to) console.log(`to: ${decision.to}`);
+    if (decision.matchedRule !== undefined) console.log(`matched-rule: ${decision.matchedRule}`);
+    console.log(`source: ${decision.source}`);
+    return;
+  }
+
+  throw new UsageError(`Unknown permissions command: ${subcommand}`);
+}
+
+export function loadUserPermissionRules(parsed = {}) {
+  const settings = readEffectiveSettings(parsed);
+  return Array.isArray(settings[PERMISSIONS_SETTING]) ? settings[PERMISSIONS_SETTING] : [];
+}
+
+function formatPermissionRule(rule) {
+  const parts = [rule.action];
+  for (const key of ['context', 'to', 'message']) {
+    if (rule[key] !== undefined) parts.push(`--${key}`, formatPermissionToken(rule[key]));
+  }
+  parts.push(formatPermissionToken(rule.tool));
+  for (const [key, value] of flattenMatches(rule.matches)) {
+    parts.push(`--${key}`, formatPermissionToken(value));
+  }
+  return parts.join(' ');
+}
+
+function flattenMatches(matches, prefix = '') {
+  if (!matches) return [];
+  const entries = [];
+  for (const [key, value] of Object.entries(matches)) {
+    const fullKey = prefix ? `${prefix}.${key}` : key;
+    if (Array.isArray(value)) {
+      for (const entry of value) entries.push(...flattenMatchValue(fullKey, entry));
+    } else {
+      entries.push(...flattenMatchValue(fullKey, value));
+    }
+  }
+  return entries;
+}
+
+function flattenMatchValue(key, value) {
+  if (isUndefinedMatchValue(value)) return [[key, value]];
+  if (value && typeof value === 'object' && !Array.isArray(value)) return flattenMatches(value, key);
+  return [[key, value]];
+}
+
+function formatPermissionToken(value) {
+  if (isUndefinedMatchValue(value)) return 'undefined';
+  if (value === null) return 'null';
+  if (value === undefined) return 'undefined';
+  if (typeof value === 'boolean' || typeof value === 'number') return String(value);
+  const text = String(value);
+  return /^[A-Za-z0-9_./:@=-]+$/.test(text) ? text : shellQuote(text);
+}
+
+function parsePermissionText(input) {
+  return input
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter((line) => line && !line.startsWith('#'))
+    .map((line) => parsePermissionRule(splitShellWords(line)));
+}
+
+function parsePermissionRule(tokens) {
+  const [action] = tokens;
+  const { flags: actionArgs, index: toolIndex } = parseActionArgs(tokens, 1);
+  const tool = tokens[toolIndex];
+  const rest = tokens.slice(toolIndex + 1);
+  if (!action || !tool) throw new UsageError('permission rules require: <action> <tool>');
+  const rule = { action, tool, ...actionArgs };
+  const matches = parseFlagMatches(rest, { undefinedPattern: true });
+  if (Object.keys(matches).length > 0) rule.matches = matches;
+  if (matches.to) {
+    rule.to = matches.to;
+    delete rule.matches.to;
+    if (Object.keys(rule.matches).length === 0) delete rule.matches;
+  }
+  return rule;
+}
+
+function parseActionArgs(tokens, startIndex) {
+  const flags = {};
+  let index = startIndex;
+  while (tokens[index]?.startsWith('--')) {
+    const key = tokens[index].slice(2);
+    flags[key] = parsePermissionValue(tokens[index + 1] ?? '');
+    index += 2;
+  }
+  return { flags, index };
+}
+
+export function parseFlagMatches(tokens, options = {}) {
+  return parseFlagMatchesWithOptions(tokens, options);
+}
+
+function parseFlagMatchesWithOptions(tokens, options = {}) {
+  const matches = {};
+  for (let index = 0; index < tokens.length; index += 1) {
+    const token = tokens[index];
+    if (!token.startsWith('--')) continue;
+    const key = token.slice(2);
+    const value = parsePermissionValue(tokens[index + 1] ?? '', options);
+    index += 1;
+    setMatchValue(matches, key, value);
+  }
+  return matches;
+}
+
+function parsePermissionValue(value, options = {}) {
+  if (value === 'undefined') return options.undefinedPattern ? { ...UNDEFINED_MATCH_VALUE } : undefined;
+  if (/^(?:true|false|null|-?\d+(?:\.\d+)?)$/.test(value)) return JSON.parse(value);
+  return value;
+}
+
+function setMatchValue(target, key, value) {
+  const parts = key.split('.').filter(Boolean);
+  let current = target;
+  for (const part of parts.slice(0, -1)) {
+    if (!current[part] || typeof current[part] !== 'object' || Array.isArray(current[part])) current[part] = {};
+    current = current[part];
+  }
+  const finalKey = parts.at(-1) ?? key;
+  if (!hasOwn(current, finalKey)) current[finalKey] = value;
+  else if (Array.isArray(current[finalKey])) current[finalKey].push(value);
+  else current[finalKey] = [current[finalKey], value];
+}
+
+export function evaluatePermission(tool, toolArgs, parsed = {}, options = {}) {
+  const ruleGroups = [
+    { source: 'user', rules: loadUserPermissionRules(parsed) },
+    { source: 'command-allowlist', rules: commandAllowlistPermissionRules(parsed) },
+    {
+      source: 'built-in',
+      rules: builtinPermissionRules(),
+    },
+  ];
+
+  for (const group of ruleGroups) {
+    for (const [index, rule] of group.rules.entries()) {
+      if (!globMatch(rule.tool, tool)) continue;
+      if (!matchesContext(rule.context, options.context ?? 'thread')) continue;
+      if (!matchesArguments(rule.matches, toolArgs)) continue;
+      return {
+        action: rule.action,
+        to: rule.to,
+        message: rule.message,
+        matchedRule: index,
+        source: group.source,
+      };
+    }
+  }
+
+  return { action: 'reject', source: 'default' };
+}
+
+function builtinPermissionRules() {
+  return BUILTIN_PERMISSIONS.map(([action, builtinTool, cmd]) => ({
+    action,
+    tool: builtinTool,
+    matches: builtinTool === 'Bash' ? { cmd: `${cmd}*` } : undefined,
+  }));
+}
+
+function commandAllowlistPermissionRules(parsed = {}) {
+  const allowlist = readEffectiveSettings(parsed)[COMMAND_ALLOWLIST_SETTING];
+  if (!Array.isArray(allowlist)) return [];
+  return allowlist
+    .map((command) => String(command).trim())
+    .filter(Boolean)
+    .map((command) => ({
+      action: 'allow',
+      tool: 'Bash',
+      matches: { cmd: commandAllowlistPattern(command) },
+    }));
+}
+
+function commandAllowlistPattern(command) {
+  return `/^${escapeRegex(command)}(?:\\s|$).*/`;
+}
+
+function escapeRegex(value) {
+  return String(value).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+export function resolvePermissionDecision(tool, toolArgs, parsed = {}, options = {}) {
+  const settings = readEffectiveSettings(parsed);
+  if (isDangerouslyAllowAll(parsed, settings)) return { action: 'allow', source: 'dangerously-allow-all' };
+  if (!legacyPermissionsConfigured(settings)) return { action: 'allow', source: 'default-no-approval' };
+  const decision = evaluatePermission(tool, toolArgs, parsed, options);
+  if (decision.action !== 'delegate') return decision;
+  if (!decision.to) {
+    return { ...decision, action: 'reject', message: 'Delegate permission rule is missing a target program' };
+  }
+
+  const result = spawnSync(decision.to, {
+    input: `${JSON.stringify(toolArgs)}\n`,
+    env: {
+      ...process.env,
+      AGENT: 'coven-code',
+      AGENT_TOOL_NAME: tool,
+      COVEN_CODE_THREAD_ID: options.threadId ?? '',
+      AGENT_THREAD_ID: options.threadId ?? '',
+    },
+    encoding: 'utf8',
+    shell: false,
+  });
+
+  if (result.status === 0) return { ...decision, action: 'allow', delegatedAction: 'allow' };
+  if (result.status === 1) return { ...decision, action: 'ask', delegatedAction: 'ask' };
+  return {
+    ...decision,
+    action: 'reject',
+    delegatedAction: 'reject',
+    message: result.stderr.trim() || result.error?.message || `Permission delegate ${decision.to} rejected the tool call`,
+  };
+}
+
+function isDangerouslyAllowAll(parsed = {}, settings = readEffectiveSettings(parsed)) {
+  if (parsed.dangerouslyAllowAll) return true;
+  return settings[DANGEROUSLY_ALLOW_ALL_SETTING] === true;
+}
+
+function legacyPermissionsConfigured(settings = {}) {
+  return hasOwn(settings, PERMISSIONS_SETTING)
+    || hasOwn(settings, GUARDED_FILES_ALLOWLIST_SETTING)
+    || hasOwn(settings, COMMAND_ALLOWLIST_SETTING)
+    || settings[DANGEROUSLY_ALLOW_ALL_SETTING] === false;
+}
+
+function hasOwn(value, key) {
+  return Object.prototype.hasOwnProperty.call(value, key);
+}
+
+function matchesContext(ruleContext, actualContext) {
+  return !ruleContext || ruleContext === actualContext;
+}
+
+function matchesArguments(matches, toolArgs) {
+  if (!matches || Object.keys(matches).length === 0) return true;
+  for (const [key, pattern] of Object.entries(matches)) {
+    const actual = valueAtPath(toolArgs, key);
+    if (!matchesPattern(pattern, actual)) return false;
+  }
+  return true;
+}
+
+function matchesPattern(pattern, actual) {
+  if (isUndefinedMatchValue(pattern)) return actual === undefined;
+  if (Array.isArray(pattern)) return pattern.some((entry) => matchesPattern(entry, actual));
+  if (pattern && typeof pattern === 'object') {
+    if (!actual || typeof actual !== 'object') return false;
+    return Object.entries(pattern).every(([key, value]) => matchesPattern(value, valueAtPath(actual, key)));
+  }
+  if (typeof pattern === 'string') {
+    if (typeof actual !== 'string') return false;
+    if (isRegexPattern(pattern)) return new RegExp(pattern.slice(1, -1)).test(actual);
+    return globMatch(pattern, actual);
+  }
+  return Object.is(pattern, actual);
+}
+
+function isRegexPattern(value) {
+  return value.length >= 2 && value.startsWith('/') && value.endsWith('/');
+}
+
+function valueAtPath(value, key) {
+  return key.split('.').reduce((current, part) => current?.[part], value);
+}
+
+function isUndefinedMatchValue(value) {
+  return Boolean(
+    value
+      && typeof value === 'object'
+      && !Array.isArray(value)
+      && value.__covenCodeLiteral === 'undefined'
+      && Object.keys(value).length === 1,
+  );
+}