@phuetz/code-buddy 0.1.18 → 0.1.20

package/dist/security/permission-patterns.js

@@ -0,0 +1,171 @@
+/**
+ * Pattern-based Permissions
+ *
+ * Provides fine-grained permission control for tool executions using
+ * glob-pattern matching. Rules are evaluated in order; first match wins.
+ *
+ * Tool specifier format:
+ *   Bash(npm run *)     → matches Bash tool with commands starting "npm run "
+ *   Edit(./src/**)      → matches Edit tool with paths under ./src/
+ *   Read(./.env)        → matches Read tool on exactly ./.env
+ *   WebFetch(domain:example.com) → matches WebFetch for a specific domain
+ *   Bash                → matches all Bash invocations (no pattern)
+ *
+ * Pattern rules:
+ *   *  → matches any characters except /
+ *   ** → matches anything including /
+ */
+import { logger } from '../utils/logger.js';
+// ============================================================================
+// Pattern Matching
+// ============================================================================
+/**
+ * Convert a glob pattern to a RegExp.
+ *   ** → matches anything (including /)
+ *   *  → matches anything except /
+ */
+function globToRegex(pattern) {
+    let result = '';
+    let i = 0;
+    while (i < pattern.length) {
+        const char = pattern[i];
+        if (char === '*' && pattern[i + 1] === '*') {
+            // ** matches anything including /
+            result += '.*';
+            i += 2;
+            // skip trailing / after **
+            if (pattern[i] === '/') {
+                i++;
+            }
+        }
+        else if (char === '*') {
+            // * matches anything except /
+            result += '[^/]*';
+            i++;
+        }
+        else if (char === '?') {
+            result += '[^/]';
+            i++;
+        }
+        else {
+            // Escape regex special characters
+            result += char.replace(/[.+^${}()|[\]\\]/g, '\\$&');
+            i++;
+        }
+    }
+    return new RegExp('^' + result + '$');
+}
+// ============================================================================
+// PermissionPatternMatcher
+// ============================================================================
+export class PermissionPatternMatcher {
+    rules = [];
+    /**
+     * Add a permission rule.
+     */
+    addRule(rule) {
+        this.rules.push(rule);
+    }
+    /**
+     * Check permission for a tool call. Evaluates rules in order; first match wins.
+     * If no rule matches, returns 'ask' as default.
+     */
+    checkPermission(tool, input) {
+        for (const rule of this.rules) {
+            if (rule.tool !== tool) {
+                continue;
+            }
+            // If rule has no pattern, it matches all invocations of this tool
+            if (!rule.pattern) {
+                return rule.action;
+            }
+            // Domain-based matching for WebFetch
+            if (rule.pattern.startsWith('domain:')) {
+                const domain = rule.pattern.slice('domain:'.length);
+                if (input.includes(domain)) {
+                    return rule.action;
+                }
+                continue;
+            }
+            // Glob pattern matching
+            const regex = globToRegex(rule.pattern);
+            if (regex.test(input)) {
+                return rule.action;
+            }
+        }
+        // Default: ask
+        return 'ask';
+    }
+    /**
+     * Parse a tool specifier string like "Bash(npm run *)" into components.
+     */
+    parseToolSpecifier(spec) {
+        const match = spec.match(/^([A-Za-z_]+)(?:\((.+)\))?$/);
+        if (!match) {
+            throw new Error(`Invalid tool specifier: ${spec}`);
+        }
+        return {
+            tool: match[1],
+            pattern: match[2] || undefined,
+        };
+    }
+    /**
+     * Load rules from an array of strings like "allow:Bash(npm run *)".
+     */
+    loadRules(ruleStrings) {
+        for (const ruleStr of ruleStrings) {
+            const colonIndex = ruleStr.indexOf(':');
+            if (colonIndex === -1) {
+                logger.warn('Invalid rule string (missing action prefix)', { rule: ruleStr });
+                continue;
+            }
+            const action = ruleStr.slice(0, colonIndex);
+            if (action !== 'allow' && action !== 'ask' && action !== 'deny') {
+                logger.warn('Invalid permission action', { action, rule: ruleStr });
+                continue;
+            }
+            const specStr = ruleStr.slice(colonIndex + 1);
+            const spec = this.parseToolSpecifier(specStr);
+            this.addRule({
+                tool: spec.tool,
+                pattern: spec.pattern,
+                action,
+            });
+        }
+    }
+    /**
+     * Get all current rules.
+     */
+    getRules() {
+        return [...this.rules];
+    }
+    /**
+     * Clear all rules.
+     */
+    clearRules() {
+        this.rules = [];
+    }
+    /**
+     * Remove a rule by index.
+     */
+    removeRule(index) {
+        if (index < 0 || index >= this.rules.length) {
+            throw new Error(`Rule index out of bounds: ${index}`);
+        }
+        this.rules.splice(index, 1);
+    }
+}
+// ============================================================================
+// Singleton
+// ============================================================================
+let instance = null;
+export function getPermissionMatcher() {
+    if (!instance) {
+        instance = new PermissionPatternMatcher();
+    }
+    return instance;
+}
+export function resetPermissionMatcher() {
+    instance = null;
+}
+//# sourceMappingURL=permission-patterns.js.map

package/dist/security/permission-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-patterns.js","sourceRoot":"","sources":["../../src/security/permission-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAmB5C,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;;;GAIG;AACH,SAAS,WAAW,CAAC,OAAe;IAClC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,CAAC,GAAG,CAAC,CAAC;IAEV,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QAC1B,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QAExB,IAAI,IAAI,KAAK,GAAG,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YAC3C,kCAAkC;YAClC,MAAM,IAAI,IAAI,CAAC;YACf,CAAC,IAAI,CAAC,CAAC;YACP,2BAA2B;YAC3B,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACvB,CAAC,EAAE,CAAC;YACN,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACxB,8BAA8B;YAC9B,MAAM,IAAI,OAAO,CAAC;YAClB,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACxB,MAAM,IAAI,MAAM,CAAC;YACjB,CAAC,EAAE,CAAC;QACN,CAAC;aAAM,CAAC;YACN,kCAAkC;YAClC,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC;YACpD,CAAC,EAAE,CAAC;QACN,CAAC;IACH,CAAC;IAED,OAAO,IAAI,MAAM,CAAC,GAAG,GAAG,MAAM,GAAG,GAAG,CAAC,CAAC;AACxC,CAAC;AAED,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E,MAAM,OAAO,wBAAwB;IAC3B,KAAK,GAAqB,EAAE,CAAC;IAErC;;OAEG;IACH,OAAO,CAAC,IAAoB;QAC1B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,IAAY,EAAE,KAAa;QACzC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;gBACvB,SAAS;YACX,CAAC;YAED,kEAAkE;YAClE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClB,OAAO,IAAI,CAAC,MAAM,CAAC;YACrB,CAAC;YAED,qCAAqC;YACrC,IAAI,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACvC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;gBACpD,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC3B,OAAO,IAAI,CAAC,MAAM,CAAC;gBACrB,CAAC;gBACD,SAAS;YACX,CAAC;YAED,wBAAwB;YACxB,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACxC,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBACtB,OAAO,IAAI,CAAC,MAAM,CAAC;YACrB,CAAC;QACH,CAAC;QAED,eAAe;QACf,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,IAAY;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACxD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,EAAE,CAAC,CAAC;QACrD,CAAC;QAED,OAAO;YACL,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;YACd,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,SAAS;SAC/B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,WAAqB;QAC7B,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACxC,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;gBACtB,MAAM,CAAC,IAAI,CAAC,6CAA6C,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;gBAC9E,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAqB,CAAC;YAChE,IAAI,MAAM,KAAK,OAAO,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBAChE,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;gBACpE,SAAS;YACX,CAAC;YAED,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC;YAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;YAE9C,IAAI,CAAC,OAAO,CAAC;gBACX,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM;aACP,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,KAAa;QACtB,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YAC5C,MAAM,IAAI,KAAK,CAAC,6BAA6B,KAAK,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC9B,CAAC;CACF;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,IAAI,QAAQ,GAAoC,IAAI,CAAC;AAErD,MAAM,UAAU,oBAAoB;IAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,IAAI,wBAAwB,EAAE,CAAC;IAC5C,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,QAAQ,GAAG,IAAI,CAAC;AAClB,CAAC"}

package/dist/security/safe-binaries.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Safe Binaries System
+ *
+ * Maintains a list of commands that are safe to execute without
+ * user approval. These are read-only or informational commands
+ * that cannot modify the filesystem or system state.
+ */
+export declare const SAFE_BINARIES: readonly string[];
+export declare class SafeBinariesChecker {
+    private static instance;
+    private safeBinaries;
+    private customized;
+    private constructor();
+    static getInstance(): SafeBinariesChecker;
+    static resetInstance(): void;
+    isSafe(command: string): boolean;
+    isSafeChain(command: string): boolean;
+    getSafeBinaries(): string[];
+    addSafeBinary(name: string): void;
+    removeSafeBinary(name: string): void;
+    isCustomized(): boolean;
+    private extractFirstWord;
+}

package/dist/security/safe-binaries.js

@@ -0,0 +1,96 @@
+/**
+ * Safe Binaries System
+ *
+ * Maintains a list of commands that are safe to execute without
+ * user approval. These are read-only or informational commands
+ * that cannot modify the filesystem or system state.
+ */
+import { logger } from '../utils/logger.js';
+// ============================================================================
+// Safe Binaries List
+// ============================================================================
+export const SAFE_BINARIES = [
+    'ls', 'cat', 'head', 'tail', 'wc', 'grep', 'rg', 'find',
+    'which', 'whoami', 'pwd', 'echo', 'date', 'uname', 'hostname',
+    'env', 'printenv', 'file', 'stat', 'du', 'df', 'free', 'uptime',
+    'id', 'groups', 'locale', 'tty', 'stty', 'basename', 'dirname',
+    'realpath', 'readlink', 'md5sum', 'sha256sum', 'sort', 'uniq',
+    'tr', 'cut', 'paste', 'diff', 'comm', 'tee', 'xargs', 'seq',
+    'yes', 'true', 'false', 'test', 'expr',
+];
+// ============================================================================
+// SafeBinariesChecker
+// ============================================================================
+export class SafeBinariesChecker {
+    static instance = null;
+    safeBinaries;
+    customized = false;
+    constructor() {
+        this.safeBinaries = new Set(SAFE_BINARIES);
+    }
+    static getInstance() {
+        if (!SafeBinariesChecker.instance) {
+            SafeBinariesChecker.instance = new SafeBinariesChecker();
+        }
+        return SafeBinariesChecker.instance;
+    }
+    static resetInstance() {
+        SafeBinariesChecker.instance = null;
+    }
+    isSafe(command) {
+        const trimmed = command.trim();
+        if (!trimmed)
+            return false;
+        const firstWord = this.extractFirstWord(trimmed);
+        return this.safeBinaries.has(firstWord);
+    }
+    isSafeChain(command) {
+        const trimmed = command.trim();
+        if (!trimmed)
+            return false;
+        // Split on pipes, &&, ||, and ;
+        const parts = trimmed.split(/\s*(?:\|{1,2}|&&|;)\s*/);
+        for (const part of parts) {
+            const cleaned = part.trim();
+            if (!cleaned)
+                continue;
+            if (!this.isSafe(cleaned)) {
+                return false;
+            }
+        }
+        return true;
+    }
+    getSafeBinaries() {
+        return Array.from(this.safeBinaries).sort();
+    }
+    addSafeBinary(name) {
+        this.safeBinaries.add(name);
+        this.customized = true;
+        logger.debug('Added safe binary', { name });
+    }
+    removeSafeBinary(name) {
+        this.safeBinaries.delete(name);
+        this.customized = true;
+        logger.debug('Removed safe binary', { name });
+    }
+    isCustomized() {
+        return this.customized;
+    }
+    extractFirstWord(command) {
+        // Handle env var prefixes like FOO=bar cmd
+        let cmd = command;
+        while (/^\w+=\S*\s+/.test(cmd)) {
+            cmd = cmd.replace(/^\w+=\S*\s+/, '');
+        }
+        // Handle sudo/command prefixes
+        const prefixes = ['sudo', 'command', 'builtin'];
+        let firstWord = cmd.split(/\s+/)[0];
+        if (prefixes.includes(firstWord) && cmd.split(/\s+/).length > 1) {
+            firstWord = cmd.split(/\s+/)[1];
+        }
+        // Strip path prefix (e.g., /usr/bin/ls -> ls)
+        const basename = firstWord.split('/').pop() || firstWord;
+        return basename;
+    }
+}
+//# sourceMappingURL=safe-binaries.js.map

package/dist/security/safe-binaries.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-binaries.js","sourceRoot":"","sources":["../../src/security/safe-binaries.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAE5C,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E,MAAM,CAAC,MAAM,aAAa,GAAsB;IAC9C,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;IACvD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU;IAC7D,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ;IAC/D,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS;IAC9D,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM;IAC7D,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK;IAC3D,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM;CAC9B,CAAC;AAEX,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E,MAAM,OAAO,mBAAmB;IACtB,MAAM,CAAC,QAAQ,GAA+B,IAAI,CAAC;IAEnD,YAAY,CAAc;IAC1B,UAAU,GAAG,KAAK,CAAC;IAE3B;QACE,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC;YAClC,mBAAmB,CAAC,QAAQ,GAAG,IAAI,mBAAmB,EAAE,CAAC;QAC3D,CAAC;QACD,OAAO,mBAAmB,CAAC,QAAQ,CAAC;IACtC,CAAC;IAED,MAAM,CAAC,aAAa;QAClB,mBAAmB,CAAC,QAAQ,GAAG,IAAI,CAAC;IACtC,CAAC;IAED,MAAM,CAAC,OAAe;QACpB,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAC/B,IAAI,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QAE3B,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC1C,CAAC;IAED,WAAW,CAAC,OAAe;QACzB,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAC/B,IAAI,CAAC,OAAO;YAAE,OAAO,KAAK,CAAC;QAE3B,gCAAgC;QAChC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAEtD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1B,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,eAAe;QACb,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9C,CAAC;IAED,aAAa,CAAC,IAAY;QACxB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACvB,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,gBAAgB,CAAC,IAAY;QAC3B,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC/B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACvB,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;IAED,YAAY;QACV,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAEO,gBAAgB,CAAC,OAAe;QACtC,2CAA2C;QAC3C,IAAI,GAAG,GAAG,OAAO,CAAC;QAClB,OAAO,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACvC,CAAC;QAED,+BAA+B;QAC/B,MAAM,QAAQ,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAChD,IAAI,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAEpC,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChE,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QAED,8CAA8C;QAC9C,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,SAAS,CAAC;QACzD,OAAO,QAAQ,CAAC;IAClB,CAAC"}

package/dist/security/sender-policies.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Per-Sender Policies & Agents List
+ * Tool access control per sender identity and agent registry.
+ */
+export interface SenderIdentity {
+    username?: string;
+    userId?: string;
+    phone?: string;
+    displayName?: string;
+}
+export interface SenderPolicy {
+    identity: SenderIdentity;
+    allowedTools: string[];
+    deniedTools: string[];
+    maxTurns?: number;
+}
+export declare class SenderPolicyManager {
+    private static instance;
+    private policies;
+    static getInstance(): SenderPolicyManager;
+    static resetInstance(): void;
+    addPolicy(policy: SenderPolicy): void;
+    removePolicy(identity: SenderIdentity): boolean;
+    getPolicy(identity: SenderIdentity): SenderPolicy | undefined;
+    isToolAllowed(identity: SenderIdentity, tool: string): boolean;
+    matchIdentity(sender: SenderIdentity, policy: SenderPolicy): boolean;
+    listPolicies(): SenderPolicy[];
+    clearPolicies(): void;
+}
+interface AgentInfo {
+    name: string;
+    description: string;
+    status: 'active' | 'inactive';
+}
+export declare class AgentListTool {
+    private static instance;
+    private agents;
+    static getInstance(): AgentListTool;
+    static resetInstance(): void;
+    listAgents(): AgentInfo[];
+    addAgent(name: string, description: string): void;
+    removeAgent(name: string): boolean;
+    getAgent(name: string): AgentInfo | undefined;
+    getAgentCount(): number;
+}
+export {};

package/dist/security/sender-policies.js

@@ -0,0 +1,90 @@
+/**
+ * Per-Sender Policies & Agents List
+ * Tool access control per sender identity and agent registry.
+ */
+import { logger } from '../utils/logger.js';
+export class SenderPolicyManager {
+    static instance = null;
+    policies = [];
+    static getInstance() {
+        if (!SenderPolicyManager.instance) {
+            SenderPolicyManager.instance = new SenderPolicyManager();
+        }
+        return SenderPolicyManager.instance;
+    }
+    static resetInstance() {
+        SenderPolicyManager.instance = null;
+    }
+    addPolicy(policy) {
+        // Remove existing policy for same identity
+        this.policies = this.policies.filter(p => !this.matchIdentity(policy.identity, p));
+        this.policies.push(policy);
+        logger.debug(`Added policy for sender: ${JSON.stringify(policy.identity)}`);
+    }
+    removePolicy(identity) {
+        const before = this.policies.length;
+        this.policies = this.policies.filter(p => !this.matchIdentity(identity, p));
+        return this.policies.length < before;
+    }
+    getPolicy(identity) {
+        return this.policies.find(p => this.matchIdentity(identity, p));
+    }
+    isToolAllowed(identity, tool) {
+        const policy = this.getPolicy(identity);
+        if (!policy)
+            return true; // No policy means no restrictions
+        if (policy.deniedTools.includes(tool))
+            return false;
+        if (policy.allowedTools.length > 0 && !policy.allowedTools.includes(tool))
+            return false;
+        return true;
+    }
+    matchIdentity(sender, policy) {
+        const pi = policy.identity;
+        if (sender.username && pi.username && sender.username === pi.username)
+            return true;
+        if (sender.userId && pi.userId && sender.userId === pi.userId)
+            return true;
+        if (sender.phone && pi.phone && sender.phone === pi.phone)
+            return true;
+        if (sender.displayName && pi.displayName && sender.displayName === pi.displayName)
+            return true;
+        return false;
+    }
+    listPolicies() {
+        return [...this.policies];
+    }
+    clearPolicies() {
+        this.policies = [];
+    }
+}
+export class AgentListTool {
+    static instance = null;
+    agents = new Map();
+    static getInstance() {
+        if (!AgentListTool.instance) {
+            AgentListTool.instance = new AgentListTool();
+        }
+        return AgentListTool.instance;
+    }
+    static resetInstance() {
+        AgentListTool.instance = null;
+    }
+    listAgents() {
+        return Array.from(this.agents.values());
+    }
+    addAgent(name, description) {
+        this.agents.set(name, { name, description, status: 'active' });
+        logger.debug(`Registered agent: ${name}`);
+    }
+    removeAgent(name) {
+        return this.agents.delete(name);
+    }
+    getAgent(name) {
+        return this.agents.get(name);
+    }
+    getAgentCount() {
+        return this.agents.size;
+    }
+}
+//# sourceMappingURL=sender-policies.js.map

package/dist/security/sender-policies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sender-policies.js","sourceRoot":"","sources":["../../src/security/sender-policies.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAgB5C,MAAM,OAAO,mBAAmB;IACtB,MAAM,CAAC,QAAQ,GAA+B,IAAI,CAAC;IACnD,QAAQ,GAAmB,EAAE,CAAC;IAEtC,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC;YAClC,mBAAmB,CAAC,QAAQ,GAAG,IAAI,mBAAmB,EAAE,CAAC;QAC3D,CAAC;QACD,OAAO,mBAAmB,CAAC,QAAQ,CAAC;IACtC,CAAC;IAED,MAAM,CAAC,aAAa;QAClB,mBAAmB,CAAC,QAAQ,GAAG,IAAI,CAAC;IACtC,CAAC;IAED,SAAS,CAAC,MAAoB;QAC5B,2CAA2C;QAC3C,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC;QACnF,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,MAAM,CAAC,KAAK,CAAC,4BAA4B,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,YAAY,CAAC,QAAwB;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QACpC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC;IACvC,CAAC;IAED,SAAS,CAAC,QAAwB;QAChC,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC;IAClE,CAAC;IAED,aAAa,CAAC,QAAwB,EAAE,IAAY;QAClD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,CAAC,kCAAkC;QAE5D,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QACpD,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QACxF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,aAAa,CAAC,MAAsB,EAAE,MAAoB;QACxD,MAAM,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;QAC3B,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,EAAE,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QACnF,IAAI,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAC3E,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK,KAAK,EAAE,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACvE,IAAI,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW,KAAK,EAAE,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAC/F,OAAO,KAAK,CAAC;IACf,CAAC;IAED,YAAY;QACV,OAAO,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5B,CAAC;IAED,aAAa;QACX,IAAI,CAAC,QAAQ,GAAG,EAAE,CAAC;IACrB,CAAC;;AASH,MAAM,OAAO,aAAa;IAChB,MAAM,CAAC,QAAQ,GAAyB,IAAI,CAAC;IAC7C,MAAM,GAA2B,IAAI,GAAG,EAAE,CAAC;IAEnD,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC5B,aAAa,CAAC,QAAQ,GAAG,IAAI,aAAa,EAAE,CAAC;QAC/C,CAAC;QACD,OAAO,aAAa,CAAC,QAAQ,CAAC;IAChC,CAAC;IAED,MAAM,CAAC,aAAa;QAClB,aAAa,CAAC,QAAQ,GAAG,IAAI,CAAC;IAChC,CAAC;IAED,UAAU;QACR,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,QAAQ,CAAC,IAAY,EAAE,WAAmB;QACxC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC/D,MAAM,CAAC,KAAK,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,WAAW,CAAC,IAAY;QACtB,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,QAAQ,CAAC,IAAY;QACnB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED,aAAa;QACX,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;IAC1B,CAAC"}

package/dist/server/dashboard.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Web Control UI Dashboard
+ *
+ * Provides an HTTP-based admin dashboard for monitoring
+ * agent status, sessions, channels, tools, and system health.
+ */
+export interface DashboardConfig {
+    port?: number;
+    authToken?: string;
+}
+export interface DashboardStatus {
+    running: boolean;
+    port: number;
+    uptime: number;
+    connectedClients: number;
+}
+export interface DashboardMetrics {
+    agent: {
+        status: string;
+        model: string;
+        mode: string;
+    };
+    sessions: number;
+    channels: string[];
+    tools: number;
+    memory: {
+        used: number;
+        total: number;
+    };
+    system: {
+        cpuPercent: number;
+        memoryPercent: number;
+    };
+}
+export declare class Dashboard {
+    private static instance;
+    private config;
+    private running;
+    private startTime;
+    private connectedClients;
+    constructor(config?: DashboardConfig);
+    static getInstance(config?: DashboardConfig): Dashboard;
+    static resetInstance(): void;
+    start(port?: number): void;
+    stop(): void;
+    isRunning(): boolean;
+    getPort(): number;
+    getUrl(): string;
+    getStatus(): DashboardStatus;
+    generateDashboardHtml(): string;
+    getMetrics(): DashboardMetrics;
+    setConnectedClients(count: number): void;
+}

package/dist/server/dashboard.js

@@ -0,0 +1,93 @@
+/**
+ * Web Control UI Dashboard
+ *
+ * Provides an HTTP-based admin dashboard for monitoring
+ * agent status, sessions, channels, tools, and system health.
+ */
+import { logger } from '../utils/logger.js';
+// ============================================================================
+// Dashboard
+// ============================================================================
+export class Dashboard {
+    static instance = null;
+    config;
+    running = false;
+    startTime = 0;
+    connectedClients = 0;
+    constructor(config) {
+        this.config = config || { port: 8080 };
+    }
+    static getInstance(config) {
+        if (!Dashboard.instance) {
+            Dashboard.instance = new Dashboard(config);
+        }
+        return Dashboard.instance;
+    }
+    static resetInstance() {
+        Dashboard.instance = null;
+    }
+    start(port) {
+        if (port !== undefined) {
+            this.config.port = port;
+        }
+        logger.info(`Starting dashboard on port ${this.config.port || 8080}`);
+        this.running = true;
+        this.startTime = Date.now();
+        this.connectedClients = 0;
+    }
+    stop() {
+        logger.info('Stopping dashboard');
+        this.running = false;
+        this.startTime = 0;
+        this.connectedClients = 0;
+    }
+    isRunning() {
+        return this.running;
+    }
+    getPort() {
+        return this.config.port || 8080;
+    }
+    getUrl() {
+        return `http://localhost:${this.getPort()}`;
+    }
+    getStatus() {
+        return {
+            running: this.running,
+            port: this.getPort(),
+            uptime: this.running ? Math.floor((Date.now() - this.startTime) / 1000) : 0,
+            connectedClients: this.connectedClients,
+        };
+    }
+    generateDashboardHtml() {
+        return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Code Buddy Dashboard</title>
+</head>
+<body>
+  <h1>Code Buddy Admin Dashboard</h1>
+  <section id="agent-status"><h2>Agent Status</h2></section>
+  <section id="active-sessions"><h2>Active Sessions</h2></section>
+  <section id="channel-status"><h2>Channel Status</h2></section>
+  <section id="tool-usage"><h2>Tool Usage</h2></section>
+  <section id="memory-stats"><h2>Memory Stats</h2></section>
+  <section id="system-health"><h2>System Health</h2></section>
+</body>
+</html>`;
+    }
+    getMetrics() {
+        return {
+            agent: { status: 'idle', model: 'grok-3', mode: 'code' },
+            sessions: 0,
+            channels: ['telegram', 'discord', 'slack'],
+            tools: 25,
+            memory: { used: 0, total: 1024 },
+            system: { cpuPercent: 0, memoryPercent: 0 },
+        };
+    }
+    setConnectedClients(count) {
+        this.connectedClients = count;
+    }
+}
+//# sourceMappingURL=dashboard.js.map

package/dist/server/dashboard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dashboard.js","sourceRoot":"","sources":["../../src/server/dashboard.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AA2B5C,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,OAAO,SAAS;IACZ,MAAM,CAAC,QAAQ,GAAqB,IAAI,CAAC;IACzC,MAAM,CAAkB;IACxB,OAAO,GAAG,KAAK,CAAC;IAChB,SAAS,GAAG,CAAC,CAAC;IACd,gBAAgB,GAAG,CAAC,CAAC;IAE7B,YAAY,MAAwB;QAClC,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,CAAC,WAAW,CAAC,MAAwB;QACzC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;YACxB,SAAS,CAAC,QAAQ,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;QAC7C,CAAC;QACD,OAAO,SAAS,CAAC,QAAQ,CAAC;IAC5B,CAAC;IAED,MAAM,CAAC,aAAa;QAClB,SAAS,CAAC,QAAQ,GAAG,IAAI,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,IAAa;QACjB,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,IAAI,CAAC,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC;QAC1B,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,8BAA8B,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC;QACtE,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC5B,IAAI,CAAC,gBAAgB,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,IAAI;QACF,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QAClC,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC;QACrB,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;QACnB,IAAI,CAAC,gBAAgB,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC;IAClC,CAAC;IAED,MAAM;QACJ,OAAO,oBAAoB,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;IAC9C,CAAC;IAED,SAAS;QACP,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE;YACpB,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3E,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;SACxC,CAAC;IACJ,CAAC;IAED,qBAAqB;QACnB,OAAO;;;;;;;;;;;;;;;QAeH,CAAC;IACP,CAAC;IAED,UAAU;QACR,OAAO;YACL,KAAK,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE;YACxD,QAAQ,EAAE,CAAC;YACX,QAAQ,EAAE,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC;YAC1C,KAAK,EAAE,EAAE;YACT,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE;YAChC,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,EAAE;SAC5C,CAAC;IACJ,CAAC;IAED,mBAAmB,CAAC,KAAa;QAC/B,IAAI,CAAC,gBAAgB,GAAG,KAAK,CAAC;IAChC,CAAC"}

package/dist/services/system-prompt-override.d.ts

@@ -0,0 +1,34 @@
+/**
+ * System Prompt Override
+ *
+ * Handles CLI flags for replacing or appending to the system prompt:
+ * - --system-prompt <text>         → replace entire prompt
+ * - --system-prompt-file <path>    → replace from file
+ * - --append-system-prompt <text>  → append text to default prompt
+ * - --append-system-prompt-file <path> → append file contents
+ */
+export interface OverrideOptions {
+    /** Replace the entire system prompt with this text */
+    systemPrompt?: string;
+    /** Replace the entire system prompt with contents of this file */
+    systemPromptFile?: string;
+    /** Append this text to the default system prompt */
+    appendSystemPrompt?: string;
+    /** Append contents of this file to the default system prompt */
+    appendSystemPromptFile?: string;
+}
+export declare class SystemPromptOverride {
+    /**
+     * Apply override options to a base system prompt.
+     *
+     * - If systemPrompt or systemPromptFile is set, the base prompt is REPLACED.
+     * - If appendSystemPrompt or appendSystemPromptFile is set, content is APPENDED.
+     * - Cannot use both replace and append simultaneously.
+     * - If no overrides, returns the base prompt unchanged.
+     */
+    apply(basePrompt: string, options: OverrideOptions): string;
+    /**
+     * Read a file from disk. Throws if the file does not exist.
+     */
+    private readFile;
+}