@schuttdev/gigai 0.3.5 → 0.4.0-beta.1

package/dist/{chunk-GIUPSQGA.js → chunk-NFKBLW3D.js}

@@ -1,50 +1,39 @@
 #!/usr/bin/env node
 import {
   ErrorCode,
-  GigaiError
-} from "./chunk-P53UVHTF.js";
+  GigaiError,
+  canExecuteCommand,
+  canUseSudo,
+  expandTilde,
+  validateCommandArgs
+} from "./chunk-ROMGFLOH.js";
 
-// ../server/dist/chunk-APX4HM32.mjs
+// ../server/dist/chunk-BO7QE6T2.mjs
 import { spawn } from "child_process";
-var SHELL_INTERPRETERS = /* @__PURE__ */ new Set([
-  "sh",
-  "bash",
-  "zsh",
-  "fish",
-  "csh",
-  "tcsh",
-  "dash",
-  "ksh",
-  "env",
-  "xargs",
-  "nohup",
-  "strace",
-  "ltrace"
-]);
 var MAX_OUTPUT_SIZE = 10 * 1024 * 1024;
-async function execCommandSafe(command, args, config) {
-  if (!config.allowlist.includes(command)) {
-    throw new GigaiError(
-      ErrorCode.COMMAND_NOT_ALLOWED,
-      `Command not in allowlist: ${command}. Allowed: ${config.allowlist.join(", ")}`
-    );
+async function execCommandSafe(command, args, config, tier = "strict") {
+  if (command === "sudo") {
+    const sudoCheck = canUseSudo(config.allowSudo);
+    if (!sudoCheck.allowed) {
+      throw new GigaiError(ErrorCode.COMMAND_NOT_ALLOWED, sudoCheck.reason);
+    }
   }
-  if (command === "sudo" && !config.allowSudo) {
-    throw new GigaiError(ErrorCode.COMMAND_NOT_ALLOWED, "sudo is not allowed");
+  const check = canExecuteCommand(tier, command, config.allowlist);
+  if (!check.allowed) {
+    throw new GigaiError(ErrorCode.COMMAND_NOT_ALLOWED, check.reason);
   }
-  if (SHELL_INTERPRETERS.has(command)) {
-    throw new GigaiError(
-      ErrorCode.COMMAND_NOT_ALLOWED,
-      `Shell interpreter not allowed: ${command}`
-    );
+  const argCheck = validateCommandArgs(tier, command, args);
+  if (!argCheck.allowed) {
+    throw new GigaiError(ErrorCode.COMMAND_NOT_ALLOWED, argCheck.reason);
   }
   for (const arg of args) {
     if (arg.includes("\0")) {
       throw new GigaiError(ErrorCode.VALIDATION_ERROR, "Null byte in argument");
     }
   }
+  const expandedArgs = args.map(expandTilde);
   return new Promise((resolve, reject) => {
-    const child = spawn(command, ["--", ...args], {
+    const child = spawn(command, expandedArgs, {
       shell: false,
       stdio: ["ignore", "pipe", "pipe"]
     });

package/dist/{chunk-P53UVHTF.js → chunk-ROMGFLOH.js}

@@ -1,5 +1,192 @@
 #!/usr/bin/env node
 
+// ../server/dist/chunk-NO4R43QM.mjs
+import { resolve } from "path";
+import { homedir } from "os";
+var DEFAULT_SECURITY = { default: "strict", overrides: {} };
+function getEffectiveTier(config, toolName) {
+  const c = config ?? DEFAULT_SECURITY;
+  return c.overrides[toolName] ?? c.default;
+}
+var STANDARD_DENYLIST = /* @__PURE__ */ new Set([
+  "dd",
+  // raw disk I/O
+  "mkfs",
+  // format filesystem
+  "fdisk",
+  // partition editor
+  "parted",
+  // partition editor
+  "mkswap",
+  // overwrite partition with swap
+  "mount",
+  // arbitrary fs mounting
+  "umount",
+  // unmount filesystems
+  "insmod",
+  // load kernel modules
+  "rmmod",
+  // remove kernel modules
+  "modprobe",
+  // kernel module loader
+  "iptables",
+  // firewall rules
+  "ip6tables",
+  // ipv6 firewall
+  "reboot",
+  // reboot machine
+  "shutdown",
+  // power off
+  "halt",
+  // halt machine
+  "poweroff",
+  // power off
+  "init",
+  // change runlevel
+  "telinit",
+  // change runlevel
+  "systemctl",
+  // service management (can make remote machine unreachable)
+  "chown"
+  // change file ownership
+]);
+var SHELL_INTERPRETERS = /* @__PURE__ */ new Set([
+  "sh",
+  "bash",
+  "zsh",
+  "fish",
+  "csh",
+  "tcsh",
+  "dash",
+  "ksh",
+  "env",
+  "xargs",
+  "nohup",
+  "strace",
+  "ltrace"
+]);
+function canExecuteCommand(tier, command, allowlist) {
+  if (command.includes("\0")) {
+    return { allowed: false, reason: "Null byte in command" };
+  }
+  switch (tier) {
+    case "strict": {
+      const list = allowlist ?? [];
+      if (list.length > 0 && !list.includes(command)) {
+        return { allowed: false, reason: `Command not in allowlist: ${command}. Allowed: ${list.join(", ")}` };
+      }
+      if (SHELL_INTERPRETERS.has(command)) {
+        return { allowed: false, reason: `Shell interpreter not allowed: ${command}` };
+      }
+      return { allowed: true };
+    }
+    case "standard": {
+      if (STANDARD_DENYLIST.has(command)) {
+        return { allowed: false, reason: `Command blocked by security policy: ${command}` };
+      }
+      if (SHELL_INTERPRETERS.has(command)) {
+        return { allowed: false, reason: `Shell interpreter not allowed: ${command}` };
+      }
+      return { allowed: true };
+    }
+    case "unrestricted":
+      return { allowed: true };
+  }
+}
+var PROTECTED_PATHS = /* @__PURE__ */ new Set([
+  "/",
+  "/bin",
+  "/boot",
+  "/dev",
+  "/etc",
+  "/home",
+  "/lib",
+  "/opt",
+  "/proc",
+  "/root",
+  "/sbin",
+  "/sys",
+  "/usr",
+  "/var",
+  "/Users",
+  "/System",
+  "/Library",
+  "/Applications"
+]);
+function hasRecursiveFlag(args) {
+  for (const a of args) {
+    if (a === "--") break;
+    if (a === "-r" || a === "-R" || a === "--recursive") return true;
+    if (a.startsWith("-") && !a.startsWith("--") && /[rR]/.test(a)) return true;
+  }
+  return false;
+}
+function validateCommandArgs(tier, command, args) {
+  if (tier === "unrestricted") return { allowed: true };
+  if (command === "rm" && hasRecursiveFlag(args)) {
+    const home = homedir();
+    for (const arg of args) {
+      if (arg.startsWith("-")) continue;
+      const resolved = resolve(arg);
+      if (PROTECTED_PATHS.has(resolved) || resolved === home) {
+        return { allowed: false, reason: `Refusing to recursively remove critical path: ${resolved}` };
+      }
+    }
+  }
+  return { allowed: true };
+}
+function canUseSudo(allowSudo) {
+  if (allowSudo === false) return { allowed: false, reason: "sudo is not allowed" };
+  return { allowed: true };
+}
+var STANDARD_BLOCKED_PATHS = [
+  ".ssh",
+  ".gnupg",
+  ".gpg",
+  ".config/gigai",
+  ".aws",
+  ".azure",
+  ".gcloud",
+  ".kube",
+  ".docker"
+];
+function canAccessPath(tier, resolvedPath, allowedPaths) {
+  switch (tier) {
+    case "strict": {
+      const paths = allowedPaths ?? [];
+      if (paths.length === 0) {
+        return { allowed: true };
+      }
+      const ok = paths.some((allowed) => {
+        const r = resolve(allowed);
+        return resolvedPath === r || resolvedPath.startsWith(r.endsWith("/") ? r : r + "/");
+      });
+      if (!ok) return { allowed: false, reason: `Path not within allowed directories: ${resolvedPath}` };
+      return { allowed: true };
+    }
+    case "standard": {
+      const home = homedir();
+      for (const blocked of STANDARD_BLOCKED_PATHS) {
+        const full = resolve(home, blocked);
+        if (resolvedPath === full || resolvedPath.startsWith(full + "/")) {
+          return { allowed: false, reason: `Path blocked by security policy: ${blocked}` };
+        }
+      }
+      return { allowed: true };
+    }
+    case "unrestricted":
+      return { allowed: true };
+  }
+}
+function expandTilde(p) {
+  if (p === "~") return homedir();
+  if (p.startsWith("~/")) return homedir() + p.slice(1);
+  return p;
+}
+function shouldInjectSeparator(tier) {
+  return tier === "strict";
+}
+
 // ../shared/dist/index.mjs
 import { randomBytes, createCipheriv, createDecipheriv } from "crypto";
 import { z } from "zod";
@@ -252,14 +439,27 @@ var ServerConfigSchema = z.object({
   host: z.string().default("0.0.0.0"),
   https: HttpsConfigSchema.optional()
 });
+var SecurityTierSchema = z.enum(["strict", "standard", "unrestricted"]);
+var SecurityConfigSchema = z.object({
+  default: SecurityTierSchema.default("strict"),
+  overrides: z.record(SecurityTierSchema).default({})
+});
 var GigaiConfigSchema = z.object({
   serverName: z.string().optional(),
   server: ServerConfigSchema,
   auth: AuthConfigSchema,
-  tools: z.array(ToolConfigSchema).default([])
+  tools: z.array(ToolConfigSchema).default([]),
+  security: SecurityConfigSchema.optional()
 });
 
 export {
+  getEffectiveTier,
+  canExecuteCommand,
+  validateCommandArgs,
+  canUseSudo,
+  canAccessPath,
+  expandTilde,
+  shouldInjectSeparator,
   encrypt,
   decrypt,
   generateEncryptionKey,

package/dist/{chunk-75GPR4GR.js → chunk-VCFG6XXN.js}

@@ -1,10 +1,12 @@
 #!/usr/bin/env node
 import {
   ErrorCode,
-  GigaiError
-} from "./chunk-P53UVHTF.js";
+  GigaiError,
+  canAccessPath,
+  expandTilde
+} from "./chunk-ROMGFLOH.js";
 
-// ../server/dist/chunk-OZTLH66B.mjs
+// ../server/dist/chunk-HXHM5BKW.mjs
 import {
   readFile as fsReadFile,
   writeFile as fsWriteFile,
@@ -15,41 +17,34 @@ import { realpath } from "fs/promises";
 import { spawn } from "child_process";
 var MAX_OUTPUT_SIZE = 10 * 1024 * 1024;
 var MAX_READ_SIZE = 2 * 1024 * 1024;
-async function validatePath(targetPath, allowedPaths) {
-  const resolved = resolve(targetPath);
+async function validatePath(targetPath, allowedPaths, tier = "strict") {
+  const resolved = resolve(expandTilde(targetPath));
   let real;
   try {
     real = await realpath(resolved);
   } catch {
     real = resolved;
   }
-  const isAllowed = allowedPaths.some((allowed) => {
-    const resolvedAllowed = resolve(allowed);
-    const allowedPrefix = resolvedAllowed.endsWith("/") ? resolvedAllowed : resolvedAllowed + "/";
-    return real === resolvedAllowed || real.startsWith(allowedPrefix);
-  });
-  if (!isAllowed) {
-    throw new GigaiError(
-      ErrorCode.PATH_NOT_ALLOWED,
-      `Path not within allowed directories: ${targetPath}`
-    );
+  const check = canAccessPath(tier, real, allowedPaths);
+  if (!check.allowed) {
+    throw new GigaiError(ErrorCode.PATH_NOT_ALLOWED, check.reason);
   }
   return real;
 }
-async function readFileSafe(path, allowedPaths) {
-  const safePath = await validatePath(path, allowedPaths);
+async function readFileSafe(path, allowedPaths, tier = "strict") {
+  const safePath = await validatePath(path, allowedPaths, tier);
   return fsReadFile(safePath, "utf8");
 }
-async function listDirSafe(path, allowedPaths) {
-  const safePath = await validatePath(path, allowedPaths);
+async function listDirSafe(path, allowedPaths, tier = "strict") {
+  const safePath = await validatePath(path, allowedPaths, tier);
   const entries = await readdir(safePath, { withFileTypes: true });
   return entries.map((e) => ({
     name: e.name,
     type: e.isDirectory() ? "directory" : "file"
   }));
 }
-async function searchFilesSafe(path, pattern, allowedPaths) {
-  const safePath = await validatePath(path, allowedPaths);
+async function searchFilesSafe(path, pattern, allowedPaths, tier = "strict") {
+  const safePath = await validatePath(path, allowedPaths, tier);
   const results = [];
   let regex;
   try {
@@ -72,12 +67,12 @@ async function searchFilesSafe(path, pattern, allowedPaths) {
   await walk(safePath);
   return results;
 }
-async function readBuiltin(args, allowedPaths) {
+async function readBuiltin(args, allowedPaths, tier = "strict") {
   const filePath = args[0];
   if (!filePath) {
     throw new GigaiError(ErrorCode.VALIDATION_ERROR, "Usage: read <file> [offset] [limit]");
   }
-  const safePath = await validatePath(filePath, allowedPaths);
+  const safePath = await validatePath(filePath, allowedPaths, tier);
   const content = await fsReadFile(safePath, "utf8");
   if (content.length > MAX_READ_SIZE) {
     throw new GigaiError(
@@ -96,20 +91,20 @@ async function readBuiltin(args, allowedPaths) {
   }
   return { stdout: content, stderr: "", exitCode: 0 };
 }
-async function writeBuiltin(args, allowedPaths) {
+async function writeBuiltin(args, allowedPaths, tier = "strict") {
   const filePath = args[0];
   const content = args[1];
   if (!filePath || content === void 0) {
     throw new GigaiError(ErrorCode.VALIDATION_ERROR, "Usage: write <file> <content>");
   }
-  const safePath = await validatePath(filePath, allowedPaths);
+  const safePath = await validatePath(filePath, allowedPaths, tier);
   const { mkdir } = await import("fs/promises");
   const { dirname } = await import("path");
   await mkdir(dirname(safePath), { recursive: true });
   await fsWriteFile(safePath, content, "utf8");
   return { stdout: `Written: ${safePath}`, stderr: "", exitCode: 0 };
 }
-async function editBuiltin(args, allowedPaths) {
+async function editBuiltin(args, allowedPaths, tier = "strict") {
   const filePath = args[0];
   const oldStr = args[1];
   const newStr = args[2];
@@ -117,7 +112,7 @@ async function editBuiltin(args, allowedPaths) {
   if (!filePath || oldStr === void 0 || newStr === void 0) {
     throw new GigaiError(ErrorCode.VALIDATION_ERROR, "Usage: edit <file> <old_string> <new_string> [--all]");
   }
-  const safePath = await validatePath(filePath, allowedPaths);
+  const safePath = await validatePath(filePath, allowedPaths, tier);
   const content = await fsReadFile(safePath, "utf8");
   if (!content.includes(oldStr)) {
     throw new GigaiError(ErrorCode.VALIDATION_ERROR, "old_string not found in file");
@@ -137,13 +132,13 @@ async function editBuiltin(args, allowedPaths) {
   const count = replaceAll ? content.split(oldStr).length - 1 : 1;
   return { stdout: `Replaced ${count} occurrence(s) in ${safePath}`, stderr: "", exitCode: 0 };
 }
-async function globBuiltin(args, allowedPaths) {
+async function globBuiltin(args, allowedPaths, tier = "strict") {
   const pattern = args[0];
   if (!pattern) {
     throw new GigaiError(ErrorCode.VALIDATION_ERROR, "Usage: glob <pattern> [path]");
   }
   const searchPath = args[1] ?? ".";
-  const safePath = await validatePath(searchPath, allowedPaths);
+  const safePath = await validatePath(searchPath, allowedPaths, tier);
   const results = [];
   const globRegex = globToRegex(pattern);
   async function walk(dir) {
@@ -168,7 +163,7 @@ async function globBuiltin(args, allowedPaths) {
   await walk(safePath);
   return { stdout: results.join("\n"), stderr: "", exitCode: 0 };
 }
-async function grepBuiltin(args, allowedPaths) {
+async function grepBuiltin(args, allowedPaths, tier = "strict") {
   if (args.length === 0) {
     throw new GigaiError(ErrorCode.VALIDATION_ERROR, "Usage: grep <pattern> [path] [--glob <filter>] [-i] [-n] [-C <num>]");
   }
@@ -199,7 +194,7 @@ async function grepBuiltin(args, allowedPaths) {
     throw new GigaiError(ErrorCode.VALIDATION_ERROR, "No search pattern provided");
   }
   const searchPath = positional[1] ?? ".";
-  const safePath = await validatePath(searchPath, allowedPaths);
+  const safePath = await validatePath(searchPath, allowedPaths, tier);
   try {
     return await spawnGrep("rg", [pattern, safePath, "-n", ...flags]);
   } catch {

package/dist/{dist-2BIIMXAI.js → dist-XQICZQ57.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   execCommandSafe
-} from "./chunk-GIUPSQGA.js";
+} from "./chunk-NFKBLW3D.js";
 import {
   editBuiltin,
   globBuiltin,
@@ -11,15 +11,17 @@ import {
   readFileSafe,
   searchFilesSafe,
   writeBuiltin
-} from "./chunk-75GPR4GR.js";
+} from "./chunk-VCFG6XXN.js";
 import {
   ErrorCode,
   GigaiConfigSchema,
   GigaiError,
   decrypt,
   encrypt,
-  generateEncryptionKey
-} from "./chunk-P53UVHTF.js";
+  generateEncryptionKey,
+  getEffectiveTier,
+  shouldInjectSeparator
+} from "./chunk-ROMGFLOH.js";
 
 // ../server/dist/index.mjs
 import { parseArgs } from "util";
@@ -46,7 +48,7 @@ import { nanoid as nanoid3 } from "nanoid";
 import { dirname as dirname2 } from "path";
 import { readFileSync } from "fs";
 import { resolve as resolve2 } from "path";
-import { platform, hostname as hostname2 } from "os";
+import { platform, hostname as hostname2, userInfo } from "os";
 import { platform as platform2 } from "os";
 import { writeFile as writeFile2, readFile as readFile2, unlink, mkdir } from "fs/promises";
 import { join } from "path";
@@ -357,7 +359,7 @@ function sanitizeArgs(args) {
 var DEFAULT_TIMEOUT = 3e4;
 var KILL_GRACE_PERIOD = 5e3;
 var MAX_OUTPUT_SIZE = 10 * 1024 * 1024;
-function executeTool(entry, args, timeout) {
+function executeTool(entry, args, timeout, tier = "strict") {
   const sanitized = sanitizeArgs(args);
   const effectiveTimeout = timeout ?? DEFAULT_TIMEOUT;
   let command;
@@ -367,7 +369,11 @@ function executeTool(entry, args, timeout) {
   switch (entry.type) {
     case "cli":
       command = entry.config.command;
-      spawnArgs = [...entry.config.args ?? [], "--", ...sanitized];
+      spawnArgs = [...entry.config.args ?? []];
+      if (shouldInjectSeparator(tier)) {
+        spawnArgs.push("--");
+      }
+      spawnArgs.push(...sanitized);
       cwd = entry.config.cwd;
       env = entry.config.env;
       break;
@@ -794,7 +800,7 @@ var cronPlugin = fp5(async (server, opts) => {
   const executor = async (tool, args) => {
     const entry = server.registry.get(tool);
     if (entry.type === "builtin") {
-      const { execCommandSafe: execCommandSafe2 } = await import("./shell-Z3WUF2GW-TVEYB5OM.js");
+      const { execCommandSafe: execCommandSafe2 } = await import("./shell-IBJTGIEW-UEOHS5M2.js");
       const {
         readFileSafe: readFileSafe2,
         listDirSafe: listDirSafe2,
@@ -804,7 +810,7 @@ var cronPlugin = fp5(async (server, opts) => {
         editBuiltin: editBuiltin2,
         globBuiltin: globBuiltin2,
         grepBuiltin: grepBuiltin2
-      } = await import("./filesystem-FWNLRLL6-LQG7PWAF.js");
+      } = await import("./filesystem-CVLQFP7T-VBJWEKEE.js");
       const builtinConfig = entry.config.config ?? {};
       switch (entry.config.builtin) {
         case "filesystem": {
@@ -885,7 +891,8 @@ async function healthRoutes(server) {
       version: startupVersion,
       uptime: Date.now() - startTime,
       platform: platform(),
-      hostname: hostname2()
+      hostname: hostname2(),
+      homeDir: userInfo().homedir
     };
   });
 }
@@ -955,10 +962,11 @@ async function execRoutes(server) {
   }, async (request) => {
     const { tool, args, timeout } = request.body;
     const entry = server.registry.get(tool);
+    const tier = getEffectiveTier(server.securityConfig, tool);
     if (entry.type === "builtin") {
-      return handleBuiltin(entry.config, args);
+      return handleBuiltin(entry.config, args, tier);
     }
-    const result = await server.executor.execute(entry, args, timeout);
+    const result = await server.executor.execute(entry, args, timeout, tier);
     return result;
   });
   server.post("/exec/mcp", {
@@ -992,65 +1000,65 @@ async function execRoutes(server) {
     };
   });
 }
-async function handleBuiltin(config, args) {
+async function handleBuiltin(config, args, tier) {
   const builtinConfig = config.config ?? {};
   switch (config.builtin) {
     // Legacy combined filesystem tool
     case "filesystem": {
-      const allowedPaths = builtinConfig.allowedPaths ?? ["."];
+      const allowedPaths = builtinConfig.allowedPaths;
       const subcommand = args[0];
       const target = args[1] ?? ".";
       switch (subcommand) {
         case "read":
-          return { stdout: await readFileSafe(target, allowedPaths), stderr: "", exitCode: 0, durationMs: 0 };
+          return { stdout: await readFileSafe(target, allowedPaths ?? [], tier), stderr: "", exitCode: 0, durationMs: 0 };
         case "list":
-          return { stdout: JSON.stringify(await listDirSafe(target, allowedPaths), null, 2), stderr: "", exitCode: 0, durationMs: 0 };
+          return { stdout: JSON.stringify(await listDirSafe(target, allowedPaths ?? [], tier), null, 2), stderr: "", exitCode: 0, durationMs: 0 };
         case "search":
-          return { stdout: JSON.stringify(await searchFilesSafe(target, args[2] ?? ".*", allowedPaths), null, 2), stderr: "", exitCode: 0, durationMs: 0 };
+          return { stdout: JSON.stringify(await searchFilesSafe(target, args[2] ?? ".*", allowedPaths ?? [], tier), null, 2), stderr: "", exitCode: 0, durationMs: 0 };
         default:
           throw new GigaiError(ErrorCode.VALIDATION_ERROR, `Unknown filesystem subcommand: ${subcommand}. Use: read, list, search`);
       }
     }
     // Legacy shell tool
     case "shell": {
-      const allowlist = builtinConfig.allowlist ?? [];
-      const allowSudo = builtinConfig.allowSudo ?? false;
+      const allowlist = builtinConfig.allowlist;
+      const allowSudo = builtinConfig.allowSudo;
       const command = args[0];
       if (!command) {
         throw new GigaiError(ErrorCode.VALIDATION_ERROR, "No command specified");
       }
-      const result = await execCommandSafe(command, args.slice(1), { allowlist, allowSudo });
+      const result = await execCommandSafe(command, args.slice(1), { allowlist, allowSudo }, tier);
       return { ...result, durationMs: 0 };
     }
     // --- New builtins ---
     case "read": {
-      const allowedPaths = builtinConfig.allowedPaths ?? ["."];
-      return { ...await readBuiltin(args, allowedPaths), durationMs: 0 };
+      const allowedPaths = builtinConfig.allowedPaths;
+      return { ...await readBuiltin(args, allowedPaths ?? [], tier), durationMs: 0 };
     }
     case "write": {
-      const allowedPaths = builtinConfig.allowedPaths ?? ["."];
-      return { ...await writeBuiltin(args, allowedPaths), durationMs: 0 };
+      const allowedPaths = builtinConfig.allowedPaths;
+      return { ...await writeBuiltin(args, allowedPaths ?? [], tier), durationMs: 0 };
     }
     case "edit": {
-      const allowedPaths = builtinConfig.allowedPaths ?? ["."];
-      return { ...await editBuiltin(args, allowedPaths), durationMs: 0 };
+      const allowedPaths = builtinConfig.allowedPaths;
+      return { ...await editBuiltin(args, allowedPaths ?? [], tier), durationMs: 0 };
     }
     case "glob": {
-      const allowedPaths = builtinConfig.allowedPaths ?? ["."];
-      return { ...await globBuiltin(args, allowedPaths), durationMs: 0 };
+      const allowedPaths = builtinConfig.allowedPaths;
+      return { ...await globBuiltin(args, allowedPaths ?? [], tier), durationMs: 0 };
     }
     case "grep": {
-      const allowedPaths = builtinConfig.allowedPaths ?? ["."];
-      return { ...await grepBuiltin(args, allowedPaths), durationMs: 0 };
+      const allowedPaths = builtinConfig.allowedPaths;
+      return { ...await grepBuiltin(args, allowedPaths ?? [], tier), durationMs: 0 };
     }
     case "bash": {
-      const allowlist = builtinConfig.allowlist ?? [];
-      const allowSudo = builtinConfig.allowSudo ?? false;
+      const allowlist = builtinConfig.allowlist;
+      const allowSudo = builtinConfig.allowSudo;
       const command = args[0];
       if (!command) {
         throw new GigaiError(ErrorCode.VALIDATION_ERROR, "No command specified");
       }
-      const result = await execCommandSafe(command, args.slice(1), { allowlist, allowSudo });
+      const result = await execCommandSafe(command, args.slice(1), { allowlist, allowSudo }, tier);
       return { ...result, durationMs: 0 };
     }
     default:
@@ -1224,6 +1232,7 @@ async function createServer(opts) {
   await server.register(registryPlugin, { config });
   await server.register(executorPlugin);
   await server.register(mcpPlugin, { config });
+  server.decorate("securityConfig", config.security);
   if (configPath) {
     await server.register(cronPlugin, { configPath });
   }
@@ -1486,6 +1495,15 @@ async function runInit() {
     default: "7443"
   });
   const port = parseInt(portStr, 10);
+  const securityTier = await select({
+    message: "Security tier:",
+    choices: [
+      { name: "Strict \u2014 allowlist-only, explicit path restrictions (most secure)", value: "strict" },
+      { name: "Standard \u2014 denylist blocks catastrophic commands, home dir open (recommended)", value: "standard" },
+      { name: "Unrestricted \u2014 no restrictions, development only", value: "unrestricted" }
+    ],
+    default: "standard"
+  });
   const selectedBuiltins = await checkbox({
     message: "Built-in tools to enable:",
     choices: [
@@ -1495,35 +1513,59 @@ async function runInit() {
   });
   const tools = [];
   if (selectedBuiltins.includes("filesystem")) {
-    const pathsStr = await input({
-      message: "Allowed filesystem paths (comma-separated):",
-      default: process.env.HOME ?? "~"
-    });
-    const allowedPaths = pathsStr.split(",").map((p) => p.trim());
-    tools.push({
-      type: "builtin",
-      name: "fs",
-      builtin: "filesystem",
-      description: "Read, list, and search files",
-      config: { allowedPaths }
+    const restrictPaths = await confirm({
+      message: "Restrict filesystem to specific paths?",
+      default: false
     });
+    if (restrictPaths) {
+      const pathsStr = await input({
+        message: "Allowed paths (comma-separated):",
+        default: process.env.HOME ?? "~"
+      });
+      const allowedPaths = pathsStr.split(",").map((p) => p.trim());
+      tools.push({
+        type: "builtin",
+        name: "fs",
+        builtin: "filesystem",
+        description: "Read, list, and search files",
+        config: { allowedPaths }
+      });
+    } else {
+      tools.push({
+        type: "builtin",
+        name: "fs",
+        builtin: "filesystem",
+        description: "Read, list, and search files",
+        config: {}
+      });
+    }
   }
   if (selectedBuiltins.includes("shell")) {
-    const allowlistStr = await input({
-      message: "Allowed shell commands (comma-separated):",
-      default: "ls,cat,head,tail,grep,find,wc,echo,date,whoami,pwd,git,npm,node"
+    const restrictCommands = await confirm({
+      message: "Restrict shell to a command allowlist?",
+      default: false
     });
-    const allowlist = allowlistStr.split(",").map((c) => c.trim());
-    const allowSudo = await confirm({
-      message: "Allow sudo?",
+    const shellConfig = {};
+    if (restrictCommands) {
+      const allowlistStr = await input({
+        message: "Allowed commands (comma-separated):",
+        default: "ls,cat,head,tail,grep,find,wc,echo,date,whoami,pwd,git,npm,node"
+      });
+      shellConfig.allowlist = allowlistStr.split(",").map((c) => c.trim());
+    }
+    const blockSudo = await confirm({
+      message: "Block sudo?",
       default: false
     });
+    if (blockSudo) {
+      shellConfig.allowSudo = false;
+    }
     tools.push({
       type: "builtin",
       name: "shell",
       builtin: "shell",
-      description: "Execute allowed shell commands",
-      config: { allowlist, allowSudo }
+      description: "Execute shell commands",
+      config: shellConfig
     });
   }
   const configFilePath = await detectClaudeDesktopConfig();
@@ -1603,7 +1645,8 @@ async function runInit() {
       pairingTtlSeconds: 300,
       sessionTtlSeconds: 14400
     },
-    tools
+    tools,
+    security: { default: securityTier, overrides: {} }
   };
   const configPath = resolve4("gigai.config.json");
   await writeFile3(configPath, JSON.stringify(config, null, 2) + "\n", { mode: 384 });

package/dist/{filesystem-FWNLRLL6-LQG7PWAF.js → filesystem-CVLQFP7T-VBJWEKEE.js}

@@ -9,8 +9,8 @@ import {
   searchFilesSafe,
   validatePath,
   writeBuiltin
-} from "./chunk-75GPR4GR.js";
-import "./chunk-P53UVHTF.js";
+} from "./chunk-VCFG6XXN.js";
+import "./chunk-ROMGFLOH.js";
 export {
   editBuiltin,
   globBuiltin,

package/dist/index.js

@@ -4,12 +4,12 @@
 import { defineCommand, runMain } from "citty";
 
 // src/version.ts
-var VERSION = "0.3.5";
+var VERSION = "0.4.0-beta.1";
 
 // src/index.ts
 async function requireServer() {
   try {
-    return await import("./dist-2BIIMXAI.js");
+    return await import("./dist-XQICZQ57.js");
   } catch {
     console.error("Server dependencies not installed.");
     console.error("Run: npm install -g @schuttdev/gigai");

package/dist/{shell-Z3WUF2GW-TVEYB5OM.js → shell-IBJTGIEW-UEOHS5M2.js}

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 import {
   execCommandSafe
-} from "./chunk-GIUPSQGA.js";
-import "./chunk-P53UVHTF.js";
+} from "./chunk-NFKBLW3D.js";
+import "./chunk-ROMGFLOH.js";
 export {
   execCommandSafe
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@schuttdev/gigai",
-  "version": "0.3.5",
+  "version": "0.4.0-beta.1",
   "type": "module",
   "license": "MIT",
   "bin": {