@structured-world/gitlab-mcp 6.23.2 → 6.24.0
- package/README.md +5 -2
- package/dist/src/entities/context/context-manager.d.ts +30 -0
- package/dist/src/entities/context/context-manager.js +270 -0
- package/dist/src/entities/context/context-manager.js.map +1 -0
- package/dist/src/entities/context/handlers.d.ts +10 -0
- package/dist/src/entities/context/handlers.js +60 -0
- package/dist/src/entities/context/handlers.js.map +1 -0
- package/dist/src/entities/context/index.d.ts +11 -0
- package/dist/src/entities/context/index.js +34 -0
- package/dist/src/entities/context/index.js.map +1 -0
- package/dist/src/entities/context/registry.d.ts +5 -0
- package/dist/src/entities/context/registry.js +73 -0
- package/dist/src/entities/context/registry.js.map +1 -0
- package/dist/src/entities/context/schema.d.ts +54 -0
- package/dist/src/entities/context/schema.js +52 -0
- package/dist/src/entities/context/schema.js.map +1 -0
- package/dist/src/entities/context/types.d.ts +49 -0
- package/dist/src/entities/context/types.js +3 -0
- package/dist/src/entities/context/types.js.map +1 -0
- package/dist/src/entities/index.d.ts +1 -0
- package/dist/src/entities/index.js +1 -0
- package/dist/src/entities/index.js.map +1 -1
- package/dist/src/entities/search/schema-readonly.d.ts +7 -7
- package/dist/src/profiles/scope-enforcer.d.ts +10 -6
- package/dist/src/profiles/scope-enforcer.js +115 -9
- package/dist/src/profiles/scope-enforcer.js.map +1 -1
- package/dist/src/profiles/types.d.ts +20 -5
- package/dist/src/profiles/types.js +34 -19
- package/dist/src/profiles/types.js.map +1 -1
- package/dist/src/registry-manager.js +5 -0
- package/dist/src/registry-manager.js.map +1 -1
- package/dist/src/server.d.ts +1 -0
- package/dist/src/server.js +13 -1
- package/dist/src/server.js.map +1 -1
- package/dist/structured-world-gitlab-mcp-6.24.0.tgz +0 -0
- package/dist/tsconfig.build.tsbuildinfo +1 -1
- package/package.json +1 -1
- package/dist/structured-world-gitlab-mcp-6.23.2.tgz +0 -0
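--- a/package/dist/src/entities/context/schema.js
+++ b/package/dist/src/entities/context/schema.js
@@ -0,0 +1,52 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ManageContextSchema = void 0;
+const zod_1 = require("zod");
+const ShowContextSchema = zod_1.z.object({
+action: zod_1.z
+.literal("show")
+.describe("Display current context including host, preset, scope, and mode"),
+});
+const ListPresetsSchema = zod_1.z.object({
+action: zod_1.z.literal("list_presets").describe("List all available presets with descriptions"),
+});
+const ListProfilesSchema = zod_1.z.object({
+action: zod_1.z
+.literal("list_profiles")
+.describe("List available OAuth profiles - only works in OAuth mode"),
+});
+const SwitchPresetSchema = zod_1.z.object({
+action: zod_1.z.literal("switch_preset").describe("Switch to a different preset configuration"),
+preset: zod_1.z.string().min(1).describe("Name of the preset to activate"),
+});
+const SwitchProfileSchema = zod_1.z.object({
+action: zod_1.z
+.literal("switch_profile")
+.describe("Switch to a different OAuth profile - OAuth mode only"),
+profile: zod_1.z.string().min(1).describe("Name of the profile to activate"),
+});
+const SetScopeSchema = zod_1.z.object({
+action: zod_1.z.literal("set_scope").describe("Set scope to restrict operations to a namespace"),
+namespace: zod_1.z
+.string()
+.min(1)
+.describe("Namespace path (e.g., 'my-group' or 'group/project') - type is auto-detected"),
+includeSubgroups: zod_1.z
+.boolean()
+.optional()
+.default(true)
+.describe("Include subgroups when scope is a group (default: true)"),
+});
+const ResetContextSchema = zod_1.z.object({
+action: zod_1.z.literal("reset").describe("Reset context to initial state from session start"),
+});
+exports.ManageContextSchema = zod_1.z.discriminatedUnion("action", [
+ShowContextSchema,
+ListPresetsSchema,
+ListProfilesSchema,
+SwitchPresetSchema,
+SwitchProfileSchema,
+SetScopeSchema,
+ResetContextSchema,
+]);
+//# sourceMappingURL=schema.js.map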
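Review bot: `.min(1)` on `preset`, `profile` and `namespace` accepts a whitespace-only string, so a value such as `" "` passes validation and reaches the handler as a name or path; trimming first, `zod_1.z.string().trim().min(1)`, rejects it at the schema. The `switch_preset`, `switch_profile`, `set_scope` and `reset` actions change the session's preset and scope at the caller's request, and this file validates shape only. Whether `set_scope` or `switch_preset` can widen access beyond the preset the server started with is decided in the context manager, which is not part of this section; that rule should be confirmed there and stated in the `describe()` text so tool callers and operators see it.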
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../src/entities/context/schema.ts"],"names":[],"mappings":";;;AAaA,6BAAwB;AASxB,MAAM,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACjC,MAAM,EAAE,OAAC;SACN,OAAO,CAAC,MAAM,CAAC;SACf,QAAQ,CAAC,iEAAiE,CAAC;CAC/E,CAAC,CAAC;AAKH,MAAM,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACjC,MAAM,EAAE,OAAC,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,8CAA8C,CAAC;CAC3F,CAAC,CAAC;AAKH,MAAM,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,MAAM,EAAE,OAAC;SACN,OAAO,CAAC,eAAe,CAAC;SACxB,QAAQ,CAAC,0DAA0D,CAAC;CACxE,CAAC,CAAC;AAKH,MAAM,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,MAAM,EAAE,OAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,QAAQ,CAAC,4CAA4C,CAAC;IACzF,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,gCAAgC,CAAC;CACrE,CAAC,CAAC;AAKH,MAAM,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IACnC,MAAM,EAAE,OAAC;SACN,OAAO,CAAC,gBAAgB,CAAC;SACzB,QAAQ,CAAC,uDAAuD,CAAC;IACpE,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,iCAAiC,CAAC;CACvE,CAAC,CAAC;AAKH,MAAM,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9B,MAAM,EAAE,OAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,iDAAiD,CAAC;IAC1F,SAAS,EAAE,OAAC;SACT,MAAM,EAAE;SACR,GAAG,CAAC,CAAC,CAAC;SACN,QAAQ,CAAC,8EAA8E,CAAC;IAC3F,gBAAgB,EAAE,OAAC;SAChB,OAAO,EAAE;SACT,QAAQ,EAAE;SACV,OAAO,CAAC,IAAI,CAAC;SACb,QAAQ,CAAC,yDAAyD,CAAC;CACvE,CAAC,CAAC;AAKH,MAAM,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,MAAM,EAAE,OAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,mDAAmD,CAAC;CACzF,CAAC,CAAC;AASU,QAAA,mBAAmB,GAAG,OAAC,CAAC,kBAAkB,CAAC,QAAQ,EAAE;IAChE,iBAAiB;IACjB,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;IAClB,mBAAmB;IACnB,cAAc;IACd,kBAAkB;CACnB,CAAC,CAAC"}
|
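--- a/package/dist/src/entities/context/types.d.ts
+++ b/package/dist/src/entities/context/types.d.ts
@@ -0,0 +1,49 @@
+import { ProfileInfo, Preset, ScopeConfig } from "../../profiles/types";
+export interface RuntimeScope {
+type: "project" | "group";
+path: string;
+additionalPaths?: string[];
+includeSubgroups: boolean;
+detected: boolean;
+}
+export interface SessionContext {
+host: string;
+apiUrl: string;
+profileName?: string;
+presetName?: string;
+readOnly: boolean;
+scope?: RuntimeScope;
+oauthMode: boolean;
+initialContext?: Omit<SessionContext, "initialContext">;
+}
+export interface SetScopeResult {
+success: boolean;
+scope: RuntimeScope;
+message: string;
+}
+export interface SwitchResult {
+success: boolean;
+previous?: string;
+current: string;
+message: string;
+}
+export interface ResetResult {
+success: boolean;
+message: string;
+context: SessionContext;
+}
+export interface PresetInfo {
+name: string;
+description?: string;
+readOnly: boolean;
+isBuiltIn: boolean;
+scope?: ScopeConfig;
+features?: Record<string, boolean>;
+}
+export interface ContextState {
+currentPreset?: Preset;
+currentPresetName?: string;
+currentScope?: ScopeConfig;
+initialState?: ContextState;
+}
+export type { ProfileInfo };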
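Review bot: `ContextState.initialState` is typed as a full `ContextState`, so the saved baseline can itself carry an `initialState`, while `SessionContext.initialContext` in the same file uses `Omit<SessionContext, "initialContext">` to rule that nesting out. Typing it as `initialState?: Omit<ContextState, "initialState">;` keeps the two consistent and makes the reset baseline a flat snapshot. The interfaces also ship without doc comments; a line each on `RuntimeScope.detected` and `RuntimeScope.additionalPaths` would help, since what they mean for scope enforcement is not evident from the names.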
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/entities/context/types.ts"],"names":[],"mappings":""}
|
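--- a/package/dist/src/entities/index.js
+++ b/package/dist/src/entities/index.js
@@ -29,4 +29,5 @@ __exportStar(require("./releases"), exports);
 __exportStar(require("./refs"), exports);
 __exportStar(require("./members"), exports);
 __exportStar(require("./search"), exports);
+__exportStar(require("./context"), exports);
 //# sourceMappingURL=index.js.map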
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/entities/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAAyB;AACzB,yCAAuB;AACvB,yCAAuB;AACvB,+CAA6B;AAC7B,8CAA4B;AAC5B,8CAA4B;AAC5B,2CAAyB;AACzB,wCAAsB;AACtB,0CAAwB;AACxB,8CAA4B;AAC5B,6CAA2B;AAC3B,6CAA2B;AAC3B,yCAAuB;AACvB,4CAA0B;AAC1B,2CAAyB"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/entities/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAAyB;AACzB,yCAAuB;AACvB,yCAAuB;AACvB,+CAA6B;AAC7B,8CAA4B;AAC5B,8CAA4B;AAC5B,2CAAyB;AACzB,wCAAsB;AACtB,0CAAwB;AACxB,8CAA4B;AAC5B,6CAA2B;AAC3B,6CAA2B;AAC3B,yCAAuB;AACvB,4CAA0B;AAC1B,2CAAyB;AACzB,4CAA0B"}
|
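--- a/package/dist/src/entities/search/schema-readonly.d.ts
+++ b/package/dist/src/entities/search/schema-readonly.d.ts
@@ -2,11 +2,11 @@ import { z } from "zod";
 export declare const SearchScopeSchema: z.ZodEnum<{
 milestones: "milestones";
 projects: "projects";
+groups: "groups";
 issues: "issues";
 merge_requests: "merge_requests";
 commits: "commits";
 users: "users";
-groups: "groups";
 snippet_titles: "snippet_titles";
 blobs: "blobs";
 wiki_blobs: "wiki_blobs";
@@ -17,11 +17,11 @@ declare const GlobalSearchSchema: z.ZodObject<{
 scope: z.ZodEnum<{
 milestones: "milestones";
 projects: "projects";
+groups: "groups";
 issues: "issues";
 merge_requests: "merge_requests";
 commits: "commits";
 users: "users";
-groups: "groups";
 snippet_titles: "snippet_titles";
 blobs: "blobs";
 wiki_blobs: "wiki_blobs";
@@ -52,11 +52,11 @@ declare const ProjectSearchSchema: z.ZodObject<{
 scope: z.ZodEnum<{
 milestones: "milestones";
 projects: "projects";
+groups: "groups";
 issues: "issues";
 merge_requests: "merge_requests";
 commits: "commits";
 users: "users";
-groups: "groups";
 snippet_titles: "snippet_titles";
 blobs: "blobs";
 wiki_blobs: "wiki_blobs";
@@ -88,11 +88,11 @@ declare const GroupSearchSchema: z.ZodObject<{
 scope: z.ZodEnum<{
 milestones: "milestones";
 projects: "projects";
+groups: "groups";
 issues: "issues";
 merge_requests: "merge_requests";
 commits: "commits";
 users: "users";
-groups: "groups";
 snippet_titles: "snippet_titles";
 blobs: "blobs";
 wiki_blobs: "wiki_blobs";
@@ -122,11 +122,11 @@ export declare const BrowseSearchSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
 scope: z.ZodEnum<{
 milestones: "milestones";
 projects: "projects";
+groups: "groups";
 issues: "issues";
 merge_requests: "merge_requests";
 commits: "commits";
 users: "users";
-groups: "groups";
 snippet_titles: "snippet_titles";
 blobs: "blobs";
 wiki_blobs: "wiki_blobs";
@@ -156,11 +156,11 @@ export declare const BrowseSearchSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
 scope: z.ZodEnum<{
 milestones: "milestones";
 projects: "projects";
+groups: "groups";
 issues: "issues";
 merge_requests: "merge_requests";
 commits: "commits";
 users: "users";
-groups: "groups";
 snippet_titles: "snippet_titles";
 blobs: "blobs";
 wiki_blobs: "wiki_blobs";
@@ -191,11 +191,11 @@ export declare const BrowseSearchSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
 scope: z.ZodEnum<{
 milestones: "milestones";
 projects: "projects";
+groups: "groups";
 issues: "issues";
 merge_requests: "merge_requests";
 commits: "commits";
 users: "users";
-groups: "groups";
 snippet_titles: "snippet_titles";
 blobs: "blobs";
 wiki_blobs: "wiki_blobs";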
|
@@ -1,24 +1,28 @@
|
|
|
1
|
-
import { ProjectPreset } from "./types";
|
|
2
|
-
export
|
|
3
|
-
project?: string;
|
|
4
|
-
namespace?: string;
|
|
5
|
-
projects?: string[];
|
|
6
|
-
}
|
|
1
|
+
import { ProjectPreset, ScopeConfig } from "./types";
|
|
2
|
+
export type { ScopeConfig } from "./types";
|
|
7
3
|
export declare class ScopeViolationError extends Error {
|
|
8
4
|
readonly attemptedTarget: string;
|
|
9
5
|
readonly allowedScope: ScopeConfig;
|
|
10
6
|
constructor(attemptedTarget: string, allowedScope: ScopeConfig);
|
|
11
7
|
}
|
|
8
|
+
export declare function isInNamespace(projectPath: string, namespace: string): boolean;
|
|
12
9
|
export declare class ScopeEnforcer {
|
|
13
10
|
private readonly scope;
|
|
14
11
|
private readonly allowedProjectsSet;
|
|
12
|
+
private readonly allowedGroupsSet;
|
|
13
|
+
private readonly includeSubgroups;
|
|
15
14
|
constructor(scope: ScopeConfig);
|
|
16
15
|
static fromPreset(preset: ProjectPreset): ScopeEnforcer | null;
|
|
17
16
|
isAllowed(projectPath: string): boolean;
|
|
17
|
+
isGroupAllowed(groupPath: string): boolean;
|
|
18
18
|
enforce(projectPath: string): void;
|
|
19
|
+
enforceGroup(groupPath: string): void;
|
|
19
20
|
getScope(): ScopeConfig;
|
|
20
21
|
getScopeDescription(): string;
|
|
22
|
+
hasProjectRestrictions(): boolean;
|
|
23
|
+
hasGroupRestrictions(): boolean;
|
|
21
24
|
hasRestrictions(): boolean;
|
|
22
25
|
}
|
|
23
26
|
export declare function extractProjectsFromArgs(args: Record<string, unknown>): string[];
|
|
27
|
+
export declare function extractGroupsFromArgs(args: Record<string, unknown>): string[];
|
|
24
28
|
export declare function enforceArgsScope(enforcer: ScopeEnforcer, args: Record<string, unknown>): void;
|
|
@@ -1,7 +1,9 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.ScopeEnforcer = exports.ScopeViolationError = void 0;
|
|
4
|
+
exports.isInNamespace = isInNamespace;
|
|
4
5
|
exports.extractProjectsFromArgs = extractProjectsFromArgs;
|
|
6
|
+
exports.extractGroupsFromArgs = extractGroupsFromArgs;
|
|
5
7
|
exports.enforceArgsScope = enforceArgsScope;
|
|
6
8
|
const logger_1 = require("../logger");
|
|
7
9
|
class ScopeViolationError extends Error {
|
|
@@ -17,19 +19,34 @@ class ScopeViolationError extends Error {
|
|
|
17
19
|
}
|
|
18
20
|
exports.ScopeViolationError = ScopeViolationError;
|
|
19
21
|
function getScopeDescription(scope) {
|
|
22
|
+
const parts = [];
|
|
20
23
|
if (scope.project) {
|
|
21
|
-
|
|
24
|
+
parts.push(`project: ${scope.project}`);
|
|
25
|
+
}
|
|
26
|
+
if (scope.group) {
|
|
27
|
+
const subgroupSuffix = scope.includeSubgroups !== false ? "/*" : "";
|
|
28
|
+
parts.push(`group: ${scope.group}${subgroupSuffix}`);
|
|
22
29
|
}
|
|
23
30
|
if (scope.namespace) {
|
|
24
|
-
|
|
31
|
+
parts.push(`namespace: ${scope.namespace}/*`);
|
|
25
32
|
}
|
|
26
33
|
if (scope.projects && scope.projects.length > 0) {
|
|
27
34
|
if (scope.projects.length <= 3) {
|
|
28
|
-
|
|
35
|
+
parts.push(`projects: ${scope.projects.join(", ")}`);
|
|
36
|
+
}
|
|
37
|
+
else {
|
|
38
|
+
parts.push(`${scope.projects.length} allowed projects`);
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
if (scope.groups && scope.groups.length > 0) {
|
|
42
|
+
if (scope.groups.length <= 3) {
|
|
43
|
+
parts.push(`groups: ${scope.groups.join(", ")}`);
|
|
44
|
+
}
|
|
45
|
+
else {
|
|
46
|
+
parts.push(`${scope.groups.length} allowed groups`);
|
|
29
47
|
}
|
|
30
|
-
return `${scope.projects.length} allowed projects`;
|
|
31
48
|
}
|
|
32
|
-
return "unrestricted";
|
|
49
|
+
return parts.length > 0 ? parts.join("; ") : "unrestricted";
|
|
33
50
|
}
|
|
34
51
|
function normalizeProjectPath(path) {
|
|
35
52
|
const trimmed = path.trim().replace(/^\/+|\/+$/g, "");
|
|
@@ -47,15 +64,24 @@ function isInNamespace(projectPath, namespace) {
|
|
|
47
64
|
class ScopeEnforcer {
|
|
48
65
|
scope;
|
|
49
66
|
allowedProjectsSet;
|
|
67
|
+
allowedGroupsSet;
|
|
68
|
+
includeSubgroups;
|
|
50
69
|
constructor(scope) {
|
|
51
70
|
this.scope = scope;
|
|
71
|
+
this.includeSubgroups = scope.includeSubgroups !== false;
|
|
52
72
|
this.allowedProjectsSet = new Set((scope.projects ?? []).map(p => normalizeProjectPath(p)));
|
|
53
73
|
if (scope.project) {
|
|
54
74
|
this.allowedProjectsSet.add(normalizeProjectPath(scope.project));
|
|
55
75
|
}
|
|
76
|
+
this.allowedGroupsSet = new Set((scope.groups ?? []).map(g => normalizeProjectPath(g)));
|
|
77
|
+
if (scope.group) {
|
|
78
|
+
this.allowedGroupsSet.add(normalizeProjectPath(scope.group));
|
|
79
|
+
}
|
|
56
80
|
logger_1.logger.debug({
|
|
57
81
|
scope: getScopeDescription(scope),
|
|
58
|
-
|
|
82
|
+
allowedProjectsCount: this.allowedProjectsSet.size,
|
|
83
|
+
allowedGroupsCount: this.allowedGroupsSet.size,
|
|
84
|
+
includeSubgroups: this.includeSubgroups,
|
|
59
85
|
}, "ScopeEnforcer initialized");
|
|
60
86
|
}
|
|
61
87
|
static fromPreset(preset) {
|
|
@@ -65,6 +91,9 @@ class ScopeEnforcer {
|
|
|
65
91
|
return new ScopeEnforcer(preset.scope);
|
|
66
92
|
}
|
|
67
93
|
isAllowed(projectPath) {
|
|
94
|
+
if (!this.hasProjectRestrictions()) {
|
|
95
|
+
return true;
|
|
96
|
+
}
|
|
68
97
|
const normalized = normalizeProjectPath(projectPath);
|
|
69
98
|
if (this.allowedProjectsSet.size > 0 && this.allowedProjectsSet.has(normalized)) {
|
|
70
99
|
return true;
|
|
@@ -72,32 +101,94 @@ class ScopeEnforcer {
|
|
|
72
101
|
if (this.scope.namespace && isInNamespace(projectPath, this.scope.namespace)) {
|
|
73
102
|
return true;
|
|
74
103
|
}
|
|
104
|
+
if (this.allowedGroupsSet.size > 0) {
|
|
105
|
+
for (const allowedGroup of this.allowedGroupsSet) {
|
|
106
|
+
if (this.includeSubgroups) {
|
|
107
|
+
if (isInNamespace(projectPath, allowedGroup)) {
|
|
108
|
+
return true;
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
else {
|
|
112
|
+
const parts = normalized.split("/");
|
|
113
|
+
if (parts.length >= 2) {
|
|
114
|
+
const projectGroup = parts.slice(0, -1).join("/");
|
|
115
|
+
if (projectGroup === allowedGroup) {
|
|
116
|
+
return true;
|
|
117
|
+
}
|
|
118
|
+
}
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
}
|
|
75
122
|
if (/^\d+$/.test(normalized)) {
|
|
76
123
|
logger_1.logger.warn({ projectId: normalized }, "Numeric project ID not in allowed scope - denying access");
|
|
77
124
|
return false;
|
|
78
125
|
}
|
|
79
126
|
return false;
|
|
80
127
|
}
|
|
128
|
+
isGroupAllowed(groupPath) {
|
|
129
|
+
if (!this.hasGroupRestrictions()) {
|
|
130
|
+
return true;
|
|
131
|
+
}
|
|
132
|
+
const normalized = normalizeProjectPath(groupPath);
|
|
133
|
+
if (this.allowedGroupsSet.size > 0 && this.allowedGroupsSet.has(normalized)) {
|
|
134
|
+
return true;
|
|
135
|
+
}
|
|
136
|
+
if (this.includeSubgroups && this.allowedGroupsSet.size > 0) {
|
|
137
|
+
for (const allowedGroup of this.allowedGroupsSet) {
|
|
138
|
+
if (isInNamespace(groupPath, allowedGroup)) {
|
|
139
|
+
return true;
|
|
140
|
+
}
|
|
141
|
+
}
|
|
142
|
+
}
|
|
143
|
+
if (this.scope.namespace && isInNamespace(groupPath, this.scope.namespace)) {
|
|
144
|
+
return true;
|
|
145
|
+
}
|
|
146
|
+
if (/^\d+$/.test(normalized)) {
|
|
147
|
+
logger_1.logger.warn({ groupId: normalized }, "Numeric group ID not in allowed scope - denying access");
|
|
148
|
+
return false;
|
|
149
|
+
}
|
|
150
|
+
return false;
|
|
151
|
+
}
|
|
81
152
|
enforce(projectPath) {
|
|
82
153
|
if (!this.isAllowed(projectPath)) {
|
|
83
154
|
logger_1.logger.warn({
|
|
84
155
|
attempted: projectPath,
|
|
85
156
|
scope: getScopeDescription(this.scope),
|
|
86
|
-
}, "
|
|
157
|
+
}, "Project scope violation attempted");
|
|
87
158
|
throw new ScopeViolationError(projectPath, this.scope);
|
|
88
159
|
}
|
|
89
160
|
}
|
|
161
|
+
enforceGroup(groupPath) {
|
|
162
|
+
if (!this.isGroupAllowed(groupPath)) {
|
|
163
|
+
logger_1.logger.warn({
|
|
164
|
+
attempted: groupPath,
|
|
165
|
+
scope: getScopeDescription(this.scope),
|
|
166
|
+
}, "Group scope violation attempted");
|
|
167
|
+
throw new ScopeViolationError(groupPath, this.scope);
|
|
168
|
+
}
|
|
169
|
+
}
|
|
90
170
|
getScope() {
|
|
91
171
|
return this.scope;
|
|
92
172
|
}
|
|
93
173
|
getScopeDescription() {
|
|
94
174
|
return getScopeDescription(this.scope);
|
|
95
175
|
}
|
|
96
|
-
|
|
176
|
+
hasProjectRestrictions() {
|
|
97
177
|
const hasProject = Boolean(this.scope.project);
|
|
98
178
|
const hasNamespace = Boolean(this.scope.namespace);
|
|
99
179
|
const hasProjects = Boolean(this.scope.projects && this.scope.projects.length > 0);
|
|
100
|
-
|
|
180
|
+
const hasGroup = Boolean(this.scope.group);
|
|
181
|
+
const hasGroups = Boolean(this.scope.groups && this.scope.groups.length > 0);
|
|
182
|
+
return hasProject || hasNamespace || hasProjects || hasGroup || hasGroups;
|
|
183
|
+
}
|
|
184
|
+
hasGroupRestrictions() {
|
|
185
|
+
const hasGroup = Boolean(this.scope.group);
|
|
186
|
+
const hasNamespace = Boolean(this.scope.namespace);
|
|
187
|
+
const hasGroups = Boolean(this.scope.groups && this.scope.groups.length > 0);
|
|
188
|
+
return hasGroup || hasNamespace || hasGroups;
|
|
189
|
+
}
|
|
190
|
+
hasRestrictions() {
|
|
191
|
+
return this.hasProjectRestrictions() || this.hasGroupRestrictions();
|
|
101
192
|
}
|
|
102
193
|
}
|
|
103
194
|
exports.ScopeEnforcer = ScopeEnforcer;
|
|
@@ -119,10 +210,25 @@ function extractProjectsFromArgs(args) {
|
|
|
119
210
|
}
|
|
120
211
|
return projects;
|
|
121
212
|
}
|
|
213
|
+
function extractGroupsFromArgs(args) {
|
|
214
|
+
const groups = [];
|
|
215
|
+
const groupFields = ["group_id", "groupId", "group"];
|
|
216
|
+
for (const field of groupFields) {
|
|
217
|
+
const value = args[field];
|
|
218
|
+
if (typeof value === "string" && value.trim()) {
|
|
219
|
+
groups.push(value.trim());
|
|
220
|
+
}
|
|
221
|
+
}
|
|
222
|
+
return groups;
|
|
223
|
+
}
|
|
122
224
|
function enforceArgsScope(enforcer, args) {
|
|
123
225
|
const projects = extractProjectsFromArgs(args);
|
|
124
226
|
for (const project of projects) {
|
|
125
227
|
enforcer.enforce(project);
|
|
126
228
|
}
|
|
229
|
+
const groups = extractGroupsFromArgs(args);
|
|
230
|
+
for (const group of groups) {
|
|
231
|
+
enforcer.enforceGroup(group);
|
|
232
|
+
}
|
|
127
233
|
}
|
|
128
234
|
//# sourceMappingURL=scope-enforcer.js.map
|
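Review bot: `extractGroupsFromArgs` only collects values where `typeof value === "string"`, so a `group_id` that arrives as a JSON number is never handed to `enforceGroup` and the call proceeds unchecked, even though `isGroupAllowed` is written to deny numeric IDs that are not in the allowed set. Converting numbers before the check closes that gap, e.g. `const value = typeof args[field] === "number" ? String(args[field]) : args[field];`. The unchanged `extractProjectsFromArgs`, of which only the tail is visible in this section, presumably needs the same treatment. Separately, `isGroupAllowed` returns `true` whenever `hasGroupRestrictions()` is false, so a scope made only of `project`/`projects` leaves every group-addressed call unrestricted, while `hasProjectRestrictions()` does count `group`/`groups`. If that asymmetry is intended it deserves a comment above `isGroupAllowed`; otherwise the early return should test `hasRestrictions()` so a restricted session fails closed.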
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scope-enforcer.js","sourceRoot":"","sources":["../../../src/profiles/scope-enforcer.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"scope-enforcer.js","sourceRoot":"","sources":["../../../src/profiles/scope-enforcer.ts"],"names":[],"mappings":";;;AA2FA,sCASC;AA+PD,0DAqBC;AAaD,sDAcC;AAWD,4CAYC;AA7ZD,sCAAmC;AAQnC,MAAa,mBAAoB,SAAQ,KAAK;IAE1B;IACA;IAFlB,YACkB,eAAuB,EACvB,YAAyB;QAEzC,MAAM,gBAAgB,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;QAC3D,KAAK,CAAC,iBAAiB,eAAe,mCAAmC,gBAAgB,GAAG,CAAC,CAAC;QAJ9E,oBAAe,GAAf,eAAe,CAAQ;QACvB,iBAAY,GAAZ,YAAY,CAAa;QAIzC,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AATD,kDASC;AAKD,SAAS,mBAAmB,CAAC,KAAkB;IAC7C,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,KAAK,CAAC,IAAI,CAAC,YAAY,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,cAAc,GAAG,KAAK,CAAC,gBAAgB,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACpE,KAAK,CAAC,IAAI,CAAC,UAAU,KAAK,CAAC,KAAK,GAAG,cAAc,EAAE,CAAC,CAAC;IACvD,CAAC;IACD,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACpB,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,SAAS,IAAI,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAC/B,KAAK,CAAC,IAAI,CAAC,aAAa,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACvD,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,QAAQ,CAAC,MAAM,mBAAmB,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5C,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,WAAW,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnD,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,MAAM,iBAAiB,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC;AAC9D,CAAC;AASD,SAAS,oBAAoB,CAAC,IAAY;IACxC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IAEtD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC;AAC/B,CAAC;AAWD,SAAgB
,aAAa,CAAC,WAAmB,EAAE,SAAiB;IAClE,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAC5D,MAAM,mBAAmB,GAAG,oBAAoB,CAAC,SAAS,CAAC,CAAC;IAG5D,OAAO,CACL,iBAAiB,KAAK,mBAAmB;QACzC,iBAAiB,CAAC,UAAU,CAAC,mBAAmB,GAAG,GAAG,CAAC,CACxD,CAAC;AACJ,CAAC;AASD,MAAa,aAAa;IACP,KAAK,CAAc;IACnB,kBAAkB,CAAc;IAChC,gBAAgB,CAAc;IAC9B,gBAAgB,CAAU;IAE3C,YAAY,KAAkB;QAC5B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,gBAAgB,GAAG,KAAK,CAAC,gBAAgB,KAAK,KAAK,CAAC;QAGzD,IAAI,CAAC,kBAAkB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAG5F,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YAClB,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QACnE,CAAC;QAGD,IAAI,CAAC,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAGxF,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/D,CAAC;QAED,eAAM,CAAC,KAAK,CACV;YACE,KAAK,EAAE,mBAAmB,CAAC,KAAK,CAAC;YACjC,oBAAoB,EAAE,IAAI,CAAC,kBAAkB,CAAC,IAAI;YAClD,kBAAkB,EAAE,IAAI,CAAC,gBAAgB,CAAC,IAAI;YAC9C,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;SACxC,EACD,2BAA2B,CAC5B,CAAC;IACJ,CAAC;IAMD,MAAM,CAAC,UAAU,CAAC,MAAqB;QACrC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IAQD,SAAS,CAAC,WAAmB;QAE3B,IAAI,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,UAAU,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;QAGrD,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YAChF,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7E,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACnC,KAAK,MAAM,YAAY,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACjD,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBAE1B,IAAI,aAAa,CAAC,WAAW,EAAE,YAAY,CAAC,EAAE,CAAC;wBAC7C,OAAO
,IAAI,CAAC;oBACd,CAAC;gBACH,CAAC;qBAAM,CAAC;oBAEN,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBACpC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;wBACtB,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;wBAClD,IAAI,YAAY,KAAK,YAAY,EAAE,CAAC;4BAClC,OAAO,IAAI,CAAC;wBACd,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAID,IAAI,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7B,eAAM,CAAC,IAAI,CACT,EAAE,SAAS,EAAE,UAAU,EAAE,EACzB,0DAA0D,CAC3D,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAQD,cAAc,CAAC,SAAiB;QAE9B,IAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,UAAU,GAAG,oBAAoB,CAAC,SAAS,CAAC,CAAC;QAGnD,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5E,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,IAAI,CAAC,gBAAgB,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC5D,KAAK,MAAM,YAAY,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACjD,IAAI,aAAa,CAAC,SAAS,EAAE,YAAY,CAAC,EAAE,CAAC;oBAC3C,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAGD,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3E,OAAO,IAAI,CAAC;QACd,CAAC;QAID,IAAI,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YAC7B,eAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,UAAU,EAAE,EACvB,wDAAwD,CACzD,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAQD,OAAO,CAAC,WAAmB;QACzB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC;YACjC,eAAM,CAAC,IAAI,CACT;gBACE,SAAS,EAAE,WAAW;gBACtB,KAAK,EAAE,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC;aACvC,EACD,mCAAmC,CACpC,CAAC;YACF,MAAM,IAAI,mBAAmB,CAAC,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAQD,YAAY,CAAC,SAAiB;QAC5B,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,eAAM,CAAC,IAAI,CACT;gBACE,SAAS,EAAE,SAAS;gBACpB,KAAK,EAAE,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC;aACvC,EACD,iCAAiC,CAClC,CAAC;YACF,MAAM,IAAI,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAKD,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IA
KD,mBAAmB;QACjB,OAAO,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IAKD,sBAAsB;QACpB,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACnD,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACnF,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAE7E,OAAO,UAAU,IAAI,YAAY,IAAI,WAAW,IAAI,QAAQ,IAAI,SAAS,CAAC;IAC5E,CAAC;IAKD,oBAAoB;QAClB,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACnD,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC7E,OAAO,QAAQ,IAAI,YAAY,IAAI,SAAS,CAAC;IAC/C,CAAC;IAKD,eAAe;QACb,OAAO,IAAI,CAAC,sBAAsB,EAAE,IAAI,IAAI,CAAC,oBAAoB,EAAE,CAAC;IACtE,CAAC;CACF;AAzOD,sCAyOC;AAaD,SAAgB,uBAAuB,CAAC,IAA6B;IACnE,MAAM,QAAQ,GAAa,EAAE,CAAC;IAG9B,MAAM,aAAa,GAAG;QACpB,YAAY;QACZ,WAAW;QACX,SAAS;QACT,WAAW;QACX,eAAe;QACf,UAAU;KACX,CAAC;IAEF,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAC9C,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAaD,SAAgB,qBAAqB,CAAC,IAA6B;IACjE,MAAM,MAAM,GAAa,EAAE,CAAC;IAG5B,MAAM,WAAW,GAAG,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAErD,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;QAChC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAC9C,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAWD,SAAgB,gBAAgB,CAAC,QAAuB,EAAE,IAA6B;IAErF,MAAM,QAAQ,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;IAC/C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC;IAGD,MAAM,MAAM,GAAG,qBAAqB,
CAAC,IAAI,CAAC,CAAC;IAC3C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,QAAQ,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;AACH,CAAC"}
|
|
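--- a/package/dist/src/profiles/types.d.ts
+++ b/package/dist/src/profiles/types.d.ts
@@ -85,12 +85,28 @@ export declare const ProfileSchema: z.ZodObject<{
 ssl_key_path: z.ZodOptional<z.ZodString>;
 ca_cert_path: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
+export declare const ScopeConfigSchema: z.ZodObject<{
+project: z.ZodOptional<z.ZodString>;
+group: z.ZodOptional<z.ZodString>;
+namespace: z.ZodOptional<z.ZodString>;
+projects: z.ZodOptional<z.ZodArray<z.ZodString>>;
+groups: z.ZodOptional<z.ZodArray<z.ZodString>>;
+includeSubgroups: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>;
 export declare const PresetSchema: z.ZodObject<{
 description: z.ZodOptional<z.ZodString>;
 read_only: z.ZodOptional<z.ZodBoolean>;
 denied_tools_regex: z.ZodOptional<z.ZodString>;
 allowed_tools: z.ZodOptional<z.ZodArray<z.ZodString>>;
 denied_actions: z.ZodOptional<z.ZodArray<z.ZodString>>;
+scope: z.ZodOptional<z.ZodObject<{
+project: z.ZodOptional<z.ZodString>;
+group: z.ZodOptional<z.ZodString>;
+namespace: z.ZodOptional<z.ZodString>;
+projects: z.ZodOptional<z.ZodArray<z.ZodString>>;
+groups: z.ZodOptional<z.ZodArray<z.ZodString>>;
+includeSubgroups: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>>;
 features: z.ZodOptional<z.ZodObject<{
 wiki: z.ZodOptional<z.ZodBoolean>;
 milestones: z.ZodOptional<z.ZodBoolean>;
@@ -158,17 +174,15 @@ export declare const ProfilesConfigSchema: z.ZodObject<{
 }, z.core.$strip>>;
 default_profile: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
-export declare const ScopeConfigSchema: z.ZodObject<{
-project: z.ZodOptional<z.ZodString>;
-namespace: z.ZodOptional<z.ZodString>;
-projects: z.ZodOptional<z.ZodArray<z.ZodString>>;
-}, z.core.$strip>;
 export declare const ProjectPresetSchema: z.ZodObject<{
 description: z.ZodOptional<z.ZodString>;
 scope: z.ZodOptional<z.ZodObject<{
 project: z.ZodOptional<z.ZodString>;
+group: z.ZodOptional<z.ZodString>;
 namespace: z.ZodOptional<z.ZodString>;
 projects: z.ZodOptional<z.ZodArray<z.ZodString>>;
+groups: z.ZodOptional<z.ZodArray<z.ZodString>>;
+includeSubgroups: z.ZodOptional<z.ZodBoolean>;
 }, z.core.$strip>>;
 features: z.ZodOptional<z.ZodObject<{
 wiki: z.ZodOptional<z.ZodBoolean>;
@@ -224,6 +238,7 @@ export type OAuthAuth = z.infer<typeof OAuthAuthSchema>;
 export type CookieAuth = z.infer<typeof CookieAuthSchema>;
 export type AuthConfig = z.infer<typeof AuthConfigSchema>;
 export type FeatureFlags = z.infer<typeof FeatureFlagsSchema>;
+export type ScopeConfig = z.infer<typeof ScopeConfigSchema>;
 export type Profile = z.infer<typeof ProfileSchema>;
 export type Preset = z.infer<typeof PresetSchema>;
 export type ProfilesConfig = z.infer<typeof ProfilesConfigSchema>;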
|
|
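--- a/package/dist/src/profiles/types.js
+++ b/package/dist/src/profiles/types.js
@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ProjectProfileSchema = exports.ProjectPresetSchema = exports.
+exports.ProjectProfileSchema = exports.ProjectPresetSchema = exports.ProfilesConfigSchema = exports.PresetSchema = exports.ScopeConfigSchema = exports.ProfileSchema = void 0;
 const zod_1 = require("zod");
 const PatAuthSchema = zod_1.z.object({
 type: zod_1.z.literal("pat"),
@@ -67,6 +67,38 @@ exports.ProfileSchema = zod_1.z.object({
 ssl_key_path: zod_1.z.string().optional().describe("Path to SSL key"),
 ca_cert_path: zod_1.z.string().optional().describe("Path to CA certificate"),
 });
+exports.ScopeConfigSchema = zod_1.z
+.object({
+project: zod_1.z.string().optional().describe("Single project path (e.g., group/project)"),
+group: zod_1.z.string().optional().describe("Single group path (e.g., my-group or parent/child)"),
+namespace: zod_1.z.string().optional().describe("Namespace/group path"),
+projects: zod_1.z.array(zod_1.z.string()).optional().describe("List of allowed project paths"),
+groups: zod_1.z.array(zod_1.z.string()).optional().describe("List of allowed group paths"),
+includeSubgroups: zod_1.z
+.boolean()
+.optional()
+.describe("Include subgroups when group scope is set (default: true)"),
+})
+.refine(data => {
+const hasProject = data.project !== undefined;
+const hasGroup = data.group !== undefined;
+const hasNamespace = data.namespace !== undefined;
+const hasProjects = data.projects !== undefined && data.projects.length > 0;
+const hasGroups = data.groups !== undefined && data.groups.length > 0;
+return hasProject || hasGroup || hasNamespace || hasProjects || hasGroups;
+}, { message: "Scope must define at least one of: project, group, namespace, projects, or groups" })
+.refine(data => {
+if (data.project && data.projects && data.projects.length > 0) {
+return false;
+}
+return true;
+}, { message: "Cannot combine 'project' with 'projects' - use one or the other" })
+.refine(data => {
+if (data.group && data.groups && data.groups.length > 0) {
+return false;
+}
+return true;
+}, { message: "Cannot combine 'group' with 'groups' - use one or the other" });
 exports.PresetSchema = zod_1.z
 .object({
 description: zod_1.z.string().optional().describe("Human-readable description of the preset"),
@@ -77,6 +109,7 @@ exports.PresetSchema = zod_1.z
 .array(zod_1.z.string())
 .optional()
 .describe("Denied actions in format 'tool:action'"),
+scope: exports.ScopeConfigSchema.optional().describe("Runtime scope restrictions for projects/groups"),
 features: FeatureFlagsSchema,
 timeout_ms: zod_1.z.number().int().positive().optional().describe("API timeout in milliseconds"),
 })
@@ -85,24 +118,6 @@ exports.ProfilesConfigSchema = zod_1.z.object({
 profiles: zod_1.z.record(zod_1.z.string(), exports.ProfileSchema).describe("Named profiles"),
 default_profile: zod_1.z.string().optional().describe("Default profile when none specified"),
 });
-exports.ScopeConfigSchema = zod_1.z
-.object({
-project: zod_1.z.string().optional().describe("Single project path (e.g., group/project)"),
-namespace: zod_1.z.string().optional().describe("Namespace/group path"),
-projects: zod_1.z.array(zod_1.z.string()).optional().describe("List of allowed project paths"),
-})
-.refine(data => {
-const hasProject = data.project !== undefined;
-const hasNamespace = data.namespace !== undefined;
-const hasProjects = data.projects !== undefined && data.projects.length > 0;
-return hasProject || hasNamespace || hasProjects;
-}, { message: "Scope must define at least one of: project, namespace, or projects" })
-.refine(data => {
-if (data.project && data.projects && data.projects.length > 0) {
-return false;
-}
-return true;
-}, { message: "Cannot combine 'project' with 'projects' - use one or the other" });
 exports.ProjectPresetSchema = zod_1.z
 .object({
 description: zod_1.z.string().optional().describe("Description of project restrictions"),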
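Review bot: The first `.refine` on the relocated `ScopeConfigSchema` tests `project`, `group` and `namespace` with `!== undefined`, so `scope: { project: "" }` satisfies the "at least one" rule, while the two mutual-exclusion refinements after it test the same fields by truthiness and treat that empty string as absent. Because `PresetSchema.scope` describes this object as the runtime scope restriction for projects/groups, a value that validates but names nothing should be rejected when the config is loaded rather than left for the enforcer to interpret; how the enforcer handles it is not visible in this section. In the TypeScript source that would be `z.string().min(1).optional()` for the three single-path fields and `z.array(z.string().min(1)).optional()` for `projects` and `groups`. A comment next to `includeSubgroups` should also say that the described default of true is the broader setting and is not applied by the schema, since no `.default(true)` appears here.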
|