npm - @tankpkg/cli - Versions diffs - 0.8.1 → 0.9.0 - Mend

@tankpkg/cli 0.8.1 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/bin/tank.js +130 -36
package/dist/bin/tank.js.map +1 -1
package/dist/{debug-logger-BjGZcIhg.js → debug-logger-BJzuguP3.js} +2 -2
package/dist/{debug-logger-BjGZcIhg.js.map → debug-logger-BJzuguP3.js.map} +1 -1
package/dist/index.js +1 -1
package/dist/package.json +1 -1
package/package.json +1 -1

package/dist/bin/tank.js CHANGED Viewed

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { a as VERSION, c as getConfigDir, i as USER_AGENT, n as flushLogs, o as logger, s as getConfig, t as authFlowLog, u as setConfig } from "../debug-logger-BjGZcIhg.js";
+import { a as VERSION, c as getConfigDir, i as USER_AGENT, n as flushLogs, o as logger, s as getConfig, t as authFlowLog, u as setConfig } from "../debug-logger-BJzuguP3.js";
 import { Command } from "commander";
 import chalk from "chalk";
 import fs from "node:fs";
@@ -1291,26 +1291,6 @@ function getResolvedNodesInOrder(nodes, installOrder) {
 //#endregion
 //#region src/lib/permission-checker.ts
 /**
-* Check if a skill's permissions fit within the project's permission budget.
-* Throws if any permission exceeds the budget.
-*/
-function checkPermissionBudget(budget, skillPerms, skillName) {
-	if (!skillPerms) return;
-	if (skillPerms.subprocess === true && budget.subprocess !== true) throw new Error(`Permission denied: ${skillName} requires subprocess access, but project budget does not allow it`);
-	if (skillPerms.network?.outbound && skillPerms.network.outbound.length > 0) {
-		const budgetDomains = budget.network?.outbound ?? [];
-		for (const domain of skillPerms.network.outbound) if (!isDomainAllowed$1(domain, budgetDomains)) throw new Error(`Permission denied: ${skillName} requests network access to "${domain}", which is not in the project's permission budget`);
-	}
-	if (skillPerms.filesystem?.read && skillPerms.filesystem.read.length > 0) {
-		const budgetPaths = budget.filesystem?.read ?? [];
-		for (const p of skillPerms.filesystem.read) if (!isPathAllowed$1(p, budgetPaths)) throw new Error(`Permission denied: ${skillName} requests filesystem read access to "${p}", which is not in the project's permission budget`);
-	}
-	if (skillPerms.filesystem?.write && skillPerms.filesystem.write.length > 0) {
-		const budgetPaths = budget.filesystem?.write ?? [];
-		for (const p of skillPerms.filesystem.write) if (!isPathAllowed$1(p, budgetPaths)) throw new Error(`Permission denied: ${skillName} requests filesystem write access to "${p}", which is not in the project's permission budget`);
-	}
-}
-/**
 * Check if a domain is allowed by the budget's domain list.
 * Supports wildcard matching: *.example.com matches sub.example.com
 */
@@ -1339,6 +1319,91 @@ function isPathAllowed$1(requestedPath, allowedPaths) {
 	}
 	return false;
 }
+/**
+* Collect all permission violations without throwing.
+* Mirrors checkPermissionBudget() logic but returns violations as an array.
+*/
+function collectPermissionViolations(budget, skillPerms, skillName) {
+	if (!skillPerms) return [];
+	const violations = [];
+	if (skillPerms.subprocess === true && budget.subprocess !== true) violations.push({
+		skillName,
+		type: "subprocess",
+		requested: "true"
+	});
+	if (skillPerms.network?.outbound && skillPerms.network.outbound.length > 0) {
+		const budgetDomains = budget.network?.outbound ?? [];
+		for (const domain of skillPerms.network.outbound) if (!isDomainAllowed$1(domain, budgetDomains)) violations.push({
+			skillName,
+			type: "network.outbound",
+			requested: domain
+		});
+	}
+	if (skillPerms.filesystem?.read && skillPerms.filesystem.read.length > 0) {
+		const budgetPaths = budget.filesystem?.read ?? [];
+		for (const p of skillPerms.filesystem.read) if (!isPathAllowed$1(p, budgetPaths)) violations.push({
+			skillName,
+			type: "filesystem.read",
+			requested: p
+		});
+	}
+	if (skillPerms.filesystem?.write && skillPerms.filesystem.write.length > 0) {
+		const budgetPaths = budget.filesystem?.write ?? [];
+		for (const p of skillPerms.filesystem.write) if (!isPathAllowed$1(p, budgetPaths)) violations.push({
+			skillName,
+			type: "filesystem.write",
+			requested: p
+		});
+	}
+	return violations;
+}
+//#endregion
+//#region src/lib/permission-prompt.ts
+async function promptForPermissionExpansion(violations, options) {
+	if (options.yes === true) return "accept";
+	if (options.isInteractive === false) return "decline";
+	logger.warn("The following permissions exceed your project budget:");
+	for (const v of violations) logger.warn(`  ${v.skillName}: ${v.type} → ${v.requested}`);
+	return await confirm({
+		message: "Would you like to add these permissions to tank.json?",
+		default: true
+	}) ? "accept" : "decline";
+}
+function mergePermissionsIntoBudget(currentBudget, violations) {
+	const result = {
+		...currentBudget,
+		network: currentBudget.network ? {
+			...currentBudget.network,
+			outbound: [...currentBudget.network.outbound ?? []]
+		} : void 0,
+		filesystem: currentBudget.filesystem ? {
+			...currentBudget.filesystem,
+			read: currentBudget.filesystem.read ? [...currentBudget.filesystem.read] : void 0,
+			write: currentBudget.filesystem.write ? [...currentBudget.filesystem.write] : void 0
+		} : void 0
+	};
+	for (const v of violations) switch (v.type) {
+		case "filesystem.read":
+			if (!result.filesystem) result.filesystem = {};
+			if (!result.filesystem.read) result.filesystem.read = [];
+			if (!result.filesystem.read.includes(v.requested)) result.filesystem.read.push(v.requested);
+			break;
+		case "filesystem.write":
+			if (!result.filesystem) result.filesystem = {};
+			if (!result.filesystem.write) result.filesystem.write = [];
+			if (!result.filesystem.write.includes(v.requested)) result.filesystem.write.push(v.requested);
+			break;
+		case "network.outbound":
+			if (!result.network) result.network = {};
+			if (!result.network.outbound) result.network.outbound = [];
+			if (!result.network.outbound.includes(v.requested)) result.network.outbound.push(v.requested);
+			break;
+		case "subprocess":
+			result.subprocess = true;
+			break;
+	}
+	return result;
+}
 //#endregion
 //#region src/commands/install.ts
 function createRegistryFetcher(registry, headers) {
@@ -1432,15 +1497,30 @@ function buildLockedVersionByName(lock) {
 function createExtractDirResolver(directory, global, resolvedHome) {
 	return (skillName) => global ? getGlobalExtractDir(resolvedHome, skillName) : getExtractDir$1(directory, skillName);
 }
-function validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore) {
+async function validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore, options) {
 	if (!projectPermissions) logger.warn(`No permission budget defined in ${MANIFEST_FILENAME}. Install proceeding without permission checks.`);
-	for (const node of resolvedNodes) {
-		if (projectPermissions) checkPermissionBudget(projectPermissions, node.meta.permissions, node.name);
-		if (auditMinScore !== void 0) {
-			if (node.meta.auditScore === null || node.meta.auditScore === void 0) logger.warn(`Audit score not yet available for ${node.name}. Install proceeding without audit score check.`);
-			else if (node.meta.auditScore < auditMinScore) throw new Error(`Audit score ${node.meta.auditScore} for ${node.name} is below minimum threshold ${auditMinScore} defined in ${MANIFEST_FILENAME}`);
+	if (projectPermissions) {
+		const allViolations = resolvedNodes.flatMap((node) => collectPermissionViolations(projectPermissions, node.meta.permissions, node.name));
+		if (allViolations.length > 0) {
+			const isInteractive = !process.env.CI && process.stdout.isTTY === true;
+			const decision = await promptForPermissionExpansion(allViolations, {
+				yes: options?.yes,
+				isInteractive
+			});
+			if (decision === "accept" && options?.skillsJsonPath && options?.skillsJson) {
+				const merged = mergePermissionsIntoBudget(projectPermissions, allViolations);
+				options.skillsJson.permissions = merged;
+				fs.writeFileSync(options.skillsJsonPath, `${JSON.stringify(options.skillsJson, null, 2)}\n`);
+			} else if (decision === "decline") {
+				const first = allViolations[0];
+				throw new Error(`Permission denied: ${first.skillName} requests ${first.type} access to "${first.requested}", which is not in the project's permission budget`);
+			}
 		}
 	}
+	for (const node of resolvedNodes) if (auditMinScore !== void 0) {
+		if (node.meta.auditScore === null || node.meta.auditScore === void 0) logger.warn(`Audit score not yet available for ${node.name}. Install proceeding without audit score check.`);
+		else if (node.meta.auditScore < auditMinScore) throw new Error(`Audit score ${node.meta.auditScore} for ${node.name} is below minimum threshold ${auditMinScore} defined in ${MANIFEST_FILENAME}`);
+	}
 }
 async function runLegacyFallback(options) {
 	const { rootSkillNames, resolvedNodeByName, extractDirForSkill, directory, configDir, global, homedir } = options;
@@ -1490,8 +1570,12 @@ function linkInstalledRoots(options) {
 	if (detectInstalledAgents(homedir).length === 0) logger.warn("No agents detected for linking");
 }
 async function executeInstallPipeline(options) {
-	const { directory, configDir, global, homedir, resolvedHome, lock, lockPath, resolvedNodes, nodesToInstall, rootSkillNames, projectPermissions, auditMinScore, spinner } = options;
-	if (!global) validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore);
+	const { directory, configDir, global, homedir, resolvedHome, lock, lockPath, resolvedNodes, nodesToInstall, rootSkillNames, projectPermissions, auditMinScore, spinner, yes, skillsJsonPath, skillsJson } = options;
+	if (!global) await validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore, {
+		yes,
+		skillsJsonPath,
+		skillsJson
+	});
 	const extractDirForSkill = createExtractDirResolver(directory, global, resolvedHome);
 	const resolvedNodeByName = new Map(resolvedNodes.map((node) => [node.name, node]));
 	const downloaded = await downloadAllParallel(nodesToInstall, spinner);
@@ -1529,7 +1613,7 @@ async function executeInstallPipeline(options) {
 	return updatedLock;
 }
 async function installCommand(options) {
-	const { name, versionRange = "*", directory = process.cwd(), configDir, global = false, homedir, isTransitive = false } = options;
+	const { name, versionRange = "*", directory = process.cwd(), configDir, global = false, homedir, isTransitive = false, yes } = options;
 	const config = getConfig(configDir);
 	const resolvedHome = homedir ?? os.homedir();
 	const requestHeaders = { "User-Agent": USER_AGENT };
@@ -1585,7 +1669,10 @@ async function installCommand(options) {
 			rootSkillNames: [name],
 			projectPermissions,
 			auditMinScore,
-			spinner
+			spinner,
+			yes,
+			skillsJsonPath,
+			skillsJson
 		});
 		if (!global && !isTransitive) {
 			const skills = skillsJson.skills ?? {};
@@ -1683,7 +1770,7 @@ async function installFromLockfile(options) {
 	}
 }
 async function installAll(options) {
-	const { directory = process.cwd(), configDir, global = false, homedir } = options;
+	const { directory = process.cwd(), configDir, global = false, homedir, yes } = options;
 	const resolvedHome = homedir ?? os.homedir();
 	const config = getConfig(configDir);
 	const requestHeaders = { "User-Agent": USER_AGENT };
@@ -1738,7 +1825,10 @@ async function installAll(options) {
 			rootSkillNames: skillEntries.map(([skillName]) => skillName),
 			projectPermissions,
 			auditMinScore,
-			spinner
+			spinner,
+			yes,
+			skillsJsonPath,
+			skillsJson
 		});
 		spinner.succeed(`Installed ${skillEntries.length} root skill${skillEntries.length === 1 ? "" : "s"}`);
 	} catch (err) {
@@ -3294,14 +3384,18 @@ program.command("publish").alias("pub").description("Pack and publish a skill to
 		process.exit(1);
 	}
 });
-program.command("install").alias("i").description("Install a skill from the Tank registry, or all skills from lockfile").argument("[name]", "Skill name (e.g., @org/skill-name). Omit to install from lockfile.").argument("[version-range]", "Semver range (default: *)", "*").option("-g, --global", "Install skill globally (available to all projects)").action(async (name, versionRange, opts) => {
+program.command("install").alias("i").description("Install a skill from the Tank registry, or all skills from lockfile").argument("[name]", "Skill name (e.g., @org/skill-name). Omit to install from lockfile.").argument("[version-range]", "Semver range (default: *)", "*").option("-g, --global", "Install skill globally (available to all projects)").option("-y, --yes", "Auto-accept permission budget expansion").action(async (name, versionRange, opts) => {
 	try {
 		if (name) await installCommand({
 			name,
 			versionRange,
-			global: opts.global
+			global: opts.global,
+			yes: opts.yes
+		});
+		else await installAll({
+			global: opts.global,
+			yes: opts.yes
 		});
-		else await installAll({ global: opts.global });
 	} catch (err) {
 		const msg = err instanceof Error ? err.message : String(err);
 		console.error(`Install failed: ${msg}`);