@trops/dash-core 0.1.496 → 0.1.498

package/dist/electron/index.js

@@ -17,7 +17,7 @@ var require$$0$5 = require('@modelcontextprotocol/sdk/client/index.js');
 var require$$1$4 = require('@modelcontextprotocol/sdk/client/stdio.js');
 var require$$0$4 = require('pkce-challenge');
 var require$$2$1 = require('os');
-var require$$11 = require('child_process');
+var require$$12 = require('child_process');
 var require$$3$2 = require('adm-zip');
 var require$$4$1 = require('url');
 var require$$2$2 = require('vm');
@@ -1873,7 +1873,7 @@ var safePath_1 = {
 // it can mark the relative import as transitive-external and then fail
 // to resolve back. Deferring the require breaks the static-analysis
 // chain so the rollup build resolves cleanly.
-const DEFAULT_TIMEOUT_MS = 1000;
+const DEFAULT_TIMEOUT_MS$1 = 1000;
 const DEFAULT_MEMORY_BYTES = 32 * 1024 * 1024; // 32 MB
 
 let _modulePromise = null;
@@ -1936,7 +1936,7 @@ async function runOnce({
   body,
   args = [],
   inputs = [],
-  timeoutMs = DEFAULT_TIMEOUT_MS,
+  timeoutMs = DEFAULT_TIMEOUT_MS$1,
   memoryBytes = DEFAULT_MEMORY_BYTES,
 }) {
   if (typeof body !== "string" || !body.trim()) {
@@ -2007,7 +2007,7 @@ async function createCompiled({
   let disposed = false;
 
   return {
-    run(inputs, timeoutMs = DEFAULT_TIMEOUT_MS) {
+    run(inputs, timeoutMs = DEFAULT_TIMEOUT_MS$1) {
       if (disposed) {
         return { error: "executor already disposed" };
       }
@@ -2048,7 +2048,7 @@ async function createCompiled({
 var safeJsExecutor$1 = {
   runOnce,
   createCompiled,
-  DEFAULT_TIMEOUT_MS,
+  DEFAULT_TIMEOUT_MS: DEFAULT_TIMEOUT_MS$1,
   DEFAULT_MEMORY_BYTES,
 };
 
@@ -21235,13 +21235,23 @@ function writeToDisk(data) {
   fs$b.renameSync(tmp, p);
 }
 
-// Recognized origins for a persisted grant. "declared" means the user
-// approved against the developer's declared dash.permissions.mcp block;
-// "discovered" means the install-time scanner produced a synthetic
-// manifest the user approved; "manual" means the user typed entries
-// themselves in Settings → Privacy & Security with no manifest backing.
+// Recognized origins for a persisted grant.
+//   "declared"   — user approved against the developer's declared
+//                  dash.permissions.mcp block at install time.
+//   "discovered" — install-time scanner produced a synthetic manifest
+//                  the user approved.
+//   "manual"     — user typed entries themselves in
+//                  Settings → Privacy & Security with no manifest backing.
+//   "live"       — user approved a just-in-time consent prompt at
+//                  runtime when a tool call hit the gate without a
+//                  matching grant.
 // Other values are dropped on persist (legacy grants stay null).
-const ALLOWED_GRANT_ORIGINS = new Set(["declared", "discovered", "manual"]);
+const ALLOWED_GRANT_ORIGINS = new Set([
+  "declared",
+  "discovered",
+  "manual",
+  "live",
+]);
 
 /**
  * Sanitize a perms object before persisting. Drops unknown keys, coerces
@@ -21289,7 +21299,7 @@ function getGrant$2(widgetId) {
   return all[widgetId] || null;
 }
 
-function setGrant$1(widgetId, perms) {
+function setGrant$2(widgetId, perms) {
   if (typeof widgetId !== "string" || !widgetId) return false;
   const sanitized = sanitizePerms(perms);
   if (!sanitized) return false;
@@ -21371,7 +21381,7 @@ function clearCache$1() {
 
 var grantedPermissions = {
   getGrant: getGrant$2,
-  setGrant: setGrant$1,
+  setGrant: setGrant$2,
   revokeGrant: revokeGrant$1,
   revokeServer: revokeServer$1,
   listAllGrants: listAllGrants$1,
@@ -21379,6 +21389,218 @@ var grantedPermissions = {
   ALLOWED_GRANT_ORIGINS,
 };
 
+/**
+ * jitConsent.js
+ *
+ * Just-in-time permission consent for widget→backend calls.
+ *
+ * When a widget hits a gate without an existing grant for the requested
+ * (domain, action, args), the gate calls `requestApproval` which:
+ *   1. Synchronously emits `widget:permission-required` to all
+ *      BrowserWindows with a unique requestId.
+ *   2. Returns a Promise that resolves on user response or rejects on
+ *      timeout.
+ *   3. Coalesces requests with the same coalescing key so a widget
+ *      bursting identical calls produces one prompt, not many.
+ *
+ * The renderer's JitConsentModal subscribes to the event, presents the
+ * user with granularity options (this once / this tool / this tool +
+ * parent dir), and replies via `widget:permission-response` with
+ * `{ requestId, decision }`. main.js wires the IPC handler back to
+ * `_handleResponse`.
+ *
+ * The module is intentionally domain-agnostic in shape — the request
+ * payload carries `domain` so future plug-ins (fs, algolia, llm) reuse
+ * the same machinery. Phase 1 only emits with `domain: "mcp"`.
+ *
+ * Public surface:
+ *   requestApproval(req, opts) → Promise<{ approve, scope?, ... }>
+ *   _handleResponse({ requestId, decision }) → void   (called from main.js IPC)
+ *   _resetForTest() → void                            (test-only)
+ */
+
+const { BrowserWindow: BrowserWindow$2, ipcMain: ipcMain$2 } = require$$0$1;
+
+const REQUEST_CHANNEL = "widget:permission-required";
+const RESPONSE_CHANNEL = "widget:permission-response";
+const DEFAULT_TIMEOUT_MS = 60_000;
+
+// requestId → { resolve, reject, timeout, coalesceKey, joinedResolvers }
+const _pending = new Map();
+// coalesceKey → requestId (so duplicate requests join the live one)
+const _coalesce = new Map();
+let _idCounter = 0;
+
+function nextRequestId() {
+  _idCounter += 1;
+  return `jit-${Date.now()}-${_idCounter}`;
+}
+
+/**
+ * Build a coalescing key from the request. Two requests share the same
+ * key iff they're "the same prompt" — same widget, same domain+action,
+ * same target server/tool. Args beyond that (e.g. exact path) DON'T
+ * differentiate; if the user is being asked about read_file already,
+ * approving handles all current paths.
+ */
+function coalesceKeyOf(req) {
+  if (req.domain === "mcp") {
+    const innerArgs = req.args || {};
+    return [
+      req.widgetId,
+      "mcp",
+      innerArgs.serverName || "",
+      innerArgs.toolName || "",
+    ].join("::");
+  }
+  // Default: domain + action + serialized top-level args
+  return [
+    req.widgetId,
+    req.domain,
+    req.action,
+    JSON.stringify(req.args || {}),
+  ].join("::");
+}
+
+function emitEvent(payload) {
+  let wins = [];
+  try {
+    wins = BrowserWindow$2.getAllWindows() || [];
+  } catch {
+    wins = [];
+  }
+  for (const w of wins) {
+    try {
+      w?.webContents?.send?.(REQUEST_CHANNEL, payload);
+    } catch {
+      // best-effort broadcast
+    }
+  }
+}
+
+function validateRequest(req) {
+  if (!req || typeof req !== "object") return "invalid request: not an object";
+  if (typeof req.widgetId !== "string" || !req.widgetId)
+    return "invalid request: widgetId required";
+  if (typeof req.domain !== "string" || !req.domain)
+    return "invalid request: domain required";
+  if (typeof req.action !== "string" || !req.action)
+    return "invalid request: action required";
+  return null;
+}
+
+/**
+ * Request user approval for an out-of-grant call. Returns a promise
+ * that resolves with the user's decision or rejects on timeout / bad
+ * input.
+ *
+ * decision shape (resolved value):
+ *   { approve: true, scope: "once" | "tool" | "parent" | "custom", ...extras }
+ *   { approve: false, reason?: string }
+ *
+ * `scope` informs the caller how to write the resulting grant.
+ */
+function requestApproval$1(req, opts = {}) {
+  const validation = validateRequest(req);
+  if (validation) {
+    return Promise.reject(new Error(validation));
+  }
+
+  const timeoutMs = Number.isFinite(opts.timeoutMs)
+    ? opts.timeoutMs
+    : DEFAULT_TIMEOUT_MS;
+
+  // If a prompt for the same coalesce key is already pending, join it.
+  const key = coalesceKeyOf(req);
+  if (_coalesce.has(key)) {
+    const existingId = _coalesce.get(key);
+    const existing = _pending.get(existingId);
+    if (existing) {
+      return new Promise((resolve, reject) => {
+        existing.joinedResolvers.push({ resolve, reject });
+      });
+    }
+    // Stale coalesce entry; drop and fall through to a fresh request.
+    _coalesce.delete(key);
+  }
+
+  return new Promise((resolve, reject) => {
+    const requestId = nextRequestId();
+    const timeout = setTimeout(() => {
+      const entry = _pending.get(requestId);
+      if (!entry) return;
+      _pending.delete(requestId);
+      _coalesce.delete(entry.coalesceKey);
+      const err = new Error(
+        `JIT consent timed out for ${req.widgetId} (${req.domain}/${req.action}) after ${timeoutMs}ms`,
+      );
+      reject(err);
+      for (const j of entry.joinedResolvers) j.reject(err);
+    }, timeoutMs);
+
+    _pending.set(requestId, {
+      resolve,
+      reject,
+      timeout,
+      coalesceKey: key,
+      joinedResolvers: [],
+    });
+    _coalesce.set(key, requestId);
+
+    emitEvent({
+      requestId,
+      widgetId: req.widgetId,
+      domain: req.domain,
+      action: req.action,
+      args: req.args || {},
+    });
+  });
+}
+
+function _handleResponse({ requestId, decision } = {}) {
+  if (!requestId || typeof requestId !== "string") return;
+  const entry = _pending.get(requestId);
+  if (!entry) return; // unknown request — drop silently
+  clearTimeout(entry.timeout);
+  _pending.delete(requestId);
+  _coalesce.delete(entry.coalesceKey);
+  const safe =
+    decision && typeof decision === "object" ? decision : { approve: false };
+  entry.resolve(safe);
+  for (const j of entry.joinedResolvers) j.resolve(safe);
+}
+
+function _resetForTest() {
+  for (const entry of _pending.values()) clearTimeout(entry.timeout);
+  _pending.clear();
+  _coalesce.clear();
+  _idCounter = 0;
+}
+
+let _handlersRegistered = false;
+/**
+ * Wire the renderer→main response IPC. Idempotent.
+ * Call once from main.js alongside other ipcMain setup.
+ */
+function setupJitConsentHandlers() {
+  if (_handlersRegistered) return;
+  if (!ipcMain$2 || typeof ipcMain$2.on !== "function") return;
+  ipcMain$2.on(RESPONSE_CHANNEL, (_event, payload) => {
+    _handleResponse(payload);
+  });
+  _handlersRegistered = true;
+}
+
+var jitConsent$1 = {
+  requestApproval: requestApproval$1,
+  setupJitConsentHandlers,
+  _handleResponse,
+  _resetForTest,
+  REQUEST_CHANNEL,
+  RESPONSE_CHANNEL,
+  DEFAULT_TIMEOUT_MS,
+};
+
 /**
  * permissionGate.js
  *
@@ -21418,8 +21640,9 @@ var grantedPermissions = {
  * dispatch goes through this gate.
  */
 
-const { getGrant: getGrant$1 } = grantedPermissions;
+const { getGrant: getGrant$1, setGrant: setGrant$1 } = grantedPermissions;
 const { safePath: safePath$1 } = safePath_1;
+const { requestApproval } = jitConsent$1;
 
 // Argument keys that look like paths. Different MCP servers use
 // different conventions; this list covers the common filesystem-style
@@ -21535,8 +21758,148 @@ function gateToolCall$1({ widgetId, serverName, toolName, args }) {
   return { allow: true };
 }
 
+/**
+ * Heuristic — "no grant" is the only denial reason JIT can recover.
+ * Other denials (missing widgetId, malformed args, server-not-declared
+ * post-grant, path-traversal-rejected) are bugs or attempted abuse,
+ * not consent gaps; the user shouldn't be prompted about those.
+ */
+function _isNoGrantDenial(reason) {
+  return (
+    typeof reason === "string" && /no MCP permissions granted/i.test(reason)
+  );
+}
+
+/**
+ * Merge `addition` (a grant blob) into the widget's existing grant. Used
+ * by the JIT path to extend an existing grant with a new tool/path
+ * without clobbering grants for other servers.
+ */
+function _mergeGrant(current, addition) {
+  const out = {
+    grantOrigin: addition.grantOrigin || current?.grantOrigin || null,
+    servers: { ...(current?.servers || {}) },
+  };
+  for (const [name, perms] of Object.entries(addition.servers || {})) {
+    const existing = out.servers[name] || {
+      tools: [],
+      readPaths: [],
+      writePaths: [],
+    };
+    out.servers[name] = {
+      tools: [...new Set([...(existing.tools || []), ...(perms.tools || [])])],
+      readPaths: [
+        ...new Set([...(existing.readPaths || []), ...(perms.readPaths || [])]),
+      ],
+      writePaths: [
+        ...new Set([
+          ...(existing.writePaths || []),
+          ...(perms.writePaths || []),
+        ]),
+      ],
+    };
+  }
+  return out;
+}
+
+/**
+ * Async wrapper around gateToolCall that escalates "no grant" denials
+ * to a just-in-time consent prompt when `opts.enableJit` is true.
+ * On approval, the user's chosen grant shape (carried on
+ * `decision.granted`) is merged into the persisted grant and the gate
+ * re-evaluates. On denial / timeout / disabled-flag, returns the
+ * synchronous decision unchanged.
+ *
+ * @returns {Promise<{ allow: true } | { allow: false, reason: string }>}
+ */
+async function gateToolCallWithJit$1(req, opts = {}) {
+  const initial = gateToolCall$1(req);
+  if (initial.allow) return initial;
+  if (!opts.enableJit) return initial;
+  if (!_isNoGrantDenial(initial.reason)) return initial;
+
+  let decision;
+  try {
+    decision = await requestApproval(
+      {
+        widgetId: req.widgetId,
+        domain: "mcp",
+        action: "callTool",
+        args: {
+          serverName: req.serverName,
+          toolName: req.toolName,
+          args: req.args || {},
+        },
+      },
+      { timeoutMs: opts.timeoutMs },
+    );
+  } catch (e) {
+    return {
+      allow: false,
+      reason:
+        "JIT consent " +
+        (e && e.message ? e.message : "failed") +
+        "; original denial: " +
+        initial.reason,
+    };
+  }
+
+  if (!decision || decision.approve !== true) {
+    return {
+      allow: false,
+      reason:
+        "user declined JIT consent for widget '" +
+        req.widgetId +
+        "' calling '" +
+        req.toolName +
+        "' on '" +
+        req.serverName +
+        "'",
+    };
+  }
+
+  // The renderer is expected to carry the chosen grant shape on
+  // decision.granted. Fall back to a minimal tool-level grant if the
+  // shape is missing — never silently grant paths the user didn't
+  // explicitly approve.
+  const addition =
+    decision.granted && typeof decision.granted === "object"
+      ? decision.granted
+      : {
+          grantOrigin: "live",
+          servers: {
+            [req.serverName]: {
+              tools: [req.toolName],
+              readPaths: [],
+              writePaths: [],
+            },
+          },
+        };
+  // Force grantOrigin: "live" regardless of what the renderer sent.
+  addition.grantOrigin = "live";
+
+  try {
+    const current = getGrant$1(req.widgetId);
+    const merged = _mergeGrant(current, addition);
+    setGrant$1(req.widgetId, merged);
+  } catch (e) {
+    return {
+      allow: false,
+      reason:
+        "JIT consent: failed to persist grant: " +
+        (e && e.message ? e.message : String(e)),
+    };
+  }
+
+  // Re-evaluate against the freshly-persisted grant. If the user's
+  // grant shape didn't actually cover the requested call (e.g. they
+  // approved a different tool or path), the gate denies as usual.
+  return gateToolCall$1(req);
+}
+
 var permissionGate = {
   gateToolCall: gateToolCall$1,
+  gateToolCallWithJit: gateToolCallWithJit$1,
   isWriteTool,
   PATH_ARG_KEYS,
 };
@@ -21718,6 +22081,37 @@ var mcpScopeResolver = {
   applyPathScopeToCredentials: applyPathScopeToCredentials$1,
 };
 
+/**
+ * securityFlags.js
+ *
+ * Centralized readers for the two boolean security flags that gate the
+ * MCP allowlist stack:
+ *   - security.enforceWidgetMcpPermissions
+ *   - security.enableJitConsent
+ *
+ * **Default semantics: ON.** A missing settings.json, a missing
+ * `security` block, or an undefined field all yield `true`. Only an
+ * explicit `false` opts out. This is intentional — the security stack
+ * is on by default; users have to actively disable it. The
+ * Privacy & Security panel surfaces the toggles + a confirm-on-disable
+ * dialog so the disable path is deliberate.
+ *
+ * The readers are pure functions of a settings object so the
+ * default-on semantics are pinned by unit tests without touching the
+ * filesystem. The callers in mcpController.js wrap these with
+ * settings.json IO.
+ */
+
+function readEnforceFlag$1(settings) {
+  return settings?.security?.enforceWidgetMcpPermissions !== false;
+}
+
+function readJitFlag$1(settings) {
+  return settings?.security?.enableJitConsent !== false;
+}
+
+var securityFlags = { readEnforceFlag: readEnforceFlag$1, readJitFlag: readJitFlag$1 };
+
 /**
  * mcpController.js
  *
@@ -21742,31 +22136,47 @@ const path$e = require$$1$2;
 const fs$a = require$$0$2;
 const os$2 = require$$2$1;
 const responseCache$2 = responseCache_1;
-const { gateToolCall } = permissionGate;
+const { gateToolCall, gateToolCallWithJit } = permissionGate;
 const { serverKey, parseServerKey } = mcpServerKey;
 const { applyPathScopeToCredentials } = mcpScopeResolver;
+const { readEnforceFlag, readJitFlag } = securityFlags;
 const { app: app$7 } = require$$0$1;
 
-// Read the widget-MCP-enforcement feature flag from settings.json.
-// Default is OFF — flipping ON activates per-widget gating in
-// permissionGate.gateToolCall(). See docs/security/ipc-filesystem-audit.md
-// and electron/mcp/permissionGate.js for context.
-function isWidgetPermissionEnforcementEnabled() {
+/**
+ * Load the user's settings.json (or null on absence/parse error). The
+ * file is small; reading it on every MCP call is acceptable. If we
+ * ever care about overhead, cache + invalidate-on-change.
+ */
+function loadSettingsForFlags() {
   try {
     const settingsPath = path$e.join(
       app$7.getPath("userData"),
       "Dashboard",
       "settings.json",
     );
-    if (!fs$a.existsSync(settingsPath)) return false;
+    if (!fs$a.existsSync(settingsPath)) return null;
     const raw = fs$a.readFileSync(settingsPath, "utf8");
-    const settings = JSON.parse(raw);
-    return Boolean(settings?.security?.enforceWidgetMcpPermissions);
+    return JSON.parse(raw);
   } catch (_e) {
-    return false;
+    return null;
   }
 }
 
+// MCP enforcement flag. **Default ON** — only an explicit
+// `security.enforceWidgetMcpPermissions: false` in settings.json opts
+// out. The Privacy & Security panel surfaces a UI toggle with a
+// confirm-on-disable dialog. See electron/utils/securityFlags.js for
+// the pinned default semantics.
+function isWidgetPermissionEnforcementEnabled() {
+  return readEnforceFlag(loadSettingsForFlags());
+}
+
+// JIT consent flag. **Default ON.** Same semantics as the enforcement
+// flag — explicit false to opt out, otherwise on.
+function isJitConsentEnabled() {
+  return readJitFlag(loadSettingsForFlags());
+}
+
 /**
  * Tool name prefixes considered safe to cache (read-only).
  * Writes/mutations are NOT cached so they always hit the source.
@@ -21901,7 +22311,7 @@ function getShellPath$1() {
     return _shellPath$1;
   }
 
-  const { execSync } = require$$11;
+  const { execSync } = require$$12;
   const fallbackDirs = ["/usr/local/bin", "/opt/homebrew/bin"];
 
   // Scan nvm versions, tracking both latest and best compatible version
@@ -22530,16 +22940,19 @@ const mcpController$3 = {
 
       // Per-widget manifest gate. Activated by the
       // security.enforceWidgetMcpPermissions setting. When enabled
-      // and a widgetId is supplied, the widget's installed
-      // package.json's dash.permissions.mcp block determines what
-      // tools and paths are allowed.
+      // and a widgetId is supplied, the widget's persisted grant
+      // determines what tools and paths are allowed.
+      //
+      // JIT consent: when security.enableJitConsent is also on, the
+      // gate escalates "no grant" denials into a runtime prompt
+      // (jitConsent.requestApproval → renderer modal → grant write +
+      // re-evaluate). Other denial reasons (path traversal, malformed
+      // args, etc.) stay synchronous.
       if (isWidgetPermissionEnforcementEnabled() && widgetId) {
-        const gate = gateToolCall({
-          widgetId,
-          serverName,
-          toolName,
-          args,
-        });
+        const gateReq = { widgetId, serverName, toolName, args };
+        const gate = isJitConsentEnabled()
+          ? await gateToolCallWithJit(gateReq, { enableJit: true })
+          : gateToolCall(gateReq);
         if (!gate.allow) {
           throw new Error(`Widget permission gate: ${gate.reason}`);
         }
@@ -22855,7 +23268,7 @@ const mcpController$3 = {
    * @returns {{ success } | { error, message }}
    */
   runAuth: async (win, mcpConfig, credentials, authCommand) => {
-    const { spawn } = require$$11;
+    const { spawn } = require$$12;
 
     const env = cleanEnvForChildProcess();
 
@@ -48255,7 +48668,7 @@ var mcpDashServerController_1 = mcpDashServerController$4;
  * can use the Chat widget without a separate API key.
  */
 
-const { spawn, execSync } = require$$11;
+const { spawn, execSync } = require$$12;
 const {
   LLM_STREAM_DELTA: LLM_STREAM_DELTA$2,
   LLM_STREAM_TOOL_CALL: LLM_STREAM_TOOL_CALL$2,
@@ -65573,6 +65986,7 @@ const webSocketController = webSocketController_1;
 const extractionCacheController = extractionCacheController_1;
 const mcpDashServerController = mcpDashServerController_1;
 const widgetMcpGrantsController = widgetMcpGrantsController$1;
+const jitConsent = jitConsent$1;
 
 // --- Errors ---
 const themeFromUrlErrors = themeFromUrlErrors$1;
@@ -65678,6 +66092,7 @@ var electron = {
   extractionCacheController,
   mcpDashServerController,
   widgetMcpGrantsController,
+  jitConsent,
 
   // Controller functions (flat) — spread for convenient destructuring
   ...controllers,