@vfarcic/dot-ai 1.7.0 → 1.9.0

package/dist/tools/operate.js

@@ -46,6 +46,8 @@ exports.handleOperateTool = handleOperateTool;
 const zod_1 = require("zod");
 const error_handling_1 = require("../core/error-handling");
 const generic_session_manager_1 = require("../core/generic-session-manager");
+const request_context_1 = require("../interfaces/request-context");
+const rbac_1 = require("../core/rbac");
 const pattern_vector_service_1 = require("../core/pattern-vector-service");
 const policy_vector_service_1 = require("../core/policy-vector-service");
 const capability_vector_service_1 = require("../core/capability-vector-service");
@@ -260,7 +262,42 @@ async function operate(args, pluginManager) {
  * PRD #343: pluginManager is required - all kubectl operations go through plugin.
  */
 async function handleOperateTool(args, pluginManager) {
+    // PRD #392 Milestone 2: execution route requires 'apply' verb
+    if (args.sessionId && args.executeChoice) {
+        const identity = (0, request_context_1.getCurrentIdentity)();
+        const rbacResult = await (0, rbac_1.checkToolAccess)(identity, {
+            toolName: 'operate',
+            verb: 'apply',
+        });
+        if (!rbacResult.allowed) {
+            return {
+                content: [
+                    {
+                        type: 'text',
+                        text: JSON.stringify({
+                            error: 'FORBIDDEN',
+                            message: `Access denied: executing operations requires 'apply' permission on 'operate'. You can analyze and plan operations, but applying changes requires additional authorization.`,
+                            tool: 'operate',
+                            user: identity?.email,
+                        }),
+                    },
+                ],
+            };
+        }
+    }
     const result = await operate(args, pluginManager);
+    // PRD #392 Milestone 2: If analysis complete, check apply permission to adjust guidance
+    if (result.status === 'awaiting_user_approval') {
+        const identity = (0, request_context_1.getCurrentIdentity)();
+        const applyResult = await (0, rbac_1.checkToolAccess)(identity, {
+            toolName: 'operate',
+            verb: 'apply',
+        });
+        if (!applyResult.allowed) {
+            result.message = `Operational proposal generated successfully. Executing operations requires 'apply' permission on 'operate', which is not granted for the current user. Review the proposed changes and apply them manually using kubectl or your GitOps workflow.`;
+            result.nextAction = `Review the proposed changes. To apply them, use kubectl or push to Git — executing via operate requires 'apply' permission.`;
+        }
+    }
     // Build content blocks - JSON for REST API, agent instruction for MCP agents
     const content = [
         {

package/dist/tools/organizational-data.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"organizational-data.d.ts","sourceRoot":"","sources":["../../src/tools/organizational-data.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAehD,eAAO,MAAM,6BAA6B,kBAAkB,CAAC;AAC7D,eAAO,MAAM,oCAAoC,+jBAAyjB,CAAC;AAG3mB,eAAO,MAAM,qCAAqC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+BjD,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,SAAS,GAAG,QAAQ,GAAG,cAAc,CAAC;IAChD,SAAS,EAAE,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,WAAW,GAAG,MAAM,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;IAC3G,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE;QACT,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAstBD;;;GAGG;AACH,wBAAsB,4BAA4B,CAChD,IAAI,EAAE,uBAAuB,EAC7B,MAAM,EAAE,KAAK,GAAG,IAAI,EACpB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,CAAC,CA4H7D"}
+{"version":3,"file":"organizational-data.d.ts","sourceRoot":"","sources":["../../src/tools/organizational-data.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAiBhD,eAAO,MAAM,6BAA6B,kBAAkB,CAAC;AAC7D,eAAO,MAAM,oCAAoC,+jBAAyjB,CAAC;AAG3mB,eAAO,MAAM,qCAAqC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+BjD,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,SAAS,GAAG,QAAQ,GAAG,cAAc,CAAC;IAChD,SAAS,EAAE,QAAQ,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,WAAW,GAAG,MAAM,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;IAC3G,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE;QACT,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAstBD;;;GAGG;AACH,wBAAsB,4BAA4B,CAChD,IAAI,EAAE,uBAAuB,EAC7B,MAAM,EAAE,KAAK,GAAG,IAAI,EACpB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,CAAC,CAsJ7D"}

package/dist/tools/organizational-data.js

@@ -58,6 +58,8 @@ const capability_scan_workflow_1 = require("../core/capability-scan-workflow");
 const crypto_1 = require("crypto");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const request_context_1 = require("../interfaces/request-context");
+const rbac_1 = require("../core/rbac");
 // Tool metadata for MCP registration
 exports.ORGANIZATIONAL_DATA_TOOL_NAME = 'manageOrgData';
 exports.ORGANIZATIONAL_DATA_TOOL_DESCRIPTION = 'Unified tool for managing cluster data: organizational patterns, policy intents, and resource capabilities. For patterns and policies: supports create, list, get, delete, deleteAll, and search operations (patterns also support step-by-step creation workflow). For capabilities: supports scan, list, get, delete, deleteAll, and progress operations for cluster resource capability discovery and management. Use dataType parameter to specify what to manage: "pattern" for organizational patterns, "policy" for policy intents, "capabilities" for resource capabilities.';
@@ -668,6 +670,31 @@ async function handleOrganizationalDataTool(args, _dotAI, logger, requestId) {
                 input: args
             });
         }
+        // PRD #392 Milestone 8: Mutating operations require 'apply' verb
+        const MUTATING_OPERATIONS = new Set(['create', 'delete', 'deleteAll']);
+        if (MUTATING_OPERATIONS.has(args.operation)) {
+            const identity = (0, request_context_1.getCurrentIdentity)();
+            const rbacResult = await (0, rbac_1.checkToolAccess)(identity, {
+                toolName: 'manageOrgData',
+                verb: 'apply',
+            });
+            if (!rbacResult.allowed) {
+                return {
+                    content: [
+                        {
+                            type: 'text',
+                            text: JSON.stringify({
+                                error: 'FORBIDDEN',
+                                message: `Access denied: '${args.operation}' on organizational data requires 'apply' permission on 'manageOrgData'. Read operations (list, get, search) are available with 'execute' permission.`,
+                                tool: 'manageOrgData',
+                                operation: args.operation,
+                                user: identity?.email,
+                            }),
+                        },
+                    ],
+                };
+            }
+        }
         // Route to appropriate handler based on data type
         let result;
         switch (args.dataType) {

package/dist/tools/recommend.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"recommend.d.ts","sourceRoot":"","sources":["../../src/tools/recommend.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAuB,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC/D,OAAO,EAAE,KAAK,EAA0B,MAAM,eAAe,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAUhD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAM5D,eAAO,MAAM,mBAAmB,cAAc,CAAC;AAC/C,eAAO,MAAM,0BAA0B,yXAAyX,CAAC;AAGja,eAAO,MAAM,2BAA2B;;;;;;;;CAWvC,CAAC;AAIF,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,WAAW,CAAC;IACtB,KAAK,CAAC,EAAE,WAAW,GAAG,WAAW,GAAG,WAAW,GAAG,UAAU,CAAC;IAC7D,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAElB,SAAS,CAAC,EAAE,KAAK,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC,CAAC;IAEH,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,SAAS,EAAE;QACT,QAAQ,CAAC,EAAE,QAAQ,EAAE,CAAC;QACtB,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC;QACnB,QAAQ,CAAC,EAAE,QAAQ,EAAE,CAAC;QACtB,IAAI,CAAC,EAAE;YAAE,QAAQ,EAAE,MAAM,CAAC;YAAC,WAAW,EAAE,MAAM,CAAC;YAAC,MAAM,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QAClE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;KAC7B,CAAC;IACF,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAE3B,kBAAkB,CAAC,EAAE;QACnB,IAAI,EAAE,KAAK,GAAG,MAAM,GAAG,WAAW,CAAC;QACnC,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,KAAK,CAAC,EAAE,KAAK,CAAC;YAAE,YAAY,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACzD,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE;YACN,UAAU,EAAE,MAAM,CAAC;YACnB,cAAc,EAAE,MAAM,CAAC;YACvB,SAAS,EAAE,MAAM,CAAC;YAClB,OAAO,EAAE,MAAM,CAAC;SACjB,CAAC;QACF,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC5B,CAAC;IAEF,oBAAoB,CAAC,EAAE,UAAU,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;IAClE,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,YAAY,CAAC,EAAE,KAAK,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;QACpB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC,CAAC;IACH,qBAAqB,CAAC,EAAE;QACtB,sBAAsB,EAAE,MAAM,CAAC;QAC/B,cAAc,EAAE,MAAM,CAAC;QACvB,aAAa,EAAE,MAAM,CAAC;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,iBAAiB,EAAE,MAAM,CAAC;KAC3B,CAAC;CACH;AAiCD;;GAEG;AACH,UAAU,iBAAiB;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,iBAAiB,EACvB,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,aAAa,GAC3B,OAAO,CAAC;IAAE,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAA;CAAE,CAAC,CAuZxD"}
+{"version":3,"file":"recommend.d.ts","sourceRoot":"","sources":["../../src/tools/recommend.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAuB,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC/D,OAAO,EAAE,KAAK,EAA0B,MAAM,eAAe,CAAC;AAC9D,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAYhD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAM5D,eAAO,MAAM,mBAAmB,cAAc,CAAC;AAC/C,eAAO,MAAM,0BAA0B,yXAAyX,CAAC;AAGja,eAAO,MAAM,2BAA2B;;;;;;;;CAWvC,CAAC;AAIF,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,WAAW,CAAC;IACtB,KAAK,CAAC,EAAE,WAAW,GAAG,WAAW,GAAG,WAAW,GAAG,UAAU,CAAC;IAC7D,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAElB,SAAS,CAAC,EAAE,KAAK,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC,CAAC;IAEH,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,SAAS,EAAE;QACT,QAAQ,CAAC,EAAE,QAAQ,EAAE,CAAC;QACtB,KAAK,CAAC,EAAE,QAAQ,EAAE,CAAC;QACnB,QAAQ,CAAC,EAAE,QAAQ,EAAE,CAAC;QACtB,IAAI,CAAC,EAAE;YAAE,QAAQ,EAAE,MAAM,CAAC;YAAC,WAAW,EAAE,MAAM,CAAC;YAAC,MAAM,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC;QAClE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;KAC7B,CAAC;IACF,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAE3B,kBAAkB,CAAC,EAAE;QACnB,IAAI,EAAE,KAAK,GAAG,MAAM,GAAG,WAAW,CAAC;QACnC,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,KAAK,CAAC,EAAE,KAAK,CAAC;YAAE,YAAY,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACzD,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,KAAK,CAAC,EAAE;YACN,UAAU,EAAE,MAAM,CAAC;YACnB,cAAc,EAAE,MAAM,CAAC;YACvB,SAAS,EAAE,MAAM,CAAC;YAClB,OAAO,EAAE,MAAM,CAAC;SACjB,CAAC;QACF,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC5B,CAAC;IAEF,oBAAoB,CAAC,EAAE,UAAU,GAAG,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;IAClE,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,YAAY,CAAC,EAAE,KAAK,CAAC;QACnB,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;QACpB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC,CAAC;IACH,qBAAqB,CAAC,EAAE;QACtB,sBAAsB,EAAE,MAAM,CAAC;QAC/B,cAAc,EAAE,MAAM,CAAC;QACvB,aAAa,EAAE,MAAM,CAAC;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,iBAAiB,EAAE,MAAM,CAAC;KAC3B,CAAC;CACH;AAiCD;;GAEG;AACH,UAAU,iBAAiB;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,iBAAiB,EACvB,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,aAAa,EAAE,aAAa,GAC3B,OAAO,CAAC;IAAE,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAA;CAAE,CAAC,CA6axD"}

package/dist/tools/recommend.js

@@ -15,6 +15,8 @@ const answer_question_1 = require("./answer-question");
 const generate_manifests_1 = require("./generate-manifests");
 const deploy_manifests_1 = require("./deploy-manifests");
 const shared_prompt_loader_1 = require("../core/shared-prompt-loader");
+const request_context_1 = require("../interfaces/request-context");
+const rbac_1 = require("../core/rbac");
 const platform_utils_1 = require("../core/platform-utils");
 const visualization_1 = require("../core/visualization");
 const artifacthub_1 = require("../core/artifacthub");
@@ -90,6 +92,28 @@ async function handleRecommendTool(args, dotAI, logger, requestId, pluginManager
             return await (0, generate_manifests_1.handleGenerateManifestsTool)(args, dotAI, logger, requestId, pluginManager);
         }
         if (stage === 'deployManifests') {
+            // PRD #392 Milestone 2: deployManifests requires 'apply' verb
+            const identity = (0, request_context_1.getCurrentIdentity)();
+            const rbacResult = await (0, rbac_1.checkToolAccess)(identity, {
+                toolName: 'recommend',
+                verb: 'apply',
+            });
+            if (!rbacResult.allowed) {
+                return {
+                    content: [
+                        {
+                            type: 'text',
+                            text: JSON.stringify({
+                                error: 'FORBIDDEN',
+                                message: `Access denied: deploying manifests requires 'apply' permission on 'recommend'. Save the files locally or push to Git to apply them through your own workflow.`,
+                                tool: 'recommend',
+                                stage: 'deployManifests',
+                                user: identity?.email,
+                            }),
+                        },
+                    ],
+                };
+            }
             // PRD #359: Uses unified plugin registry for kubectl operations
             return await (0, deploy_manifests_1.handleDeployManifestsTool)(args, dotAI, logger, requestId);
         }

package/dist/tools/remediate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"remediate.d.ts","sourceRoot":"","sources":["../../src/tools/remediate.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAYxB,OAAO,EAEL,qBAAqB,EACtB,MAAM,uBAAuB,CAAC;AAoB/B,eAAO,MAAM,mBAAmB,cAAc,CAAC;AAC/C,eAAO,MAAM,0BAA0B,yfACgd,CAAC;AAGxf,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;CAsDvC,CAAC;AAGF,MAAM,WAAW,cAAc;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,QAAQ,GAAG,WAAW,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,YAAY,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACzC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAID,MAAM,WAAW,oBAAqB,SAAQ,qBAAqB;IACjE,QAAQ,EAAE,WAAW,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,WAAW,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,aAAa,CAAC,EAAE,eAAe,CAAC;IAChC,MAAM,EACF,eAAe,GACf,mBAAmB,GACnB,QAAQ,GACR,uBAAuB,GACvB,sBAAsB,GACtB,WAAW,CAAC;IAChB,gBAAgB,CAAC,EAAE,eAAe,EAAE,CAAC;CACtC;AAGD,MAAM,MAAM,gBAAgB,GAAG;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,oBAAoB,CAAC;CAC5B,CAAC;AAEF,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,SAAS,GAAG,QAAQ,GAAG,wBAAwB,GAAG,oBAAoB,CAAC;IAC/E,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,QAAQ,EAAE;QACR,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,WAAW,EAAE;QACX,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,iBAAiB,EAAE,CAAC;QAC7B,IAAI,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;KACjC,CAAC;IAEF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,gBAAgB,CAAC,EAAE,eAAe,EAAE,CAAC;IACrC,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,OAAO,CAAC,EAAE,eAAe,EAAE,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,IAAI,CAAC,EAAE,QAAQ,GAAG,WAAW,CAAC;CAC/B;AAID;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChD;AA4ND;;GAEG;AACH,UAAU,uBAAuB;IAC/B,WAAW,EAAE,QAAQ,GAAG,UAAU,GAAG,cAAc,CAAC;IACpD,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,EAAE;QACX,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,iBAAiB,EAAE,CAAC;QAC7B,IAAI,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;KACjC,CAAC;IACF,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,GACjB,uBAAuB,CAyHzB;AAqcD;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,cAAc,GACnB,OAAO,CAAC,qBAAqB,CAAC,CAgOhC"}
+{"version":3,"file":"remediate.d.ts","sourceRoot":"","sources":["../../src/tools/remediate.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAYxB,OAAO,EAEL,qBAAqB,EACtB,MAAM,uBAAuB,CAAC;AAsB/B,eAAO,MAAM,mBAAmB,cAAc,CAAC;AAC/C,eAAO,MAAM,0BAA0B,yfACgd,CAAC;AAGxf,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;CAsDvC,CAAC;AAGF,MAAM,WAAW,cAAc;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,QAAQ,GAAG,WAAW,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,YAAY,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACzC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAID,MAAM,WAAW,oBAAqB,SAAQ,qBAAqB;IACjE,QAAQ,EAAE,WAAW,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,WAAW,CAAC;IAC7B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,aAAa,CAAC,EAAE,eAAe,CAAC;IAChC,MAAM,EACF,eAAe,GACf,mBAAmB,GACnB,QAAQ,GACR,uBAAuB,GACvB,sBAAsB,GACtB,WAAW,CAAC;IAChB,gBAAgB,CAAC,EAAE,eAAe,EAAE,CAAC;CACtC;AAGD,MAAM,MAAM,gBAAgB,GAAG;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,oBAAoB,CAAC;CAC5B,CAAC;AAEF,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,SAAS,GAAG,QAAQ,GAAG,wBAAwB,GAAG,oBAAoB,CAAC;IAC/E,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,QAAQ,EAAE;QACR,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,EAAE,MAAM,CAAC;QACnB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF,WAAW,EAAE;QACX,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,iBAAiB,EAAE,CAAC;QAC7B,IAAI,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;KACjC,CAAC;IAEF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,gBAAgB,CAAC,EAAE,eAAe,EAAE,CAAC;IACrC,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,OAAO,CAAC,EAAE,eAAe,EAAE,CAAC;IAC5B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,IAAI,CAAC,EAAE,QAAQ,GAAG,WAAW,CAAC;CAC/B;AAID;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAChD;AA4ND;;GAEG;AACH,UAAU,uBAAuB;IAC/B,WAAW,EAAE,QAAQ,GAAG,UAAU,GAAG,cAAc,CAAC;IACpD,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,EAAE;QACX,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,iBAAiB,EAAE,CAAC;QAC7B,IAAI,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;KACjC,CAAC;IACF,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,MAAM,GACjB,uBAAuB,CAyHzB;AAqcD;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,cAAc,GACnB,OAAO,CAAC,qBAAqB,CAAC,CA8QhC"}

package/dist/tools/remediate.js

@@ -48,6 +48,8 @@ const visualization_1 = require("../core/visualization");
 const plugin_registry_1 = require("../core/plugin-registry");
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const request_context_1 = require("../interfaces/request-context");
+const rbac_1 = require("../core/rbac");
 // PRD #143 Milestone 1: Hybrid approach - AI can use kubectl_api_resources tool OR continue with JSON dataRequests
 // Tool metadata for direct MCP registration
 exports.REMEDIATE_TOOL_NAME = 'remediate';
@@ -718,6 +720,27 @@ async function handleRemediateTool(args) {
         const validatedInput = validateRemediateInput(args);
         // Handle choice execution if provided
         if (validatedInput.executeChoice && validatedInput.sessionId) {
+            // PRD #392 Milestone 2: execution requires 'apply' verb
+            const identity = (0, request_context_1.getCurrentIdentity)();
+            const rbacResult = await (0, rbac_1.checkToolAccess)(identity, {
+                toolName: 'remediate',
+                verb: 'apply',
+            });
+            if (!rbacResult.allowed) {
+                return {
+                    content: [
+                        {
+                            type: 'text',
+                            text: JSON.stringify({
+                                error: 'FORBIDDEN',
+                                message: `Access denied: executing remediation commands requires 'apply' permission on 'remediate'. You can diagnose issues, but applying fixes requires additional authorization.`,
+                                tool: 'remediate',
+                                user: identity?.email,
+                            }),
+                        },
+                    ],
+                };
+            }
             logger.info('Executing user choice from previous session', {
                 requestId,
                 choice: validatedInput.executeChoice,
@@ -800,27 +823,53 @@ async function handleRemediateTool(args) {
         };
         // Add execution choices for manual mode (awaiting_user_approval status)
         if (executionDecision.finalStatus === 'awaiting_user_approval') {
-            finalResult.executionChoices = [
-                {
-                    id: 1,
-                    label: 'Execute automatically via MCP',
-                    description: 'Run the kubectl commands shown above automatically via MCP\n',
-                    risk: finalAnalysis.remediation.risk,
-                },
-                {
-                    id: 2,
-                    label: 'Execute via agent',
-                    description: 'STEP 1: Execute the kubectl commands using your Bash tool\nSTEP 2: Call the remediate tool again for validation with the provided validation message\n',
-                    risk: finalAnalysis.remediation.risk, // Same risk - same commands being executed
-                },
-            ];
+            // PRD #392 Milestone 2: only offer execution choices if user has 'apply' permission
+            const identity = (0, request_context_1.getCurrentIdentity)();
+            const applyResult = await (0, rbac_1.checkToolAccess)(identity, {
+                toolName: 'remediate',
+                verb: 'apply',
+            });
+            if (applyResult.allowed) {
+                finalResult.executionChoices = [
+                    {
+                        id: 1,
+                        label: 'Execute automatically via MCP',
+                        description: 'Run the kubectl commands shown above automatically via MCP\n',
+                        risk: finalAnalysis.remediation.risk,
+                    },
+                    {
+                        id: 2,
+                        label: 'Execute via agent',
+                        description: 'STEP 1: Execute the kubectl commands using your Bash tool\nSTEP 2: Call the remediate tool again for validation with the provided validation message\n',
+                        risk: finalAnalysis.remediation.risk,
+                    },
+                ];
+            }
+            else {
+                finalResult.fallbackReason = `Executing remediation commands requires 'apply' permission on 'remediate', which is not granted for the current user. Review the proposed remediation and apply fixes manually using kubectl or your GitOps workflow.`;
+            }
         }
         // Execute remediation actions if automatic mode approves it
         if (executionDecision.shouldExecute) {
-            // Update session object with final analysis for execution
-            session.data.finalAnalysis = finalAnalysis;
-            // Execute commands and return the complete result (includes post-execution validation)
-            return await executeRemediationCommands(session, sessionManager, logger, requestId, validatedInput.interaction_id);
+            // PRD #392 Milestone 2: automatic execution also requires 'apply' verb
+            const identity = (0, request_context_1.getCurrentIdentity)();
+            const rbacResult = await (0, rbac_1.checkToolAccess)(identity, {
+                toolName: 'remediate',
+                verb: 'apply',
+            });
+            if (!rbacResult.allowed) {
+                // Downgrade to awaiting_user_approval with explanation
+                finalResult.status = 'awaiting_user_approval';
+                finalResult.executed = false;
+                finalResult.fallbackReason = `Automatic execution blocked: 'apply' permission on 'remediate' is required. You can review the proposed remediation but applying fixes requires additional authorization.`;
+                // Don't offer execution choices since user can't execute
+            }
+            else {
+                // Update session object with final analysis for execution
+                session.data.finalAnalysis = finalAnalysis;
+                // Execute commands and return the complete result (includes post-execution validation)
+                return await executeRemediationCommands(session, sessionManager, logger, requestId, validatedInput.interaction_id);
+            }
         }
         // Generate visualization URL for analysis response
         const visualizationUrl = (0, visualization_1.getVisualizationUrl)(session.sessionId);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vfarcic/dot-ai",
-  "version": "1.7.0",
+  "version": "1.9.0",
   "description": "AI-powered development productivity platform that enhances software development workflows through intelligent automation and AI-driven assistance",
   "mcpName": "io.github.vfarcic/dot-ai",
   "main": "dist/index.js",
@@ -27,7 +27,6 @@
     "test:integration:gemini-flash": "AI_PROVIDER=google_flash DEBUG_DOT_AI=true ./tests/integration/infrastructure/run-integration-tests.sh",
     "test:integration:grok": "AI_PROVIDER=xai DEBUG_DOT_AI=true ./tests/integration/infrastructure/run-integration-tests.sh",
     "test:integration:kimi": "AI_PROVIDER=kimi DEBUG_DOT_AI=true ./tests/integration/infrastructure/run-integration-tests.sh",
-    "test:integration:kimi-thinking": "AI_PROVIDER=kimi_thinking DEBUG_DOT_AI=true ./tests/integration/infrastructure/run-integration-tests.sh",
     "test:integration:bedrock": "AI_PROVIDER=amazon_bedrock AI_MODEL=global.anthropic.claude-sonnet-4-20250514-v1:0 DEBUG_DOT_AI=true ./tests/integration/infrastructure/run-integration-tests.sh",
     "test:integration:custom-endpoint": "AI_PROVIDER=openai DEBUG_DOT_AI=true ./tests/integration/infrastructure/run-integration-tests.sh",
     "eval:comparative": "DEBUG_DOT_AI=true npx tsx src/evaluation/eval-runner.ts",
@@ -107,16 +106,17 @@
     "vitest": "^3.2.4"
   },
   "dependencies": {
-    "@ai-sdk/amazon-bedrock": "^3.0.50",
-    "@ai-sdk/anthropic": "^2.0.23",
-    "@ai-sdk/google": "^2.0.17",
-    "@ai-sdk/openai": "^2.0.42",
-    "@ai-sdk/xai": "^2.0.26",
+    "@ai-sdk/amazon-bedrock": "^4.0.77",
+    "@ai-sdk/anthropic": "^3.0.58",
+    "@ai-sdk/google": "^3.0.43",
+    "@ai-sdk/openai": "^3.0.41",
+    "@ai-sdk/openai-compatible": "^2.0.35",
+    "@ai-sdk/xai": "^3.0.67",
     "@grpc/grpc-js": "^1.14.3",
     "@grpc/proto-loader": "^0.8.0",
     "@kubernetes/client-node": "^1.3.0",
     "@modelcontextprotocol/sdk": "^1.27.1",
-    "@openrouter/ai-sdk-provider": "^1.2.0",
+    "@openrouter/ai-sdk-provider": "^2.2.5",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/exporter-trace-otlp-http": "^0.207.0",
     "@opentelemetry/resources": "^2.2.0",
@@ -124,7 +124,7 @@
     "@opentelemetry/sdk-trace-node": "^2.2.0",
     "@opentelemetry/semantic-conventions": "^1.37.0",
     "@qdrant/js-client-rest": "^1.15.0",
-    "ai": "^5.0.60",
+    "ai": "^6.0.116",
     "bcryptjs": "^3.0.3",
     "handlebars": "^4.7.8",
     "jsonwebtoken": "^9.0.3",
@@ -133,6 +133,9 @@
     "simple-git": "^3.32.3",
     "yaml": "^2.8.0"
   },
+  "overrides": {
+    "express-rate-limit": "^8.2.2"
+  },
   "optionalDependencies": {
     "@rollup/rollup-linux-x64-gnu": "4.52.5"
   }

package/shared-prompts/prd-update-decisions.md

@@ -92,6 +92,13 @@ Update the appropriate PRD sections:
 - **Workflow Updates**: Update process examples when user interaction patterns or step sequences change
 - **Mark for Verification**: Flag code examples that need manual testing to ensure they still work
 
+### Task and Milestone Updates
+- **Create new tasks** when decisions introduce work not covered by existing tasks (e.g., a new integration, migration step, or validation requirement)
+- **Add new milestones** when decisions significantly change project scope or phasing (e.g., a new phase for a deferred feature, or an additional delivery checkpoint)
+- **Update existing tasks** when decisions change what a task requires or how it should be implemented
+- **Remove or defer tasks** that are no longer relevant due to scope changes or eliminated requirements
+- **Reorder priorities** when decisions shift what should be delivered first
+
 ### Risk and Dependency Updates
 - Add new risks introduced by design decisions
 - Update mitigation strategies if approach changed