@vigil-guard/vge-cc-guard 0.9.0-beta.1

package/dist/tui/lib/cc-permissions-defaults.js

@@ -0,0 +1,171 @@
+import fs from 'fs';
+import * as path from 'path';
+import { resolveVgeDir } from '../../commands/_lib/install-paths.js';
+import { chmodPrivateSync, writePrivateFileSync } from '../../shared/private-file.js';
+export const MANAGED_DEFAULT_DENY_RULES = [
+    'Bash(rm -rf *)',
+    'Bash(rm -rf /*)',
+    'Bash(sudo *)',
+    'Bash(dd if=* of=/dev/*)',
+    'Bash(mkfs*)',
+    'Bash(chmod -R 777 *)',
+    'Bash(curl * | sh)',
+    'Bash(curl * | bash)',
+    'Bash(wget * | sh)',
+];
+const BASELINE_VERSION = 1;
+const EMPTY_MANAGED = { allow: [], ask: [], deny: [] };
+function defaultsPath() {
+    return path.join(resolveVgeDir(), 'cc-permissions-defaults.json');
+}
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function stringArray(value) {
+    return Array.isArray(value) && value.every((entry) => typeof entry === 'string')
+        ? [...value]
+        : [];
+}
+function emptyEntry(settingsPath) {
+    return {
+        enabled: false,
+        settingsPath,
+        baselineVersion: BASELINE_VERSION,
+        managed: {
+            allow: [...EMPTY_MANAGED.allow],
+            ask: [...EMPTY_MANAGED.ask],
+            deny: [...EMPTY_MANAGED.deny],
+        },
+    };
+}
+function emptyState() {
+    return { version: 1, installs: {} };
+}
+function readState() {
+    const file = defaultsPath();
+    if (!fs.existsSync(file))
+        return { state: emptyState() };
+    try {
+        const raw = JSON.parse(fs.readFileSync(file, 'utf-8'));
+        if (!isRecord(raw) || !isRecord(raw['installs'])) {
+            return {
+                state: emptyState(),
+                warning: `${file} is not a valid managed defaults tracking file.`,
+            };
+        }
+        const installs = {};
+        for (const [key, value] of Object.entries(raw['installs'])) {
+            if (!isRecord(value) || !isRecord(value['managed']))
+                continue;
+            installs[key] = {
+                enabled: value['enabled'] === true,
+                settingsPath: typeof value['settingsPath'] === 'string' ? value['settingsPath'] : '',
+                baselineVersion: typeof value['baselineVersion'] === 'number'
+                    ? value['baselineVersion']
+                    : BASELINE_VERSION,
+                managed: {
+                    allow: stringArray(value['managed']['allow']),
+                    ask: stringArray(value['managed']['ask']),
+                    deny: stringArray(value['managed']['deny']),
+                },
+            };
+        }
+        return { state: { version: 1, installs } };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+            state: emptyState(),
+            warning: `${file} is unreadable or invalid JSON: ${message}`,
+        };
+    }
+}
+function writeState(state) {
+    const file = defaultsPath();
+    const tmp = `${file}.tmp`;
+    try {
+        fs.mkdirSync(path.dirname(file), { recursive: true });
+        writePrivateFileSync(tmp, `${JSON.stringify(state, null, 2)}\n`);
+        fs.renameSync(tmp, file);
+        chmodPrivateSync(file);
+    }
+    catch (err) {
+        fs.rmSync(tmp, { force: true });
+        const message = err instanceof Error ? err.message : String(err);
+        return { ok: false, message: `${file}: ${message}` };
+    }
+    return { ok: true };
+}
+export function readManagedDefaults(installKey, settingsPath) {
+    return readManagedDefaultsWithStatus(installKey, settingsPath).entry;
+}
+export function readManagedDefaultsWithStatus(installKey, settingsPath) {
+    const read = readState();
+    return {
+        entry: read.state.installs[installKey] ?? emptyEntry(settingsPath),
+        warning: read.warning,
+    };
+}
+export function saveManagedDefaults(installKey, entry) {
+    const read = readState();
+    if (read.warning)
+        return { ok: false, message: read.warning };
+    const state = read.state;
+    state.installs[installKey] = entry;
+    return writeState(state);
+}
+export function isManagedRule(entry, kind, rule) {
+    return entry.managed[kind].includes(rule);
+}
+export function enableManagedDefaults(permissions, settingsPath) {
+    const deny = [...permissions.deny];
+    const managedDeny = [];
+    let alreadyPresent = 0;
+    for (const rule of MANAGED_DEFAULT_DENY_RULES) {
+        if (deny.includes(rule)) {
+            alreadyPresent += 1;
+            continue;
+        }
+        deny.push(rule);
+        managedDeny.push(rule);
+    }
+    return {
+        permissions: { ...permissions, deny },
+        entry: {
+            enabled: true,
+            settingsPath,
+            baselineVersion: BASELINE_VERSION,
+            managed: { allow: [], ask: [], deny: managedDeny },
+        },
+        alreadyPresent,
+    };
+}
+export function disableManagedDefaults(permissions, entry) {
+    return {
+        permissions: {
+            allow: removeManaged(permissions.allow, entry.managed.allow),
+            ask: removeManaged(permissions.ask, entry.managed.ask),
+            deny: removeManaged(permissions.deny, entry.managed.deny),
+        },
+        entry: {
+            ...entry,
+            enabled: false,
+            managed: { allow: [], ask: [], deny: [] },
+        },
+    };
+}
+export function unmanageRule(entry, rule) {
+    return {
+        ...entry,
+        managed: {
+            allow: entry.managed.allow.filter((value) => value !== rule),
+            ask: entry.managed.ask.filter((value) => value !== rule),
+            deny: entry.managed.deny.filter((value) => value !== rule),
+        },
+    };
+}
+function removeManaged(rules, managed) {
+    const tracked = new Set(managed);
+    return rules.filter((rule) => !tracked.has(rule));
+}
+//# sourceMappingURL=cc-permissions-defaults.js.map

package/dist/tui/lib/cc-permissions-defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-permissions-defaults.js","sourceRoot":"","sources":["../../../src/tui/lib/cc-permissions-defaults.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AAGtF,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,gBAAgB;IAChB,iBAAiB;IACjB,cAAc;IACd,yBAAyB;IACzB,aAAa;IACb,sBAAsB;IACtB,mBAAmB;IACnB,qBAAqB;IACrB,mBAAmB;CACX,CAAC;AAwBX,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAC3B,MAAM,aAAa,GAAuB,EAAE,KAAK,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;AAE3E,SAAS,YAAY;IACnB,OAAO,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,8BAA8B,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC;QAC9E,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC;QACZ,CAAC,CAAC,EAAE,CAAC;AACT,CAAC;AAED,SAAS,UAAU,CAAC,YAAoB;IACtC,OAAO;QACL,OAAO,EAAE,KAAK;QACd,YAAY;QACZ,eAAe,EAAE,gBAAgB;QACjC,OAAO,EAAE;YACP,KAAK,EAAE,CAAC,GAAG,aAAa,CAAC,KAAK,CAAC;YAC/B,GAAG,EAAE,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC;YAC3B,IAAI,EAAE,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC;SAC9B;KACF,CAAC;AACJ,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;AACtC,CAAC;AAED,SAAS,SAAS;IAChB,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,CAAC;IAEzD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAY,CAAC;QAClE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YACjD,OAAO;gBACL,KAAK,EAAE,UAAU,EAAE;gBACnB,OAAO,EAAE,GAAG,IAAI,iDAAiD;aAClE,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAyC,EAAE,CAAC;QAC1D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAC3D,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;gBAAE,SAAS;YAC9D,QAAQ,CAAC,GAAG,CAAC,GAAG;gBACd,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,KAAK,IAAI;gBAClC,YAAY,EAAE,OAAO,KAAK,CAAC,cAAc,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE;gBACpF,eAAe,EAAE,OAAO,KAAK,CAAC,iBAAiB,CAAC,KAAK,QAAQ;oBAC3D,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC;oBAC1B,CAAC,CAAC,gBAAgB;gBACpB,OAAO,EAAE;oBACP,KAAK,EAAE,WAAW,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC;oBAC7C,GAAG,EAAE,WAAW,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC;oBACzC,IAAI,EAAE,WAAW,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC;iBAC5C;aACF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,CAAC;IAC7C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO;YACL,KAAK,EAAE,UAAU,EAAE;YACnB,OAAO,EAAE,GAAG,IAAI,mCAAmC,OAAO,EAAE;SAC7D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,KAAoB;IACtC,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;IAC5B,MAAM,GAAG,GAAG,GAAG,IAAI,MAAM,CAAC;IAC1B,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,oBAAoB,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QACjE,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACzB,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAChC,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,KAAK,OAAO,EAAE,EAAE,CAAC;IACvD,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,UAAkB,EAAE,YAAoB;IAC1E,OAAO,6BAA6B,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC,KAAK,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,UAAkB,EAClB,YAAoB;IAEpB,MAAM,IAAI,GAAG,SAAS,EAAE,CAAC;IACzB,OAAO;QACL,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,YAAY,CAAC;QAClE,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,UAAkB,EAClB,KAA2B;IAE3B,MAAM,IAAI,GAAG,SAAS,EAAE,CAAC;IACzB,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;IAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACzB,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC;IACnC,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,KAA2B,EAC3B,IAAsB,EACtB,IAAY;IAEZ,OAAO,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,WAA+B,EAC/B,YAAoB;IAEpB,MAAM,IAAI,GAAG,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,IAAI,cAAc,GAAG,CAAC,CAAC;IAEvB,KAAK,MAAM,IAAI,IAAI,0BAA0B,EAAE,CAAC;QAC9C,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,cAAc,IAAI,CAAC,CAAC;YACpB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzB,CAAC;IAED,OAAO;QACL,WAAW,EAAE,EAAE,GAAG,WAAW,EAAE,IAAI,EAAE;QACrC,KAAK,EAAE;YACL,OAAO,EAAE,IAAI;YACb,YAAY;YACZ,eAAe,EAAE,gBAAgB;YACjC,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE;SACnD;QACD,cAAc;KACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,WAA+B,EAC/B,KAA2B;IAE3B,OAAO;QACL,WAAW,EAAE;YACX,KAAK,EAAE,aAAa,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;YAC5D,GAAG,EAAE,aAAa,CAAC,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;YACtD,IAAI,EAAE,aAAa,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;SAC1D;QACD,KAAK,EAAE;YACL,GAAG,KAAK;YACR,OAAO,EAAE,KAAK;YACd,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;SAC1C;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,KAA2B,EAAE,IAAY;IACpE,OAAO;QACL,GAAG,KAAK;QACR,OAAO,EAAE;YACP,KAAK,EAAE,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC;YAC5D,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC;YACxD,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC;SAC3D;KACF,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,KAAe,EAAE,OAAiB;IACvD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;IACjC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC"}

package/dist/tui/lib/cc-permissions-io.d.ts

@@ -0,0 +1,33 @@
+export type CcPermissionKind = 'allow' | 'ask' | 'deny';
+export interface CcPermissionsDraft {
+    allow: string[];
+    ask: string[];
+    deny: string[];
+}
+export type CcSettingsReadState = {
+    ok: true;
+    settings: Record<string, unknown>;
+    permissions: CcPermissionsDraft;
+} | {
+    ok: false;
+    mode: 'read-only';
+    reason: string;
+};
+export type SaveOutcome = {
+    ok: true;
+    backupPath: string | null;
+    warning?: string;
+} | {
+    ok: false;
+    message: string;
+};
+export declare function parseCcPermissionsSettings(parsedSettings: unknown): CcSettingsReadState;
+export declare function readCcPermissionsSettings(settingsPath: string): CcSettingsReadState;
+export declare function mergeCcPermissionsSettings(settings: Record<string, unknown>, permissions: CcPermissionsDraft): Record<string, unknown>;
+export declare function saveCcPermissions(input: {
+    settingsPath: string;
+    installKey: string;
+    settings: Record<string, unknown>;
+    permissions: CcPermissionsDraft;
+}): SaveOutcome;
+//# sourceMappingURL=cc-permissions-io.d.ts.map

package/dist/tui/lib/cc-permissions-io.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-permissions-io.d.ts","sourceRoot":"","sources":["../../../src/tui/lib/cc-permissions-io.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,gBAAgB,GAAG,OAAO,GAAG,KAAK,GAAG,MAAM,CAAC;AAExD,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB;AAED,MAAM,MAAM,mBAAmB,GAC3B;IACE,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,WAAW,EAAE,kBAAkB,CAAC;CACjC,GACD;IACE,EAAE,EAAE,KAAK,CAAC;IACV,IAAI,EAAE,WAAW,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEN,MAAM,MAAM,WAAW,GACnB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GACzD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AA2BnC,wBAAgB,0BAA0B,CAAC,cAAc,EAAE,OAAO,GAAG,mBAAmB,CAgCvF;AAED,wBAAgB,yBAAyB,CAAC,YAAY,EAAE,MAAM,GAAG,mBAAmB,CA2BnF;AAED,wBAAgB,0BAA0B,CACxC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,WAAW,EAAE,kBAAkB,GAC9B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAczB;AAsCD,wBAAgB,iBAAiB,CAAC,KAAK,EAAE;IACvC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,WAAW,EAAE,kBAAkB,CAAC;CACjC,GAAG,WAAW,CAwCd"}

package/dist/tui/lib/cc-permissions-io.js

@@ -0,0 +1,165 @@
+import fs from 'fs';
+import * as path from 'path';
+import { resolveVgeDir } from '../../commands/_lib/install-paths.js';
+import { chmodPrivateSync, writePrivateFileSync } from '../../shared/private-file.js';
+const EDITED_PERMISSION_KEYS = ['allow', 'ask', 'deny'];
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function emptyDraft() {
+    return { allow: [], ask: [], deny: [] };
+}
+function readPermissionArray(permissions, key) {
+    const value = permissions[key];
+    if (value === undefined)
+        return { ok: true, rules: [] };
+    if (!Array.isArray(value)) {
+        return { ok: false, reason: `permissions.${key} must be an array.` };
+    }
+    if (!value.every((entry) => typeof entry === 'string')) {
+        return { ok: false, reason: `permissions.${key} must contain only strings.` };
+    }
+    return { ok: true, rules: [...value] };
+}
+export function parseCcPermissionsSettings(parsedSettings) {
+    if (!isRecord(parsedSettings)) {
+        return {
+            ok: false,
+            mode: 'read-only',
+            reason: 'settings.json must contain a JSON object.',
+        };
+    }
+    const permissionsValue = parsedSettings['permissions'];
+    if (permissionsValue === undefined) {
+        return { ok: true, settings: parsedSettings, permissions: emptyDraft() };
+    }
+    if (!isRecord(permissionsValue)) {
+        return {
+            ok: false,
+            mode: 'read-only',
+            reason: 'permissions must be a JSON object.',
+        };
+    }
+    const draft = emptyDraft();
+    for (const key of EDITED_PERMISSION_KEYS) {
+        const parsedArray = readPermissionArray(permissionsValue, key);
+        if (!parsedArray.ok) {
+            return { ok: false, mode: 'read-only', reason: parsedArray.reason };
+        }
+        draft[key] = parsedArray.rules;
+    }
+    return { ok: true, settings: parsedSettings, permissions: draft };
+}
+export function readCcPermissionsSettings(settingsPath) {
+    if (!fs.existsSync(settingsPath)) {
+        return { ok: true, settings: {}, permissions: emptyDraft() };
+    }
+    let rawSettings;
+    try {
+        rawSettings = fs.readFileSync(settingsPath, 'utf-8');
+    }
+    catch (error) {
+        return {
+            ok: false,
+            mode: 'read-only',
+            reason: error instanceof Error
+                ? `settings.json cannot be read: ${error.message}`
+                : 'settings.json cannot be read.',
+        };
+    }
+    try {
+        return parseCcPermissionsSettings(JSON.parse(rawSettings));
+    }
+    catch {
+        return {
+            ok: false,
+            mode: 'read-only',
+            reason: 'settings.json is not valid JSON.',
+        };
+    }
+}
+export function mergeCcPermissionsSettings(settings, permissions) {
+    const existingPermissions = isRecord(settings['permissions'])
+        ? settings['permissions']
+        : {};
+    return {
+        ...settings,
+        permissions: {
+            ...existingPermissions,
+            allow: [...permissions.allow],
+            ask: [...permissions.ask],
+            deny: [...permissions.deny],
+        },
+    };
+}
+function timestampForBackup(now) {
+    return now.toISOString().replace(/[:.]/g, '-');
+}
+function writeFileWithFsync(filePath, content) {
+    writePrivateFileSync(filePath, content);
+}
+function backupPathForInstall(backupDir, key) {
+    const stamp = timestampForBackup(new Date());
+    let backupPath = path.join(backupDir, `${key}-${stamp}.json`);
+    let counter = 1;
+    while (fs.existsSync(backupPath)) {
+        backupPath = path.join(backupDir, `${key}-${stamp}-${counter}.json`);
+        counter++;
+    }
+    return backupPath;
+}
+function pruneOldBackups(backupDir, key) {
+    if (!fs.existsSync(backupDir))
+        return;
+    const prefix = `${key}-`;
+    const backups = fs.readdirSync(backupDir)
+        .filter((name) => name.startsWith(prefix) && name.endsWith('.json'))
+        .map((name) => ({
+        name,
+        mtimeMs: fs.statSync(path.join(backupDir, name)).mtimeMs,
+    }))
+        .sort((left, right) => left.mtimeMs - right.mtimeMs || left.name.localeCompare(right.name));
+    for (const backup of backups.slice(0, Math.max(0, backups.length - 10))) {
+        fs.rmSync(path.join(backupDir, backup.name), { force: true });
+    }
+}
+export function saveCcPermissions(input) {
+    const nextSettings = mergeCcPermissionsSettings(input.settings, input.permissions);
+    const nextContent = `${JSON.stringify(nextSettings, null, 2)}\n`;
+    const targetDir = path.dirname(input.settingsPath);
+    const tempPath = `${input.settingsPath}.tmp`;
+    const backupDir = path.join(resolveVgeDir(), 'cc-settings-backups');
+    let backupPath = null;
+    try {
+        fs.mkdirSync(targetDir, { recursive: true });
+        writeFileWithFsync(tempPath, nextContent);
+        if (fs.existsSync(input.settingsPath)) {
+            fs.mkdirSync(backupDir, { recursive: true });
+            backupPath = backupPathForInstall(backupDir, input.installKey);
+            writeFileWithFsync(backupPath, fs.readFileSync(input.settingsPath, 'utf-8'));
+        }
+        fs.renameSync(tempPath, input.settingsPath);
+    }
+    catch (error) {
+        fs.rmSync(tempPath, { force: true });
+        return {
+            ok: false,
+            message: error instanceof Error ? error.message : 'Unable to save Claude Code permissions.',
+        };
+    }
+    chmodPrivateSync(input.settingsPath);
+    try {
+        pruneOldBackups(backupDir, input.installKey);
+    }
+    catch (error) {
+        return {
+            ok: true,
+            backupPath,
+            warning: error instanceof Error
+                ? `Saved permissions, but backup retention cleanup failed: ${error.message}`
+                : 'Saved permissions, but backup retention cleanup failed.',
+        };
+    }
+    return { ok: true, backupPath };
+}
+//# sourceMappingURL=cc-permissions-io.js.map

package/dist/tui/lib/cc-permissions-io.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-permissions-io.js","sourceRoot":"","sources":["../../../src/tui/lib/cc-permissions-io.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AA0BtF,MAAM,sBAAsB,GAAuB,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;AAE5E,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,mBAAmB,CAC1B,WAAoC,EACpC,GAAqB;IAErB,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;IACxD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,GAAG,oBAAoB,EAAE,CAAC;IACvE,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,EAAE,CAAC;QACvD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,GAAG,6BAA6B,EAAE,CAAC;IAChF,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,GAAG,KAAK,CAAC,EAAE,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,cAAuB;IAChE,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QAC9B,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,2CAA2C;SACpD,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAAG,cAAc,CAAC,aAAa,CAAC,CAAC;IACvD,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACnC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE,CAAC;IAC3E,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAChC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,oCAAoC;SAC7C,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,EAAE,CAAC;IAC3B,KAAK,MAAM,GAAG,IAAI,sBAAsB,EAAE,CAAC;QACzC,MAAM,WAAW,GAAG,mBAAmB,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;QAC/D,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;YACpB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC;QACtE,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC;IACjC,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,YAAoB;IAC5D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE,CAAC;IAC/D,CAAC;IAED,IAAI,WAAmB,CAAC;IACxB,IAAI,CAAC;QACH,WAAW,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,KAAK,YAAY,KAAK;gBAC5B,CAAC,CAAC,iCAAiC,KAAK,CAAC,OAAO,EAAE;gBAClD,CAAC,CAAC,+BAA+B;SACpC,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,OAAO,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAY,CAAC,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,kCAAkC;SAC3C,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,QAAiC,EACjC,WAA+B;IAE/B,MAAM,mBAAmB,GAAG,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC3D,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;QACzB,CAAC,CAAC,EAAE,CAAC;IAEP,OAAO;QACL,GAAG,QAAQ;QACX,WAAW,EAAE;YACX,GAAG,mBAAmB;YACtB,KAAK,EAAE,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC;YAC7B,GAAG,EAAE,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC;YACzB,IAAI,EAAE,CAAC,GAAG,WAAW,CAAC,IAAI,CAAC;SAC5B;KACF,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAS;IACnC,OAAO,GAAG,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAgB,EAAE,OAAe;IAC3D,oBAAoB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,oBAAoB,CAAC,SAAiB,EAAE,GAAW;IAC1D,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAC7C,IAAI,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,GAAG,IAAI,KAAK,OAAO,CAAC,CAAC;IAC9D,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,OAAO,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACjC,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,GAAG,IAAI,KAAK,IAAI,OAAO,OAAO,CAAC,CAAC;QACrE,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,eAAe,CAAC,SAAiB,EAAE,GAAW;IACrD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO;IAEtC,MAAM,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC;IACzB,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,SAAS,CAAC;SACtC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;SACnE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACd,IAAI;QACJ,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC,CAAC,OAAO;KACzD,CAAC,CAAC;SACF,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IAE9F,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;QACxE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,KAKjC;IACC,MAAM,YAAY,GAAG,0BAA0B,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;IACnF,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC;IACjE,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,GAAG,KAAK,CAAC,YAAY,MAAM,CAAC;IAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,qBAAqB,CAAC,CAAC;IACpE,IAAI,UAAU,GAAkB,IAAI,CAAC;IAErC,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,kBAAkB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QAE1C,IAAI,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC;YACtC,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7C,UAAU,GAAG,oBAAoB,CAAC,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;YAC/D,kBAAkB,CAAC,UAAU,EAAE,EAAE,CAAC,YAAY,CAAC,KAAK,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;QAC/E,CAAC;QAED,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,EAAE,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACrC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,yCAAyC;SAC5F,CAAC;IACJ,CAAC;IAED,gBAAgB,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACrC,IAAI,CAAC;QACH,eAAe,CAAC,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,EAAE,EAAE,IAAI;YACR,UAAU;YACV,OAAO,EAAE,KAAK,YAAY,KAAK;gBAC7B,CAAC,CAAC,2DAA2D,KAAK,CAAC,OAAO,EAAE;gBAC5E,CAAC,CAAC,yDAAyD;SAC9D,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AAClC,CAAC"}

package/dist/tui/lib/cc-permissions-ops.d.ts

@@ -0,0 +1,19 @@
+import type { CcPermissionKind, CcPermissionsDraft } from './cc-permissions-io.js';
+export declare function cyclePermissionKind(kind: CcPermissionKind): CcPermissionKind;
+export declare function moveRule(draft: CcPermissionsDraft, rule: string, nextKind: CcPermissionKind): CcPermissionsDraft;
+export declare function addRule(draft: CcPermissionsDraft, kind: CcPermissionKind, rawRule: string): {
+    ok: true;
+    draft: CcPermissionsDraft;
+} | {
+    ok: false;
+    message: string;
+};
+export declare function updateRule(draft: CcPermissionsDraft, kind: CcPermissionKind, oldRule: string, rawRule: string): {
+    ok: true;
+    draft: CcPermissionsDraft;
+} | {
+    ok: false;
+    message: string;
+};
+export declare function deleteRule(draft: CcPermissionsDraft, rule: string): CcPermissionsDraft;
+//# sourceMappingURL=cc-permissions-ops.d.ts.map

package/dist/tui/lib/cc-permissions-ops.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-permissions-ops.d.ts","sourceRoot":"","sources":["../../../src/tui/lib/cc-permissions-ops.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAKnF,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,gBAAgB,GAAG,gBAAgB,CAI5E;AAcD,wBAAgB,QAAQ,CACtB,KAAK,EAAE,kBAAkB,EACzB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,gBAAgB,GACzB,kBAAkB,CAMpB;AAED,wBAAgB,OAAO,CACrB,KAAK,EAAE,kBAAkB,EACzB,IAAI,EAAE,gBAAgB,EACtB,OAAO,EAAE,MAAM,GACd;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,kBAAkB,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAa1E;AAUD,wBAAgB,UAAU,CACxB,KAAK,EAAE,kBAAkB,EACzB,IAAI,EAAE,gBAAgB,EACtB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,kBAAkB,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAsB1E;AAED,wBAAgB,UAAU,CAAC,KAAK,EAAE,kBAAkB,EAAE,IAAI,EAAE,MAAM,GAAG,kBAAkB,CAEtF"}

package/dist/tui/lib/cc-permissions-ops.js

@@ -0,0 +1,75 @@
+const MAX_RULE_LENGTH = 1024;
+const PERMISSION_KINDS = ['allow', 'ask', 'deny'];
+export function cyclePermissionKind(kind) {
+    if (kind === 'allow')
+        return 'ask';
+    if (kind === 'ask')
+        return 'deny';
+    return 'allow';
+}
+function copyWithoutRule(draft, rule) {
+    return {
+        allow: draft.allow.filter((entry) => entry !== rule),
+        ask: draft.ask.filter((entry) => entry !== rule),
+        deny: draft.deny.filter((entry) => entry !== rule),
+    };
+}
+function hasRule(draft, rule) {
+    return PERMISSION_KINDS.some((kind) => draft[kind].includes(rule));
+}
+export function moveRule(draft, rule, nextKind) {
+    const withoutRule = copyWithoutRule(draft, rule);
+    return {
+        ...withoutRule,
+        [nextKind]: [...withoutRule[nextKind], rule],
+    };
+}
+export function addRule(draft, kind, rawRule) {
+    const rule = rawRule.trim();
+    const validation = validateRule(rule);
+    if (!validation.ok)
+        return validation;
+    if (hasRule(draft, rule))
+        return { ok: true, draft };
+    return {
+        ok: true,
+        draft: {
+            ...draft,
+            [kind]: [...draft[kind], rule],
+        },
+    };
+}
+function validateRule(rule) {
+    if (rule.length === 0)
+        return { ok: false, message: 'Rule cannot be empty.' };
+    if (rule.length > MAX_RULE_LENGTH) {
+        return { ok: false, message: 'Rule cannot be longer than 1 KiB.' };
+    }
+    return { ok: true };
+}
+export function updateRule(draft, kind, oldRule, rawRule) {
+    const rule = rawRule.trim();
+    const validation = validateRule(rule);
+    if (!validation.ok)
+        return validation;
+    if (rule === oldRule)
+        return { ok: true, draft };
+    const withoutOld = copyWithoutRule(draft, oldRule);
+    if (hasRule(withoutOld, rule)) {
+        return { ok: false, message: 'Rule already exists.' };
+    }
+    const target = draft[kind].includes(oldRule)
+        ? draft[kind].map((entry) => entry === oldRule ? rule : entry)
+        : [...withoutOld[kind], rule];
+    return {
+        ok: true,
+        draft: {
+            ...withoutOld,
+            [kind]: target,
+        },
+    };
+}
+export function deleteRule(draft, rule) {
+    return copyWithoutRule(draft, rule);
+}
+//# sourceMappingURL=cc-permissions-ops.js.map

package/dist/tui/lib/cc-permissions-ops.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-permissions-ops.js","sourceRoot":"","sources":["../../../src/tui/lib/cc-permissions-ops.ts"],"names":[],"mappings":"AAEA,MAAM,eAAe,GAAG,IAAI,CAAC;AAC7B,MAAM,gBAAgB,GAAuB,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;AAEtE,MAAM,UAAU,mBAAmB,CAAC,IAAsB;IACxD,IAAI,IAAI,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IACnC,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,MAAM,CAAC;IAClC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CAAC,KAAyB,EAAE,IAAY;IAC9D,OAAO;QACL,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC;QACpD,GAAG,EAAE,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC;QAChD,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC;KACnD,CAAC;AACJ,CAAC;AAED,SAAS,OAAO,CAAC,KAAyB,EAAE,IAAY;IACtD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,MAAM,UAAU,QAAQ,CACtB,KAAyB,EACzB,IAAY,EACZ,QAA0B;IAE1B,MAAM,WAAW,GAAG,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACjD,OAAO;QACL,GAAG,WAAW;QACd,CAAC,QAAQ,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC;KAC7C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,OAAO,CACrB,KAAyB,EACzB,IAAsB,EACtB,OAAe;IAEf,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,CAAC,UAAU,CAAC,EAAE;QAAE,OAAO,UAAU,CAAC;IACtC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IAErD,OAAO;QACL,EAAE,EAAE,IAAI;QACR,KAAK,EAAE;YACL,GAAG,KAAK;YACR,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC;SAC/B;KACF,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;IAC9E,IAAI,IAAI,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;QAClC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,mCAAmC,EAAE,CAAC;IACrE,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,KAAyB,EACzB,IAAsB,EACtB,OAAe,EACf,OAAe;IAEf,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,CAAC,UAAU,CAAC,EAAE;QAAE,OAAO,UAAU,CAAC;IACtC,IAAI,IAAI,KAAK,OAAO;QAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IAEjD,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACnD,IAAI,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC;QAC9B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;QAC1C,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QAC9D,CAAC,CAAC,CAAC,GAAG,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC;IAEhC,OAAO;QACL,EAAE,EAAE,IAAI;QACR,KAAK,EAAE;YACL,GAAG,UAAU;YACb,CAAC,IAAI,CAAC,EAAE,MAAM;SACf;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,KAAyB,EAAE,IAAY;IAChE,OAAO,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;AACtC,CAAC"}

package/dist/tui/lib/cc-permissions-scope.d.ts

@@ -0,0 +1,15 @@
+export type CcPermissionsScope = 'user' | 'project';
+export type CcPermissionsTarget = {
+    ok: true;
+    scope: CcPermissionsScope;
+    settingsPath: string;
+    installKey: string;
+    source: 'install-metadata';
+} | {
+    ok: false;
+    mode: 'read-only';
+    reason: string;
+    candidates: string[];
+};
+export declare function resolveCcPermissionsTarget(): CcPermissionsTarget;
+//# sourceMappingURL=cc-permissions-scope.d.ts.map

package/dist/tui/lib/cc-permissions-scope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-permissions-scope.d.ts","sourceRoot":"","sources":["../../../src/tui/lib/cc-permissions-scope.ts"],"names":[],"mappings":"AASA,MAAM,MAAM,kBAAkB,GAAG,MAAM,GAAG,SAAS,CAAC;AAEpD,MAAM,MAAM,mBAAmB,GAC3B;IACE,EAAE,EAAE,IAAI,CAAC;IACT,KAAK,EAAE,kBAAkB,CAAC;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,kBAAkB,CAAC;CAC5B,GACD;IACE,EAAE,EAAE,KAAK,CAAC;IACV,IAAI,EAAE,WAAW,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB,CAAC;AAkEN,wBAAgB,0BAA0B,IAAI,mBAAmB,CA4ChE"}

package/dist/tui/lib/cc-permissions-scope.js

@@ -0,0 +1,97 @@
+import fs from 'fs';
+import * as path from 'path';
+import { installKey, installsDir, resolveSettingsPath, } from '../../commands/_lib/install-paths.js';
+function readInstallMetadata() {
+    const dir = installsDir();
+    if (!fs.existsSync(dir))
+        return { records: [], problemFiles: [], readError: null };
+    const records = [];
+    const problemFiles = [];
+    let entries;
+    try {
+        entries = fs.readdirSync(dir).filter((name) => name.endsWith('.meta.json'));
+    }
+    catch (error) {
+        const reason = error instanceof Error ? error.message : 'unable to read install metadata directory';
+        return { records, problemFiles, readError: reason };
+    }
+    for (const name of entries) {
+        const metaFile = path.join(dir, name);
+        try {
+            const raw = JSON.parse(fs.readFileSync(metaFile, 'utf-8'));
+            if ((raw['scope'] !== 'user' && raw['scope'] !== 'project') ||
+                typeof raw['settingsPath'] !== 'string' ||
+                typeof raw['installedAt'] !== 'string') {
+                problemFiles.push(metaFile);
+                continue;
+            }
+            records.push({
+                meta: {
+                    scope: raw['scope'],
+                    settingsPath: raw['settingsPath'],
+                    installedAt: raw['installedAt'],
+                },
+                metaFile,
+            });
+        }
+        catch {
+            problemFiles.push(metaFile);
+        }
+    }
+    return { records, problemFiles, readError: null };
+}
+function currentSettingsPath(scope) {
+    try {
+        return resolveSettingsPath(scope);
+    }
+    catch {
+        return null;
+    }
+}
+function readOnly(reason, records) {
+    return {
+        ok: false,
+        mode: 'read-only',
+        reason,
+        candidates: records.map((record) => record.meta.settingsPath),
+    };
+}
+export function resolveCcPermissionsTarget() {
+    const { records, problemFiles, readError } = readInstallMetadata();
+    if (readError !== null) {
+        return {
+            ok: false,
+            mode: 'read-only',
+            reason: `Unable to read install metadata: ${readError}`,
+            candidates: [],
+        };
+    }
+    const diagnostic = problemFiles.length > 0
+        ? `Ignored unreadable or malformed install metadata: ${problemFiles.join(', ')}. `
+        : '';
+    if (records.length === 0) {
+        return readOnly(`${diagnostic}No install metadata found for vge-cc-guard.`, records);
+    }
+    const userPath = currentSettingsPath('user');
+    const projectPath = currentSettingsPath('project');
+    const exactMatches = records.filter((record) => {
+        if (record.meta.scope === 'user')
+            return userPath !== null && record.meta.settingsPath === userPath;
+        return projectPath !== null && record.meta.settingsPath === projectPath;
+    });
+    if (exactMatches.length === 1) {
+        const match = exactMatches[0];
+        return {
+            ok: true,
+            scope: match.meta.scope,
+            settingsPath: match.meta.settingsPath,
+            installKey: installKey(match.meta.settingsPath),
+            source: 'install-metadata',
+        };
+    }
+    if (records.length > 1) {
+        return readOnly(`${diagnostic}Multiple install records exist, but no exact current target can be chosen.`, records);
+    }
+    return readOnly(`${diagnostic}No exact install metadata matches the current Claude Code settings path.`, records);
+}
+//# sourceMappingURL=cc-permissions-scope.js.map

package/dist/tui/lib/cc-permissions-scope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cc-permissions-scope.js","sourceRoot":"","sources":["../../../src/tui/lib/cc-permissions-scope.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EACL,UAAU,EACV,WAAW,EACX,mBAAmB,GAEpB,MAAM,sCAAsC,CAAC;AAwB9C,SAAS,mBAAmB;IAC1B,MAAM,GAAG,GAAG,WAAW,EAAE,CAAC;IAC1B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAEnF,MAAM,OAAO,GAAqB,EAAE,CAAC;IACrC,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,IAAI,OAAiB,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;IAC9E,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,2CAA2C,CAAC;QACpG,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC;IACtD,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAA4B,CAAC;YACtF,IACE,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,KAAK,SAAS,CAAC;gBACvD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,QAAQ;gBACvC,OAAO,GAAG,CAAC,aAAa,CAAC,KAAK,QAAQ,EACtC,CAAC;gBACD,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC5B,SAAS;YACX,CAAC;YACD,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE;oBACJ,KAAK,EAAE,GAAG,CAAC,OAAO,CAAC;oBACnB,YAAY,EAAE,GAAG,CAAC,cAAc,CAAC;oBACjC,WAAW,EAAE,GAAG,CAAC,aAAa,CAAC;iBAChC;gBACD,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAyB;IACpD,IAAI,CAAC;QACH,OAAO,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,MAAc,EAAE,OAAkC;IAClE,OAAO;QACL,EAAE,EAAE,KAAK;QACT,IAAI,EAAE,WAAW;QACjB,MAAM;QACN,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC;KAC9D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,0BAA0B;IACxC,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,mBAAmB,EAAE,CAAC;IACnE,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACvB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,oCAAoC,SAAS,EAAE;YACvD,UAAU,EAAE,EAAE;SACf,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC;QACxC,CAAC,CAAC,qDAAqD,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;QAClF,CAAC,CAAC,EAAE,CAAC;IAEP,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,QAAQ,CAAC,GAAG,UAAU,6CAA6C,EAAE,OAAO,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IACnD,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE;QAC7C,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,KAAK,MAAM;YAAE,OAAO,QAAQ,KAAK,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,KAAK,QAAQ,CAAC;QACpG,OAAO,WAAW,KAAK,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,KAAK,WAAW,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,YAAY,CAAC,CAAC,CAAE,CAAC;QAC/B,OAAO;YACL,EAAE,EAAE,IAAI;YACR,KAAK,EAAE,KAAK,CAAC,IAAI,CAAC,KAAK;YACvB,YAAY,EAAE,KAAK,CAAC,IAAI,CAAC,YAAY;YACrC,UAAU,EAAE,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC;YAC/C,MAAM,EAAE,kBAAkB;SAC3B,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,QAAQ,CACb,GAAG,UAAU,4EAA4E,EACzF,OAAO,CACR,CAAC;IACJ,CAAC;IAED,OAAO,QAAQ,CAAC,GAAG,UAAU,0EAA0E,EAAE,OAAO,CAAC,CAAC;AACpH,CAAC"}

package/dist/tui/lib/config-save.d.ts

@@ -0,0 +1,14 @@
+import { type SaveOutcome } from '../../shared/config-io.js';
+import type { Config } from '../../shared/config-schema.js';
+import { type DaemonConfigReloadOutcome, type DaemonStatusOutcome } from './daemon-client.js';
+export type ConfigSaveOutcome = SaveOutcome & {
+    daemonReload?: DaemonConfigReloadOutcome;
+    daemonStatus?: DaemonStatusOutcome;
+};
+export interface ConfigSaveStatus {
+    message: string;
+    color?: 'yellow';
+}
+export declare function saveConfigAndReloadDaemon(next: Config): Promise<ConfigSaveOutcome>;
+export declare function statusForConfigSave(outcome: ConfigSaveOutcome, successMessage: string): ConfigSaveStatus;
+//# sourceMappingURL=config-save.d.ts.map

package/dist/tui/lib/config-save.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-save.d.ts","sourceRoot":"","sources":["../../../src/tui/lib/config-save.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACzE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,+BAA+B,CAAC;AAC5D,OAAO,EAGL,KAAK,yBAAyB,EAC9B,KAAK,mBAAmB,EACzB,MAAM,oBAAoB,CAAC;AAE5B,MAAM,MAAM,iBAAiB,GAAG,WAAW,GAAG;IAC5C,YAAY,CAAC,EAAE,yBAAyB,CAAC;IACzC,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC,CAAC;AAEF,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,QAAQ,CAAC;CAClB;AAED,wBAAsB,yBAAyB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAWxF;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,GAAG,gBAAgB,CAwBxG"}