@x-code-cli/core 0.2.10 → 0.3.1

package/dist/mcp/trust.d.ts

@@ -0,0 +1,31 @@
+export declare function isProjectTrusted(projectPath: string): Promise<boolean>;
+export declare function trustProject(projectPath: string): Promise<void>;
+export type TrustChoice = 'trust' | 'skip' | 'exit';
+/** Ask the user whether to trust the project's MCP config.
+ *
+ *  Caller passes a generic askUser callback (the same one the agent loop
+ *  uses for askUser tool calls) so trust prompts render in the same dialog
+ *  style as the rest of the UI. We show the actual command strings so the
+ *  user can audit what would run.
+ *
+ *  Returns:
+ *    'trust' — user accepted; caller should persist via trustProject(...)
+ *    'skip'  — load only user-level mcpServers
+ *    'exit'  — caller should terminate the CLI */
+export declare function promptForTrust(projectPath: string, serverSummaries: Array<{
+    name: string;
+    preview: string;
+}>, askUser: (question: string, options: Array<{
+    label: string;
+    description: string;
+}>) => Promise<string>): Promise<TrustChoice>;
+/** Build the one-line preview shown for each server in the trust dialog.
+ *  Stdio servers expose their full command + args; HTTP servers show the
+ *  URL. We intentionally don't truncate — the user needs to see the whole
+ *  thing to make an informed call. */
+export declare function buildServerPreview(config: {
+    command?: string;
+    args?: string[];
+    url?: string;
+}): string;
+//# sourceMappingURL=trust.d.ts.map

package/dist/mcp/trust.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust.d.ts","sourceRoot":"","sources":["../../src/mcp/trust.ts"],"names":[],"mappings":"AA8DA,wBAAsB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAI5E;AAED,wBAAsB,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAMrE;AAED,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,CAAA;AAEnD;;;;;;;;;;kDAUkD;AAClD,wBAAsB,cAAc,CAClC,WAAW,EAAE,MAAM,EACnB,eAAe,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,EACzD,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CAAC,KAAK,OAAO,CAAC,MAAM,CAAC,GACrG,OAAO,CAAC,WAAW,CAAC,CAiBtB;AAED;;;sCAGsC;AACtC,wBAAgB,kBAAkB,CAAC,MAAM,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAOtG"}

package/dist/mcp/trust.js

@@ -0,0 +1,103 @@
+// @x-code-cli/core — MCP project-level trust gate
+//
+// A `.x-code/config.json` checked into a git repo can declare MCP servers
+// with arbitrary `command` strings — i.e. cloning a hostile repo and
+// launching the CLI would silently spawn whatever that command says.
+// Before honouring any project-level mcpServers block, we therefore
+// require an explicit consent step keyed to the absolute project path.
+//
+// Persistence file: ~/.x-code/trusted-projects.json (mode 0600).
+// Format: { trusted: [{ path: <absolute>, trustedAt: <ISO> }, ...] }
+//
+// User config (~/.x-code/config.json) is NOT subject to this gate —
+// the user wrote it themselves; trust is implicit.
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { userXcodeDir } from '../utils.js';
+function trustedFile() {
+    return path.join(userXcodeDir(), 'trusted-projects.json');
+}
+/** Normalise a path for stable comparison across platforms.
+ *  Absolute + resolved + lowercased on Windows (case-insensitive FS),
+ *  preserved case on macOS/Linux. */
+function normalize(p) {
+    const resolved = path.resolve(p);
+    return process.platform === 'win32' ? resolved.toLowerCase() : resolved;
+}
+async function readStore() {
+    try {
+        const raw = await fs.readFile(trustedFile(), 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed === 'object' && Array.isArray(parsed.trusted)) {
+            return parsed;
+        }
+    }
+    catch {
+        // missing file or malformed — start fresh
+    }
+    return { trusted: [] };
+}
+async function writeStore(store) {
+    await fs.mkdir(userXcodeDir(), { recursive: true });
+    // Atomic write: tmp + rename. Avoids a half-written file if the process
+    // is killed mid-write (the trust file is small but the principle holds —
+    // we never want a corrupted JSON to lock the user out of MCP).
+    const tmp = trustedFile() + '.tmp';
+    await fs.writeFile(tmp, JSON.stringify(store, null, 2) + '\n', { encoding: 'utf-8', mode: 0o600 });
+    await fs.rename(tmp, trustedFile());
+}
+export async function isProjectTrusted(projectPath) {
+    const normalized = normalize(projectPath);
+    const store = await readStore();
+    return store.trusted.some((e) => normalize(e.path) === normalized);
+}
+export async function trustProject(projectPath) {
+    const normalized = normalize(projectPath);
+    const store = await readStore();
+    if (store.trusted.some((e) => normalize(e.path) === normalized))
+        return;
+    store.trusted.push({ path: path.resolve(projectPath), trustedAt: new Date().toISOString() });
+    await writeStore(store);
+}
+/** Ask the user whether to trust the project's MCP config.
+ *
+ *  Caller passes a generic askUser callback (the same one the agent loop
+ *  uses for askUser tool calls) so trust prompts render in the same dialog
+ *  style as the rest of the UI. We show the actual command strings so the
+ *  user can audit what would run.
+ *
+ *  Returns:
+ *    'trust' — user accepted; caller should persist via trustProject(...)
+ *    'skip'  — load only user-level mcpServers
+ *    'exit'  — caller should terminate the CLI */
+export async function promptForTrust(projectPath, serverSummaries, askUser) {
+    const lines = serverSummaries.map((s) => `  • ${s.name}: ${s.preview}`).join('\n');
+    const question = `This project wants to load ${serverSummaries.length} MCP server(s):\n` +
+        lines +
+        `\n\nThese commands will run on your machine. Trust only if you trust this project.`;
+    const answer = await askUser(question, [
+        { label: 'Trust this project', description: 'Remember this choice. The project MCP servers will load.' },
+        { label: 'Skip project MCP', description: 'Use only user-level mcpServers for this session. No write to disk.' },
+        { label: 'Exit X-Code', description: 'Close the CLI without loading any MCP servers.' },
+    ]);
+    const lower = answer.toLowerCase();
+    if (lower.startsWith('trust'))
+        return 'trust';
+    if (lower.startsWith('exit'))
+        return 'exit';
+    return 'skip';
+}
+/** Build the one-line preview shown for each server in the trust dialog.
+ *  Stdio servers expose their full command + args; HTTP servers show the
+ *  URL. We intentionally don't truncate — the user needs to see the whole
+ *  thing to make an informed call. */
+export function buildServerPreview(config) {
+    if (config.url)
+        return config.url;
+    if (config.command) {
+        const parts = [config.command, ...(config.args ?? [])];
+        return parts.join(' ');
+    }
+    return '(invalid config)';
+}
+//# sourceMappingURL=trust.js.map

package/dist/mcp/trust.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust.js","sourceRoot":"","sources":["../../src/mcp/trust.ts"],"names":[],"mappings":"AAAA,kDAAkD;AAClD,EAAE;AACF,0EAA0E;AAC1E,qEAAqE;AACrE,qEAAqE;AACrE,oEAAoE;AACpE,uEAAuE;AACvE,EAAE;AACF,iEAAiE;AACjE,qEAAqE;AACrE,EAAE;AACF,oEAAoE;AACpE,mDAAmD;AACnD,OAAO,EAAE,MAAM,kBAAkB,CAAA;AACjC,OAAO,IAAI,MAAM,WAAW,CAAA;AAE5B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE1C,SAAS,WAAW;IAClB,OAAO,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,uBAAuB,CAAC,CAAA;AAC3D,CAAC;AAWD;;qCAEqC;AACrC,SAAS,SAAS,CAAC,CAAS;IAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;IAChC,OAAO,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAA;AACzE,CAAC;AAED,KAAK,UAAU,SAAS;IACtB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,OAAO,CAAC,CAAA;QACrD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAA;QACzC,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAE,MAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5F,OAAO,MAAsB,CAAA;QAC/B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0CAA0C;IAC5C,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,CAAA;AACxB,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,KAAmB;IAC3C,MAAM,EAAE,CAAC,KAAK,CAAC,YAAY,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACnD,wEAAwE;IACxE,yEAAyE;IACzE,+DAA+D;IAC/D,MAAM,GAAG,GAAG,WAAW,EAAE,GAAG,MAAM,CAAA;IAClC,MAAM,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IAClG,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,WAAW,EAAE,CAAC,CAAA;AACrC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IACxD,MAAM,UAAU,GAAG,SAAS,CAAC,WAAW,CAAC,CAAA;IACzC,MAAM,KAAK,GAAG,MAAM,SAAS,EAAE,CAAA;IAC/B,OAAO,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,UAAU,CAAC,CAAA;AACpE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,WAAmB;IACpD,MAAM,UAAU,GAAG,SAAS,CAAC,WAAW,CAAC,CAAA;IACzC,MAAM,KAAK,GAAG,MAAM,SAAS,EAAE,CAAA;IAC/B,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,UAAU,CAAC;QAAE,OAAM;IACvE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAA;IAC5F,MAAM,UAAU,CAAC,KAAK,CAAC,CAAA;AACzB,CAAC;AAID;;;;;;;;;;kDAUkD;AAClD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAAmB,EACnB,eAAyD,EACzD,OAAsG;IAEtG,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAClF,MAAM,QAAQ,GACZ,8BAA8B,eAAe,CAAC,MAAM,mBAAmB;QACvE,KAAK;QACL,oFAAoF,CAAA;IAEtF,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,QAAQ,EAAE;QACrC,EAAE,KAAK,EAAE,oBAAoB,EAAE,WAAW,EAAE,0DAA0D,EAAE;QACxG,EAAE,KAAK,EAAE,kBAAkB,EAAE,WAAW,EAAE,oEAAoE,EAAE;QAChH,EAAE,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,gDAAgD,EAAE;KACxF,CAAC,CAAA;IAEF,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,EAAE,CAAA;IAClC,IAAI,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,CAAA;IAC7C,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAA;IAC3C,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;sCAGsC;AACtC,MAAM,UAAU,kBAAkB,CAAC,MAA2D;IAC5F,IAAI,MAAM,CAAC,GAAG;QAAE,OAAO,MAAM,CAAC,GAAG,CAAA;IACjC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,MAAM,KAAK,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAA;QACtD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACxB,CAAC;IACD,OAAO,kBAAkB,CAAA;AAC3B,CAAC"}

package/dist/mcp/types.d.ts

@@ -0,0 +1,73 @@
+/** stdio-based MCP server (local subprocess). */
+export interface McpStdioServerConfig {
+    command: string;
+    args?: string[];
+    env?: Record<string, string>;
+    cwd?: string;
+    /** First-connect timeout in ms. Default 30_000. */
+    timeout?: number;
+    /** Default true. Setting to false skips the server entirely. */
+    enabled?: boolean;
+}
+/** Streamable HTTP MCP server (remote). */
+export interface McpHttpServerConfig {
+    url: string;
+    /** Static headers attached to every request (e.g. `X-Custom: foo`).
+     *  OAuth `Authorization: Bearer ...` is added automatically — do NOT put
+     *  the access token here, store it via the OAuth flow instead. */
+    headers?: Record<string, string>;
+    timeout?: number;
+    enabled?: boolean;
+}
+export type McpServerConfig = McpStdioServerConfig | McpHttpServerConfig;
+/** Discriminator: tells stdio vs http servers apart at runtime. */
+export declare function isStdioConfig(c: McpServerConfig): c is McpStdioServerConfig;
+export declare function isHttpConfig(c: McpServerConfig): c is McpHttpServerConfig;
+/** Per-server runtime status. UI reads this via /mcp list. */
+export type McpServerStatus = {
+    kind: 'disabled';
+} | {
+    kind: 'connecting';
+} | {
+    kind: 'connected';
+    toolCount: number;
+    resourceCount: number;
+} | {
+    kind: 'needs_auth';
+    authUrl?: string;
+} | {
+    kind: 'failed';
+    error: string;
+};
+/** One MCP tool, after name-mangling.
+ *
+ *  callableName is the model-facing name (<server>__<tool>);
+ *  rawName is what we pass back to client.callTool — MCP servers don't
+ *  know about our prefix scheme. */
+export interface McpToolEntry {
+    callableName: string;
+    rawName: string;
+    serverName: string;
+    description: string;
+    /** JSON Schema as received from the server. We pass it directly to the
+     *  AI SDK via `jsonSchema(...)` — no zod conversion. */
+    inputSchema: Record<string, unknown>;
+}
+/** One MCP resource (data the server lets us pull). */
+export interface McpResourceEntry {
+    uri: string;
+    name: string;
+    description?: string;
+    mimeType?: string;
+    serverName: string;
+}
+/** Result of calling an MCP tool — flattened from MCP's content-blocks
+ *  into something we can shove into a tool_result message. The raw blocks
+ *  are kept on the side in case a future UI wants images/audio. */
+export interface McpCallResult {
+    /** Text representation suitable for tool_result. */
+    text: string;
+    /** True iff the server marked the call as an error (MCP `isError` flag). */
+    isError: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/mcp/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/mcp/types.ts"],"names":[],"mappings":"AAMA,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;IACf,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,mDAAmD;IACnD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,gEAAgE;IAChE,OAAO,CAAC,EAAE,OAAO,CAAA;CAClB;AAED,2CAA2C;AAC3C,MAAM,WAAW,mBAAmB;IAClC,GAAG,EAAE,MAAM,CAAA;IACX;;sEAEkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAChC,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,MAAM,eAAe,GAAG,oBAAoB,GAAG,mBAAmB,CAAA;AAExE,mEAAmE;AACnE,wBAAgB,aAAa,CAAC,CAAC,EAAE,eAAe,GAAG,CAAC,IAAI,oBAAoB,CAE3E;AACD,wBAAgB,YAAY,CAAC,CAAC,EAAE,eAAe,GAAG,CAAC,IAAI,mBAAmB,CAEzE;AAED,8DAA8D;AAC9D,MAAM,MAAM,eAAe,GACvB;IAAE,IAAI,EAAE,UAAU,CAAA;CAAE,GACpB;IAAE,IAAI,EAAE,YAAY,CAAA;CAAE,GACtB;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,GAC/D;IAAE,IAAI,EAAE,YAAY,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GACxC;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAA;AAErC;;;;oCAIoC;AACpC,MAAM,WAAW,YAAY;IAC3B,YAAY,EAAE,MAAM,CAAA;IACpB,OAAO,EAAE,MAAM,CAAA;IACf,UAAU,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE,MAAM,CAAA;IACnB;4DACwD;IACxD,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACrC;AAED,uDAAuD;AACvD,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;CACnB;AAED;;mEAEmE;AACnE,MAAM,WAAW,aAAa;IAC5B,oDAAoD;IACpD,IAAI,EAAE,MAAM,CAAA;IACZ,4EAA4E;IAC5E,OAAO,EAAE,OAAO,CAAA;CACjB"}

package/dist/mcp/types.js

@@ -0,0 +1,13 @@
+// @x-code-cli/core — MCP public types
+//
+// Shared shapes used across the mcp/ subsystem. Kept dependency-free so the
+// loader/registry/UI layers can import without circular hops back into the
+// agent loop or CLI.
+/** Discriminator: tells stdio vs http servers apart at runtime. */
+export function isStdioConfig(c) {
+    return 'command' in c;
+}
+export function isHttpConfig(c) {
+    return 'url' in c;
+}
+//# sourceMappingURL=types.js.map

package/dist/mcp/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/mcp/types.ts"],"names":[],"mappings":"AAAA,sCAAsC;AACtC,EAAE;AACF,4EAA4E;AAC5E,2EAA2E;AAC3E,qBAAqB;AA2BrB,mEAAmE;AACnE,MAAM,UAAU,aAAa,CAAC,CAAkB;IAC9C,OAAO,SAAS,IAAI,CAAC,CAAA;AACvB,CAAC;AACD,MAAM,UAAU,YAAY,CAAC,CAAkB;IAC7C,OAAO,KAAK,IAAI,CAAC,CAAA;AACnB,CAAC"}

package/dist/permissions/index.d.ts

@@ -33,6 +33,6 @@ export declare function checkPermission(toolCall: {
     input: PermissionInput;
 }) => Promise<'yes' | 'always' | 'no'>, permissionMode?: PermissionMode, cwd?: string): Promise<boolean>;
 export { addSessionAllowRule, clearSessionRules, buildAllowRule } from './session-store.js';
-export { extractCommandPrefix, suggestRuleLabel } from './session-store.js';
+export { extractCommandPrefix, extractCompoundPrefixes, extractCompoundRules, suggestRuleLabel, } from './session-store.js';
 export { loadPersistedRules, persistRule } from './session-store.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/permissions/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/permissions/index.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAGxE,KAAK,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;AAmD9C,2CAA2C;AAC3C,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,eAAe,CAI5F;AAmBD;;uDAEuD;AACvD,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAKjF;AAMD;;;;;;;;;;;;;;;;uBAgBuB;AACvB,wBAAsB,eAAe,CACnC,QAAQ,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,eAAe,CAAA;CAAE,EAC1E,SAAS,EAAE,OAAO,EAClB,eAAe,EAAE,CAAC,QAAQ,EAAE;IAC1B,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,MAAM,CAAA;IAChB,KAAK,EAAE,eAAe,CAAA;CACvB,KAAK,OAAO,CAAC,KAAK,GAAG,QAAQ,GAAG,IAAI,CAAC,EACtC,cAAc,GAAE,cAA0B,EAC1C,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,OAAO,CAAC,CAwBlB;AAED,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAC3F,OAAO,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAC3E,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/permissions/index.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAGxE,KAAK,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;AAmD9C,2CAA2C;AAC3C,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG,eAAe,CAI5F;AAmBD;;uDAEuD;AACvD,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAKjF;AAMD;;;;;;;;;;;;;;;;uBAgBuB;AACvB,wBAAsB,eAAe,CACnC,QAAQ,EAAE;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,eAAe,CAAA;CAAE,EAC1E,SAAS,EAAE,OAAO,EAClB,eAAe,EAAE,CAAC,QAAQ,EAAE;IAC1B,UAAU,EAAE,MAAM,CAAA;IAClB,QAAQ,EAAE,MAAM,CAAA;IAChB,KAAK,EAAE,eAAe,CAAA;CACvB,KAAK,OAAO,CAAC,KAAK,GAAG,QAAQ,GAAG,IAAI,CAAC,EACtC,cAAc,GAAE,cAA0B,EAC1C,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,OAAO,CAAC,CA8BlB;AAED,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAC3F,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA"}

package/dist/permissions/index.js

@@ -121,15 +121,21 @@ export async function checkPermission(toolCall, trustMode, onAskPermission, perm
     if (decision === 'always') {
         const result = buildAllowRule(toolCall.toolName, toolCall.input);
         if (result) {
-            addSessionAllowRule(result.rule);
-            if (result.persist && cwd)
-                persistRule(cwd, result.rule);
+            // buildAllowRule may return >1 rule for compound shells like
+            // `git commit && git push` — the user-visible label
+            // ("git commit:*, git push:*") shows both, and we save both
+            // here so the next compound invocation auto-approves.
+            for (const rule of result.rules) {
+                addSessionAllowRule(rule);
+                if (result.persist && cwd)
+                    persistRule(cwd, rule);
+            }
         }
         return true;
     }
     return decision === 'yes';
 }
 export { addSessionAllowRule, clearSessionRules, buildAllowRule } from './session-store.js';
-export { extractCommandPrefix, suggestRuleLabel } from './session-store.js';
+export { extractCommandPrefix, extractCompoundPrefixes, extractCompoundRules, suggestRuleLabel, } from './session-store.js';
 export { loadPersistedRules, persistRule } from './session-store.js';
 //# sourceMappingURL=index.js.map

package/dist/permissions/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/permissions/index.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,OAAO,IAAI,MAAM,WAAW,CAAA;AAE5B,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAEvF,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AAIxG;;;;;GAKG;AACH,MAAM,0BAA0B,GAAG,GAAG,CAAA;AACtC,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAA2B,CAAA;AAE/D,SAAS,uBAAuB,CAAC,OAAe;IAC9C,MAAM,WAAW,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;IAC/C,uDAAuD;IACvD,IAAI,WAAW,CAAC,IAAI,CAAC,aAAa,CAAC;QAAE,OAAO,MAAM,CAAA;IAClD,0CAA0C;IAC1C,IAAI,WAAW,CAAC,KAAK,CAAC,UAAU,CAAC;QAAE,OAAO,cAAc,CAAA;IACxD,kBAAkB;IAClB,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAsB;IACpD,MAAM,GAAG,GAAI,KAAK,CAAC,OAAkB,IAAI,EAAE,CAAA;IAC3C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC5C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAA;IAEzB,MAAM,KAAK,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAA;IAE1C,IAAI,oBAAoB,CAAC,IAAI,IAAI,0BAA0B,EAAE,CAAC;QAC5D,0DAA0D;QAC1D,MAAM,MAAM,GAAG,oBAAoB,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAA;QACvD,IAAI,MAAM,KAAK,SAAS;YAAE,oBAAoB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAC/D,CAAC;IACD,oBAAoB,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACpC,OAAO,KAAK,CAAA;AACd,CAAC;AAED,qCAAqC;AACrC,MAAM,KAAK,GAAgE;IACzE,QAAQ,EAAE,GAAG,EAAE,CAAC,cAAc;IAC9B,IAAI,EAAE,GAAG,EAAE,CAAC,cAAc;IAC1B,IAAI,EAAE,GAAG,EAAE,CAAC,cAAc;IAC1B,OAAO,EAAE,GAAG,EAAE,CAAC,cAAc;IAC7B,SAAS,EAAE,GAAG,EAAE,CAAC,cAAc;IAC/B,QAAQ,EAAE,GAAG,EAAE,CAAC,cAAc;IAC9B,OAAO,EAAE,GAAG,EAAE,CAAC,cAAc;IAC7B,IAAI,EAAE,GAAG,EAAE,CAAC,KAAK;IACjB,SAAS,EAAE,GAAG,EAAE,CAAC,KAAK;IACtB,KAAK,EAAE,sBAAsB;CAC9B,CAAA;AAED,2CAA2C;AAC3C,MAAM,UAAU,kBAAkB,CAAC,QAAgB,EAAE,KAAsB;IACzE,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAA;IAC5B,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAA,CAAC,+BAA+B;IACvD,OAAO,IAAI,CAAC,KAAK,CAAC,CAAA;AACpB,CAAC;AAED,oCAAoC;AACpC,2EAA2E;AAC3E,mFAAmF;AACnF,MAAM,uBAAuB,GAAG;IAC9B,gBAAgB;IAChB,sBAAsB;IACtB,iBAAiB;IACjB,eAAe;IACf,kBAAkB;IAClB,mBAAmB;IACnB,iBAAiB;IACjB,aAAa;IACb,iBAAiB;IACjB,oBAAoB;IACpB,kBAAkB;CACnB,CAAA;AAED;;uDAEuD;AACvD,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,UAAkB;IACtE,MAAM,SAAS,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,CAAA;IAClF,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAA;IAChC,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,CAAC,CAAA;IACjC,OAAO,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC,CAAA;AACnD,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AAChE,CAAC;AAED;;;;;;;;;;;;;;;;uBAgBuB;AACvB,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAA0E,EAC1E,SAAkB,EAClB,eAIsC,EACtC,iBAAiC,SAAS,EAC1C,GAAY;IAEZ,MAAM,KAAK,GAAG,kBAAkB,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAA;IACnE,IAAI,KAAK,KAAK,MAAM;QAAE,OAAO,KAAK,CAAA;IAClC,IAAI,KAAK,KAAK,cAAc,IAAI,SAAS;QAAE,OAAO,IAAI,CAAA;IACtD,IAAI,cAAc,KAAK,aAAa,IAAI,CAAC,QAAQ,CAAC,QAAQ,KAAK,WAAW,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,CAAC;QAC5G,MAAM,QAAQ,GAAI,QAAQ,CAAC,KAAK,CAAC,QAAmB,IAAI,EAAE,CAAA;QAC1D,MAAM,UAAU,GAAG,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAA;QACvC,IAAI,QAAQ,IAAI,mBAAmB,CAAC,QAAQ,EAAE,UAAU,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;YACxF,OAAO,IAAI,CAAA;QACb,CAAC;QACD,yEAAyE;IAC3E,CAAC;IACD,IAAI,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAErE,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAA;IAChD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAA;QAChE,IAAI,MAAM,EAAE,CAAC;YACX,mBAAmB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;YAChC,IAAI,MAAM,CAAC,OAAO,IAAI,GAAG;gBAAE,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,CAAA;QAC1D,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,QAAQ,KAAK,KAAK,CAAA;AAC3B,CAAC;AAED,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAC3F,OAAO,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAC3E,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/permissions/index.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,OAAO,IAAI,MAAM,WAAW,CAAA;AAE5B,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAEvF,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AAIxG;;;;;GAKG;AACH,MAAM,0BAA0B,GAAG,GAAG,CAAA;AACtC,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAA2B,CAAA;AAE/D,SAAS,uBAAuB,CAAC,OAAe;IAC9C,MAAM,WAAW,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;IAC/C,uDAAuD;IACvD,IAAI,WAAW,CAAC,IAAI,CAAC,aAAa,CAAC;QAAE,OAAO,MAAM,CAAA;IAClD,0CAA0C;IAC1C,IAAI,WAAW,CAAC,KAAK,CAAC,UAAU,CAAC;QAAE,OAAO,cAAc,CAAA;IACxD,kBAAkB;IAClB,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAsB;IACpD,MAAM,GAAG,GAAI,KAAK,CAAC,OAAkB,IAAI,EAAE,CAAA;IAC3C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC5C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAA;IAEzB,MAAM,KAAK,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAA;IAE1C,IAAI,oBAAoB,CAAC,IAAI,IAAI,0BAA0B,EAAE,CAAC;QAC5D,0DAA0D;QAC1D,MAAM,MAAM,GAAG,oBAAoB,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAA;QACvD,IAAI,MAAM,KAAK,SAAS;YAAE,oBAAoB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAC/D,CAAC;IACD,oBAAoB,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACpC,OAAO,KAAK,CAAA;AACd,CAAC;AAED,qCAAqC;AACrC,MAAM,KAAK,GAAgE;IACzE,QAAQ,EAAE,GAAG,EAAE,CAAC,cAAc;IAC9B,IAAI,EAAE,GAAG,EAAE,CAAC,cAAc;IAC1B,IAAI,EAAE,GAAG,EAAE,CAAC,cAAc;IAC1B,OAAO,EAAE,GAAG,EAAE,CAAC,cAAc;IAC7B,SAAS,EAAE,GAAG,EAAE,CAAC,cAAc;IAC/B,QAAQ,EAAE,GAAG,EAAE,CAAC,cAAc;IAC9B,OAAO,EAAE,GAAG,EAAE,CAAC,cAAc;IAC7B,IAAI,EAAE,GAAG,EAAE,CAAC,KAAK;IACjB,SAAS,EAAE,GAAG,EAAE,CAAC,KAAK;IACtB,KAAK,EAAE,sBAAsB;CAC9B,CAAA;AAED,2CAA2C;AAC3C,MAAM,UAAU,kBAAkB,CAAC,QAAgB,EAAE,KAAsB;IACzE,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAA;IAC5B,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAA,CAAC,+BAA+B;IACvD,OAAO,IAAI,CAAC,KAAK,CAAC,CAAA;AACpB,CAAC;AAED,oCAAoC;AACpC,2EAA2E;AAC3E,mFAAmF;AACnF,MAAM,uBAAuB,GAAG;IAC9B,gBAAgB;IAChB,sBAAsB;IACtB,iBAAiB;IACjB,eAAe;IACf,kBAAkB;IAClB,mBAAmB;IACnB,iBAAiB;IACjB,aAAa;IACb,iBAAiB;IACjB,oBAAoB;IACpB,kBAAkB;CACnB,CAAA;AAED;;uDAEuD;AACvD,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,UAAkB;IACtE,MAAM,SAAS,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,WAAW,EAAE,CAAA;IAClF,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAA;IAChC,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,CAAC,CAAA;IACjC,OAAO,IAAI,KAAK,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC,CAAA;AACnD,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AAChE,CAAC;AAED;;;;;;;;;;;;;;;;uBAgBuB;AACvB,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAA0E,EAC1E,SAAkB,EAClB,eAIsC,EACtC,iBAAiC,SAAS,EAC1C,GAAY;IAEZ,MAAM,KAAK,GAAG,kBAAkB,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAA;IACnE,IAAI,KAAK,KAAK,MAAM;QAAE,OAAO,KAAK,CAAA;IAClC,IAAI,KAAK,KAAK,cAAc,IAAI,SAAS;QAAE,OAAO,IAAI,CAAA;IACtD,IAAI,cAAc,KAAK,aAAa,IAAI,CAAC,QAAQ,CAAC,QAAQ,KAAK,WAAW,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,CAAC;QAC5G,MAAM,QAAQ,GAAI,QAAQ,CAAC,KAAK,CAAC,QAAmB,IAAI,EAAE,CAAA;QAC1D,MAAM,UAAU,GAAG,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAA;QACvC,IAAI,QAAQ,IAAI,mBAAmB,CAAC,QAAQ,EAAE,UAAU,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,EAAE,CAAC;YACxF,OAAO,IAAI,CAAA;QACb,CAAC;QACD,yEAAyE;IAC3E,CAAC;IACD,IAAI,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAErE,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAA;IAChD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAA;QAChE,IAAI,MAAM,EAAE,CAAC;YACX,6DAA6D;YAC7D,oDAAoD;YACpD,4DAA4D;YAC5D,sDAAsD;YACtD,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBAChC,mBAAmB,CAAC,IAAI,CAAC,CAAA;gBACzB,IAAI,MAAM,CAAC,OAAO,IAAI,GAAG;oBAAE,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,QAAQ,KAAK,KAAK,CAAA;AAC3B,CAAC;AAED,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAC3F,OAAO,EACL,oBAAoB,EACpB,uBAAuB,EACvB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA"}

package/dist/permissions/session-store.d.ts

@@ -24,45 +24,107 @@ export interface AllowRule {
  *   'powershell -ExecutionPolicy Bypass -c "git status"'     → 'git'
  *   'pwsh -Command "& { Get-Process }"'                      → 'Get-Process'
  *   'powershell -Command Get-Date'                           → 'Get-Date'
+ *   'Get-ChildItem -Recurse -Filter *.ts'                    → 'Get-ChildItem'
+ *   'Invoke-WebRequest -Uri http://api'                      → 'Invoke-WebRequest'
+ *   'cd /tmp && npm test'                                    → 'npm test'
+ *   'cd D:\\foo && npx tsc --noEmit | head -40'              → 'npx tsc'
+ *   'Set-Location D:\\foo; Get-ChildItem -Recurse | Sort-Object Name'
+ *                                                            → 'Get-ChildItem'
+ *   'npm install && curl bad.com'                            → null
+ *                                                              (two distinct
+ *                                                              non-readonly
+ *                                                              segments — no
+ *                                                              shared prefix,
+ *                                                              fall back to
+ *                                                              exact)
+ *   'git commit -m a && git push'                            → null   (segments
+ *                                                              disagree on
+ *                                                              prefix)
  *   'ls -la'                                                 → null
  *   ''                                                       → null
  */
 export declare function extractCommandPrefix(command: string): string | null;
+/**
+ * Like {@link extractCommandPrefix} but for compound commands returns the
+ * full set of distinct prefixes — one per non-read-only, non-cd segment.
+ *
+ * Returns `null` if any non-read-only segment has no derivable prefix
+ * (the caller has a richer fallback via {@link extractCompoundRules} now)
+ * or if every segment was filtered out as read-only / cd-like (mostly
+ * defensive — those auto-allow upstream).
+ *
+ * Kept exported for compatibility with consumers that only need the
+ * prefix list — current internal callers use the richer
+ * {@link extractCompoundRules}.
+ */
+export declare function extractCompoundPrefixes(command: string): string[] | null;
+/**
+ * Per-segment rule extraction for compound commands. Returns one rule
+ * per non-read-only, non-cd segment:
+ *   - prefix rule when the segment has a derivable prefix (e.g.
+ *     `git commit -m foo` → `{ type: 'prefix', pattern: 'git commit' }`)
+ *   - segment-level exact rule otherwise (e.g. `curl evil.com` →
+ *     `{ type: 'exact', pattern: 'curl evil.com' }`)
+ *
+ * The mix is the point: `git commit && curl evil.com` was previously
+ * collapsing to a single full-command exact-match because `curl evil.com`
+ * has no prefix, throwing away the perfectly-derivable `git commit:*`.
+ * The label now reads `git commit:*, curl evil.com` and one click saves
+ * both rules. The matcher accepts an exact rule either against the full
+ * command (legacy) or against any non-readonly segment, so future
+ * `cd /tmp && git commit -m b && curl evil.com` auto-approves cleanly.
+ *
+ * Returns `null` if no segment yielded a rule (all-readonly compounds —
+ * auto-allowed upstream, never reaches us in practice) or if we hit a
+ * non-whitelisted env-var prefix that disqualifies the segment (same
+ * security gate as the single-cmd path).
+ */
+export declare function extractCompoundRules(command: string): AllowRule[] | null;
 /**
  * Generate the display label for the "don't ask again" option.
  * Returns `null` only for tools where a "don't ask again" affordance
  * makes no sense (enterPlanMode toggles a mode, not a recurring action).
  *
- * Shell with derivable prefix:    `git commit:*`
- * Shell without derivable prefix: `this exact command` (exact-match rule —
- *   covers Windows-style commands like `findstr /n …`, `cmd /c …`,
+ * Shell, single derivable prefix:   `git commit:*`
+ * Shell, multiple derivable prefixes (compound where segments disagree
+ *   — e.g. `git commit && git push`):  `git commit:*, git push:*`
+ *   — the click saves BOTH rules so subsequent compound invocations
+ *   stop prompting.
+ * Shell, no derivable prefix:       `this exact command` (exact-match
+ *   rule — covers Windows-style commands like `findstr /n …`, `cmd /c …`,
  *   `dir /b`, where the second token is a `/flag` or path that fails
  *   the prefix regex; without this fallback the user gets only Yes/No
  *   forever for repeated identical commands).
  * Write tools (writeFile / edit): `all edits this session` (session-only)
+ * MCP tools (isMcp=true):         `this MCP tool` (persisted to disk via
+ *   McpPermissionStore — the label matches that posture, unlike write
+ *   tools which fall back to session-only).
  */
-export declare function suggestRuleLabel(toolName: string, input: Record<string, unknown>): string | null;
+export declare function suggestRuleLabel(toolName: string, input: Record<string, unknown>, isMcp?: boolean): string | null;
 /**
- * Build the AllowRule for a "don't ask again" approval.
+ * Build the AllowRule(s) for a "don't ask again" approval.
  *
- * - Shell with derivable prefix (e.g. `git commit`) → prefix rule, persisted
- * - Shell without derivable prefix                  → exact-match rule,
- *   persisted (mirrors Claude Code's `suggestionForExactCommand`
- *   fallback in `bashPermissions.ts`). Less reusable than a prefix rule
- *   (any arg change breaks the match) but at least suppresses repeated
- *   identical invocations — better than "Yes/No forever". The matcher
- *   compares against `stripEnvVars(cmd)` so leading `NODE_ENV=…` etc.
- *   don't defeat the rule.
- * - writeFile / edit                                → tool-wide allow,
- *   session-only (matches Claude Code).
+ * - Shell with derivable prefix(es) → one prefix rule per distinct
+ *   non-read-only segment. `git commit && git push` saves BOTH
+ *   `git commit:*` and `git push:*` on a single click (matching the
+ *   compound label shown to the user). Persisted to disk.
+ * - Shell without derivable prefix  → single exact-match rule, persisted
+ *   (mirrors Claude Code's `suggestionForExactCommand` fallback in
+ *   `bashPermissions.ts`). Less reusable than a prefix rule (any arg
+ *   change breaks the match) but at least suppresses repeated identical
+ *   invocations — better than "Yes/No forever". The matcher compares
+ *   against `stripEnvVars(cmd)` so leading `NODE_ENV=…` etc. don't defeat
+ *   the rule.
+ * - writeFile / edit  → single tool-wide allow, session-only (matches
+ *   Claude Code).
  *
- * `persist` indicates whether the rule should be saved to disk. Write
+ * `persist` indicates whether the rules should be saved to disk. Write
  * tools return persist=false; everything else returns persist=true.
  * Returns `null` only for the very few cases where no rule shape applies
  * (currently nothing — kept in the signature so callers stay defensive).
  */
 export declare function buildAllowRule(toolName: string, input: Record<string, unknown>): {
-    rule: AllowRule;
+    rules: AllowRule[];
     persist: boolean;
 } | null;
 export declare function addSessionAllowRule(rule: AllowRule): void;

package/dist/permissions/session-store.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session-store.d.ts","sourceRoot":"","sources":["../../src/permissions/session-store.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAA;CAClC;AA4ID;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA+CnE;AAyED;;;;;;;;;;;;GAYG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,GAAG,IAAI,CAShG;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,GAAG,IAAI,CAgB9C;AA8ED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,CAEzD;AAED,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAE3F;AAED,wBAAgB,iBAAiB,IAAI,IAAI,CAExC;AAID;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAoBpD;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,IAAI,CA+B9D"}
+{"version":3,"file":"session-store.d.ts","sourceRoot":"","sources":["../../src/permissions/session-store.ts"],"names":[],"mappings":"AAYA,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAA;CAClC;AA6JD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAuCnE;AAyID;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,IAAI,CAwBxE;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,EAAE,GAAG,IAAI,CA6CxE;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,UAAQ,GAAG,MAAM,GAAG,IAAI,CAmB/G;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B;IAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,GAAG,IAAI,CAgBjD;AAyHD,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI,CAEzD;AAED,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAE3F;AAED,wBAAgB,iBAAiB,IAAI,IAAI,CAExC;AAID;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAoBpD;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,IAAI,CA+B9D"}