@x-code-cli/core 0.2.9 → 0.3.0

package/dist/permissions/session-store.js

@@ -8,7 +8,127 @@ import * as fs from 'node:fs';
 import * as path from 'node:path';
 import { XCODE_DIR } from '../utils.js';
 // Env-var assignment prefix: VAR=value (unquoted, safe chars only).
-const ENV_VAR_RE = /^[A-Za-z_]\w*=[A-Za-z0-9_./:@-]*\s+/;
+// The capture group exposes the name so the whitelist can decide whether
+// to strip the prefix or treat it as a poison pill (see SAFE_ENV_VARS).
+const ENV_VAR_RE = /^([A-Za-z_]\w*)=[A-Za-z0-9_./:@-]*\s+/;
+// Env-var names safe to strip before deriving a "don't ask again" prefix.
+// Deliberately conservative — anything that could shift program behaviour
+// in security-relevant ways (PATH, LD_*, NODE_OPTIONS, http(s)_proxy,
+// DYLD_*, …) is excluded so a non-whitelisted assignment downgrades the
+// rule to exact-match. Without that, an agent could smuggle unaudited env
+// into an already-approved command shape.
+//
+// Picked to cover the common NODE_ENV / CI / DEBUG / locale / color
+// settings agents emit in practice, mirroring the spirit of Claude Code's
+// SAFE_ENV_VARS list.
+const SAFE_ENV_VARS = new Set([
+    'NODE_ENV',
+    'PYTHONUNBUFFERED',
+    'PYTHONIOENCODING',
+    'PYTHONDONTWRITEBYTECODE',
+    'CI',
+    'DEBUG',
+    'FORCE_COLOR',
+    'NO_COLOR',
+    'CLICOLOR',
+    'CLICOLOR_FORCE',
+    'TERM',
+    'COLORTERM',
+    'LANG',
+    'LC_ALL',
+    'LC_CTYPE',
+    'LC_MESSAGES',
+    'LC_TIME',
+    'LC_COLLATE',
+    'TZ',
+    'EDITOR',
+    'VISUAL',
+    'PAGER',
+    'LESS',
+]);
+// First-token wrappers too broad to anchor a "don't ask again" rule on.
+// `sudo ls` once approved must NOT auto-approve `sudo <anything>`, and we
+// don't (yet) crack open `bash -c "<inner>"` to re-extract — so for these
+// we return null and force exact-match. `sudo` is also caught upstream by
+// isDestructive(); listed here for defence-in-depth.
+const WRAPPER_BLOCKLIST = new Set([
+    'sudo',
+    'doas',
+    'su',
+    'bash',
+    'sh',
+    'zsh',
+    'fish',
+    'dash',
+    'ksh',
+    'cmd',
+    'env',
+    'time',
+    'nice',
+    'ionice',
+    'timeout',
+    'nohup',
+    'xargs',
+    'watch',
+    'parallel',
+    'exec',
+    'eval',
+]);
+// Per-command global-flag tables: tokens between `cmd` and its real
+// subcommand. Without these, `git -C /tmp commit` would extract `git -C`
+// and miss every prefix rule the user has for `git commit`.
+//
+// `valued` flags consume the following token; everything else starting
+// with `-` is treated as a boolean flag (skip one). `--name=value` is
+// detected by the embedded `=`. `cargo +toolchain` is the one non-flag
+// token kind that needs skipping; gated by `takesPlus`.
+const GLOBAL_FLAGS = {
+    git: {
+        valued: new Set(['-C', '-c', '--git-dir', '--work-tree', '--namespace', '--exec-path', '--super-prefix']),
+    },
+    docker: {
+        valued: new Set([
+            '-H',
+            '--host',
+            '--config',
+            '--context',
+            '-c',
+            '--log-level',
+            '--tlscacert',
+            '--tlscert',
+            '--tlskey',
+        ]),
+    },
+    podman: {
+        valued: new Set(['--connection', '-c', '--log-level', '--root', '--runroot', '--storage-driver', '--url']),
+    },
+    kubectl: {
+        valued: new Set([
+            '-n',
+            '--namespace',
+            '--context',
+            '--cluster',
+            '--kubeconfig',
+            '--server',
+            '-s',
+            '--user',
+            '--token',
+            '--as',
+            '--as-group',
+            '--cache-dir',
+            '--certificate-authority',
+            '--client-certificate',
+            '--client-key',
+        ]),
+    },
+    cargo: {
+        valued: new Set(['--config', '-Z', '--color', '--manifest-path']),
+        takesPlus: true,
+    },
+};
+// Subcommand-name shape: lowercase letter, then [a-z0-9-]. Hyphens only
+// internal (no trailing dash). Filters out `-flag`, `/flag`, and paths.
+const SUBCOMMAND_RE = /^[a-z][a-z0-9]*(-[a-z0-9]+)*$/;
 // Detects the `powershell` / `powershell.exe` / `pwsh` invocation prefix.
 // We don't try to match the WHOLE shape here — agents use a lot of flag
 // variations (`-NoProfile`, `-ExecutionPolicy Bypass`, `-File foo.ps1`,
@@ -20,12 +140,20 @@ const POWERSHELL_LAUNCHER_RE = /^(?:powershell(?:\.exe)?|pwsh(?:\.exe)?)\b/i;
 const PS_INNER_CMD_RE = /["']?\s*(?:&\s*\{?\s*)?([A-Za-z][A-Za-z0-9]*(?:-[A-Za-z0-9]+)+|[a-z][a-z0-9._-]*)/;
 /**
  * Extract a command prefix suitable for prefix-match rules.
- * Returns `null` when no meaningful prefix can be derived.
+ * Returns `null` when no meaningful prefix can be safely derived —
+ * callers fall back to exact-match.
  *
  *   'git commit -m "fix"'                                    → 'git commit'
+ *   'git -C /tmp commit -m fix'                              → 'git commit'
+ *   'docker -H tcp://host:2375 ps'                           → 'docker ps'
+ *   'kubectl -n prod get pods'                               → 'kubectl get'
+ *   'cargo +nightly build --release'                         → 'cargo build'
  *   'pnpm run build'                                         → 'pnpm run'
  *   'npm install lodash'                                     → 'npm install'
  *   'NODE_ENV=prod npm run dev'                              → 'npm run'
+ *   'FOO=1 git status'                                       → null   (unsafe env)
+ *   'sudo npm install'                                       → null   (wrapper)
+ *   'bash -c "git status"'                                   → null   (wrapper)
  *   'powershell -Command "Get-CimInstance ..."'              → 'Get-CimInstance'
  *   'powershell -NoProfile -Command "Get-CimInstance ..."'   → 'Get-CimInstance'
  *   'powershell -ExecutionPolicy Bypass -c "git status"'     → 'git'
@@ -35,64 +163,126 @@ const PS_INNER_CMD_RE = /["']?\s*(?:&\s*\{?\s*)?([A-Za-z][A-Za-z0-9]*(?:-[A-Za-z
  *   ''                                                       → null
  */
 export function extractCommandPrefix(command) {
-    let cmd = command.trim();
-    while (ENV_VAR_RE.test(cmd)) {
-        cmd = cmd.replace(ENV_VAR_RE, '');
-    }
-    // PowerShell: scan past launcher + flags to find the inner command.
-    // Agents emit varied flag combinations (`-NoProfile`, `-ExecutionPolicy
-    // Bypass`, `-c` vs `-Command`, etc.) — strip them all, then extract the
-    // first cmdlet/command from the remaining string. The earlier regex-based
-    // approach only matched a fixed flag layout and produced null for the
-    // common `-NoProfile` case, hiding the "don't ask again" option.
+    const cmd = command.trim();
+    if (!cmd)
+        return null;
+    // PowerShell first — its argument syntax doesn't follow the POSIX
+    // VAR=value convention so the env-var stripping below doesn't apply.
     if (POWERSHELL_LAUNCHER_RE.test(cmd)) {
-        const tokens = cmd.split(/\s+/).filter(Boolean);
-        let i = 1; // skip launcher
-        while (i < tokens.length) {
-            const tok = tokens[i];
-            if (!tok.startsWith('-'))
-                break;
-            const lower = tok.toLowerCase();
-            // -Command / -c ends the flag run — what follows is the actual command
-            if (lower === '-command' || lower === '-c') {
-                i++;
-                break;
-            }
-            // -File <path> — no useful prefix; bail.
-            if (lower === '-file')
-                return null;
-            // Flags that take an argument (consume next token too).
-            if (lower === '-executionpolicy' ||
-                lower === '-encodedcommand' ||
-                lower === '-inputformat' ||
-                lower === '-outputformat' ||
-                lower === '-version' ||
-                lower === '-windowstyle' ||
-                lower === '-configurationname' ||
-                lower === '-mta' ||
-                lower === '-sta') {
-                i += 2;
-                continue;
-            }
-            // Boolean flags (no argument): -NoProfile, -NoLogo, -NonInteractive, etc.
-            i++;
-        }
-        if (i >= tokens.length)
+        return extractPowershellPrefix(cmd);
+    }
+    const tokens = cmd.split(/\s+/).filter(Boolean);
+    if (tokens.length === 0)
+        return null;
+    // Per-token env-var stripping. An env-var-shaped token (NAME=…) at the
+    // head must be either whitelisted or it's a hard stop — otherwise an
+    // agent could smuggle PATH=/evil, NODE_OPTIONS=--require ./evil.js,
+    // http_proxy=…, etc. into a rule shaped like `npm run`. Value chars are
+    // intentionally not constrained at this layer: it's the NAME that gates
+    // safety, and an arbitrary value class would let weird-but-safe values
+    // (`/`, `$`, `:`) bypass the check entirely.
+    let i = 0;
+    while (i < tokens.length) {
+        const tok = tokens[i];
+        const m = /^([A-Za-z_]\w*)=/.exec(tok);
+        if (!m)
+            break;
+        if (!SAFE_ENV_VARS.has(m[1]))
             return null;
-        const inner = tokens.slice(i).join(' ');
-        const m = PS_INNER_CMD_RE.exec(inner);
-        if (m?.[1])
-            return m[1];
+        // A quoted value split across whitespace (`FOO="a b" cmd`) means our
+        // \s+ tokenizer broke the value boundary. We can't tell where the
+        // value ends without a real shell parser, so refuse the prefix.
+        const value = tok.slice(m[0].length);
+        if (hasUnclosedQuote(value))
+            return null;
+        i++;
+    }
+    const rest = tokens.slice(i);
+    if (rest.length < 2)
         return null;
+    const firstLower = rest[0].toLowerCase();
+    if (WRAPPER_BLOCKLIST.has(firstLower))
+        return null;
+    const subIdx = skipGlobalFlags(rest, firstLower);
+    if (subIdx >= rest.length)
+        return null;
+    const sub = rest[subIdx];
+    if (!SUBCOMMAND_RE.test(sub))
+        return null;
+    return `${rest[0]} ${sub}`;
+}
+function hasUnclosedQuote(s) {
+    let sq = 0;
+    let dq = 0;
+    for (const ch of s) {
+        if (ch === "'")
+            sq++;
+        else if (ch === '"')
+            dq++;
     }
+    return sq % 2 === 1 || dq % 2 === 1;
+}
+function skipGlobalFlags(tokens, firstLower) {
+    const cfg = GLOBAL_FLAGS[firstLower];
+    if (!cfg)
+        return 1;
+    let i = 1;
+    while (i < tokens.length) {
+        const tok = tokens[i];
+        if (cfg.takesPlus && tok.startsWith('+')) {
+            i++;
+            continue;
+        }
+        if (!tok.startsWith('-'))
+            break;
+        // --flag=value: single token, advance once.
+        if (tok.includes('=')) {
+            i++;
+            continue;
+        }
+        if (cfg.valued.has(tok)) {
+            i += 2;
+            continue;
+        }
+        // Unknown boolean-style flag — best-effort skip. Erring toward "find
+        // the subcommand" matches what users see at the CLI.
+        i++;
+    }
+    return i;
+}
+function extractPowershellPrefix(cmd) {
     const tokens = cmd.split(/\s+/).filter(Boolean);
-    if (tokens.length < 2)
-        return null;
-    const second = tokens[1];
-    if (/^[a-z][a-z0-9]*(-[a-z0-9]+)*$/.test(second)) {
-        return `${tokens[0]} ${second}`;
+    let i = 1; // skip launcher
+    while (i < tokens.length) {
+        const tok = tokens[i];
+        if (!tok.startsWith('-'))
+            break;
+        const lower = tok.toLowerCase();
+        if (lower === '-command' || lower === '-c') {
+            i++;
+            break;
+        }
+        if (lower === '-file')
+            return null;
+        if (lower === '-executionpolicy' ||
+            lower === '-encodedcommand' ||
+            lower === '-inputformat' ||
+            lower === '-outputformat' ||
+            lower === '-version' ||
+            lower === '-windowstyle' ||
+            lower === '-configurationname' ||
+            lower === '-mta' ||
+            lower === '-sta') {
+            i += 2;
+            continue;
+        }
+        i++;
     }
-    return null;
+    if (i >= tokens.length)
+        return null;
+    const inner = tokens.slice(i).join(' ');
+    const m = PS_INNER_CMD_RE.exec(inner);
+    return m?.[1] ?? null;
 }
 /**
  * Generate the display label for the "don't ask again" option.
@@ -106,10 +296,15 @@ export function extractCommandPrefix(command) {
  *   the prefix regex; without this fallback the user gets only Yes/No
  *   forever for repeated identical commands).
  * Write tools (writeFile / edit): `all edits this session` (session-only)
+ * MCP tools (isMcp=true):         `this MCP tool` (persisted to disk via
+ *   McpPermissionStore — the label matches that posture, unlike write
+ *   tools which fall back to session-only).
  */
-export function suggestRuleLabel(toolName, input) {
+export function suggestRuleLabel(toolName, input, isMcp = false) {
     if (toolName === 'enterPlanMode')
         return null;
+    if (isMcp)
+        return 'this MCP tool';
     if (toolName === 'shell') {
         const cmd = input.command ?? '';
         const prefix = extractCommandPrefix(cmd);
@@ -145,19 +340,26 @@ export function buildAllowRule(toolName, input) {
         if (prefix) {
             return { rule: { tool: toolName, pattern: prefix, type: 'prefix' }, persist: true };
         }
-        // Strip env-var prefixes so a `NODE_ENV=prod foo …` approval works
-        // for plain `foo …` later — same key the matcher compares against.
-        const exact = stripEnvVars(cmd);
+        // Strip *safe* env-var prefixes only — same key the matcher compares
+        // against (stripSafeEnvVars). Non-whitelisted assignments stay in the
+        // pattern so an approval for `BACKDOOR=1 findstr …` doesn't
+        // accidentally auto-allow `findstr …` on its own.
+        const exact = stripSafeEnvVars(cmd);
         if (!exact)
             return null;
         return { rule: { tool: toolName, pattern: exact, type: 'exact' }, persist: true };
     }
     return { rule: { tool: toolName, pattern: '*', type: 'tool' }, persist: false };
 }
-function stripEnvVars(command) {
+function stripSafeEnvVars(command) {
     let cmd = command.trim();
-    while (ENV_VAR_RE.test(cmd)) {
-        cmd = cmd.replace(ENV_VAR_RE, '');
+    while (true) {
+        const m = ENV_VAR_RE.exec(cmd);
+        if (!m)
+            break;
+        if (!SAFE_ENV_VARS.has(m[1]))
+            break;
+        cmd = cmd.slice(m[0].length);
     }
     return cmd.trim();
 }
@@ -204,7 +406,7 @@ class SessionPermissionStore {
             if (toolName === 'shell') {
                 const cmd = input.command ?? '';
                 const prefix = extractCommandPrefix(cmd);
-                if (rule.type === 'exact' && stripEnvVars(cmd) === rule.pattern)
+                if (rule.type === 'exact' && stripSafeEnvVars(cmd) === rule.pattern)
                     return true;
                 if (rule.type === 'prefix' && prefix) {
                     if (prefix === rule.pattern)

package/dist/permissions/session-store.js.map

@@ -1 +1 @@
-{"version":3,"file":"session-store.js","sourceRoot":"","sources":["../../src/permissions/session-store.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,EAAE;AACF,wEAAwE;AACxE,0DAA0D;AAC1D,wEAAwE;AACxE,mDAAmD;AACnD,OAAO,KAAK,EAAE,MAAM,SAAS,CAAA;AAC7B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAA;AAEjC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAQvC,oEAAoE;AACpE,MAAM,UAAU,GAAG,qCAAqC,CAAA;AAExD,0EAA0E;AAC1E,wEAAwE;AACxE,wEAAwE;AACxE,uEAAuE;AACvE,8DAA8D;AAC9D,MAAM,sBAAsB,GAAG,6CAA6C,CAAA;AAE5E,2EAA2E;AAC3E,yEAAyE;AACzE,MAAM,eAAe,GAAG,mFAAmF,CAAA;AAE3G;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,IAAI,GAAG,GAAG,OAAO,CAAC,IAAI,EAAE,CAAA;IACxB,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAA;IACnC,CAAC;IAED,oEAAoE;IACpE,wEAAwE;IACxE,wEAAwE;IACxE,0EAA0E;IAC1E,sEAAsE;IACtE,iEAAiE;IACjE,IAAI,sBAAsB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;QAC/C,IAAI,CAAC,GAAG,CAAC,CAAA,CAAC,gBAAgB;QAC1B,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;YACzB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAE,CAAA;YACtB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,MAAK;YAC/B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;YAC/B,uEAAuE;YACvE,IAAI,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBAC3C,CAAC,EAAE,CAAA;gBACH,MAAK;YACP,CAAC;YACD,yCAAyC;YACzC,IAAI,KAAK,KAAK,OAAO;gBAAE,OAAO,IAAI,CAAA;YAClC,wDAAwD;YACxD,IACE,KAAK,KAAK,kBAAkB;gBAC5B,KAAK,KAAK,iBAAiB;gBAC3B,KAAK,KAAK,cAAc;gBACxB,KAAK,KAAK,eAAe;gBACzB,KAAK,KAAK,UAAU;gBACpB,KAAK,KAAK,cAAc;gBACxB,KAAK,KAAK,oBAAoB;gBAC9B,KAAK,KAAK,MAAM;gBAChB,KAAK,KAAK,MAAM,EAChB,CAAC;gBACD,CAAC,IAAI,CAAC,CAAA;gBACN,SAAQ;YACV,CAAC;YACD,0EAA0E;YAC1E,CAAC,EAAE,CAAA;QACL,CAAC;QACD,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM;YAAE,OAAO,IAAI,CAAA;QACnC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACvC,MAAM,CAAC,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACrC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAA;QACvB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IAC/C,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAE,CAAA;IACzB,IAAI,+BAA+B,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACjD,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,MAAM,EAAE,CAAA;IACjC,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB,EAAE,KAA8B;IAC/E,IAAI,QAAQ,KAAK,eAAe;QAAE,OAAO,IAAI,CAAA;IAC7C,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,MAAM,GAAG,GAAI,KAAK,CAAC,OAAkB,IAAI,EAAE,CAAA;QAC3C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAA;QACxC,IAAI,MAAM;YAAE,OAAO,GAAG,MAAM,IAAI,CAAA;QAChC,OAAO,oBAAoB,CAAA;IAC7B,CAAC;IACD,OAAO,wBAAwB,CAAA;AACjC,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,cAAc,CAC5B,QAAgB,EAChB,KAA8B;IAE9B,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,MAAM,GAAG,GAAI,KAAK,CAAC,OAAkB,IAAI,EAAE,CAAA;QAC3C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAA;QACxC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;QACrF,CAAC;QACD,mEAAmE;QACnE,mEAAmE;QACnE,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,CAAA;QAC/B,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;IACnF,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;AACjF,CAAC;AAED,SAAS,YAAY,CAAC,OAAe;IACnC,IAAI,GAAG,GAAG,OAAO,CAAC,IAAI,EAAE,CAAA;IACxB,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAA;IACnC,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,EAAE,CAAA;AACnB,CAAC;AAED,gCAAgC;AAEhC,SAAS,YAAY,CAAC,IAAe;IACnC,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM;QAAE,OAAO,GAAG,IAAI,CAAC,IAAI,IAAI,CAAA;IACjD,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,IAAI,CAAA;IACnE,OAAO,GAAG,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,OAAO,EAAE,CAAA;AACxC,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,sBAAsB;IACtB,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAA;IACxC,IAAI,QAAQ;QAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAE,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;IACvE,gCAAgC;IAChC,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;IAC3C,IAAI,MAAM;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAE,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;IAC5E,6BAA6B;IAC7B,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAA;IACxC,IAAI,KAAK;QAAE,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAE,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAA;IACxE,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW;IACrC,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,kBAAkB,CAAC,CAAA;AAC/D,CAAC;AAED,gBAAgB;AAEhB,MAAM,sBAAsB;IAClB,KAAK,GAAgB,EAAE,CAAA;IAE/B,OAAO,CAAC,IAAe;QACrB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,CAAA;QACjH,IAAI,CAAC,MAAM;YAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACpC,CAAC;IAED,OAAO,CAAC,QAAgB,EAAE,KAA8B;QACtD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ;gBAAE,SAAQ;YAEpC,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM;gBAAE,OAAO,IAAI,CAAA;YAErC,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACzB,MAAM,GAAG,GAAI,KAAK,CAAC,OAAkB,IAAI,EAAE,CAAA;gBAC3C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAA;gBACxC,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,YAAY,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,OAAO;oBAAE,OAAO,IAAI,CAAA;gBAC5E,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,EAAE,CAAC;oBACrC,IAAI,MAAM,KAAK,IAAI,CAAC,OAAO;wBAAE,OAAO,IAAI,CAAA;oBACxC,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC;wBAAE,OAAO,IAAI,CAAA;gBACxD,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,KAAK;QACH,IAAI,CAAC,KAAK,GAAG,EAAE,CAAA;IACjB,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAA;IAC1B,CAAC;CACF;AAED,MAAM,KAAK,GAAG,IAAI,sBAAsB,EAAE,CAAA;AAE1C,MAAM,UAAU,mBAAmB,CAAC,IAAe;IACjD,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;AACrB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,KAA8B;IAChF,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;AACvC,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,KAAK,CAAC,KAAK,EAAE,CAAA;AACf,CAAC;AAED,2BAA2B;AAE3B;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;IACxC,IAAI,GAAW,CAAA;IACf,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAM;IACR,CAAC;IACD,IAAI,IAA0B,CAAA;IAC9B,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAyB,CAAA;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAM;IACR,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAM;IACtC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QAC/B,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,SAAQ;QACvC,MAAM,IAAI,GAAG,eAAe,CAAC,KAAK,CAAC,CAAA;QACnC,IAAI,IAAI;YAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;IAC/B,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW,EAAE,IAAe;IACtD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;IACxC,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;IAElC,MAAM,IAAI,GAAwB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAA;IAC/C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAyB,CAAA;QACtD,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAA;QAC7E,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,oDAAoD;IACtD,CAAC;IAED,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAM;IAExC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAExB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAClC,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACtC,uEAAuE;IACvE,sEAAsE;IACtE,wEAAwE;IACxE,0EAA0E;IAC1E,uBAAuB;IACvB,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAA;IAClD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAClC,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,KAAK,EAAE,OAAO,CAAC,CAAA;IACjD,CAAC;IACD,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAA;AAC3E,CAAC"}
+{"version":3,"file":"session-store.js","sourceRoot":"","sources":["../../src/permissions/session-store.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,EAAE;AACF,wEAAwE;AACxE,0DAA0D;AAC1D,wEAAwE;AACxE,mDAAmD;AACnD,OAAO,KAAK,EAAE,MAAM,SAAS,CAAA;AAC7B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAA;AAEjC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAQvC,oEAAoE;AACpE,yEAAyE;AACzE,wEAAwE;AACxE,MAAM,UAAU,GAAG,uCAAuC,CAAA;AAE1D,0EAA0E;AAC1E,0EAA0E;AAC1E,sEAAsE;AACtE,wEAAwE;AACxE,0EAA0E;AAC1E,0CAA0C;AAC1C,EAAE;AACF,oEAAoE;AACpE,0EAA0E;AAC1E,sBAAsB;AACtB,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,UAAU;IACV,kBAAkB;IAClB,kBAAkB;IAClB,yBAAyB;IACzB,IAAI;IACJ,OAAO;IACP,aAAa;IACb,UAAU;IACV,UAAU;IACV,gBAAgB;IAChB,MAAM;IACN,WAAW;IACX,MAAM;IACN,QAAQ;IACR,UAAU;IACV,aAAa;IACb,SAAS;IACT,YAAY;IACZ,IAAI;IACJ,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,MAAM;CACP,CAAC,CAAA;AAEF,wEAAwE;AACxE,0EAA0E;AAC1E,0EAA0E;AAC1E,0EAA0E;AAC1E,qDAAqD;AACrD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,MAAM;IACN,MAAM;IACN,IAAI;IACJ,MAAM;IACN,IAAI;IACJ,KAAK;IACL,MAAM;IACN,MAAM;IACN,KAAK;IACL,KAAK;IACL,KAAK;IACL,MAAM;IACN,MAAM;IACN,QAAQ;IACR,SAAS;IACT,OAAO;IACP,OAAO;IACP,OAAO;IACP,UAAU;IACV,MAAM;IACN,MAAM;CACP,CAAC,CAAA;AAEF,oEAAoE;AACpE,yEAAyE;AACzE,4DAA4D;AAC5D,EAAE;AACF,uEAAuE;AACvE,sEAAsE;AACtE,uEAAuE;AACvE,wDAAwD;AACxD,MAAM,YAAY,GAAiE;IACjF,GAAG,EAAE;QACH,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,aAAa,EAAE,aAAa,EAAE,aAAa,EAAE,gBAAgB,CAAC,CAAC;KAC1G;IACD,MAAM,EAAE;QACN,MAAM,EAAE,IAAI,GAAG,CAAC;YACd,IAAI;YACJ,QAAQ;YACR,UAAU;YACV,WAAW;YACX,IAAI;YACJ,aAAa;YACb,aAAa;YACb,WAAW;YACX,UAAU;SACX,CAAC;KACH;IACD,MAAM,EAAE;QACN,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,WAAW,EAAE,kBAAkB,EAAE,OAAO,CAAC,CAAC;KAC3G;IACD,OAAO,EAAE;QACP,MAAM,EAAE,IAAI,GAAG,CAAC;YACd,IAAI;YACJ,aAAa;YACb,WAAW;YACX,WAAW;YACX,cAAc;YACd,UAAU;YACV,IAAI;YACJ,QAAQ;YACR,SAAS;YACT,MAAM;YACN,YAAY;YACZ,aAAa;YACb,yBAAyB;YACzB,sBAAsB;YACtB,cAAc;SACf,CAAC;KACH;IACD,KAAK,EAAE;QACL,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,iBAAiB,CAAC,CAAC;QACjE,SAAS,EAAE,IAAI;KAChB;CACF,CAAA;AAED,wEAAwE;AACxE,wEAAwE;AACxE,MAAM,aAAa,GAAG,+BAA+B,CAAA;AAErD,0EAA0E;AAC1E,wEAAwE;AACxE,wEAAwE;AACxE,uEAAuE;AACvE,8DAA8D;AAC9D,MAAM,sBAAsB,GAAG,6CAA6C,CAAA;AAE5E,2EAA2E;AAC3E,yEAAyE;AACzE,MAAM,eAAe,GAAG,mFAAmF,CAAA;AAE3G;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,EAAE,CAAA;IAC1B,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAA;IAErB,kEAAkE;IAClE,qEAAqE;IACrE,IAAI,sBAAsB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,OAAO,uBAAuB,CAAC,GAAG,CAAC,CAAA;IACrC,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IAC/C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAEpC,uEAAuE;IACvE,qEAAqE;IACrE,oEAAoE;IACpE,wEAAwE;IACxE,wEAAwE;IACxE,uEAAuE;IACvE,6CAA6C;IAC7C,IAAI,CAAC,GAAG,CAAC,CAAA;IACT,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAE,CAAA;QACtB,MAAM,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACtC,IAAI,CAAC,CAAC;YAAE,MAAK;QACb,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC;YAAE,OAAO,IAAI,CAAA;QAC1C,qEAAqE;QACrE,kEAAkE;QAClE,gEAAgE;QAChE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAA;QACpC,IAAI,gBAAgB,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAA;QACxC,CAAC,EAAE,CAAA;IACL,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAC5B,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEhC,MAAM,UAAU,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC,WAAW,EAAE,CAAA;IACzC,IAAI,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC;QAAE,OAAO,IAAI,CAAA;IAElD,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;IAChD,IAAI,MAAM,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IAEtC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAE,CAAA;IACzB,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEzC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAA;AAC5B,CAAC;AAED,SAAS,gBAAgB,CAAC,CAAS;IACjC,IAAI,EAAE,GAAG,CAAC,CAAA;IACV,IAAI,EAAE,GAAG,CAAC,CAAA;IACV,KAAK,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;QACnB,IAAI,EAAE,KAAK,GAAG;YAAE,EAAE,EAAE,CAAA;aACf,IAAI,EAAE,KAAK,GAAG;YAAE,EAAE,EAAE,CAAA;IAC3B,CAAC;IACD,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,CAAA;AACrC,CAAC;AAED,SAAS,eAAe,CAAC,MAAgB,EAAE,UAAkB;IAC3D,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,CAAC,CAAA;IACpC,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,CAAA;IAClB,IAAI,CAAC,GAAG,CAAC,CAAA;IACT,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAE,CAAA;QACtB,IAAI,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACzC,CAAC,EAAE,CAAA;YACH,SAAQ;QACV,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,MAAK;QAC/B,4CAA4C;QAC5C,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACtB,CAAC,EAAE,CAAA;YACH,SAAQ;QACV,CAAC;QACD,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,CAAC,IAAI,CAAC,CAAA;YACN,SAAQ;QACV,CAAC;QACD,qEAAqE;QACrE,qDAAqD;QACrD,CAAC,EAAE,CAAA;IACL,CAAC;IACD,OAAO,CAAC,CAAA;AACV,CAAC;AAED,SAAS,uBAAuB,CAAC,GAAW;IAC1C,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IAC/C,IAAI,CAAC,GAAG,CAAC,CAAA,CAAC,gBAAgB;IAC1B,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAE,CAAA;QACtB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,MAAK;QAC/B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;QAC/B,IAAI,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YAC3C,CAAC,EAAE,CAAA;YACH,MAAK;QACP,CAAC;QACD,IAAI,KAAK,KAAK,OAAO;YAAE,OAAO,IAAI,CAAA;QAClC,IACE,KAAK,KAAK,kBAAkB;YAC5B,KAAK,KAAK,iBAAiB;YAC3B,KAAK,KAAK,cAAc;YACxB,KAAK,KAAK,eAAe;YACzB,KAAK,KAAK,UAAU;YACpB,KAAK,KAAK,cAAc;YACxB,KAAK,KAAK,oBAAoB;YAC9B,KAAK,KAAK,MAAM;YAChB,KAAK,KAAK,MAAM,EAChB,CAAC;YACD,CAAC,IAAI,CAAC,CAAA;YACN,SAAQ;QACV,CAAC;QACD,CAAC,EAAE,CAAA;IACL,CAAC;IACD,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM;QAAE,OAAO,IAAI,CAAA;IACnC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACvC,MAAM,CAAC,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;IACrC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAA;AACvB,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB,EAAE,KAA8B,EAAE,KAAK,GAAG,KAAK;IAC9F,IAAI,QAAQ,KAAK,eAAe;QAAE,OAAO,IAAI,CAAA;IAC7C,IAAI,KAAK;QAAE,OAAO,eAAe,CAAA;IACjC,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,MAAM,GAAG,GAAI,KAAK,CAAC,OAAkB,IAAI,EAAE,CAAA;QAC3C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAA;QACxC,IAAI,MAAM;YAAE,OAAO,GAAG,MAAM,IAAI,CAAA;QAChC,OAAO,oBAAoB,CAAA;IAC7B,CAAC;IACD,OAAO,wBAAwB,CAAA;AACjC,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,cAAc,CAC5B,QAAgB,EAChB,KAA8B;IAE9B,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,MAAM,GAAG,GAAI,KAAK,CAAC,OAAkB,IAAI,EAAE,CAAA;QAC3C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAA;QACxC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;QACrF,CAAC;QACD,qEAAqE;QACrE,sEAAsE;QACtE,4DAA4D;QAC5D,kDAAkD;QAClD,MAAM,KAAK,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAA;QACnC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;IACnF,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;AACjF,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe;IACvC,IAAI,GAAG,GAAG,OAAO,CAAC,IAAI,EAAE,CAAA;IACxB,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,CAAC,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC9B,IAAI,CAAC,CAAC;YAAE,MAAK;QACb,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAE,CAAC;YAAE,MAAK;QACpC,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAA;IAC9B,CAAC;IACD,OAAO,GAAG,CAAC,IAAI,EAAE,CAAA;AACnB,CAAC;AAED,gCAAgC;AAEhC,SAAS,YAAY,CAAC,IAAe;IACnC,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM;QAAE,OAAO,GAAG,IAAI,CAAC,IAAI,IAAI,CAAA;IACjD,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,IAAI,CAAA;IACnE,OAAO,GAAG,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,OAAO,EAAE,CAAA;AACxC,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,sBAAsB;IACtB,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAA;IACxC,IAAI,QAAQ;QAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAE,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;IACvE,gCAAgC;IAChC,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;IAC3C,IAAI,MAAM;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAE,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,CAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAA;IAC5E,6BAA6B;IAC7B,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAA;IACxC,IAAI,KAAK;QAAE,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAE,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAA;IACxE,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW;IACrC,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,kBAAkB,CAAC,CAAA;AAC/D,CAAC;AAED,gBAAgB;AAEhB,MAAM,sBAAsB;IAClB,KAAK,GAAgB,EAAE,CAAA;IAE/B,OAAO,CAAC,IAAe;QACrB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,CAAA;QACjH,IAAI,CAAC,MAAM;YAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACpC,CAAC;IAED,OAAO,CAAC,QAAgB,EAAE,KAA8B;QACtD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ;gBAAE,SAAQ;YAEpC,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM;gBAAE,OAAO,IAAI,CAAA;YAErC,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;gBACzB,MAAM,GAAG,GAAI,KAAK,CAAC,OAAkB,IAAI,EAAE,CAAA;gBAC3C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAA;gBACxC,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,gBAAgB,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,OAAO;oBAAE,OAAO,IAAI,CAAA;gBAChF,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,MAAM,EAAE,CAAC;oBACrC,IAAI,MAAM,KAAK,IAAI,CAAC,OAAO;wBAAE,OAAO,IAAI,CAAA;oBACxC,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC;wBAAE,OAAO,IAAI,CAAA;gBACxD,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,KAAK;QACH,IAAI,CAAC,KAAK,GAAG,EAAE,CAAA;IACjB,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAA;IAC1B,CAAC;CACF;AAED,MAAM,KAAK,GAAG,IAAI,sBAAsB,EAAE,CAAA;AAE1C,MAAM,UAAU,mBAAmB,CAAC,IAAe;IACjD,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;AACrB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,KAA8B;IAChF,OAAO,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;AACvC,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,KAAK,CAAC,KAAK,EAAE,CAAA;AACf,CAAC;AAED,2BAA2B;AAE3B;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;IACxC,IAAI,GAAW,CAAA;IACf,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAM;IACR,CAAC;IACD,IAAI,IAA0B,CAAA;IAC9B,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAyB,CAAA;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAM;IACR,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAM;IACtC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QAC/B,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,SAAQ;QACvC,MAAM,IAAI,GAAG,eAAe,CAAC,KAAK,CAAC,CAAA;QACnC,IAAI,IAAI;YAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;IAC/B,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW,EAAE,IAAe;IACtD,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;IACxC,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;IAElC,MAAM,IAAI,GAAwB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAA;IAC/C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAyB,CAAA;QACtD,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAA;QAC7E,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,oDAAoD;IACtD,CAAC;IAED,IAAI,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAM;IAExC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAExB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAClC,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACtC,uEAAuE;IACvE,sEAAsE;IACtE,wEAAwE;IACxE,0EAA0E;IAC1E,uBAAuB;IACvB,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAA;IAClD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAClC,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,KAAK,EAAE,OAAO,CAAC,CAAA;IACjD,CAAC;IACD,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAA;AAC3E,CAAC"}

package/dist/plugins/consent.d.ts

@@ -0,0 +1,87 @@
+import type { HookEventName } from '../hooks/types.js';
+import type { PluginManifest, PluginSource } from './types.js';
+export interface ConsentPreview {
+    pluginId: string;
+    version: string;
+    description?: string;
+    source: PluginSource;
+    marketplace: string;
+    /** True when the install came from a marketplace flagged `verified`. */
+    verified: boolean;
+    /** True when the marketplace's name is one of `RESERVED_MARKETPLACE_NAMES`. */
+    fromReservedMarketplace: boolean;
+    /** Hook event names the plugin registers. Empty means no hooks. */
+    hookEvents: HookEventName[];
+    /** MCP server names contributed inline (path-form not previewed —
+     *  requires reading another file before consent). */
+    inlineMcpServerNames: string[];
+    hasSkillsDir: boolean;
+    hasAgentsDir: boolean;
+    hasCommandsDir: boolean;
+    /** True when manifest declares `mcpServers` as a file path (not
+     *  inline) — we don't have the names yet at consent time, but we can
+     *  warn the user that the plugin DOES bring MCP servers. */
+    hasPathMcpServers: boolean;
+    /** Same as above for hooks declared via path rather than inline. */
+    hasPathHooks: boolean;
+    author?: string;
+    license?: string;
+    homepage?: string;
+}
+/** Filesystem-side info about a plugin's root directory — the things
+ *  a manifest-only inspection can't see. Populated by [[probePluginRoot]]
+ *  and passed to [[buildConsentPreview]] so the install-time "Will
+ *  contribute" line reflects auto-discovered contributions (e.g.
+ *  Claude Code's convention of dropping `.mcp.json` next to plugin.json
+ *  instead of declaring `mcpServers` in the manifest). */
+export interface RootProbe {
+    hasSkillsDir: boolean;
+    hasAgentsDir: boolean;
+    hasCommandsDir: boolean;
+    /** Server names parsed from a root-level `.mcp.json` / `mcp.json`
+     *  (both flat and wrapped shapes accepted; see
+     *  [[extractMcpServersBlock]]). Empty when neither file is present
+     *  or the file failed to parse. */
+    rootMcpServerNames: string[];
+    /** True when a root-level mcp file exists, even if no names could
+     *  be parsed from it. Lets the consent UI still warn "this plugin
+     *  contributes MCP servers" when names are momentarily unknown. */
+    hasRootMcpFile: boolean;
+    /** Hook event names parsed from `hooks/hooks.json` at root, if present. */
+    rootHookEvents: HookEventName[];
+    /** True when `hooks/hooks.json` exists, regardless of parse result. */
+    hasRootHooksFile: boolean;
+}
+export interface BuildPreviewInput {
+    pluginId: string;
+    manifest: PluginManifest;
+    source: PluginSource;
+    marketplace: string;
+    verified?: boolean;
+    fromReservedMarketplace?: boolean;
+    /** Optional probe of the plugin's root directory. Without it,
+     *  consent shows only what the manifest declares — which misses
+     *  Claude Code-convention plugins that ship contributions as
+     *  conventional files / dirs alongside `plugin.json`. */
+    rootProbe?: RootProbe;
+}
+/** Stat the plugin root for the conventional contribution files / dirs
+ *  the loader's `resolveContributions` will pick up at runtime. The
+ *  consent UI uses this so "Will contribute" doesn't lie when a plugin
+ *  drops `skills/`, `.mcp.json`, etc. at root without naming them in
+ *  the manifest. Safe to call on any directory — every probe is a
+ *  best-effort stat / read and missing or unreadable files just count
+ *  as "absent". */
+export declare function probePluginRoot(rootDir: string): Promise<RootProbe>;
+/** Build a `ConsentPreview` from a parsed manifest. The hook + mcp
+ *  fields are inspected only for the inline shape; path-form
+ *  contributions are surfaced as `has*` booleans so the consent UI can
+ *  warn "this plugin contributes MCP servers" even when their names
+ *  aren't yet known.
+ *
+ *  When `input.rootProbe` is present, conventional root-level
+ *  contributions (an undeclared `.mcp.json`, `hooks/hooks.json`,
+ *  `skills/`, etc.) are merged in too — the loader will pick those up
+ *  at runtime, so the consent UI needs to know about them now. */
+export declare function buildConsentPreview(input: BuildPreviewInput): ConsentPreview;
+//# sourceMappingURL=consent.d.ts.map

package/dist/plugins/consent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent.d.ts","sourceRoot":"","sources":["../../src/plugins/consent.ts"],"names":[],"mappings":"AA6BA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAGtD,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAE9D,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAA;IAChB,OAAO,EAAE,MAAM,CAAA;IACf,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,MAAM,EAAE,YAAY,CAAA;IACpB,WAAW,EAAE,MAAM,CAAA;IACnB,wEAAwE;IACxE,QAAQ,EAAE,OAAO,CAAA;IACjB,+EAA+E;IAC/E,uBAAuB,EAAE,OAAO,CAAA;IAChC,mEAAmE;IACnE,UAAU,EAAE,aAAa,EAAE,CAAA;IAC3B;yDACqD;IACrD,oBAAoB,EAAE,MAAM,EAAE,CAAA;IAC9B,YAAY,EAAE,OAAO,CAAA;IACrB,YAAY,EAAE,OAAO,CAAA;IACrB,cAAc,EAAE,OAAO,CAAA;IACvB;;gEAE4D;IAC5D,iBAAiB,EAAE,OAAO,CAAA;IAC1B,oEAAoE;IACpE,YAAY,EAAE,OAAO,CAAA;IACrB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED;;;;;0DAK0D;AAC1D,MAAM,WAAW,SAAS;IACxB,YAAY,EAAE,OAAO,CAAA;IACrB,YAAY,EAAE,OAAO,CAAA;IACrB,cAAc,EAAE,OAAO,CAAA;IACvB;;;uCAGmC;IACnC,kBAAkB,EAAE,MAAM,EAAE,CAAA;IAC5B;;uEAEmE;IACnE,cAAc,EAAE,OAAO,CAAA;IACvB,2EAA2E;IAC3E,cAAc,EAAE,aAAa,EAAE,CAAA;IAC/B,uEAAuE;IACvE,gBAAgB,EAAE,OAAO,CAAA;CAC1B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAA;IAChB,QAAQ,EAAE,cAAc,CAAA;IACxB,MAAM,EAAE,YAAY,CAAA;IACpB,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,uBAAuB,CAAC,EAAE,OAAO,CAAA;IACjC;;;6DAGyD;IACzD,SAAS,CAAC,EAAE,SAAS,CAAA;CACtB;AAED;;;;;;mBAMmB;AACnB,wBAAsB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAmDzE;AAoBD;;;;;;;;;kEASkE;AAClE,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,iBAAiB,GAAG,cAAc,CA4D5E"}