aegis-mcp-server 0.1.8 → 0.1.10
- package/dist/index.d.ts +6 -13
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +32 -35
- package/dist/index.js.map +1 -1
- package/dist/services/enforcement-engine.js +1 -1
- package/dist/services/enforcement-engine.js.map +1 -1
- package/dist/services/policy-loader.d.ts +28 -12
- package/dist/services/policy-loader.d.ts.map +1 -1
- package/dist/services/policy-loader.js +61 -20
- package/dist/services/policy-loader.js.map +1 -1
- package/dist/tools/file-tools.d.ts +12 -24
- package/dist/tools/file-tools.d.ts.map +1 -1
- package/dist/tools/file-tools.js +106 -42
- package/dist/tools/file-tools.js.map +1 -1
- package/package.json +1 -1
- package/src/index.ts +34 -35
- package/src/services/enforcement-engine.ts +1 -1
- package/src/services/policy-loader.ts +67 -21
- package/src/tools/file-tools.ts +121 -42
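--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -5,22 +5,15 @@
 * Starts the MCP enforcement server. Loads .agentpolicy/ into process memory,
 * registers governed tools, and connects via stdio transport.
 *
-*
-*
-*
+* Universal mode (default): No --role flag. The agent calls aegis_policy_summary
+* on connection, sees available roles, presents them to the user, and the user
+* selects a role. The MCP locks to that role for the session.
+*
+* Fixed mode: --role <id> locks to a specific role at startup.
 *
 * Usage:
+* aegis-mcp --project /path/to/project
 * aegis-mcp --project /path/to/project --role backend
-*
-* Claude Code MCP config:
-* {
-* "mcpServers": {
-* "aegis": {
-* "command": "npx",
-* "args": ["aegis-mcp-server", "--project", ".", "--role", "default"]
-* }
-* }
-* }
 */
 export {};
 //# sourceMappingURL=index.d.ts.map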
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;GAeG"}
|
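--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -5,22 +5,15 @@
 * Starts the MCP enforcement server. Loads .agentpolicy/ into process memory,
 * registers governed tools, and connects via stdio transport.
 *
-*
-*
-*
+* Universal mode (default): No --role flag. The agent calls aegis_policy_summary
+* on connection, sees available roles, presents them to the user, and the user
+* selects a role. The MCP locks to that role for the session.
+*
+* Fixed mode: --role <id> locks to a specific role at startup.
 *
 * Usage:
+* aegis-mcp --project /path/to/project
 * aegis-mcp --project /path/to/project --role backend
-*
-* Claude Code MCP config:
-* {
-* "mcpServers": {
-* "aegis": {
-* "command": "npx",
-* "args": ["aegis-mcp-server", "--project", ".", "--role", "default"]
-* }
-* }
-* }
 */
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
@@ -36,9 +29,6 @@ const __dirname = dirname(__filename);
 const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf-8'));
 const VERSION = pkg.version;
 // ─── Update Checker ─────────────────────────────────────────────────────────
-// Non-blocking check against the npm registry. If a newer version
-// exists, prints a one-line notice to stderr. If the check fails
-// (offline, timeout, etc.), skips silently — never blocks startup.
 async function checkForUpdate() {
 try {
 const controller = new AbortController();
@@ -61,14 +51,14 @@ async function checkForUpdate() {
 }
 }
 catch {
-// Silently skip
+// Silently skip
 }
 }
 // ─── Parse CLI Args ─────────────────────────────────────────────────────────
 function parseArgs() {
 const args = process.argv.slice(2);
 let projectRoot = process.cwd();
-let role = '
+let role = 'auto'; // Universal mode by default
 let policyDir;
 for (let i = 0; i < args.length; i++) {
 switch (args[i]) {
@@ -78,7 +68,7 @@ function parseArgs() {
 break;
 case '--role':
 case '-r':
-role = args[++i] ?? '
+role = args[++i] ?? 'auto';
 break;
 case '--policy-dir':
 policyDir = args[++i];
@@ -106,20 +96,22 @@ USAGE:
 
 OPTIONS:
 -p, --project <path> Project root directory (default: cwd)
--r, --role <role-id> Agent role to enforce (default: "
+-r, --role <role-id> Agent role to enforce (default: "auto" — agent selects at runtime)
 --policy-dir <dir> Policy directory name (default: ".agentpolicy")
 -h, --help Show this help
 -v, --version Show version
 
-
-
-
-
-
-
-
-
-
+UNIVERSAL MODE (default):
+aegis-mcp --project .
+
+No --role flag. The agent calls aegis_policy_summary, sees available roles,
+presents them to the user, and the user selects. The MCP locks to that role
+for the session.
+
+FIXED MODE:
+aegis-mcp --project . --role backend
+
+Locks to a specific role at startup.
 
 TOOLS PROVIDED:
 aegis_check_permissions Pre-check if an operation is allowed
@@ -128,17 +120,18 @@ TOOLS PROVIDED:
 aegis_delete_file Governed file delete
 aegis_execute Governed command execution
 aegis_complete_task Task completion with quality gate validation
-aegis_policy_summary
+aegis_policy_summary Role boundaries and governance summary
+aegis_select_role Select a role (universal mode only)
+aegis_request_override Execute a blocked action with human confirmation
 `);
 }
 // ─── Main ───────────────────────────────────────────────────────────────────
 async function main() {
 const config = parseArgs();
-// Check for updates (non-blocking, 3s timeout)
 await checkForUpdate();
 log(`Starting aegis-mcp-server v${VERSION}`);
 log(` Project: ${config.projectRoot}`);
-log(` Role: ${config.role}`);
+log(` Role: ${config.role === 'auto' ? 'auto (agent selects at runtime)' : config.role}`);
 log(` Policy dir: ${config.policyDir ?? '.agentpolicy'}`);
 // 1. Load policy into process memory
 const loader = new PolicyLoader(config);
@@ -157,13 +150,17 @@ async function main() {
 name: 'aegis-mcp-server',
 version: VERSION,
 });
-// 4. Register governed tools
-registerTools(server, () => engine, () => state, () => activeRole)
+// 4. Register governed tools — pass loader for role selection support
+registerTools(server, () => engine, () => state, () => activeRole, loader, (role) => {
+// Callback when role is selected in auto mode
+activeRole = role;
+engine.updateState(state, role);
+log(`Role locked: ${role.id}`);
+});
 // 5. Connect via stdio transport
 const transport = new StdioServerTransport();
 await server.connect(transport);
 log('Connected via stdio — enforcement active');
-// Graceful shutdown
 const shutdown = async () => {
 log('Shutting down...');
 await loader.stopWatching();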
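Review bot: The role-selection callback added to the `registerTools(...)` call in the last hunk (`@@ -157,13 +150,17 @@`) assigns `activeRole = role` and calls `engine.updateState(state, role)` on every invocation, so at this layer nothing stops a second selection from replacing the first. The "locks to that role for the session" behaviour described in the header comment therefore depends entirely on a check inside `registerTools`, which this section does not show. Because the caller of `aegis_select_role` is the agent being governed, a one-shot guard belongs next to the state it protects: declare `let roleLocked = config.role !== 'auto';` before the call, and open the callback with `if (roleLocked) throw new Error('role already locked for this session');` followed by `roleLocked = true;`. In the parseArgs hunk, `role = args[++i] ?? 'auto';` also turns a `--role` given without a value into universal mode instead of an error, which an operator who meant to pin a role would not notice. `main` starts and ends outside these hunks, so confirm that neither point is already handled elsewhere in the file.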
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAGtD,+EAA+E;AAE/E,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACtC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AACrF,MAAM,OAAO,GAAW,GAAG,CAAC,OAAO,CAAC;AAEpC,+EAA+E;AAE/E,KAAK,UAAU,cAAc;IAC3B,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;QAE3D,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,8BAA8B,GAAG,CAAC,IAAI,SAAS,EAC/C,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAC9B,CAAC;QACF,YAAY,CAAC,OAAO,CAAC,CAAC;QAEtB,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO;QAEpB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA0B,CAAC;QACtD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC;QAC5B,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,OAAO;YAAE,OAAO;QAE1C,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,OAAO,GACX,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;YACtB,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACpD,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnF,IAAI,OAAO,EAAE,CAAC;YACZ,GAAG,CAAC,qBAAqB,OAAO,MAAM,MAAM,yBAAyB,GAAG,CAAC,IAAI,SAAS,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,gBAAgB;IAClB,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E,SAAS,SAAS;IAChB,MAAM,IAAI,GAAG,OA
AO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,WAAW,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAChC,IAAI,IAAI,GAAG,MAAM,CAAC,CAAC,4BAA4B;IAC/C,IAAI,SAA6B,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,QAAQ,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAChB,KAAK,WAAW,CAAC;YACjB,KAAK,IAAI;gBACP,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;gBACxC,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI;gBACP,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC;gBAC3B,MAAM;YACR,KAAK,cAAc;gBACjB,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;gBACtB,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI;gBACP,SAAS,EAAE,CAAC;gBACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAChB,MAAM;YACR,KAAK,WAAW,CAAC;YACjB,KAAK,IAAI;gBACP,GAAG,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAC;gBACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAChB,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,SAAS;IAChB,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmCL,CAAC,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,MAAM,cAAc,EAAE,CAAC;IAEvB,GAAG,CAAC,8BAA8B,OAAO,EAAE,CAAC,CAAC;IAC7C,GAAG,CAAC,cAAc,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACxC,GAAG,CAAC,WAAW,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,iCAAiC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3F,GAAG,CAAC,iBAAiB,MAAM,CAAC,SAAS,IAAI,cAAc,EAAE,CAAC,CAAC;IAE3D,qCAAqC;IACrC,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,KAAK,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;IAChC,IAAI,UAAU,GAAG,MAAM,CAAC,aAAa,EAAE,CAAC;IACxC,IAAI,MAAM,GAAG,IAAI,iBAAiB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAEtD,8CAA8C;IAC9C,MAAM,CAAC,aAAa,CAAC,GAAG,EAAE;QACxB,KAAK,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC1B,UAAU,GAAG,MAAM,CAAC,aAAa,EAAE,CAAC;QACpC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QACtC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,uBAAuB;IACvB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,sEAAsE;IACtE,aAAa,CACX,MAAM,EACN,GAAG,EAAE,CAAC,MAAM,EACZ,GAAG,EAAE,CA
AC,KAAK,EACX,GAAG,EAAE,CAAC,UAAU,EAChB,MAAM,EACN,CAAC,IAAI,EAAE,EAAE;QACP,8CAA8C;QAC9C,UAAU,GAAG,IAAI,CAAC;QAClB,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAChC,GAAG,CAAC,gBAAgB,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;IACjC,CAAC,CACF,CAAC;IAEF,iCAAiC;IACjC,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEhC,GAAG,CAAC,0CAA0C,CAAC,CAAC;IAEhD,MAAM,QAAQ,GAAG,KAAK,IAAmB,EAAE;QACzC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QACxB,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;QAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,GAAG,CAAC,OAAe;IAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,OAAO,IAAI,CAAC,CAAC;AACnD,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAC3E,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
|
|
@@ -19,7 +19,7 @@ import { randomBytes } from 'node:crypto';
|
|
|
19
19
|
import { appendFile, mkdir } from 'node:fs/promises';
|
|
20
20
|
import { dirname, join, relative, isAbsolute } from 'node:path';
|
|
21
21
|
import { minimatch } from 'minimatch';
|
|
22
|
-
const OVERRIDE_TTL_MS =
|
|
22
|
+
const OVERRIDE_TTL_MS = 300_000; // 5 minutes
|
|
23
23
|
export class EnforcementEngine {
|
|
24
24
|
state;
|
|
25
25
|
activeRole;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enforcement-engine.js","sourceRoot":"","sources":["../../src/services/enforcement-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAqBtC,MAAM,eAAe,GAAG,
|
|
1
|
+
{"version":3,"file":"enforcement-engine.js","sourceRoot":"","sources":["../../src/services/enforcement-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAqBtC,MAAM,eAAe,GAAG,OAAO,CAAC,CAAC,YAAY;AAE7C,MAAM,OAAO,iBAAiB;IAIlB;IACA;IAJF,gBAAgB,GAAG,IAAI,GAAG,EAA2B,CAAC;IAE9D,YACU,KAAkB,EAClB,UAAwB;QADxB,UAAK,GAAL,KAAK,CAAa;QAClB,eAAU,GAAV,UAAU,CAAc;IAC/B,CAAC;IAEJ;;OAEG;IACH,WAAW,CAAC,KAAkB,EAAE,IAAkB;QAChD,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;IACzB,CAAC;IAED,6EAA6E;IAE7E;;;OAGG;IACH,aAAa,CAAC,UAAkB;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAEhD,yDAAyD;QACzD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAC5C,IAAI,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;YACrD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,uEAAuE;gBAC/F,UAAU,EAAE,wDAAwD;gBACpE,SAAS,EAAE,IAAI;aAChB,CAAC;QACJ,CAAC;QAED,0EAA0E;QAC1E,8EAA8E;QAC9E,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;QAC1C,IAAI,QAAQ,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;YACnD,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;gBACrD,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,SAAS,OAAO,uCAAuC;oBAC/D,UAAU,EAAE,wDAAwD;oBACpE,SAAS,EAAE,KAAK;iBACjB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,IAAI,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;YACzC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,2BAA2B,IAAI,CAAC,UAAU,CAAC,EAAE,IAAI;gBACzE,UAAU,EAAE,SAAS,IAAI,CAAC,UAAU,CAAC,EAAE,gCAAgC;gBACvE,SAAS,EAAE,KAAK;aACjB,CAAC;QACJ,CAAC;QAED,wEAAwE;QACxE,IAAI,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;YAC5E,M
AAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC;gBAC5D,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;YAE5D,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,EAAE,CAAC;gBAChC,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,SAAS,OAAO,4CAA4C,IAAI,CAAC,UAAU,CAAC,EAAE,IAAI;oBAC1F,UAAU,EAAE,SAAS,IAAI,CAAC,UAAU,CAAC,EAAE,eAAe;oBACtD,SAAS,EAAE,KAAK;iBACjB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;YAC3E,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,2CAA2C;gBACnE,UAAU,EAAE,uDAAuD;gBACnE,SAAS,EAAE,KAAK;aACjB,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,6EAA6E;IAE7E;;OAEG;IACH,YAAY,CAAC,UAAkB;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;QAEhD,6BAA6B;QAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAC5C,IAAI,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;YACrD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,2DAA2D;gBACnF,UAAU,EAAE,wDAAwD;gBACpE,SAAS,EAAE,IAAI;aAChB,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,IAAI,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;YACzC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YAC7D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,2BAA2B,IAAI,CAAC,UAAU,CAAC,EAAE,IAAI;gBACzE,UAAU,EAAE,SAAS,IAAI,CAAC,UAAU,CAAC,EAAE,gCAAgC;gBACvE,SAAS,EAAE,KAAK;aACjB,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,IAAI,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;YACzC,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YAC9D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,SAAS,OAAO,4CAA4C,IAAI,CAAC,UAAU,CAAC,EAAE,IAAI;gBAC1F,UAAU,EAAE,SAAS,IAAI,CAAC,UAAU,CAAC,EAAE,sBAAsB;gBAC7D,SAAS,EAAE,KAAK;aACjB,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,6EAA6E;IAE7E;;OAEG;IACH,WAAW,CAAC,OAAe,EAAE,UAAkB;QAC7C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,EAAE,kBAAkB,CAAC;QACvE,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAEjE
,KAAK,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC;YAC9C,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxB,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,MAAM,EAAE,gBAAgB,UAAU,mCAAmC,EAAE,CAAC,MAAM,EAAE;oBAChF,UAAU,EAAE,oDAAoD;oBAChE,SAAS,EAAE,KAAK;iBACjB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,6EAA6E;IAE7E;;OAEG;IACH,mBAAmB,CAAC,UAAkB,EAAE,UAAkB;QACxD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,kBAAkB,CAAC;QACvD,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,sBAAsB;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAEtE,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,OAAO,CAAC;QACxD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAE/D,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACzD,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAEzD,IAAI,CAAC,YAAY,IAAI,CAAC,YAAY,IAAI,YAAY,KAAK,YAAY,EAAE,CAAC;YACpE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YACvD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,6BAA6B,YAAY,SAAS,YAAY,sBAAsB,KAAK,CAAC,sBAAsB,wBAAwB,UAAU,mBAAmB;gBAC7K,UAAU,EAAE,sCAAsC;gBAClD,SAAS,EAAE,KAAK;aACjB,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,6EAA6E;IAE7E;;OAEG;IACH,mBAAmB,CAAC,SAAiB;QAInC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACzD,MAAM,QAAQ,GAAG,QAAQ,EAAE,QAAQ,IAAI,sBAAsB,CAAC;QAC9D,MAAM,SAAS,GAAG,QAAQ,EAAE,kBAAkB,IAAI,EAAE,CAAC;QAErD,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAEjE,OAAO;YACL,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,QAAQ;YAClD,WAAW;SACZ,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,mBAAmB,CACjB,SAAsC,EACtC,IAAY,EACZ,MAAc,EACd,SAAiB,EACjB,OAAgB;QAEhB,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;QAEtE,4DAA4D;QAC5D,IAAI,WAAW,IAAI,QAAQ,KAAK,eAAe,EAAE,CAAC;YAChD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,0
BAA0B;QAC1B,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAE1B,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9C,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,EAAE;YAC/B,KAAK;YACL,SAAS;YACT,IAAI;YACJ,OAAO;YACP,MAAM;YACN,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;SACvB,CAAC,CAAC;QAEH,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;OAIG;IACH,oBAAoB,CAAC,KAAa;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE1B,mBAAmB;QACnB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,UAAU,GAAG,eAAe,EAAE,CAAC;YACtD,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACpC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,KAAuB;QACvC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,EAAE,iBAAiB,CAAC,CAAC;QACvE,MAAM,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;QAC1C,MAAM,UAAU,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED,6EAA6E;IAE7E;;OAEG;IACH,sBAAsB;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,YAAY,EAAE,UAAU,CAAC;QAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,cAAc;YACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,cAAc;YACpC,EAAE,CAAC;QAEpB,MAAM,MAAM,GAA6C,EAAE,CAAC;QAE5D,IAAI,CAAC,KAAK;YAAE,OAAO,MAAM,CAAC;QAE1B,IAAI,KAAK,CAAC,eAAe,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC3C,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,KAAK,CAAC,cAAc,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,KAAK,CAAC,mBAAmB,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;YACpD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;QAClE,CAAC;QAED,IAAI,KAAK,CAAC,aAAa,EAAE,CAAC;YACxB,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,aAAa,EAAE,CAAC;gBACxC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,O
AAO,EAAE,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,6EAA6E;IAE7E;;OAEG;IACH,IAAY,UAAU;QACpB,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,WAAW,EAAE,UAAU,IAAI,EAAE,CAAC;IAC7D,CAAC;IAEO,kBAAkB;QACxB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACrD,IAAI,GAAG,GAAG,OAAO,CAAC,UAAU,GAAG,eAAe,EAAE,CAAC;gBAC/C,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAEO,UAAU,CAAC,IAAY,EAAE,QAAkB;QACjD,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;YAC/B,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBACtC,CAAC,CAAC,OAAO,GAAG,IAAI;gBAChB,CAAC,CAAC,OAAO,CAAC;YACZ,OAAO,SAAS,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,cAAc,CAAC,UAAkB;QACvC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3B,OAAO,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAEO,SAAS,CACf,QAAgB,EAChB,OAA8C;QAE9C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAClD,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC7E,OAAO,MAAM,CAAC,IAAI,CAAC;YACrB,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,cAAc,CAAC,OAAe;QACpC,IAAI,CAAC;YACH,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,GAAG,CAAC,wCAAwC,OAAO,EAAE,CAAC,CAAC;YAC5D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,GAAG,CAAC,OAAe;QACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,OAAO,IAAI,CAAC,CAAC;IACvD,CAAC;CACF"}
|
|
@@ -2,12 +2,11 @@
|
|
|
2
2
|
* PolicyLoader — Reads .agentpolicy/ files into process memory.
|
|
3
3
|
*
|
|
4
4
|
* Core of the zero-token-overhead design. All governance files are loaded
|
|
5
|
-
* into Node.js process memory on startup. The agent never sees these files
|
|
6
|
-
* it only sees tool call results (allowed/blocked).
|
|
5
|
+
* into Node.js process memory on startup. The agent never sees these files.
|
|
7
6
|
*
|
|
8
|
-
*
|
|
9
|
-
*
|
|
10
|
-
*
|
|
7
|
+
* Supports "auto" role mode: when config.role is "auto" (or not specified),
|
|
8
|
+
* no role is locked at startup. The agent selects a role at runtime via
|
|
9
|
+
* aegis_select_role, and all enforcement uses the selected role thereafter.
|
|
11
10
|
*/
|
|
12
11
|
import type { PolicyState, ResolvedRole, AegisMcpConfig } from '../types.js';
|
|
13
12
|
export declare class PolicyLoader {
|
|
@@ -15,6 +14,7 @@ export declare class PolicyLoader {
|
|
|
15
14
|
private state;
|
|
16
15
|
private watcher;
|
|
17
16
|
private onReload?;
|
|
17
|
+
private selectedRole;
|
|
18
18
|
constructor(config: AegisMcpConfig);
|
|
19
19
|
/**
|
|
20
20
|
* Load all policy files into memory. Call once on startup.
|
|
@@ -33,7 +33,29 @@ export declare class PolicyLoader {
|
|
|
33
33
|
*/
|
|
34
34
|
stopWatching(): Promise<void>;
|
|
35
35
|
/**
|
|
36
|
-
*
|
|
36
|
+
* Whether the MCP is in auto role mode (no role pre-assigned).
|
|
37
|
+
*/
|
|
38
|
+
isAutoMode(): boolean;
|
|
39
|
+
/**
|
|
40
|
+
* Whether a role has been selected in auto mode.
|
|
41
|
+
*/
|
|
42
|
+
hasSelectedRole(): boolean;
|
|
43
|
+
/**
|
|
44
|
+
* Select a role in auto mode. Returns the resolved role, or null if not found.
|
|
45
|
+
*/
|
|
46
|
+
selectRole(roleId: string): ResolvedRole | null;
|
|
47
|
+
/**
|
|
48
|
+
* Get all available roles as a summary list.
|
|
49
|
+
*/
|
|
50
|
+
getAvailableRoles(): Array<{
|
|
51
|
+
id: string;
|
|
52
|
+
name: string;
|
|
53
|
+
purpose: string;
|
|
54
|
+
}>;
|
|
55
|
+
/**
|
|
56
|
+
* Get the resolved role for the configured agent.
|
|
57
|
+
* In auto mode: returns the selected role, or a placeholder if none selected yet.
|
|
58
|
+
* In fixed mode: returns the configured role, falling back to default.
|
|
37
59
|
*/
|
|
38
60
|
getActiveRole(): ResolvedRole;
|
|
39
61
|
private resolvePolicyDir;
|
|
@@ -41,12 +63,6 @@ export declare class PolicyLoader {
|
|
|
41
63
|
private loadRoles;
|
|
42
64
|
/**
|
|
43
65
|
* Merge skeleton and extension fields into a single ResolvedRole.
|
|
44
|
-
*
|
|
45
|
-
* Skeleton: role.name, role.purpose, scope.primary_paths/secondary_paths/excluded_paths
|
|
46
|
-
* Extensions: paths.read/write, forbidden_actions, autonomy (flat string)
|
|
47
|
-
*
|
|
48
|
-
* For writable paths: scope.primary_paths takes precedence; paths.write used as fallback.
|
|
49
|
-
* For readable paths: paths.read used when present; otherwise derived from writable + secondary.
|
|
50
66
|
*/
|
|
51
67
|
private resolveRole;
|
|
52
68
|
private handleChange;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy-loader.d.ts","sourceRoot":"","sources":["../../src/services/policy-loader.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"policy-loader.d.ts","sourceRoot":"","sources":["../../src/services/policy-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,KAAK,EACV,WAAW,EAIX,YAAY,EACZ,cAAc,EACf,MAAM,aAAa,CAAC;AAErB,qBAAa,YAAY;IAMX,OAAO,CAAC,MAAM;IAL1B,OAAO,CAAC,KAAK,CAA4B;IACzC,OAAO,CAAC,OAAO,CAAyC;IACxD,OAAO,CAAC,QAAQ,CAAC,CAAa;IAC9B,OAAO,CAAC,YAAY,CAA6B;gBAE7B,MAAM,EAAE,cAAc;IAE1C;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,WAAW,CAAC;IA4BlC;;OAEG;IACH,QAAQ,IAAI,WAAW;IAOvB;;OAEG;IACH,aAAa,CAAC,QAAQ,CAAC,EAAE,MAAM,IAAI,GAAG,IAAI;IAgB1C;;OAEG;IACG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAOnC;;OAEG;IACH,UAAU,IAAI,OAAO;IAIrB;;OAEG;IACH,eAAe,IAAI,OAAO;IAI1B;;OAEG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI;IAU/C;;OAEG;IACH,iBAAiB,IAAI,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IASzE;;;;OAIG;IACH,aAAa,IAAI,YAAY;IAiD7B,OAAO,CAAC,gBAAgB;YAOV,QAAQ;YAYR,SAAS;IAyBvB;;OAEG;IACH,OAAO,CAAC,WAAW;YAoCL,YAAY;YAYZ,YAAY;IAQ1B,OAAO,CAAC,GAAG;CAGZ"}
|
|
@@ -2,12 +2,11 @@
|
|
|
2
2
|
* PolicyLoader — Reads .agentpolicy/ files into process memory.
|
|
3
3
|
*
|
|
4
4
|
* Core of the zero-token-overhead design. All governance files are loaded
|
|
5
|
-
* into Node.js process memory on startup. The agent never sees these files
|
|
6
|
-
* it only sees tool call results (allowed/blocked).
|
|
5
|
+
* into Node.js process memory on startup. The agent never sees these files.
|
|
7
6
|
*
|
|
8
|
-
*
|
|
9
|
-
*
|
|
10
|
-
*
|
|
7
|
+
* Supports "auto" role mode: when config.role is "auto" (or not specified),
|
|
8
|
+
* no role is locked at startup. The agent selects a role at runtime via
|
|
9
|
+
* aegis_select_role, and all enforcement uses the selected role thereafter.
|
|
11
10
|
*/
|
|
12
11
|
import { readFile, readdir, access } from 'node:fs/promises';
|
|
13
12
|
import { join, basename } from 'node:path';
|
|
@@ -17,6 +16,7 @@ export class PolicyLoader {
|
|
|
17
16
|
state = null;
|
|
18
17
|
watcher = null;
|
|
19
18
|
onReload;
|
|
19
|
+
selectedRole = null;
|
|
20
20
|
constructor(config) {
|
|
21
21
|
this.config = config;
|
|
22
22
|
}
|
|
@@ -73,10 +73,65 @@ export class PolicyLoader {
|
|
|
73
73
|
}
|
|
74
74
|
}
|
|
75
75
|
/**
|
|
76
|
-
*
|
|
76
|
+
* Whether the MCP is in auto role mode (no role pre-assigned).
|
|
77
|
+
*/
|
|
78
|
+
isAutoMode() {
|
|
79
|
+
return this.config.role === 'auto';
|
|
80
|
+
}
|
|
81
|
+
/**
|
|
82
|
+
* Whether a role has been selected in auto mode.
|
|
83
|
+
*/
|
|
84
|
+
hasSelectedRole() {
|
|
85
|
+
return this.selectedRole !== null;
|
|
86
|
+
}
|
|
87
|
+
/**
|
|
88
|
+
* Select a role in auto mode. Returns the resolved role, or null if not found.
|
|
89
|
+
*/
|
|
90
|
+
selectRole(roleId) {
|
|
91
|
+
const state = this.getState();
|
|
92
|
+
const role = state.roles.get(roleId);
|
|
93
|
+
if (!role)
|
|
94
|
+
return null;
|
|
95
|
+
this.selectedRole = role;
|
|
96
|
+
this.log(`Role selected: ${roleId}`);
|
|
97
|
+
return role;
|
|
98
|
+
}
|
|
99
|
+
/**
|
|
100
|
+
* Get all available roles as a summary list.
|
|
101
|
+
*/
|
|
102
|
+
getAvailableRoles() {
|
|
103
|
+
const state = this.getState();
|
|
104
|
+
const roles = [];
|
|
105
|
+
for (const [id, role] of state.roles) {
|
|
106
|
+
roles.push({ id, name: role.name, purpose: role.purpose });
|
|
107
|
+
}
|
|
108
|
+
return roles;
|
|
109
|
+
}
|
|
110
|
+
/**
|
|
111
|
+
* Get the resolved role for the configured agent.
|
|
112
|
+
* In auto mode: returns the selected role, or a placeholder if none selected yet.
|
|
113
|
+
* In fixed mode: returns the configured role, falling back to default.
|
|
77
114
|
*/
|
|
78
115
|
getActiveRole() {
|
|
79
116
|
const state = this.getState();
|
|
117
|
+
// Auto mode — return selected role or placeholder
|
|
118
|
+
if (this.isAutoMode()) {
|
|
119
|
+
if (this.selectedRole)
|
|
120
|
+
return this.selectedRole;
|
|
121
|
+
// No role selected yet — return a restrictive placeholder
|
|
122
|
+
return {
|
|
123
|
+
id: 'unassigned',
|
|
124
|
+
name: 'unassigned',
|
|
125
|
+
purpose: 'No role selected. Call aegis_select_role to choose a role before performing any actions.',
|
|
126
|
+
writable_paths: [],
|
|
127
|
+
secondary_paths: [],
|
|
128
|
+
excluded_paths: [],
|
|
129
|
+
readable_paths: [],
|
|
130
|
+
autonomy: 'conservative',
|
|
131
|
+
forbidden_actions: ['All actions — no role has been selected yet.'],
|
|
132
|
+
};
|
|
133
|
+
}
|
|
134
|
+
// Fixed mode — use configured role
|
|
80
135
|
const roleId = this.config.role;
|
|
81
136
|
const role = state.roles.get(roleId);
|
|
82
137
|
if (role)
|
|
@@ -86,7 +141,6 @@ export class PolicyLoader {
|
|
|
86
141
|
this.log(`Role "${roleId}" not found, using default`);
|
|
87
142
|
return defaultRole;
|
|
88
143
|
}
|
|
89
|
-
// Synthesize a permissive default if no role files exist
|
|
90
144
|
this.log('No role files found, using synthesized permissive default');
|
|
91
145
|
return {
|
|
92
146
|
id: 'default',
|
|
@@ -134,36 +188,23 @@ export class PolicyLoader {
|
|
|
134
188
|
}
|
|
135
189
|
/**
|
|
136
190
|
* Merge skeleton and extension fields into a single ResolvedRole.
|
|
137
|
-
*
|
|
138
|
-
* Skeleton: role.name, role.purpose, scope.primary_paths/secondary_paths/excluded_paths
|
|
139
|
-
* Extensions: paths.read/write, forbidden_actions, autonomy (flat string)
|
|
140
|
-
*
|
|
141
|
-
* For writable paths: scope.primary_paths takes precedence; paths.write used as fallback.
|
|
142
|
-
* For readable paths: paths.read used when present; otherwise derived from writable + secondary.
|
|
143
191
|
*/
|
|
144
192
|
resolveRole(id, raw) {
|
|
145
|
-
// Role identity — skeleton nested object, or flat string + description
|
|
146
193
|
const name = typeof raw.role === 'object' ? raw.role.name : String(raw.role);
|
|
147
194
|
const purpose = typeof raw.role === 'object'
|
|
148
195
|
? raw.role.purpose
|
|
149
196
|
: (raw.description ?? '');
|
|
150
|
-
// Writable paths — skeleton primary_paths, or extension paths.write
|
|
151
197
|
const writable_paths = raw.scope?.primary_paths?.length
|
|
152
198
|
? raw.scope.primary_paths
|
|
153
199
|
: (raw.paths?.write ?? []);
|
|
154
|
-
// Secondary paths
|
|
155
200
|
const secondary_paths = raw.scope?.secondary_paths ?? [];
|
|
156
|
-
// Excluded paths
|
|
157
201
|
const excluded_paths = raw.scope?.excluded_paths ?? [];
|
|
158
|
-
// Readable paths — extension paths.read, or all writable + secondary
|
|
159
202
|
const readable_paths = raw.paths?.read?.length
|
|
160
203
|
? raw.paths.read
|
|
161
204
|
: [...writable_paths, ...secondary_paths];
|
|
162
|
-
// Autonomy — flat extension string or skeleton override
|
|
163
205
|
const autonomy = raw.autonomy
|
|
164
206
|
? String(raw.autonomy)
|
|
165
207
|
: 'advisory';
|
|
166
|
-
// Forbidden actions
|
|
167
208
|
const forbidden_actions = raw.forbidden_actions ?? [];
|
|
168
209
|
return {
|
|
169
210
|
id,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy-loader.js","sourceRoot":"","sources":["../../src/services/policy-loader.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"policy-loader.js","sourceRoot":"","sources":["../../src/services/policy-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,CAAC;AAUjC,MAAM,OAAO,YAAY;IAMH;IALZ,KAAK,GAAuB,IAAI,CAAC;IACjC,OAAO,GAAoC,IAAI,CAAC;IAChD,QAAQ,CAAc;IACtB,YAAY,GAAwB,IAAI,CAAC;IAEjD,YAAoB,MAAsB;QAAtB,WAAM,GAAN,MAAM,CAAgB;IAAG,CAAC;IAE9C;;OAEG;IACH,KAAK,CAAC,IAAI;QACR,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC1C,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;QAEvD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,QAAQ,CACtC,IAAI,CAAC,SAAS,EAAE,mBAAmB,CAAC,EACpC,mBAAmB,CACpB,CAAC;QAEF,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,QAAQ,CACpC,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,EAClC,iBAAiB,CAClB,CAAC;QAEF,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;QAE7D,IAAI,CAAC,KAAK,GAAG;YACX,YAAY;YACZ,UAAU;YACV,KAAK;YACL,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACpC,SAAS;SACV,CAAC;QAEF,IAAI,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,IAAI,UAAU,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,QAAqB;QACjC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAE1C,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,SAAS,EAAE;YAC9B,aAAa,EAAE,IAAI;YACnB,gBAAgB,EAAE,EAAE,kBAAkB,EAAE,GAAG,EAAE;SAC9C,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAE7D,IAAI,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY;QAChB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,O
AAO,CAAC,KAAK,EAAE,CAAC;YAC3B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACtB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO,IAAI,CAAC,YAAY,KAAK,IAAI,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,MAAc;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,GAAG,CAAC,kBAAkB,MAAM,EAAE,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAyD,EAAE,CAAC;QACvE,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;OAIG;IACH,aAAa;QACX,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAE9B,kDAAkD;QAClD,IAAI,IAAI,CAAC,UAAU,EAAE,EAAE,CAAC;YACtB,IAAI,IAAI,CAAC,YAAY;gBAAE,OAAO,IAAI,CAAC,YAAY,CAAC;YAEhD,0DAA0D;YAC1D,OAAO;gBACL,EAAE,EAAE,YAAY;gBAChB,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,0FAA0F;gBACnG,cAAc,EAAE,EAAE;gBAClB,eAAe,EAAE,EAAE;gBACnB,cAAc,EAAE,EAAE;gBAClB,cAAc,EAAE,EAAE;gBAClB,QAAQ,EAAE,cAAc;gBACxB,iBAAiB,EAAE,CAAC,8CAA8C,CAAC;aACpE,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QAEhC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;QAEtB,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,CAAC,GAAG,CAAC,SAAS,MAAM,4BAA4B,CAAC,CAAC;YACtD,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;QACtE,OAAO;YACL,EAAE,EAAE,SAAS;YACb,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,gDAAgD;YACzD,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,QAAQ,EAAE,UAAU;YACpB,iBAAiB,EAAE,EAAE;SACtB,CAAC;IACJ,CAAC;IAED,+EAA+E;IAEvE,gBAAgB;QACtB,OAAO,IAAI,CACT,IAAI,CAAC,MAAM,CAAC,WAAW,EACv
B,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,cAAc,CACxC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAI,IAAY,EAAE,KAAa;QACnD,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1C,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAM,CAAC;QAC9B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,mBAAmB,KAAK,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAChF,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,QAAgB;QACtC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAwB,CAAC;QAE9C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,QAAQ,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QACjE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,SAAS;YAE/D,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC7C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAC7B,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,EAC1B,SAAS,KAAK,CAAC,IAAI,EAAE,CACtB,CAAC;YAEF,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,EAAU,EAAE,GAAa;QAC3C,MAAM,IAAI,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7E,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;YAC1C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO;YAClB,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QAE5B,MAAM,cAAc,GAAG,GAAG,CAAC,KAAK,EAAE,aAAa,EAAE,MAAM;YACrD,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,aAAa;YACzB,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QAE7B,MAAM,eAAe,GAAG,GAAG,CAAC,KAAK,EAAE,eAAe,IAAI,EAAE,CAAC;QACzD,MAAM,cAAc,GAAG,GAAG,CAAC,KAAK,EAAE,cAAc,IAAI,EAAE,CAAC;QAEvD,MAAM,cAAc,GAAG,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM;YAC5C,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI;YAChB,CAAC,CAAC,CAAC,GAAG,cAAc,EAAE,GAAG,eAAe,CAAC,CAAC;QAE5C,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ;YAC3B,C
AAC,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;YACtB,CAAC,CAAC,UAAU,CAAC;QAEf,MAAM,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QAEtD,OAAO;YACL,EAAE;YACF,IAAI;YACJ,OAAO;YACP,cAAc;YACd,eAAe;YACf,cAAc;YACd,cAAc;YACd,QAAQ;YACR,iBAAiB;SAClB,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,IAAY;QACrC,IAAI,CAAC,GAAG,CAAC,wBAAwB,IAAI,EAAE,CAAC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAClB,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC;QACpB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CACN,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC/E,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,KAAa;QACpD,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,kBAAkB,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAEO,GAAG,CAAC,OAAe;QACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,OAAO,IAAI,CAAC,CAAC;IACnD,CAAC;CACF"}
|
|
@@ -1,35 +1,23 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Governed File Tools — MCP tool registrations for file operations.
|
|
3
3
|
*
|
|
4
|
-
* GOVERNANCE MODEL: The
|
|
5
|
-
*
|
|
6
|
-
* identifies which operations benefit from compliance validation, and
|
|
7
|
-
* asks the agent to seek user permission to route governed operations
|
|
8
|
-
* through Aegis tools. The user's authority is the enforcement mechanism.
|
|
4
|
+
* GOVERNANCE MODEL: Consent-based. The MCP introduces itself, explains
|
|
5
|
+
* governance, and asks the agent to seek user permission.
|
|
9
6
|
*
|
|
10
|
-
*
|
|
11
|
-
*
|
|
12
|
-
*
|
|
13
|
-
*
|
|
14
|
-
* with the token. The action proceeds and is logged with human_confirmed: true.
|
|
15
|
-
* The token is single-use and expires after 60 seconds.
|
|
16
|
-
* Immutable policies cannot be overridden.
|
|
7
|
+
* ROLE SELECTION: In universal/auto mode, aegis_policy_summary returns
|
|
8
|
+
* available roles. The agent presents them to the user, who picks one.
|
|
9
|
+
* The agent calls aegis_select_role to lock in. All enforcement uses
|
|
10
|
+
* the selected role thereafter.
|
|
17
11
|
*
|
|
18
|
-
*
|
|
19
|
-
*
|
|
12
|
+
* OVERRIDE HANDSHAKE: Blocked actions return override tokens when policy
|
|
13
|
+
* allows. Human confirms → agent calls aegis_request_override → action
|
|
14
|
+
* proceeds and is logged with human_confirmed: true. Single-use, 5-min TTL.
|
|
20
15
|
*
|
|
21
|
-
*
|
|
22
|
-
* aegis_check_permissions — Pre-check before writing
|
|
23
|
-
* aegis_write_file — Governed write with path + content validation
|
|
24
|
-
* aegis_read_file — Governed read with path validation
|
|
25
|
-
* aegis_delete_file — Governed delete (uses write permissions)
|
|
26
|
-
* aegis_execute — Governed command execution
|
|
27
|
-
* aegis_complete_task — Task completion with quality gate validation
|
|
28
|
-
* aegis_policy_summary — Minimal role/permissions summary
|
|
29
|
-
* aegis_request_override — Consume an override token after human confirmation
|
|
16
|
+
* LOGGING: Every denied action is logged automatically by the server.
|
|
30
17
|
*/
|
|
31
18
|
import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
|
|
32
19
|
import type { EnforcementEngine } from '../services/enforcement-engine.js';
|
|
20
|
+
import type { PolicyLoader } from '../services/policy-loader.js';
|
|
33
21
|
import type { PolicyState, ResolvedRole } from '../types.js';
|
|
34
|
-
export declare function registerTools(server: McpServer, getEngine: () => EnforcementEngine, getState: () => PolicyState, getRole: () => ResolvedRole): void;
|
|
22
|
+
export declare function registerTools(server: McpServer, getEngine: () => EnforcementEngine, getState: () => PolicyState, getRole: () => ResolvedRole, loader: PolicyLoader, onRoleSelected: (role: ResolvedRole) => void): void;
|
|
35
23
|
//# sourceMappingURL=file-tools.d.ts.map
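Review bot: The rewritten header comment no longer carries the sentence `Immutable policies cannot be overridden.`, and the same edit lengthens the override token lifetime from 60 seconds to 5 minutes (`Single-use, 5-min TTL`), so the one stated limit on the override handshake disappears just as the window grows. If the limit still holds, restore it in the OVERRIDE HANDSHAKE paragraph as `* Immutable policies cannot be overridden.`; if it was dropped on purpose, the comment should say so. The ROLE SELECTION paragraph says the agent calls aegis_select_role "to lock in", yet `selectRole` in policy-loader.js as shown in this diff assigns `this.selectedRole` without checking `hasSelectedRole()`, so the comment should name where a second selection is refused (presumably the tool handler, which is not visible here). This file is compiler output, so the wording change belongs in src/tools/file-tools.ts.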
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"file-tools.d.ts","sourceRoot":"","sources":["../../src/tools/file-tools.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"file-tools.d.ts","sourceRoot":"","sources":["../../src/tools/file-tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAKH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AAC3E,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAM7D,wBAAgB,aAAa,CAC3B,MAAM,EAAE,SAAS,EACjB,SAAS,EAAE,MAAM,iBAAiB,EAClC,QAAQ,EAAE,MAAM,WAAW,EAC3B,OAAO,EAAE,MAAM,YAAY,EAC3B,MAAM,EAAE,YAAY,EACpB,cAAc,EAAE,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI,GAC3C,IAAI,CAqnBN"}
|