aegis-mcp-server 0.1.9 → 0.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (21) hide show
  1. package/README.md +59 -29
  2. package/assets/icon-512.png +0 -0
  3. package/assets/icon.png +0 -0
  4. package/assets/icon.svg +54 -0
  5. package/dist/index.d.ts +6 -13
  6. package/dist/index.d.ts.map +1 -1
  7. package/dist/index.js +32 -35
  8. package/dist/index.js.map +1 -1
  9. package/dist/services/policy-loader.d.ts +28 -12
  10. package/dist/services/policy-loader.d.ts.map +1 -1
  11. package/dist/services/policy-loader.js +61 -20
  12. package/dist/services/policy-loader.js.map +1 -1
  13. package/dist/tools/file-tools.d.ts +12 -24
  14. package/dist/tools/file-tools.d.ts.map +1 -1
  15. package/dist/tools/file-tools.js +103 -39
  16. package/dist/tools/file-tools.js.map +1 -1
  17. package/package.json +1 -1
  18. package/server.json +27 -0
  19. package/src/index.ts +34 -35
  20. package/src/services/policy-loader.ts +67 -21
  21. package/src/tools/file-tools.ts +118 -39
package/README.md CHANGED
@@ -1,5 +1,5 @@
1
1
  # aegis-mcp-server
2
-
2
+ <!-- mcp-name: io.github.cleburn/aegis-mcp -->
3
3
  **MCP enforcement layer for the [Aegis](https://github.com/cleburn/aegis-spec) agent governance specification.**
4
4
 
5
5
  The spec writes the law. The CLI generates the law. This enforces the law.
@@ -8,54 +8,65 @@ The spec writes the law. The CLI generates the law. This enforces the law.
8
8
 
9
9
  `aegis-mcp-server` is an MCP server that validates every agent action against your `.agentpolicy/` files **before** it happens. Path permissions, content scanning, role boundaries, quality gates — all enforced at runtime with zero token overhead to the agent.
10
10
 
11
- The agent never loads your governance files. The MCP server reads them into its own process memory and validates silently. The agent calls governed tools (`aegis_write_file`, `aegis_read_file`, etc.) and gets back either a success or a blocked response with the specific reason.
11
+ The agent never loads your governance files. The MCP server reads them into its own process memory and validates silently. The agent calls governed tools and gets back either a success or a blocked response with the specific reason.
12
12
 
13
13
  ## Quick Start
14
14
 
15
15
  ```bash
16
+ # Install globally
16
17
  npm install -g aegis-mcp-server
17
-
18
- # Or use npx
19
- npx aegis-mcp-server --project . --role default
20
18
  ```
21
19
 
22
- ### Claude Code Configuration
20
+ If you generated your policy with [aegis-cli](https://github.com/cleburn/aegis-cli), the `.mcp.json` connection config is already in your project root. Just install the MCP and open your agent — it connects automatically.
23
21
 
24
- ```json
25
- {
26
- "mcpServers": {
27
- "aegis": {
28
- "command": "npx",
29
- "args": ["aegis-mcp-server", "--project", ".", "--role", "default"]
30
- }
31
- }
32
- }
22
+ ### First Prompt
23
+
24
+ When starting a new agent session in a governed project, use this as your first prompt:
25
+
26
+ ```
27
+ Call aegis_policy_summary now. This is your governance contract — it defines your
28
+ role, your boundaries, and which tools to use. Do not read files, do not take any
29
+ action, and do not assume your role until you have called this tool.
33
30
  ```
34
31
 
35
- For role-specific enforcement:
32
+ ## How It Works
33
+
34
+ ### Universal Mode (Default)
35
+
36
+ The MCP starts without a pre-assigned role. When the agent calls `aegis_policy_summary`, it receives the list of available roles from `.agentpolicy/roles/`. The agent presents them to the user, the user picks, and the agent calls `aegis_select_role` to lock in. All enforcement uses the selected role for the rest of the session.
37
+
38
+ This is the default behavior — no configuration needed beyond the `.mcp.json` that `aegis init` creates automatically.
39
+
40
+ ### Fixed Mode
41
+
42
+ If you know which role to assign at startup:
36
43
 
37
44
  ```json
38
45
  {
39
46
  "mcpServers": {
40
47
  "aegis": {
41
- "command": "npx",
42
- "args": ["aegis-mcp-server", "--project", ".", "--role", "backend"]
48
+ "command": "aegis-mcp",
49
+ "args": ["--project", ".", "--role", "backend"]
43
50
  }
44
51
  }
45
52
  }
46
53
  ```
47
54
 
55
+ The MCP locks to that role immediately. `aegis_policy_summary` returns the role's boundaries directly, skipping role selection.
56
+
48
57
  ## Tools
49
58
 
50
59
  | Tool | What it does | Token cost |
51
60
  |------|-------------|------------|
52
- | `aegis_check_permissions` | Pre-check if an operation is allowed | Tiny just the verdict |
53
- | `aegis_write_file` | Write with path + content validation | Same as a normal write |
54
- | `aegis_read_file` | Read with path validation | Same as a normal read |
55
- | `aegis_delete_file` | Delete with path validation | Tiny just the verdict |
56
- | `aegis_execute` | Execute a command in project root | Command output only |
61
+ | `aegis_policy_summary` | Role boundaries and governance summary (or available roles in universal mode) | ~200 tokens |
62
+ | `aegis_select_role` | Select a role in universal mode | Tiny |
63
+ | `aegis_check_permissions` | Pre-check if an operation is allowed | Tiny |
64
+ | `aegis_write_file` | Governed write with path + content validation | Same as a normal write |
65
+ | `aegis_read_file` | Governed read with path validation | Same as a normal read |
66
+ | `aegis_delete_file` | Governed delete with path validation | Tiny |
67
+ | `aegis_execute` | Governed command execution | Command output only |
57
68
  | `aegis_complete_task` | Run quality gates before marking done | Gate results only |
58
- | `aegis_policy_summary` | Minimal role + permissions summary | ~200 tokens |
69
+ | `aegis_request_override` | Execute a blocked action after human confirmation | Tiny |
59
70
 
60
71
  ## Zero Token Overhead
61
72
 
@@ -65,13 +76,31 @@ Aegis MCP approach: the server loads policy into its own process memory. The age
65
76
 
66
77
  ## Enforcement
67
78
 
68
- - **Governance boundaries** — `writable`, `read_only`, `forbidden` path lists from governance.json
79
+ - **Governance boundaries** — `writable`, `read_only`, `forbidden` path lists
69
80
  - **Role scoping** — agents confined to their role's writable and readable paths
70
81
  - **Sensitive pattern detection** — content scanned against governance-defined patterns
71
- - **Cross-domain boundaries** — imports validated against shared interface rules (when configured)
82
+ - **Cross-domain boundaries** — imports validated against shared interface rules
72
83
  - **Quality gate validation** — `pre_commit` flags mapped to `build_commands` and executed
73
- - **Override logging** — violations logged to append-only `overrides.jsonl`
74
- - **Immutable policies** — designated rules that cannot be overridden, even with human confirmation
84
+ - **Override logging** — every blocked action logged to append-only `overrides.jsonl`
85
+ - **Immutable policies** — designated rules that cannot be overridden, ever
86
+
87
+ ## Override Protocol
88
+
89
+ When an action is blocked and the governance override behavior is `warn_confirm_and_log`:
90
+
91
+ 1. The blocked response includes an `override_token` and the specific policy violated
92
+ 2. The agent presents the violation to the user
93
+ 3. If the user confirms, the agent calls `aegis_request_override` with the token and the user's rationale
94
+ 4. The action proceeds — the override is logged with `human_confirmed: true`
95
+ 5. Normal governance resumes immediately — the override is a one-time exception
96
+
97
+ Immutable policies (e.g., HIPAA compliance, audit completeness) return `override_available: false` and cannot be overridden. The user must modify the governance through `aegis init`.
98
+
99
+ ## Consent-Based Governance
100
+
101
+ The Aegis MCP does not override the agent's native directives. It introduces itself through tool descriptions, explains why governance is active, and asks the agent to seek user permission to route write operations through Aegis tools. The user's authority is the enforcement mechanism.
102
+
103
+ Native tools for reading, searching, and exploring the codebase work fine without governance gating. Only write, delete, and execute operations benefit from routing through Aegis.
75
104
 
76
105
  ## Architecture
77
106
 
@@ -81,7 +110,8 @@ Agent ──→ aegis-mcp-server ──→ File System
81
110
  ├── Loads .agentpolicy/ into process memory (once)
82
111
  ├── Watches for policy changes (auto-reload)
83
112
  ├── Validates every tool call against policy
84
- └── Returns success or blocked with reason
113
+ ├── Returns success or blocked with override option
114
+ └── Logs all enforcement decisions to overrides.jsonl
85
115
  ```
86
116
 
87
117
  Three artifacts, one governance framework:
package/assets/icon-512.png ADDED
Binary file
package/assets/icon.png ADDED
Binary file
package/assets/icon.svg ADDED
@@ -0,0 +1,54 @@
1
+ <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" width="512" height="512">
2
+ <defs>
3
+ <linearGradient id="shieldGrad" x1="0%" y1="0%" x2="0%" y2="100%">
4
+ <stop offset="0%" stop-color="#79c0ff"/>
5
+ <stop offset="35%" stop-color="#58a6ff"/>
6
+ <stop offset="100%" stop-color="#1f6feb"/>
7
+ </linearGradient>
8
+ <clipPath id="roundedBg">
9
+ <rect width="512" height="512" rx="80"/>
10
+ </clipPath>
11
+ </defs>
12
+
13
+ <!-- Rounded rectangle background -->
14
+ <rect width="512" height="512" rx="80" fill="#0d1117"/>
15
+
16
+ <!-- Outer shield (blue filled) -->
17
+ <path d="
18
+ M 256 56
19
+ L 120 116
20
+ L 120 248
21
+ C 120 348 178 432 256 472
22
+ C 334 432 392 348 392 248
23
+ L 392 116
24
+ Z
25
+ " fill="url(#shieldGrad)"/>
26
+
27
+ <!-- Inner shield cutout (dark) -->
28
+ <path d="
29
+ M 256 96
30
+ L 152 142
31
+ L 152 248
32
+ C 152 332 200 404 256 438
33
+ C 312 404 360 332 360 248
34
+ L 360 142
35
+ Z
36
+ " fill="#0d1117" opacity="0.87"/>
37
+
38
+ <!-- Policy line 1 (top, faintest) -->
39
+ <line x1="196" y1="212" x2="316" y2="212"
40
+ stroke="#58a6ff" stroke-width="9" stroke-linecap="round" opacity="0.45"/>
41
+
42
+ <!-- Policy line 2 (middle) -->
43
+ <line x1="196" y1="252" x2="316" y2="252"
44
+ stroke="#58a6ff" stroke-width="9" stroke-linecap="round" opacity="0.7"/>
45
+
46
+ <!-- Policy line 3 (shorter, full) -->
47
+ <line x1="196" y1="292" x2="288" y2="292"
48
+ stroke="#58a6ff" stroke-width="9" stroke-linecap="round" opacity="1.0"/>
49
+
50
+ <!-- Checkmark -->
51
+ <polyline points="270,332 290,352 330,304"
52
+ fill="none" stroke="#58a6ff" stroke-width="10"
53
+ stroke-linecap="round" stroke-linejoin="round"/>
54
+ </svg>
package/dist/index.d.ts CHANGED
@@ -5,22 +5,15 @@
5
5
  * Starts the MCP enforcement server. Loads .agentpolicy/ into process memory,
6
6
  * registers governed tools, and connects via stdio transport.
7
7
  *
8
- * The agent connects to this server and calls governed tools (aegis_write_file,
9
- * aegis_read_file, etc.) instead of raw file system operations. All validation
10
- * happens in this process at zero token cost to the agent.
8
+ * Universal mode (default): No --role flag. The agent calls aegis_policy_summary
9
+ * on connection, sees available roles, presents them to the user, and the user
10
+ * selects a role. The MCP locks to that role for the session.
11
+ *
12
+ * Fixed mode: --role <id> locks to a specific role at startup.
11
13
  *
12
14
  * Usage:
15
+ * aegis-mcp --project /path/to/project
13
16
  * aegis-mcp --project /path/to/project --role backend
14
- *
15
- * Claude Code MCP config:
16
- * {
17
- * "mcpServers": {
18
- * "aegis": {
19
- * "command": "npx",
20
- * "args": ["aegis-mcp-server", "--project", ".", "--role", "default"]
21
- * }
22
- * }
23
- * }
24
17
  */
25
18
  export {};
26
19
  //# sourceMappingURL=index.d.ts.map
package/dist/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;;;;;GAsBG"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;GAeG"}
package/dist/index.js CHANGED
@@ -5,22 +5,15 @@
5
5
  * Starts the MCP enforcement server. Loads .agentpolicy/ into process memory,
6
6
  * registers governed tools, and connects via stdio transport.
7
7
  *
8
- * The agent connects to this server and calls governed tools (aegis_write_file,
9
- * aegis_read_file, etc.) instead of raw file system operations. All validation
10
- * happens in this process at zero token cost to the agent.
8
+ * Universal mode (default): No --role flag. The agent calls aegis_policy_summary
9
+ * on connection, sees available roles, presents them to the user, and the user
10
+ * selects a role. The MCP locks to that role for the session.
11
+ *
12
+ * Fixed mode: --role <id> locks to a specific role at startup.
11
13
  *
12
14
  * Usage:
15
+ * aegis-mcp --project /path/to/project
13
16
  * aegis-mcp --project /path/to/project --role backend
14
- *
15
- * Claude Code MCP config:
16
- * {
17
- * "mcpServers": {
18
- * "aegis": {
19
- * "command": "npx",
20
- * "args": ["aegis-mcp-server", "--project", ".", "--role", "default"]
21
- * }
22
- * }
23
- * }
24
17
  */
25
18
  import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
26
19
  import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
@@ -36,9 +29,6 @@ const __dirname = dirname(__filename);
36
29
  const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf-8'));
37
30
  const VERSION = pkg.version;
38
31
  // ─── Update Checker ─────────────────────────────────────────────────────────
39
- // Non-blocking check against the npm registry. If a newer version
40
- // exists, prints a one-line notice to stderr. If the check fails
41
- // (offline, timeout, etc.), skips silently — never blocks startup.
42
32
  async function checkForUpdate() {
43
33
  try {
44
34
  const controller = new AbortController();
@@ -61,14 +51,14 @@ async function checkForUpdate() {
61
51
  }
62
52
  }
63
53
  catch {
64
- // Silently skip — network issues should never block the MCP server
54
+ // Silently skip
65
55
  }
66
56
  }
67
57
  // ─── Parse CLI Args ─────────────────────────────────────────────────────────
68
58
  function parseArgs() {
69
59
  const args = process.argv.slice(2);
70
60
  let projectRoot = process.cwd();
71
- let role = 'default';
61
+ let role = 'auto'; // Universal mode by default
72
62
  let policyDir;
73
63
  for (let i = 0; i < args.length; i++) {
74
64
  switch (args[i]) {
@@ -78,7 +68,7 @@ function parseArgs() {
78
68
  break;
79
69
  case '--role':
80
70
  case '-r':
81
- role = args[++i] ?? 'default';
71
+ role = args[++i] ?? 'auto';
82
72
  break;
83
73
  case '--policy-dir':
84
74
  policyDir = args[++i];
@@ -106,20 +96,22 @@ USAGE:
106
96
 
107
97
  OPTIONS:
108
98
  -p, --project <path> Project root directory (default: cwd)
109
- -r, --role <role-id> Agent role to enforce (default: "default")
99
+ -r, --role <role-id> Agent role to enforce (default: "auto" — agent selects at runtime)
110
100
  --policy-dir <dir> Policy directory name (default: ".agentpolicy")
111
101
  -h, --help Show this help
112
102
  -v, --version Show version
113
103
 
114
- CLAUDE CODE CONFIG:
115
- {
116
- "mcpServers": {
117
- "aegis": {
118
- "command": "npx",
119
- "args": ["aegis-mcp-server", "--project", ".", "--role", "default"]
120
- }
121
- }
122
- }
104
+ UNIVERSAL MODE (default):
105
+ aegis-mcp --project .
106
+
107
+ No --role flag. The agent calls aegis_policy_summary, sees available roles,
108
+ presents them to the user, and the user selects. The MCP locks to that role
109
+ for the session.
110
+
111
+ FIXED MODE:
112
+ aegis-mcp --project . --role backend
113
+
114
+ Locks to a specific role at startup.
123
115
 
124
116
  TOOLS PROVIDED:
125
117
  aegis_check_permissions Pre-check if an operation is allowed
@@ -128,17 +120,18 @@ TOOLS PROVIDED:
128
120
  aegis_delete_file Governed file delete
129
121
  aegis_execute Governed command execution
130
122
  aegis_complete_task Task completion with quality gate validation
131
- aegis_policy_summary Minimal summary of current role and permissions
123
+ aegis_policy_summary Role boundaries and governance summary
124
+ aegis_select_role Select a role (universal mode only)
125
+ aegis_request_override Execute a blocked action with human confirmation
132
126
  `);
133
127
  }
134
128
  // ─── Main ───────────────────────────────────────────────────────────────────
135
129
  async function main() {
136
130
  const config = parseArgs();
137
- // Check for updates (non-blocking, 3s timeout)
138
131
  await checkForUpdate();
139
132
  log(`Starting aegis-mcp-server v${VERSION}`);
140
133
  log(` Project: ${config.projectRoot}`);
141
- log(` Role: ${config.role}`);
134
+ log(` Role: ${config.role === 'auto' ? 'auto (agent selects at runtime)' : config.role}`);
142
135
  log(` Policy dir: ${config.policyDir ?? '.agentpolicy'}`);
143
136
  // 1. Load policy into process memory
144
137
  const loader = new PolicyLoader(config);
@@ -157,13 +150,17 @@ async function main() {
157
150
  name: 'aegis-mcp-server',
158
151
  version: VERSION,
159
152
  });
160
- // 4. Register governed tools
161
- registerTools(server, () => engine, () => state, () => activeRole);
153
+ // 4. Register governed tools — pass loader for role selection support
154
+ registerTools(server, () => engine, () => state, () => activeRole, loader, (role) => {
155
+ // Callback when role is selected in auto mode
156
+ activeRole = role;
157
+ engine.updateState(state, role);
158
+ log(`Role locked: ${role.id}`);
159
+ });
162
160
  // 5. Connect via stdio transport
163
161
  const transport = new StdioServerTransport();
164
162
  await server.connect(transport);
165
163
  log('Connected via stdio — enforcement active');
166
- // Graceful shutdown
167
164
  const shutdown = async () => {
168
165
  log('Shutting down...');
169
166
  await loader.stopWatching();
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAGtD,+EAA+E;AAE/E,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACtC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AACrF,MAAM,OAAO,GAAW,GAAG,CAAC,OAAO,CAAC;AAEpC,+EAA+E;AAC/E,kEAAkE;AAClE,iEAAiE;AACjE,mEAAmE;AAEnE,KAAK,UAAU,cAAc;IAC3B,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;QAE3D,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,8BAA8B,GAAG,CAAC,IAAI,SAAS,EAC/C,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAC9B,CAAC;QACF,YAAY,CAAC,OAAO,CAAC,CAAC;QAEtB,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO;QAEpB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA0B,CAAC;QACtD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC;QAC5B,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,OAAO;YAAE,OAAO;QAE1C,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,OAAO,GACX,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;YACtB,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACpD,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnF,IAAI,OAAO,EAAE,CAAC;YACZ,GAAG,CAAC,qBAAqB,OAAO,MAAM,MAAM,yBAAyB,GAAG,CAAC,IAAI,SAAS,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,mEAAmE;IACrE,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E,SAAS,SAAS;IAChB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,WAAW,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAChC,IAAI,IAAI,GAAG,SAAS,CAAC;IACrB,IAAI,SAA6B,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,QAAQ,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAChB,KAAK,WAAW,CAAC;YACjB,KAAK,IAAI;gBACP,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;gBACxC,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI;gBACP,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,SAAS,CAAC;gBAC9B,MAAM;YACR,KAAK,cAAc;gBACjB,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;gBACtB,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI;gBACP,SAAS,EAAE,CAAC;gBACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAChB,MAAM;YACR,KAAK,WAAW,CAAC;YACjB,KAAK,IAAI;gBACP,GAAG,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAC;gBACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAChB,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,SAAS;IAChB,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+BL,CAAC,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,+CAA+C;IAC/C,MAAM,cAAc,EAAE,CAAC;IAEvB,GAAG,CAAC,8BAA8B,OAAO,EAAE,CAAC,CAAC;IAC7C,GAAG,CAAC,cAAc,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACxC,GAAG,CAAC,WAAW,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9B,GAAG,CAAC,iBAAiB,MAAM,CAAC,SAAS,IAAI,cAAc,EAAE,CAAC,CAAC;IAE3D,qCAAqC;IACrC,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,KAAK,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;IAChC,IAAI,UAAU,GAAG,MAAM,CAAC,aAAa,EAAE,CAAC;IACxC,IAAI,MAAM,GAAG,IAAI,iBAAiB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAEtD,8CAA8C;IAC9C,MAAM,CAAC,aAAa,CAAC,GAAG,EAAE;QACxB,KAAK,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC1B,UAAU,GAAG,MAAM,CAAC,aAAa,EAAE,CAAC;QACpC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QACtC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,uBAAuB;IACvB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,6BAA6B;IAC7B,aAAa,CACX,MAAM,EACN,GAAG,EAAE,CAAC,MAAM,EACZ,GAAG,EAAE,CAAC,KAAK,EACX,GAAG,EAAE,CAAC,UAAU,CACjB,CAAC;IAEF,iCAAiC;IACjC,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEhC,GAAG,CAAC,0CAA0C,CAAC,CAAC;IAEhD,oBAAoB;IACpB,MAAM,QAAQ,GAAG,KAAK,IAAmB,EAAE;QACzC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QACxB,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;QAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,GAAG,CAAC,OAAe;IAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,OAAO,IAAI,CAAC,CAAC;AACnD,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAC3E,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kCAAkC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAGtD,+EAA+E;AAE/E,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AACtC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AACrF,MAAM,OAAO,GAAW,GAAG,CAAC,OAAO,CAAC;AAEpC,+EAA+E;AAE/E,KAAK,UAAU,cAAc;IAC3B,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;QAE3D,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,8BAA8B,GAAG,CAAC,IAAI,SAAS,EAC/C,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,CAC9B,CAAC;QACF,YAAY,CAAC,OAAO,CAAC,CAAC;QAEtB,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO;QAEpB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA0B,CAAC;QACtD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC;QAC5B,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,OAAO;YAAE,OAAO;QAE1C,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,OAAO,GACX,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;YACtB,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACpD,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnF,IAAI,OAAO,EAAE,CAAC;YACZ,GAAG,CAAC,qBAAqB,OAAO,MAAM,MAAM,yBAAyB,GAAG,CAAC,IAAI,SAAS,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,gBAAgB;IAClB,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E,SAAS,SAAS;IAChB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACnC,IAAI,WAAW,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAChC,IAAI,IAAI,GAAG,MAAM,CAAC,CAAC,4BAA4B;IAC/C,IAAI,SAA6B,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,QAAQ,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAChB,KAAK,WAAW,CAAC;YACjB,KAAK,IAAI;gBACP,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;gBACxC,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI;gBACP,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC;gBAC3B,MAAM;YACR,KAAK,cAAc;gBACjB,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;gBACtB,MAAM;YACR,KAAK,QAAQ,CAAC;YACd,KAAK,IAAI;gBACP,SAAS,EAAE,CAAC;gBACZ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAChB,MAAM;YACR,KAAK,WAAW,CAAC;YACjB,KAAK,IAAI;gBACP,GAAG,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAC;gBACpC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAChB,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,SAAS;IAChB,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmCL,CAAC,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,MAAM,cAAc,EAAE,CAAC;IAEvB,GAAG,CAAC,8BAA8B,OAAO,EAAE,CAAC,CAAC;IAC7C,GAAG,CAAC,cAAc,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACxC,GAAG,CAAC,WAAW,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,iCAAiC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3F,GAAG,CAAC,iBAAiB,MAAM,CAAC,SAAS,IAAI,cAAc,EAAE,CAAC,CAAC;IAE3D,qCAAqC;IACrC,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,KAAK,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;IAChC,IAAI,UAAU,GAAG,MAAM,CAAC,aAAa,EAAE,CAAC;IACxC,IAAI,MAAM,GAAG,IAAI,iBAAiB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAEtD,8CAA8C;IAC9C,MAAM,CAAC,aAAa,CAAC,GAAG,EAAE;QACxB,KAAK,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC1B,UAAU,GAAG,MAAM,CAAC,aAAa,EAAE,CAAC;QACpC,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QACtC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,uBAAuB;IACvB,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,sEAAsE;IACtE,aAAa,CACX,MAAM,EACN,GAAG,EAAE,CAAC,MAAM,EACZ,GAAG,EAAE,CAAC,KAAK,EACX,GAAG,EAAE,CAAC,UAAU,EAChB,MAAM,EACN,CAAC,IAAI,EAAE,EAAE;QACP,8CAA8C;QAC9C,UAAU,GAAG,IAAI,CAAC;QAClB,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAChC,GAAG,CAAC,gBAAgB,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;IACjC,CAAC,CACF,CAAC;IAEF,iCAAiC;IACjC,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEhC,GAAG,CAAC,0CAA0C,CAAC,CAAC;IAEhD,MAAM,QAAQ,GAAG,KAAK,IAAmB,EAAE;QACzC,GAAG,CAAC,kBAAkB,CAAC,CAAC;QACxB,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;QAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,GAAG,CAAC,OAAe;IAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,OAAO,IAAI,CAAC,CAAC;AACnD,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAC3E,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
package/dist/services/policy-loader.d.ts CHANGED
@@ -2,12 +2,11 @@
2
2
  * PolicyLoader — Reads .agentpolicy/ files into process memory.
3
3
  *
4
4
  * Core of the zero-token-overhead design. All governance files are loaded
5
- * into Node.js process memory on startup. The agent never sees these files
6
- * it only sees tool call results (allowed/blocked).
5
+ * into Node.js process memory on startup. The agent never sees these files.
7
6
  *
8
- * Role resolution merges the skeleton fields (role.name, scope.primary_paths)
9
- * with extension fields (paths.read/write, forbidden_actions) into a single
10
- * ResolvedRole for fast enforcement lookups.
7
+ * Supports "auto" role mode: when config.role is "auto" (or not specified),
8
+ * no role is locked at startup. The agent selects a role at runtime via
9
+ * aegis_select_role, and all enforcement uses the selected role thereafter.
11
10
  */
12
11
  import type { PolicyState, ResolvedRole, AegisMcpConfig } from '../types.js';
13
12
  export declare class PolicyLoader {
@@ -15,6 +14,7 @@ export declare class PolicyLoader {
15
14
  private state;
16
15
  private watcher;
17
16
  private onReload?;
17
+ private selectedRole;
18
18
  constructor(config: AegisMcpConfig);
19
19
  /**
20
20
  * Load all policy files into memory. Call once on startup.
@@ -33,7 +33,29 @@ export declare class PolicyLoader {
33
33
  */
34
34
  stopWatching(): Promise<void>;
35
35
  /**
36
- * Get the resolved role for the configured agent, falling back to default.
36
+ * Whether the MCP is in auto role mode (no role pre-assigned).
37
+ */
38
+ isAutoMode(): boolean;
39
+ /**
40
+ * Whether a role has been selected in auto mode.
41
+ */
42
+ hasSelectedRole(): boolean;
43
+ /**
44
+ * Select a role in auto mode. Returns the resolved role, or null if not found.
45
+ */
46
+ selectRole(roleId: string): ResolvedRole | null;
47
+ /**
48
+ * Get all available roles as a summary list.
49
+ */
50
+ getAvailableRoles(): Array<{
51
+ id: string;
52
+ name: string;
53
+ purpose: string;
54
+ }>;
55
+ /**
56
+ * Get the resolved role for the configured agent.
57
+ * In auto mode: returns the selected role, or a placeholder if none selected yet.
58
+ * In fixed mode: returns the configured role, falling back to default.
37
59
  */
38
60
  getActiveRole(): ResolvedRole;
39
61
  private resolvePolicyDir;
@@ -41,12 +63,6 @@ export declare class PolicyLoader {
41
63
  private loadRoles;
42
64
  /**
43
65
  * Merge skeleton and extension fields into a single ResolvedRole.
44
- *
45
- * Skeleton: role.name, role.purpose, scope.primary_paths/secondary_paths/excluded_paths
46
- * Extensions: paths.read/write, forbidden_actions, autonomy (flat string)
47
- *
48
- * For writable paths: scope.primary_paths takes precedence; paths.write used as fallback.
49
- * For readable paths: paths.read used when present; otherwise derived from writable + secondary.
50
66
  */
51
67
  private resolveRole;
52
68
  private handleChange;
package/dist/services/policy-loader.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"policy-loader.d.ts","sourceRoot":"","sources":["../../src/services/policy-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,OAAO,KAAK,EACV,WAAW,EAIX,YAAY,EACZ,cAAc,EACf,MAAM,aAAa,CAAC;AAErB,qBAAa,YAAY;IAKX,OAAO,CAAC,MAAM;IAJ1B,OAAO,CAAC,KAAK,CAA4B;IACzC,OAAO,CAAC,OAAO,CAAyC;IACxD,OAAO,CAAC,QAAQ,CAAC,CAAa;gBAEV,MAAM,EAAE,cAAc;IAE1C;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,WAAW,CAAC;IA4BlC;;OAEG;IACH,QAAQ,IAAI,WAAW;IAOvB;;OAEG;IACH,aAAa,CAAC,QAAQ,CAAC,EAAE,MAAM,IAAI,GAAG,IAAI;IAgB1C;;OAEG;IACG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAOnC;;OAEG;IACH,aAAa,IAAI,YAAY;IA8B7B,OAAO,CAAC,gBAAgB;YAOV,QAAQ;YAYR,SAAS;IAyBvB;;;;;;;;OAQG;IACH,OAAO,CAAC,WAAW;YA4CL,YAAY;YAYZ,YAAY;IAQ1B,OAAO,CAAC,GAAG;CAGZ"}
1
+ {"version":3,"file":"policy-loader.d.ts","sourceRoot":"","sources":["../../src/services/policy-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,KAAK,EACV,WAAW,EAIX,YAAY,EACZ,cAAc,EACf,MAAM,aAAa,CAAC;AAErB,qBAAa,YAAY;IAMX,OAAO,CAAC,MAAM;IAL1B,OAAO,CAAC,KAAK,CAA4B;IACzC,OAAO,CAAC,OAAO,CAAyC;IACxD,OAAO,CAAC,QAAQ,CAAC,CAAa;IAC9B,OAAO,CAAC,YAAY,CAA6B;gBAE7B,MAAM,EAAE,cAAc;IAE1C;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,WAAW,CAAC;IA4BlC;;OAEG;IACH,QAAQ,IAAI,WAAW;IAOvB;;OAEG;IACH,aAAa,CAAC,QAAQ,CAAC,EAAE,MAAM,IAAI,GAAG,IAAI;IAgB1C;;OAEG;IACG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAOnC;;OAEG;IACH,UAAU,IAAI,OAAO;IAIrB;;OAEG;IACH,eAAe,IAAI,OAAO;IAI1B;;OAEG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI;IAU/C;;OAEG;IACH,iBAAiB,IAAI,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IASzE;;;;OAIG;IACH,aAAa,IAAI,YAAY;IAiD7B,OAAO,CAAC,gBAAgB;YAOV,QAAQ;YAYR,SAAS;IAyBvB;;OAEG;IACH,OAAO,CAAC,WAAW;YAoCL,YAAY;YAYZ,YAAY;IAQ1B,OAAO,CAAC,GAAG;CAGZ"}
package/dist/services/policy-loader.js CHANGED
@@ -2,12 +2,11 @@
2
2
  * PolicyLoader — Reads .agentpolicy/ files into process memory.
3
3
  *
4
4
  * Core of the zero-token-overhead design. All governance files are loaded
5
- * into Node.js process memory on startup. The agent never sees these files
6
- * it only sees tool call results (allowed/blocked).
5
+ * into Node.js process memory on startup. The agent never sees these files.
7
6
  *
8
- * Role resolution merges the skeleton fields (role.name, scope.primary_paths)
9
- * with extension fields (paths.read/write, forbidden_actions) into a single
10
- * ResolvedRole for fast enforcement lookups.
7
+ * Supports "auto" role mode: when config.role is "auto" (or not specified),
8
+ * no role is locked at startup. The agent selects a role at runtime via
9
+ * aegis_select_role, and all enforcement uses the selected role thereafter.
11
10
  */
12
11
  import { readFile, readdir, access } from 'node:fs/promises';
13
12
  import { join, basename } from 'node:path';
@@ -17,6 +16,7 @@ export class PolicyLoader {
17
16
  state = null;
18
17
  watcher = null;
19
18
  onReload;
19
+ selectedRole = null;
20
20
  constructor(config) {
21
21
  this.config = config;
22
22
  }
@@ -73,10 +73,65 @@ export class PolicyLoader {
73
73
  }
74
74
  }
75
75
  /**
76
- * Get the resolved role for the configured agent, falling back to default.
76
+ * Whether the MCP is in auto role mode (no role pre-assigned).
77
+ */
78
+ isAutoMode() {
79
+ return this.config.role === 'auto';
80
+ }
81
+ /**
82
+ * Whether a role has been selected in auto mode.
83
+ */
84
+ hasSelectedRole() {
85
+ return this.selectedRole !== null;
86
+ }
87
+ /**
88
+ * Select a role in auto mode. Returns the resolved role, or null if not found.
89
+ */
90
+ selectRole(roleId) {
91
+ const state = this.getState();
92
+ const role = state.roles.get(roleId);
93
+ if (!role)
94
+ return null;
95
+ this.selectedRole = role;
96
+ this.log(`Role selected: ${roleId}`);
97
+ return role;
98
+ }
99
+ /**
100
+ * Get all available roles as a summary list.
101
+ */
102
+ getAvailableRoles() {
103
+ const state = this.getState();
104
+ const roles = [];
105
+ for (const [id, role] of state.roles) {
106
+ roles.push({ id, name: role.name, purpose: role.purpose });
107
+ }
108
+ return roles;
109
+ }
110
+ /**
111
+ * Get the resolved role for the configured agent.
112
+ * In auto mode: returns the selected role, or a placeholder if none selected yet.
113
+ * In fixed mode: returns the configured role, falling back to default.
77
114
  */
78
115
  getActiveRole() {
79
116
  const state = this.getState();
117
+ // Auto mode — return selected role or placeholder
118
+ if (this.isAutoMode()) {
119
+ if (this.selectedRole)
120
+ return this.selectedRole;
121
+ // No role selected yet — return a restrictive placeholder
122
+ return {
123
+ id: 'unassigned',
124
+ name: 'unassigned',
125
+ purpose: 'No role selected. Call aegis_select_role to choose a role before performing any actions.',
126
+ writable_paths: [],
127
+ secondary_paths: [],
128
+ excluded_paths: [],
129
+ readable_paths: [],
130
+ autonomy: 'conservative',
131
+ forbidden_actions: ['All actions — no role has been selected yet.'],
132
+ };
133
+ }
134
+ // Fixed mode — use configured role
80
135
  const roleId = this.config.role;
81
136
  const role = state.roles.get(roleId);
82
137
  if (role)
@@ -86,7 +141,6 @@ export class PolicyLoader {
86
141
  this.log(`Role "${roleId}" not found, using default`);
87
142
  return defaultRole;
88
143
  }
89
- // Synthesize a permissive default if no role files exist
90
144
  this.log('No role files found, using synthesized permissive default');
91
145
  return {
92
146
  id: 'default',
@@ -134,36 +188,23 @@ export class PolicyLoader {
134
188
  }
135
189
  /**
136
190
  * Merge skeleton and extension fields into a single ResolvedRole.
137
- *
138
- * Skeleton: role.name, role.purpose, scope.primary_paths/secondary_paths/excluded_paths
139
- * Extensions: paths.read/write, forbidden_actions, autonomy (flat string)
140
- *
141
- * For writable paths: scope.primary_paths takes precedence; paths.write used as fallback.
142
- * For readable paths: paths.read used when present; otherwise derived from writable + secondary.
143
191
  */
144
192
  resolveRole(id, raw) {
145
- // Role identity — skeleton nested object, or flat string + description
146
193
  const name = typeof raw.role === 'object' ? raw.role.name : String(raw.role);
147
194
  const purpose = typeof raw.role === 'object'
148
195
  ? raw.role.purpose
149
196
  : (raw.description ?? '');
150
- // Writable paths — skeleton primary_paths, or extension paths.write
151
197
  const writable_paths = raw.scope?.primary_paths?.length
152
198
  ? raw.scope.primary_paths
153
199
  : (raw.paths?.write ?? []);
154
- // Secondary paths
155
200
  const secondary_paths = raw.scope?.secondary_paths ?? [];
156
- // Excluded paths
157
201
  const excluded_paths = raw.scope?.excluded_paths ?? [];
158
- // Readable paths — extension paths.read, or all writable + secondary
159
202
  const readable_paths = raw.paths?.read?.length
160
203
  ? raw.paths.read
161
204
  : [...writable_paths, ...secondary_paths];
162
- // Autonomy — flat extension string or skeleton override
163
205
  const autonomy = raw.autonomy
164
206
  ? String(raw.autonomy)
165
207
  : 'advisory';
166
- // Forbidden actions
167
208
  const forbidden_actions = raw.forbidden_actions ?? [];
168
209
  return {
169
210
  id,
package/dist/services/policy-loader.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"policy-loader.js","sourceRoot":"","sources":["../../src/services/policy-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,CAAC;AAUjC,MAAM,OAAO,YAAY;IAKH;IAJZ,KAAK,GAAuB,IAAI,CAAC;IACjC,OAAO,GAAoC,IAAI,CAAC;IAChD,QAAQ,CAAc;IAE9B,YAAoB,MAAsB;QAAtB,WAAM,GAAN,MAAM,CAAgB;IAAG,CAAC;IAE9C;;OAEG;IACH,KAAK,CAAC,IAAI;QACR,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC1C,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;QAEvD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,QAAQ,CACtC,IAAI,CAAC,SAAS,EAAE,mBAAmB,CAAC,EACpC,mBAAmB,CACpB,CAAC;QAEF,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,QAAQ,CACpC,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,EAClC,iBAAiB,CAClB,CAAC;QAEF,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;QAE7D,IAAI,CAAC,KAAK,GAAG;YACX,YAAY;YACZ,UAAU;YACV,KAAK;YACL,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACpC,SAAS;SACV,CAAC;QAEF,IAAI,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,IAAI,UAAU,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,QAAqB;QACjC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAE1C,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,SAAS,EAAE;YAC9B,aAAa,EAAE,IAAI;YACnB,gBAAgB,EAAE,EAAE,kBAAkB,EAAE,GAAG,EAAE;SAC9C,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAE7D,IAAI,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY;QAChB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YAC3B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACtB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,aAAa;QACX,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QAEhC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;QAEtB,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,CAAC,GAAG,CAAC,SAAS,MAAM,4BAA4B,CAAC,CAAC;YACtD,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;QACtE,OAAO;YACL,EAAE,EAAE,SAAS;YACb,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,gDAAgD;YACzD,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,QAAQ,EAAE,UAAU;YACpB,iBAAiB,EAAE,EAAE;SACtB,CAAC;IACJ,CAAC;IAED,+EAA+E;IAEvE,gBAAgB;QACtB,OAAO,IAAI,CACT,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,cAAc,CACxC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAI,IAAY,EAAE,KAAa;QACnD,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1C,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAM,CAAC;QAC9B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,mBAAmB,KAAK,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAChF,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,QAAgB;QACtC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAwB,CAAC;QAE9C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,QAAQ,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QACjE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,SAAS;YAE/D,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC7C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAC7B,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,EAC1B,SAAS,KAAK,CAAC,IAAI,EAAE,CACtB,CAAC;YAEF,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;;;;OAQG;IACK,WAAW,CAAC,EAAU,EAAE,GAAa;QAC3C,uEAAuE;QACvE,MAAM,IAAI,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7E,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;YAC1C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO;YAClB,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QAE5B,oEAAoE;QACpE,MAAM,cAAc,GAAG,GAAG,CAAC,KAAK,EAAE,aAAa,EAAE,MAAM;YACrD,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,aAAa;YACzB,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QAE7B,kBAAkB;QAClB,MAAM,eAAe,GAAG,GAAG,CAAC,KAAK,EAAE,eAAe,IAAI,EAAE,CAAC;QAEzD,iBAAiB;QACjB,MAAM,cAAc,GAAG,GAAG,CAAC,KAAK,EAAE,cAAc,IAAI,EAAE,CAAC;QAEvD,qEAAqE;QACrE,MAAM,cAAc,GAAG,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM;YAC5C,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI;YAChB,CAAC,CAAC,CAAC,GAAG,cAAc,EAAE,GAAG,eAAe,CAAC,CAAC;QAE5C,wDAAwD;QACxD,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ;YAC3B,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;YACtB,CAAC,CAAC,UAAU,CAAC;QAEf,oBAAoB;QACpB,MAAM,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QAEtD,OAAO;YACL,EAAE;YACF,IAAI;YACJ,OAAO;YACP,cAAc;YACd,eAAe;YACf,cAAc;YACd,cAAc;YACd,QAAQ;YACR,iBAAiB;SAClB,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,IAAY;QACrC,IAAI,CAAC,GAAG,CAAC,wBAAwB,IAAI,EAAE,CAAC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAClB,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC;QACpB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CACN,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC/E,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,KAAa;QACpD,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,kBAAkB,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAEO,GAAG,CAAC,OAAe;QACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,OAAO,IAAI,CAAC,CAAC;IACnD,CAAC;CACF"}
1
+ {"version":3,"file":"policy-loader.js","sourceRoot":"","sources":["../../src/services/policy-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAC3C,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,CAAC;AAUjC,MAAM,OAAO,YAAY;IAMH;IALZ,KAAK,GAAuB,IAAI,CAAC;IACjC,OAAO,GAAoC,IAAI,CAAC;IAChD,QAAQ,CAAc;IACtB,YAAY,GAAwB,IAAI,CAAC;IAEjD,YAAoB,MAAsB;QAAtB,WAAM,GAAN,MAAM,CAAgB;IAAG,CAAC;IAE9C;;OAEG;IACH,KAAK,CAAC,IAAI;QACR,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC1C,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC;QAEvD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,QAAQ,CACtC,IAAI,CAAC,SAAS,EAAE,mBAAmB,CAAC,EACpC,mBAAmB,CACpB,CAAC;QAEF,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,QAAQ,CACpC,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,EAClC,iBAAiB,CAClB,CAAC;QAEF,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;QAE7D,IAAI,CAAC,KAAK,GAAG;YACX,YAAY;YACZ,UAAU;YACV,KAAK;YACL,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACpC,SAAS;SACV,CAAC;QAEF,IAAI,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,IAAI,UAAU,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,QAAqB;QACjC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAE1C,IAAI,CAAC,OAAO,GAAG,KAAK,CAAC,SAAS,EAAE;YAC9B,aAAa,EAAE,IAAI;YACnB,gBAAgB,EAAE,EAAE,kBAAkB,EAAE,GAAG,EAAE;SAC9C,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;QAE7D,IAAI,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY;QAChB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YAC3B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACtB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO,IAAI,CAAC,YAAY,KAAK,IAAI,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,MAAc;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,GAAG,CAAC,kBAAkB,MAAM,EAAE,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAyD,EAAE,CAAC;QACvE,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;OAIG;IACH,aAAa;QACX,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAE9B,kDAAkD;QAClD,IAAI,IAAI,CAAC,UAAU,EAAE,EAAE,CAAC;YACtB,IAAI,IAAI,CAAC,YAAY;gBAAE,OAAO,IAAI,CAAC,YAAY,CAAC;YAEhD,0DAA0D;YAC1D,OAAO;gBACL,EAAE,EAAE,YAAY;gBAChB,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,0FAA0F;gBACnG,cAAc,EAAE,EAAE;gBAClB,eAAe,EAAE,EAAE;gBACnB,cAAc,EAAE,EAAE;gBAClB,cAAc,EAAE,EAAE;gBAClB,QAAQ,EAAE,cAAc;gBACxB,iBAAiB,EAAE,CAAC,8CAA8C,CAAC;aACpE,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QAEhC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;QAEtB,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,WAAW,EAAE,CAAC;YAChB,IAAI,CAAC,GAAG,CAAC,SAAS,MAAM,4BAA4B,CAAC,CAAC;YACtD,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;QACtE,OAAO;YACL,EAAE,EAAE,SAAS;YACb,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,gDAAgD;YACzD,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,EAAE;YAClB,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,QAAQ,EAAE,UAAU;YACpB,iBAAiB,EAAE,EAAE;SACtB,CAAC;IACJ,CAAC;IAED,+EAA+E;IAEvE,gBAAgB;QACtB,OAAO,IAAI,CACT,IAAI,CAAC,MAAM,CAAC,WAAW,EACvB,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,cAAc,CACxC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAI,IAAY,EAAE,KAAa;QACnD,MAAM,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1C,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAM,CAAC;QAC9B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,mBAAmB,KAAK,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAChF,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,QAAgB;QACtC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAwB,CAAC;QAE9C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,QAAQ,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QACjE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,SAAS;YAE/D,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC7C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAC7B,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,EAC1B,SAAS,KAAK,CAAC,IAAI,EAAE,CACtB,CAAC;YAEF,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,EAAU,EAAE,GAAa;QAC3C,MAAM,IAAI,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7E,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;YAC1C,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO;YAClB,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QAE5B,MAAM,cAAc,GAAG,GAAG,CAAC,KAAK,EAAE,aAAa,EAAE,MAAM;YACrD,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,aAAa;YACzB,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QAE7B,MAAM,eAAe,GAAG,GAAG,CAAC,KAAK,EAAE,eAAe,IAAI,EAAE,CAAC;QACzD,MAAM,cAAc,GAAG,GAAG,CAAC,KAAK,EAAE,cAAc,IAAI,EAAE,CAAC;QAEvD,MAAM,cAAc,GAAG,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM;YAC5C,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI;YAChB,CAAC,CAAC,CAAC,GAAG,cAAc,EAAE,GAAG,eAAe,CAAC,CAAC;QAE5C,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ;YAC3B,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC;YACtB,CAAC,CAAC,UAAU,CAAC;QAEf,MAAM,iBAAiB,GAAG,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QAEtD,OAAO;YACL,EAAE;YACF,IAAI;YACJ,OAAO;YACP,cAAc;YACd,eAAe;YACf,cAAc;YACd,cAAc;YACd,QAAQ;YACR,iBAAiB;SAClB,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,IAAY;QACrC,IAAI,CAAC,GAAG,CAAC,wBAAwB,IAAI,EAAE,CAAC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAClB,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC;QACpB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CACN,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC/E,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,IAAY,EAAE,KAAa;QACpD,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,kBAAkB,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAEO,GAAG,CAAC,OAAe;QACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,OAAO,IAAI,CAAC,CAAC;IACnD,CAAC;CACF"}