agent-permission 0.1.0

package/dist/api.d.ts

@@ -0,0 +1,17 @@
+import { BatchFile, CheckParams, CheckResponse, PermissionReceipt, VerifyReceiptResponse } from './types.js';
+interface ApiOptions {
+    apiUrl: string;
+    apiKey?: string;
+    fetch: typeof fetch;
+}
+export declare class AgentPermissionApiError extends Error {
+    status: number;
+    constructor(status: number, message: string);
+}
+export declare function checkPermission(params: CheckParams, options: ApiOptions): Promise<CheckResponse>;
+export declare function batchCheckPermissions(batch: BatchFile, options: ApiOptions): Promise<{
+    results: CheckResponse[];
+}>;
+export declare function verifyReceipt(receipt: PermissionReceipt, options: ApiOptions): Promise<VerifyReceiptResponse>;
+export {};
+//# sourceMappingURL=api.d.ts.map

package/dist/api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,aAAa,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAE7G,UAAU,UAAU;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,OAAO,KAAK,CAAC;CACrB;AAED,qBAAa,uBAAwB,SAAQ,KAAK;IAChD,MAAM,EAAE,MAAM,CAAC;gBAEH,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAK5C;AAED,wBAAsB,eAAe,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,CAetG;AAED,wBAAsB,qBAAqB,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,aAAa,EAAE,CAAA;CAAE,CAAC,CAexH;AAED,wBAAsB,aAAa,CAAC,OAAO,EAAE,iBAAiB,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAUnH"}

package/dist/api.js

@@ -0,0 +1,57 @@
+export class AgentPermissionApiError extends Error {
+    status;
+    constructor(status, message) {
+        super(message);
+        this.name = 'AgentPermissionApiError';
+        this.status = status;
+    }
+}
+export async function checkPermission(params, options) {
+    if (!options.apiKey) {
+        throw new AgentPermissionApiError(401, 'Missing API key. Set AGENT_PERMISSION_API_KEY or run `agent-permission config set api-key <key>`.');
+    }
+    const res = await options.fetch(`${trimSlash(options.apiUrl)}/v1/check`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Bearer ${options.apiKey}`,
+        },
+        body: JSON.stringify(params),
+    });
+    return readResponse(res);
+}
+export async function batchCheckPermissions(batch, options) {
+    if (!options.apiKey) {
+        throw new AgentPermissionApiError(401, 'Missing API key. Set AGENT_PERMISSION_API_KEY or run `agent-permission config set api-key <key>`.');
+    }
+    const res = await options.fetch(`${trimSlash(options.apiUrl)}/v1/batch-check`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Bearer ${options.apiKey}`,
+        },
+        body: JSON.stringify(batch),
+    });
+    return readResponse(res);
+}
+export async function verifyReceipt(receipt, options) {
+    const res = await options.fetch(`${trimSlash(options.apiUrl)}/v1/verify-receipt`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(receipt),
+    });
+    return readResponse(res);
+}
+async function readResponse(res) {
+    const body = await res.json().catch(() => ({}));
+    if (!res.ok) {
+        const message = typeof body?.message === 'string' ? body.message : `API request failed with ${res.status}`;
+        throw new AgentPermissionApiError(res.status, message);
+    }
+    return body;
+}
+function trimSlash(value) {
+    return value.replace(/\/+$/, '');
+}

package/dist/cli.d.ts

@@ -0,0 +1,9 @@
+import { CliIO, Runtime } from './types.js';
+interface ParsedFlags {
+    flags: Record<string, string | boolean>;
+    positionals: string[];
+}
+export declare function runCli(argv: string[], runtime: Runtime, io: CliIO): Promise<number>;
+export declare function parseFlags(args: string[]): ParsedFlags;
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAKA,OAAO,EAAyD,KAAK,EAAuD,OAAO,EAAE,MAAM,YAAY,CAAC;AAExJ,UAAU,WAAW;IACnB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC;IACxC,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,wBAAsB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CA6BzF;AA+GD,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,WAAW,CA2BtD"}

package/dist/cli.js

@@ -0,0 +1,204 @@
+import { readFile } from 'node:fs/promises';
+import { batchCheckPermissions, checkPermission, verifyReceipt } from './api.js';
+import { getConfigPath, readConfig, resolveConfig, writeConfig } from './config.js';
+import { decisionExitCode, formatBatchHuman, formatCheckHuman, formatVerifyHuman } from './format.js';
+import { installAgentInstructions } from './install.js';
+import { ACTIONS } from './types.js';
+export async function runCli(argv, runtime, io) {
+    const invoked = argv[1] || 'agent-permission';
+    const args = argv.slice(2);
+    if (isSkillsInvocation(invoked, args)) {
+        return runCli([argv[0], argv[1], 'install', '--adapter', 'auto'], runtime, io);
+    }
+    const command = args[0];
+    const rest = args.slice(1);
+    try {
+        if (!command || command === '--help' || command === '-h') {
+            io.stdout(helpText());
+            return 0;
+        }
+        if (command === 'check')
+            return runCheck(rest, runtime, io);
+        if (command === 'batch')
+            return runBatch(rest, runtime, io);
+        if (command === 'verify-receipt')
+            return runVerify(rest, runtime, io);
+        if (command === 'install')
+            return runInstall(rest, runtime, io);
+        if (command === 'config')
+            return runConfig(rest, runtime, io);
+        io.stderr(`Unknown command: ${command}\n\n${helpText()}`);
+        return 1;
+    }
+    catch (err) {
+        io.stderr(err instanceof Error ? err.message : 'Unexpected CLI failure.');
+        return 1;
+    }
+}
+async function runCheck(args, runtime, io) {
+    const parsed = parseFlags(args);
+    const url = parsed.positionals[0];
+    const action = parseAction(stringFlag(parsed, 'action') || parsed.positionals[1]);
+    if (!url || !action) {
+        throw new Error('Usage: agent-permission check <url> --action <crawl|summarize|extract|train|transact|post>');
+    }
+    const config = await resolveConfig(runtime);
+    const params = {
+        url,
+        action,
+        mode: parseMode(stringFlag(parsed, 'mode')) || config.defaultMode,
+        agent_user_agent: stringFlag(parsed, 'user-agent') || stringFlag(parsed, 'agent-user-agent'),
+        bypass_cache: Boolean(parsed.flags['bypass-cache']),
+    };
+    const result = await checkPermission(params, {
+        apiUrl: stringFlag(parsed, 'api-url') || config.apiUrl,
+        apiKey: stringFlag(parsed, 'api-key') || config.apiKey,
+        fetch: runtime.fetch,
+    });
+    const format = outputFormat(parsed);
+    io.stdout(format === 'json' ? JSON.stringify(result, null, 2) : formatCheckHuman(result));
+    return parsed.flags['exit-code'] ? decisionExitCode(result.decision) : 0;
+}
+async function runBatch(args, runtime, io) {
+    const parsed = parseFlags(args);
+    const file = stringFlag(parsed, 'file');
+    if (!file) {
+        throw new Error('Usage: agent-permission batch --file checks.json');
+    }
+    const config = await resolveConfig(runtime);
+    const batch = JSON.parse(await readFile(file, 'utf8'));
+    const result = await batchCheckPermissions(batch, {
+        apiUrl: stringFlag(parsed, 'api-url') || config.apiUrl,
+        apiKey: stringFlag(parsed, 'api-key') || config.apiKey,
+        fetch: runtime.fetch,
+    });
+    const format = outputFormat(parsed);
+    io.stdout(format === 'json' ? JSON.stringify(result, null, 2) : formatBatchHuman(result.results));
+    if (parsed.flags['exit-code']) {
+        return result.results.reduce((max, item) => Math.max(max, decisionExitCode(item.decision)), 0);
+    }
+    return 0;
+}
+async function runVerify(args, runtime, io) {
+    const parsed = parseFlags(args);
+    const file = stringFlag(parsed, 'file');
+    if (!file) {
+        throw new Error('Usage: agent-permission verify-receipt --file receipt.json');
+    }
+    const config = await resolveConfig(runtime);
+    const receipt = JSON.parse(await readFile(file, 'utf8'));
+    const result = await verifyReceipt(receipt, {
+        apiUrl: stringFlag(parsed, 'api-url') || config.apiUrl,
+        fetch: runtime.fetch,
+    });
+    const format = outputFormat(parsed);
+    io.stdout(format === 'json' ? JSON.stringify(result, null, 2) : formatVerifyHuman(result));
+    return result.valid ? 0 : 1;
+}
+async function runInstall(args, runtime, io) {
+    const parsed = parseFlags(args);
+    const adapter = parseAdapter(stringFlag(parsed, 'adapter') || parsed.positionals[0] || 'auto');
+    const scope = parseScope(stringFlag(parsed, 'scope') || 'project');
+    const result = await installAgentInstructions(adapter, scope, runtime);
+    io.stdout(`Installed Agent Permission instructions for ${result.adapter} at ${result.path}`);
+    return 0;
+}
+async function runConfig(args, runtime, io) {
+    const subcommand = args[0];
+    if (subcommand === 'set' && args[1] === 'api-key' && args[2]) {
+        const current = await readConfig(runtime);
+        const path = await writeConfig(runtime, { ...current, apiKey: args[2] });
+        io.stdout(`Saved API key to ${path}`);
+        return 0;
+    }
+    if (subcommand === 'set' && args[1] === 'api-url' && args[2]) {
+        const current = await readConfig(runtime);
+        const path = await writeConfig(runtime, { ...current, apiUrl: args[2] });
+        io.stdout(`Saved API URL to ${path}`);
+        return 0;
+    }
+    if (subcommand === 'doctor') {
+        const config = await resolveConfig(runtime);
+        io.stdout([
+            `Config: ${getConfigPath(runtime)}`,
+            `API URL: ${config.apiUrl}`,
+            `API key: ${config.apiKey ? 'configured' : 'missing'}`,
+            `Default mode: ${config.defaultMode}`,
+        ].join('\n'));
+        return config.apiKey ? 0 : 1;
+    }
+    throw new Error('Usage: agent-permission config set api-key <key> | config set api-url <url> | config doctor');
+}
+export function parseFlags(args) {
+    const flags = {};
+    const positionals = [];
+    for (let i = 0; i < args.length; i += 1) {
+        const arg = args[i];
+        if (!arg.startsWith('--')) {
+            positionals.push(arg);
+            continue;
+        }
+        const [rawKey, inlineValue] = arg.slice(2).split('=', 2);
+        if (inlineValue !== undefined) {
+            flags[rawKey] = inlineValue;
+            continue;
+        }
+        const next = args[i + 1];
+        if (next && !next.startsWith('--')) {
+            flags[rawKey] = next;
+            i += 1;
+        }
+        else {
+            flags[rawKey] = true;
+        }
+    }
+    return { flags, positionals };
+}
+function stringFlag(parsed, name) {
+    const value = parsed.flags[name];
+    return typeof value === 'string' ? value : undefined;
+}
+function outputFormat(parsed) {
+    return parsed.flags.json ? 'json' : 'human';
+}
+function parseAction(value) {
+    return ACTIONS.includes(value) ? value : undefined;
+}
+function parseMode(value) {
+    if (!value)
+        return undefined;
+    if (value === 'strict' || value === 'permissive')
+        return value;
+    throw new Error('Mode must be strict or permissive.');
+}
+function parseAdapter(value) {
+    if (value === 'auto' || value === 'codex' || value === 'claude' || value === 'chatgpt' || value === 'openclaw')
+        return value;
+    throw new Error('Adapter must be auto, codex, claude, chatgpt, or openclaw.');
+}
+function parseScope(value) {
+    if (value === 'project' || value === 'user')
+        return value;
+    throw new Error('Scope must be project or user.');
+}
+function isSkillsInvocation(invoked, args) {
+    const name = invoked.split('/').pop() || invoked;
+    return name === 'skills' && args[0] === 'add' && args[1] === 'agent-permission';
+}
+function helpText() {
+    return `Agent Permission CLI
+
+Usage:
+  agent-permission check <url> --action <action> [--json] [--exit-code]
+  agent-permission batch --file checks.json [--json]
+  agent-permission verify-receipt --file receipt.json
+  agent-permission install --adapter auto|codex|claude|chatgpt|openclaw [--scope project|user]
+  agent-permission config set api-key <key>
+  agent-permission config doctor
+
+Actions:
+  crawl, summarize, extract, train, transact, post
+
+Environment:
+  AGENT_PERMISSION_API_KEY, AGENT_PERMISSION_API_URL, AGENT_PERMISSION_DEFAULT_MODE`;
+}

package/dist/config.d.ts

@@ -0,0 +1,6 @@
+import { CliConfig, Runtime } from './types.js';
+export declare function getConfigPath(runtime: Pick<Runtime, 'env' | 'platform' | 'homeDir'>): string;
+export declare function readConfig(runtime: Runtime): Promise<CliConfig>;
+export declare function writeConfig(runtime: Runtime, config: CliConfig): Promise<string>;
+export declare function resolveConfig(runtime: Runtime): Promise<Required<CliConfig>>;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,SAAS,EAAyB,OAAO,EAAE,MAAM,YAAY,CAAC;AAIvE,wBAAgB,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,KAAK,GAAG,UAAU,GAAG,SAAS,CAAC,UAenF;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC,CAerE;AAED,wBAAsB,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,mBAKpE;AAED,wBAAsB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAOlF"}

package/dist/config.js

@@ -0,0 +1,51 @@
+import { mkdir, readFile, writeFile } from 'node:fs/promises';
+import { dirname, join } from 'node:path';
+import { DEFAULT_API_URL } from './types.js';
+const CONFIG_FILE_NAME = 'config.json';
+export function getConfigPath(runtime) {
+    if (runtime.env.AGENT_PERMISSION_CONFIG) {
+        return runtime.env.AGENT_PERMISSION_CONFIG;
+    }
+    const home = runtime.homeDir || runtime.env.HOME || runtime.env.USERPROFILE || '.';
+    if (runtime.env.XDG_CONFIG_HOME) {
+        return join(runtime.env.XDG_CONFIG_HOME, 'agent-permission', CONFIG_FILE_NAME);
+    }
+    if (runtime.platform === 'darwin') {
+        return join(home, 'Library', 'Application Support', 'agent-permission', CONFIG_FILE_NAME);
+    }
+    return join(home, '.config', 'agent-permission', CONFIG_FILE_NAME);
+}
+export async function readConfig(runtime) {
+    try {
+        const raw = await readFile(getConfigPath(runtime), 'utf8');
+        const parsed = JSON.parse(raw);
+        return {
+            apiKey: typeof parsed.apiKey === 'string' ? parsed.apiKey : undefined,
+            apiUrl: typeof parsed.apiUrl === 'string' ? parsed.apiUrl : undefined,
+            defaultMode: parsed.defaultMode === 'permissive' || parsed.defaultMode === 'strict' ? parsed.defaultMode : undefined,
+        };
+    }
+    catch (err) {
+        if (err && typeof err === 'object' && 'code' in err && err.code === 'ENOENT') {
+            return {};
+        }
+        throw err;
+    }
+}
+export async function writeConfig(runtime, config) {
+    const path = getConfigPath(runtime);
+    await mkdir(dirname(path), { recursive: true });
+    await writeFile(path, `${JSON.stringify(config, null, 2)}\n`, { mode: 0o600 });
+    return path;
+}
+export async function resolveConfig(runtime) {
+    const stored = await readConfig(runtime);
+    return {
+        apiKey: runtime.env.AGENT_PERMISSION_API_KEY || stored.apiKey || '',
+        apiUrl: runtime.env.AGENT_PERMISSION_API_URL || stored.apiUrl || DEFAULT_API_URL,
+        defaultMode: parseMode(runtime.env.AGENT_PERMISSION_DEFAULT_MODE) || stored.defaultMode || 'strict',
+    };
+}
+function parseMode(value) {
+    return value === 'strict' || value === 'permissive' ? value : undefined;
+}

package/dist/format.d.ts

@@ -0,0 +1,6 @@
+import { CheckResponse, VerifyReceiptResponse } from './types.js';
+export declare function decisionExitCode(decision: string): 2 | 0 | 3 | 1;
+export declare function formatCheckHuman(result: CheckResponse): string;
+export declare function formatBatchHuman(results: CheckResponse[]): string;
+export declare function formatVerifyHuman(result: VerifyReceiptResponse): string;
+//# sourceMappingURL=format.d.ts.map

package/dist/format.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"format.d.ts","sourceRoot":"","sources":["../src/format.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAElE,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,iBAKhD;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,aAAa,UAwBrD;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,aAAa,EAAE,UAKxD;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,qBAAqB,UAK9D"}

package/dist/format.js

@@ -0,0 +1,43 @@
+export function decisionExitCode(decision) {
+    if (decision === 'allow')
+        return 0;
+    if (decision === 'escalate')
+        return 2;
+    if (decision === 'deny')
+        return 3;
+    return 1;
+}
+export function formatCheckHuman(result) {
+    const lines = [
+        `Decision: ${result.decision}`,
+        `Confidence: ${result.confidence}`,
+        `Risk: ${result.risk}`,
+        `Check: ${result.id}`,
+    ];
+    if (result.reasons.length > 0) {
+        lines.push('', 'Reasons:');
+        for (const reason of result.reasons) {
+            lines.push(`- ${reason}`);
+        }
+    }
+    if (result.sources.length > 0) {
+        lines.push('', 'Sources:');
+        for (const source of result.sources) {
+            lines.push(`- ${source.type}: ${source.url}`);
+        }
+    }
+    lines.push('', `Receipt: ${result.receipt.receipt_id}`);
+    return lines.join('\n');
+}
+export function formatBatchHuman(results) {
+    return results.map((result) => {
+        const urlHash = result.receipt?.url_hash ? ` url_hash=${result.receipt.url_hash}` : '';
+        return `${result.decision.padEnd(8)} ${result.receipt?.action || 'unknown'} ${result.id}${urlHash}`;
+    }).join('\n');
+}
+export function formatVerifyHuman(result) {
+    return [
+        `Valid: ${result.valid ? 'yes' : 'no'}`,
+        `Message: ${result.message}`,
+    ].join('\n');
+}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+import { homedir } from 'node:os';
+import { runCli } from './cli.js';
+const exitCode = await runCli(process.argv, {
+    cwd: process.cwd(),
+    env: process.env,
+    platform: process.platform,
+    fetch,
+    homeDir: homedir(),
+}, {
+    stdout: (message) => process.stdout.write(`${message}\n`),
+    stderr: (message) => process.stderr.write(`${message}\n`),
+});
+process.exitCode = exitCode;

package/dist/install.d.ts

@@ -0,0 +1,9 @@
+import { Adapter, InstallScope, Runtime } from './types.js';
+export interface InstallResult {
+    adapter: Exclude<Adapter, 'auto'>;
+    path: string;
+}
+export declare function installAgentInstructions(adapter: Adapter, scope: InstallScope, runtime: Runtime): Promise<InstallResult>;
+export declare function upsertBlock(existing: string, blockBody: string): string;
+export declare function buildInstructionBlock(adapter: Exclude<Adapter, 'auto'>): string;
+//# sourceMappingURL=install.d.ts.map

package/dist/install.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"install.d.ts","sourceRoot":"","sources":["../src/install.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAK5D,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAClC,IAAI,EAAE,MAAM,CAAC;CACd;AAED,wBAAsB,wBAAwB,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,aAAa,CAAC,CAa9H;AAED,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,UAU9D;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,UAqBtE"}

package/dist/install.js

@@ -0,0 +1,82 @@
+import { mkdir, readFile, writeFile } from 'node:fs/promises';
+import { dirname, join } from 'node:path';
+const BLOCK_START = '<!-- BEGIN:agent-permission -->';
+const BLOCK_END = '<!-- END:agent-permission -->';
+export async function installAgentInstructions(adapter, scope, runtime) {
+    const resolved = adapter === 'auto' ? await detectAdapter(runtime) : adapter;
+    const path = getInstructionPath(resolved, scope, runtime);
+    const existing = await readFile(path, 'utf8').catch((err) => {
+        if (err && typeof err === 'object' && 'code' in err && err.code === 'ENOENT')
+            return '';
+        throw err;
+    });
+    const next = upsertBlock(existing, buildInstructionBlock(resolved));
+    await mkdir(dirname(path), { recursive: true });
+    await writeFile(path, next);
+    return { adapter: resolved, path };
+}
+export function upsertBlock(existing, blockBody) {
+    const block = `${BLOCK_START}\n${blockBody.trim()}\n${BLOCK_END}`;
+    const pattern = new RegExp(`${escapeRegExp(BLOCK_START)}[\\s\\S]*?${escapeRegExp(BLOCK_END)}`);
+    if (pattern.test(existing)) {
+        return existing.replace(pattern, block);
+    }
+    const prefix = existing.trimEnd();
+    return prefix ? `${prefix}\n\n${block}\n` : `${block}\n`;
+}
+export function buildInstructionBlock(adapter) {
+    const agentName = {
+        codex: 'Codex',
+        claude: 'Claude',
+        chatgpt: 'ChatGPT',
+        openclaw: 'OpenClaw',
+    }[adapter];
+    return `# Agent Permission
+
+These instructions equip ${agentName} with Agent Permission preflight checks.
+
+Before crawling, summarizing, extracting, training on, transacting with, or posting to a URL, run:
+
+\`\`\`bash
+agent-permission check <url> --action <crawl|summarize|extract|train|transact|post> --exit-code
+\`\`\`
+
+Use \`crawl\` for fetching or indexing pages, \`summarize\` for compacting page content, \`extract\` for structured data pulls, \`train\` for model training or dataset creation, \`transact\` for purchase/account-changing actions, and \`post\` for creating or modifying remote content.
+
+Treat \`allow\` as permitted, \`deny\` as blocked, and \`escalate\` as requiring human approval before continuing. Preserve the returned receipt ID in task notes when a permission decision affects user-visible work.`;
+}
+async function detectAdapter(runtime) {
+    const claudePath = join(runtime.cwd, 'CLAUDE.md');
+    const agentsPath = join(runtime.cwd, 'AGENTS.md');
+    if (await fileExists(claudePath))
+        return 'claude';
+    if (await fileExists(agentsPath))
+        return 'codex';
+    return 'codex';
+}
+function getInstructionPath(adapter, scope, runtime) {
+    if (scope === 'user') {
+        const home = runtime.homeDir || runtime.env.HOME || runtime.env.USERPROFILE || runtime.cwd;
+        const base = runtime.env.XDG_CONFIG_HOME || join(home, '.config');
+        return join(base, 'agent-permission', `${adapter}.md`);
+    }
+    if (adapter === 'claude')
+        return join(runtime.cwd, 'CLAUDE.md');
+    if (adapter === 'chatgpt')
+        return join(runtime.cwd, 'agent-permission.chatgpt.md');
+    if (adapter === 'openclaw')
+        return join(runtime.cwd, 'AGENTS.md');
+    return join(runtime.cwd, 'AGENTS.md');
+}
+async function fileExists(path) {
+    try {
+        await readFile(path, 'utf8');
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}

package/dist/types.d.ts

@@ -0,0 +1,66 @@
+export declare const DEFAULT_API_URL = "https://agent-permission-api-788656703262.us-central1.run.app";
+export declare const ACTIONS: readonly ["crawl", "summarize", "extract", "train", "transact", "post"];
+export type AgentAction = typeof ACTIONS[number];
+export type Mode = 'strict' | 'permissive';
+export type OutputFormat = 'human' | 'json';
+export type Adapter = 'auto' | 'codex' | 'claude' | 'chatgpt' | 'openclaw';
+export type InstallScope = 'project' | 'user';
+export interface CliConfig {
+    apiKey?: string;
+    apiUrl?: string;
+    defaultMode?: Mode;
+}
+export interface CheckParams {
+    url: string;
+    action: AgentAction;
+    agent_user_agent?: string;
+    mode?: Mode;
+    bypass_cache?: boolean;
+}
+export interface PermissionSource {
+    type: string;
+    url: string;
+    fetched_at: string;
+    evidence: string;
+}
+export interface PermissionReceipt {
+    receipt_id: string;
+    check_id: string;
+    url_hash: string;
+    action: string;
+    decision: string;
+    source_hashes: string[];
+    issued_at: string;
+    account_id: string;
+    signature_alg: string;
+    signature: string;
+}
+export interface CheckResponse {
+    id: string;
+    decision: 'allow' | 'deny' | 'escalate';
+    confidence: string;
+    risk: string;
+    reasons: string[];
+    sources: PermissionSource[];
+    receipt: PermissionReceipt;
+}
+export interface VerifyReceiptResponse {
+    valid: boolean;
+    message: string;
+    metadata?: Record<string, unknown>;
+}
+export interface BatchFile {
+    checks: CheckParams[];
+}
+export interface CliIO {
+    stdout: (message: string) => void;
+    stderr: (message: string) => void;
+}
+export interface Runtime {
+    cwd: string;
+    env: Record<string, string | undefined>;
+    platform: NodeJS.Platform;
+    fetch: typeof fetch;
+    homeDir?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe,kEAAkE,CAAC;AAE/F,eAAO,MAAM,OAAO,yEAA0E,CAAC;AAC/F,MAAM,MAAM,WAAW,GAAG,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC;AAEjD,MAAM,MAAM,IAAI,GAAG,QAAQ,GAAG,YAAY,CAAC;AAC3C,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,CAAC;AAC5C,MAAM,MAAM,OAAO,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,SAAS,GAAG,UAAU,CAAC;AAC3E,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,MAAM,CAAC;AAE9C,MAAM,WAAW,SAAS;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,IAAI,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,WAAW,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,UAAU,CAAC;IACxC,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,gBAAgB,EAAE,CAAC;IAC5B,OAAO,EAAE,iBAAiB,CAAC;CAC5B;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,WAAW,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,KAAK;IACpB,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAClC,MAAM,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CACnC;AAED,MAAM,WAAW,OAAO;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IACxC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC;IAC1B,KAAK,EAAE,OAAO,KAAK,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export const DEFAULT_API_URL = 'https://agent-permission-api-788656703262.us-central1.run.app';
+export const ACTIONS = ['crawl', 'summarize', 'extract', 'train', 'transact', 'post'];

package/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "agent-permission",
+  "version": "0.1.0",
+  "description": "Public CLI for Agent Permission checks and agent workspace installation.",
+  "type": "module",
+  "bin": {
+    "agent-permission": "dist/index.js",
+    "skills": "dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "prepack": "npm run build"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "dependencies": {}
+}