ai-fs-permissions 0.1.0

package/dist/config/loader.js

@@ -0,0 +1,133 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { parse as parseYaml } from 'yaml';
+import { ConfigSchema } from './schema.js';
+/**
+ * Default config file names to search for
+ */
+const CONFIG_FILE_NAMES = ['.ai-fs-permissions.yaml', '.ai-fs-permissions.yml'];
+/**
+ * User config directory
+ */
+const USER_CONFIG_DIR = path.join(process.env.HOME ?? process.env.USERPROFILE ?? '', '.config', 'ai-fs-permissions');
+/**
+ * Converts a raw rule from YAML to internal Rule format
+ */
+function normalizeRule(raw) {
+    const rules = [];
+    const paths = raw.paths ?? [raw.path];
+    for (const p of paths) {
+        const negated = p.startsWith('!');
+        const cleanPath = negated ? p.slice(1) : p;
+        rules.push({
+            path: cleanPath,
+            type: (raw.type ?? 'glob'),
+            access: raw.access,
+            reason: raw.reason,
+            negated,
+        });
+    }
+    return rules;
+}
+/**
+ * Loads a config file from a path
+ */
+export function loadConfigFile(filePath) {
+    try {
+        if (!fs.existsSync(filePath)) {
+            return null;
+        }
+        const content = fs.readFileSync(filePath, 'utf8');
+        const parsed = parseYaml(content);
+        const validated = ConfigSchema.parse(parsed);
+        const rules = [];
+        for (const rawRule of validated.rules) {
+            rules.push(...normalizeRule(rawRule));
+        }
+        return {
+            version: validated.version,
+            extends: validated.extends,
+            rules,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Finds config file by walking up the directory tree (gitignore-style)
+ */
+export function findConfigFile(startDir) {
+    let currentDir = path.resolve(startDir);
+    const root = path.parse(currentDir).root;
+    while (currentDir !== root) {
+        for (const fileName of CONFIG_FILE_NAMES) {
+            const filePath = path.join(currentDir, fileName);
+            if (fs.existsSync(filePath)) {
+                return filePath;
+            }
+        }
+        currentDir = path.dirname(currentDir);
+    }
+    return null;
+}
+/**
+ * Gets the user config file path
+ */
+export function getUserConfigPath() {
+    for (const fileName of CONFIG_FILE_NAMES) {
+        const filePath = path.join(USER_CONFIG_DIR, fileName.replace(/^\./, ''));
+        if (fs.existsSync(filePath)) {
+            return filePath;
+        }
+    }
+    // Also check for config.yaml
+    const configPath = path.join(USER_CONFIG_DIR, 'config.yaml');
+    if (fs.existsSync(configPath)) {
+        return configPath;
+    }
+    return null;
+}
+/**
+ * Merges multiple configs (later configs override earlier ones)
+ */
+export function mergeConfigs(...configs) {
+    const merged = {
+        version: 1,
+        extends: true,
+        rules: [],
+    };
+    for (const config of configs) {
+        if (config === null)
+            continue;
+        merged.version = config.version;
+        merged.extends = config.extends;
+        merged.rules = [...merged.rules, ...config.rules];
+    }
+    return merged;
+}
+/**
+ * Loads and merges all applicable configs
+ */
+export function loadConfig(cwd, explicitPath) {
+    // If explicit path provided, only use that
+    if (explicitPath) {
+        const config = loadConfigFile(explicitPath);
+        return config ?? { version: 1, extends: true, rules: [] };
+    }
+    // Load user config
+    const userConfigPath = getUserConfigPath();
+    const userConfig = userConfigPath ? loadConfigFile(userConfigPath) : null;
+    // Find and load project config
+    const projectConfigPath = findConfigFile(cwd);
+    const projectConfig = projectConfigPath
+        ? loadConfigFile(projectConfigPath)
+        : null;
+    // Check if project config wants to extend user config
+    if (projectConfig && !projectConfig.extends) {
+        return projectConfig;
+    }
+    // Merge configs (user first, project overrides)
+    return mergeConfigs(userConfig, projectConfig);
+}
+//# sourceMappingURL=loader.js.map

package/dist/config/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAA;AAC7B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAA;AACjC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAA;AACzC,OAAO,EAAE,YAAY,EAAgB,MAAM,aAAa,CAAA;AAGxD;;GAEG;AACH,MAAM,iBAAiB,GAAG,CAAC,yBAAyB,EAAE,wBAAwB,CAAC,CAAA;AAE/E;;GAEG;AACH,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAC/B,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,EACjD,SAAS,EACT,mBAAmB,CACpB,CAAA;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,GAAY;IACjC,MAAM,KAAK,GAAW,EAAE,CAAA;IACxB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAErC,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,MAAM,OAAO,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;QACjC,MAAM,SAAS,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;QAE1C,KAAK,CAAC,IAAI,CAAC;YACT,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,CAAgB;YACzC,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,OAAO;SACR,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB;IAC7C,IAAI,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAA;QACb,CAAC;QAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,CAAA;QACjC,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;QAE5C,MAAM,KAAK,GAAW,EAAE,CAAA;QACxB,KAAK,MAAM,OAAO,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC,CAAA;QACvC,CAAC;QAED,OAAO;YACL,OAAO,EAAE,SAAS,CAAC,OAAO;YAC1B,OAAO,EAAE,SAAS,CAAC,OAAO;YAC1B,KAAK;SACN,CAAA;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB;IAC7C,IAAI,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IACvC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,IAAI,CAAA;IAExC,OAAO,UAAU,KAAK,IAAI,EAAE,CAAC;QAC3B,KAAK,MAAM,QAAQ,IAAI,iBAAiB,EAAE,CAAC;YACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;YAChD,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5B,OAAO,QAAQ,CAAA;YACjB,CAAC;QACH,CAAC;QACD,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;IACvC,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,KAAK,MAAM,QAAQ,IAAI,iBAAiB,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAA;QACxE,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,OAAO,QAAQ,CAAA;QACjB,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,aAAa,CAAC,CAAA;IAC5D,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC9B,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,GAAG,OAA0B;IACxD,MAAM,MAAM,GAAW;QACrB,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,IAAI;QACb,KAAK,EAAE,EAAE;KACV,CAAA;IAED,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,KAAK,IAAI;YAAE,SAAQ;QAE7B,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;QAC/B,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAA;QAC/B,MAAM,CAAC,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,CAAA;IACnD,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,GAAW,EAAE,YAAqB;IAC3D,2CAA2C;IAC3C,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,cAAc,CAAC,YAAY,CAAC,CAAA;QAC3C,OAAO,MAAM,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,CAAA;IAC3D,CAAC;IAED,mBAAmB;IACnB,MAAM,cAAc,GAAG,iBAAiB,EAAE,CAAA;IAC1C,MAAM,UAAU,GAAG,cAAc,CAAC,CAAC,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAEzE,+BAA+B;IAC/B,MAAM,iBAAiB,GAAG,cAAc,CAAC,GAAG,CAAC,CAAA;IAC7C,MAAM,aAAa,GAAG,iBAAiB;QACrC,CAAC,CAAC,cAAc,CAAC,iBAAiB,CAAC;QACnC,CAAC,CAAC,IAAI,CAAA;IAER,sDAAsD;IACtD,IAAI,aAAa,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC;QAC5C,OAAO,aAAa,CAAA;IACtB,CAAC;IAED,gDAAgD;IAChD,OAAO,YAAY,CAAC,UAAU,EAAE,aAAa,CAAC,CAAA;AAChD,CAAC"}

package/dist/config/schema.d.ts

@@ -0,0 +1,102 @@
+import { z } from 'zod';
+/**
+ * Schema for a single permission rule
+ */
+export declare const RuleSchema: z.ZodEffects<z.ZodObject<{
+    path: z.ZodString;
+    paths: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    type: z.ZodDefault<z.ZodEnum<["glob", "regex"]>>;
+    access: z.ZodEnum<["none", "read", "write", "readwrite"]>;
+    reason: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+    type: "glob" | "regex";
+    access: "none" | "read" | "write" | "readwrite";
+    paths?: string[] | undefined;
+    reason?: string | undefined;
+}, {
+    path: string;
+    access: "none" | "read" | "write" | "readwrite";
+    type?: "glob" | "regex" | undefined;
+    paths?: string[] | undefined;
+    reason?: string | undefined;
+}>, {
+    path: string;
+    type: "glob" | "regex";
+    access: "none" | "read" | "write" | "readwrite";
+    paths?: string[] | undefined;
+    reason?: string | undefined;
+}, {
+    path: string;
+    access: "none" | "read" | "write" | "readwrite";
+    type?: "glob" | "regex" | undefined;
+    paths?: string[] | undefined;
+    reason?: string | undefined;
+}>;
+/**
+ * Schema for the configuration file
+ */
+export declare const ConfigSchema: z.ZodObject<{
+    version: z.ZodDefault<z.ZodNumber>;
+    extends: z.ZodDefault<z.ZodBoolean>;
+    rules: z.ZodDefault<z.ZodArray<z.ZodEffects<z.ZodObject<{
+        path: z.ZodString;
+        paths: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        type: z.ZodDefault<z.ZodEnum<["glob", "regex"]>>;
+        access: z.ZodEnum<["none", "read", "write", "readwrite"]>;
+        reason: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        type: "glob" | "regex";
+        access: "none" | "read" | "write" | "readwrite";
+        paths?: string[] | undefined;
+        reason?: string | undefined;
+    }, {
+        path: string;
+        access: "none" | "read" | "write" | "readwrite";
+        type?: "glob" | "regex" | undefined;
+        paths?: string[] | undefined;
+        reason?: string | undefined;
+    }>, {
+        path: string;
+        type: "glob" | "regex";
+        access: "none" | "read" | "write" | "readwrite";
+        paths?: string[] | undefined;
+        reason?: string | undefined;
+    }, {
+        path: string;
+        access: "none" | "read" | "write" | "readwrite";
+        type?: "glob" | "regex" | undefined;
+        paths?: string[] | undefined;
+        reason?: string | undefined;
+    }>, "many">>;
+}, "strip", z.ZodTypeAny, {
+    version: number;
+    extends: boolean;
+    rules: {
+        path: string;
+        type: "glob" | "regex";
+        access: "none" | "read" | "write" | "readwrite";
+        paths?: string[] | undefined;
+        reason?: string | undefined;
+    }[];
+}, {
+    version?: number | undefined;
+    extends?: boolean | undefined;
+    rules?: {
+        path: string;
+        access: "none" | "read" | "write" | "readwrite";
+        type?: "glob" | "regex" | undefined;
+        paths?: string[] | undefined;
+        reason?: string | undefined;
+    }[] | undefined;
+}>;
+/**
+ * Raw rule type from YAML
+ */
+export type RawRule = z.infer<typeof RuleSchema>;
+/**
+ * Raw config type from YAML
+ */
+export type RawConfig = z.infer<typeof ConfigSchema>;
+//# sourceMappingURL=schema.d.ts.map

package/dist/config/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB;;GAEG;AACH,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAUnB,CAAA;AAEJ;;GAEG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAIvB,CAAA;AAEF;;GAEG;AACH,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAA;AAEhD;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAA"}

package/dist/config/schema.js

@@ -0,0 +1,24 @@
+import { z } from 'zod';
+/**
+ * Schema for a single permission rule
+ */
+export const RuleSchema = z
+    .object({
+    path: z.string().min(1),
+    paths: z.array(z.string().min(1)).optional(),
+    type: z.enum(['glob', 'regex']).default('glob'),
+    access: z.enum(['none', 'read', 'write', 'readwrite']),
+    reason: z.string().optional(),
+})
+    .refine(data => data.path || (data.paths && data.paths.length > 0), {
+    message: 'Either path or paths must be provided',
+});
+/**
+ * Schema for the configuration file
+ */
+export const ConfigSchema = z.object({
+    version: z.number().int().positive().default(1),
+    extends: z.boolean().default(true),
+    rules: z.array(RuleSchema).default([]),
+});
+//# sourceMappingURL=schema.js.map

package/dist/config/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC;KACxB,MAAM,CAAC;IACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC5C,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC/C,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;IACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC;KACD,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE;IAClE,OAAO,EAAE,uCAAuC;CACjD,CAAC,CAAA;AAEJ;;GAEG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAC/C,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IAClC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CACvC,CAAC,CAAA"}

package/dist/exit-codes.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Exit codes for the CLI
+ */
+export declare const EXIT_CODES: {
+    /** Operation is allowed to proceed */
+    readonly ALLOWED: 0;
+    /** Operation is blocked */
+    readonly BLOCKED: 2;
+    /** An error occurred */
+    readonly ERROR: 1;
+};
+//# sourceMappingURL=exit-codes.d.ts.map

package/dist/exit-codes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exit-codes.d.ts","sourceRoot":"","sources":["../src/exit-codes.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,eAAO,MAAM,UAAU;IACrB,sCAAsC;;IAEtC,2BAA2B;;IAE3B,wBAAwB;;CAEhB,CAAA"}

package/dist/exit-codes.js

@@ -0,0 +1,12 @@
+/**
+ * Exit codes for the CLI
+ */
+export const EXIT_CODES = {
+    /** Operation is allowed to proceed */
+    ALLOWED: 0,
+    /** Operation is blocked */
+    BLOCKED: 2,
+    /** An error occurred */
+    ERROR: 1,
+};
+//# sourceMappingURL=exit-codes.js.map

package/dist/exit-codes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exit-codes.js","sourceRoot":"","sources":["../src/exit-codes.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,sCAAsC;IACtC,OAAO,EAAE,CAAC;IACV,2BAA2B;IAC3B,OAAO,EAAE,CAAC;IACV,wBAAwB;IACxB,KAAK,EAAE,CAAC;CACA,CAAA"}

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * ai-fs-permissions
+ *
+ * A platform-agnostic security tool that enforces file system permissions
+ * for AI agents. Protects sensitive files and folders from unauthorized access.
+ */
+export type { AccessLevel, Operation, PatternType, Rule, Config, CheckResult, } from './types.js';
+export { TOOL_OPERATIONS } from './types.js';
+export { EXIT_CODES } from './exit-codes.js';
+export { loadConfig, loadConfigFile, findConfigFile } from './config/loader.js';
+export { ConfigSchema, RuleSchema } from './config/schema.js';
+export { matchPath, matchGlob, matchRegex } from './matcher/index.js';
+export { checkPermission } from './checker.js';
+export { formatBlockedMessage, formatAllowedMessage, formatResultJson, outputResult, } from './output.js';
+export { parseStdin, readStdin } from './stdin.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,YAAY,EACV,WAAW,EACX,SAAS,EACT,WAAW,EACX,IAAI,EACJ,MAAM,EACN,WAAW,GACZ,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAG5C,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAG5C,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAC/E,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAG7D,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAGrE,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAG9C,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,gBAAgB,EAChB,YAAY,GACb,MAAM,aAAa,CAAA;AAGpB,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA"}

package/dist/index.js

@@ -0,0 +1,21 @@
+/**
+ * ai-fs-permissions
+ *
+ * A platform-agnostic security tool that enforces file system permissions
+ * for AI agents. Protects sensitive files and folders from unauthorized access.
+ */
+export { TOOL_OPERATIONS } from './types.js';
+// Exit codes
+export { EXIT_CODES } from './exit-codes.js';
+// Config
+export { loadConfig, loadConfigFile, findConfigFile } from './config/loader.js';
+export { ConfigSchema, RuleSchema } from './config/schema.js';
+// Matchers
+export { matchPath, matchGlob, matchRegex } from './matcher/index.js';
+// Core
+export { checkPermission } from './checker.js';
+// Output
+export { formatBlockedMessage, formatAllowedMessage, formatResultJson, outputResult, } from './output.js';
+// Stdin
+export { parseStdin, readStdin } from './stdin.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAE5C,aAAa;AACb,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAE5C,SAAS;AACT,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAC/E,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAE7D,WAAW;AACX,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAErE,OAAO;AACP,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAE9C,SAAS;AACT,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,gBAAgB,EAChB,YAAY,GACb,MAAM,aAAa,CAAA;AAEpB,QAAQ;AACR,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA"}

package/dist/matcher/glob.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Tests if a path matches a glob pattern (gitignore-style)
+ */
+export declare function matchGlob(pattern: string, filePath: string): boolean;
+//# sourceMappingURL=glob.d.ts.map

package/dist/matcher/glob.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"glob.d.ts","sourceRoot":"","sources":["../../src/matcher/glob.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAcpE"}

package/dist/matcher/glob.js

@@ -0,0 +1,18 @@
+import picomatch from 'picomatch';
+/**
+ * Tests if a path matches a glob pattern (gitignore-style)
+ */
+export function matchGlob(pattern, filePath) {
+    // Normalize path separators
+    const normalizedPath = filePath.replace(/\\/g, '/');
+    const normalizedPattern = pattern.replace(/\\/g, '/');
+    // Create matcher with gitignore-like options
+    const isMatch = picomatch(normalizedPattern, {
+        dot: true, // Match dotfiles
+        bash: true, // Enable bash-like globbing
+        nobrace: false, // Enable brace expansion
+        noglobstar: false, // Enable **
+    });
+    return isMatch(normalizedPath);
+}
+//# sourceMappingURL=glob.js.map

package/dist/matcher/glob.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"glob.js","sourceRoot":"","sources":["../../src/matcher/glob.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,WAAW,CAAA;AAEjC;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,OAAe,EAAE,QAAgB;IACzD,4BAA4B;IAC5B,MAAM,cAAc,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IACnD,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IAErD,6CAA6C;IAC7C,MAAM,OAAO,GAAG,SAAS,CAAC,iBAAiB,EAAE;QAC3C,GAAG,EAAE,IAAI,EAAE,iBAAiB;QAC5B,IAAI,EAAE,IAAI,EAAE,4BAA4B;QACxC,OAAO,EAAE,KAAK,EAAE,yBAAyB;QACzC,UAAU,EAAE,KAAK,EAAE,YAAY;KAChC,CAAC,CAAA;IAEF,OAAO,OAAO,CAAC,cAAc,CAAC,CAAA;AAChC,CAAC"}

package/dist/matcher/index.d.ts

@@ -0,0 +1,8 @@
+import type { PatternType } from '../types.js';
+/**
+ * Tests if a path matches a pattern of the specified type
+ */
+export declare function matchPath(pattern: string, type: PatternType, filePath: string): boolean;
+export { matchGlob } from './glob.js';
+export { matchRegex } from './regex.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/matcher/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/matcher/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAI9C;;GAEG;AACH,wBAAgB,SAAS,CACvB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,WAAW,EACjB,QAAQ,EAAE,MAAM,GACf,OAAO,CAKT;AAED,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAA"}

package/dist/matcher/index.js

@@ -0,0 +1,14 @@
+import { matchGlob } from './glob.js';
+import { matchRegex } from './regex.js';
+/**
+ * Tests if a path matches a pattern of the specified type
+ */
+export function matchPath(pattern, type, filePath) {
+    if (type === 'regex') {
+        return matchRegex(pattern, filePath);
+    }
+    return matchGlob(pattern, filePath);
+}
+export { matchGlob } from './glob.js';
+export { matchRegex } from './regex.js';
+//# sourceMappingURL=index.js.map

package/dist/matcher/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/matcher/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAA;AAEvC;;GAEG;AACH,MAAM,UAAU,SAAS,CACvB,OAAe,EACf,IAAiB,EACjB,QAAgB;IAEhB,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACrB,OAAO,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;IACtC,CAAC;IACD,OAAO,SAAS,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;AACrC,CAAC;AAED,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAA;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAA"}

package/dist/matcher/regex.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Tests if a path matches a regex pattern
+ */
+export declare function matchRegex(pattern: string, filePath: string): boolean;
+//# sourceMappingURL=regex.d.ts.map

package/dist/matcher/regex.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"regex.d.ts","sourceRoot":"","sources":["../../src/matcher/regex.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAUrE"}

package/dist/matcher/regex.js

@@ -0,0 +1,16 @@
+/**
+ * Tests if a path matches a regex pattern
+ */
+export function matchRegex(pattern, filePath) {
+    try {
+        const regex = new RegExp(pattern);
+        // Normalize path separators for consistent matching
+        const normalizedPath = filePath.replace(/\\/g, '/');
+        return regex.test(normalizedPath);
+    }
+    catch {
+        // Invalid regex pattern
+        return false;
+    }
+}
+//# sourceMappingURL=regex.js.map

package/dist/matcher/regex.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"regex.js","sourceRoot":"","sources":["../../src/matcher/regex.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,OAAe,EAAE,QAAgB;IAC1D,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,CAAA;QACjC,oDAAoD;QACpD,MAAM,cAAc,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;QACnD,OAAO,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,wBAAwB;QACxB,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC"}

package/dist/output.d.ts

@@ -0,0 +1,18 @@
+import type { Operation, Rule, CheckResult } from './types.js';
+/**
+ * Formats a blocked message with clear instructions for LLMs
+ */
+export declare function formatBlockedMessage(path: string, operation: Operation, rule: Rule): string;
+/**
+ * Formats an allowed message
+ */
+export declare function formatAllowedMessage(path: string, operation: Operation): string;
+/**
+ * Formats the check result as JSON for stdout
+ */
+export declare function formatResultJson(result: CheckResult): string;
+/**
+ * Outputs the result to stdout/stderr as appropriate
+ */
+export declare function outputResult(result: CheckResult): void;
+//# sourceMappingURL=output.d.ts.map

package/dist/output.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"output.d.ts","sourceRoot":"","sources":["../src/output.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAE9D;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,SAAS,EACpB,IAAI,EAAE,IAAI,GACT,MAAM,CAeR;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,SAAS,GACnB,MAAM,CAER;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,WAAW,GAAG,MAAM,CAE5D;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI,CAStD"}

package/dist/output.js

@@ -0,0 +1,44 @@
+/**
+ * Formats a blocked message with clear instructions for LLMs
+ */
+export function formatBlockedMessage(path, operation, rule) {
+    const operationVerb = operation === 'read' ? 'Reading from' : 'Writing to';
+    const reason = rule.reason ?? 'Access restricted by project configuration';
+    return `PERMISSION DENIED: ${operationVerb} '${path}' is blocked.
+
+Reason: ${reason}
+
+This rule is configured by the project owner and cannot be overridden.
+Do NOT attempt to:
+- Use Bash commands to bypass this restriction
+- Suggest workarounds that modify this path
+- Ask the user to disable this protection
+
+If this file must be modified, ask the user to do it manually.`;
+}
+/**
+ * Formats an allowed message
+ */
+export function formatAllowedMessage(path, operation) {
+    return `Operation permitted: ${operation} on '${path}'`;
+}
+/**
+ * Formats the check result as JSON for stdout
+ */
+export function formatResultJson(result) {
+    return JSON.stringify(result, null, 2);
+}
+/**
+ * Outputs the result to stdout/stderr as appropriate
+ */
+export function outputResult(result) {
+    const json = formatResultJson(result);
+    if (result.allowed) {
+        console.log(json);
+    }
+    else {
+        // Output to stderr for blocked operations
+        console.error(json);
+    }
+}
+//# sourceMappingURL=output.js.map

package/dist/output.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"output.js","sourceRoot":"","sources":["../src/output.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,IAAY,EACZ,SAAoB,EACpB,IAAU;IAEV,MAAM,aAAa,GAAG,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,YAAY,CAAA;IAC1E,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,4CAA4C,CAAA;IAE1E,OAAO,sBAAsB,aAAa,KAAK,IAAI;;UAE3C,MAAM;;;;;;;;+DAQ+C,CAAA;AAC/D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,IAAY,EACZ,SAAoB;IAEpB,OAAO,wBAAwB,SAAS,QAAQ,IAAI,GAAG,CAAA;AACzD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAmB;IAClD,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAA;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,MAAmB;IAC9C,MAAM,IAAI,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAA;IAErC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IACnB,CAAC;SAAM,CAAC;QACN,0CAA0C;QAC1C,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACrB,CAAC;AACH,CAAC"}

package/dist/stdin.d.ts

@@ -0,0 +1,21 @@
+import { type Operation } from './types.js';
+/**
+ * Result of parsing stdin input
+ */
+export interface StdinParseResult {
+    /** The file path extracted from input */
+    path: string | null;
+    /** The tool name if detected */
+    tool?: string;
+    /** The inferred operation based on tool */
+    inferredOperation?: Operation;
+}
+/**
+ * Parses stdin input and extracts file path
+ */
+export declare function parseStdin(input: string): StdinParseResult;
+/**
+ * Reads stdin asynchronously
+ */
+export declare function readStdin(): Promise<string>;
+//# sourceMappingURL=stdin.d.ts.map

package/dist/stdin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stdin.d.ts","sourceRoot":"","sources":["../src/stdin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmB,KAAK,SAAS,EAAE,MAAM,YAAY,CAAA;AAE5D;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,yCAAyC;IACzC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;IACnB,gCAAgC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,2CAA2C;IAC3C,iBAAiB,CAAC,EAAE,SAAS,CAAA;CAC9B;AA2FD;;GAEG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,gBAAgB,CAqB1D;AAED;;GAEG;AACH,wBAAsB,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,CAsBjD"}