airlock-bot 0.0.1 → 0.2.2

package/dist/config/loader.js

@@ -0,0 +1,178 @@
+import { readFileSync } from 'fs';
+import { parse as parseYaml } from 'yaml';
+import { GatewayConfig, getBuiltinProviders } from './schema.js';
+import { applyProfiles } from './profiles.js';
+import { matches } from '../allowlist/pattern.js';
+import { childLogger } from '../util/logger.js';
+const log = childLogger('config');
+export function loadConfig(path) {
+    const raw = readFileSync(path, 'utf-8');
+    const parsed = parseYaml(raw);
+    const result = GatewayConfig.safeParse(parsed);
+    if (!result.success) {
+        throw new Error(`Invalid config at ${path}:\n${result.error.toString()}`);
+    }
+    const diagnostics = validateConfig(result.data);
+    for (const d of diagnostics) {
+        const ctx = d.agent ? { agent: d.agent } : {};
+        const msg = d.suggestion ? `${d.message}\n  → ${d.suggestion}` : d.message;
+        if (d.level === 'error') {
+            log.error(ctx, msg);
+        }
+        else if (d.level === 'warn') {
+            log.warn(ctx, msg);
+        }
+        else {
+            log.info(ctx, msg);
+        }
+    }
+    const errors = diagnostics.filter((d) => d.level === 'error');
+    if (errors.length > 0) {
+        throw new Error(`Config validation failed with ${errors.length} error(s):\n` +
+            errors.map((e) => `  - ${e.agent ? `[${e.agent}] ` : ''}${e.message}`).join('\n'));
+    }
+    applyProfiles(result.data);
+    return result.data;
+}
+export function validateConfig(config) {
+    const diagnostics = [];
+    const providerNames = new Set(Object.keys(config.providers));
+    const builtins = getBuiltinProviders(config.providers);
+    const profileNames = new Set(Object.keys(config.profiles));
+    for (const [agentId, agent] of Object.entries(config.agents)) {
+        // Check for unknown profile references
+        for (const ref of agent.extends) {
+            if (!profileNames.has(ref)) {
+                diagnostics.push({
+                    level: 'error',
+                    agent: agentId,
+                    message: `extends references unknown profile "${ref}".`,
+                    suggestion: `Add "${ref}" to your profiles block, or check for typos.`,
+                });
+            }
+        }
+        // Collect all referenced namespaces from allow/ask/deny
+        const allPatterns = [...agent.allow, ...agent.ask, ...agent.deny];
+        const referencedNamespaces = new Set();
+        for (const pattern of allPatterns) {
+            const ns = pattern.split('/')[0];
+            if (ns)
+                referencedNamespaces.add(ns);
+        }
+        // Check for unknown providers
+        for (const ns of referencedNamespaces) {
+            if (!providerNames.has(ns)) {
+                diagnostics.push({
+                    level: 'error',
+                    agent: agentId,
+                    message: `Pattern references unknown provider "${ns}".`,
+                    suggestion: `Add "${ns}" to your providers block, or check for typos.`,
+                });
+            }
+        }
+        // Check for shadowed rules: allow pattern also matched by deny
+        for (const allowPattern of agent.allow) {
+            for (const denyPattern of agent.deny) {
+                if (matches(denyPattern, allowPattern) ||
+                    matches(allowPattern, denyPattern) ||
+                    patternsOverlap(allowPattern, denyPattern)) {
+                    diagnostics.push({
+                        level: 'warn',
+                        agent: agentId,
+                        message: `"${allowPattern}" in allow is shadowed by "${denyPattern}" in deny — deny always wins.`,
+                        suggestion: `Remove "${allowPattern}" from allow, or narrow the deny pattern.`,
+                    });
+                }
+            }
+        }
+        // Check for unreachable ask: ask pattern also matched by deny
+        for (const askPattern of agent.ask) {
+            for (const denyPattern of agent.deny) {
+                if (matches(denyPattern, askPattern) ||
+                    matches(askPattern, denyPattern) ||
+                    patternsOverlap(askPattern, denyPattern)) {
+                    diagnostics.push({
+                        level: 'warn',
+                        agent: agentId,
+                        message: `"${askPattern}" in ask is shadowed by "${denyPattern}" in deny — approval will never be requested.`,
+                        suggestion: `Remove "${askPattern}" from ask, or narrow the deny pattern.`,
+                    });
+                }
+            }
+        }
+        // Check exec command routing without exec provider
+        const hasExecPatterns = agent.exec.allow.length > 0 || agent.exec.ask.length > 0;
+        if (hasExecPatterns && !builtins.has('exec')) {
+            diagnostics.push({
+                level: 'warn',
+                agent: agentId,
+                message: 'exec command patterns defined but "exec" is not declared as a provider.',
+                suggestion: 'Add exec: builtin to your providers block.',
+            });
+        }
+        // Check exec deny-all with other exec patterns
+        const hasCatchAllDeny = agent.exec.deny.some((p) => p === '*');
+        if (hasCatchAllDeny && (agent.exec.allow.length > 0 || agent.exec.ask.length > 0)) {
+            diagnostics.push({
+                level: 'warn',
+                agent: agentId,
+                message: 'exec.deny contains "*" which overrides all exec.allow and exec.ask patterns.',
+                suggestion: 'Remove deny: ["*"] and rely on fail-closed behavior instead.',
+            });
+        }
+        // Check empty agent
+        if (agent.allow.length === 0 && agent.ask.length === 0) {
+            diagnostics.push({
+                level: 'info',
+                agent: agentId,
+                message: 'Agent has no allow or ask rules — all tools will be denied.',
+            });
+        }
+        // Check http domain_allowlist without http provider
+        if (agent.http.domain_allowlist.length > 0 && !builtins.has('http')) {
+            diagnostics.push({
+                level: 'warn',
+                agent: agentId,
+                message: 'http.domain_allowlist configured but "http" is not declared as a provider.',
+                suggestion: 'Add http: builtin to your providers block.',
+            });
+        }
+    }
+    // Validate CLI configs
+    for (const [cliId, cli] of Object.entries(config.clis)) {
+        for (const [cmdName, cmd] of Object.entries(cli.commands)) {
+            const templateParams = new Set();
+            cmd.exec.replace(/\{(\w+)\}/g, (_, name) => {
+                templateParams.add(name);
+                return '';
+            });
+            for (const [paramName, param] of Object.entries(cmd.params)) {
+                const inTemplate = templateParams.has(paramName);
+                const hasFlag = !!param.flag;
+                const isPositional = param.positional;
+                if (!inTemplate && !hasFlag && !isPositional) {
+                    diagnostics.push({
+                        level: 'warn',
+                        message: `clis.${cliId}.commands.${cmdName}: param "${paramName}" has no flag, is not positional, and is not referenced in exec template — it will be ignored at runtime.`,
+                        suggestion: `Add a "flag" (e.g. "--${paramName}"), set "positional: true", or reference it as {${paramName}} in the exec string.`,
+                    });
+                }
+            }
+        }
+    }
+    return diagnostics;
+}
+/** Check if two glob patterns could match the same tool name */
+function patternsOverlap(a, b) {
+    // If either is a wildcard that covers the other's namespace
+    const nsA = a.split('/')[0];
+    const nsB = b.split('/')[0];
+    if (nsA !== nsB)
+        return false;
+    // Same namespace — wildcards overlap
+    if (a.endsWith('*') || b.endsWith('*'))
+        return true;
+    // Exact match
+    return a === b;
+}
+//# sourceMappingURL=loader.js.map

package/dist/config/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAGhD,MAAM,GAAG,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;AAWlC,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACxC,MAAM,MAAM,GAAY,SAAS,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAI,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAC5E,CAAC;IACD,MAAM,WAAW,GAAG,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAChD,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9C,MAAM,GAAG,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,SAAS,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAC3E,IAAI,CAAC,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;YACxB,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACtB,CAAC;aAAM,IAAI,CAAC,CAAC,KAAK,KAAK,MAAM,EAAE,CAAC;YAC9B,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,OAAO,CAAC,CAAC;IAC9D,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,iCAAiC,MAAM,CAAC,MAAM,cAAc;YAC1D,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CACpF,CAAC;IACJ,CAAC;IACD,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC3B,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,MAAM,WAAW,GAAuB,EAAE,CAAC;IAC3C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IAC7D,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEvD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;IAE3D,KAAK,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7D,uCAAuC;QACvC,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YAChC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3B,WAAW,CAAC,IAAI,CAAC;oBACf,KAAK,EAAE,OAAO;oBACd,KAAK,EAAE,OAAO;oBACd,OAAO,EAAE,uCAAuC,GAAG,IAAI;oBACvD,UAAU,EAAE,QAAQ,GAAG,+CAA+C;iBACvE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,MAAM,WAAW,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;QAClE,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAU,CAAC;QAE/C,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;YAClC,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACjC,IAAI,EAAE;gBAAE,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvC,CAAC;QAED,8BAA8B;QAC9B,KAAK,MAAM,EAAE,IAAI,oBAAoB,EAAE,CAAC;YACtC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC3B,WAAW,CAAC,IAAI,CAAC;oBACf,KAAK,EAAE,OAAO;oBACd,KAAK,EAAE,OAAO;oBACd,OAAO,EAAE,wCAAwC,EAAE,IAAI;oBACvD,UAAU,EAAE,QAAQ,EAAE,gDAAgD;iBACvE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,KAAK,MAAM,YAAY,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YACvC,KAAK,MAAM,WAAW,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;gBACrC,IACE,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC;oBAClC,OAAO,CAAC,YAAY,EAAE,WAAW,CAAC;oBAClC,eAAe,CAAC,YAAY,EAAE,WAAW,CAAC,EAC1C,CAAC;oBACD,WAAW,CAAC,IAAI,CAAC;wBACf,KAAK,EAAE,MAAM;wBACb,KAAK,EAAE,OAAO;wBACd,OAAO,EAAE,IAAI,YAAY,8BAA8B,WAAW,+BAA+B;wBACjG,UAAU,EAAE,WAAW,YAAY,2CAA2C;qBAC/E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,KAAK,MAAM,UAAU,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YACnC,KAAK,MAAM,WAAW,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;gBACrC,IACE,OAAO,CAAC,WAAW,EAAE,UAAU,CAAC;oBAChC,OAAO,CAAC,UAAU,EAAE,WAAW,CAAC;oBAChC,eAAe,CAAC,UAAU,EAAE,WAAW,CAAC,EACxC,CAAC;oBACD,WAAW,CAAC,IAAI,CAAC;wBACf,KAAK,EAAE,MAAM;wBACb,KAAK,EAAE,OAAO;wBACd,OAAO,EAAE,IAAI,UAAU,4BAA4B,WAAW,+CAA+C;wBAC7G,UAAU,EAAE,WAAW,UAAU,yCAAyC;qBAC3E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;QACjF,IAAI,eAAe,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7C,WAAW,CAAC,IAAI,CAAC;gBACf,KAAK,EAAE,MAAM;gBACb,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,yEAAyE;gBAClF,UAAU,EAAE,4CAA4C;aACzD,CAAC,CAAC;QACL,CAAC;QAED,+CAA+C;QAC/C,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC;QAC/D,IAAI,eAAe,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;YAClF,WAAW,CAAC,IAAI,CAAC;gBACf,KAAK,EAAE,MAAM;gBACb,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,8EAA8E;gBACvF,UAAU,EAAE,8DAA8D;aAC3E,CAAC,CAAC;QACL,CAAC;QAED,oBAAoB;QACpB,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvD,WAAW,CAAC,IAAI,CAAC;gBACf,KAAK,EAAE,MAAM;gBACb,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,6DAA6D;aACvE,CAAC,CAAC;QACL,CAAC;QAED,oDAAoD;QACpD,IAAI,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACpE,WAAW,CAAC,IAAI,CAAC;gBACf,KAAK,EAAE,MAAM;gBACb,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,4EAA4E;gBACrF,UAAU,EAAE,4CAA4C;aACzD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,KAAK,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QACvD,KAAK,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC1D,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;YACzC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC,EAAE,IAAY,EAAE,EAAE;gBACjD,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACzB,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YAEH,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5D,MAAM,UAAU,GAAG,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBACjD,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC;gBAC7B,MAAM,YAAY,GAAG,KAAK,CAAC,UAAU,CAAC;gBAEtC,IAAI,CAAC,UAAU,IAAI,CAAC,OAAO,IAAI,CAAC,YAAY,EAAE,CAAC;oBAC7C,WAAW,CAAC,IAAI,CAAC;wBACf,KAAK,EAAE,MAAM;wBACb,OAAO,EAAE,QAAQ,KAAK,aAAa,OAAO,YAAY,SAAS,2GAA2G;wBAC1K,UAAU,EAAE,yBAAyB,SAAS,mDAAmD,SAAS,uBAAuB;qBAClI,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,gEAAgE;AAChE,SAAS,eAAe,CAAC,CAAS,EAAE,CAAS;IAC3C,4DAA4D;IAC5D,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,GAAG,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IAE9B,qCAAqC;IACrC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpD,cAAc;IACd,OAAO,CAAC,KAAK,CAAC,CAAC;AACjB,CAAC"}

package/dist/config/profiles.d.ts

@@ -0,0 +1,12 @@
+import type { AgentConfig, GatewayConfig } from './schema.js';
+interface ResolvedPermissions {
+    allow: string[];
+    ask: string[];
+}
+export declare function resolveAgentPermissions(agentConfig: AgentConfig, profiles: Record<string, {
+    allow: string[];
+    ask: string[];
+}>): ResolvedPermissions;
+export declare function applyProfiles(config: GatewayConfig): void;
+export {};
+//# sourceMappingURL=profiles.d.ts.map

package/dist/config/profiles.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"profiles.d.ts","sourceRoot":"","sources":["../../src/config/profiles.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE9D,UAAU,mBAAmB;IAC3B,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,EAAE,MAAM,EAAE,CAAC;CACf;AAED,wBAAgB,uBAAuB,CACrC,WAAW,EAAE,WAAW,EACxB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE;IAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAAC,GAAG,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,GAC3D,mBAAmB,CAqBrB;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CASzD"}

package/dist/config/profiles.js

@@ -0,0 +1,34 @@
+export function resolveAgentPermissions(agentConfig, profiles) {
+    const allow = new Set();
+    const ask = new Set();
+    // Apply profiles in extends order, skipping unknown refs (caught by validateConfig)
+    for (const profileName of agentConfig.extends) {
+        const profile = profiles[profileName];
+        if (profile) {
+            for (const p of profile.allow)
+                allow.add(p);
+            for (const p of profile.ask)
+                ask.add(p);
+        }
+    }
+    // Union with agent's own allow/ask
+    for (const p of agentConfig.allow)
+        allow.add(p);
+    for (const p of agentConfig.ask)
+        ask.add(p);
+    return {
+        allow: Array.from(allow),
+        ask: Array.from(ask),
+    };
+}
+export function applyProfiles(config) {
+    for (const agent of Object.values(config.agents)) {
+        if (agent.extends.length === 0)
+            continue;
+        const resolved = resolveAgentPermissions(agent, config.profiles);
+        agent.allow = resolved.allow;
+        agent.ask = resolved.ask;
+        agent.extends = [];
+    }
+}
+//# sourceMappingURL=profiles.js.map

package/dist/config/profiles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"profiles.js","sourceRoot":"","sources":["../../src/config/profiles.ts"],"names":[],"mappings":"AAOA,MAAM,UAAU,uBAAuB,CACrC,WAAwB,EACxB,QAA4D;IAE5D,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAE9B,oFAAoF;IACpF,KAAK,MAAM,WAAW,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;QAC9C,MAAM,OAAO,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;QACtC,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,KAAK;gBAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC5C,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,GAAG;gBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,mCAAmC;IACnC,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,KAAK;QAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAChD,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,GAAG;QAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAE5C,OAAO;QACL,KAAK,EAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;QACxB,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;KACrB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAqB;IACjD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QACjD,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEzC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;QACjE,KAAK,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;QAC7B,KAAK,CAAC,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC;QACzB,KAAK,CAAC,OAAO,GAAG,EAAE,CAAC;IACrB,CAAC;AACH,CAAC"}