axconfig 3.5.2 → 3.6.1

package/README.md

@@ -1,6 +1,6 @@
 # axconfig
 
-Unified configuration management for AI coding agents — common API for permissions, settings, and config across Claude Code, Codex, Gemini CLI, and OpenCode.
+Unified configuration management for AI coding agents — common API for permissions, settings, and config across Claude Code, Codex, Gemini CLI, GitHub Copilot CLI, and OpenCode.
 
 ## Overview
 
@@ -26,11 +26,11 @@ Unified syntax for all agents:
 
 ```bash
 # Tool permissions
-read, write, edit, bash, glob, grep, web
+read, write, bash, glob, grep, webfetch
 
 # Bash command patterns
 bash:git *
-bash:npm run build
+bash:npm run build*
 
 # Path restrictions (agent-dependent)
 read:src/**
@@ -45,19 +45,27 @@ Translates unified permissions to agent-specific formats:
 | -------- | --------------------------------------------------------- |
 | claude   | JSON `settings.json` with `permissions.allow/deny` arrays |
 | codex    | TOML `config.toml` + Starlark `.rules` files              |
-| gemini   | TOML policy files with `[[rule]]` entries                 |
+| copilot  | JSON `config.json` (no pre-configured permissions)        |
+| gemini   | JSON `settings.json` + TOML policy files in `policies/`   |
 | opencode | JSON with `permission.{edit,bash,webfetch}`               |
 
 ### Capability Validation
 
 Each agent has different capabilities:
 
-| Agent    | Tool Perms  | Bash Patterns | Path Restrictions | Can Deny Read |
-| -------- | ----------- | ------------- | ----------------- | ------------- |
-| claude   | ✓           | ✓             | ✓                 | ✓             |
-| codex    | ✗ (sandbox) | ✓             | ✗                 | ✗             |
-| gemini   | ✓           | ✓             | ✗                 | ✓             |
-| opencode | ✓           | ✓             | ✗                 | ✓             |
+| Agent    | Tool Perms  | Bash Patterns | Path Restrictions | Can Deny Read | Notes                                        |
+| -------- | ----------- | ------------- | ----------------- | ------------- | -------------------------------------------- |
+| claude   | ✓           | ✓             | ✓                 | ✓             | Permissions + OS-level sandbox               |
+| codex    | ✗ (sandbox) | ✓             | ✗                 | ✗             | OS-level sandbox (Landlock+seccomp/Seatbelt) |
+| copilot  | ✗           | ✗             | ✗                 | ✗             | Runtime prompts only (no pre-config)         |
+| gemini   | ✓           | ✓             | ✗                 | ✓             | Permissions only (no sandbox)                |
+| opencode | ✓           | ✓             | ✓                 | ✓             | UX-only permissions (no sandbox)             |
+
+**Security notes:**
+
+- **Claude Code** manages application-level permissions; OS-level sandbox settings (network filtering, filesystem isolation) are configured separately
+- **Copilot CLI** does not support pre-configured permissions; all actions require runtime approval prompts
+- **OpenCode** permissions are UX-only to keep users informed; they do not provide security isolation
 
 axconfig validates permissions against agent capabilities:
 
@@ -217,6 +225,7 @@ src/
 └── agents/
     ├── claude.ts           # Claude Code config builder + reader
     ├── codex.ts            # Codex config builder + reader
+    ├── copilot.ts          # GitHub Copilot CLI config builder + reader
     ├── gemini.ts           # Gemini CLI config builder + reader
     └── opencode.ts         # OpenCode config builder + reader
 ```
@@ -232,7 +241,7 @@ Run `npx -y axconfig --help` to learn available options.
 
 Use `axconfig` to manage AI agent configurations with unified permission syntax.
 It translates `--allow` and `--deny` rules to agent-specific formats (Claude Code,
-Codex, Gemini CLI, OpenCode).
+Codex, Gemini CLI, GitHub Copilot CLI, OpenCode).
 ```
 
 ## License

package/dist/agents/claude-reader.js

@@ -13,15 +13,15 @@ import { createJsonConfigOperations, readJsonConfig, } from "../read-write-json-
 const REVERSE_TOOL_MAP = {
     Read: "read",
     Write: "write",
-    Edit: "edit",
+    Edit: "write", // Claude's Edit tool maps to canonical "write"
     Bash: "bash",
     Glob: "glob",
     Grep: "grep",
-    WebFetch: "web",
-    WebSearch: "web",
+    WebFetch: "webfetch",
+    WebSearch: "webfetch",
 };
 /** Path-restricted tools (lowercase) */
-const PATH_TOOLS = new Set(["read", "write", "edit"]);
+const PATH_TOOLS = new Set(["read", "write"]);
 /**
  * Get the settings.json path for a config directory.
  */
@@ -45,11 +45,11 @@ function parseClaudeRule(rule) {
     if (parenIndex > 0 && rule.endsWith(")")) {
         const toolName = rule.slice(0, parenIndex);
         const pattern = rule.slice(parenIndex + 1, -1);
-        // Bash pattern: "Bash(git:*)" → pattern is "git:*", we want "git"
+        // Bash pattern: "Bash(git:*)" → pattern is "git:*", we want "git*"
+        // Append * to indicate prefix matching (required by axconfig's canonical format)
         if (toolName === "Bash") {
-            const bashPattern = pattern.endsWith(":*")
-                ? pattern.slice(0, -2)
-                : pattern;
+            const prefix = pattern.endsWith(":*") ? pattern.slice(0, -2) : pattern;
+            const bashPattern = prefix === "" ? "*" : `${prefix}*`;
             return { type: "bash", pattern: bashPattern };
         }
         // Path pattern: "Read(src/**)" → tool is "read", pattern is "src/**"

package/dist/agents/claude.js

@@ -17,12 +17,11 @@ export { claudeCodeConfigReader } from "./claude-reader.js";
 /** Claude Code tool name mapping */
 const TOOL_MAP = {
     read: "Read",
-    write: "Write",
-    edit: "Edit",
+    write: ["Write", "Edit"], // Canonical "write" maps to both Claude's Write and Edit tools
     bash: "Bash",
     glob: "Glob",
     grep: "Grep",
-    web: "WebFetch",
+    webfetch: "WebFetch",
 };
 /** Claude Code capabilities */
 const CAPABILITIES = {
@@ -33,20 +32,33 @@ const CAPABILITIES = {
 };
 /**
  * Translate a permission rule to Claude Code format.
+ * Returns an array since some canonical tools map to multiple Claude tools.
  */
 function translateRule(rule) {
     switch (rule.type) {
         case "tool": {
-            return TOOL_MAP[rule.name];
+            const mapped = TOOL_MAP[rule.name];
+            return Array.isArray(mapped) ? mapped : [mapped];
         }
         case "bash": {
-            // Claude Code uses "Bash(pattern:*)" for command patterns
-            return `Bash(${rule.pattern}:*)`;
+            // User provides pattern with explicit trailing *
+            // Strip it to get the prefix for Claude format
+            const prefix = rule.pattern.slice(0, -1);
+            // bash:* (all commands) → Bash (without parentheses)
+            // bash:git* → Bash(git:*)
+            if (prefix === "" || prefix.trim() === "") {
+                return ["Bash"];
+            }
+            return [`Bash(${prefix}:*)`];
         }
         case "path": {
             // Claude Code uses "Tool(path/**)" for path patterns
+            // write:pattern maps to both Write(pattern) and Edit(pattern)
+            if (rule.tool === "write") {
+                return [`Write(${rule.pattern})`, `Edit(${rule.pattern})`];
+            }
             const toolName = rule.tool.charAt(0).toUpperCase() + rule.tool.slice(1);
-            return `${toolName}(${rule.pattern})`;
+            return [`${toolName}(${rule.pattern})`];
         }
     }
 }
@@ -96,9 +108,9 @@ function build(config, output) {
         };
     }
     // Claude Code supports all permission types, so no warnings/errors needed
-    // All rules can be translated directly
-    const allowRules = permissions.allow.map((rule) => translateRule(rule));
-    const denyRules = permissions.deny.map((rule) => translateRule(rule));
+    // All rules can be translated directly (flatMap since translateRule returns arrays)
+    const allowRules = permissions.allow.flatMap((rule) => translateRule(rule));
+    const denyRules = permissions.deny.flatMap((rule) => translateRule(rule));
     const settings = {
         ...existingSettings,
         permissions: {

package/dist/agents/codex-reader.js

@@ -85,17 +85,19 @@ function readPermissions(configDirectory) {
         const sandboxMode = config.sandbox_mode;
         if (sandboxMode === "workspace-write" ||
             sandboxMode === "danger-full-access") {
-            allowRules.push({ type: "tool", name: "write" }, { type: "tool", name: "edit" });
+            allowRules.push({ type: "tool", name: "write" });
         }
         // Read is always allowed in Codex sandbox
         allowRules.push({ type: "tool", name: "read" });
         // Parse bash patterns from rules files
+        // Append * to indicate prefix matching (required by axconfig's canonical format)
         for (const rule of rules) {
+            const pattern = rule.pattern === "" ? "*" : `${rule.pattern}*`;
             if (rule.decision === "allow") {
-                allowRules.push({ type: "bash", pattern: rule.pattern });
+                allowRules.push({ type: "bash", pattern });
             }
             else {
-                denyRules.push({ type: "bash", pattern: rule.pattern });
+                denyRules.push({ type: "bash", pattern });
             }
         }
         const permConfig = {

package/dist/agents/codex.js

@@ -26,11 +26,11 @@ const CAPABILITIES = {
 /**
  * Infer sandbox mode from permissions.
  *
- * - If write or edit is allowed → workspace-write
+ * - If write is allowed → workspace-write
  * - Otherwise → read-only
  */
 function inferSandboxMode(permissions) {
-    const allowsWrite = permissions.allow.some((r) => r.type === "tool" && (r.name === "write" || r.name === "edit"));
+    const allowsWrite = permissions.allow.some((r) => r.type === "tool" && r.name === "write");
     return allowsWrite ? "workspace-write" : "read-only";
 }
 /**
@@ -98,9 +98,8 @@ function build(config, output) {
                 });
             }
         }
-        // Tool permissions other than read/write/edit - warn as Codex uses sandbox
-        const nonFileTools = permissions.allow.filter((r) => r.type === "tool" &&
-            !["read", "write", "edit", "bash"].includes(r.name));
+        // Tool permissions other than read/write - warn as Codex uses sandbox
+        const nonFileTools = permissions.allow.filter((r) => r.type === "tool" && !["read", "write", "bash"].includes(r.name));
         for (const rule of nonFileTools) {
             if (rule.type === "tool") {
                 warnings.push({
@@ -146,13 +145,17 @@ function build(config, output) {
     // Generate execpolicy rules
     const rules = ["# Generated by axconfig"];
     if (permissions) {
-        // Collect bash patterns
+        // Collect bash patterns, stripping trailing * since Codex does prefix matching natively
+        // Filter out empty patterns (from bash:*) - Codex doesn't support empty prefix
+        // bash:* means "all commands" which is the default when no rules exist
         const allowBash = permissions.allow
             .filter((r) => r.type === "bash")
-            .map((r) => r.pattern);
+            .map((r) => r.pattern.slice(0, -1).trim())
+            .filter((p) => p !== "");
         const denyBash = permissions.deny
             .filter((r) => r.type === "bash")
-            .map((r) => r.pattern);
+            .map((r) => r.pattern.slice(0, -1).trim())
+            .filter((p) => p !== "");
         // Generate allow rules
         for (const pattern of allowBash) {
             rules.push(generatePrefixRule(pattern, "allow"));

package/dist/agents/gemini-reader.js

@@ -14,11 +14,11 @@ import { createJsonConfigOperations, readJsonConfig, } from "../read-write-json-
 const REVERSE_TOOL_MAP = {
     read_file: "read",
     write_file: "write",
-    edit_file: "edit",
+    edit_file: "write", // Gemini's edit_file maps to canonical "write"
     run_shell_command: "bash",
     glob: "glob",
     grep: "grep",
-    web_fetch: "web",
+    web_fetch: "webfetch",
 };
 /**
  * Get the settings.json path for a config directory.
@@ -73,12 +73,14 @@ function readPermissions(configDirectory) {
                 ? rule.toolName
                 : [rule.toolName];
             // Check for bash command patterns
+            // Append * to indicate prefix matching (required by axconfig's canonical format)
             if (rule.commandPrefix) {
                 const prefixes = Array.isArray(rule.commandPrefix)
                     ? rule.commandPrefix
                     : [rule.commandPrefix];
                 for (const prefix of prefixes) {
-                    targetList.push({ type: "bash", pattern: prefix });
+                    const pattern = prefix === "" ? "*" : `${prefix}*`;
+                    targetList.push({ type: "bash", pattern });
                 }
                 continue;
             }
@@ -109,7 +111,7 @@ function readModel(configDirectory) {
     try {
         const settings = readSettings(configDirectory);
         const modelObject = settings.model;
-        if (!modelObject || modelObject.name === undefined) {
+        if (modelObject?.name === undefined) {
             return { ok: true, value: undefined };
         }
         if (typeof modelObject.name !== "string") {

package/dist/agents/gemini.js

@@ -18,12 +18,11 @@ import { readExistingSettings } from "./gemini-settings.js";
 /** Gemini CLI tool name mapping */
 const TOOL_MAP = {
     read: "read_file",
-    write: "write_file",
-    edit: "edit_file",
+    write: ["write_file", "edit_file"], // Canonical "write" maps to both Gemini's write_file and edit_file
     bash: "run_shell_command",
     glob: "glob",
     grep: "grep",
-    web: "web_fetch",
+    webfetch: "web_fetch",
 };
 /** Gemini CLI capabilities */
 const CAPABILITIES = {
@@ -106,29 +105,51 @@ function build(config, output) {
     const rules = [];
     if (permissions) {
         // Collect tool permissions (excluding path rules which were warned about)
+        // Use flatMap since canonical "write" maps to both write_file and edit_file
         const allowTools = permissions.allow
             .filter((r) => r.type === "tool")
-            .map((r) => TOOL_MAP[r.name]);
+            .flatMap((r) => {
+            const mapped = TOOL_MAP[r.name];
+            return Array.isArray(mapped) ? mapped : [mapped];
+        });
         const denyTools = permissions.deny
             .filter((r) => r.type === "tool")
-            .map((r) => TOOL_MAP[r.name]);
-        // Collect bash patterns
-        const allowBash = permissions.allow
-            .filter((r) => r.type === "bash")
-            .map((r) => r.pattern);
-        const denyBash = permissions.deny
-            .filter((r) => r.type === "bash")
-            .map((r) => r.pattern);
+            .flatMap((r) => {
+            const mapped = TOOL_MAP[r.name];
+            return Array.isArray(mapped) ? mapped : [mapped];
+        });
+        // Collect bash patterns, stripping trailing * since Gemini does prefix matching natively
+        // bash:* (empty prefix after strip) → allow run_shell_command tool entirely
+        // bash:git* → commandPrefix = "git"
+        const allowBashPatterns = permissions.allow.filter((r) => r.type === "bash");
+        const denyBashPatterns = permissions.deny.filter((r) => r.type === "bash");
+        // Separate bash:* (all commands) from specific patterns
+        const allowAllBash = allowBashPatterns.some((r) => r.pattern.slice(0, -1).trim() === "");
+        const denyAllBash = denyBashPatterns.some((r) => r.pattern.slice(0, -1).trim() === "");
+        const allowBash = allowBashPatterns
+            .map((r) => r.pattern.slice(0, -1).trim())
+            .filter((p) => p !== "");
+        const denyBash = denyBashPatterns
+            .map((r) => r.pattern.slice(0, -1).trim())
+            .filter((p) => p !== "");
         // Generate allow rules (high priority)
-        if (allowTools.length > 0) {
-            rules.push(generateToolRule(allowTools, "allow", 999));
+        // Include run_shell_command if bash:* is in allow list
+        const effectiveAllowTools = allowAllBash
+            ? [...allowTools, "run_shell_command"]
+            : allowTools;
+        if (effectiveAllowTools.length > 0) {
+            rules.push(generateToolRule(effectiveAllowTools, "allow", 999));
         }
         if (allowBash.length > 0) {
             rules.push(generateBashRule(allowBash, "allow", 998));
         }
         // Generate deny rules (medium priority)
-        if (denyTools.length > 0) {
-            rules.push(generateToolRule(denyTools, "deny", 500));
+        // Include run_shell_command if bash:* is in deny list
+        const effectiveDenyTools = denyAllBash
+            ? [...denyTools, "run_shell_command"]
+            : denyTools;
+        if (effectiveDenyTools.length > 0) {
+            rules.push(generateToolRule(effectiveDenyTools, "deny", 500));
         }
         if (denyBash.length > 0) {
             rules.push(generateBashRule(denyBash, "deny", 499));

package/dist/agents/opencode-permission-builder.d.ts

@@ -32,9 +32,9 @@ export declare const BASE_PERMISSION_OVERRIDES: Record<string, OpenCodePermissio
 /**
  * Collect path patterns from permission rules, grouped by OpenCode permission name.
  *
- * Note: Only read/write/edit rules can have path patterns per the PathPatternRule type.
+ * Note: Only read/write rules can have path patterns per the PathPatternRule type.
  * The TOOL_TO_OPENCODE mapping includes glob/grep for tool-level permissions, but these
- * will never appear here since PathRestrictedTool is limited to read/write/edit.
+ * will never appear here since PathRestrictedTool is limited to read/write.
  */
 export declare function collectPathPatterns(rules: PermissionRule[]): Map<string, string[]>;
 /**

package/dist/agents/opencode-permission-builder.js

@@ -8,11 +8,10 @@
  */
 const TOOL_TO_OPENCODE = {
     read: "read",
-    edit: "edit",
-    write: "edit", // OpenCode uses single "edit" for both
+    write: "edit", // OpenCode uses single "edit" for write operations
     glob: "glob",
     grep: "grep",
-    web: "webfetch",
+    webfetch: "webfetch",
     bash: "bash",
 };
 /**
@@ -42,9 +41,9 @@ export const BASE_PERMISSION_OVERRIDES = {
 /**
  * Collect path patterns from permission rules, grouped by OpenCode permission name.
  *
- * Note: Only read/write/edit rules can have path patterns per the PathPatternRule type.
+ * Note: Only read/write rules can have path patterns per the PathPatternRule type.
  * The TOOL_TO_OPENCODE mapping includes glob/grep for tool-level permissions, but these
- * will never appear here since PathRestrictedTool is limited to read/write/edit.
+ * will never appear here since PathRestrictedTool is limited to read/write.
  */
 export function collectPathPatterns(rules) {
     const patterns = new Map();
@@ -76,29 +75,6 @@ export function collectBashPatterns(rules) {
         .filter((r) => r.type === "bash")
         .map((r) => r.pattern);
 }
-/**
- * Normalize a bash pattern for OpenCode by adding a trailing wildcard if needed.
- *
- * OpenCode uses an "arity" system to extract command prefixes for permission
- * checking. For example, `gh` has arity 3, so `gh api repos/foo/bar` extracts
- * the prefix `gh api repos/foo/bar` (first 3 tokens). A pattern `gh api` won't
- * match because it's missing the third token.
- *
- * By appending `*` to patterns that don't already have wildcards, we ensure
- * patterns like `gh api` become `gh api*` which matches `gh api repos/...`.
- *
- * @example
- * normalizeBashPattern("gh api") // "gh api*"
- * normalizeBashPattern("git *")  // "git *" (already has wildcard)
- * normalizeBashPattern("cat")    // "cat*"
- */
-function normalizeBashPattern(pattern) {
-    // Don't add another * if pattern already ends with one
-    if (pattern.endsWith("*")) {
-        return pattern;
-    }
-    return `${pattern}*`;
-}
 /**
  * Build bash permission config from patterns and tool permissions.
  *
@@ -124,10 +100,10 @@ export function buildBashPermission(allowPatterns, denyPatterns, bashAllowed, ba
             "*": bashAllowed ? "allow" : "deny",
         };
         for (const pattern of allowPatterns) {
-            bashConfig[normalizeBashPattern(pattern)] = "allow";
+            bashConfig[pattern] = "allow";
         }
         for (const pattern of denyPatterns) {
-            bashConfig[normalizeBashPattern(pattern)] = "deny";
+            bashConfig[pattern] = "deny";
         }
         return bashConfig;
     }
@@ -143,14 +119,8 @@ export function buildBashPermission(allowPatterns, denyPatterns, bashAllowed, ba
 export function buildToolPermission(canonicalName, opencodeName, allowedTools, deniedTools, allowPathPatterns, denyPathPatterns) {
     const hasAllowPatterns = allowPathPatterns.has(opencodeName);
     const hasDenyPatterns = denyPathPatterns.has(opencodeName);
-    // Handle write -> edit mapping (both map to same OpenCode permission)
-    const isEditOrWrite = canonicalName === "edit" || canonicalName === "write";
-    const effectiveAllowed = isEditOrWrite
-        ? allowedTools.has("edit") || allowedTools.has("write")
-        : allowedTools.has(canonicalName);
-    const effectiveDenied = isEditOrWrite
-        ? deniedTools.has("edit") || deniedTools.has("write")
-        : deniedTools.has(canonicalName);
+    const effectiveAllowed = allowedTools.has(canonicalName);
+    const effectiveDenied = deniedTools.has(canonicalName);
     if (effectiveDenied && !hasDenyPatterns && !hasAllowPatterns) {
         return "deny";
     }

package/dist/agents/opencode-reader.js

@@ -23,10 +23,10 @@ import { createJsonConfigOperations, readJsonConfig, } from "../read-write-json-
  */
 const OPENCODE_TO_TOOL = {
     read: "read",
-    edit: ["edit", "write"], // OpenCode's "edit" maps to both canonical tools
+    edit: "write", // OpenCode's "edit" maps to canonical "write"
     glob: "glob",
     grep: "grep",
-    webfetch: "web",
+    webfetch: "webfetch",
     bash: "bash",
 };
 /**
@@ -55,18 +55,13 @@ function isAllowAction(action) {
  * Parse a permission value (simple or object-based) and add rules to the arrays.
  */
 function parsePermissionValue(opencodeName, value, allowRules, denyRules) {
-    const canonicalTools = OPENCODE_TO_TOOL[opencodeName];
-    if (!canonicalTools)
+    const canonicalTool = OPENCODE_TO_TOOL[opencodeName];
+    if (!canonicalTool)
         return; // Unknown permission, skip
-    const tools = Array.isArray(canonicalTools)
-        ? canonicalTools
-        : [canonicalTools];
     if (typeof value === "string") {
         // Simple value: "allow", "deny", or "ask"
         const rules = isAllowAction(value) ? allowRules : denyRules;
-        for (const tool of tools) {
-            rules.push({ type: "tool", name: tool });
-        }
+        rules.push({ type: "tool", name: canonicalTool });
     }
     else if (typeof value === "object") {
         // Object with patterns
@@ -74,9 +69,7 @@ function parsePermissionValue(opencodeName, value, allowRules, denyRules) {
             const rules = isAllowAction(action) ? allowRules : denyRules;
             if (pattern === "*") {
                 // Catch-all represents tool-level permission
-                for (const tool of tools) {
-                    rules.push({ type: "tool", name: tool });
-                }
+                rules.push({ type: "tool", name: canonicalTool });
                 continue;
             }
             if (opencodeName === "bash") {
@@ -84,13 +77,11 @@ function parsePermissionValue(opencodeName, value, allowRules, denyRules) {
                 rules.push({ type: "bash", pattern });
             }
             else {
-                // Only read/write/edit support path patterns in axconfig's type system.
+                // Only read/write support path patterns in axconfig's type system.
                 // OpenCode's glob/grep patterns match against glob patterns or regexes,
                 // not file paths, so they're intentionally excluded here.
-                for (const tool of tools) {
-                    if (tool === "read" || tool === "write" || tool === "edit") {
-                        rules.push({ type: "path", tool, pattern });
-                    }
+                if (canonicalTool === "read" || canonicalTool === "write") {
+                    rules.push({ type: "path", tool: canonicalTool, pattern });
                 }
             }
         }

package/dist/agents/opencode.js

@@ -40,10 +40,10 @@ function buildPermissionConfig(permissions) {
     // Set permissions for standard tools
     const tools = [
         { canonical: "read", opencode: "read" },
-        { canonical: "edit", opencode: "edit" },
+        { canonical: "write", opencode: "edit" }, // OpenCode uses "edit" for write operations
         { canonical: "glob", opencode: "glob" },
         { canonical: "grep", opencode: "grep" },
-        { canonical: "web", opencode: "webfetch" },
+        { canonical: "webfetch", opencode: "webfetch" },
     ];
     for (const { canonical, opencode } of tools) {
         permissionConfig[opencode] = buildToolPermission(canonical, opencode, allowedTools, deniedTools, allowPathPatterns, denyPathPatterns);
@@ -85,7 +85,7 @@ function build(config, output) {
     };
     atomicWriteFileSync(configPath, JSON.stringify(openCodeConfig, undefined, 2));
     // Build environment variables:
-    // - OPENCODE_CONFIG_DIR: axpoint convention for config directory
+    // - OPENCODE_CONFIG_DIR: axkit convention for config directory
     // - XDG_DATA_HOME/XDG_CONFIG_HOME: OpenCode uses these for auth and other XDG-based paths
     const runtimeEnvironment = buildAgentRuntimeEnvironment("opencode", output);
     return {

package/dist/parse-permissions.d.ts

@@ -3,10 +3,13 @@
  *
  * Parses --allow and --deny CLI arguments into PermissionConfig.
  *
+ * Bash patterns require an explicit trailing wildcard (*) to indicate
+ * prefix matching. Patterns without wildcards will throw an error.
+ *
  * @example
  * parsePermissions(
  *   ["read,glob,bash:git *"],
- *   ["bash:rm *"]
+ *   ["bash:rm*"]
  * )
  * // Returns:
  * // {
@@ -16,7 +19,7 @@
  * //     { type: "bash", pattern: "git *" }
  * //   ],
  * //   deny: [
- * //     { type: "bash", pattern: "rm *" }
+ * //     { type: "bash", pattern: "rm*" }
  * //   ]
  * // }
  */

package/dist/parse-permissions.js

@@ -3,10 +3,13 @@
  *
  * Parses --allow and --deny CLI arguments into PermissionConfig.
  *
+ * Bash patterns require an explicit trailing wildcard (*) to indicate
+ * prefix matching. Patterns without wildcards will throw an error.
+ *
  * @example
  * parsePermissions(
  *   ["read,glob,bash:git *"],
- *   ["bash:rm *"]
+ *   ["bash:rm*"]
  * )
  * // Returns:
  * // {
@@ -16,7 +19,7 @@
  * //     { type: "bash", pattern: "git *" }
  * //   ],
  * //   deny: [
- * //     { type: "bash", pattern: "rm *" }
+ * //     { type: "bash", pattern: "rm*" }
  * //   ]
  * // }
  */
@@ -24,14 +27,13 @@
 const CANONICAL_TOOLS = new Set([
     "read",
     "write",
-    "edit",
     "bash",
     "glob",
     "grep",
-    "web",
+    "webfetch",
 ]);
 /** Tools that support path restrictions */
-const PATH_TOOLS = new Set(["read", "write", "edit"]);
+const PATH_TOOLS = new Set(["read", "write"]);
 /**
  * Parse a single permission rule string.
  *
@@ -51,6 +53,11 @@ function parseRule(rule) {
         if (pattern === "") {
             throw new Error('Invalid bash pattern: "bash:" requires a command pattern');
         }
+        if (!pattern.endsWith("*")) {
+            throw new Error(`Bash pattern "${pattern}" requires a trailing wildcard.\n` +
+                `Use "bash:${pattern}*" to match commands starting with "${pattern}".\n` +
+                `All bash patterns are prefix matches.`);
+        }
         return { type: "bash", pattern };
     }
     // Check for path restriction: "read:src/**"

package/dist/types.d.ts

@@ -5,9 +5,9 @@
  */
 import type { AgentCli } from "axshared";
 /** Canonical tool names used in axrun permissions */
-type CanonicalTool = "read" | "write" | "edit" | "bash" | "glob" | "grep" | "web";
+type CanonicalTool = "read" | "write" | "bash" | "glob" | "grep" | "webfetch";
 /** Tools that support path restrictions */
-type PathRestrictedTool = "read" | "write" | "edit";
+type PathRestrictedTool = "read" | "write";
 /** Permission rule for a tool (e.g., "read", "bash") */
 interface ToolPermissionRule {
     type: "tool";

package/package.json

@@ -2,8 +2,8 @@
   "name": "axconfig",
   "author": "Łukasz Jerciński",
   "license": "MIT",
-  "version": "3.5.2",
-  "description": "Unified configuration management for AI coding agents - common API for permissions, settings, and config across Claude Code, Codex, Gemini CLI, and OpenCode",
+  "version": "3.6.1",
+  "description": "Unified configuration management for AI coding agents - common API for permissions, settings, and config across Claude Code, Codex, Gemini CLI, GitHub Copilot CLI, and OpenCode",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/Jercik/axconfig.git"
@@ -55,6 +55,7 @@
     "configuration",
     "claude-code",
     "codex",
+    "copilot-cli",
     "gemini",
     "opencode",
     "llm",
@@ -68,22 +69,22 @@
   "dependencies": {
     "@commander-js/extra-typings": "^14.0.0",
     "@iarna/toml": "^2.2.5",
-    "axshared": "^1.7.1",
+    "axshared": "^1.9.0",
     "commander": "^14.0.2"
   },
   "devDependencies": {
     "@total-typescript/ts-reset": "^0.6.1",
     "@types/iarna__toml": "^2.0.5",
-    "@types/node": "^25.0.3",
-    "@vitest/coverage-v8": "^4.0.16",
+    "@types/node": "^25.0.6",
+    "@vitest/coverage-v8": "^4.0.17",
     "eslint": "^9.39.2",
-    "eslint-config-axpoint": "^1.0.0",
+    "eslint-config-axkit": "^1.1.0",
     "fta-check": "^1.5.1",
     "fta-cli": "^3.0.0",
-    "knip": "^5.79.0",
+    "knip": "^5.80.2",
     "prettier": "3.7.4",
     "semantic-release": "^25.0.2",
     "typescript": "^5.9.3",
-    "vitest": "^4.0.16"
+    "vitest": "^4.0.17"
   }
 }