capgate 0.0.1

package/dist/policy/compiler.js

@@ -0,0 +1,235 @@
+// Compiler: ServerManifest → NormalizedPolicy.
+//
+// Responsibilities:
+//   1. Parse capability strings in raw manifests into typed Capability values.
+//   2. Union server-level + per-tool capabilities into a single flat list.
+//   3. Normalize (write implies read; longer fs paths absorb shorter overlaps).
+//   4. Dedupe by (kind, scope key).
+//   5. Partition by kind into the NormalizedPolicy shape.
+//
+// The compiler is a pure function. No I/O. No adapter knowledge.
+import { GRAMMAR_VERSION, parseCapability } from './grammar.js';
+import { CompilationError, } from './ir.js';
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export function compile(raw) {
+    assertManifestShape(raw);
+    const parsed = parseManifest(raw);
+    const all = [
+        ...(parsed.serverCapabilities ?? []),
+        ...parsed.tools.flatMap((t) => t.capabilities),
+    ];
+    return normalize({ name: raw.name, version: raw.version }, all);
+}
+/** Parse a RawServerManifest into a ServerManifest with typed Capability[]. */
+export function parseManifest(raw) {
+    const serverCapabilities = raw.serverCapabilities?.map((s) => parseCapability(s).capability) ?? [];
+    const tools = raw.tools.map((t) => ({
+        name: t.name,
+        description: t.description,
+        inputSchema: t.inputSchema,
+        capabilities: t.capabilities.map((s) => parseCapability(s).capability),
+    }));
+    return { name: raw.name, version: raw.version, serverCapabilities, tools };
+}
+// ---------------------------------------------------------------------------
+// Normalization pipeline
+// ---------------------------------------------------------------------------
+export function normalize(server, caps) {
+    const policy = {
+        server,
+        fs: [],
+        net: [],
+        exec: [],
+        env: [],
+        ipc: [],
+        clock: 'none',
+        assertions: [],
+        nestedSandbox: false,
+    };
+    // Per-kind accumulators keyed by a canonical scope key.
+    const fsAcc = new Map();
+    const netAcc = new Map();
+    const execAcc = new Map();
+    const envAcc = new Map();
+    const ipcAcc = new Map();
+    const assertAcc = new Map();
+    for (const cap of caps) {
+        if (cap.refinements?.nestedSandbox)
+            policy.nestedSandbox = true;
+        switch (cap.kind) {
+            case 'fs': {
+                const key = cap.scope.path;
+                const entry = fsAcc.get(key) ?? {
+                    path: cap.scope.path,
+                    actions: new Set(),
+                    isGlob: cap.scope.isGlob,
+                };
+                for (const a of cap.actions)
+                    entry.actions.add(a);
+                fsAcc.set(key, entry);
+                break;
+            }
+            case 'net': {
+                const key = `${cap.scope.host}:${cap.scope.port ?? '*'}`;
+                const entry = netAcc.get(key) ?? { ...cap.scope };
+                // blockPrivate is OR-ed: if any declaration wants it blocked, block it.
+                entry.blockPrivate = entry.blockPrivate || cap.scope.blockPrivate;
+                netAcc.set(key, entry);
+                break;
+            }
+            case 'exec': {
+                execAcc.set(cap.scope.binary, { binary: cap.scope.binary });
+                break;
+            }
+            case 'env': {
+                // Inject dominates read (inject requires read); collapse to inject if present.
+                const existing = envAcc.get(cap.scope.name);
+                const action = existing?.action === 'inject' || cap.actions.includes('inject') ? 'inject' : 'read';
+                envAcc.set(cap.scope.name, { name: cap.scope.name, action });
+                break;
+            }
+            case 'ipc': {
+                ipcAcc.set(cap.scope.endpoint, { endpoint: cap.scope.endpoint });
+                break;
+            }
+            case 'clock': {
+                // tzdata dominates system.
+                if (cap.scope.source === 'tzdata')
+                    policy.clock = 'tzdata';
+                else if (policy.clock === 'none')
+                    policy.clock = 'system';
+                break;
+            }
+            case 'assert': {
+                assertAcc.set(cap.scope.id, cap.scope);
+                break;
+            }
+        }
+    }
+    policy.fs = mergeFsRoots([...fsAcc.values()].map((e) => ({
+        path: e.path,
+        actions: normalizeFsActions([...e.actions]),
+        isGlob: e.isGlob,
+    })));
+    policy.net = [...netAcc.values()];
+    policy.exec = [...execAcc.values()];
+    policy.env = [...envAcc.values()];
+    policy.ipc = [...ipcAcc.values()];
+    policy.assertions = [...assertAcc.values()];
+    stableSort(policy);
+    return policy;
+}
+// ---------------------------------------------------------------------------
+// FS normalization helpers
+// ---------------------------------------------------------------------------
+/** write/create/delete imply read; delete implies write. Canonical order. */
+function normalizeFsActions(actions) {
+    const set = new Set(actions);
+    if (set.has('delete'))
+        set.add('write');
+    if (set.has('write') || set.has('create') || set.has('delete'))
+        set.add('read');
+    const order = ['read', 'create', 'write', 'delete'];
+    return order.filter((a) => set.has(a));
+}
+/**
+ * Merge fs roots where one path is a prefix-superset of another. bwrap and
+ * friends bind directories — once /workspace/** is bound, /workspace/src is
+ * redundant. We pick the shortest covering path and union the actions.
+ *
+ * This is a deliberately conservative merge: exact equality and simple prefix
+ * only. No glob-intersection solver.
+ */
+function mergeFsRoots(roots) {
+    // Stable sort by path length ascending → shortest first.
+    const sorted = [...roots].sort((a, b) => prefixKey(a.path).localeCompare(prefixKey(b.path)));
+    const out = [];
+    for (const r of sorted) {
+        const covering = out.find((existing) => covers(existing.path, r.path));
+        if (covering) {
+            covering.actions = normalizeFsActions([...covering.actions, ...r.actions]);
+            continue;
+        }
+        out.push({ ...r });
+    }
+    return out;
+}
+/** Strip glob suffixes for prefix comparison. "/a/**" → "/a/". */
+function prefixKey(path) {
+    return path.replace(/\/\*\*$/, '/').replace(/\/\*$/, '/');
+}
+/** True if `a` covers `b` (a is a directory prefix of b, treating globs as open-ended). */
+function covers(a, b) {
+    if (a === b)
+        return true;
+    const aKey = prefixKey(a);
+    const bKey = prefixKey(b);
+    if (aKey === bKey)
+        return true;
+    // a must end in "/" after normalization to be a directory prefix.
+    if (!aKey.endsWith('/'))
+        return false;
+    return bKey.startsWith(aKey);
+}
+// ---------------------------------------------------------------------------
+// Deterministic output — golden files demand stable ordering.
+// ---------------------------------------------------------------------------
+function stableSort(p) {
+    p.fs.sort((a, b) => a.path.localeCompare(b.path));
+    p.net.sort((a, b) => a.host.localeCompare(b.host) || portCmp(a.port, b.port));
+    p.exec.sort((a, b) => a.binary.localeCompare(b.binary));
+    p.env.sort((a, b) => a.name.localeCompare(b.name));
+    p.ipc.sort((a, b) => a.endpoint.localeCompare(b.endpoint));
+    p.assertions.sort((a, b) => a.id.localeCompare(b.id));
+}
+function portCmp(a, b) {
+    if (a === b)
+        return 0;
+    if (a === null)
+        return -1;
+    if (b === null)
+        return 1;
+    return a - b;
+}
+// ---------------------------------------------------------------------------
+// Input validation — shape-only. Grammar errors surface from parseCapability.
+// ---------------------------------------------------------------------------
+function assertManifestShape(raw) {
+    if (!raw || typeof raw !== 'object') {
+        throw new CompilationError('MANIFEST_SHAPE', 'manifest must be an object');
+    }
+    if (raw.grammar !== undefined) {
+        if (typeof raw.grammar !== 'string') {
+            throw new CompilationError('MANIFEST_SHAPE', 'manifest.grammar must be a string');
+        }
+        if (raw.grammar !== GRAMMAR_VERSION) {
+            throw new CompilationError('GRAMMAR_VERSION_MISMATCH', `manifest declares grammar "${raw.grammar}" but compiler is at "${GRAMMAR_VERSION}"`, { declared: raw.grammar, supported: GRAMMAR_VERSION });
+        }
+    }
+    if (typeof raw.name !== 'string' || !raw.name) {
+        throw new CompilationError('MANIFEST_SHAPE', 'manifest.name must be a non-empty string');
+    }
+    if (typeof raw.version !== 'string' || !raw.version) {
+        throw new CompilationError('MANIFEST_SHAPE', 'manifest.version must be a non-empty string');
+    }
+    if (!Array.isArray(raw.tools)) {
+        throw new CompilationError('MANIFEST_SHAPE', 'manifest.tools must be an array');
+    }
+    if (raw.serverCapabilities && !Array.isArray(raw.serverCapabilities)) {
+        throw new CompilationError('MANIFEST_SHAPE', 'manifest.serverCapabilities must be an array');
+    }
+    for (const [i, t] of raw.tools.entries()) {
+        if (!t || typeof t !== 'object') {
+            throw new CompilationError('MANIFEST_SHAPE', `tools[${i}] must be an object`);
+        }
+        if (typeof t.name !== 'string' || !t.name) {
+            throw new CompilationError('MANIFEST_SHAPE', `tools[${i}].name must be a non-empty string`);
+        }
+        if (!Array.isArray(t.capabilities)) {
+            throw new CompilationError('MANIFEST_SHAPE', `tools[${i}].capabilities must be an array`);
+        }
+    }
+}
+//# sourceMappingURL=compiler.js.map

package/dist/policy/compiler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compiler.js","sourceRoot":"","sources":["../../src/policy/compiler.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAC/C,EAAE;AACF,oBAAoB;AACpB,+EAA+E;AAC/E,2EAA2E;AAC3E,gFAAgF;AAChF,oCAAoC;AACpC,0DAA0D;AAC1D,EAAE;AACF,iEAAiE;AAEjE,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAGL,gBAAgB,GAMjB,MAAM,SAAS,CAAC;AAuBjB,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,MAAM,UAAU,OAAO,CAAC,GAAsB;IAC5C,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAEzB,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IAClC,MAAM,GAAG,GAAiB;QACxB,GAAG,CAAC,MAAM,CAAC,kBAAkB,IAAI,EAAE,CAAC;QACpC,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC;KAC/C,CAAC;IAEF,OAAO,SAAS,CACd,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,EACxC,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,aAAa,CAAC,GAAsB;IAClD,MAAM,kBAAkB,GACtB,GAAG,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC1E,MAAM,KAAK,GAAmB,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAClD,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,YAAY,EAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;KACvE,CAAC,CAAC,CAAC;IACJ,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC;AAC7E,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,MAAM,UAAU,SAAS,CACvB,MAAyC,EACzC,IAAkB;IAElB,MAAM,MAAM,GAAqB;QAC/B,MAAM;QACN,EAAE,EAAE,EAAE;QACN,GAAG,EAAE,EAAE;QACP,IAAI,EAAE,EAAE;QACR,GAAG,EAAE,EAAE;QACP,GAAG,EAAE,EAAE;QACP,KAAK,EAAE,MAAM;QACb,UAAU,EAAE,EAAE;QACd,aAAa,EAAE,KAAK;KACrB,CAAC;IAEF,wDAAwD;IACxD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAqE,CAAC;IAC3F,MAAM,MAAM,GAAG,IAAI,GAAG,EAAwE,CAAC;IAC/F,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8B,CAAC;IACtD,MAAM,MAAM,GAAG,IAAI,GAAG,EAA+C,CAAC;IACtE,MAAM,MAAM,GAAG,IAAI,GAAG,EAAgC,CAAC;IACvD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAuB,CAAC;IAEjD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,CAAC,WAAW,EAAE,aAAa;YAAE,MAAM,CAAC,aAAa,GAAG,IAAI,CAAC;QAEhE,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC;YACjB,KAAK,IAAI,CAAC,CAAC,CAAC;gBACV,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;gBAC3B,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI;oBAC9B,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,IAAI;oBACpB,OAAO,EAAE,IAAI,GAAG,EAAY;oBAC5B,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM;iBACzB,CAAC;gBACF,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,OAAO;oBAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBAClD,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBACtB,MAAM;YACR,CAAC;YACD,KAAK,KAAK,CAAC,CAAC,CAAC;gBACX,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC;gBACzD,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,GAAG,CAAC,KAAK,EAAE,CAAC;gBAClD,wEAAwE;gBACxE,KAAK,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,IAAI,GAAG,CAAC,KAAK,CAAC,YAAY,CAAC;gBAClE,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBACvB,MAAM;YACR,CAAC;YACD,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC5D,MAAM;YACR,CAAC;YACD,KAAK,KAAK,CAAC,CAAC,CAAC;gBACX,+EAA+E;gBAC/E,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAC5C,MAAM,MAAM,GACV,QAAQ,EAAE,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC;gBACtF,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;gBAC7D,MAAM;YACR,CAAC;YACD,KAAK,KAAK,CAAC,CAAC,CAAC;gBACX,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;gBACjE,MAAM;YACR,CAAC;YACD,KAAK,OAAO,CAAC,CAAC,CAAC;gBACb,2BAA2B;gBAC3B,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,QAAQ;oBAAE,MAAM,CAAC,KAAK,GAAG,QAAQ,CAAC;qBACtD,IAAI,MAAM,CAAC,KAAK,KAAK,MAAM;oBAAE,MAAM,CAAC,KAAK,GAAG,QAAQ,CAAC;gBAC1D,MAAM;YACR,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;gBACvC,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,CAAC,EAAE,GAAG,YAAY,CACtB,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9B,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,OAAO,EAAE,kBAAkB,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC;QAC3C,MAAM,EAAE,CAAC,CAAC,MAAM;KACjB,CAAC,CAAC,CACJ,CAAC;IACF,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAClC,MAAM,CAAC,IAAI,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACpC,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAClC,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAClC,MAAM,CAAC,UAAU,GAAG,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAE5C,UAAU,CAAC,MAAM,CAAC,CAAC;IACnB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E,6EAA6E;AAC7E,SAAS,kBAAkB,CAAC,OAAmB;IAC7C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;IAC7B,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC;QAAE,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxC,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC;QAAE,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChF,MAAM,KAAK,GAAe,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAChE,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;AACzC,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,YAAY,CACnB,KAA+D;IAE/D,yDAAyD;IACzD,MAAM,MAAM,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC7F,MAAM,GAAG,GAAkB,EAAE,CAAC;IAE9B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QACvE,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,CAAC,OAAO,GAAG,kBAAkB,CAAC,CAAC,GAAG,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;YAC3E,SAAS;QACX,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACrB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,kEAAkE;AAClE,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;AAC5D,CAAC;AAED,2FAA2F;AAC3F,SAAS,MAAM,CAAC,CAAS,EAAE,CAAS;IAClC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAC1B,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAC1B,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC/B,kEAAkE;IAClE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACtC,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAED,8EAA8E;AAC9E,8DAA8D;AAC9D,8EAA8E;AAE9E,SAAS,UAAU,CAAC,CAAmB;IACrC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAClD,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9E,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IACxD,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACnD,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC3D,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,OAAO,CAAC,CAAgB,EAAE,CAAgB;IACjD,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACtB,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,CAAC,CAAC,CAAC;IAC1B,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,CAAC,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,8EAA8E;AAC9E,8EAA8E;AAE9E,SAAS,mBAAmB,CAAC,GAAsB;IACjD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,gBAAgB,CAAC,gBAAgB,EAAE,4BAA4B,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,GAAG,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,gBAAgB,CAAC,gBAAgB,EAAE,mCAAmC,CAAC,CAAC;QACpF,CAAC;QACD,IAAI,GAAG,CAAC,OAAO,KAAK,eAAe,EAAE,CAAC;YACpC,MAAM,IAAI,gBAAgB,CACxB,0BAA0B,EAC1B,8BAA8B,GAAG,CAAC,OAAO,yBAAyB,eAAe,GAAG,EACpF,EAAE,QAAQ,EAAE,GAAG,CAAC,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,CACtD,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9C,MAAM,IAAI,gBAAgB,CAAC,gBAAgB,EAAE,0CAA0C,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACpD,MAAM,IAAI,gBAAgB,CAAC,gBAAgB,EAAE,6CAA6C,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,gBAAgB,CAAC,gBAAgB,EAAE,iCAAiC,CAAC,CAAC;IAClF,CAAC;IACD,IAAI,GAAG,CAAC,kBAAkB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACrE,MAAM,IAAI,gBAAgB,CAAC,gBAAgB,EAAE,8CAA8C,CAAC,CAAC;IAC/F,CAAC;IACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;QACzC,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAChC,MAAM,IAAI,gBAAgB,CAAC,gBAAgB,EAAE,SAAS,CAAC,qBAAqB,CAAC,CAAC;QAChF,CAAC;QACD,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC1C,MAAM,IAAI,gBAAgB,CAAC,gBAAgB,EAAE,SAAS,CAAC,mCAAmC,CAAC,CAAC;QAC9F,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,gBAAgB,CAAC,gBAAgB,EAAE,SAAS,CAAC,iCAAiC,CAAC,CAAC;QAC5F,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/policy/grammar.d.ts

@@ -0,0 +1,15 @@
+import { Capability } from './ir.js';
+/**
+ * Grammar version. Bumped whenever the capability string syntax, refinement
+ * keys, or IR shape changes in a non-backwards-compatible way. Manifests MAY
+ * declare `"grammar": "0.0"` to pin; the compiler rejects mismatches.
+ *
+ * Semver: MAJOR.MINOR, no patch. MINOR bumps are additive (new kind, new
+ * refinement). MAJOR bumps remove or redefine existing syntax.
+ */
+export declare const GRAMMAR_VERSION = "0.0";
+export interface ParseResult {
+    capability: Capability;
+}
+export declare function parseCapability(raw: string): ParseResult;
+//# sourceMappingURL=grammar.d.ts.map

package/dist/policy/grammar.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"grammar.d.ts","sourceRoot":"","sources":["../../src/policy/grammar.ts"],"names":[],"mappings":"AAiBA,OAAO,EACL,UAAU,EAQX,MAAM,SAAS,CAAC;AAEjB;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe,QAAQ,CAAC;AAYrC,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,UAAU,CAAC;CACxB;AAED,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAqBxD"}

package/dist/policy/grammar.js

@@ -0,0 +1,201 @@
+// Capability string grammar — the shorthand humans write in manifests.
+//
+// Format:   <kind>:<actions>:<scope>[?refinement=value&...]
+// Examples:
+//   fs:read,write:/workspace/**
+//   fs:read:/usr/share/zoneinfo
+//   net:connect:api.github.com:443
+//   net:connect:*                        (any host, any port; implicit blockPrivate=true)
+//   exec:spawn:git
+//   env:inject:GITHUB_PAT
+//   ipc:connect:x11
+//   clock:tzdata
+//   assert:postgres.read_only_txn:"all queries run in READ ONLY TRANSACTION"
+//
+// The grammar is deliberately small. Anything that cannot be expressed here
+// (e.g. seccomp syscall filters) is an adapter concern, not a capability.
+import { CompilationError, } from './ir.js';
+/**
+ * Grammar version. Bumped whenever the capability string syntax, refinement
+ * keys, or IR shape changes in a non-backwards-compatible way. Manifests MAY
+ * declare `"grammar": "0.0"` to pin; the compiler rejects mismatches.
+ *
+ * Semver: MAJOR.MINOR, no patch. MINOR bumps are additive (new kind, new
+ * refinement). MAJOR bumps remove or redefine existing syntax.
+ */
+export const GRAMMAR_VERSION = '0.0';
+const FS_ACTIONS = new Set(['read', 'write', 'create', 'delete']);
+const NET_ACTIONS = new Set(['connect']);
+const EXEC_ACTIONS = new Set(['spawn']);
+const ENV_ACTIONS = new Set(['read', 'inject']);
+const IPC_ACTIONS = new Set(['connect']);
+const GLOB_CHARS = /[*?[\]]/;
+const RFC1918_OR_LOOPBACK = /^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|::1$|localhost$)/i;
+export function parseCapability(raw) {
+    const [body, refinementStr] = splitRefinements(raw);
+    const parts = splitTop(body, ':');
+    if (parts.length < 2) {
+        throw new CompilationError('CAP_MALFORMED', `expected at least <kind>:<scope>, got "${raw}"`);
+    }
+    const kind = parts[0];
+    const refinements = parseRefinements(refinementStr);
+    switch (kind) {
+        case 'fs': return { capability: parseFs(parts, refinements, raw) };
+        case 'net': return { capability: parseNet(parts, refinements, raw) };
+        case 'exec': return { capability: parseExec(parts, refinements, raw) };
+        case 'env': return { capability: parseEnv(parts, refinements, raw) };
+        case 'ipc': return { capability: parseIpc(parts, refinements, raw) };
+        case 'clock': return { capability: parseClock(parts, refinements, raw) };
+        case 'assert': return { capability: parseAssert(parts, refinements, raw) };
+        default:
+            throw new CompilationError('CAP_UNKNOWN_KIND', `unknown capability kind "${kind}"`, { raw });
+    }
+}
+// ---------------------------------------------------------------------------
+// Per-kind parsers
+// ---------------------------------------------------------------------------
+function parseFs(parts, refinements, raw) {
+    if (parts.length !== 3) {
+        throw new CompilationError('CAP_FS_SHAPE', `fs needs <actions>:<path>, got "${raw}"`);
+    }
+    const actions = parseActions(parts[1], FS_ACTIONS, 'fs', raw);
+    const path = parts[2];
+    if (!path.startsWith('/')) {
+        throw new CompilationError('CAP_FS_RELATIVE', `fs path must be absolute: "${path}"`);
+    }
+    return {
+        kind: 'fs',
+        actions,
+        scope: { path, isGlob: GLOB_CHARS.test(path) },
+        refinements,
+    };
+}
+function parseNet(parts, refinements, raw) {
+    // net:connect:host  OR  net:connect:host:port
+    if (parts.length < 3 || parts.length > 4) {
+        throw new CompilationError('CAP_NET_SHAPE', `net needs <actions>:<host>[:<port>], got "${raw}"`);
+    }
+    const actions = parseActions(parts[1], NET_ACTIONS, 'net', raw);
+    const host = parts[2];
+    const port = parts.length === 4 ? parseInt(parts[3], 10) : null;
+    if (port !== null && (Number.isNaN(port) || port < 1 || port > 65535)) {
+        throw new CompilationError('CAP_NET_PORT', `net port out of range: "${parts[3]}"`);
+    }
+    const blockPrivate = host === '*' ? true : !RFC1918_OR_LOOPBACK.test(host);
+    return {
+        kind: 'net',
+        actions,
+        scope: { host, port, blockPrivate },
+        refinements,
+    };
+}
+function parseExec(parts, refinements, raw) {
+    if (parts.length !== 3) {
+        throw new CompilationError('CAP_EXEC_SHAPE', `exec needs <actions>:<binary>, got "${raw}"`);
+    }
+    const actions = parseActions(parts[1], EXEC_ACTIONS, 'exec', raw);
+    const binary = parts[2];
+    if (binary.includes('/')) {
+        throw new CompilationError('CAP_EXEC_PATH', `exec binary is a basename only: "${binary}"`);
+    }
+    return { kind: 'exec', actions, scope: { binary }, refinements };
+}
+function parseEnv(parts, refinements, raw) {
+    if (parts.length !== 3) {
+        throw new CompilationError('CAP_ENV_SHAPE', `env needs <actions>:<name>, got "${raw}"`);
+    }
+    const actions = parseActions(parts[1], ENV_ACTIONS, 'env', raw);
+    const name = parts[2];
+    if (!/^[A-Z_][A-Z0-9_]*$/.test(name)) {
+        throw new CompilationError('CAP_ENV_NAME', `env var name must be UPPER_SNAKE: "${name}"`);
+    }
+    return { kind: 'env', actions, scope: { name }, refinements };
+}
+function parseIpc(parts, refinements, raw) {
+    if (parts.length !== 3) {
+        throw new CompilationError('CAP_IPC_SHAPE', `ipc needs <actions>:<endpoint>, got "${raw}"`);
+    }
+    const actions = parseActions(parts[1], IPC_ACTIONS, 'ipc', raw);
+    return { kind: 'ipc', actions, scope: { endpoint: parts[2] }, refinements };
+}
+function parseClock(parts, refinements, raw) {
+    if (parts.length !== 2) {
+        throw new CompilationError('CAP_CLOCK_SHAPE', `clock needs <source>, got "${raw}"`);
+    }
+    const source = parts[1];
+    if (source !== 'system' && source !== 'tzdata') {
+        throw new CompilationError('CAP_CLOCK_SOURCE', `clock source must be system|tzdata: "${source}"`);
+    }
+    return { kind: 'clock', actions: [], scope: { source }, refinements };
+}
+function parseAssert(parts, refinements, raw) {
+    if (parts.length < 2) {
+        throw new CompilationError('CAP_ASSERT_SHAPE', `assert needs <id>[:<description>], got "${raw}"`);
+    }
+    const id = parts[1];
+    const description = parts.slice(2).join(':') || id;
+    return { kind: 'assert', actions: [], scope: { id, description }, refinements };
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function parseActions(raw, allowed, kind, full) {
+    if (!raw)
+        throw new CompilationError('CAP_ACTIONS_EMPTY', `${kind} requires actions in "${full}"`);
+    const parts = raw.split(',').map((a) => a.trim());
+    const out = [];
+    for (const a of parts) {
+        if (!allowed.has(a)) {
+            throw new CompilationError('CAP_ACTION_UNKNOWN', `${kind} action "${a}" not allowed`, {
+                allowed: [...allowed],
+            });
+        }
+        if (!out.includes(a))
+            out.push(a);
+    }
+    return out;
+}
+function splitRefinements(raw) {
+    const q = raw.indexOf('?');
+    if (q === -1)
+        return [raw, undefined];
+    return [raw.slice(0, q), raw.slice(q + 1)];
+}
+function parseRefinements(raw) {
+    if (!raw)
+        return undefined;
+    const out = {};
+    for (const pair of raw.split('&')) {
+        const [k, v] = pair.split('=');
+        if (k === 'nestedSandbox') {
+            out.nestedSandbox = v === 'true' || v === '1';
+        }
+        else {
+            (out.adapter ??= {})[k] = v ?? true;
+        }
+    }
+    return out;
+}
+// splitTop is a colon-splitter that respects quoted segments so that
+// assert:id:"text with : inside" parses correctly.
+function splitTop(raw, sep) {
+    const out = [];
+    let cur = '';
+    let inQuote = false;
+    for (let i = 0; i < raw.length; i++) {
+        const ch = raw[i];
+        if (ch === '"') {
+            inQuote = !inQuote;
+            continue;
+        }
+        if (ch === sep && !inQuote) {
+            out.push(cur);
+            cur = '';
+            continue;
+        }
+        cur += ch;
+    }
+    out.push(cur);
+    return out;
+}
+//# sourceMappingURL=grammar.js.map

package/dist/policy/grammar.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"grammar.js","sourceRoot":"","sources":["../../src/policy/grammar.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,EAAE;AACF,4DAA4D;AAC5D,YAAY;AACZ,gCAAgC;AAChC,gCAAgC;AAChC,mCAAmC;AACnC,0FAA0F;AAC1F,mBAAmB;AACnB,0BAA0B;AAC1B,oBAAoB;AACpB,iBAAiB;AACjB,6EAA6E;AAC7E,EAAE;AACF,4EAA4E;AAC5E,0EAA0E;AAE1E,OAAO,EAEL,gBAAgB,GAOjB,MAAM,SAAS,CAAC;AAEjB;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,CAAC;AAErC,MAAM,UAAU,GAA0B,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;AACzF,MAAM,WAAW,GAA2B,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;AACjE,MAAM,YAAY,GAA4B,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;AACjE,MAAM,WAAW,GAA2B,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;AACxE,MAAM,WAAW,GAA2B,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;AAEjE,MAAM,UAAU,GAAG,SAAS,CAAC;AAC7B,MAAM,mBAAmB,GACvB,qEAAqE,CAAC;AAMxE,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,MAAM,CAAC,IAAI,EAAE,aAAa,CAAC,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACpD,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAClC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,gBAAgB,CAAC,eAAe,EAAE,0CAA0C,GAAG,GAAG,CAAC,CAAC;IAChG,CAAC;IAED,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACtB,MAAM,WAAW,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;IAEpD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,IAAI,CAAC,CAAK,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;QACvE,KAAK,KAAK,CAAC,CAAI,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;QACxE,KAAK,MAAM,CAAC,CAAG,OAAO,EAAE,UAAU,EAAE,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;QACzE,KAAK,KAAK,CAAC,CAAI,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;QACxE,KAAK,KAAK,CAAC,CAAI,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;QACxE,KAAK,OAAO,CAAC,CAAE,OAAO,EAAE,UAAU,EAAE,UAAU,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;QAC1E,KAAK,QAAQ,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,CAAC;QAC3E;YACE,MAAM,IAAI,gBAAgB,CAAC,kBAAkB,EAAE,4BAA4B,IAAI,GAAG,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;IACjG,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,SAAS,OAAO,CAAC,KAAe,EAAE,WAAoC,EAAE,GAAW;IACjF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,gBAAgB,CAAC,cAAc,EAAE,mCAAmC,GAAG,GAAG,CAAC,CAAC;IACxF,CAAC;IACD,MAAM,OAAO,GAAG,YAAY,CAAW,KAAK,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IACxE,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACtB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,gBAAgB,CAAC,iBAAiB,EAAE,8BAA8B,IAAI,GAAG,CAAC,CAAC;IACvF,CAAC;IACD,OAAO;QACL,IAAI,EAAE,IAAI;QACV,OAAO;QACP,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QAC9C,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,KAAe,EAAE,WAAoC,EAAE,GAAW;IAClF,8CAA8C;IAC9C,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,gBAAgB,CAAC,eAAe,EAAE,6CAA6C,GAAG,GAAG,CAAC,CAAC;IACnG,CAAC;IACD,MAAM,OAAO,GAAG,YAAY,CAAY,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;IAC3E,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACtB,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,IAAI,IAAI,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,gBAAgB,CAAC,cAAc,EAAE,2BAA2B,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACrF,CAAC;IACD,MAAM,YAAY,GAChB,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxD,OAAO;QACL,IAAI,EAAE,KAAK;QACX,OAAO;QACP,KAAK,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE;QACnC,WAAW;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,KAAe,EAAE,WAAoC,EAAE,GAAW;IACnF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,gBAAgB,CAAC,gBAAgB,EAAE,uCAAuC,GAAG,GAAG,CAAC,CAAC;IAC9F,CAAC;IACD,MAAM,OAAO,GAAG,YAAY,CAAa,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;IAC9E,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACxB,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,gBAAgB,CAAC,eAAe,EAAE,oCAAoC,MAAM,GAAG,CAAC,CAAC;IAC7F,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,WAAW,EAAE,CAAC;AACnE,CAAC;AAED,SAAS,QAAQ,CAAC,KAAe,EAAE,WAAoC,EAAE,GAAW;IAClF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,gBAAgB,CAAC,eAAe,EAAE,oCAAoC,GAAG,GAAG,CAAC,CAAC;IAC1F,CAAC;IACD,MAAM,OAAO,GAAG,YAAY,CAAY,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;IAC3E,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACtB,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,gBAAgB,CAAC,cAAc,EAAE,sCAAsC,IAAI,GAAG,CAAC,CAAC;IAC5F,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,WAAW,EAAE,CAAC;AAChE,CAAC;AAED,SAAS,QAAQ,CAAC,KAAe,EAAE,WAAoC,EAAE,GAAW;IAClF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,gBAAgB,CAAC,eAAe,EAAE,wCAAwC,GAAG,GAAG,CAAC,CAAC;IAC9F,CAAC;IACD,MAAM,OAAO,GAAG,YAAY,CAAY,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;IAC3E,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,WAAW,EAAE,CAAC;AAC9E,CAAC;AAED,SAAS,UAAU,CAAC,KAAe,EAAE,WAAoC,EAAE,GAAW;IACpF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,gBAAgB,CAAC,iBAAiB,EAAE,8BAA8B,GAAG,GAAG,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACxB,IAAI,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/C,MAAM,IAAI,gBAAgB,CAAC,kBAAkB,EAAE,wCAAwC,MAAM,GAAG,CAAC,CAAC;IACpG,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,WAAW,EAAE,CAAC;AACxE,CAAC;AAED,SAAS,WAAW,CAAC,KAAe,EAAE,WAAoC,EAAE,GAAW;IACrF,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,gBAAgB,CAAC,kBAAkB,EAAE,2CAA2C,GAAG,GAAG,CAAC,CAAC;IACpG,CAAC;IACD,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACpB,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IACnD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,WAAW,EAAE,CAAC;AAClF,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,YAAY,CACnB,GAAW,EACX,OAAuB,EACvB,IAAY,EACZ,IAAY;IAEZ,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,gBAAgB,CAAC,mBAAmB,EAAE,GAAG,IAAI,yBAAyB,IAAI,GAAG,CAAC,CAAC;IACnG,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAClD,MAAM,GAAG,GAAQ,EAAE,CAAC;IACpB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAM,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,gBAAgB,CAAC,oBAAoB,EAAE,GAAG,IAAI,YAAY,CAAC,eAAe,EAAE;gBACpF,OAAO,EAAE,CAAC,GAAG,OAAO,CAAC;aACtB,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAM,CAAC;YAAE,GAAG,CAAC,IAAI,CAAC,CAAM,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW;IACnC,MAAM,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,CAAC;QAAE,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAuB;IAC/C,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,MAAM,GAAG,GAAgB,EAAE,CAAC;IAC5B,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,CAAC,KAAK,eAAe,EAAE,CAAC;YAC1B,GAAG,CAAC,aAAa,GAAG,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,GAAG,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,CAAC,GAAG,CAAC,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;QACtC,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,qEAAqE;AACrE,mDAAmD;AACnD,SAAS,QAAQ,CAAC,GAAW,EAAE,GAAW;IACxC,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;QAClB,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YAAC,OAAO,GAAG,CAAC,OAAO,CAAC;YAAC,SAAS;QAAC,CAAC;QACjD,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAAC,GAAG,GAAG,EAAE,CAAC;YAAC,SAAS;QAAC,CAAC;QAClE,GAAG,IAAI,EAAE,CAAC;IACZ,CAAC;IACD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACd,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/policy/index.d.ts

@@ -0,0 +1,9 @@
+export type { Capability, CapabilityKind, FsAction, NetAction, ExecAction, EnvAction, IpcAction, FsScope, NetScope, ExecScope, EnvScope, IpcScope, ClockScope, AssertScope, Refinements, ToolManifest, ServerManifest, NormalizedPolicy, } from './ir.js';
+export { CompilationError, isEnforceable } from './ir.js';
+export { parseCapability, GRAMMAR_VERSION } from './grammar.js';
+export type { ParseResult } from './grammar.js';
+export { compile, parseManifest, normalize } from './compiler.js';
+export type { RawServerManifest, RawToolManifest } from './compiler.js';
+export { lowerToBwrap } from './adapters/bwrap.js';
+export type { BwrapArtifact, BwrapOptions, EgressRule } from './adapters/bwrap.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/policy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAGA,YAAY,EACV,UAAU,EACV,cAAc,EACd,QAAQ,EACR,SAAS,EACT,UAAU,EACV,SAAS,EACT,SAAS,EACT,OAAO,EACP,QAAQ,EACR,SAAS,EACT,QAAQ,EACR,QAAQ,EACR,UAAU,EACV,WAAW,EACX,WAAW,EACX,YAAY,EACZ,cAAc,EACd,gBAAgB,GACjB,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE1D,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAChE,YAAY,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAEhD,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAClE,YAAY,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAExE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/policy/index.js

@@ -0,0 +1,7 @@
+// Public surface of the policy compiler. Re-exported from the root "capgate"
+// entry point in src/index.ts.
+export { CompilationError, isEnforceable } from './ir.js';
+export { parseCapability, GRAMMAR_VERSION } from './grammar.js';
+export { compile, parseManifest, normalize } from './compiler.js';
+export { lowerToBwrap } from './adapters/bwrap.js';
+//# sourceMappingURL=index.js.map

package/dist/policy/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/policy/index.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAC7E,+BAA+B;AAsB/B,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE1D,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAGhE,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAGlE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/policy/ir.d.ts

@@ -0,0 +1,147 @@
+export type CapabilityKind = 'fs' | 'net' | 'exec' | 'env' | 'ipc' | 'clock' | 'assert';
+export type FsAction = 'read' | 'write' | 'create' | 'delete';
+export type NetAction = 'connect';
+export type ExecAction = 'spawn';
+export type EnvAction = 'read' | 'inject';
+export type IpcAction = 'connect';
+export interface FsScope {
+    /** Absolute path or glob. Relative paths are rejected at parse time. */
+    path: string;
+    /** True if `path` is a glob (contains *, **, ?, [). Derived, not input. */
+    isGlob: boolean;
+}
+export interface NetScope {
+    /** Hostname, IP, or wildcard ("*"). RFC1918 blocks are a separate flag. */
+    host: string;
+    /** TCP/UDP port. null = any port. */
+    port: number | null;
+    /** If true, RFC1918 + loopback destinations must be rejected by the proxy. */
+    blockPrivate: boolean;
+}
+export interface ExecScope {
+    /** Binary name resolved against PATH at compile time (e.g. "git", "chromium"). */
+    binary: string;
+}
+export interface EnvScope {
+    /** Variable name. Values are never embedded in the IR — handled by secret layer. */
+    name: string;
+}
+export interface IpcScope {
+    /** "unix:/path", "x11", "dbus:session", "dbus:system". */
+    endpoint: string;
+}
+export interface ClockScope {
+    /** "system" = wall clock only; "tzdata" = also needs /usr/share/zoneinfo. */
+    source: 'system' | 'tzdata';
+}
+export interface AssertScope {
+    /** Machine-readable assertion id, e.g. "postgres.read_only_txn". */
+    id: string;
+    /** Human explanation for audit logs and policy reviewers. */
+    description: string;
+}
+export type Capability = {
+    kind: 'fs';
+    actions: FsAction[];
+    scope: FsScope;
+    refinements?: Refinements;
+} | {
+    kind: 'net';
+    actions: NetAction[];
+    scope: NetScope;
+    refinements?: Refinements;
+} | {
+    kind: 'exec';
+    actions: ExecAction[];
+    scope: ExecScope;
+    refinements?: Refinements;
+} | {
+    kind: 'env';
+    actions: EnvAction[];
+    scope: EnvScope;
+    refinements?: Refinements;
+} | {
+    kind: 'ipc';
+    actions: IpcAction[];
+    scope: IpcScope;
+    refinements?: Refinements;
+} | {
+    kind: 'clock';
+    actions: [];
+    scope: ClockScope;
+    refinements?: Refinements;
+} | {
+    kind: 'assert';
+    actions: [];
+    scope: AssertScope;
+    refinements?: Refinements;
+};
+export interface Refinements {
+    /** Tool carries its own sandbox that conflicts with namespace isolation (e.g. Chromium). */
+    nestedSandbox?: boolean;
+    /** Adapter-specific free-form. Compiler passes through; adapters may read. */
+    adapter?: Record<string, unknown>;
+}
+export declare function isEnforceable(cap: Capability): boolean;
+export interface ToolManifest {
+    /** MCP tool name. Unique within a server. */
+    name: string;
+    /** MCP-declared description. Informational only; not used for enforcement. */
+    description?: string;
+    /** JSON Schema for tool input. Used for input validation, not policy. */
+    inputSchema?: Record<string, unknown>;
+    /** Declared capabilities. Empty array = pure function, no side effects. */
+    capabilities: Capability[];
+}
+export interface ServerManifest {
+    /** Server identifier, e.g. "@modelcontextprotocol/server-filesystem". */
+    name: string;
+    version: string;
+    /** Capabilities that apply to every tool (e.g. "read tzdata" for time server). */
+    serverCapabilities?: Capability[];
+    tools: ToolManifest[];
+}
+export interface NormalizedPolicy {
+    /** Server identity — carried through for logging and provenance. */
+    server: {
+        name: string;
+        version: string;
+    };
+    /** Deduped, merged fs roots. Write implies read. */
+    fs: {
+        path: string;
+        actions: FsAction[];
+        isGlob: boolean;
+    }[];
+    /** Deduped net endpoints. blockPrivate is OR-ed across merges. */
+    net: {
+        host: string;
+        port: number | null;
+        blockPrivate: boolean;
+    }[];
+    /** Binaries the sandbox must keep executable. */
+    exec: {
+        binary: string;
+    }[];
+    /** Env vars to inject (values resolved out-of-band from a secret store). */
+    env: {
+        name: string;
+        action: EnvAction;
+    }[];
+    /** IPC endpoints to expose. */
+    ipc: {
+        endpoint: string;
+    }[];
+    /** Clock access profile. "none" if no clock capability declared. */
+    clock: 'none' | 'system' | 'tzdata';
+    /** Declared assertions. Adapter emits them as metadata, not as enforcement. */
+    assertions: AssertScope[];
+    /** True if any capability requested a nested sandbox. Adapters MUST react. */
+    nestedSandbox: boolean;
+}
+export declare class CompilationError extends Error {
+    code: string;
+    context?: Record<string, unknown> | undefined;
+    constructor(code: string, message: string, context?: Record<string, unknown> | undefined);
+}
+//# sourceMappingURL=ir.d.ts.map