captain-tool 0.0.39 → 0.0.41

package/README.md

@@ -89,6 +89,18 @@ claude mcp add captain -- cmd /c captain-tool
 
 > Registers under the short name `captain` (tool prefix `mcp__captain__`). If you previously added it as `captain-tool`, run `claude mcp remove captain-tool` to avoid a duplicate registration.
 
+**Auto-approve captain tools (recommended).** Registration alone does not grant permissions — Claude Code will prompt "Allow captain to …?" on every tool call. The setup wizard (`npx captain-tool setup`) offers to fix this for you; to do it by hand, add one allow rule to `~/.claude/settings.json`:
+
+```json
+{
+  "permissions": {
+    "allow": ["mcp__captain"]
+  }
+}
+```
+
+`mcp__captain` (no tool suffix) approves every tool from this server. Your own `deny` and `ask` rules always take precedence over this allow rule. Note the rule prefix is the *registration key*: if you registered under a different name, the rule must match it. Old `mcp__captain-tool__*` rules from before the rename match nothing — the wizard sweeps them out of `~/.claude/settings.json`; per-project `.claude/settings.local.json` files can hold more, so clean those by hand if Claude Code still prompts. For scripted installs, `npx captain-tool setup --yes` configures all clients and enables auto-approval without prompting.
+
 ### VS Code + Copilot
 
 [![Install in VS Code](https://img.shields.io/badge/VS_Code-Install_MCP_Server-0098FF?logo=visualstudiocode)](vscode:mcp/install?%7B%22name%22%3A%22captain%22%2C%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22captain-tool%22%5D%2C%22env%22%3A%7B%22CAPTAIN_API_URL%22%3A%22https%3A%2F%2Fapp.getcaptain.dev%2F%22%7D%7D)

package/bin/captain-tool

@@ -63,30 +63,37 @@ function findBinary() {
 
 // ── Entry point ──────────────────────────────────────────────────────────────
 
-// If the first real argument is 'setup', hand off to the interactive setup CLI.
-// We use require() so it runs in the same process (no extra spawn needed).
+// If the first real argument is 'setup', hand off to the interactive setup CLI
+// in this same process. We must CALL the exported main() — the setup script
+// gates its wizard on `require.main === module` (so tests can require its
+// helpers without launching prompts), which means a bare require() runs
+// nothing. An earlier version did exactly that and then exit(0)'d, making
+// `captain-tool setup` a silent no-op. main() is async and owns its own exit
+// codes; on success the process exits naturally when the wizard finishes, so
+// there must be no process.exit() after this call — it would kill main() at
+// its first await.
 if (process.argv[2] === 'setup') {
-  require('./captain-tool-setup');
-  // captain-tool-setup manages its own process.exit(), but we add an explicit
-  // one here as a safety net in case it returns normally.
-  process.exit(0);
-}
-
-const binary = findBinary();
+  require('./captain-tool-setup').main().catch((err) => {
+    console.error('Unexpected error:', err);
+    process.exit(1);
+  });
+} else {
+  const binary = findBinary();
 
-if (!binary) {
-  process.stderr.write(
-    'captain-tool: no pre-built binary found for this platform.\n' +
-    'If you are on an unsupported platform, please open an issue at:\n' +
-    '  https://github.com/your-org/captain-tool/issues\n'
-  );
-  process.exit(1);
-}
+  if (!binary) {
+    process.stderr.write(
+      'captain-tool: no pre-built binary found for this platform.\n' +
+      'If you are on an unsupported platform, please open an issue at:\n' +
+      '  https://github.com/your-org/captain-tool/issues\n'
+    );
+    process.exit(1);
+  }
 
-// Spawn the Rust binary, forwarding all arguments after the node script name.
-// stdio: 'inherit' is non-negotiable — see the module-level comment above.
-const result = spawnSync(binary, process.argv.slice(2), { stdio: 'inherit' });
+  // Spawn the Rust binary, forwarding all arguments after the node script name.
+  // stdio: 'inherit' is non-negotiable — see the module-level comment above.
+  const result = spawnSync(binary, process.argv.slice(2), { stdio: 'inherit' });
 
-// spawnSync returns null for status if the process was killed by a signal.
-// We default to exit code 1 in that case so the MCP host sees a failure.
-process.exit(result.status ?? 1);
+  // spawnSync returns null for status if the process was killed by a signal.
+  // We default to exit code 1 in that case so the MCP host sees a failure.
+  process.exit(result.status ?? 1);
+}

package/bin/captain-tool-setup

@@ -39,6 +39,21 @@ const SERVER_NAME = 'captain';
 // is left alone.
 const LEGACY_NAMES = ['captain-tool'];
 
+// Claude Code permission rule that auto-approves every captain tool call.
+// Registering an MCP server does NOT grant it permissions — without an allow
+// rule Claude Code prompts on every single tool call, which makes captain
+// unusable as a background workflow tool. `mcp__<server>` (no tool suffix) is
+// the documented "all tools from this server" form. Derived from SERVER_NAME
+// because the rule prefix IS the registration key — a future rename must not
+// be able to update one without the other.
+const PERMISSION_RULE = `mcp__${SERVER_NAME}`;
+
+// Permission-rule prefixes for every name this server was registered under
+// previously (same derivation, one per LEGACY_NAMES entry). After a rename
+// the old rules match nothing — they silently re-enable per-call prompting
+// while still looking like a working allowlist — so the wizard sweeps them.
+const LEGACY_PERMISSION_PREFIXES = LEGACY_NAMES.map((name) => `mcp__${name}`);
+
 // ── Binary resolution (same logic as the runner) ─────────────────────────────
 
 const PLATFORMS = [
@@ -109,6 +124,10 @@ const CLIENTS = [
     // ~/.claude.json is special: it has many top-level keys (auth state, prefs, etc.)
     // We only touch the mcpServers key and leave everything else alone.
     rootKey: 'mcpServers',
+    // Claude Code is the only client whose permission system we can configure
+    // from a file (~/.claude/settings.json). Other clients use in-app
+    // "always allow" buttons, so they get no permissions step.
+    permissionsPath: () => expandPath('~/.claude/settings.json'),
   },
   {
     name: 'VS Code + Copilot',
@@ -312,6 +331,101 @@ function removeLegacyEverywhere(config) {
   }
 }
 
+// ── Claude Code permission allowlist ──────────────────────────────────────────
+
+/**
+ * Mutate a parsed ~/.claude/settings.json object so captain tools are
+ * auto-approved. Two independent changes, each gated by its own option:
+ *
+ *   1. sweepLegacy — drop allow rules for legacy server names
+ *      (`mcp__captain-tool` and `mcp__captain-tool__<tool>`). The rule prefix
+ *      is the registration key, so after the rename these match nothing —
+ *      keeping them around just hides the fact that nothing is allowlisted
+ *      anymore. Removing them never narrows what's allowed, which is why the
+ *      caller runs the sweep even when the user declines auto-approval.
+ *   2. addAllowRule — add the server-wide `mcp__captain` rule unless an
+ *      equivalent is already present. This one widens permissions, so it is
+ *      consent-gated.
+ *
+ * Only `permissions.allow` is touched; deny/ask rules and every other settings
+ * key are preserved verbatim (a user deny or ask rule outranks our allow rule
+ * anyway, so we must not edit those). Returns { added, removed } so the caller
+ * can tell the user exactly what changed.
+ */
+function applyPermissionRule(settings, { addAllowRule = true, sweepLegacy = true } = {}) {
+  if (!settings.permissions || typeof settings.permissions !== 'object') {
+    settings.permissions = {};
+  }
+  if (!Array.isArray(settings.permissions.allow)) {
+    settings.permissions.allow = [];
+  }
+
+  let removed = 0;
+  if (sweepLegacy) {
+    const isLegacy = (rule) =>
+      typeof rule === 'string' &&
+      LEGACY_PERMISSION_PREFIXES.some((p) => rule === p || rule.startsWith(`${p}__`));
+    // Single pass: keep the survivors, derive the count from the length delta,
+    // and reassign immediately so no later code can touch the stale array.
+    const kept = settings.permissions.allow.filter((rule) => !isLegacy(rule));
+    removed = settings.permissions.allow.length - kept.length;
+    settings.permissions.allow = kept;
+  }
+
+  let added = false;
+  if (addAllowRule) {
+    // `mcp__captain` and `mcp__captain__*` are equivalent server-wide rules;
+    // don't stack a duplicate if either form is already there.
+    const covered = settings.permissions.allow.some(
+      (rule) => rule === PERMISSION_RULE || rule === `${PERMISSION_RULE}__*`
+    );
+    if (!covered) {
+      settings.permissions.allow.push(PERMISSION_RULE);
+      added = true;
+    }
+  }
+  return { added, removed };
+}
+
+/**
+ * Read ~/.claude/settings.json (or start fresh), apply the allow rule /
+ * legacy sweep, and write back atomically. Same read-merge-write discipline
+ * as the MCP config writer: every key we don't own is left untouched — and
+ * when nothing changed we skip the write entirely, so a re-run never
+ * reformats the user's file or churns its mtime for a no-op.
+ */
+function configurePermissions(permissionsPath, opts) {
+  const settings = readJsonConfig(permissionsPath);
+  const result = applyPermissionRule(settings, opts);
+  if (result.added || result.removed > 0) {
+    atomicWriteJson(permissionsPath, settings);
+  }
+  return result;
+}
+
+/**
+ * True if the agent config registers a server under a legacy name that is NOT
+ * our binary. entryIsOurs promises such a server "is left alone" — that must
+ * extend to its permission rules: `mcp__captain-tool__*` rules are only stale
+ * if `captain-tool` was OUR dead registration, not someone else's live server.
+ * Checks every scope removeLegacyEverywhere does (top-level + per-project).
+ */
+function hasUnrelatedLegacyServer(config) {
+  const maps = [config.mcpServers, config.servers];
+  if (config.projects && typeof config.projects === 'object') {
+    for (const proj of Object.values(config.projects)) {
+      if (proj && typeof proj === 'object') {
+        maps.push(proj.mcpServers, proj.servers);
+      }
+    }
+  }
+  return maps.some(
+    (m) =>
+      m && typeof m === 'object' &&
+      LEGACY_NAMES.some((name) => m[name] && !entryIsOurs(m[name]))
+  );
+}
+
 // ── Per-client config writer ──────────────────────────────────────────────────
 
 /**
@@ -351,16 +465,36 @@ function configureClient(client, binaryPath) {
 // ── Interactive prompt helpers ────────────────────────────────────────────────
 
 /**
- * Read a single line from stdin. Returns a Promise<string>.
+ * Read a single line from stdin. Returns a Promise<string|null>.
  * We keep our own readline interface and close it when done to avoid holding
  * the event loop open after the prompts finish.
+ *
+ * Resolves null on EOF. WHY: when piped stdin runs out, readline emits
+ * 'close' and the question callback simply never fires — the awaited promise
+ * would stay pending forever, the event loop would drain, and node would exit
+ * 0 having configured nothing. Resolving null lets callers abort loudly
+ * instead of vanishing with a success exit code.
  */
 function prompt(rl, question) {
   return new Promise((resolve) => {
-    rl.question(question, (answer) => resolve(answer.trim()));
+    const onClose = () => resolve(null);
+    rl.once('close', onClose);
+    rl.question(question, (answer) => {
+      rl.removeListener('close', onClose);
+      resolve(answer.trim());
+    });
   });
 }
 
+/**
+ * Bail out when stdin hits EOF mid-wizard. Exiting non-zero matters: a
+ * calling script must not believe setup succeeded when nothing was written.
+ */
+function abortNoInput() {
+  console.error('\nNo input (stdin closed) — aborting without changes. Use --yes for non-interactive setup.');
+  process.exit(1);
+}
+
 // ── Main ──────────────────────────────────────────────────────────────────────
 
 async function main() {
@@ -388,57 +522,93 @@ async function main() {
   }
   console.log('');
 
-  // Present the client menu.
-  console.log('Select which agent(s) to configure:');
-  console.log('  0. All of the above');
-  CLIENTS.forEach((client, i) => {
-    console.log(`  ${i + 1}. ${client.name}`);
-  });
-  console.log('');
-
-  const rl = readline.createInterface({
-    input:  process.stdin,
-    output: process.stdout,
-  });
+  // Non-interactive paths first. `--yes`/`-y` configures every client and
+  // enables auto-approval without prompting (for scripts/CI). Without the
+  // flag, a non-interactive stdin must be rejected up front — see prompt()
+  // for why EOF mid-question would otherwise end as a silent exit 0.
+  const assumeYes = process.argv.includes('--yes') || process.argv.includes('-y');
 
   let selected;
-  while (true) {
-    const answer = await prompt(
-      rl,
-      `Enter number(s) separated by commas (e.g. "1,3") or 0 for all: `
-    );
+  let wantPermissions = false;
+  if (assumeYes) {
+    selected = CLIENTS.map((_, i) => i);
+    wantPermissions = true;
+    console.log('--yes: configuring all clients and enabling auto-approval.');
+    console.log('');
+  } else if (!process.stdin.isTTY) {
+    console.error('stdin is not interactive. Re-run with --yes to configure all clients without prompts.');
+    process.exit(1);
+  } else {
+    // Present the client menu.
+    console.log('Select which agent(s) to configure:');
+    console.log('  0. All of the above');
+    CLIENTS.forEach((client, i) => {
+      console.log(`  ${i + 1}. ${client.name}`);
+    });
+    console.log('');
+
+    const rl = readline.createInterface({
+      input:  process.stdin,
+      output: process.stdout,
+    });
+
+    while (true) {
+      const answer = await prompt(
+        rl,
+        `Enter number(s) separated by commas (e.g. "1,3") or 0 for all: `
+      );
+      if (answer === null) abortNoInput();
+
+      // Parse the answer into a list of client indices (0-based into CLIENTS).
+      if (answer === '0') {
+        selected = CLIENTS.map((_, i) => i);
+        break;
+      }
+
+      const indices = answer
+        .split(',')
+        .map((s) => parseInt(s.trim(), 10) - 1) // convert 1-based menu to 0-based
+        .filter((n) => Number.isInteger(n) && n >= 0 && n < CLIENTS.length);
 
-    // Parse the answer into a list of client indices (0-based into CLIENTS).
-    if (answer === '0') {
-      selected = CLIENTS.map((_, i) => i);
+      if (indices.length === 0) {
+        console.log(`Please enter a number between 0 and ${CLIENTS.length}.`);
+        continue;
+      }
+
+      selected = indices;
       break;
     }
 
-    const indices = answer
-      .split(',')
-      .map((s) => parseInt(s.trim(), 10) - 1) // convert 1-based menu to 0-based
-      .filter((n) => Number.isInteger(n) && n >= 0 && n < CLIENTS.length);
-
-    if (indices.length === 0) {
-      console.log(`Please enter a number between 0 and ${CLIENTS.length}.`);
-      continue;
+    // If Claude Code is among the selections, offer to auto-approve captain's
+    // tools. Registration alone still leaves Claude Code prompting "Allow
+    // captain to ...?" on every call; one allow rule makes it seamless. The
+    // user already opted into installing this server, so default to yes — but
+    // do ask, because the rule widens what an agent may run without prompting
+    // in every project on this machine.
+    const permClient = selected.map((idx) => CLIENTS[idx]).find((c) => c.permissionsPath);
+    if (permClient) {
+      const answer = await prompt(
+        rl,
+        `Auto-approve captain tools in Claude Code? Adds "${PERMISSION_RULE}" to\n` +
+        `permissions.allow in ${permClient.permissionsPath()} so tool calls never prompt. [Y/n]: `
+      );
+      if (answer === null) abortNoInput();
+      wantPermissions = answer === '' || /^y(es)?$/i.test(answer);
     }
 
-    selected = indices;
-    break;
+    rl.close();
+    console.log('');
   }
 
-  rl.close();
-
-  console.log('');
-
   // Configure each selected client.
   let anyFailed = false;
+  const succeeded = new Set();
   for (const idx of selected) {
     const client = CLIENTS[idx];
     process.stdout.write(`Configuring ${client.name}... `);
     try {
       const writtenPath = configureClient(client, binaryPath);
+      succeeded.add(idx);
       console.log('done.');
       console.log(`  Written to: ${writtenPath}`);
       console.log(`  ${client.restartMsg}`);
@@ -450,6 +620,46 @@ async function main() {
     console.log('');
   }
 
+  // Permissions step — deliberately OUTSIDE the registration loop and its
+  // try/catch: a problem in ~/.claude/settings.json must not be reported as a
+  // failed registration (the MCP entry was already written above), so this
+  // step warns instead of setting anyFailed. The stale-rule sweep runs even
+  // when the user declined auto-approval: dead legacy rules match nothing, so
+  // removing them never narrows what is allowed.
+  const permIdx = selected.find((idx) => CLIENTS[idx].permissionsPath && succeeded.has(idx));
+  if (permIdx !== undefined) {
+    const client = CLIENTS[permIdx];
+    const permissionsPath = client.permissionsPath();
+    try {
+      // Honor the "an unrelated server named captain-tool is left alone"
+      // promise (see LEGACY_NAMES): if such a server is still registered, its
+      // legacy-prefixed rules are live, not stale — skip the sweep.
+      const sweepLegacy = !hasUnrelatedLegacyServer(readJsonConfig(client.configPath(binaryPath)));
+      const { added, removed } = configurePermissions(permissionsPath, {
+        addAllowRule: wantPermissions,
+        sweepLegacy,
+      });
+      if (added) {
+        console.log(`Auto-approval: added "${PERMISSION_RULE}" to ${permissionsPath}`);
+      } else if (wantPermissions) {
+        console.log(`Auto-approval: "${PERMISSION_RULE}" already allowed in ${permissionsPath}`);
+      }
+      if (removed > 0) {
+        console.log(`Removed ${removed} stale permission rule(s) for the old server name (${LEGACY_PERMISSION_PREFIXES.join(', ')}).`);
+      }
+      if (wantPermissions) {
+        console.log('Note: stale rules can also live in per-project .claude/settings.local.json files — clean those by hand if Claude Code still prompts.');
+      }
+      console.log('');
+    } catch (err) {
+      const reason = err instanceof SyntaxError
+        ? `${permissionsPath} is not valid JSON — fix it, or add "${PERMISSION_RULE}" to permissions.allow yourself`
+        : err.message;
+      console.warn(`Warning: auto-approval step skipped: ${reason}`);
+      console.log('');
+    }
+  }
+
   if (anyFailed) {
     process.exit(1);
   }
@@ -471,9 +681,17 @@ if (require.main === module) {
 module.exports = {
   SERVER_NAME,
   LEGACY_NAMES,
+  PERMISSION_RULE,
+  LEGACY_PERMISSION_PREFIXES,
   entryIsOurs,
   removeLegacyEntries,
   removeLegacyEverywhere,
   configureClient,
   resolveCommand,
+  applyPermissionRule,
+  configurePermissions,
+  hasUnrelatedLegacyServer,
+  // Exported so the npx runner (`captain-tool setup`) can launch the wizard:
+  // the require.main gate above means a bare require() runs nothing.
+  main,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "captain-tool",
-  "version": "0.0.39",
+  "version": "0.0.41",
   "description": "MCP server connecting Claude Desktop and VS Code Copilot to Captain Cloud",
   "bin": {
     "captain-tool": "bin/captain-tool",
@@ -11,10 +11,10 @@
     "test": "node test/setup.test.js"
   },
   "optionalDependencies": {
-    "@captain-tool/captain-tool-win32-x64": "0.0.39",
-    "@captain-tool/captain-tool-darwin-x64": "0.0.39",
-    "@captain-tool/captain-tool-darwin-arm64": "0.0.39",
-    "@captain-tool/captain-tool-linux-x64": "0.0.39"
+    "@captain-tool/captain-tool-win32-x64": "0.0.41",
+    "@captain-tool/captain-tool-darwin-x64": "0.0.41",
+    "@captain-tool/captain-tool-darwin-arm64": "0.0.41",
+    "@captain-tool/captain-tool-linux-x64": "0.0.41"
   },
   "files": [
     "bin/",