iosm-cli 0.2.15 → 0.2.16

package/dist/core/policy/engine.d.ts

@@ -0,0 +1,77 @@
+import type { SettingsManager } from "../settings-manager.js";
+import type { ToolPermissionRequest } from "../tools/permissions.js";
+export type PolicyEffect = "allow" | "deny" | "ask";
+export type PolicyLayer = "admin" | "user" | "workspace" | "default" | "legacy";
+export type PolicyToolSource = "builtin" | "extension" | "custom" | "mcp";
+export interface PolicyRuleV2 {
+    id: string;
+    enabled: boolean;
+    effect: PolicyEffect;
+    priority: number;
+    tools: string[];
+    toolSource?: PolicyToolSource[];
+    mcpName?: string[];
+    profiles?: string[];
+    cwdGlob?: string[];
+    argsPattern?: string;
+    checker?: string;
+    legacyRule?: string;
+}
+export interface PolicySource {
+    layer: PolicyLayer;
+    path?: string;
+    rules: PolicyRuleV2[];
+    allowedSources: string[];
+}
+export interface PolicyEvaluationContext {
+    profile?: string;
+}
+export interface PolicyDecision {
+    effect: PolicyEffect;
+    matched: boolean;
+    reason: string;
+    rule?: PolicyRuleV2;
+    layer?: PolicyLayer;
+}
+export declare class PolicyEngineV2 {
+    private readonly cwd;
+    private readonly agentDir;
+    private readonly adminPolicyPath;
+    private readonly settingsManager;
+    private sources;
+    constructor(options: {
+        cwd: string;
+        agentDir: string;
+        settingsManager: SettingsManager;
+        adminPolicyPath?: string;
+    });
+    refresh(): void;
+    getSources(): PolicySource[];
+    getAllowedSourceHosts(): string[];
+    getLegacyRules(effect: "allow" | "deny"): string[];
+    setLegacyRules(effect: "allow" | "deny", rawRules: string[]): void;
+    addLegacyRule(effect: "allow" | "deny", rawRule: string): boolean;
+    removeLegacyRule(effect: "allow" | "deny", rawRule: string): boolean;
+    evaluate(request: ToolPermissionRequest, context?: PolicyEvaluationContext): PolicyDecision;
+    private matchesRule;
+    private matchesTools;
+    private matchesArgsPattern;
+    private matchesChecker;
+    private serializeInput;
+    private readMutablePolicy;
+    private writeMutablePolicy;
+}
+export interface PermissionEvaluationResult {
+    outcome: "allow" | "deny" | "ask";
+    decision: PolicyDecision;
+    reason: string;
+}
+export declare function evaluatePermissionWithPolicy(engine: PolicyEngineV2, request: ToolPermissionRequest, context: {
+    profile?: string;
+    runtimeMode: "interactive" | "rpc";
+    permissionMode: "ask" | "auto" | "yolo";
+    strictExtensionToolEnforcement?: boolean;
+}): PermissionEvaluationResult;
+export declare function buildLegacyRulePattern(rawRule: string): string;
+export declare function legacyRuleToChecker(rawRule: string): string | undefined;
+//# sourceMappingURL=engine.d.ts.map

package/dist/core/policy/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../../src/core/policy/engine.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAErE,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,GAAG,KAAK,CAAC;AACpD,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,MAAM,GAAG,WAAW,GAAG,SAAS,GAAG,QAAQ,CAAC;AAChF,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,WAAW,GAAG,QAAQ,GAAG,KAAK,CAAC;AAE1E,MAAM,WAAW,YAAY;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,YAAY,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC5B,KAAK,EAAE,WAAW,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,YAAY,EAAE,CAAC;IACtB,cAAc,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,uBAAuB;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC9B,MAAM,EAAE,YAAY,CAAC;IACrB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,YAAY,CAAC;IACpB,KAAK,CAAC,EAAE,WAAW,CAAC;CACpB;AAoND,qBAAa,cAAc;IAC1B,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAC7B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;IACzC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkB;IAClD,OAAO,CAAC,OAAO,CAAsB;gBAEzB,OAAO,EAAE;QACpB,GAAG,EAAE,MAAM,CAAC;QACZ,QAAQ,EAAE,MAAM,CAAC;QACjB,eAAe,EAAE,eAAe,CAAC;QACjC,eAAe,CAAC,EAAE,MAAM,CAAC;KACzB;IAQD,OAAO,IAAI,IAAI;IAgBf,UAAU,IAAI,YAAY,EAAE;IAS5B,qBAAqB,IAAI,MAAM,EAAE;IAUjC,cAAc,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,EAAE;IAclD,cAAc,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI;IAqClE,aAAa,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO;IASjE,gBAAgB,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO;IAUpE,QAAQ,CAAC,OAAO,EAAE,qBAAqB,EAAE,OAAO,GAAE,uBAA4B,GAAG,cAAc;IA6C/F,OAAO,CAAC,WAAW;IA4BnB,OAAO,CAAC,YAAY;IAWpB,OAAO,CAAC,kBAAkB;IAU1B,OAAO,CAAC,cAAc;IAoCtB,OAAO,CAAC,cAAc;IAQtB,OAAO,CAAC,iBAAiB;IAqBzB,OAAO,CAAC,kBAAkB;CAQ1B;AAED,MAAM,WAAW,0BAA0B;IAC1C,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,KAAK,CAAC;IAClC,QAAQ,EAAE,cAAc,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;CACf;AAID,wBAAgB,4BAA4B,CAC3C,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,qBAAqB,EAC9B,OAAO,EAAE;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,aAAa,GAAG,KAAK,CAAC;IACnC,cAAc,EAAE,KAAK,GAAG,MAAM,GAAG,MAAM,CAAC;IACxC,8BAA8B,CAAC,EAAE,OAAO,CAAC;CACzC,GACC,0BAA0B,CA0H5B;AAED,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAO9D;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAMvE"}

package/dist/core/policy/engine.js

@@ -0,0 +1,614 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { dirname, join } from "node:path";
+import TOML from "@iarna/toml";
+import { minimatch } from "minimatch";
+import { CONFIG_DIR_NAME } from "../../config.js";
+const DEFAULT_ALLOWED_SOURCES = [
+    "registry.npmjs.org",
+    "npmjs.org",
+    "github.com",
+    "gitlab.com",
+    "bitbucket.org",
+    "api.github.com",
+    "raw.githubusercontent.com",
+];
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function normalizeStringArray(value) {
+    if (!Array.isArray(value))
+        return [];
+    return value
+        .filter((item) => typeof item === "string")
+        .map((item) => item.trim())
+        .filter((item) => item.length > 0);
+}
+function toPolicyToolSourceArray(value) {
+    const values = normalizeStringArray(value)
+        .map((item) => item.toLowerCase())
+        .filter((item) => item === "builtin" || item === "extension" || item === "custom" || item === "mcp");
+    return values.length > 0 ? values : undefined;
+}
+function asPolicyEffect(value) {
+    if (typeof value !== "string")
+        return undefined;
+    if (value === "allow" || value === "deny" || value === "ask")
+        return value;
+    return undefined;
+}
+function asFiniteNumber(value, fallback) {
+    if (typeof value !== "number" || Number.isNaN(value))
+        return fallback;
+    return value;
+}
+function normalizeRule(raw, index) {
+    if (!raw || typeof raw !== "object")
+        return undefined;
+    const obj = raw;
+    const effect = asPolicyEffect(obj.effect);
+    if (!effect)
+        return undefined;
+    const idRaw = typeof obj.id === "string" ? obj.id.trim() : "";
+    const id = idRaw.length > 0 ? idRaw : `rule-${index + 1}`;
+    const tools = normalizeStringArray(obj.tools);
+    const normalizedTools = tools.length > 0 ? tools : ["*"];
+    const enabled = typeof obj.enabled === "boolean" ? obj.enabled : true;
+    const priority = Math.trunc(asFiniteNumber(obj.priority, 0));
+    const toolSource = toPolicyToolSourceArray(obj.tool_source);
+    const mcpName = normalizeStringArray(obj.mcp_name);
+    const profiles = normalizeStringArray(obj.profiles);
+    const cwdGlob = normalizeStringArray(obj.cwd_glob);
+    const argsPattern = typeof obj.args_pattern === "string" && obj.args_pattern.trim().length > 0 ? obj.args_pattern : undefined;
+    const checker = typeof obj.checker === "string" && obj.checker.trim().length > 0 ? obj.checker : undefined;
+    const legacyRule = typeof obj.legacy_rule === "string" && obj.legacy_rule.trim().length > 0 ? obj.legacy_rule.trim() : undefined;
+    return {
+        id,
+        enabled,
+        effect,
+        priority,
+        tools: normalizedTools,
+        toolSource,
+        mcpName: mcpName.length > 0 ? mcpName : undefined,
+        profiles: profiles.length > 0 ? profiles : undefined,
+        cwdGlob: cwdGlob.length > 0 ? cwdGlob : undefined,
+        argsPattern,
+        checker,
+        legacyRule,
+    };
+}
+function toTomlRule(rule) {
+    const serialized = {
+        id: rule.id,
+        enabled: rule.enabled,
+        effect: rule.effect,
+        priority: rule.priority,
+        tools: [...rule.tools],
+    };
+    if (rule.toolSource && rule.toolSource.length > 0)
+        serialized.tool_source = [...rule.toolSource];
+    if (rule.mcpName && rule.mcpName.length > 0)
+        serialized.mcp_name = [...rule.mcpName];
+    if (rule.profiles && rule.profiles.length > 0)
+        serialized.profiles = [...rule.profiles];
+    if (rule.cwdGlob && rule.cwdGlob.length > 0)
+        serialized.cwd_glob = [...rule.cwdGlob];
+    if (rule.argsPattern)
+        serialized.args_pattern = rule.argsPattern;
+    if (rule.checker)
+        serialized.checker = rule.checker;
+    if (rule.legacyRule)
+        serialized.legacy_rule = rule.legacyRule;
+    return serialized;
+}
+function parsePolicyToml(content) {
+    const parsed = TOML.parse(content);
+    const ruleEntries = Array.isArray(parsed.rules) ? parsed.rules : [];
+    const rules = [];
+    for (let index = 0; index < ruleEntries.length; index += 1) {
+        const normalized = normalizeRule(ruleEntries[index], index);
+        if (normalized) {
+            rules.push(normalized);
+        }
+    }
+    return {
+        rules,
+        allowedSources: normalizeStringArray(parsed.allowed_sources),
+    };
+}
+function buildLegacyPolicyRules(settingsManager) {
+    const rules = [];
+    for (const [index, raw] of settingsManager.getPermissionDenyRules().entries()) {
+        const normalized = raw.trim();
+        if (!normalized)
+            continue;
+        const [toolRaw, ...rest] = normalized.split(":");
+        const tool = toolRaw.trim() || "*";
+        const needle = rest.join(":").trim();
+        rules.push({
+            id: `legacy-deny-${index + 1}`,
+            enabled: true,
+            effect: "deny",
+            priority: 1000 - index,
+            tools: [tool],
+            checker: needle ? `summary_contains:${needle}` : undefined,
+            legacyRule: `${tool}:${needle}`,
+        });
+    }
+    for (const [index, raw] of settingsManager.getPermissionAllowRules().entries()) {
+        const normalized = raw.trim();
+        if (!normalized)
+            continue;
+        const [toolRaw, ...rest] = normalized.split(":");
+        const tool = toolRaw.trim() || "*";
+        const needle = rest.join(":").trim();
+        rules.push({
+            id: `legacy-allow-${index + 1}`,
+            enabled: true,
+            effect: "allow",
+            priority: 1000 - index,
+            tools: [tool],
+            checker: needle ? `summary_contains:${needle}` : undefined,
+            legacyRule: `${tool}:${needle}`,
+        });
+    }
+    return rules;
+}
+function loadPolicyFile(path) {
+    if (!existsSync(path)) {
+        return { rules: [], allowedSources: [] };
+    }
+    const content = readFileSync(path, "utf8");
+    return parsePolicyToml(content);
+}
+function normalizePolicyPath(path) {
+    if (path === "~")
+        return homedir();
+    if (path.startsWith("~/"))
+        return join(homedir(), path.slice(2));
+    return path;
+}
+function defaultAdminPolicyPath() {
+    if (process.platform === "win32") {
+        return "C:\\ProgramData\\iosm\\policy.toml";
+    }
+    return "/etc/iosm/policy.toml";
+}
+function buildDefaultRuleSet() {
+    return {
+        layer: "default",
+        rules: [],
+        allowedSources: [...DEFAULT_ALLOWED_SOURCES],
+    };
+}
+function getLayerRank(layer) {
+    switch (layer) {
+        case "admin":
+            return 0;
+        case "user":
+            return 1;
+        case "workspace":
+            return 2;
+        case "default":
+            return 3;
+        case "legacy":
+            return 4;
+    }
+}
+export class PolicyEngineV2 {
+    constructor(options) {
+        this.sources = [];
+        this.cwd = options.cwd;
+        this.agentDir = options.agentDir;
+        this.settingsManager = options.settingsManager;
+        this.adminPolicyPath = normalizePolicyPath(options.adminPolicyPath ?? defaultAdminPolicyPath());
+        this.refresh();
+    }
+    refresh() {
+        const userPath = join(this.agentDir, "policy.toml");
+        const workspacePath = join(this.cwd, CONFIG_DIR_NAME, "policy.toml");
+        const admin = loadPolicyFile(this.adminPolicyPath);
+        const user = loadPolicyFile(userPath);
+        const workspace = loadPolicyFile(workspacePath);
+        const legacyRules = buildLegacyPolicyRules(this.settingsManager);
+        this.sources = [
+            { layer: "admin", path: this.adminPolicyPath, rules: admin.rules, allowedSources: admin.allowedSources },
+            { layer: "user", path: userPath, rules: user.rules, allowedSources: user.allowedSources },
+            { layer: "workspace", path: workspacePath, rules: workspace.rules, allowedSources: workspace.allowedSources },
+            buildDefaultRuleSet(),
+            { layer: "legacy", rules: legacyRules, allowedSources: [] },
+        ];
+    }
+    getSources() {
+        return this.sources.map((source) => ({
+            layer: source.layer,
+            path: source.path,
+            rules: source.rules.map((rule) => ({ ...rule })),
+            allowedSources: [...source.allowedSources],
+        }));
+    }
+    getAllowedSourceHosts() {
+        const merged = new Set();
+        for (const source of this.sources) {
+            for (const host of source.allowedSources) {
+                merged.add(host.toLowerCase());
+            }
+        }
+        return [...merged];
+    }
+    getLegacyRules(effect) {
+        const values = [];
+        for (const source of this.sources) {
+            if (source.layer !== "user")
+                continue;
+            for (const rule of source.rules) {
+                if (rule.effect !== effect)
+                    continue;
+                if (rule.legacyRule && rule.legacyRule.trim().length > 0) {
+                    values.push(rule.legacyRule.trim());
+                }
+            }
+        }
+        return values;
+    }
+    setLegacyRules(effect, rawRules) {
+        const path = join(this.agentDir, "policy.toml");
+        const file = this.readMutablePolicy(path);
+        const keep = file.rules
+            .map((entry, index) => ({ entry, index }))
+            .filter(({ entry }) => {
+            const rule = normalizeRule(entry, 0);
+            if (!rule)
+                return true;
+            if (rule.effect !== effect)
+                return true;
+            return !rule.legacyRule;
+        })
+            .map(({ entry }) => entry);
+        const nextRules = [...keep];
+        let counter = 1;
+        for (const raw of rawRules) {
+            const normalized = raw.trim();
+            if (!normalized || !normalized.includes(":"))
+                continue;
+            const [toolRaw, ...rest] = normalized.split(":");
+            const tool = toolRaw.trim() || "*";
+            const needle = rest.join(":").trim();
+            const rule = {
+                id: `legacy-${effect}-${counter}`,
+                enabled: true,
+                effect,
+                priority: 1000 - counter,
+                tools: [tool],
+                checker: needle ? `summary_contains:${needle}` : undefined,
+                legacyRule: `${tool}:${needle}`,
+            };
+            nextRules.push(toTomlRule(rule));
+            counter += 1;
+        }
+        file.rules = nextRules;
+        this.writeMutablePolicy(path, file);
+        this.refresh();
+    }
+    addLegacyRule(effect, rawRule) {
+        const normalized = rawRule.trim();
+        if (!normalized || !normalized.includes(":"))
+            return false;
+        const existing = new Set(this.getLegacyRules(effect));
+        if (existing.has(normalized))
+            return false;
+        this.setLegacyRules(effect, [...existing, normalized]);
+        return true;
+    }
+    removeLegacyRule(effect, rawRule) {
+        const normalized = rawRule.trim();
+        if (!normalized)
+            return false;
+        const current = this.getLegacyRules(effect);
+        const next = current.filter((rule) => rule !== normalized);
+        if (next.length === current.length)
+            return false;
+        this.setLegacyRules(effect, next);
+        return true;
+    }
+    evaluate(request, context = {}) {
+        const decorated = [];
+        let order = 0;
+        for (const source of this.sources) {
+            for (const rule of source.rules) {
+                decorated.push({
+                    layer: source.layer,
+                    rule,
+                    layerRank: getLayerRank(source.layer),
+                    order: order++,
+                });
+            }
+        }
+        decorated.sort((a, b) => {
+            if (a.layerRank !== b.layerRank)
+                return a.layerRank - b.layerRank;
+            if (a.rule.priority !== b.rule.priority)
+                return b.rule.priority - a.rule.priority;
+            return a.order - b.order;
+        });
+        for (const entry of decorated) {
+            const rule = entry.rule;
+            if (!rule.enabled)
+                continue;
+            if (!this.matchesRule(rule, request, context))
+                continue;
+            return {
+                effect: rule.effect,
+                matched: true,
+                reason: `Matched policy rule ${rule.id} (${entry.layer})`,
+                rule,
+                layer: entry.layer,
+            };
+        }
+        return {
+            effect: "ask",
+            matched: false,
+            reason: "No policy rule matched.",
+        };
+    }
+    matchesRule(rule, request, context) {
+        if (!this.matchesTools(rule, request))
+            return false;
+        if (rule.toolSource && rule.toolSource.length > 0) {
+            const source = request.toolSource ?? "builtin";
+            if (!rule.toolSource.includes(source))
+                return false;
+        }
+        if (rule.mcpName && rule.mcpName.length > 0) {
+            const serverName = request.mcpServerName?.trim();
+            if (!serverName)
+                return false;
+            if (!rule.mcpName.some((candidate) => candidate === "*" || candidate === serverName))
+                return false;
+        }
+        if (rule.profiles && rule.profiles.length > 0) {
+            const profile = context.profile?.trim();
+            if (!profile)
+                return false;
+            if (!rule.profiles.some((candidate) => candidate === "*" || candidate === profile))
+                return false;
+        }
+        if (rule.cwdGlob && rule.cwdGlob.length > 0) {
+            if (!rule.cwdGlob.some((glob) => minimatch(request.cwd, glob, { dot: true })))
+                return false;
+        }
+        if (rule.argsPattern && !this.matchesArgsPattern(rule.argsPattern, request)) {
+            return false;
+        }
+        if (rule.checker && !this.matchesChecker(rule.checker, request)) {
+            return false;
+        }
+        return true;
+    }
+    matchesTools(rule, request) {
+        const toolCandidates = [request.toolName];
+        if (request.toolSource === "mcp") {
+            if (request.mcpToolName)
+                toolCandidates.push(request.mcpToolName);
+        }
+        return rule.tools.some((pattern) => {
+            if (pattern === "*")
+                return true;
+            return toolCandidates.some((toolName) => minimatch(toolName, pattern));
+        });
+    }
+    matchesArgsPattern(pattern, request) {
+        const haystack = `${request.summary}\n${this.serializeInput(request.input)}`;
+        try {
+            const regex = new RegExp(pattern, "i");
+            return regex.test(haystack);
+        }
+        catch {
+            return false;
+        }
+    }
+    matchesChecker(checker, request) {
+        const trimmed = checker.trim();
+        if (trimmed.length === 0)
+            return true;
+        if (trimmed.startsWith("summary_contains:")) {
+            const needle = trimmed.slice("summary_contains:".length).trim().toLowerCase();
+            if (!needle)
+                return true;
+            return request.summary.toLowerCase().includes(needle);
+        }
+        if (trimmed.startsWith("summary_regex:")) {
+            const pattern = trimmed.slice("summary_regex:".length).trim();
+            if (!pattern)
+                return true;
+            try {
+                return new RegExp(pattern, "i").test(request.summary);
+            }
+            catch {
+                return false;
+            }
+        }
+        if (trimmed.startsWith("legacy_substring:")) {
+            const needle = trimmed.slice("legacy_substring:".length).trim().toLowerCase();
+            return !needle || request.summary.toLowerCase().includes(needle);
+        }
+        if (trimmed.startsWith("tool_exact:")) {
+            const expected = trimmed.slice("tool_exact:".length).trim();
+            return !expected || request.toolName === expected;
+        }
+        if (trimmed.startsWith("args_regex:")) {
+            const pattern = trimmed.slice("args_regex:".length).trim();
+            try {
+                return new RegExp(pattern, "i").test(this.serializeInput(request.input));
+            }
+            catch {
+                return false;
+            }
+        }
+        return false;
+    }
+    serializeInput(input) {
+        try {
+            return JSON.stringify(input);
+        }
+        catch {
+            return "";
+        }
+    }
+    readMutablePolicy(path) {
+        if (!existsSync(path)) {
+            return {
+                version: 2,
+                allowed_sources: [...DEFAULT_ALLOWED_SOURCES],
+                rules: [],
+            };
+        }
+        const raw = readFileSync(path, "utf8");
+        const parsed = TOML.parse(raw);
+        const rules = Array.isArray(parsed.rules)
+            ? parsed.rules.filter((entry) => !!entry && typeof entry === "object")
+            : [];
+        return {
+            ...parsed,
+            version: typeof parsed.version === "number" ? parsed.version : 2,
+            allowed_sources: normalizeStringArray(parsed.allowed_sources),
+            rules,
+        };
+    }
+    writeMutablePolicy(path, file) {
+        const dir = dirname(path);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        const content = TOML.stringify(file);
+        writeFileSync(path, content, "utf8");
+    }
+}
+const DANGEROUS_TOOL_NAMES = new Set(["bash", "edit", "write", "apply_patch", "git_write", "fs_ops", "db_run"]);
+export function evaluatePermissionWithPolicy(engine, request, context) {
+    const policyDecision = engine.evaluate(request, { profile: context.profile });
+    const isMcpRequest = request.toolSource === "mcp";
+    const mcpApprovalMode = isMcpRequest ? (request.mcpApprovalMode ?? "auto") : "auto";
+    if (policyDecision.effect === "deny") {
+        return {
+            outcome: "deny",
+            decision: policyDecision,
+            reason: policyDecision.reason,
+        };
+    }
+    if (isMcpRequest && mcpApprovalMode === "prompt") {
+        return {
+            outcome: "ask",
+            decision: policyDecision,
+            reason: "MCP tool approval mode is prompt; confirmation required.",
+        };
+    }
+    if (isMcpRequest && mcpApprovalMode === "approve") {
+        if (!request.mcpServerTrusted) {
+            return {
+                outcome: "ask",
+                decision: policyDecision,
+                reason: "MCP server is untrusted. approvalMode=approve requires trusted server.",
+            };
+        }
+        return {
+            outcome: "allow",
+            decision: policyDecision,
+            reason: policyDecision.effect === "allow"
+                ? policyDecision.reason
+                : "MCP tool approval mode is approve on trusted server.",
+        };
+    }
+    if (policyDecision.effect === "allow") {
+        if (isMcpRequest) {
+            const explicitMcpRule = Boolean(policyDecision.rule?.mcpName && policyDecision.rule.mcpName.length > 0) &&
+                Boolean(policyDecision.rule?.tools && policyDecision.rule.tools.some((tool) => tool !== "*"));
+            if (!request.mcpServerTrusted) {
+                return {
+                    outcome: "ask",
+                    decision: policyDecision,
+                    reason: "MCP server is untrusted. Explicit allow requires trusted server for bypass.",
+                };
+            }
+            if (!explicitMcpRule) {
+                return {
+                    outcome: "ask",
+                    decision: policyDecision,
+                    reason: "MCP allow rule is not explicit (mcp_name + specific tool required).",
+                };
+            }
+        }
+        return {
+            outcome: "allow",
+            decision: policyDecision,
+            reason: policyDecision.reason,
+        };
+    }
+    if (isMcpRequest) {
+        return {
+            outcome: "ask",
+            decision: policyDecision,
+            reason: "MCP calls require explicit allow policy.",
+        };
+    }
+    if (context.strictExtensionToolEnforcement && request.toolSource === "extension" && context.permissionMode === "auto") {
+        if (request.requiredPermission === "read-only") {
+            return {
+                outcome: "allow",
+                decision: policyDecision,
+                reason: "Auto mode allows read-only extension tools.",
+            };
+        }
+        if (!request.requiredPermission) {
+            return {
+                outcome: "deny",
+                decision: policyDecision,
+                reason: "Extension tool lacks requiredPermission metadata.",
+            };
+        }
+    }
+    if (context.permissionMode === "yolo") {
+        return {
+            outcome: "allow",
+            decision: policyDecision,
+            reason: "Permission mode is yolo.",
+        };
+    }
+    if (context.permissionMode === "auto" &&
+        (request.toolName === "edit" || request.toolName === "write" || request.toolName === "apply_patch")) {
+        return {
+            outcome: "allow",
+            decision: policyDecision,
+            reason: "Auto mode allows edit/write/apply_patch.",
+        };
+    }
+    if (context.runtimeMode === "rpc" && !DANGEROUS_TOOL_NAMES.has(request.toolName)) {
+        return {
+            outcome: "allow",
+            decision: policyDecision,
+            reason: "RPC mode auto-approves non-dangerous tools.",
+        };
+    }
+    return {
+        outcome: "ask",
+        decision: policyDecision,
+        reason: "No policy allow/deny matched; confirmation required.",
+    };
+}
+export function buildLegacyRulePattern(rawRule) {
+    const normalized = rawRule.trim();
+    const [toolRaw, ...rest] = normalized.split(":");
+    const tool = toolRaw.trim() || "*";
+    const needle = rest.join(":").trim();
+    const checker = needle.length > 0 ? `summary_contains:${needle}` : "summary_contains:";
+    return `${tool}:${checker.replace(/^summary_contains:/, "")}`;
+}
+export function legacyRuleToChecker(rawRule) {
+    const normalized = rawRule.trim();
+    const [, ...rest] = normalized.split(":");
+    const needle = rest.join(":").trim();
+    if (!needle)
+        return undefined;
+    return `summary_contains:${escapeRegExp(needle)}`;
+}
+//# sourceMappingURL=engine.js.map