npm - kly - Versions diffs - 0.1.0 → 0.1.1 - Mend

kly 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/bin/config-builder-D5EtwOB3.mjs +3 -0
package/dist/bin/kly.mjs +65 -18
package/dist/bin/kly.mjs.map +1 -1
package/dist/bin/launcher-Ex3ynZdE.mjs +3 -0
package/dist/bin/permissions-C_WgoA3t.mjs +3 -0
package/dist/bin/permissions-extractor-BfUPS0Tr.mjs +29 -0
package/dist/bin/permissions-extractor-BfUPS0Tr.mjs.map +1 -0
package/dist/types.d.mts +18 -1
package/dist/types.d.mts.map +1 -1
package/dist/types.mjs.map +1 -1
package/package.json +1 -1
package/dist/bin/launcher-vTpgdO9n.mjs +0 -3
package/dist/bin/permissions-2r_7ZqaH.mjs +0 -3

package/dist/bin/config-builder-D5EtwOB3.mjs ADDED Viewed

@@ -0,0 +1,3 @@
+import { n as formatPermissionsSummary, t as buildSandboxConfig } from "./kly.mjs";
+export { buildSandboxConfig, formatPermissionsSummary };

package/dist/bin/kly.mjs CHANGED Viewed

@@ -1851,14 +1851,32 @@ const PROTECTED_PATHS = {
 	alwaysDenyRead: [join(homedir(), ".kly")]
 };
 /**
+* Resolve filesystem path with special marker support
+*
+* Special markers:
+* - "*": User's home directory (allows access to all non-sensitive files)
+* - Absolute paths: Used as-is
+*
+* @param path - Path to resolve (may contain special markers)
+* @returns Resolved absolute path, or undefined if path is undefined
+*/
+function resolveFilesystemPath(path) {
+	if (!path) return void 0;
+	if (path === "*") return homedir();
+	return path;
+}
+/**
 * Build a complete SandboxRuntimeConfig from declared app permissions
 *
 * This merges:
 * 1. Default safe configuration
 * 2. Automatic LLM domains (if apiKeys: true)
-* 3. User-declared sandbox config
+* 3. User-declared sandbox config (with special marker support)
 * 4. Mandatory protections (always applied)
 *
+* Special markers in filesystem paths:
+* - "*": Allows access to all files in user's home directory (except sensitive paths)
+*
 * @param permissions - Declared app permissions
 * @returns Complete sandbox configuration ready for SandboxManager
 */
@@ -1870,10 +1888,16 @@ function buildSandboxConfig(permissions) {
 	if (permissions?.apiKeys) allowedDomains = [...LLM_API_DOMAINS];
 	if (permissions?.sandbox) {
 		const userSandbox = permissions.sandbox;
-		if (userSandbox.network?.allowedDomains) allowedDomains = [...allowedDomains, ...userSandbox.network.allowedDomains];
+		if (userSandbox.network?.allowedDomains) {
+			const domains = userSandbox.network.allowedDomains.filter((d) => d !== void 0);
+			allowedDomains = [...allowedDomains, ...domains];
+		}
 		if (userSandbox.filesystem) {
-			if (userSandbox.filesystem.allowWrite) allowWrite = userSandbox.filesystem.allowWrite;
-			if (userSandbox.filesystem.denyRead) denyRead = [...denyRead, ...userSandbox.filesystem.denyRead];
+			if (userSandbox.filesystem.allowWrite) allowWrite = userSandbox.filesystem.allowWrite.map(resolveFilesystemPath).filter((p) => p !== void 0);
+			if (userSandbox.filesystem.denyRead) {
+				const deniedPaths = userSandbox.filesystem.denyRead.map(resolveFilesystemPath).filter((p) => p !== void 0);
+				denyRead = [...denyRead, ...deniedPaths];
+			}
 		}
 	}
 	return {
@@ -1904,9 +1928,13 @@ function formatPermissionsSummary(permissions) {
 		summary.push(`• Network: ${domains}${more}`);
 	}
 	if (config.filesystem.allowWrite.length > 1 || config.filesystem.allowWrite.length === 1 && config.filesystem.allowWrite[0] !== currentDir) {
-		const dirs = config.filesystem.allowWrite.map((p) => p === currentDir ? "current directory" : p).slice(0, 2).join(", ");
-		const more = config.filesystem.allowWrite.length > 2 ? ` +${config.filesystem.allowWrite.length - 2} more` : "";
-		summary.push(`• Filesystem write: ${dirs}${more}`);
+		const homeDir = homedir();
+		if (config.filesystem.allowWrite.includes(homeDir)) summary.push("• Filesystem write: All non-sensitive directories");
+		else {
+			const dirs = config.filesystem.allowWrite.map((p) => p === currentDir ? "current directory" : p).slice(0, 2).join(", ");
+			const more = config.filesystem.allowWrite.length > 2 ? ` +${config.filesystem.allowWrite.length - 2} more` : "";
+			summary.push(`• Filesystem write: ${dirs}${more}`);
+		}
 	}
 	if (permissions?.sandbox?.filesystem?.denyRead) summary.push(`• Filesystem read denied: ${permissions.sandbox.filesystem.denyRead.length} path(s)`);
 	return summary;
@@ -2703,19 +2731,38 @@ async function executeApp(ref, repoPath, args$1, mcp) {
 	const prevRemoteRef = process.env[ENV_VARS.REMOTE_REF];
 	process.env[ENV_VARS.REMOTE_REF] = remoteRef;
 	try {
-		const { getAppIdentifier: getAppIdentifier$1, checkApiKeyPermission: checkApiKeyPermission$1, getAppSandboxConfig: getAppSandboxConfig$1 } = await import("./permissions-2r_7ZqaH.mjs");
-		const { launchSandbox: launchSandbox$1 } = await import("./launcher-vTpgdO9n.mjs");
+		const { getAppIdentifier: getAppIdentifier$1, checkApiKeyPermission: checkApiKeyPermission$1, getAppSandboxConfig: getAppSandboxConfig$1 } = await import("./permissions-C_WgoA3t.mjs");
+		const { launchSandbox: launchSandbox$1 } = await import("./launcher-Ex3ynZdE.mjs");
+		const { buildSandboxConfig: buildSandboxConfig$1, formatPermissionsSummary: formatPermissionsSummary$1 } = await import("./config-builder-D5EtwOB3.mjs");
+		const { extractAppPermissions: extractAppPermissions$1 } = await import("./permissions-extractor-BfUPS0Tr.mjs");
 		const appId = getAppIdentifier$1();
+		console.log("📋 Reading app permissions...");
+		const declaredPermissions = await extractAppPermissions$1(absoluteEntryPath);
+		if (declaredPermissions) {
+			const summary = formatPermissionsSummary$1(declaredPermissions);
+			if (summary.length > 0) {
+				console.log("\nThis app requests the following permissions:");
+				for (const item of summary) console.log(item);
+				console.log("");
+			}
+		}
 		console.log("🔐 Checking permissions...");
-		const allowApiKey = await checkApiKeyPermission$1(appId);
-		if (!allowApiKey) {
-			console.error("❌ Permission denied: API key access rejected");
-			process.exit(1);
+		let allowApiKey = false;
+		let sandboxConfig = null;
+		if (declaredPermissions?.apiKeys) {
+			allowApiKey = await checkApiKeyPermission$1(appId);
+			if (!allowApiKey) {
+				console.error("❌ Permission denied: API key access rejected");
+				process.exit(1);
+			}
 		}
-		const sandboxConfig = await getAppSandboxConfig$1(appId);
-		if (!sandboxConfig) {
-			console.error("❌ Permission denied: Sandbox configuration rejected");
-			process.exit(1);
+		if (declaredPermissions) sandboxConfig = buildSandboxConfig$1(declaredPermissions);
+		else {
+			sandboxConfig = await getAppSandboxConfig$1(appId);
+			if (!sandboxConfig) {
+				console.error("❌ Permission denied: Sandbox configuration rejected");
+				process.exit(1);
+			}
 		}
 		if (mcp) {
 			console.warn("⚠️  MCP mode with remote repos not yet fully supported in new architecture");
@@ -2884,5 +2931,5 @@ main().catch((err) => {
 });
 //#endregion
-export { getAppSandboxConfig as a, revokePermission as c, getAppName as i, savePermissions as l, clearAllPermissions as n, listPermissions as o, getAppIdentifier as r, loadPermissions as s, checkApiKeyPermission as t, launchSandbox as u };
+export { getAppIdentifier as a, listPermissions as c, savePermissions as d, launchSandbox as f, clearAllPermissions as i, loadPermissions as l, formatPermissionsSummary as n, getAppName as o, checkApiKeyPermission as r, getAppSandboxConfig as s, buildSandboxConfig as t, revokePermission as u };
 //# sourceMappingURL=kly.mjs.map