salmon-loop 0.2.3

package/dist/core/tools/permissions/permission-rules.js

@@ -0,0 +1,503 @@
+import { text } from '../../../locales/index.js';
+import { normalizeDiff, validateDiff } from '../../patch/diff.js';
+import { ArtifactStore } from '../../sub-agent/artifacts/store.js';
+const DEFAULT_TOOL_ALIASES = {
+    bash: 'Bash',
+    read: 'Read',
+    edit: 'Edit',
+    ls: 'LS',
+    grep: 'Grep',
+    glob: 'Glob',
+    webfetch: 'WebFetch',
+};
+const BASELINE_TOOL_NAMES = new Set(['plan.init', 'plan.read', 'plan.update']);
+const ALIAS_TOOL_TO_INTERNAL_TOOL_NAMES = {
+    Bash: ['shell.exec', 'test.run'],
+    Read: ['fs.read', 'code.read', 'git.cat', 'artifact.read'],
+    Edit: ['proposal.apply'],
+    LS: ['fs.list', 'git.status'],
+    Grep: ['code.search'],
+    Glob: ['code.search'],
+    WebFetch: [],
+};
+function isAliasToolName(tool) {
+    return Boolean(DEFAULT_TOOL_ALIASES[String(tool || '')
+        .trim()
+        .toLowerCase()]);
+}
+function canonicalizeToolName(tool) {
+    const normalized = String(tool || '').trim();
+    const key = normalized.toLowerCase();
+    return DEFAULT_TOOL_ALIASES[key] ?? normalized;
+}
+function parseRuleString(raw) {
+    const original = String(raw ?? '');
+    const trimmed = original.trim();
+    if (!trimmed) {
+        return { ok: false, error: { raw: original, message: 'Rule is empty' } };
+    }
+    const open = trimmed.indexOf('(');
+    if (open === -1) {
+        return {
+            ok: true,
+            rule: {
+                raw: trimmed,
+                tool: canonicalizeToolName(trimmed),
+            },
+        };
+    }
+    if (!trimmed.endsWith(')')) {
+        return {
+            ok: false,
+            error: { raw: trimmed, message: 'Rule has "(" but does not end with ")"' },
+        };
+    }
+    const toolPart = trimmed.slice(0, open).trim();
+    const specifier = trimmed.slice(open + 1, -1).trim();
+    if (!toolPart) {
+        return { ok: false, error: { raw: trimmed, message: 'Rule tool name is missing' } };
+    }
+    if (!specifier) {
+        return { ok: true, rule: { raw: trimmed, tool: canonicalizeToolName(toolPart) } };
+    }
+    return {
+        ok: true,
+        rule: {
+            raw: trimmed,
+            tool: canonicalizeToolName(toolPart),
+            specifier,
+        },
+    };
+}
+export function parsePermissionRules(input) {
+    const rules = [];
+    const errors = [];
+    const all = [...(input.allow ?? []), ...(input.deny ?? [])];
+    if (!Array.isArray(all)) {
+        return { ok: true, rules: [], errors: [] };
+    }
+    for (const raw of all) {
+        const parsed = parseRuleString(String(raw ?? ''));
+        if (!parsed.ok) {
+            errors.push(parsed.error);
+            continue;
+        }
+        rules.push(parsed.rule);
+    }
+    return { ok: errors.length === 0, rules, errors };
+}
+function escapeRegExpLiteral(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+function normalizeDeprecatedBashSuffix(specifier) {
+    const s = String(specifier ?? '').trim();
+    if (s.endsWith(':*')) {
+        return `${s.slice(0, -2)} *`;
+    }
+    return s;
+}
+function commandHasShellOperatorsOutsideQuotes(command) {
+    const s = String(command ?? '');
+    let inSingle = false;
+    let inDouble = false;
+    let escaped = false;
+    for (let i = 0; i < s.length; i++) {
+        const ch = s[i];
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        if (ch === '\\') {
+            escaped = true;
+            continue;
+        }
+        if (!inDouble && ch === "'") {
+            inSingle = !inSingle;
+            continue;
+        }
+        if (!inSingle && ch === '"') {
+            inDouble = !inDouble;
+            continue;
+        }
+        if (ch === '\n' || ch === '\r')
+            return true;
+        if (!inSingle && !inDouble) {
+            const next = s[i + 1] ?? '';
+            if (ch === '&' && next === '&')
+                return true;
+            if (ch === '|' && next === '|')
+                return true;
+            if (ch === ';' || ch === '|' || ch === '>' || ch === '<')
+                return true;
+            if (ch === '`')
+                return true;
+            if (ch === '$' && next === '(')
+                return true;
+        }
+        else if (!inSingle && inDouble) {
+            const next = s[i + 1] ?? '';
+            if (ch === '`')
+                return true;
+            if (ch === '$' && next === '(')
+                return true;
+        }
+    }
+    return false;
+}
+function compileBashMatcher(specifier) {
+    const spec = normalizeDeprecatedBashSuffix(String(specifier ?? '').trim());
+    if (!spec || spec === '*') {
+        return {
+            kind: 'all',
+            rawSpecifier: specifier,
+            matches: () => true,
+            isExactMatch: () => false,
+        };
+    }
+    const expanded = spec.endsWith(' *') ? [spec, spec.slice(0, -2)] : [spec];
+    const exact = new Set();
+    const regexes = [];
+    for (const p of expanded) {
+        if (!p.includes('*')) {
+            exact.add(p);
+            continue;
+        }
+        const parts = p.split('*').map(escapeRegExpLiteral);
+        const re = new RegExp(`^${parts.join('.*')}$`);
+        regexes.push(re);
+    }
+    const isExactMatch = (command) => exact.has(command);
+    const matches = (command) => {
+        if (commandHasShellOperatorsOutsideQuotes(command)) {
+            // Wildcard safety: prefix/suffix/contains rules must not allow shell operator chaining.
+            return isExactMatch(command);
+        }
+        if (isExactMatch(command))
+            return true;
+        for (const re of regexes) {
+            if (re.test(command))
+                return true;
+        }
+        return false;
+    };
+    return { kind: 'pattern', rawSpecifier: specifier, matches, isExactMatch };
+}
+function normalizeRepoRelativePath(input) {
+    const raw = String(input ?? '')
+        .replace(/\\/g, '/')
+        .trim();
+    const withoutDot = raw.replace(/^\.\//, '');
+    const withoutLeadingSlash = withoutDot.replace(/^\/+/, '');
+    return withoutLeadingSlash.replace(/\/{2,}/g, '/');
+}
+function compilePathMatcher(specifier) {
+    const spec = normalizeRepoRelativePath(String(specifier ?? '').trim());
+    if (!spec || spec === '*') {
+        return { rawSpecifier: specifier, matches: () => true };
+    }
+    const tokens = [];
+    for (let i = 0; i < spec.length; i++) {
+        const ch = spec[i];
+        const next = spec[i + 1] ?? '';
+        if (ch === '*' && next === '*') {
+            tokens.push('**');
+            i++;
+            continue;
+        }
+        if (ch === '*') {
+            tokens.push('*');
+            continue;
+        }
+        tokens.push(ch);
+    }
+    const reBody = tokens
+        .map((t) => {
+        if (t === '**')
+            return '.*';
+        if (t === '*')
+            return '[^/]*';
+        return escapeRegExpLiteral(t);
+    })
+        .join('');
+    const re = new RegExp(`^${reBody}$`);
+    return {
+        rawSpecifier: specifier,
+        matches: (repoRelativePath) => re.test(normalizeRepoRelativePath(repoRelativePath)),
+    };
+}
+function compileRule(effect, parsed) {
+    const tool = parsed.tool;
+    const specifier = parsed.specifier;
+    const asAlias = typeof tool === 'string' && isAliasToolName(tool) ? tool : null;
+    const shouldTreatAsBash = tool === 'Bash' ||
+        tool === 'bash' ||
+        tool === 'shell.exec' ||
+        tool === 'test.run' ||
+        asAlias === 'Bash';
+    const shouldTreatAsEdit = tool === 'Edit' || tool === 'edit' || tool === 'proposal.apply' || asAlias === 'Edit';
+    const shouldTreatAsPath = tool === 'Read' ||
+        tool === 'read' ||
+        tool === 'LS' ||
+        tool === 'ls' ||
+        tool === 'fs.read' ||
+        tool === 'code.read' ||
+        tool === 'git.cat' ||
+        tool === 'fs.list' ||
+        tool === 'artifact.read' ||
+        asAlias === 'Read' ||
+        asAlias === 'LS';
+    if (shouldTreatAsBash) {
+        return {
+            effect,
+            tool,
+            raw: parsed.raw,
+            specifier,
+            compiled: { kind: 'bash', matcher: compileBashMatcher(specifier) },
+        };
+    }
+    if (shouldTreatAsEdit) {
+        return {
+            effect,
+            tool,
+            raw: parsed.raw,
+            specifier,
+            compiled: { kind: 'edit', matcher: compilePathMatcher(specifier) },
+        };
+    }
+    if (shouldTreatAsPath) {
+        return {
+            effect,
+            tool,
+            raw: parsed.raw,
+            specifier,
+            compiled: { kind: 'path', matcher: compilePathMatcher(specifier) },
+        };
+    }
+    return { effect, tool, raw: parsed.raw, specifier, compiled: { kind: 'tool_any' } };
+}
+function buildVisibleToolNamesFromAllow(allowRules) {
+    const visible = new Set();
+    for (const rule of allowRules) {
+        const tool = rule.tool;
+        if (typeof tool === 'string' && isAliasToolName(tool)) {
+            for (const name of ALIAS_TOOL_TO_INTERNAL_TOOL_NAMES[tool] ?? []) {
+                visible.add(name);
+            }
+            continue;
+        }
+        if (typeof tool === 'string' && (tool.includes('.') || tool.includes('_'))) {
+            visible.add(tool);
+        }
+    }
+    for (const baseline of BASELINE_TOOL_NAMES)
+        visible.add(baseline);
+    return visible;
+}
+export function compilePermissionRules(input) {
+    const parsedAllow = (input.allow ?? []).flatMap((raw) => {
+        const res = parseRuleString(String(raw ?? ''));
+        return res.ok ? [res.rule] : [];
+    });
+    const parsedDeny = (input.deny ?? []).flatMap((raw) => {
+        const res = parseRuleString(String(raw ?? ''));
+        return res.ok ? [res.rule] : [];
+    });
+    const parseAll = parsePermissionRules(input);
+    if (!parseAll.ok) {
+        return { ok: false, errors: parseAll.errors };
+    }
+    const allow = parsedAllow.map((r) => compileRule('allow', r));
+    const deny = parsedDeny.map((r) => compileRule('deny', r));
+    return {
+        ok: true,
+        compiled: {
+            allow,
+            deny,
+            enforceAllowRules: allow.length > 0,
+            visibleToolNamesFromAllow: buildVisibleToolNamesFromAllow(allow),
+        },
+    };
+}
+function toolMatchesRuleTool(toolName, ruleTool) {
+    if (typeof ruleTool !== 'string')
+        return false;
+    if (isAliasToolName(ruleTool)) {
+        const internal = ALIAS_TOOL_TO_INTERNAL_TOOL_NAMES[ruleTool] ?? [];
+        return internal.includes(toolName);
+    }
+    return toolName === ruleTool;
+}
+function extractPrimaryPathArg(toolName, args) {
+    if (!args || typeof args !== 'object' || Array.isArray(args))
+        return undefined;
+    const obj = args;
+    if (toolName === 'fs.read' || toolName === 'code.read')
+        return typeof obj.file === 'string' ? obj.file : undefined;
+    if (toolName === 'git.cat')
+        return typeof obj.file === 'string' ? obj.file : undefined;
+    if (toolName === 'fs.list')
+        return typeof obj.path === 'string' ? obj.path : undefined;
+    return undefined;
+}
+function extractCommandArg(toolName, args) {
+    if (!args || typeof args !== 'object' || Array.isArray(args))
+        return undefined;
+    const obj = args;
+    if (toolName === 'shell.exec')
+        return typeof obj.command === 'string' ? obj.command : undefined;
+    if (toolName === 'test.run')
+        return typeof obj.command === 'string' ? obj.command : undefined;
+    return undefined;
+}
+async function loadProposalChangedFiles(handle) {
+    const read = await ArtifactStore.readText(handle);
+    if (!read.ok)
+        return null;
+    try {
+        const normalized = normalizeDiff(read.content);
+        const meta = validateDiff(normalized);
+        return meta.changedFiles ?? [];
+    }
+    catch {
+        return null;
+    }
+}
+function matchAllowRule(rule, toolName, args) {
+    if (!toolMatchesRuleTool(toolName, rule.tool))
+        return false;
+    if (rule.compiled.kind === 'tool_any')
+        return true;
+    if (rule.compiled.kind === 'bash') {
+        const cmd = extractCommandArg(toolName, args);
+        if (!cmd)
+            return false;
+        return rule.compiled.matcher.matches(cmd);
+    }
+    if (rule.compiled.kind === 'path') {
+        const p = extractPrimaryPathArg(toolName, args);
+        if (!p)
+            return false;
+        return rule.compiled.matcher.matches(p);
+    }
+    if (rule.compiled.kind === 'edit') {
+        // Edit allow rules are handled by an async path-aware matcher.
+        return toolName === 'proposal.apply';
+    }
+    return false;
+}
+async function matchAllowEditRule(rule, args) {
+    if (rule.compiled.kind !== 'edit')
+        return false;
+    const matcher = rule.compiled.matcher;
+    if (!args || typeof args !== 'object' || Array.isArray(args))
+        return false;
+    const handle = args.handle;
+    if (typeof handle !== 'string' || !handle.trim())
+        return false;
+    const changedFiles = await loadProposalChangedFiles(handle);
+    if (!changedFiles)
+        return false;
+    if (changedFiles.length === 0)
+        return false;
+    return changedFiles.every((p) => matcher.matches(p));
+}
+async function matchDenyEditRule(rule, args) {
+    if (rule.compiled.kind !== 'edit')
+        return false;
+    const matcher = rule.compiled.matcher;
+    if (!args || typeof args !== 'object' || Array.isArray(args))
+        return false;
+    const handle = args.handle;
+    if (typeof handle !== 'string' || !handle.trim())
+        return false;
+    const changedFiles = await loadProposalChangedFiles(handle);
+    if (!changedFiles)
+        return false;
+    return changedFiles.some((p) => matcher.matches(p));
+}
+function matchDenyRule(rule, toolName, args) {
+    if (!toolMatchesRuleTool(toolName, rule.tool))
+        return false;
+    if (rule.compiled.kind === 'tool_any')
+        return true;
+    if (rule.compiled.kind === 'bash') {
+        const cmd = extractCommandArg(toolName, args);
+        if (!cmd)
+            return false;
+        return rule.compiled.matcher.matches(cmd);
+    }
+    if (rule.compiled.kind === 'path') {
+        const p = extractPrimaryPathArg(toolName, args);
+        if (!p)
+            return false;
+        return rule.compiled.matcher.matches(p);
+    }
+    if (rule.compiled.kind === 'edit') {
+        // Deny edit rules are handled by an async path-aware matcher.
+        return toolName === 'proposal.apply';
+    }
+    return false;
+}
+export async function decidePermissionForToolCall(options) {
+    const rules = options.rules;
+    if (!rules)
+        return { kind: 'no_match' };
+    if (BASELINE_TOOL_NAMES.has(options.toolName)) {
+        return { kind: 'allow', reason: 'baseline' };
+    }
+    // Deny rules win.
+    for (const rule of rules.deny) {
+        if (rule.compiled.kind === 'edit') {
+            if (options.toolName === 'proposal.apply' && (await matchDenyEditRule(rule, options.args))) {
+                return {
+                    kind: 'deny',
+                    reason: text.tools.permissionRuleDenied(rule.raw),
+                    rule: { effect: 'deny', raw: rule.raw, tool: rule.tool },
+                };
+            }
+            continue;
+        }
+        if (matchDenyRule(rule, options.toolName, options.args)) {
+            return {
+                kind: 'deny',
+                reason: text.tools.permissionRuleDenied(rule.raw),
+                rule: { effect: 'deny', raw: rule.raw, tool: rule.tool },
+            };
+        }
+    }
+    for (const rule of rules.allow) {
+        if (rule.compiled.kind === 'edit') {
+            if (options.toolName === 'proposal.apply' && (await matchAllowEditRule(rule, options.args))) {
+                return {
+                    kind: 'allow',
+                    reason: rule.raw,
+                    rule: { effect: 'allow', raw: rule.raw, tool: rule.tool },
+                };
+            }
+            continue;
+        }
+        if (matchAllowRule(rule, options.toolName, options.args)) {
+            return {
+                kind: 'allow',
+                reason: rule.raw,
+                rule: { effect: 'allow', raw: rule.raw, tool: rule.tool },
+            };
+        }
+    }
+    if (rules.enforceAllowRules) {
+        return {
+            kind: 'deny',
+            reason: text.tools.permissionRulesRequired(),
+        };
+    }
+    return { kind: 'no_match' };
+}
+export function shouldFilterRegistryByAllowRules(rules) {
+    return Boolean(rules && rules.allow.length > 0);
+}
+export function getVisibleToolNamesFromAllowRules(rules) {
+    if (!rules)
+        return new Set();
+    return new Set(rules.visibleToolNamesFromAllow);
+}
+//# sourceMappingURL=permission-rules.js.map

package/dist/core/tools/plugins/loader.js

@@ -0,0 +1,102 @@
+import path from 'node:path';
+import { pathToFileURL } from 'node:url';
+import { syncFs as fs } from '../../adapters/fs/node-fs.js';
+import { getLogger } from '../../observability/logger.js';
+import { Phase } from '../../types/runtime.js';
+const FORBIDDEN_PHASES = new Set([
+    Phase.PLAN,
+    Phase.PATCH,
+    Phase.APPLY,
+    Phase.APPLY_BACK,
+]);
+export async function registerPluginTools(registry, plugins) {
+    for (const plugin of plugins) {
+        if (!plugin.enabled)
+            continue;
+        if (plugin.scope === 'user' && !plugin.allowUserScope) {
+            getLogger().warn(`Skipping user plugin ${plugin.id} because allowUserScope is false.`);
+            continue;
+        }
+        let entryPoint = plugin.path;
+        try {
+            const stats = fs.statSync(entryPoint);
+            if (stats.isDirectory()) {
+                entryPoint = path.join(entryPoint, 'index.js');
+            }
+        }
+        catch (error) {
+            getLogger().warn(`Plugin ${plugin.id} path ${entryPoint} is not accessible: ${error instanceof Error ? error.message : String(error)}`);
+            continue;
+        }
+        const moduleUrl = pathToFileURL(entryPoint).href;
+        let manifest;
+        try {
+            const mod = await import(moduleUrl);
+            manifest = (mod.default ?? mod);
+        }
+        catch (error) {
+            getLogger().error(`Failed to import plugin ${plugin.id} from ${entryPoint}: ${error instanceof Error ? error.message : String(error)}`);
+            continue;
+        }
+        const registerFn = manifest?.register;
+        if (typeof registerFn !== 'function') {
+            getLogger().warn(`Plugin ${plugin.id} does not expose register(); skipping.`);
+            continue;
+        }
+        const pluginId = typeof manifest?.pluginId === 'string' ? manifest.pluginId : plugin.id;
+        if (pluginId !== plugin.id) {
+            getLogger().warn(`Plugin manifest id ${pluginId} differs from config ${plugin.id}, using config id.`);
+        }
+        let tools = [];
+        try {
+            tools = await registerFn();
+        }
+        catch (error) {
+            getLogger().error(`Plugin ${pluginId} register() failed: ${error instanceof Error ? error.message : String(error)}`);
+            continue;
+        }
+        if (!Array.isArray(tools)) {
+            getLogger().warn(`Plugin ${pluginId} register() did not return an array; skipping.`);
+            continue;
+        }
+        for (const original of tools) {
+            if (!original || typeof original !== 'object')
+                continue;
+            const candidateName = original.name;
+            if (!candidateName || typeof candidateName !== 'string') {
+                getLogger().warn(`Plugin ${pluginId} exported a tool without a name; skipping.`);
+                continue;
+            }
+            if (original.source !== 'plugin') {
+                getLogger().warn(`Plugin ${pluginId} tool ${original.name} missing source 'plugin'; skipping.`);
+                continue;
+            }
+            if (!original.sideEffects || original.sideEffects.length === 0) {
+                getLogger().warn(`Plugin ${pluginId} tool ${original.name} must declare sideEffects.`);
+                continue;
+            }
+            if (!original.intent) {
+                getLogger().warn(`Plugin ${pluginId} tool ${original.name} must declare intent.`);
+                continue;
+            }
+            if (!original.allowedPhases || original.allowedPhases.length === 0) {
+                getLogger().warn(`Plugin ${pluginId} tool ${original.name} must declare allowedPhases.`);
+                continue;
+            }
+            if (original.allowedPhases.some((phase) => FORBIDDEN_PHASES.has(phase))) {
+                getLogger().warn(`Plugin ${pluginId} tool ${original.name} declares forbidden phases; skipping.`);
+                continue;
+            }
+            const normalizedName = candidateName.startsWith(`plugin.${pluginId}.`)
+                ? candidateName
+                : `plugin.${pluginId}.${candidateName}`;
+            const spec = {
+                ...original,
+                name: normalizedName,
+            };
+            registry.register(spec);
+            getLogger().info(`Registered plugin tool ${spec.name} from ${pluginId}`);
+        }
+    }
+}
+//# sourceMappingURL=loader.js.map

package/dist/core/tools/policy.js

@@ -0,0 +1,87 @@
+import { Phase } from '../types/runtime.js';
+export class ToolPolicy {
+    /**
+     * Decide if a tool execution is allowed in the current phase and context.
+     */
+    decide(phase, spec, ctx) {
+        // 1. Phase Allowlist Check
+        if (!this.isToolAllowedInPhase(phase, spec)) {
+            return { allowed: false, denyReason: `Tool ${spec.name} is not allowed in phase ${phase}` };
+        }
+        // 2. Side Effect Analysis
+        const hasRepoWrite = spec.sideEffects.includes('fs_write') ||
+            spec.sideEffects.includes('git_write') ||
+            spec.sideEffects.includes('snapshot_mutate');
+        const hasRuntimeWrite = spec.sideEffects.includes('runtime_write');
+        const hasProcess = spec.sideEffects.includes('process');
+        const hasNetwork = spec.sideEffects.includes('network');
+        // 3. APPLY phase is strictly for patch application, NO tool calls allowed
+        if (phase === Phase.APPLY) {
+            return {
+                allowed: false,
+                denyReason: 'Tool execution is strictly forbidden in APPLY phase (use patch apply mechanism)',
+            };
+        }
+        // 4. Runtime write is a narrow exemption for local runtime artifacts (e.g. .salmonloop/**).
+        // It must never be used as a backdoor for arbitrary workspace mutation.
+        if (hasRuntimeWrite && !spec.name.startsWith('plan.')) {
+            return {
+                allowed: false,
+                denyReason: `runtime_write is only allowed for plan.* tools (got: ${spec.name})`,
+            };
+        }
+        // 5. Worktree Requirement for Side Effects
+        // Any repo-mutating tool or process/network execution MUST have a worktree.
+        if ((hasRepoWrite || hasProcess || hasNetwork) && !ctx.worktreeRoot) {
+            return {
+                allowed: false,
+                denyReason: `Tool ${spec.name} has side effects [${spec.sideEffects.join(',')}] and requires worktree isolation`,
+            };
+        }
+        // 6. PLAN/PATCH phases should remain deterministic for code assets.
+        // runtime_write is permitted for local runtime artifacts in narrow, path-sandboxed tools.
+        if ((phase === Phase.PLAN || phase === Phase.PATCH) &&
+            (hasRepoWrite || hasProcess || hasNetwork)) {
+            return {
+                allowed: false,
+                denyReason: `Mutating tool ${spec.name} is forbidden in ${phase} phase to maintain determinism`,
+            };
+        }
+        return { allowed: true };
+    }
+    isToolAllowedInPhase(phase, spec) {
+        // If tool explicitly declares allowed phases, check that first
+        if (spec.allowedPhases && spec.allowedPhases.length > 0) {
+            return spec.allowedPhases.includes(phase);
+        }
+        // Default Phase Policy (Best Practices)
+        switch (phase) {
+            case Phase.SLASH:
+                // Slash routing is an interactive adapter concern. Default to read-only tool usage;
+                // any higher-risk tools must explicitly declare allowedPhases including SLASH.
+                return spec.sideEffects.every((se) => se === 'none' || se === 'fs_read' || se === 'git_read');
+            case Phase.CONTEXT:
+            case Phase.SHRINK:
+                // Allow read-only operations
+                return spec.sideEffects.every((se) => se === 'none' || se === 'fs_read' || se === 'git_read');
+            case Phase.VERIFY:
+                // Allow process execution for tests/verification
+                return true;
+            case Phase.PREFLIGHT:
+            case Phase.VALIDATE:
+                // Allow read-only or low-risk validation
+                return (spec.riskLevel !== 'high' &&
+                    !spec.sideEffects.includes('fs_write') &&
+                    !spec.sideEffects.includes('git_write'));
+            case Phase.PLAN:
+            case Phase.PATCH:
+            case Phase.APPLY:
+            case Phase.APPLY_BACK:
+                // Default deny for mutation phases (controlled by host logic)
+                return false;
+            default:
+                return false;
+        }
+    }
+}
+//# sourceMappingURL=policy.js.map