xiaotime 0.2.0 → 0.3.0

package/dist/settings.d.ts

@@ -0,0 +1,109 @@
+/**
+ * Per-user CLI settings + approval allowlist.
+ *
+ * SPRINT-CLI-APPROVAL-MENU-1 (#6509) PR2.
+ *
+ * Backs the option-2 "Run and don't ask again" path of
+ * `promptApprovalMenu`. Allowlist is persisted to
+ * `~/.xiaotime/settings.json` (mode 0600) and consulted before every
+ * `executeTool` invocation of the three prompting client-side tools
+ * (`shell_command` / `write_file` / `git_commit`). A match short-
+ * circuits the menu entirely; the inline log line gets an
+ * ` (auto-approved)` suffix so the user can still see what ran.
+ *
+ * Schema is `version: 1`; missing/malformed/unknown-version files
+ * fall back to an empty allowlist (with a stderr warning for
+ * malformed/unknown cases) — never crash the CLI on corrupted local
+ * config (ISC-6509-007).
+ *
+ * Pattern derivation differs per tool (see D2 in the sprint spec):
+ *   - shell_command: argv[0] + leading flags + first subcommand
+ *     token. `npm install --no-save lodash` → "npm install".
+ *     Multi-level subcommand grammars (gh issue list) collapse to
+ *     the first 2 tokens; users can hand-edit settings.json for
+ *     finer-grained patterns.
+ *   - write_file: `dirname(path) + "/**"`. Glob-matched against
+ *     subsequent write_file invocations so allowlisting a write to
+ *     `/repo/foo.ts` covers `/repo/bar.ts`.
+ *   - git_commit: literal `"*"` — allowlisting one commit
+ *     allowlists all future commits (the commit message + staged
+ *     files vary by definition; there's no meaningful pattern
+ *     parameter to narrow on).
+ *
+ * Distinct from `terminal_orchestrator/task_manager.py:57`'s
+ * server-side allowlist (EXACT-NAME on argv[0] basename, binary `gh`
+ * only). That's a security perimeter for `task_create`'s long-running
+ * managed-task envelope; this is a UX gate for client-side tool
+ * approvals. Two allowlists, two audiences, two update cadences.
+ */
+export type AllowlistTool = "shell_command" | "write_file" | "git_commit";
+export interface AllowlistEntry {
+    tool: AllowlistTool;
+    pattern: string;
+    added_at: string;
+}
+/**
+ * Settings-file location. Resolved lazily per call so the
+ * `XIAOTIME_SETTINGS_PATH` env-var override can redirect (used by
+ * tests to avoid touching the real `~/.xiaotime/settings.json`).
+ * Default: `~/.xiaotime/settings.json`.
+ */
+export declare function _settingsPath(): string;
+/**
+ * Read the allowlist from disk. Returns [] for any of:
+ *   - file missing (first run; not an error)
+ *   - file unreadable (permissions; logged + treated as empty)
+ *   - malformed JSON (logged + treated as empty)
+ *   - unknown schema version (logged + treated as empty)
+ *   - shape doesn't match SettingsV1 (silently treated as empty)
+ *
+ * Never throws. The CLI must remain usable when the user has a
+ * corrupted local config (ISC-6509-007).
+ */
+export declare function loadAllowlist(): AllowlistEntry[];
+/**
+ * Append a new entry to the allowlist + persist. Creates
+ * ~/.xiaotime/ with mode 0700 if it doesn't exist; writes
+ * settings.json with mode 0600. Idempotent on duplicate
+ * (tool, pattern) — duplicate appends are silently dropped.
+ */
+export declare function appendAllowlist(entry: {
+    tool: AllowlistTool;
+    pattern: string;
+}): void;
+/**
+ * Derive the allowlist pattern for a tool invocation. Returns null
+ * if the input shape is unusable (empty command, missing path). The
+ * pattern is used both at write time (option-2 selection persists
+ * `derivePattern(tool, input)`) and at read time (the next call's
+ * derived pattern feeds `matchAllowlist`).
+ *
+ * Per D2 in the sprint spec, derivation is coarse on purpose. For
+ * shell_command, the v1 rule captures argv[0] + leading flags + at
+ * most one subcommand token. Multi-level grammars (gh issue list,
+ * git remote add) collapse to 2-token prefixes; users who want finer
+ * patterns can hand-edit settings.json. For write_file, the directory
+ * the file lives in is allowlisted (`/**` suffix); writes deeper in
+ * the tree match. For git_commit, the literal `"*"` allowlists all
+ * future commits.
+ */
+export declare function derivePattern(tool: AllowlistTool, input: Record<string, unknown>): string | null;
+/**
+ * Check whether a tool invocation matches any entry in the
+ * allowlist. Matching semantics differ per tool:
+ *   - shell_command: exact equality between derived pattern and
+ *     stored pattern (`npm install` matches only `npm install`,
+ *     not `npm install lodash` directly — but the derived pattern
+ *     for `npm install lodash` IS `npm install`, so it matches.)
+ *   - write_file: glob-match the incoming path against each
+ *     `write_file` entry's stored glob.
+ *   - git_commit: any `git_commit` entry matches (stored pattern
+ *     is `"*"`).
+ *
+ * The cross-tool isolation invariant (PR3 ISC-spec): an entry with
+ * `tool === "shell_command"` can never authorize a `write_file` call
+ * even if patterns coincidentally match — the tool field is checked
+ * first.
+ */
+export declare function matchAllowlist(tool: AllowlistTool, input: Record<string, unknown>, allowlist: AllowlistEntry[]): AllowlistEntry | null;
+//# sourceMappingURL=settings.d.ts.map

package/dist/settings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.d.ts","sourceRoot":"","sources":["../src/settings.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAMH,MAAM,MAAM,aAAa,GAAG,eAAe,GAAG,YAAY,GAAG,YAAY,CAAC;AAQ1E,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,aAAa,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AASD;;;;;GAKG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAKtC;AAMD;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,IAAI,cAAc,EAAE,CAoChD;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAC9C,IAAI,CAwCN;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,aAAa,CAC3B,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,MAAM,GAAG,IAAI,CA+Cf;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9B,SAAS,EAAE,cAAc,EAAE,GAC1B,cAAc,GAAG,IAAI,CAsBvB"}

package/dist/settings.js

@@ -0,0 +1,332 @@
+"use strict";
+/**
+ * Per-user CLI settings + approval allowlist.
+ *
+ * SPRINT-CLI-APPROVAL-MENU-1 (#6509) PR2.
+ *
+ * Backs the option-2 "Run and don't ask again" path of
+ * `promptApprovalMenu`. Allowlist is persisted to
+ * `~/.xiaotime/settings.json` (mode 0600) and consulted before every
+ * `executeTool` invocation of the three prompting client-side tools
+ * (`shell_command` / `write_file` / `git_commit`). A match short-
+ * circuits the menu entirely; the inline log line gets an
+ * ` (auto-approved)` suffix so the user can still see what ran.
+ *
+ * Schema is `version: 1`; missing/malformed/unknown-version files
+ * fall back to an empty allowlist (with a stderr warning for
+ * malformed/unknown cases) — never crash the CLI on corrupted local
+ * config (ISC-6509-007).
+ *
+ * Pattern derivation differs per tool (see D2 in the sprint spec):
+ *   - shell_command: argv[0] + leading flags + first subcommand
+ *     token. `npm install --no-save lodash` → "npm install".
+ *     Multi-level subcommand grammars (gh issue list) collapse to
+ *     the first 2 tokens; users can hand-edit settings.json for
+ *     finer-grained patterns.
+ *   - write_file: `dirname(path) + "/**"`. Glob-matched against
+ *     subsequent write_file invocations so allowlisting a write to
+ *     `/repo/foo.ts` covers `/repo/bar.ts`.
+ *   - git_commit: literal `"*"` — allowlisting one commit
+ *     allowlists all future commits (the commit message + staged
+ *     files vary by definition; there's no meaningful pattern
+ *     parameter to narrow on).
+ *
+ * Distinct from `terminal_orchestrator/task_manager.py:57`'s
+ * server-side allowlist (EXACT-NAME on argv[0] basename, binary `gh`
+ * only). That's a security perimeter for `task_create`'s long-running
+ * managed-task envelope; this is a UX gate for client-side tool
+ * approvals. Two allowlists, two audiences, two update cadences.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports._settingsPath = _settingsPath;
+exports.loadAllowlist = loadAllowlist;
+exports.appendAllowlist = appendAllowlist;
+exports.derivePattern = derivePattern;
+exports.matchAllowlist = matchAllowlist;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const ALLOWLIST_TOOLS = new Set([
+    "shell_command",
+    "write_file",
+    "git_commit",
+]);
+/**
+ * Settings-file location. Resolved lazily per call so the
+ * `XIAOTIME_SETTINGS_PATH` env-var override can redirect (used by
+ * tests to avoid touching the real `~/.xiaotime/settings.json`).
+ * Default: `~/.xiaotime/settings.json`.
+ */
+function _settingsPath() {
+    return (process.env.XIAOTIME_SETTINGS_PATH
+        ?? path.join(os.homedir(), ".xiaotime", "settings.json"));
+}
+function _settingsDir() {
+    return path.dirname(_settingsPath());
+}
+/**
+ * Read the allowlist from disk. Returns [] for any of:
+ *   - file missing (first run; not an error)
+ *   - file unreadable (permissions; logged + treated as empty)
+ *   - malformed JSON (logged + treated as empty)
+ *   - unknown schema version (logged + treated as empty)
+ *   - shape doesn't match SettingsV1 (silently treated as empty)
+ *
+ * Never throws. The CLI must remain usable when the user has a
+ * corrupted local config (ISC-6509-007).
+ */
+function loadAllowlist() {
+    if (!fs.existsSync(_settingsPath()))
+        return [];
+    let raw;
+    try {
+        raw = fs.readFileSync(_settingsPath(), "utf-8");
+    }
+    catch (err) {
+        process.stderr.write(`[xiaotime] ~/.xiaotime/settings.json unreadable: ${err.message}\n`);
+        return [];
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (err) {
+        process.stderr.write(`[xiaotime] ~/.xiaotime/settings.json malformed JSON, treating as empty: ${err.message}\n`);
+        return [];
+    }
+    const obj = parsed;
+    if (!obj || typeof obj !== "object")
+        return [];
+    if (obj.version !== 1) {
+        process.stderr.write(`[xiaotime] ~/.xiaotime/settings.json: unrecognized schema version ${JSON.stringify(obj.version)}, treating as empty\n`);
+        return [];
+    }
+    const entries = obj.permissions?.allow;
+    if (!Array.isArray(entries))
+        return [];
+    return entries.filter(_isValidEntry);
+}
+/**
+ * Append a new entry to the allowlist + persist. Creates
+ * ~/.xiaotime/ with mode 0700 if it doesn't exist; writes
+ * settings.json with mode 0600. Idempotent on duplicate
+ * (tool, pattern) — duplicate appends are silently dropped.
+ */
+function appendAllowlist(entry) {
+    const existing = loadAllowlist();
+    const isDup = existing.some((e) => e.tool === entry.tool && e.pattern === entry.pattern);
+    if (isDup)
+        return;
+    const newEntries = [
+        ...existing,
+        {
+            tool: entry.tool,
+            pattern: entry.pattern,
+            added_at: new Date().toISOString(),
+        },
+    ];
+    const settings = {
+        version: 1,
+        permissions: { allow: newEntries },
+    };
+    // Directory: mode 0700 (user-only). The settings file's mode is the
+    // load-bearing one but the parent permission tightens the surface
+    // against a hostile-co-tenant scenario on shared boxes.
+    fs.mkdirSync(_settingsDir(), { recursive: true, mode: 0o700 });
+    // openSync + writeSync + closeSync (with O_TRUNC + O_CREAT + 0o600
+    // mode) so the file is created with 0600 from the first byte. Using
+    // writeFileSync's `mode` option only sets mode on CREATE — but on
+    // overwrite of an existing file Node skips chmod entirely on some
+    // platforms. Explicit fchmod closes that gap.
+    const fd = fs.openSync(_settingsPath(), fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_TRUNC, 0o600);
+    try {
+        fs.writeSync(fd, JSON.stringify(settings, null, 2) + "\n");
+        fs.fchmodSync(fd, 0o600);
+    }
+    finally {
+        fs.closeSync(fd);
+    }
+}
+/**
+ * Derive the allowlist pattern for a tool invocation. Returns null
+ * if the input shape is unusable (empty command, missing path). The
+ * pattern is used both at write time (option-2 selection persists
+ * `derivePattern(tool, input)`) and at read time (the next call's
+ * derived pattern feeds `matchAllowlist`).
+ *
+ * Per D2 in the sprint spec, derivation is coarse on purpose. For
+ * shell_command, the v1 rule captures argv[0] + leading flags + at
+ * most one subcommand token. Multi-level grammars (gh issue list,
+ * git remote add) collapse to 2-token prefixes; users who want finer
+ * patterns can hand-edit settings.json. For write_file, the directory
+ * the file lives in is allowlisted (`/**` suffix); writes deeper in
+ * the tree match. For git_commit, the literal `"*"` allowlists all
+ * future commits.
+ */
+function derivePattern(tool, input) {
+    if (tool === "shell_command") {
+        const cmd = String(input.command ?? "").trim();
+        if (!cmd)
+            return null;
+        const tokens = cmd.split(/\s+/);
+        // #6538 CR-r1: guard flag-only input. `"-la -h"` would
+        // otherwise produce pattern `"-la -h"`, which is nonsensical
+        // (no argv[0]) and would persist as a broken allowlist entry.
+        if (tokens[0].startsWith("-"))
+            return null;
+        const result = [tokens[0]];
+        for (let i = 1; i < tokens.length; i++) {
+            const tok = tokens[i];
+            if (tok.startsWith("-")) {
+                result.push(tok);
+                continue;
+            }
+            // First non-flag arg. Treat as a subcommand iff it's at
+            // position 1 (immediately after argv[0]). Otherwise stop —
+            // it's a data argument (path / value / package name) we
+            // don't want to bake into the pattern.
+            if (i === 1)
+                result.push(tok);
+            break;
+        }
+        return result.join(" ");
+    }
+    if (tool === "write_file") {
+        const p = String(input.path ?? "");
+        if (!p)
+            return null;
+        // #6538 CR-r1: normalize BEFORE deriving the pattern. Without
+        // this, a malicious or careless `input.path` like
+        // `"../../etc/passwd"` would persist as allowlist pattern
+        // `"../../etc/**"`, opening every future write to that
+        // resolved location to bypass the prompt. `path.resolve`
+        // anchors against the process cwd; tools.ts calls
+        // `resolvePath` (which uses the session cwd) before the file
+        // write itself, but derivePattern was operating on raw input
+        // — closing the gap here.
+        const normalized = path.resolve(p);
+        return path.dirname(normalized) + path.sep + "**";
+    }
+    if (tool === "git_commit") {
+        return "*";
+    }
+    return null;
+}
+/**
+ * Check whether a tool invocation matches any entry in the
+ * allowlist. Matching semantics differ per tool:
+ *   - shell_command: exact equality between derived pattern and
+ *     stored pattern (`npm install` matches only `npm install`,
+ *     not `npm install lodash` directly — but the derived pattern
+ *     for `npm install lodash` IS `npm install`, so it matches.)
+ *   - write_file: glob-match the incoming path against each
+ *     `write_file` entry's stored glob.
+ *   - git_commit: any `git_commit` entry matches (stored pattern
+ *     is `"*"`).
+ *
+ * The cross-tool isolation invariant (PR3 ISC-spec): an entry with
+ * `tool === "shell_command"` can never authorize a `write_file` call
+ * even if patterns coincidentally match — the tool field is checked
+ * first.
+ */
+function matchAllowlist(tool, input, allowlist) {
+    for (const entry of allowlist) {
+        if (entry.tool !== tool)
+            continue;
+        if (tool === "git_commit")
+            return entry;
+        if (tool === "shell_command") {
+            const derived = derivePattern(tool, input);
+            if (derived !== null && derived === entry.pattern)
+                return entry;
+            continue;
+        }
+        if (tool === "write_file") {
+            const raw = String(input.path ?? "");
+            if (!raw)
+                continue;
+            // #6538 CR-r1: normalize the input path before matching for
+            // the same reason derivePattern does — so `../foo.txt`
+            // resolves to its absolute canonical form before being
+            // compared against stored absolute patterns.
+            const p = path.resolve(raw);
+            if (_globMatch(p, entry.pattern))
+                return entry;
+            continue;
+        }
+    }
+    return null;
+}
+// ── Internals ────────────────────────────────────────────────────
+function _isValidEntry(e) {
+    if (!e || typeof e !== "object")
+        return false;
+    const entry = e;
+    return (typeof entry.tool === "string" &&
+        ALLOWLIST_TOOLS.has(entry.tool) &&
+        typeof entry.pattern === "string" &&
+        typeof entry.added_at === "string");
+}
+/**
+ * Tiny glob matcher. Supports `*` (matches everything) and
+ * `<prefix><sep>**` (matches `<prefix>` and any path under it),
+ * where `<sep>` is the platform path separator (`/` on Unix, `\`
+ * on Windows). Plain patterns require exact equality. Sufficient
+ * for write_file's directory-scope allowlist; not a general-
+ * purpose glob engine.
+ *
+ * #6538 CR-r1: was hardcoded to `/` — broken on Windows where
+ * `path.dirname` returns backslash-separated paths. Now uses
+ * `path.sep` so the comparison matches the form derivePattern
+ * stores (also using `path.sep`).
+ */
+function _globMatch(p, pattern) {
+    if (pattern === "*")
+        return true;
+    const sepGlob = path.sep + "**";
+    if (pattern.endsWith(sepGlob)) {
+        const prefix = pattern.slice(0, -sepGlob.length);
+        return p === prefix || p.startsWith(prefix + path.sep);
+    }
+    // Tolerant of legacy entries that stored `/**` on Unix (no-op
+    // on Linux/macOS; harmless on Windows since path.sep is `\`).
+    if (pattern.endsWith("/**")) {
+        const prefix = pattern.slice(0, -3);
+        return p === prefix || p.startsWith(prefix + "/");
+    }
+    return p === pattern;
+}
+//# sourceMappingURL=settings.js.map

package/dist/settings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.js","sourceRoot":"","sources":["../src/settings.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCH,sCAKC;AAiBD,sCAoCC;AAQD,0CA0CC;AAkBD,sCAkDC;AAmBD,wCA0BC;AA5PD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAIzB,MAAM,eAAe,GAA+B,IAAI,GAAG,CAAC;IAC1D,eAAe;IACf,YAAY;IACZ,YAAY;CACb,CAAC,CAAC;AAeH;;;;;GAKG;AACH,SAAgB,aAAa;IAC3B,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,sBAAsB;WAC/B,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CACzD,CAAC;AACJ,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;AACvC,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,aAAa;IAC3B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,EAAE,CAAC;QAAE,OAAO,EAAE,CAAC;IAE/C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,EAAE,OAAO,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,oDAAqD,GAAa,CAAC,OAAO,IAAI,CAC/E,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,2EAA4E,GAAa,CAAC,OAAO,IAAI,CACtG,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,GAAG,GAAG,MAAoC,CAAC;IACjD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,EAAE,CAAC;IAC/C,IAAI,GAAG,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,qEAAqE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,uBAAuB,CACxH,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC;IACvC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC;IAEvC,OAAO,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,eAAe,CAC7B,KAA+C;IAE/C,MAAM,QAAQ,GAAG,aAAa,EAAE,CAAC;IACjC,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CACzB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,KAAK,CAAC,OAAO,CAC5D,CAAC;IACF,IAAI,KAAK;QAAE,OAAO;IAElB,MAAM,UAAU,GAAqB;QACnC,GAAG,QAAQ;QACX;YACE,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACnC;KACF,CAAC;IACF,MAAM,QAAQ,GAAe;QAC3B,OAAO,EAAE,CAAC;QACV,WAAW,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE;KACnC,CAAC;IAEF,oEAAoE;IACpE,kEAAkE;IAClE,wDAAwD;IACxD,EAAE,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/D,mEAAmE;IACnE,oEAAoE;IACpE,kEAAkE;IAClE,kEAAkE;IAClE,8CAA8C;IAC9C,MAAM,EAAE,GAAG,EAAE,CAAC,QAAQ,CACpB,aAAa,EAAE,EACf,EAAE,CAAC,SAAS,CAAC,QAAQ,GAAG,EAAE,CAAC,SAAS,CAAC,OAAO,GAAG,EAAE,CAAC,SAAS,CAAC,OAAO,EACnE,KAAK,CACN,CAAC;IACF,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3D,EAAE,CAAC,UAAU,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAC3B,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,aAAa,CAC3B,IAAmB,EACnB,KAA8B;IAE9B,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC/C,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAChC,uDAAuD;QACvD,6DAA6D;QAC7D,8DAA8D;QAC9D,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAC3C,MAAM,MAAM,GAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACjB,SAAS;YACX,CAAC;YACD,wDAAwD;YACxD,2DAA2D;YAC3D,wDAAwD;YACxD,uCAAuC;YACvC,IAAI,CAAC,KAAK,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC9B,MAAM;QACR,CAAC;QACD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QAC1B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACnC,IAAI,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACpB,8DAA8D;QAC9D,kDAAkD;QAClD,0DAA0D;QAC1D,uDAAuD;QACvD,yDAAyD;QACzD,kDAAkD;QAClD,6DAA6D;QAC7D,6DAA6D;QAC7D,0BAA0B;QAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC;IACpD,CAAC;IAED,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QAC1B,OAAO,GAAG,CAAC;IACb,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,cAAc,CAC5B,IAAmB,EACnB,KAA8B,EAC9B,SAA2B;IAE3B,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,IAAI,KAAK,IAAI;YAAE,SAAS;QAClC,IAAI,IAAI,KAAK,YAAY;YAAE,OAAO,KAAK,CAAC;QACxC,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC3C,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,CAAC,OAAO;gBAAE,OAAO,KAAK,CAAC;YAChE,SAAS;QACX,CAAC;QACD,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;YACrC,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,4DAA4D;YAC5D,uDAAuD;YACvD,uDAAuD;YACvD,6CAA6C;YAC7C,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,UAAU,CAAC,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC/C,SAAS;QACX,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,oEAAoE;AAEpE,SAAS,aAAa,CAAC,CAAU;IAC/B,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9C,MAAM,KAAK,GAAG,CAA4B,CAAC;IAC3C,OAAO,CACL,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAC9B,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,IAAqB,CAAC;QAChD,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ;QACjC,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,CACnC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,UAAU,CAAC,CAAS,EAAE,OAAe;IAC5C,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACjC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC;IAChC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACjD,OAAO,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACzD,CAAC;IACD,8DAA8D;IAC9D,8DAA8D;IAC9D,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACpC,OAAO,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,CAAC,KAAK,OAAO,CAAC;AACvB,CAAC"}

package/dist/tools.d.ts

@@ -1,9 +1,17 @@
 /**
  * Local tool execution + approval gate.
  *
- * All tools execute on Harvey's machine. write_file and shell_command
- * require explicit y/N approval before executing.
+ * All tools execute on Harvey's machine. write_file, shell_command,
+ * and git_commit pass through `_gateApproval` which checks the
+ * persisted allowlist (`~/.xiaotime/settings.json`) before prompting.
+ * Matching allowlist entries short-circuit the menu; the post-execute
+ * status line is suffixed with ` (auto-approved)` so the user can
+ * see which calls bypassed the prompt (ISC-6509-004).
+ *
+ * Read-only tools (`read_file`, `list_directory`, `git_status`,
+ * `git_diff`) never gate (ISC-6509-006).
  */
+import type { SessionUI } from "./ui_state.js";
 export interface ToolCall {
     tool_use_id: string;
     name: string;
@@ -15,5 +23,5 @@ export interface ToolResult {
     is_error: boolean;
 }
 export declare function setSessionCwd(cwd: string): void;
-export declare function executeTool(call: ToolCall): Promise<ToolResult>;
+export declare function executeTool(call: ToolCall, ui: SessionUI): Promise<ToolResult>;
 //# sourceMappingURL=tools.d.ts.map

package/dist/tools.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tools.d.ts","sourceRoot":"","sources":["../src/tools.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH,MAAM,WAAW,QAAQ;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAID,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,QAExC;AAmBD,wBAAsB,WAAW,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,CAwJrE"}
+{"version":3,"file":"tools.d.ts","sourceRoot":"","sources":["../src/tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAOH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAS/C,MAAM,WAAW,QAAQ;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAID,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,QAExC;AA2ED,wBAAsB,WAAW,CAC/B,IAAI,EAAE,QAAQ,EACd,EAAE,EAAE,SAAS,GACZ,OAAO,CAAC,UAAU,CAAC,CA2KrB"}