oasr 0.4.2__py3-none-any.whl → 0.5.1__py3-none-any.whl

cli.py

@@ -13,7 +13,7 @@ from pathlib import Path
 from commands import adapter, clean, clone, config, diff, exec, find, registry, sync, update, use, validate
 from commands import help as help_cmd
 
-__version__ = "0.4.2"
+__version__ = "0.5.1"
 
 
 def main(argv: list[str] | None = None) -> int:

commands/config.py

@@ -3,8 +3,9 @@
 import argparse
 import sys
 
-from agents import detect_available_agents, get_all_agent_names
+from agents import detect_available_agents
 from config import CONFIG_FILE, load_config, save_config
+from config.schema import validate_agent, validate_profile_reference
 
 
 def register(subparsers: argparse._SubParsersAction) -> None:
@@ -25,6 +26,11 @@ def register(subparsers: argparse._SubParsersAction) -> None:
     )
     set_parser.add_argument("key", help="Configuration key (e.g., 'agent')")
     set_parser.add_argument("value", help="Configuration value")
+    set_parser.add_argument(
+        "--force",
+        action="store_true",
+        help="Skip validation (use carefully)",
+    )
     set_parser.set_defaults(func=run_set)
 
     # config get
@@ -57,40 +63,86 @@ def register(subparsers: argparse._SubParsersAction) -> None:
 
 
 def run_set(args: argparse.Namespace) -> int:
-    """Set a configuration value."""
+    """Set a configuration value with validation."""
     key = args.key.lower()
     value = args.value
+    force = getattr(args, "force", False)
 
-    # Only support agent for now
-    if key == "agent":
-        # Validate agent name
-        valid_agents = get_all_agent_names()
-        if value not in valid_agents:
-            print(
-                f"Error: Invalid agent '{value}'. Must be one of: {', '.join(valid_agents)}",
-                file=sys.stderr,
-            )
+    # Parse key (support dotted notation like "validation.strict")
+    if "." in key:
+        parts = key.split(".", 1)
+        if len(parts) != 2:
+            print(f"Error: Invalid key '{key}'. Use format 'section.field' or 'agent'", file=sys.stderr)
             return 1
+        section, field = parts
+    elif key == "agent":
+        # Special case: bare "agent" means "agent.default"
+        section, field = "agent", "default"
+    else:
+        print(f"Error: Invalid key '{key}'. Use format 'section.field' or 'agent'", file=sys.stderr)
+        return 1
 
-        # Load config, update, save
-        config = load_config(args.config if hasattr(args, "config") else None)
-        config["agent"]["default"] = value
-        save_config(config, args.config if hasattr(args, "config") else None)
+    # Type coercion based on field
+    original_value = value
+    if field == "strict":
+        value = value.lower() in ("true", "1", "yes", "on")
+    elif field == "reference_max_lines":
+        try:
+            value = int(value)
+            if value < 1:
+                print(f"Error: '{field}' must be a positive integer", file=sys.stderr)
+                return 1
+        except ValueError:
+            print(f"Error: '{field}' must be an integer", file=sys.stderr)
+            return 1
 
-        # Show available vs configured
-        available = detect_available_agents()
-        if value in available:
-            print(f"✓ Default agent set to: {value}")
+    # Load config
+    config_path = getattr(args, "config", None)
+    config = load_config(config_path=config_path)
+
+    # Validate before setting (unless --force)
+    if not force:
+        # Validate agent
+        if section == "agent" and field == "default":
+            is_valid, error_msg = validate_agent(value)
+            if not is_valid:
+                print(f"Error: {error_msg}", file=sys.stderr)
+                print("\nTo set anyway, use: oasr config set --force agent <name>", file=sys.stderr)
+                return 1
+
+        # Validate profile reference
+        if section == "oasr" and field == "default_profile":
+            is_valid, error_msg = validate_profile_reference(value, config)
+            if not is_valid:
+                print(f"Error: {error_msg}", file=sys.stderr)
+                print("\nCreate the profile in ~/.oasr/config.toml first, or use:", file=sys.stderr)
+                print(f"  oasr config set --force oasr.default_profile {value}", file=sys.stderr)
+                return 1
+
+    # Set the value
+    if section not in config:
+        config[section] = {}
+
+    config[section][field] = value
+
+    try:
+        save_config(config, config_path=config_path)
+
+        # Show confirmation
+        if section == "agent" and field == "default":
+            # Special handling for agent - check if available
+            available = detect_available_agents()
+            if value in available:
+                print(f"✓ Default agent set to: {value}")
+            else:
+                print(f"✓ Default agent set to: {value}")
+                print(f"  Warning: '{value}' binary not found in PATH. Install it to use this agent.", file=sys.stderr)
         else:
-            print(f"✓ Default agent set to: {value}")
-            print(
-                f"  Warning: '{value}' binary not found in PATH. Install it to use this agent.",
-                file=sys.stderr,
-            )
+            print(f"✓ Set {section}.{field} = {original_value}")
 
         return 0
-    else:
-        print(f"Error: Unsupported config key '{key}'. Only 'agent' is supported.", file=sys.stderr)
+    except ValueError as e:
+        print(f"Error: {e}", file=sys.stderr)
         return 1
 
 

commands/exec.py

@@ -4,6 +4,7 @@ import argparse
 import sys
 from pathlib import Path
 
+import policy
 from agents.registry import detect_available_agents, get_driver
 from config import load_config
 from registry import load_registry
@@ -42,6 +43,21 @@ def setup_parser(subparsers):
         "--agent",
         help="Override the default agent (codex, copilot, claude, opencode)",
     )
+    parser.add_argument(
+        "--profile",
+        help="Execution policy profile to use (default: from config)",
+    )
+    parser.add_argument(
+        "-y",
+        "--yes",
+        action="store_true",
+        help="Skip confirmation prompt for risky operations",
+    )
+    parser.add_argument(
+        "--confirm",
+        action="store_true",
+        help="Force confirmation prompt even for safe operations",
+    )
     parser.set_defaults(func=run)
 
 
@@ -85,12 +101,54 @@ def run(args: argparse.Namespace) -> int:
         # Error already printed by _get_user_prompt
         return 1
 
-    # Determine which agent to use
-    agent_name = _get_agent_name(args)
-    if agent_name is None:
-        # Error already printed by _get_agent_name
+    # === POLICY ENFORCEMENT ===
+    # Build CLI overrides for config loading
+    cli_overrides = {}
+    if args.agent:
+        cli_overrides["agent"] = {"default": args.agent}
+    if args.profile:
+        cli_overrides["oasr"] = cli_overrides.get("oasr", {})
+        cli_overrides["oasr"]["default_profile"] = args.profile
+
+    # Load configuration with precedence: CLI > env > file > defaults
+    config = load_config(cli_overrides=cli_overrides)
+
+    # Determine agent and profile from merged config
+    agent_name = config.get("agent", {}).get("default")
+    profile_name = config.get("oasr", {}).get("default_profile", "safe")
+
+    # Validate agent is set
+    if not agent_name:
+        print(
+            "Error: No agent configured. Set OASR_AGENT, use --agent flag, or run:",
+            file=sys.stderr,
+        )
+        print("  oasr config set agent <name>", file=sys.stderr)
         return 1
 
+    # Load the policy profile
+    profile = policy.load(config, profile_name)
+
+    # Detect execution context for risk assessment
+    stdin_used = not sys.stdin.isatty() and not args.prompt and not args.instructions
+    instructions_file_used = bool(args.instructions)
+
+    # Assess risk and determine if confirmation is needed
+    needs_confirm, reasons = policy.assess_risk(
+        profile=profile,
+        stdin_used=stdin_used,
+        instructions_file_used=instructions_file_used,
+        force_confirm=args.confirm,
+    )
+
+    # Require confirmation unless --yes flag is present
+    if needs_confirm and not args.yes:
+        summary = policy.summarize(profile, skill_name, agent_name)
+        if not policy.prompt_confirmation(summary, reasons):
+            return 1  # User aborted
+
+    # === END POLICY ENFORCEMENT ===
+
     # Get the agent driver
     try:
         driver = get_driver(agent_name)

config/__init__.py

@@ -12,6 +12,7 @@ else:
 import tomli_w
 
 from config.defaults import DEFAULT_CONFIG
+from config.env import load_env_config, merge_configs
 from config.schema import validate_config
 
 OASR_DIR = Path.home() / ".oasr"
@@ -40,34 +41,50 @@ def ensure_skills_dir() -> Path:
     return ensure_oasr_dir()
 
 
-def load_config(config_path: Path | None = None) -> dict[str, Any]:
-    """Load configuration from TOML file.
+def load_config(config_path: Path | None = None, cli_overrides: dict[str, Any] | None = None) -> dict[str, Any]:
+    """Load configuration from multiple sources with precedence.
+
+    Precedence order (highest to lowest):
+        1. cli_overrides - explicit CLI flags
+        2. Environment variables (OASR_*)
+        3. Config file (~/.oasr/config.toml)
+        4. Built-in defaults
 
     Args:
         config_path: Override config file path. Defaults to ~/.oasr/config.toml.
+        cli_overrides: Optional CLI flag overrides (highest precedence)
 
     Returns:
-        Configuration dictionary with defaults applied.
+        Merged configuration dictionary with all sources applied.
     """
     path = config_path or CONFIG_FILE
+    cli_overrides = cli_overrides or {}
 
     # Deep copy defaults
-    config = {
+    defaults = {
         "validation": DEFAULT_CONFIG["validation"].copy(),
         "adapter": DEFAULT_CONFIG["adapter"].copy(),
         "agent": DEFAULT_CONFIG["agent"].copy(),
+        "oasr": DEFAULT_CONFIG["oasr"].copy(),
+        "profiles": {k: v.copy() for k, v in DEFAULT_CONFIG["profiles"].items()},
     }
 
+    # Load config file
+    file_config = {}
     if path.exists():
         with open(path, "rb") as f:
-            loaded = tomllib.load(f)
+            file_config = tomllib.load(f)
+
+    # Load environment variables
+    env_config = load_env_config()
 
-        if "validation" in loaded:
-            config["validation"].update(loaded["validation"])
-        if "adapter" in loaded:
-            config["adapter"].update(loaded["adapter"])
-        if "agent" in loaded:
-            config["agent"].update(loaded["agent"])
+    # Merge all sources with precedence
+    config = merge_configs(
+        cli_overrides=cli_overrides,
+        env_config=env_config,
+        file_config=file_config,
+        defaults=defaults,
+    )
 
     return config
 
@@ -106,4 +123,6 @@ def get_default_config() -> dict[str, Any]:
         "validation": DEFAULT_CONFIG["validation"].copy(),
         "adapter": DEFAULT_CONFIG["adapter"].copy(),
         "agent": DEFAULT_CONFIG["agent"].copy(),
+        "oasr": DEFAULT_CONFIG["oasr"].copy(),
+        "profiles": {k: v.copy() for k, v in DEFAULT_CONFIG["profiles"].items()},
     }

config/defaults.py

@@ -13,4 +13,28 @@ DEFAULT_CONFIG: dict[str, Any] = {
     "agent": {
         "default": None,
     },
+    "oasr": {
+        "default_profile": "safe",
+    },
+    "profiles": {
+        # Built-in safe profile (always available as fallback)
+        "safe": {
+            "fs_read_roots": ["./"],
+            "fs_write_roots": ["./out", "./.oasr"],
+            "deny_paths": [
+                "~/.ssh",
+                "~/.aws",
+                "~/.gnupg",
+                "~/.config",
+                ".env",
+                "~/.bashrc",
+                "~/.zshrc",
+                "~/.profile",
+            ],
+            "allowed_commands": ["rg", "fd", "jq", "cat"],
+            "deny_shell": True,
+            "network": False,
+            "allow_env": False,
+        },
+    },
 }

config/env.py

@@ -0,0 +1,248 @@
+"""Environment variable configuration support.
+
+This module provides functionality to load OASR configuration from environment
+variables, following the pattern: OASR_<SECTION>_<KEY>
+
+Precedence order:
+    1. CLI flags (highest)
+    2. Environment variables
+    3. Config file
+    4. Built-in defaults (lowest)
+
+Environment variable naming:
+    - Prefix: OASR_
+    - Format: OASR_<SECTION>_<KEY> (uppercase, underscore-separated)
+    - Examples:
+        OASR_AGENT=codex             → agent.default = "codex"
+        OASR_PROFILE=dev             → oasr.default_profile = "dev"
+        OASR_VALIDATION_STRICT=true  → validation.strict = true
+
+Type handling:
+    - Strings: as-is
+    - Booleans: true/false, 1/0, yes/no, on/off (case-insensitive)
+    - Integers: parsed with int()
+    - Lists: comma-separated values
+"""
+
+import os
+from typing import Any
+
+# Mapping of environment variable names to config paths
+ENV_VAR_MAP = {
+    "OASR_AGENT": ("agent", "default"),
+    "OASR_PROFILE": ("oasr", "default_profile"),
+    "OASR_VALIDATION_STRICT": ("validation", "strict"),
+    "OASR_VALIDATION_MAX_LINES": ("validation", "reference_max_lines"),
+    "OASR_ADAPTER_TARGETS": ("adapter", "default_targets"),
+}
+
+
+def parse_bool(value: str) -> bool:
+    """Parse boolean from string.
+
+    Args:
+        value: String value to parse
+
+    Returns:
+        Boolean value
+
+    Raises:
+        ValueError: If value cannot be parsed as boolean
+    """
+    value_lower = value.lower()
+    if value_lower in ("true", "1", "yes", "on"):
+        return True
+    if value_lower in ("false", "0", "no", "off"):
+        return False
+    raise ValueError(f"Cannot parse '{value}' as boolean")
+
+
+def parse_int(value: str) -> int:
+    """Parse integer from string.
+
+    Args:
+        value: String value to parse
+
+    Returns:
+        Integer value
+
+    Raises:
+        ValueError: If value cannot be parsed as integer
+    """
+    return int(value)
+
+
+def parse_list(value: str) -> list[str]:
+    """Parse list from comma-separated string.
+
+    Args:
+        value: Comma-separated string
+
+    Returns:
+        List of strings (trimmed)
+    """
+    return [item.strip() for item in value.split(",") if item.strip()]
+
+
+def parse_value(value: str, expected_type: type) -> Any:
+    """Parse environment variable value based on expected type.
+
+    Args:
+        value: String value from environment
+        expected_type: Expected Python type
+
+    Returns:
+        Parsed value of appropriate type
+
+    Raises:
+        ValueError: If value cannot be parsed to expected type
+    """
+    if expected_type is bool:
+        return parse_bool(value)
+    elif expected_type is int:
+        return parse_int(value)
+    elif expected_type is list:
+        return parse_list(value)
+    else:
+        return value  # String, return as-is
+
+
+def load_env_config() -> dict[str, dict[str, Any]]:
+    """Load configuration from environment variables.
+
+    Reads all OASR_* environment variables and converts them to a nested
+    dictionary structure matching the config file format.
+
+    Returns:
+        Nested dictionary with config values from environment variables
+        Example: {"agent": {"default": "codex"}, "oasr": {"default_profile": "safe"}}
+
+    Notes:
+        - Only processes variables defined in ENV_VAR_MAP
+        - Silently skips variables with invalid values (logs warning)
+        - Returns empty sections if no relevant env vars set
+    """
+    config = {}
+
+    for env_var, (section, key) in ENV_VAR_MAP.items():
+        value = os.getenv(env_var)
+        if value is None:
+            continue
+
+        # Determine expected type based on key
+        # This is a heuristic - we infer type from key name
+        expected_type = str  # Default
+        if key == "strict":
+            expected_type = bool
+        elif key == "reference_max_lines":
+            expected_type = int
+        elif key == "default_targets":
+            expected_type = list
+
+        try:
+            parsed_value = parse_value(value, expected_type)
+
+            # Create section if it doesn't exist
+            if section not in config:
+                config[section] = {}
+
+            config[section][key] = parsed_value
+
+        except (ValueError, TypeError) as e:
+            # Log warning but continue (fail-safe)
+            import sys
+
+            print(
+                f"⚠ Warning: Invalid value for {env_var}='{value}': {e}. Skipping.",
+                file=sys.stderr,
+            )
+            continue
+
+    return config
+
+
+def merge_configs(
+    cli_overrides: dict[str, Any],
+    env_config: dict[str, dict[str, Any]],
+    file_config: dict[str, dict[str, Any]],
+    defaults: dict[str, dict[str, Any]],
+) -> dict[str, dict[str, Any]]:
+    """Merge configurations from multiple sources with correct precedence.
+
+    Precedence order (highest to lowest):
+        1. cli_overrides - explicit CLI flags
+        2. env_config - environment variables
+        3. file_config - config file values
+        4. defaults - built-in defaults
+
+    Args:
+        cli_overrides: Values explicitly set via CLI flags
+        env_config: Values from environment variables
+        file_config: Values from config file
+        defaults: Built-in default values
+
+    Returns:
+        Merged configuration dictionary
+
+    Notes:
+        - CLI overrides take precedence over everything
+        - Environment variables override config file
+        - Config file overrides defaults
+        - Sections are merged independently
+    """
+    result = {}
+
+    # Get all sections from all sources
+    all_sections = set()
+    for config in [defaults, file_config, env_config, cli_overrides]:
+        all_sections.update(config.keys())
+
+    # Merge each section with precedence
+    for section in all_sections:
+        result[section] = {}
+
+        # Start with defaults
+        if section in defaults:
+            result[section].update(defaults[section])
+
+        # Override with file config
+        if section in file_config:
+            result[section].update(file_config[section])
+
+        # Override with env config
+        if section in env_config:
+            result[section].update(env_config[section])
+
+        # Override with CLI (if present)
+        if section in cli_overrides:
+            result[section].update(cli_overrides[section])
+
+    return result
+
+
+def get_config_source(
+    section: str,
+    key: str,
+    cli_overrides: dict[str, Any],
+    env_config: dict[str, dict[str, Any]],
+    file_config: dict[str, dict[str, Any]],
+) -> str:
+    """Determine the source of a config value.
+
+    Args:
+        section: Config section name
+        key: Config key name
+        cli_overrides: CLI flag overrides
+        env_config: Environment variable config
+        file_config: Config file values
+
+    Returns:
+        Source string: "cli flag", "env var", "config file", or "default"
+    """
+    if section in cli_overrides and key in cli_overrides[section]:
+        return "cli flag"
+    if section in env_config and key in env_config.get(section, {}):
+        return "env var"
+    if section in file_config and key in file_config.get(section, {}):
+        return "config file"
+    return "default"

config/schema.py

@@ -5,6 +5,44 @@ from typing import Any
 VALID_AGENTS = {"codex", "copilot", "claude", "opencode"}
 
 
+def validate_agent(agent: str | None) -> tuple[bool, str | None]:
+    """Validate agent configuration value.
+
+    Args:
+        agent: Agent name to validate
+
+    Returns:
+        Tuple of (is_valid, error_message)
+    """
+    if agent is None:
+        return (True, None)
+
+    if agent not in VALID_AGENTS:
+        sorted_agents = ", ".join(sorted(VALID_AGENTS))
+        return (False, f"Invalid agent '{agent}'. Valid agents: {sorted_agents}")
+
+    return (True, None)
+
+
+def validate_profile_reference(profile_name: str, config: dict[str, Any]) -> tuple[bool, str | None]:
+    """Validate that a profile reference exists in config.
+
+    Args:
+        profile_name: Profile name to validate
+        config: Full config dictionary
+
+    Returns:
+        Tuple of (is_valid, error_message)
+    """
+    profiles = config.get("profiles", {})
+
+    if profile_name not in profiles:
+        available = ", ".join(sorted(profiles.keys()))
+        return (False, f"Profile '{profile_name}' not found. Available profiles: {available}")
+
+    return (True, None)
+
+
 def validate_config(config: dict[str, Any]) -> None:
     """Validate configuration dictionary.
 
@@ -34,3 +72,40 @@ def validate_config(config: dict[str, Any]) -> None:
             targets = config["adapter"]["default_targets"]
             if not isinstance(targets, list):
                 raise ValueError("adapter.default_targets must be a list")
+
+    if "oasr" in config:
+        if "default_profile" in config["oasr"]:
+            profile = config["oasr"]["default_profile"]
+            if not isinstance(profile, str):
+                raise ValueError("oasr.default_profile must be a string")
+
+    if "profiles" in config:
+        if not isinstance(config["profiles"], dict):
+            raise ValueError("profiles must be a table (dictionary)")
+
+        # Validate each profile structure
+        for profile_name, profile_data in config["profiles"].items():
+            if not isinstance(profile_data, dict):
+                raise ValueError(f"Profile '{profile_name}' must be a table (dictionary)")
+
+            # Validate profile fields if present
+            if "fs_read_roots" in profile_data and not isinstance(profile_data["fs_read_roots"], list):
+                raise ValueError(f"Profile '{profile_name}': fs_read_roots must be a list")
+
+            if "fs_write_roots" in profile_data and not isinstance(profile_data["fs_write_roots"], list):
+                raise ValueError(f"Profile '{profile_name}': fs_write_roots must be a list")
+
+            if "deny_paths" in profile_data and not isinstance(profile_data["deny_paths"], list):
+                raise ValueError(f"Profile '{profile_name}': deny_paths must be a list")
+
+            if "allowed_commands" in profile_data and not isinstance(profile_data["allowed_commands"], list):
+                raise ValueError(f"Profile '{profile_name}': allowed_commands must be a list")
+
+            if "deny_shell" in profile_data and not isinstance(profile_data["deny_shell"], bool):
+                raise ValueError(f"Profile '{profile_name}': deny_shell must be a boolean")
+
+            if "network" in profile_data and not isinstance(profile_data["network"], bool):
+                raise ValueError(f"Profile '{profile_name}': network must be a boolean")
+
+            if "allow_env" in profile_data and not isinstance(profile_data["allow_env"], bool):
+                raise ValueError(f"Profile '{profile_name}': allow_env must be a boolean")

{oasr-0.4.2.dist-info → oasr-0.5.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: oasr
-Version: 0.4.2
+Version: 0.5.1
 Summary: CLI for managing agent skills across IDE integrations
 Project-URL: Homepage, https://github.com/jgodau/asr
 Project-URL: Repository, https://github.com/jgodau/asr

{oasr-0.4.2.dist-info → oasr-0.5.1.dist-info}/RECORD

@@ -1,7 +1,7 @@
 __init__.py,sha256=cYuwXNht5J2GDPEbHz57rmXRyWzaUgAaCXz8okR0rKE,84
 __main__.py,sha256=Due_Us-4KNlLZhf8MkmoP1hWS5qMWmpZvz2ZaCqPHT4,120
 adapter.py,sha256=WEpYkKDTb7We0zU9i6Z-r5ydtUdghNhxTZ5Eq58h4fU,10027
-cli.py,sha256=gb2A9vxiD4q67oRynUJr9W0vHUHm02S2qR56SwAU1MM,2672
+cli.py,sha256=xghN20mgfEeh3vR_Vaiv0i2f1MBN6gk8J0uU3kXRK8g,2672
 discovery.py,sha256=WWF8SN2LH88mOUBJLavM7rvXcxi6uDQGpqRK20GysxA,3298
 manifest.py,sha256=feNCjkFWfhoVubevKjLtKoIEuzT1YGQn6wWgs9XM8_o,12229
 registry.py,sha256=zGutwVP39xaYqc3KDEXMWCV1tORYpqc5JISO8OaWP1Q,4470
@@ -27,9 +27,9 @@ commands/adapter.py,sha256=_68v3t-dRU0mszzL4udKs1bKennyg7RfBTaK2fDGTsE,3215
 commands/add.py,sha256=NJLQ-8-3zy7o6S9VLfL_wauP-Vz0oNGwN3nvtiwxNYM,15255
 commands/clean.py,sha256=RQBAfe6iCLsjMqUyVR55JdYX9MBqgrUuIrA8rFKs1J0,1102
 commands/clone.py,sha256=4APH34-yHjiXQIQwBnKOSEQ_sxV24_GKypcOJMfncvs,5912
-commands/config.py,sha256=PKuOX7CPRAy2j5NG1rhHYDFJT1XvZnOTF2qJW04v34Q,4940
+commands/config.py,sha256=4kzDEjVpwrmMPK_DPYePdQe2lGh_b8waYORZDHCDYZw,6976
 commands/diff.py,sha256=37JMjvfAEfvK7-4X5iFbD-IGkS8ae4YSY7ZDIZF5B9E,5766
-commands/exec.py,sha256=ePbU25PiD9_kYBB0WdY3-A8yDHbSxZXbO3YhNFdlVzg,6706
+commands/exec.py,sha256=zFmxxclpHQF39sqDpR5436XQiEYo334BGcQ5a8gbR9I,8711
 commands/find.py,sha256=zgqwUnaG5aLX6gJIU2ZeQzxsFh2s7oDNNtmV-e-62Jg,1663
 commands/help.py,sha256=5yhIpgGs1xPs2f39lg-ELE7D0tV_uUTjxQsgkWusIwo,1449
 commands/info.py,sha256=zywaUQsrvcPXcX8W49P7Jqnr90pX8nBPqnH1XcIs0Uk,4396
@@ -41,15 +41,20 @@ commands/sync.py,sha256=ZQoB5hBqrzvM6LUQVlKqHQVJib4dB5qe5M-pVG2vtGM,4946
 commands/update.py,sha256=bOWjdTNyeYg-hvXv5GfUzEtsTA7gU9JLM592GI9Oq68,11939
 commands/use.py,sha256=ggB28g2BDg3Lv3nF40wnDAJ7p0mo6C1pc1KgahvQYXM,1452
 commands/validate.py,sha256=Y8TLHxW4Z98onmzu-h-kDIET-48lVaIdQXOvuyBemLw,2361
-config/__init__.py,sha256=hNR-z3XcEI0nVdYbLAD3gvegNRejRJaNwksn1Au2ls0,2885
-config/defaults.py,sha256=mCtLnk641l5wnmEyVfJLozqkBnHheap2Px8A1KTROmA,308
-config/schema.py,sha256=KUebMCokJkymPyNcT2Bwm5BKwXk0SVGdoW24PRNX350,1387
+config/__init__.py,sha256=glSjT1_y4aOfhZ8odrUWCGF1hBbY_huTjVp6suepHDY,3647
+config/defaults.py,sha256=JfCltQYoE7EqBYlxsNrSITLmwifTvRrJe5lqL0Ys7Cs,986
+config/env.py,sha256=WgnQXjhfvV7m1oxZCK9WdIX_rqLy_-BOSuPjbpjdI1c,7163
+config/schema.py,sha256=VlvmiYWjU2hExBJfME90Oyqp-H4OHcUs_hvvp54K9jA,4498
+policy/__init__.py,sha256=0sPJaruOyc9ioNyIcrTW72RgpaE64FgibS0h5mQELb8,1353
+policy/defaults.py,sha256=9GMQM2l2OKTmhXlKwyTfcICR5vD9qEvyvqaR5KrN7ZI,620
+policy/enforcement.py,sha256=djsosjjfdyr0SjnHF2kz4u3glvMNgd1CJztN6yZE-fM,2749
+policy/profile.py,sha256=WDKaUagsWnBPGz5a_OOcxTsdZ66WjaIaR0R7ITVqy8g,6790
 skillcopy/__init__.py,sha256=YUglUkDzKfnCt4ar_DU33ksI9fGyn2UYbV7qn2c_BcU,2322
 skillcopy/local.py,sha256=QH6484dCenjg8pfNOyTRbQQBklEWhkkTnfQok5ssf_4,1049
 skillcopy/remote.py,sha256=83jRA2VfjtSDGO-YM1x3WGJjKvWzK1RmSTL7SdUOz8s,3155
-oasr-0.4.2.dist-info/METADATA,sha256=kzX9QzNlvAXMGO7RuiMpXUBbKj0Zj8LgdobXV3leyoE,17924
-oasr-0.4.2.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-oasr-0.4.2.dist-info/entry_points.txt,sha256=VnMuOi6XYMbzAD2bP0X5uV1sQXjOqoDWJ33Lsxwq8u8,52
-oasr-0.4.2.dist-info/licenses/LICENSE,sha256=nQ1j9Ldb8FlJ-z7y2WuXPIlyfnYC7YPasjGdOBgcfP4,10561
-oasr-0.4.2.dist-info/licenses/NOTICE,sha256=EsfkCN0ZRDS0oj3ADvMKeKrAXaPlC8YfpSjvjGVv9jE,207
-oasr-0.4.2.dist-info/RECORD,,
+oasr-0.5.1.dist-info/METADATA,sha256=fAfdWjbFnZGfRpQ7gJx1IgpKLbaXgpFZz6ddjdzumxc,17924
+oasr-0.5.1.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+oasr-0.5.1.dist-info/entry_points.txt,sha256=VnMuOi6XYMbzAD2bP0X5uV1sQXjOqoDWJ33Lsxwq8u8,52
+oasr-0.5.1.dist-info/licenses/LICENSE,sha256=nQ1j9Ldb8FlJ-z7y2WuXPIlyfnYC7YPasjGdOBgcfP4,10561
+oasr-0.5.1.dist-info/licenses/NOTICE,sha256=EsfkCN0ZRDS0oj3ADvMKeKrAXaPlC8YfpSjvjGVv9jE,207
+oasr-0.5.1.dist-info/RECORD,,

policy/__init__.py

@@ -0,0 +1,50 @@
+"""Execution policy system for OASR.
+
+Enforces host-level security boundaries for skill execution by defining what
+agents can and cannot do. Policy profiles are user-defined in config.toml and
+enforced at runtime before agent invocation.
+
+Usage:
+    import policy
+
+    # Load profile from config
+    profile = policy.load(config, "safe")
+
+    # Assess risk
+    needs_confirm, reasons = policy.assess_risk(
+        profile,
+        stdin_used=True,
+        instructions_file_used=False
+    )
+
+    # Get confirmation if needed
+    if needs_confirm:
+        summary = policy.summarize(profile, skill_name, agent_name)
+        if not policy.prompt_confirmation(summary, reasons):
+            return 1  # aborted
+
+This module does NOT:
+- Detect prompt injection via NLP
+- Rewrite or sanitize prompts
+- Validate skill correctness
+- Implement agent-specific permissions
+
+It DOES:
+- Load and validate policy profiles from config
+- Assess execution risk based on context
+- Require explicit confirmation for risky operations
+- Fail closed with conservative defaults
+"""
+
+from policy.defaults import SAFE as SAFE_DEFAULTS
+from policy.enforcement import assess_risk, prompt_confirmation
+from policy.profile import Profile, load, summarize
+
+__all__ = [
+    "Profile",
+    "load",
+    "summarize",
+    "assess_risk",
+    "prompt_confirmation",
+    "SAFE_DEFAULTS",
+]

policy/defaults.py

@@ -0,0 +1,27 @@
+"""Safe default execution policy profile.
+
+Conservative defaults that fail closed. Used when:
+- No config exists
+- Requested profile not found
+- Config parsing errors occur
+"""
+
+# Safe default profile - conservative and restrictive
+SAFE = {
+    "fs_read_roots": ["./"],
+    "fs_write_roots": ["./out", "./.oasr"],
+    "deny_paths": [
+        "~/.ssh",
+        "~/.aws",
+        "~/.gnupg",
+        "~/.config",
+        ".env",
+        "~/.bashrc",
+        "~/.zshrc",
+        "~/.profile",
+    ],
+    "allowed_commands": ["rg", "fd", "jq", "cat"],
+    "deny_shell": True,
+    "network": False,
+    "allow_env": False,
+}

policy/enforcement.py

@@ -0,0 +1,98 @@
+"""Policy enforcement logic - risk assessment and confirmation prompts.
+
+Determines when execution requires user confirmation and handles the
+confirmation flow.
+"""
+
+from __future__ import annotations
+
+import sys
+
+from policy.profile import Profile
+
+
+def assess_risk(
+    profile: Profile,
+    stdin_used: bool,
+    instructions_file_used: bool,
+    force_confirm: bool = False,
+) -> tuple[bool, list[str]]:
+    """Determine if execution requires user confirmation based on risk triggers.
+
+    Risk triggers:
+    1. Input from stdin (non-interactive) or file
+    2. Profile is not "safe"
+    3. Environment exposure enabled
+    4. Network enabled
+    5. Shell execution allowed
+    6. Force confirmation flag set
+
+    Args:
+        profile: Policy profile being used
+        stdin_used: True if stdin is non-tty (piped input)
+        instructions_file_used: True if prompt read from file
+        force_confirm: Force confirmation even if otherwise safe
+
+    Returns:
+        Tuple of (requires_confirmation, reasons)
+        where reasons is list of human-readable trigger descriptions
+    """
+    reasons = []
+
+    if force_confirm:
+        reasons.append("Explicit confirmation requested (--confirm)")
+
+    if stdin_used:
+        reasons.append("Input from stdin (non-interactive)")
+
+    if instructions_file_used:
+        reasons.append("Prompt loaded from file")
+
+    if profile.name != "safe":
+        reasons.append(f"Non-safe profile '{profile.name}' in use")
+
+    if profile.allow_env:
+        reasons.append("Environment variable access enabled")
+
+    if profile.network:
+        reasons.append("Network access enabled")
+
+    if not profile.deny_shell:
+        reasons.append("Shell execution allowed")
+
+    return (len(reasons) > 0, reasons)
+
+
+def prompt_confirmation(
+    policy_summary: str,
+    reasons: list[str],
+) -> bool:
+    """Display policy summary and prompt for user confirmation.
+
+    Args:
+        policy_summary: Formatted policy summary from profile.summarize()
+        reasons: List of risk trigger reasons
+
+    Returns:
+        True if user confirms, False otherwise
+
+    Notes:
+        - Writes to stderr (not stdout)
+        - Handles Ctrl+C gracefully (returns False)
+        - Default answer is No (safe)
+    """
+    print(policy_summary, file=sys.stderr)
+    print(file=sys.stderr)
+
+    if reasons:
+        print("⚠  This execution requires confirmation due to:", file=sys.stderr)
+        for reason in reasons:
+            print(f"   - {reason}", file=sys.stderr)
+        print(file=sys.stderr)
+
+    try:
+        response = input("Proceed? [y/N] ").strip().lower()
+        return response in ("y", "yes")
+    except (EOFError, KeyboardInterrupt):
+        print("\nAborted.", file=sys.stderr)
+        return False

policy/profile.py

@@ -0,0 +1,185 @@
+"""Policy profile definitions and loading.
+
+Defines what agents can do during skill execution. Profiles are user-defined
+in config.toml and enforced at runtime.
+"""
+
+from __future__ import annotations
+
+import sys
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Any
+
+from policy.defaults import SAFE
+
+
+@dataclass
+class Profile:
+    """Execution policy profile defining agent capabilities and restrictions.
+
+    Attributes:
+        name: Profile identifier (e.g., "safe", "dev")
+        fs_read_roots: Allowed filesystem read locations
+        fs_write_roots: Allowed filesystem write locations
+        deny_paths: Explicitly denied paths (takes precedence)
+        allowed_commands: Permitted shell commands
+        deny_shell: If True, deny all shell/subprocess execution
+        network: Allow network access
+        allow_env: Allow reading environment variables
+    """
+
+    name: str
+    fs_read_roots: list[str] = field(default_factory=lambda: ["./"])
+    fs_write_roots: list[str] = field(default_factory=lambda: ["./out", "./.oasr"])
+    deny_paths: list[str] = field(
+        default_factory=lambda: [
+            "~/.ssh",
+            "~/.aws",
+            "~/.gnupg",
+            "~/.config",
+            ".env",
+            "~/.bashrc",
+            "~/.zshrc",
+            "~/.profile",
+        ]
+    )
+    allowed_commands: list[str] = field(default_factory=lambda: ["rg", "fd", "jq", "cat"])
+    deny_shell: bool = True
+    network: bool = False
+    allow_env: bool = False
+
+    def __post_init__(self):
+        """Resolve and normalize paths after initialization."""
+        self.fs_read_roots = [self._resolve_path(p) for p in self.fs_read_roots]
+        self.fs_write_roots = [self._resolve_path(p) for p in self.fs_write_roots]
+        self.deny_paths = [self._resolve_path(p) for p in self.deny_paths]
+
+    def _resolve_path(self, path: str) -> str:
+        """Resolve path: expand ~, make absolute if relative to cwd.
+
+        Relative paths are workspace-relative (relative to current directory).
+        Tilde (~) is expanded to user home directory.
+
+        Args:
+            path: Path string (may contain ~, be relative or absolute)
+
+        Returns:
+            Normalized absolute path string
+        """
+        p = Path(path).expanduser()
+        if not p.is_absolute():
+            p = Path.cwd() / p
+        return str(p.resolve())
+
+
+def load(config: dict[str, Any], profile_name: str, cwd: Path | None = None) -> Profile:
+    """Load a policy profile from config with fallback to safe defaults.
+
+    Args:
+        config: Full config dict (may contain profiles.<name> tables)
+        profile_name: Name of profile to load (e.g., "safe", "dev")
+        cwd: Working directory for relative path resolution (default: current)
+
+    Returns:
+        Profile with merged defaults + user overrides
+
+    Notes:
+        - Missing profiles fall back to hardcoded safe defaults
+        - Malformed config falls back to safe + logs warning
+        - All paths are resolved to absolute paths
+        - Fail-closed behavior: errors → safe defaults
+    """
+    if cwd:
+        # Temporarily change directory context for path resolution
+        import os
+
+        old_cwd = os.getcwd()
+        try:
+            os.chdir(cwd)
+            return _load_impl(config, profile_name)
+        finally:
+            os.chdir(old_cwd)
+    else:
+        return _load_impl(config, profile_name)
+
+
+def _load_impl(config: dict[str, Any], profile_name: str) -> Profile:
+    """Internal implementation of load()."""
+    # Start with safe defaults
+    profile_data = SAFE.copy()
+
+    # Try to load user-defined profile
+    try:
+        profiles = config.get("profiles", {})
+        if profile_name in profiles:
+            user_profile = profiles[profile_name]
+            # Merge user overrides
+            for key in SAFE.keys():
+                if key in user_profile:
+                    profile_data[key] = user_profile[key]
+        elif profile_name != "safe":
+            # Warn if non-safe profile doesn't exist, but continue with safe defaults
+            print(
+                f"⚠ Warning: Profile '{profile_name}' not found in config. Using 'safe' defaults.",
+                file=sys.stderr,
+            )
+    except Exception as e:
+        # Fail closed: any error in config parsing → safe defaults
+        print(
+            f"⚠ Warning: Error loading profile config: {e}. Using 'safe' defaults.",
+            file=sys.stderr,
+        )
+
+    return Profile(name=profile_name, **profile_data)
+
+
+def summarize(profile: Profile, skill_name: str, agent_name: str) -> str:
+    """Generate human-readable policy summary for confirmation prompt.
+
+    Args:
+        profile: Policy profile to summarize
+        skill_name: Name of skill being executed
+        agent_name: Name of agent being used
+
+    Returns:
+        Formatted multi-line string suitable for stderr output
+    """
+    lines = [
+        "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━",
+        "EXECUTION POLICY REVIEW",
+        "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━",
+        f"Skill:             {skill_name}",
+        f"Agent:             {agent_name}",
+        f"Profile:           {profile.name}",
+        f"Network:           {'allowed' if profile.network else 'denied'}",
+        f"Environment:       {'allowed' if profile.allow_env else 'denied'}",
+        f"Shell:             {'allowed' if not profile.deny_shell else 'denied'}",
+    ]
+
+    # Format allowed commands (truncate if too long)
+    if profile.allowed_commands:
+        commands = ", ".join(profile.allowed_commands)
+        if len(commands) > 60:
+            commands = commands[:57] + "..."
+        lines.append(f"Allowed commands:  {commands}")
+    else:
+        lines.append("Allowed commands:  (none)")
+
+    # Format paths (show first few, indicate if more)
+    lines.append(f"Read roots:        {', '.join(profile.fs_read_roots[:3])}")
+    if len(profile.fs_read_roots) > 3:
+        lines.append(f"                   ... and {len(profile.fs_read_roots) - 3} more")
+
+    lines.append(f"Write roots:       {', '.join(profile.fs_write_roots[:3])}")
+    if len(profile.fs_write_roots) > 3:
+        lines.append(f"                   ... and {len(profile.fs_write_roots) - 3} more")
+
+    # Show some deny paths (not all - could be long)
+    if profile.deny_paths:
+        deny_sample = profile.deny_paths[:5]
+        lines.append(f"Deny paths:        {', '.join(deny_sample)}")
+        if len(profile.deny_paths) > 5:
+            lines.append(f"                   ... and {len(profile.deny_paths) - 5} more")
+
+    return "\n".join(lines)