oasr 0.5.2__py3-none-any.whl → 0.6.0__py3-none-any.whl

commands/update.py

@@ -6,6 +6,8 @@ import argparse
 import json
 import subprocess
 import sys
+import urllib.request
+from importlib import metadata
 from pathlib import Path
 
 
@@ -215,6 +217,51 @@ def get_stats(repo_path: Path, old_commit: str, new_commit: str) -> dict:
     return stats
 
 
+def get_installed_version(package: str = "oasr") -> str | None:
+    """Get installed package version."""
+    try:
+        return metadata.version(package)
+    except metadata.PackageNotFoundError:
+        return None
+
+
+def get_latest_pypi_version(package: str = "oasr") -> str | None:
+    """Fetch the latest version from PyPI."""
+    try:
+        with urllib.request.urlopen(f"https://pypi.org/pypi/{package}/json", timeout=5) as response:
+            data = json.load(response)
+            return data.get("info", {}).get("version")
+    except Exception:
+        return None
+
+
+def upgrade_from_pypi(package: str = "oasr") -> tuple[bool, str]:
+    """Upgrade ASR using uv or pip."""
+    commands = [
+        ["uv", "pip", "install", "--upgrade", package],
+        [sys.executable, "-m", "pip", "install", "--upgrade", package],
+    ]
+    last_error = ""
+
+    for cmd in commands:
+        try:
+            result = subprocess.run(
+                cmd,
+                capture_output=True,
+                text=True,
+                timeout=60,
+            )
+            if result.returncode == 0:
+                runner = "uv" if cmd[0] == "uv" else "pip"
+                return True, f"Updated with {runner}"
+            last_error = result.stderr.strip() or result.stdout.strip()
+        except (subprocess.TimeoutExpired, FileNotFoundError):
+            last_error = "Update timed out" if isinstance(sys.exc_info()[1], subprocess.TimeoutExpired) else last_error
+            continue
+
+    return False, last_error or "Failed to update with pip"
+
+
 def reinstall_asr(repo_path: Path) -> tuple[bool, str]:
     """Reinstall ASR using uv or pip.
 
@@ -293,10 +340,29 @@ def run(args: argparse.Namespace) -> int:
 
     if not repo_path:
         if args.json:
-            print(json.dumps({"success": False, "error": "Could not find ASR git repository"}))
-        else:
-            print("✗ Could not find ASR git repository", file=sys.stderr)
-            print("  Make sure ASR is installed from git (git clone + pip install -e .)", file=sys.stderr)
+            print(
+                json.dumps(
+                    {
+                        "success": False,
+                        "error": "Could not find ASR git repository",
+                        "hint": "Install from git or use pip to update",
+                    }
+                )
+            )
+            return 1
+
+        print("✗ Could not find ASR git repository", file=sys.stderr)
+        print("  This command updates git installs only.", file=sys.stderr)
+        print("  To update PyPI installs:", file=sys.stderr)
+        print("    pip install --upgrade oasr", file=sys.stderr)
+
+        latest_version = get_latest_pypi_version()
+        installed_version = get_installed_version()
+        if latest_version and installed_version and latest_version != installed_version:
+            print(
+                f"\nUpdate available: {installed_version} → {latest_version}",
+                file=sys.stderr,
+            )
         return 1
 
     if not args.quiet and not args.json:
@@ -306,8 +372,10 @@ def run(args: argparse.Namespace) -> int:
     if not (repo_path / ".git").exists():
         if args.json:
             print(json.dumps({"success": False, "error": "Not a git repository"}))
-        else:
-            print(f"✗ {repo_path} is not a git repository", file=sys.stderr)
+            return 1
+        print(f"✗ {repo_path} is not a git repository", file=sys.stderr)
+        print("  Use pip to update PyPI installs:", file=sys.stderr)
+        print("    pip install --upgrade oasr", file=sys.stderr)
         return 1
 
     # Get remote URL
@@ -348,10 +416,24 @@ def run(args: argparse.Namespace) -> int:
 
     # Check if already up to date
     if message == "already_up_to_date":
+        latest_version = get_latest_pypi_version()
+        installed_version = get_installed_version()
+
         if args.json:
-            print(json.dumps({"success": True, "updated": False, "message": "Already up to date"}))
+            payload = {"success": True, "updated": False, "message": "Already up to date"}
+            if latest_version and installed_version:
+                payload["installed_version"] = installed_version
+                payload["latest_version"] = latest_version
+                payload["pypi_update_available"] = latest_version != installed_version
+            print(json.dumps(payload))
         else:
             print("✓ Already up to date")
+            if latest_version and installed_version and latest_version != installed_version:
+                print(
+                    f"\nPyPI update available: {installed_version} → {latest_version}",
+                    file=sys.stderr,
+                )
+                print("Run: pip install --upgrade oasr", file=sys.stderr)
         return 0
 
     # Get new commit

completions/bash.sh

@@ -20,13 +20,13 @@ _oasr_agents() {
 _oasr_profiles() {
     # Get profile names from config
     local profiles
-    profiles=$(oasr config list 2>/dev/null | grep "^profiles\." | sed 's/^profiles\.\([^=]*\)=.*/\1/' | sort -u)
+    profiles=$(oasr config profiles --names 2>/dev/null)
     COMPREPLY=($(compgen -W "$profiles" -- "${COMP_WORDS[COMP_CWORD]}"))
 }
 
 _oasr_config_keys() {
     # Common config keys
-    COMPREPLY=($(compgen -W "agent profile adapter.default validation.strict validation.show_references oasr.completions" -- "${COMP_WORDS[COMP_CWORD]}"))
+    COMPREPLY=($(compgen -W "agent profile oasr.default_profile adapter.default_targets validation.strict validation.reference_max_lines oasr.completions" -- "${COMP_WORDS[COMP_CWORD]}"))
 }
 
 _oasr_completion_shells() {
@@ -39,7 +39,7 @@ _oasr() {
 
     # Top-level commands
     if [ $COMP_CWORD -eq 1 ]; then
-        COMPREPLY=($(compgen -W "registry diff sync config clone exec use find validate clean adapter update info help completion" -- "$cur"))
+        COMPREPLY=($(compgen -W "registry diff sync config profile clone exec use find validate clean adapter update info help completion" -- "$cur"))
         return 0
     fi
 
@@ -69,7 +69,7 @@ _oasr() {
                 *)
                     # Complete skill names and flags
                     if [[ "$cur" == -* ]]; then
-                        COMPREPLY=($(compgen -W "--agent --profile --agent-flags -y --yes --confirm -p --prompt" -- "$cur"))
+                        COMPREPLY=($(compgen -W "--agent --profile --agent-flags -y --yes --confirm -p --prompt --unsafe" -- "$cur"))
                     else
                         _oasr_skills
                     fi
@@ -111,7 +111,7 @@ _oasr() {
 
         config)
             if [ $COMP_CWORD -eq 2 ]; then
-                COMPREPLY=($(compgen -W "set get list path" -- "$cur"))
+                COMPREPLY=($(compgen -W "set get list agent validation adapter oasr profiles man validate path" -- "$cur"))
                 return 0
             fi
 
@@ -127,12 +127,18 @@ _oasr() {
                             agent)
                                 _oasr_agents
                                 ;;
-                            profile)
+                            profile|oasr.default_profile)
                                 _oasr_profiles
                                 ;;
                             validation.strict|oasr.completions)
                                 COMPREPLY=($(compgen -W "true false" -- "$cur"))
                                 ;;
+                            adapter.default_targets)
+                                return 0
+                                ;;
+                            validation.reference_max_lines)
+                                return 0
+                                ;;
                         esac
                     fi
                     return 0
@@ -186,6 +192,13 @@ _oasr() {
             fi
             ;;
 
+        profile)
+            if [ $COMP_CWORD -eq 2 ]; then
+                _oasr_profiles
+                return 0
+            fi
+            ;;
+
         find|validate|sync|diff|clean|update|help)
             # These commands have limited or no additional completion
             return 0

completions/fish.fish

@@ -18,15 +18,16 @@ function __oasr_agents
 end
 
 function __oasr_profiles
-    oasr config list 2>/dev/null | grep '^profiles\.' | sed 's/^profiles\.\([^=]*\)=.*/\1/' | sort -u
+    oasr config profiles --names 2>/dev/null
 end
 
 function __oasr_config_keys
     echo agent
     echo profile
-    echo adapter.default
+    echo oasr.default_profile
+    echo adapter.default_targets
     echo validation.strict
-    echo validation.show_references
+    echo validation.reference_max_lines
     echo oasr.completions
 end
 
@@ -45,6 +46,7 @@ complete -c oasr -f -n __fish_use_subcommand -a registry -d "Manage skill regist
 complete -c oasr -f -n __fish_use_subcommand -a diff -d "Show tracked skill status"
 complete -c oasr -f -n __fish_use_subcommand -a sync -d "Refresh tracked skills"
 complete -c oasr -f -n __fish_use_subcommand -a config -d "Manage configuration"
+complete -c oasr -f -n __fish_use_subcommand -a profile -d "Select execution profile"
 complete -c oasr -f -n __fish_use_subcommand -a clone -d "Clone skills to directory"
 complete -c oasr -f -n __fish_use_subcommand -a exec -d "Execute a skill"
 complete -c oasr -f -n __fish_use_subcommand -a use -d "DEPRECATED - use clone"
@@ -58,6 +60,7 @@ complete -c oasr -f -n __fish_use_subcommand -a help -d "Show help"
 complete -c oasr -f -n __fish_use_subcommand -a completion -d "Manage shell completions"
 
 # exec command
+complete -c oasr -f -n "__fish_seen_subcommand_from exec" -l unsafe -d "Pass unsafe agent flags"
 complete -c oasr -f -n "__fish_seen_subcommand_from exec" -l agent -d "Agent to use" -a "(__oasr_agents)"
 complete -c oasr -f -n "__fish_seen_subcommand_from exec" -l profile -d "Policy profile" -a "(__oasr_profiles)"
 complete -c oasr -f -n "__fish_seen_subcommand_from exec" -l agent-flags -d "Additional agent flags"
@@ -78,17 +81,28 @@ complete -c oasr -f -n "__fish_seen_subcommand_from info; and not __fish_seen_su
 complete -c oasr -f -n "__fish_seen_subcommand_from validate; and not __fish_seen_subcommand_from (__oasr_skills)" -a "(__oasr_skills)" -d "Skill"
 
 # config subcommands
-complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list path" -a "set" -d "Set configuration value"
-complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list path" -a "get" -d "Get configuration value"
-complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list path" -a "list" -d "List all configuration"
-complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list path" -a "path" -d "Show config file path"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list agent validation adapter oasr profiles man validate path" -a "set" -d "Set configuration value"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list agent validation adapter oasr profiles man validate path" -a "get" -d "Get configuration value"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list agent validation adapter oasr profiles man validate path" -a "list" -d "List all configuration"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list agent validation adapter oasr profiles man validate path" -a "agent" -d "Show agent configuration"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list agent validation adapter oasr profiles man validate path" -a "validation" -d "Show validation settings"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list agent validation adapter oasr profiles man validate path" -a "adapter" -d "Show adapter settings"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list agent validation adapter oasr profiles man validate path" -a "oasr" -d "Show core settings"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list agent validation adapter oasr profiles man validate path" -a "profiles" -d "Show profiles"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list agent validation adapter oasr profiles man validate path" -a "man" -d "Show config reference"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list agent validation adapter oasr profiles man validate path" -a "validate" -d "Validate config file"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and not __fish_seen_subcommand_from set get list agent validation adapter oasr profiles man validate path" -a "path" -d "Show config file path"
 
 # config set/get
 complete -c oasr -f -n "__fish_seen_subcommand_from config; and __fish_seen_subcommand_from set get" -a "(__oasr_config_keys)" -d "Config key"
 complete -c oasr -f -n "__fish_seen_subcommand_from config; and __fish_seen_subcommand_from set; and __fish_seen_subcommand_from agent" -a "(__oasr_agents)" -d "Agent"
 complete -c oasr -f -n "__fish_seen_subcommand_from config; and __fish_seen_subcommand_from set; and __fish_seen_subcommand_from profile" -a "(__oasr_profiles)" -d "Profile"
+complete -c oasr -f -n "__fish_seen_subcommand_from config; and __fish_seen_subcommand_from set; and __fish_seen_subcommand_from oasr.default_profile" -a "(__oasr_profiles)" -d "Profile"
 complete -c oasr -f -n "__fish_seen_subcommand_from config; and __fish_seen_subcommand_from set; and __fish_seen_subcommand_from validation.strict oasr.completions" -a "true false" -d "Boolean"
 
+# profile command
+complete -c oasr -f -n "__fish_seen_subcommand_from profile" -a "(__oasr_profiles)" -d "Profile"
+
 # registry subcommands
 complete -c oasr -f -n "__fish_seen_subcommand_from registry; and not __fish_seen_subcommand_from add rm sync list validate prune" -a "add" -d "Add skill to registry"
 complete -c oasr -f -n "__fish_seen_subcommand_from registry; and not __fish_seen_subcommand_from add rm sync list validate prune" -a "rm" -d "Remove skill from registry"

completions/powershell.ps1

@@ -18,10 +18,8 @@ function Get-OasrAgents {
 }
 
 function Get-OasrProfiles {
-    $profiles = oasr config list 2>$null | Select-String '^profiles\.' | ForEach-Object {
-        if ($_ -match '^profiles\.([^=]+)=') {
-            $matches[1]
-        }
+    $profiles = oasr config profiles --names 2>$null | ForEach-Object {
+        $_
     } | Sort-Object -Unique
     return $profiles
 }
@@ -30,9 +28,10 @@ function Get-OasrConfigKeys {
     return @(
         'agent',
         'profile',
-        'adapter.default',
+        'oasr.default_profile',
+        'adapter.default_targets',
         'validation.strict',
-        'validation.show_references',
+        'validation.reference_max_lines',
         'oasr.completions'
     )
 }
@@ -48,7 +47,7 @@ $oasrCompletion = {
     # First argument - main commands
     if ($elementCount -eq 2) {
         $commands = @(
-            'registry', 'diff', 'sync', 'config', 'clone', 'exec', 'use',
+            'registry', 'diff', 'sync', 'config', 'profile', 'clone', 'exec', 'use',
             'find', 'validate', 'clean', 'adapter', 'update', 'info',
             'help', 'completion'
         )
@@ -79,7 +78,7 @@ $oasrCompletion = {
                 }
                 default {
                     if ($wordToComplete -like '-*') {
-                        @('--agent', '--profile', '--agent-flags', '-y', '--yes', '--confirm', '-p', '--prompt') |
+                        @('--agent', '--profile', '--agent-flags', '-y', '--yes', '--confirm', '-p', '--prompt', '--unsafe') |
                             Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
                             [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
                         }
@@ -93,6 +92,67 @@ $oasrCompletion = {
             }
         }
 
+        'config' {
+            if ($elementCount -eq 3) {
+                @('set', 'get', 'list', 'agent', 'validation', 'adapter', 'oasr', 'profiles', 'man', 'validate', 'path') |
+                    Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+                    [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+                }
+                return
+            }
+
+            $prevWord = if ($elementCount -gt 2) { $elements[$elementCount - 2].Value } else { '' }
+            if ($prevWord -eq 'set' -and $elementCount -eq 4) {
+                Get-OasrConfigKeys | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+                    [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', "Key: $_")
+                }
+                return
+            }
+
+            if ($prevWord -eq 'set' -and $elementCount -eq 5) {
+                $key = $elements[3].Value
+                switch ($key) {
+                    'agent' {
+                        Get-OasrAgents | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+                            [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', "Agent: $_")
+                        }
+                        return
+                    }
+                    'profile' { 
+                        Get-OasrProfiles | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+                            [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', "Profile: $_")
+                        }
+                        return
+                    }
+                    'oasr.default_profile' {
+                        Get-OasrProfiles | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+                            [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', "Profile: $_")
+                        }
+                        return
+                    }
+                    'validation.strict' { 
+                        @('true', 'false') | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+                            [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+                        }
+                        return
+                    }
+                    'oasr.completions' { 
+                        @('true', 'false') | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+                            [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+                        }
+                        return
+                    }
+                }
+            }
+
+            if ($elements[2].Value -eq 'get' -and $elementCount -eq 4) {
+                Get-OasrConfigKeys | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+                    [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', "Key: $_")
+                }
+                return
+            }
+        }
+
         'completion' {
             if ($elementCount -eq 3) {
                 @('bash', 'zsh', 'fish', 'powershell', 'install', 'uninstall') | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
@@ -108,6 +168,15 @@ $oasrCompletion = {
             }
             return
         }
+
+        'profile' {
+            if ($elementCount -eq 3) {
+                Get-OasrProfiles | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+                    [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', "Profile: $_")
+                }
+                return
+            }
+        }
     }
 }
 

completions/zsh.sh

@@ -25,7 +25,7 @@ _oasr_agents() {
 
 _oasr_profiles() {
     local profiles
-    profiles=(${(f)"$(oasr config list 2>/dev/null | grep '^profiles\.' | sed 's/^profiles\.\([^=]*\)=.*/\1/' | sort -u)"})
+    profiles=(${(f)"$(oasr config profiles --names 2>/dev/null)"})
     _describe 'profile' profiles
 }
 
@@ -34,9 +34,9 @@ _oasr_config_keys() {
     keys=(
         'agent:Default agent'
         'profile:Default policy profile'
-        'adapter.default:Default adapter target'
+        'adapter.default_targets:Default adapter targets'
         'validation.strict:Strict validation'
-        'validation.show_references:Show references'
+        'validation.reference_max_lines:Reference max lines'
         'oasr.completions:Enable completions'
     )
     _describe 'config key' keys
@@ -48,7 +48,8 @@ _oasr_exec() {
         '--profile[Policy profile]:profile:_oasr_profiles' \
         '--agent-flags[Additional agent flags]:flags:' \
         '(-y --yes)'{-y,--yes}'[Skip confirmation]' \
-        '--confirm[Force confirmation]' \
+        '--confirm[Force confirmation] \
+        --unsafe[Pass unsafe agent flags]' \
         '(-p --prompt)'{-p,--prompt}'[Prompt from file]:file:_files' \
         '1:skill:_oasr_skills'
 }
@@ -76,6 +77,13 @@ _oasr_config() {
         'set:Set a configuration value'
         'get:Get a configuration value'
         'list:List all configuration'
+        'agent:Show agent configuration'
+        'validation:Show validation settings'
+        'adapter:Show adapter settings'
+        'oasr:Show core settings'
+        'profiles:Show profiles'
+        'man:Show config reference'
+        'validate:Validate config file'
         'path:Show config file path'
     )
 
@@ -97,12 +105,18 @@ _oasr_config() {
                             agent)
                                 _oasr_agents
                                 ;;
-                            profile)
+                            profile|oasr.default_profile)
                                 _oasr_profiles
                                 ;;
                             validation.strict|oasr.completions)
                                 _values 'boolean' true false
                                 ;;
+                            validation.reference_max_lines)
+                                _message 'integer'
+                                ;;
+                            adapter.default_targets)
+                                _message 'comma-separated list'
+                                ;;
                         esac
                     fi
                     ;;
@@ -114,6 +128,11 @@ _oasr_config() {
     esac
 }
 
+_oasr_profile() {
+    _arguments \
+        '1:profile:_oasr_profiles'
+}
+
 _oasr_registry() {
     local -a subcommands
     subcommands=(
@@ -199,6 +218,7 @@ _oasr() {
         'diff:Show tracked skill status'
         'sync:Refresh tracked skills'
         'config:Manage configuration'
+        'profile:Select execution profile'
         'clone:Clone skills to directory'
         'exec:Execute a skill'
         'use:DEPRECATED - use clone instead'
@@ -230,6 +250,9 @@ _oasr() {
                 exec)
                     _oasr_exec
                     ;;
+                profile)
+                    _oasr_profile
+                    ;;
                 clone)
                     _oasr_clone
                     ;;
@@ -242,6 +265,9 @@ _oasr() {
                 config)
                     _oasr_config
                     ;;
+                profile)
+                    _oasr_profile
+                    ;;
                 registry)
                     _oasr_registry
                     ;;

config/__init__.py

@@ -14,6 +14,7 @@ import tomli_w
 from config.defaults import DEFAULT_CONFIG
 from config.env import load_env_config, merge_configs
 from config.schema import validate_config
+from profiles.loader import load_profiles
 
 OASR_DIR = Path.home() / ".oasr"
 CONFIG_FILE = OASR_DIR / "config.toml"
@@ -75,6 +76,16 @@ def load_config(config_path: Path | None = None, cli_overrides: dict[str, Any] |
         with open(path, "rb") as f:
             file_config = tomllib.load(f)
 
+    if not isinstance(file_config, dict):
+        file_config = {}
+
+    # Merge profile files with inline profiles (inline wins)
+    inline_profiles = file_config.get("profiles", {})
+    if not isinstance(inline_profiles, dict):
+        inline_profiles = {}
+    merged_profiles = load_profiles(inline_profiles=inline_profiles)
+    file_config["profiles"] = merged_profiles
+
     # Load environment variables
     env_config = load_env_config()
 

config/defaults.py

@@ -2,6 +2,8 @@
 
 from typing import Any
 
+from profiles.builtins import BUILTIN_PROFILES
+
 DEFAULT_CONFIG: dict[str, Any] = {
     "validation": {
         "reference_max_lines": 500,
@@ -15,26 +17,7 @@ DEFAULT_CONFIG: dict[str, Any] = {
     },
     "oasr": {
         "default_profile": "safe",
+        "completions": True,
     },
-    "profiles": {
-        # Built-in safe profile (always available as fallback)
-        "safe": {
-            "fs_read_roots": ["./"],
-            "fs_write_roots": ["./out", "./.oasr"],
-            "deny_paths": [
-                "~/.ssh",
-                "~/.aws",
-                "~/.gnupg",
-                "~/.config",
-                ".env",
-                "~/.bashrc",
-                "~/.zshrc",
-                "~/.profile",
-            ],
-            "allowed_commands": ["rg", "fd", "jq", "cat"],
-            "deny_shell": True,
-            "network": False,
-            "allow_env": False,
-        },
-    },
+    "profiles": {name: values.copy() for name, values in BUILTIN_PROFILES.items()},
 }

config/schema.py

@@ -2,6 +2,8 @@
 
 from typing import Any
 
+from profiles.validation import validate_profiles
+
 VALID_AGENTS = {"codex", "copilot", "claude", "opencode"}
 
 
@@ -80,32 +82,4 @@ def validate_config(config: dict[str, Any]) -> None:
                 raise ValueError("oasr.default_profile must be a string")
 
     if "profiles" in config:
-        if not isinstance(config["profiles"], dict):
-            raise ValueError("profiles must be a table (dictionary)")
-
-        # Validate each profile structure
-        for profile_name, profile_data in config["profiles"].items():
-            if not isinstance(profile_data, dict):
-                raise ValueError(f"Profile '{profile_name}' must be a table (dictionary)")
-
-            # Validate profile fields if present
-            if "fs_read_roots" in profile_data and not isinstance(profile_data["fs_read_roots"], list):
-                raise ValueError(f"Profile '{profile_name}': fs_read_roots must be a list")
-
-            if "fs_write_roots" in profile_data and not isinstance(profile_data["fs_write_roots"], list):
-                raise ValueError(f"Profile '{profile_name}': fs_write_roots must be a list")
-
-            if "deny_paths" in profile_data and not isinstance(profile_data["deny_paths"], list):
-                raise ValueError(f"Profile '{profile_name}': deny_paths must be a list")
-
-            if "allowed_commands" in profile_data and not isinstance(profile_data["allowed_commands"], list):
-                raise ValueError(f"Profile '{profile_name}': allowed_commands must be a list")
-
-            if "deny_shell" in profile_data and not isinstance(profile_data["deny_shell"], bool):
-                raise ValueError(f"Profile '{profile_name}': deny_shell must be a boolean")
-
-            if "network" in profile_data and not isinstance(profile_data["network"], bool):
-                raise ValueError(f"Profile '{profile_name}': network must be a boolean")
-
-            if "allow_env" in profile_data and not isinstance(profile_data["allow_env"], bool):
-                raise ValueError(f"Profile '{profile_name}': allow_env must be a boolean")
+        validate_profiles(config["profiles"])