feat: add permission policy engine with configurable per-job/per-plan rules (#69)

Author: nigel-dev

src/lib/config.ts

@@ -3,6 +3,7 @@ import { homedir } from 'os';
 import { z } from 'zod';
 import { getDataDir } from './paths';
 import { MCConfigSchema, PartialMCConfigSchema } from './schemas';
+import { PermissionPolicy } from './permission-policy';
 import { atomicWrite } from './utils';
 
 export type WorktreeSetup = {
@@ -26,6 +27,7 @@ const DEFAULT_CONFIG: MCConfig = {
   portRangeStart: 14100,
   portRangeEnd: 14199,
   fixBeforeRollbackTimeout: 120000,
+  defaultPermissionPolicy: PermissionPolicy.getDefaultPolicy(),
   omo: {
     enabled: false,
     defaultMode: 'vanilla',

src/lib/monitor.ts

@@ -2,9 +2,11 @@ import { EventEmitter } from 'events';
 import { getRunningJobs, updateJob, type Job } from './job-state.js';
 import { isPaneRunning, capturePane, captureExitStatus } from './tmux.js';
 import { loadConfig } from './config.js';
-import { readReport, type AgentReport } from './reports.js';
+import { readReport } from './reports.js';
 import { createJobClient } from './sdk-client.js';
 import { QuestionRelay, type PermissionRequest } from './question-relay.js';
+import { loadPlan } from './plan-state.js';
+import { PermissionPolicy, type PermissionPolicyConfig } from './permission-policy.js';
 import type { OpencodeClient } from '@opencode-ai/sdk';
 
 type JobEventType = 'complete' | 'failed' | 'blocked' | 'needs_review' | 'awaiting_input' | 'agent_report';
@@ -299,40 +301,125 @@ export class JobMonitor extends EventEmitter {
       }
 
       case 'permission.updated': {
-        const permission: PermissionRequest = {
-          id: event.properties?.id || event.id || 'unknown',
-          type: this.inferPermissionType(event),
-          path: event.properties?.path || event.path,
-          description: event.properties?.description || event.description || 'Unknown permission request',
-        };
-
-        const accumulator = this.getOrCreateEventAccumulator(job.id);
-        await this.questionRelay.handlePermissionRequest(job, permission, accumulator.currentFile);
+        void this.handlePermissionUpdate(job, event);
         break;
       }
     }
   }
 
   private inferPermissionType(event: any): PermissionRequest['type'] {
     const eventData = event.properties || event;
-    const typeHint = eventData.type || eventData.permissionType || '';
+    const metadata = eventData.metadata ?? {};
+    const typeHint = String(eventData.type || eventData.permissionType || metadata.type || '').toLowerCase();
 
-    if (typeHint.includes('file') || typeHint.includes('write') || typeHint.includes('edit')) {
-      return 'file_operation';
-    }
-    if (typeHint.includes('shell') || typeHint.includes('command') || typeHint.includes('exec')) {
-      return 'shell_command';
+    if (typeHint.includes('mcp') || typeHint.includes('tool')) {
+      return 'mcp';
     }
-    if (typeHint.includes('network') || typeHint.includes('http') || typeHint.includes('fetch')) {
+    if (typeHint.includes('network') || typeHint.includes('http') || typeHint.includes('fetch') || typeHint.includes('web')) {
       return 'network';
     }
-    if (typeHint.includes('mcp') || typeHint.includes('tool')) {
-      return 'mcp';
+    if (typeHint.includes('shell') || typeHint.includes('command') || typeHint.includes('exec') || typeHint.includes('bash')) {
+      return 'shell_command';
+    }
+    if (typeHint.includes('file') || typeHint.includes('write') || typeHint.includes('edit') || typeHint === 'read') {
+      return 'file_operation';
     }
 
     return 'other';
   }
 
+  private extractString(value: unknown): string | undefined {
+    return typeof value === 'string' && value.length > 0 ? value : undefined;
+  }
+
+  private extractPermissionPath(event: any): string | undefined {
+    const eventData = event.properties || event;
+    const metadata = eventData.metadata;
+
+    const directPath = this.extractString(eventData.path)
+      ?? this.extractString(eventData.file)
+      ?? this.extractString(event.path);
+    if (directPath) {
+      return directPath;
+    }
+
+    if (metadata && typeof metadata === 'object') {
+      const metadataPath = (metadata as Record<string, unknown>).path;
+      return this.extractString(metadataPath);
+    }
+
+    return undefined;
+  }
+
+  private buildPermissionRequest(event: any): PermissionRequest {
+    const eventData = event.properties || event;
+    const rawType = this.extractString(eventData.type) || this.extractString(eventData.permissionType) || 'unknown';
+    const path = this.extractPermissionPath(event);
+    const description = this.extractString(eventData.description)
+      || this.extractString(eventData.title)
+      || this.extractString(event.description)
+      || 'Unknown permission request';
+
+    return {
+      id: this.extractString(eventData.id) || this.extractString(event.id) || 'unknown',
+      type: this.inferPermissionType(event),
+      path,
+      target: path,
+      action: this.extractString(eventData.title) || rawType,
+      rawType,
+      description,
+    };
+  }
+
+  private async resolvePolicyForJob(job: Job): Promise<PermissionPolicy> {
+    const config = await loadConfig();
+    const globalPolicy = config.defaultPermissionPolicy;
+
+    let planPolicy: PermissionPolicyConfig | undefined;
+    let jobPolicy: PermissionPolicyConfig | undefined;
+
+    if (job.planId) {
+      const plan = await loadPlan();
+      if (plan && plan.id === job.planId) {
+        planPolicy = plan.permissionPolicy;
+        jobPolicy = plan.jobs.find((planJob) => planJob.name === job.name)?.permissionPolicy;
+      }
+    }
+
+    return PermissionPolicy.resolvePolicy({
+      jobPolicy,
+      planPolicy,
+      globalPolicy,
+    });
+  }
+
+  private async handlePermissionUpdate(job: Job, event: any): Promise<void> {
+    try {
+      const permission = this.buildPermissionRequest(event);
+      const accumulator = this.getOrCreateEventAccumulator(job.id);
+      const policy = await this.resolvePolicyForJob(job);
+      const decision = policy.evaluate(permission, { worktreePath: job.worktreePath });
+      const decisionLog = policy.getDecisionLog();
+      const lastLog = decisionLog[decisionLog.length - 1];
+      const reason = lastLog?.reason ?? 'Permission decision from policy';
+
+      if (decision === 'auto-approve') {
+        await this.questionRelay.respondToPermission(job, permission.id, true, `Auto-approved by permission policy: ${reason}`);
+        return;
+      }
+
+      if (decision === 'deny') {
+        await this.questionRelay.respondToPermission(job, permission.id, false, `Denied by permission policy: ${reason}`);
+        console.warn(`[Monitor] Permission denied by policy for job ${job.name}: ${permission.description}`);
+        return;
+      }
+
+      await this.questionRelay.handlePermissionRequest(job, permission, accumulator.currentFile);
+    } catch (error) {
+      console.error(`[Monitor] Failed to process permission update for job ${job.name}:`, error);
+    }
+  }
+
   private isServeModeJob(job: Job): boolean {
     return job.port !== undefined && job.port > 0;
   }

src/lib/permission-policy.ts

@@ -0,0 +1,213 @@
+import { resolve } from 'path';
+
+export type PermissionPolicyDecision = 'auto-approve' | 'deny' | 'ask-user';
+
+export type PolicyScopedRule = {
+  insideWorktree: PermissionPolicyDecision;
+  outsideWorktree: PermissionPolicyDecision;
+};
+
+export type PermissionPolicyConfig = {
+  permissions: {
+    fileEdit: PolicyScopedRule;
+    shellCommand: PolicyScopedRule;
+    networkAccess: PermissionPolicyDecision;
+    installPackages: PermissionPolicyDecision;
+    mcpTools: PermissionPolicyDecision;
+  };
+};
+
+export type PermissionPolicyRequest = {
+  type: 'file_operation' | 'shell_command' | 'network' | 'mcp' | 'other';
+  path?: string;
+  description?: string;
+  action?: string;
+  target?: string;
+};
+
+export type PermissionJobContext = {
+  worktreePath: string;
+};
+
+export type PermissionPolicyLogEntry = {
+  timestamp: string;
+  permissionType: keyof PermissionPolicyConfig['permissions'] | 'unknown';
+  action: string;
+  target: string;
+  policyDecision: PermissionPolicyDecision;
+  reason: string;
+};
+
+export type PermissionPolicySources = {
+  jobPolicy?: PermissionPolicyConfig;
+  planPolicy?: PermissionPolicyConfig;
+  globalPolicy?: PermissionPolicyConfig;
+};
+
+function normalizePathForComparison(path: string): string {
+  return resolve(path).replace(/\\/g, '/');
+}
+
+function isInsideWorktree(path: string, worktreePath: string): boolean {
+  const normalizedPath = normalizePathForComparison(path);
+  const normalizedWorktree = normalizePathForComparison(worktreePath);
+
+  if (normalizedPath === normalizedWorktree) {
+    return true;
+  }
+
+  const suffix = normalizedWorktree.endsWith('/') ? '' : '/';
+  return normalizedPath.startsWith(`${normalizedWorktree}${suffix}`);
+}
+
+function looksLikePackageInstall(input?: string): boolean {
+  if (!input) {
+    return false;
+  }
+
+  const normalized = input.toLowerCase();
+  const installSignals = ['npm install', 'pnpm add', 'yarn add', 'bun add', 'pip install', 'apt install'];
+  return installSignals.some((signal) => normalized.includes(signal));
+}
+
+export class PermissionPolicy {
+  private readonly policy: PermissionPolicyConfig;
+  private readonly decisionLog: PermissionPolicyLogEntry[] = [];
+
+  constructor(policy: PermissionPolicyConfig = PermissionPolicy.getDefaultPolicy()) {
+    this.policy = policy;
+  }
+
+  static loadPolicy(config?: PermissionPolicyConfig | null): PermissionPolicy {
+    if (!config) {
+      return new PermissionPolicy(PermissionPolicy.getDefaultPolicy());
+    }
+    return new PermissionPolicy(config);
+  }
+
+  static resolvePolicy(sources: PermissionPolicySources = {}): PermissionPolicy {
+    return PermissionPolicy.loadPolicy(
+      sources.jobPolicy
+      ?? sources.planPolicy
+      ?? sources.globalPolicy
+      ?? PermissionPolicy.getDefaultPolicy(),
+    );
+  }
+
+  static getDefaultPolicy(): PermissionPolicyConfig {
+    return {
+      permissions: {
+        fileEdit: { insideWorktree: 'auto-approve', outsideWorktree: 'deny' },
+        shellCommand: { insideWorktree: 'auto-approve', outsideWorktree: 'ask-user' },
+        networkAccess: 'deny',
+        installPackages: 'ask-user',
+        mcpTools: 'auto-approve',
+      },
+    };
+  }
+
+  evaluate(
+    permissionRequest: PermissionPolicyRequest,
+    jobContext: PermissionJobContext,
+  ): PermissionPolicyDecision {
+    const permissionType = this.resolvePermissionType(permissionRequest);
+
+    let policyDecision: PermissionPolicyDecision;
+    let reason: string;
+
+    switch (permissionType) {
+      case 'fileEdit': {
+        const targetPath = permissionRequest.path;
+        if (!targetPath) {
+          policyDecision = 'ask-user';
+          reason = 'File edit request is missing path context';
+          break;
+        }
+
+        const inWorktree = isInsideWorktree(targetPath, jobContext.worktreePath);
+        policyDecision = inWorktree
+          ? this.policy.permissions.fileEdit.insideWorktree
+          : this.policy.permissions.fileEdit.outsideWorktree;
+        reason = inWorktree
+          ? 'File edit target is inside worktree'
+          : 'File edit target is outside worktree';
+        break;
+      }
+
+      case 'shellCommand': {
+        const targetPath = permissionRequest.path ?? jobContext.worktreePath;
+        const inWorktree = isInsideWorktree(targetPath, jobContext.worktreePath);
+        policyDecision = inWorktree
+          ? this.policy.permissions.shellCommand.insideWorktree
+          : this.policy.permissions.shellCommand.outsideWorktree;
+        reason = inWorktree
+          ? 'Shell command target is inside worktree'
+          : 'Shell command target is outside worktree';
+        break;
+      }
+
+      case 'installPackages':
+        policyDecision = this.policy.permissions.installPackages;
+        reason = 'Package installation request';
+        break;
+
+      case 'networkAccess':
+        policyDecision = this.policy.permissions.networkAccess;
+        reason = 'Network access request';
+        break;
+
+      case 'mcpTools':
+        policyDecision = this.policy.permissions.mcpTools;
+        reason = 'MCP tool request';
+        break;
+
+      default:
+        policyDecision = 'ask-user';
+        reason = 'Unknown permission type';
+        break;
+    }
+
+    const action = permissionRequest.action ?? permissionRequest.description ?? permissionRequest.type;
+    const target = permissionRequest.target ?? permissionRequest.path ?? '(unknown target)';
+
+    this.decisionLog.push({
+      timestamp: new Date().toISOString(),
+      permissionType,
+      action,
+      target,
+      policyDecision,
+      reason,
+    });
+
+    return policyDecision;
+  }
+
+  getDecisionLog(): readonly PermissionPolicyLogEntry[] {
+    return this.decisionLog;
+  }
+
+  private resolvePermissionType(
+    permissionRequest: PermissionPolicyRequest,
+  ): keyof PermissionPolicyConfig['permissions'] | 'unknown' {
+    if (permissionRequest.type === 'mcp') {
+      return 'mcpTools';
+    }
+
+    if (permissionRequest.type === 'network') {
+      return 'networkAccess';
+    }
+
+    if (permissionRequest.type === 'file_operation') {
+      return 'fileEdit';
+    }
+
+    if (permissionRequest.type === 'shell_command') {
+      const packageInstall =
+        looksLikePackageInstall(permissionRequest.description) ||
+        looksLikePackageInstall(permissionRequest.action);
+      return packageInstall ? 'installPackages' : 'shellCommand';
+    }
+
+    return 'unknown';
+  }
+}