Header menu logo Nao

ResourcePermission Module

Pure evaluation of resource-access requests against a set of granted rules. No IO — the persistence and enforcement layers live in the server; this module is the testable core.

Functions and values

Function or value Description

ResourcePermission.applicable sessionKey rules

Full Usage: ResourcePermission.applicable sessionKey rules

Parameters:
Returns: PermissionRule list

Keep only the rules that apply to the given session — every Global rule, plus the Session rules whose key matches.

sessionKey : string
rules : PermissionRule list
Returns: PermissionRule list

ResourcePermission.evaluate rules access

Full Usage: ResourcePermission.evaluate rules access

Parameters:
Returns: PermissionDecision

Evaluate with a strict allowlist default (Deny when nothing matches).

rules : PermissionRule list
access : ResourceAccess
Returns: PermissionDecision

ResourcePermission.evaluateWith defaultDecision rules access

Full Usage: ResourcePermission.evaluateWith defaultDecision rules access

Parameters:
Returns: PermissionDecision

Evaluate an access request against rules, using `defaultDecision` when nothing matches. Precedence among matching rules: an explicit Deny always wins, then Allow, then Ask. The caller chooses the default per resource class (e.g. Deny for web, Allow for unknown tool calls).

defaultDecision : PermissionDecision
rules : PermissionRule list
access : ResourceAccess
Returns: PermissionDecision

ResourcePermission.glob pattern text

Full Usage: ResourcePermission.glob pattern text

Parameters:
    pattern : string
    text : string

Returns: bool

Match a glob pattern ('*' = any run of chars, '?' = exactly one) against text, case-insensitively. Used for both path and host patterns.

pattern : string
text : string
Returns: bool

ResourcePermission.hostMatches pattern host

Full Usage: ResourcePermission.hostMatches pattern host

Parameters:
    pattern : string
    host : string

Returns: bool

Does a host match a web pattern? "*" = any; "example.com" matches that host and any subdomain; otherwise a glob over the host.

pattern : string
host : string
Returns: bool

ResourcePermission.hostOf url

Full Usage: ResourcePermission.hostOf url

Parameters:
    url : string

Returns: string option

Best-effort extraction of the host from a URL string. Accepts both fully-qualified URLs ("https://a.example.com/x") and bare host forms ("a.example.com/x").

url : string
Returns: string option

ResourcePermission.pathMatches pattern path

Full Usage: ResourcePermission.pathMatches pattern path

Parameters:
    pattern : string
    path : string

Returns: bool

Does a path match a file pattern? "*" = any; otherwise the pattern matches the path itself, anything beneath it (prefix), or a glob.

pattern : string
path : string
Returns: bool

ResourcePermission.ruleMatches access rule

Full Usage: ResourcePermission.ruleMatches access rule

Parameters:
Returns: bool

Does a rule match an access request? (Scope is filtered by the caller via `applicable`.)

access : ResourceAccess
rule : PermissionRule
Returns: bool

Type something to start searching.