ResourcePermission Module
Pure evaluation of resource-access requests against a set of granted rules. No IO — the persistence and enforcement layers live in the server; this module is the testable core.
Functions and values
| Function or value |
Description
|
Full Usage:
ResourcePermission.applicable sessionKey rules
Parameters:
string
rules : PermissionRule list
Returns: PermissionRule list
|
Keep only the rules that apply to the given session — every Global rule, plus the Session rules whose key matches.
|
Full Usage:
ResourcePermission.evaluate rules access
Parameters:
PermissionRule list
access : ResourceAccess
Returns: PermissionDecision
|
Evaluate with a strict allowlist default (Deny when nothing matches).
|
Full Usage:
ResourcePermission.evaluateWith defaultDecision rules access
Parameters:
PermissionDecision
rules : PermissionRule list
access : ResourceAccess
Returns: PermissionDecision
|
Evaluate an access request against rules, using `defaultDecision` when nothing matches. Precedence among matching rules: an explicit Deny always wins, then Allow, then Ask. The caller chooses the default per resource class (e.g. Deny for web, Allow for unknown tool calls).
|
Full Usage:
ResourcePermission.glob pattern text
Parameters:
string
text : string
Returns: bool
|
Match a glob pattern ('*' = any run of chars, '?' = exactly one) against text, case-insensitively. Used for both path and host patterns.
|
Full Usage:
ResourcePermission.hostMatches pattern host
Parameters:
string
host : string
Returns: bool
|
Does a host match a web pattern? "*" = any; "example.com" matches that host and any subdomain; otherwise a glob over the host.
|
Full Usage:
ResourcePermission.hostOf url
Parameters:
string
Returns: string option
|
Best-effort extraction of the host from a URL string. Accepts both fully-qualified URLs ("https://a.example.com/x") and bare host forms ("a.example.com/x").
|
Full Usage:
ResourcePermission.pathMatches pattern path
Parameters:
string
path : string
Returns: bool
|
Does a path match a file pattern? "*" = any; otherwise the pattern matches the path itself, anything beneath it (prefix), or a glob.
|
Full Usage:
ResourcePermission.ruleMatches access rule
Parameters:
ResourceAccess
rule : PermissionRule
Returns: bool
|
Does a rule match an access request? (Scope is filtered by the caller via `applicable`.)
|
Nao