philipnee · philipnee · Apr 29, 2026 · Apr 29, 2026
@@ -136,7 +136,7 @@ export const PermissionAction = z.enum(['search', 'read', 'write']);
 
 export const PermissionSchema = z.object({
   path: z.string().min(1).regex(/^\/(?!$)/, 'permission path must be absolute and cannot be /'),
-  actions: z.array(PermissionAction).default([]),
+  actions: z.array(PermissionAction).min(1, 'permission actions must include at least one action').default([]),
 });
 
 export const ClientAuthTokenSchema = z.object({
@@ -209,6 +209,7 @@ export const ConfigSchema = z
   })
   .superRefine((data, ctx) => {
     const knownSourceIds = collectKnownSourceIds(data);
+    const knownPolicyRoots = collectKnownPolicyRoots(data);
     validateUniqueSourceIds(data, ctx);
     const seenClientIds = new Set<string>();
     // Track auth bindings across clients so config order does not silently
@@ -256,7 +257,12 @@ export const ConfigSchema = z
       }
 
       for (const [permIndex, permission] of client.permissions.entries()) {
-        validatePermissionPath(permission.path, ctx, ['clients', clientIndex, 'permissions', permIndex, 'path']);
+        validatePermissionPath(
+          permission.path,
+          knownPolicyRoots,
+          ctx,
+          ['clients', clientIndex, 'permissions', permIndex, 'path'],
+        );
       }
     }
 
@@ -297,25 +303,50 @@ function validateUniqueSourceIds(data: { proxy: ProxyConfig[]; mounts: LocalFold
   const seenMountPaths = new Map<string, number>();
   for (const [index, mount] of data.mounts.entries()) {
     track(mount.name, ['mounts', index, 'name']);
-    const firstMountPath = seenMountPaths.get(mount.path);
+    validateMountPath(mount.path, ctx, ['mounts', index, 'path']);
+    const normalizedMountPath = normalizePolicyPath(mount.path);
+    const firstMountPath = seenMountPaths.get(normalizedMountPath);
     if (firstMountPath !== undefined) {
       ctx.addIssue({
         code: z.ZodIssueCode.custom,
-        message: `duplicate mount path "${mount.path}"; first seen at mounts.${firstMountPath}.path`,
+        message: `duplicate mount path "${normalizedMountPath}"; first seen at mounts.${firstMountPath}.path`,
         path: ['mounts', index, 'path'],
       });
     } else {
-      seenMountPaths.set(mount.path, index);
+      seenMountPaths.set(normalizedMountPath, index);
     }
   }
 }
 
-function validatePermissionPath(pathPattern: string, ctx: z.RefinementCtx, issuePath: (string | number)[]): void {
-  if (pathPattern === '/**') return;
-  if (pathPattern.includes('**') && !pathPattern.endsWith('/**')) {
+function validateMountPath(pathPattern: string, ctx: z.RefinementCtx, issuePath: (string | number)[]): void {
+  if (pathPattern.includes('*')) {
     ctx.addIssue({
       code: z.ZodIssueCode.custom,
-      message: 'permission path may only use ** as a trailing subtree wildcard',
+      message: 'mount path must be a literal virtual path and cannot include wildcards',
+      path: issuePath,
+    });
+  }
+}
+
+function validatePermissionPath(
+  pathPattern: string,
+  knownPolicyRoots: string[],
+  ctx: z.RefinementCtx,
+  issuePath: (string | number)[],
+): void {
+  if (!hasSupportedPermissionWildcard(pathPattern)) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: 'permission path may only use /** as a trailing subtree wildcard',
+      path: issuePath,
+    });
+    return;
+  }
+
+  if (!permissionTargetsKnownRoot(pathPattern, knownPolicyRoots)) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: `permission path "${pathPattern}" does not target any configured mount or proxy source`,
       path: issuePath,
     });
   }
@@ -339,6 +370,39 @@ function collectKnownSourceIds(data: { proxy: ProxyConfig[]; mounts: LocalFolder
   return ids;
 }
 
+function collectKnownPolicyRoots(data: { proxy: ProxyConfig[]; mounts: LocalFolderMountConfig[] }): string[] {
+  const roots = new Set<string>();
+  for (const proxy of data.proxy) {
+    roots.add(normalizePolicyPath(`/${resolveProxySourceId(proxy)}`));
+  }
+  for (const mount of data.mounts) {
+    roots.add(normalizePolicyPath(mount.path));
+  }
+  return [...roots];
+}
+
+function hasSupportedPermissionWildcard(pathPattern: string): boolean {
+  if (pathPattern === '/**') return true;
+  if (!pathPattern.includes('*')) return true;
+  return pathPattern.endsWith('/**') && !pathPattern.slice(0, -3).includes('*');
+}
+
+function permissionTargetsKnownRoot(pathPattern: string, knownPolicyRoots: string[]): boolean {
+  if (pathPattern === '/**') return true;
+  const base = pathPattern.endsWith('/**')
+    ? normalizePolicyPath(pathPattern.slice(0, -3))
+    : normalizePolicyPath(pathPattern);
+  return knownPolicyRoots.some((root) => base === root || base.startsWith(`${root}/`));
+}
+
+function normalizePolicyPath(value: string): string {
+  const withForwardSlashes = value.replaceAll('\\', '/');
+  let end = withForwardSlashes.length;
+  while (end > 0 && withForwardSlashes[end - 1] === '/') end -= 1;
+  const normalized = withForwardSlashes.slice(0, end);
+  return normalized || '/';
+}
+
 export type TunnelConfig = z.infer<typeof TunnelSchema>;
 export type ProxyConfig = z.infer<typeof ProxySchema>;
 export type LocalFolderMountConfig = z.infer<typeof LocalFolderMountSchema>;

@@ -322,6 +322,7 @@ describe('client policy schema', () => {
     const config = parseConfig({
       version: 1,
       proxy: [{ name: 'workspace', command: 'npx' }],
+      mounts: [{ name: 'notes', type: 'local_folder', path: '/notes', root: '/vault' }],
       clients: [
         {
           id: 'codex',
@@ -348,6 +349,7 @@ describe('client policy schema', () => {
   it('parses an oauth-auth client with mapped client ids', () => {
     const config = parseConfig({
       version: 1,
+      mounts: [{ name: 'notes', type: 'local_folder', path: '/notes', root: '/vault' }],
       clients: [
         {
           id: 'chatgpt',
@@ -369,6 +371,7 @@ describe('client policy schema', () => {
     expect(() =>
       parseConfig({
         version: 1,
+        mounts: [{ name: 'workspace', type: 'local_folder', path: '/workspace', root: '/workspace' }],
         clients: [
           {
             id: 'codex',
@@ -383,6 +386,7 @@ describe('client policy schema', () => {
     expect(() =>
       parseConfig({
         version: 1,
+        mounts: [{ name: 'workspace', type: 'local_folder', path: '/workspace', root: '/workspace' }],
         clients: [
           {
             id: 'codex',
@@ -392,7 +396,88 @@ describe('client policy schema', () => {
           },
         ],
       }),
-    ).toThrow(/permission path may only use \*\* as a trailing subtree wildcard/);
+    ).toThrow(/permission path may only use \/\*\* as a trailing subtree wildcard/);
+
+    expect(() =>
+      parseConfig({
+        version: 1,
+        mounts: [{ name: 'workspace', type: 'local_folder', path: '/workspace', root: '/workspace' }],
+        clients: [
+          {
+            id: 'codex',
+            name: 'Codex',
+            auth: { type: 'token', tokenHash: SHA256_HEX_64 },
+            permissions: [{ path: '/workspace/*.md', actions: ['read'] }],
+          },
+        ],
+      }),
+    ).toThrow(/permission path may only use \/\*\* as a trailing subtree wildcard/);
+  });
+
+  it('rejects empty client permission actions', () => {
+    expect(() =>
+      parseConfig({
+        version: 1,
+        mounts: [{ name: 'workspace', type: 'local_folder', path: '/workspace', root: '/workspace' }],
+        clients: [
+          {
+            id: 'codex',
+            name: 'Codex',
+            auth: { type: 'token', tokenHash: SHA256_HEX_64 },
+            permissions: [{ path: '/workspace/**', actions: [] }],
+          },
+        ],
+      }),
+    ).toThrow(/permission actions must include at least one action/);
+  });
+
+  it('rejects permission paths that do not target a configured mount or proxy source', () => {
+    expect(() =>
+      parseConfig({
+        version: 1,
+        mounts: [{ name: 'workspace', type: 'local_folder', path: '/workspace', root: '/workspace' }],
+        clients: [
+          {
+            id: 'codex',
+            name: 'Codex',
+            auth: { type: 'token', tokenHash: SHA256_HEX_64 },
+            permissions: [{ path: '/notes/**', actions: ['read'] }],
+          },
+        ],
+      }),
+    ).toThrow(/permission path "\/notes\/\*\*" does not target any configured mount or proxy source/);
+  });
+
+  it('allows global and nested mount permissions', () => {
+    const config = parseConfig({
+      version: 1,
+      mounts: [{ name: 'project', type: 'local_folder', path: '/workspace/project', root: '/workspace/project' }],
+      clients: [
+        {
+          id: 'codex',
+          name: 'Codex',
+          auth: { type: 'token', tokenHash: SHA256_HEX_64 },
+          permissions: [
+            { path: '/workspace/project/src/**', actions: ['read'] },
+            { path: '/**', actions: ['search'] },
+          ],
+        },
+      ],
+    });
+
+    expect(config.clients?.[0].permissions).toEqual([
+      { path: '/workspace/project/src/**', actions: ['read'] },
+      { path: '/**', actions: ['search'] },
+    ]);
+  });
+
+  it('rejects wildcard mount paths', () => {
+    expect(() =>
+      parseConfig({
+        version: 1,
+        mounts: [{ name: 'workspace', type: 'local_folder', path: '/workspace/*', root: '/workspace' }],
+      }),
+    ).toThrow(/mount path must be a literal virtual path/);
   });
 
   it('rejects duplicate client ids', () => {