feat(profiles): add 7 role-based presets (#63)

polaz · web-flow · commit 5f059135d590 · 2026-01-20T17:57:55.000+02:00
* feat(profiles): add 7 role-based presets Add built-in presets for different user personas: - junior-dev: code, MRs, basic issue tracking - senior-dev: + code review, pipeline monitoring - devops: CI/CD, pipelines, variables, infrastructure - team-lead: planning, milestones, oversight - pm: planning, tracking, documentation (no code ops) - ci: minimal tools for automation - gitlab-com: rate-limit friendly for gitlab.com Each preset is optimized for its role to minimize LLM context usage while providing sufficient tools. Closes #55 * fix(profiles): correct regex anchor precedence in preset patterns Fix denied_tools_regex patterns to properly anchor at start: - Use ^manage_(a|b|c) instead of ^manage_a|^manage_b|^manage_c - The latter incorrectly matches 'manage_b' anywhere in the string Also simplify junior-dev description to match preset name.
diff --git a/src/profiles/builtin/ci.yaml b/src/profiles/builtin/ci.yaml
@@ -0,0 +1,30 @@
+# CI/CD Bot preset - automation
+#
+# Minimal tools for CI/CD automation:
+# - Pipeline operations
+# - File management
+# - Variables access
+#
+# No access to development workflow tools.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "CI/CD Bot - minimal tools for automation"
+
+read_only: false
+
+features:
+  wiki: false
+  milestones: false
+  pipelines: true
+  labels: false
+  mrs: false
+  files: true
+  variables: true
+  workitems: false
+  webhooks: false
+  snippets: false
+  integrations: false
+
+# Block workflow-related operations
+denied_tools_regex: "^manage_(work_item|mr|label|milestone|wiki)"
diff --git a/src/profiles/builtin/devops.yaml b/src/profiles/builtin/devops.yaml
@@ -0,0 +1,28 @@
+# DevOps Engineer preset - CI/CD and infrastructure
+#
+# Focused on infrastructure and automation:
+# - Full pipeline management
+# - Variables and secrets
+# - Webhooks and integrations
+# - File operations for configs
+#
+# No access to development workflow tools (MRs, issues, wiki).
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "DevOps Engineer - CI/CD pipelines, variables, infrastructure"
+
+read_only: false
+
+features:
+  wiki: false
+  milestones: false
+  pipelines: true
+  labels: false
+  mrs: false
+  files: true
+  variables: true
+  workitems: false
+  webhooks: true
+  snippets: false
+  integrations: true
diff --git a/src/profiles/builtin/gitlab-com.yaml b/src/profiles/builtin/gitlab-com.yaml
@@ -0,0 +1,35 @@
+# gitlab.com preset - rate-limit friendly
+#
+# Optimized for gitlab.com public instance:
+# - Standard development features enabled
+# - Rate-limit friendly restrictions
+# - Safe defaults for public projects
+#
+# Features that typically require elevated access are disabled.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Optimized for gitlab.com - respects rate limits, safe defaults"
+
+read_only: false
+
+features:
+  wiki: true
+  milestones: true
+  pipelines: true
+  labels: true
+  mrs: true
+  files: true
+  variables: false     # Often restricted on public projects
+  workitems: true
+  webhooks: false      # Requires maintainer+ access
+  snippets: true
+  integrations: false  # Requires admin access
+
+# Rate-limit friendly restrictions
+denied_actions:
+  # Pagination-heavy operations
+  - "browse_commits:list"
+  - "browse_pipelines:list"
+  # Operations that can trigger many API calls
+  - "manage_pipeline:retry"
diff --git a/src/profiles/builtin/junior-dev.yaml b/src/profiles/builtin/junior-dev.yaml
@@ -0,0 +1,30 @@
+# Junior Developer preset - day-to-day development
+#
+# Focused on core development tasks:
+# - Code browsing and file management
+# - Work items and merge requests
+# - Labels and snippets
+#
+# No access to pipelines, variables, or admin features.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Junior Developer - code, MRs, basic issue tracking"
+
+read_only: false
+
+features:
+  wiki: false
+  milestones: false
+  pipelines: false
+  labels: true
+  mrs: true
+  files: true
+  variables: false
+  workitems: true
+  webhooks: false
+  snippets: true
+  integrations: false
+
+# Block pipeline and admin operations
+denied_tools_regex: "^manage_(pipeline|variable|webhook)"
diff --git a/src/profiles/builtin/pm.yaml b/src/profiles/builtin/pm.yaml
@@ -0,0 +1,31 @@
+# Project Manager preset - planning and tracking
+#
+# Focused on project management:
+# - Work items and milestones
+# - Merge request status tracking
+# - Wiki and documentation
+# - Labels for organization
+#
+# No access to code operations, pipelines, or technical features.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Project Manager - planning, tracking, documentation (no code ops)"
+
+read_only: false
+
+features:
+  wiki: true
+  milestones: true
+  pipelines: false
+  labels: true
+  mrs: true
+  files: false
+  variables: false
+  workitems: true
+  webhooks: false
+  snippets: false
+  integrations: false
+
+# Block code and pipeline operations
+denied_tools_regex: "^manage_(files|pipeline|variable)"
diff --git a/src/profiles/builtin/senior-dev.yaml b/src/profiles/builtin/senior-dev.yaml
@@ -0,0 +1,36 @@
+# Senior Developer preset - code review and pipeline monitoring
+#
+# Extended access for senior developers:
+# - Full code browsing and file management
+# - Work items and merge requests
+# - Pipeline monitoring (read-only)
+# - Wiki and documentation
+#
+# No control over pipelines, variables, or webhooks.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Senior Developer - code review, discussions, pipeline monitoring"
+
+read_only: false
+
+features:
+  wiki: true
+  milestones: false
+  pipelines: true
+  labels: true
+  mrs: true
+  files: true
+  variables: false
+  workitems: true
+  webhooks: false
+  snippets: true
+  integrations: false
+
+# Block pipeline control and webhook management
+denied_actions:
+  - "manage_pipeline:cancel"
+  - "manage_pipeline:retry"
+  - "manage_webhook:create"
+  - "manage_webhook:update"
+  - "manage_webhook:delete"
diff --git a/src/profiles/builtin/team-lead.yaml b/src/profiles/builtin/team-lead.yaml
@@ -0,0 +1,37 @@
+# Team Lead preset - planning and oversight
+#
+# Focused on team management:
+# - Planning with milestones and work items
+# - Code review via merge requests
+# - Pipeline monitoring
+# - Wiki and documentation
+#
+# No access to sensitive variables or webhooks.
+#
+# NOTE: This is a PRESET - host/auth come from environment variables.
+
+description: "Team Lead - planning, milestones, team oversight, code review"
+
+read_only: false
+
+features:
+  wiki: true
+  milestones: true
+  pipelines: true
+  labels: true
+  mrs: true
+  files: true
+  variables: false
+  workitems: true
+  webhooks: false
+  snippets: true
+  integrations: false
+
+# Block sensitive operations
+denied_actions:
+  - "manage_variable:create"
+  - "manage_variable:update"
+  - "manage_variable:delete"
+  - "manage_webhook:create"
+  - "manage_webhook:update"
+  - "manage_webhook:delete"
diff --git a/tests/unit/profiles/builtin-presets.test.ts b/tests/unit/profiles/builtin-presets.test.ts
@@ -0,0 +1,164 @@
+/**
+ * Unit tests for built-in presets
+ * Validates that all preset YAML files conform to the schema
+ * and contain no host/auth (security requirement)
+ */
+
+import * as fs from "fs";
+import * as path from "path";
+import * as yaml from "yaml";
+import { PresetSchema, Preset } from "../../../src/profiles/types";
+
+// Mock logger to suppress output during tests
+jest.mock("../../../src/logger", () => ({
+  logger: {
+    info: jest.fn(),
+    warn: jest.fn(),
+    error: jest.fn(),
+    debug: jest.fn(),
+  },
+}));
+
+describe("Built-in Presets", () => {
+  const builtinDir = path.join(__dirname, "../../../src/profiles/builtin");
+
+  // Get all yaml files in the builtin directory
+  const presetFiles = fs.readdirSync(builtinDir).filter(f => f.endsWith(".yaml"));
+
+  describe("all presets should be valid", () => {
+    it.each(presetFiles)("%s should conform to PresetSchema", filename => {
+      const filepath = path.join(builtinDir, filename);
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content);
+
+      const result = PresetSchema.safeParse(parsed);
+      if (!result.success) {
+        console.error(`Validation errors for ${filename}:`, result.error.issues);
+      }
+      expect(result.success).toBe(true);
+    });
+
+    it.each(presetFiles)("%s should have a description", filename => {
+      const filepath = path.join(builtinDir, filename);
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content) as Preset;
+
+      expect(parsed.description).toBeDefined();
+      expect(parsed.description?.length).toBeGreaterThan(0);
+    });
+
+    it.each(presetFiles)("%s should NOT contain host (security)", filename => {
+      const filepath = path.join(builtinDir, filename);
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content);
+
+      // Presets must NEVER contain host/auth
+      expect(parsed.host).toBeUndefined();
+    });
+
+    it.each(presetFiles)("%s should NOT contain auth (security)", filename => {
+      const filepath = path.join(builtinDir, filename);
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content);
+
+      // Presets must NEVER contain host/auth
+      expect(parsed.auth).toBeUndefined();
+    });
+
+    it.each(presetFiles)("%s should have valid denied_tools_regex if present", filename => {
+      const filepath = path.join(builtinDir, filename);
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content) as Preset;
+
+      if (parsed.denied_tools_regex) {
+        expect(() => new RegExp(parsed.denied_tools_regex!)).not.toThrow();
+      }
+    });
+
+    it.each(presetFiles)("%s should have valid denied_actions format if present", filename => {
+      const filepath = path.join(builtinDir, filename);
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content) as Preset;
+
+      if (parsed.denied_actions) {
+        for (const action of parsed.denied_actions) {
+          // Format: tool:action
+          expect(action).toMatch(/^[a-z_]+:[a-z_]+$/);
+        }
+      }
+    });
+  });
+
+  describe("specific preset validations", () => {
+    it("readonly.yaml should have read_only: true", () => {
+      const filepath = path.join(builtinDir, "readonly.yaml");
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content) as Preset;
+
+      expect(parsed.read_only).toBe(true);
+    });
+
+    it("admin.yaml should have all features enabled", () => {
+      const filepath = path.join(builtinDir, "admin.yaml");
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content) as Preset;
+
+      expect(parsed.features?.wiki).toBe(true);
+      expect(parsed.features?.pipelines).toBe(true);
+      expect(parsed.features?.variables).toBe(true);
+      expect(parsed.features?.webhooks).toBe(true);
+      expect(parsed.features?.integrations).toBe(true);
+    });
+
+    it("junior-dev.yaml should have pipelines disabled", () => {
+      const filepath = path.join(builtinDir, "junior-dev.yaml");
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content) as Preset;
+
+      expect(parsed.features?.pipelines).toBe(false);
+      expect(parsed.features?.variables).toBe(false);
+    });
+
+    it("devops.yaml should have pipelines and variables enabled", () => {
+      const filepath = path.join(builtinDir, "devops.yaml");
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content) as Preset;
+
+      expect(parsed.features?.pipelines).toBe(true);
+      expect(parsed.features?.variables).toBe(true);
+      expect(parsed.features?.webhooks).toBe(true);
+    });
+
+    it("pm.yaml should have files disabled", () => {
+      const filepath = path.join(builtinDir, "pm.yaml");
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content) as Preset;
+
+      expect(parsed.features?.files).toBe(false);
+      expect(parsed.features?.pipelines).toBe(false);
+    });
+
+    it("ci.yaml should have minimal features for automation", () => {
+      const filepath = path.join(builtinDir, "ci.yaml");
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content) as Preset;
+
+      expect(parsed.features?.pipelines).toBe(true);
+      expect(parsed.features?.files).toBe(true);
+      expect(parsed.features?.variables).toBe(true);
+      expect(parsed.features?.wiki).toBe(false);
+      expect(parsed.features?.workitems).toBe(false);
+    });
+
+    it("gitlab-com.yaml should have rate-limit friendly restrictions", () => {
+      const filepath = path.join(builtinDir, "gitlab-com.yaml");
+      const content = fs.readFileSync(filepath, "utf8");
+      const parsed = yaml.parse(content) as Preset;
+
+      expect(parsed.features?.webhooks).toBe(false);
+      expect(parsed.features?.integrations).toBe(false);
+      expect(parsed.denied_actions).toBeDefined();
+      expect(parsed.denied_actions?.length).toBeGreaterThan(0);
+    });
+  });
+});
