You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
rulesync's Amp permissions adapter only emits amp.tools.disable (a coarse disable-only list), so allow and ask rules are silently dropped and argument-level patterns are collapsed to the bare tool name. Amp has a richer declarative permission model (amp.permissions) that can express all three actions plus argument matchers, which rulesync does not emit.
permissions — project + global (partial / lossy). Upstream amp.permissions is an array of entries { tool, matches: { cmd }, action } where action ∈ allow | reject | ask | delegate, supports tool-name wildcards (*, mcp__*) and per-argument glob matchers (matches.cmd), first-match-wins. rulesync's src/features/permissions/amp-permissions.ts maps onlydeny → amp.tools.disable[] (tool name), dropping allow/ask rules with a warning and discarding the per-pattern glob. So rulesync's {category: {pattern: action}} model does not round-trip: ask/allow data is lost, and deny patterns lose their argument specificity.
Proposed Follow-up
Emit amp.permissions (array form) so rulesync's permission model round-trips fully:
deny → { tool, matches: { cmd: <pattern> }, action: "reject" } (keep amp.tools.disable only for the bare whole-tool "*" case if desired)
ask → action: "ask" (currently dropped)
allow → action: "allow" (currently dropped)
Preserve the per-pattern glob in matches instead of collapsing to the tool name.
Keep the schema loose (project convention) and retain the existing shared-settings.json merge / no-delete guard.
Summary
rulesync's Amp
permissionsadapter only emitsamp.tools.disable(a coarse disable-only list), soallowandaskrules are silently dropped and argument-level patterns are collapsed to the bare tool name. Amp has a richer declarative permission model (amp.permissions) that can express all three actions plus argument matchers, which rulesync does not emit.Recent Releases
amp.permissions,amp.guardedFiles.allowlist,amp.dangerouslyAllowAllactivate the declarative permissions plugin): https://ampcode.com/manualamp.mcpPermissions, related but separate gating surface): https://ampcode.com/news/mcp-permissions (2025-08-25)Gaps
project + global(partial / lossy). Upstreamamp.permissionsis an array of entries{ tool, matches: { cmd }, action }whereaction∈allow | reject | ask | delegate, supports tool-name wildcards (*,mcp__*) and per-argument glob matchers (matches.cmd), first-match-wins. rulesync'ssrc/features/permissions/amp-permissions.tsmaps onlydeny→amp.tools.disable[](tool name), droppingallow/askrules with a warning and discarding the per-pattern glob. So rulesync's{category: {pattern: action}}model does not round-trip:ask/allowdata is lost, anddenypatterns lose their argument specificity.Proposed Follow-up
amp.permissions(array form) so rulesync's permission model round-trips fully:deny→{ tool, matches: { cmd: <pattern> }, action: "reject" }(keepamp.tools.disableonly for the bare whole-tool"*"case if desired)ask→action: "ask"(currently dropped)allow→action: "allow"(currently dropped)matchesinstead of collapsing to the tool name.settings.jsonmerge / no-delete guard.amp.permissionsis documented as activating Amp's internal (legacy-compat) permissions plugin but remains functional; confirm the active settings file (settings.jsonvssettings.jsonc, see Amp settings-file extension divergence: MCP defaults to settings.jsonc, permissions to settings.json (splits config) #1989) when wiring output.References
amp.permissionsmodel and action vocabulary.amp.permissionsentry schema and guarded-files settings.amp.mcpPermissions(adjacent MCP-gating surface, noted for completeness).