Add allow/deny path policies #52

@KofTwentyTwo

User Story

As a developer, I want to configure which files and directories qstudio can access so I can protect sensitive code and credentials from being sent to LLM providers.

Design

Command Interface

# Show current policy
qstudio policy

# Add allow rule
qstudio policy allow "src/**/*.java"

# Add deny rule (takes precedence)
qstudio policy deny "**/*.env"
qstudio policy deny "**/secrets/**"

# Remove rule
qstudio policy remove "src/**/*.java"

# Reset to defaults
qstudio policy reset

# Validate a path against policy
qstudio policy check src/main/resources/application.yaml

Output Format

Path Policy Configuration

Deny (checked first):
  **/*.env
  **/*.pem
  **/*.key
  **/secrets/**
  **/credentials/**
  **/.env*

Allow:
  src/**/*.java
  src/**/*.xml
  pom.xml
  README.md

Default: deny (paths not matching any rule are denied)

Policy Configuration

# ~/.qctl/qctl.yaml
qstudio:
  policy:
    default: deny  # deny | allow
    deny:
      - "**/*.env"
      - "**/*.pem"
      - "**/*.key"
      - "**/secrets/**"
      - "**/credentials/**"
      - "**/.git/**"
    allow:
      - "src/**/*.java"
      - "src/**/*.xml"
      - "src/**/*.yaml"
      - "src/**/*.json"
      - "pom.xml"
      - "build.gradle"
      - "README.md"
      - "docs/**/*.md"

Project-Level Override

# .qstudio.yaml (in project root)
policy:
  deny:
    - "src/main/resources/application-prod.yaml"
  allow:
    - "config/*.yaml"

Files to Create/Modify

| File | Action | Purpose |
|---|---|---|
| qctl-qstudio/src/main/java/io/qrun/qctl/qstudio/PolicyCommand.java | Create | Policy management command |
| qctl-qstudio/src/main/java/io/qrun/qctl/qstudio/policy/PathPolicy.java | Create | Policy engine |
| qctl-qstudio/src/main/java/io/qrun/qctl/qstudio/policy/PolicyRule.java | Create | Rule model |
| qctl-qstudio/src/main/java/io/qrun/qctl/qstudio/policy/GlobMatcher.java | Create | Glob pattern matching |
| qctl-qstudio/src/main/java/io/qrun/qctl/qstudio/policy/PolicyLoader.java | Create | Load from config files |
| qctl-qstudio/src/main/resources/default-policy.yaml | Create | Default deny patterns |

Implementation Tasks

  • Create PolicyCommand with subcommands (allow, deny, remove, reset, check)
  • Create PathPolicy engine with deny-first evaluation
  • Create PolicyRule model with glob patterns
  • Implement GlobMatcher using Java PathMatcher
  • Create PolicyLoader for config file merging
  • Support project-level .qstudio.yaml override
  • Bundle sensible default deny patterns
  • Integrate with CodeIndexer (filter indexed files)
  • Integrate with ContextAssembler (filter LLM context)
  • Add policy validation warnings during index
  • Write unit tests for PathPolicy
  • Write unit tests for GlobMatcher

Acceptance Criteria

  • qstudio policy shows current configuration
  • qstudio policy deny "<pattern>" adds deny rule
  • qstudio policy allow "<pattern>" adds allow rule
  • Deny rules take precedence over allow
  • Default policy denies sensitive file patterns
  • Project .qstudio.yaml overrides global config
  • qstudio policy check <path> validates a path
  • Index and plan commands respect policy
  • Clear warning when files are filtered by policy
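
An added sketch, not part of the original issue and not qctl's own code, of the deny-first evaluation and `PathMatcher`-based glob matching named in the implementation tasks. The class and method names and the broad `**/*.yaml` allow rule are hypothetical; it assumes Java 11+ and paths given relative to the project root, and it also normalizes paths and compensates for Java's `**/` glob not matching at the root.

```java
import java.nio.file.*;
import java.util.*;

/** Hypothetical sketch of deny-first path evaluation (not the project's PathPolicy). */
public class PathPolicySketch {
    private final List<PathMatcher> deny = new ArrayList<>();
    private final List<PathMatcher> allow = new ArrayList<>();
    private final boolean defaultAllow;

    PathPolicySketch(List<String> denyGlobs, List<String> allowGlobs, boolean defaultAllow) {
        denyGlobs.forEach(g -> compile(g, deny));
        allowGlobs.forEach(g -> compile(g, allow));
        this.defaultAllow = defaultAllow;
    }

    // Java's glob "**/x" needs at least one '/' in the path, so "**/secrets/**"
    // misses a top-level "secrets/" directory and "**/*.env" misses "prod.env".
    // Compile a second matcher without the "**/" prefix to cover the project root.
    private static void compile(String glob, List<PathMatcher> out) {
        FileSystem fs = FileSystems.getDefault();
        out.add(fs.getPathMatcher("glob:" + glob));
        if (glob.startsWith("**/") && glob.length() > 3) {
            out.add(fs.getPathMatcher("glob:" + glob.substring(3)));
        }
    }

    /** relPath is relative to the project root. */
    boolean isAllowed(String relPath) {
        Path p = Path.of(relPath).normalize();  // collapse "src/../x" before matching
        if (p.isAbsolute() || p.startsWith("..")) return false;       // outside the root
        if (deny.stream().anyMatch(m -> m.matches(p))) return false;  // deny checked first
        if (allow.stream().anyMatch(m -> m.matches(p))) return true;
        return defaultAllow;  // "default: deny" in the config maps to false
    }

    public static void main(String[] args) {
        PathPolicySketch policy = new PathPolicySketch(
            List.of("**/*.env", "**/*.pem", "**/*.key", "**/secrets/**", "**/.env*"),
            List.of("src/**/*.java", "pom.xml", "**/*.yaml"),  // "**/*.yaml" is constructed
            false);
        // Constructed sample paths: plain allow, deny beating allow, root-level
        // secrets directory, traversal out of src/, and escape from the project root.
        for (String s : List.of("src/main/java/App.java", "src/secrets/Keys.java",
                "secrets/db.yaml", "prod.env", "src/../deploy/Tool.java", "../other/pom.xml")) {
            System.out.println((policy.isAllowed(s) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

Without the extra root-level matcher, `secrets/db.yaml` would pass the deny list and be admitted by the `**/*.yaml` allow rule; without `normalize()`, `src/../deploy/Tool.java` would match `src/**/*.java`.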

Labels: module:qstudio (AI planning module), story (Feature story linked to epic)