Added: AllowedGlobResolver for fine-grained path sandboxing with glob patterns

Implements ordered allow/deny glob policy for directory-restricted path resolution.

- Add AllowedGlobResolver with glob pattern matching support
- Enforces root containment (all resolved paths stay within allowed roots)
- Rules evaluated in order: first match wins (allow or deny)
- GlobPolicyBuilder for ergonomic rule construction
- Export from path module and crate root (llm-coding-tools-core)
- Re-export from serdesai for convenience
- Comprehensive tests covering policy evaluation, edge cases, and error handling
- Update README with usage examples

Author: Sewer56

src/Cargo.lock

@@ -44,6 +44,9 @@ serde_json = "1.0"
 # Zero overhead compile time bitflag generation
 bitflags = "2.11.0"
 
+# Shell-like expansion for home directory paths (~/ and $HOME/)
+shellexpand = "3.1.2"
+
 # Fast binary serialization for catalog cache types
 bitcode = "0.6.9"
 

src/llm-coding-tools-core/Cargo.toml

@@ -69,10 +69,14 @@ Path-based tools are generic over [`PathResolver`], so wrappers can choose unres
 
 - [`AbsolutePathResolver`] enforces absolute-path inputs (unrestricted mode).
 - [`AllowedPathResolver`] constrains operations to configured directories (sandbox mode).
+- [`AllowedGlobResolver`] constrains to directories with glob pattern filtering (fine-grained sandbox mode).
 - Failed resolution rejects traversal and out-of-sandbox paths before tool execution.
 
 ```rust,no_run
-use llm_coding_tools_core::{AbsolutePathResolver, AllowedPathResolver, PathResolver, ToolResult};
+use llm_coding_tools_core::{
+    path::{AllowedGlobResolver, GlobPolicy, RuleAction},
+    AbsolutePathResolver, AllowedPathResolver, PathResolver, ToolResult,
+};
 
 fn demo() -> ToolResult<()> {
     // Unrestricted mode: any absolute path is allowed.
@@ -82,6 +86,19 @@ fn demo() -> ToolResult<()> {
     // Sandboxed mode: only configured directories are allowed.
     let sandbox = AllowedPathResolver::new(["/workspace/project", "/tmp"])?;
     let _lib = sandbox.resolve("src/lib.rs")?;
+
+    // Fine-grained sandbox (last-match-wins).
+    let glob = AllowedGlobResolver::new(["/workspace/project"])?
+        .with_policy(
+            GlobPolicy::builder()
+                .add("src/**", RuleAction::Allow)?    // Matches src/lib.rs
+                .add("*.rs", RuleAction::Allow)?      // Also matches src/lib.rs
+                .add("target/**", RuleAction::Deny)?  // Blocks target/ even if *.rs matches
+                .build()?
+        );
+    let _lib = glob.resolve("src/lib.rs")?;
+    let _main = glob.resolve("main.rs")?;
+    // glob.resolve("target/debug/app")?; // Denied
     Ok(())
 }
 ```
@@ -313,6 +330,7 @@ let key = resolver.resolve("OPENAI_API_KEY");
 [`ToolContext`]: crate::context::ToolContext
 [`PathResolver`]: crate::PathResolver
 [`AbsolutePathResolver`]: crate::AbsolutePathResolver
+[`AllowedGlobResolver`]: crate::path::AllowedGlobResolver
 [`AllowedPathResolver`]: crate::AllowedPathResolver
 [`permissions`]: crate::permissions
 [`Rule`]: crate::permissions::Rule

src/llm-coding-tools-core/README.md

@@ -26,7 +26,7 @@ pub use context::ToolContext;
 pub use credentials::{CredentialLookup, CredentialResolver};
 pub use error::{ToolError, ToolResult};
 pub use output::ToolOutput;
-pub use path::{AbsolutePathResolver, AllowedPathResolver, PathResolver};
+pub use path::{AbsolutePathResolver, AllowedGlobResolver, AllowedPathResolver, PathResolver};
 pub use system_prompt::SystemPromptBuilder;
 
 // Re-export tools (always available, sync or async based on runtime feature)

src/llm-coding-tools-core/src/lib.rs

@@ -60,10 +60,15 @@ impl AllowedPathResolver {
         })
     }
 
-    /// Creates a resolver from already-canonicalized paths.
+    /// Creates a resolver from already-canonicalized paths, skipping
+    /// filesystem validation.
     ///
-    /// Use this when paths are known to be valid and canonicalized,
-    /// skipping the filesystem check.
+    /// A canonical path is absolute, with all symlinks resolved and all
+    /// `.` and `..` components normalized. Use [`std::fs::canonicalize`] or
+    /// [`std::path::Path::canonicalize`] to canonicalize paths.
+    ///
+    /// Use this when paths are known to be valid and canonicalized, skipping
+    /// the filesystem check.
     ///
     /// # Safety
     ///