Permissions system for addons

I’ve noticed a number of addons that list folders to map in case you use a feature. Like listing /ssl in case you want to use an SSL certificate. Or the one I find most problematic, list /config in case you want to use a !secret reference in a config setting instead of inputting it directly.

It seems like a lot of the time this mapping is not required for the addon to work. It’s only required if you choose to use that particular feature. The most problematic one to me is the /config one since that folder has all sorts of credentials in it that HA has access to. I don’t like that unencrypted credentials exist at all and I certainly want anyone or anything to have access to that folder more then strictly necessary.

So therefore I would like a permissions system that does the following:

  1. Addons list what folders they wish to map
  2. For each, they give a description why they wish to map it, whether access is read only or read-write, and if that mapping is required for the addon to work
  3. For any optional mappings, users can choose not to allow that mapping
  4. (Nice-to-have bonus) For optional mappings, allow me to specify a subfolder that can be mapped instead of the entire folder.
  5. (Nice-to-have bonus) Separate read from write permission and allow them to be controlled individually (i.e. an addon can say read is required and write is optional)