feat: Implement path-based and pattern-based filter rules

Add advanced matching capabilities for file transfer filtering:

New Matchers:
- MultiExtensionMatcher: Match multiple file extensions with case sensitivity option
- SizeMatcher: Match files by size (min/max/between)
- AllMatcher: AND logic for combining matchers
- CompositeMatcher: Unified AND/OR/NOT composite matching

Enhanced Configuration:
- extensions: Match by file extensions ["exe", "bat", "ps1"]
- directory: Match by path component (e.g., ".git")
- min_size/max_size: File size filtering
- composite: Complex AND/OR/NOT rules with nested matchers

SizeAwareFilter Trait:
- check_with_size() for size-based filtering decisions
- check_with_size_dest() for rename/copy operations with size

New Configuration Types:
- CompositeRuleConfig: Define composite rules
- CompositeLogicType: and/or/not logic
- MatcherConfig: Individual matcher in composite rules

Example YAML configuration:
```yaml
filter:
  enabled: true
  rules:
    - name: "block-executables"
      extensions: [exe, sh, bat]
      action: deny
    - name: "protect-env"
      composite:
        type: and
        matchers:
          - pattern: "*.env"
          - not:
              path_prefix: /home/
      action: deny
```

Closes #139

Author: inureyes

src/server/config/types.rs

@@ -289,7 +289,7 @@ pub struct FilterConfig {
 }
 
 /// A single file transfer filter rule.
-#[derive(Debug, Clone, Deserialize, Serialize)]
+#[derive(Debug, Clone, Deserialize, Serialize, Default)]
 pub struct FilterRule {
     /// Rule name (for logging and debugging).
     ///
@@ -309,6 +309,37 @@ pub struct FilterRule {
     #[serde(default)]
     pub path_prefix: Option<String>,
 
+    /// File extensions to match.
+    ///
+    /// Example: ["exe", "sh", "bat"] blocks executable files
+    #[serde(default)]
+    pub extensions: Option<Vec<String>>,
+
+    /// Directory component to match.
+    ///
+    /// Matches if any path component equals this value.
+    /// Example: ".git" matches /project/.git/config
+    #[serde(default)]
+    pub directory: Option<String>,
+
+    /// Minimum file size in bytes.
+    ///
+    /// Files smaller than this size will not match.
+    #[serde(default)]
+    pub min_size: Option<u64>,
+
+    /// Maximum file size in bytes.
+    ///
+    /// Files larger than this size will not match.
+    #[serde(default)]
+    pub max_size: Option<u64>,
+
+    /// Composite rule configuration.
+    ///
+    /// Allows combining multiple matchers with AND/OR/NOT logic.
+    #[serde(default)]
+    pub composite: Option<CompositeRuleConfig>,
+
     /// Action to take when rule matches.
     pub action: FilterAction,
 
@@ -326,6 +357,59 @@ pub struct FilterRule {
     pub users: Option<Vec<String>>,
 }
 
+/// Configuration for composite filter rules.
+#[derive(Debug, Clone, Deserialize, Serialize)]
+pub struct CompositeRuleConfig {
+    /// Type of composite logic: "and", "or", or "not"
+    #[serde(rename = "type")]
+    pub logic_type: CompositeLogicType,
+
+    /// List of matchers for AND/OR logic.
+    #[serde(default)]
+    pub matchers: Vec<MatcherConfig>,
+
+    /// Single matcher for NOT logic.
+    #[serde(default)]
+    pub matcher: Option<Box<MatcherConfig>>,
+}
+
+/// Type of composite logic.
+#[derive(Debug, Clone, Deserialize, Serialize, PartialEq, Eq)]
+#[serde(rename_all = "lowercase")]
+pub enum CompositeLogicType {
+    /// All matchers must match
+    And,
+    /// Any matcher must match
+    Or,
+    /// Invert the matcher result
+    Not,
+}
+
+/// Configuration for a single matcher within a composite rule.
+#[derive(Debug, Clone, Deserialize, Serialize, Default)]
+#[serde(default)]
+pub struct MatcherConfig {
+    /// Glob pattern
+    #[serde(default)]
+    pub pattern: Option<String>,
+
+    /// Path prefix
+    #[serde(default)]
+    pub path_prefix: Option<String>,
+
+    /// File extensions
+    #[serde(default)]
+    pub extensions: Option<Vec<String>>,
+
+    /// Directory component
+    #[serde(default)]
+    pub directory: Option<String>,
+
+    /// Nested NOT matcher
+    #[serde(default)]
+    pub not: Option<Box<MatcherConfig>>,
+}
+
 /// Action to take when a filter rule matches.
 #[derive(Debug, Clone, Deserialize, Serialize, Default)]
 #[serde(rename_all = "lowercase")]

src/server/filter/mod.rs

@@ -60,9 +60,14 @@ pub mod policy;
 use std::fmt;
 use std::path::Path;
 
-pub use self::path::{ExactMatcher, PrefixMatcher};
-pub use self::pattern::{GlobMatcher, RegexMatcher};
-pub use self::policy::{FilterPolicy, FilterRule, Matcher};
+pub use self::path::{
+    normalize_path, ComponentMatcher, ExactMatcher, ExtensionMatcher, MultiExtensionMatcher,
+    PrefixMatcher, SizeMatcher,
+};
+pub use self::pattern::{
+    AllMatcher, CombinedMatcher, CompositeMatcher, GlobMatcher, NotMatcher, RegexMatcher,
+};
+pub use self::policy::{FilterPolicy, FilterRule, Matcher, SharedFilterPolicy};
 
 /// File transfer operation type.
 ///
@@ -244,6 +249,90 @@ impl TransferFilter for NoOpFilter {
     }
 }
 
+/// Trait for size-aware file transfer filters.
+///
+/// This extends the basic `TransferFilter` trait to include file size
+/// in the filtering decision. Use this when you need to filter based
+/// on file size (e.g., block uploads larger than 100MB).
+///
+/// # Example
+///
+/// ```rust
+/// use bssh::server::filter::{FilterResult, Operation, SizeAwareFilter, TransferFilter};
+/// use bssh::server::filter::path::SizeMatcher;
+/// use std::path::Path;
+///
+/// struct MaxUploadSizeFilter {
+///     max_bytes: u64,
+/// }
+///
+/// impl TransferFilter for MaxUploadSizeFilter {
+///     fn check(&self, _path: &Path, _operation: Operation, _user: &str) -> FilterResult {
+///         // Without size info, we allow by default
+///         FilterResult::Allow
+///     }
+/// }
+///
+/// impl SizeAwareFilter for MaxUploadSizeFilter {
+///     fn check_with_size(
+///         &self,
+///         _path: &Path,
+///         size: u64,
+///         operation: Operation,
+///         _user: &str,
+///     ) -> FilterResult {
+///         if operation == Operation::Upload && size > self.max_bytes {
+///             FilterResult::Deny
+///         } else {
+///             FilterResult::Allow
+///         }
+///     }
+/// }
+/// ```
+pub trait SizeAwareFilter: TransferFilter {
+    /// Check if an operation is allowed, taking file size into account.
+    ///
+    /// # Arguments
+    ///
+    /// * `path` - The file path being operated on
+    /// * `size` - The file size in bytes
+    /// * `operation` - The type of operation
+    /// * `user` - The username performing the operation
+    ///
+    /// # Returns
+    ///
+    /// A `FilterResult` indicating whether to allow, deny, or log the operation.
+    fn check_with_size(
+        &self,
+        path: &Path,
+        size: u64,
+        operation: Operation,
+        user: &str,
+    ) -> FilterResult;
+
+    /// Check a two-path operation with size information.
+    ///
+    /// Used for rename/copy operations where both source and destination
+    /// are considered.
+    fn check_with_size_dest(
+        &self,
+        src: &Path,
+        src_size: u64,
+        dest: &Path,
+        operation: Operation,
+        user: &str,
+    ) -> FilterResult {
+        let src_result = self.check_with_size(src, src_size, operation, user);
+        let dest_result = self.check(dest, operation, user);
+
+        match (src_result, dest_result) {
+            (FilterResult::Deny, _) | (_, FilterResult::Deny) => FilterResult::Deny,
+            (FilterResult::Log, _) | (_, FilterResult::Log) => FilterResult::Log,
+            _ => FilterResult::Allow,
+        }
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;