Skip to main content

a3s_code_core/permissions/
mod.rs

1//! Permission system for tool execution control
2//!
3//! Implements a declarative permission system similar to Claude Code's permissions.
4//! Supports pattern matching with wildcards and three-tier evaluation:
5//! 1. Deny rules - checked first, any match = immediate denial
6//! 2. Allow rules - checked second, any match = auto-approval
7//! 3. Ask rules - checked third, forces confirmation prompt
8//! 4. Default behavior - falls back to HITL policy
9
10mod manager;
11mod policy;
12mod rule;
13
14#[cfg(test)]
15mod tests;
16
17use serde::{Deserialize, Serialize};
18
19pub use manager::{MatchingRules, PermissionManager};
20pub use policy::PermissionPolicy;
21pub use rule::PermissionRule;
22
23/// Trait for checking tool execution permissions.
24///
25/// Implement this trait to provide custom permission logic.
26/// The built-in `PermissionPolicy` implements this trait using
27/// declarative allow/deny/ask rules with pattern matching.
28pub trait PermissionChecker: Send + Sync {
29    /// Whether a tool definition should be exposed to the model.
30    ///
31    /// This controls model-visible capabilities only. [`Self::check`] remains
32    /// the authoritative execution-time decision for any tool invocation.
33    /// Existing checkers expose every tool unless they explicitly override
34    /// this method.
35    fn expose_to_model(&self, _tool_name: &str) -> bool {
36        true
37    }
38
39    /// Check whether a tool invocation is allowed, denied, or requires confirmation.
40    fn check(&self, tool_name: &str, args: &serde_json::Value) -> PermissionDecision;
41}
42
43/// Permission decision result
44#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
45#[serde(rename_all = "snake_case")]
46pub enum PermissionDecision {
47    /// Automatically allow without user confirmation
48    Allow,
49    /// Deny execution
50    Deny,
51    /// Ask user for confirmation
52    Ask,
53}