1mod assessment;
9
10use serde::{Deserialize, Serialize};
11
12use super::{
13 EnvironmentSensitivity, ImpactScope, OperationTarget, PermissionChecker, PermissionDecision,
14 Reversibility, ToolRiskAction, ToolRiskAssessment, ToolRiskLevel, ToolRiskReason,
15};
16use assessment::{assess_tool, assessment_permission, critical_assessment, tool_risk_type};
17
18#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
20#[serde(rename_all = "snake_case")]
21pub enum InteractiveApprovalMode {
22 Default,
24 Plan,
26 Auto,
28}
29
30impl InteractiveApprovalMode {
31 pub fn from_name(value: &str) -> Self {
32 match value.trim().to_ascii_lowercase().as_str() {
33 "plan" => Self::Plan,
34 "auto" => Self::Auto,
35 _ => Self::Default,
36 }
37 }
38
39 pub const fn action_for(self, assessment: &ToolRiskAssessment) -> ToolRiskAction {
47 match (self, assessment.level) {
48 (_, ToolRiskLevel::Routine) => ToolRiskAction::Allow,
49 (Self::Auto, ToolRiskLevel::Bounded) => ToolRiskAction::Allow,
50 (_, ToolRiskLevel::Bounded) => ToolRiskAction::RequireConfirmation,
51 (_, ToolRiskLevel::High) => ToolRiskAction::ReviewByLlm,
52 (_, ToolRiskLevel::Critical) => ToolRiskAction::RuleDeny,
53 }
54 }
55
56 fn apply(self, assessment: &ToolRiskAssessment) -> PermissionDecision {
57 match self.action_for(assessment) {
58 ToolRiskAction::Allow => PermissionDecision::Allow,
59 ToolRiskAction::RequireConfirmation | ToolRiskAction::ReviewByLlm => {
60 PermissionDecision::Ask
64 }
65 ToolRiskAction::RuleDeny => PermissionDecision::Deny,
66 }
67 }
68}
69
70#[derive(Debug, Clone, PartialEq, Eq)]
72pub struct InteractiveToolGuardrail {
73 mode: InteractiveApprovalMode,
74 workspace: Option<std::path::PathBuf>,
75}
76
77impl InteractiveToolGuardrail {
78 pub const fn new(mode: InteractiveApprovalMode) -> Self {
79 Self {
80 mode,
81 workspace: None,
82 }
83 }
84
85 pub fn for_mode(mode: &str) -> Self {
86 Self::new(InteractiveApprovalMode::from_name(mode))
87 }
88
89 pub fn with_workspace(mut self, workspace: impl Into<std::path::PathBuf>) -> Self {
91 self.workspace = Some(workspace.into());
92 self
93 }
94
95 pub fn risk_assessment(tool_name: &str, args: &serde_json::Value) -> ToolRiskAssessment {
97 assess_tool(tool_name, args)
98 }
99
100 pub fn risk_decision(tool_name: &str, args: &serde_json::Value) -> PermissionDecision {
106 assessment_permission(&assess_tool(tool_name, args))
107 }
108
109 pub fn assess(&self, tool_name: &str, args: &serde_json::Value) -> ToolRiskAssessment {
111 if let Some(assessment) = self.workspace_boundary_assessment(tool_name, args) {
112 return assessment;
113 }
114 assess_tool(tool_name, args)
115 }
116
117 pub fn risk_action(&self, tool_name: &str, args: &serde_json::Value) -> ToolRiskAction {
119 self.mode.action_for(&self.assess(tool_name, args))
120 }
121
122 fn workspace_boundary_assessment(
123 &self,
124 tool_name: &str,
125 args: &serde_json::Value,
126 ) -> Option<ToolRiskAssessment> {
127 let root = self.workspace.as_deref()?;
128 invocation_crosses_local_symlink(root, tool_name, args).then(|| {
129 critical_assessment(
130 tool_risk_type(tool_name),
131 OperationTarget::OutsideWorkspace,
132 ImpactScope::Host,
133 Reversibility::Unknown,
134 EnvironmentSensitivity::Host,
135 ToolRiskReason::SymlinkBoundaryEscape,
136 )
137 })
138 }
139}
140
141impl Default for InteractiveToolGuardrail {
142 fn default() -> Self {
143 Self::new(InteractiveApprovalMode::Default)
144 }
145}
146
147impl PermissionChecker for InteractiveToolGuardrail {
148 fn check(&self, tool_name: &str, args: &serde_json::Value) -> PermissionDecision {
149 self.mode.apply(&self.assess(tool_name, args))
150 }
151}
152
153fn invocation_crosses_local_symlink(
154 root: &std::path::Path,
155 tool_name: &str,
156 args: &serde_json::Value,
157) -> bool {
158 if tool_name.eq_ignore_ascii_case("batch") {
159 return args
160 .get("invocations")
161 .and_then(serde_json::Value::as_array)
162 .is_some_and(|invocations| {
163 invocations.iter().any(|invocation| {
164 let Some(tool) = invocation.get("tool").and_then(serde_json::Value::as_str)
165 else {
166 return false;
167 };
168 let Some(tool_args) = invocation.get("args") else {
169 return false;
170 };
171 invocation_crosses_local_symlink(root, tool, tool_args)
172 })
173 });
174 }
175
176 let tool = tool_name.to_ascii_lowercase();
177 if tool == "bash" {
178 return shell_path_crosses_symlink(root, args);
179 }
180 let field = match tool.as_str() {
181 "read" | "write" | "edit" | "patch" => "file_path",
182 "grep" | "glob" | "ls" | "code_symbols" | "code_navigation" | "code_diagnostics" => "path",
183 _ => return false,
184 };
185 let Some(path) = args.get(field).and_then(serde_json::Value::as_str) else {
186 return false;
187 };
188 local_path_crosses_symlink(root, path)
189}
190
191fn shell_path_crosses_symlink(root: &std::path::Path, args: &serde_json::Value) -> bool {
192 args.get("command")
193 .and_then(serde_json::Value::as_str)
194 .is_some_and(|command| {
195 command
196 .split_whitespace()
197 .map(clean_shell_token)
198 .filter(|token| !token.is_empty() && !token.starts_with('-'))
199 .any(|token| local_path_crosses_symlink(root, token))
200 })
201}
202
203fn local_path_crosses_symlink(root: &std::path::Path, path: &str) -> bool {
204 if path_is_outside_workspace(path) {
205 return false;
206 }
207 let mut current = root.to_path_buf();
208 for component in std::path::Path::new(path).components() {
209 match component {
210 std::path::Component::CurDir => continue,
211 std::path::Component::Normal(component) => current.push(component),
212 _ => return true,
213 }
214 match std::fs::symlink_metadata(¤t) {
215 Ok(metadata) if metadata.file_type().is_symlink() => return true,
216 Ok(_) => {}
217 Err(error) if error.kind() == std::io::ErrorKind::NotFound => return false,
218 Err(_) => return true,
219 }
220 }
221 false
222}
223
224pub(super) fn atomic_tool_is_bounded(tool_name: &str, args: &serde_json::Value) -> bool {
225 match tool_name.to_ascii_lowercase().as_str() {
226 "write" | "edit" | "patch" => bounded_file_target(args),
229 "git" => {
230 classify_git(args) == PermissionDecision::Ask
231 && git_call_is_known_bounded_mutation(args)
232 }
233 _ => false,
236 }
237}
238
239fn bounded_file_target(args: &serde_json::Value) -> bool {
240 args.get("file_path")
241 .and_then(serde_json::Value::as_str)
242 .is_some_and(|path| !path.trim().is_empty() && !path_is_outside_workspace(path))
243}
244
245fn git_call_is_known_bounded_mutation(args: &serde_json::Value) -> bool {
246 if git_requires_explicit_confirmation(args) {
247 return false;
248 }
249 match args.get("command").and_then(serde_json::Value::as_str) {
250 Some("branch") => valid_non_option_string(args, "name"),
251 Some("checkout") => valid_non_option_string(args, "ref"),
252 Some("stash") => {
253 args.get("message")
254 .and_then(serde_json::Value::as_str)
255 .is_some()
256 || args
257 .get("include_untracked")
258 .and_then(serde_json::Value::as_bool)
259 .unwrap_or(false)
260 }
261 Some("remote") => args
262 .get("remote_name")
263 .and_then(serde_json::Value::as_str)
264 .is_some(),
265 Some("worktree") => matches!(
266 args.get("subcommand").and_then(serde_json::Value::as_str),
267 Some("add")
268 ),
269 _ => false,
270 }
271}
272
273fn git_requires_explicit_confirmation(args: &serde_json::Value) -> bool {
274 args.get("force").is_some_and(|value| value != false)
275}
276
277pub(super) fn classify_atomic_tool(
278 tool_name: &str,
279 args: &serde_json::Value,
280) -> PermissionDecision {
281 match tool_name.to_ascii_lowercase().as_str() {
282 "read" => classify_scoped_path(args, "file_path", PermissionDecision::Allow),
283 "grep" | "glob" | "ls" | "code_symbols" | "code_navigation" | "code_diagnostics" => {
284 classify_scoped_path(args, "path", PermissionDecision::Allow)
285 }
286 "web_search" | "web_fetch" | "search_skills" | "generate_object" => {
287 PermissionDecision::Allow
288 }
289 "write" | "edit" => classify_scoped_path(args, "file_path", PermissionDecision::Ask),
290 "patch" => classify_scoped_path(args, "file_path", PermissionDecision::Ask),
293 "bash" => classify_bash(args),
294 "git" => classify_git(args),
295 _ => PermissionDecision::Ask,
298 }
299}
300
301fn classify_scoped_path(
302 args: &serde_json::Value,
303 field: &str,
304 safe_decision: PermissionDecision,
305) -> PermissionDecision {
306 let Some(path) = args.get(field).and_then(serde_json::Value::as_str) else {
307 return if field == "path" {
310 safe_decision
311 } else {
312 PermissionDecision::Ask
313 };
314 };
315 if path.trim().is_empty() {
316 return if field == "path" {
317 safe_decision
318 } else {
319 PermissionDecision::Ask
320 };
321 }
322 if path_is_outside_workspace(path) {
323 PermissionDecision::Deny
324 } else {
325 safe_decision
326 }
327}
328
329fn classify_git(args: &serde_json::Value) -> PermissionDecision {
330 let Some(command) = args.get("command").and_then(serde_json::Value::as_str) else {
331 return PermissionDecision::Ask;
332 };
333 if args
334 .get("force")
335 .is_some_and(|value| value.as_bool() != Some(false))
336 {
337 return PermissionDecision::Ask;
338 }
339
340 match command {
341 "status" if only_git_keys(args, &["command"]) => PermissionDecision::Allow,
342 "log"
343 if only_git_keys(args, &["command", "limit", "max_count", "cursor"])
344 && valid_optional_positive_integer(args, "limit")
345 && valid_optional_positive_integer(args, "max_count")
346 && valid_optional_string(args, "cursor") =>
347 {
348 PermissionDecision::Allow
349 }
350 "diff"
351 if only_git_keys(args, &["command", "target", "byte_offset", "max_bytes"])
352 && valid_optional_non_option_string(args, "target")
353 && valid_optional_nonnegative_integer(args, "byte_offset")
354 && valid_optional_positive_integer(args, "max_bytes") =>
355 {
356 PermissionDecision::Allow
357 }
358 "remote"
359 if only_git_keys(args, &["command", "remote_name", "cursor"])
360 && valid_optional_string(args, "remote_name")
361 && valid_optional_string(args, "cursor") =>
362 {
363 PermissionDecision::Allow
364 }
365 "branch"
366 if args.get("name").is_none()
367 && only_git_keys(args, &["command", "limit", "max_count", "cursor"])
368 && valid_optional_positive_integer(args, "limit")
369 && valid_optional_positive_integer(args, "max_count")
370 && valid_optional_string(args, "cursor") =>
371 {
372 PermissionDecision::Allow
373 }
374 "stash"
375 if args.get("message").is_none()
376 && args.get("include_untracked").is_none()
377 && only_git_keys(args, &["command", "cursor"])
378 && valid_optional_string(args, "cursor") =>
379 {
380 PermissionDecision::Allow
381 }
382 "worktree"
383 if args
384 .get("subcommand")
385 .and_then(serde_json::Value::as_str)
386 .unwrap_or("list")
387 == "list"
388 && only_git_keys(args, &["command", "subcommand", "cursor"])
389 && valid_optional_string(args, "subcommand")
390 && valid_optional_string(args, "cursor") =>
391 {
392 PermissionDecision::Allow
393 }
394 _ => PermissionDecision::Ask,
395 }
396}
397
398fn only_git_keys(args: &serde_json::Value, allowed: &[&str]) -> bool {
399 args.as_object().is_some_and(|object| {
400 object
401 .keys()
402 .all(|key| allowed.iter().any(|allowed| key == allowed))
403 })
404}
405
406fn valid_non_option_string(args: &serde_json::Value, field: &str) -> bool {
407 args.get(field)
408 .and_then(serde_json::Value::as_str)
409 .is_some_and(|value| {
410 let value = value.trim();
411 !value.is_empty() && !value.starts_with('-')
412 })
413}
414
415fn valid_optional_non_option_string(args: &serde_json::Value, field: &str) -> bool {
416 args.get(field)
417 .is_none_or(|_| valid_non_option_string(args, field))
418}
419
420fn valid_optional_string(args: &serde_json::Value, field: &str) -> bool {
421 args.get(field).is_none_or(serde_json::Value::is_string)
422}
423
424fn valid_optional_positive_integer(args: &serde_json::Value, field: &str) -> bool {
425 args.get(field)
426 .is_none_or(|value| value.as_u64().is_some_and(|number| number > 0))
427}
428
429fn valid_optional_nonnegative_integer(args: &serde_json::Value, field: &str) -> bool {
430 args.get(field).is_none_or(|value| value.as_u64().is_some())
431}
432
433fn classify_bash(args: &serde_json::Value) -> PermissionDecision {
434 let Some(command) = args.get("command").and_then(serde_json::Value::as_str) else {
435 return PermissionDecision::Ask;
436 };
437 let command = command.trim();
438 if command.is_empty() {
439 return PermissionDecision::Ask;
440 }
441 if is_catastrophic_bash_command(command) {
442 PermissionDecision::Deny
443 } else if is_read_only_bash_command(command) {
444 PermissionDecision::Allow
445 } else {
446 PermissionDecision::Ask
447 }
448}
449
450fn is_catastrophic_bash_command(command: &str) -> bool {
451 let lower = normalize_shell(command).to_ascii_lowercase();
452 if lower == "sudo"
453 || lower.starts_with("sudo ")
454 || lower.starts_with("doas ")
455 || lower == "su"
456 || lower.starts_with("su ")
457 || lower.starts_with("su -")
458 {
459 return true;
460 }
461 if lower.contains("mkfs")
462 || lower.contains("diskutil erase")
463 || lower.contains(":(){")
464 || lower.contains("kill -9 -1")
465 || lower.starts_with("shutdown")
466 || lower.starts_with("reboot")
467 {
468 return true;
469 }
470 if (lower.contains("curl ") || lower.contains("wget "))
471 && ["| sh", "|sh", "| bash", "|bash", "| zsh", "|zsh"]
472 .iter()
473 .any(|pipe| lower.contains(pipe))
474 {
475 return true;
476 }
477 if (lower.starts_with("dd ") || lower.contains(" dd "))
478 && (lower.contains(" of=/dev/") || lower.contains("of=/dev/"))
479 {
480 return true;
481 }
482
483 lower.contains("rm -rf /")
484 || lower.contains("rm -fr /")
485 || lower.contains("rm -rf ~")
486 || lower.contains("rm -fr ~")
487 || lower.contains("rm -rf $home")
488 || lower.contains("rm -fr $home")
489 || lower.contains("rm -rf *")
490 || lower.contains("rm -fr *")
491 || lower == "rm -rf ."
492 || lower == "rm -fr ."
493}
494
495fn is_read_only_bash_command(command: &str) -> bool {
496 if command
500 .chars()
501 .any(|character| character.is_whitespace() && character != ' ')
502 || command.contains(['\'', '"', '*', '?', '[', ']', '{', '}'])
503 || contains_unsafe_shell_syntax(command)
504 {
505 return false;
506 }
507 command
508 .split('|')
509 .all(|segment| is_read_only_bash_segment(segment.trim()))
510}
511
512fn contains_unsafe_shell_syntax(command: &str) -> bool {
513 command.contains("&&")
514 || command.contains("||")
515 || command.contains(';')
516 || command.contains('>')
517 || command.contains('<')
518 || command.contains('`')
519 || command.contains("$(")
520 || command.contains('&')
521 || command.contains('\n')
522 || command.contains('\r')
523 || command.contains('$')
524 || has_unscoped_path_token(command)
525}
526
527fn has_unscoped_path_token(command: &str) -> bool {
528 command
529 .split_whitespace()
530 .map(clean_shell_token)
531 .filter(|token| !token.is_empty())
532 .any(path_is_outside_workspace)
533}
534
535fn clean_shell_token(token: &str) -> &str {
536 token.trim_matches(|character: char| {
537 matches!(
538 character,
539 '\'' | '"' | '(' | ')' | '[' | ']' | '{' | '}' | ',' | ':'
540 )
541 })
542}
543
544fn path_is_outside_workspace(path: &str) -> bool {
545 let normalized = path.replace('\\', "/");
546 let path = normalized.trim();
547 let bytes = path.as_bytes();
548 if (bytes.len() >= 2 && bytes[0].is_ascii_alphabetic() && bytes[1] == b':')
549 || path.starts_with("//")
550 || path.starts_with('/')
551 || path.starts_with('~')
552 || path.starts_with("$HOME")
553 || path.starts_with("${HOME}")
554 {
555 return true;
556 }
557
558 let mut depth = 0_i32;
559 for component in path.split('/') {
560 match component {
561 "" | "." => {}
562 ".." if depth == 0 => return true,
563 ".." => depth -= 1,
564 _ => depth += 1,
565 }
566 }
567 false
568}
569
570fn is_read_only_bash_segment(segment: &str) -> bool {
571 let tokens: Vec<&str> = segment.split_whitespace().collect();
572 let Some(command) = tokens.first().copied().map(clean_shell_token) else {
573 return false;
574 };
575 let lower = segment.to_ascii_lowercase();
576
577 match command {
578 "pwd" | "cat" | "head" | "tail" | "wc" | "stat" | "file" | "cut" | "tr" | "whoami" => {
579 tokens
580 .iter()
581 .skip(1)
582 .all(|value| !option_executes_or_writes(value))
583 }
584 "ls" => tokens.iter().skip(1).all(|value| {
585 !option_executes_or_writes(value)
586 && !short_option_contains(value, 'L')
587 && !short_option_contains(value, 'R')
588 && !matches!(*value, "--dereference" | "--recursive")
589 }),
590 "rg" => tokens.iter().skip(1).all(|value| {
591 !option_executes_or_writes(value)
592 && !matches!(*value, "--pre" | "--hostname-bin" | "-L" | "--follow")
593 && !value.starts_with("--pre=")
594 && !value.starts_with("--hostname-bin=")
595 }),
596 "grep" => tokens.iter().skip(1).all(|value| {
597 !option_executes_or_writes(value)
598 && !matches!(
599 *value,
600 "-R" | "-r"
601 | "--recursive"
602 | "--dereference-recursive"
603 | "--include"
604 | "--exclude-from"
605 )
606 }),
607 "du" => tokens.iter().skip(1).all(|value| {
608 !short_option_contains(value, 'L')
609 && !matches!(*value, "--dereference")
610 && !option_executes_or_writes(value)
611 }),
612 "df" => tokens
613 .iter()
614 .skip(1)
615 .all(|value| !option_executes_or_writes(value)),
616 "date" => tokens.iter().skip(1).all(|value| {
617 !matches!(*value, "-s" | "--set")
618 && !value.starts_with("--set=")
619 && !option_executes_or_writes(value)
620 }),
621 "uname" => tokens
622 .iter()
623 .skip(1)
624 .all(|value| !option_executes_or_writes(value)),
625 "sort" => tokens.iter().skip(1).all(|value| {
626 !matches!(*value, "-o" | "--output" | "--compress-program")
627 && !value.starts_with("--output=")
628 && !value.starts_with("--compress-program=")
629 && !option_executes_or_writes(value)
630 }),
631 "uniq" => positional_argument_count(&tokens[1..]) <= 1,
634 "printf" | "echo" => tokens.iter().skip(1).all(|value| !value.starts_with('-')),
637 "find" => {
638 !tokens
639 .iter()
640 .skip(1)
641 .any(|value| matches!(*value, "-L" | "-H"))
642 && ![
643 " -delete",
644 " -exec",
645 " -execdir",
646 " -ok",
647 " -okdir",
648 " -fprint",
649 " -fprint0",
650 " -fprintf",
651 " -follow",
652 " -lname",
653 ]
654 .iter()
655 .any(|action| lower.contains(action))
656 }
657 "sed" => !tokens.iter().skip(1).any(|value| {
658 *value == "-i"
659 || value.starts_with("-i")
660 || value.starts_with("--in-place")
661 || option_executes_or_writes(value)
662 }),
663 "git" => is_read_only_git_segment(&tokens),
664 _ => false,
665 }
666}
667
668fn short_option_contains(value: &str, flag: char) -> bool {
669 value.starts_with('-')
670 && !value.starts_with("--")
671 && value.chars().skip(1).any(|candidate| candidate == flag)
672}
673
674fn option_executes_or_writes(value: &str) -> bool {
675 matches!(
676 value,
677 "--output" | "--exec" | "--command" | "--config" | "--files-from"
678 ) || value.starts_with("--output=")
679 || value.starts_with("--exec=")
680 || value.starts_with("--command=")
681 || value.starts_with("--config=")
682 || value.starts_with("--files-from=")
683}
684
685fn positional_argument_count(tokens: &[&str]) -> usize {
686 tokens
687 .iter()
688 .filter(|value| !value.starts_with('-'))
689 .count()
690}
691
692fn is_read_only_git_segment(tokens: &[&str]) -> bool {
693 if tokens.first().copied() != Some("git") {
694 return false;
695 }
696 let mut index = 1;
697 while index < tokens.len() {
698 match tokens[index] {
699 "--no-pager" | "-P" | "--no-optional-locks" => index += 1,
700 value if value.starts_with('-') => return false,
704 _ => break,
705 }
706 }
707
708 let Some(subcommand) = tokens.get(index).copied() else {
709 return false;
710 };
711 let args = &tokens[index + 1..];
712 if args.iter().any(|value| {
713 matches!(
714 *value,
715 "--ext-diff" | "--textconv" | "--exec-path" | "--config-env"
716 ) || value.starts_with("--exec-path=")
717 || value.starts_with("--config-env=")
718 }) {
719 return false;
720 }
721
722 match subcommand {
723 "status" | "diff" | "log" | "show" | "blame" | "grep" | "ls-files" | "rev-parse" => {
724 !args.iter().any(|value| {
725 option_executes_or_writes(value)
726 || matches!(*value, "--paginate" | "-p" | "--ext-diff" | "--textconv")
727 || value.starts_with("--format=") && value.contains("%(rest)")
728 })
729 }
730 "remote" => match args.first() {
731 Some(value) => matches!(*value, "-v" | "show"),
732 None => true,
733 },
734 "branch" => args.iter().all(|value| {
735 matches!(
736 *value,
737 "--all" | "-a" | "--list" | "--show-current" | "--verbose" | "-v" | "-vv"
738 )
739 }),
740 _ => false,
741 }
742}
743
744fn normalize_shell(command: &str) -> String {
745 command.split_whitespace().collect::<Vec<_>>().join(" ")
746}