a3s_code_core/permissions/mod.rs
1//! Permission system for tool execution control
2//!
3//! Implements a declarative permission system similar to Claude Code's permissions.
4//! Supports pattern matching with wildcards and three-tier evaluation:
5//! 1. Deny rules - checked first, any match = immediate denial
6//! 2. Allow rules - checked second, any match = auto-approval
7//! 3. Ask rules - checked third, forces confirmation prompt
8//! 4. Default behavior - falls back to HITL policy
9
10mod interactive;
11mod manager;
12mod policy;
13mod risk;
14mod rule;
15
16#[cfg(test)]
17mod tests;
18
19use serde::{Deserialize, Serialize};
20
21pub use interactive::{InteractiveApprovalMode, InteractiveToolGuardrail};
22pub use manager::{MatchingRules, PermissionManager};
23pub use policy::PermissionPolicy;
24pub use risk::{
25 EnvironmentSensitivity, ImpactScope, OperationTarget, Reversibility, ToolRiskAction,
26 ToolRiskAssessment, ToolRiskDimensions, ToolRiskLevel, ToolRiskReason, ToolRiskType,
27};
28pub use rule::PermissionRule;
29
30/// Trait for checking tool execution permissions.
31///
32/// Implement this trait to provide custom permission logic.
33/// The built-in `PermissionPolicy` implements this trait using
34/// declarative allow/deny/ask rules with pattern matching.
35pub trait PermissionChecker: Send + Sync {
36 /// Whether a tool definition should be exposed to the model.
37 ///
38 /// This controls model-visible capabilities only. [`Self::check`] remains
39 /// the authoritative execution-time decision for any tool invocation.
40 /// Existing checkers expose every tool unless they explicitly override
41 /// this method.
42 fn expose_to_model(&self, _tool_name: &str) -> bool {
43 true
44 }
45
46 /// Check whether a tool invocation is allowed, denied, or requires confirmation.
47 fn check(&self, tool_name: &str, args: &serde_json::Value) -> PermissionDecision;
48}
49
50/// Permission decision result
51#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
52#[serde(rename_all = "snake_case")]
53pub enum PermissionDecision {
54 /// Automatically allow without user confirmation
55 Allow,
56 /// Deny execution
57 Deny,
58 /// Ask user for confirmation
59 Ask,
60}