Skip to main content

a3s_code_core/permissions/
mod.rs

1//! Permission system for tool execution control
2//!
3//! Implements a declarative permission system similar to Claude Code's permissions.
4//! Supports pattern matching with wildcards and three-tier evaluation:
5//! 1. Deny rules - checked first, any match = immediate denial
6//! 2. Allow rules - checked second, any match = auto-approval
7//! 3. Ask rules - checked third, forces confirmation prompt
8//! 4. Default behavior - falls back to HITL policy
9
10mod interactive;
11mod manager;
12mod policy;
13mod risk;
14mod rule;
15
16#[cfg(test)]
17mod tests;
18
19use serde::{Deserialize, Serialize};
20
21pub use interactive::{InteractiveApprovalMode, InteractiveToolGuardrail};
22pub use manager::{MatchingRules, PermissionManager};
23pub use policy::PermissionPolicy;
24pub use risk::{
25    EnvironmentSensitivity, ImpactScope, OperationTarget, Reversibility, ToolRiskAction,
26    ToolRiskAssessment, ToolRiskDimensions, ToolRiskLevel, ToolRiskReason, ToolRiskType,
27};
28pub use rule::PermissionRule;
29
30/// Trait for checking tool execution permissions.
31///
32/// Implement this trait to provide custom permission logic.
33/// The built-in `PermissionPolicy` implements this trait using
34/// declarative allow/deny/ask rules with pattern matching.
35pub trait PermissionChecker: Send + Sync {
36    /// Whether a tool definition should be exposed to the model.
37    ///
38    /// This controls model-visible capabilities only. [`Self::check`] remains
39    /// the authoritative execution-time decision for any tool invocation.
40    /// Existing checkers expose every tool unless they explicitly override
41    /// this method.
42    fn expose_to_model(&self, _tool_name: &str) -> bool {
43        true
44    }
45
46    /// Check whether a tool invocation is allowed, denied, or requires confirmation.
47    fn check(&self, tool_name: &str, args: &serde_json::Value) -> PermissionDecision;
48}
49
50/// Permission decision result
51#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
52#[serde(rename_all = "snake_case")]
53pub enum PermissionDecision {
54    /// Automatically allow without user confirmation
55    Allow,
56    /// Deny execution
57    Deny,
58    /// Ask user for confirmation
59    Ask,
60}