Permission system for controlling agent access to resources.
This module implements a grant-based permission system where permissions are
represented as tuples of (Target, Level):
- Target: What resource is being accessed (path, domain, or command)
- Level: What level of access is permitted (read, write, execute, admin)
§Permission Levels
Permission levels form a hierarchy where higher levels imply lower levels:
Admin > Execute > Write > Read > None

For example, a Write grant automatically allows Read operations.
§Target Types
| Target | Controls | Examples |
|---|---|---|
| Path | Files and directories | `/project/src`, `/home/user/.config` |
| Domain | Network endpoints | `api.github.com`, `*.anthropic.com` |
| Command | Shell commands | `git *`, `cargo build` |
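The following is an added sketch, not code from agent_core_runtime, of a (Target, Level) check that honours the hierarchy above and handles the two matching edge cases a reviewer should test for: sibling directories that share a string prefix, and wildcard domains that match without a label boundary. The type and function names and the matching rules are assumptions made for this illustration, not the crate's implementation.

```rust
use std::path::{Component, Path};

// Stand-alone model for illustration; these are not the crate's types.
// Variant order gives the hierarchy None < Read < Write < Execute < Admin.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
enum Level { None, Read, Write, Execute, Admin }

enum Target {
    Path { path: String, recursive: bool },
    Domain(String),
}

// Component-wise containment: "/project/src" covers "/project/src/a.rs" but
// not "/project/src-old/a.rs". A request containing ".." is refused rather
// than resolved (assumed policy for this sketch).
fn path_covers(granted: &str, requested: &str, recursive: bool) -> bool {
    let (g, r) = (Path::new(granted), Path::new(requested));
    if r.components().any(|c| c == Component::ParentDir) {
        return false;
    }
    if recursive { r.starts_with(g) } else { r == g }
}

// "*.example.com" matches subdomains only at a label boundary.
fn domain_covers(pattern: &str, host: &str) -> bool {
    let (pattern, host) = (pattern.to_ascii_lowercase(), host.to_ascii_lowercase());
    match pattern.strip_prefix("*.") {
        Some(suffix) => host
            .strip_suffix(suffix)
            .map_or(false, |rest| rest.len() > 1 && rest.ends_with('.')),
        None => pattern == host,
    }
}

// Satisfied when the target covers the request and the level is high enough.
fn satisfies(grant: &(Target, Level), req: &(Target, Level)) -> bool {
    let target_ok = match (&grant.0, &req.0) {
        (Target::Path { path: g, recursive }, Target::Path { path: r, .. }) => path_covers(g, r, *recursive),
        (Target::Domain(p), Target::Domain(h)) => domain_covers(p, h),
        _ => false, // a path grant never authorises a domain request
    };
    target_ok && grant.1 >= req.1
}

fn main() {
    let grant = (Target::Path { path: "/project/src".into(), recursive: true }, Level::Write);
    let sibling = (Target::Path { path: "/project/src-old/a.rs".into(), recursive: false }, Level::Read);
    println!("sibling directory allowed: {}", satisfies(&grant, &sibling));
}
```
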
§Batch Requests
When multiple tools run in parallel, their permission requests can be batched together for a single UI prompt, avoiding deadlocks and reducing user friction.
§Example

```rust
use agent_core_runtime::permissions::{Grant, GrantTarget, PermissionLevel, PermissionRequest};

// Create a grant for writing to /project/src recursively
let grant = Grant::write_path("/project/src", true);

// Create a request to write a file
let request = PermissionRequest::file_write("req-1", "/project/src/main.rs");

// Check if the grant satisfies the request
assert!(grant.satisfies(&request));

// Write grant also satisfies read requests (level hierarchy)
let read_request = PermissionRequest::file_read("req-2", "/project/src/lib.rs");
assert!(grant.satisfies(&read_request));
```

Structs§
- BatchPermissionRequest - A batch of permission requests from parallel tool executions.
- BatchPermissionResponse - Response to a batch permission request.
- Grant - A permission grant combining a target and permission level.
- PendingPermissionInfo - Information about a pending permission request for UI display.
- PermissionPanelResponse - Response from the UI to a permission request.
- PermissionRegistry - Registry for managing permission grants and requests.
- PermissionRequest - A request for permission to perform an operation.
- ToolPermissions - Helper functions for creating tool-specific permission requests.
Enums§
- BatchAction - User actions for responding to a batch permission request.
- GrantTarget - The target of a permission grant.
- PermissionError - Error types for permission operations.
- PermissionLevel - Permission level that determines what operations are allowed.
- ToolCategory - Tool categories for permission mapping.
Functions§
- compute_suggested_grants - Computes suggested grants that would cover all requests.
- generate_batch_id - Generates a unique batch ID.
- get_tool_category - Gets the tool category from a tool name.