Struct CommandPolicy 

pub struct CommandPolicy { /* private fields */ }

A PermissionPolicy that governs ShellPermissionRequests by checking the executable name, working directory, and environment variables.

Denied executables and env keys are rejected immediately. Allowed executables pass. Unknown executables either require approval or are denied, depending on require_approval_for_unknown.

Example

use agentkit_tools_core::CommandPolicy;

let policy = CommandPolicy::new()
    .allow_executable("git")
    .allow_executable("cargo")
    .deny_executable("rm")
    .deny_env_key("AWS_SECRET_ACCESS_KEY")
    .allow_cwd("/workspace")
    .require_approval_for_unknown(true);

Implementations

impl CommandPolicy

pub fn new() -> Self

Creates a new command policy with no rules and approval required for unknown executables.

pub fn allow_executable(self, executable: impl Into<String>) -> Self

Adds an executable name to the allow-list.

pub fn deny_executable(self, executable: impl Into<String>) -> Self

Adds an executable name to the deny-list.

pub fn allow_cwd(self, cwd: impl Into<PathBuf>) -> Self

Adds a directory root that commands are allowed to run in.

pub fn deny_env_key(self, key: impl Into<String>) -> Self

Adds an environment variable name to the deny-list.

pub fn require_approval_for_unknown(self, value: bool) -> Self

When true (the default), executables not in the allow-list trigger an approval request instead of an outright denial.

Trait Implementations

impl Default for CommandPolicy

fn default() -> Self

Returns the “default value” for a type.

impl PermissionPolicy for CommandPolicy

fn evaluate(&self, request: &dyn PermissionRequest) -> PolicyMatch

Evaluate the request and return a match or PolicyMatch::NoOpinion.