agnt_tools/
lib.rs

1//! # agnt-tools
2//!
3//! Built-in tools for the agnt agent runtime.
4//!
5//! Ships seven default tools that implement [`agnt_core::Tool`]:
6//!
7//! - **Filesystem**: `ReadFile`, `WriteFile`, `EditFile`, `ListDir`
8//! - **Search**: `Glob`, `Grep`
9//! - **Network**: `Fetch`
10//!
11//! Plus one **opt-in, high-risk ("CVE-class")** tool behind the `shell` feature:
12//!
13//! - **Shell** (`shell` feature): [`Shell`] — arbitrary command execution,
14//!   default-OFF, requires an explicit sandbox config at construction.
15//!
16//! ## Security notes
17//!
18//! - All filesystem tools accept an optional [`sandbox::FilesystemRoot`] via
19//!   `with_sandbox`. The sandbox is opt-in: without one, a tool can read / write / list
20//!   anywhere the process has access, so attach one whenever paths are not fully trusted.
21//!   With a sandbox, every path is canonicalized and rejected if it escapes the root.
22//! - `Fetch` has a built-in SSRF guard: only `http`/`https` URLs are accepted; IPv4/IPv6
23//!   private / loopback / link-local / multicast / metadata addresses are rejected; and
24//!   redirects are disabled on the shared ureq agent, so none is followed to a rejected address.
25//! - `Shell` is gated behind the `shell` cargo feature; it has no
26//!   unsandboxed constructor. See its rustdoc for the threat model.
27//!
28//! See the v0.2 threat model (`agnt-v0.2-plan.md` Part 2 S1–S7) for
29//! details.
30
31pub mod builtins;
32pub mod http;
33pub mod sandbox;
34
35pub use builtins::{EditFile, Fetch, Glob, Grep, ListDir, ReadFile, WriteFile};
36pub use sandbox::FilesystemRoot;
37
38/// The CVE-class `Shell` tool. Only available when the `shell` cargo feature
39/// is enabled. See [`builtins::Shell`] for the full threat-model rustdoc.
40#[cfg(feature = "shell")]
41pub use builtins::Shell;