claude_agent/security/policy/
mod.rs1use crate::permissions::{PermissionMode, PermissionPolicy};
/// Bundle of security settings: a permission policy plus two sandbox and
/// filesystem knobs.
///
/// Every field is public, so a caller can assign to it directly as well as
/// through the `with_*` builder methods; nothing in this type validates or
/// clamps the values.
#[derive(Debug, Clone)]
pub struct SecurityPolicy {
    /// Permission policy; `mode()` returns its `mode` field.
    pub permission: PermissionPolicy,
    /// Whether bypassing the sandbox is allowed. The `new`, `strict` and
    /// `default` constructors set this to `false`; only `permissive` sets it
    /// to `true`.
    pub allow_sandbox_bypass: bool,
    /// Symlink depth limit. The presets use 5 (`strict`), 10 (`new` and
    /// `default`) and 255 (`permissive`, the `u8` maximum).
    // NOTE(review): the limit is enforced outside this file. Confirm how the
    // consumer treats 0, and that 255 still terminates on a symlink loop.
    pub max_symlink_depth: u8,
}
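impl SecurityPolicy {
    /// Builds a policy around `permission` with the baseline settings:
    /// sandbox bypass disabled and a symlink depth limit of 10.
    #[must_use]
    pub fn new(permission: PermissionPolicy) -> Self {
        Self {
            permission,
            allow_sandbox_bypass: false,
            max_symlink_depth: 10,
        }
    }

    /// Least-restrictive preset: `PermissionPolicy::permissive()`, sandbox
    /// bypass allowed, and the symlink depth limit raised to 255.
    ///
    /// This is the only constructor that enables sandbox bypass.
    // NOTE(review): nothing here limits who may call this preset; confirm that
    // callers reserve it for trusted contexts and that selecting it is logged.
    #[must_use]
    pub fn permissive() -> Self {
        Self {
            permission: PermissionPolicy::permissive(),
            allow_sandbox_bypass: true,
            max_symlink_depth: 255,
        }
    }

    /// Tightest preset: `PermissionPolicy::new()`, sandbox bypass disabled,
    /// and a symlink depth limit of 5.
    // NOTE(review): this uses `PermissionPolicy::new()` while `Default` uses
    // `PermissionPolicy::default()`; confirm `new()` is the stricter of the two.
    #[must_use]
    pub fn strict() -> Self {
        Self {
            permission: PermissionPolicy::new(),
            allow_sandbox_bypass: false,
            max_symlink_depth: 5,
        }
    }

    /// Replaces the permission policy and returns the updated value.
    ///
    /// The builder consumes `self`, so the change is lost if the return value
    /// is dropped; `#[must_use]` turns that mistake into a compiler warning.
    #[must_use]
    pub fn with_permission(mut self, policy: PermissionPolicy) -> Self {
        self.permission = policy;
        self
    }

    /// Sets whether sandbox bypass is allowed and returns the updated value.
    ///
    /// Dropping the result of `with_sandbox_bypass(false)` would leave a
    /// permissive policy unchanged, hence `#[must_use]`.
    #[must_use]
    pub fn with_sandbox_bypass(mut self, allow: bool) -> Self {
        self.allow_sandbox_bypass = allow;
        self
    }

    /// Sets the symlink depth limit and returns the updated value.
    ///
    /// Any `u8` is accepted as given; no range check is applied here.
    #[must_use]
    pub fn with_symlink_depth(mut self, depth: u8) -> Self {
        self.max_symlink_depth = depth;
        self
    }

    /// Returns `true` when this policy allows bypassing the sandbox.
    #[must_use]
    pub fn can_bypass_sandbox(&self) -> bool {
        self.allow_sandbox_bypass
    }

    /// Returns the `mode` field of the wrapped permission policy.
    #[must_use]
    pub fn mode(&self) -> PermissionMode {
        self.permission.mode
    }
}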
impl Default for SecurityPolicy {
    /// Equivalent to `SecurityPolicy::new` applied to the default
    /// `PermissionPolicy`: sandbox bypass disabled, symlink depth limit 10.
    fn default() -> Self {
        let permission = PermissionPolicy::default();
        SecurityPolicy::new(permission)
    }
}
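#[cfg(test)]
mod tests {
    use super::*;

    /// The default policy keeps the sandbox enforced and uses the baseline
    /// symlink depth limit.
    #[test]
    fn test_default_policy() {
        let policy = SecurityPolicy::default();
        assert!(!policy.allow_sandbox_bypass);
        assert!(!policy.can_bypass_sandbox());
        assert_eq!(policy.max_symlink_depth, 10);
    }

    /// The permissive preset is the only one that allows sandbox bypass; the
    /// depth limit is pinned too, so a change to either loosened setting is
    /// caught by this test.
    #[test]
    fn test_permissive_policy() {
        let policy = SecurityPolicy::permissive();
        assert!(policy.allow_sandbox_bypass);
        assert_eq!(policy.max_symlink_depth, 255);
    }

    /// The strict preset forbids sandbox bypass and has the lowest depth limit.
    #[test]
    fn test_strict_policy() {
        let policy = SecurityPolicy::strict();
        assert!(!policy.allow_sandbox_bypass);
        assert_eq!(policy.max_symlink_depth, 5);
    }

    /// Builder calls must be able to re-tighten a permissive policy.
    #[test]
    fn test_builder_overrides_preset() {
        let policy = SecurityPolicy::permissive()
            .with_sandbox_bypass(false)
            .with_symlink_depth(3);
        assert!(!policy.can_bypass_sandbox());
        assert_eq!(policy.max_symlink_depth, 3);
    }
}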