//! # agnt-tools
//!
//! Built-in tools for the agnt agent runtime.
//!
//! Ships seven default tools that implement [`agnt_core::Tool`]:
//!
//! - **Filesystem**: `ReadFile`, `WriteFile`, `EditFile`, `ListDir`
//! - **Search**: `Glob`, `Grep`
//! - **Network**: `Fetch`
//!
//! Plus one **opt-in CVE-class** tool behind the `shell` feature:
//!
//! - **Shell** (`shell` feature): [`Shell`] — arbitrary command execution,
//! default-OFF, requires an explicit sandbox config at construction.
//!
//! ## Security notes
//!
//! - All filesystem tools accept an optional [`sandbox::FilesystemRoot`] via
//! `with_sandbox`. Without a sandbox they can read / write / list anywhere
//! the process has access; with one, every path is canonicalized and
//! rejected if it escapes the root.
//! - `Fetch` has a built-in SSRF guard that runs *atomically* with DNS
//! resolution via a custom [`ureq::Resolver`] ([`ssrf::SsrfResolver`]).
//! http/https only, IPv4/IPv6 private / loopback / link-local /
//! multicast / metadata addresses rejected in the same lookup that
//! `ureq` then uses to connect — no DNS-rebinding TOCTOU. Redirects
//! are disabled on the per-instance agent.
//! - `Shell` is gated behind the `shell` cargo feature; it has no
//! unsandboxed constructor. On Linux, the `bwrap-shell` feature adds
//! a bubblewrap namespace on top of the argv allowlist for defense
//! in depth.
//!
//! See `THREAT_MODEL.md` in the repo root for the current threat model
//! (updated for v0.3.1).
pub use ;
pub use sandbox::FilesystemRoot;
/// The CVE-class `Shell` tool. Only available when the `shell` cargo feature
/// is enabled. See [`builtins::Shell`] for the full threat-model rustdoc.
#[cfg(feature = "shell")]
pub use builtins::Shell;
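The security notes above say the `Fetch` guard vets addresses in the same lookup that is then used to connect. The following is an added, std-only illustration of that resolve-once-and-vet pattern; it is not the crate's `ssrf::SsrfResolver`, and the names `blocked_v4`, `is_blocked`, `vet` and `resolve_checked`, the fail-closed-on-any-blocked-record rule, and the handling of unspecified and IPv4-mapped addresses are assumptions of this example.

```rust
use std::net::{IpAddr, Ipv4Addr, SocketAddr, ToSocketAddrs};

// Hypothetical policy mirroring the categories in the notes above, plus the
// unspecified address (an assumption of this example).
fn blocked_v4(ip: Ipv4Addr) -> bool {
    ip.is_private() || ip.is_loopback() || ip.is_multicast() || ip.is_unspecified()
        || ip.is_link_local() // 169.254.0.0/16, includes metadata 169.254.169.254
}

fn is_blocked(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => blocked_v4(v4),
        IpAddr::V6(v6) => {
            // ::ffff:a.b.c.d is routed to the IPv4 host, so judge it as IPv4.
            if let Some(v4) = v6.to_ipv4_mapped() {
                return blocked_v4(v4);
            }
            let s0 = v6.segments()[0];
            v6.is_loopback() || v6.is_unspecified() || v6.is_multicast()
                || (s0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (s0 & 0xffc0) == 0xfe80 // fe80::/10 link-local
        }
    }
}

// Vet a resolved answer set. Fails closed if it is empty or if any record is
// blocked; otherwise returns the exact addresses the caller must connect to.
fn vet(addrs: Vec<SocketAddr>) -> Result<Vec<SocketAddr>, String> {
    match addrs.iter().find(|a| is_blocked(a.ip())) {
        Some(bad) => Err(format!("blocked destination {}", bad.ip())),
        None if addrs.is_empty() => Err("no addresses".to_string()),
        None => Ok(addrs),
    }
}

// Resolve once and vet in the same step. Connecting to the returned addresses
// instead of resolving the name again is what closes the rebinding window.
fn resolve_checked(host: &str, port: u16) -> Result<Vec<SocketAddr>, String> {
    let addrs = (host, port).to_socket_addrs().map_err(|e| e.to_string())?;
    vet(addrs.collect())
}

fn main() {
    // Constructed inputs: IP literals are parsed locally, no DNS query is made.
    for host in ["127.0.0.1", "169.254.169.254", "::ffff:10.0.0.5", "93.184.216.34"] {
        println!("{host:>18} -> {:?}", resolve_checked(host, 80));
    }
}
```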