ai-agent 0.88.0

Idiomatic agent sdk inspired by the claude code source leak
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205

// Source: ~/claudecode/openclaudecode/src/tools/BashTool/modeValidation.ts

/// Permission mode for tool execution.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ToolPermissionMode {
    /// Bypass all permission checks.
    BypassPermissions,
    /// Don't ask for permission (auto-allow or auto-deny based on rules).
    DontAsk,
    /// Auto-allow edits-related commands.
    AcceptEdits,
    /// Normal interactive mode -- ask for each command.
    Default,
}

/// Result of a permission check.
#[derive(Debug, Clone)]
pub enum PermissionBehavior {
    /// Allow the command without prompting.
    Allow {
        updated_input: serde_json::Value,
        decision_reason: DecisionReason,
    },
    /// Ask the user for permission.
    Ask,
    /// No mode-specific handling; pass through to normal permission flow.
    Passthrough {
        message: String,
    },
}

/// Reason for a permission decision.
#[derive(Debug, Clone)]
pub enum DecisionReason {
    Mode {
        mode: ToolPermissionMode,
    },
}

/// Context containing mode and permissions for tool execution.
#[derive(Debug, Clone)]
pub struct ToolPermissionContext {
    pub mode: ToolPermissionMode,
}

/// Input for the bash tool (simplified).
pub struct BashToolInput {
    pub command: String,
}

const ACCEPT_EDITS_ALLOWED_COMMANDS: &[&str] = &[
    "mkdir", "touch", "rm", "rmdir", "mv", "cp", "sed",
];

fn is_filesystem_command(command: &str) -> bool {
    ACCEPT_EDITS_ALLOWED_COMMANDS.contains(&command)
}

fn validate_command_for_mode(
    cmd: &str,
    context: &ToolPermissionContext,
) -> PermissionBehavior {
    let trimmed = cmd.trim();
    let base_cmd = trimmed.split_whitespace().next();

    let Some(base_cmd) = base_cmd else {
        return PermissionBehavior::Passthrough {
            message: "Base command not found".to_string(),
        };
    };

    // In Accept Edits mode, auto-allow filesystem operations
    if context.mode == ToolPermissionMode::AcceptEdits && is_filesystem_command(base_cmd) {
        return PermissionBehavior::Allow {
            updated_input: serde_json::json!({ "command": cmd }),
            decision_reason: DecisionReason::Mode {
                mode: ToolPermissionMode::AcceptEdits,
            },
        };
    }

    PermissionBehavior::Passthrough {
        message: format!("No mode-specific handling for '{base_cmd}' in {:?} mode", context.mode),
    }
}

/// Splits a command string into individual commands (simplified version).
fn split_commands(command: &str) -> Vec<&str> {
    // Simplified: split on `;`, `&&`, `||`, newlines
    command
        .split(|c: char| c == ';' || c == '\n')
        .map(|s| s.trim())
        .filter(|s| !s.is_empty())
        .collect()
}

/// Checks if commands should be handled differently based on the current permission mode.
///
/// This is the main entry point for mode-based permission logic.
/// Currently handles Accept Edits mode for filesystem commands,
/// but designed to be extended for other modes.
///
/// Returns:
/// - `PermissionBehavior::Allow` if the current mode permits auto-approval
/// - `PermissionBehavior::Ask` if the command needs approval in current mode
/// - `PermissionBehavior::Passthrough` if no mode-specific handling applies
pub fn check_permission_mode(
    input: &BashToolInput,
    context: &ToolPermissionContext,
) -> PermissionBehavior {
    // Skip if in bypass mode (handled elsewhere)
    if context.mode == ToolPermissionMode::BypassPermissions {
        return PermissionBehavior::Passthrough {
            message: "Bypass mode is handled in main permission flow".to_string(),
        };
    }

    // Skip if in dontAsk mode (handled in main permission flow)
    if context.mode == ToolPermissionMode::DontAsk {
        return PermissionBehavior::Passthrough {
            message: "DontAsk mode is handled in main permission flow".to_string(),
        };
    }

    let commands = split_commands(&input.command);

    // Check each subcommand
    for cmd in &commands {
        let result = validate_command_for_mode(cmd, context);

        // If any command triggers mode-specific behavior, return that result
        if !matches!(&result, PermissionBehavior::Passthrough { .. }) {
            return result;
        }
    }

    // No mode-specific handling needed
    PermissionBehavior::Passthrough {
        message: "No mode-specific validation required".to_string(),
    }
}

/// Get the list of commands that are auto-allowed in a given mode.
pub fn get_auto_allowed_commands(mode: &ToolPermissionMode) -> Vec<&'static str> {
    match mode {
        ToolPermissionMode::AcceptEdits => ACCEPT_EDITS_ALLOWED_COMMANDS.to_vec(),
        _ => vec![],
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_bypass_mode_returns_passthrough() {
        let ctx = ToolPermissionContext {
            mode: ToolPermissionMode::BypassPermissions,
        };
        let input = BashToolInput {
            command: "mkdir test".to_string(),
        };
        assert!(matches!(
            check_permission_mode(&input, &ctx),
            PermissionBehavior::Passthrough { .. }
        ));
    }

    #[test]
    fn test_accept_edits_allows_mkdir() {
        let ctx = ToolPermissionContext {
            mode: ToolPermissionMode::AcceptEdits,
        };
        let input = BashToolInput {
            command: "mkdir test".to_string(),
        };
        assert!(matches!(
            check_permission_mode(&input, &ctx),
            PermissionBehavior::Allow { .. }
        ));
    }

    #[test]
    fn test_default_mode_passthrough() {
        let ctx = ToolPermissionContext {
            mode: ToolPermissionMode::Default,
        };
        let input = BashToolInput {
            command: "cargo test".to_string(),
        };
        assert!(matches!(
            check_permission_mode(&input, &ctx),
            PermissionBehavior::Passthrough { .. }
        ));
    }

    #[test]
    fn test_get_auto_allowed_commands() {
        assert_eq!(
            get_auto_allowed_commands(&ToolPermissionMode::AcceptEdits),
            vec!["mkdir", "touch", "rm", "rmdir", "mv", "cp", "sed"]
        );
        assert!(get_auto_allowed_commands(&ToolPermissionMode::Default).is_empty());
    }
}