ai-agent 0.88.0

Idiomatic agent sdk inspired by the claude code source leak
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286

// Source: /data/home/swei/claudecode/openclaudecode/src/tools/PowerShellTool/modeValidation.ts
//! PowerShell permission mode validation.
//!
//! Checks if commands should be auto-allowed based on the current permission mode.
//! In acceptEdits mode, filesystem-modifying PowerShell cmdlets are auto-allowed.

use once_cell::sync::Lazy;
use std::collections::HashSet;

use super::read_only_validation::{
    is_cwd_changing_cmdlet, is_safe_output_command, resolve_to_canonical,
};

/// Filesystem-modifying cmdlets that are auto-allowed in acceptEdits mode
static ACCEPT_EDITS_ALLOWED_CMDLETS: Lazy<HashSet<&'static str>> = Lazy::new(|| {
    let mut set = HashSet::new();
    set.insert("set-content");
    set.insert("add-content");
    set.insert("remove-item");
    set.insert("clear-content");
    set
});

/// Link-creating -ItemType values
static LINK_ITEM_TYPES: Lazy<HashSet<&'static str>> = Lazy::new(|| {
    let mut set = HashSet::new();
    set.insert("symboliclink");
    set.insert("junction");
    set.insert("hardlink");
    set
});

/// Check if cmdlet is allowed in acceptEdits mode
fn is_accept_edits_allowed_cmdlet(name: &str) -> bool {
    let canonical = resolve_to_canonical(name);
    ACCEPT_EDITS_ALLOWED_CMDLETS.contains(canonical.as_str())
}

/// Check if a lowered, dash-normalized arg is an unambiguous PowerShell
/// abbreviation of New-Item's -ItemType or -Type param.
fn is_item_type_param_abbrev(param: &str) -> bool {
    let lower = param.to_lowercase();
    (lower.len() >= 3 && lower.starts_with("-it"))
        || (lower.len() >= 3
            && (lower == "-ty" || lower.starts_with("-typ") || lower.starts_with("-type")))
}

/// Detects New-Item creating a filesystem link
pub fn is_symlink_creating_command(name: &str, args: &[String]) -> bool {
    let canonical = resolve_to_canonical(name);
    if canonical != "new-item" {
        return false;
    }

    let mut i = 0;
    while i < args.len() {
        let raw = &args[i];
        if raw.is_empty() {
            i += 1;
            continue;
        }

        // Normalize dash prefixes
        let normalized = if raw.starts_with('-')
            || raw.starts_with('')
            || raw.starts_with('')
            || raw.starts_with('')
            || raw.starts_with('/')
        {
            format!("-{}", &raw[1..])
        } else {
            raw.clone()
        };

        let lower = normalized.to_lowercase();

        // Split colon-bound value: -it:SymbolicLink
        let colon_idx = lower[1..].find(':').map(|p| p + 1).unwrap_or(0);
        let param_raw = if colon_idx > 0 {
            lower.get(1..=colon_idx).unwrap_or(&lower).to_string()
        } else {
            lower.clone()
        };

        // Strip backtick escapes
        let param = param_raw.replace('`', "");

        if !is_item_type_param_abbrev(&param) {
            i += 1;
            continue;
        }

        // Get value
        let raw_val = if colon_idx > 0 {
            lower.get(colon_idx + 1..).unwrap_or("").to_string()
        } else {
            args.get(i + 1)
                .map(|s| s.to_lowercase())
                .unwrap_or_default()
        };

        // Strip backtick and quotes
        let val = raw_val
            .replace('`', "")
            .trim_matches('"')
            .trim_matches('\'')
            .to_string();

        if LINK_ITEM_TYPES.contains(val.as_str()) {
            return true;
        }

        i += 1;
    }

    false
}

/// Permission result behavior
#[derive(Debug, Clone)]
pub enum PermissionBehavior {
    Allow,
    Deny,
    Ask,
    Passthrough,
}

/// Permission result
#[derive(Debug, Clone)]
pub struct PermissionModeResult {
    pub behavior: PermissionBehavior,
    pub message: String,
}

impl PermissionModeResult {
    pub fn allow() -> Self {
        Self {
            behavior: PermissionBehavior::Allow,
            message: "Auto-allowed in acceptEdits mode".to_string(),
        }
    }

    pub fn deny(message: &str) -> Self {
        Self {
            behavior: PermissionBehavior::Deny,
            message: message.to_string(),
        }
    }

    pub fn ask(message: &str) -> Self {
        Self {
            behavior: PermissionBehavior::Ask,
            message: message.to_string(),
        }
    }

    pub fn passthrough(message: &str) -> Self {
        Self {
            behavior: PermissionBehavior::Passthrough,
            message: message.to_string(),
        }
    }
}

/// Checks if commands should be handled differently based on the current permission mode
pub fn check_permission_mode(command: &str, mode: &str) -> PermissionModeResult {
    // Skip bypass and dontAsk modes
    if mode == "bypassPermissions" || mode == "dontAsk" {
        return PermissionModeResult::passthrough("Mode is handled in main permission flow");
    }

    if mode != "acceptEdits" {
        return PermissionModeResult::passthrough("No mode-specific validation required");
    }

    // Check for security concerns that require approval
    use super::read_only_validation::has_sync_security_concerns;
    if has_sync_security_concerns(command) {
        return PermissionModeResult::passthrough(
            "Command contains subexpressions, script blocks, or member invocations that require approval",
        );
    }

    // Check for compound command with cwd change
    let parts: Vec<&str> = command.split(|c| c == ';' || c == '|').collect();
    if parts.len() > 1 {
        let mut has_cd = false;
        let mut has_write = false;
        let mut has_symlink = false;

        for part in &parts {
            let first_word = part.trim().split_whitespace().next().unwrap_or("");
            if is_cwd_changing_cmdlet(first_word) {
                has_cd = true;
            }
            if is_accept_edits_allowed_cmdlet(first_word) {
                has_write = true;
            }
            // Check for symlink creation
            let args: Vec<String> = part
                .trim()
                .split_whitespace()
                .skip(1)
                .map(String::from)
                .collect();
            if is_symlink_creating_command(first_word, &args) {
                has_symlink = true;
            }
        }

        if has_cd && has_write {
            return PermissionModeResult::passthrough(
                "Compound command contains a directory-changing command with a write operation",
            );
        }

        if has_symlink {
            return PermissionModeResult::passthrough("Compound command creates a filesystem link");
        }
    }

    // Check if the command is an acceptEdits-allowed cmdlet
    let first_word = command.trim().split_whitespace().next().unwrap_or("");
    if is_accept_edits_allowed_cmdlet(first_word) {
        // Additional checks for safe arguments
        use super::read_only_validation::arg_leaks_value;

        let args: Vec<&str> = command.trim().split_whitespace().skip(1).collect();
        for arg in args {
            // Skip flags
            if arg.starts_with('-') {
                continue;
            }
            if arg_leaks_value(arg) {
                return PermissionModeResult::passthrough(
                    "Command contains potentially unsafe arguments",
                );
            }
        }

        return PermissionModeResult::allow();
    }

    PermissionModeResult::passthrough("Command not in acceptEdits allowlist")
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_is_accept_edits_allowed_cmdlet() {
        assert!(is_accept_edits_allowed_cmdlet("set-content"));
        assert!(is_accept_edits_allowed_cmdlet("remove-item"));
        assert!(!is_accept_edits_allowed_cmdlet("get-content"));
    }

    #[test]
    fn test_is_symlink_creating_command() {
        assert!(is_symlink_creating_command(
            "new-item",
            &["-ItemType".to_string(), "SymbolicLink".to_string()]
        ));
        assert!(is_symlink_creating_command(
            "ni",
            &["-ItemType".to_string(), "Junction".to_string()]
        ));
        assert!(!is_symlink_creating_command(
            "new-item",
            &["-ItemType".to_string(), "File".to_string()]
        ));
        assert!(!is_symlink_creating_command("get-content", &[]));
    }

    #[test]
    fn test_check_permission_mode() {
        let result = check_permission_mode("Get-Content test.txt", "readOnly");
        assert!(matches!(result.behavior, PermissionBehavior::Passthrough));

        let result = check_permission_mode("Set-Content test.txt 'hello'", "acceptEdits");
        assert!(matches!(result.behavior, PermissionBehavior::Allow));

        let result = check_permission_mode("$(malicious)", "acceptEdits");
        assert!(matches!(result.behavior, PermissionBehavior::Passthrough));
    }
}