1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
use anyhow::Result;
use async_trait::async_trait;
use serde::Deserialize;
use serde_json::json;
use super::{ApprovalRequirement, Tool, ToolContext, ToolDef, ToolResult};
pub struct WriteFileTool;
#[derive(Deserialize)]
struct WriteFileArgs {
file_path: String,
content: String,
}
#[async_trait]
impl Tool for WriteFileTool {
fn definition(&self) -> ToolDef {
ToolDef {
name: "write_file",
description:
"Write content to a file. Creates new files or overwrites existing ones.\n\
Use this for: creating new files, or rewriting an entire file from scratch.\n\
For small edits to existing files, prefer edit_file instead.\n\
Parent directories are auto-created if they don't exist."
.to_string(),
parameters: json!({
"type": "object",
"properties": {
"file_path": { "type": "string", "description": "Absolute path to the file" },
"content": { "type": "string", "description": "The full content to write" }
},
"required": ["file_path", "content"]
}),
}
}
fn validate_args(&self, args: &str) -> std::result::Result<(), String> {
// Surface a model-friendly diagnostic (provided/missing keys + a
// one-line example) instead of the raw serde "line 1 column N"
// error which weak models read as a parser-position complaint and
// try to "fix" by switching to positional arguments. See
// `diagnose_args` doc for the failure mode this replaces.
super::diagnose_args(
"write_file",
args,
&[&["file_path", "content"]],
"write_file({\"file_path\": \"<absolute path>\", \"content\": \"<file body>\"})",
)?;
// Strict struct parse only AFTER the keys are known to be present
// — catches type mismatches (e.g. content sent as an array).
serde_json::from_str::<WriteFileArgs>(args)
.map(|_| ())
.map_err(|e| {
format!(
"write_file: {e}. Re-issue with file_path as a string and content as a string."
)
})
}
fn approval(&self, args: &str) -> ApprovalRequirement {
let parsed = match serde_json::from_str::<WriteFileArgs>(args) {
Ok(p) => p,
Err(_) => {
// Fail-closed: if we can't parse args, require approval rather than auto-approving.
return ApprovalRequirement::RequireApproval(
"Could not parse create_file arguments for safety check.".to_string(),
);
}
};
if super::is_sensitive_input_path(&parsed.file_path) {
return ApprovalRequirement::RequireApproval(
format!("Writing to sensitive system path: {}", parsed.file_path),
);
}
// Overwriting existing files is blocked in execute() — no need to
// RequireApproval here. Only new file creation is auto-approved.
ApprovalRequirement::AutoApprove
}
fn approval_with_context(&self, args: &str, ctx: &ToolContext) -> ApprovalRequirement {
let base = self.approval(args);
let parsed = match serde_json::from_str::<WriteFileArgs>(args) {
Ok(parsed) => parsed,
Err(_) => return base,
};
let working_dir = match ctx.working_dir.try_read() {
Ok(wd) => wd.clone(),
Err(_) => return base,
};
match super::approval_for_path(
&parsed.file_path,
&working_dir,
super::ExternalPathAction::Write,
) {
Ok(ApprovalRequirement::RequireApprovalAlways(reason)) => {
ApprovalRequirement::RequireApprovalAlways(reason)
}
Ok(ApprovalRequirement::RequireApproval(reason)) => {
ApprovalRequirement::RequireApproval(reason)
}
Ok(ApprovalRequirement::AutoApprove) => match base {
ApprovalRequirement::RequireApproval(reason) => {
ApprovalRequirement::RequireApprovalAlways(reason)
}
other => other,
},
Err(_) => base,
}
}
async fn execute(&self, args: &str, ctx: &ToolContext) -> Result<ToolResult> {
// Defense-in-depth: validate_args runs at the runner gate, but if
// it's bypassed (or args mutated between gate and execute), we fall
// back to the same diagnose_args path so the model sees a uniform
// recovery hint instead of a raw serde error.
if let Err(msg) = super::diagnose_args(
"write_file",
args,
&[&["file_path", "content"]],
"write_file({\"file_path\": \"<absolute path>\", \"content\": \"<file body>\"})",
) {
return Ok(ToolResult {
call_id: String::new(),
output: msg,
success: false,
});
}
let parsed: WriteFileArgs = match serde_json::from_str(args) {
Ok(p) => p,
Err(e) => {
return Ok(ToolResult {
call_id: String::new(),
output: format!(
"write_file: {e}. Re-issue with file_path as a string and content as a string."
),
success: false,
});
}
};
let working_dir = ctx.working_dir.read().await.clone();
let path = match super::inspect_path_access(&parsed.file_path, &working_dir) {
Ok(access) => access.path,
Err(err) => {
return Ok(ToolResult {
call_id: String::new(),
output: err.to_string(),
success: false,
});
}
};
// Backup before write (git checkpoint + file-level backup)
ctx.file_history
.lock()
.await
.backup_before_write(&path.to_string_lossy())
.await;
// Check if overwriting existing file — build appropriate output message
let overwrite_info = if path.exists() {
let old_lines = std::fs::read_to_string(&path)
.map(|c| c.lines().count())
.unwrap_or(0);
Some(old_lines)
} else {
None
};
if let Some(parent) = path.parent() {
tokio::fs::create_dir_all(parent).await?;
}
let new_lines = parsed.content.lines().count();
let bytes = parsed.content.len();
tokio::fs::write(&path, &parsed.content).await?;
// D3: drop any FileStore entry for this path. The next peek_file
// against the old store_id will report "stale" and route the
// model toward a fresh read_file. Without this invalidation a
// peek_file could hand the model pre-write content that no
// longer matches what just landed on disk.
ctx.file_store.write().await.invalidate(&path);
// Defense-in-depth: read_cache mtime gate is normally sufficient
// because tokio::fs::write bumps mtime, but on FS with coarse
// mtime granularity (ext4 1-second precision, NFS) a write within
// the same tick as the prior read keeps the same mtime and the
// gate stops protecting us. Explicit purge eliminates that
// corner case for any path we just wrote.
ctx.read_cache
.write()
.await
.retain(|(p, _, _), _| p != &path);
// Notify LSP that file changed (if LSP is enabled).
ctx.notify_lsp_file_changed(&path, &parsed.content).await;
let output = if let Some(old_lines) = overwrite_info {
let diff = new_lines as i64 - old_lines as i64;
let sign = if diff >= 0 { "+" } else { "" };
let mut msg = format!(
"Overwrote {} (was {} lines, now {} lines, {}{})",
path.display(),
old_lines,
new_lines,
sign,
diff
);
// Warn if significant content reduction (might have lost code)
if old_lines > 20 && new_lines < old_lines / 2 {
msg.push_str(&format!(
"\n⚠ WARNING: File shrank by {}%. Verify no important code was lost. Use /undo to revert if needed.",
100 - (new_lines * 100 / old_lines)
));
}
msg
} else {
format!(
"Created new file {} ({} bytes, {} lines)",
path.display(),
bytes,
new_lines
)
};
Ok(ToolResult {
call_id: String::new(),
output,
success: true,
})
}
}