use crate::registry::ToolScope;
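/// Outcome of a permission check.
///
/// Marked `#[must_use]` because a decision that is computed and then dropped
/// enforces nothing: the caller would proceed as if the answer had been
/// `Allow`. The attribute turns that mistake into a compiler warning.
#[must_use = "a permission decision that is never inspected cannot block the denied action"]
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PermissionDecision {
    /// The requested scope is permitted.
    Allow,
    /// The requested scope is refused; the payload is a human-readable reason.
    Deny(String),
}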
/// Static policy describing which tool scopes may be used.
///
/// The three `allow_*` flags are the only fields read by
/// `PermissionEngine::check` in this file.
#[derive(Debug, Clone)]
pub struct PermissionModel {
    /// When `false`, `ToolScope::Shell` requests are denied.
    pub allow_shell: bool,
    /// When `false`, `ToolScope::Network` requests are denied.
    pub allow_network: bool,
    /// When `false`, `ToolScope::Cloud` requests are denied.
    pub allow_cloud: bool,
    /// Optional path restriction.
    ///
    /// NOTE(review): no code visible in this file reads this field, and both
    /// presets below leave it as `None`. Confirm where (and whether) the jail
    /// is enforced, and what `None` means for filesystem access.
    pub path_jail: Option<String>,
}

impl PermissionModel {
    /// Preset that allows shell and network use but still refuses cloud access.
    ///
    /// Built on top of [`PermissionModel::restrictive`], so any field not
    /// named here keeps its locked-down value.
    pub fn permissive() -> Self {
        Self {
            allow_shell: true,
            allow_network: true,
            ..Self::restrictive()
        }
    }

    /// Preset that refuses shell, network and cloud scopes.
    ///
    /// `path_jail` is left unset here as well; see the field note.
    pub fn restrictive() -> Self {
        let locked_down = Self {
            allow_shell: false,
            allow_network: false,
            allow_cloud: false,
            path_jail: None,
        };
        locked_down
    }
}
/// Evaluates tool-scope requests against a fixed [`PermissionModel`].
pub struct PermissionEngine {
    /// Policy consulted on every check; private, so it cannot be changed
    /// from outside this module after construction.
    model: PermissionModel,
}
impl PermissionEngine {
    /// Wraps `model` in an engine; the model is moved in and used as-is.
    pub fn new(model: PermissionModel) -> Self {
        PermissionEngine { model }
    }

    /// Decides whether a tool with the given `scope` may run under this
    /// engine's model.
    ///
    /// Returns [`PermissionDecision::Deny`] with a fixed reason string when
    /// `scope` is `Shell`, `Network` or `Cloud` and the matching `allow_*`
    /// flag is `false`. Every other case returns [`PermissionDecision::Allow`].
    ///
    /// NOTE(review): the fallback arm is allow-by-default. Any `ToolScope`
    /// variant other than the three named here is permitted regardless of
    /// the model, including variants added later. An exhaustive match that
    /// denies unknown scopes would fail closed instead.
    ///
    /// NOTE(review): `_caller` is accepted but never read, so decisions are
    /// not per-caller, and `model.path_jail` is not consulted here.
    pub fn check(&self, scope: ToolScope, _caller: &str) -> PermissionDecision {
        let policy = &self.model;

        // First pick the refusal reason (if any), then build the decision once.
        let refusal: Option<&str> = match scope {
            ToolScope::Shell if !policy.allow_shell => Some("shell execution not permitted"),
            ToolScope::Network if !policy.allow_network => Some("network access not permitted"),
            ToolScope::Cloud if !policy.allow_cloud => Some("cloud access not permitted"),
            // Fail-open fallback: permitted scopes and every unlisted scope land here.
            _ => None,
        };

        refusal.map_or(PermissionDecision::Allow, |reason| {
            PermissionDecision::Deny(reason.to_owned())
        })
    }
}