car-server-core 0.33.0

Transport-neutral library for the CAR daemon JSON-RPC dispatcher (used by car-server and tokhn-daemon)
//! The assistant's default policy hardening.
//!
//! A general assistant with a real shell + file tools needs the same
//! footgun-blocking the coder has: no git-remote mutation, no history rewrite,
//! no privilege escalation (`sudo`), no credential reads, no destructive ops or
//! writes outside its root. We reuse the coder's inspector set verbatim rather
//! than maintain a parallel one — the hardening is identical and any
//! improvement there benefits both.
//!
//! This is hardening, **not** the sandbox: in the default sandbox-first mode the
//! Docker container is the real boundary and these inspectors are
//! belt-and-suspenders; in `--local` mode they are the first line, backed by
//! permission-tier HITL on writes and shell.

use std::path::Path;

use car_policy::InspectorChain;

/// Build the assistant's inspector chain rooted at `root` (the sandbox mount or
/// the local working directory). First Deny wins; the denial reason becomes the
/// tool error the model sees, so it can adapt instead of silently failing.
pub fn assistant_inspector_chain(root: &Path) -> InspectorChain {
    // The coder chain is exactly the footgun set a general assistant needs;
    // reuse it rather than fork. `root` plays the role the worktree plays for
    // the coder — the boundary for out-of-root destructive ops and path escape.
    crate::coder::policy::coder_inspector_chain(root)
}