cersei-tools 0.1.9

Tool trait, built-in tools, and permission system for the Cersei SDK
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

//! Permission policies for tool execution.

use super::PermissionLevel;
use async_trait::async_trait;
use serde::{Deserialize, Serialize};

// ─── Permission policy trait ─────────────────────────────────────────────────

#[async_trait]
pub trait PermissionPolicy: Send + Sync {
    async fn check(&self, request: &PermissionRequest) -> PermissionDecision;
}

#[derive(Debug, Clone)]
pub struct PermissionRequest {
    pub tool_name: String,
    pub tool_input: serde_json::Value,
    pub permission_level: PermissionLevel,
    pub description: String,
    pub id: String,
}

#[derive(Debug, Clone)]
pub enum PermissionDecision {
    Allow,
    Deny(String),
    AllowOnce,
    AllowForSession,
}

// ─── Built-in policies ──────────────────────────────────────────────────────

/// Allow all tool invocations. Suitable for CI/headless/trusted environments.
pub struct AllowAll;

#[async_trait]
impl PermissionPolicy for AllowAll {
    async fn check(&self, _request: &PermissionRequest) -> PermissionDecision {
        PermissionDecision::Allow
    }
}

/// Only allow tools with PermissionLevel::None or ReadOnly.
pub struct AllowReadOnly;

#[async_trait]
impl PermissionPolicy for AllowReadOnly {
    async fn check(&self, request: &PermissionRequest) -> PermissionDecision {
        match request.permission_level {
            PermissionLevel::None | PermissionLevel::ReadOnly => PermissionDecision::Allow,
            _ => PermissionDecision::Deny(format!(
                "Tool '{}' requires {:?} permission (read-only mode)",
                request.tool_name, request.permission_level
            )),
        }
    }
}

/// Deny all tool invocations.
pub struct DenyAll;

#[async_trait]
impl PermissionPolicy for DenyAll {
    async fn check(&self, request: &PermissionRequest) -> PermissionDecision {
        PermissionDecision::Deny(format!(
            "Tool '{}' blocked by DenyAll policy",
            request.tool_name
        ))
    }
}

/// Rule-based permission policy with pattern matching.
pub struct RuleBased {
    pub rules: Vec<PermissionRule>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PermissionRule {
    pub tool_name: Option<String>,
    pub path_pattern: Option<String>,
    pub action: PermissionAction,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum PermissionAction {
    Allow,
    Deny,
}

#[async_trait]
impl PermissionPolicy for RuleBased {
    async fn check(&self, request: &PermissionRequest) -> PermissionDecision {
        for rule in &self.rules {
            let name_matches = rule
                .tool_name
                .as_ref()
                .map(|n| n == &request.tool_name || n == "all")
                .unwrap_or(true);

            if name_matches {
                return match rule.action {
                    PermissionAction::Allow => PermissionDecision::Allow,
                    PermissionAction::Deny => PermissionDecision::Deny(format!(
                        "Tool '{}' blocked by rule",
                        request.tool_name
                    )),
                };
            }
        }
        // Default: allow if no rules match
        PermissionDecision::Allow
    }
}

/// Interactive permission policy that defers to a callback.
pub struct InteractivePolicy {
    pub handler: Box<dyn Fn(&PermissionRequest) -> PermissionDecision + Send + Sync>,
}

impl InteractivePolicy {
    pub fn new(
        handler: impl Fn(&PermissionRequest) -> PermissionDecision + Send + Sync + 'static,
    ) -> Self {
        Self {
            handler: Box::new(handler),
        }
    }

    /// Create a policy that defers to the AgentStream for interactive decisions.
    pub fn via_stream() -> StreamDeferredPolicy {
        StreamDeferredPolicy
    }
}

#[async_trait]
impl PermissionPolicy for InteractivePolicy {
    async fn check(&self, request: &PermissionRequest) -> PermissionDecision {
        (self.handler)(request)
    }
}

/// Placeholder policy that emits PermissionRequired events via the agent stream.
pub struct StreamDeferredPolicy;

#[async_trait]
impl PermissionPolicy for StreamDeferredPolicy {
    async fn check(&self, _request: &PermissionRequest) -> PermissionDecision {
        // In practice, the agent loop intercepts this and emits
        // AgentEvent::PermissionRequired, then waits for a response.
        PermissionDecision::Allow
    }
}