clash 0.5.2

Command Line Agent Safety Harness — permission policies for coding agents
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222

//! Compiler: Starlark JSON → CompiledPolicy.
//!
//! Parses v5 match-tree JSON emitted by the Starlark evaluator,
//! merges internal policies, validates sandbox references, and
//! sorts by specificity.

use anyhow::{Result, bail};

use crate::policy::match_tree::{CompiledPolicy, Node};

/// Environment variable resolver used during compilation to expand `(env NAME)`.
pub trait EnvResolver {
    fn resolve(&self, name: &str) -> Result<String>;
}

/// Default resolver that reads from `std::env`.
pub struct StdEnvResolver;

/// Sentinel path for session variables not available outside a hook context.
pub const UNAVAILABLE_SESSION_PATH: &str = "/dev/null/.clash-no-session";

/// Session-level variables with safe defaults for when no hook context exists.
const SESSION_VAR_DEFAULTS: &[(&str, &str)] = &[("TRANSCRIPT_DIR", UNAVAILABLE_SESSION_PATH)];

impl EnvResolver for StdEnvResolver {
    fn resolve(&self, name: &str) -> Result<String> {
        match std::env::var(name) {
            Ok(val) => Ok(val),
            Err(_) => {
                for &(var, default) in SESSION_VAR_DEFAULTS {
                    if name == var {
                        return Ok(default.to_string());
                    }
                }
                anyhow::bail!("environment variable not set: {name}")
            }
        }
    }
}

/// Compile a JSON policy source string into a `CompiledPolicy`.
pub fn compile_to_tree(source: &str) -> Result<CompiledPolicy> {
    compile_policy(source)
}

/// Compile multiple policy levels with internals, returning a merged `CompiledPolicy`.
///
/// Merges all levels into a single policy: higher-precedence rules come first
/// so they match before lower-precedence ones (first-match semantics).
///
/// Each tuple is `(level, json_source, source_path)` where `source_path` is the
/// display path of the file the policy was loaded from (e.g. `~/.config/clash/policy.star`).
pub fn compile_multi_level_to_tree(
    levels: &[(crate::settings::PolicyLevel, &str, &str)],
) -> Result<CompiledPolicy> {
    if levels.is_empty() {
        bail!("no policy levels to compile");
    }

    if levels.len() == 1 {
        return compile_policy_with_source(levels[0].1, levels[0].2);
    }

    // Sort by precedence (highest first) for first-match semantics.
    let mut sorted: Vec<(crate::settings::PolicyLevel, &str, &str)> = levels.to_vec();
    sorted.sort_by(|a, b| b.0.cmp(&a.0));

    // Start with an empty merged policy using the default from the highest level.
    let first: CompiledPolicy = serde_json::from_str(sorted[0].1)
        .map_err(|e| anyhow::anyhow!("{} policy: invalid JSON: {}", sorted[0].0.name(), e))?;
    let mut merged = CompiledPolicy {
        sandboxes: first.sandboxes,
        default_sandbox: first.default_sandbox,
        tree: first.tree,
        default_effect: first.default_effect,
    };

    // Annotate root-level nodes from the first level with source provenance.
    let first_source = sorted[0].2;
    for node in &mut merged.tree {
        node.stamp_source(first_source);
    }

    // Append rules from lower-precedence levels.
    for (level, src, path) in &sorted[1..] {
        let mut policy: CompiledPolicy = serde_json::from_str(src)
            .map_err(|e| anyhow::anyhow!("{} policy: invalid JSON: {}", level.name(), e))?;
        for node in &mut policy.tree {
            node.stamp_source(path);
        }
        merged.tree.extend(policy.tree);
        for (k, v) in policy.sandboxes {
            merged.sandboxes.entry(k).or_insert(v);
        }
    }

    let errors = merged.validate();
    if !errors.is_empty() {
        bail!("match tree validation errors: {}", errors.join("; "));
    }

    merged.tree = Node::compact(merged.tree);

    Ok(merged)
}

/// Compile a single policy source.
fn compile_policy(source: &str) -> Result<CompiledPolicy> {
    compile_policy_with_source(source, "")
}

/// Compile a single policy source, annotating root nodes with the given source path.
fn compile_policy_with_source(source: &str, source_path: &str) -> Result<CompiledPolicy> {
    let mut policy: CompiledPolicy = serde_json::from_str(source)
        .map_err(|e| anyhow::anyhow!("invalid match tree policy JSON: {e}"))?;

    if !source_path.is_empty() {
        for node in &mut policy.tree {
            node.stamp_source(source_path);
        }
    }

    let errors = policy.validate();
    if !errors.is_empty() {
        bail!("match tree validation errors: {}", errors.join("; "));
    }

    policy.tree = Node::compact(policy.tree);

    Ok(policy)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn compile_basic_policy() {
        let source = r#"{
            "schema_version": 5,
            "default_effect": "deny",
            "sandboxes": {},
            "tree": [{
                "condition": {
                    "observe": "tool_name",
                    "pattern": {"literal": {"literal": "Bash"}},
                    "children": [{"decision": {"allow": null}}]
                }
            }]
        }"#;
        let policy = compile_to_tree(source).unwrap();
        assert_eq!(policy.tree.len(), 1);
        assert_eq!(policy.default_effect, crate::policy::Effect::Deny);
    }

    #[test]
    fn compile_with_internals() {
        let source = r#"{
            "schema_version": 5,
            "default_effect": "deny",
            "sandboxes": {},
            "tree": [{
                "condition": {
                    "observe": "tool_name",
                    "pattern": {"literal": {"literal": "Bash"}},
                    "children": [{"decision": {"allow": null}}]
                }
            }]
        }"#;
        // With no internals, should just compile the source.
        let policy = compile_policy(source).unwrap();
        assert_eq!(policy.tree.len(), 1);
    }

    #[test]
    fn compile_valid_sandbox_reference() {
        let source = r#"{
            "schema_version": 5,
            "default_effect": "deny",
            "sandboxes": {
                "dev": {
                    "default": ["read", "execute"],
                    "network": "deny"
                }
            },
            "tree": [{
                "condition": {
                    "observe": "tool_name",
                    "pattern": {"literal": {"literal": "Bash"}},
                    "children": [{"decision": {"allow": "dev"}}]
                }
            }]
        }"#;
        let policy = compile_to_tree(source);
        assert!(policy.is_ok(), "valid sandbox reference should compile");
        let policy = policy.unwrap();
        assert!(policy.sandboxes.contains_key("dev"));
    }

    #[test]
    fn compile_undefined_sandbox_reference_fails() {
        let source = r#"{
            "schema_version": 5,
            "default_effect": "deny",
            "sandboxes": {},
            "tree": [{
                "condition": {
                    "observe": "tool_name",
                    "pattern": {"literal": {"literal": "Bash"}},
                    "children": [{"decision": {"allow": "nonexistent"}}]
                }
            }]
        }"#;
        let result = compile_to_tree(source);
        assert!(result.is_err(), "undefined sandbox reference should fail");
        let err = result.unwrap_err().to_string();
        assert!(
            err.contains("nonexistent"),
            "error should mention the undefined sandbox name, got: {err}"
        );
    }
}