dirge-agent 0.11.0

Minimalistic coding agent written in Rust, optimized for memory footprint and performance
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300

pub mod allowlist;
pub mod approval;
pub mod ask;
pub mod checker;
pub mod engine;
pub mod path;
pub mod pattern;

/// Push the active prompt's `deny_tools` list into the permission
/// checker so subsequent tool calls observe the new restriction.
/// Best-effort: a poisoned mutex falls through to `into_inner`,
/// matching the recovery pattern used elsewhere on the checker.
/// `None` perm (e.g. `--no-tools` builds) is a no-op.
pub fn apply_prompt_deny(perm: &Option<checker::PermCheck>, deny: &[String]) {
    if let Some(p) = perm {
        let mut guard = p.lock_ignore_poison();
        guard.set_prompt_deny_tools(deny.to_vec());
    }
}

#[allow(unused_imports)]
use crate::sync_util::LockExt;
use serde::Deserialize;

#[derive(Debug, Clone, Copy, PartialEq, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum Action {
    Allow,
    Ask,
    Deny,
}

/// The operation class a rule governs — the resource KIND, not a tool
/// name. `Any` (`"*"`) matches every operation; `tool` on the rule can
/// narrow to a concrete tool when needed.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum OpSpec {
    #[default]
    #[serde(rename = "*", alias = "any")]
    Any,
    Read,
    Edit,
    Execute,
    Network,
    Mcp,
    Memory,
    Skill,
    Agent,
    Meta,
}

/// One configured authorization rule. The ordered `rules` list reads
/// top-to-bottom; **last match wins**. Glob style is inferred from the
/// operation (path-style for read/edit, shell-style for execute/etc.).
///
/// ```jsonc
/// { "op": "edit",    "match": "/etc/**",  "effect": "deny" }
/// { "op": "execute", "match": "cargo *",  "effect": "allow" }
/// { "op": "mcp",     "match": "lattice:*", "effect": "allow" }
/// ```
#[derive(Debug, Clone, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct RuleConfig {
    #[serde(default)]
    pub op: OpSpec,
    #[serde(rename = "match")]
    pub pattern: String,
    pub effect: Action,
    /// Optional: narrow the rule to a single concrete tool name (e.g.
    /// `"grep"` so a Read rule doesn't also gate `read`).
    #[serde(default)]
    pub tool: Option<String>,
}

/// Permission configuration: a default effect, an ordered rule list,
/// out-of-project rules, and the loop-guard toggle. Built-in defaults
/// (read-only/memory/skill/dev-null/in-cwd-write allows + the curated
/// safe-bash rules) live in the engine and aren't configured here.
#[derive(Debug, Clone, Default, Deserialize)]
#[serde(deny_unknown_fields)]
pub struct PermissionConfig {
    /// Fallback effect when no rule matches (alias `*`). Defaults to Ask.
    #[serde(rename = "*", alias = "default")]
    pub default: Option<Action>,
    /// Loop-guard control: `"allow"` disables the retry-loop hard-deny;
    /// any other value (default) keeps it on.
    pub doom_loop: Option<Action>,
    /// Ordered authorization rules (last match wins).
    #[serde(default)]
    pub rules: Vec<RuleConfig>,
    /// Rules for paths OUTSIDE the working directory (op defaults to
    /// `*`). An out-of-project write with no matching rule prompts.
    #[serde(default)]
    pub external_directory: Vec<RuleConfig>,
}

/// Per-session security mode. Selected via `--yolo` / `--accept-all` /
/// `--restrictive` CLI flags or the `default_permission_mode` config
/// key. Mode precedence (high to low): `Yolo > Accept > Restrictive >
/// Standard`.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum SecurityMode {
    /// Every rule in `PermissionConfig` is consulted; tools with no
    /// matching rule fall back to the `*` default action.
    Standard,
    /// Like `Standard`, but any tool whose rule resolves to `Allow`
    /// *via the `*` fallback* (no explicit allow rule matched) gets
    /// upgraded to `Ask`. Explicit allow rules still allow; explicit
    /// deny rules still deny. The semantic difference from
    /// `Standard`: "if nothing explicitly approved this, ask the
    /// user." It does NOT flip every Allow to Ask.
    Restrictive,
    /// Auto-allows tools whose targets resolve inside the working
    /// directory; tools touching paths outside `cwd` still consult
    /// `external_directory` rules. Useful for fast iteration on a
    /// trusted project.
    Accept,
    /// Bypasses every check. Use with caution.
    Yolo,
}

impl std::fmt::Display for SecurityMode {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            SecurityMode::Standard => write!(f, "standard"),
            SecurityMode::Restrictive => write!(f, "restrictive"),
            SecurityMode::Accept => write!(f, "accept"),
            SecurityMode::Yolo => write!(f, "yolo"),
        }
    }
}

pub fn default_bash_rules() -> Vec<(&'static str, Action)> {
    // Allow-list ordering / shape — three buckets:
    //   1. Read-only inspection (cat / ls / grep / etc.)
    //   2. Project-scoped dev workflow inside CWD (cargo / git
    //      writes that stay local / make / npm test / language
    //      runners). Same trust model as the CWD-scoped write/edit
    //      allow installed in `checker.rs:install_cwd_allow_rules`:
    //      if you trust the agent to edit project files, running
    //      project code is the same trust level.
    //   3. Filesystem mutators (mkdir / touch / mv / cp) — they
    //      ALSO route their path arguments through the `write` rules
    //      via `extract_mutation_paths`, so the CWD-allow on write
    //      still gates the actual filesystem destination.
    //
    // Patterns use `**` (any chars including `/`) instead of exact
    // match because every prior exact pattern (`cargo build`,
    // `git status`, etc.) silently re-prompted on common flagged
    // invocations like `cargo build --release` or `git status -s` —
    // friction that drove the "permissions are too aggressive"
    // complaint.
    //
    // Intentionally NOT auto-allowed (each gets one permission dialog;
    // "allow always" then persists the grant for the session):
    //   - `npx`, `node`, `python`, `python3` — general interpreters that
    //     run ARBITRARY code (`-e`/`-c` inline scripts, remote `npx`
    //     packages, any `*.py`/`*.js` file). Not guaranteed to operate
    //     within the working folder, so unlike `cargo`/`go`/`make`/`pytest`
    //     (which run the project's OWN code) they aren't pre-trusted.
    //   - `git push **`           — side effect outside the project
    //   - `git rebase/reset/stash`— destructive, can lose work
    //   - `npm install **`, `pip install **` — executes install
    //     scripts as arbitrary code outside the repo tree
    //   - `sudo **`               — privilege escalation always asks
    //   - `curl/wget`             — network egress always asks
    vec![
        // Read-only inspection
        ("ls **", Action::Allow),
        ("cd **", Action::Allow),
        ("pwd", Action::Allow),
        ("echo **", Action::Allow),
        ("which **", Action::Allow),
        ("type **", Action::Allow),
        ("cat **", Action::Allow),
        ("head **", Action::Allow),
        ("tail **", Action::Allow),
        ("wc **", Action::Allow),
        ("sort **", Action::Allow),
        ("uniq **", Action::Allow),
        ("cut **", Action::Allow),
        ("diff **", Action::Allow),
        ("grep **", Action::Allow),
        ("rg **", Action::Allow),
        ("find **", Action::Allow),
        ("file **", Action::Allow),
        ("stat **", Action::Allow),
        ("env", Action::Allow),
        ("date **", Action::Allow),
        ("whoami", Action::Allow),
        ("hostname", Action::Allow),
        // Benign shell builtins — set env vars / navigate / no-ops, no
        // filesystem or code-execution side effects (a `$(...)` inside
        // would flip the whole command to the complex/whole-command
        // check, not these rules). These MUST stay in sync with the
        // `significant_bash_head` skip-list (dirge-9zbd): that function
        // skips these prefixes when suggesting an "allow always" pattern,
        // so a compound like `export X=1 && cd app && <cmd>` resolves to
        // `<cmd> *` — which only covers the whole command if the skipped
        // prefixes are themselves auto-allowed. `*` (not `**`) so a bare
        // builtin with no args (`pushd`, `:`) also matches.
        ("export *", Action::Allow),
        ("set *", Action::Allow),
        ("unset *", Action::Allow),
        ("pushd *", Action::Allow),
        ("popd *", Action::Allow),
        (": *", Action::Allow),
        ("true *", Action::Allow),
        // Git — local read/write inside the repo
        ("git status **", Action::Allow),
        ("git log **", Action::Allow),
        ("git diff **", Action::Allow),
        ("git show **", Action::Allow),
        ("git branch **", Action::Allow),
        ("git add **", Action::Allow),
        ("git commit **", Action::Allow),
        // git checkout / switch / restore / reset / clean are deliberately
        // NOT auto-allowed (#429): they discard uncommitted working-tree
        // changes (`git checkout -- file`, `git restore file`, `reset
        // --hard`, `clean -fd`), so they must prompt rather than run
        // silently — an agent reverting "its own" edit can otherwise wipe a
        // user's pending changes. They fall through to the default Ask.
        // `git pull`/`fetch` stay allowed (routine; conflicts surface).
        ("git pull **", Action::Allow),
        ("git fetch **", Action::Allow),
        ("git remote **", Action::Allow),
        ("git tag **", Action::Allow),
        ("git blame **", Action::Allow),
        ("git rev-parse **", Action::Allow),
        ("git rev-list **", Action::Allow),
        ("git ls-files **", Action::Allow),
        ("git config --get **", Action::Allow),
        // Rust toolchain
        ("cargo check **", Action::Allow),
        ("cargo build **", Action::Allow),
        ("cargo test **", Action::Allow),
        ("cargo fmt **", Action::Allow),
        ("cargo clippy **", Action::Allow),
        ("cargo run **", Action::Allow),
        ("cargo doc **", Action::Allow),
        ("cargo tree **", Action::Allow),
        ("cargo metadata **", Action::Allow),
        ("rustc --version", Action::Allow),
        // Filesystem mutators — path args still route through
        // `write` rules via `extract_mutation_paths` (F1 dirge-dvy),
        // so the CWD-allow on write still gates the destination.
        ("mkdir **", Action::Allow),
        ("touch **", Action::Allow),
        ("mv **", Action::Allow),
        ("cp **", Action::Allow),
        ("ln **", Action::Allow),
        ("chmod **", Action::Allow),
        // Node / npm / yarn / pnpm — PROJECT-SCOPED runners only.
        // `npm run`/`npm test` execute scripts defined in the repo's
        // package.json (same trust model as editing project files);
        // `npm ls` is read-only.
        //
        // `npx` and `node` are intentionally NOT here: `npx <pkg>` fetches
        // and runs ARBITRARY remote packages, and `node -e "…"` /
        // `node any.js` runs arbitrary JavaScript — neither is guaranteed
        // to stay in the working folder, so each gets one permission
        // dialog. After "allow always" the grant sticks (incl. multi-line
        // scripts — dirge-9zbd).
        ("npm test **", Action::Allow),
        ("npm run **", Action::Allow),
        ("npm ls **", Action::Allow),
        ("yarn run **", Action::Allow),
        ("pnpm run **", Action::Allow),
        // Python — project-scoped tools + read-only pip. The bare
        // `python`/`python3` interpreters are intentionally NOT allowed
        // (`python -c "…"` / `python any.py` runs arbitrary code) — they
        // prompt once. `pytest`/`ruff`/`black`/`mypy` operate on the
        // project tree (same trust as editing it).
        ("pytest **", Action::Allow),
        ("ruff **", Action::Allow),
        ("black **", Action::Allow),
        ("mypy **", Action::Allow),
        ("pip list **", Action::Allow),
        ("pip show **", Action::Allow),
        ("pip freeze", Action::Allow),
        // Go
        ("go build **", Action::Allow),
        ("go test **", Action::Allow),
        ("go run **", Action::Allow),
        ("go fmt **", Action::Allow),
        ("go vet **", Action::Allow),
        ("go mod **", Action::Allow),
        // Make + general task runners
        ("make **", Action::Allow),
        ("just **", Action::Allow),
        // Hard denies — destructive system-level operations
        ("rm -rf /**", Action::Deny),
        ("sudo rm -rf /**", Action::Deny),
        ("dd **", Action::Deny),
        ("mkfs **", Action::Deny),
        ("fdisk **", Action::Deny),
        ("mkswap **", Action::Deny),
    ]
}