everruns-core 0.15.0

Core agent abstractions for Everruns - agent loop, events, tools, LLM providers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380

// Guardrail gallery — ready-made `GuardrailsConfig` presets.
//
// A curated catalogue of deterministic guardrail configs that an author can
// adopt as a starting point instead of authoring checks from scratch. See
// specs/guardrails.md ("guardrail gallery").
//
// Design constraints:
//  - Adoption is client-side config composition. A gallery item carries a
//    full `GuardrailsConfig`; the client drops it into an agent's `guardrails`
//    capability config (merging or replacing checks). There is no new
//    persisted resource — guardrail configs already live in agent capability
//    config — so the gallery is a read-only catalogue, mirroring the
//    harness-examples pattern.
//  - Every preset must `compile()` (enforced by a test) so an adopted preset
//    is always valid against the engine's limits.
//  - Presets are deterministic-only in this phase: nothing a preset does
//    leaves the platform (see `data_egress`). Model-based and MCP-served
//    presets will carry a different egress marker when those check types land.

use crate::guardrail_checks::{
    GuardrailCheck, GuardrailOnFail, GuardrailRule, GuardrailStage, GuardrailsConfig,
};

/// Where a preset's checks send data when they run. Deterministic checks run
/// in-process and send nothing; future model-based / MCP-served presets will
/// use other variants so a UI can warn before adoption.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DataEgress {
    /// Runs entirely in-process; no data leaves the platform.
    None,
}

impl DataEgress {
    pub fn as_str(&self) -> &'static str {
        match self {
            DataEgress::None => "none",
        }
    }
}

/// A read-only, adoptable guardrails preset.
pub struct GuardrailGalleryItem {
    /// Stable slug used to reference the preset (e.g. `secret-detection`).
    pub name: &'static str,
    /// Human-facing label.
    pub display_name: &'static str,
    /// What the preset protects against and how to tune it.
    pub description: &'static str,
    /// Free-form tags for grouping/filtering in a picker.
    pub tags: Vec<&'static str>,
    /// The adoptable config. Always compiles (see tests).
    pub config: GuardrailsConfig,
}

impl GuardrailGalleryItem {
    /// Distinct rule types used across the preset's checks, in first-seen
    /// order. This is the "check-type composition" trust signal.
    pub fn check_types(&self) -> Vec<&'static str> {
        let mut seen = Vec::new();
        for check in &self.config.checks {
            let t = check.rule.rule_type();
            if !seen.contains(&t) {
                seen.push(t);
            }
        }
        seen
    }

    /// Distinct stages the preset's checks run in, in first-seen order.
    pub fn stages(&self) -> Vec<&'static str> {
        let mut seen = Vec::new();
        for check in &self.config.checks {
            let s = check.stage.as_str();
            if !seen.contains(&s) {
                seen.push(s);
            }
        }
        seen
    }

    /// Where this preset sends data. Deterministic presets never leave the
    /// platform; derived from check types so it stays correct as new types
    /// (model/MCP) are added.
    pub fn data_egress(&self) -> DataEgress {
        DataEgress::None
    }
}

// ---- check builders -------------------------------------------------------

fn check(
    id: &'static str,
    stage: GuardrailStage,
    on_fail: GuardrailOnFail,
    replacement: Option<&'static str>,
    rule: GuardrailRule,
) -> GuardrailCheck {
    GuardrailCheck {
        id: Some(id.to_string()),
        stage,
        on_fail,
        replacement: replacement.map(str::to_string),
        rule,
    }
}

fn regex(patterns: &[&str]) -> GuardrailRule {
    GuardrailRule::Regex {
        patterns: patterns.iter().map(|p| p.to_string()).collect(),
    }
}

fn blocklist(words: &[&str]) -> GuardrailRule {
    GuardrailRule::Blocklist {
        words: words.iter().map(|w| w.to_string()).collect(),
        case_sensitive: false,
    }
}

fn tool_pattern(tools: &[&str]) -> GuardrailRule {
    GuardrailRule::ToolPattern {
        tools: tools.iter().map(|t| t.to_string()).collect(),
    }
}

fn config(checks: Vec<GuardrailCheck>) -> GuardrailsConfig {
    GuardrailsConfig {
        mode: crate::guardrail_checks::GuardrailMode::Active,
        checks,
    }
}

/// The adoptable guardrail presets, in display order.
pub fn guardrail_gallery() -> Vec<GuardrailGalleryItem> {
    use GuardrailOnFail::{Block, Log};
    use GuardrailStage::{Output, ToolOutput, ToolUse};

    // High-precision secret formats. Blocked on output (model echoing a
    // secret) and on tool_output (a fetched file/page carrying one), which is
    // the untrusted-content trust boundary.
    let secret_patterns: &[&str] = &[
        r"AKIA[0-9A-Z]{16}",                   // AWS access key id
        r"ghp_[A-Za-z0-9]{36}",                // GitHub personal access token
        r"xox[baprs]-[A-Za-z0-9-]{10,}",       // Slack token
        r"AIza[0-9A-Za-z\-_]{35}",             // Google API key
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----", // PEM private key header
    ];

    vec![
        GuardrailGalleryItem {
            name: "secret-detection",
            display_name: "Secret & Credential Detection",
            description: "Blocks well-known credential formats (AWS, GitHub, Slack, Google keys, PEM \
                 private keys) in model output and in tool results before they reach context. \
                 High-precision patterns; safe to run active.",
            tags: vec!["security", "secrets"],
            config: config(vec![
                check(
                    "secret-output",
                    Output,
                    Block,
                    Some("[Response withheld: appears to contain a credential.]"),
                    regex(secret_patterns),
                ),
                check(
                    "secret-tool-output",
                    ToolOutput,
                    Block,
                    Some("[Tool output withheld: appears to contain a credential.]"),
                    regex(secret_patterns),
                ),
            ]),
        },
        GuardrailGalleryItem {
            name: "pii-detection",
            display_name: "PII Detection (email, SSN, phone)",
            description: "Logs likely PII (emails, US SSNs, phone numbers) in output and tool results. \
                 Regex PII is noisy, so this ships as log-only — review hits, then switch \
                 individual checks to block (or run the capability in advisory mode) once tuned.",
            tags: vec!["privacy", "pii"],
            config: config(vec![
                check(
                    "pii-output",
                    Output,
                    Log,
                    None,
                    regex(&[
                        r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
                        r"\b\d{3}-\d{2}-\d{4}\b",
                        r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b",
                    ]),
                ),
                check(
                    "pii-tool-output",
                    ToolOutput,
                    Log,
                    None,
                    regex(&[
                        r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
                        r"\b\d{3}-\d{2}-\d{4}\b",
                        r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b",
                    ]),
                ),
            ]),
        },
        GuardrailGalleryItem {
            name: "profanity-filter",
            display_name: "Profanity Filter (starter)",
            description: "Blocks output containing words from a small starter list (case-insensitive). \
                 Extend `words` with your own terms — the shipped list is intentionally minimal.",
            tags: vec!["content", "profanity"],
            config: config(vec![check(
                "profanity",
                Output,
                Block,
                Some("[Response withheld: contains filtered language.]"),
                blocklist(&["damn", "crap"]),
            )]),
        },
        GuardrailGalleryItem {
            name: "dangerous-shell-commands",
            display_name: "Dangerous Shell Commands",
            description: "Blocks tool calls whose arguments contain destructive shell patterns \
                 (recursive force-remove of root, mkfs, dd to a device, curl|wget piped to a \
                 shell). Matches serialized tool arguments at the tool_use stage.",
            tags: vec!["security", "tools"],
            config: config(vec![check(
                "dangerous-shell",
                ToolUse,
                Block,
                Some("This command was blocked as potentially destructive."),
                regex(&[
                    r"\brm\s+-[a-zA-Z]*r[a-zA-Z]*f",
                    r"\brm\s+-[a-zA-Z]*f[a-zA-Z]*r",
                    r"\bmkfs\.[a-z0-9]+\b",
                    r"\bdd\s+if=.*\bof=/dev/",
                    r"(?:curl|wget)\s+[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh\b",
                ]),
            )]),
        },
        GuardrailGalleryItem {
            name: "block-shell-access",
            display_name: "Block Shell & Code Execution",
            description: "Refuses tool calls to shell/exec-style tools by name pattern. Tool names vary \
                 by deployment — adjust `tools` to match the runtime's shell/code tools.",
            tags: vec!["security", "tools"],
            config: config(vec![check(
                "no-shell",
                ToolUse,
                Block,
                Some("Shell and code execution are disabled for this agent."),
                tool_pattern(&["bash*", "*shell*", "*exec*", "run_command*"]),
            )]),
        },
        GuardrailGalleryItem {
            name: "prompt-injection-heuristics",
            display_name: "Prompt-Injection Heuristics (tool output)",
            description: "Logs common indirect prompt-injection phrasings in tool results — the \
                 untrusted-content trust boundary. Heuristic and noisy, so it ships as \
                 log-only; review hits before switching to block.",
            tags: vec!["security", "prompt-injection"],
            config: config(vec![check(
                "injection-phrases",
                ToolOutput,
                Log,
                None,
                regex(&[
                    r"(?i)ignore (all )?(previous|prior|above) instructions",
                    r"(?i)disregard (the )?(previous|above|system|prior)",
                    r"(?i)you are now ",
                    r"(?i)new instructions:",
                ]),
            )]),
        },
    ]
}

/// Look up a gallery preset by its `name` slug.
pub fn find_guardrail_gallery_item(name: &str) -> Option<GuardrailGalleryItem> {
    guardrail_gallery().into_iter().find(|i| i.name == name)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn every_preset_compiles() {
        for item in guardrail_gallery() {
            item.config
                .compile()
                .unwrap_or_else(|e| panic!("preset '{}' must compile: {e}", item.name));
        }
    }

    #[test]
    fn preset_names_are_unique_nonempty_slugs() {
        let items = guardrail_gallery();
        let mut names: Vec<&str> = items.iter().map(|i| i.name).collect();
        let count = names.len();
        names.sort_unstable();
        names.dedup();
        assert_eq!(count, names.len(), "duplicate gallery slugs");
        for item in &items {
            assert!(!item.name.is_empty(), "empty slug");
            assert!(!item.display_name.is_empty(), "empty display name");
            assert!(!item.config.checks.is_empty(), "preset has no checks");
        }
    }

    #[test]
    fn trust_metadata_is_derived_from_config() {
        let secret = find_guardrail_gallery_item("secret-detection").expect("present");
        assert_eq!(secret.check_types(), vec!["regex"]);
        assert_eq!(secret.stages(), vec!["output", "tool_output"]);
        assert_eq!(secret.data_egress(), DataEgress::None);

        let shell = find_guardrail_gallery_item("block-shell-access").expect("present");
        assert_eq!(shell.check_types(), vec!["tool_pattern"]);
        assert_eq!(shell.stages(), vec!["tool_use"]);
    }

    #[test]
    fn find_returns_none_for_unknown() {
        assert!(find_guardrail_gallery_item("nope").is_none());
    }

    #[test]
    fn secret_detection_blocks_aws_key_on_tool_output() {
        let item = find_guardrail_gallery_item("secret-detection").expect("present");
        let compiled = item.config.compile().expect("compiles");
        let hits = compiled.evaluate(
            GuardrailStage::ToolOutput,
            "the key is AKIAIOSFODNN7EXAMPLE here",
            None,
            &|_| false,
        );
        assert_eq!(hits.len(), 1, "expected a single secret hit");
        assert_eq!(
            hits[0].action,
            crate::guardrail_checks::GuardrailAction::Block
        );
    }

    #[test]
    fn pii_detection_logs_not_blocks() {
        let item = find_guardrail_gallery_item("pii-detection").expect("present");
        let compiled = item.config.compile().expect("compiles");
        let hits = compiled.evaluate(
            GuardrailStage::Output,
            "reach me at jane.doe@example.com",
            None,
            &|_| false,
        );
        assert_eq!(hits.len(), 1);
        assert_eq!(
            hits[0].action,
            crate::guardrail_checks::GuardrailAction::Log,
            "PII preset must ship log-only"
        );
    }

    #[test]
    fn dangerous_shell_blocks_rm_rf_in_args() {
        let item = find_guardrail_gallery_item("dangerous-shell-commands").expect("present");
        let compiled = item.config.compile().expect("compiles");
        let args = serde_json::json!({"cmd": "rm -rf /"}).to_string();
        let hits = compiled.evaluate(
            GuardrailStage::ToolUse,
            &args,
            Some("bashkit_exec"),
            &|_| false,
        );
        assert_eq!(hits.len(), 1);
        assert_eq!(
            hits[0].action,
            crate::guardrail_checks::GuardrailAction::Block
        );
    }
}