mod types;
use std::cell::RefCell;
use std::collections::BTreeMap;
use std::rc::Rc;
use std::thread_local;
use serde::{Deserialize, Serialize};
use super::glob_match;
use crate::event_log::{active_event_log, EventLog, LogEvent, Topic};
use crate::tool_annotations::{SideEffectLevel, ToolAnnotations};
use crate::triggers::dispatcher::current_dispatch_context;
use crate::trust_graph::AutonomyTier;
use crate::value::{VmError, VmValue};
use crate::workspace_path::{classify_workspace_path, WorkspacePathInfo};
pub use crate::tool_annotations::{ToolArgSchema, ToolKind};
pub use types::{
enforce_tool_arg_constraints, AutoCompactPolicy, BranchSemantics, CapabilityPolicy,
ContextPolicy, EqIgnored, EscalationPolicy, JoinPolicy, MapPolicy, ModelPolicy,
NativeToolFallbackPolicy, ReducePolicy, RetryPolicy, StageContract, ToolArgConstraint,
TurnPolicy,
};
thread_local! {
static EXECUTION_POLICY_STACK: RefCell<Vec<CapabilityPolicy>> = const { RefCell::new(Vec::new()) };
static EXECUTION_APPROVAL_POLICY_STACK: RefCell<Vec<ToolApprovalPolicy>> = const { RefCell::new(Vec::new()) };
static TRUSTED_BRIDGE_CALL_DEPTH: RefCell<usize> = const { RefCell::new(0) };
}
pub fn push_execution_policy(policy: CapabilityPolicy) {
EXECUTION_POLICY_STACK.with(|stack| stack.borrow_mut().push(policy));
}
pub fn pop_execution_policy() {
EXECUTION_POLICY_STACK.with(|stack| {
stack.borrow_mut().pop();
});
}
pub fn current_execution_policy() -> Option<CapabilityPolicy> {
EXECUTION_POLICY_STACK.with(|stack| stack.borrow().last().cloned())
}
pub fn push_approval_policy(policy: ToolApprovalPolicy) {
EXECUTION_APPROVAL_POLICY_STACK.with(|stack| stack.borrow_mut().push(policy));
}
pub fn pop_approval_policy() {
EXECUTION_APPROVAL_POLICY_STACK.with(|stack| {
stack.borrow_mut().pop();
});
}
pub fn current_approval_policy() -> Option<ToolApprovalPolicy> {
EXECUTION_APPROVAL_POLICY_STACK.with(|stack| stack.borrow().last().cloned())
}
pub fn current_tool_annotations(tool: &str) -> Option<ToolAnnotations> {
current_execution_policy().and_then(|policy| policy.tool_annotations.get(tool).cloned())
}
fn tool_kind_participates_in_write_allowlist(tool_name: &str) -> bool {
current_tool_annotations(tool_name)
.map(|annotations| !annotations.kind.is_read_only())
.unwrap_or(true)
}
pub struct TrustedBridgeCallGuard;
pub fn allow_trusted_bridge_calls() -> TrustedBridgeCallGuard {
TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| {
*depth.borrow_mut() += 1;
});
TrustedBridgeCallGuard
}
impl Drop for TrustedBridgeCallGuard {
fn drop(&mut self) {
TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| {
let mut depth = depth.borrow_mut();
*depth = depth.saturating_sub(1);
});
}
}
fn policy_allows_tool(policy: &CapabilityPolicy, tool: &str) -> bool {
policy.tools.is_empty() || policy.tools.iter().any(|allowed| allowed == tool)
}
fn policy_allows_capability(policy: &CapabilityPolicy, capability: &str, op: &str) -> bool {
policy.capabilities.is_empty()
|| policy
.capabilities
.get(capability)
.is_some_and(|ops| ops.is_empty() || ops.iter().any(|allowed| allowed == op))
}
fn policy_allows_side_effect(policy: &CapabilityPolicy, requested: &str) -> bool {
fn rank(v: &str) -> usize {
match v {
"none" => 0,
"read_only" => 1,
"workspace_write" => 2,
"process_exec" => 3,
"network" => 4,
_ => 5,
}
}
policy
.side_effect_level
.as_ref()
.map(|allowed| rank(allowed) >= rank(requested))
.unwrap_or(true)
}
pub(super) fn reject_policy(reason: String) -> Result<(), VmError> {
Err(VmError::CategorizedError {
message: reason,
category: crate::value::ErrorCategory::ToolRejected,
})
}
pub fn current_tool_mutation_classification(tool_name: &str) -> String {
current_tool_annotations(tool_name)
.map(|annotations| annotations.kind.mutation_class().to_string())
.unwrap_or_else(|| "other".to_string())
}
pub fn current_tool_declared_paths(tool_name: &str, args: &serde_json::Value) -> Vec<String> {
current_tool_declared_path_entries(tool_name, args)
.into_iter()
.map(|entry| entry.display_path().to_string())
.collect()
}
pub fn current_tool_declared_path_entries(
tool_name: &str,
args: &serde_json::Value,
) -> Vec<WorkspacePathInfo> {
let Some(map) = args.as_object() else {
return Vec::new();
};
let Some(annotations) = current_tool_annotations(tool_name) else {
return Vec::new();
};
let workspace_root = crate::stdlib::process::execution_root_path();
let mut entries = Vec::new();
for key in &annotations.arg_schema.path_params {
if let Some(value) = map.get(key) {
match value {
serde_json::Value::String(path) if !path.is_empty() => {
entries.push(classify_workspace_path(path, Some(&workspace_root)));
}
serde_json::Value::Array(items) => {
for item in items.iter().filter_map(|item| item.as_str()) {
if !item.is_empty() {
entries.push(classify_workspace_path(item, Some(&workspace_root)));
}
}
}
_ => {}
}
}
}
entries.sort_by(|a, b| a.display_path().cmp(b.display_path()));
entries.dedup_by(|left, right| left.policy_candidates() == right.policy_candidates());
entries
}
fn builtin_mutates_state(name: &str) -> bool {
matches!(
name,
"write_file"
| "append_file"
| "mkdir"
| "copy_file"
| "delete_file"
| "apply_edit"
| "exec"
| "exec_at"
| "shell"
| "shell_at"
| "host_call"
| "store_set"
| "store_delete"
| "store_save"
| "store_clear"
| "metadata_set"
| "metadata_save"
| "metadata_refresh_hashes"
| "invalidate_facts"
| "checkpoint"
| "checkpoint_delete"
| "checkpoint_clear"
| "__agent_state_write"
| "__agent_state_delete"
| "__agent_state_handoff"
| "mcp_release"
)
}
fn emit_autonomy_proposal_event(
tier: AutonomyTier,
builtin_name: &str,
args: &[VmValue],
) -> Result<(), VmError> {
let Some(context) = current_dispatch_context() else {
return Ok(());
};
let Some(log) = active_event_log() else {
return Ok(());
};
let topic = Topic::new(crate::TRIGGER_OUTBOX_TOPIC)
.map_err(|error| VmError::Runtime(format!("autonomy proposal topic error: {error}")))?;
let mut headers = BTreeMap::new();
headers.insert(
"trace_id".to_string(),
context.trigger_event.trace_id.0.clone(),
);
headers.insert("agent".to_string(), context.agent_id.clone());
headers.insert("autonomy_tier".to_string(), tier.as_str().to_string());
let payload = serde_json::json!({
"agent": context.agent_id,
"action": context.action,
"builtin": builtin_name,
"args": args.iter().map(crate::llm::vm_value_to_json).collect::<Vec<_>>(),
"trace_id": context.trigger_event.trace_id.0,
"replay_of_event_id": context.replay_of_event_id,
"autonomy_tier": tier,
"proposal": true,
});
futures::executor::block_on(log.append(
&topic,
LogEvent::new("dispatch_proposed", payload).with_headers(headers),
))
.map(|_| ())
.map_err(|error| VmError::Runtime(format!("failed to append autonomy proposal: {error}")))
}
fn enforce_dispatch_autonomy_for_builtin(name: &str, args: &[VmValue]) -> Result<(), VmError> {
let Some(context) = current_dispatch_context() else {
return Ok(());
};
if !builtin_mutates_state(name) {
return Ok(());
}
match context.autonomy_tier {
AutonomyTier::Shadow => {
emit_autonomy_proposal_event(AutonomyTier::Shadow, name, args)?;
Ok(())
}
AutonomyTier::Suggest => {
emit_autonomy_proposal_event(AutonomyTier::Suggest, name, args)?;
Ok(())
}
AutonomyTier::ActWithApproval | AutonomyTier::ActAuto => Ok(()),
}
}
pub fn enforce_current_policy_for_builtin(name: &str, args: &[VmValue]) -> Result<(), VmError> {
enforce_dispatch_autonomy_for_builtin(name, args)?;
let Some(policy) = current_execution_policy() else {
return Ok(());
};
match name {
"read_file" | "read_file_result" | "read_file_bytes"
if !policy_allows_capability(&policy, "workspace", "read_text") =>
{
return reject_policy(format!(
"builtin '{name}' exceeds workspace.read_text ceiling"
));
}
"list_dir" if !policy_allows_capability(&policy, "workspace", "list") => {
return reject_policy(format!("builtin '{name}' exceeds workspace.list ceiling"));
}
"file_exists" | "stat" if !policy_allows_capability(&policy, "workspace", "exists") => {
return reject_policy(format!("builtin '{name}' exceeds workspace.exists ceiling"));
}
"write_file" | "write_file_bytes" | "append_file" | "mkdir" | "copy_file"
if !policy_allows_capability(&policy, "workspace", "write_text")
|| !policy_allows_side_effect(&policy, "workspace_write") =>
{
return reject_policy(format!("builtin '{name}' exceeds workspace write ceiling"));
}
"delete_file"
if !policy_allows_capability(&policy, "workspace", "delete")
|| !policy_allows_side_effect(&policy, "workspace_write") =>
{
return reject_policy(
"builtin 'delete_file' exceeds workspace.delete ceiling".to_string(),
);
}
"apply_edit"
if !policy_allows_capability(&policy, "workspace", "apply_edit")
|| !policy_allows_side_effect(&policy, "workspace_write") =>
{
return reject_policy(
"builtin 'apply_edit' exceeds workspace.apply_edit ceiling".to_string(),
);
}
"exec" | "exec_at" | "shell" | "shell_at"
if !policy_allows_capability(&policy, "process", "exec")
|| !policy_allows_side_effect(&policy, "process_exec") =>
{
return reject_policy(format!("builtin '{name}' exceeds process.exec ceiling"));
}
"http_get" | "http_post" | "http_put" | "http_patch" | "http_delete" | "http_request"
if !policy_allows_side_effect(&policy, "network") =>
{
return reject_policy(format!("builtin '{name}' exceeds network ceiling"));
}
"http_session_request"
| "sse_connect"
| "sse_receive"
| "websocket_connect"
| "websocket_send"
| "websocket_receive"
if !policy_allows_side_effect(&policy, "network") =>
{
return reject_policy(format!("builtin '{name}' exceeds network ceiling"));
}
"llm_call" | "llm_call_safe" | "llm_completion" | "llm_stream" | "llm_healthcheck"
| "agent_loop"
if !policy_allows_capability(&policy, "llm", "call")
|| !policy_allows_side_effect(&policy, "network") =>
{
return reject_policy(format!("builtin '{name}' exceeds LLM/network ceiling"));
}
"connector_call"
if !policy_allows_capability(&policy, "connector", "call")
|| !policy_allows_side_effect(&policy, "network") =>
{
return reject_policy(
"builtin 'connector_call' exceeds connector.call/network ceiling".to_string(),
);
}
"secret_get" if !policy_allows_capability(&policy, "connector", "secret_get") => {
return reject_policy(
"builtin 'secret_get' exceeds connector.secret_get ceiling".to_string(),
);
}
"event_log_emit" if !policy_allows_capability(&policy, "connector", "event_log_emit") => {
return reject_policy(
"builtin 'event_log_emit' exceeds connector.event_log_emit ceiling".to_string(),
);
}
"metrics_inc" if !policy_allows_capability(&policy, "connector", "metrics_inc") => {
return reject_policy(
"builtin 'metrics_inc' exceeds connector.metrics_inc ceiling".to_string(),
);
}
"project_fingerprint"
| "project_scan_native"
| "project_scan_tree_native"
| "project_walk_tree_native"
| "project_catalog_native"
if !policy_allows_capability(&policy, "workspace", "list")
|| !policy_allows_side_effect(&policy, "read_only") =>
{
return reject_policy(format!("builtin '{name}' exceeds workspace.list ceiling"));
}
"__agent_state_init"
| "__agent_state_resume"
| "__agent_state_write"
| "__agent_state_read"
| "__agent_state_list"
| "__agent_state_delete"
| "__agent_state_handoff"
if !policy_allows_capability(&policy, "agent_state", "access") =>
{
return reject_policy(format!(
"builtin '{name}' exceeds agent_state.access ceiling"
));
}
"vision_ocr"
if !policy_allows_capability(&policy, "vision", "ocr")
|| !policy_allows_side_effect(&policy, "process_exec") =>
{
return reject_policy(format!(
"builtin '{name}' exceeds vision.ocr/process ceiling"
));
}
"mcp_connect"
| "mcp_ensure_active"
| "mcp_call"
| "mcp_list_tools"
| "mcp_list_resources"
| "mcp_list_resource_templates"
| "mcp_read_resource"
| "mcp_list_prompts"
| "mcp_get_prompt"
| "mcp_server_info"
| "mcp_disconnect"
if !policy_allows_capability(&policy, "process", "exec")
|| !policy_allows_side_effect(&policy, "process_exec") =>
{
return reject_policy(format!("builtin '{name}' exceeds process.exec ceiling"));
}
"host_call" => {
let name = args.first().map(|v| v.display()).unwrap_or_default();
let Some((capability, op)) = name.split_once('.') else {
return reject_policy(format!(
"host_call '{name}' must use capability.operation naming"
));
};
if !policy_allows_capability(&policy, capability, op) {
return reject_policy(format!(
"host_call {capability}.{op} exceeds capability ceiling"
));
}
let requested_side_effect = match (capability, op) {
("workspace", "write_text" | "apply_edit" | "delete") => "workspace_write",
("process", "exec") => "process_exec",
_ => "read_only",
};
if !policy_allows_side_effect(&policy, requested_side_effect) {
return reject_policy(format!(
"host_call {capability}.{op} exceeds side-effect ceiling"
));
}
}
"host_tool_list" | "host_tool_call"
if !policy_allows_capability(&policy, "host", "tool_call") =>
{
return reject_policy(format!("builtin '{name}' exceeds host.tool_call ceiling"));
}
_ => {}
}
Ok(())
}
pub fn enforce_current_policy_for_bridge_builtin(name: &str) -> Result<(), VmError> {
let trusted = TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| *depth.borrow() > 0);
if trusted {
return Ok(());
}
if current_execution_policy().is_some() {
return reject_policy(format!(
"bridged builtin '{name}' exceeds execution policy; declare an explicit capability/tool surface instead"
));
}
Ok(())
}
pub fn enforce_current_policy_for_tool(tool_name: &str) -> Result<(), VmError> {
let Some(policy) = current_execution_policy() else {
return Ok(());
};
if !policy_allows_tool(&policy, tool_name) {
return reject_policy(format!("tool '{tool_name}' exceeds tool ceiling"));
}
if let Some(annotations) = policy.tool_annotations.get(tool_name) {
for (capability, ops) in &annotations.capabilities {
for op in ops {
if !policy_allows_capability(&policy, capability, op) {
return reject_policy(format!(
"tool '{tool_name}' exceeds capability ceiling: {capability}.{op}"
));
}
}
}
let requested_level = annotations.side_effect_level;
if requested_level != SideEffectLevel::None
&& !policy_allows_side_effect(&policy, requested_level.as_str())
{
return reject_policy(format!(
"tool '{tool_name}' exceeds side-effect ceiling: {}",
requested_level.as_str()
));
}
}
Ok(())
}
pub fn redact_transcript_visibility(
transcript: &VmValue,
visibility: Option<&str>,
) -> Option<VmValue> {
let Some(visibility) = visibility else {
return Some(transcript.clone());
};
if visibility != "public" && visibility != "public_only" {
return Some(transcript.clone());
}
let dict = transcript.as_dict()?;
let public_messages = match dict.get("messages") {
Some(VmValue::List(list)) => list
.iter()
.filter(|message| {
message
.as_dict()
.and_then(|d| d.get("role"))
.map(|v| v.display())
.map(|role| role != "tool_result")
.unwrap_or(true)
})
.cloned()
.collect::<Vec<_>>(),
_ => Vec::new(),
};
let public_events = match dict.get("events") {
Some(VmValue::List(list)) => list
.iter()
.filter(|event| {
event
.as_dict()
.and_then(|d| d.get("visibility"))
.map(|v| v.display())
.map(|value| value == "public")
.unwrap_or(true)
})
.cloned()
.collect::<Vec<_>>(),
_ => Vec::new(),
};
let mut redacted = dict.clone();
redacted.insert(
"messages".to_string(),
VmValue::List(Rc::new(public_messages)),
);
redacted.insert("events".to_string(), VmValue::List(Rc::new(public_events)));
Some(VmValue::Dict(Rc::new(redacted)))
}
pub fn builtin_ceiling() -> CapabilityPolicy {
CapabilityPolicy {
tools: Vec::new(),
capabilities: BTreeMap::new(),
workspace_roots: Vec::new(),
side_effect_level: Some("network".to_string()),
recursion_limit: Some(8),
tool_arg_constraints: Vec::new(),
tool_annotations: BTreeMap::new(),
}
}
#[derive(Clone, Debug, Default, Serialize, Deserialize, PartialEq, Eq)]
#[serde(default)]
pub struct ToolApprovalPolicy {
#[serde(default)]
pub auto_approve: Vec<String>,
#[serde(default)]
pub auto_deny: Vec<String>,
#[serde(default)]
pub require_approval: Vec<String>,
#[serde(default)]
pub write_path_allowlist: Vec<String>,
}
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ToolApprovalDecision {
AutoApproved,
AutoDenied { reason: String },
RequiresHostApproval,
}
impl ToolApprovalPolicy {
pub fn evaluate(&self, tool_name: &str, args: &serde_json::Value) -> ToolApprovalDecision {
for pattern in &self.auto_deny {
if glob_match(pattern, tool_name) {
return ToolApprovalDecision::AutoDenied {
reason: format!("tool '{tool_name}' matches deny pattern '{pattern}'"),
};
}
}
if !self.write_path_allowlist.is_empty()
&& tool_kind_participates_in_write_allowlist(tool_name)
{
let paths = super::current_tool_declared_path_entries(tool_name, args);
for path in &paths {
let allowed = self.write_path_allowlist.iter().any(|pattern| {
path.policy_candidates()
.iter()
.any(|candidate| glob_match(pattern, candidate))
});
if !allowed {
return ToolApprovalDecision::AutoDenied {
reason: format!(
"tool '{tool_name}' targets '{}' which is not in the write-path allowlist",
path.display_path()
),
};
}
}
}
for pattern in &self.auto_approve {
if glob_match(pattern, tool_name) {
return ToolApprovalDecision::AutoApproved;
}
}
for pattern in &self.require_approval {
if glob_match(pattern, tool_name) {
return ToolApprovalDecision::RequiresHostApproval;
}
}
ToolApprovalDecision::AutoApproved
}
pub fn intersect(&self, other: &ToolApprovalPolicy) -> ToolApprovalPolicy {
let auto_approve = if self.auto_approve.is_empty() {
other.auto_approve.clone()
} else if other.auto_approve.is_empty() {
self.auto_approve.clone()
} else {
self.auto_approve
.iter()
.filter(|p| other.auto_approve.contains(p))
.cloned()
.collect()
};
let mut auto_deny = self.auto_deny.clone();
auto_deny.extend(other.auto_deny.iter().cloned());
let mut require_approval = self.require_approval.clone();
require_approval.extend(other.require_approval.iter().cloned());
let write_path_allowlist = if self.write_path_allowlist.is_empty() {
other.write_path_allowlist.clone()
} else if other.write_path_allowlist.is_empty() {
self.write_path_allowlist.clone()
} else {
self.write_path_allowlist
.iter()
.filter(|p| other.write_path_allowlist.contains(p))
.cloned()
.collect()
};
ToolApprovalPolicy {
auto_approve,
auto_deny,
require_approval,
write_path_allowlist,
}
}
}
#[cfg(test)]
mod approval_policy_tests {
use super::*;
use crate::orchestration::{pop_execution_policy, push_execution_policy, CapabilityPolicy};
use crate::tool_annotations::{ToolAnnotations, ToolArgSchema, ToolKind};
#[test]
fn auto_deny_takes_precedence_over_auto_approve() {
let policy = ToolApprovalPolicy {
auto_approve: vec!["*".to_string()],
auto_deny: vec!["dangerous_*".to_string()],
..Default::default()
};
assert_eq!(
policy.evaluate("dangerous_rm", &serde_json::json!({})),
ToolApprovalDecision::AutoDenied {
reason: "tool 'dangerous_rm' matches deny pattern 'dangerous_*'".to_string()
}
);
}
#[test]
fn auto_approve_matches_glob() {
let policy = ToolApprovalPolicy {
auto_approve: vec!["read*".to_string(), "search*".to_string()],
..Default::default()
};
assert_eq!(
policy.evaluate("read_file", &serde_json::json!({})),
ToolApprovalDecision::AutoApproved
);
assert_eq!(
policy.evaluate("search", &serde_json::json!({})),
ToolApprovalDecision::AutoApproved
);
}
#[test]
fn require_approval_emits_decision() {
let policy = ToolApprovalPolicy {
require_approval: vec!["edit*".to_string()],
..Default::default()
};
let decision = policy.evaluate("edit_file", &serde_json::json!({"path": "foo.rs"}));
assert!(matches!(
decision,
ToolApprovalDecision::RequiresHostApproval
));
}
#[test]
fn unmatched_tool_defaults_to_approved() {
let policy = ToolApprovalPolicy {
auto_approve: vec!["read*".to_string()],
require_approval: vec!["edit*".to_string()],
..Default::default()
};
assert_eq!(
policy.evaluate("unknown_tool", &serde_json::json!({})),
ToolApprovalDecision::AutoApproved
);
}
#[test]
fn intersect_merges_deny_lists() {
let a = ToolApprovalPolicy {
auto_deny: vec!["rm*".to_string()],
..Default::default()
};
let b = ToolApprovalPolicy {
auto_deny: vec!["drop*".to_string()],
..Default::default()
};
let merged = a.intersect(&b);
assert_eq!(merged.auto_deny.len(), 2);
}
#[test]
fn intersect_restricts_auto_approve_to_common_patterns() {
let a = ToolApprovalPolicy {
auto_approve: vec!["read*".to_string(), "search*".to_string()],
..Default::default()
};
let b = ToolApprovalPolicy {
auto_approve: vec!["read*".to_string(), "write*".to_string()],
..Default::default()
};
let merged = a.intersect(&b);
assert_eq!(merged.auto_approve, vec!["read*".to_string()]);
}
#[test]
fn intersect_defers_auto_approve_when_one_side_empty() {
let a = ToolApprovalPolicy {
auto_approve: vec!["read*".to_string()],
..Default::default()
};
let b = ToolApprovalPolicy::default();
let merged = a.intersect(&b);
assert_eq!(merged.auto_approve, vec!["read*".to_string()]);
}
#[test]
fn write_path_allowlist_matches_recovered_workspace_relative_path() {
let temp = tempfile::tempdir().unwrap();
std::fs::create_dir_all(temp.path().join("packages/demo")).unwrap();
std::fs::write(temp.path().join("packages/demo/file.txt"), "ok").unwrap();
crate::stdlib::process::set_thread_execution_context(Some(
crate::orchestration::RunExecutionRecord {
cwd: Some(temp.path().to_string_lossy().into_owned()),
source_dir: Some(temp.path().to_string_lossy().into_owned()),
env: BTreeMap::new(),
adapter: None,
repo_path: None,
worktree_path: None,
branch: None,
base_ref: None,
cleanup: None,
},
));
let mut tool_annotations = BTreeMap::new();
tool_annotations.insert(
"write_file".to_string(),
ToolAnnotations {
kind: ToolKind::Edit,
arg_schema: ToolArgSchema {
path_params: vec!["path".to_string()],
..Default::default()
},
..Default::default()
},
);
push_execution_policy(CapabilityPolicy {
tool_annotations,
..Default::default()
});
let policy = ToolApprovalPolicy {
write_path_allowlist: vec!["packages/demo/file.txt".to_string()],
..Default::default()
};
let decision = policy.evaluate(
"write_file",
&serde_json::json!({"path": "/packages/demo/file.txt"}),
);
assert_eq!(decision, ToolApprovalDecision::AutoApproved);
pop_execution_policy();
crate::stdlib::process::set_thread_execution_context(None);
}
#[test]
fn write_path_allowlist_does_not_block_read_only_tools() {
let temp = tempfile::tempdir().unwrap();
std::fs::create_dir_all(temp.path().join("packages/demo")).unwrap();
std::fs::write(temp.path().join("packages/demo/context.txt"), "ok").unwrap();
crate::stdlib::process::set_thread_execution_context(Some(
crate::orchestration::RunExecutionRecord {
cwd: Some(temp.path().to_string_lossy().into_owned()),
source_dir: Some(temp.path().to_string_lossy().into_owned()),
env: BTreeMap::new(),
adapter: None,
repo_path: None,
worktree_path: None,
branch: None,
base_ref: None,
cleanup: None,
},
));
let mut tool_annotations = BTreeMap::new();
tool_annotations.insert(
"read_file".to_string(),
ToolAnnotations {
kind: ToolKind::Read,
arg_schema: ToolArgSchema {
path_params: vec!["path".to_string()],
..Default::default()
},
..Default::default()
},
);
push_execution_policy(CapabilityPolicy {
tool_annotations,
..Default::default()
});
let policy = ToolApprovalPolicy {
write_path_allowlist: vec!["packages/demo/file.txt".to_string()],
..Default::default()
};
let decision = policy.evaluate(
"read_file",
&serde_json::json!({"path": "/packages/demo/context.txt"}),
);
assert_eq!(decision, ToolApprovalDecision::AutoApproved);
pop_execution_policy();
crate::stdlib::process::set_thread_execution_context(None);
}
}
#[cfg(test)]
mod turn_policy_tests {
use super::TurnPolicy;
#[test]
fn default_allows_done_sentinel() {
let policy = TurnPolicy::default();
assert!(policy.allow_done_sentinel);
assert!(!policy.require_action_or_yield);
assert!(policy.max_prose_chars.is_none());
}
#[test]
fn deserializing_partial_dict_preserves_done_sentinel_pathway() {
let policy: TurnPolicy =
serde_json::from_value(serde_json::json!({ "require_action_or_yield": true }))
.expect("deserialize");
assert!(policy.require_action_or_yield);
assert!(policy.allow_done_sentinel);
}
#[test]
fn deserializing_explicit_false_disables_done_sentinel() {
let policy: TurnPolicy = serde_json::from_value(serde_json::json!({
"require_action_or_yield": true,
"allow_done_sentinel": false,
}))
.expect("deserialize");
assert!(policy.require_action_or_yield);
assert!(!policy.allow_done_sentinel);
}
}
#[cfg(test)]
mod visibility_redaction_tests {
use super::*;
use crate::value::VmValue;
fn mock_transcript() -> VmValue {
let messages = vec![
serde_json::json!({"role": "user", "content": "hi"}),
serde_json::json!({"role": "assistant", "content": "hello"}),
serde_json::json!({"role": "tool_result", "content": "internal tool output"}),
];
crate::llm::helpers::transcript_to_vm_with_events(
Some("test-id".to_string()),
None,
None,
&messages,
Vec::new(),
Vec::new(),
Some("active"),
)
}
fn message_count(transcript: &VmValue) -> usize {
transcript
.as_dict()
.and_then(|d| d.get("messages"))
.and_then(|v| match v {
VmValue::List(list) => Some(list.len()),
_ => None,
})
.unwrap_or(0)
}
#[test]
fn visibility_none_returns_unchanged() {
let t = mock_transcript();
let result = redact_transcript_visibility(&t, None).unwrap();
assert_eq!(message_count(&result), 3);
}
#[test]
fn visibility_public_drops_tool_results() {
let t = mock_transcript();
let result = redact_transcript_visibility(&t, Some("public")).unwrap();
assert_eq!(message_count(&result), 2);
}
#[test]
fn visibility_unknown_string_is_pass_through() {
let t = mock_transcript();
let result = redact_transcript_visibility(&t, Some("internal")).unwrap();
assert_eq!(message_count(&result), 3);
}
}