kernex-core 0.8.1

Core types, traits, config, and error handling for Kernex
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373

//! Declarative allow/deny permission rules for tool calls.
//!
//! Rules are evaluated in order: deny list first, then allow list.
//! An empty allow list means "allow all not explicitly denied."

/// Glob-style pattern rules controlling which tool calls are permitted.
///
/// Pattern format:
/// - `"ToolName"` — matches any call to that tool (case-insensitive).
/// - `"ToolName(glob)"` — matches the tool name and applies a wildcard glob
///   against the concatenated string values in the tool's argument JSON.
///   Example: `"Bash(git *)"` matches any Bash call whose command starts with
///   `git `.
///
/// Evaluation order:
/// 1. If any `deny` pattern matches, the call is blocked.
/// 2. If `allow` is non-empty, the call must match at least one allow pattern.
/// 3. Otherwise the call proceeds.
#[derive(Debug, Clone, Default)]
pub struct PermissionRules {
    /// Patterns that are always blocked.
    pub allow: Vec<String>,
    /// Patterns that are explicitly permitted (all others blocked when non-empty).
    pub deny: Vec<String>,
}

/// Outcome of a permission check.
pub enum PermissionOutcome {
    /// The tool call may proceed.
    Allow,
    /// The tool call is blocked. Contains a human-readable reason.
    Deny(String),
}

impl PermissionRules {
    /// Check whether a tool call is permitted.
    ///
    /// `tool_name` is the name of the tool being called.
    /// `args` is the JSON object of arguments passed to the tool.
    pub fn check(&self, tool_name: &str, args: &serde_json::Value) -> PermissionOutcome {
        let args_str = extract_args_string(args);

        // Deny list evaluated first.
        for pattern in &self.deny {
            if pattern_matches(pattern, tool_name, &args_str) {
                return PermissionOutcome::Deny(format!("denied by rule: {pattern}"));
            }
        }

        // If allow list is non-empty, the call must match at least one entry.
        if !self.allow.is_empty() {
            let allowed = self
                .allow
                .iter()
                .any(|p| pattern_matches(p, tool_name, &args_str));
            if !allowed {
                return PermissionOutcome::Deny(format!("tool '{tool_name}' not in allow list"));
            }
        }

        PermissionOutcome::Allow
    }
}

/// Concatenate every string leaf in a JSON value into one space-separated
/// string. Walks recursively so nested arguments (e.g.
/// `{"options": {"command": "rm -rf /"}}` from MCP tools) are not invisible
/// to deny patterns.
///
/// The result is capped at [`MAX_ARGS_LEN`] bytes; longer inputs are
/// truncated. The cap doubles as a defence against the O(P × A) glob matcher
/// being passed a megabyte of operator-controlled text.
fn extract_args_string(args: &serde_json::Value) -> String {
    let mut out = String::new();
    flatten_strings(args, &mut out);
    if out.len() > MAX_ARGS_LEN {
        out.truncate(crate::utf8::floor_char_boundary(&out, MAX_ARGS_LEN));
    }
    out
}

/// Upper bound on the byte length of the concatenated args string used for
/// glob matching. 64 KiB is far above any legitimate tool call, and keeps
/// the DP matrix in [`glob_match`] from becoming a DoS vector.
const MAX_ARGS_LEN: usize = 64 * 1024;

fn flatten_strings(v: &serde_json::Value, out: &mut String) {
    if out.len() >= MAX_ARGS_LEN {
        return;
    }
    match v {
        serde_json::Value::String(s) => {
            if !out.is_empty() {
                out.push(' ');
            }
            out.push_str(s);
        }
        serde_json::Value::Array(arr) => {
            for item in arr {
                if out.len() >= MAX_ARGS_LEN {
                    break;
                }
                flatten_strings(item, out);
            }
        }
        serde_json::Value::Object(map) => {
            for value in map.values() {
                if out.len() >= MAX_ARGS_LEN {
                    break;
                }
                flatten_strings(value, out);
            }
        }
        _ => {}
    }
}

/// Returns true if `pattern` matches the given tool call.
///
/// Patterns with parentheses — e.g. `Bash(git *)` — match the tool name and
/// apply a wildcard glob to the args string. Patterns without parentheses
/// match on tool name alone (case-insensitive).
fn pattern_matches(pattern: &str, tool_name: &str, args_str: &str) -> bool {
    if let Some(paren_idx) = pattern.find('(') {
        if pattern.ends_with(')') {
            let pat_tool = &pattern[..paren_idx];
            let glob = &pattern[paren_idx + 1..pattern.len() - 1];
            if !pat_tool.eq_ignore_ascii_case(tool_name) {
                return false;
            }
            return glob_match(glob, args_str);
        }
    }
    // No parentheses: tool name match only.
    pattern.eq_ignore_ascii_case(tool_name)
}

/// Wildcard glob match where `*` matches any sequence of characters.
///
/// Matching is case-insensitive. `?` is not supported (not needed for the
/// current permission rule format).
fn glob_match(pattern: &str, text: &str) -> bool {
    let p: Vec<char> = pattern.chars().collect();
    let t: Vec<char> = text.chars().collect();
    let plen = p.len();
    let tlen = t.len();

    // dp[i][j] = pattern[0..i] matches text[0..j]
    let mut dp = vec![vec![false; tlen + 1]; plen + 1];
    dp[0][0] = true;

    // Leading stars match the empty string.
    for i in 1..=plen {
        if p[i - 1] == '*' {
            dp[i][0] = dp[i - 1][0];
        }
    }

    for i in 1..=plen {
        for j in 1..=tlen {
            if p[i - 1] == '*' {
                // Star: match zero chars (dp[i][j-1]) or one more char (dp[i-1][j]).
                dp[i][j] = dp[i][j - 1] || dp[i - 1][j];
            } else {
                dp[i][j] = dp[i - 1][j - 1] && p[i - 1].eq_ignore_ascii_case(&t[j - 1]);
            }
        }
    }

    dp[plen][tlen]
}

#[cfg(test)]
mod tests {
    use super::*;
    use serde_json::json;

    // --- glob_match ---

    #[test]
    fn test_glob_exact_match() {
        assert!(glob_match("git status", "git status"));
    }

    #[test]
    fn test_glob_star_prefix() {
        assert!(glob_match("git *", "git status"));
        assert!(glob_match("git *", "git commit -m \"fix\""));
        assert!(!glob_match("git *", "rm -rf /"));
    }

    #[test]
    fn test_glob_star_anywhere() {
        assert!(glob_match("*rm*", "sudo rm -rf /"));
        assert!(glob_match("*rm*", "rm -rf"));
        assert!(!glob_match("*rm*", "git status"));
    }

    #[test]
    fn test_glob_case_insensitive() {
        assert!(glob_match("GIT *", "git status"));
        assert!(glob_match("git *", "GIT STATUS"));
    }

    #[test]
    fn test_glob_empty_pattern_matches_empty_only() {
        assert!(glob_match("", ""));
        assert!(!glob_match("", "anything"));
    }

    #[test]
    fn test_glob_star_only_matches_anything() {
        assert!(glob_match("*", ""));
        assert!(glob_match("*", "anything at all"));
    }

    // --- pattern_matches ---

    #[test]
    fn test_pattern_tool_name_only() {
        assert!(pattern_matches("Bash", "bash", "some args"));
        assert!(pattern_matches("Write", "write", ""));
        assert!(!pattern_matches("Read", "write", ""));
    }

    #[test]
    fn test_pattern_with_glob() {
        assert!(pattern_matches("Bash(git *)", "bash", "git status"));
        assert!(!pattern_matches("Bash(git *)", "bash", "rm -rf /"));
        assert!(!pattern_matches("Bash(git *)", "read", "git status"));
    }

    // --- PermissionRules::check ---

    #[test]
    fn test_empty_rules_allows_everything() {
        let rules = PermissionRules::default();
        assert!(matches!(
            rules.check("bash", &json!({"command": "rm -rf /"})),
            PermissionOutcome::Allow
        ));
    }

    #[test]
    fn test_deny_by_tool_name() {
        let rules = PermissionRules {
            allow: vec![],
            deny: vec!["Write".to_string()],
        };
        assert!(matches!(
            rules.check("write", &json!({"path": "/etc/passwd"})),
            PermissionOutcome::Deny(_)
        ));
        assert!(matches!(
            rules.check("read", &json!({"path": "/etc/passwd"})),
            PermissionOutcome::Allow
        ));
    }

    #[test]
    fn test_deny_by_glob_pattern() {
        let rules = PermissionRules {
            allow: vec![],
            deny: vec!["Bash(rm *)".to_string()],
        };
        assert!(matches!(
            rules.check("bash", &json!({"command": "rm -rf /"})),
            PermissionOutcome::Deny(_)
        ));
        assert!(matches!(
            rules.check("bash", &json!({"command": "git status"})),
            PermissionOutcome::Allow
        ));
    }

    #[test]
    fn test_allow_list_restricts_unlisted_tools() {
        let rules = PermissionRules {
            allow: vec!["Read".to_string(), "Bash(git *)".to_string()],
            deny: vec![],
        };
        assert!(matches!(
            rules.check("read", &json!({"path": "src/lib.rs"})),
            PermissionOutcome::Allow
        ));
        assert!(matches!(
            rules.check("bash", &json!({"command": "git log"})),
            PermissionOutcome::Allow
        ));
        // Write is not in the allow list.
        assert!(matches!(
            rules.check("write", &json!({"path": "out.txt"})),
            PermissionOutcome::Deny(_)
        ));
        // Bash with non-git command is not in the allow list.
        assert!(matches!(
            rules.check("bash", &json!({"command": "curl https://example.com"})),
            PermissionOutcome::Deny(_)
        ));
    }

    #[test]
    fn test_deny_takes_precedence_over_allow() {
        let rules = PermissionRules {
            allow: vec!["Bash".to_string()],
            deny: vec!["Bash(rm *)".to_string()],
        };
        // Bash is allowed, but rm is denied — deny wins.
        assert!(matches!(
            rules.check("bash", &json!({"command": "rm file.txt"})),
            PermissionOutcome::Deny(_)
        ));
        // Other bash commands still pass.
        assert!(matches!(
            rules.check("bash", &json!({"command": "echo hello"})),
            PermissionOutcome::Allow
        ));
    }

    #[test]
    fn test_deny_matches_nested_object_arg() {
        // MCP tools routinely wrap params under a key. The deny rule should
        // still see the inner string. Pre-fix, this test would have passed
        // because the matcher never looked inside `options`.
        let rules = PermissionRules {
            allow: vec![],
            deny: vec!["Bash(*rm -rf*)".to_string()],
        };
        let nested = json!({
            "options": { "command": "rm -rf /" }
        });
        assert!(matches!(
            rules.check("bash", &nested),
            PermissionOutcome::Deny(_)
        ));
    }

    #[test]
    fn test_deny_matches_array_arg() {
        let rules = PermissionRules {
            allow: vec![],
            deny: vec!["Bash(*sudo*)".to_string()],
        };
        let arr = json!({ "argv": ["bash", "-c", "sudo poweroff"] });
        assert!(matches!(
            rules.check("bash", &arr),
            PermissionOutcome::Deny(_)
        ));
    }

    #[test]
    fn test_extract_args_string_caps_at_max() {
        let huge = "x".repeat(80 * 1024);
        let v = json!({ "command": huge });
        let s = extract_args_string(&v);
        assert!(s.len() <= MAX_ARGS_LEN);
    }

    #[test]
    fn test_deny_reason_contains_pattern() {
        let rules = PermissionRules {
            allow: vec![],
            deny: vec!["Bash(sudo *)".to_string()],
        };
        if let PermissionOutcome::Deny(reason) =
            rules.check("bash", &json!({"command": "sudo apt-get install vim"}))
        {
            assert!(reason.contains("Bash(sudo *)"));
        } else {
            panic!("expected Deny");
        }
    }
}