mixtape-tools 0.4.0

Ready-to-use tool implementations for the mixtape agent framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485

//! Filesystem tools with path traversal protection.
//!
//! All tools in this module operate within a configured `base_path` directory,
//! preventing access to files outside this boundary. This security model protects
//! against directory traversal attacks where malicious input like `../../../etc/passwd`
//! attempts to escape the intended directory.
//!
//! # Security Model
//!
//! Every file operation validates paths using [`validate_path`] before execution:
//!
//! - Paths are resolved relative to `base_path` (or used directly if absolute)
//! - The resolved path is canonicalized to eliminate `..`, `.`, and symlinks
//! - The canonical path must start with the canonical `base_path`
//! - For non-existent paths, the nearest existing ancestor is validated instead
//!
//! This means symlinks that point outside `base_path` are rejected, and crafted
//! paths like `subdir/../../../etc/passwd` are caught after canonicalization.
//!
//! # Defense in Depth
//!
//! Path validation provides **guardrails for AI agents**, not a complete security
//! boundary. Error messages intentionally include path details to help agents
//! understand and correct invalid requests.
//!
//! For production deployments with untrusted input, use defense in depth:
//!
//! - **Docker isolation**: Run tools in containers with only necessary directories mounted
//! - **OS-level permissions**: Use a dedicated user with minimal filesystem access
//! - **Network isolation**: Restrict container network access where possible
//!
//! These tools are one layer in a security stack, not a standalone sandbox.
//!
//! # Available Tools
//!
//! | Tool | Description |
//! |------|-------------|
//! | [`ReadFileTool`] | Read file contents with optional offset/limit |
//! | [`ReadMultipleFilesTool`] | Read multiple files concurrently |
//! | [`WriteFileTool`] | Write or append to files |
//! | [`CreateDirectoryTool`] | Create directories (including parents) |
//! | [`ListDirectoryTool`] | List directory contents recursively |
//! | [`MoveFileTool`] | Move or rename files and directories |
//! | [`FileInfoTool`] | Get file metadata (size, timestamps, type) |
//!
//! # Building Custom Tools
//!
//! Use [`validate_path`] when building your own filesystem tools:
//!
//! ```
//! use mixtape_tools::filesystem::validate_path;
//! use std::path::Path;
//!
//! let base = Path::new("/app/data");
//! let user_input = Path::new("../etc/passwd");
//!
//! // This will return an error because the path escapes base
//! assert!(validate_path(base, user_input).is_err());
//! ```

mod create_directory;
mod file_info;
mod list_directory;
mod move_file;
mod read_file;
mod read_multiple_files;
mod write_file;

pub use create_directory::CreateDirectoryTool;
pub use file_info::FileInfoTool;
pub use list_directory::ListDirectoryTool;
pub use move_file::MoveFileTool;
pub use read_file::ReadFileTool;
pub use read_multiple_files::ReadMultipleFilesTool;
pub use write_file::WriteFileTool;

use mixtape_core::tool::{box_tool, DynTool};
use mixtape_core::ToolError;
use std::path::{Path, PathBuf};

/// Validates that a path is within the base directory, preventing directory traversal attacks.
///
/// This function is the security foundation for all filesystem tools. It ensures that
/// user-provided paths cannot escape the configured base directory, even when using
/// tricks like `..` components, absolute paths, or symlinks.
///
/// # Arguments
///
/// * `base_path` - The root directory that all paths must stay within
/// * `target_path` - The user-provided path to validate (relative or absolute)
///
/// # Returns
///
/// * `Ok(PathBuf)` - The validated path, canonicalized if the file exists
/// * `Err(ToolError::PathValidation)` - If the path escapes the base directory
///
/// # Security Properties
///
/// - **Symlink resolution**: Symlinks are resolved via canonicalization, so a symlink
///   pointing outside `base_path` will be rejected
/// - **Parent traversal**: Paths like `foo/../../../etc` are caught after canonicalization
/// - **Absolute paths**: Absolute paths outside `base_path` are rejected
/// - **Non-existent paths**: For paths that don't exist yet (e.g., for write operations),
///   the nearest existing ancestor is validated instead
///
/// # Example
///
/// ```
/// use mixtape_tools::filesystem::validate_path;
/// use std::path::Path;
///
/// let base = Path::new("/home/user/documents");
///
/// // Relative path within base - OK
/// let result = validate_path(base, Path::new("report.txt"));
/// // Returns Ok with resolved path
///
/// // Traversal attempt - REJECTED
/// let result = validate_path(base, Path::new("../../../etc/passwd"));
/// assert!(result.is_err());
///
/// // Absolute path outside base - REJECTED
/// let result = validate_path(base, Path::new("/etc/passwd"));
/// assert!(result.is_err());
/// ```
pub fn validate_path(base_path: &Path, target_path: &Path) -> Result<PathBuf, ToolError> {
    let full_path = if target_path.is_absolute() {
        target_path.to_path_buf()
    } else {
        base_path.join(target_path)
    };

    // Try to canonicalize if the file exists
    if full_path.exists() {
        let canonical = full_path.canonicalize().map_err(|e| {
            ToolError::PathValidation(format!(
                "Failed to canonicalize '{}': {}",
                full_path.display(),
                e
            ))
        })?;

        // Canonicalize base path for comparison
        let canonical_base = base_path.canonicalize().map_err(|e| {
            ToolError::PathValidation(format!(
                "Failed to canonicalize base path '{}': {}",
                base_path.display(),
                e
            ))
        })?;

        if !canonical.starts_with(&canonical_base) {
            return Err(ToolError::PathValidation(format!(
                "Path '{}' escapes base directory '{}' (resolved to '{}')",
                target_path.display(),
                canonical_base.display(),
                canonical.display()
            )));
        }

        Ok(canonical)
    } else {
        // For non-existent paths, verify the parent is within base
        let mut check_path = full_path.clone();

        // Find the first existing ancestor
        while !check_path.exists() {
            match check_path.parent() {
                Some(parent) => check_path = parent.to_path_buf(),
                None => {
                    return Err(ToolError::PathValidation(format!(
                        "Invalid path '{}': no valid parent directory exists",
                        target_path.display()
                    )))
                }
            }
        }

        // Canonicalize the existing ancestor and verify it's within base
        let canonical_ancestor = check_path.canonicalize().map_err(|e| {
            ToolError::PathValidation(format!(
                "Failed to canonicalize ancestor '{}': {}",
                check_path.display(),
                e
            ))
        })?;

        let canonical_base = base_path.canonicalize().map_err(|e| {
            ToolError::PathValidation(format!(
                "Failed to canonicalize base path '{}': {}",
                base_path.display(),
                e
            ))
        })?;

        if !canonical_ancestor.starts_with(&canonical_base) {
            return Err(ToolError::PathValidation(format!(
                "Path '{}' escapes base directory '{}' (nearest ancestor '{}' is outside)",
                target_path.display(),
                canonical_base.display(),
                canonical_ancestor.display()
            )));
        }

        Ok(full_path)
    }
}

/// Returns all read-only filesystem tools
///
/// These tools can read and inspect files but cannot modify the filesystem.
pub fn read_only_tools() -> Vec<Box<dyn DynTool>> {
    vec![
        box_tool(ReadFileTool::default()),
        box_tool(ReadMultipleFilesTool::default()),
        box_tool(ListDirectoryTool::default()),
        box_tool(FileInfoTool::default()),
    ]
}

/// Returns all mutative filesystem tools
///
/// These tools can modify the filesystem by writing, creating, or moving files.
pub fn mutative_tools() -> Vec<Box<dyn DynTool>> {
    vec![
        box_tool(WriteFileTool::default()),
        box_tool(CreateDirectoryTool::default()),
        box_tool(MoveFileTool::default()),
    ]
}

/// Returns all filesystem tools
pub fn all_tools() -> Vec<Box<dyn DynTool>> {
    let mut tools = read_only_tools();
    tools.extend(mutative_tools());
    tools
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::fs;
    use tempfile::TempDir;

    #[test]
    fn test_validate_path_accepts_relative_path_to_existing_file() {
        let temp_dir = TempDir::new().unwrap();
        fs::write(temp_dir.path().join("test.txt"), "content").unwrap();

        let result = validate_path(temp_dir.path(), Path::new("test.txt"));
        assert!(result.is_ok());
        let path = result.unwrap();
        assert!(path.ends_with("test.txt"));
    }

    #[test]
    fn test_validate_path_accepts_relative_path_to_nonexistent_file() {
        let temp_dir = TempDir::new().unwrap();

        let result = validate_path(temp_dir.path(), Path::new("new_file.txt"));
        assert!(result.is_ok());
        let path = result.unwrap();
        assert!(path.ends_with("new_file.txt"));
    }

    #[test]
    fn test_validate_path_accepts_nested_nonexistent_path() {
        let temp_dir = TempDir::new().unwrap();
        fs::create_dir(temp_dir.path().join("subdir")).unwrap();

        let result = validate_path(temp_dir.path(), Path::new("subdir/new_file.txt"));
        assert!(result.is_ok());
    }

    #[test]
    fn test_validate_path_rejects_traversal_existing_file() {
        let temp_dir = TempDir::new().unwrap();
        let sibling_dir = TempDir::new().unwrap();
        fs::write(sibling_dir.path().join("secret.txt"), "secret").unwrap();

        // Try to escape via ..
        let evil_path = format!(
            "../{}/secret.txt",
            sibling_dir.path().file_name().unwrap().to_str().unwrap()
        );
        let result = validate_path(temp_dir.path(), Path::new(&evil_path));

        assert!(result.is_err());
        let err = result.unwrap_err();
        assert!(
            err.to_string().contains("escapes") || err.to_string().contains("Invalid"),
            "Error should mention path escape: {}",
            err
        );
    }

    #[test]
    fn test_validate_path_rejects_absolute_path_outside_base() {
        let temp_dir = TempDir::new().unwrap();
        let other_dir = TempDir::new().unwrap();
        fs::write(other_dir.path().join("file.txt"), "content").unwrap();

        let result = validate_path(temp_dir.path(), other_dir.path().join("file.txt").as_path());

        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("escapes"));
    }

    #[test]
    fn test_validate_path_accepts_absolute_path_inside_base() {
        let temp_dir = TempDir::new().unwrap();
        fs::write(temp_dir.path().join("file.txt"), "content").unwrap();

        let absolute_path = temp_dir.path().join("file.txt");
        let result = validate_path(temp_dir.path(), &absolute_path);

        assert!(result.is_ok());
    }

    #[test]
    fn test_validate_path_rejects_nonexistent_with_traversal() {
        let temp_dir = TempDir::new().unwrap();

        // Path doesn't exist but tries to escape
        let result = validate_path(temp_dir.path(), Path::new("../../../etc/shadow"));

        assert!(result.is_err());
    }

    #[test]
    fn test_validate_path_handles_symlink_inside_base() {
        let temp_dir = TempDir::new().unwrap();
        let real_file = temp_dir.path().join("real.txt");
        let symlink = temp_dir.path().join("link.txt");

        fs::write(&real_file, "content").unwrap();

        #[cfg(unix)]
        {
            std::os::unix::fs::symlink(&real_file, &symlink).unwrap();

            let result = validate_path(temp_dir.path(), Path::new("link.txt"));
            assert!(result.is_ok(), "Symlink within base should be allowed");
        }
    }

    #[test]
    fn test_validate_path_rejects_symlink_escaping_base() {
        let temp_dir = TempDir::new().unwrap();
        let outside_dir = TempDir::new().unwrap();
        let outside_file = outside_dir.path().join("secret.txt");
        fs::write(&outside_file, "secret").unwrap();

        let symlink = temp_dir.path().join("escape_link.txt");

        #[cfg(unix)]
        {
            std::os::unix::fs::symlink(&outside_file, &symlink).unwrap();

            let result = validate_path(temp_dir.path(), Path::new("escape_link.txt"));
            // After canonicalization, the symlink resolves outside base
            assert!(result.is_err(), "Symlink escaping base should be rejected");
        }
    }

    #[test]
    fn test_validate_path_deep_nesting() {
        let temp_dir = TempDir::new().unwrap();
        fs::create_dir_all(temp_dir.path().join("a/b/c/d/e")).unwrap();
        fs::write(temp_dir.path().join("a/b/c/d/e/deep.txt"), "deep").unwrap();

        let result = validate_path(temp_dir.path(), Path::new("a/b/c/d/e/deep.txt"));
        assert!(result.is_ok());
    }

    #[test]
    fn test_validate_path_dot_components() {
        let temp_dir = TempDir::new().unwrap();
        fs::create_dir(temp_dir.path().join("subdir")).unwrap();
        fs::write(temp_dir.path().join("subdir/file.txt"), "content").unwrap();

        // Path with . component
        let result = validate_path(temp_dir.path(), Path::new("./subdir/./file.txt"));
        assert!(result.is_ok());
    }

    #[test]
    fn test_validate_path_nonexistent_with_ancestor_escaping_base() {
        // This tests the branch at lines 71-75: when a non-existent path's
        // existing ancestor is outside the base directory
        let base_dir = TempDir::new().unwrap();
        let outside_dir = TempDir::new().unwrap();

        // Create a subdirectory outside base that will be our existing ancestor
        fs::create_dir(outside_dir.path().join("existing_subdir")).unwrap();

        // Try to access a non-existent file inside outside_dir using an absolute path
        // The file doesn't exist, but its ancestor (outside_dir/existing_subdir) does
        // and is outside base_dir
        let nonexistent_file = outside_dir.path().join("existing_subdir/new_file.txt");

        let result = validate_path(base_dir.path(), &nonexistent_file);

        assert!(
            result.is_err(),
            "Non-existent path with ancestor outside base should be rejected"
        );
        assert!(
            result.unwrap_err().to_string().contains("escapes"),
            "Error should mention path escape"
        );
    }

    #[test]
    fn test_validate_path_deeply_nested_nonexistent() {
        // Test deeply nested non-existent path where we walk up multiple levels
        let temp_dir = TempDir::new().unwrap();

        // Only the base exists, but we're trying to access deeply nested non-existent path
        let result = validate_path(temp_dir.path(), Path::new("a/b/c/d/e/f/g/new_file.txt"));

        // Should succeed because ancestor (temp_dir) is within base
        assert!(result.is_ok());
        let path = result.unwrap();
        assert!(path.ends_with("a/b/c/d/e/f/g/new_file.txt"));
    }

    #[test]
    fn test_validate_path_nonexistent_relative_traversal_to_outside() {
        // Test traversal that ends up with existing ancestor outside base
        let base_dir = TempDir::new().unwrap();
        let sibling_dir = TempDir::new().unwrap();

        // Create a subdir in sibling so it's the ancestor found
        fs::create_dir(sibling_dir.path().join("subdir")).unwrap();

        // Try: ../sibling_temp_name/subdir/nonexistent.txt
        // The existing ancestor will be sibling_dir/subdir which is outside base
        let evil_path = format!(
            "../{}/subdir/nonexistent.txt",
            sibling_dir.path().file_name().unwrap().to_str().unwrap()
        );

        let result = validate_path(base_dir.path(), Path::new(&evil_path));

        assert!(
            result.is_err(),
            "Traversal to outside ancestor should be rejected"
        );
    }

    #[test]
    fn test_validate_path_error_includes_path_details() {
        // Verify error messages include actionable details for debugging
        let temp_dir = TempDir::new().unwrap();
        let other_dir = TempDir::new().unwrap();
        fs::write(other_dir.path().join("file.txt"), "content").unwrap();

        let result = validate_path(temp_dir.path(), other_dir.path().join("file.txt").as_path());

        let err = result.unwrap_err();
        let err_msg = err.to_string();

        // Error should mention the attempted path
        assert!(
            err_msg.contains("file.txt"),
            "Error should include the target path: {}",
            err_msg
        );

        // Error should mention escaping
        assert!(
            err_msg.contains("escapes"),
            "Error should mention 'escapes': {}",
            err_msg
        );

        // Error should include "resolved to" showing the canonical path
        assert!(
            err_msg.contains("resolved to"),
            "Error should show resolved path: {}",
            err_msg
        );
    }
}