onetool 0.0.1-alpha.9

Sandboxed Lua REPL for LLM tool use
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

/// An action that requires policy approval before execution.
#[derive(Debug, Clone)]
pub enum Action {
    /// Calling a wrapped unsafe function (e.g., `os.execute`, `io.open`)
    CallFunction {
        /// Qualified function name (e.g., `"os.execute"`, `"io.open"`)
        name: String,
        /// Arguments passed to the function
        args: mlua::MultiValue,
    },
}

/// Decision result from an access policy check
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Decision {
    /// Access is granted
    Allow,
    /// Access is denied with a reason
    Deny(String),
}

/// Policy controls access to dangerous/restricted APIs
///
/// Implementations of this trait determine whether specific actions
/// should be allowed in the sandboxed environment.
pub trait Policy: Send + Sync {
    /// Check if an action should be allowed
    ///
    /// # Arguments
    /// * `action` - The action being requested
    ///
    /// # Returns
    /// [`Decision::Allow`] if the action should be permitted,
    /// [`Decision::Deny`] with a reason otherwise
    fn check_access(&self, action: &Action) -> Decision;
}

/// Strict policy that denies all access requests
///
/// This is the default policy that blocks all attempts to call unsafe
/// functions or perform restricted operations.
pub struct DenyAllPolicy;

impl Policy for DenyAllPolicy {
    fn check_access(&self, _: &Action) -> Decision {
        Decision::Deny("Access denied by strict policy".to_string())
    }
}

/// Permissive policy that allows **Unsafe** functions to execute
///
/// This policy grants access to policy-controlled **Unsafe** functions (like `os.execute`,
/// `io.open`, etc.), while **Forbidden** functions (like `debug`, `coroutine`, `package`)
/// remain completely blocked (set to nil).
///
/// # Function Categories
/// - **Safe** functions: Always available (no policy check needed)
/// - **Unsafe** functions: Allowed by this policy (normally require approval)
/// - **Forbidden** functions: Still blocked (removed from environment)
///
/// # Security Implications
/// **WARNING**: This policy bypasses access control for Unsafe functions and should
/// only be used in trusted environments:
/// - During development and testing
/// - In completely trusted environments
/// - When you need filesystem/process access but still want Forbidden APIs blocked
///
/// # Example
/// ```ignore
/// use onetool::runtime::sandbox;
/// use onetool::runtime::sandbox::policy::DangerousAllowAllPolicy;
///
/// let lua = mlua::Lua::new();
/// sandbox::apply_with_policy(&lua, DangerousAllowAllPolicy)?;
///
/// // Unsafe functions now work
/// lua.load("os.execute('echo hello')").exec()?;  // ✓ Allowed
///
/// // Forbidden functions are still blocked
/// let result: mlua::Value = lua.load("return debug").eval()?;
/// assert!(matches!(result, mlua::Value::Nil));  // ✓ Still nil
/// ```
pub struct DangerousAllowAllPolicy;

impl Policy for DangerousAllowAllPolicy {
    fn check_access(&self, _: &Action) -> Decision {
        Decision::Allow
    }
}