//! Security capability enforcement demo.
//!
//! Run: `cargo run -p oxi-sdk --example security`
//!
//! No API key required — this example demonstrates the security module only.

use std::sync::Arc;

use oxi_sdk::prelude::*;
use oxi_sdk::StringPattern;

fn main() {
    // One shared audit sink, handed to the authorizer so both ends can read it later.
    let audit = Arc::new(AuditLog::new(64));
    let authorizer = Arc::new(Authorizer::new(Arc::clone(&audit)));

    // Roles: a coding role and a read-only role, both scoped to /workspace.
    authorizer.define_role("coder", CapabilitySet::coding("/workspace"));
    authorizer.define_role("reader", CapabilitySet::read_only("/workspace"));

    // A direct, role-less grant of the full capability set to the "admin" subject.
    authorizer.grant(CapabilitySubject::Agent("admin".into()), CapabilitySet::all());

    // Attach the roles to the agents exercised below.
    authorizer.bind_role("dev-agent", "coder");
    authorizer.bind_role("research-agent", "reader");

    // Prints one "<label>: <decision>" line per authorization check.
    let show = |label: &str, subject: &CapabilitySubject, capability: &Capability| {
        println!("{}: {}", label, authorizer.check(subject, capability));
    };

    let coder = CapabilitySubject::Agent("dev-agent".into());
    let reader = CapabilitySubject::Agent("research-agent".into());
    let admin = CapabilitySubject::Agent("admin".into());

    // ── Coder: read and write inside the scoped root, then a write outside it ──
    let inside = "/workspace/src/main.rs";
    show(
        "Coder can read workspace",
        &coder,
        &Capability::FileRead { path_pattern: inside.into() },
    );
    show(
        "Coder can write workspace",
        &coder,
        &Capability::FileWrite { path_pattern: inside.into() },
    );
    // A path outside /workspace — the case a root-scoped coding role is meant to refuse
    // (the printed decision is what the authorizer actually returns; not asserted here).
    show(
        "Coder can write /etc",
        &coder,
        &Capability::FileWrite { path_pattern: "/etc/passwd".into() },
    );

    // ── Reader: read is in scope; write is exercised against a read-only set ──
    let file = "/workspace/file";
    show(
        "Reader can read",
        &reader,
        &Capability::FileRead { path_pattern: file.into() },
    );
    show(
        "Reader can write",
        &reader,
        &Capability::FileWrite { path_pattern: file.into() },
    );

    // ── Admin: the unrestricted grant, exercised with a wildcard bash capability ──
    show(
        "Admin can run bash",
        &admin,
        &Capability::Bash {
            allowed_commands: vec![StringPattern::Wildcard],
            timeout_secs: None,
        },
    );

    // ── Audit log: print the sink's size and a short sample of its entries ──
    let entries = audit.entries();
    println!("\nAudit entries: {}", entries.len());
    for entry in entries.iter().take(3) {
        println!("  {:?}", entry);
    }
}