oxi-sdk 0.26.1

oxi AI agent SDK — build isolated, multi-agent AI systems
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104

//! Execution policy configuration for command allowlisting.
//!
//! Defines which binaries agents can execute and how arguments are validated.

use serde::{Deserialize, Serialize};
use std::collections::HashSet;

/// How the execution allowlist is enforced.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
#[serde(rename_all = "snake_case")]
pub enum AllowlistMode {
    /// All binaries allowed (default for development).
    #[default]
    Permissive,
    /// Only explicitly listed binaries allowed.
    Enforced,
}

/// Execution policy — controls which binaries agents can run.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ExecPolicy {
    /// Allowlist enforcement mode.
    #[serde(default)]
    pub allowlist_mode: AllowlistMode,
    /// Explicitly allowed binary names.
    #[serde(default)]
    pub allowed_commands: HashSet<String>,
    /// Default safe commands always allowed.
    #[serde(default)]
    pub default_safe_commands: HashSet<String>,
}

impl ExecPolicy {
    /// Create a permissive policy (all allowed).
    pub fn permissive() -> Self {
        Self {
            allowlist_mode: AllowlistMode::Permissive,
            allowed_commands: HashSet::new(),
            default_safe_commands: Self::safe_defaults(),
        }
    }

    /// Create an enforced policy with only the given commands.
    pub fn enforced(commands: Vec<&str>) -> Self {
        Self {
            allowlist_mode: AllowlistMode::Enforced,
            allowed_commands: commands.into_iter().map(String::from).collect(),
            default_safe_commands: Self::safe_defaults(),
        }
    }

    /// Check if a binary is allowed.
    pub fn is_binary_allowed(&self, binary: &str) -> bool {
        match self.allowlist_mode {
            AllowlistMode::Permissive => true,
            AllowlistMode::Enforced => {
                self.allowed_commands.contains(binary)
                    || self.default_safe_commands.contains(binary)
            }
        }
    }

    fn safe_defaults() -> HashSet<String> {
        ["git", "grep", "find", "cat", "ls", "head", "tail", "wc", "sort", "uniq"]
            .iter()
            .map(|s| s.to_string())
            .collect()
    }
}

impl Default for ExecPolicy {
    fn default() -> Self {
        Self::permissive()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn permissive_allows_all() {
        let policy = ExecPolicy::permissive();
        assert!(policy.is_binary_allowed("rm"));
        assert!(policy.is_binary_allowed("anything"));
    }

    #[test]
    fn enforced_allows_listed() {
        let policy = ExecPolicy::enforced(vec!["echo", "git"]);
        assert!(policy.is_binary_allowed("echo"));
        assert!(policy.is_binary_allowed("git"));
        assert!(!policy.is_binary_allowed("rm"));
    }

    #[test]
    fn enforced_safe_defaults() {
        let policy = ExecPolicy::enforced(vec![]);
        // Safe defaults should always be allowed
        assert!(policy.is_binary_allowed("git"));
        assert!(policy.is_binary_allowed("grep"));
        assert!(policy.is_binary_allowed("cat"));
    }
}