pe-core 0.1.0

Core types for Potential Expectations — messages, channels, state, traits
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290

//! Agent boundary types — library primitives, user policies.
//!
//! Six typed boundary mechanisms that control what an agent can do.
//! All default to fully open. Opt-in, not opt-out.
//! Enforced by the runtime automatically — nodes don't check manually.

use serde::{Deserialize, Serialize};
use std::collections::{HashMap, HashSet};

use crate::agent::AgentId;

// ── Permissions ───────────────────────────────────────────────────────

/// What actions are allowed/denied.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct PermissionSet {
    pub allowed: HashSet<Permission>,
    pub denied: HashSet<Permission>,
    pub default_policy: DefaultPolicy,
}

#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[non_exhaustive]
pub enum Permission {
    VaultRead,
    VaultWrite,
    VaultDelete,
    FileRead,
    FileWrite,
    FileDelete,
    ShellExec,
    NetworkAccess,
    MemoryRead,
    MemoryWrite,
    TaskCreate,
    TaskModify,
    CollectiveRead,
    CollectiveWrite,
    Custom(String),
}

#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub enum DefaultPolicy {
    #[default]
    AllowUnlessExplicitlyDenied,
    DenyUnlessExplicitlyAllowed,
}

impl PermissionSet {
    pub fn fully_open() -> Self {
        Self {
            allowed: HashSet::new(),
            denied: HashSet::new(),
            default_policy: DefaultPolicy::AllowUnlessExplicitlyDenied,
        }
    }

    pub fn fully_locked() -> Self {
        Self {
            allowed: HashSet::new(),
            denied: HashSet::new(),
            default_policy: DefaultPolicy::DenyUnlessExplicitlyAllowed,
        }
    }

    pub fn is_allowed(&self, permission: &Permission) -> bool {
        if self.denied.contains(permission) {
            return false;
        }
        if self.allowed.contains(permission) {
            return true;
        }
        matches!(
            self.default_policy,
            DefaultPolicy::AllowUnlessExplicitlyDenied
        )
    }
}

impl Default for PermissionSet {
    fn default() -> Self {
        Self::fully_open()
    }
}

// ── Tool Policy ───────────────────────────────────────────────────────

/// Which tools, with what limits.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ToolPolicy {
    pub rules: HashMap<String, ToolConstraint>,
    pub default: ToolDefaultPolicy,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[non_exhaustive]
pub enum ToolConstraint {
    Allowed {
        max_calls_per_turn: Option<u32>,
        max_calls_per_session: Option<u32>,
    },
    Denied,
    RequiresApproval,
}

#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub enum ToolDefaultPolicy {
    #[default]
    AllowAll,
    DenyUnlisted,
}

impl ToolPolicy {
    pub fn open() -> Self {
        Self {
            rules: HashMap::new(),
            default: ToolDefaultPolicy::AllowAll,
        }
    }

    /// Whether a tool is executable without any further approval step.
    pub fn allows_without_approval(&self, tool_name: &str) -> bool {
        match self.rules.get(tool_name) {
            Some(ToolConstraint::Denied) => false,
            Some(ToolConstraint::Allowed { .. }) => true,
            Some(ToolConstraint::RequiresApproval) => false,
            None => matches!(self.default, ToolDefaultPolicy::AllowAll),
        }
    }

    /// Whether this tool requires an explicit approval step before execution.
    pub fn requires_approval(&self, tool_name: &str) -> bool {
        matches!(
            self.rules.get(tool_name),
            Some(ToolConstraint::RequiresApproval)
        )
    }

    /// Access the configured rule for a specific tool, if one exists.
    pub fn constraint(&self, tool_name: &str) -> Option<&ToolConstraint> {
        self.rules.get(tool_name)
    }

    /// Backward-compatible helper retained for existing callers.
    pub fn is_tool_allowed(&self, tool_name: &str) -> bool {
        self.allows_without_approval(tool_name)
    }
}

impl Default for ToolPolicy {
    fn default() -> Self {
        Self::open()
    }
}

// ── Communication Rules ───────────────────────────────────────────────

/// Who can this agent reach.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CommunicationRules {
    pub can_delegate_to: Option<HashSet<AgentId>>,
    pub can_query: Option<HashSet<AgentId>>,
    pub cannot_contact: HashSet<AgentId>,
    pub default: CommunicationDefault,
}

#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub enum CommunicationDefault {
    #[default]
    AllowAll,
    DelegateOnly,
    DenyAll,
}

impl CommunicationRules {
    pub fn open() -> Self {
        Self {
            can_delegate_to: None,
            can_query: None,
            cannot_contact: HashSet::new(),
            default: CommunicationDefault::AllowAll,
        }
    }

    pub fn can_reach(&self, target: &AgentId) -> bool {
        if self.cannot_contact.contains(target) {
            return false;
        }
        match &self.can_delegate_to {
            Some(allowed) => allowed.contains(target),
            None => !matches!(self.default, CommunicationDefault::DenyAll),
        }
    }

    /// Check whether this agent can query the target agent.
    pub fn can_query(&self, target: &AgentId) -> bool {
        if self.cannot_contact.contains(target) {
            return false;
        }
        match &self.can_query {
            Some(allowed) => allowed.contains(target),
            None => !matches!(self.default, CommunicationDefault::DenyAll),
        }
    }
}

impl Default for CommunicationRules {
    fn default() -> Self {
        Self::open()
    }
}

// ── Context Budget ────────────────────────────────────────────────────

/// Token budgets per context layer.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ContextBudget {
    pub self_context_tokens: u32,
    pub collective_tokens: u32,
    pub task_context_tokens: u32,
    pub execution_awareness_tokens: u32,
    pub handoff_context_tokens: u32,
    pub overflow_policy: OverflowPolicy,
}

#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub enum OverflowPolicy {
    Compress,
    Truncate,
    #[default]
    Warn,
}

impl Default for ContextBudget {
    fn default() -> Self {
        Self {
            self_context_tokens: 4096,
            collective_tokens: 2048,
            task_context_tokens: 1024,
            execution_awareness_tokens: 512,
            handoff_context_tokens: 512,
            overflow_policy: OverflowPolicy::Warn,
        }
    }
}

// ── Write Governance ──────────────────────────────────────────────────

/// What can be persisted, where.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct WriteGovernance {
    pub own_memory: WriteAccess,
    pub collective: WriteAccess,
    pub vault: WriteAccess,
    pub task_store: WriteAccess,
}

#[derive(Debug, Clone, Default, Serialize, Deserialize)]
#[non_exhaustive]
pub enum WriteAccess {
    #[default]
    Free,
    RequiresGrant,
    ReadOnly,
    Attributed,
}

impl Default for WriteGovernance {
    fn default() -> Self {
        Self {
            own_memory: WriteAccess::Free,
            collective: WriteAccess::Free,
            vault: WriteAccess::Free,
            task_store: WriteAccess::Free,
        }
    }
}

// ── Guardrails ────────────────────────────────────────────────────────

/// Output constraints enforced after execution.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[non_exhaustive]
pub enum Guardrail {
    MaxOutputTokens(u32),
    MustCiteSources,
    NoCodeExecution,
    MaxToolCallsPerTurn(u32),
    Custom { name: String, description: String },
}