rs-adk 0.5.0

Agent runtime for Gemini Live — tools, streaming, agent transfer, middleware
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203

//! Bash execution tool — allows agents to execute shell commands.
//!
//! Mirrors ADK-Python's `ExecuteBashTool`. Provides policy-based
//! command validation and requires user confirmation before execution.

use std::path::PathBuf;
use std::process::Stdio;

use async_trait::async_trait;

use crate::error::ToolError;
use crate::tool::ToolFunction;

/// Policy for allowed bash commands based on prefix matching.
#[derive(Debug, Clone)]
pub struct BashToolPolicy {
    /// Allowed command prefixes. Use `["*"]` to allow all commands.
    pub allowed_command_prefixes: Vec<String>,
}

impl Default for BashToolPolicy {
    fn default() -> Self {
        Self {
            allowed_command_prefixes: vec!["*".into()],
        }
    }
}

impl BashToolPolicy {
    /// Check whether a command is allowed by this policy.
    pub fn validate(&self, command: &str) -> Result<(), String> {
        let stripped = command.trim();
        if stripped.is_empty() {
            return Err("Command is required.".into());
        }

        if self.allowed_command_prefixes.iter().any(|p| p == "*") {
            return Ok(());
        }

        for prefix in &self.allowed_command_prefixes {
            if stripped.starts_with(prefix.as_str()) {
                return Ok(());
            }
        }

        Err(format!(
            "Command blocked. Permitted prefixes are: {}",
            self.allowed_command_prefixes.join(", ")
        ))
    }
}

/// Tool that executes bash commands with policy-based validation.
///
/// Commands are validated against the configured policy before execution.
/// In a real deployment, this tool should also require user confirmation
/// via the tool confirmation mechanism.
#[derive(Debug, Clone)]
pub struct ExecuteBashTool {
    /// Working directory for command execution.
    workspace: PathBuf,
    /// Command validation policy.
    policy: BashToolPolicy,
    /// Command execution timeout in seconds.
    timeout_secs: u64,
}

impl ExecuteBashTool {
    /// Create a new bash execution tool with the given workspace directory.
    pub fn new(workspace: PathBuf) -> Self {
        Self {
            workspace,
            policy: BashToolPolicy::default(),
            timeout_secs: 30,
        }
    }

    /// Set the command validation policy.
    pub fn with_policy(mut self, policy: BashToolPolicy) -> Self {
        self.policy = policy;
        self
    }

    /// Set the execution timeout in seconds.
    pub fn with_timeout(mut self, timeout_secs: u64) -> Self {
        self.timeout_secs = timeout_secs;
        self
    }
}

#[async_trait]
impl ToolFunction for ExecuteBashTool {
    fn name(&self) -> &str {
        "execute_bash"
    }

    fn description(&self) -> &str {
        "Executes a bash command with the working directory set to the workspace. \
         All commands require validation against the configured policy."
    }

    fn parameters(&self) -> Option<serde_json::Value> {
        Some(serde_json::json!({
            "type": "object",
            "properties": {
                "command": {
                    "type": "string",
                    "description": "The bash command to execute."
                }
            },
            "required": ["command"]
        }))
    }

    async fn call(&self, args: serde_json::Value) -> Result<serde_json::Value, ToolError> {
        let command = args
            .get("command")
            .and_then(|v| v.as_str())
            .ok_or_else(|| ToolError::InvalidArgs("Missing command".into()))?;

        // Validate command against policy
        if let Err(e) = self.policy.validate(command) {
            return Ok(serde_json::json!({"error": e}));
        }

        // Execute command
        let output = tokio::process::Command::new("sh")
            .arg("-c")
            .arg(command)
            .current_dir(&self.workspace)
            .stdout(Stdio::piped())
            .stderr(Stdio::piped())
            .output()
            .await
            .map_err(|e| ToolError::ExecutionFailed(format!("Failed to execute command: {e}")))?;

        Ok(serde_json::json!({
            "stdout": String::from_utf8_lossy(&output.stdout),
            "stderr": String::from_utf8_lossy(&output.stderr),
            "returncode": output.status.code().unwrap_or(-1)
        }))
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn policy_allows_all_by_default() {
        let policy = BashToolPolicy::default();
        assert!(policy.validate("ls -la").is_ok());
        assert!(policy.validate("echo hello").is_ok());
    }

    #[test]
    fn policy_blocks_unmatched_prefix() {
        let policy = BashToolPolicy {
            allowed_command_prefixes: vec!["ls".into(), "echo".into()],
        };
        assert!(policy.validate("ls -la").is_ok());
        assert!(policy.validate("echo hello").is_ok());
        assert!(policy.validate("rm -rf /").is_err());
    }

    #[test]
    fn policy_rejects_empty_command() {
        let policy = BashToolPolicy::default();
        assert!(policy.validate("").is_err());
        assert!(policy.validate("  ").is_err());
    }

    #[test]
    fn tool_metadata() {
        let tool = ExecuteBashTool::new(PathBuf::from("/tmp"));
        assert_eq!(tool.name(), "execute_bash");
        assert!(tool.parameters().is_some());
    }

    #[tokio::test]
    async fn execute_simple_command() {
        let tool = ExecuteBashTool::new(PathBuf::from("/tmp"));
        let result = tool
            .call(serde_json::json!({"command": "echo hello"}))
            .await
            .unwrap();
        assert_eq!(result["stdout"].as_str().unwrap().trim(), "hello");
        assert_eq!(result["returncode"], 0);
    }

    #[tokio::test]
    async fn blocked_command_returns_error() {
        let tool = ExecuteBashTool::new(PathBuf::from("/tmp")).with_policy(BashToolPolicy {
            allowed_command_prefixes: vec!["ls".into()],
        });
        let result = tool
            .call(serde_json::json!({"command": "rm -rf /"}))
            .await
            .unwrap();
        assert!(result["error"].as_str().unwrap().contains("blocked"));
    }
}