vtcode-config 0.98.7

Config loader components shared across VT Code and downstream adopters
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372

use serde::{Deserialize, Serialize};

/// Unified permission mode for authored policy evaluation.
#[cfg_attr(feature = "schema", derive(schemars::JsonSchema))]
#[derive(Debug, Clone, Copy, Deserialize, Serialize, PartialEq, Eq, Default)]
#[serde(rename_all = "snake_case")]
pub enum PermissionMode {
    /// Standard interactive behavior with prompts when policy requires them.
    #[default]
    #[serde(alias = "ask", alias = "suggest")]
    Default,
    /// Auto-allow built-in file mutations for the active session.
    #[serde(alias = "acceptEdits", alias = "accept-edits", alias = "auto-approved")]
    AcceptEdits,
    /// Classifier-backed autonomous mode.
    #[serde(alias = "trusted_auto", alias = "trusted-auto")]
    Auto,
    /// Read-only planning mode.
    Plan,
    /// Deny any action that is not explicitly allowed.
    #[serde(alias = "dontAsk", alias = "dont-ask")]
    DontAsk,
    /// Skip prompts except protected writes and sandbox escalation prompts.
    #[serde(
        alias = "bypassPermissions",
        alias = "bypass-permissions",
        alias = "full-auto"
    )]
    BypassPermissions,
}

/// Permission system configuration - Controls command resolution, audit logging, and caching
#[cfg_attr(feature = "schema", derive(schemars::JsonSchema))]
#[derive(Debug, Clone, Deserialize, Serialize)]
pub struct PermissionsConfig {
    /// Default unified permission mode for the current session.
    #[serde(default)]
    pub default_mode: PermissionMode,

    /// Classifier-backed auto mode policy and environment settings.
    #[serde(default)]
    pub auto_mode: AutoModeConfig,

    /// Rules that allow matching tool calls without prompting.
    #[serde(default)]
    pub allow: Vec<String>,

    /// Rules that require an interactive prompt when they match.
    #[serde(default)]
    pub ask: Vec<String>,

    /// Rules that deny matching tool calls.
    #[serde(default)]
    pub deny: Vec<String>,

    /// Enable the enhanced permission system (resolver + audit logger + cache)
    #[serde(default = "default_enabled")]
    pub enabled: bool,

    /// Enable command resolution to actual paths (helps identify suspicious commands)
    #[serde(default = "default_resolve_commands")]
    pub resolve_commands: bool,

    /// Enable audit logging of all permission decisions
    #[serde(default = "default_audit_enabled")]
    pub audit_enabled: bool,

    /// Directory for audit logs (created if not exists)
    /// Defaults to ~/.vtcode/audit
    #[serde(default = "default_audit_directory")]
    pub audit_directory: String,

    /// Log allowed commands to audit trail
    #[serde(default = "default_log_allowed_commands")]
    pub log_allowed_commands: bool,

    /// Log denied commands to audit trail
    #[serde(default = "default_log_denied_commands")]
    pub log_denied_commands: bool,

    /// Log permission prompts (when user is asked for confirmation)
    #[serde(default = "default_log_permission_prompts")]
    pub log_permission_prompts: bool,

    /// Enable permission decision caching to avoid redundant evaluations
    #[serde(default = "default_cache_enabled")]
    pub cache_enabled: bool,

    /// Cache time-to-live in seconds (how long to cache decisions)
    /// Default: 300 seconds (5 minutes)
    #[serde(default = "default_cache_ttl_seconds")]
    pub cache_ttl_seconds: u64,
}

/// Classifier-backed auto mode configuration.
#[cfg_attr(feature = "schema", derive(schemars::JsonSchema))]
#[derive(Debug, Clone, Deserialize, Serialize)]
pub struct AutoModeConfig {
    /// Optional model override for the transcript reviewer.
    #[serde(default)]
    pub model: String,

    /// Optional model override for the prompt-injection probe.
    #[serde(default)]
    pub probe_model: String,

    /// Maximum consecutive denials before auto mode falls back.
    #[serde(default = "default_auto_mode_max_consecutive_denials")]
    pub max_consecutive_denials: u32,

    /// Maximum total denials before auto mode falls back.
    #[serde(default = "default_auto_mode_max_total_denials")]
    pub max_total_denials: u32,

    /// Drop broad code-execution allow rules while auto mode is active.
    #[serde(default = "default_auto_mode_drop_broad_allow_rules")]
    pub drop_broad_allow_rules: bool,

    /// Classifier block rules applied in stage 2 reasoning.
    #[serde(default = "default_auto_mode_block_rules")]
    pub block_rules: Vec<String>,

    /// Narrow allow exceptions applied after block rules.
    #[serde(default = "default_auto_mode_allow_exceptions")]
    pub allow_exceptions: Vec<String>,

    /// Trusted environment boundaries for the classifier.
    #[serde(default)]
    pub environment: AutoModeEnvironmentConfig,
}

/// Trust-boundary configuration for auto mode.
#[cfg_attr(feature = "schema", derive(schemars::JsonSchema))]
#[derive(Debug, Clone, Default, Deserialize, Serialize)]
pub struct AutoModeEnvironmentConfig {
    #[serde(default)]
    pub trusted_paths: Vec<String>,

    #[serde(default)]
    pub trusted_domains: Vec<String>,

    #[serde(default)]
    pub trusted_git_hosts: Vec<String>,

    #[serde(default)]
    pub trusted_git_orgs: Vec<String>,

    #[serde(default)]
    pub trusted_services: Vec<String>,
}

impl Default for AutoModeConfig {
    fn default() -> Self {
        Self {
            model: String::new(),
            probe_model: String::new(),
            max_consecutive_denials: default_auto_mode_max_consecutive_denials(),
            max_total_denials: default_auto_mode_max_total_denials(),
            drop_broad_allow_rules: default_auto_mode_drop_broad_allow_rules(),
            block_rules: default_auto_mode_block_rules(),
            allow_exceptions: default_auto_mode_allow_exceptions(),
            environment: AutoModeEnvironmentConfig::default(),
        }
    }
}

#[inline]
const fn default_enabled() -> bool {
    true
}

#[inline]
const fn default_resolve_commands() -> bool {
    true
}

#[inline]
const fn default_audit_enabled() -> bool {
    true
}

const DEFAULT_AUDIT_DIR: &str = "~/.vtcode/audit";

#[inline]
fn default_audit_directory() -> String {
    DEFAULT_AUDIT_DIR.into()
}

#[inline]
const fn default_log_allowed_commands() -> bool {
    true
}

#[inline]
const fn default_log_denied_commands() -> bool {
    true
}

#[inline]
const fn default_log_permission_prompts() -> bool {
    true
}

#[inline]
const fn default_cache_enabled() -> bool {
    true
}

#[inline]
const fn default_cache_ttl_seconds() -> u64 {
    300 // 5 minutes
}

#[inline]
const fn default_auto_mode_max_consecutive_denials() -> u32 {
    3
}

#[inline]
const fn default_auto_mode_max_total_denials() -> u32 {
    20
}

#[inline]
const fn default_auto_mode_drop_broad_allow_rules() -> bool {
    true
}

fn default_auto_mode_block_rules() -> Vec<String> {
    vec![
        "Block destructive source-control actions such as force-pushes, direct pushes to protected branches, or remote branch deletion unless the user explicitly authorized that exact blast radius.".to_string(),
        "Block remote code download-and-execute flows, including curl-or-wget pipes into interpreters or shells, and running code from freshly cloned external repositories.".to_string(),
        "Block sending workspace contents, credentials, environment variables, or other sensitive data to external endpoints unless the user explicitly named both the destination and the data.".to_string(),
        "Block credential hunting, secret discovery, or scanning config and environment stores for alternative tokens unless the user explicitly asked for that credential workflow.".to_string(),
        "Block commands that bypass safety checks, disable verification, install persistence, or weaken the host security posture.".to_string(),
        "Block destructive or production/shared-infrastructure actions unless the user explicitly authorized the target and the action.".to_string(),
        "Block destructive actions against inferred, fuzzy-matched, or agent-selected targets when the user did not name the exact target.".to_string(),
    ]
}

fn default_auto_mode_allow_exceptions() -> Vec<String> {
    vec![
        "Allow read-only tools and read-only browsing/search actions.".to_string(),
        "Allow file edits and writes inside the current workspace when the path is not protected.".to_string(),
        "Allow pushes only to the current session branch or configured git remotes inside the trusted environment.".to_string(),
    ]
}

impl Default for PermissionsConfig {
    fn default() -> Self {
        Self {
            default_mode: PermissionMode::default(),
            auto_mode: AutoModeConfig::default(),
            allow: Vec::new(),
            ask: Vec::new(),
            deny: Vec::new(),
            enabled: default_enabled(),
            resolve_commands: default_resolve_commands(),
            audit_enabled: default_audit_enabled(),
            audit_directory: default_audit_directory(),
            log_allowed_commands: default_log_allowed_commands(),
            log_denied_commands: default_log_denied_commands(),
            log_permission_prompts: default_log_permission_prompts(),
            cache_enabled: default_cache_enabled(),
            cache_ttl_seconds: default_cache_ttl_seconds(),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::{PermissionMode, PermissionsConfig};

    #[test]
    fn parses_claude_style_mode_aliases() {
        let config: PermissionsConfig = toml::from_str(
            r#"
            default_mode = "acceptEdits"
            "#,
        )
        .expect("permissions config");
        assert_eq!(config.default_mode, PermissionMode::AcceptEdits);

        let config: PermissionsConfig = toml::from_str(
            r#"
            default_mode = "dontAsk"
            "#,
        )
        .expect("permissions config");
        assert_eq!(config.default_mode, PermissionMode::DontAsk);

        let config: PermissionsConfig = toml::from_str(
            r#"
            default_mode = "bypassPermissions"
            "#,
        )
        .expect("permissions config");
        assert_eq!(config.default_mode, PermissionMode::BypassPermissions);

        let config: PermissionsConfig = toml::from_str(
            r#"
            default_mode = "auto"
            "#,
        )
        .expect("permissions config");
        assert_eq!(config.default_mode, PermissionMode::Auto);
    }

    #[test]
    fn parses_legacy_mode_aliases() {
        let config: PermissionsConfig = toml::from_str(
            r#"
            default_mode = "ask"
            "#,
        )
        .expect("permissions config");
        assert_eq!(config.default_mode, PermissionMode::Default);

        let config: PermissionsConfig = toml::from_str(
            r#"
            default_mode = "auto-approved"
            "#,
        )
        .expect("permissions config");
        assert_eq!(config.default_mode, PermissionMode::AcceptEdits);

        let config: PermissionsConfig = toml::from_str(
            r#"
            default_mode = "full-auto"
            "#,
        )
        .expect("permissions config");
        assert_eq!(config.default_mode, PermissionMode::BypassPermissions);

        let config: PermissionsConfig = toml::from_str(
            r#"
            default_mode = "trusted_auto"
            "#,
        )
        .expect("permissions config");
        assert_eq!(config.default_mode, PermissionMode::Auto);
    }

    #[test]
    fn parses_exact_tool_rules() {
        let config: PermissionsConfig = toml::from_str(
            r#"
            allow = ["read_file", "unified_search"]
            deny = ["unified_exec"]
            "#,
        )
        .expect("permissions config");

        assert_eq!(
            config.allow,
            vec!["read_file".to_string(), "unified_search".to_string()]
        );
        assert_eq!(config.deny, vec!["unified_exec".to_string()]);
    }

    #[test]
    fn auto_mode_defaults_are_conservative() {
        let config = PermissionsConfig::default();

        assert_eq!(config.auto_mode.max_consecutive_denials, 3);
        assert_eq!(config.auto_mode.max_total_denials, 20);
        assert!(config.auto_mode.drop_broad_allow_rules);
        assert!(!config.auto_mode.block_rules.is_empty());
        assert!(!config.auto_mode.allow_exceptions.is_empty());
        assert!(config.auto_mode.environment.trusted_paths.is_empty());
    }
}