vtcode-core 0.103.1

Core library for VT Code - a Rust-based terminal coding agent
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196

//! Audit logging for command safety decisions.
//!
//! Records all command safety checks for compliance and debugging.
//! Can be used to generate security audit trails and identify patterns.

use serde::{Deserialize, Serialize};
use std::sync::Arc;
use tokio::sync::Mutex;

/// A single command safety audit entry
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AuditEntry {
    /// The command that was evaluated
    pub command: Vec<String>,
    /// Whether the command was allowed
    pub allowed: bool,
    /// Reason for the decision
    pub reason: String,
    /// Decision type (Allow, Deny, Unknown)
    pub decision_type: String,
    /// Timestamp (ISO 8601 format)
    pub timestamp: String,
}

impl AuditEntry {
    /// Creates a new audit entry
    pub fn new(command: Vec<String>, allowed: bool, reason: String, decision_type: String) -> Self {
        // Use a simple timestamp (can be improved with chrono if available)
        let timestamp = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .map(|d| d.as_secs().to_string())
            .unwrap_or_else(|_| "unknown".to_string());

        Self {
            command,
            allowed,
            reason,
            decision_type,
            timestamp,
        }
    }
}

/// Audit logger for command safety decisions
pub struct SafetyAuditLogger {
    entries: Arc<Mutex<Vec<AuditEntry>>>,
    enabled: bool,
}

impl SafetyAuditLogger {
    /// Creates a new audit logger
    pub fn new(enabled: bool) -> Self {
        Self {
            entries: Arc::new(Mutex::new(Vec::new())),
            enabled,
        }
    }

    /// Logs an audit entry
    pub async fn log(&self, entry: AuditEntry) {
        if self.enabled {
            let mut entries = self.entries.lock().await;
            entries.push(entry);
        }
    }

    /// Returns all logged entries
    pub async fn entries(&self) -> Vec<AuditEntry> {
        let entries = self.entries.lock().await;
        entries.clone()
    }

    /// Returns entries for a specific command
    pub async fn entries_for_command(&self, cmd: &str) -> Vec<AuditEntry> {
        let entries = self.entries.lock().await;
        entries
            .iter()
            .filter(|e| e.command.join(" ").contains(cmd))
            .cloned()
            .collect()
    }

    /// Returns denied entries only
    pub async fn denied_entries(&self) -> Vec<AuditEntry> {
        let entries = self.entries.lock().await;
        entries.iter().filter(|e| !e.allowed).cloned().collect()
    }

    /// Clears all entries
    pub async fn clear(&self) {
        let mut entries = self.entries.lock().await;
        entries.clear();
    }

    /// Returns count of entries
    pub async fn count(&self) -> usize {
        let entries = self.entries.lock().await;
        entries.len()
    }
}

impl Clone for SafetyAuditLogger {
    fn clone(&self) -> Self {
        Self {
            entries: Arc::clone(&self.entries),
            enabled: self.enabled,
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn creates_audit_entry() {
        let cmd = vec!["git".to_string(), "status".to_string()];
        let entry = AuditEntry::new(
            cmd,
            true,
            "git status allowed".to_string(),
            "Allow".to_string(),
        );
        assert!(entry.allowed);
        assert!(!entry.timestamp.is_empty());
    }

    #[tokio::test]
    async fn logs_entries() {
        let logger = SafetyAuditLogger::new(true);
        let cmd = vec!["git".to_string(), "status".to_string()];
        let entry = AuditEntry::new(
            cmd,
            true,
            "git status allowed".to_string(),
            "Allow".to_string(),
        );

        logger.log(entry).await;
        assert_eq!(logger.count().await, 1);
    }

    #[tokio::test]
    async fn filters_denied_entries() {
        let logger = SafetyAuditLogger::new(true);

        let cmd1 = vec!["git".to_string(), "status".to_string()];
        logger
            .log(AuditEntry::new(
                cmd1,
                true,
                "allowed".to_string(),
                "Allow".to_string(),
            ))
            .await;

        let cmd2 = vec!["git".to_string(), "reset".to_string()];
        logger
            .log(AuditEntry::new(
                cmd2,
                false,
                "denied".to_string(),
                "Deny".to_string(),
            ))
            .await;

        let denied = logger.denied_entries().await;
        assert_eq!(denied.len(), 1);
        assert!(!denied[0].allowed);
    }

    #[tokio::test]
    async fn disabled_logger_ignores_entries() {
        let logger = SafetyAuditLogger::new(false);
        let cmd = vec!["git".to_string(), "status".to_string()];
        let entry = AuditEntry::new(cmd, true, "allowed".to_string(), "Allow".to_string());

        logger.log(entry).await;
        assert_eq!(logger.count().await, 0);
    }

    #[tokio::test]
    async fn clones_share_same_entries() {
        let logger1 = SafetyAuditLogger::new(true);
        let logger2 = logger1.clone();

        let cmd = vec!["git".to_string(), "status".to_string()];
        let entry = AuditEntry::new(cmd, true, "allowed".to_string(), "Allow".to_string());

        logger1.log(entry).await;

        // Both loggers see the same entry
        assert_eq!(logger1.count().await, 1);
        assert_eq!(logger2.count().await, 1);
    }
}