vtcode-core 0.104.0

Core library for VT Code - a Rust-based terminal coding agent
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598

//! Command execution tool

use super::types::*;
use crate::command_safety::UnifiedCommandEvaluator;
use crate::command_safety::command_might_be_dangerous;
use crate::command_safety::unified::EvaluationReason;
use crate::config::CommandsConfig;
use crate::exec_policy::command_validation::{sanitize_working_dir, validate_command};
use crate::tools::command_policy::CommandPolicyEvaluator;
use crate::tools::path_env;
use crate::tools::shell::resolve_fallback_shell;
use anyhow::{Result, anyhow};
#[cfg(test)]
use hashbrown::HashMap;
#[cfg(test)]
use std::ffi::OsString;
use std::path::PathBuf;

/// Command execution tool for non-PTY process handling with policy enforcement
#[derive(Clone)]
pub struct CommandTool {
    workspace_root: PathBuf,
    policy: CommandPolicyEvaluator,
    /// Unified command evaluator combining policy and safety rules
    unified_evaluator: UnifiedCommandEvaluator,
    extra_path_entries: Vec<PathBuf>,
}

impl CommandTool {
    pub fn new(workspace_root: PathBuf) -> Self {
        Self::with_commands_config(workspace_root, CommandsConfig::default())
    }

    pub fn with_commands_config(workspace_root: PathBuf, commands_config: CommandsConfig) -> Self {
        // Note: We use the workspace_root directly here. Full validation happens
        // in prepare_invocation which is async.
        let policy = CommandPolicyEvaluator::from_config(&commands_config);
        let unified_evaluator = UnifiedCommandEvaluator::new();
        let extra_path_entries = path_env::compute_extra_search_paths(
            &commands_config.extra_path_entries,
            &workspace_root,
        );
        Self {
            workspace_root,
            policy,
            unified_evaluator,
            extra_path_entries,
        }
    }

    pub fn update_commands_config(&mut self, commands_config: &CommandsConfig) {
        self.policy = CommandPolicyEvaluator::from_config(commands_config);
        self.unified_evaluator = UnifiedCommandEvaluator::new();
        self.extra_path_entries = path_env::compute_extra_search_paths(
            &commands_config.extra_path_entries,
            &self.workspace_root,
        );
    }

    #[cfg_attr(not(test), allow(dead_code))]
    pub(crate) async fn prepare_invocation(
        &self,
        input: &EnhancedTerminalInput,
    ) -> Result<CommandInvocation> {
        let command = &input.command;
        if command.is_empty() {
            return Err(anyhow!("Command cannot be empty"));
        }

        let program = &command[0];
        // Validate that the executable is non-empty after trimming
        if program.trim().is_empty() {
            return Err(anyhow!("Command executable cannot be empty"));
        }
        if program.contains(char::is_whitespace) {
            return Err(anyhow!(
                "Program name cannot contain whitespace: {}",
                program
            ));
        }

        let working_dir =
            sanitize_working_dir(&self.workspace_root, input.working_dir.as_deref()).await?;

        // Unified command evaluation: combines safety rules + policy rules
        let confirm_ok = input.confirm.unwrap_or(false);
        let risky_command = is_risky_command(command);
        if risky_command && !confirm_ok {
            return Err(anyhow!(
                "Command appears destructive; set the `confirm` field to true to proceed."
            ));
        }

        let policy_allowed = self.policy.allows(command);

        // Use unified evaluator with policy layer
        let eval_result = self
            .unified_evaluator
            .evaluate_with_policy(command, policy_allowed, "config policy")
            .await?;

        if !eval_result.allowed {
            if !policy_allowed {
                return Err(anyhow!(
                    "command '{}' is not permitted by the execution policy",
                    program
                ));
            }
            // If unified evaluator denied, still allow explicitly confirmed risky commands
            // when they are permitted by the configured policy.
            let allow_confirmed_risky = risky_command
                && confirm_ok
                && policy_allowed
                && matches!(
                    eval_result.primary_reason,
                    EvaluationReason::DangerousCommand(_)
                );
            if !allow_confirmed_risky {
                // If unified evaluator denied, forward to validator for custom checks
                validate_command(command, &self.workspace_root, &working_dir, confirm_ok).await?;
            }
        }

        if risky_command && confirm_ok {
            // Record audit for the explicitly confirmed destructive command
            log_audit_for_command(
                &format_command(command),
                "Confirmed destructive operation by agent",
            );
        }

        // If the program name includes a path separator or is absolute, execute it directly as provided
        // (unless the caller explicitly requested a shell override). Otherwise, always use the
        // user's login shell in `-lc` mode so PATH and environment are initialized consistently.
        let resolved_invocation =
            if program.contains(std::path::MAIN_SEPARATOR) || program.contains('/') {
                // Program provided as absolute/relative path: run directly
                CommandInvocation {
                    program: program.to_owned(),
                    args: command[1..].to_vec(),
                    display: input
                        .raw_command
                        .clone()
                        .unwrap_or_else(|| format_command(command)),
                }
            } else {
                // Honor explicit shell override provided in the input. If the caller set `login` to
                // false, use `-c` (no login). Otherwise use `-lc` to force login shell semantics.
                let shell = input
                    .shell
                    .clone()
                    .filter(|s| !s.trim().is_empty())
                    .unwrap_or_else(resolve_fallback_shell);
                let use_login = input.login.unwrap_or(true);
                let full_command = format_command(command);
                CommandInvocation {
                    program: shell,
                    args: vec![
                        if use_login {
                            "-lc".to_owned()
                        } else {
                            "-c".to_owned()
                        },
                        full_command.clone(),
                    ],
                    display: full_command,
                }
            };

        Ok(resolved_invocation)
    }

    /// Validate command arguments without executing them (test/helper)
    #[cfg(test)]
    pub(crate) async fn validate_args(&self, input: &EnhancedTerminalInput) -> Result<()> {
        self.prepare_invocation(input).await.map(|_| ())
    }
}

// NOTE: Tool and ModeTool trait implementations removed since CommandTool
// is no longer registered as a public tool (RUN_COMMAND was deprecated).
// CommandTool is kept for internal command preparation in the PTY system.

#[derive(Debug, Clone)]
#[allow(dead_code)]
pub(crate) struct CommandInvocation {
    pub(crate) program: String,
    pub(crate) args: Vec<String>,
    pub(crate) display: String,
}

#[allow(dead_code)]
fn format_command(command: &[String]) -> String {
    command
        .iter()
        .map(|part| quote_argument_posix(part))
        .collect::<Vec<_>>()
        .join(" ")
}

#[allow(dead_code)]
fn is_risky_command(command: &[String]) -> bool {
    if command.is_empty() {
        return false;
    }

    // Centralized detection for dangerous command patterns (git/rm/mkfs/dd/etc.).
    if command_might_be_dangerous(command) {
        return true;
    }

    let program = command[0].as_str();
    let args = &command[1..];

    // Supplemental checks outside centralized detection coverage.
    if program == "rm" && args.iter().any(|a| a == "/") {
        return true;
    }

    if program == "docker"
        && args
            .iter()
            .any(|a| a == "run" && args.iter().any(|b| b == "--privileged"))
    {
        return true;
    }

    program == "kubectl" // kubectl operations can be destructive; require confirmation
}

#[allow(dead_code)]
fn log_audit_for_command(_command: &str, _reason: &str) {
    // Audit logging removed - kept as no-op for backwards compatibility
}

#[allow(dead_code)]
fn quote_argument_posix(arg: &str) -> String {
    if arg.is_empty() {
        return "''".to_owned();
    }

    if arg
        .chars()
        .all(|ch| ch.is_ascii_alphanumeric() || "-_./:@".contains(ch))
    {
        return arg.to_owned();
    }

    let mut quoted = String::from("'");
    for ch in arg.chars() {
        if ch == '\'' {
            quoted.push_str("'\"'\"'");
        } else {
            quoted.push(ch);
        }
    }
    quoted.push('\'');
    quoted
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::tools::path_env;
    use tempfile::tempdir;

    fn make_tool() -> CommandTool {
        let cwd = std::env::current_dir().expect("current dir");
        CommandTool::new(cwd)
    }

    fn make_input(command: Vec<&str>) -> EnhancedTerminalInput {
        EnhancedTerminalInput {
            command: command.into_iter().map(String::from).collect(),
            working_dir: None,
            timeout_secs: None,
            mode: None,
            response_format: None,
            raw_command: None,
            shell: None,
            login: None,
            confirm: None,
            max_tokens: None,
        }
    }

    #[test]
    fn formats_command_for_display() {
        let parts = vec!["echo".to_string(), "hello world".to_string()];
        assert_eq!(format_command(&parts), "echo 'hello world'");
    }

    #[tokio::test]
    async fn prepare_invocation_allows_policy_command() {
        let tool = make_tool();
        let input = make_input(vec!["ls"]);
        let invocation = tool.prepare_invocation(&input).await.expect("invocation");
        let shell = resolve_fallback_shell();
        assert_eq!(invocation.program, shell);
        assert_eq!(invocation.args, vec!["-lc".to_owned(), "ls".to_owned()]);
        assert_eq!(invocation.display, "ls");
    }

    #[tokio::test]
    async fn prepare_invocation_allows_cargo_via_policy() {
        let tool = make_tool();
        let input = make_input(vec!["cargo", "check"]);
        let invocation = tool
            .prepare_invocation(&input)
            .await
            .expect("cargo check should be allowed");
        let shell = resolve_fallback_shell();
        assert_eq!(invocation.program, shell);
        assert_eq!(
            invocation.args,
            vec!["-lc".to_owned(), "cargo check".to_owned()]
        );
        assert_eq!(invocation.display, "cargo check");
    }

    #[tokio::test]
    async fn prepare_invocation_rejects_command_not_in_policy() {
        let tool = make_tool();
        let input = make_input(vec!["custom-tool"]);
        let error = tool
            .prepare_invocation(&input)
            .await
            .expect_err("custom-tool should be blocked");
        assert!(
            error
                .to_string()
                .contains("is not permitted by the execution policy")
        );
    }

    #[tokio::test]
    async fn prepare_invocation_requires_confirm_for_git_reset_hard() {
        let tool = make_tool();
        let input = make_input(vec!["git", "reset", "--hard"]);
        // No explicit confirm set - should error
        let error = tool
            .prepare_invocation(&input)
            .await
            .expect_err("git reset --hard should require confirmation");
        assert!(error.to_string().contains("set the `confirm` field"));
    }

    #[tokio::test]
    async fn prepare_invocation_allows_git_reset_with_confirm() {
        let tool = make_tool();
        let mut input = make_input(vec!["git", "reset", "--hard"]);
        input.confirm = Some(true);
        let invocation = tool
            .prepare_invocation(&input)
            .await
            .expect("git reset --hard should be allowed when confirm=true");
        assert!(invocation.display.contains("git reset"));
    }

    #[tokio::test]
    async fn prepare_invocation_respects_custom_allow_list() {
        let cwd = std::env::current_dir().expect("current dir");
        let mut config = CommandsConfig::default();
        config.allow_list.push("my-build".to_owned());
        let tool = CommandTool::with_commands_config(cwd, config);
        let input = make_input(vec!["my-build"]);
        let invocation = tool
            .prepare_invocation(&input)
            .await
            .expect("custom allow list should enable command");
        let shell = resolve_fallback_shell();
        assert_eq!(invocation.program, shell);
        assert_eq!(
            invocation.args,
            vec!["-lc".to_owned(), "my-build".to_owned()]
        );
    }

    #[tokio::test]
    async fn prepare_invocation_respects_shell_override_and_login_false() {
        let cwd = std::env::current_dir().expect("current dir");
        let tool = CommandTool::new(cwd);
        let mut input = make_input(vec!["ls"]);
        input.shell = Some("/bin/sh".to_string());
        input.login = Some(false);
        let invocation = tool.prepare_invocation(&input).await.expect("invocation");
        assert_eq!(invocation.program, "/bin/sh".to_owned());
        assert_eq!(invocation.args, vec!["-c".to_owned(), "ls".to_owned()]);
    }

    #[test]
    fn resolve_program_path_respects_os_path_separator() {
        let noise_dir = tempdir().expect("noise tempdir");
        let target_dir = tempdir().expect("target tempdir");
        let fake_tool_path = target_dir.path().join("fake-tool");
        std::fs::write(&fake_tool_path, b"#!/bin/sh\n").expect("write fake tool");

        #[cfg(unix)]
        {
            use std::os::unix::fs::PermissionsExt;
            let mut perms = std::fs::metadata(&fake_tool_path)
                .expect("metadata")
                .permissions();
            perms.set_mode(0o755);
            std::fs::set_permissions(&fake_tool_path, perms).expect("set perms");
        }

        let custom_paths = vec![
            noise_dir.path().to_path_buf(),
            target_dir.path().to_path_buf(),
        ];
        let resolved =
            path_env::resolve_program_path_from_paths("fake-tool", custom_paths.into_iter());
        let expected = fake_tool_path.to_string_lossy().into_owned();
        assert_eq!(resolved, Some(expected));
    }

    #[tokio::test]
    async fn prepare_invocation_respects_custom_deny_list() {
        let cwd = std::env::current_dir().expect("current dir");
        let mut config = CommandsConfig::default();
        config.deny_list.push("cargo".to_string());
        let tool = CommandTool::with_commands_config(cwd, config);
        let input = make_input(vec!["cargo", "check"]);
        let error = tool
            .prepare_invocation(&input)
            .await
            .expect_err("deny list should block cargo");
        assert!(error.to_string().contains("is not permitted"));
    }

    #[tokio::test]
    async fn prepare_invocation_uses_shell_for_command_execution() {
        let tool = make_tool();
        let input = make_input(vec!["cargo", "check"]);
        let invocation = tool.prepare_invocation(&input).await.expect("invocation");
        let shell = resolve_fallback_shell();
        assert_eq!(invocation.program, shell);
        assert_eq!(
            invocation.args,
            vec!["-lc".to_owned(), "cargo check".to_owned()]
        );
        assert_eq!(invocation.display, "cargo check");
    }

    #[tokio::test]
    async fn prepare_invocation_uses_extra_path_entries() {
        let cwd = std::env::current_dir().expect("current dir");
        let temp_dir = tempdir().expect("tempdir");
        let binary_path = temp_dir.path().join("fake-extra");
        std::fs::write(&binary_path, b"#!/bin/sh\n").expect("write fake binary");
        #[cfg(unix)]
        {
            use std::os::unix::fs::PermissionsExt;
            let mut perms = std::fs::metadata(&binary_path)
                .expect("metadata")
                .permissions();
            perms.set_mode(0o755);
            std::fs::set_permissions(&binary_path, perms).expect("set perms");
        }

        let mut config = CommandsConfig::default();
        config.allow_list.push("fake-extra".to_owned());
        config.extra_path_entries = vec![
            binary_path
                .parent()
                .expect("parent")
                .to_string_lossy()
                .into_owned(),
        ];

        let tool = CommandTool::with_commands_config(cwd, config);
        let input = make_input(vec!["fake-extra"]);
        let invocation = tool
            .prepare_invocation(&input)
            .await
            .expect("extra path should allow command");
        let shell = resolve_fallback_shell();
        assert_eq!(invocation.program, shell);
        assert_eq!(
            invocation.args,
            vec!["-lc".to_owned(), "fake-extra".to_owned()]
        );
        assert_eq!(
            tool.extra_path_entries,
            vec![binary_path.parent().expect("parent").to_path_buf()]
        );
    }

    #[tokio::test]
    async fn working_dir_escape_is_rejected() {
        let tool = make_tool();
        let mut input = make_input(vec!["ls"]);
        input.working_dir = Some("../".into());
        let error = tool
            .prepare_invocation(&input)
            .await
            .expect_err("working dir escape should fail");
        assert!(
            error
                .to_string()
                .contains("working directory '../' escapes the workspace root")
        );
    }

    #[tokio::test]
    async fn prepare_invocation_rejects_empty_command() {
        let tool = make_tool();
        let input = make_input(vec![]);
        let error = tool
            .prepare_invocation(&input)
            .await
            .expect_err("empty command should be rejected");
        assert!(error.to_string().contains("Command cannot be empty"));
    }

    #[tokio::test]
    async fn prepare_invocation_rejects_empty_executable() {
        let tool = make_tool();
        let input = make_input(vec!["", "arg1"]);
        let error = tool
            .prepare_invocation(&input)
            .await
            .expect_err("empty executable should be rejected");
        assert!(
            error
                .to_string()
                .contains("Command executable cannot be empty")
        );
    }

    #[tokio::test]
    async fn prepare_invocation_rejects_whitespace_only_executable() {
        let tool = make_tool();
        let input = make_input(vec!["   ", "arg1"]);
        let error = tool
            .prepare_invocation(&input)
            .await
            .expect_err("whitespace-only executable should be rejected");
        assert!(
            error
                .to_string()
                .contains("Command executable cannot be empty")
        );
    }

    #[tokio::test]
    async fn validate_args_rejects_empty_command() {
        let tool = make_tool();
        let args = make_input(vec![]);
        let error = tool
            .validate_args(&args)
            .await
            .expect_err("empty command should fail validation");
        assert!(error.to_string().contains("Command cannot be empty"));
    }

    #[tokio::test]
    async fn validate_args_rejects_empty_executable() {
        let tool = make_tool();
        let args = make_input(vec!["", "arg1"]);
        let error = tool
            .validate_args(&args)
            .await
            .expect_err("empty executable should fail validation");
        assert!(
            error
                .to_string()
                .contains("Command executable cannot be empty")
        );
    }

    #[tokio::test]
    async fn validate_args_accepts_valid_command() {
        let tool = make_tool();
        let args = make_input(vec!["ls", "-la"]);
        tool.validate_args(&args)
            .await
            .expect("valid command should pass validation");
    }

    #[test]
    fn environment_variables_are_inherited_from_parent() {
        // Verify that the environment setup includes inherited parent process variables.
        // This test documents the fix for the cargo fmt issue where PATH and other
        // critical environment variables were not being passed to subprocesses.
        // See: vtcode-core/src/tools/command.rs:execute_terminal_command()

        // The fix uses std::env::vars_os().collect() which inherits all parent variables
        let env: HashMap<OsString, OsString> = std::env::vars_os().collect();

        // Verify critical system variables are present
        assert!(
            env.contains_key(&OsString::from("PATH")),
            "PATH environment variable must be inherited for command resolution"
        );
    }
}