zeph_tools/
lib.rs

1// SPDX-FileCopyrightText: 2026 Andrei G <bug-ops>
2// SPDX-License-Identifier: MIT OR Apache-2.0
3
4//! Tool execution abstraction, shell backend, web scraping, and audit logging for Zeph.
5//!
6//! This crate provides the [`ToolExecutor`] trait and its concrete implementations:
7//!
8//! - [`ShellExecutor`] — executes bash blocks from LLM responses with sandboxing, blocklists,
9//!   output filtering, transactional rollback, and audit logging.
10//! - [`WebScrapeExecutor`] — fetches and scrapes web pages via CSS selectors, with SSRF
11//!   protection and domain policies.
12//! - [`CompositeExecutor`] — chains two executors with first-match-wins dispatch.
13//! - [`FileExecutor`] — reads and writes local files within a sandbox.
14//! - [`DiagnosticsExecutor`] — exposes agent self-diagnostics as a tool.
15//!
16//! # Architecture
17//!
18//! The primary abstraction is [`ToolExecutor`], an async trait implemented by every backend.
19//! When dynamic dispatch is needed (e.g., storing heterogeneous executors in a `Vec`), use
20//! [`ErasedToolExecutor`] or wrap with [`DynExecutor`].
21//!
22//! Tool calls originate from two paths:
23//!
24//! 1. **Fenced code blocks** — legacy LLM responses containing ` ```bash ` or ` ```scrape `
25//!    blocks dispatched via [`ToolExecutor::execute`].
26//! 2. **Structured tool calls** — modern JSON tool calls dispatched via
27//!    [`ToolExecutor::execute_tool_call`].
28//!
29//! # Security
30//!
31//! Every executor enforces security controls before execution:
32//!
33//! - [`ShellExecutor`] checks the command against a blocklist, validates paths against an
34//!   allowlist sandbox, and optionally requires user confirmation for destructive patterns.
35//! - [`WebScrapeExecutor`] validates the URL scheme (HTTPS only), resolves DNS, and rejects
36//!   private-network addresses (SSRF protection).
37//! - [`AuditLogger`] writes a structured JSONL entry for every tool invocation.
38//!
39//! # Example
40//!
41//! ```rust,no_run
42//! use zeph_tools::{ShellExecutor, ToolExecutor, ShellConfig};
43//!
44//! # async fn example() {
45//! let config = ShellConfig::default();
46//! let executor = ShellExecutor::new(&config);
47//!
48//! // Execute a fenced bash block from an LLM response.
49//! let response = "```bash\necho hello\n```";
50//! if let Ok(Some(output)) = executor.execute(response).await {
51//!     println!("{}", output.summary);
52//! }
53//! # }
54//! ```
55
56// TODO(critic): post-v1.0 — re-evaluate splitting executor / web / shell into sub-crates if compile times degrade.
57
58pub mod adversarial_gate;
59pub mod adversarial_policy;
60pub mod anomaly;
61pub mod audit;
62pub mod cache;
63pub mod composite;
64pub mod compression;
65pub mod config;
66pub mod cwd;
67pub mod diagnostics;
68pub mod domain_match;
69pub mod error_taxonomy;
70pub mod execution_context;
71pub mod executor;
72pub mod file;
73pub mod filter;
74pub mod net;
75pub mod patterns;
76pub mod permissions;
77pub mod policy;
78pub mod policy_gate;
79pub mod registry;
80pub mod sandbox;
81pub mod schema_filter;
82pub mod scope;
83pub mod scrape;
84pub mod search_code;
85pub mod shadow_probe;
86pub mod shell;
87pub mod tool_filter;
88pub mod trust_gate;
89pub mod trust_level;
90pub mod utility;
91pub mod verifier;
92pub use adversarial_gate::AdversarialPolicyGateExecutor;
93pub use adversarial_policy::{
94    PolicyDecision as AdversarialPolicyDecision, PolicyLlmClient, PolicyMessage, PolicyRole,
95    PolicyValidator, parse_policy_lines,
96};
97pub use anomaly::{AnomalyDetector, AnomalySeverity, is_reasoning_model};
98pub use audit::{
99    AuditEntry, AuditLogger, AuditResult, EgressEvent, VigilRiskLevel, chrono_now,
100    log_tool_risk_summary,
101};
102pub use cache::{CacheKey, ToolResultCache, is_cacheable};
103pub use composite::CompositeExecutor;
104pub use compression::{
105    CompressedExecutor, CompressionError, CompressionRule, CompressionRuleStore,
106    IdentityCompressor, OutputCompressor, RuleBasedCompressor, safe_compile,
107};
108pub use config::{build_permission_policy, validate_sandbox_denied_domains};
109pub use cwd::SetCwdExecutor;
110pub use diagnostics::DiagnosticsExecutor;
111pub use error_taxonomy::{
112    ErrorDomain, ToolErrorCategory, ToolErrorFeedback, ToolInvocationPhase, classify_http_status,
113    classify_io_error,
114};
115pub use execution_context::ExecutionContext;
116pub use executor::{
117    ClaimSource, DiffData, DynExecutor, ErasedToolExecutor, ErrorKind, FilterStats,
118    MAX_TOOL_OUTPUT_CHARS, TOOL_EVENT_CHANNEL_CAP, ToolCall, ToolError, ToolEvent, ToolEventRx,
119    ToolEventTx, ToolExecutor, ToolOutput, truncate_tool_output, truncate_tool_output_at,
120};
121pub use file::FileExecutor;
122pub use filter::{
123    CommandMatcher, FilterConfidence, FilterMetrics, FilterResult, OutputFilter,
124    OutputFilterRegistry, sanitize_output, strip_ansi,
125};
126pub use net::is_private_ip;
127pub use permissions::PermissionPolicy;
128pub use policy::{PolicyCompileError, PolicyContext, PolicyDecision, PolicyEnforcer};
129pub use policy_gate::{PolicyGateExecutor, RiskSignalQueue, TrajectoryRiskSlot};
130pub use registry::ToolRegistry;
131#[cfg(target_os = "macos")]
132pub use sandbox::MacosSandbox;
133pub use sandbox::{
134    NoopSandbox, Sandbox, SandboxError, SandboxPolicy, build_sandbox, build_sandbox_with_policy,
135};
136pub use schema_filter::{
137    DependencyExclusion, InclusionReason, ToolDependencyGraph, ToolEmbedding, ToolFilterResult,
138    ToolSchemaFilter,
139};
140pub use scope::{ScopeError, ScopeWarning, ScopedToolExecutor, ToolScope, build_scoped_executor};
141pub use scrape::WebScrapeExecutor;
142pub use search_code::{
143    LspSearchBackend, SearchCodeExecutor, SearchCodeHit, SearchCodeSource, SemanticSearchBackend,
144};
145pub use shadow_probe::{ProbeGate, ProbeOutcome, ShadowProbeExecutor};
146pub use shell::background::{BackgroundCompletion, BackgroundRunSnapshot, RunId};
147pub use shell::{
148    DEFAULT_BLOCKED_COMMANDS, SHELL_INTERPRETERS, ShellExecutor, ShellOutputEnvelope,
149    ShellPolicyHandle, check_blocklist, effective_shell_command,
150};
151pub use tool_filter::ToolFilter;
152pub use trust_gate::TrustGateExecutor;
153pub use trust_level::SkillTrustLevel;
154pub use utility::{
155    UtilityAction, UtilityContext, UtilityScore, UtilityScorer, has_explicit_tool_request,
156};
157pub use verifier::{
158    DestructiveCommandVerifier, FirewallVerifier, InjectionPatternVerifier, PreExecutionVerifier,
159    UrlGroundingVerifier, VerificationResult,
160};
161pub use zeph_common::ToolName;
162pub use zeph_config::tools::{
163    AdversarialPolicyConfig, AnomalyConfig, AuditConfig, AuthorizationConfig, DefaultEffect,
164    DependencyConfig, EgressConfig, FileConfig, FilterConfig, OverflowConfig, PolicyConfig,
165    PolicyEffect, PolicyRuleConfig, ResultCacheConfig, RetryConfig, SandboxConfig, SandboxProfile,
166    ScrapeConfig, SecurityFilterConfig, ShellConfig, TafcConfig, ToolDependency, ToolsConfig,
167    UtilityScoringConfig,
168};
169pub use zeph_config::tools::{
170    AutonomyLevel, PermissionAction, PermissionRule, PermissionsConfig, SpeculationMode,
171    SpeculativeAllowlistConfig, SpeculativeConfig, SpeculativePatternConfig,
172};
173pub use zeph_config::tools::{
174    DestructiveVerifierConfig, FirewallVerifierConfig, InjectionVerifierConfig,
175    PreExecutionVerifierConfig, UrlGroundingVerifierConfig,
176};
zeph_tools/lib.rs

zeph_tools/
lib.rs
