Module policy 

Sandbox policy: “Allow / Deny / Ask user” decision for tool calls.

Interface with the main loop

SandboxPolicy::classify is a pure decision; it returns a PolicyDecision:

• Allow / Deny: the main loop branches directly.
• Ask(Ask): the main loop packs Ask::options into an ACP RequestPermissionRequest and waits for the user’s response. When the response arrives, it calls SandboxPolicy::record so the policy can update its internal “already authorized” table.

Boundary with the OS-level sandbox

This module only makes decisions — OS-level isolation (landlock / seatbelt / child process permission dropping) is a separate trait (a future ToolSandbox). This module’s output is “whether to execute”, orthogonal to “how much permission to grant at execution time”.

Structs

Ask

Payload for populating Ask options.

AskOption

A permission option presented to the user.

AskWritesPolicy

Default policy: ReadOnly is directly Allow; Mutating, Destructive, and Network go through Ask. AllowAlways maintains an internal whitelist of tool names; a match results in an immediate Allow.

DenyAllPolicy

Deny everything. Used for smoke testing.

ModeCatalog

A set of mutually exclusive permission modes plus the currently selected one. Maps to ACP’s SessionModeState.

NonInteractivePolicy

Adapts any inner policy to a non-interactive semantics: when the inner policy returns PolicyDecision::Ask, it is downgraded to PolicyDecision::Deny; Allow / Deny are passed through unchanged.

OpenPolicy

Allows everything. Intended for testing / dev mode.

PolicyCtx

Context shared by classify and record.

PolicyMode

A permission mode entry that can be selected by an ACP client.

ReadOnlyPolicy

Only allows ReadOnly; everything else is denied.

Enums

PolicyDecision

The decision result.

RecordedOutcome

The “user response” that the main loop writes back to the policy.

Traits

SandboxPolicy

A decision-maker for tool invocations.