1use std::collections::BTreeSet;
19
20use serde::{Deserialize, Serialize};
21
22use super::workflow_bundle::WorkflowBundle;
23use super::workflow_patch::{bundle_capability_ceiling, CapabilityCeilingViolation};
24use super::CapabilityPolicy;
25
26#[derive(Clone, Debug)]
30pub enum NestedInvocationTarget<'a> {
31 WorkflowBundle(&'a WorkflowBundle),
33 HarnScript { path: &'a str, source: &'a str },
38 BurinHarness { manifest: &'a serde_json::Value },
43}
44
45#[derive(Clone, Debug, Default, Serialize, Deserialize, PartialEq, Eq)]
46pub struct NestedInvocationCeilingReport {
47 pub target_kind: String,
48 pub target_label: String,
49 pub parent: CapabilityPolicy,
50 pub requested: CapabilityPolicy,
51 pub violations: Vec<CapabilityCeilingViolation>,
52}
53
54impl NestedInvocationCeilingReport {
55 pub fn allowed(&self) -> bool {
56 self.violations.is_empty()
57 }
58}
59
60pub fn requested_ceiling_for_target(target: &NestedInvocationTarget<'_>) -> CapabilityPolicy {
65 match target {
66 NestedInvocationTarget::WorkflowBundle(bundle) => bundle_capability_ceiling(bundle),
67 NestedInvocationTarget::HarnScript { source, .. } => scan_harn_script_ceiling(source),
68 NestedInvocationTarget::BurinHarness { manifest } => scan_burin_manifest_ceiling(manifest),
69 }
70}
71
72pub fn enforce_nested_invocation_ceiling(
76 parent: &CapabilityPolicy,
77 target: &NestedInvocationTarget<'_>,
78) -> NestedInvocationCeilingReport {
79 let requested = requested_ceiling_for_target(target);
80 let violations = collect_violations(parent, &requested);
81 let (kind, label) = match target {
82 NestedInvocationTarget::WorkflowBundle(bundle) => {
83 ("workflow_bundle".to_string(), bundle.id.clone())
84 }
85 NestedInvocationTarget::HarnScript { path, .. } => {
86 ("harn_script".to_string(), path.to_string())
87 }
88 NestedInvocationTarget::BurinHarness { manifest } => {
89 let label = manifest
90 .get("id")
91 .and_then(|value| value.as_str())
92 .unwrap_or("<unknown>")
93 .to_string();
94 ("burin_harness".to_string(), label)
95 }
96 };
97 NestedInvocationCeilingReport {
98 target_kind: kind,
99 target_label: label,
100 parent: parent.clone(),
101 requested,
102 violations,
103 }
104}
105
106fn collect_violations(
107 parent: &CapabilityPolicy,
108 requested: &CapabilityPolicy,
109) -> Vec<CapabilityCeilingViolation> {
110 let mut violations = Vec::new();
111 if !parent.tools.is_empty() {
112 for tool in &requested.tools {
113 if !parent.tools.contains(tool) {
114 violations.push(CapabilityCeilingViolation {
115 kind: "tool".to_string(),
116 detail: format!("nested target requests tool '{tool}' outside parent ceiling"),
117 });
118 }
119 }
120 }
121 for (capability, ops) in &requested.capabilities {
122 match parent.capabilities.get(capability) {
123 Some(parent_ops) => {
124 for op in ops {
125 if !parent_ops.contains(op) {
126 violations.push(CapabilityCeilingViolation {
127 kind: "capability".to_string(),
128 detail: format!(
129 "nested target requests '{capability}.{op}' outside parent ceiling"
130 ),
131 });
132 }
133 }
134 }
135 None if !parent.capabilities.is_empty() => {
136 violations.push(CapabilityCeilingViolation {
137 kind: "capability".to_string(),
138 detail: format!(
139 "nested target requests capability '{capability}' outside parent ceiling"
140 ),
141 });
142 }
143 _ => {}
144 }
145 }
146 if let (Some(parent_level), Some(requested_level)) = (
147 parent.side_effect_level.as_deref(),
148 requested.side_effect_level.as_deref(),
149 ) {
150 if rank(requested_level) > rank(parent_level) {
151 violations.push(CapabilityCeilingViolation {
152 kind: "side_effect_level".to_string(),
153 detail: format!(
154 "nested target requests side_effect_level '{requested_level}' outside parent ceiling '{parent_level}'"
155 ),
156 });
157 }
158 }
159 if !parent.workspace_roots.is_empty() {
160 for root in &requested.workspace_roots {
161 if !parent.workspace_roots.contains(root) {
162 violations.push(CapabilityCeilingViolation {
163 kind: "workspace_root".to_string(),
164 detail: format!(
165 "nested target requests workspace_root '{root}' outside parent allowlist"
166 ),
167 });
168 }
169 }
170 }
171 if !parent.workspace_roots.is_empty() || !parent.read_only_roots.is_empty() {
175 for root in &requested.read_only_roots {
176 if !parent.workspace_roots.contains(root) && !parent.read_only_roots.contains(root) {
177 violations.push(CapabilityCeilingViolation {
178 kind: "read_only_root".to_string(),
179 detail: format!(
180 "nested target requests read_only_root '{root}' outside parent allowlist"
181 ),
182 });
183 }
184 }
185 }
186 violations
187}
188
189fn rank(level: &str) -> usize {
190 crate::tool_annotations::SideEffectLevel::rank_str(level)
191}
192
193fn scan_harn_script_ceiling(source: &str) -> CapabilityPolicy {
200 let stripped = strip_comments(source);
201 let mut capabilities: std::collections::BTreeMap<String, BTreeSet<String>> =
202 std::collections::BTreeMap::new();
203 let mut max_side_effect: Option<&'static str> = None;
204
205 for (token, capability, op, side_effect) in BUILTIN_CAPABILITIES {
206 if contains_call(&stripped, token) {
207 capabilities
208 .entry((*capability).to_string())
209 .or_default()
210 .insert((*op).to_string());
211 max_side_effect = match max_side_effect {
212 Some(current) if rank(current) >= rank(side_effect) => Some(current),
213 _ => Some(side_effect),
214 };
215 }
216 }
217
218 CapabilityPolicy {
219 tools: Vec::new(),
220 capabilities: capabilities
221 .into_iter()
222 .map(|(k, v)| (k, v.into_iter().collect()))
223 .collect(),
224 workspace_roots: Vec::new(),
225 read_only_roots: Vec::new(),
226 side_effect_level: max_side_effect.map(|level| level.to_string()),
227 recursion_limit: None,
228 tool_arg_constraints: Vec::new(),
229 tool_annotations: std::collections::BTreeMap::new(),
230 sandbox_profile: crate::orchestration::SandboxProfile::default(),
231 process_sandbox: Default::default(),
232 }
233}
234
235fn scan_burin_manifest_ceiling(manifest: &serde_json::Value) -> CapabilityPolicy {
236 if let Some(ceiling) = manifest.get("capability_ceiling") {
237 if let Ok(parsed) = serde_json::from_value::<CapabilityPolicy>(ceiling.clone()) {
238 return parsed;
239 }
240 }
241 let tools = manifest
242 .get("tools")
243 .and_then(|value| value.as_array())
244 .map(|tools| {
245 tools
246 .iter()
247 .filter_map(|tool| tool.as_str().map(str::to_string))
248 .collect::<Vec<_>>()
249 })
250 .unwrap_or_default();
251
252 CapabilityPolicy {
253 tools,
254 capabilities: std::collections::BTreeMap::new(),
255 workspace_roots: Vec::new(),
256 read_only_roots: Vec::new(),
257 side_effect_level: Some("network".to_string()),
258 recursion_limit: None,
259 tool_arg_constraints: Vec::new(),
260 tool_annotations: std::collections::BTreeMap::new(),
261 sandbox_profile: crate::orchestration::SandboxProfile::default(),
262 process_sandbox: Default::default(),
263 }
264}
265
266fn strip_comments(source: &str) -> String {
271 let mut out = String::with_capacity(source.len());
272 let mut in_block = false;
273 let mut chars = source.chars().peekable();
274 while let Some(c) = chars.next() {
275 if in_block {
276 if c == '*' && matches!(chars.peek(), Some('/')) {
277 chars.next();
278 in_block = false;
279 }
280 continue;
281 }
282 if c == '/' {
283 match chars.peek() {
284 Some('/') => {
285 for next in chars.by_ref() {
286 if next == '\n' {
287 out.push('\n');
288 break;
289 }
290 }
291 continue;
292 }
293 Some('*') => {
294 chars.next();
295 in_block = true;
296 continue;
297 }
298 _ => {}
299 }
300 }
301 if c == '#' {
302 for next in chars.by_ref() {
303 if next == '\n' {
304 out.push('\n');
305 break;
306 }
307 }
308 continue;
309 }
310 if c == '"' || c == '\'' {
311 out.push(' ');
312 let quote = c;
313 while let Some(next) = chars.next() {
314 if next == '\\' {
315 chars.next();
316 out.push(' ');
317 out.push(' ');
318 continue;
319 }
320 if next == quote {
321 out.push(' ');
322 break;
323 }
324 out.push(if next == '\n' { '\n' } else { ' ' });
325 }
326 continue;
327 }
328 out.push(c);
329 }
330 out
331}
332
333fn contains_call(source: &str, token: &str) -> bool {
334 let bytes = source.as_bytes();
335 let needle = token.as_bytes();
336 if bytes.len() < needle.len() + 1 {
337 return false;
338 }
339 let mut start = 0;
340 while let Some(pos) = find_subslice(&bytes[start..], needle) {
341 let absolute = start + pos;
342 let before = if absolute == 0 {
343 None
344 } else {
345 Some(bytes[absolute - 1])
346 };
347 let after = bytes.get(absolute + needle.len()).copied();
348 let valid_before = match before {
349 None => true,
350 Some(c) => !is_identifier_byte(c),
351 };
352 let valid_after = matches!(after, Some(b'(') | Some(b' ') | Some(b'\t'))
353 || matches!(after, Some(b'\n') | Some(b'\r'));
354 if valid_before && valid_after {
355 return true;
356 }
357 start = absolute + needle.len();
358 }
359 false
360}
361
362fn find_subslice(haystack: &[u8], needle: &[u8]) -> Option<usize> {
363 if needle.is_empty() || haystack.len() < needle.len() {
364 return None;
365 }
366 haystack
367 .windows(needle.len())
368 .position(|window| window == needle)
369}
370
371fn is_identifier_byte(b: u8) -> bool {
372 b.is_ascii_alphanumeric() || b == b'_'
373}
374
375const BUILTIN_CAPABILITIES: &[(&str, &str, &str, &str)] = &[
376 ("read_file", "workspace", "read_text", "read_only"),
377 ("read_file_result", "workspace", "read_text", "read_only"),
378 ("read_file_bytes", "workspace", "read_text", "read_only"),
379 (
380 "package_snapshot_open",
381 "workspace",
382 "read_text",
383 "read_only",
384 ),
385 ("render", "workspace", "read_text", "read_only"),
386 ("render_prompt", "workspace", "read_text", "read_only"),
387 (
388 "render_with_provenance",
389 "workspace",
390 "read_text",
391 "read_only",
392 ),
393 ("list_dir", "workspace", "list", "read_only"),
394 ("file_exists", "workspace", "exists", "read_only"),
395 ("path_status", "workspace", "exists", "read_only"),
396 ("stat", "workspace", "exists", "read_only"),
397 ("write_file", "workspace", "write_text", "workspace_write"),
398 (
399 "write_file_bytes",
400 "workspace",
401 "write_text",
402 "workspace_write",
403 ),
404 ("append_file", "workspace", "write_text", "workspace_write"),
405 ("mkdir", "workspace", "write_text", "workspace_write"),
406 ("copy_file", "workspace", "write_text", "workspace_write"),
407 ("delete_file", "workspace", "delete", "workspace_write"),
408 ("apply_edit", "workspace", "apply_edit", "workspace_write"),
409 ("exec", "process", "exec", "process_exec"),
410 ("exec_at", "process", "exec", "process_exec"),
411 ("shell", "process", "exec", "process_exec"),
412 ("shell_at", "process", "exec", "process_exec"),
413 ("http_get", "network", "http", "network"),
414 ("http_post", "network", "http", "network"),
415 ("http_put", "network", "http", "network"),
416 ("http_patch", "network", "http", "network"),
417 ("http_delete", "network", "http", "network"),
418 ("http_request", "network", "http", "network"),
419 ("http_download", "network", "http", "network"),
420 ("connector_call", "connector", "call", "network"),
421 ("secret_get", "connector", "secret_get", "read_only"),
422 ("llm_call", "llm", "call", "network"),
423 ("llm_call_safe", "llm", "call", "network"),
424 ("llm_completion", "llm", "call", "network"),
425 ("llm_stream", "llm", "call", "network"),
426 ("agent_loop", "llm", "call", "network"),
427 ("vision_ocr", "vision", "ocr", "process_exec"),
428 ("mcp_call", "process", "exec", "process_exec"),
429 ("mcp_connect", "process", "exec", "process_exec"),
430];
431
432#[cfg(test)]
433mod tests {
434 use super::*;
435 use std::collections::BTreeMap;
436
437 fn permissive_parent() -> CapabilityPolicy {
438 let mut capabilities = BTreeMap::new();
439 capabilities.insert(
440 "workspace".to_string(),
441 vec!["read_text".to_string(), "list".to_string()],
442 );
443 capabilities.insert("connector".to_string(), vec!["call".to_string()]);
444 capabilities.insert("process".to_string(), vec!["exec".to_string()]);
445 capabilities.insert("network".to_string(), vec!["http".to_string()]);
446 capabilities.insert("llm".to_string(), vec!["call".to_string()]);
447 CapabilityPolicy {
448 tools: Vec::new(),
449 capabilities,
450 workspace_roots: Vec::new(),
451 read_only_roots: Vec::new(),
452 side_effect_level: Some("network".to_string()),
453 recursion_limit: None,
454 tool_arg_constraints: Vec::new(),
455 tool_annotations: BTreeMap::new(),
456 sandbox_profile: crate::orchestration::SandboxProfile::default(),
457 process_sandbox: Default::default(),
458 }
459 }
460
461 fn read_only_parent() -> CapabilityPolicy {
462 let mut capabilities = BTreeMap::new();
463 capabilities.insert(
464 "workspace".to_string(),
465 vec![
466 "read_text".to_string(),
467 "list".to_string(),
468 "exists".to_string(),
469 ],
470 );
471 CapabilityPolicy {
472 tools: Vec::new(),
473 capabilities,
474 workspace_roots: Vec::new(),
475 read_only_roots: Vec::new(),
476 side_effect_level: Some("read_only".to_string()),
477 recursion_limit: None,
478 tool_arg_constraints: Vec::new(),
479 tool_annotations: BTreeMap::new(),
480 sandbox_profile: crate::orchestration::SandboxProfile::default(),
481 process_sandbox: Default::default(),
482 }
483 }
484
485 #[test]
486 fn harn_script_with_only_reads_passes_under_read_only_parent() {
487 let source = r#"
488 let body = read_file("README.md")
489 let exists = file_exists("Cargo.toml")
490 "#;
491 let report = enforce_nested_invocation_ceiling(
492 &read_only_parent(),
493 &NestedInvocationTarget::HarnScript {
494 path: "test.harn",
495 source,
496 },
497 );
498 assert!(report.allowed(), "{report:#?}");
499 }
500
501 #[test]
502 fn harn_script_with_exec_is_rejected_under_read_only_parent() {
503 let source = r#"
504 let result = exec("ls", ["-la"])
505 "#;
506 let report = enforce_nested_invocation_ceiling(
507 &read_only_parent(),
508 &NestedInvocationTarget::HarnScript {
509 path: "exec.harn",
510 source,
511 },
512 );
513 assert!(!report.allowed());
514 let kinds: Vec<&str> = report.violations.iter().map(|v| v.kind.as_str()).collect();
515 assert!(kinds.contains(&"capability"));
516 assert!(kinds.contains(&"side_effect_level"));
517 }
518
519 #[test]
520 fn harn_script_with_http_is_rejected_under_read_only_parent() {
521 let source = r#"
522 http_get("https://example.com")
523 "#;
524 let report = enforce_nested_invocation_ceiling(
525 &read_only_parent(),
526 &NestedInvocationTarget::HarnScript {
527 path: "http.harn",
528 source,
529 },
530 );
531 assert!(!report.allowed());
532 }
533
534 #[test]
535 fn harn_script_with_vision_ocr_is_rejected_under_read_only_parent() {
536 let source = r#"
537 vision_ocr("receipt.png")
538 "#;
539 let report = enforce_nested_invocation_ceiling(
540 &read_only_parent(),
541 &NestedInvocationTarget::HarnScript {
542 path: "vision.harn",
543 source,
544 },
545 );
546 assert!(!report.allowed());
547 let kinds: Vec<&str> = report.violations.iter().map(|v| v.kind.as_str()).collect();
548 assert!(kinds.contains(&"capability"));
549 assert!(kinds.contains(&"side_effect_level"));
550 }
551
552 #[test]
553 fn harn_script_keyword_inside_string_does_not_trigger() {
554 let source = r#"
555 let label = "exec is not invoked here"
556 let body = read_file("README.md")
557 "#;
558 let report = enforce_nested_invocation_ceiling(
559 &read_only_parent(),
560 &NestedInvocationTarget::HarnScript {
561 path: "string.harn",
562 source,
563 },
564 );
565 assert!(
566 report.allowed(),
567 "false positive on quoted token: {report:#?}"
568 );
569 }
570
571 #[test]
572 fn harn_script_keyword_in_comment_is_ignored() {
573 let source = r#"
574 // exec("rm -rf /") is a comment-only token and must not trip policy.
575 let x = read_file("README.md")
576 "#;
577 let report = enforce_nested_invocation_ceiling(
578 &read_only_parent(),
579 &NestedInvocationTarget::HarnScript {
580 path: "comments.harn",
581 source,
582 },
583 );
584 assert!(
585 report.allowed(),
586 "false positive on commented token: {report:#?}"
587 );
588 }
589
590 #[test]
591 fn workflow_bundle_with_act_auto_is_rejected_under_read_only_parent() {
592 let mut bundle = super::super::workflow_test_fixtures::pr_monitor_bundle();
593 bundle.policy.autonomy_tier = "act_auto".to_string();
594 let report = enforce_nested_invocation_ceiling(
595 &read_only_parent(),
596 &NestedInvocationTarget::WorkflowBundle(&bundle),
597 );
598 assert!(!report.allowed());
599 }
600
601 #[test]
602 fn burin_manifest_with_explicit_ceiling_is_used_directly() {
603 let manifest = serde_json::json!({
604 "id": "burin.harness.repair",
605 "capability_ceiling": {
606 "capabilities": {
607 "workspace": ["read_text"]
608 },
609 "side_effect_level": "read_only"
610 }
611 });
612 let report = enforce_nested_invocation_ceiling(
613 &read_only_parent(),
614 &NestedInvocationTarget::BurinHarness {
615 manifest: &manifest,
616 },
617 );
618 assert!(report.allowed(), "{report:#?}");
619 }
620
621 #[test]
622 fn burin_manifest_without_ceiling_falls_back_to_network_and_is_rejected() {
623 let manifest = serde_json::json!({"id": "burin.harness.unknown"});
624 let report = enforce_nested_invocation_ceiling(
625 &read_only_parent(),
626 &NestedInvocationTarget::BurinHarness {
627 manifest: &manifest,
628 },
629 );
630 assert!(!report.allowed());
631 }
632
633 #[test]
634 fn permissive_parent_accepts_workflow_bundle() {
635 let bundle = super::super::workflow_test_fixtures::pr_monitor_bundle();
636 let report = enforce_nested_invocation_ceiling(
637 &permissive_parent(),
638 &NestedInvocationTarget::WorkflowBundle(&bundle),
639 );
640 assert!(report.allowed(), "{report:#?}");
641 }
642}