Skip to main content

harn_vm/orchestration/
nested_invocation.rs

1//! Capability-ceiling guard for nested Harn invocations.
2//!
3//! When a script that already runs under a parent execution policy
4//! launches another Harn invocation — `harn run`, `harn workflow run`,
5//! `harn supervisor fire/replay`, or an embedding host — Harn must scan
6//! the target and reject anything that asks for *more* than the parent
7//! ceiling. This module hosts the scanner: it accepts a parent
8//! [`CapabilityPolicy`] plus a description of the nested target, and
9//! returns the list of dimensions where the target widens the parent.
10//!
11//! The scanner is deliberately conservative: when in doubt about what
12//! the target requests, it errs on the side of "ask for more" so the
13//! parent rejects rather than silently widens. It is the integration
14//! layer's job to wire this into the actual launch points (the `exec`,
15//! `shell`, `host_call` builtins, the workflow CLI, the supervisor
16//! API).
17
18use std::collections::BTreeSet;
19
20use serde::{Deserialize, Serialize};
21
22use super::workflow_bundle::WorkflowBundle;
23use super::workflow_patch::{bundle_capability_ceiling, CapabilityCeilingViolation};
24use super::CapabilityPolicy;
25
26/// One Harn invocation that could be launched from inside another.
27/// Each variant carries the data the scanner needs to project an
28/// effective requested ceiling.
29#[derive(Clone, Debug)]
30pub enum NestedInvocationTarget<'a> {
31    /// A `harn workflow run`-style invocation against a parsed bundle.
32    WorkflowBundle(&'a WorkflowBundle),
33    /// A `harn run`-style invocation against a Harn script source. The
34    /// scanner does a coarse string scan for builtins that require
35    /// elevated capabilities; that is enough to catch the obvious
36    /// widening attempts without forcing the AST into this layer.
37    HarnScript { path: &'a str, source: &'a str },
38    /// An embedding-host harness manifest. The scanner reads
39    /// `capability_ceiling` and `tools` if present, falling back to
40    /// "request everything" so the parent rejects unstructured
41    /// manifests rather than rubber-stamping them.
42    BurinHarness { manifest: &'a serde_json::Value },
43}
44
45#[derive(Clone, Debug, Default, Serialize, Deserialize, PartialEq, Eq)]
46pub struct NestedInvocationCeilingReport {
47    pub target_kind: String,
48    pub target_label: String,
49    pub parent: CapabilityPolicy,
50    pub requested: CapabilityPolicy,
51    pub violations: Vec<CapabilityCeilingViolation>,
52}
53
54impl NestedInvocationCeilingReport {
55    pub fn allowed(&self) -> bool {
56        self.violations.is_empty()
57    }
58}
59
60/// Compute the capability ceiling that running `target` would request
61/// of its parent runtime. This mirrors the projection used inside
62/// [`bundle_capability_ceiling`] so workflow bundles and standalone
63/// scripts share one comparison axis.
64pub fn requested_ceiling_for_target(target: &NestedInvocationTarget<'_>) -> CapabilityPolicy {
65    match target {
66        NestedInvocationTarget::WorkflowBundle(bundle) => bundle_capability_ceiling(bundle),
67        NestedInvocationTarget::HarnScript { source, .. } => scan_harn_script_ceiling(source),
68        NestedInvocationTarget::BurinHarness { manifest } => scan_burin_manifest_ceiling(manifest),
69    }
70}
71
72/// Enforce the parent ceiling against a nested invocation target.
73/// Returns a populated report; callers reject the launch if
74/// `report.allowed()` is false.
75pub fn enforce_nested_invocation_ceiling(
76    parent: &CapabilityPolicy,
77    target: &NestedInvocationTarget<'_>,
78) -> NestedInvocationCeilingReport {
79    let requested = requested_ceiling_for_target(target);
80    let violations = collect_violations(parent, &requested);
81    let (kind, label) = match target {
82        NestedInvocationTarget::WorkflowBundle(bundle) => {
83            ("workflow_bundle".to_string(), bundle.id.clone())
84        }
85        NestedInvocationTarget::HarnScript { path, .. } => {
86            ("harn_script".to_string(), path.to_string())
87        }
88        NestedInvocationTarget::BurinHarness { manifest } => {
89            let label = manifest
90                .get("id")
91                .and_then(|value| value.as_str())
92                .unwrap_or("<unknown>")
93                .to_string();
94            ("burin_harness".to_string(), label)
95        }
96    };
97    NestedInvocationCeilingReport {
98        target_kind: kind,
99        target_label: label,
100        parent: parent.clone(),
101        requested,
102        violations,
103    }
104}
105
106fn collect_violations(
107    parent: &CapabilityPolicy,
108    requested: &CapabilityPolicy,
109) -> Vec<CapabilityCeilingViolation> {
110    let mut violations = Vec::new();
111    if !parent.tools.is_empty() {
112        for tool in &requested.tools {
113            if !parent.tools.contains(tool) {
114                violations.push(CapabilityCeilingViolation {
115                    kind: "tool".to_string(),
116                    detail: format!("nested target requests tool '{tool}' outside parent ceiling"),
117                });
118            }
119        }
120    }
121    for (capability, ops) in &requested.capabilities {
122        match parent.capabilities.get(capability) {
123            Some(parent_ops) => {
124                for op in ops {
125                    if !parent_ops.contains(op) {
126                        violations.push(CapabilityCeilingViolation {
127                            kind: "capability".to_string(),
128                            detail: format!(
129                                "nested target requests '{capability}.{op}' outside parent ceiling"
130                            ),
131                        });
132                    }
133                }
134            }
135            None if !parent.capabilities.is_empty() => {
136                violations.push(CapabilityCeilingViolation {
137                    kind: "capability".to_string(),
138                    detail: format!(
139                        "nested target requests capability '{capability}' outside parent ceiling"
140                    ),
141                });
142            }
143            _ => {}
144        }
145    }
146    if let (Some(parent_level), Some(requested_level)) = (
147        parent.side_effect_level.as_deref(),
148        requested.side_effect_level.as_deref(),
149    ) {
150        if rank(requested_level) > rank(parent_level) {
151            violations.push(CapabilityCeilingViolation {
152                kind: "side_effect_level".to_string(),
153                detail: format!(
154                    "nested target requests side_effect_level '{requested_level}' outside parent ceiling '{parent_level}'"
155                ),
156            });
157        }
158    }
159    if !parent.workspace_roots.is_empty() {
160        for root in &requested.workspace_roots {
161            if !parent.workspace_roots.contains(root) {
162                violations.push(CapabilityCeilingViolation {
163                    kind: "workspace_root".to_string(),
164                    detail: format!(
165                        "nested target requests workspace_root '{root}' outside parent allowlist"
166                    ),
167                });
168            }
169        }
170    }
171    // A read-only root is in scope if the parent could read it — i.e. it
172    // is one of the parent's writable or read-only roots. The parent only
173    // bounds this dimension once it declares roots of either kind.
174    if !parent.workspace_roots.is_empty() || !parent.read_only_roots.is_empty() {
175        for root in &requested.read_only_roots {
176            if !parent.workspace_roots.contains(root) && !parent.read_only_roots.contains(root) {
177                violations.push(CapabilityCeilingViolation {
178                    kind: "read_only_root".to_string(),
179                    detail: format!(
180                        "nested target requests read_only_root '{root}' outside parent allowlist"
181                    ),
182                });
183            }
184        }
185    }
186    violations
187}
188
189fn rank(level: &str) -> usize {
190    crate::tool_annotations::SideEffectLevel::rank_str(level)
191}
192
193/// Coarse capability projection for a Harn script source. We look for
194/// stdlib builtin tokens (`exec`, `shell`, `http_*`, `write_file`,
195/// `connector_call`, `llm_call`, etc.) and project an `(operation,
196/// side_effect_level)` set that the parent must allow. This is not
197/// type-aware — it intentionally over-includes rather than miss a
198/// widening attempt.
199fn scan_harn_script_ceiling(source: &str) -> CapabilityPolicy {
200    let stripped = strip_comments(source);
201    let mut capabilities: std::collections::BTreeMap<String, BTreeSet<String>> =
202        std::collections::BTreeMap::new();
203    let mut max_side_effect: Option<&'static str> = None;
204
205    for (token, capability, op, side_effect) in BUILTIN_CAPABILITIES {
206        if contains_call(&stripped, token) {
207            capabilities
208                .entry((*capability).to_string())
209                .or_default()
210                .insert((*op).to_string());
211            max_side_effect = match max_side_effect {
212                Some(current) if rank(current) >= rank(side_effect) => Some(current),
213                _ => Some(side_effect),
214            };
215        }
216    }
217
218    CapabilityPolicy {
219        tools: Vec::new(),
220        capabilities: capabilities
221            .into_iter()
222            .map(|(k, v)| (k, v.into_iter().collect()))
223            .collect(),
224        workspace_roots: Vec::new(),
225        read_only_roots: Vec::new(),
226        side_effect_level: max_side_effect.map(|level| level.to_string()),
227        recursion_limit: None,
228        tool_arg_constraints: Vec::new(),
229        tool_annotations: std::collections::BTreeMap::new(),
230        sandbox_profile: crate::orchestration::SandboxProfile::default(),
231        process_sandbox: Default::default(),
232    }
233}
234
235fn scan_burin_manifest_ceiling(manifest: &serde_json::Value) -> CapabilityPolicy {
236    if let Some(ceiling) = manifest.get("capability_ceiling") {
237        if let Ok(parsed) = serde_json::from_value::<CapabilityPolicy>(ceiling.clone()) {
238            return parsed;
239        }
240    }
241    let tools = manifest
242        .get("tools")
243        .and_then(|value| value.as_array())
244        .map(|tools| {
245            tools
246                .iter()
247                .filter_map(|tool| tool.as_str().map(str::to_string))
248                .collect::<Vec<_>>()
249        })
250        .unwrap_or_default();
251
252    CapabilityPolicy {
253        tools,
254        capabilities: std::collections::BTreeMap::new(),
255        workspace_roots: Vec::new(),
256        read_only_roots: Vec::new(),
257        side_effect_level: Some("network".to_string()),
258        recursion_limit: None,
259        tool_arg_constraints: Vec::new(),
260        tool_annotations: std::collections::BTreeMap::new(),
261        sandbox_profile: crate::orchestration::SandboxProfile::default(),
262        process_sandbox: Default::default(),
263    }
264}
265
266/// Strip line/block comments and the contents of string literals so the
267/// builtin scanner only sees actual source identifiers. Quoted text is
268/// replaced with whitespace of the same length to keep byte offsets and
269/// line numbers stable for any future diagnostics.
270fn strip_comments(source: &str) -> String {
271    let mut out = String::with_capacity(source.len());
272    let mut in_block = false;
273    let mut chars = source.chars().peekable();
274    while let Some(c) = chars.next() {
275        if in_block {
276            if c == '*' && matches!(chars.peek(), Some('/')) {
277                chars.next();
278                in_block = false;
279            }
280            continue;
281        }
282        if c == '/' {
283            match chars.peek() {
284                Some('/') => {
285                    for next in chars.by_ref() {
286                        if next == '\n' {
287                            out.push('\n');
288                            break;
289                        }
290                    }
291                    continue;
292                }
293                Some('*') => {
294                    chars.next();
295                    in_block = true;
296                    continue;
297                }
298                _ => {}
299            }
300        }
301        if c == '#' {
302            for next in chars.by_ref() {
303                if next == '\n' {
304                    out.push('\n');
305                    break;
306                }
307            }
308            continue;
309        }
310        if c == '"' || c == '\'' {
311            out.push(' ');
312            let quote = c;
313            while let Some(next) = chars.next() {
314                if next == '\\' {
315                    chars.next();
316                    out.push(' ');
317                    out.push(' ');
318                    continue;
319                }
320                if next == quote {
321                    out.push(' ');
322                    break;
323                }
324                out.push(if next == '\n' { '\n' } else { ' ' });
325            }
326            continue;
327        }
328        out.push(c);
329    }
330    out
331}
332
333fn contains_call(source: &str, token: &str) -> bool {
334    let bytes = source.as_bytes();
335    let needle = token.as_bytes();
336    if bytes.len() < needle.len() + 1 {
337        return false;
338    }
339    let mut start = 0;
340    while let Some(pos) = find_subslice(&bytes[start..], needle) {
341        let absolute = start + pos;
342        let before = if absolute == 0 {
343            None
344        } else {
345            Some(bytes[absolute - 1])
346        };
347        let after = bytes.get(absolute + needle.len()).copied();
348        let valid_before = match before {
349            None => true,
350            Some(c) => !is_identifier_byte(c),
351        };
352        let valid_after = matches!(after, Some(b'(') | Some(b' ') | Some(b'\t'))
353            || matches!(after, Some(b'\n') | Some(b'\r'));
354        if valid_before && valid_after {
355            return true;
356        }
357        start = absolute + needle.len();
358    }
359    false
360}
361
362fn find_subslice(haystack: &[u8], needle: &[u8]) -> Option<usize> {
363    if needle.is_empty() || haystack.len() < needle.len() {
364        return None;
365    }
366    haystack
367        .windows(needle.len())
368        .position(|window| window == needle)
369}
370
371fn is_identifier_byte(b: u8) -> bool {
372    b.is_ascii_alphanumeric() || b == b'_'
373}
374
375const BUILTIN_CAPABILITIES: &[(&str, &str, &str, &str)] = &[
376    ("read_file", "workspace", "read_text", "read_only"),
377    ("read_file_result", "workspace", "read_text", "read_only"),
378    ("read_file_bytes", "workspace", "read_text", "read_only"),
379    ("render", "workspace", "read_text", "read_only"),
380    ("render_prompt", "workspace", "read_text", "read_only"),
381    (
382        "render_with_provenance",
383        "workspace",
384        "read_text",
385        "read_only",
386    ),
387    ("list_dir", "workspace", "list", "read_only"),
388    ("file_exists", "workspace", "exists", "read_only"),
389    ("path_status", "workspace", "exists", "read_only"),
390    ("stat", "workspace", "exists", "read_only"),
391    ("write_file", "workspace", "write_text", "workspace_write"),
392    (
393        "write_file_bytes",
394        "workspace",
395        "write_text",
396        "workspace_write",
397    ),
398    ("append_file", "workspace", "write_text", "workspace_write"),
399    ("mkdir", "workspace", "write_text", "workspace_write"),
400    ("copy_file", "workspace", "write_text", "workspace_write"),
401    ("delete_file", "workspace", "delete", "workspace_write"),
402    ("apply_edit", "workspace", "apply_edit", "workspace_write"),
403    ("exec", "process", "exec", "process_exec"),
404    ("exec_at", "process", "exec", "process_exec"),
405    ("shell", "process", "exec", "process_exec"),
406    ("shell_at", "process", "exec", "process_exec"),
407    ("http_get", "network", "http", "network"),
408    ("http_post", "network", "http", "network"),
409    ("http_put", "network", "http", "network"),
410    ("http_patch", "network", "http", "network"),
411    ("http_delete", "network", "http", "network"),
412    ("http_request", "network", "http", "network"),
413    ("http_download", "network", "http", "network"),
414    ("connector_call", "connector", "call", "network"),
415    ("secret_get", "connector", "secret_get", "read_only"),
416    ("llm_call", "llm", "call", "network"),
417    ("llm_call_safe", "llm", "call", "network"),
418    ("llm_completion", "llm", "call", "network"),
419    ("llm_stream", "llm", "call", "network"),
420    ("agent_loop", "llm", "call", "network"),
421    ("vision_ocr", "vision", "ocr", "process_exec"),
422    ("mcp_call", "process", "exec", "process_exec"),
423    ("mcp_connect", "process", "exec", "process_exec"),
424];
425
426#[cfg(test)]
427mod tests {
428    use super::*;
429    use std::collections::BTreeMap;
430
431    fn permissive_parent() -> CapabilityPolicy {
432        let mut capabilities = BTreeMap::new();
433        capabilities.insert(
434            "workspace".to_string(),
435            vec!["read_text".to_string(), "list".to_string()],
436        );
437        capabilities.insert("connector".to_string(), vec!["call".to_string()]);
438        capabilities.insert("process".to_string(), vec!["exec".to_string()]);
439        capabilities.insert("network".to_string(), vec!["http".to_string()]);
440        capabilities.insert("llm".to_string(), vec!["call".to_string()]);
441        CapabilityPolicy {
442            tools: Vec::new(),
443            capabilities,
444            workspace_roots: Vec::new(),
445            read_only_roots: Vec::new(),
446            side_effect_level: Some("network".to_string()),
447            recursion_limit: None,
448            tool_arg_constraints: Vec::new(),
449            tool_annotations: BTreeMap::new(),
450            sandbox_profile: crate::orchestration::SandboxProfile::default(),
451            process_sandbox: Default::default(),
452        }
453    }
454
455    fn read_only_parent() -> CapabilityPolicy {
456        let mut capabilities = BTreeMap::new();
457        capabilities.insert(
458            "workspace".to_string(),
459            vec![
460                "read_text".to_string(),
461                "list".to_string(),
462                "exists".to_string(),
463            ],
464        );
465        CapabilityPolicy {
466            tools: Vec::new(),
467            capabilities,
468            workspace_roots: Vec::new(),
469            read_only_roots: Vec::new(),
470            side_effect_level: Some("read_only".to_string()),
471            recursion_limit: None,
472            tool_arg_constraints: Vec::new(),
473            tool_annotations: BTreeMap::new(),
474            sandbox_profile: crate::orchestration::SandboxProfile::default(),
475            process_sandbox: Default::default(),
476        }
477    }
478
479    #[test]
480    fn harn_script_with_only_reads_passes_under_read_only_parent() {
481        let source = r#"
482            let body = read_file("README.md")
483            let exists = file_exists("Cargo.toml")
484        "#;
485        let report = enforce_nested_invocation_ceiling(
486            &read_only_parent(),
487            &NestedInvocationTarget::HarnScript {
488                path: "test.harn",
489                source,
490            },
491        );
492        assert!(report.allowed(), "{report:#?}");
493    }
494
495    #[test]
496    fn harn_script_with_exec_is_rejected_under_read_only_parent() {
497        let source = r#"
498            let result = exec("ls", ["-la"])
499        "#;
500        let report = enforce_nested_invocation_ceiling(
501            &read_only_parent(),
502            &NestedInvocationTarget::HarnScript {
503                path: "exec.harn",
504                source,
505            },
506        );
507        assert!(!report.allowed());
508        let kinds: Vec<&str> = report.violations.iter().map(|v| v.kind.as_str()).collect();
509        assert!(kinds.contains(&"capability"));
510        assert!(kinds.contains(&"side_effect_level"));
511    }
512
513    #[test]
514    fn harn_script_with_http_is_rejected_under_read_only_parent() {
515        let source = r#"
516            http_get("https://example.com")
517        "#;
518        let report = enforce_nested_invocation_ceiling(
519            &read_only_parent(),
520            &NestedInvocationTarget::HarnScript {
521                path: "http.harn",
522                source,
523            },
524        );
525        assert!(!report.allowed());
526    }
527
528    #[test]
529    fn harn_script_with_vision_ocr_is_rejected_under_read_only_parent() {
530        let source = r#"
531            vision_ocr("receipt.png")
532        "#;
533        let report = enforce_nested_invocation_ceiling(
534            &read_only_parent(),
535            &NestedInvocationTarget::HarnScript {
536                path: "vision.harn",
537                source,
538            },
539        );
540        assert!(!report.allowed());
541        let kinds: Vec<&str> = report.violations.iter().map(|v| v.kind.as_str()).collect();
542        assert!(kinds.contains(&"capability"));
543        assert!(kinds.contains(&"side_effect_level"));
544    }
545
546    #[test]
547    fn harn_script_keyword_inside_string_does_not_trigger() {
548        let source = r#"
549            let label = "exec is not invoked here"
550            let body = read_file("README.md")
551        "#;
552        let report = enforce_nested_invocation_ceiling(
553            &read_only_parent(),
554            &NestedInvocationTarget::HarnScript {
555                path: "string.harn",
556                source,
557            },
558        );
559        assert!(
560            report.allowed(),
561            "false positive on quoted token: {report:#?}"
562        );
563    }
564
565    #[test]
566    fn harn_script_keyword_in_comment_is_ignored() {
567        let source = r#"
568            // exec("rm -rf /") is a comment-only token and must not trip policy.
569            let x = read_file("README.md")
570        "#;
571        let report = enforce_nested_invocation_ceiling(
572            &read_only_parent(),
573            &NestedInvocationTarget::HarnScript {
574                path: "comments.harn",
575                source,
576            },
577        );
578        assert!(
579            report.allowed(),
580            "false positive on commented token: {report:#?}"
581        );
582    }
583
584    #[test]
585    fn workflow_bundle_with_act_auto_is_rejected_under_read_only_parent() {
586        let mut bundle = super::super::workflow_test_fixtures::pr_monitor_bundle();
587        bundle.policy.autonomy_tier = "act_auto".to_string();
588        let report = enforce_nested_invocation_ceiling(
589            &read_only_parent(),
590            &NestedInvocationTarget::WorkflowBundle(&bundle),
591        );
592        assert!(!report.allowed());
593    }
594
595    #[test]
596    fn burin_manifest_with_explicit_ceiling_is_used_directly() {
597        let manifest = serde_json::json!({
598            "id": "burin.harness.repair",
599            "capability_ceiling": {
600                "capabilities": {
601                    "workspace": ["read_text"]
602                },
603                "side_effect_level": "read_only"
604            }
605        });
606        let report = enforce_nested_invocation_ceiling(
607            &read_only_parent(),
608            &NestedInvocationTarget::BurinHarness {
609                manifest: &manifest,
610            },
611        );
612        assert!(report.allowed(), "{report:#?}");
613    }
614
615    #[test]
616    fn burin_manifest_without_ceiling_falls_back_to_network_and_is_rejected() {
617        let manifest = serde_json::json!({"id": "burin.harness.unknown"});
618        let report = enforce_nested_invocation_ceiling(
619            &read_only_parent(),
620            &NestedInvocationTarget::BurinHarness {
621                manifest: &manifest,
622            },
623        );
624        assert!(!report.allowed());
625    }
626
627    #[test]
628    fn permissive_parent_accepts_workflow_bundle() {
629        let bundle = super::super::workflow_test_fixtures::pr_monitor_bundle();
630        let report = enforce_nested_invocation_ceiling(
631            &permissive_parent(),
632            &NestedInvocationTarget::WorkflowBundle(&bundle),
633        );
634        assert!(report.allowed(), "{report:#?}");
635    }
636}