1use std::collections::BTreeSet;
19
20use serde::{Deserialize, Serialize};
21
22use super::workflow_bundle::WorkflowBundle;
23use super::workflow_patch::{bundle_capability_ceiling, CapabilityCeilingViolation};
24use super::CapabilityPolicy;
25
26#[derive(Clone, Debug)]
30pub enum NestedInvocationTarget<'a> {
31 WorkflowBundle(&'a WorkflowBundle),
33 HarnScript { path: &'a str, source: &'a str },
38 BurinHarness { manifest: &'a serde_json::Value },
43}
44
45#[derive(Clone, Debug, Default, Serialize, Deserialize, PartialEq, Eq)]
46pub struct NestedInvocationCeilingReport {
47 pub target_kind: String,
48 pub target_label: String,
49 pub parent: CapabilityPolicy,
50 pub requested: CapabilityPolicy,
51 pub violations: Vec<CapabilityCeilingViolation>,
52}
53
54impl NestedInvocationCeilingReport {
55 pub fn allowed(&self) -> bool {
56 self.violations.is_empty()
57 }
58}
59
60pub fn requested_ceiling_for_target(target: &NestedInvocationTarget<'_>) -> CapabilityPolicy {
65 match target {
66 NestedInvocationTarget::WorkflowBundle(bundle) => bundle_capability_ceiling(bundle),
67 NestedInvocationTarget::HarnScript { source, .. } => scan_harn_script_ceiling(source),
68 NestedInvocationTarget::BurinHarness { manifest } => scan_burin_manifest_ceiling(manifest),
69 }
70}
71
72pub fn enforce_nested_invocation_ceiling(
76 parent: &CapabilityPolicy,
77 target: &NestedInvocationTarget<'_>,
78) -> NestedInvocationCeilingReport {
79 let requested = requested_ceiling_for_target(target);
80 let violations = collect_violations(parent, &requested);
81 let (kind, label) = match target {
82 NestedInvocationTarget::WorkflowBundle(bundle) => {
83 ("workflow_bundle".to_string(), bundle.id.clone())
84 }
85 NestedInvocationTarget::HarnScript { path, .. } => {
86 ("harn_script".to_string(), path.to_string())
87 }
88 NestedInvocationTarget::BurinHarness { manifest } => {
89 let label = manifest
90 .get("id")
91 .and_then(|value| value.as_str())
92 .unwrap_or("<unknown>")
93 .to_string();
94 ("burin_harness".to_string(), label)
95 }
96 };
97 NestedInvocationCeilingReport {
98 target_kind: kind,
99 target_label: label,
100 parent: parent.clone(),
101 requested,
102 violations,
103 }
104}
105
106fn collect_violations(
107 parent: &CapabilityPolicy,
108 requested: &CapabilityPolicy,
109) -> Vec<CapabilityCeilingViolation> {
110 let mut violations = Vec::new();
111 if !parent.tools.is_empty() {
112 for tool in &requested.tools {
113 if !parent.tools.contains(tool) {
114 violations.push(CapabilityCeilingViolation {
115 kind: "tool".to_string(),
116 detail: format!("nested target requests tool '{tool}' outside parent ceiling"),
117 });
118 }
119 }
120 }
121 for (capability, ops) in &requested.capabilities {
122 match parent.capabilities.get(capability) {
123 Some(parent_ops) => {
124 for op in ops {
125 if !parent_ops.contains(op) {
126 violations.push(CapabilityCeilingViolation {
127 kind: "capability".to_string(),
128 detail: format!(
129 "nested target requests '{capability}.{op}' outside parent ceiling"
130 ),
131 });
132 }
133 }
134 }
135 None if !parent.capabilities.is_empty() => {
136 violations.push(CapabilityCeilingViolation {
137 kind: "capability".to_string(),
138 detail: format!(
139 "nested target requests capability '{capability}' outside parent ceiling"
140 ),
141 });
142 }
143 _ => {}
144 }
145 }
146 if let (Some(parent_level), Some(requested_level)) = (
147 parent.side_effect_level.as_deref(),
148 requested.side_effect_level.as_deref(),
149 ) {
150 if rank(requested_level) > rank(parent_level) {
151 violations.push(CapabilityCeilingViolation {
152 kind: "side_effect_level".to_string(),
153 detail: format!(
154 "nested target requests side_effect_level '{requested_level}' outside parent ceiling '{parent_level}'"
155 ),
156 });
157 }
158 }
159 if !parent.workspace_roots.is_empty() {
160 for root in &requested.workspace_roots {
161 if !parent.workspace_roots.contains(root) {
162 violations.push(CapabilityCeilingViolation {
163 kind: "workspace_root".to_string(),
164 detail: format!(
165 "nested target requests workspace_root '{root}' outside parent allowlist"
166 ),
167 });
168 }
169 }
170 }
171 if !parent.workspace_roots.is_empty() || !parent.read_only_roots.is_empty() {
175 for root in &requested.read_only_roots {
176 if !parent.workspace_roots.contains(root) && !parent.read_only_roots.contains(root) {
177 violations.push(CapabilityCeilingViolation {
178 kind: "read_only_root".to_string(),
179 detail: format!(
180 "nested target requests read_only_root '{root}' outside parent allowlist"
181 ),
182 });
183 }
184 }
185 }
186 violations
187}
188
189fn rank(level: &str) -> usize {
190 crate::tool_annotations::SideEffectLevel::rank_str(level)
191}
192
193fn scan_harn_script_ceiling(source: &str) -> CapabilityPolicy {
200 let stripped = strip_comments(source);
201 let mut capabilities: std::collections::BTreeMap<String, BTreeSet<String>> =
202 std::collections::BTreeMap::new();
203 let mut max_side_effect: Option<&'static str> = None;
204
205 for (token, capability, op, side_effect) in BUILTIN_CAPABILITIES {
206 if contains_call(&stripped, token) {
207 capabilities
208 .entry((*capability).to_string())
209 .or_default()
210 .insert((*op).to_string());
211 max_side_effect = match max_side_effect {
212 Some(current) if rank(current) >= rank(side_effect) => Some(current),
213 _ => Some(side_effect),
214 };
215 }
216 }
217
218 CapabilityPolicy {
219 tools: Vec::new(),
220 capabilities: capabilities
221 .into_iter()
222 .map(|(k, v)| (k, v.into_iter().collect()))
223 .collect(),
224 workspace_roots: Vec::new(),
225 read_only_roots: Vec::new(),
226 side_effect_level: max_side_effect.map(|level| level.to_string()),
227 recursion_limit: None,
228 tool_arg_constraints: Vec::new(),
229 tool_annotations: std::collections::BTreeMap::new(),
230 sandbox_profile: crate::orchestration::SandboxProfile::default(),
231 process_sandbox: Default::default(),
232 }
233}
234
235fn scan_burin_manifest_ceiling(manifest: &serde_json::Value) -> CapabilityPolicy {
236 if let Some(ceiling) = manifest.get("capability_ceiling") {
237 if let Ok(parsed) = serde_json::from_value::<CapabilityPolicy>(ceiling.clone()) {
238 return parsed;
239 }
240 }
241 let tools = manifest
242 .get("tools")
243 .and_then(|value| value.as_array())
244 .map(|tools| {
245 tools
246 .iter()
247 .filter_map(|tool| tool.as_str().map(str::to_string))
248 .collect::<Vec<_>>()
249 })
250 .unwrap_or_default();
251
252 CapabilityPolicy {
253 tools,
254 capabilities: std::collections::BTreeMap::new(),
255 workspace_roots: Vec::new(),
256 read_only_roots: Vec::new(),
257 side_effect_level: Some("network".to_string()),
258 recursion_limit: None,
259 tool_arg_constraints: Vec::new(),
260 tool_annotations: std::collections::BTreeMap::new(),
261 sandbox_profile: crate::orchestration::SandboxProfile::default(),
262 process_sandbox: Default::default(),
263 }
264}
265
266fn strip_comments(source: &str) -> String {
271 let mut out = String::with_capacity(source.len());
272 let mut in_block = false;
273 let mut chars = source.chars().peekable();
274 while let Some(c) = chars.next() {
275 if in_block {
276 if c == '*' && matches!(chars.peek(), Some('/')) {
277 chars.next();
278 in_block = false;
279 }
280 continue;
281 }
282 if c == '/' {
283 match chars.peek() {
284 Some('/') => {
285 for next in chars.by_ref() {
286 if next == '\n' {
287 out.push('\n');
288 break;
289 }
290 }
291 continue;
292 }
293 Some('*') => {
294 chars.next();
295 in_block = true;
296 continue;
297 }
298 _ => {}
299 }
300 }
301 if c == '#' {
302 for next in chars.by_ref() {
303 if next == '\n' {
304 out.push('\n');
305 break;
306 }
307 }
308 continue;
309 }
310 if c == '"' || c == '\'' {
311 out.push(' ');
312 let quote = c;
313 while let Some(next) = chars.next() {
314 if next == '\\' {
315 chars.next();
316 out.push(' ');
317 out.push(' ');
318 continue;
319 }
320 if next == quote {
321 out.push(' ');
322 break;
323 }
324 out.push(if next == '\n' { '\n' } else { ' ' });
325 }
326 continue;
327 }
328 out.push(c);
329 }
330 out
331}
332
333fn contains_call(source: &str, token: &str) -> bool {
334 let bytes = source.as_bytes();
335 let needle = token.as_bytes();
336 if bytes.len() < needle.len() + 1 {
337 return false;
338 }
339 let mut start = 0;
340 while let Some(pos) = find_subslice(&bytes[start..], needle) {
341 let absolute = start + pos;
342 let before = if absolute == 0 {
343 None
344 } else {
345 Some(bytes[absolute - 1])
346 };
347 let after = bytes.get(absolute + needle.len()).copied();
348 let valid_before = match before {
349 None => true,
350 Some(c) => !is_identifier_byte(c),
351 };
352 let valid_after = matches!(after, Some(b'(') | Some(b' ') | Some(b'\t'))
353 || matches!(after, Some(b'\n') | Some(b'\r'));
354 if valid_before && valid_after {
355 return true;
356 }
357 start = absolute + needle.len();
358 }
359 false
360}
361
362fn find_subslice(haystack: &[u8], needle: &[u8]) -> Option<usize> {
363 if needle.is_empty() || haystack.len() < needle.len() {
364 return None;
365 }
366 haystack
367 .windows(needle.len())
368 .position(|window| window == needle)
369}
370
371fn is_identifier_byte(b: u8) -> bool {
372 b.is_ascii_alphanumeric() || b == b'_'
373}
374
375const BUILTIN_CAPABILITIES: &[(&str, &str, &str, &str)] = &[
376 ("read_file", "workspace", "read_text", "read_only"),
377 ("read_file_result", "workspace", "read_text", "read_only"),
378 ("read_file_bytes", "workspace", "read_text", "read_only"),
379 ("render", "workspace", "read_text", "read_only"),
380 ("render_prompt", "workspace", "read_text", "read_only"),
381 (
382 "render_with_provenance",
383 "workspace",
384 "read_text",
385 "read_only",
386 ),
387 ("list_dir", "workspace", "list", "read_only"),
388 ("file_exists", "workspace", "exists", "read_only"),
389 ("path_status", "workspace", "exists", "read_only"),
390 ("stat", "workspace", "exists", "read_only"),
391 ("write_file", "workspace", "write_text", "workspace_write"),
392 (
393 "write_file_bytes",
394 "workspace",
395 "write_text",
396 "workspace_write",
397 ),
398 ("append_file", "workspace", "write_text", "workspace_write"),
399 ("mkdir", "workspace", "write_text", "workspace_write"),
400 ("copy_file", "workspace", "write_text", "workspace_write"),
401 ("delete_file", "workspace", "delete", "workspace_write"),
402 ("apply_edit", "workspace", "apply_edit", "workspace_write"),
403 ("exec", "process", "exec", "process_exec"),
404 ("exec_at", "process", "exec", "process_exec"),
405 ("shell", "process", "exec", "process_exec"),
406 ("shell_at", "process", "exec", "process_exec"),
407 ("http_get", "network", "http", "network"),
408 ("http_post", "network", "http", "network"),
409 ("http_put", "network", "http", "network"),
410 ("http_patch", "network", "http", "network"),
411 ("http_delete", "network", "http", "network"),
412 ("http_request", "network", "http", "network"),
413 ("http_download", "network", "http", "network"),
414 ("connector_call", "connector", "call", "network"),
415 ("secret_get", "connector", "secret_get", "read_only"),
416 ("llm_call", "llm", "call", "network"),
417 ("llm_call_safe", "llm", "call", "network"),
418 ("llm_completion", "llm", "call", "network"),
419 ("llm_stream", "llm", "call", "network"),
420 ("agent_loop", "llm", "call", "network"),
421 ("vision_ocr", "vision", "ocr", "process_exec"),
422 ("mcp_call", "process", "exec", "process_exec"),
423 ("mcp_connect", "process", "exec", "process_exec"),
424];
425
426#[cfg(test)]
427mod tests {
428 use super::*;
429 use std::collections::BTreeMap;
430
431 fn permissive_parent() -> CapabilityPolicy {
432 let mut capabilities = BTreeMap::new();
433 capabilities.insert(
434 "workspace".to_string(),
435 vec!["read_text".to_string(), "list".to_string()],
436 );
437 capabilities.insert("connector".to_string(), vec!["call".to_string()]);
438 capabilities.insert("process".to_string(), vec!["exec".to_string()]);
439 capabilities.insert("network".to_string(), vec!["http".to_string()]);
440 capabilities.insert("llm".to_string(), vec!["call".to_string()]);
441 CapabilityPolicy {
442 tools: Vec::new(),
443 capabilities,
444 workspace_roots: Vec::new(),
445 read_only_roots: Vec::new(),
446 side_effect_level: Some("network".to_string()),
447 recursion_limit: None,
448 tool_arg_constraints: Vec::new(),
449 tool_annotations: BTreeMap::new(),
450 sandbox_profile: crate::orchestration::SandboxProfile::default(),
451 process_sandbox: Default::default(),
452 }
453 }
454
455 fn read_only_parent() -> CapabilityPolicy {
456 let mut capabilities = BTreeMap::new();
457 capabilities.insert(
458 "workspace".to_string(),
459 vec![
460 "read_text".to_string(),
461 "list".to_string(),
462 "exists".to_string(),
463 ],
464 );
465 CapabilityPolicy {
466 tools: Vec::new(),
467 capabilities,
468 workspace_roots: Vec::new(),
469 read_only_roots: Vec::new(),
470 side_effect_level: Some("read_only".to_string()),
471 recursion_limit: None,
472 tool_arg_constraints: Vec::new(),
473 tool_annotations: BTreeMap::new(),
474 sandbox_profile: crate::orchestration::SandboxProfile::default(),
475 process_sandbox: Default::default(),
476 }
477 }
478
479 #[test]
480 fn harn_script_with_only_reads_passes_under_read_only_parent() {
481 let source = r#"
482 let body = read_file("README.md")
483 let exists = file_exists("Cargo.toml")
484 "#;
485 let report = enforce_nested_invocation_ceiling(
486 &read_only_parent(),
487 &NestedInvocationTarget::HarnScript {
488 path: "test.harn",
489 source,
490 },
491 );
492 assert!(report.allowed(), "{report:#?}");
493 }
494
495 #[test]
496 fn harn_script_with_exec_is_rejected_under_read_only_parent() {
497 let source = r#"
498 let result = exec("ls", ["-la"])
499 "#;
500 let report = enforce_nested_invocation_ceiling(
501 &read_only_parent(),
502 &NestedInvocationTarget::HarnScript {
503 path: "exec.harn",
504 source,
505 },
506 );
507 assert!(!report.allowed());
508 let kinds: Vec<&str> = report.violations.iter().map(|v| v.kind.as_str()).collect();
509 assert!(kinds.contains(&"capability"));
510 assert!(kinds.contains(&"side_effect_level"));
511 }
512
513 #[test]
514 fn harn_script_with_http_is_rejected_under_read_only_parent() {
515 let source = r#"
516 http_get("https://example.com")
517 "#;
518 let report = enforce_nested_invocation_ceiling(
519 &read_only_parent(),
520 &NestedInvocationTarget::HarnScript {
521 path: "http.harn",
522 source,
523 },
524 );
525 assert!(!report.allowed());
526 }
527
528 #[test]
529 fn harn_script_with_vision_ocr_is_rejected_under_read_only_parent() {
530 let source = r#"
531 vision_ocr("receipt.png")
532 "#;
533 let report = enforce_nested_invocation_ceiling(
534 &read_only_parent(),
535 &NestedInvocationTarget::HarnScript {
536 path: "vision.harn",
537 source,
538 },
539 );
540 assert!(!report.allowed());
541 let kinds: Vec<&str> = report.violations.iter().map(|v| v.kind.as_str()).collect();
542 assert!(kinds.contains(&"capability"));
543 assert!(kinds.contains(&"side_effect_level"));
544 }
545
546 #[test]
547 fn harn_script_keyword_inside_string_does_not_trigger() {
548 let source = r#"
549 let label = "exec is not invoked here"
550 let body = read_file("README.md")
551 "#;
552 let report = enforce_nested_invocation_ceiling(
553 &read_only_parent(),
554 &NestedInvocationTarget::HarnScript {
555 path: "string.harn",
556 source,
557 },
558 );
559 assert!(
560 report.allowed(),
561 "false positive on quoted token: {report:#?}"
562 );
563 }
564
565 #[test]
566 fn harn_script_keyword_in_comment_is_ignored() {
567 let source = r#"
568 // exec("rm -rf /") is a comment-only token and must not trip policy.
569 let x = read_file("README.md")
570 "#;
571 let report = enforce_nested_invocation_ceiling(
572 &read_only_parent(),
573 &NestedInvocationTarget::HarnScript {
574 path: "comments.harn",
575 source,
576 },
577 );
578 assert!(
579 report.allowed(),
580 "false positive on commented token: {report:#?}"
581 );
582 }
583
584 #[test]
585 fn workflow_bundle_with_act_auto_is_rejected_under_read_only_parent() {
586 let mut bundle = super::super::workflow_test_fixtures::pr_monitor_bundle();
587 bundle.policy.autonomy_tier = "act_auto".to_string();
588 let report = enforce_nested_invocation_ceiling(
589 &read_only_parent(),
590 &NestedInvocationTarget::WorkflowBundle(&bundle),
591 );
592 assert!(!report.allowed());
593 }
594
595 #[test]
596 fn burin_manifest_with_explicit_ceiling_is_used_directly() {
597 let manifest = serde_json::json!({
598 "id": "burin.harness.repair",
599 "capability_ceiling": {
600 "capabilities": {
601 "workspace": ["read_text"]
602 },
603 "side_effect_level": "read_only"
604 }
605 });
606 let report = enforce_nested_invocation_ceiling(
607 &read_only_parent(),
608 &NestedInvocationTarget::BurinHarness {
609 manifest: &manifest,
610 },
611 );
612 assert!(report.allowed(), "{report:#?}");
613 }
614
615 #[test]
616 fn burin_manifest_without_ceiling_falls_back_to_network_and_is_rejected() {
617 let manifest = serde_json::json!({"id": "burin.harness.unknown"});
618 let report = enforce_nested_invocation_ceiling(
619 &read_only_parent(),
620 &NestedInvocationTarget::BurinHarness {
621 manifest: &manifest,
622 },
623 );
624 assert!(!report.allowed());
625 }
626
627 #[test]
628 fn permissive_parent_accepts_workflow_bundle() {
629 let bundle = super::super::workflow_test_fixtures::pr_monitor_bundle();
630 let report = enforce_nested_invocation_ceiling(
631 &permissive_parent(),
632 &NestedInvocationTarget::WorkflowBundle(&bundle),
633 );
634 assert!(report.allowed(), "{report:#?}");
635 }
636}