1mod approval_rules;
4mod effects;
5mod nested_budget;
6mod types;
7
8use crate::value::VmDictExt;
9use std::cell::RefCell;
10use std::collections::BTreeMap;
11use std::thread_local;
12
13use serde::{Deserialize, Serialize};
14
15use crate::runtime_limits::RuntimeLimits;
16use crate::tool_annotations::{SideEffectLevel, ToolAnnotations};
17use crate::value::{VmError, VmValue};
18use crate::workspace_path::{classify_workspace_path, WorkspacePathInfo};
19
20pub use crate::tool_annotations::{ToolArgSchema, ToolKind};
21pub use approval_rules::{
22 clear_all_approval_policy_repeat_counts, clear_approval_policy_repeat_counts,
23 next_approval_policy_repeat_count, ApprovalShape, PolicyAction, PolicyEvaluation,
24 PolicyMatchedRule, PolicyRule, PolicyRuleMatch,
25};
26pub use effects::{
27 compute_handoff_effects, effect_kind_label, effect_record_summary, effect_subset_violations,
28 effects_from_metadata, EffectKind, EffectRecord, EffectScope,
29};
30pub use nested_budget::{
31 annotate_nested_execution_options, enter_nested_execution_policy, NestedExecutionGuard,
32 NestedExecutionKind, NESTED_KIND_OPTION_KEY, NESTED_LABEL_OPTION_KEY,
33};
34pub use types::{
35 enforce_tool_arg_constraints, AutoCompactPolicy, BranchSemantics, CapabilityPolicy,
36 ContextPolicy, EqIgnored, EscalationPolicy, FeedbackBounds, FeedbackPolicy, JoinPolicy,
37 MapPolicy, ModelPolicy, NativeToolFallbackPolicy, ProcessSandboxPolicy, ProcessSandboxPreset,
38 ReducePolicy, RetryPolicy, SandboxProfile, StageContract, ToolArgConstraint, TurnPolicy,
39};
40
41thread_local! {
42 static EXECUTION_POLICY_STACK: RefCell<Vec<CapabilityPolicy>> = const { RefCell::new(Vec::new()) };
43 static EXECUTION_APPROVAL_POLICY_STACK: RefCell<Vec<ToolApprovalPolicy>> = const { RefCell::new(Vec::new()) };
44 static TRUSTED_BRIDGE_CALL_DEPTH: RefCell<usize> = const { RefCell::new(0) };
45}
46
47pub fn push_execution_policy(policy: CapabilityPolicy) {
48 EXECUTION_POLICY_STACK.with(|stack| stack.borrow_mut().push(policy));
49}
50
51pub fn pop_execution_policy() {
52 EXECUTION_POLICY_STACK.with(|stack| {
53 stack.borrow_mut().pop();
54 });
55}
56
57pub fn clear_execution_policy_stacks() {
58 EXECUTION_POLICY_STACK.with(|stack| stack.borrow_mut().clear());
59 EXECUTION_APPROVAL_POLICY_STACK.with(|stack| stack.borrow_mut().clear());
60 TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| *depth.borrow_mut() = 0);
61}
62
63pub fn current_execution_policy() -> Option<CapabilityPolicy> {
64 EXECUTION_POLICY_STACK.with(|stack| stack.borrow().last().cloned())
65}
66
67pub fn execution_policy_active() -> bool {
72 EXECUTION_POLICY_STACK.with(|stack| !stack.borrow().is_empty())
73}
74
75pub fn push_approval_policy(policy: ToolApprovalPolicy) {
76 EXECUTION_APPROVAL_POLICY_STACK.with(|stack| stack.borrow_mut().push(policy));
77}
78
79pub fn pop_approval_policy() {
80 EXECUTION_APPROVAL_POLICY_STACK.with(|stack| {
81 stack.borrow_mut().pop();
82 });
83}
84
85pub fn current_approval_policy() -> Option<ToolApprovalPolicy> {
86 EXECUTION_APPROVAL_POLICY_STACK.with(|stack| stack.borrow().last().cloned())
87}
88
89pub(crate) fn swap_execution_policy_stack(next: Vec<CapabilityPolicy>) -> Vec<CapabilityPolicy> {
102 EXECUTION_POLICY_STACK.with(|stack| std::mem::replace(&mut *stack.borrow_mut(), next))
103}
104
105pub(crate) fn swap_approval_policy_stack(next: Vec<ToolApprovalPolicy>) -> Vec<ToolApprovalPolicy> {
106 EXECUTION_APPROVAL_POLICY_STACK.with(|stack| std::mem::replace(&mut *stack.borrow_mut(), next))
107}
108
109pub(crate) fn swap_trusted_bridge_depth(next: usize) -> usize {
110 TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| std::mem::replace(&mut *depth.borrow_mut(), next))
111}
112
113pub fn current_tool_annotations(tool: &str) -> Option<ToolAnnotations> {
114 current_execution_policy().and_then(|policy| policy.tool_annotations.get(tool).cloned())
115}
116
117pub fn current_allowed_tool_names() -> Vec<String> {
125 let Some(policy) = current_execution_policy() else {
126 return Vec::new();
127 };
128 if !policy.tools.is_empty() {
129 return policy.tools;
130 }
131 policy.tool_annotations.keys().cloned().collect()
132}
133
134pub(super) fn tool_kind_participates_in_write_allowlist(tool_name: &str) -> bool {
135 current_tool_annotations(tool_name)
136 .map(|annotations| !annotations.kind.is_read_only())
137 .unwrap_or(true)
138}
139
140pub struct TrustedBridgeCallGuard;
141
142pub fn allow_trusted_bridge_calls() -> TrustedBridgeCallGuard {
143 TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| {
144 *depth.borrow_mut() += 1;
145 });
146 TrustedBridgeCallGuard
147}
148
149impl Drop for TrustedBridgeCallGuard {
150 fn drop(&mut self) {
151 TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| {
152 let mut depth = depth.borrow_mut();
153 *depth = depth.saturating_sub(1);
154 });
155 }
156}
157
158fn policy_allows_tool(policy: &CapabilityPolicy, tool: &str) -> bool {
159 policy.tools.is_empty() || policy.tools.iter().any(|allowed| allowed == tool)
160}
161
162fn policy_grants_capability(policy: &CapabilityPolicy, capability: &str, op: &str) -> bool {
163 policy
164 .capabilities
165 .get(capability)
166 .is_some_and(|ops| ops.is_empty() || ops.iter().any(|allowed| allowed == op))
167}
168
169fn policy_allows_capability(policy: &CapabilityPolicy, capability: &str, op: &str) -> bool {
170 if policy.capabilities.is_empty() {
171 return true;
173 }
174 if policy_grants_capability(policy, capability, op) {
175 return true;
176 }
177 if capability == "workspace" && op == "exists" {
189 return policy_grants_capability(policy, "workspace", "read_text")
190 || policy_grants_capability(policy, "workspace", "list");
191 }
192 false
193}
194
195fn policy_allows_side_effect(policy: &CapabilityPolicy, requested: &str) -> bool {
196 let requested_rank = SideEffectLevel::rank_str(requested);
202 policy
203 .side_effect_level
204 .as_ref()
205 .map(|allowed| SideEffectLevel::rank_str(allowed) >= requested_rank)
206 .unwrap_or(true)
207}
208
209pub(super) fn reject_policy(reason: String) -> Result<(), VmError> {
210 Err(VmError::CategorizedError {
211 message: reason,
212 category: crate::value::ErrorCategory::ToolRejected,
213 })
214}
215
216#[derive(Clone, Debug, PartialEq, Eq)]
223pub struct PolicyDenial {
224 pub gate: crate::agent_events::DenialGate,
225 pub capability: Option<String>,
226 pub reason: String,
227}
228
229impl From<PolicyDenial> for VmError {
230 fn from(denial: PolicyDenial) -> Self {
231 VmError::CategorizedError {
232 message: denial.reason,
233 category: crate::value::ErrorCategory::ToolRejected,
234 }
235 }
236}
237
238pub(super) fn reject_tool(
239 gate: crate::agent_events::DenialGate,
240 capability: Option<String>,
241 reason: String,
242) -> Result<(), PolicyDenial> {
243 Err(PolicyDenial {
244 gate,
245 capability,
246 reason,
247 })
248}
249
250pub fn current_tool_mutation_classification(tool_name: &str) -> String {
255 current_tool_annotations(tool_name)
256 .map(|annotations| annotations.kind.mutation_class().to_string())
257 .unwrap_or_else(|| "other".to_string())
258}
259
260pub fn current_tool_declared_paths(tool_name: &str, args: &serde_json::Value) -> Vec<String> {
264 current_tool_declared_path_entries(tool_name, args)
265 .into_iter()
266 .map(|entry| entry.display_path().to_string())
267 .collect()
268}
269
270pub fn current_tool_declared_path_entries(
275 tool_name: &str,
276 args: &serde_json::Value,
277) -> Vec<WorkspacePathInfo> {
278 let Some(map) = args.as_object() else {
279 return Vec::new();
280 };
281 let Some(annotations) = current_tool_annotations(tool_name) else {
282 return Vec::new();
283 };
284 let workspace_root = crate::stdlib::process::execution_root_path();
285 let mut entries = Vec::new();
286 for key in &annotations.arg_schema.path_params {
287 if let Some(value) = map.get(key) {
288 match value {
289 serde_json::Value::String(path) if !path.is_empty() => {
290 entries.push(classify_workspace_path(path, Some(&workspace_root)));
291 }
292 serde_json::Value::Array(items) => {
293 for item in items.iter().filter_map(|item| item.as_str()) {
294 if !item.is_empty() {
295 entries.push(classify_workspace_path(item, Some(&workspace_root)));
296 }
297 }
298 }
299 _ => {}
300 }
301 }
302 }
303 entries.sort_by(|a, b| a.display_path().cmp(b.display_path()));
304 entries.dedup_by(|left, right| left.policy_candidates() == right.policy_candidates());
305 entries
306}
307
308pub fn enforce_current_policy_for_builtin(name: &str, args: &[VmValue]) -> Result<(), VmError> {
309 let Some(policy) = current_execution_policy() else {
310 return Ok(());
311 };
312 match name {
313 "find_text"
314 if !policy_allows_capability(&policy, "workspace", "read_text")
315 || !policy_allows_capability(&policy, "workspace", "list") =>
316 {
317 return reject_policy(
318 "builtin 'find_text' exceeds workspace.read_text/workspace.list ceiling"
319 .to_string(),
320 );
321 }
322 "read_file"
323 | "read_file_result"
324 | "read_file_bytes"
325 | "render"
326 | "render_prompt"
327 | "render_with_provenance"
328 | "read_lines"
329 if !policy_allows_capability(&policy, "workspace", "read_text") =>
330 {
331 return reject_policy(format!(
332 "builtin '{name}' exceeds workspace.read_text ceiling"
333 ));
334 }
335 "list_dir" | "walk_dir" | "glob"
336 if !policy_allows_capability(&policy, "workspace", "list") =>
337 {
338 return reject_policy(format!("builtin '{name}' exceeds workspace.list ceiling"));
339 }
340 "file_exists" | "stat" if !policy_allows_capability(&policy, "workspace", "exists") => {
341 return reject_policy(format!("builtin '{name}' exceeds workspace.exists ceiling"));
342 }
343 "write_file" | "write_file_bytes" | "append_file" | "mkdir" | "copy_file" | "move_file"
344 if !policy_allows_capability(&policy, "workspace", "write_text")
345 || !policy_allows_side_effect(&policy, "workspace_write") =>
346 {
347 return reject_policy(format!("builtin '{name}' exceeds workspace write ceiling"));
348 }
349 "delete_file"
350 if !policy_allows_capability(&policy, "workspace", "delete")
351 || !policy_allows_side_effect(&policy, "workspace_write") =>
352 {
353 return reject_policy(
354 "builtin 'delete_file' exceeds workspace.delete ceiling".to_string(),
355 );
356 }
357 "apply_edit"
358 if !policy_allows_capability(&policy, "workspace", "apply_edit")
359 || !policy_allows_side_effect(&policy, "workspace_write") =>
360 {
361 return reject_policy(
362 "builtin 'apply_edit' exceeds workspace.apply_edit ceiling".to_string(),
363 );
364 }
365 "exec"
366 | "exec_at"
367 | "shell"
368 | "shell_at"
369 | "git.repo.discover"
370 | "git.worktree.create"
371 | "git.worktree.remove"
372 | "git.fetch"
373 | "git.rebase"
374 | "git.status"
375 | "git.conflicts"
376 | "git.push"
377 | "git.diff"
378 | "git.merge_base"
379 if !policy_allows_capability(&policy, "process", "exec")
380 || !policy_allows_side_effect(&policy, "process_exec") =>
381 {
382 return reject_policy(format!("builtin '{name}' exceeds process.exec ceiling"));
383 }
384 "http_get"
385 | "http_post"
386 | "http_put"
387 | "http_patch"
388 | "http_delete"
389 | "http_download"
390 | "http_request"
391 | "unix_socket_json_request"
392 | "__net_unix_socket_json_request"
393 if !policy_allows_side_effect(&policy, "network") =>
394 {
395 return reject_policy(format!("builtin '{name}' exceeds network ceiling"));
396 }
397 "__files_upload"
398 if !policy_allows_capability(&policy, "workspace", "read_text")
399 || !policy_allows_side_effect(&policy, "network") =>
400 {
401 return reject_policy(
402 "builtin '__files_upload' exceeds workspace.read_text/network ceiling".to_string(),
403 );
404 }
405 "http_session_request"
406 | "http_stream_open"
407 | "http_stream_read"
408 | "http_stream_close"
409 | "http_stream_info"
410 | "sse_connect"
411 | "sse_receive"
412 | "websocket_accept"
413 | "websocket_connect"
414 | "websocket_route"
415 | "websocket_send"
416 | "websocket_receive"
417 | "websocket_server"
418 if !policy_allows_side_effect(&policy, "network") =>
419 {
420 return reject_policy(format!("builtin '{name}' exceeds network ceiling"));
421 }
422 "llm_call" | "llm_call_safe" | "llm_completion" | "llm_stream" | "llm_stream_call"
423 | "llm_healthcheck" | "agent_loop"
424 if !policy_allows_capability(&policy, "llm", "call") =>
425 {
426 return reject_policy(format!("builtin '{name}' exceeds llm.call ceiling"));
427 }
428 "connector_call"
429 if !policy_allows_capability(&policy, "connector", "call")
430 || !policy_allows_side_effect(&policy, "network") =>
431 {
432 return reject_policy(
433 "builtin 'connector_call' exceeds connector.call/network ceiling".to_string(),
434 );
435 }
436 "secret_get" if !policy_allows_capability(&policy, "connector", "secret_get") => {
437 return reject_policy(
438 "builtin 'secret_get' exceeds connector.secret_get ceiling".to_string(),
439 );
440 }
441 "event_log_emit" if !policy_allows_capability(&policy, "connector", "event_log_emit") => {
442 return reject_policy(
443 "builtin 'event_log_emit' exceeds connector.event_log_emit ceiling".to_string(),
444 );
445 }
446 "metrics_inc" if !policy_allows_capability(&policy, "connector", "metrics_inc") => {
447 return reject_policy(
448 "builtin 'metrics_inc' exceeds connector.metrics_inc ceiling".to_string(),
449 );
450 }
451 "project_fingerprint"
452 | "project_context_profile_native"
453 | "project_scan_native"
454 | "project_scan_tree_native"
455 | "project_walk_tree_native"
456 | "project_catalog_native"
457 if !policy_allows_capability(&policy, "workspace", "list")
458 || !policy_allows_side_effect(&policy, "read_only") =>
459 {
460 return reject_policy(format!("builtin '{name}' exceeds workspace.list ceiling"));
461 }
462 "__agent_state_init"
463 | "__agent_state_resume"
464 | "__agent_state_write"
465 | "__agent_state_read"
466 | "__agent_state_list"
467 | "__agent_state_delete"
468 | "__agent_state_handoff"
469 if !policy_allows_capability(&policy, "agent_state", "access") =>
470 {
471 return reject_policy(format!(
472 "builtin '{name}' exceeds agent_state.access ceiling"
473 ));
474 }
475 "vision_ocr"
476 if !policy_allows_capability(&policy, "vision", "ocr")
477 || !policy_allows_side_effect(&policy, "process_exec") =>
478 {
479 return reject_policy(format!(
480 "builtin '{name}' exceeds vision.ocr/process ceiling"
481 ));
482 }
483 "mcp_connect"
484 | "mcp_ensure_active"
485 | "mcp_call"
486 | "mcp_list_tools"
487 | "mcp_list_resources"
488 | "mcp_list_resource_templates"
489 | "mcp_read_resource"
490 | "mcp_list_prompts"
491 | "mcp_get_prompt"
492 | "mcp_server_info"
493 | "mcp_disconnect"
494 if !policy_allows_capability(&policy, "process", "exec")
495 || !policy_allows_side_effect(&policy, "process_exec") =>
496 {
497 return reject_policy(format!("builtin '{name}' exceeds process.exec ceiling"));
498 }
499 "host_call" => {
500 let name = args.first().map(|v| v.display()).unwrap_or_default();
501 let Some((capability, op)) = name.split_once('.') else {
502 return reject_policy(format!(
503 "host_call '{name}' must use capability.operation naming"
504 ));
505 };
506 if !policy_allows_capability(&policy, capability, op) {
507 return reject_policy(format!(
508 "host_call {capability}.{op} exceeds capability ceiling"
509 ));
510 }
511 let requested_side_effect = match (capability, op) {
512 ("workspace", "write_text" | "apply_edit" | "delete") => "workspace_write",
513 ("process", "exec") => "process_exec",
514 _ => "read_only",
515 };
516 if !policy_allows_side_effect(&policy, requested_side_effect) {
517 return reject_policy(format!(
518 "host_call {capability}.{op} exceeds side-effect ceiling"
519 ));
520 }
521 }
522 "host_tool_list" | "host_tool_call"
523 if !policy_allows_capability(&policy, "host", "tool_call") =>
524 {
525 return reject_policy(format!("builtin '{name}' exceeds host.tool_call ceiling"));
526 }
527 _ => {}
528 }
529 Ok(())
530}
531
532pub fn enforce_current_policy_for_bridge_builtin(name: &str) -> Result<(), VmError> {
533 let trusted = TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| *depth.borrow() > 0);
534 if trusted {
535 return Ok(());
536 }
537 if current_execution_policy().is_some() {
538 return reject_policy(format!(
539 "bridged builtin '{name}' exceeds execution policy; declare an explicit capability/tool surface instead"
540 ));
541 }
542 Ok(())
543}
544
545pub fn enforce_current_policy_for_tool(tool_name: &str) -> Result<(), PolicyDenial> {
546 use crate::agent_events::DenialGate;
547 let Some(policy) = current_execution_policy() else {
548 return Ok(());
549 };
550 if !policy_allows_tool(&policy, tool_name) {
551 return reject_tool(
552 DenialGate::ToolCeiling,
553 None,
554 format!("tool '{tool_name}' exceeds tool ceiling"),
555 );
556 }
557 if let Some(annotations) = policy.tool_annotations.get(tool_name) {
558 for (capability, ops) in &annotations.capabilities {
559 for op in ops {
560 if !policy_allows_capability(&policy, capability, op) {
561 return reject_tool(
562 DenialGate::CapabilityCeiling,
563 Some(format!("{capability}.{op}")),
564 format!("tool '{tool_name}' exceeds capability ceiling: {capability}.{op}"),
565 );
566 }
567 }
568 }
569 let requested_level = annotations.side_effect_level;
570 if requested_level != SideEffectLevel::None
571 && !policy_allows_side_effect(&policy, requested_level.as_str())
572 {
573 return reject_tool(
574 DenialGate::SideEffectCeiling,
575 None,
576 format!(
577 "tool '{tool_name}' exceeds side-effect ceiling: {}",
578 requested_level.as_str()
579 ),
580 );
581 }
582 }
583 Ok(())
584}
585
586pub fn redact_transcript_visibility(
598 transcript: &VmValue,
599 visibility: Option<&str>,
600) -> Option<VmValue> {
601 let Some(visibility) = visibility else {
602 return Some(transcript.clone());
603 };
604 if visibility != "public" && visibility != "public_only" {
605 return Some(transcript.clone());
606 }
607 let dict = transcript.as_dict()?;
608 let public_messages = match dict.get("messages") {
609 Some(VmValue::List(list)) => list
610 .iter()
611 .filter_map(redact_public_message)
612 .collect::<Vec<_>>(),
613 _ => Vec::new(),
614 };
615 let public_events = match dict.get("events") {
616 Some(VmValue::List(list)) => list
617 .iter()
618 .filter(|event| {
619 event
620 .as_dict()
621 .and_then(|d| d.get("visibility"))
622 .map(|v| v.display())
623 .map(|value| value == "public")
624 .unwrap_or(true)
625 })
626 .cloned()
627 .collect::<Vec<_>>(),
628 _ => Vec::new(),
629 };
630 let mut redacted = dict.clone();
631 redacted.insert(
632 crate::value::intern_key("messages"),
633 VmValue::List(std::sync::Arc::new(public_messages)),
634 );
635 redacted.insert(
636 crate::value::intern_key("events"),
637 VmValue::List(std::sync::Arc::new(public_events)),
638 );
639 Some(VmValue::dict(redacted))
640}
641
642fn redact_public_message(message: &VmValue) -> Option<VmValue> {
643 let Some(dict) = message.as_dict() else {
644 return Some(message.clone());
645 };
646 if dict.get("role").map(|value| value.display()).as_deref() == Some("tool_result") {
647 return None;
648 }
649 if dict
650 .get("visibility")
651 .map(|value| value.display())
652 .is_some_and(|visibility| visibility != "public")
653 {
654 return None;
655 }
656
657 let mut redacted = dict.clone();
658 let mut saw_structured_blocks = false;
659 let mut public_text = Vec::new();
660 for key in ["content", "blocks"] {
661 if let Some(VmValue::List(blocks)) = dict.get(key) {
662 saw_structured_blocks = true;
663 let public_blocks = blocks
664 .iter()
665 .filter_map(redact_public_block)
666 .collect::<Vec<_>>();
667 if key == "blocks" || public_text.is_empty() {
668 public_text = text_fragments_from_blocks(&public_blocks);
669 }
670 redacted.insert(
671 crate::value::intern_key(key),
672 VmValue::List(std::sync::Arc::new(public_blocks)),
673 );
674 }
675 }
676 if saw_structured_blocks {
677 if public_text.is_empty() {
678 redacted.remove("text");
679 } else {
680 redacted.put_str("text", public_text.join("\n"));
681 }
682 }
683 Some(VmValue::dict(redacted))
684}
685
686fn redact_public_block(block: &VmValue) -> Option<VmValue> {
687 let Some(dict) = block.as_dict() else {
688 return Some(block.clone());
689 };
690 if dict
691 .get("visibility")
692 .map(|value| value.display())
693 .is_some_and(|visibility| visibility != "public")
694 {
695 return None;
696 }
697 Some(block.clone())
698}
699
700fn text_fragments_from_blocks(blocks: &[VmValue]) -> Vec<String> {
701 blocks
702 .iter()
703 .filter_map(|block| block.as_dict())
704 .filter_map(|dict| dict.get("text"))
705 .filter_map(|text| match text {
706 VmValue::String(value) if !value.is_empty() => Some(value.to_string()),
707 _ => None,
708 })
709 .collect()
710}
711
712pub fn builtin_ceiling() -> CapabilityPolicy {
713 CapabilityPolicy {
714 tools: Vec::new(),
718 capabilities: BTreeMap::new(),
719 workspace_roots: Vec::new(),
720 read_only_roots: Vec::new(),
721 side_effect_level: Some(SideEffectLevel::MAX.as_str().to_string()),
731 recursion_limit: Some(RuntimeLimits::DEFAULT.max_nested_execution_depth),
732 tool_arg_constraints: Vec::new(),
733 tool_annotations: BTreeMap::new(),
734 sandbox_profile: SandboxProfile::Worktree,
735 process_sandbox: Default::default(),
736 }
737}
738
739#[derive(Clone, Debug, Default, Serialize, Deserialize, PartialEq, Eq)]
743#[serde(default)]
744pub struct ToolApprovalPolicy {
745 #[serde(default)]
748 pub rules: Vec<PolicyRule>,
749 #[serde(default)]
751 pub auto_approve: Vec<String>,
752 #[serde(default)]
754 pub auto_deny: Vec<String>,
755 #[serde(default)]
757 pub require_approval: Vec<String>,
758 #[serde(default)]
760 pub write_path_allowlist: Vec<String>,
761 #[serde(default)]
763 pub allow_sensitive_paths: bool,
764 #[serde(default)]
767 pub sensitive_path_patterns: Vec<String>,
768 #[serde(default)]
770 pub allow_external_paths: bool,
771 #[serde(default)]
773 pub external_roots: Vec<String>,
774 #[serde(default, alias = "repeated_call_limit")]
776 pub repeat_limit: Option<u64>,
777 #[serde(default, alias = "repeated_call_action")]
779 pub repeat_action: Option<PolicyAction>,
780}
781
782#[derive(Debug, Clone, PartialEq, Eq)]
784pub enum ToolApprovalDecision {
785 AutoApproved,
787 AutoDenied { reason: String },
789 RequiresHostApproval,
792}
793
794impl ToolApprovalPolicy {
795 pub fn evaluate_detailed(&self, tool_name: &str, args: &serde_json::Value) -> PolicyEvaluation {
796 approval_rules::evaluate_tool_approval_policy(self, tool_name, args, None)
797 }
798
799 pub fn evaluate_detailed_with_repeat(
800 &self,
801 tool_name: &str,
802 args: &serde_json::Value,
803 repeat_count: u64,
804 ) -> PolicyEvaluation {
805 approval_rules::evaluate_tool_approval_policy(self, tool_name, args, Some(repeat_count))
806 }
807
808 pub fn evaluate(&self, tool_name: &str, args: &serde_json::Value) -> ToolApprovalDecision {
811 let decision = self.evaluate_detailed(tool_name, args);
812 if decision.is_deny() {
813 return ToolApprovalDecision::AutoDenied {
814 reason: decision.reason,
815 };
816 }
817 if decision.is_ask() {
818 return ToolApprovalDecision::RequiresHostApproval;
819 }
820 ToolApprovalDecision::AutoApproved
821 }
822
823 pub fn intersect(&self, other: &ToolApprovalPolicy) -> ToolApprovalPolicy {
829 let auto_approve = if self.auto_approve.is_empty() {
830 other.auto_approve.clone()
831 } else if other.auto_approve.is_empty() {
832 self.auto_approve.clone()
833 } else {
834 self.auto_approve
835 .iter()
836 .filter(|p| other.auto_approve.contains(p))
837 .cloned()
838 .collect()
839 };
840 let mut auto_deny = self.auto_deny.clone();
841 auto_deny.extend(other.auto_deny.iter().cloned());
842 let mut require_approval = self.require_approval.clone();
843 require_approval.extend(other.require_approval.iter().cloned());
844 let write_path_allowlist = if self.write_path_allowlist.is_empty() {
845 other.write_path_allowlist.clone()
846 } else if other.write_path_allowlist.is_empty() {
847 self.write_path_allowlist.clone()
848 } else {
849 self.write_path_allowlist
850 .iter()
851 .filter(|p| other.write_path_allowlist.contains(p))
852 .cloned()
853 .collect()
854 };
855 let mut rules = self.rules.clone();
856 rules.extend(other.rules.iter().cloned());
857 let mut sensitive_path_patterns = self.sensitive_path_patterns.clone();
858 sensitive_path_patterns.extend(other.sensitive_path_patterns.iter().cloned());
859 sensitive_path_patterns.sort();
860 sensitive_path_patterns.dedup();
861 let external_roots = if self.external_roots.is_empty() {
862 other.external_roots.clone()
863 } else if other.external_roots.is_empty() {
864 self.external_roots.clone()
865 } else {
866 self.external_roots
867 .iter()
868 .filter(|root| other.external_roots.contains(root))
869 .cloned()
870 .collect()
871 };
872 ToolApprovalPolicy {
873 rules,
874 auto_approve,
875 auto_deny,
876 require_approval,
877 write_path_allowlist,
878 allow_sensitive_paths: self.allow_sensitive_paths && other.allow_sensitive_paths,
879 sensitive_path_patterns,
880 allow_external_paths: self.allow_external_paths && other.allow_external_paths,
881 external_roots,
882 repeat_limit: match (self.repeat_limit, other.repeat_limit) {
883 (Some(left), Some(right)) => Some(left.min(right)),
884 (Some(left), None) => Some(left),
885 (None, Some(right)) => Some(right),
886 (None, None) => None,
887 },
888 repeat_action: match (self.repeat_action, other.repeat_action) {
889 (Some(PolicyAction::Deny), _) | (_, Some(PolicyAction::Deny)) => {
890 Some(PolicyAction::Deny)
891 }
892 (Some(PolicyAction::Ask), _) | (_, Some(PolicyAction::Ask)) => {
893 Some(PolicyAction::Ask)
894 }
895 (Some(PolicyAction::Allow), Some(PolicyAction::Allow)) => Some(PolicyAction::Allow),
896 (Some(action), None) | (None, Some(action)) => Some(action),
897 (None, None) => None,
898 },
899 }
900 }
901}
902
903#[cfg(test)]
904mod approval_policy_tests {
905 use super::*;
906 use crate::orchestration::{pop_execution_policy, push_execution_policy, CapabilityPolicy};
907 use crate::tool_annotations::{ToolAnnotations, ToolArgSchema, ToolKind};
908
909 fn workspace_caps(ops: &[&str]) -> CapabilityPolicy {
910 CapabilityPolicy {
911 capabilities: std::collections::BTreeMap::from([(
912 "workspace".to_string(),
913 ops.iter().map(|s| s.to_string()).collect(),
914 )]),
915 ..Default::default()
916 }
917 }
918
919 #[test]
920 fn builtin_ceiling_permits_desktop_control_but_a_lower_ceiling_denies_it() {
921 let builtin = builtin_ceiling();
925 assert!(policy_allows_side_effect(
926 &builtin,
927 SideEffectLevel::DesktopControl.as_str()
928 ));
929
930 let network_ceiling = CapabilityPolicy {
934 side_effect_level: Some(SideEffectLevel::Network.as_str().to_string()),
935 ..Default::default()
936 };
937 assert!(!policy_allows_side_effect(
938 &network_ceiling,
939 SideEffectLevel::DesktopControl.as_str()
940 ));
941 assert!(policy_allows_side_effect(
943 &network_ceiling,
944 SideEffectLevel::ProcessExec.as_str()
945 ));
946 }
947
948 #[test]
949 fn read_text_subsumes_exists_probe() {
950 push_execution_policy(workspace_caps(&[
957 "read_text",
958 "list",
959 "write_text",
960 "apply_edit",
961 ]));
962 assert!(enforce_current_policy_for_builtin("file_exists", &[]).is_ok());
963 assert!(enforce_current_policy_for_builtin("stat", &[]).is_ok());
964 pop_execution_policy();
965 }
966
967 #[test]
968 fn list_alone_subsumes_exists_probe() {
969 push_execution_policy(workspace_caps(&["list"]));
971 assert!(enforce_current_policy_for_builtin("file_exists", &[]).is_ok());
972 pop_execution_policy();
973 }
974
975 #[test]
976 fn exists_probe_rejected_without_any_read_grant() {
977 push_execution_policy(workspace_caps(&["write_text", "apply_edit"]));
980 assert!(enforce_current_policy_for_builtin("file_exists", &[]).is_err());
981 pop_execution_policy();
982 }
983
984 #[test]
985 fn auto_deny_takes_precedence_over_auto_approve() {
986 let policy = ToolApprovalPolicy {
987 auto_approve: vec!["*".to_string()],
988 auto_deny: vec!["dangerous_*".to_string()],
989 ..Default::default()
990 };
991 assert_eq!(
992 policy.evaluate("dangerous_rm", &serde_json::json!({})),
993 ToolApprovalDecision::AutoDenied {
994 reason: "tool 'dangerous_rm' matches deny pattern 'dangerous_*'".to_string()
995 }
996 );
997 }
998
999 #[test]
1000 fn auto_approve_matches_glob() {
1001 let policy = ToolApprovalPolicy {
1002 auto_approve: vec!["read*".to_string(), "search*".to_string()],
1003 ..Default::default()
1004 };
1005 assert_eq!(
1006 policy.evaluate("read_file", &serde_json::json!({})),
1007 ToolApprovalDecision::AutoApproved
1008 );
1009 assert_eq!(
1010 policy.evaluate("search", &serde_json::json!({})),
1011 ToolApprovalDecision::AutoApproved
1012 );
1013 }
1014
1015 #[test]
1016 fn require_approval_emits_decision() {
1017 let policy = ToolApprovalPolicy {
1018 require_approval: vec!["edit*".to_string()],
1019 ..Default::default()
1020 };
1021 let decision = policy.evaluate("edit_file", &serde_json::json!({"path": "foo.rs"}));
1022 assert!(matches!(
1023 decision,
1024 ToolApprovalDecision::RequiresHostApproval
1025 ));
1026 }
1027
1028 #[test]
1029 fn unmatched_tool_defaults_to_approved() {
1030 let policy = ToolApprovalPolicy {
1031 auto_approve: vec!["read*".to_string()],
1032 require_approval: vec!["edit*".to_string()],
1033 ..Default::default()
1034 };
1035 assert_eq!(
1036 policy.evaluate("unknown_tool", &serde_json::json!({})),
1037 ToolApprovalDecision::AutoApproved
1038 );
1039 }
1040
1041 #[test]
1042 fn intersect_merges_deny_lists() {
1043 let a = ToolApprovalPolicy {
1044 auto_deny: vec!["rm*".to_string()],
1045 ..Default::default()
1046 };
1047 let b = ToolApprovalPolicy {
1048 auto_deny: vec!["drop*".to_string()],
1049 ..Default::default()
1050 };
1051 let merged = a.intersect(&b);
1052 assert_eq!(merged.auto_deny.len(), 2);
1053 }
1054
1055 #[test]
1056 fn intersect_restricts_auto_approve_to_common_patterns() {
1057 let a = ToolApprovalPolicy {
1058 auto_approve: vec!["read*".to_string(), "search*".to_string()],
1059 ..Default::default()
1060 };
1061 let b = ToolApprovalPolicy {
1062 auto_approve: vec!["read*".to_string(), "write*".to_string()],
1063 ..Default::default()
1064 };
1065 let merged = a.intersect(&b);
1066 assert_eq!(merged.auto_approve, vec!["read*".to_string()]);
1067 }
1068
1069 #[test]
1070 fn intersect_defers_auto_approve_when_one_side_empty() {
1071 let a = ToolApprovalPolicy {
1072 auto_approve: vec!["read*".to_string()],
1073 ..Default::default()
1074 };
1075 let b = ToolApprovalPolicy::default();
1076 let merged = a.intersect(&b);
1077 assert_eq!(merged.auto_approve, vec!["read*".to_string()]);
1078 }
1079
1080 #[test]
1081 fn write_path_allowlist_matches_recovered_workspace_relative_path() {
1082 let temp = tempfile::tempdir().unwrap();
1083 std::fs::create_dir_all(temp.path().join("packages/demo")).unwrap();
1084 std::fs::write(temp.path().join("packages/demo/file.txt"), "ok").unwrap();
1085 crate::stdlib::process::set_thread_execution_context(Some(
1086 crate::orchestration::RunExecutionRecord {
1087 cwd: Some(temp.path().to_string_lossy().into_owned()),
1088 source_dir: Some(temp.path().to_string_lossy().into_owned()),
1089 env: BTreeMap::new(),
1090 adapter: None,
1091 repo_path: None,
1092 worktree_path: None,
1093 branch: None,
1094 base_ref: None,
1095 cleanup: None,
1096 },
1097 ));
1098
1099 let mut tool_annotations = BTreeMap::new();
1100 tool_annotations.insert(
1101 "write_file".to_string(),
1102 ToolAnnotations {
1103 kind: ToolKind::Edit,
1104 arg_schema: ToolArgSchema {
1105 path_params: vec!["path".to_string()],
1106 ..Default::default()
1107 },
1108 ..Default::default()
1109 },
1110 );
1111 push_execution_policy(CapabilityPolicy {
1112 tool_annotations,
1113 ..Default::default()
1114 });
1115
1116 let policy = ToolApprovalPolicy {
1117 write_path_allowlist: vec!["packages/demo/file.txt".to_string()],
1118 ..Default::default()
1119 };
1120 let decision = policy.evaluate(
1121 "write_file",
1122 &serde_json::json!({"path": "/packages/demo/file.txt"}),
1123 );
1124 assert_eq!(decision, ToolApprovalDecision::AutoApproved);
1125
1126 pop_execution_policy();
1127 crate::stdlib::process::set_thread_execution_context(None);
1128 }
1129
1130 #[test]
1131 fn write_path_allowlist_does_not_block_read_only_tools() {
1132 let temp = tempfile::tempdir().unwrap();
1133 std::fs::create_dir_all(temp.path().join("packages/demo")).unwrap();
1134 std::fs::write(temp.path().join("packages/demo/context.txt"), "ok").unwrap();
1135 crate::stdlib::process::set_thread_execution_context(Some(
1136 crate::orchestration::RunExecutionRecord {
1137 cwd: Some(temp.path().to_string_lossy().into_owned()),
1138 source_dir: Some(temp.path().to_string_lossy().into_owned()),
1139 env: BTreeMap::new(),
1140 adapter: None,
1141 repo_path: None,
1142 worktree_path: None,
1143 branch: None,
1144 base_ref: None,
1145 cleanup: None,
1146 },
1147 ));
1148
1149 let mut tool_annotations = BTreeMap::new();
1150 tool_annotations.insert(
1151 "read_file".to_string(),
1152 ToolAnnotations {
1153 kind: ToolKind::Read,
1154 arg_schema: ToolArgSchema {
1155 path_params: vec!["path".to_string()],
1156 ..Default::default()
1157 },
1158 ..Default::default()
1159 },
1160 );
1161 push_execution_policy(CapabilityPolicy {
1162 tool_annotations,
1163 ..Default::default()
1164 });
1165
1166 let policy = ToolApprovalPolicy {
1167 write_path_allowlist: vec!["packages/demo/file.txt".to_string()],
1168 ..Default::default()
1169 };
1170 let decision = policy.evaluate(
1171 "read_file",
1172 &serde_json::json!({"path": "/packages/demo/context.txt"}),
1173 );
1174 assert_eq!(decision, ToolApprovalDecision::AutoApproved);
1175
1176 pop_execution_policy();
1177 crate::stdlib::process::set_thread_execution_context(None);
1178 }
1179
1180 #[test]
1181 fn builtin_policy_covers_fs_read_and_list_helpers() {
1182 clear_execution_policy_stacks();
1183 push_execution_policy(CapabilityPolicy {
1184 capabilities: BTreeMap::from([("workspace".to_string(), vec!["exists".to_string()])]),
1185 side_effect_level: Some("read_only".to_string()),
1186 ..CapabilityPolicy::default()
1187 });
1188
1189 for name in [
1190 "read_lines",
1191 "find_text",
1192 "walk_dir",
1193 "glob",
1194 "project_context_profile_native",
1195 ] {
1196 assert!(
1197 enforce_current_policy_for_builtin(name, &[]).is_err(),
1198 "{name} should be rejected when the matching workspace capability is absent"
1199 );
1200 }
1201
1202 pop_execution_policy();
1203 }
1204
1205 #[test]
1206 fn move_file_requires_workspace_write_side_effect() {
1207 clear_execution_policy_stacks();
1208 push_execution_policy(CapabilityPolicy {
1209 capabilities: BTreeMap::from([(
1210 "workspace".to_string(),
1211 vec!["write_text".to_string()],
1212 )]),
1213 side_effect_level: Some("read_only".to_string()),
1214 ..CapabilityPolicy::default()
1215 });
1216
1217 let error = enforce_current_policy_for_builtin("move_file", &[]).unwrap_err();
1218 assert!(
1219 error.to_string().contains("workspace write ceiling"),
1220 "unexpected error: {error}"
1221 );
1222
1223 pop_execution_policy();
1224 }
1225
1226 #[test]
1227 fn unix_socket_json_request_requires_network_side_effect() {
1228 clear_execution_policy_stacks();
1229 push_execution_policy(CapabilityPolicy {
1230 side_effect_level: Some("read_only".to_string()),
1231 ..CapabilityPolicy::default()
1232 });
1233
1234 let error =
1235 enforce_current_policy_for_builtin("__net_unix_socket_json_request", &[]).unwrap_err();
1236 assert!(
1237 error.to_string().contains("network ceiling"),
1238 "unexpected error: {error}"
1239 );
1240
1241 pop_execution_policy();
1242 }
1243
1244 #[test]
1245 fn files_upload_requires_workspace_read_and_network_side_effect() {
1246 clear_execution_policy_stacks();
1247 push_execution_policy(CapabilityPolicy {
1248 capabilities: BTreeMap::from([(
1249 "workspace".to_string(),
1250 vec!["read_text".to_string()],
1251 )]),
1252 side_effect_level: Some("read_only".to_string()),
1253 ..CapabilityPolicy::default()
1254 });
1255
1256 let network_error = enforce_current_policy_for_builtin("__files_upload", &[]).unwrap_err();
1257 assert!(
1258 network_error.to_string().contains("network ceiling"),
1259 "unexpected error: {network_error}"
1260 );
1261 pop_execution_policy();
1262
1263 push_execution_policy(CapabilityPolicy {
1264 capabilities: BTreeMap::from([("workspace".to_string(), vec!["exists".to_string()])]),
1265 side_effect_level: Some("network".to_string()),
1266 ..CapabilityPolicy::default()
1267 });
1268 let read_error = enforce_current_policy_for_builtin("__files_upload", &[]).unwrap_err();
1269 assert!(
1270 read_error.to_string().contains("workspace.read_text"),
1271 "unexpected error: {read_error}"
1272 );
1273
1274 pop_execution_policy();
1275 }
1276}
1277
1278#[cfg(test)]
1279mod turn_policy_tests {
1280 use super::TurnPolicy;
1281
1282 #[test]
1283 fn default_allows_done_sentinel() {
1284 let policy = TurnPolicy::default();
1285 assert!(policy.allow_done_sentinel);
1286 assert!(!policy.require_action_or_yield);
1287 assert!(policy.max_prose_chars.is_none());
1288 }
1289
1290 #[test]
1291 fn deserializing_partial_dict_preserves_done_sentinel_pathway() {
1292 let policy: TurnPolicy =
1297 serde_json::from_value(serde_json::json!({ "require_action_or_yield": true }))
1298 .expect("deserialize");
1299 assert!(policy.require_action_or_yield);
1300 assert!(policy.allow_done_sentinel);
1301 }
1302
1303 #[test]
1304 fn deserializing_explicit_false_disables_done_sentinel() {
1305 let policy: TurnPolicy = serde_json::from_value(serde_json::json!({
1306 "require_action_or_yield": true,
1307 "allow_done_sentinel": false,
1308 }))
1309 .expect("deserialize");
1310 assert!(policy.require_action_or_yield);
1311 assert!(!policy.allow_done_sentinel);
1312 }
1313}
1314
1315#[cfg(test)]
1316mod visibility_redaction_tests {
1317 use super::*;
1318 use crate::value::VmValue;
1319
1320 fn mock_transcript() -> VmValue {
1321 let messages = vec![
1322 serde_json::json!({"role": "user", "content": "hi"}),
1323 serde_json::json!({"role": "assistant", "content": "hello"}),
1324 serde_json::json!({"role": "tool_result", "content": "internal tool output"}),
1325 ];
1326 crate::llm::helpers::transcript_to_vm_with_events(
1327 Some("test-id".to_string()),
1328 None,
1329 None,
1330 &messages,
1331 Vec::new(),
1332 Vec::new(),
1333 Some("active"),
1334 )
1335 }
1336
1337 fn message_count(transcript: &VmValue) -> usize {
1338 transcript
1339 .as_dict()
1340 .and_then(|d| d.get("messages"))
1341 .and_then(|v| match v {
1342 VmValue::List(list) => Some(list.len()),
1343 _ => None,
1344 })
1345 .unwrap_or(0)
1346 }
1347
1348 #[test]
1349 fn visibility_none_returns_unchanged() {
1350 let t = mock_transcript();
1351 let result = redact_transcript_visibility(&t, None).unwrap();
1352 assert_eq!(message_count(&result), 3);
1353 }
1354
1355 #[test]
1356 fn visibility_public_drops_tool_results() {
1357 let t = mock_transcript();
1358 let result = redact_transcript_visibility(&t, Some("public")).unwrap();
1359 assert_eq!(message_count(&result), 2);
1360 }
1361
1362 #[test]
1363 fn visibility_public_drops_private_content_blocks() {
1364 let t = crate::schema::json_to_vm_value(&serde_json::json!({
1365 "messages": [
1366 {
1367 "role": "assistant",
1368 "visibility": "public",
1369 "text": "visible answer\nsecret chain",
1370 "content": [
1371 {"type": "output_text", "text": "visible answer", "visibility": "public"},
1372 {"type": "reasoning", "text": "secret chain", "visibility": "private"}
1373 ],
1374 "blocks": [
1375 {"type": "output_text", "text": "visible block", "visibility": "public"},
1376 {"type": "tool_call", "text": "internal args", "visibility": "internal"}
1377 ]
1378 }
1379 ],
1380 "events": []
1381 }));
1382
1383 let result = redact_transcript_visibility(&t, Some("public")).unwrap();
1384 let rendered = result.display();
1385 assert!(rendered.contains("visible answer"));
1386 assert!(rendered.contains("visible block"));
1387 assert!(!rendered.contains("secret chain"));
1388 assert!(!rendered.contains("internal args"));
1389 }
1390
1391 #[test]
1392 fn visibility_unknown_string_is_pass_through() {
1393 let t = mock_transcript();
1394 let result = redact_transcript_visibility(&t, Some("internal")).unwrap();
1395 assert_eq!(message_count(&result), 3);
1396 }
1397}