Skip to main content

harn_vm/
tool_annotations.rs

1//! Tool annotations — the single source of truth for tool semantics.
2//!
3//! These types describe what a tool does at a semantic level. The VM
4//! consumes them to make policy decisions (read-only vs mutating, which
5//! argument holds the workspace path, which aliases to normalize, etc.)
6//! without hardcoding tool names or file-extension lists. Pipeline
7//! authors declare a `ToolAnnotations` value per tool in their
8//! `CapabilityPolicy.tool_annotations` registry; everything downstream
9//! is driven by that declaration.
10//!
11//! This alignment is ACP-compliant: `ToolKind` matches the canonical
12//! tool-kind vocabulary from the [Agent Client Protocol schema]
13//! (https://agentclientprotocol.com/protocol/schema) one-for-one.
14
15use std::collections::BTreeMap;
16
17use serde::{Deserialize, Serialize};
18
19/// Canonical tool-kind vocabulary. Matches the ACP `ToolKind` enum so
20/// harn-cli's ACP server can forward the value unchanged in
21/// `sessionUpdate` variants.
22///
23/// The VM treats `Read`, `Search`, `Think`, and `Fetch` as read-only
24/// for concurrent-dispatch purposes. `Other` is intentionally NOT
25/// treated as read-only — unannotated tools should not slip through
26/// as auto-approved by default (fail-safe).
27#[derive(Clone, Copy, Debug, Default, Eq, PartialEq, Hash, Serialize, Deserialize)]
28#[serde(rename_all = "snake_case")]
29pub enum ToolKind {
30    /// Reads file/workspace content without mutation.
31    Read,
32    /// Mutates workspace content (write, patch, edit).
33    Edit,
34    /// Removes content irreversibly.
35    Delete,
36    /// Relocates or renames content.
37    Move,
38    /// Queries indexes or directories; no mutation.
39    Search,
40    /// Runs a subprocess or a shell command.
41    Execute,
42    /// Pure reasoning/thought invocation, no side effects.
43    Think,
44    /// Retrieves remote content (HTTP, MCP fetch, etc.).
45    Fetch,
46    /// Anything that doesn't map cleanly into the canonical kinds.
47    /// Not treated as read-only — the fail-safe default.
48    #[default]
49    Other,
50}
51
52impl ToolKind {
53    pub const ALL: [Self; 9] = [
54        Self::Read,
55        Self::Edit,
56        Self::Delete,
57        Self::Move,
58        Self::Search,
59        Self::Execute,
60        Self::Think,
61        Self::Fetch,
62        Self::Other,
63    ];
64
65    /// Read-only tools can dispatch concurrently without risking
66    /// conflicting state mutations. `Other` is excluded by design —
67    /// unannotated tools must not auto-approve as read-only.
68    pub fn is_read_only(&self) -> bool {
69        matches!(self, Self::Read | Self::Search | Self::Think | Self::Fetch)
70    }
71
72    /// Coarse mutation-classification string used in tool-call
73    /// telemetry and pre/post bridge payloads. Derived directly from
74    /// the kind — the VM no longer guesses from tool names.
75    pub fn mutation_class(&self) -> &'static str {
76        match self {
77            Self::Read | Self::Search | Self::Think | Self::Fetch => "read_only",
78            Self::Edit => "workspace_write",
79            Self::Delete | Self::Move => "destructive",
80            Self::Execute => "ambient_side_effect",
81            Self::Other => "other",
82        }
83    }
84}
85
86/// Rough side-effect taxonomy for the capability-ceiling check.
87#[derive(Clone, Copy, Debug, Default, Eq, PartialEq, Hash, Serialize, Deserialize)]
88#[serde(rename_all = "snake_case")]
89pub enum SideEffectLevel {
90    /// No side effect declared (conservative default; permission logic
91    /// treats this as "unknown → deny unless explicitly allowed").
92    #[default]
93    None,
94    /// Pure reads only.
95    ReadOnly,
96    /// Writes to workspace files.
97    WorkspaceWrite,
98    /// Runs subprocesses.
99    ProcessExec,
100    /// Reaches external services over the network.
101    Network,
102    /// Drives the physical desktop — synthetic mouse/keyboard input and screen
103    /// capture. The most invasive local class: it can operate ANY application
104    /// (not just a sandboxed subprocess or a single network sink), inject
105    /// keystrokes that paste secrets or dismiss dialogs, and every screenshot
106    /// exfiltrates whatever is on screen to the model. It therefore sits at the
107    /// top of the ceiling ladder — a policy must opt into it explicitly, above
108    /// even network access.
109    DesktopControl,
110}
111
112impl SideEffectLevel {
113    pub const ALL: [Self; 6] = [
114        Self::None,
115        Self::ReadOnly,
116        Self::WorkspaceWrite,
117        Self::ProcessExec,
118        Self::Network,
119        Self::DesktopControl,
120    ];
121
122    /// The most-permissive side-effect level — the TOP of the ladder. This is
123    /// the single source of truth for "the outermost / most-autonomous ceiling":
124    /// the runtime's builtin ceiling and the top autonomy tier both reference it,
125    /// so adding a new most-invasive level (as `desktop_control` was added above
126    /// `network`) automatically raises every permissive bound instead of leaving
127    /// hardcoded `"network"` strings that silently cap the new level out. NEVER
128    /// hardcode a specific top level as "the max"; call this.
129    pub const MAX: Self = Self::DesktopControl;
130
131    /// Numeric rank used by the policy intersector and side-effect
132    /// ceiling check. Higher rank ⇒ more invasive.
133    pub fn rank(&self) -> usize {
134        match self {
135            Self::None => 0,
136            Self::ReadOnly => 1,
137            Self::WorkspaceWrite => 2,
138            Self::ProcessExec => 3,
139            Self::Network => 4,
140            Self::DesktopControl => 5,
141        }
142    }
143
144    /// Short string used in policy documents, bridge payloads, and
145    /// error messages. Stable wire identifier.
146    pub fn as_str(&self) -> &'static str {
147        match self {
148            Self::None => "none",
149            Self::ReadOnly => "read_only",
150            Self::WorkspaceWrite => "workspace_write",
151            Self::ProcessExec => "process_exec",
152            Self::Network => "network",
153            Self::DesktopControl => "desktop_control",
154        }
155    }
156
157    /// Rank a level given as a string, through the canonical ladder — the single
158    /// source of truth for every ceiling/effect comparison that works with the
159    /// wire strings instead of the typed enum. An unrecognized value ranks as
160    /// `None` (0): tool levels always come from [`Self::as_str`] so they are
161    /// never unknown, and for a ceiling a typo then grants nothing above `none`
162    /// rather than silently widening the ceiling.
163    pub fn rank_str(level: &str) -> usize {
164        Self::parse(level).rank()
165    }
166
167    /// Parse from the stable string used in policy documents. Unknown
168    /// values deserialize to `None` (the conservative default).
169    pub fn parse(value: &str) -> Self {
170        match value {
171            "none" => Self::None,
172            "read_only" => Self::ReadOnly,
173            "workspace_write" => Self::WorkspaceWrite,
174            "process_exec" => Self::ProcessExec,
175            "network" => Self::Network,
176            "desktop_control" => Self::DesktopControl,
177            _ => Self::None,
178        }
179    }
180}
181
182/// Declarative description of a tool's argument shape. The VM uses
183/// this to:
184///
185/// - resolve `ToolArgConstraint` lookups (`path_params`),
186/// - rewrite high-level aliases to canonical keys without any
187///   per-tool hardcoded branches (`arg_aliases`),
188/// - validate presence of required arguments at the dispatch boundary
189///   (`required`).
190#[derive(Clone, Debug, Default, Eq, PartialEq, Serialize, Deserialize)]
191#[serde(default)]
192pub struct ToolArgSchema {
193    /// Argument keys whose values are workspace-relative paths.
194    /// First matching key whose value is a string wins.
195    pub path_params: Vec<String>,
196    /// Alias → canonical key. When a tool call arrives with an alias
197    /// in its argument object, the VM rewrites the key to the canonical
198    /// form before dispatch (generic; no tool-name branches).
199    pub arg_aliases: BTreeMap<String, String>,
200    /// Argument keys that must be present (non-null) on every call.
201    pub required: Vec<String>,
202}
203
204/// Full annotations for one tool. Pipelines populate one of these per
205/// tool in the capability-policy registry; the VM consults the registry
206/// on every tool call.
207#[derive(Clone, Debug, Default, Eq, PartialEq, Serialize, Deserialize)]
208#[serde(default)]
209pub struct ToolAnnotations {
210    /// ACP-aligned tool-kind classification.
211    pub kind: ToolKind,
212    /// Required side-effect level for the capability ceiling check.
213    pub side_effect_level: SideEffectLevel,
214    /// Argument shape declarations.
215    pub arg_schema: ToolArgSchema,
216    /// Capability operations requested by this tool (e.g.
217    /// `"workspace": ["read_text", "list"]`).
218    pub capabilities: BTreeMap<String, Vec<String>>,
219    /// True when the tool may return only a handle/reference to a large
220    /// output artifact instead of inline output. Execute tools with this
221    /// flag must also declare an inspection route.
222    pub emits_artifacts: bool,
223    /// Tool names that can inspect artifacts/results emitted by this tool.
224    pub result_readers: Vec<String>,
225    /// Explicit escape hatch for tools whose results are always complete
226    /// inline, even though they are execute-like.
227    pub inline_result: bool,
228    /// MCP `readOnlyHint`. This remains advisory; policy decides whether
229    /// the server that supplied it is trusted enough to rely on it.
230    #[serde(rename = "readOnlyHint", skip_serializing_if = "Option::is_none")]
231    pub read_only_hint: Option<bool>,
232    /// MCP `destructiveHint`. This remains advisory; policy decides whether
233    /// the server that supplied it is trusted enough to rely on it.
234    #[serde(rename = "destructiveHint", skip_serializing_if = "Option::is_none")]
235    pub destructive_hint: Option<bool>,
236    /// MCP `idempotentHint`. This remains advisory; policy decides whether
237    /// the server that supplied it is trusted enough to rely on it.
238    #[serde(rename = "idempotentHint", skip_serializing_if = "Option::is_none")]
239    pub idempotent_hint: Option<bool>,
240    /// MCP `openWorldHint`. This remains advisory; policy decides whether
241    /// the server that supplied it is trusted enough to rely on it.
242    #[serde(rename = "openWorldHint", skip_serializing_if = "Option::is_none")]
243    pub open_world_hint: Option<bool>,
244}
245
246#[cfg(test)]
247mod tests {
248    use super::*;
249
250    #[test]
251    fn tool_kind_serde_roundtrip() {
252        for (kind, expected) in [
253            (ToolKind::Read, "\"read\""),
254            (ToolKind::Edit, "\"edit\""),
255            (ToolKind::Delete, "\"delete\""),
256            (ToolKind::Move, "\"move\""),
257            (ToolKind::Search, "\"search\""),
258            (ToolKind::Execute, "\"execute\""),
259            (ToolKind::Think, "\"think\""),
260            (ToolKind::Fetch, "\"fetch\""),
261            (ToolKind::Other, "\"other\""),
262        ] {
263            let encoded = serde_json::to_string(&kind).unwrap();
264            assert_eq!(encoded, expected);
265            let decoded: ToolKind = serde_json::from_str(expected).unwrap();
266            assert_eq!(decoded, kind);
267        }
268    }
269
270    #[test]
271    fn only_read_search_think_fetch_are_read_only() {
272        assert!(ToolKind::Read.is_read_only());
273        assert!(ToolKind::Search.is_read_only());
274        assert!(ToolKind::Think.is_read_only());
275        assert!(ToolKind::Fetch.is_read_only());
276        // Fail-safe: Other is NOT read-only.
277        assert!(!ToolKind::Other.is_read_only());
278        assert!(!ToolKind::Edit.is_read_only());
279        assert!(!ToolKind::Delete.is_read_only());
280        assert!(!ToolKind::Move.is_read_only());
281        assert!(!ToolKind::Execute.is_read_only());
282    }
283
284    #[test]
285    fn mutation_class_derived_from_kind() {
286        assert_eq!(ToolKind::Read.mutation_class(), "read_only");
287        assert_eq!(ToolKind::Search.mutation_class(), "read_only");
288        assert_eq!(ToolKind::Edit.mutation_class(), "workspace_write");
289        assert_eq!(ToolKind::Delete.mutation_class(), "destructive");
290        assert_eq!(ToolKind::Move.mutation_class(), "destructive");
291        assert_eq!(ToolKind::Execute.mutation_class(), "ambient_side_effect");
292        assert_eq!(ToolKind::Other.mutation_class(), "other");
293    }
294
295    #[test]
296    fn side_effect_level_round_trip() {
297        for level in [
298            SideEffectLevel::None,
299            SideEffectLevel::ReadOnly,
300            SideEffectLevel::WorkspaceWrite,
301            SideEffectLevel::ProcessExec,
302            SideEffectLevel::Network,
303        ] {
304            assert_eq!(SideEffectLevel::parse(level.as_str()), level);
305            let encoded = serde_json::to_string(&level).unwrap();
306            let decoded: SideEffectLevel = serde_json::from_str(&encoded).unwrap();
307            assert_eq!(decoded, level);
308        }
309    }
310
311    #[test]
312    fn side_effect_level_rank_orders() {
313        assert!(SideEffectLevel::None.rank() < SideEffectLevel::ReadOnly.rank());
314        assert!(SideEffectLevel::ReadOnly.rank() < SideEffectLevel::WorkspaceWrite.rank());
315        assert!(SideEffectLevel::WorkspaceWrite.rank() < SideEffectLevel::ProcessExec.rank());
316        assert!(SideEffectLevel::ProcessExec.rank() < SideEffectLevel::Network.rank());
317        // Desktop control is the most invasive local class — top of the ladder,
318        // above even network egress.
319        assert!(SideEffectLevel::Network.rank() < SideEffectLevel::DesktopControl.rank());
320        assert_eq!(
321            SideEffectLevel::parse("desktop_control"),
322            SideEffectLevel::DesktopControl
323        );
324        assert_eq!(SideEffectLevel::DesktopControl.as_str(), "desktop_control");
325    }
326
327    #[test]
328    fn max_is_the_unique_top_of_the_ladder() {
329        // Guardrail: `SideEffectLevel::MAX` MUST be the strictly-highest-ranked
330        // level. Adding a new most-invasive variant without updating `MAX` (the
331        // single "most-permissive ceiling" the builtin ceiling and top autonomy
332        // tier both reference) fails here — so the "network was the top" footgun
333        // that silently capped `desktop_control` cannot recur.
334        for level in SideEffectLevel::ALL {
335            assert!(
336                level.rank() <= SideEffectLevel::MAX.rank(),
337                "{level:?} outranks MAX ({:?}); update SideEffectLevel::MAX",
338                SideEffectLevel::MAX
339            );
340        }
341        // And MAX is uniquely the top (exactly one level at the max rank).
342        let at_top = SideEffectLevel::ALL
343            .iter()
344            .filter(|l| l.rank() == SideEffectLevel::MAX.rank())
345            .count();
346        assert_eq!(at_top, 1, "MAX must be the unique top of the ladder");
347
348        // Compiler guardrail on `ALL` completeness: this match is exhaustive
349        // over the TYPE, so adding a variant fails the build here — and the
350        // count assertion then forces that variant into `ALL`. Without both,
351        // a variant omitted from the (hand-maintained) `ALL` array would
352        // silently escape the uniqueness check above.
353        fn _every_variant_accounted_for(level: SideEffectLevel) {
354            match level {
355                SideEffectLevel::None
356                | SideEffectLevel::ReadOnly
357                | SideEffectLevel::WorkspaceWrite
358                | SideEffectLevel::ProcessExec
359                | SideEffectLevel::Network
360                | SideEffectLevel::DesktopControl => {}
361            }
362        }
363        assert_eq!(
364            SideEffectLevel::ALL.len(),
365            6,
366            "a SideEffectLevel variant was added; list it in ALL and bump this count"
367        );
368    }
369
370    #[test]
371    fn arg_schema_defaults_empty() {
372        let schema = ToolArgSchema::default();
373        assert!(schema.path_params.is_empty());
374        assert!(schema.arg_aliases.is_empty());
375        assert!(schema.required.is_empty());
376    }
377
378    #[test]
379    fn annotations_default_result_routes_empty() {
380        let annotations = ToolAnnotations::default();
381        assert!(!annotations.emits_artifacts);
382        assert!(annotations.result_readers.is_empty());
383        assert!(!annotations.inline_result);
384    }
385
386    #[test]
387    fn mcp_annotation_hints_round_trip() {
388        let annotations: ToolAnnotations = serde_json::from_value(serde_json::json!({
389            "readOnlyHint": true,
390            "destructiveHint": false,
391            "idempotentHint": true,
392            "openWorldHint": false
393        }))
394        .expect("MCP hints should deserialize");
395        assert_eq!(annotations.read_only_hint, Some(true));
396        assert_eq!(annotations.destructive_hint, Some(false));
397        assert_eq!(annotations.idempotent_hint, Some(true));
398        assert_eq!(annotations.open_world_hint, Some(false));
399
400        let encoded = serde_json::to_value(&annotations).expect("serialize annotations");
401        assert_eq!(encoded["readOnlyHint"], true);
402        assert_eq!(encoded["idempotentHint"], true);
403    }
404}