1mod approval_rules;
4mod effects;
5mod nested_budget;
6mod types;
7
8use crate::value::VmDictExt;
9use std::cell::RefCell;
10use std::collections::BTreeMap;
11use std::thread_local;
12
13use serde::{Deserialize, Serialize};
14
15use crate::runtime_limits::RuntimeLimits;
16use crate::tool_annotations::{SideEffectLevel, ToolAnnotations};
17use crate::value::{VmError, VmValue};
18use crate::workspace_path::{classify_workspace_path, WorkspacePathInfo};
19
20pub use crate::tool_annotations::{ToolArgSchema, ToolKind};
21pub use approval_rules::{
22 clear_all_approval_policy_repeat_counts, clear_approval_policy_repeat_counts,
23 next_approval_policy_repeat_count, ApprovalShape, PolicyAction, PolicyEvaluation,
24 PolicyMatchedRule, PolicyRule, PolicyRuleMatch,
25};
26pub use effects::{
27 compute_handoff_effects, effect_kind_label, effect_record_summary, effect_subset_violations,
28 effects_from_metadata, EffectKind, EffectRecord, EffectScope,
29};
30pub use nested_budget::{
31 annotate_nested_execution_options, enter_nested_execution_policy, NestedExecutionGuard,
32 NestedExecutionKind, NESTED_KIND_OPTION_KEY, NESTED_LABEL_OPTION_KEY,
33};
34pub use types::{
35 enforce_tool_arg_constraints, AutoCompactPolicy, BranchSemantics, CapabilityPolicy,
36 ContextPolicy, EqIgnored, EscalationPolicy, JoinPolicy, MapPolicy, ModelPolicy,
37 NativeToolFallbackPolicy, ProcessSandboxPolicy, ProcessSandboxPreset, ReducePolicy,
38 RetryPolicy, SandboxProfile, StageContract, ToolArgConstraint, TurnPolicy,
39};
40
41thread_local! {
42 static EXECUTION_POLICY_STACK: RefCell<Vec<CapabilityPolicy>> = const { RefCell::new(Vec::new()) };
43 static EXECUTION_APPROVAL_POLICY_STACK: RefCell<Vec<ToolApprovalPolicy>> = const { RefCell::new(Vec::new()) };
44 static TRUSTED_BRIDGE_CALL_DEPTH: RefCell<usize> = const { RefCell::new(0) };
45}
46
47pub fn push_execution_policy(policy: CapabilityPolicy) {
48 EXECUTION_POLICY_STACK.with(|stack| stack.borrow_mut().push(policy));
49}
50
51pub fn pop_execution_policy() {
52 EXECUTION_POLICY_STACK.with(|stack| {
53 stack.borrow_mut().pop();
54 });
55}
56
57pub fn clear_execution_policy_stacks() {
58 EXECUTION_POLICY_STACK.with(|stack| stack.borrow_mut().clear());
59 EXECUTION_APPROVAL_POLICY_STACK.with(|stack| stack.borrow_mut().clear());
60 TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| *depth.borrow_mut() = 0);
61}
62
63pub fn current_execution_policy() -> Option<CapabilityPolicy> {
64 EXECUTION_POLICY_STACK.with(|stack| stack.borrow().last().cloned())
65}
66
67pub fn execution_policy_active() -> bool {
72 EXECUTION_POLICY_STACK.with(|stack| !stack.borrow().is_empty())
73}
74
75pub fn push_approval_policy(policy: ToolApprovalPolicy) {
76 EXECUTION_APPROVAL_POLICY_STACK.with(|stack| stack.borrow_mut().push(policy));
77}
78
79pub fn pop_approval_policy() {
80 EXECUTION_APPROVAL_POLICY_STACK.with(|stack| {
81 stack.borrow_mut().pop();
82 });
83}
84
85pub fn current_approval_policy() -> Option<ToolApprovalPolicy> {
86 EXECUTION_APPROVAL_POLICY_STACK.with(|stack| stack.borrow().last().cloned())
87}
88
89pub(crate) fn swap_execution_policy_stack(next: Vec<CapabilityPolicy>) -> Vec<CapabilityPolicy> {
102 EXECUTION_POLICY_STACK.with(|stack| std::mem::replace(&mut *stack.borrow_mut(), next))
103}
104
105pub(crate) fn swap_approval_policy_stack(next: Vec<ToolApprovalPolicy>) -> Vec<ToolApprovalPolicy> {
106 EXECUTION_APPROVAL_POLICY_STACK.with(|stack| std::mem::replace(&mut *stack.borrow_mut(), next))
107}
108
109pub(crate) fn swap_trusted_bridge_depth(next: usize) -> usize {
110 TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| std::mem::replace(&mut *depth.borrow_mut(), next))
111}
112
113pub fn current_tool_annotations(tool: &str) -> Option<ToolAnnotations> {
114 current_execution_policy().and_then(|policy| policy.tool_annotations.get(tool).cloned())
115}
116
117pub fn current_allowed_tool_names() -> Vec<String> {
125 let Some(policy) = current_execution_policy() else {
126 return Vec::new();
127 };
128 if !policy.tools.is_empty() {
129 return policy.tools;
130 }
131 policy.tool_annotations.keys().cloned().collect()
132}
133
134pub(super) fn tool_kind_participates_in_write_allowlist(tool_name: &str) -> bool {
135 current_tool_annotations(tool_name)
136 .map(|annotations| !annotations.kind.is_read_only())
137 .unwrap_or(true)
138}
139
140pub struct TrustedBridgeCallGuard;
141
142pub fn allow_trusted_bridge_calls() -> TrustedBridgeCallGuard {
143 TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| {
144 *depth.borrow_mut() += 1;
145 });
146 TrustedBridgeCallGuard
147}
148
149impl Drop for TrustedBridgeCallGuard {
150 fn drop(&mut self) {
151 TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| {
152 let mut depth = depth.borrow_mut();
153 *depth = depth.saturating_sub(1);
154 });
155 }
156}
157
158fn policy_allows_tool(policy: &CapabilityPolicy, tool: &str) -> bool {
159 policy.tools.is_empty() || policy.tools.iter().any(|allowed| allowed == tool)
160}
161
162fn policy_grants_capability(policy: &CapabilityPolicy, capability: &str, op: &str) -> bool {
163 policy
164 .capabilities
165 .get(capability)
166 .is_some_and(|ops| ops.is_empty() || ops.iter().any(|allowed| allowed == op))
167}
168
169fn policy_allows_capability(policy: &CapabilityPolicy, capability: &str, op: &str) -> bool {
170 if policy.capabilities.is_empty() {
171 return true;
173 }
174 if policy_grants_capability(policy, capability, op) {
175 return true;
176 }
177 if capability == "workspace" && op == "exists" {
189 return policy_grants_capability(policy, "workspace", "read_text")
190 || policy_grants_capability(policy, "workspace", "list");
191 }
192 false
193}
194
195fn policy_allows_side_effect(policy: &CapabilityPolicy, requested: &str) -> bool {
196 fn rank(v: &str) -> usize {
197 match v {
198 "none" => 0,
199 "read_only" => 1,
200 "workspace_write" => 2,
201 "process_exec" => 3,
202 "network" => 4,
203 _ => 5,
204 }
205 }
206 policy
207 .side_effect_level
208 .as_ref()
209 .map(|allowed| rank(allowed) >= rank(requested))
210 .unwrap_or(true)
211}
212
213pub(super) fn reject_policy(reason: String) -> Result<(), VmError> {
214 Err(VmError::CategorizedError {
215 message: reason,
216 category: crate::value::ErrorCategory::ToolRejected,
217 })
218}
219
220#[derive(Clone, Debug, PartialEq, Eq)]
227pub struct PolicyDenial {
228 pub gate: crate::agent_events::DenialGate,
229 pub capability: Option<String>,
230 pub reason: String,
231}
232
233impl From<PolicyDenial> for VmError {
234 fn from(denial: PolicyDenial) -> Self {
235 VmError::CategorizedError {
236 message: denial.reason,
237 category: crate::value::ErrorCategory::ToolRejected,
238 }
239 }
240}
241
242pub(super) fn reject_tool(
243 gate: crate::agent_events::DenialGate,
244 capability: Option<String>,
245 reason: String,
246) -> Result<(), PolicyDenial> {
247 Err(PolicyDenial {
248 gate,
249 capability,
250 reason,
251 })
252}
253
254pub fn current_tool_mutation_classification(tool_name: &str) -> String {
259 current_tool_annotations(tool_name)
260 .map(|annotations| annotations.kind.mutation_class().to_string())
261 .unwrap_or_else(|| "other".to_string())
262}
263
264pub fn current_tool_declared_paths(tool_name: &str, args: &serde_json::Value) -> Vec<String> {
268 current_tool_declared_path_entries(tool_name, args)
269 .into_iter()
270 .map(|entry| entry.display_path().to_string())
271 .collect()
272}
273
274pub fn current_tool_declared_path_entries(
279 tool_name: &str,
280 args: &serde_json::Value,
281) -> Vec<WorkspacePathInfo> {
282 let Some(map) = args.as_object() else {
283 return Vec::new();
284 };
285 let Some(annotations) = current_tool_annotations(tool_name) else {
286 return Vec::new();
287 };
288 let workspace_root = crate::stdlib::process::execution_root_path();
289 let mut entries = Vec::new();
290 for key in &annotations.arg_schema.path_params {
291 if let Some(value) = map.get(key) {
292 match value {
293 serde_json::Value::String(path) if !path.is_empty() => {
294 entries.push(classify_workspace_path(path, Some(&workspace_root)));
295 }
296 serde_json::Value::Array(items) => {
297 for item in items.iter().filter_map(|item| item.as_str()) {
298 if !item.is_empty() {
299 entries.push(classify_workspace_path(item, Some(&workspace_root)));
300 }
301 }
302 }
303 _ => {}
304 }
305 }
306 }
307 entries.sort_by(|a, b| a.display_path().cmp(b.display_path()));
308 entries.dedup_by(|left, right| left.policy_candidates() == right.policy_candidates());
309 entries
310}
311
312pub fn enforce_current_policy_for_builtin(name: &str, args: &[VmValue]) -> Result<(), VmError> {
313 let Some(policy) = current_execution_policy() else {
314 return Ok(());
315 };
316 match name {
317 "find_text"
318 if !policy_allows_capability(&policy, "workspace", "read_text")
319 || !policy_allows_capability(&policy, "workspace", "list") =>
320 {
321 return reject_policy(
322 "builtin 'find_text' exceeds workspace.read_text/workspace.list ceiling"
323 .to_string(),
324 );
325 }
326 "read_file"
327 | "read_file_result"
328 | "read_file_bytes"
329 | "render"
330 | "render_prompt"
331 | "render_with_provenance"
332 | "read_lines"
333 if !policy_allows_capability(&policy, "workspace", "read_text") =>
334 {
335 return reject_policy(format!(
336 "builtin '{name}' exceeds workspace.read_text ceiling"
337 ));
338 }
339 "list_dir" | "walk_dir" | "glob"
340 if !policy_allows_capability(&policy, "workspace", "list") =>
341 {
342 return reject_policy(format!("builtin '{name}' exceeds workspace.list ceiling"));
343 }
344 "file_exists" | "stat" if !policy_allows_capability(&policy, "workspace", "exists") => {
345 return reject_policy(format!("builtin '{name}' exceeds workspace.exists ceiling"));
346 }
347 "write_file" | "write_file_bytes" | "append_file" | "mkdir" | "copy_file" | "move_file"
348 if !policy_allows_capability(&policy, "workspace", "write_text")
349 || !policy_allows_side_effect(&policy, "workspace_write") =>
350 {
351 return reject_policy(format!("builtin '{name}' exceeds workspace write ceiling"));
352 }
353 "delete_file"
354 if !policy_allows_capability(&policy, "workspace", "delete")
355 || !policy_allows_side_effect(&policy, "workspace_write") =>
356 {
357 return reject_policy(
358 "builtin 'delete_file' exceeds workspace.delete ceiling".to_string(),
359 );
360 }
361 "apply_edit"
362 if !policy_allows_capability(&policy, "workspace", "apply_edit")
363 || !policy_allows_side_effect(&policy, "workspace_write") =>
364 {
365 return reject_policy(
366 "builtin 'apply_edit' exceeds workspace.apply_edit ceiling".to_string(),
367 );
368 }
369 "exec"
370 | "exec_at"
371 | "shell"
372 | "shell_at"
373 | "git.repo.discover"
374 | "git.worktree.create"
375 | "git.worktree.remove"
376 | "git.fetch"
377 | "git.rebase"
378 | "git.status"
379 | "git.conflicts"
380 | "git.push"
381 | "git.diff"
382 | "git.merge_base"
383 if !policy_allows_capability(&policy, "process", "exec")
384 || !policy_allows_side_effect(&policy, "process_exec") =>
385 {
386 return reject_policy(format!("builtin '{name}' exceeds process.exec ceiling"));
387 }
388 "http_get"
389 | "http_post"
390 | "http_put"
391 | "http_patch"
392 | "http_delete"
393 | "http_download"
394 | "http_request"
395 | "unix_socket_json_request"
396 | "__net_unix_socket_json_request"
397 if !policy_allows_side_effect(&policy, "network") =>
398 {
399 return reject_policy(format!("builtin '{name}' exceeds network ceiling"));
400 }
401 "__files_upload"
402 if !policy_allows_capability(&policy, "workspace", "read_text")
403 || !policy_allows_side_effect(&policy, "network") =>
404 {
405 return reject_policy(
406 "builtin '__files_upload' exceeds workspace.read_text/network ceiling".to_string(),
407 );
408 }
409 "http_session_request"
410 | "http_stream_open"
411 | "http_stream_read"
412 | "http_stream_close"
413 | "http_stream_info"
414 | "sse_connect"
415 | "sse_receive"
416 | "websocket_accept"
417 | "websocket_connect"
418 | "websocket_route"
419 | "websocket_send"
420 | "websocket_receive"
421 | "websocket_server"
422 if !policy_allows_side_effect(&policy, "network") =>
423 {
424 return reject_policy(format!("builtin '{name}' exceeds network ceiling"));
425 }
426 "llm_call" | "llm_call_safe" | "llm_completion" | "llm_stream" | "llm_stream_call"
427 | "llm_healthcheck" | "agent_loop"
428 if !policy_allows_capability(&policy, "llm", "call") =>
429 {
430 return reject_policy(format!("builtin '{name}' exceeds llm.call ceiling"));
431 }
432 "connector_call"
433 if !policy_allows_capability(&policy, "connector", "call")
434 || !policy_allows_side_effect(&policy, "network") =>
435 {
436 return reject_policy(
437 "builtin 'connector_call' exceeds connector.call/network ceiling".to_string(),
438 );
439 }
440 "secret_get" if !policy_allows_capability(&policy, "connector", "secret_get") => {
441 return reject_policy(
442 "builtin 'secret_get' exceeds connector.secret_get ceiling".to_string(),
443 );
444 }
445 "event_log_emit" if !policy_allows_capability(&policy, "connector", "event_log_emit") => {
446 return reject_policy(
447 "builtin 'event_log_emit' exceeds connector.event_log_emit ceiling".to_string(),
448 );
449 }
450 "metrics_inc" if !policy_allows_capability(&policy, "connector", "metrics_inc") => {
451 return reject_policy(
452 "builtin 'metrics_inc' exceeds connector.metrics_inc ceiling".to_string(),
453 );
454 }
455 "project_fingerprint"
456 | "project_context_profile_native"
457 | "project_scan_native"
458 | "project_scan_tree_native"
459 | "project_walk_tree_native"
460 | "project_catalog_native"
461 if !policy_allows_capability(&policy, "workspace", "list")
462 || !policy_allows_side_effect(&policy, "read_only") =>
463 {
464 return reject_policy(format!("builtin '{name}' exceeds workspace.list ceiling"));
465 }
466 "__agent_state_init"
467 | "__agent_state_resume"
468 | "__agent_state_write"
469 | "__agent_state_read"
470 | "__agent_state_list"
471 | "__agent_state_delete"
472 | "__agent_state_handoff"
473 if !policy_allows_capability(&policy, "agent_state", "access") =>
474 {
475 return reject_policy(format!(
476 "builtin '{name}' exceeds agent_state.access ceiling"
477 ));
478 }
479 "vision_ocr"
480 if !policy_allows_capability(&policy, "vision", "ocr")
481 || !policy_allows_side_effect(&policy, "process_exec") =>
482 {
483 return reject_policy(format!(
484 "builtin '{name}' exceeds vision.ocr/process ceiling"
485 ));
486 }
487 "mcp_connect"
488 | "mcp_ensure_active"
489 | "mcp_call"
490 | "mcp_list_tools"
491 | "mcp_list_resources"
492 | "mcp_list_resource_templates"
493 | "mcp_read_resource"
494 | "mcp_list_prompts"
495 | "mcp_get_prompt"
496 | "mcp_server_info"
497 | "mcp_disconnect"
498 if !policy_allows_capability(&policy, "process", "exec")
499 || !policy_allows_side_effect(&policy, "process_exec") =>
500 {
501 return reject_policy(format!("builtin '{name}' exceeds process.exec ceiling"));
502 }
503 "host_call" => {
504 let name = args.first().map(|v| v.display()).unwrap_or_default();
505 let Some((capability, op)) = name.split_once('.') else {
506 return reject_policy(format!(
507 "host_call '{name}' must use capability.operation naming"
508 ));
509 };
510 if !policy_allows_capability(&policy, capability, op) {
511 return reject_policy(format!(
512 "host_call {capability}.{op} exceeds capability ceiling"
513 ));
514 }
515 let requested_side_effect = match (capability, op) {
516 ("workspace", "write_text" | "apply_edit" | "delete") => "workspace_write",
517 ("process", "exec") => "process_exec",
518 _ => "read_only",
519 };
520 if !policy_allows_side_effect(&policy, requested_side_effect) {
521 return reject_policy(format!(
522 "host_call {capability}.{op} exceeds side-effect ceiling"
523 ));
524 }
525 }
526 "host_tool_list" | "host_tool_call"
527 if !policy_allows_capability(&policy, "host", "tool_call") =>
528 {
529 return reject_policy(format!("builtin '{name}' exceeds host.tool_call ceiling"));
530 }
531 _ => {}
532 }
533 Ok(())
534}
535
536pub fn enforce_current_policy_for_bridge_builtin(name: &str) -> Result<(), VmError> {
537 let trusted = TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| *depth.borrow() > 0);
538 if trusted {
539 return Ok(());
540 }
541 if current_execution_policy().is_some() {
542 return reject_policy(format!(
543 "bridged builtin '{name}' exceeds execution policy; declare an explicit capability/tool surface instead"
544 ));
545 }
546 Ok(())
547}
548
549pub fn enforce_current_policy_for_tool(tool_name: &str) -> Result<(), PolicyDenial> {
550 use crate::agent_events::DenialGate;
551 let Some(policy) = current_execution_policy() else {
552 return Ok(());
553 };
554 if !policy_allows_tool(&policy, tool_name) {
555 return reject_tool(
556 DenialGate::ToolCeiling,
557 None,
558 format!("tool '{tool_name}' exceeds tool ceiling"),
559 );
560 }
561 if let Some(annotations) = policy.tool_annotations.get(tool_name) {
562 for (capability, ops) in &annotations.capabilities {
563 for op in ops {
564 if !policy_allows_capability(&policy, capability, op) {
565 return reject_tool(
566 DenialGate::CapabilityCeiling,
567 Some(format!("{capability}.{op}")),
568 format!("tool '{tool_name}' exceeds capability ceiling: {capability}.{op}"),
569 );
570 }
571 }
572 }
573 let requested_level = annotations.side_effect_level;
574 if requested_level != SideEffectLevel::None
575 && !policy_allows_side_effect(&policy, requested_level.as_str())
576 {
577 return reject_tool(
578 DenialGate::SideEffectCeiling,
579 None,
580 format!(
581 "tool '{tool_name}' exceeds side-effect ceiling: {}",
582 requested_level.as_str()
583 ),
584 );
585 }
586 }
587 Ok(())
588}
589
590pub fn redact_transcript_visibility(
602 transcript: &VmValue,
603 visibility: Option<&str>,
604) -> Option<VmValue> {
605 let Some(visibility) = visibility else {
606 return Some(transcript.clone());
607 };
608 if visibility != "public" && visibility != "public_only" {
609 return Some(transcript.clone());
610 }
611 let dict = transcript.as_dict()?;
612 let public_messages = match dict.get("messages") {
613 Some(VmValue::List(list)) => list
614 .iter()
615 .filter_map(redact_public_message)
616 .collect::<Vec<_>>(),
617 _ => Vec::new(),
618 };
619 let public_events = match dict.get("events") {
620 Some(VmValue::List(list)) => list
621 .iter()
622 .filter(|event| {
623 event
624 .as_dict()
625 .and_then(|d| d.get("visibility"))
626 .map(|v| v.display())
627 .map(|value| value == "public")
628 .unwrap_or(true)
629 })
630 .cloned()
631 .collect::<Vec<_>>(),
632 _ => Vec::new(),
633 };
634 let mut redacted = dict.clone();
635 redacted.insert(
636 crate::value::intern_key("messages"),
637 VmValue::List(std::sync::Arc::new(public_messages)),
638 );
639 redacted.insert(
640 crate::value::intern_key("events"),
641 VmValue::List(std::sync::Arc::new(public_events)),
642 );
643 Some(VmValue::dict(redacted))
644}
645
646fn redact_public_message(message: &VmValue) -> Option<VmValue> {
647 let Some(dict) = message.as_dict() else {
648 return Some(message.clone());
649 };
650 if dict.get("role").map(|value| value.display()).as_deref() == Some("tool_result") {
651 return None;
652 }
653 if dict
654 .get("visibility")
655 .map(|value| value.display())
656 .is_some_and(|visibility| visibility != "public")
657 {
658 return None;
659 }
660
661 let mut redacted = dict.clone();
662 let mut saw_structured_blocks = false;
663 let mut public_text = Vec::new();
664 for key in ["content", "blocks"] {
665 if let Some(VmValue::List(blocks)) = dict.get(key) {
666 saw_structured_blocks = true;
667 let public_blocks = blocks
668 .iter()
669 .filter_map(redact_public_block)
670 .collect::<Vec<_>>();
671 if key == "blocks" || public_text.is_empty() {
672 public_text = text_fragments_from_blocks(&public_blocks);
673 }
674 redacted.insert(
675 crate::value::intern_key(key),
676 VmValue::List(std::sync::Arc::new(public_blocks)),
677 );
678 }
679 }
680 if saw_structured_blocks {
681 if public_text.is_empty() {
682 redacted.remove("text");
683 } else {
684 redacted.put_str("text", public_text.join("\n"));
685 }
686 }
687 Some(VmValue::dict(redacted))
688}
689
690fn redact_public_block(block: &VmValue) -> Option<VmValue> {
691 let Some(dict) = block.as_dict() else {
692 return Some(block.clone());
693 };
694 if dict
695 .get("visibility")
696 .map(|value| value.display())
697 .is_some_and(|visibility| visibility != "public")
698 {
699 return None;
700 }
701 Some(block.clone())
702}
703
704fn text_fragments_from_blocks(blocks: &[VmValue]) -> Vec<String> {
705 blocks
706 .iter()
707 .filter_map(|block| block.as_dict())
708 .filter_map(|dict| dict.get("text"))
709 .filter_map(|text| match text {
710 VmValue::String(value) if !value.is_empty() => Some(value.to_string()),
711 _ => None,
712 })
713 .collect()
714}
715
716pub fn builtin_ceiling() -> CapabilityPolicy {
717 CapabilityPolicy {
718 tools: Vec::new(),
722 capabilities: BTreeMap::new(),
723 workspace_roots: Vec::new(),
724 read_only_roots: Vec::new(),
725 side_effect_level: Some("network".to_string()),
726 recursion_limit: Some(RuntimeLimits::DEFAULT.max_nested_execution_depth),
727 tool_arg_constraints: Vec::new(),
728 tool_annotations: BTreeMap::new(),
729 sandbox_profile: SandboxProfile::Worktree,
730 process_sandbox: Default::default(),
731 }
732}
733
734#[derive(Clone, Debug, Default, Serialize, Deserialize, PartialEq, Eq)]
738#[serde(default)]
739pub struct ToolApprovalPolicy {
740 #[serde(default)]
743 pub rules: Vec<PolicyRule>,
744 #[serde(default)]
746 pub auto_approve: Vec<String>,
747 #[serde(default)]
749 pub auto_deny: Vec<String>,
750 #[serde(default)]
752 pub require_approval: Vec<String>,
753 #[serde(default)]
755 pub write_path_allowlist: Vec<String>,
756 #[serde(default)]
758 pub allow_sensitive_paths: bool,
759 #[serde(default)]
762 pub sensitive_path_patterns: Vec<String>,
763 #[serde(default)]
765 pub allow_external_paths: bool,
766 #[serde(default)]
768 pub external_roots: Vec<String>,
769 #[serde(default, alias = "repeated_call_limit")]
771 pub repeat_limit: Option<u64>,
772 #[serde(default, alias = "repeated_call_action")]
774 pub repeat_action: Option<PolicyAction>,
775}
776
777#[derive(Debug, Clone, PartialEq, Eq)]
779pub enum ToolApprovalDecision {
780 AutoApproved,
782 AutoDenied { reason: String },
784 RequiresHostApproval,
787}
788
789impl ToolApprovalPolicy {
790 pub fn evaluate_detailed(&self, tool_name: &str, args: &serde_json::Value) -> PolicyEvaluation {
791 approval_rules::evaluate_tool_approval_policy(self, tool_name, args, None)
792 }
793
794 pub fn evaluate_detailed_with_repeat(
795 &self,
796 tool_name: &str,
797 args: &serde_json::Value,
798 repeat_count: u64,
799 ) -> PolicyEvaluation {
800 approval_rules::evaluate_tool_approval_policy(self, tool_name, args, Some(repeat_count))
801 }
802
803 pub fn evaluate(&self, tool_name: &str, args: &serde_json::Value) -> ToolApprovalDecision {
806 let decision = self.evaluate_detailed(tool_name, args);
807 if decision.is_deny() {
808 return ToolApprovalDecision::AutoDenied {
809 reason: decision.reason,
810 };
811 }
812 if decision.is_ask() {
813 return ToolApprovalDecision::RequiresHostApproval;
814 }
815 ToolApprovalDecision::AutoApproved
816 }
817
818 pub fn intersect(&self, other: &ToolApprovalPolicy) -> ToolApprovalPolicy {
824 let auto_approve = if self.auto_approve.is_empty() {
825 other.auto_approve.clone()
826 } else if other.auto_approve.is_empty() {
827 self.auto_approve.clone()
828 } else {
829 self.auto_approve
830 .iter()
831 .filter(|p| other.auto_approve.contains(p))
832 .cloned()
833 .collect()
834 };
835 let mut auto_deny = self.auto_deny.clone();
836 auto_deny.extend(other.auto_deny.iter().cloned());
837 let mut require_approval = self.require_approval.clone();
838 require_approval.extend(other.require_approval.iter().cloned());
839 let write_path_allowlist = if self.write_path_allowlist.is_empty() {
840 other.write_path_allowlist.clone()
841 } else if other.write_path_allowlist.is_empty() {
842 self.write_path_allowlist.clone()
843 } else {
844 self.write_path_allowlist
845 .iter()
846 .filter(|p| other.write_path_allowlist.contains(p))
847 .cloned()
848 .collect()
849 };
850 let mut rules = self.rules.clone();
851 rules.extend(other.rules.iter().cloned());
852 let mut sensitive_path_patterns = self.sensitive_path_patterns.clone();
853 sensitive_path_patterns.extend(other.sensitive_path_patterns.iter().cloned());
854 sensitive_path_patterns.sort();
855 sensitive_path_patterns.dedup();
856 let external_roots = if self.external_roots.is_empty() {
857 other.external_roots.clone()
858 } else if other.external_roots.is_empty() {
859 self.external_roots.clone()
860 } else {
861 self.external_roots
862 .iter()
863 .filter(|root| other.external_roots.contains(root))
864 .cloned()
865 .collect()
866 };
867 ToolApprovalPolicy {
868 rules,
869 auto_approve,
870 auto_deny,
871 require_approval,
872 write_path_allowlist,
873 allow_sensitive_paths: self.allow_sensitive_paths && other.allow_sensitive_paths,
874 sensitive_path_patterns,
875 allow_external_paths: self.allow_external_paths && other.allow_external_paths,
876 external_roots,
877 repeat_limit: match (self.repeat_limit, other.repeat_limit) {
878 (Some(left), Some(right)) => Some(left.min(right)),
879 (Some(left), None) => Some(left),
880 (None, Some(right)) => Some(right),
881 (None, None) => None,
882 },
883 repeat_action: match (self.repeat_action, other.repeat_action) {
884 (Some(PolicyAction::Deny), _) | (_, Some(PolicyAction::Deny)) => {
885 Some(PolicyAction::Deny)
886 }
887 (Some(PolicyAction::Ask), _) | (_, Some(PolicyAction::Ask)) => {
888 Some(PolicyAction::Ask)
889 }
890 (Some(PolicyAction::Allow), Some(PolicyAction::Allow)) => Some(PolicyAction::Allow),
891 (Some(action), None) | (None, Some(action)) => Some(action),
892 (None, None) => None,
893 },
894 }
895 }
896}
897
898#[cfg(test)]
899mod approval_policy_tests {
900 use super::*;
901 use crate::orchestration::{pop_execution_policy, push_execution_policy, CapabilityPolicy};
902 use crate::tool_annotations::{ToolAnnotations, ToolArgSchema, ToolKind};
903
904 fn workspace_caps(ops: &[&str]) -> CapabilityPolicy {
905 CapabilityPolicy {
906 capabilities: std::collections::BTreeMap::from([(
907 "workspace".to_string(),
908 ops.iter().map(|s| s.to_string()).collect(),
909 )]),
910 ..Default::default()
911 }
912 }
913
914 #[test]
915 fn read_text_subsumes_exists_probe() {
916 push_execution_policy(workspace_caps(&[
923 "read_text",
924 "list",
925 "write_text",
926 "apply_edit",
927 ]));
928 assert!(enforce_current_policy_for_builtin("file_exists", &[]).is_ok());
929 assert!(enforce_current_policy_for_builtin("stat", &[]).is_ok());
930 pop_execution_policy();
931 }
932
933 #[test]
934 fn list_alone_subsumes_exists_probe() {
935 push_execution_policy(workspace_caps(&["list"]));
937 assert!(enforce_current_policy_for_builtin("file_exists", &[]).is_ok());
938 pop_execution_policy();
939 }
940
941 #[test]
942 fn exists_probe_rejected_without_any_read_grant() {
943 push_execution_policy(workspace_caps(&["write_text", "apply_edit"]));
946 assert!(enforce_current_policy_for_builtin("file_exists", &[]).is_err());
947 pop_execution_policy();
948 }
949
950 #[test]
951 fn auto_deny_takes_precedence_over_auto_approve() {
952 let policy = ToolApprovalPolicy {
953 auto_approve: vec!["*".to_string()],
954 auto_deny: vec!["dangerous_*".to_string()],
955 ..Default::default()
956 };
957 assert_eq!(
958 policy.evaluate("dangerous_rm", &serde_json::json!({})),
959 ToolApprovalDecision::AutoDenied {
960 reason: "tool 'dangerous_rm' matches deny pattern 'dangerous_*'".to_string()
961 }
962 );
963 }
964
965 #[test]
966 fn auto_approve_matches_glob() {
967 let policy = ToolApprovalPolicy {
968 auto_approve: vec!["read*".to_string(), "search*".to_string()],
969 ..Default::default()
970 };
971 assert_eq!(
972 policy.evaluate("read_file", &serde_json::json!({})),
973 ToolApprovalDecision::AutoApproved
974 );
975 assert_eq!(
976 policy.evaluate("search", &serde_json::json!({})),
977 ToolApprovalDecision::AutoApproved
978 );
979 }
980
981 #[test]
982 fn require_approval_emits_decision() {
983 let policy = ToolApprovalPolicy {
984 require_approval: vec!["edit*".to_string()],
985 ..Default::default()
986 };
987 let decision = policy.evaluate("edit_file", &serde_json::json!({"path": "foo.rs"}));
988 assert!(matches!(
989 decision,
990 ToolApprovalDecision::RequiresHostApproval
991 ));
992 }
993
994 #[test]
995 fn unmatched_tool_defaults_to_approved() {
996 let policy = ToolApprovalPolicy {
997 auto_approve: vec!["read*".to_string()],
998 require_approval: vec!["edit*".to_string()],
999 ..Default::default()
1000 };
1001 assert_eq!(
1002 policy.evaluate("unknown_tool", &serde_json::json!({})),
1003 ToolApprovalDecision::AutoApproved
1004 );
1005 }
1006
1007 #[test]
1008 fn intersect_merges_deny_lists() {
1009 let a = ToolApprovalPolicy {
1010 auto_deny: vec!["rm*".to_string()],
1011 ..Default::default()
1012 };
1013 let b = ToolApprovalPolicy {
1014 auto_deny: vec!["drop*".to_string()],
1015 ..Default::default()
1016 };
1017 let merged = a.intersect(&b);
1018 assert_eq!(merged.auto_deny.len(), 2);
1019 }
1020
1021 #[test]
1022 fn intersect_restricts_auto_approve_to_common_patterns() {
1023 let a = ToolApprovalPolicy {
1024 auto_approve: vec!["read*".to_string(), "search*".to_string()],
1025 ..Default::default()
1026 };
1027 let b = ToolApprovalPolicy {
1028 auto_approve: vec!["read*".to_string(), "write*".to_string()],
1029 ..Default::default()
1030 };
1031 let merged = a.intersect(&b);
1032 assert_eq!(merged.auto_approve, vec!["read*".to_string()]);
1033 }
1034
1035 #[test]
1036 fn intersect_defers_auto_approve_when_one_side_empty() {
1037 let a = ToolApprovalPolicy {
1038 auto_approve: vec!["read*".to_string()],
1039 ..Default::default()
1040 };
1041 let b = ToolApprovalPolicy::default();
1042 let merged = a.intersect(&b);
1043 assert_eq!(merged.auto_approve, vec!["read*".to_string()]);
1044 }
1045
1046 #[test]
1047 fn write_path_allowlist_matches_recovered_workspace_relative_path() {
1048 let temp = tempfile::tempdir().unwrap();
1049 std::fs::create_dir_all(temp.path().join("packages/demo")).unwrap();
1050 std::fs::write(temp.path().join("packages/demo/file.txt"), "ok").unwrap();
1051 crate::stdlib::process::set_thread_execution_context(Some(
1052 crate::orchestration::RunExecutionRecord {
1053 cwd: Some(temp.path().to_string_lossy().into_owned()),
1054 source_dir: Some(temp.path().to_string_lossy().into_owned()),
1055 env: BTreeMap::new(),
1056 adapter: None,
1057 repo_path: None,
1058 worktree_path: None,
1059 branch: None,
1060 base_ref: None,
1061 cleanup: None,
1062 },
1063 ));
1064
1065 let mut tool_annotations = BTreeMap::new();
1066 tool_annotations.insert(
1067 "write_file".to_string(),
1068 ToolAnnotations {
1069 kind: ToolKind::Edit,
1070 arg_schema: ToolArgSchema {
1071 path_params: vec!["path".to_string()],
1072 ..Default::default()
1073 },
1074 ..Default::default()
1075 },
1076 );
1077 push_execution_policy(CapabilityPolicy {
1078 tool_annotations,
1079 ..Default::default()
1080 });
1081
1082 let policy = ToolApprovalPolicy {
1083 write_path_allowlist: vec!["packages/demo/file.txt".to_string()],
1084 ..Default::default()
1085 };
1086 let decision = policy.evaluate(
1087 "write_file",
1088 &serde_json::json!({"path": "/packages/demo/file.txt"}),
1089 );
1090 assert_eq!(decision, ToolApprovalDecision::AutoApproved);
1091
1092 pop_execution_policy();
1093 crate::stdlib::process::set_thread_execution_context(None);
1094 }
1095
1096 #[test]
1097 fn write_path_allowlist_does_not_block_read_only_tools() {
1098 let temp = tempfile::tempdir().unwrap();
1099 std::fs::create_dir_all(temp.path().join("packages/demo")).unwrap();
1100 std::fs::write(temp.path().join("packages/demo/context.txt"), "ok").unwrap();
1101 crate::stdlib::process::set_thread_execution_context(Some(
1102 crate::orchestration::RunExecutionRecord {
1103 cwd: Some(temp.path().to_string_lossy().into_owned()),
1104 source_dir: Some(temp.path().to_string_lossy().into_owned()),
1105 env: BTreeMap::new(),
1106 adapter: None,
1107 repo_path: None,
1108 worktree_path: None,
1109 branch: None,
1110 base_ref: None,
1111 cleanup: None,
1112 },
1113 ));
1114
1115 let mut tool_annotations = BTreeMap::new();
1116 tool_annotations.insert(
1117 "read_file".to_string(),
1118 ToolAnnotations {
1119 kind: ToolKind::Read,
1120 arg_schema: ToolArgSchema {
1121 path_params: vec!["path".to_string()],
1122 ..Default::default()
1123 },
1124 ..Default::default()
1125 },
1126 );
1127 push_execution_policy(CapabilityPolicy {
1128 tool_annotations,
1129 ..Default::default()
1130 });
1131
1132 let policy = ToolApprovalPolicy {
1133 write_path_allowlist: vec!["packages/demo/file.txt".to_string()],
1134 ..Default::default()
1135 };
1136 let decision = policy.evaluate(
1137 "read_file",
1138 &serde_json::json!({"path": "/packages/demo/context.txt"}),
1139 );
1140 assert_eq!(decision, ToolApprovalDecision::AutoApproved);
1141
1142 pop_execution_policy();
1143 crate::stdlib::process::set_thread_execution_context(None);
1144 }
1145
1146 #[test]
1147 fn builtin_policy_covers_fs_read_and_list_helpers() {
1148 clear_execution_policy_stacks();
1149 push_execution_policy(CapabilityPolicy {
1150 capabilities: BTreeMap::from([("workspace".to_string(), vec!["exists".to_string()])]),
1151 side_effect_level: Some("read_only".to_string()),
1152 ..CapabilityPolicy::default()
1153 });
1154
1155 for name in [
1156 "read_lines",
1157 "find_text",
1158 "walk_dir",
1159 "glob",
1160 "project_context_profile_native",
1161 ] {
1162 assert!(
1163 enforce_current_policy_for_builtin(name, &[]).is_err(),
1164 "{name} should be rejected when the matching workspace capability is absent"
1165 );
1166 }
1167
1168 pop_execution_policy();
1169 }
1170
1171 #[test]
1172 fn move_file_requires_workspace_write_side_effect() {
1173 clear_execution_policy_stacks();
1174 push_execution_policy(CapabilityPolicy {
1175 capabilities: BTreeMap::from([(
1176 "workspace".to_string(),
1177 vec!["write_text".to_string()],
1178 )]),
1179 side_effect_level: Some("read_only".to_string()),
1180 ..CapabilityPolicy::default()
1181 });
1182
1183 let error = enforce_current_policy_for_builtin("move_file", &[]).unwrap_err();
1184 assert!(
1185 error.to_string().contains("workspace write ceiling"),
1186 "unexpected error: {error}"
1187 );
1188
1189 pop_execution_policy();
1190 }
1191
1192 #[test]
1193 fn unix_socket_json_request_requires_network_side_effect() {
1194 clear_execution_policy_stacks();
1195 push_execution_policy(CapabilityPolicy {
1196 side_effect_level: Some("read_only".to_string()),
1197 ..CapabilityPolicy::default()
1198 });
1199
1200 let error =
1201 enforce_current_policy_for_builtin("__net_unix_socket_json_request", &[]).unwrap_err();
1202 assert!(
1203 error.to_string().contains("network ceiling"),
1204 "unexpected error: {error}"
1205 );
1206
1207 pop_execution_policy();
1208 }
1209
1210 #[test]
1211 fn files_upload_requires_workspace_read_and_network_side_effect() {
1212 clear_execution_policy_stacks();
1213 push_execution_policy(CapabilityPolicy {
1214 capabilities: BTreeMap::from([(
1215 "workspace".to_string(),
1216 vec!["read_text".to_string()],
1217 )]),
1218 side_effect_level: Some("read_only".to_string()),
1219 ..CapabilityPolicy::default()
1220 });
1221
1222 let network_error = enforce_current_policy_for_builtin("__files_upload", &[]).unwrap_err();
1223 assert!(
1224 network_error.to_string().contains("network ceiling"),
1225 "unexpected error: {network_error}"
1226 );
1227 pop_execution_policy();
1228
1229 push_execution_policy(CapabilityPolicy {
1230 capabilities: BTreeMap::from([("workspace".to_string(), vec!["exists".to_string()])]),
1231 side_effect_level: Some("network".to_string()),
1232 ..CapabilityPolicy::default()
1233 });
1234 let read_error = enforce_current_policy_for_builtin("__files_upload", &[]).unwrap_err();
1235 assert!(
1236 read_error.to_string().contains("workspace.read_text"),
1237 "unexpected error: {read_error}"
1238 );
1239
1240 pop_execution_policy();
1241 }
1242}
1243
1244#[cfg(test)]
1245mod turn_policy_tests {
1246 use super::TurnPolicy;
1247
1248 #[test]
1249 fn default_allows_done_sentinel() {
1250 let policy = TurnPolicy::default();
1251 assert!(policy.allow_done_sentinel);
1252 assert!(!policy.require_action_or_yield);
1253 assert!(policy.max_prose_chars.is_none());
1254 }
1255
1256 #[test]
1257 fn deserializing_partial_dict_preserves_done_sentinel_pathway() {
1258 let policy: TurnPolicy =
1263 serde_json::from_value(serde_json::json!({ "require_action_or_yield": true }))
1264 .expect("deserialize");
1265 assert!(policy.require_action_or_yield);
1266 assert!(policy.allow_done_sentinel);
1267 }
1268
1269 #[test]
1270 fn deserializing_explicit_false_disables_done_sentinel() {
1271 let policy: TurnPolicy = serde_json::from_value(serde_json::json!({
1272 "require_action_or_yield": true,
1273 "allow_done_sentinel": false,
1274 }))
1275 .expect("deserialize");
1276 assert!(policy.require_action_or_yield);
1277 assert!(!policy.allow_done_sentinel);
1278 }
1279}
1280
1281#[cfg(test)]
1282mod visibility_redaction_tests {
1283 use super::*;
1284 use crate::value::VmValue;
1285
1286 fn mock_transcript() -> VmValue {
1287 let messages = vec![
1288 serde_json::json!({"role": "user", "content": "hi"}),
1289 serde_json::json!({"role": "assistant", "content": "hello"}),
1290 serde_json::json!({"role": "tool_result", "content": "internal tool output"}),
1291 ];
1292 crate::llm::helpers::transcript_to_vm_with_events(
1293 Some("test-id".to_string()),
1294 None,
1295 None,
1296 &messages,
1297 Vec::new(),
1298 Vec::new(),
1299 Some("active"),
1300 )
1301 }
1302
1303 fn message_count(transcript: &VmValue) -> usize {
1304 transcript
1305 .as_dict()
1306 .and_then(|d| d.get("messages"))
1307 .and_then(|v| match v {
1308 VmValue::List(list) => Some(list.len()),
1309 _ => None,
1310 })
1311 .unwrap_or(0)
1312 }
1313
1314 #[test]
1315 fn visibility_none_returns_unchanged() {
1316 let t = mock_transcript();
1317 let result = redact_transcript_visibility(&t, None).unwrap();
1318 assert_eq!(message_count(&result), 3);
1319 }
1320
1321 #[test]
1322 fn visibility_public_drops_tool_results() {
1323 let t = mock_transcript();
1324 let result = redact_transcript_visibility(&t, Some("public")).unwrap();
1325 assert_eq!(message_count(&result), 2);
1326 }
1327
1328 #[test]
1329 fn visibility_public_drops_private_content_blocks() {
1330 let t = crate::schema::json_to_vm_value(&serde_json::json!({
1331 "messages": [
1332 {
1333 "role": "assistant",
1334 "visibility": "public",
1335 "text": "visible answer\nsecret chain",
1336 "content": [
1337 {"type": "output_text", "text": "visible answer", "visibility": "public"},
1338 {"type": "reasoning", "text": "secret chain", "visibility": "private"}
1339 ],
1340 "blocks": [
1341 {"type": "output_text", "text": "visible block", "visibility": "public"},
1342 {"type": "tool_call", "text": "internal args", "visibility": "internal"}
1343 ]
1344 }
1345 ],
1346 "events": []
1347 }));
1348
1349 let result = redact_transcript_visibility(&t, Some("public")).unwrap();
1350 let rendered = result.display();
1351 assert!(rendered.contains("visible answer"));
1352 assert!(rendered.contains("visible block"));
1353 assert!(!rendered.contains("secret chain"));
1354 assert!(!rendered.contains("internal args"));
1355 }
1356
1357 #[test]
1358 fn visibility_unknown_string_is_pass_through() {
1359 let t = mock_transcript();
1360 let result = redact_transcript_visibility(&t, Some("internal")).unwrap();
1361 assert_eq!(message_count(&result), 3);
1362 }
1363}