Skip to main content

harn_vm/orchestration/policy/
mod.rs

1//! Policy types and capability-ceiling enforcement.
2
3mod approval_rules;
4mod effects;
5mod nested_budget;
6mod types;
7
8use crate::value::VmDictExt;
9use std::cell::RefCell;
10use std::collections::BTreeMap;
11use std::thread_local;
12
13use serde::{Deserialize, Serialize};
14
15use crate::runtime_limits::RuntimeLimits;
16use crate::tool_annotations::{SideEffectLevel, ToolAnnotations};
17use crate::value::{VmError, VmValue};
18use crate::workspace_path::{classify_workspace_path, WorkspacePathInfo};
19
20pub use crate::tool_annotations::{ToolArgSchema, ToolKind};
21pub use approval_rules::{
22    clear_all_approval_policy_repeat_counts, clear_approval_policy_repeat_counts,
23    next_approval_policy_repeat_count, ApprovalShape, PolicyAction, PolicyEvaluation,
24    PolicyMatchedRule, PolicyRule, PolicyRuleMatch,
25};
26pub use effects::{
27    compute_handoff_effects, effect_kind_label, effect_record_summary, effect_subset_violations,
28    effects_from_metadata, EffectKind, EffectRecord, EffectScope,
29};
30pub use nested_budget::{
31    annotate_nested_execution_options, enter_nested_execution_policy, NestedExecutionGuard,
32    NestedExecutionKind, NESTED_KIND_OPTION_KEY, NESTED_LABEL_OPTION_KEY,
33};
34pub use types::{
35    enforce_tool_arg_constraints, AutoCompactPolicy, BranchSemantics, CapabilityPolicy,
36    ContextPolicy, EqIgnored, EscalationPolicy, JoinPolicy, MapPolicy, ModelPolicy,
37    NativeToolFallbackPolicy, ProcessSandboxPolicy, ProcessSandboxPreset, ReducePolicy,
38    RetryPolicy, SandboxProfile, StageContract, ToolArgConstraint, TurnPolicy,
39};
40
41thread_local! {
42    static EXECUTION_POLICY_STACK: RefCell<Vec<CapabilityPolicy>> = const { RefCell::new(Vec::new()) };
43    static EXECUTION_APPROVAL_POLICY_STACK: RefCell<Vec<ToolApprovalPolicy>> = const { RefCell::new(Vec::new()) };
44    static TRUSTED_BRIDGE_CALL_DEPTH: RefCell<usize> = const { RefCell::new(0) };
45}
46
47pub fn push_execution_policy(policy: CapabilityPolicy) {
48    EXECUTION_POLICY_STACK.with(|stack| stack.borrow_mut().push(policy));
49}
50
51pub fn pop_execution_policy() {
52    EXECUTION_POLICY_STACK.with(|stack| {
53        stack.borrow_mut().pop();
54    });
55}
56
57pub fn clear_execution_policy_stacks() {
58    EXECUTION_POLICY_STACK.with(|stack| stack.borrow_mut().clear());
59    EXECUTION_APPROVAL_POLICY_STACK.with(|stack| stack.borrow_mut().clear());
60    TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| *depth.borrow_mut() = 0);
61}
62
63pub fn current_execution_policy() -> Option<CapabilityPolicy> {
64    EXECUTION_POLICY_STACK.with(|stack| stack.borrow().last().cloned())
65}
66
67/// O(1) probe for whether any execution policy scope is active on this
68/// thread/task. Lets hot paths (tool dispatch) skip policy enforcement
69/// entirely without paying the `CapabilityPolicy` clone that
70/// [`current_execution_policy`] performs.
71pub fn execution_policy_active() -> bool {
72    EXECUTION_POLICY_STACK.with(|stack| !stack.borrow().is_empty())
73}
74
75pub fn push_approval_policy(policy: ToolApprovalPolicy) {
76    EXECUTION_APPROVAL_POLICY_STACK.with(|stack| stack.borrow_mut().push(policy));
77}
78
79pub fn pop_approval_policy() {
80    EXECUTION_APPROVAL_POLICY_STACK.with(|stack| {
81        stack.borrow_mut().pop();
82    });
83}
84
85pub fn current_approval_policy() -> Option<ToolApprovalPolicy> {
86    EXECUTION_APPROVAL_POLICY_STACK.with(|stack| stack.borrow().last().cloned())
87}
88
89// --- Per-task ambient-scope swap primitives -------------------------------
90//
91// The policy/approval/trusted stacks are thread-locals managed as LIFO scopes.
92// That invariant holds for a single synchronous call stack, but a guard held
93// across an `.await` is unsound: under `spawn_local` (and any work-stealing
94// multi-thread executor) a sibling task interleaves and reads/mutates the same
95// thread-local top-of-stack. `AmbientExecutionScope` (see `ambient_scope`)
96// gives each spawned worker its own scope by swapping these stacks in on
97// poll-enter and back out on poll-exit; these `swap_*` helpers are the O(1)
98// primitives it uses. They are intentionally `pub(crate)` — only the ambient
99// combinator should move whole stacks; ordinary code uses push/pop/current.
100
101pub(crate) fn swap_execution_policy_stack(next: Vec<CapabilityPolicy>) -> Vec<CapabilityPolicy> {
102    EXECUTION_POLICY_STACK.with(|stack| std::mem::replace(&mut *stack.borrow_mut(), next))
103}
104
105pub(crate) fn swap_approval_policy_stack(next: Vec<ToolApprovalPolicy>) -> Vec<ToolApprovalPolicy> {
106    EXECUTION_APPROVAL_POLICY_STACK.with(|stack| std::mem::replace(&mut *stack.borrow_mut(), next))
107}
108
109pub(crate) fn swap_trusted_bridge_depth(next: usize) -> usize {
110    TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| std::mem::replace(&mut *depth.borrow_mut(), next))
111}
112
113pub fn current_tool_annotations(tool: &str) -> Option<ToolAnnotations> {
114    current_execution_policy().and_then(|policy| policy.tool_annotations.get(tool).cloned())
115}
116
117/// The explicit tool allowlist the active execution policy advertises, for
118/// building actionable denial feedback that names what the model *can* call.
119///
120/// Prefers `policy.tools` (the explicit ceiling — what the eval lane sets);
121/// falls back to the annotation registry keys when no explicit list is present.
122/// Returns an empty `Vec` when no policy is active or the surface is unbounded
123/// (allow-all), in which case callers keep their generic guidance.
124pub fn current_allowed_tool_names() -> Vec<String> {
125    let Some(policy) = current_execution_policy() else {
126        return Vec::new();
127    };
128    if !policy.tools.is_empty() {
129        return policy.tools;
130    }
131    policy.tool_annotations.keys().cloned().collect()
132}
133
134pub(super) fn tool_kind_participates_in_write_allowlist(tool_name: &str) -> bool {
135    current_tool_annotations(tool_name)
136        .map(|annotations| !annotations.kind.is_read_only())
137        .unwrap_or(true)
138}
139
140pub struct TrustedBridgeCallGuard;
141
142pub fn allow_trusted_bridge_calls() -> TrustedBridgeCallGuard {
143    TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| {
144        *depth.borrow_mut() += 1;
145    });
146    TrustedBridgeCallGuard
147}
148
149impl Drop for TrustedBridgeCallGuard {
150    fn drop(&mut self) {
151        TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| {
152            let mut depth = depth.borrow_mut();
153            *depth = depth.saturating_sub(1);
154        });
155    }
156}
157
158fn policy_allows_tool(policy: &CapabilityPolicy, tool: &str) -> bool {
159    policy.tools.is_empty() || policy.tools.iter().any(|allowed| allowed == tool)
160}
161
162fn policy_grants_capability(policy: &CapabilityPolicy, capability: &str, op: &str) -> bool {
163    policy
164        .capabilities
165        .get(capability)
166        .is_some_and(|ops| ops.is_empty() || ops.iter().any(|allowed| allowed == op))
167}
168
169fn policy_allows_capability(policy: &CapabilityPolicy, capability: &str, op: &str) -> bool {
170    if policy.capabilities.is_empty() {
171        // Empty capability map = allow-all (e.g. the root agent policy).
172        return true;
173    }
174    if policy_grants_capability(policy, capability, op) {
175        return true;
176    }
177    // Capability subsumption: a stronger read grant implies the weaker
178    // observations it already exposes. An existence/metadata probe
179    // (`workspace.exists`, used by `file_exists`/`stat`) reveals strictly less
180    // than reading file contents (`workspace.read_text`) or listing a directory
181    // (`workspace.list`) — both of which already disclose whether a path
182    // exists. A policy that grants read/list but withholds the existence probe
183    // is incoherent, and silently wedges any tool that stats a path before
184    // reading it (look, read_file, edit/scaffold preflight). Narrowed worker
185    // policies derived from tool annotations hit this constantly because no
186    // annotation declares `workspace.exists`. Encode the lattice once here so
187    // every narrowed policy benefits, not one dispatch surface at a time.
188    if capability == "workspace" && op == "exists" {
189        return policy_grants_capability(policy, "workspace", "read_text")
190            || policy_grants_capability(policy, "workspace", "list");
191    }
192    false
193}
194
195fn policy_allows_side_effect(policy: &CapabilityPolicy, requested: &str) -> bool {
196    fn rank(v: &str) -> usize {
197        match v {
198            "none" => 0,
199            "read_only" => 1,
200            "workspace_write" => 2,
201            "process_exec" => 3,
202            "network" => 4,
203            _ => 5,
204        }
205    }
206    policy
207        .side_effect_level
208        .as_ref()
209        .map(|allowed| rank(allowed) >= rank(requested))
210        .unwrap_or(true)
211}
212
213pub(super) fn reject_policy(reason: String) -> Result<(), VmError> {
214    Err(VmError::CategorizedError {
215        message: reason,
216        category: crate::value::ErrorCategory::ToolRejected,
217    })
218}
219
220/// Structured refusal produced by the agent-tool capability gates
221/// (`enforce_current_policy_for_tool`, `enforce_tool_arg_constraints`).
222/// Records the gate identity and the exceeded capability so the dispatch
223/// boundary can build a full [`crate::agent_events::ToolDenial`] for the
224/// model and host. `From<PolicyDenial> for VmError` keeps the legacy
225/// `?`-using callers — which only need the categorized error — unchanged.
226#[derive(Clone, Debug, PartialEq, Eq)]
227pub struct PolicyDenial {
228    pub gate: crate::agent_events::DenialGate,
229    pub capability: Option<String>,
230    pub reason: String,
231}
232
233impl From<PolicyDenial> for VmError {
234    fn from(denial: PolicyDenial) -> Self {
235        VmError::CategorizedError {
236            message: denial.reason,
237            category: crate::value::ErrorCategory::ToolRejected,
238        }
239    }
240}
241
242pub(super) fn reject_tool(
243    gate: crate::agent_events::DenialGate,
244    capability: Option<String>,
245    reason: String,
246) -> Result<(), PolicyDenial> {
247    Err(PolicyDenial {
248        gate,
249        capability,
250        reason,
251    })
252}
253
254/// Mutation classification for a tool, derived from the pipeline's
255/// declared `ToolKind`. Used in telemetry and pre/post-bridge payloads
256/// while those methods still exist. Returns `"other"` for unannotated
257/// tools (fail-safe; unknown tools don't auto-classify).
258pub fn current_tool_mutation_classification(tool_name: &str) -> String {
259    current_tool_annotations(tool_name)
260        .map(|annotations| annotations.kind.mutation_class().to_string())
261        .unwrap_or_else(|| "other".to_string())
262}
263
264/// Workspace paths declared by this tool call, read from the tool's
265/// annotated `arg_schema.path_params`. Unannotated tools declare no
266/// paths — the VM no longer guesses by common argument names.
267pub fn current_tool_declared_paths(tool_name: &str, args: &serde_json::Value) -> Vec<String> {
268    current_tool_declared_path_entries(tool_name, args)
269        .into_iter()
270        .map(|entry| entry.display_path().to_string())
271        .collect()
272}
273
274/// Rich workspace-path descriptors declared by this tool call. Each
275/// entry preserves the original input while also projecting the path
276/// into workspace-relative and host-absolute forms when that mapping is
277/// known.
278pub fn current_tool_declared_path_entries(
279    tool_name: &str,
280    args: &serde_json::Value,
281) -> Vec<WorkspacePathInfo> {
282    let Some(map) = args.as_object() else {
283        return Vec::new();
284    };
285    let Some(annotations) = current_tool_annotations(tool_name) else {
286        return Vec::new();
287    };
288    let workspace_root = crate::stdlib::process::execution_root_path();
289    let mut entries = Vec::new();
290    for key in &annotations.arg_schema.path_params {
291        if let Some(value) = map.get(key) {
292            match value {
293                serde_json::Value::String(path) if !path.is_empty() => {
294                    entries.push(classify_workspace_path(path, Some(&workspace_root)));
295                }
296                serde_json::Value::Array(items) => {
297                    for item in items.iter().filter_map(|item| item.as_str()) {
298                        if !item.is_empty() {
299                            entries.push(classify_workspace_path(item, Some(&workspace_root)));
300                        }
301                    }
302                }
303                _ => {}
304            }
305        }
306    }
307    entries.sort_by(|a, b| a.display_path().cmp(b.display_path()));
308    entries.dedup_by(|left, right| left.policy_candidates() == right.policy_candidates());
309    entries
310}
311
312pub fn enforce_current_policy_for_builtin(name: &str, args: &[VmValue]) -> Result<(), VmError> {
313    let Some(policy) = current_execution_policy() else {
314        return Ok(());
315    };
316    match name {
317        "find_text"
318            if !policy_allows_capability(&policy, "workspace", "read_text")
319                || !policy_allows_capability(&policy, "workspace", "list") =>
320        {
321            return reject_policy(
322                "builtin 'find_text' exceeds workspace.read_text/workspace.list ceiling"
323                    .to_string(),
324            );
325        }
326        "read_file"
327        | "read_file_result"
328        | "read_file_bytes"
329        | "render"
330        | "render_prompt"
331        | "render_with_provenance"
332        | "read_lines"
333            if !policy_allows_capability(&policy, "workspace", "read_text") =>
334        {
335            return reject_policy(format!(
336                "builtin '{name}' exceeds workspace.read_text ceiling"
337            ));
338        }
339        "list_dir" | "walk_dir" | "glob"
340            if !policy_allows_capability(&policy, "workspace", "list") =>
341        {
342            return reject_policy(format!("builtin '{name}' exceeds workspace.list ceiling"));
343        }
344        "file_exists" | "stat" if !policy_allows_capability(&policy, "workspace", "exists") => {
345            return reject_policy(format!("builtin '{name}' exceeds workspace.exists ceiling"));
346        }
347        "write_file" | "write_file_bytes" | "append_file" | "mkdir" | "copy_file" | "move_file"
348            if !policy_allows_capability(&policy, "workspace", "write_text")
349                || !policy_allows_side_effect(&policy, "workspace_write") =>
350        {
351            return reject_policy(format!("builtin '{name}' exceeds workspace write ceiling"));
352        }
353        "delete_file"
354            if !policy_allows_capability(&policy, "workspace", "delete")
355                || !policy_allows_side_effect(&policy, "workspace_write") =>
356        {
357            return reject_policy(
358                "builtin 'delete_file' exceeds workspace.delete ceiling".to_string(),
359            );
360        }
361        "apply_edit"
362            if !policy_allows_capability(&policy, "workspace", "apply_edit")
363                || !policy_allows_side_effect(&policy, "workspace_write") =>
364        {
365            return reject_policy(
366                "builtin 'apply_edit' exceeds workspace.apply_edit ceiling".to_string(),
367            );
368        }
369        "exec"
370        | "exec_at"
371        | "shell"
372        | "shell_at"
373        | "git.repo.discover"
374        | "git.worktree.create"
375        | "git.worktree.remove"
376        | "git.fetch"
377        | "git.rebase"
378        | "git.status"
379        | "git.conflicts"
380        | "git.push"
381        | "git.diff"
382        | "git.merge_base"
383            if !policy_allows_capability(&policy, "process", "exec")
384                || !policy_allows_side_effect(&policy, "process_exec") =>
385        {
386            return reject_policy(format!("builtin '{name}' exceeds process.exec ceiling"));
387        }
388        "http_get"
389        | "http_post"
390        | "http_put"
391        | "http_patch"
392        | "http_delete"
393        | "http_download"
394        | "http_request"
395        | "unix_socket_json_request"
396        | "__net_unix_socket_json_request"
397            if !policy_allows_side_effect(&policy, "network") =>
398        {
399            return reject_policy(format!("builtin '{name}' exceeds network ceiling"));
400        }
401        "__files_upload"
402            if !policy_allows_capability(&policy, "workspace", "read_text")
403                || !policy_allows_side_effect(&policy, "network") =>
404        {
405            return reject_policy(
406                "builtin '__files_upload' exceeds workspace.read_text/network ceiling".to_string(),
407            );
408        }
409        "http_session_request"
410        | "http_stream_open"
411        | "http_stream_read"
412        | "http_stream_close"
413        | "http_stream_info"
414        | "sse_connect"
415        | "sse_receive"
416        | "websocket_accept"
417        | "websocket_connect"
418        | "websocket_route"
419        | "websocket_send"
420        | "websocket_receive"
421        | "websocket_server"
422            if !policy_allows_side_effect(&policy, "network") =>
423        {
424            return reject_policy(format!("builtin '{name}' exceeds network ceiling"));
425        }
426        "llm_call" | "llm_call_safe" | "llm_completion" | "llm_stream" | "llm_stream_call"
427        | "llm_healthcheck" | "agent_loop"
428            if !policy_allows_capability(&policy, "llm", "call") =>
429        {
430            return reject_policy(format!("builtin '{name}' exceeds llm.call ceiling"));
431        }
432        "connector_call"
433            if !policy_allows_capability(&policy, "connector", "call")
434                || !policy_allows_side_effect(&policy, "network") =>
435        {
436            return reject_policy(
437                "builtin 'connector_call' exceeds connector.call/network ceiling".to_string(),
438            );
439        }
440        "secret_get" if !policy_allows_capability(&policy, "connector", "secret_get") => {
441            return reject_policy(
442                "builtin 'secret_get' exceeds connector.secret_get ceiling".to_string(),
443            );
444        }
445        "event_log_emit" if !policy_allows_capability(&policy, "connector", "event_log_emit") => {
446            return reject_policy(
447                "builtin 'event_log_emit' exceeds connector.event_log_emit ceiling".to_string(),
448            );
449        }
450        "metrics_inc" if !policy_allows_capability(&policy, "connector", "metrics_inc") => {
451            return reject_policy(
452                "builtin 'metrics_inc' exceeds connector.metrics_inc ceiling".to_string(),
453            );
454        }
455        "project_fingerprint"
456        | "project_context_profile_native"
457        | "project_scan_native"
458        | "project_scan_tree_native"
459        | "project_walk_tree_native"
460        | "project_catalog_native"
461            if !policy_allows_capability(&policy, "workspace", "list")
462                || !policy_allows_side_effect(&policy, "read_only") =>
463        {
464            return reject_policy(format!("builtin '{name}' exceeds workspace.list ceiling"));
465        }
466        "__agent_state_init"
467        | "__agent_state_resume"
468        | "__agent_state_write"
469        | "__agent_state_read"
470        | "__agent_state_list"
471        | "__agent_state_delete"
472        | "__agent_state_handoff"
473            if !policy_allows_capability(&policy, "agent_state", "access") =>
474        {
475            return reject_policy(format!(
476                "builtin '{name}' exceeds agent_state.access ceiling"
477            ));
478        }
479        "vision_ocr"
480            if !policy_allows_capability(&policy, "vision", "ocr")
481                || !policy_allows_side_effect(&policy, "process_exec") =>
482        {
483            return reject_policy(format!(
484                "builtin '{name}' exceeds vision.ocr/process ceiling"
485            ));
486        }
487        "mcp_connect"
488        | "mcp_ensure_active"
489        | "mcp_call"
490        | "mcp_list_tools"
491        | "mcp_list_resources"
492        | "mcp_list_resource_templates"
493        | "mcp_read_resource"
494        | "mcp_list_prompts"
495        | "mcp_get_prompt"
496        | "mcp_server_info"
497        | "mcp_disconnect"
498            if !policy_allows_capability(&policy, "process", "exec")
499                || !policy_allows_side_effect(&policy, "process_exec") =>
500        {
501            return reject_policy(format!("builtin '{name}' exceeds process.exec ceiling"));
502        }
503        "host_call" => {
504            let name = args.first().map(|v| v.display()).unwrap_or_default();
505            let Some((capability, op)) = name.split_once('.') else {
506                return reject_policy(format!(
507                    "host_call '{name}' must use capability.operation naming"
508                ));
509            };
510            if !policy_allows_capability(&policy, capability, op) {
511                return reject_policy(format!(
512                    "host_call {capability}.{op} exceeds capability ceiling"
513                ));
514            }
515            let requested_side_effect = match (capability, op) {
516                ("workspace", "write_text" | "apply_edit" | "delete") => "workspace_write",
517                ("process", "exec") => "process_exec",
518                _ => "read_only",
519            };
520            if !policy_allows_side_effect(&policy, requested_side_effect) {
521                return reject_policy(format!(
522                    "host_call {capability}.{op} exceeds side-effect ceiling"
523                ));
524            }
525        }
526        "host_tool_list" | "host_tool_call"
527            if !policy_allows_capability(&policy, "host", "tool_call") =>
528        {
529            return reject_policy(format!("builtin '{name}' exceeds host.tool_call ceiling"));
530        }
531        _ => {}
532    }
533    Ok(())
534}
535
536pub fn enforce_current_policy_for_bridge_builtin(name: &str) -> Result<(), VmError> {
537    let trusted = TRUSTED_BRIDGE_CALL_DEPTH.with(|depth| *depth.borrow() > 0);
538    if trusted {
539        return Ok(());
540    }
541    if current_execution_policy().is_some() {
542        return reject_policy(format!(
543            "bridged builtin '{name}' exceeds execution policy; declare an explicit capability/tool surface instead"
544        ));
545    }
546    Ok(())
547}
548
549pub fn enforce_current_policy_for_tool(tool_name: &str) -> Result<(), PolicyDenial> {
550    use crate::agent_events::DenialGate;
551    let Some(policy) = current_execution_policy() else {
552        return Ok(());
553    };
554    if !policy_allows_tool(&policy, tool_name) {
555        return reject_tool(
556            DenialGate::ToolCeiling,
557            None,
558            format!("tool '{tool_name}' exceeds tool ceiling"),
559        );
560    }
561    if let Some(annotations) = policy.tool_annotations.get(tool_name) {
562        for (capability, ops) in &annotations.capabilities {
563            for op in ops {
564                if !policy_allows_capability(&policy, capability, op) {
565                    return reject_tool(
566                        DenialGate::CapabilityCeiling,
567                        Some(format!("{capability}.{op}")),
568                        format!("tool '{tool_name}' exceeds capability ceiling: {capability}.{op}"),
569                    );
570                }
571            }
572        }
573        let requested_level = annotations.side_effect_level;
574        if requested_level != SideEffectLevel::None
575            && !policy_allows_side_effect(&policy, requested_level.as_str())
576        {
577            return reject_tool(
578                DenialGate::SideEffectCeiling,
579                None,
580                format!(
581                    "tool '{tool_name}' exceeds side-effect ceiling: {}",
582                    requested_level.as_str()
583                ),
584            );
585        }
586    }
587    Ok(())
588}
589
590// ── Output visibility redaction ─────────────────────────────────────
591//
592// Transcript lifecycle (reset, fork, trim, compact) now lives on
593// `crate::agent_sessions` as explicit imperative builtins. All that
594// remains here is the per-call visibility filter, which is
595// output-shaping (not lifecycle).
596
597/// Filter a transcript dict down to the caller-visible subset, based
598/// on the `output_visibility` node option. `None` or any unknown
599/// visibility returns the transcript unchanged — callers are expected
600/// to validate the string against a known set upstream.
601pub fn redact_transcript_visibility(
602    transcript: &VmValue,
603    visibility: Option<&str>,
604) -> Option<VmValue> {
605    let Some(visibility) = visibility else {
606        return Some(transcript.clone());
607    };
608    if visibility != "public" && visibility != "public_only" {
609        return Some(transcript.clone());
610    }
611    let dict = transcript.as_dict()?;
612    let public_messages = match dict.get("messages") {
613        Some(VmValue::List(list)) => list
614            .iter()
615            .filter_map(redact_public_message)
616            .collect::<Vec<_>>(),
617        _ => Vec::new(),
618    };
619    let public_events = match dict.get("events") {
620        Some(VmValue::List(list)) => list
621            .iter()
622            .filter(|event| {
623                event
624                    .as_dict()
625                    .and_then(|d| d.get("visibility"))
626                    .map(|v| v.display())
627                    .map(|value| value == "public")
628                    .unwrap_or(true)
629            })
630            .cloned()
631            .collect::<Vec<_>>(),
632        _ => Vec::new(),
633    };
634    let mut redacted = dict.clone();
635    redacted.insert(
636        crate::value::intern_key("messages"),
637        VmValue::List(std::sync::Arc::new(public_messages)),
638    );
639    redacted.insert(
640        crate::value::intern_key("events"),
641        VmValue::List(std::sync::Arc::new(public_events)),
642    );
643    Some(VmValue::dict(redacted))
644}
645
646fn redact_public_message(message: &VmValue) -> Option<VmValue> {
647    let Some(dict) = message.as_dict() else {
648        return Some(message.clone());
649    };
650    if dict.get("role").map(|value| value.display()).as_deref() == Some("tool_result") {
651        return None;
652    }
653    if dict
654        .get("visibility")
655        .map(|value| value.display())
656        .is_some_and(|visibility| visibility != "public")
657    {
658        return None;
659    }
660
661    let mut redacted = dict.clone();
662    let mut saw_structured_blocks = false;
663    let mut public_text = Vec::new();
664    for key in ["content", "blocks"] {
665        if let Some(VmValue::List(blocks)) = dict.get(key) {
666            saw_structured_blocks = true;
667            let public_blocks = blocks
668                .iter()
669                .filter_map(redact_public_block)
670                .collect::<Vec<_>>();
671            if key == "blocks" || public_text.is_empty() {
672                public_text = text_fragments_from_blocks(&public_blocks);
673            }
674            redacted.insert(
675                crate::value::intern_key(key),
676                VmValue::List(std::sync::Arc::new(public_blocks)),
677            );
678        }
679    }
680    if saw_structured_blocks {
681        if public_text.is_empty() {
682            redacted.remove("text");
683        } else {
684            redacted.put_str("text", public_text.join("\n"));
685        }
686    }
687    Some(VmValue::dict(redacted))
688}
689
690fn redact_public_block(block: &VmValue) -> Option<VmValue> {
691    let Some(dict) = block.as_dict() else {
692        return Some(block.clone());
693    };
694    if dict
695        .get("visibility")
696        .map(|value| value.display())
697        .is_some_and(|visibility| visibility != "public")
698    {
699        return None;
700    }
701    Some(block.clone())
702}
703
704fn text_fragments_from_blocks(blocks: &[VmValue]) -> Vec<String> {
705    blocks
706        .iter()
707        .filter_map(|block| block.as_dict())
708        .filter_map(|dict| dict.get("text"))
709        .filter_map(|text| match text {
710            VmValue::String(value) if !value.is_empty() => Some(value.to_string()),
711            _ => None,
712        })
713        .collect()
714}
715
716pub fn builtin_ceiling() -> CapabilityPolicy {
717    CapabilityPolicy {
718        // `capabilities` is intentionally empty: the host capability manifest
719        // is the sole authority, and an allowlist here would silently block
720        // any capability the host adds later.
721        tools: Vec::new(),
722        capabilities: BTreeMap::new(),
723        workspace_roots: Vec::new(),
724        read_only_roots: Vec::new(),
725        side_effect_level: Some("network".to_string()),
726        recursion_limit: Some(RuntimeLimits::DEFAULT.max_nested_execution_depth),
727        tool_arg_constraints: Vec::new(),
728        tool_annotations: BTreeMap::new(),
729        sandbox_profile: SandboxProfile::Worktree,
730        process_sandbox: Default::default(),
731    }
732}
733
734/// Declarative policy for tool approval gating. Allows pipelines to
735/// specify which tools are auto-approved, auto-denied, or require
736/// host confirmation, plus write-path allowlists.
737#[derive(Clone, Debug, Default, Serialize, Deserialize, PartialEq, Eq)]
738#[serde(default)]
739pub struct ToolApprovalPolicy {
740    /// Ordered allow/ask/deny rules over tool metadata, path, command,
741    /// URL, MCP, agent/persona/mode, and repeat-count dimensions.
742    #[serde(default)]
743    pub rules: Vec<PolicyRule>,
744    /// Glob patterns for tools that should be auto-approved.
745    #[serde(default)]
746    pub auto_approve: Vec<String>,
747    /// Glob patterns for tools that should always be denied.
748    #[serde(default)]
749    pub auto_deny: Vec<String>,
750    /// Glob patterns for tools that require host confirmation.
751    #[serde(default)]
752    pub require_approval: Vec<String>,
753    /// Glob patterns for writable paths.
754    #[serde(default)]
755    pub write_path_allowlist: Vec<String>,
756    /// Explicit opt-out for the deny-by-default sensitive-path guard.
757    #[serde(default)]
758    pub allow_sensitive_paths: bool,
759    /// Additional or replacement sensitive path globs. Empty uses the
760    /// runtime defaults such as `.env`, private keys, and credential files.
761    #[serde(default)]
762    pub sensitive_path_patterns: Vec<String>,
763    /// Explicit opt-out for the external-path guard on declared path args.
764    #[serde(default)]
765    pub allow_external_paths: bool,
766    /// Host-absolute roots allowed when `allow_external_paths` is false.
767    #[serde(default)]
768    pub external_roots: Vec<String>,
769    /// Optional repeated-call threshold for the same `(session, tool, args)`.
770    #[serde(default, alias = "repeated_call_limit")]
771    pub repeat_limit: Option<u64>,
772    /// Action for `repeat_limit`; defaults to `ask`.
773    #[serde(default, alias = "repeated_call_action")]
774    pub repeat_action: Option<PolicyAction>,
775}
776
777/// Result of evaluating a tool call against a ToolApprovalPolicy.
778#[derive(Debug, Clone, PartialEq, Eq)]
779pub enum ToolApprovalDecision {
780    /// Tool is auto-approved by policy.
781    AutoApproved,
782    /// Tool is auto-denied by policy.
783    AutoDenied { reason: String },
784    /// Tool requires explicit host approval; the caller already owns the
785    /// tool name and args and forwards them to the host bridge.
786    RequiresHostApproval,
787}
788
789impl ToolApprovalPolicy {
790    pub fn evaluate_detailed(&self, tool_name: &str, args: &serde_json::Value) -> PolicyEvaluation {
791        approval_rules::evaluate_tool_approval_policy(self, tool_name, args, None)
792    }
793
794    pub fn evaluate_detailed_with_repeat(
795        &self,
796        tool_name: &str,
797        args: &serde_json::Value,
798        repeat_count: u64,
799    ) -> PolicyEvaluation {
800        approval_rules::evaluate_tool_approval_policy(self, tool_name, args, Some(repeat_count))
801    }
802
803    /// Evaluate whether a tool call should be approved, denied, or needs
804    /// host confirmation.
805    pub fn evaluate(&self, tool_name: &str, args: &serde_json::Value) -> ToolApprovalDecision {
806        let decision = self.evaluate_detailed(tool_name, args);
807        if decision.is_deny() {
808            return ToolApprovalDecision::AutoDenied {
809                reason: decision.reason,
810            };
811        }
812        if decision.is_ask() {
813            return ToolApprovalDecision::RequiresHostApproval;
814        }
815        ToolApprovalDecision::AutoApproved
816    }
817
818    /// Merge two approval policies, taking the most restrictive combination.
819    /// - auto_approve: only tools approved by BOTH policies stay approved
820    ///   (if either policy has no patterns, the other's patterns are used)
821    /// - auto_deny / require_approval: union (either policy can deny/gate)
822    /// - write_path_allowlist: intersection (both must allow the path)
823    pub fn intersect(&self, other: &ToolApprovalPolicy) -> ToolApprovalPolicy {
824        let auto_approve = if self.auto_approve.is_empty() {
825            other.auto_approve.clone()
826        } else if other.auto_approve.is_empty() {
827            self.auto_approve.clone()
828        } else {
829            self.auto_approve
830                .iter()
831                .filter(|p| other.auto_approve.contains(p))
832                .cloned()
833                .collect()
834        };
835        let mut auto_deny = self.auto_deny.clone();
836        auto_deny.extend(other.auto_deny.iter().cloned());
837        let mut require_approval = self.require_approval.clone();
838        require_approval.extend(other.require_approval.iter().cloned());
839        let write_path_allowlist = if self.write_path_allowlist.is_empty() {
840            other.write_path_allowlist.clone()
841        } else if other.write_path_allowlist.is_empty() {
842            self.write_path_allowlist.clone()
843        } else {
844            self.write_path_allowlist
845                .iter()
846                .filter(|p| other.write_path_allowlist.contains(p))
847                .cloned()
848                .collect()
849        };
850        let mut rules = self.rules.clone();
851        rules.extend(other.rules.iter().cloned());
852        let mut sensitive_path_patterns = self.sensitive_path_patterns.clone();
853        sensitive_path_patterns.extend(other.sensitive_path_patterns.iter().cloned());
854        sensitive_path_patterns.sort();
855        sensitive_path_patterns.dedup();
856        let external_roots = if self.external_roots.is_empty() {
857            other.external_roots.clone()
858        } else if other.external_roots.is_empty() {
859            self.external_roots.clone()
860        } else {
861            self.external_roots
862                .iter()
863                .filter(|root| other.external_roots.contains(root))
864                .cloned()
865                .collect()
866        };
867        ToolApprovalPolicy {
868            rules,
869            auto_approve,
870            auto_deny,
871            require_approval,
872            write_path_allowlist,
873            allow_sensitive_paths: self.allow_sensitive_paths && other.allow_sensitive_paths,
874            sensitive_path_patterns,
875            allow_external_paths: self.allow_external_paths && other.allow_external_paths,
876            external_roots,
877            repeat_limit: match (self.repeat_limit, other.repeat_limit) {
878                (Some(left), Some(right)) => Some(left.min(right)),
879                (Some(left), None) => Some(left),
880                (None, Some(right)) => Some(right),
881                (None, None) => None,
882            },
883            repeat_action: match (self.repeat_action, other.repeat_action) {
884                (Some(PolicyAction::Deny), _) | (_, Some(PolicyAction::Deny)) => {
885                    Some(PolicyAction::Deny)
886                }
887                (Some(PolicyAction::Ask), _) | (_, Some(PolicyAction::Ask)) => {
888                    Some(PolicyAction::Ask)
889                }
890                (Some(PolicyAction::Allow), Some(PolicyAction::Allow)) => Some(PolicyAction::Allow),
891                (Some(action), None) | (None, Some(action)) => Some(action),
892                (None, None) => None,
893            },
894        }
895    }
896}
897
898#[cfg(test)]
899mod approval_policy_tests {
900    use super::*;
901    use crate::orchestration::{pop_execution_policy, push_execution_policy, CapabilityPolicy};
902    use crate::tool_annotations::{ToolAnnotations, ToolArgSchema, ToolKind};
903
904    fn workspace_caps(ops: &[&str]) -> CapabilityPolicy {
905        CapabilityPolicy {
906            capabilities: std::collections::BTreeMap::from([(
907                "workspace".to_string(),
908                ops.iter().map(|s| s.to_string()).collect(),
909            )]),
910            ..Default::default()
911        }
912    }
913
914    #[test]
915    fn read_text_subsumes_exists_probe() {
916        // A narrowed worker policy that grants read_text/list (the shape derived
917        // from look/edit/scaffold tool annotations) but never declares the
918        // weaker `workspace.exists` op must still permit `file_exists`/`stat`:
919        // existence is strictly less information than reading the file. Without
920        // subsumption this silently wedged every parallel sub-agent (look denied
921        // -> zero progress -> zero edits).
922        push_execution_policy(workspace_caps(&[
923            "read_text",
924            "list",
925            "write_text",
926            "apply_edit",
927        ]));
928        assert!(enforce_current_policy_for_builtin("file_exists", &[]).is_ok());
929        assert!(enforce_current_policy_for_builtin("stat", &[]).is_ok());
930        pop_execution_policy();
931    }
932
933    #[test]
934    fn list_alone_subsumes_exists_probe() {
935        // Listing a directory already reveals which entries exist.
936        push_execution_policy(workspace_caps(&["list"]));
937        assert!(enforce_current_policy_for_builtin("file_exists", &[]).is_ok());
938        pop_execution_policy();
939    }
940
941    #[test]
942    fn exists_probe_rejected_without_any_read_grant() {
943        // A write-only grant exposes no read surface, so the existence probe is
944        // genuinely above the ceiling and must still be rejected.
945        push_execution_policy(workspace_caps(&["write_text", "apply_edit"]));
946        assert!(enforce_current_policy_for_builtin("file_exists", &[]).is_err());
947        pop_execution_policy();
948    }
949
950    #[test]
951    fn auto_deny_takes_precedence_over_auto_approve() {
952        let policy = ToolApprovalPolicy {
953            auto_approve: vec!["*".to_string()],
954            auto_deny: vec!["dangerous_*".to_string()],
955            ..Default::default()
956        };
957        assert_eq!(
958            policy.evaluate("dangerous_rm", &serde_json::json!({})),
959            ToolApprovalDecision::AutoDenied {
960                reason: "tool 'dangerous_rm' matches deny pattern 'dangerous_*'".to_string()
961            }
962        );
963    }
964
965    #[test]
966    fn auto_approve_matches_glob() {
967        let policy = ToolApprovalPolicy {
968            auto_approve: vec!["read*".to_string(), "search*".to_string()],
969            ..Default::default()
970        };
971        assert_eq!(
972            policy.evaluate("read_file", &serde_json::json!({})),
973            ToolApprovalDecision::AutoApproved
974        );
975        assert_eq!(
976            policy.evaluate("search", &serde_json::json!({})),
977            ToolApprovalDecision::AutoApproved
978        );
979    }
980
981    #[test]
982    fn require_approval_emits_decision() {
983        let policy = ToolApprovalPolicy {
984            require_approval: vec!["edit*".to_string()],
985            ..Default::default()
986        };
987        let decision = policy.evaluate("edit_file", &serde_json::json!({"path": "foo.rs"}));
988        assert!(matches!(
989            decision,
990            ToolApprovalDecision::RequiresHostApproval
991        ));
992    }
993
994    #[test]
995    fn unmatched_tool_defaults_to_approved() {
996        let policy = ToolApprovalPolicy {
997            auto_approve: vec!["read*".to_string()],
998            require_approval: vec!["edit*".to_string()],
999            ..Default::default()
1000        };
1001        assert_eq!(
1002            policy.evaluate("unknown_tool", &serde_json::json!({})),
1003            ToolApprovalDecision::AutoApproved
1004        );
1005    }
1006
1007    #[test]
1008    fn intersect_merges_deny_lists() {
1009        let a = ToolApprovalPolicy {
1010            auto_deny: vec!["rm*".to_string()],
1011            ..Default::default()
1012        };
1013        let b = ToolApprovalPolicy {
1014            auto_deny: vec!["drop*".to_string()],
1015            ..Default::default()
1016        };
1017        let merged = a.intersect(&b);
1018        assert_eq!(merged.auto_deny.len(), 2);
1019    }
1020
1021    #[test]
1022    fn intersect_restricts_auto_approve_to_common_patterns() {
1023        let a = ToolApprovalPolicy {
1024            auto_approve: vec!["read*".to_string(), "search*".to_string()],
1025            ..Default::default()
1026        };
1027        let b = ToolApprovalPolicy {
1028            auto_approve: vec!["read*".to_string(), "write*".to_string()],
1029            ..Default::default()
1030        };
1031        let merged = a.intersect(&b);
1032        assert_eq!(merged.auto_approve, vec!["read*".to_string()]);
1033    }
1034
1035    #[test]
1036    fn intersect_defers_auto_approve_when_one_side_empty() {
1037        let a = ToolApprovalPolicy {
1038            auto_approve: vec!["read*".to_string()],
1039            ..Default::default()
1040        };
1041        let b = ToolApprovalPolicy::default();
1042        let merged = a.intersect(&b);
1043        assert_eq!(merged.auto_approve, vec!["read*".to_string()]);
1044    }
1045
1046    #[test]
1047    fn write_path_allowlist_matches_recovered_workspace_relative_path() {
1048        let temp = tempfile::tempdir().unwrap();
1049        std::fs::create_dir_all(temp.path().join("packages/demo")).unwrap();
1050        std::fs::write(temp.path().join("packages/demo/file.txt"), "ok").unwrap();
1051        crate::stdlib::process::set_thread_execution_context(Some(
1052            crate::orchestration::RunExecutionRecord {
1053                cwd: Some(temp.path().to_string_lossy().into_owned()),
1054                source_dir: Some(temp.path().to_string_lossy().into_owned()),
1055                env: BTreeMap::new(),
1056                adapter: None,
1057                repo_path: None,
1058                worktree_path: None,
1059                branch: None,
1060                base_ref: None,
1061                cleanup: None,
1062            },
1063        ));
1064
1065        let mut tool_annotations = BTreeMap::new();
1066        tool_annotations.insert(
1067            "write_file".to_string(),
1068            ToolAnnotations {
1069                kind: ToolKind::Edit,
1070                arg_schema: ToolArgSchema {
1071                    path_params: vec!["path".to_string()],
1072                    ..Default::default()
1073                },
1074                ..Default::default()
1075            },
1076        );
1077        push_execution_policy(CapabilityPolicy {
1078            tool_annotations,
1079            ..Default::default()
1080        });
1081
1082        let policy = ToolApprovalPolicy {
1083            write_path_allowlist: vec!["packages/demo/file.txt".to_string()],
1084            ..Default::default()
1085        };
1086        let decision = policy.evaluate(
1087            "write_file",
1088            &serde_json::json!({"path": "/packages/demo/file.txt"}),
1089        );
1090        assert_eq!(decision, ToolApprovalDecision::AutoApproved);
1091
1092        pop_execution_policy();
1093        crate::stdlib::process::set_thread_execution_context(None);
1094    }
1095
1096    #[test]
1097    fn write_path_allowlist_does_not_block_read_only_tools() {
1098        let temp = tempfile::tempdir().unwrap();
1099        std::fs::create_dir_all(temp.path().join("packages/demo")).unwrap();
1100        std::fs::write(temp.path().join("packages/demo/context.txt"), "ok").unwrap();
1101        crate::stdlib::process::set_thread_execution_context(Some(
1102            crate::orchestration::RunExecutionRecord {
1103                cwd: Some(temp.path().to_string_lossy().into_owned()),
1104                source_dir: Some(temp.path().to_string_lossy().into_owned()),
1105                env: BTreeMap::new(),
1106                adapter: None,
1107                repo_path: None,
1108                worktree_path: None,
1109                branch: None,
1110                base_ref: None,
1111                cleanup: None,
1112            },
1113        ));
1114
1115        let mut tool_annotations = BTreeMap::new();
1116        tool_annotations.insert(
1117            "read_file".to_string(),
1118            ToolAnnotations {
1119                kind: ToolKind::Read,
1120                arg_schema: ToolArgSchema {
1121                    path_params: vec!["path".to_string()],
1122                    ..Default::default()
1123                },
1124                ..Default::default()
1125            },
1126        );
1127        push_execution_policy(CapabilityPolicy {
1128            tool_annotations,
1129            ..Default::default()
1130        });
1131
1132        let policy = ToolApprovalPolicy {
1133            write_path_allowlist: vec!["packages/demo/file.txt".to_string()],
1134            ..Default::default()
1135        };
1136        let decision = policy.evaluate(
1137            "read_file",
1138            &serde_json::json!({"path": "/packages/demo/context.txt"}),
1139        );
1140        assert_eq!(decision, ToolApprovalDecision::AutoApproved);
1141
1142        pop_execution_policy();
1143        crate::stdlib::process::set_thread_execution_context(None);
1144    }
1145
1146    #[test]
1147    fn builtin_policy_covers_fs_read_and_list_helpers() {
1148        clear_execution_policy_stacks();
1149        push_execution_policy(CapabilityPolicy {
1150            capabilities: BTreeMap::from([("workspace".to_string(), vec!["exists".to_string()])]),
1151            side_effect_level: Some("read_only".to_string()),
1152            ..CapabilityPolicy::default()
1153        });
1154
1155        for name in [
1156            "read_lines",
1157            "find_text",
1158            "walk_dir",
1159            "glob",
1160            "project_context_profile_native",
1161        ] {
1162            assert!(
1163                enforce_current_policy_for_builtin(name, &[]).is_err(),
1164                "{name} should be rejected when the matching workspace capability is absent"
1165            );
1166        }
1167
1168        pop_execution_policy();
1169    }
1170
1171    #[test]
1172    fn move_file_requires_workspace_write_side_effect() {
1173        clear_execution_policy_stacks();
1174        push_execution_policy(CapabilityPolicy {
1175            capabilities: BTreeMap::from([(
1176                "workspace".to_string(),
1177                vec!["write_text".to_string()],
1178            )]),
1179            side_effect_level: Some("read_only".to_string()),
1180            ..CapabilityPolicy::default()
1181        });
1182
1183        let error = enforce_current_policy_for_builtin("move_file", &[]).unwrap_err();
1184        assert!(
1185            error.to_string().contains("workspace write ceiling"),
1186            "unexpected error: {error}"
1187        );
1188
1189        pop_execution_policy();
1190    }
1191
1192    #[test]
1193    fn unix_socket_json_request_requires_network_side_effect() {
1194        clear_execution_policy_stacks();
1195        push_execution_policy(CapabilityPolicy {
1196            side_effect_level: Some("read_only".to_string()),
1197            ..CapabilityPolicy::default()
1198        });
1199
1200        let error =
1201            enforce_current_policy_for_builtin("__net_unix_socket_json_request", &[]).unwrap_err();
1202        assert!(
1203            error.to_string().contains("network ceiling"),
1204            "unexpected error: {error}"
1205        );
1206
1207        pop_execution_policy();
1208    }
1209
1210    #[test]
1211    fn files_upload_requires_workspace_read_and_network_side_effect() {
1212        clear_execution_policy_stacks();
1213        push_execution_policy(CapabilityPolicy {
1214            capabilities: BTreeMap::from([(
1215                "workspace".to_string(),
1216                vec!["read_text".to_string()],
1217            )]),
1218            side_effect_level: Some("read_only".to_string()),
1219            ..CapabilityPolicy::default()
1220        });
1221
1222        let network_error = enforce_current_policy_for_builtin("__files_upload", &[]).unwrap_err();
1223        assert!(
1224            network_error.to_string().contains("network ceiling"),
1225            "unexpected error: {network_error}"
1226        );
1227        pop_execution_policy();
1228
1229        push_execution_policy(CapabilityPolicy {
1230            capabilities: BTreeMap::from([("workspace".to_string(), vec!["exists".to_string()])]),
1231            side_effect_level: Some("network".to_string()),
1232            ..CapabilityPolicy::default()
1233        });
1234        let read_error = enforce_current_policy_for_builtin("__files_upload", &[]).unwrap_err();
1235        assert!(
1236            read_error.to_string().contains("workspace.read_text"),
1237            "unexpected error: {read_error}"
1238        );
1239
1240        pop_execution_policy();
1241    }
1242}
1243
1244#[cfg(test)]
1245mod turn_policy_tests {
1246    use super::TurnPolicy;
1247
1248    #[test]
1249    fn default_allows_done_sentinel() {
1250        let policy = TurnPolicy::default();
1251        assert!(policy.allow_done_sentinel);
1252        assert!(!policy.require_action_or_yield);
1253        assert!(policy.max_prose_chars.is_none());
1254    }
1255
1256    #[test]
1257    fn deserializing_partial_dict_preserves_done_sentinel_pathway() {
1258        // Pre-existing workflows passed `turn_policy: { require_action_or_yield: true }`
1259        // without knowing about `allow_done_sentinel`. Deserializing such a dict
1260        // must keep the done-sentinel pathway enabled so loop-until-done agents
1261        // don't lose their completion signal.
1262        let policy: TurnPolicy =
1263            serde_json::from_value(serde_json::json!({ "require_action_or_yield": true }))
1264                .expect("deserialize");
1265        assert!(policy.require_action_or_yield);
1266        assert!(policy.allow_done_sentinel);
1267    }
1268
1269    #[test]
1270    fn deserializing_explicit_false_disables_done_sentinel() {
1271        let policy: TurnPolicy = serde_json::from_value(serde_json::json!({
1272            "require_action_or_yield": true,
1273            "allow_done_sentinel": false,
1274        }))
1275        .expect("deserialize");
1276        assert!(policy.require_action_or_yield);
1277        assert!(!policy.allow_done_sentinel);
1278    }
1279}
1280
1281#[cfg(test)]
1282mod visibility_redaction_tests {
1283    use super::*;
1284    use crate::value::VmValue;
1285
1286    fn mock_transcript() -> VmValue {
1287        let messages = vec![
1288            serde_json::json!({"role": "user", "content": "hi"}),
1289            serde_json::json!({"role": "assistant", "content": "hello"}),
1290            serde_json::json!({"role": "tool_result", "content": "internal tool output"}),
1291        ];
1292        crate::llm::helpers::transcript_to_vm_with_events(
1293            Some("test-id".to_string()),
1294            None,
1295            None,
1296            &messages,
1297            Vec::new(),
1298            Vec::new(),
1299            Some("active"),
1300        )
1301    }
1302
1303    fn message_count(transcript: &VmValue) -> usize {
1304        transcript
1305            .as_dict()
1306            .and_then(|d| d.get("messages"))
1307            .and_then(|v| match v {
1308                VmValue::List(list) => Some(list.len()),
1309                _ => None,
1310            })
1311            .unwrap_or(0)
1312    }
1313
1314    #[test]
1315    fn visibility_none_returns_unchanged() {
1316        let t = mock_transcript();
1317        let result = redact_transcript_visibility(&t, None).unwrap();
1318        assert_eq!(message_count(&result), 3);
1319    }
1320
1321    #[test]
1322    fn visibility_public_drops_tool_results() {
1323        let t = mock_transcript();
1324        let result = redact_transcript_visibility(&t, Some("public")).unwrap();
1325        assert_eq!(message_count(&result), 2);
1326    }
1327
1328    #[test]
1329    fn visibility_public_drops_private_content_blocks() {
1330        let t = crate::schema::json_to_vm_value(&serde_json::json!({
1331            "messages": [
1332                {
1333                    "role": "assistant",
1334                    "visibility": "public",
1335                    "text": "visible answer\nsecret chain",
1336                    "content": [
1337                        {"type": "output_text", "text": "visible answer", "visibility": "public"},
1338                        {"type": "reasoning", "text": "secret chain", "visibility": "private"}
1339                    ],
1340                    "blocks": [
1341                        {"type": "output_text", "text": "visible block", "visibility": "public"},
1342                        {"type": "tool_call", "text": "internal args", "visibility": "internal"}
1343                    ]
1344                }
1345            ],
1346            "events": []
1347        }));
1348
1349        let result = redact_transcript_visibility(&t, Some("public")).unwrap();
1350        let rendered = result.display();
1351        assert!(rendered.contains("visible answer"));
1352        assert!(rendered.contains("visible block"));
1353        assert!(!rendered.contains("secret chain"));
1354        assert!(!rendered.contains("internal args"));
1355    }
1356
1357    #[test]
1358    fn visibility_unknown_string_is_pass_through() {
1359        let t = mock_transcript();
1360        let result = redact_transcript_visibility(&t, Some("internal")).unwrap();
1361        assert_eq!(message_count(&result), 3);
1362    }
1363}