/// Abstract permission policy for session-based access control.
///
/// Implement this trait to define custom permission policies. The trait is
/// runtime-independent: it does not depend on `ApprovalRequest` or other
/// runtime-specific types, so a policy can be unit-tested without a runtime.
pub trait PermissionPolicy: Send + Sync {
    // Required methods

    /// Check if `session` can send a signal with the given `scope`.
    fn can_signal(&self, session: &Session, scope: &SignalScope) -> bool;

    /// Check if `session` can perform a destructive operation.
    ///
    /// Destructive operations include `git reset --hard`, `git push --force`,
    /// `rm -rf`, file overwrite without backup, etc.
    /// NOTE(review): the vocabulary of `action` is not shown here — confirm
    /// against the runtime that calls this before matching on it.
    fn can_destructive(&self, session: &Session, action: &str) -> bool;

    /// Check if `session` can execute a shell command.
    ///
    /// `cmd` is the raw command string. A policy should treat it as untrusted
    /// input and fail closed (return `false`) for anything it does not
    /// positively recognise.
    fn can_execute_command(&self, session: &Session, cmd: &str) -> bool;

    /// Check if `session` can spawn a child entity.
    fn can_spawn_child(&self, session: &Session) -> bool;

    /// Check if `session` can spawn a runner (parallel execution).
    fn can_spawn_runner(&self, session: &Session) -> bool;

    // Provided method

    /// Check `cmd` with a granular permission result.
    ///
    /// Returns a [`CommandPermission`] with three possible states:
    /// `Allowed` (execute immediately), `Denied` (block with reason) or
    /// `RequiresApproval` (needs user approval).
    ///
    /// The default implementation wraps [`can_execute_command`]: it returns
    /// `Allowed` when that returns `true` and `Denied` otherwise, so it never
    /// yields `RequiresApproval`. Override it for more granular control
    /// (e.g. HIL integration).
    fn check_command_permission(
        &self,
        session: &Session,
        cmd: &str,
    ) -> CommandPermission { ... }
}
Abstract permission policy for session-based access control.
Implement this trait to define custom permission policies.
The trait is runtime-independent — it doesn’t depend on
ApprovalRequest or other runtime-specific types.
§Implementors
- DefaultPolicy (in orcs-runtime) — standard policy with blocked/elevated patterns
- Custom impls for testing or restricted environments
§Example
use orcs_auth::{PermissionPolicy, Session, CommandPermission};
use orcs_types::{SignalScope, Principal, PrincipalId};
/// Example policy that grants every request; for illustration and tests only.
struct PermissivePolicy;
impl PermissionPolicy for PermissivePolicy {
    // Every check answers `true`. This shows the shape of the trait and is
    // only suitable for tests; a real deployment wants a deny-by-default policy.
    fn can_signal(&self, _: &Session, _: &SignalScope) -> bool { true }

    fn can_destructive(&self, _: &Session, _: &str) -> bool { true }

    fn can_execute_command(&self, _: &Session, _: &str) -> bool { true }

    fn can_spawn_child(&self, _: &Session) -> bool { true }

    fn can_spawn_runner(&self, _: &Session) -> bool { true }
}
let cmd = "ls -la";
let principal = Principal::User(PrincipalId::new());
let session = Session::new(principal);
let policy = PermissivePolicy;
// The boolean check and its granular wrapper agree for this policy.
assert!(policy.can_execute_command(&session, cmd));
assert!(policy.check_command_permission(&session, cmd).is_allowed());
fn can_signal(&self, session: &Session, scope: &SignalScope) -> bool
Check if session can send a signal with the given scope.
fn can_destructive(&self, session: &Session, action: &str) -> bool
Check if session can perform a destructive operation.
Destructive operations include git reset --hard, git push --force,
rm -rf, file overwrite without backup, etc.
fn can_execute_command(&self, session: &Session, cmd: &str) -> bool
Check if session can execute a shell command.
fn can_spawn_child(&self, session: &Session) -> bool
Check if session can spawn a child entity.
fn can_spawn_runner(&self, session: &Session) -> bool
Check if session can spawn a runner (parallel execution).
Provided Methods§
fn check_command_permission( &self, session: &Session, cmd: &str, ) -> CommandPermission
Check command with granular permission result.
Returns CommandPermission with three possible states:
- Allowed: execute immediately
- Denied: block with reason
- RequiresApproval: needs user approval
§Default Implementation
Wraps can_execute_command:
- Returns `Allowed` if `can_execute_command` returns true
- Returns `Denied` otherwise
The default never returns `RequiresApproval`; override it when approval gating is needed.
Override this for more granular control (e.g., HIL integration).