Expand description
Permission policy extension.
External callers use PermissionAction, permission_state_action,
PermissionPlugin, and ToolPolicyPlugin.
Re-exports§
pub use parser::parse_pattern;pub use pattern::ArgMatcher;pub use pattern::FieldCondition;pub use pattern::MatchOp;pub use pattern::PathSegment;pub use pattern::ToolCallPattern;pub use pattern::ToolMatcher;
Modules§
- matcher
- Pattern matching engine for
ToolCallPattern. - parser
- Parse permission rule pattern strings into
ToolCallPattern. - pattern
- Function-call-style permission rule patterns.
Structs§
- Permission
Evaluation - Strategy evaluation output.
- Permission
Mechanism Input - Runtime input required to enforce permission decisions for one tool call.
- Permission
Override Granter - Concrete
tirea_contract::runtime::tool_call::ToolAccessGranterthat creates run-scoped permission overrides. Injected into skill tools via DI. - Permission
Overrides - Run-scoped permission overrides applied on top of thread-level
PermissionPolicy. - Permission
Plugin - Permission strategy plugin.
- Permission
Policy - Persisted permission rules.
- Permission
Rule - Declarative permission rule.
- Permission
Rules Config - Permission rules carried in
AgentRunConfig.extensions. - Permission
Ruleset - Resolved rule set fed into permission strategy evaluation.
- Tool
Policy Plugin - Tool scope policy plugin.
Enums§
- Permission
Action - Permission-domain action used by both
PermissionPolicyandPermissionOverridesreducers. Scope and source metadata are determined by the target reducer, not by fields on the action itself. - Permission
Destination - Target state for a permission rule change.
- Permission
Mechanism Decision - Mechanism output after combining strategy verdict with runtime state.
- Permission
Rule Scope - Lifetime of a remembered permission rule.
- Permission
Rule Source - Origin of a remembered permission rule.
- Permission
Subject - Permission rule subject.
- Tool
Permission Behavior - Tool permission behavior.
Constants§
- PERMISSION_
CONFIRM_ TOOL_ NAME - Frontend tool name for permission confirmation prompts.
- PERMISSION_
PLUGIN_ ID - Stable plugin id for permission actions.
Functions§
- apply_
tool_ policy - Apply tool policy: keep only allowed tools, remove excluded ones.
- deny
- Block tool execution with a denial reason.
- deny_
missing_ call_ id - Block tool execution when permission check prerequisites fail (missing call id).
- deny_
tool - Block tool execution for an explicitly denied tool.
- enforce_
permission - Apply runtime permission mechanism to a strategy verdict.
- evaluate_
tool_ permission - Evaluate permission rules for a tool call with arguments.
- permission_
confirmation_ ticket - Build the default tool-like permission confirmation form.
- permission_
confirmation_ ticket_ with_ rule - Build a permission confirmation form, optionally including the matched rule pattern.
- permission_
override_ action - Route a
PermissionActionto the run-scopedPermissionOverridesstate. - permission_
rules_ from_ snapshot - Load resolved permission rules from a runtime snapshot.
- permission_
state_ action - Route a
PermissionActionto the canonicalPermissionPolicystate. - permission_
update - Unified dispatch: routes a
PermissionActionto the specified destination. - reject_
out_ of_ scope - Block tool execution due to policy (out-of-scope).
- remembered_
permission_ state_ action - Translate a remembered permission decision into a persistent rule mutation.
- request_
permission - Suspend tool execution pending user permission confirmation.
- resolve_
permission_ behavior - Resolve effective permission behavior from a state snapshot.