vtcode_config/core/
security.rs

1use serde::{Deserialize, Serialize};
2
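/// Security configuration.
///
/// Every field has a serde default, so a config that omits some keys still
/// deserializes. The per-field defaults are kept identical to the values
/// produced by `SecurityConfig::default()`, so omitting a single key and
/// omitting the whole section yield the same security posture.
#[cfg_attr(feature = "schema", derive(schemars::JsonSchema))]
#[derive(Debug, Clone, Deserialize, Serialize)]
pub struct SecurityConfig {
    /// Require human confirmation for critical actions.
    #[serde(default = "default_true")]
    pub human_in_the_loop: bool,

    /// Require a successful write tool before accepting claims like
    /// "I've updated the file" as applied. When true, such claims are
    /// treated as proposals unless a write tool executed successfully.
    #[serde(default = "default_true")]
    pub require_write_tool_for_claims: bool,

    /// Automatically apply detected patch blocks in assistant replies
    /// when no write tool was executed. Defaults to false for safety.
    #[serde(default)]
    pub auto_apply_detected_patches: bool,

    /// Enable zero-trust checks between components.
    ///
    /// Defaults to true. A bare `#[serde(default)]` would yield `false` for an
    /// omitted key and silently switch the checks off in any partially
    /// written config, so the protective default is spelled out explicitly.
    #[serde(default = "default_true")]
    pub zero_trust_mode: bool,

    /// Encrypt payloads passed across executors.
    ///
    /// Defaults to true for the same reason as `zero_trust_mode`: leaving the
    /// key out must not downgrade to unencrypted payloads.
    #[serde(default = "default_true")]
    pub encrypt_payloads: bool,

    /// Enable runtime integrity tagging for critical paths.
    #[serde(default = "default_true")]
    pub integrity_checks: bool,

    /// Play terminal bell notification when HITL approval is required.
    #[serde(default = "default_true")]
    pub hitl_notification_bell: bool,
}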
38
impl Default for SecurityConfig {
    /// Builds the configuration used when no security settings are supplied.
    ///
    /// All protective switches are on and automatic patch application is off.
    /// Keep these values in step with the per-field serde defaults on the
    /// struct, so that a missing key and a missing section behave the same.
    fn default() -> Self {
        // Single source for the "enabled" value shared with the serde defaults.
        let enabled = default_true();

        Self {
            // Protections that are on out of the box.
            human_in_the_loop: enabled,
            require_write_tool_for_claims: enabled,
            zero_trust_mode: true,
            encrypt_payloads: true,
            integrity_checks: enabled,
            hitl_notification_bell: enabled,
            // Applying patches without an executed write tool stays opt-in.
            auto_apply_detected_patches: false,
        }
    }
}
52
/// Serde default provider for boolean settings that must be enabled unless
/// the config explicitly turns them off.
///
/// Referenced by name from `#[serde(default = "default_true")]` attributes,
/// which need a function path rather than a literal.
#[inline]
const fn default_true() -> bool {
    const ENABLED: bool = true;
    ENABLED
}
57
58#[cfg(test)]
59#[path = "security_test.rs"]
60mod security_test;