zeph_tools/
lib.rs

1// SPDX-FileCopyrightText: 2026 Andrei G <bug-ops>
2// SPDX-License-Identifier: MIT OR Apache-2.0
3
4//! Tool execution abstraction, shell backend, web scraping, and audit logging for Zeph.
5//!
6//! This crate provides the [`ToolExecutor`] trait and its concrete implementations:
7//!
8//! - [`ShellExecutor`] — executes bash blocks from LLM responses with sandboxing, blocklists,
9//!   output filtering, transactional rollback, and audit logging.
10//! - [`WebScrapeExecutor`] — fetches and scrapes web pages via CSS selectors, with SSRF
11//!   protection and domain policies.
12//! - [`CompositeExecutor`] — chains two executors with first-match-wins dispatch.
13//! - [`FileExecutor`] — reads and writes local files within a sandbox.
14//! - [`DiagnosticsExecutor`] — exposes agent self-diagnostics as a tool.
15//!
16//! # Architecture
17//!
18//! The primary abstraction is [`ToolExecutor`], an async trait implemented by every backend.
19//! When dynamic dispatch is needed (e.g., storing heterogeneous executors in a `Vec`), use
20//! [`ErasedToolExecutor`] or wrap with [`DynExecutor`].
21//!
22//! Tool calls originate from two paths:
23//!
24//! 1. **Fenced code blocks** — legacy LLM responses containing ` ```bash ` or ` ```scrape `
25//!    blocks dispatched via [`ToolExecutor::execute`].
26//! 2. **Structured tool calls** — modern JSON tool calls dispatched via
27//!    [`ToolExecutor::execute_tool_call`].
28//!
29//! # Security
30//!
31//! Every executor enforces security controls before execution:
32//!
33//! - [`ShellExecutor`] checks the command against a blocklist, validates paths against an
34//!   allowlist sandbox, and optionally requires user confirmation for destructive patterns.
35//! - [`WebScrapeExecutor`] validates the URL scheme (HTTPS only), resolves DNS, and rejects
36//!   private-network addresses (SSRF protection).
37//! - [`AuditLogger`] writes a structured JSONL entry for every tool invocation.
38//!
39//! # Example
40//!
41//! ```rust,no_run
42//! use zeph_tools::{ShellExecutor, ToolExecutor, config::ShellConfig};
43//!
44//! # async fn example() {
45//! let config = ShellConfig::default();
46//! let executor = ShellExecutor::new(&config);
47//!
48//! // Execute a fenced bash block from an LLM response.
49//! let response = "```bash\necho hello\n```";
50//! if let Ok(Some(output)) = executor.execute(response).await {
51//!     println!("{}", output.summary);
52//! }
53//! # }
54//! ```
55pub mod adversarial_gate;
56pub mod adversarial_policy;
57pub mod anomaly;
58pub mod audit;
59pub mod cache;
60pub mod composite;
61pub mod config;
62pub mod cwd;
63pub mod diagnostics;
64pub mod error_taxonomy;
65pub mod executor;
66pub mod file;
67pub mod filter;
68pub mod net;
69pub mod patterns;
70pub mod permissions;
71pub mod policy;
72pub mod policy_gate;
73pub mod registry;
74pub mod schema_filter;
75pub mod scrape;
76pub mod search_code;
77pub mod shell;
78pub mod tool_filter;
79pub mod trust_gate;
80pub mod trust_level;
81pub mod utility;
82pub mod verifier;
83pub use adversarial_gate::AdversarialPolicyGateExecutor;
84pub use adversarial_policy::{
85    PolicyDecision as AdversarialPolicyDecision, PolicyLlmClient, PolicyMessage, PolicyRole,
86    PolicyValidator, parse_policy_lines,
87};
88pub use anomaly::{AnomalyDetector, AnomalySeverity, is_reasoning_model};
89pub use audit::{AuditEntry, AuditLogger, AuditResult, chrono_now, log_tool_risk_summary};
90pub use cache::{CacheKey, ToolResultCache, is_cacheable};
91pub use composite::CompositeExecutor;
92pub use config::AdversarialPolicyConfig;
93pub use config::{
94    AnomalyConfig, AuditConfig, AuthorizationConfig, DependencyConfig, FileConfig, OverflowConfig,
95    ResultCacheConfig, RetryConfig, ScrapeConfig, ShellConfig, TafcConfig, ToolDependency,
96    ToolsConfig, UtilityScoringConfig,
97};
98pub use cwd::SetCwdExecutor;
99pub use diagnostics::DiagnosticsExecutor;
100pub use error_taxonomy::{
101    ErrorDomain, ToolErrorCategory, ToolErrorFeedback, ToolInvocationPhase, classify_http_status,
102    classify_io_error,
103};
104pub use executor::{
105    ClaimSource, DiffData, DynExecutor, ErasedToolExecutor, ErrorKind, FilterStats,
106    MAX_TOOL_OUTPUT_CHARS, ToolCall, ToolError, ToolEvent, ToolEventTx, ToolExecutor, ToolOutput,
107    truncate_tool_output, truncate_tool_output_at,
108};
109pub use file::FileExecutor;
110pub use filter::{
111    CommandMatcher, FilterConfidence, FilterConfig, FilterMetrics, FilterResult, OutputFilter,
112    OutputFilterRegistry, sanitize_output, strip_ansi,
113};
114pub use net::is_private_ip;
115pub use permissions::{
116    AutonomyLevel, PermissionAction, PermissionPolicy, PermissionRule, PermissionsConfig,
117};
118pub use policy::{
119    DefaultEffect, PolicyCompileError, PolicyConfig, PolicyContext, PolicyDecision, PolicyEffect,
120    PolicyEnforcer, PolicyRuleConfig,
121};
122pub use policy_gate::PolicyGateExecutor;
123pub use registry::ToolRegistry;
124pub use schema_filter::{
125    DependencyExclusion, InclusionReason, ToolDependencyGraph, ToolEmbedding, ToolFilterResult,
126    ToolSchemaFilter,
127};
128pub use scrape::WebScrapeExecutor;
129pub use search_code::{
130    LspSearchBackend, SearchCodeExecutor, SearchCodeHit, SearchCodeSource, SemanticSearchBackend,
131};
132pub use shell::{
133    DEFAULT_BLOCKED_COMMANDS, SHELL_INTERPRETERS, ShellExecutor, ShellOutputEnvelope,
134    check_blocklist, effective_shell_command,
135};
136pub use tool_filter::ToolFilter;
137pub use trust_gate::TrustGateExecutor;
138pub use trust_level::SkillTrustLevel;
139pub use utility::{
140    UtilityAction, UtilityContext, UtilityScore, UtilityScorer, has_explicit_tool_request,
141};
142pub use verifier::{
143    DestructiveCommandVerifier, DestructiveVerifierConfig, FirewallVerifier,
144    FirewallVerifierConfig, InjectionPatternVerifier, InjectionVerifierConfig,
145    PreExecutionVerifier, PreExecutionVerifierConfig, UrlGroundingVerifier,
146    UrlGroundingVerifierConfig, VerificationResult,
147};
148pub use zeph_common::ToolName;
zeph_tools/lib.rs

zeph_tools/
lib.rs
