zeph_tools/
lib.rs

1// SPDX-FileCopyrightText: 2026 Andrei G <bug-ops>
2// SPDX-License-Identifier: MIT OR Apache-2.0
3
4//! Tool execution abstraction, shell backend, web scraping, and audit logging for Zeph.
5//!
6//! This crate provides the [`ToolExecutor`] trait and its concrete implementations:
7//!
8//! - [`ShellExecutor`] — executes bash blocks from LLM responses with sandboxing, blocklists,
9//!   output filtering, transactional rollback, and audit logging.
10//! - [`WebScrapeExecutor`] — fetches and scrapes web pages via CSS selectors, with SSRF
11//!   protection and domain policies.
12//! - [`CompositeExecutor`] — chains two executors with first-match-wins dispatch.
13//! - [`FileExecutor`] — reads and writes local files within a sandbox.
14//! - [`DiagnosticsExecutor`] — exposes agent self-diagnostics as a tool.
15//!
16//! # Architecture
17//!
18//! The primary abstraction is [`ToolExecutor`], an async trait implemented by every backend.
19//! When dynamic dispatch is needed (e.g., storing heterogeneous executors in a `Vec`), use
20//! [`ErasedToolExecutor`] or wrap with [`DynExecutor`].
21//!
22//! Tool calls originate from two paths:
23//!
24//! 1. **Fenced code blocks** — legacy LLM responses containing ` ```bash ` or ` ```scrape `
25//!    blocks dispatched via [`ToolExecutor::execute`].
26//! 2. **Structured tool calls** — modern JSON tool calls dispatched via
27//!    [`ToolExecutor::execute_tool_call`].
28//!
29//! # Security
30//!
31//! Every executor enforces security controls before execution:
32//!
33//! - [`ShellExecutor`] checks the command against a blocklist, validates paths against an
34//!   allowlist sandbox, and optionally requires user confirmation for destructive patterns.
35//! - [`WebScrapeExecutor`] validates the URL scheme (HTTPS only), resolves DNS, and rejects
36//!   private-network addresses (SSRF protection).
37//! - [`AuditLogger`] writes a structured JSONL entry for every tool invocation.
38//!
39//! # Example
40//!
41//! ```rust,no_run
42//! use zeph_tools::{ShellExecutor, ToolExecutor, ShellConfig};
43//!
44//! # async fn example() {
45//! let config = ShellConfig::default();
46//! let executor = ShellExecutor::new(&config);
47//!
48//! // Execute a fenced bash block from an LLM response.
49//! let response = "```bash\necho hello\n```";
50//! if let Ok(Some(output)) = executor.execute(response).await {
51//!     println!("{}", output.summary);
52//! }
53//! # }
54//! ```
55
56// TODO(critic): post-v1.0 — re-evaluate splitting executor / web / shell into sub-crates if compile times degrade.
57
58pub mod adversarial_gate;
59pub mod adversarial_policy;
60pub mod anomaly;
61pub mod audit;
62pub mod cache;
63pub mod composite;
64pub mod config;
65pub mod cwd;
66pub mod diagnostics;
67pub mod domain_match;
68pub mod error_taxonomy;
69pub mod executor;
70pub mod file;
71pub mod filter;
72pub mod net;
73pub mod patterns;
74pub mod permissions;
75pub mod policy;
76pub mod policy_gate;
77pub mod registry;
78pub mod sandbox;
79pub mod schema_filter;
80pub mod scrape;
81pub mod search_code;
82pub mod shell;
83pub mod tool_filter;
84pub mod trust_gate;
85pub mod trust_level;
86pub mod utility;
87pub mod verifier;
88pub use adversarial_gate::AdversarialPolicyGateExecutor;
89pub use adversarial_policy::{
90    PolicyDecision as AdversarialPolicyDecision, PolicyLlmClient, PolicyMessage, PolicyRole,
91    PolicyValidator, parse_policy_lines,
92};
93pub use anomaly::{AnomalyDetector, AnomalySeverity, is_reasoning_model};
94pub use audit::{
95    AuditEntry, AuditLogger, AuditResult, EgressEvent, VigilRiskLevel, chrono_now,
96    log_tool_risk_summary,
97};
98pub use cache::{CacheKey, ToolResultCache, is_cacheable};
99pub use composite::CompositeExecutor;
100pub use config::{build_permission_policy, validate_sandbox_denied_domains};
101pub use cwd::SetCwdExecutor;
102pub use diagnostics::DiagnosticsExecutor;
103pub use error_taxonomy::{
104    ErrorDomain, ToolErrorCategory, ToolErrorFeedback, ToolInvocationPhase, classify_http_status,
105    classify_io_error,
106};
107pub use executor::{
108    ClaimSource, DiffData, DynExecutor, ErasedToolExecutor, ErrorKind, FilterStats,
109    MAX_TOOL_OUTPUT_CHARS, TOOL_EVENT_CHANNEL_CAP, ToolCall, ToolError, ToolEvent, ToolEventRx,
110    ToolEventTx, ToolExecutor, ToolOutput, truncate_tool_output, truncate_tool_output_at,
111};
112pub use file::FileExecutor;
113pub use filter::{
114    CommandMatcher, FilterConfidence, FilterMetrics, FilterResult, OutputFilter,
115    OutputFilterRegistry, sanitize_output, strip_ansi,
116};
117pub use net::is_private_ip;
118pub use permissions::PermissionPolicy;
119pub use policy::{PolicyCompileError, PolicyContext, PolicyDecision, PolicyEnforcer};
120pub use policy_gate::PolicyGateExecutor;
121pub use registry::ToolRegistry;
122#[cfg(target_os = "macos")]
123pub use sandbox::MacosSandbox;
124pub use sandbox::{
125    NoopSandbox, Sandbox, SandboxError, SandboxPolicy, build_sandbox, build_sandbox_with_policy,
126};
127pub use schema_filter::{
128    DependencyExclusion, InclusionReason, ToolDependencyGraph, ToolEmbedding, ToolFilterResult,
129    ToolSchemaFilter,
130};
131pub use scrape::WebScrapeExecutor;
132pub use search_code::{
133    LspSearchBackend, SearchCodeExecutor, SearchCodeHit, SearchCodeSource, SemanticSearchBackend,
134};
135pub use shell::background::{BackgroundCompletion, BackgroundRunSnapshot, RunId};
136pub use shell::{
137    DEFAULT_BLOCKED_COMMANDS, SHELL_INTERPRETERS, ShellExecutor, ShellOutputEnvelope,
138    ShellPolicyHandle, check_blocklist, effective_shell_command,
139};
140pub use tool_filter::ToolFilter;
141pub use trust_gate::TrustGateExecutor;
142pub use trust_level::SkillTrustLevel;
143pub use utility::{
144    UtilityAction, UtilityContext, UtilityScore, UtilityScorer, has_explicit_tool_request,
145};
146pub use verifier::{
147    DestructiveCommandVerifier, FirewallVerifier, InjectionPatternVerifier, PreExecutionVerifier,
148    UrlGroundingVerifier, VerificationResult,
149};
150pub use zeph_common::ToolName;
151pub use zeph_config::tools::{
152    AdversarialPolicyConfig, AnomalyConfig, AuditConfig, AuthorizationConfig, DefaultEffect,
153    DependencyConfig, EgressConfig, FileConfig, FilterConfig, OverflowConfig, PolicyConfig,
154    PolicyEffect, PolicyRuleConfig, ResultCacheConfig, RetryConfig, SandboxConfig, SandboxProfile,
155    ScrapeConfig, SecurityFilterConfig, ShellConfig, TafcConfig, ToolDependency, ToolsConfig,
156    UtilityScoringConfig,
157};
158pub use zeph_config::tools::{
159    AutonomyLevel, PermissionAction, PermissionRule, PermissionsConfig, SpeculationMode,
160    SpeculativeAllowlistConfig, SpeculativeConfig, SpeculativePatternConfig,
161};
162pub use zeph_config::tools::{
163    DestructiveVerifierConfig, FirewallVerifierConfig, InjectionVerifierConfig,
164    PreExecutionVerifierConfig, UrlGroundingVerifierConfig,
165};
zeph_tools/lib.rs

zeph_tools/
lib.rs
