zeph_tools/
lib.rs

1// SPDX-FileCopyrightText: 2026 Andrei G <bug-ops>
2// SPDX-License-Identifier: MIT OR Apache-2.0
3
4//! Tool execution abstraction, shell backend, web scraping, and audit logging for Zeph.
5//!
6//! This crate provides the [`ToolExecutor`] trait and its concrete implementations:
7//!
8//! - [`ShellExecutor`] — executes bash blocks from LLM responses with sandboxing, blocklists,
9//!   output filtering, transactional rollback, and audit logging.
10//! - [`WebScrapeExecutor`] — fetches and scrapes web pages via CSS selectors, with SSRF
11//!   protection and domain policies.
12//! - [`CompositeExecutor`] — chains two executors with first-match-wins dispatch.
13//! - [`FileExecutor`] — reads and writes local files within a sandbox.
14//! - [`DiagnosticsExecutor`] — exposes agent self-diagnostics as a tool.
15//!
16//! # Architecture
17//!
18//! The primary abstraction is [`ToolExecutor`], an async trait implemented by every backend.
19//! When dynamic dispatch is needed (e.g., storing heterogeneous executors in a `Vec`), use
20//! [`ErasedToolExecutor`] or wrap with [`DynExecutor`].
21//!
22//! Tool calls originate from two paths:
23//!
24//! 1. **Fenced code blocks** — legacy LLM responses containing ` ```bash ` or ` ```scrape `
25//!    blocks dispatched via [`ToolExecutor::execute`].
26//! 2. **Structured tool calls** — modern JSON tool calls dispatched via
27//!    [`ToolExecutor::execute_tool_call`].
28//!
29//! # Security
30//!
31//! Every executor enforces security controls before execution:
32//!
33//! - [`ShellExecutor`] checks the command against a blocklist, validates paths against an
34//!   allowlist sandbox, and optionally requires user confirmation for destructive patterns.
35//! - [`WebScrapeExecutor`] validates the URL scheme (HTTPS only), resolves DNS, and rejects
36//!   private-network addresses (SSRF protection).
37//! - [`AuditLogger`] writes a structured JSONL entry for every tool invocation.
38//!
39//! # Example
40//!
41//! ```rust,no_run
42//! use zeph_tools::{ShellExecutor, ToolExecutor, ShellConfig};
43//!
44//! # async fn example() {
45//! let config = ShellConfig::default();
46//! let executor = ShellExecutor::new(&config);
47//!
48//! // Execute a fenced bash block from an LLM response.
49//! let response = "```bash\necho hello\n```";
50//! if let Ok(Some(output)) = executor.execute(response).await {
51//!     println!("{}", output.summary);
52//! }
53//! # }
54//! ```
55
56// TODO(critic): post-v1.0 — re-evaluate splitting executor / web / shell into sub-crates if compile times degrade.
57
58pub mod adversarial_gate;
59pub mod adversarial_policy;
60pub mod anomaly;
61pub mod audit;
62pub mod cache;
63pub mod composite;
64pub mod compression;
65pub mod config;
66pub mod cwd;
67pub mod diagnostics;
68pub mod domain_match;
69pub mod error_taxonomy;
70pub mod execution_context;
71pub mod executor;
72pub mod file;
73pub mod filter;
74pub mod net;
75pub mod patterns;
76pub mod permissions;
77pub mod policy;
78pub mod policy_gate;
79pub mod registry;
80pub mod sandbox;
81pub mod schema_filter;
82pub mod scope;
83pub mod scrape;
84pub mod search_code;
85pub mod shell;
86pub mod tool_filter;
87pub mod trust_gate;
88pub mod trust_level;
89pub mod utility;
90pub mod verifier;
91pub use adversarial_gate::AdversarialPolicyGateExecutor;
92pub use adversarial_policy::{
93    PolicyDecision as AdversarialPolicyDecision, PolicyLlmClient, PolicyMessage, PolicyRole,
94    PolicyValidator, parse_policy_lines,
95};
96pub use anomaly::{AnomalyDetector, AnomalySeverity, is_reasoning_model};
97pub use audit::{
98    AuditEntry, AuditLogger, AuditResult, EgressEvent, VigilRiskLevel, chrono_now,
99    log_tool_risk_summary,
100};
101pub use cache::{CacheKey, ToolResultCache, is_cacheable};
102pub use composite::CompositeExecutor;
103pub use compression::{
104    CompressedExecutor, CompressionError, CompressionRule, CompressionRuleStore,
105    IdentityCompressor, OutputCompressor, RuleBasedCompressor, safe_compile,
106};
107pub use config::{build_permission_policy, validate_sandbox_denied_domains};
108pub use cwd::SetCwdExecutor;
109pub use diagnostics::DiagnosticsExecutor;
110pub use error_taxonomy::{
111    ErrorDomain, ToolErrorCategory, ToolErrorFeedback, ToolInvocationPhase, classify_http_status,
112    classify_io_error,
113};
114pub use execution_context::ExecutionContext;
115pub use executor::{
116    ClaimSource, DiffData, DynExecutor, ErasedToolExecutor, ErrorKind, FilterStats,
117    MAX_TOOL_OUTPUT_CHARS, TOOL_EVENT_CHANNEL_CAP, ToolCall, ToolError, ToolEvent, ToolEventRx,
118    ToolEventTx, ToolExecutor, ToolOutput, truncate_tool_output, truncate_tool_output_at,
119};
120pub use file::FileExecutor;
121pub use filter::{
122    CommandMatcher, FilterConfidence, FilterMetrics, FilterResult, OutputFilter,
123    OutputFilterRegistry, sanitize_output, strip_ansi,
124};
125pub use net::is_private_ip;
126pub use permissions::PermissionPolicy;
127pub use policy::{PolicyCompileError, PolicyContext, PolicyDecision, PolicyEnforcer};
128pub use policy_gate::{PolicyGateExecutor, RiskSignalQueue, TrajectoryRiskSlot};
129pub use registry::ToolRegistry;
130#[cfg(target_os = "macos")]
131pub use sandbox::MacosSandbox;
132pub use sandbox::{
133    NoopSandbox, Sandbox, SandboxError, SandboxPolicy, build_sandbox, build_sandbox_with_policy,
134};
135pub use schema_filter::{
136    DependencyExclusion, InclusionReason, ToolDependencyGraph, ToolEmbedding, ToolFilterResult,
137    ToolSchemaFilter,
138};
139pub use scope::{ScopeError, ScopeWarning, ScopedToolExecutor, ToolScope, build_scoped_executor};
140pub use scrape::WebScrapeExecutor;
141pub use search_code::{
142    LspSearchBackend, SearchCodeExecutor, SearchCodeHit, SearchCodeSource, SemanticSearchBackend,
143};
144pub use shell::background::{BackgroundCompletion, BackgroundRunSnapshot, RunId};
145pub use shell::{
146    DEFAULT_BLOCKED_COMMANDS, SHELL_INTERPRETERS, ShellExecutor, ShellOutputEnvelope,
147    ShellPolicyHandle, check_blocklist, effective_shell_command,
148};
149pub use tool_filter::ToolFilter;
150pub use trust_gate::TrustGateExecutor;
151pub use trust_level::SkillTrustLevel;
152pub use utility::{
153    UtilityAction, UtilityContext, UtilityScore, UtilityScorer, has_explicit_tool_request,
154};
155pub use verifier::{
156    DestructiveCommandVerifier, FirewallVerifier, InjectionPatternVerifier, PreExecutionVerifier,
157    UrlGroundingVerifier, VerificationResult,
158};
159pub use zeph_common::ToolName;
160pub use zeph_config::tools::{
161    AdversarialPolicyConfig, AnomalyConfig, AuditConfig, AuthorizationConfig, DefaultEffect,
162    DependencyConfig, EgressConfig, FileConfig, FilterConfig, OverflowConfig, PolicyConfig,
163    PolicyEffect, PolicyRuleConfig, ResultCacheConfig, RetryConfig, SandboxConfig, SandboxProfile,
164    ScrapeConfig, SecurityFilterConfig, ShellConfig, TafcConfig, ToolDependency, ToolsConfig,
165    UtilityScoringConfig,
166};
167pub use zeph_config::tools::{
168    AutonomyLevel, PermissionAction, PermissionRule, PermissionsConfig, SpeculationMode,
169    SpeculativeAllowlistConfig, SpeculativeConfig, SpeculativePatternConfig,
170};
171pub use zeph_config::tools::{
172    DestructiveVerifierConfig, FirewallVerifierConfig, InjectionVerifierConfig,
173    PreExecutionVerifierConfig, UrlGroundingVerifierConfig,
174};
zeph_tools/lib.rs

zeph_tools/
lib.rs
