Pre-execution verification for tool calls.
Based on the TrustBench pattern (arXiv:2603.09157): intercept tool calls before
execution to block or warn on destructive or injection patterns.
Blocklist separation
DESTRUCTIVE_PATTERNS (this module) is intentionally separate from
DEFAULT_BLOCKED_COMMANDS in shell.rs. The two lists serve different purposes:
- DEFAULT_BLOCKED_COMMANDS — shell safety net: prevents the shell executor from running network tools (curl, wget, nc) and a few destructive commands. It is applied at tool-execution time by ShellExecutor.
- DESTRUCTIVE_PATTERNS — pre-execution guard: targets filesystem/system destruction commands (disk formats, wipefs, fork bombs, recursive permission changes). It runs before dispatch, in the LLM-call hot path, and must not be conflated with the shell safety net to avoid accidental allow-listing via config drift.
Overlap (3 entries: rm -rf /, mkfs, dd if=) is intentional — belt-and-suspenders.
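The sketch below is an added example, not code from this crate: it models the two layers with constructed stand-in lists and shows that dropping an overlap entry from the shell list still leaves the pre-execution guard blocking it. The names `Verdict`, `GUARD`, `SHELL`, `hit`, `check` and `overlap` are hypothetical, and only the three overlap entries and the tool names listed above come from this page.

```rust
// Added sketch, not the crate's code: lists and function names are hypothetical.
#[derive(Debug, PartialEq)]
enum Verdict { Allow, Block { layer: &'static str, pattern: &'static str } }

// Constructed stand-in for DESTRUCTIVE_PATTERNS (pre-execution guard).
const GUARD: &[&str] = &["rm -rf /", "mkfs", "dd if=", "wipefs"];
// Constructed stand-in for DEFAULT_BLOCKED_COMMANDS (shell safety net).
const SHELL: &[&str] = &["curl", "wget", "nc", "rm -rf /", "mkfs", "dd if="];

// Collapse whitespace and lowercase so spacing or case tricks do not dodge a pattern.
fn normalize(cmd: &str) -> String {
    cmd.split_whitespace().collect::<Vec<_>>().join(" ").to_lowercase()
}

// First pattern that occurs at the start of a word (so "nc" does not fire on "sync").
fn hit(cmd: &str, list: &[&'static str]) -> Option<&'static str> {
    let norm = normalize(cmd);
    list.iter().copied().find(|pat| {
        norm.match_indices(*pat).any(|(i, _)| {
            i == 0 || matches!(norm.as_bytes()[i - 1], b' ' | b';' | b'|' | b'&')
        })
    })
}

// Guard runs before dispatch; the shell list is consulted again at execution time.
fn check(cmd: &str, guard: &[&'static str], shell: &[&'static str]) -> Verdict {
    if let Some(pattern) = hit(cmd, guard) {
        return Verdict::Block { layer: "pre-execution", pattern };
    }
    match hit(cmd, shell) {
        Some(pattern) => Verdict::Block { layer: "shell", pattern },
        None => Verdict::Allow,
    }
}

// Entries present in both lists; a drift check can pin this to the intended set.
fn overlap(a: &[&'static str], b: &[&'static str]) -> Vec<&'static str> {
    a.iter().copied().filter(|p| b.contains(p)).collect()
}

fn main() {
    // Simulated config drift: "mkfs" dropped from the shell list only.
    let drifted: Vec<&'static str> = SHELL.iter().copied().filter(|p| *p != "mkfs").collect();
    println!("{:?}", check("mkfs.ext4 /dev/sdb1", GUARD, &drifted));
    println!("{:?}", check("sync && ls", GUARD, SHELL));
    println!("{:?}", overlap(GUARD, SHELL));
}
```

Asserting on `overlap` in a unit test turns the intended three-entry overlap into a regression check, so a config change that removes one copy is noticed.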
Structs
- DestructiveCommandVerifier - Verifier that blocks destructive shell commands (e.g., rm -rf /, dd, mkfs) before the shell tool executes them.
- DestructiveVerifierConfig - Configuration for the destructive command verifier.
- InjectionPatternVerifier - Verifier that blocks tool arguments containing SQL injection, command injection, or path traversal patterns. Applies to ALL tools using field-aware matching.
- InjectionVerifierConfig - Configuration for the injection pattern verifier.
- PreExecutionVerifierConfig - Top-level configuration for all pre-execution verifiers.
Enums
- VerificationResult - Result of a pre-execution verification check.
Traits
- PreExecutionVerifier - Pre-execution verification trait. Implementations intercept tool calls before the executor runs them. Based on the TrustBench pattern (arXiv:2603.09157).