eeymoo/claw-code
1
0
Fork 0
mirror of https://github.com/instructkr/claw-code.git synced 2026-06-05 05:57:10 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: remove stale retry_after field, Team variant, config_load_error_kind, denied_tools initializer errors

Browse Source 
- Remove retry_after: None from ApiError::Api structs in openai_compat.rs (field was removed)
- Remove SlashCommand::Team parse arm (variant was removed from enum)
- Add config_load_error_kind: None to doctor path StatusContext initializer
- Add Thinking arm to all ContentBlock match blocks in trident.rs
- Remove cargo fmt drift across commands, config, compact, tools, trident
This commit is contained in:
YeonGyu-Kim
2026-05-25 12:01:09 +09:00
parent 3364dc4bee
commit 495e7a015c
8 changed files with 1189 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
rust/crates/runtime/src/permissions.rs
View File

@@ -102,6 +102,10 @@ pub struct PermissionPolicy {
allow_rules: Vec<PermissionRule>,
deny_rules: Vec<PermissionRule>,
ask_rules: Vec<PermissionRule>,
/// #159: simple tool-name denials. Tools in this list are unconditionally
/// denied regardless of permission mode, checked before the rule-based
/// deny/allow/ask evaluation.
denied_tools: Vec<String>,
}
impl PermissionPolicy {
@@ -113,6 +117,7 @@ impl PermissionPolicy {
allow_rules: Vec::new(),
deny_rules: Vec::new(),
ask_rules: Vec::new(),
denied_tools: Vec::new(),
}
}
@@ -144,6 +149,7 @@ impl PermissionPolicy {
.iter()
.map(|rule| PermissionRule::parse(rule))
.collect();
self.denied_tools = config.denied_tools().to_vec();
self
}
@@ -179,6 +185,15 @@ impl PermissionPolicy {
context: &PermissionContext,
prompter: Option<&mut dyn PermissionPrompter>,
) -> PermissionOutcome {
// #159: check denied_tools before rule-based evaluation. Tools listed
// in the denied_tools config are unconditionally denied regardless of
// permission mode.
if self.denied_tools.iter().any(|t| t == tool_name) {
return PermissionOutcome::Deny {
reason: format!("tool '{tool_name}' has been denied by denied_tools configuration"),
};
}
if let Some(rule) = Self::find_matching_rule(&self.deny_rules, tool_name, input) {
return PermissionOutcome::Deny {
reason: format!(
@@ -571,6 +586,7 @@ mod tests {
vec!["bash(git:*)".to_string()],
vec!["bash(rm -rf:*)".to_string()],
Vec::new(),
Vec::new(),
);
let policy = PermissionPolicy::new(PermissionMode::ReadOnly)
.with_tool_requirement("bash", PermissionMode::DangerFullAccess)
@@ -586,12 +602,39 @@ mod tests {
));
}
#[test]
fn denied_tools_denies_listed_tools_unconditionally() {
let rules = RuntimePermissionRuleConfig::new(
Vec::new(),
Vec::new(),
Vec::new(),
vec!["bash".to_string(), "write_file".to_string()],
);
let policy = PermissionPolicy::new(PermissionMode::Allow).with_permission_rules(&rules);
let result = policy.authorize("bash", "echo hello", None);
assert!(matches!(
result,
PermissionOutcome::Deny { reason } if reason.contains("denied_tools")
));
let result = policy.authorize("write_file", "{}", None);
assert!(matches!(
result,
PermissionOutcome::Deny { reason } if reason.contains("denied_tools")
));
let result = policy.authorize("read_file", "{}", None);
assert_eq!(result, PermissionOutcome::Allow);
}
#[test]
fn ask_rules_force_prompt_even_when_mode_allows() {
let rules = RuntimePermissionRuleConfig::new(
Vec::new(),
Vec::new(),
vec!["bash(git:*)".to_string()],
Vec::new(),
);
let policy = PermissionPolicy::new(PermissionMode::DangerFullAccess)
.with_tool_requirement("bash", PermissionMode::DangerFullAccess)
@@ -617,6 +660,7 @@ mod tests {
Vec::new(),
Vec::new(),
vec!["bash(git:*)".to_string()],
Vec::new(),
);
let policy = PermissionPolicy::new(PermissionMode::ReadOnly)
.with_tool_requirement("bash", PermissionMode::DangerFullAccess)