feat(agent): adds globbing support for tool settings deny (#2512)

* adds globbing support for deny list

* docs update for tool settings globbing support

* fixes tool name derivation for winwdows

* adds description doc for PermissionEvalResult

Author: dingfeli

crates/chat-cli/src/cli/agent/mod.rs

@@ -305,11 +305,17 @@ impl Agent {
     }
 }
 
+/// Result of evaluating tool permissions, indicating whether a tool should be allowed,
+/// require user confirmation, or be denied with specific reasons.
 #[derive(Debug, PartialEq)]
 pub enum PermissionEvalResult {
+    /// Tool is allowed to execute without user confirmation
     Allow,
+    /// Tool requires user confirmation before execution
     Ask,
-    Deny,
+    /// Denial with specific reasons explaining why the tool was denied
+    /// Tools are free to overload what these reasons are
+    Deny(Vec<String>),
 }
 
 #[derive(Clone, Default, Debug)]

crates/chat-cli/src/cli/agent/wrapper_types.rs

@@ -53,7 +53,7 @@ pub fn alias_schema(generator: &mut SchemaGenerator) -> Schema {
 
 /// The name of the tool to be configured
 #[derive(Debug, Clone, Serialize, Deserialize, Eq, Hash, PartialEq, JsonSchema)]
-pub struct ToolSettingTarget(String);
+pub struct ToolSettingTarget(pub String);
 
 impl Deref for ToolSettingTarget {
     type Target = String;

crates/chat-cli/src/cli/chat/mod.rs

@@ -1822,22 +1822,40 @@ impl ChatSession {
                 continue;
             }
 
-            let mut denied = false;
+            let mut denied_match_set = None::<Vec<String>>;
             let allowed =
                 self.conversation
                     .agents
                     .get_active()
                     .is_some_and(|a| match tool.tool.requires_acceptance(a) {
                         PermissionEvalResult::Allow => true,
                         PermissionEvalResult::Ask => false,
-                        PermissionEvalResult::Deny => {
-                            denied = true;
+                        PermissionEvalResult::Deny(matches) => {
+                            denied_match_set.replace(matches);
                             false
                         },
                     })
                     || self.conversation.agents.trust_all_tools;
 
-            if denied {
+            if let Some(match_set) = denied_match_set {
+                let formatted_set = match_set.into_iter().fold(String::new(), |mut acc, rule| {
+                    acc.push_str(&format!("\n  - {rule}"));
+                    acc
+                });
+
+                execute!(
+                    self.stderr,
+                    style::SetForegroundColor(Color::Red),
+                    style::Print("Command "),
+                    style::SetForegroundColor(Color::Yellow),
+                    style::Print(&tool.name),
+                    style::SetForegroundColor(Color::Red),
+                    style::Print(" is rejected because it matches one or more rules on the denied list:"),
+                    style::Print(formatted_set),
+                    style::Print("\n"),
+                    style::SetForegroundColor(Color::Reset),
+                )?;
+
                 return Ok(ChatState::HandleInput {
                     input: format!(
                         "Tool use with {} was rejected because the arguments supplied were forbidden",

crates/chat-cli/src/cli/chat/tools/execute/mod.rs

@@ -193,7 +193,7 @@ impl ExecuteCommand {
 
         let Self { command, .. } = self;
         let tool_name = if cfg!(windows) { "execute_cmd" } else { "execute_bash" };
-        let is_in_allowlist = agent.allowed_tools.contains("execute_bash");
+        let is_in_allowlist = agent.allowed_tools.contains(tool_name);
         match agent.tools_settings.get(tool_name) {
             Some(settings) if is_in_allowlist => {
                 let Settings {
@@ -208,8 +208,15 @@ impl ExecuteCommand {
                     },
                 };
 
-                if denied_commands.iter().any(|dc| command.contains(dc)) {
-                    return PermissionEvalResult::Deny;
+                let denied_match_set = denied_commands
+                    .iter()
+                    .filter_map(|dc| Regex::new(&format!(r"\A{dc}\z")).ok())
+                    .filter(|r| r.is_match(command))
+                    .map(|r| r.to_string())
+                    .collect::<Vec<_>>();
+
+                if !denied_match_set.is_empty() {
+                    return PermissionEvalResult::Deny(denied_match_set);
                 }
 
                 if self.requires_acceptance(Some(&allowed_commands), allow_read_only) {
@@ -249,7 +256,13 @@ pub fn format_output(output: &str, max_size: usize) -> String {
 
 #[cfg(test)]
 mod tests {
+    use std::collections::{
+        HashMap,
+        HashSet,
+    };
+
     use super::*;
+    use crate::cli::agent::ToolSettingTarget;
 
     #[test]
     fn test_requires_acceptance_for_readonly_commands() {
@@ -384,4 +397,44 @@ mod tests {
             );
         }
     }
+
+    #[test]
+    fn test_eval_perm() {
+        let tool_name = if cfg!(windows) { "execute_cmd" } else { "execute_bash" };
+        let agent = Agent {
+            name: "test_agent".to_string(),
+            allowed_tools: {
+                let mut allowed_tools = HashSet::<String>::new();
+                allowed_tools.insert(tool_name.to_string());
+                allowed_tools
+            },
+            tools_settings: {
+                let mut map = HashMap::<ToolSettingTarget, serde_json::Value>::new();
+                map.insert(
+                    ToolSettingTarget(tool_name.to_string()),
+                    serde_json::json!({
+                        "deniedCommands": ["git .*"]
+                    }),
+                );
+                map
+            },
+            ..Default::default()
+        };
+
+        let tool = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
+            "command": "git status",
+        }))
+        .unwrap();
+
+        let res = tool.eval_perm(&agent);
+        assert!(matches!(res, PermissionEvalResult::Deny(ref rules) if rules.contains(&"\\Agit .*\\z".to_string())));
+
+        let tool = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
+            "command": "echo hello",
+        }))
+        .unwrap();
+
+        let res = tool.eval_perm(&agent);
+        assert!(matches!(res, PermissionEvalResult::Allow));
+    }
 }

crates/chat-cli/src/cli/chat/tools/fs_read.rs

@@ -144,10 +144,12 @@ impl FsRead {
                     builder.build()
                 };
 
+                let mut sanitized_deny_list = Vec::<&String>::new();
                 let deny_set = {
                     let mut builder = GlobSetBuilder::new();
                     for path in &denied_paths {
                         if let Ok(glob) = Glob::new(path) {
+                            sanitized_deny_list.push(path);
                             builder.add(glob);
                         } else {
                             warn!("Failed to create glob from path given: {path}. Ignoring.");
@@ -158,43 +160,66 @@ impl FsRead {
 
                 match (allow_set, deny_set) {
                     (Ok(allow_set), Ok(deny_set)) => {
-                        let eval_res = self
-                            .operations
-                            .iter()
-                            .map(|op| {
-                                match op {
-                                    FsReadOperation::Line(FsLine { path, .. })
-                                    | FsReadOperation::Directory(FsDirectory { path, .. })
-                                    | FsReadOperation::Search(FsSearch { path, .. }) => {
-                                        if deny_set.is_match(path) {
-                                            return PermissionEvalResult::Deny;
-                                        }
-                                        if allow_set.is_match(path) {
-                                            return PermissionEvalResult::Allow;
-                                        }
-                                    },
-                                    FsReadOperation::Image(fs_image) => {
-                                        let paths = &fs_image.image_paths;
-                                        if paths.iter().any(|path| deny_set.is_match(path)) {
-                                            return PermissionEvalResult::Deny;
-                                        }
-                                        if paths.iter().all(|path| allow_set.is_match(path)) {
-                                            return PermissionEvalResult::Allow;
-                                        }
-                                    },
-                                }
-
-                                if allow_read_only {
-                                    PermissionEvalResult::Allow
-                                } else {
-                                    PermissionEvalResult::Ask
-                                }
-                            })
-                            .collect::<Vec<_>>();
+                        let mut deny_list = Vec::<PermissionEvalResult>::new();
+                        let mut ask = false;
+
+                        for op in &self.operations {
+                            match op {
+                                FsReadOperation::Line(FsLine { path, .. })
+                                | FsReadOperation::Directory(FsDirectory { path, .. })
+                                | FsReadOperation::Search(FsSearch { path, .. }) => {
+                                    let denied_match_set = deny_set.matches(path);
+                                    if !denied_match_set.is_empty() {
+                                        let deny_res = PermissionEvalResult::Deny({
+                                            denied_match_set
+                                                .iter()
+                                                .filter_map(|i| sanitized_deny_list.get(*i).map(|s| (*s).clone()))
+                                                .collect::<Vec<_>>()
+                                        });
+                                        deny_list.push(deny_res);
+                                        continue;
+                                    }
+
+                                    // We only want to ask if we are not allowing read only
+                                    // operation
+                                    if !allow_read_only && !allow_set.is_match(path) {
+                                        ask = true;
+                                    }
+                                },
+                                FsReadOperation::Image(fs_image) => {
+                                    let paths = &fs_image.image_paths;
+                                    let denied_match_set =
+                                        paths.iter().flat_map(|p| deny_set.matches(p)).collect::<Vec<_>>();
+                                    if !denied_match_set.is_empty() {
+                                        let deny_res = PermissionEvalResult::Deny({
+                                            denied_match_set
+                                                .iter()
+                                                .filter_map(|i| sanitized_deny_list.get(*i).map(|s| (*s).clone()))
+                                                .collect::<Vec<_>>()
+                                        });
+                                        deny_list.push(deny_res);
+                                        continue;
+                                    }
+
+                                    // We only want to ask if we are not allowing read only
+                                    // operation
+                                    if !allow_read_only && !paths.iter().any(|path| allow_set.is_match(path)) {
+                                        ask = true;
+                                    }
+                                },
+                            }
+                        }
 
-                        if eval_res.contains(&PermissionEvalResult::Deny) {
-                            PermissionEvalResult::Deny
-                        } else if eval_res.contains(&PermissionEvalResult::Ask) {
+                        if !deny_list.is_empty() {
+                            PermissionEvalResult::Deny({
+                                deny_list.into_iter().fold(Vec::<String>::new(), |mut acc, res| {
+                                    if let PermissionEvalResult::Deny(mut rules) = res {
+                                        acc.append(&mut rules);
+                                    }
+                                    acc
+                                })
+                            })
+                        } else if ask {
                             PermissionEvalResult::Ask
                         } else {
                             PermissionEvalResult::Allow
@@ -813,7 +838,13 @@ fn format_mode(mode: u32) -> [char; 9] {
 
 #[cfg(test)]
 mod tests {
+    use std::collections::{
+        HashMap,
+        HashSet,
+    };
+
     use super::*;
+    use crate::cli::agent::ToolSettingTarget;
     use crate::cli::chat::util::test::{
         TEST_FILE_CONTENTS,
         TEST_FILE_PATH,
@@ -1323,6 +1354,7 @@ mod tests {
             panic!("expected text output for batch operations");
         }
     }
+
     #[tokio::test]
     async fn test_fs_read_empty_operations() {
         let os = Os::new().await.unwrap();
@@ -1343,4 +1375,49 @@ mod tests {
                 .contains("At least one operation must be provided")
         );
     }
+
+    #[test]
+    fn test_eval_perm() {
+        const DENIED_PATH_ONE: &str = "/some/denied/path";
+        const DENIED_PATH_GLOB: &str = "/denied/glob/**/path";
+
+        let agent = Agent {
+            name: "test_agent".to_string(),
+            allowed_tools: {
+                let mut allowed_tools = HashSet::<String>::new();
+                allowed_tools.insert("fs_read".to_string());
+                allowed_tools
+            },
+            tools_settings: {
+                let mut map = HashMap::<ToolSettingTarget, serde_json::Value>::new();
+                map.insert(
+                    ToolSettingTarget("fs_read".to_string()),
+                    serde_json::json!({
+                        "deniedPaths": [DENIED_PATH_ONE, DENIED_PATH_GLOB]
+                    }),
+                );
+                map
+            },
+            ..Default::default()
+        };
+
+        let tool = serde_json::from_value::<FsRead>(serde_json::json!({
+            "operations": [
+                { "path": DENIED_PATH_ONE, "mode": "Line", "start_line": 1, "end_line": 2 },
+                { "path": "/denied/glob", "mode": "Directory" },
+                { "path": "/denied/glob/child_one/path", "mode": "Directory" },
+                { "path": "/denied/glob/child_one/grand_child_one/path", "mode": "Directory" },
+                { "path": TEST_FILE_PATH, "mode": "Search", "pattern": "hello" }
+            ],
+        }))
+        .unwrap();
+
+        let res = tool.eval_perm(&agent);
+        assert!(matches!(
+            res,
+            PermissionEvalResult::Deny(ref deny_list)
+                if deny_list.iter().filter(|p| *p == DENIED_PATH_GLOB).collect::<Vec<_>>().len() == 2
+                && deny_list.iter().filter(|p| *p == DENIED_PATH_ONE).collect::<Vec<_>>().len() == 1
+        ));
+    }
 }