Revert "fix(agent): tool permission override (#2606)" (#2618)

This reverts commit dfaa580.

Author: dingfeli

crates/chat-cli/src/cli/agent/mod.rs

@@ -54,10 +54,6 @@ pub use wrapper_types::{
     tool_settings_schema,
 };
 
-use super::chat::tools::execute::ExecuteCommand;
-use super::chat::tools::fs_read::FsRead;
-use super::chat::tools::fs_write::FsWrite;
-use super::chat::tools::use_aws::UseAws;
 use super::chat::tools::{
     DEFAULT_APPROVE,
     NATIVE_TOOLS,
@@ -217,8 +213,8 @@ impl Agent {
 
         self.path = Some(path.to_path_buf());
 
-        let mut stderr = std::io::stderr();
         if let (true, Some(legacy_mcp_config)) = (self.use_legacy_mcp_json, legacy_mcp_config) {
+            let mut stderr = std::io::stderr();
             for (name, legacy_server) in &legacy_mcp_config.mcp_servers {
                 if mcp_servers.mcp_servers.contains_key(name) {
                     let _ = queue!(
@@ -242,58 +238,6 @@ impl Agent {
             }
         }
 
-        stderr.flush()?;
-
-        Ok(())
-    }
-
-    pub fn validate_tool_settings(&self, output: &mut impl Write) -> Result<(), AgentConfigError> {
-        let execute_name = if cfg!(windows) { "execute_cmd" } else { "execute_bash" };
-        for allowed_tool in &self.allowed_tools {
-            if let Some(settings) = self.tools_settings.get(allowed_tool.as_str()) {
-                // currently we only have four native tools that offers tool settings
-                match allowed_tool.as_str() {
-                    "fs_read" => {
-                        if let Some(overridden_settings) = FsRead::allowable_field_to_be_overridden(settings) {
-                            queue_permission_override_warning(
-                                allowed_tool.as_str(),
-                                overridden_settings.as_str(),
-                                output,
-                            )?;
-                        }
-                    },
-                    "fs_write" => {
-                        if let Some(overridden_settings) = FsWrite::allowable_field_to_be_overridden(settings) {
-                            queue_permission_override_warning(
-                                allowed_tool.as_str(),
-                                overridden_settings.as_str(),
-                                output,
-                            )?;
-                        }
-                    },
-                    "use_aws" => {
-                        if let Some(overridden_settings) = UseAws::allowable_field_to_be_overridden(settings) {
-                            queue_permission_override_warning(
-                                allowed_tool.as_str(),
-                                overridden_settings.as_str(),
-                                output,
-                            )?;
-                        }
-                    },
-                    name if name == execute_name => {
-                        if let Some(overridden_settings) = ExecuteCommand::allowable_field_to_be_overridden(settings) {
-                            queue_permission_override_warning(
-                                allowed_tool.as_str(),
-                                overridden_settings.as_str(),
-                                output,
-                            )?;
-                        }
-                    },
-                    _ => {},
-                }
-            }
-        }
-
         Ok(())
     }
 
@@ -859,28 +803,6 @@ async fn load_legacy_mcp_config(os: &Os) -> eyre::Result<Option<McpServerConfig>
     })
 }
 
-pub fn queue_permission_override_warning(
-    tool_name: &str,
-    overridden_settings: &str,
-    output: &mut impl Write,
-) -> Result<(), std::io::Error> {
-    Ok(queue!(
-        output,
-        style::SetForegroundColor(Color::Yellow),
-        style::Print("WARN: "),
-        style::ResetColor,
-        style::Print("You have trusted "),
-        style::SetForegroundColor(Color::Green),
-        style::Print(tool_name),
-        style::ResetColor,
-        style::Print(" tool, which overrides the toolsSettings: "),
-        style::SetForegroundColor(Color::Cyan),
-        style::Print(overridden_settings),
-        style::ResetColor,
-        style::Print("\n"),
-    )?)
-}
-
 fn default_schema() -> String {
     "https://raw.githubusercontent.com/aws/amazon-q-developer-cli/refs/heads/main/schemas/agent-v1.json".into()
 }

crates/chat-cli/src/cli/chat/mod.rs

@@ -123,10 +123,7 @@ use util::{
 use winnow::Partial;
 use winnow::stream::Offset;
 
-use super::agent::{
-    DEFAULT_AGENT_NAME,
-    PermissionEvalResult,
-};
+use super::agent::PermissionEvalResult;
 use crate::api_client::model::ToolResultStatus;
 use crate::api_client::{
     self,
@@ -614,7 +611,7 @@ impl ChatSession {
                                 ": cannot resume conversation with {profile} because it no longer exists. Using default.\n"
                             ))
                         )?;
-                        let _ = agents.switch(DEFAULT_AGENT_NAME);
+                        let _ = agents.switch("default");
                     }
                 }
                 cs.agents = agents;
@@ -625,10 +622,6 @@ impl ChatSession {
             false => ConversationState::new(conversation_id, agents, tool_config, tool_manager, model_id, os).await,
         };
 
-        if let Some(agent) = conversation.agents.get_active() {
-            agent.validate_tool_settings(&mut stderr)?;
-        }
-
         // Spawn a task for listening and broadcasting sigints.
         let (ctrlc_tx, ctrlc_rx) = tokio::sync::broadcast::channel(4);
         tokio::spawn(async move {
@@ -1746,12 +1739,6 @@ impl ChatSession {
                             .clone()
                             .unwrap_or(tool_use.name.clone());
                         self.conversation.agents.trust_tools(vec![formatted_tool_name]);
-
-                        if let Some(agent) = self.conversation.agents.get_active() {
-                            agent
-                                .validate_tool_settings(&mut self.stderr)
-                                .map_err(|_e| ChatError::Custom("Failed to validate agent tool settings".into()))?;
-                        }
                     }
                     tool_use.accepted = true;
 

crates/chat-cli/src/cli/chat/tools/execute/mod.rs

@@ -186,12 +186,6 @@ impl ExecuteCommand {
         Ok(())
     }
 
-    pub fn allowable_field_to_be_overridden(settings: &serde_json::Value) -> Option<String> {
-        settings
-            .get("allowedCommands")
-            .map(|value| format!("allowedCommands: {}", value))
-    }
-
     pub fn eval_perm(&self, agent: &Agent) -> PermissionEvalResult {
         #[derive(Debug, Deserialize)]
         #[serde(rename_all = "camelCase")]
@@ -212,7 +206,7 @@ impl ExecuteCommand {
         let tool_name = if cfg!(windows) { "execute_cmd" } else { "execute_bash" };
         let is_in_allowlist = agent.allowed_tools.contains(tool_name);
         match agent.tools_settings.get(tool_name) {
-            Some(settings) => {
+            Some(settings) if is_in_allowlist => {
                 let Settings {
                     allowed_commands,
                     denied_commands,
@@ -236,7 +230,7 @@ impl ExecuteCommand {
                     return PermissionEvalResult::Deny(denied_match_set);
                 }
 
-                if !is_in_allowlist || self.requires_acceptance(Some(&allowed_commands), allow_read_only) {
+                if self.requires_acceptance(Some(&allowed_commands), allow_read_only) {
                     PermissionEvalResult::Ask
                 } else {
                     PermissionEvalResult::Allow
@@ -273,7 +267,10 @@ pub fn format_output(output: &str, max_size: usize) -> String {
 
 #[cfg(test)]
 mod tests {
-    use std::collections::HashMap;
+    use std::collections::{
+        HashMap,
+        HashSet,
+    };
 
     use super::*;
     use crate::cli::agent::ToolSettingTarget;
@@ -427,8 +424,13 @@ mod tests {
     #[test]
     fn test_eval_perm() {
         let tool_name = if cfg!(windows) { "execute_cmd" } else { "execute_bash" };
-        let mut agent = Agent {
+        let agent = Agent {
             name: "test_agent".to_string(),
+            allowed_tools: {
+                let mut allowed_tools = HashSet::<String>::new();
+                allowed_tools.insert(tool_name.to_string());
+                allowed_tools
+            },
             tools_settings: {
                 let mut map = HashMap::<ToolSettingTarget, serde_json::Value>::new();
                 map.insert(
@@ -442,32 +444,20 @@ mod tests {
             ..Default::default()
         };
 
-        let tool_one = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
+        let tool = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
             "command": "git status",
         }))
         .unwrap();
 
-        let res = tool_one.eval_perm(&agent);
+        let res = tool.eval_perm(&agent);
         assert!(matches!(res, PermissionEvalResult::Deny(ref rules) if rules.contains(&"\\Agit .*\\z".to_string())));
 
-        let tool_two = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
+        let tool = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
             "command": "echo hello",
         }))
         .unwrap();
 
-        let res = tool_two.eval_perm(&agent);
-        assert!(matches!(res, PermissionEvalResult::Ask));
-
-        agent.allowed_tools.insert(tool_name.to_string());
-
-        let res = tool_two.eval_perm(&agent);
-        assert!(matches!(res, PermissionEvalResult::Allow));
-
-        // Denied list should remain denied
-        let res = tool_one.eval_perm(&agent);
-        assert!(matches!(res, PermissionEvalResult::Deny(ref rules) if rules.contains(&"\\Agit .*\\z".to_string())));
-
-        let res = tool_two.eval_perm(&agent);
+        let res = tool.eval_perm(&agent);
         assert!(matches!(res, PermissionEvalResult::Allow));
     }
 

crates/chat-cli/src/cli/chat/tools/fs_read.rs

@@ -102,12 +102,6 @@ impl FsRead {
         }
     }
 
-    pub fn allowable_field_to_be_overridden(settings: &serde_json::Value) -> Option<String> {
-        settings
-            .get("allowedPaths")
-            .map(|value| format!("allowedPaths: {}", value))
-    }
-
     pub fn eval_perm(&self, agent: &Agent) -> PermissionEvalResult {
         #[derive(Debug, Deserialize)]
         #[serde(rename_all = "camelCase")]
@@ -126,7 +120,7 @@ impl FsRead {
 
         let is_in_allowlist = agent.allowed_tools.contains("fs_read");
         match agent.tools_settings.get("fs_read") {
-            Some(settings) => {
+            Some(settings) if is_in_allowlist => {
                 let Settings {
                     allowed_paths,
                     denied_paths,
@@ -188,7 +182,7 @@ impl FsRead {
 
                                     // We only want to ask if we are not allowing read only
                                     // operation
-                                    if !is_in_allowlist && !allow_read_only && !allow_set.is_match(path) {
+                                    if !allow_read_only && !allow_set.is_match(path) {
                                         ask = true;
                                     }
                                 },
@@ -209,10 +203,7 @@ impl FsRead {
 
                                     // We only want to ask if we are not allowing read only
                                     // operation
-                                    if !is_in_allowlist
-                                        && !allow_read_only
-                                        && !paths.iter().any(|path| allow_set.is_match(path))
-                                    {
+                                    if !allow_read_only && !paths.iter().any(|path| allow_set.is_match(path)) {
                                         ask = true;
                                     }
                                 },
@@ -847,7 +838,10 @@ fn format_mode(mode: u32) -> [char; 9] {
 
 #[cfg(test)]
 mod tests {
-    use std::collections::HashMap;
+    use std::collections::{
+        HashMap,
+        HashSet,
+    };
 
     use super::*;
     use crate::cli::agent::ToolSettingTarget;
@@ -1387,8 +1381,13 @@ mod tests {
         const DENIED_PATH_ONE: &str = "/some/denied/path";
         const DENIED_PATH_GLOB: &str = "/denied/glob/**/path";
 
-        let mut agent = Agent {
+        let agent = Agent {
             name: "test_agent".to_string(),
+            allowed_tools: {
+                let mut allowed_tools = HashSet::<String>::new();
+                allowed_tools.insert("fs_read".to_string());
+                allowed_tools
+            },
             tools_settings: {
                 let mut map = HashMap::<ToolSettingTarget, serde_json::Value>::new();
                 map.insert(
@@ -1402,7 +1401,7 @@ mod tests {
             ..Default::default()
         };
 
-        let tool_one = serde_json::from_value::<FsRead>(serde_json::json!({
+        let tool = serde_json::from_value::<FsRead>(serde_json::json!({
             "operations": [
                 { "path": DENIED_PATH_ONE, "mode": "Line", "start_line": 1, "end_line": 2 },
                 { "path": "/denied/glob", "mode": "Directory" },
@@ -1413,17 +1412,7 @@ mod tests {
         }))
         .unwrap();
 
-        let res = tool_one.eval_perm(&agent);
-        assert!(matches!(
-            res,
-            PermissionEvalResult::Deny(ref deny_list)
-                if deny_list.iter().filter(|p| *p == DENIED_PATH_GLOB).collect::<Vec<_>>().len() == 2
-                && deny_list.iter().filter(|p| *p == DENIED_PATH_ONE).collect::<Vec<_>>().len() == 1
-        ));
-
-        agent.allowed_tools.insert("fs_read".to_string());
-
-        let res = tool_one.eval_perm(&agent);
+        let res = tool.eval_perm(&agent);
         assert!(matches!(
             res,
             PermissionEvalResult::Deny(ref deny_list)