fix(agent): tool permission override (#2606)

Author: dingfeli

crates/chat-cli/src/cli/agent/mod.rs

@@ -54,6 +54,10 @@ pub use wrapper_types::{
     tool_settings_schema,
 };
 
+use super::chat::tools::execute::ExecuteCommand;
+use super::chat::tools::fs_read::FsRead;
+use super::chat::tools::fs_write::FsWrite;
+use super::chat::tools::use_aws::UseAws;
 use super::chat::tools::{
     DEFAULT_APPROVE,
     NATIVE_TOOLS,
@@ -213,8 +217,8 @@ impl Agent {
 
         self.path = Some(path.to_path_buf());
 
+        let mut stderr = std::io::stderr();
         if let (true, Some(legacy_mcp_config)) = (self.use_legacy_mcp_json, legacy_mcp_config) {
-            let mut stderr = std::io::stderr();
             for (name, legacy_server) in &legacy_mcp_config.mcp_servers {
                 if mcp_servers.mcp_servers.contains_key(name) {
                     let _ = queue!(
@@ -238,6 +242,58 @@ impl Agent {
             }
         }
 
+        stderr.flush()?;
+
+        Ok(())
+    }
+
+    pub fn validate_tool_settings(&self, output: &mut impl Write) -> Result<(), AgentConfigError> {
+        let execute_name = if cfg!(windows) { "execute_cmd" } else { "execute_bash" };
+        for allowed_tool in &self.allowed_tools {
+            if let Some(settings) = self.tools_settings.get(allowed_tool.as_str()) {
+                // currently we only have four native tools that offers tool settings
+                match allowed_tool.as_str() {
+                    "fs_read" => {
+                        if let Some(overridden_settings) = FsRead::allowable_field_to_be_overridden(settings) {
+                            queue_permission_override_warning(
+                                allowed_tool.as_str(),
+                                overridden_settings.as_str(),
+                                output,
+                            )?;
+                        }
+                    },
+                    "fs_write" => {
+                        if let Some(overridden_settings) = FsWrite::allowable_field_to_be_overridden(settings) {
+                            queue_permission_override_warning(
+                                allowed_tool.as_str(),
+                                overridden_settings.as_str(),
+                                output,
+                            )?;
+                        }
+                    },
+                    "use_aws" => {
+                        if let Some(overridden_settings) = UseAws::allowable_field_to_be_overridden(settings) {
+                            queue_permission_override_warning(
+                                allowed_tool.as_str(),
+                                overridden_settings.as_str(),
+                                output,
+                            )?;
+                        }
+                    },
+                    name if name == execute_name => {
+                        if let Some(overridden_settings) = ExecuteCommand::allowable_field_to_be_overridden(settings) {
+                            queue_permission_override_warning(
+                                allowed_tool.as_str(),
+                                overridden_settings.as_str(),
+                                output,
+                            )?;
+                        }
+                    },
+                    _ => {},
+                }
+            }
+        }
+
         Ok(())
     }
 
@@ -803,6 +859,28 @@ async fn load_legacy_mcp_config(os: &Os) -> eyre::Result<Option<McpServerConfig>
     })
 }
 
+pub fn queue_permission_override_warning(
+    tool_name: &str,
+    overridden_settings: &str,
+    output: &mut impl Write,
+) -> Result<(), std::io::Error> {
+    Ok(queue!(
+        output,
+        style::SetForegroundColor(Color::Yellow),
+        style::Print("WARN: "),
+        style::ResetColor,
+        style::Print("You have trusted "),
+        style::SetForegroundColor(Color::Green),
+        style::Print(tool_name),
+        style::ResetColor,
+        style::Print(" tool, which overrides the toolsSettings: "),
+        style::SetForegroundColor(Color::Cyan),
+        style::Print(overridden_settings),
+        style::ResetColor,
+        style::Print("\n"),
+    )?)
+}
+
 fn default_schema() -> String {
     "https://raw.githubusercontent.com/aws/amazon-q-developer-cli/refs/heads/main/schemas/agent-v1.json".into()
 }

crates/chat-cli/src/cli/chat/mod.rs

@@ -123,7 +123,10 @@ use util::{
 use winnow::Partial;
 use winnow::stream::Offset;
 
-use super::agent::PermissionEvalResult;
+use super::agent::{
+    DEFAULT_AGENT_NAME,
+    PermissionEvalResult,
+};
 use crate::api_client::model::ToolResultStatus;
 use crate::api_client::{
     self,
@@ -611,7 +614,7 @@ impl ChatSession {
                                 ": cannot resume conversation with {profile} because it no longer exists. Using default.\n"
                             ))
                         )?;
-                        let _ = agents.switch("default");
+                        let _ = agents.switch(DEFAULT_AGENT_NAME);
                     }
                 }
                 cs.agents = agents;
@@ -622,6 +625,10 @@ impl ChatSession {
             false => ConversationState::new(conversation_id, agents, tool_config, tool_manager, model_id, os).await,
         };
 
+        if let Some(agent) = conversation.agents.get_active() {
+            agent.validate_tool_settings(&mut stderr)?;
+        }
+
         // Spawn a task for listening and broadcasting sigints.
         let (ctrlc_tx, ctrlc_rx) = tokio::sync::broadcast::channel(4);
         tokio::spawn(async move {
@@ -1739,6 +1746,12 @@ impl ChatSession {
                             .clone()
                             .unwrap_or(tool_use.name.clone());
                         self.conversation.agents.trust_tools(vec![formatted_tool_name]);
+
+                        if let Some(agent) = self.conversation.agents.get_active() {
+                            agent
+                                .validate_tool_settings(&mut self.stderr)
+                                .map_err(|_e| ChatError::Custom("Failed to validate agent tool settings".into()))?;
+                        }
                     }
                     tool_use.accepted = true;
 

crates/chat-cli/src/cli/chat/tools/execute/mod.rs

@@ -176,6 +176,12 @@ impl ExecuteCommand {
         Ok(())
     }
 
+    pub fn allowable_field_to_be_overridden(settings: &serde_json::Value) -> Option<String> {
+        settings
+            .get("allowedCommands")
+            .map(|value| format!("allowedCommands: {}", value))
+    }
+
     pub fn eval_perm(&self, agent: &Agent) -> PermissionEvalResult {
         #[derive(Debug, Deserialize)]
         #[serde(rename_all = "camelCase")]
@@ -196,7 +202,7 @@ impl ExecuteCommand {
         let tool_name = if cfg!(windows) { "execute_cmd" } else { "execute_bash" };
         let is_in_allowlist = agent.allowed_tools.contains(tool_name);
         match agent.tools_settings.get(tool_name) {
-            Some(settings) if is_in_allowlist => {
+            Some(settings) => {
                 let Settings {
                     allowed_commands,
                     denied_commands,
@@ -220,7 +226,7 @@ impl ExecuteCommand {
                     return PermissionEvalResult::Deny(denied_match_set);
                 }
 
-                if self.requires_acceptance(Some(&allowed_commands), allow_read_only) {
+                if !is_in_allowlist || self.requires_acceptance(Some(&allowed_commands), allow_read_only) {
                     PermissionEvalResult::Ask
                 } else {
                     PermissionEvalResult::Allow
@@ -257,10 +263,7 @@ pub fn format_output(output: &str, max_size: usize) -> String {
 
 #[cfg(test)]
 mod tests {
-    use std::collections::{
-        HashMap,
-        HashSet,
-    };
+    use std::collections::HashMap;
 
     use super::*;
     use crate::cli::agent::ToolSettingTarget;
@@ -402,13 +405,8 @@ mod tests {
     #[test]
     fn test_eval_perm() {
         let tool_name = if cfg!(windows) { "execute_cmd" } else { "execute_bash" };
-        let agent = Agent {
+        let mut agent = Agent {
             name: "test_agent".to_string(),
-            allowed_tools: {
-                let mut allowed_tools = HashSet::<String>::new();
-                allowed_tools.insert(tool_name.to_string());
-                allowed_tools
-            },
             tools_settings: {
                 let mut map = HashMap::<ToolSettingTarget, serde_json::Value>::new();
                 map.insert(
@@ -422,20 +420,32 @@ mod tests {
             ..Default::default()
         };
 
-        let tool = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
+        let tool_one = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
             "command": "git status",
         }))
         .unwrap();
 
-        let res = tool.eval_perm(&agent);
+        let res = tool_one.eval_perm(&agent);
         assert!(matches!(res, PermissionEvalResult::Deny(ref rules) if rules.contains(&"\\Agit .*\\z".to_string())));
 
-        let tool = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
+        let tool_two = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
             "command": "echo hello",
         }))
         .unwrap();
 
-        let res = tool.eval_perm(&agent);
+        let res = tool_two.eval_perm(&agent);
+        assert!(matches!(res, PermissionEvalResult::Ask));
+
+        agent.allowed_tools.insert(tool_name.to_string());
+
+        let res = tool_two.eval_perm(&agent);
+        assert!(matches!(res, PermissionEvalResult::Allow));
+
+        // Denied list should remain denied
+        let res = tool_one.eval_perm(&agent);
+        assert!(matches!(res, PermissionEvalResult::Deny(ref rules) if rules.contains(&"\\Agit .*\\z".to_string())));
+
+        let res = tool_two.eval_perm(&agent);
         assert!(matches!(res, PermissionEvalResult::Allow));
     }
 

crates/chat-cli/src/cli/chat/tools/fs_read.rs

@@ -102,6 +102,12 @@ impl FsRead {
         }
     }
 
+    pub fn allowable_field_to_be_overridden(settings: &serde_json::Value) -> Option<String> {
+        settings
+            .get("allowedPaths")
+            .map(|value| format!("allowedPaths: {}", value))
+    }
+
     pub fn eval_perm(&self, agent: &Agent) -> PermissionEvalResult {
         #[derive(Debug, Deserialize)]
         #[serde(rename_all = "camelCase")]
@@ -120,7 +126,7 @@ impl FsRead {
 
         let is_in_allowlist = agent.allowed_tools.contains("fs_read");
         match agent.tools_settings.get("fs_read") {
-            Some(settings) if is_in_allowlist => {
+            Some(settings) => {
                 let Settings {
                     allowed_paths,
                     denied_paths,
@@ -182,7 +188,7 @@ impl FsRead {
 
                                     // We only want to ask if we are not allowing read only
                                     // operation
-                                    if !allow_read_only && !allow_set.is_match(path) {
+                                    if !is_in_allowlist && !allow_read_only && !allow_set.is_match(path) {
                                         ask = true;
                                     }
                                 },
@@ -203,7 +209,10 @@ impl FsRead {
 
                                     // We only want to ask if we are not allowing read only
                                     // operation
-                                    if !allow_read_only && !paths.iter().any(|path| allow_set.is_match(path)) {
+                                    if !is_in_allowlist
+                                        && !allow_read_only
+                                        && !paths.iter().any(|path| allow_set.is_match(path))
+                                    {
                                         ask = true;
                                     }
                                 },
@@ -838,10 +847,7 @@ fn format_mode(mode: u32) -> [char; 9] {
 
 #[cfg(test)]
 mod tests {
-    use std::collections::{
-        HashMap,
-        HashSet,
-    };
+    use std::collections::HashMap;
 
     use super::*;
     use crate::cli::agent::ToolSettingTarget;
@@ -1381,13 +1387,8 @@ mod tests {
         const DENIED_PATH_ONE: &str = "/some/denied/path";
         const DENIED_PATH_GLOB: &str = "/denied/glob/**/path";
 
-        let agent = Agent {
+        let mut agent = Agent {
             name: "test_agent".to_string(),
-            allowed_tools: {
-                let mut allowed_tools = HashSet::<String>::new();
-                allowed_tools.insert("fs_read".to_string());
-                allowed_tools
-            },
             tools_settings: {
                 let mut map = HashMap::<ToolSettingTarget, serde_json::Value>::new();
                 map.insert(
@@ -1401,7 +1402,7 @@ mod tests {
             ..Default::default()
         };
 
-        let tool = serde_json::from_value::<FsRead>(serde_json::json!({
+        let tool_one = serde_json::from_value::<FsRead>(serde_json::json!({
             "operations": [
                 { "path": DENIED_PATH_ONE, "mode": "Line", "start_line": 1, "end_line": 2 },
                 { "path": "/denied/glob", "mode": "Directory" },
@@ -1412,7 +1413,17 @@ mod tests {
         }))
         .unwrap();
 
-        let res = tool.eval_perm(&agent);
+        let res = tool_one.eval_perm(&agent);
+        assert!(matches!(
+            res,
+            PermissionEvalResult::Deny(ref deny_list)
+                if deny_list.iter().filter(|p| *p == DENIED_PATH_GLOB).collect::<Vec<_>>().len() == 2
+                && deny_list.iter().filter(|p| *p == DENIED_PATH_ONE).collect::<Vec<_>>().len() == 1
+        ));
+
+        agent.allowed_tools.insert("fs_read".to_string());
+
+        let res = tool_one.eval_perm(&agent);
         assert!(matches!(
             res,
             PermissionEvalResult::Deny(ref deny_list)