feat: Implement wildcard pattern matching for agent allowedTools (#2612)

- Add globset-based pattern matching to support wildcards (* and ?) in allowedTools
- Create util/pattern_matching.rs module with matches_any_pattern function
- Update all native tools (fs_read, fs_write, execute_bash, use_aws, knowledge) to use pattern matching
- Update MCP custom tools to support wildcard patterns while preserving exact server-level matching
- Standardize imports across tool files for consistency
- Maintain backward compatibility with existing exact-match behavior

Enables agent configs like:
- "fs_*" matches fs_read, fs_write
- "@mcp-server/tool_*" matches tool_read, tool_write
- "execute_*" matches execute_bash, execute_cmd

Author: abhraina-aws

crates/chat-cli/src/cli/agent/mod.rs

@@ -693,18 +693,31 @@ impl Agents {
 
     /// Returns a label to describe the permission status for a given tool.
     pub fn display_label(&self, tool_name: &str, origin: &ToolOrigin) -> String {
+        use crate::util::pattern_matching::matches_any_pattern;
+        
         let tool_trusted = self.get_active().is_some_and(|a| {
+            if matches!(origin, &ToolOrigin::Native) {
+                return matches_any_pattern(&a.allowed_tools, tool_name);
+            }
+            
             a.allowed_tools.iter().any(|name| {
-                // Here the tool names can take the following forms:
-                // - @{server_name}{delimiter}{tool_name}
-                // - native_tool_name
-                name == tool_name && matches!(origin, &ToolOrigin::Native)
-                    || name.strip_prefix("@").is_some_and(|remainder| {
-                        remainder
-                            .split_once(MCP_SERVER_TOOL_DELIMITER)
-                            .is_some_and(|(_left, right)| right == tool_name)
-                            || remainder == <ToolOrigin as Borrow<str>>::borrow(origin)
-                    })
+                name.strip_prefix("@").is_some_and(|remainder| {
+                    remainder
+                        .split_once(MCP_SERVER_TOOL_DELIMITER)
+                        .is_some_and(|(_left, right)| right == tool_name)
+                        || remainder == <ToolOrigin as Borrow<str>>::borrow(origin)
+                }) || {
+                    if let Some(server_name) = name.strip_prefix("@").and_then(|s| s.split('/').next()) {
+                        if server_name == <ToolOrigin as Borrow<str>>::borrow(origin) {
+                            let tool_pattern = format!("@{}/{}", server_name, tool_name);
+                            matches_any_pattern(&a.allowed_tools, &tool_pattern)
+                        } else {
+                            false
+                        }
+                    } else {
+                        false
+                    }
+                }
             })
         });
 
@@ -942,4 +955,108 @@ mod tests {
         assert!(validate_agent_name("invalid!").is_err());
         assert!(validate_agent_name("invalid space").is_err());
     }
+
+    #[test]
+    fn test_display_label_no_active_agent() {
+        let agents = Agents::default();
+        
+        let label = agents.display_label("fs_read", &ToolOrigin::Native);
+        // With no active agent, it should fall back to default permissions
+        // fs_read has a default of "trusted"
+        assert!(label.contains("trusted"), "fs_read should show default trusted permission, instead found: {}", label);
+    }
+
+    #[test]
+    fn test_display_label_trust_all_tools() {
+        let mut agents = Agents::default();
+        agents.trust_all_tools = true;
+        
+        // Should be trusted even if not in allowed_tools
+        let label = agents.display_label("random_tool", &ToolOrigin::Native);
+        assert!(label.contains("trusted"), "trust_all_tools should make everything trusted, instead found: {}", label);
+    }
+
+    #[test]
+    fn test_display_label_default_permissions() {
+        let agents = Agents::default();
+        
+        // Test default permissions for known tools
+        let fs_read_label = agents.display_label("fs_read", &ToolOrigin::Native);
+        assert!(fs_read_label.contains("trusted"), "fs_read should be trusted by default, instead found: {}", fs_read_label);
+        
+        let fs_write_label = agents.display_label("fs_write", &ToolOrigin::Native);
+        assert!(fs_write_label.contains("not trusted"), "fs_write should not be trusted by default, instead found: {}", fs_write_label);
+        
+        let execute_bash_label = agents.display_label("execute_bash", &ToolOrigin::Native);
+        assert!(execute_bash_label.contains("read-only"), "execute_bash should show read-only by default, instead found: {}", execute_bash_label);
+    }
+
+    #[test]
+    fn test_display_label_comprehensive_patterns() {
+        let mut agents = Agents::default();
+        
+        // Create agent with all types of patterns
+        let mut allowed_tools = HashSet::new();
+        // Native exact match
+        allowed_tools.insert("fs_read".to_string());
+        // Native wildcard
+        allowed_tools.insert("execute_*".to_string());
+        // MCP server exact (allows all tools from that server)
+        allowed_tools.insert("@server1".to_string());
+        // MCP tool exact
+        allowed_tools.insert("@server2/specific_tool".to_string());
+        // MCP tool wildcard
+        allowed_tools.insert("@server3/tool_*".to_string());
+        
+        let agent = Agent {
+            schema: "test".to_string(),
+            name: "test-agent".to_string(),
+            description: None,
+            prompt: None,
+            mcp_servers: Default::default(),
+            tools: Vec::new(),
+            tool_aliases: Default::default(),
+            allowed_tools,
+            tools_settings: Default::default(),
+            resources: Vec::new(),
+            hooks: Default::default(),
+            use_legacy_mcp_json: false,
+            path: None,
+        };
+        
+        agents.agents.insert("test-agent".to_string(), agent);
+        agents.active_idx = "test-agent".to_string();
+        
+        // Test 1: Native exact match
+        let label = agents.display_label("fs_read", &ToolOrigin::Native);
+        assert!(label.contains("trusted"), "fs_read should be trusted (exact match), instead found: {}", label);
+        
+        // Test 2: Native wildcard match
+        let label = agents.display_label("execute_bash", &ToolOrigin::Native);
+        assert!(label.contains("trusted"), "execute_bash should match execute_* pattern, instead found: {}", label);
+        
+        // Test 3: Native no match
+        let label = agents.display_label("fs_write", &ToolOrigin::Native);
+        assert!(!label.contains("trusted") || label.contains("not trusted"), "fs_write should not be trusted, instead found: {}", label);
+        
+        // Test 4: MCP server exact match (allows any tool from server1)
+        let label = agents.display_label("any_tool", &ToolOrigin::McpServer("server1".to_string()));
+        assert!(label.contains("trusted"), "Server-level permission should allow any tool, instead found: {}", label);
+        
+        // Test 5: MCP tool exact match
+        let label = agents.display_label("specific_tool", &ToolOrigin::McpServer("server2".to_string()));
+        assert!(label.contains("trusted"), "Exact MCP tool should be trusted, instead found: {}", label);
+        
+        // Test 6: MCP tool wildcard match
+        let label = agents.display_label("tool_read", &ToolOrigin::McpServer("server3".to_string()));
+        assert!(label.contains("trusted"), "tool_read should match @server3/tool_* pattern, instead found: {}", label);
+        
+        // Test 7: MCP tool no match
+        let label = agents.display_label("other_tool", &ToolOrigin::McpServer("server2".to_string()));
+        assert!(!label.contains("trusted") || label.contains("not trusted"), "Non-matching MCP tool should not be trusted, instead found: {}", label);
+        
+        // Test 8: MCP server no match
+        let label = agents.display_label("some_tool", &ToolOrigin::McpServer("unknown_server".to_string()));
+        assert!(!label.contains("trusted") || label.contains("not trusted"), "Unknown server should not be trusted, instead found: {}", label);
+    }
 }

crates/chat-cli/src/cli/chat/conversation.rs

@@ -135,6 +135,7 @@ impl ConversationState {
         current_model_id: Option<String>,
         os: &Os,
     ) -> Self {
+
         let model = if let Some(model_id) = current_model_id {
             match get_model_info(&model_id, os).await {
                 Ok(info) => Some(info),
@@ -1278,4 +1279,5 @@ mod tests {
             conversation.set_next_user_message(i.to_string()).await;
         }
     }
+
 }

crates/chat-cli/src/cli/chat/tools/custom_tool.rs

@@ -35,6 +35,8 @@ use crate::mcp_client::{
     ToolCallResult,
 };
 use crate::os::Os;
+use crate::util::pattern_matching::matches_any_pattern;
+use crate::util::MCP_SERVER_TOOL_DELIMITER;
 
 // TODO: support http transport type
 #[derive(Clone, Serialize, Deserialize, Debug, Eq, PartialEq, JsonSchema)]
@@ -274,23 +276,24 @@ impl CustomTool {
     }
 
     pub fn eval_perm(&self, agent: &Agent) -> PermissionEvalResult {
-        use crate::util::MCP_SERVER_TOOL_DELIMITER;
         let Self {
             name: tool_name,
             client,
             ..
         } = self;
         let server_name = client.get_server_name();
 
-        if agent.allowed_tools.contains(&format!("@{server_name}"))
-            || agent
-                .allowed_tools
-                .contains(&format!("@{server_name}{MCP_SERVER_TOOL_DELIMITER}{tool_name}"))
-        {
-            PermissionEvalResult::Allow
-        } else {
-            PermissionEvalResult::Ask
+        let server_pattern = format!("@{server_name}");
+        if agent.allowed_tools.contains(&server_pattern) {
+            return PermissionEvalResult::Allow;
+        }
+
+        let tool_pattern = format!("@{server_name}{MCP_SERVER_TOOL_DELIMITER}{tool_name}");
+        if matches_any_pattern(&agent.allowed_tools, &tool_pattern) {
+            return PermissionEvalResult::Allow;
         }
+
+        PermissionEvalResult::Ask
     }
 }
 

crates/chat-cli/src/cli/chat/tools/execute/mod.rs

@@ -23,6 +23,7 @@ use crate::cli::chat::tools::{
 };
 use crate::cli::chat::util::truncate_safe;
 use crate::os::Os;
+use crate::util::pattern_matching::matches_any_pattern;
 
 // Platform-specific modules
 #[cfg(windows)]
@@ -204,7 +205,7 @@ impl ExecuteCommand {
 
         let Self { command, .. } = self;
         let tool_name = if cfg!(windows) { "execute_cmd" } else { "execute_bash" };
-        let is_in_allowlist = agent.allowed_tools.contains(tool_name);
+        let is_in_allowlist = matches_any_pattern(&agent.allowed_tools, tool_name);
         match agent.tools_settings.get(tool_name) {
             Some(settings) if is_in_allowlist => {
                 let Settings {

crates/chat-cli/src/cli/chat/tools/fs_read.rs

@@ -48,6 +48,7 @@ use crate::cli::chat::{
     sanitize_unicode_tags,
 };
 use crate::os::Os;
+use crate::util::pattern_matching::matches_any_pattern;
 
 #[derive(Debug, Clone, Deserialize)]
 pub struct FsRead {
@@ -118,7 +119,7 @@ impl FsRead {
             true
         }
 
-        let is_in_allowlist = agent.allowed_tools.contains("fs_read");
+        let is_in_allowlist = matches_any_pattern(&agent.allowed_tools, "fs_read");
         match agent.tools_settings.get("fs_read") {
             Some(settings) if is_in_allowlist => {
                 let Settings {

crates/chat-cli/src/cli/chat/tools/fs_write.rs

@@ -47,6 +47,7 @@ use crate::cli::agent::{
 };
 use crate::cli::chat::line_tracker::FileLineTracker;
 use crate::os::Os;
+use crate::util::pattern_matching::matches_any_pattern;
 
 static SYNTAX_SET: LazyLock<SyntaxSet> = LazyLock::new(SyntaxSet::load_defaults_newlines);
 static THEME_SET: LazyLock<ThemeSet> = LazyLock::new(ThemeSet::load_defaults);
@@ -425,7 +426,7 @@ impl FsWrite {
             denied_paths: Vec<String>,
         }
 
-        let is_in_allowlist = agent.allowed_tools.contains("fs_write");
+        let is_in_allowlist = matches_any_pattern(&agent.allowed_tools, "fs_write");
         match agent.tools_settings.get("fs_write") {
             Some(settings) if is_in_allowlist => {
                 let Settings {

crates/chat-cli/src/cli/chat/tools/knowledge.rs

@@ -19,6 +19,7 @@ use crate::cli::agent::{
 };
 use crate::database::settings::Setting;
 use crate::os::Os;
+use crate::util::pattern_matching::matches_any_pattern;
 use crate::util::knowledge_store::KnowledgeStore;
 
 /// The Knowledge tool allows storing and retrieving information across chat sessions.
@@ -490,7 +491,7 @@ impl Knowledge {
 
     pub fn eval_perm(&self, agent: &Agent) -> PermissionEvalResult {
         _ = self;
-        if agent.allowed_tools.contains("knowledge") {
+        if matches_any_pattern(&agent.allowed_tools, "knowledge") {
             PermissionEvalResult::Allow
         } else {
             PermissionEvalResult::Ask

crates/chat-cli/src/cli/chat/tools/use_aws.rs

@@ -29,6 +29,7 @@ use crate::cli::agent::{
     PermissionEvalResult,
 };
 use crate::os::Os;
+use crate::util::pattern_matching::matches_any_pattern;
 
 const READONLY_OPS: [&str; 6] = ["get", "describe", "list", "ls", "search", "batch_get"];
 
@@ -184,7 +185,7 @@ impl UseAws {
         }
 
         let Self { service_name, .. } = self;
-        let is_in_allowlist = agent.allowed_tools.contains("use_aws");
+        let is_in_allowlist = matches_any_pattern(&agent.allowed_tools, "use_aws");
         match agent.tools_settings.get("use_aws") {
             Some(settings) if is_in_allowlist => {
                 let settings = match serde_json::from_value::<Settings>(settings.clone()) {

crates/chat-cli/src/util/mod.rs

@@ -2,6 +2,7 @@ pub mod consts;
 pub mod directories;
 pub mod knowledge_store;
 pub mod open;
+pub mod pattern_matching;
 pub mod process;
 pub mod spinner;
 pub mod system_info;

crates/chat-cli/src/util/pattern_matching.rs

@@ -0,0 +1,65 @@
+use std::collections::HashSet;
+use globset::Glob;
+
+/// Check if a string matches any pattern in a set of patterns
+pub fn matches_any_pattern(patterns: &HashSet<String>, text: &str) -> bool {
+    patterns.iter().any(|pattern| {
+        // Exact match first
+        if pattern == text {
+            return true;
+        }
+        
+        // Glob pattern match if contains wildcards
+        if pattern.contains('*') || pattern.contains('?') {
+            if let Ok(glob) = Glob::new(pattern) {
+                return glob.compile_matcher().is_match(text);
+            }
+        }
+        
+        false
+    })
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::collections::HashSet;
+
+    #[test]
+    fn test_exact_match() {
+        let mut patterns = HashSet::new();
+        patterns.insert("fs_read".to_string());
+        
+        assert!(matches_any_pattern(&patterns, "fs_read"));
+        assert!(!matches_any_pattern(&patterns, "fs_write"));
+    }
+
+    #[test]
+    fn test_wildcard_patterns() {
+        let mut patterns = HashSet::new();
+        patterns.insert("fs_*".to_string());
+        
+        assert!(matches_any_pattern(&patterns, "fs_read"));
+        assert!(matches_any_pattern(&patterns, "fs_write"));
+        assert!(!matches_any_pattern(&patterns, "execute_bash"));
+    }
+
+    #[test]
+    fn test_mcp_patterns() {
+        let mut patterns = HashSet::new();
+        patterns.insert("@mcp-server/*".to_string());
+        
+        assert!(matches_any_pattern(&patterns, "@mcp-server/tool1"));
+        assert!(matches_any_pattern(&patterns, "@mcp-server/tool2"));
+        assert!(!matches_any_pattern(&patterns, "@other-server/tool"));
+    }
+
+    #[test]
+    fn test_question_mark_wildcard() {
+        let mut patterns = HashSet::new();
+        patterns.insert("fs_?ead".to_string());
+        
+        assert!(matches_any_pattern(&patterns, "fs_read"));
+        assert!(!matches_any_pattern(&patterns, "fs_write"));
+    }
+}