chore: import upstream snapshot with attribution
CI (OpenClaw E2E) / openclaw test (push) Has been cancelled
CI / coverage-report (push) Has been cancelled
CI / test-kubernetes (push) Has been cancelled
CI / should-run-thorough (push) Has been cancelled
CI / test-thorough (cloudwatch-demo) (push) Has been cancelled
CI / test-thorough (flink-ecs) (push) Has been cancelled
CI / test-thorough (upstream-lambda) (push) Has been cancelled
CI / test-thorough (prefect-ecs-fargate) (push) Has been cancelled
Release / build-binaries (zip, opensre.exe, onefile, windows-latest, windows-x64) (push) Has been cancelled
Benchmark image — build + push to ECR (any adapter) / build + push (push) Has been cancelled
CI / quality (ubuntu-latest) (push) Has been cancelled
CI / test (tools-runtime) (push) Has been cancelled
CI / test (e2e-general) (push) Has been cancelled
CI / test (cli-runtime) (push) Has been cancelled
CI / test (e2e-provider-and-openclaw) (push) Has been cancelled
CI / test (integrations-and-misc) (push) Has been cancelled
Release / verify (push) Has been cancelled
Release / build-python-dist (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-15-intel, darwin-x64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-latest, darwin-arm64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04, linux-x64) (push) Has been cancelled
Release / publish-release (push) Has been cancelled
Release / publish-main-release (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-checks (no-LLM) (push) Has been cancelled
CodeQL / Analyze (python) (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-live shard ${{ matrix.shard_index }} (push) Has been cancelled
Release / prepare (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04-arm, linux-arm64) (push) Has been cancelled
Synthetic Deterministic Tests / Synthetic offline (deterministic) (push) Has been cancelled
CI (OpenClaw E2E) / openclaw test (push) Has been cancelled
CI / coverage-report (push) Has been cancelled
CI / test-kubernetes (push) Has been cancelled
CI / should-run-thorough (push) Has been cancelled
CI / test-thorough (cloudwatch-demo) (push) Has been cancelled
CI / test-thorough (flink-ecs) (push) Has been cancelled
CI / test-thorough (upstream-lambda) (push) Has been cancelled
CI / test-thorough (prefect-ecs-fargate) (push) Has been cancelled
Release / build-binaries (zip, opensre.exe, onefile, windows-latest, windows-x64) (push) Has been cancelled
Benchmark image — build + push to ECR (any adapter) / build + push (push) Has been cancelled
CI / quality (ubuntu-latest) (push) Has been cancelled
CI / test (tools-runtime) (push) Has been cancelled
CI / test (e2e-general) (push) Has been cancelled
CI / test (cli-runtime) (push) Has been cancelled
CI / test (e2e-provider-and-openclaw) (push) Has been cancelled
CI / test (integrations-and-misc) (push) Has been cancelled
Release / verify (push) Has been cancelled
Release / build-python-dist (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-15-intel, darwin-x64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-latest, darwin-arm64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04, linux-x64) (push) Has been cancelled
Release / publish-release (push) Has been cancelled
Release / publish-main-release (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-checks (no-LLM) (push) Has been cancelled
CodeQL / Analyze (python) (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-live shard ${{ matrix.shard_index }} (push) Has been cancelled
Release / prepare (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04-arm, linux-arm64) (push) Has been cancelled
Synthetic Deterministic Tests / Synthetic offline (deterministic) (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,33 @@
|
||||
"""Shared contracts reused across interactive-shell tools.
|
||||
|
||||
This package is the single import path for the cross-tool execution policy:
|
||||
``from tools.interactive_shell.shared import ...``. Tool modules should import
|
||||
the policy contracts and helpers from here rather than from the underlying
|
||||
``execution_policy`` module.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from tools.interactive_shell.shared.execution_policy import (
|
||||
ConfirmationOutcome,
|
||||
ConfirmationPlan,
|
||||
ExecutionPolicyResult,
|
||||
ExecutionVerdict,
|
||||
ToolExecutionMode,
|
||||
ToolExecutionPlan,
|
||||
allow_tool,
|
||||
plan_foreground_tool,
|
||||
resolve_confirmation,
|
||||
)
|
||||
|
||||
__all__ = [
|
||||
"ConfirmationOutcome",
|
||||
"ConfirmationPlan",
|
||||
"ExecutionPolicyResult",
|
||||
"ExecutionVerdict",
|
||||
"ToolExecutionMode",
|
||||
"ToolExecutionPlan",
|
||||
"allow_tool",
|
||||
"plan_foreground_tool",
|
||||
"resolve_confirmation",
|
||||
]
|
||||
@@ -0,0 +1,182 @@
|
||||
"""Central execution policy (allow / ask / deny) for interactive REPL tools.
|
||||
|
||||
Alpha mode: allow everything
|
||||
----------------------------
|
||||
OpenSRE is in **alpha**, and the interactive REPL runs with **no command
|
||||
guardrails** so developer velocity stays high. Every policy decision below
|
||||
resolves to ``allow`` and nothing prompts for confirmation: slash/``opensre``
|
||||
commands (any tier), investigations, synthetic tests, code-agent launches, LLM
|
||||
runtime switches, and shell commands of every kind — read-only, mutating,
|
||||
``restricted`` (``sudo``, ``systemctl``, ``kill``, ``dd`` …), shell operators
|
||||
(``| && ; > <``), and command substitution (`` ` ``/``$(...)``) — all run
|
||||
immediately, in any context (TTY or not, trust mode or not).
|
||||
|
||||
There is intentionally **no shell-command safety policy**: the former
|
||||
read-only / mutating / restricted classification and its deny floor were removed
|
||||
(see ``docs/interactive-shell-action-policy.md``). The only thing shell
|
||||
evaluation still rejects is genuinely empty input (a bare ``!`` or whitespace),
|
||||
which is input validation rather than a guardrail.
|
||||
|
||||
The ``ask`` verdict is retained so that ``trust_mode`` and any future opt-in
|
||||
stricter policy still have a hook, but the policy functions here never emit
|
||||
``ask``. If guardrails are reintroduced after alpha, gate them here at the
|
||||
execution stage (not the planner).
|
||||
|
||||
This module is intentionally **pure**: it has no terminal I/O, no analytics, and
|
||||
no console dependency. The decision is computed by :func:`resolve_confirmation`,
|
||||
and the interaction layer (printing the reason/hint, the ``Proceed? [Y/n]``
|
||||
prompt, and analytics emission) lives in
|
||||
``interactive_shell.ui.execution_confirm.execution_allowed``.
|
||||
|
||||
Shell-specific evaluation (empty-input rejection, ``plan_shell_execution``)
|
||||
lives next to the rest of the shell machinery in
|
||||
``tools.interactive_shell.shell.policy`` and reuses the contracts defined here.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from dataclasses import dataclass
|
||||
from enum import StrEnum
|
||||
from typing import Literal
|
||||
|
||||
ExecutionVerdict = Literal["allow", "ask", "deny"]
|
||||
|
||||
|
||||
class ToolExecutionMode(StrEnum):
|
||||
FOREGROUND = "foreground"
|
||||
BACKGROUND = "background"
|
||||
FOREGROUND_STREAMING = "foreground_streaming"
|
||||
|
||||
|
||||
@dataclass(frozen=True)
|
||||
class ExecutionPolicyResult:
|
||||
"""Result of evaluating whether a tool may run."""
|
||||
|
||||
verdict: ExecutionVerdict
|
||||
tool_type: str
|
||||
reason: str | None
|
||||
hint: str | None = None
|
||||
shell_classification: str | None = None
|
||||
|
||||
|
||||
@dataclass(frozen=True)
|
||||
class ToolExecutionPlan:
|
||||
"""Unified execution plan contract shared across tool executors."""
|
||||
|
||||
tool_type: str
|
||||
classification: str
|
||||
execution_mode: ToolExecutionMode
|
||||
policy: ExecutionPolicyResult
|
||||
|
||||
|
||||
class ConfirmationOutcome(StrEnum):
|
||||
"""Pure decision for how the interaction layer should treat an action."""
|
||||
|
||||
ALLOW = "allow" # proceed, no prompt
|
||||
DENY = "deny" # blocked by policy (show reason + hint)
|
||||
BLOCK_NON_TTY = "block_non_tty" # ask verdict but stdin is not a TTY
|
||||
NEEDS_CONFIRMATION = "needs_confirmation" # prompt the user
|
||||
|
||||
|
||||
@dataclass(frozen=True)
|
||||
class ConfirmationPlan:
|
||||
"""Result of :func:`resolve_confirmation` (side-effect free).
|
||||
|
||||
``analytics_outcome`` / ``analytics_reason`` carry the values the interaction
|
||||
layer should emit for the non-prompt outcomes (ALLOW / DENY / BLOCK_NON_TTY).
|
||||
For ``NEEDS_CONFIRMATION`` the analytics outcome depends on the user's answer
|
||||
and is decided by the interaction layer, so both fields are ``None``.
|
||||
"""
|
||||
|
||||
outcome: ConfirmationOutcome
|
||||
result: ExecutionPolicyResult
|
||||
analytics_outcome: str | None = None
|
||||
analytics_reason: str | None = None
|
||||
|
||||
|
||||
def resolve_confirmation(
|
||||
result: ExecutionPolicyResult,
|
||||
*,
|
||||
trust_mode: bool,
|
||||
is_tty: bool,
|
||||
) -> ConfirmationPlan:
|
||||
"""Resolve a policy result into a confirmation decision, with no side effects.
|
||||
|
||||
Pure function: no console, no ``input``, no analytics. The interaction layer
|
||||
(``interactive_shell.ui.execution_confirm``) renders the decision and emits
|
||||
analytics.
|
||||
"""
|
||||
if result.verdict == "deny":
|
||||
return ConfirmationPlan(
|
||||
outcome=ConfirmationOutcome.DENY,
|
||||
result=result,
|
||||
analytics_outcome="blocked",
|
||||
analytics_reason=result.reason,
|
||||
)
|
||||
|
||||
if result.verdict == "allow":
|
||||
return ConfirmationPlan(
|
||||
outcome=ConfirmationOutcome.ALLOW,
|
||||
result=result,
|
||||
analytics_outcome="allowed",
|
||||
analytics_reason=result.reason,
|
||||
)
|
||||
|
||||
# ask
|
||||
if trust_mode:
|
||||
return ConfirmationPlan(
|
||||
outcome=ConfirmationOutcome.ALLOW,
|
||||
result=result,
|
||||
analytics_outcome="allowed",
|
||||
analytics_reason="trust_mode_skipped_prompt",
|
||||
)
|
||||
|
||||
if not is_tty:
|
||||
return ConfirmationPlan(
|
||||
outcome=ConfirmationOutcome.BLOCK_NON_TTY,
|
||||
result=result,
|
||||
analytics_outcome="blocked",
|
||||
analytics_reason="non_interactive_stdin",
|
||||
)
|
||||
|
||||
return ConfirmationPlan(
|
||||
outcome=ConfirmationOutcome.NEEDS_CONFIRMATION,
|
||||
result=result,
|
||||
)
|
||||
|
||||
|
||||
def allow_tool(tool_type: str) -> ExecutionPolicyResult:
|
||||
"""Default-allow verdict for a tool launch.
|
||||
|
||||
Under alpha the policy never denies a tool launch (slash commands,
|
||||
investigations, synthetic tests, code-agent launches, LLM runtime switches),
|
||||
so every caller resolves to ``allow``. ``tool_type`` is carried through for
|
||||
analytics and confirmation UX.
|
||||
"""
|
||||
return ExecutionPolicyResult(verdict="allow", tool_type=tool_type, reason=None)
|
||||
|
||||
|
||||
def plan_foreground_tool(
|
||||
tool_type: str,
|
||||
classification: str | None = None,
|
||||
) -> ToolExecutionPlan:
|
||||
"""Build a FOREGROUND execution plan around a default-allow verdict."""
|
||||
return ToolExecutionPlan(
|
||||
tool_type=tool_type,
|
||||
classification=classification or tool_type,
|
||||
execution_mode=ToolExecutionMode.FOREGROUND,
|
||||
policy=allow_tool(tool_type),
|
||||
)
|
||||
|
||||
|
||||
__all__ = [
|
||||
"ConfirmationOutcome",
|
||||
"ConfirmationPlan",
|
||||
"ExecutionPolicyResult",
|
||||
"ExecutionVerdict",
|
||||
"ToolExecutionMode",
|
||||
"ToolExecutionPlan",
|
||||
"allow_tool",
|
||||
"plan_foreground_tool",
|
||||
"resolve_confirmation",
|
||||
]
|
||||
@@ -0,0 +1,131 @@
|
||||
"""Shared launch flow for investigation-style tools.
|
||||
|
||||
``investigation_start`` (free-text) and ``alert_sample`` (template) share the
|
||||
same shape: gate through the execution policy, announce, run in the background or
|
||||
foreground, and record the outcome. This helper holds that flow once; each tool
|
||||
supplies only the parts that differ (the run callable, the background launcher,
|
||||
and the display/record strings).
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from collections.abc import Callable
|
||||
from dataclasses import dataclass
|
||||
from typing import Literal, Protocol, runtime_checkable
|
||||
|
||||
from rich.console import Console
|
||||
from rich.markup import escape
|
||||
|
||||
from core.agent_harness.session.terminal_access import background_mode_enabled
|
||||
from platform.common.task_types import TaskRecord
|
||||
from surfaces.interactive_shell.session import Session
|
||||
from tools.interactive_shell.shared.execution_policy import (
|
||||
ExecutionPolicyResult,
|
||||
plan_foreground_tool,
|
||||
)
|
||||
|
||||
ForegroundInvestigationStatus = Literal["completed", "failed", "cancelled"]
|
||||
|
||||
|
||||
@dataclass(frozen=True)
|
||||
class ForegroundInvestigationResult:
|
||||
"""Minimal foreground investigation outcome for launch gating."""
|
||||
|
||||
status: ForegroundInvestigationStatus
|
||||
|
||||
|
||||
@runtime_checkable
|
||||
class InvestigationLaunchPorts(Protocol):
|
||||
"""Surface-specific hooks for gating and foreground investigation UX."""
|
||||
|
||||
def execution_allowed(
|
||||
self,
|
||||
*,
|
||||
policy: ExecutionPolicyResult,
|
||||
session: Session,
|
||||
console: Console,
|
||||
action_summary: str,
|
||||
confirm_fn: Callable[[str], str] | None,
|
||||
is_tty: bool | None,
|
||||
action_already_listed: bool,
|
||||
) -> bool:
|
||||
raise NotImplementedError
|
||||
|
||||
def run_foreground_investigation(
|
||||
self,
|
||||
*,
|
||||
session: Session,
|
||||
console: Console,
|
||||
task_command: str,
|
||||
run: Callable[[TaskRecord], dict[str, object]],
|
||||
exception_context: str,
|
||||
target: str,
|
||||
) -> ForegroundInvestigationResult:
|
||||
raise NotImplementedError
|
||||
|
||||
|
||||
def launch_investigation(
|
||||
*,
|
||||
session: Session,
|
||||
console: Console,
|
||||
ports: InvestigationLaunchPorts,
|
||||
tool_type: str,
|
||||
action_summary: str,
|
||||
announce_label: str,
|
||||
announce_value: str,
|
||||
record_value: str,
|
||||
foreground_task_command: str,
|
||||
exception_context: str,
|
||||
run: Callable[[TaskRecord], dict[str, object]],
|
||||
start_background: Callable[[], None],
|
||||
confirm_fn: Callable[[str], str] | None = None,
|
||||
is_tty: bool | None = None,
|
||||
action_already_listed: bool = False,
|
||||
) -> None:
|
||||
"""Gate, announce, and run an investigation-style tool, recording the outcome.
|
||||
|
||||
Every outcome is recorded on the ``alert`` channel keyed by ``record_value``.
|
||||
"""
|
||||
plan = plan_foreground_tool(tool_type, "investigation_launch")
|
||||
if not ports.execution_allowed(
|
||||
policy=plan.policy,
|
||||
session=session,
|
||||
console=console,
|
||||
action_summary=action_summary,
|
||||
confirm_fn=confirm_fn,
|
||||
is_tty=is_tty,
|
||||
action_already_listed=action_already_listed,
|
||||
):
|
||||
session.record("alert", record_value, ok=False)
|
||||
return
|
||||
|
||||
console.print(f"[bold]{announce_label}:[/bold] {escape(announce_value)}")
|
||||
|
||||
if background_mode_enabled(session):
|
||||
start_background()
|
||||
session.record("alert", record_value)
|
||||
return
|
||||
|
||||
if (
|
||||
ports.run_foreground_investigation(
|
||||
session=session,
|
||||
console=console,
|
||||
task_command=foreground_task_command,
|
||||
run=run,
|
||||
exception_context=exception_context,
|
||||
target=record_value,
|
||||
).status
|
||||
!= "completed"
|
||||
):
|
||||
session.record("alert", record_value, ok=False)
|
||||
return
|
||||
|
||||
session.record("alert", record_value)
|
||||
|
||||
|
||||
__all__ = [
|
||||
"ForegroundInvestigationResult",
|
||||
"InvestigationLaunchPorts",
|
||||
"Session",
|
||||
"launch_investigation",
|
||||
]
|
||||
Reference in New Issue
Block a user