chore: import upstream snapshot with attribution
CI (OpenClaw E2E) / openclaw test (push) Has been cancelled
CI / coverage-report (push) Has been cancelled
CI / test-kubernetes (push) Has been cancelled
CI / should-run-thorough (push) Has been cancelled
CI / test-thorough (cloudwatch-demo) (push) Has been cancelled
CI / test-thorough (flink-ecs) (push) Has been cancelled
CI / test-thorough (upstream-lambda) (push) Has been cancelled
CI / test-thorough (prefect-ecs-fargate) (push) Has been cancelled
Release / build-binaries (zip, opensre.exe, onefile, windows-latest, windows-x64) (push) Has been cancelled
Benchmark image — build + push to ECR (any adapter) / build + push (push) Has been cancelled
CI / quality (ubuntu-latest) (push) Has been cancelled
CI / test (tools-runtime) (push) Has been cancelled
CI / test (e2e-general) (push) Has been cancelled
CI / test (cli-runtime) (push) Has been cancelled
CI / test (e2e-provider-and-openclaw) (push) Has been cancelled
CI / test (integrations-and-misc) (push) Has been cancelled
Release / verify (push) Has been cancelled
Release / build-python-dist (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-15-intel, darwin-x64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-latest, darwin-arm64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04, linux-x64) (push) Has been cancelled
Release / publish-release (push) Has been cancelled
Release / publish-main-release (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-checks (no-LLM) (push) Has been cancelled
CodeQL / Analyze (python) (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-live shard ${{ matrix.shard_index }} (push) Has been cancelled
Release / prepare (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04-arm, linux-arm64) (push) Has been cancelled
Synthetic Deterministic Tests / Synthetic offline (deterministic) (push) Has been cancelled

This commit is contained in:
wehub-resource-sync
2026-07-13 13:10:45 +08:00
commit 4b6817381b
3933 changed files with 525247 additions and 0 deletions
@@ -0,0 +1,33 @@
"""Shared contracts reused across interactive-shell tools.
This package is the single import path for the cross-tool execution policy:
``from tools.interactive_shell.shared import ...``. Tool modules should import
the policy contracts and helpers from here rather than from the underlying
``execution_policy`` module.
"""
from __future__ import annotations
from tools.interactive_shell.shared.execution_policy import (
ConfirmationOutcome,
ConfirmationPlan,
ExecutionPolicyResult,
ExecutionVerdict,
ToolExecutionMode,
ToolExecutionPlan,
allow_tool,
plan_foreground_tool,
resolve_confirmation,
)
__all__ = [
"ConfirmationOutcome",
"ConfirmationPlan",
"ExecutionPolicyResult",
"ExecutionVerdict",
"ToolExecutionMode",
"ToolExecutionPlan",
"allow_tool",
"plan_foreground_tool",
"resolve_confirmation",
]
@@ -0,0 +1,182 @@
"""Central execution policy (allow / ask / deny) for interactive REPL tools.
Alpha mode: allow everything
----------------------------
OpenSRE is in **alpha**, and the interactive REPL runs with **no command
guardrails** so developer velocity stays high. Every policy decision below
resolves to ``allow`` and nothing prompts for confirmation: slash/``opensre``
commands (any tier), investigations, synthetic tests, code-agent launches, LLM
runtime switches, and shell commands of every kind — read-only, mutating,
``restricted`` (``sudo``, ``systemctl``, ``kill``, ``dd`` …), shell operators
(``| && ; > <``), and command substitution (`` ` ``/``$(...)``) — all run
immediately, in any context (TTY or not, trust mode or not).
There is intentionally **no shell-command safety policy**: the former
read-only / mutating / restricted classification and its deny floor were removed
(see ``docs/interactive-shell-action-policy.md``). The only thing shell
evaluation still rejects is genuinely empty input (a bare ``!`` or whitespace),
which is input validation rather than a guardrail.
The ``ask`` verdict is retained so that ``trust_mode`` and any future opt-in
stricter policy still have a hook, but the policy functions here never emit
``ask``. If guardrails are reintroduced after alpha, gate them here at the
execution stage (not the planner).
This module is intentionally **pure**: it has no terminal I/O, no analytics, and
no console dependency. The decision is computed by :func:`resolve_confirmation`,
and the interaction layer (printing the reason/hint, the ``Proceed? [Y/n]``
prompt, and analytics emission) lives in
``interactive_shell.ui.execution_confirm.execution_allowed``.
Shell-specific evaluation (empty-input rejection, ``plan_shell_execution``)
lives next to the rest of the shell machinery in
``tools.interactive_shell.shell.policy`` and reuses the contracts defined here.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import StrEnum
from typing import Literal
ExecutionVerdict = Literal["allow", "ask", "deny"]
class ToolExecutionMode(StrEnum):
FOREGROUND = "foreground"
BACKGROUND = "background"
FOREGROUND_STREAMING = "foreground_streaming"
@dataclass(frozen=True)
class ExecutionPolicyResult:
"""Result of evaluating whether a tool may run."""
verdict: ExecutionVerdict
tool_type: str
reason: str | None
hint: str | None = None
shell_classification: str | None = None
@dataclass(frozen=True)
class ToolExecutionPlan:
"""Unified execution plan contract shared across tool executors."""
tool_type: str
classification: str
execution_mode: ToolExecutionMode
policy: ExecutionPolicyResult
class ConfirmationOutcome(StrEnum):
"""Pure decision for how the interaction layer should treat an action."""
ALLOW = "allow" # proceed, no prompt
DENY = "deny" # blocked by policy (show reason + hint)
BLOCK_NON_TTY = "block_non_tty" # ask verdict but stdin is not a TTY
NEEDS_CONFIRMATION = "needs_confirmation" # prompt the user
@dataclass(frozen=True)
class ConfirmationPlan:
"""Result of :func:`resolve_confirmation` (side-effect free).
``analytics_outcome`` / ``analytics_reason`` carry the values the interaction
layer should emit for the non-prompt outcomes (ALLOW / DENY / BLOCK_NON_TTY).
For ``NEEDS_CONFIRMATION`` the analytics outcome depends on the user's answer
and is decided by the interaction layer, so both fields are ``None``.
"""
outcome: ConfirmationOutcome
result: ExecutionPolicyResult
analytics_outcome: str | None = None
analytics_reason: str | None = None
def resolve_confirmation(
result: ExecutionPolicyResult,
*,
trust_mode: bool,
is_tty: bool,
) -> ConfirmationPlan:
"""Resolve a policy result into a confirmation decision, with no side effects.
Pure function: no console, no ``input``, no analytics. The interaction layer
(``interactive_shell.ui.execution_confirm``) renders the decision and emits
analytics.
"""
if result.verdict == "deny":
return ConfirmationPlan(
outcome=ConfirmationOutcome.DENY,
result=result,
analytics_outcome="blocked",
analytics_reason=result.reason,
)
if result.verdict == "allow":
return ConfirmationPlan(
outcome=ConfirmationOutcome.ALLOW,
result=result,
analytics_outcome="allowed",
analytics_reason=result.reason,
)
# ask
if trust_mode:
return ConfirmationPlan(
outcome=ConfirmationOutcome.ALLOW,
result=result,
analytics_outcome="allowed",
analytics_reason="trust_mode_skipped_prompt",
)
if not is_tty:
return ConfirmationPlan(
outcome=ConfirmationOutcome.BLOCK_NON_TTY,
result=result,
analytics_outcome="blocked",
analytics_reason="non_interactive_stdin",
)
return ConfirmationPlan(
outcome=ConfirmationOutcome.NEEDS_CONFIRMATION,
result=result,
)
def allow_tool(tool_type: str) -> ExecutionPolicyResult:
"""Default-allow verdict for a tool launch.
Under alpha the policy never denies a tool launch (slash commands,
investigations, synthetic tests, code-agent launches, LLM runtime switches),
so every caller resolves to ``allow``. ``tool_type`` is carried through for
analytics and confirmation UX.
"""
return ExecutionPolicyResult(verdict="allow", tool_type=tool_type, reason=None)
def plan_foreground_tool(
tool_type: str,
classification: str | None = None,
) -> ToolExecutionPlan:
"""Build a FOREGROUND execution plan around a default-allow verdict."""
return ToolExecutionPlan(
tool_type=tool_type,
classification=classification or tool_type,
execution_mode=ToolExecutionMode.FOREGROUND,
policy=allow_tool(tool_type),
)
__all__ = [
"ConfirmationOutcome",
"ConfirmationPlan",
"ExecutionPolicyResult",
"ExecutionVerdict",
"ToolExecutionMode",
"ToolExecutionPlan",
"allow_tool",
"plan_foreground_tool",
"resolve_confirmation",
]
@@ -0,0 +1,131 @@
"""Shared launch flow for investigation-style tools.
``investigation_start`` (free-text) and ``alert_sample`` (template) share the
same shape: gate through the execution policy, announce, run in the background or
foreground, and record the outcome. This helper holds that flow once; each tool
supplies only the parts that differ (the run callable, the background launcher,
and the display/record strings).
"""
from __future__ import annotations
from collections.abc import Callable
from dataclasses import dataclass
from typing import Literal, Protocol, runtime_checkable
from rich.console import Console
from rich.markup import escape
from core.agent_harness.session.terminal_access import background_mode_enabled
from platform.common.task_types import TaskRecord
from surfaces.interactive_shell.session import Session
from tools.interactive_shell.shared.execution_policy import (
ExecutionPolicyResult,
plan_foreground_tool,
)
ForegroundInvestigationStatus = Literal["completed", "failed", "cancelled"]
@dataclass(frozen=True)
class ForegroundInvestigationResult:
"""Minimal foreground investigation outcome for launch gating."""
status: ForegroundInvestigationStatus
@runtime_checkable
class InvestigationLaunchPorts(Protocol):
"""Surface-specific hooks for gating and foreground investigation UX."""
def execution_allowed(
self,
*,
policy: ExecutionPolicyResult,
session: Session,
console: Console,
action_summary: str,
confirm_fn: Callable[[str], str] | None,
is_tty: bool | None,
action_already_listed: bool,
) -> bool:
raise NotImplementedError
def run_foreground_investigation(
self,
*,
session: Session,
console: Console,
task_command: str,
run: Callable[[TaskRecord], dict[str, object]],
exception_context: str,
target: str,
) -> ForegroundInvestigationResult:
raise NotImplementedError
def launch_investigation(
*,
session: Session,
console: Console,
ports: InvestigationLaunchPorts,
tool_type: str,
action_summary: str,
announce_label: str,
announce_value: str,
record_value: str,
foreground_task_command: str,
exception_context: str,
run: Callable[[TaskRecord], dict[str, object]],
start_background: Callable[[], None],
confirm_fn: Callable[[str], str] | None = None,
is_tty: bool | None = None,
action_already_listed: bool = False,
) -> None:
"""Gate, announce, and run an investigation-style tool, recording the outcome.
Every outcome is recorded on the ``alert`` channel keyed by ``record_value``.
"""
plan = plan_foreground_tool(tool_type, "investigation_launch")
if not ports.execution_allowed(
policy=plan.policy,
session=session,
console=console,
action_summary=action_summary,
confirm_fn=confirm_fn,
is_tty=is_tty,
action_already_listed=action_already_listed,
):
session.record("alert", record_value, ok=False)
return
console.print(f"[bold]{announce_label}:[/bold] {escape(announce_value)}")
if background_mode_enabled(session):
start_background()
session.record("alert", record_value)
return
if (
ports.run_foreground_investigation(
session=session,
console=console,
task_command=foreground_task_command,
run=run,
exception_context=exception_context,
target=record_value,
).status
!= "completed"
):
session.record("alert", record_value, ok=False)
return
session.record("alert", record_value)
__all__ = [
"ForegroundInvestigationResult",
"InvestigationLaunchPorts",
"Session",
"launch_investigation",
]