odium/claw-code-parity
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Restore prompt-approved tool execution in CLI parity runs

Browse source 
ConversationRuntime already performs permission-policy checks and interactive approvals before dispatching a tool. The CLI tool executor was routing those same tool calls back through GlobalToolRegistry::execute, which re-ran the enforcer without a prompter and flipped approved bash calls back into denials.

Add a preauthorized execution path for runtime-dispatched tools, keep registry enforcement for direct callers, and format the files that were already tripping rustfmt on main.

Constraint: CI on main was failing both cargo fmt and the mock parity harness after permission enforcement landed
Rejected: Remove registry enforcement globally | would reopen direct-dispatch permission gaps
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Use execute_preauthorized only after ConversationRuntime or an equivalent caller has already completed permission gating
Tested: cargo fmt --all --check; cargo test -p rusty-claude-cli; cargo test -p tools
Not-tested: Full workspace test matrix beyond the Rust CI workflow targets
This commit is contained in:
Yeachan-Heo 2026-04-03 09:32:29 +00:00
parent 618a79a9f4
commit bf59abc9e9
3 changed files with 60 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
rust/crates/runtime/src/mcp_tool_bridge.rs
View file

@ -191,7 +191,10 @@ impl McpToolRegistry {
let mut manager = manager let mut manager = manager
.lock() .lock()
.map_err(|_| "mcp server manager lock poisoned".to_string())?; .map_err(|_| "mcp server manager lock poisoned".to_string())?;
manager.discover_tools().await.map_err(|error| error.to_string())?; manager
.discover_tools()
.await
.map_err(|error| error.to_string())?;
let response = manager let response = manager
.call_tool(&qualified_tool_name, arguments) .call_tool(&qualified_tool_name, arguments)
.await .await
@ -834,7 +837,9 @@ mod tests {
None, None,
); );
registry registry
.set_manager(Arc::new(Mutex::new(McpServerManager::from_servers(&servers)))) .set_manager(Arc::new(Mutex::new(McpServerManager::from_servers(
&servers,
))))
.expect("manager should only be set once"); .expect("manager should only be set once");
let result = registry let result = registry

5
rust/crates/rusty-claude-cli/src/main.rs
View file

@ -40,8 +40,7 @@ use plugins::{PluginHooks, PluginManager, PluginManagerConfig, PluginRegistry};
use render::{MarkdownStreamState, Spinner, TerminalRenderer}; use render::{MarkdownStreamState, Spinner, TerminalRenderer};
use runtime::{ use runtime::{
clear_oauth_credentials, generate_pkce_pair, generate_state, load_system_prompt, clear_oauth_credentials, generate_pkce_pair, generate_state, load_system_prompt,
parse_oauth_callback_request_target, parse_oauth_callback_request_target, permission_enforcer::PermissionEnforcer,
permission_enforcer::PermissionEnforcer,
resolve_sandbox_status, save_oauth_credentials, ApiClient, ApiRequest, AssistantEvent, resolve_sandbox_status, save_oauth_credentials, ApiClient, ApiRequest, AssistantEvent,
CompactionConfig, ConfigLoader, ConfigSource, ContentBlock, ConversationMessage, CompactionConfig, ConfigLoader, ConfigSource, ContentBlock, ConversationMessage,
ConversationRuntime, MessageRole, OAuthAuthorizationRequest, OAuthConfig, ConversationRuntime, MessageRole, OAuthAuthorizationRequest, OAuthConfig,
@ -4976,7 +4975,7 @@ impl ToolExecutor for CliToolExecutor {
} }
let value = serde_json::from_str(input) let value = serde_json::from_str(input)
.map_err(|error| ToolError::new(format!("invalid tool input JSON: {error}")))?; .map_err(|error| ToolError::new(format!("invalid tool input JSON: {error}")))?;
match self.tool_registry.execute(tool_name, &value) { match self.tool_registry.execute_preauthorized(tool_name, &value) {
Ok(output) => { Ok(output) => {
if self.emit_output { if self.emit_output {
let markdown = format_tool_result(tool_name, &output, false); let markdown = format_tool_result(tool_name, &output, false);

69
rust/crates/tools/src/lib.rs
View file

@ -127,7 +127,10 @@ impl GlobalToolRegistry {
} }
} }
Ok(Self { plugin_tools, enforcer: None }) Ok(Self {
plugin_tools,
enforcer: None,
})
} }
#[must_use] #[must_use]
@ -242,8 +245,23 @@ impl GlobalToolRegistry {
} }
pub fn execute(&self, name: &str, input: &Value) -> Result<String, String> { pub fn execute(&self, name: &str, input: &Value) -> Result<String, String> {
if let Some(enforcer) = &self.enforcer { self.execute_inner(name, input, true)
enforce_permission_check(enforcer, name, input)?; }
pub fn execute_preauthorized(&self, name: &str, input: &Value) -> Result<String, String> {
self.execute_inner(name, input, false)
}
fn execute_inner(
&self,
name: &str,
input: &Value,
enforce_permissions: bool,
) -> Result<String, String> {
if enforce_permissions {
if let Some(enforcer) = &self.enforcer {
enforce_permission_check(enforcer, name, input)?;
}
} }
if mvp_tool_specs().iter().any(|spec| spec.name == name) { if mvp_tool_specs().iter().any(|spec| spec.name == name) {
return execute_tool(name, input); return execute_tool(name, input);
@ -2798,7 +2816,10 @@ struct SubagentToolExecutor {
impl SubagentToolExecutor { impl SubagentToolExecutor {
fn new(allowed_tools: BTreeSet<String>) -> Self { fn new(allowed_tools: BTreeSet<String>) -> Self {
Self { allowed_tools, enforcer: None } Self {
allowed_tools,
enforcer: None,
}
} }
fn with_enforcer(mut self, enforcer: PermissionEnforcer) -> Self { fn with_enforcer(mut self, enforcer: PermissionEnforcer) -> Self {
@ -2817,8 +2838,7 @@ impl ToolExecutor for SubagentToolExecutor {
let value = serde_json::from_str(input) let value = serde_json::from_str(input)
.map_err(|error| ToolError::new(format!("invalid tool input JSON: {error}")))?; .map_err(|error| ToolError::new(format!("invalid tool input JSON: {error}")))?;
if let Some(enforcer) = &self.enforcer { if let Some(enforcer) = &self.enforcer {
enforce_permission_check(enforcer, tool_name, &value) enforce_permission_check(enforcer, tool_name, &value).map_err(ToolError::new)?;
.map_err(ToolError::new)?;
} }
execute_tool(tool_name, &value).map_err(ToolError::new) execute_tool(tool_name, &value).map_err(ToolError::new)
} }
@ -4219,8 +4239,8 @@ mod tests {
use super::{ use super::{
agent_permission_policy, allowed_tools_for_subagent, execute_agent_with_spawn, agent_permission_policy, allowed_tools_for_subagent, execute_agent_with_spawn,
execute_tool, final_assistant_text, mvp_tool_specs, permission_mode_from_plugin, execute_tool, final_assistant_text, mvp_tool_specs, permission_mode_from_plugin,
persist_agent_terminal_state, push_output_block, AgentInput, AgentJob, persist_agent_terminal_state, push_output_block, AgentInput, AgentJob, GlobalToolRegistry,
GlobalToolRegistry, SubagentToolExecutor, SubagentToolExecutor,
}; };
use api::OutputContentBlock; use api::OutputContentBlock;
use runtime::{ use runtime::{
@ -4243,10 +4263,11 @@ mod tests {
} }
fn permission_policy_for_mode(mode: PermissionMode) -> PermissionPolicy { fn permission_policy_for_mode(mode: PermissionMode) -> PermissionPolicy {
mvp_tool_specs().into_iter().fold( mvp_tool_specs()
PermissionPolicy::new(mode), .into_iter()
|policy, spec| policy.with_tool_requirement(spec.name, spec.required_permission), .fold(PermissionPolicy::new(mode), |policy, spec| {
) policy.with_tool_requirement(spec.name, spec.required_permission)
})
} }
#[test] #[test]
@ -4321,7 +4342,9 @@ mod tests {
.expect_err("subagent write tool should be denied before dispatch"); .expect_err("subagent write tool should be denied before dispatch");
// then // then
assert!(error.to_string().contains("requires workspace-write permission")); assert!(error
.to_string()
.contains("requires workspace-write permission"));
} }
#[test] #[test]
@ -5813,7 +5836,10 @@ printf 'pwsh:%s' "$1"
fn given_read_only_enforcer_when_write_file_then_denied() { fn given_read_only_enforcer_when_write_file_then_denied() {
let registry = read_only_registry(); let registry = read_only_registry();
let err = registry let err = registry
.execute("write_file", &json!({ "path": "/tmp/x.txt", "content": "x" })) .execute(
"write_file",
&json!({ "path": "/tmp/x.txt", "content": "x" }),
)
.expect_err("write_file should be denied in read-only mode"); .expect_err("write_file should be denied in read-only mode");
assert!( assert!(
err.contains("current mode is read-only"), err.contains("current mode is read-only"),
@ -5847,10 +5873,7 @@ printf 'pwsh:%s' "$1"
fs::write(&file, "content\n").expect("write test file"); fs::write(&file, "content\n").expect("write test file");
let registry = read_only_registry(); let registry = read_only_registry();
let result = registry.execute( let result = registry.execute("read_file", &json!({ "path": file.display().to_string() }));
"read_file",
&json!({ "path": file.display().to_string() }),
);
assert!(result.is_ok(), "read_file should be allowed: {result:?}"); assert!(result.is_ok(), "read_file should be allowed: {result:?}");
let _ = fs::remove_dir_all(root); let _ = fs::remove_dir_all(root);
@ -5876,6 +5899,16 @@ printf 'pwsh:%s' "$1"
assert_eq!(output["stdout"], "ok"); assert_eq!(output["stdout"], "ok");
} }
#[test]
fn given_enforcer_when_execute_preauthorized_then_skips_redundant_permission_check() {
let registry = read_only_registry();
let result = registry
.execute_preauthorized("bash", &json!({ "command": "printf 'ok'" }))
.expect("preauthorized bash should skip registry enforcement");
let output: serde_json::Value = serde_json::from_str(&result).expect("json");
assert_eq!(output["stdout"], "ok");
}
struct TestServer { struct TestServer {
addr: SocketAddr, addr: SocketAddr,
shutdown: Option<std::sync::mpsc::Sender<()>>, shutdown: Option<std::sync::mpsc::Sender<()>>,