tirea_extension_permission/
actions.rs

1use tirea_contract::runtime::phase::{BeforeInferenceAction, BeforeToolExecuteAction};
2use tirea_contract::runtime::tool_call::gate::SuspendTicket;
3
/// Builds the action that blocks a tool call, carrying a human-readable reason.
///
/// `reason` is converted into an owned `String` and wrapped in
/// [`BeforeToolExecuteAction::Block`]. The other denial helpers visible in this
/// file (`deny_tool`, `reject_out_of_scope`, `deny_missing_call_id`) all route
/// through this function, so it is the single place where a blocking action is
/// constructed.
///
/// The text is stored as given: no validation, truncation or escaping happens here.
pub fn deny(reason: impl Into<String>) -> BeforeToolExecuteAction {
    let message: String = reason.into();
    BeforeToolExecuteAction::Block(message)
}
8
/// Builds the blocking action for a tool that has been explicitly denied.
///
/// The resulting reason reads `Tool '<tool_id>' is denied`.
///
/// NOTE(review): `tool_id` is interpolated verbatim. If the identifier can come
/// from model output or another untrusted source, whatever renders or logs the
/// reason should treat it as untrusted text — confirm against the consumer.
pub fn deny_tool(tool_id: &str) -> BeforeToolExecuteAction {
    let reason = format!("Tool '{}' is denied", tool_id);
    deny(reason)
}
13
/// Builds the action that suspends a tool call until permission is confirmed.
///
/// The supplied [`SuspendTicket`] is moved into
/// [`BeforeToolExecuteAction::Suspend`] unchanged; this function does not
/// inspect or validate the ticket.
pub fn request_permission(ticket: SuspendTicket) -> BeforeToolExecuteAction {
    use BeforeToolExecuteAction::Suspend;

    Suspend(ticket)
}
18
/// Builds the blocking action for a tool that falls outside the current policy.
///
/// The resulting reason reads `Tool '<tool_id>' is not allowed by current policy`.
///
/// NOTE(review): `tool_id` is interpolated verbatim. If the identifier can come
/// from model output or another untrusted source, whatever renders or logs the
/// reason should treat it as untrusted text — confirm against the consumer.
pub fn reject_out_of_scope(tool_id: &str) -> BeforeToolExecuteAction {
    let reason = format!("Tool '{}' is not allowed by current policy", tool_id);
    deny(reason)
}
26
/// Builds the blocking action used when a permission check cannot run because
/// the tool call id is missing or empty.
///
/// Returning a block here means a call without an id is refused instead of
/// being allowed through unchecked.
pub fn deny_missing_call_id() -> BeforeToolExecuteAction {
    const REASON: &str = "Permission check requires non-empty tool call id";
    deny(REASON)
}
31
/// Translates an optional allow-list and an optional exclusion list into
/// pre-inference actions.
///
/// The returned vector is ordered as follows:
///
/// 1. If `allowed` is `Some`, a single
///    [`BeforeInferenceAction::IncludeOnlyTools`] carrying the whole list.
/// 2. If `excluded` is `Some`, one [`BeforeInferenceAction::ExcludeTool`] per
///    id, in the order given.
///
/// When both arguments are `None` the result is empty.
///
/// Ids are passed through as given; nothing here validates or deduplicates
/// them, and an id present in both lists produces both kinds of action.
///
/// NOTE(review): `allowed = Some(vec![])` still emits `IncludeOnlyTools` with an
/// empty list. Whether the runtime reads that as "no tools" or "no restriction"
/// is not visible from this file — confirm it fails closed.
pub fn apply_tool_policy(
    allowed: Option<Vec<String>>,
    excluded: Option<Vec<String>>,
) -> Vec<BeforeInferenceAction> {
    // Allow-list action (if any) comes first, exclusions follow.
    let include_only = allowed.map(BeforeInferenceAction::IncludeOnlyTools);
    let exclusions = excluded
        .into_iter()
        .flatten()
        .map(BeforeInferenceAction::ExcludeTool);

    include_only.into_iter().chain(exclusions).collect()
}