Permission policy (ADR 0006). Pure decision function — the Executor consults it and,
for :ask, calls a front-end-supplied asker.
Modes:
:auto(default) — everything is allowed; no prompts. The blessed common path.:ask— only genuinely risky operations prompt.readnever asks;bashcommands on a conservative safe-list auto-run;writeand non-safebashask.:read_only— mutating tools are denied; reads and safe commands run.
Workspace confinement is enforced elsewhere (the tools) and is the real floor in every mode — this layer is a convenience gate on top.
Summary
Functions
Classify whether a shell token contains a parent-directory path segment.
Decide whether a tool call may run under mode.
All valid permission modes.
Whether a tool call mutates state (and so is gated outside :auto).
Whether a find token is a mutating predicate such as -delete or -exec.
Return the first shell token that resolves outside workspace.
Whether a shell command is read-only and safe to auto-run: command executable
on the safe-list, no shell metacharacters, no parent-directory path references,
no mutating git subcommand, and no mutating find predicate.
Strip simple single/double quote wrapping from a shell token.
Types
@type decision() :: :allow | :deny | {:ask, String.t()}
@type mode() :: :auto | :ask | :read_only
Functions
Classify whether a shell token contains a parent-directory path segment.
Decide whether a tool call may run under mode.
@spec modes() :: [mode()]
All valid permission modes.
Whether a tool call mutates state (and so is gated outside :auto).
Whether a find token is a mutating predicate such as -delete or -exec.
Return the first shell token that resolves outside workspace.
This is a conservative workspace-confinement tripwire for shell-shaped commands. It catches explicit parent-directory references, absolute paths outside the workspace, home/env-home references, and relative paths whose deepest existing prefix resolves outside the workspace. It is not a full shell parser; callers should still keep shell execution behind their normal permission and command-boundary gates.
Whether a shell command is read-only and safe to auto-run: command executable
on the safe-list, no shell metacharacters, no parent-directory path references,
no mutating git subcommand, and no mutating find predicate.
Strip simple single/double quote wrapping from a shell token.