Pixir.Permissions.WritePolicy (pixir v0.1.7)

Copy Markdown View Source

Bounded write policy for headless executor/delegate runs.

The policy is deliberately narrower than :auto: it only authorizes write and edit against canonical workspace-relative paths, keeps unsafe shell disabled, and fails closed when paths or rules are ambiguous. It is a runtime object carried in context.permission.policy, not a replacement for the existing permission-mode atom.

Summary

Functions

Whether a policy explicitly allows the whole workspace.

Authorize one tool call under a bounded write policy.

Canonical workspace-relative target for policy checks.

Load and normalize a bounded write policy JSON file.

Rehydrate a runtime policy from safe metadata previously written to the Log.

Machine-readable policy metadata safe for CLI/delegate JSON output.

Return a policy narrowed to the given write set.

Normalize a bounded write policy map and compute stable metadata.

Validate that every write_set rule is within a parent policy allow rule.

Functions

allows_global?(arg1)

@spec allows_global?(map() | nil) :: boolean()

Whether a policy explicitly allows the whole workspace.

authorize_tool(policy, tool, args, workspace)

@spec authorize_tool(map() | nil, String.t(), map(), String.t()) ::
  :allow | {:deny, map()} | {:error, map()}

Authorize one tool call under a bounded write policy.

canonical_relative(workspace, path)

@spec canonical_relative(String.t(), String.t()) ::
  {:ok, String.t()} | {:error, map()}

Canonical workspace-relative target for policy checks.

from_file(path, workspace)

@spec from_file(String.t(), String.t()) :: {:ok, map()} | {:error, map()}

Load and normalize a bounded write policy JSON file.

from_metadata(metadata)

@spec from_metadata(map() | nil) :: {:ok, map() | nil} | {:error, map()}

Rehydrate a runtime policy from safe metadata previously written to the Log.

The recorded metadata is intentionally enough for later diagnostics or live-handle reattachment without trusting a prompt or model-supplied override. It preserves the original hash instead of recomputing it from a lossy projection.

metadata(policy)

@spec metadata(map() | nil) :: map() | nil

Machine-readable policy metadata safe for CLI/delegate JSON output.

narrow_to_write_set(policy, write_set)

@spec narrow_to_write_set(map(), [String.t()]) :: {:ok, map()} | {:error, map()}

Return a policy narrowed to the given write set.

normalize(raw, opts \\ [])

@spec normalize(
  map(),
  keyword()
) :: {:ok, map()} | {:error, map()}

Normalize a bounded write policy map and compute stable metadata.

validate_write_set_within_policy(policy, write_set)

@spec validate_write_set_within_policy(map(), [String.t()]) :: :ok | {:error, map()}

Validate that every write_set rule is within a parent policy allow rule.