requestpermissions

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 14, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Index

Constants

View Source
const Description = `Requests additional permissions before performing an operation that exceeds the current authorization.

Use this tool when you need to:
- Read or write to paths outside the current workspace
- Access network resources that are not yet permitted
- Perform file system operations (create, delete, move) that require explicit user consent
- Execute commands that would normally require approval

## When to use

Call this tool BEFORE the operation that needs the permission, not after a failure.
Be specific: list the exact paths or network targets needed.
Provide a clear reason that explains WHY the permission is necessary.

## Scope

- ` + "`turn`" + ` (default): permission is valid for the remainder of this turn only.
- ` + "`session`" + `: permission persists for the entire session.

## Handling denial

If the user denies the request (` + "`granted: false`" + `), you must find a safe alternative or inform the user that the task cannot be completed without the requested permissions. Do NOT retry the same request.

## Examples

Good reason: "Need to read ~/.ssh/config to verify the SSH key used by the deployment script."
Bad reason: "Need more permissions."

Good reason: "Writing build artifacts to /tmp/seshat-build/ to avoid polluting the workspace."
Bad reason: "Write access needed."
`

Description is the model-facing description of this tool.

View Source
const SearchHint = "request additional permissions for file system or network access"

SearchHint is used by tool_search for ranking.

View Source
const ToolName = "request_permissions"

ToolName is the canonical name of this tool.

Variables

This section is empty.

Functions

This section is empty.

Types

type DeniedResponse

type DeniedResponse struct {
	Granted bool   `json:"granted"`
	Reason  string `json:"reason"`
}

DeniedResponse is returned when the user denies the request.

type FilesystemPermissions

type FilesystemPermissions struct {
	Paths  []string `json:"paths"`
	Access []string `json:"access"`
}

FilesystemPermissions describes the filesystem access being requested.

type GrantedResponse

type GrantedResponse struct {
	Granted     bool                 `json:"granted"`
	Scope       PermissionGrantScope `json:"scope"`
	Permissions RequestedPermissions `json:"permissions"`
}

GrantedResponse is returned when the user approves the request.

type Input

type Input struct {
	Reason      string               `json:"reason"`
	Permissions RequestedPermissions `json:"permissions"`
	Scope       PermissionGrantScope `json:"scope"`
}

Input is the parsed input to request_permissions.

type NetworkPermissions

type NetworkPermissions struct {
	Targets []string `json:"targets,omitempty"`
	Enabled bool     `json:"enabled,omitempty"`
}

NetworkPermissions describes the network access being requested.

type PermissionGrantScope

type PermissionGrantScope string

PermissionGrantScope controls how long a granted permission remains valid.

const (
	GrantScopeTurn    PermissionGrantScope = "turn"
	GrantScopeSession PermissionGrantScope = "session"
)

type RequestedPermissions

type RequestedPermissions struct {
	Filesystem *FilesystemPermissions `json:"filesystem,omitempty"`
	Network    *NetworkPermissions    `json:"network,omitempty"`
}

RequestedPermissions is the top-level permissions payload.

type Tool

type Tool struct{}

Tool implements the request_permissions tool.

func NewTool

func NewTool() *Tool

NewTool creates a new request_permissions tool.

func (*Tool) BackfillInput

func (t *Tool) BackfillInput(_ context.Context, input map[string]any) map[string]any

BackfillInput returns input unchanged.

func (*Tool) Call

func (t *Tool) Call(
	ctx context.Context,
	input tool.CallInput,
	permissionCheck types.CanUseToolFn,
) (tool.CallResult, error)

Call executes the permission request through the approval pipeline. A user denial returns a structured JSON response (not an error) so the model can handle it gracefully and propose a safe alternative.

func (*Tool) CheckPermissions

func (t *Tool) CheckPermissions(_ context.Context, input map[string]any, _ tool.ToolUseContext) types.PermissionResult

CheckPermissions always delegates to the global pipeline — the approval happens inside Call via ResolveToolPermission.

func (*Tool) Definition

func (t *Tool) Definition() tool.Definition

Definition returns the tool definition.

func (*Tool) Description

func (t *Tool) Description(_ context.Context) (string, error)

Description returns the tool description.

func (*Tool) FormatResult

func (t *Tool) FormatResult(data any) string

FormatResult serialises the tool output.

func (*Tool) IsConcurrencySafe

func (t *Tool) IsConcurrencySafe(_ map[string]any) bool

IsConcurrencySafe reports that permission requests must run serially.

func (*Tool) IsEnabled

func (t *Tool) IsEnabled() bool

IsEnabled reports that this tool is always active.

func (*Tool) IsReadOnly

func (t *Tool) IsReadOnly(_ map[string]any) bool

IsReadOnly reports that permission requests have side-effects (they change the session grant state).

func (*Tool) RequiresUserInteraction

func (t *Tool) RequiresUserInteraction() bool

RequiresUserInteraction ensures this tool is never auto-approved in bypass mode.

func (*Tool) ValidateInput

func (t *Tool) ValidateInput(_ context.Context, input map[string]any) (map[string]any, error)

ValidateInput validates the tool input.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL