permissions

package

v1.18.8 Latest Latest Go to latest Published: Jan 7, 2026 License: Apache-2.0 Imports: 4 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/docker/cagent

Links

Documentation ¶

Overview ¶

Package permissions provides tool permission checking based on configurable Allow/Ask/Deny patterns.

Index ¶

type Checker
- func NewChecker(cfg *latest.PermissionsConfig) *Checker
type Decision
- func (d Decision) String() string

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Checker ¶

type Checker struct {
	// contains filtered or unexported fields
}

Checker evaluates tool permissions based on configured patterns

func NewChecker ¶

func NewChecker(cfg *latest.PermissionsConfig) *Checker

NewChecker creates a new permission checker from config

func (*Checker) Check ¶

func (c *Checker) Check(toolName string) Decision

Check evaluates the permission for a given tool name without arguments. This is a convenience method that calls CheckWithArgs with nil arguments. Evaluation order: Deny (checked first), then Allow, then Ask (default)

func (*Checker) CheckWithArgs ¶

func (c *Checker) CheckWithArgs(toolName string, args map[string]any) Decision

CheckWithArgs evaluates the permission for a given tool name and its arguments. Evaluation order: Deny (checked first), then Allow, then Ask (default)

The toolName can be a simple name like "shell" or a qualified name like "mcp:github:create_issue".

Patterns support: - Simple tool names: "shell", "read_*" - Argument matching: "shell:cmd=ls*" matches shell tool with cmd argument starting with "ls" - Multiple arguments: "shell:cmd=ls*:cwd=/home/*" matches both conditions - Glob patterns in both tool names and argument values

func (*Checker) IsEmpty ¶

func (c *Checker) IsEmpty() bool

IsEmpty returns true if no permissions are configured

type Decision ¶

type Decision int

Decision represents the permission decision for a tool call

const (
	// Ask means the tool requires user approval (default behavior)
	Ask Decision = iota
	// Allow means the tool is auto-approved without user confirmation
	Allow
	// Deny means the tool is rejected and should not be executed
	Deny
)

func (Decision) String ¶

func (d Decision) String() string

String returns a human-readable representation of the decision

Source Files ¶

View all Source files

permissions.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL