policy

package
v0.13.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 6, 2026 License: MIT Imports: 7 Imported by: 0

Documentation

Overview

Package policy provides per-sender tool access control.

The policy package enables fine-grained control over which tools are available to specific senders (users, channels, etc.). This supports use cases like:

  • Restricting dangerous tools to admin users
  • Enabling different tool sets for different channels
  • Rate limiting tool usage per sender

Index

Constants

View Source
const (
	// SenderIDKey is the context key for sender ID.
	SenderIDKey contextKey = "sender_id"
)

Variables

This section is empty.

Functions

func GetSenderID

func GetSenderID(ctx context.Context) string

GetSenderID retrieves the sender ID from context.

func WithSenderID

func WithSenderID(ctx context.Context, senderID string) context.Context

WithSenderID adds a sender ID to the context.

Types

type AccessDeniedError

type AccessDeniedError struct {
	SenderID string
	ToolName string
	Reason   string
}

AccessDeniedError is returned when a sender cannot access a tool.

func (*AccessDeniedError) Error

func (e *AccessDeniedError) Error() string

type ConcurrencyError

type ConcurrencyError struct {
	SenderID string
	Limit    int
	Active   int
}

ConcurrencyError is returned when a sender exceeds concurrent execution limit.

func (*ConcurrencyError) Error

func (e *ConcurrencyError) Error() string

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager manages per-sender tool policies.

func NewManager

func NewManager() *Manager

NewManager creates a new policy manager.

func (*Manager) CheckAccess

func (m *Manager) CheckAccess(ctx context.Context, senderID, toolName string) error

CheckAccess checks if a sender can use a tool.

func (*Manager) CleanupUsage

func (m *Manager) CleanupUsage()

CleanupUsage removes stale usage data.

func (*Manager) EndExecution

func (m *Manager) EndExecution(senderID string)

EndExecution marks the end of a tool execution.

func (*Manager) GetPolicy

func (m *Manager) GetPolicy(senderID string) *Policy

GetPolicy returns the policy for a sender. Returns the default policy if no specific policy exists.

func (*Manager) RecordUsage

func (m *Manager) RecordUsage(senderID, toolName string)

RecordUsage records a tool usage for rate limiting.

func (*Manager) RemovePolicy

func (m *Manager) RemovePolicy(senderID string)

RemovePolicy removes a sender's policy.

func (*Manager) SetDefaultPolicy

func (m *Manager) SetDefaultPolicy(p *Policy)

SetDefaultPolicy sets the default policy for senders without specific policies.

func (*Manager) SetPolicy

func (m *Manager) SetPolicy(senderID string, p *Policy)

SetPolicy sets the policy for a specific sender.

func (*Manager) StartExecution

func (m *Manager) StartExecution(senderID string)

StartExecution marks the start of a tool execution.

type Policy

type Policy struct {
	// SenderID is the sender this policy applies to.
	// Can be a user ID, channel ID, or wildcard "*" for default.
	SenderID string

	// AllowedTools lists tools the sender can use.
	// Empty means all tools allowed (unless DeniedTools is set).
	AllowedTools []string

	// DeniedTools lists tools the sender cannot use.
	// Takes precedence over AllowedTools.
	DeniedTools []string

	// RateLimits sets per-tool rate limits.
	// Key is tool name, value is max calls per minute.
	RateLimits map[string]int

	// MaxConcurrent limits concurrent tool executions.
	// 0 means unlimited.
	MaxConcurrent int

	// Metadata contains additional policy data.
	Metadata map[string]any
}

Policy defines tool access control for a sender.

type PolicyToolRegistry

type PolicyToolRegistry struct {
	// contains filtered or unexported fields
}

PolicyToolRegistry wraps a ToolRegistry with policy enforcement.

func NewPolicyToolRegistry

func NewPolicyToolRegistry(registry *agent.ToolRegistry, manager *Manager) *PolicyToolRegistry

NewPolicyToolRegistry creates a policy-enforced tool registry.

func (*PolicyToolRegistry) Execute

func (r *PolicyToolRegistry) Execute(ctx context.Context, name string, args json.RawMessage) (string, error)

Execute runs a tool with policy enforcement.

func (*PolicyToolRegistry) Get

func (r *PolicyToolRegistry) Get(name string) (agent.Tool, bool)

Get retrieves a tool by name.

func (*PolicyToolRegistry) GetToolsForSender

func (r *PolicyToolRegistry) GetToolsForSender(senderID string) []provider.Tool

GetToolsForSender returns tool definitions filtered by sender policy.

func (*PolicyToolRegistry) List

func (r *PolicyToolRegistry) List() []string

List returns all registered tool names.

func (*PolicyToolRegistry) Manager

func (r *PolicyToolRegistry) Manager() *Manager

Manager returns the policy manager.

func (*PolicyToolRegistry) Register

func (r *PolicyToolRegistry) Register(tool agent.Tool)

Register adds a tool to the underlying registry.

func (*PolicyToolRegistry) Underlying

func (r *PolicyToolRegistry) Underlying() *agent.ToolRegistry

Underlying returns the underlying tool registry.

func (*PolicyToolRegistry) Unregister

func (r *PolicyToolRegistry) Unregister(name string)

Unregister removes a tool from the underlying registry.

type RateLimitError

type RateLimitError struct {
	SenderID string
	ToolName string
	Limit    int
	Window   time.Duration
}

RateLimitError is returned when a sender exceeds the rate limit.

func (*RateLimitError) Error

func (e *RateLimitError) Error() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL