adjusts tool settings eval order

dingfeli · dingfeli · commit 19873a4ecdd9 · 2025-08-13T17:18:04.000-07:00
diff --git a/crates/chat-cli/src/cli/chat/tools/execute/mod.rs b/crates/chat-cli/src/cli/chat/tools/execute/mod.rs
@@ -202,7 +202,7 @@ impl ExecuteCommand {
         let tool_name = if cfg!(windows) { "execute_cmd" } else { "execute_bash" };
         let is_in_allowlist = agent.allowed_tools.contains(tool_name);
         match agent.tools_settings.get(tool_name) {
-            Some(settings) if is_in_allowlist => {
+            Some(settings) => {
                 let Settings {
                     allowed_commands,
                     denied_commands,
@@ -226,7 +226,7 @@ impl ExecuteCommand {
                     return PermissionEvalResult::Deny(denied_match_set);
                 }
 
-                if self.requires_acceptance(Some(&allowed_commands), allow_read_only) {
+                if !is_in_allowlist || self.requires_acceptance(Some(&allowed_commands), allow_read_only) {
                     PermissionEvalResult::Ask
                 } else {
                     PermissionEvalResult::Allow
@@ -263,10 +263,7 @@ pub fn format_output(output: &str, max_size: usize) -> String {
 
 #[cfg(test)]
 mod tests {
-    use std::collections::{
-        HashMap,
-        HashSet,
-    };
+    use std::collections::HashMap;
 
     use super::*;
     use crate::cli::agent::ToolSettingTarget;
@@ -408,13 +405,8 @@ mod tests {
     #[test]
     fn test_eval_perm() {
         let tool_name = if cfg!(windows) { "execute_cmd" } else { "execute_bash" };
-        let agent = Agent {
+        let mut agent = Agent {
             name: "test_agent".to_string(),
-            allowed_tools: {
-                let mut allowed_tools = HashSet::<String>::new();
-                allowed_tools.insert(tool_name.to_string());
-                allowed_tools
-            },
             tools_settings: {
                 let mut map = HashMap::<ToolSettingTarget, serde_json::Value>::new();
                 map.insert(
@@ -428,20 +420,32 @@ mod tests {
             ..Default::default()
         };
 
-        let tool = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
+        let tool_one = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
             "command": "git status",
         }))
         .unwrap();
 
-        let res = tool.eval_perm(&agent);
+        let res = tool_one.eval_perm(&agent);
         assert!(matches!(res, PermissionEvalResult::Deny(ref rules) if rules.contains(&"\\Agit .*\\z".to_string())));
 
-        let tool = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
+        let tool_two = serde_json::from_value::<ExecuteCommand>(serde_json::json!({
             "command": "echo hello",
         }))
         .unwrap();
 
-        let res = tool.eval_perm(&agent);
+        let res = tool_two.eval_perm(&agent);
+        assert!(matches!(res, PermissionEvalResult::Ask));
+
+        agent.allowed_tools.insert(tool_name.to_string());
+
+        let res = tool_two.eval_perm(&agent);
+        assert!(matches!(res, PermissionEvalResult::Allow));
+
+        // Denied list should remain denied
+        let res = tool_one.eval_perm(&agent);
+        assert!(matches!(res, PermissionEvalResult::Deny(ref rules) if rules.contains(&"\\Agit .*\\z".to_string())));
+
+        let res = tool_two.eval_perm(&agent);
         assert!(matches!(res, PermissionEvalResult::Allow));
     }
 
diff --git a/crates/chat-cli/src/cli/chat/tools/fs_read.rs b/crates/chat-cli/src/cli/chat/tools/fs_read.rs
@@ -126,7 +126,7 @@ impl FsRead {
 
         let is_in_allowlist = agent.allowed_tools.contains("fs_read");
         match agent.tools_settings.get("fs_read") {
-            Some(settings) if is_in_allowlist => {
+            Some(settings) => {
                 let Settings {
                     allowed_paths,
                     denied_paths,
@@ -188,7 +188,7 @@ impl FsRead {
 
                                     // We only want to ask if we are not allowing read only
                                     // operation
-                                    if !allow_read_only && !allow_set.is_match(path) {
+                                    if !is_in_allowlist && !allow_read_only && !allow_set.is_match(path) {
                                         ask = true;
                                     }
                                 },
@@ -209,7 +209,10 @@ impl FsRead {
 
                                     // We only want to ask if we are not allowing read only
                                     // operation
-                                    if !allow_read_only && !paths.iter().any(|path| allow_set.is_match(path)) {
+                                    if !is_in_allowlist
+                                        && !allow_read_only
+                                        && !paths.iter().any(|path| allow_set.is_match(path))
+                                    {
                                         ask = true;
                                     }
                                 },
@@ -844,10 +847,7 @@ fn format_mode(mode: u32) -> [char; 9] {
 
 #[cfg(test)]
 mod tests {
-    use std::collections::{
-        HashMap,
-        HashSet,
-    };
+    use std::collections::HashMap;
 
     use super::*;
     use crate::cli::agent::ToolSettingTarget;
@@ -1387,13 +1387,8 @@ mod tests {
         const DENIED_PATH_ONE: &str = "/some/denied/path";
         const DENIED_PATH_GLOB: &str = "/denied/glob/**/path";
 
-        let agent = Agent {
+        let mut agent = Agent {
             name: "test_agent".to_string(),
-            allowed_tools: {
-                let mut allowed_tools = HashSet::<String>::new();
-                allowed_tools.insert("fs_read".to_string());
-                allowed_tools
-            },
             tools_settings: {
                 let mut map = HashMap::<ToolSettingTarget, serde_json::Value>::new();
                 map.insert(
@@ -1407,7 +1402,7 @@ mod tests {
             ..Default::default()
         };
 
-        let tool = serde_json::from_value::<FsRead>(serde_json::json!({
+        let tool_one = serde_json::from_value::<FsRead>(serde_json::json!({
             "operations": [
                 { "path": DENIED_PATH_ONE, "mode": "Line", "start_line": 1, "end_line": 2 },
                 { "path": "/denied/glob", "mode": "Directory" },
@@ -1418,7 +1413,17 @@ mod tests {
         }))
         .unwrap();
 
-        let res = tool.eval_perm(&agent);
+        let res = tool_one.eval_perm(&agent);
+        assert!(matches!(
+            res,
+            PermissionEvalResult::Deny(ref deny_list)
+                if deny_list.iter().filter(|p| *p == DENIED_PATH_GLOB).collect::<Vec<_>>().len() == 2
+                && deny_list.iter().filter(|p| *p == DENIED_PATH_ONE).collect::<Vec<_>>().len() == 1
+        ));
+
+        agent.allowed_tools.insert("fs_read".to_string());
+
+        let res = tool_one.eval_perm(&agent);
         assert!(matches!(
             res,
             PermissionEvalResult::Deny(ref deny_list)
diff --git a/crates/chat-cli/src/cli/chat/tools/fs_write.rs b/crates/chat-cli/src/cli/chat/tools/fs_write.rs
@@ -433,7 +433,7 @@ impl FsWrite {
 
         let is_in_allowlist = agent.allowed_tools.contains("fs_write");
         match agent.tools_settings.get("fs_write") {
-            Some(settings) if is_in_allowlist => {
+            Some(settings) => {
                 let Settings {
                     allowed_paths,
                     denied_paths,
@@ -486,7 +486,7 @@ impl FsWrite {
                                             .collect::<Vec<_>>()
                                     });
                                 }
-                                if allow_set.is_match(path) {
+                                if is_in_allowlist || allow_set.is_match(path) {
                                     return PermissionEvalResult::Allow;
                                 }
                             },
@@ -808,10 +808,7 @@ fn syntect_to_crossterm_color(syntect: syntect::highlighting::Color) -> style::C
 
 #[cfg(test)]
 mod tests {
-    use std::collections::{
-        HashMap,
-        HashSet,
-    };
+    use std::collections::HashMap;
 
     use super::*;
     use crate::cli::agent::ToolSettingTarget;
@@ -1270,13 +1267,8 @@ mod tests {
         const DENIED_PATH_ONE: &str = "/some/denied/path/**";
         const DENIED_PATH_GLOB: &str = "/denied/glob/**/path/**";
 
-        let agent = Agent {
+        let mut agent = Agent {
             name: "test_agent".to_string(),
-            allowed_tools: {
-                let mut allowed_tools = HashSet::<String>::new();
-                allowed_tools.insert("fs_write".to_string());
-                allowed_tools
-            },
             tools_settings: {
                 let mut map = HashMap::<ToolSettingTarget, serde_json::Value>::new();
                 map.insert(
@@ -1290,51 +1282,62 @@ mod tests {
             ..Default::default()
         };
 
-        let tool = serde_json::from_value::<FsWrite>(serde_json::json!({
+        let tool_one = serde_json::from_value::<FsWrite>(serde_json::json!({
             "path": "/not/a/denied/path/file.txt",
             "command": "create",
             "file_text": "content in nested path"
         }))
         .unwrap();
 
-        let res = tool.eval_perm(&agent);
+        let res = tool_one.eval_perm(&agent);
         assert!(matches!(res, PermissionEvalResult::Ask));
 
-        let tool = serde_json::from_value::<FsWrite>(serde_json::json!({
+        let tool_two = serde_json::from_value::<FsWrite>(serde_json::json!({
             "path": format!("{DENIED_PATH_ONE}/file.txt"),
             "command": "create",
             "file_text": "content in nested path"
         }))
         .unwrap();
 
-        let res = tool.eval_perm(&agent);
+        let res = tool_two.eval_perm(&agent);
         assert!(
             matches!(res, PermissionEvalResult::Deny(ref deny_list) if deny_list.contains(&DENIED_PATH_ONE.to_string()))
         );
 
-        let tool = serde_json::from_value::<FsWrite>(serde_json::json!({
+        let tool_three = serde_json::from_value::<FsWrite>(serde_json::json!({
             "path": format!("/denied/glob/child_one/path/file.txt"),
             "command": "create",
             "file_text": "content in nested path"
         }))
         .unwrap();
 
-        let res = tool.eval_perm(&agent);
+        let res = tool_three.eval_perm(&agent);
         assert!(
             matches!(res, PermissionEvalResult::Deny(ref deny_list) if deny_list.contains(&DENIED_PATH_GLOB.to_string()))
         );
 
-        let tool = serde_json::from_value::<FsWrite>(serde_json::json!({
+        let tool_four = serde_json::from_value::<FsWrite>(serde_json::json!({
             "path": format!("/denied/glob/child_one/grand_child_one/path/file.txt"),
             "command": "create",
             "file_text": "content in nested path"
         }))
         .unwrap();
 
-        let res = tool.eval_perm(&agent);
+        let res = tool_four.eval_perm(&agent);
+        assert!(
+            matches!(res, PermissionEvalResult::Deny(ref deny_list) if deny_list.contains(&DENIED_PATH_GLOB.to_string()))
+        );
+
+        agent.allowed_tools.insert("fs_write".to_string());
+
+        // Denied list should remained denied
+        let res = tool_four.eval_perm(&agent);
         assert!(
             matches!(res, PermissionEvalResult::Deny(ref deny_list) if deny_list.contains(&DENIED_PATH_GLOB.to_string()))
         );
+
+        let res = tool_one.eval_perm(&agent);
+        assert!(matches!(res, PermissionEvalResult::Allow));
     }
 
     #[tokio::test]
diff --git a/crates/chat-cli/src/cli/chat/tools/use_aws.rs b/crates/chat-cli/src/cli/chat/tools/use_aws.rs
@@ -194,7 +194,7 @@ impl UseAws {
         let Self { service_name, .. } = self;
         let is_in_allowlist = agent.allowed_tools.contains("use_aws");
         match agent.tools_settings.get("use_aws") {
-            Some(settings) if is_in_allowlist => {
+            Some(settings) => {
                 let settings = match serde_json::from_value::<Settings>(settings.clone()) {
                     Ok(settings) => settings,
                     Err(e) => {
@@ -205,7 +205,7 @@ impl UseAws {
                 if settings.denied_services.contains(service_name) {
                     return PermissionEvalResult::Deny(vec![service_name.clone()]);
                 }
-                if settings.allowed_services.contains(service_name) {
+                if is_in_allowlist || settings.allowed_services.contains(service_name) {
                     return PermissionEvalResult::Allow;
                 }
                 PermissionEvalResult::Ask
@@ -224,8 +224,6 @@ impl UseAws {
 
 #[cfg(test)]
 mod tests {
-    use std::collections::HashSet;
-
     use super::*;
     use crate::cli::agent::ToolSettingTarget;
 
@@ -351,21 +349,16 @@ mod tests {
 
     #[test]
     fn test_eval_perm() {
-        let cmd = use_aws! {{
+        let cmd_one = use_aws! {{
             "service_name": "s3",
             "operation_name": "put-object",
             "region": "us-west-2",
             "profile_name": "default",
             "label": ""
         }};
 
-        let agent = Agent {
+        let mut agent = Agent {
             name: "test_agent".to_string(),
-            allowed_tools: {
-                let mut allowed_tools = HashSet::<String>::new();
-                allowed_tools.insert("use_aws".to_string());
-                allowed_tools
-            },
             tools_settings: {
                 let mut map = HashMap::<ToolSettingTarget, serde_json::Value>::new();
                 map.insert(
@@ -379,18 +372,27 @@ mod tests {
             ..Default::default()
         };
 
-        let res = cmd.eval_perm(&agent);
+        let res = cmd_one.eval_perm(&agent);
         assert!(matches!(res, PermissionEvalResult::Deny(ref services) if services.contains(&"s3".to_string())));
 
-        let cmd = use_aws! {{
+        let cmd_two = use_aws! {{
             "service_name": "api_gateway",
             "operation_name": "request",
             "region": "us-west-2",
             "profile_name": "default",
             "label": ""
         }};
 
-        let res = cmd.eval_perm(&agent);
+        let res = cmd_two.eval_perm(&agent);
         assert!(matches!(res, PermissionEvalResult::Ask));
+
+        agent.allowed_tools.insert("use_aws".to_string());
+
+        let res = cmd_two.eval_perm(&agent);
+        assert!(matches!(res, PermissionEvalResult::Allow));
+
+        // Denied services should still be denied after trusting tool
+        let res = cmd_one.eval_perm(&agent);
+        assert!(matches!(res, PermissionEvalResult::Deny(ref services) if services.contains(&"s3".to_string())));
     }
 }
