Class: OllamaAgent::Runtime::Permissions

Inherits:
Object
Defined in:
lib/ollama_agent/runtime/permissions.rb

Overview

Tool permission system. Controls which tools are accessible in a given run.

Built-in profiles:

:read_only  — file reads + search only
:standard   — read + write files, no shell or git writes
:developer  — full file + git + shell tools
:full       — everything

Constant Summary

PROFILES =
{
  read_only: {
    allowed: %w[read_file list_files search_code git_status git_log git_diff
                memory_recall memory_list http_get
                list_directory_contents calculate],
    denied: []
  },
  standard: {
    allowed: %w[read_file list_files search_code edit_file write_file
                memory_store memory_recall memory_list memory_delete
                git_status git_log git_diff http_get
                list_directory_contents calculate],
    denied: %w[run_shell git_commit http_post]
  },
  developer: {
    allowed: %w[read_file list_files search_code edit_file write_file
                git_status git_log git_diff git_commit git_branch
                run_shell memory_store memory_recall memory_list memory_delete
                http_get list_directory_contents calculate],
    denied: %w[http_post]
  },
  full: {
    allowed: :all,
    denied: []
  }
}.freeze

Constructor Details

#initialize(profile: :standard, allowed: nil, denied: nil) ⇒ Permissions

Returns a new instance of Permissions.

Parameters:

  • profile (Symbol) (defaults to: :standard)

    one of PROFILES keys

  • allowed (Array, :all) (defaults to: nil)

    explicit tool allowlist (overrides profile)

  • denied (Array) (defaults to: nil)

    explicit denylist (always wins)



# File 'lib/ollama_agent/runtime/permissions.rb', line 43

def initialize(profile: :standard, allowed: nil, denied: nil)
  @profile = profile.to_sym
  @custom_allowed = allowed
  @custom_denied  = Array(denied).map(&:to_s)
end

Instance Attribute Details

#profile ⇒ Object (readonly)

Returns the value of attribute profile.



# File 'lib/ollama_agent/runtime/permissions.rb', line 68

def profile
  @profile
end

Instance Method Details

#allowed?(tool_name) ⇒ Boolean

Is this tool allowed?

Parameters:

  • tool_name (String, Symbol)

Returns:

  • (Boolean)


# File 'lib/ollama_agent/runtime/permissions.rb', line 52

def allowed?(tool_name)
  name = tool_name.to_s

  return false if effective_denied.include?(name)

  eff_allowed = effective_allowed
  return true if eff_allowed == :all

  eff_allowed.include?(name)
end
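
The deny-before-allow order in #allowed? and the constructor's override parameters, as an added example that is not the gem's own code: PermissionsSketch and decisions are hypothetical names, the two profiles are copied from PROFILES above, and the bodies of effective_allowed and effective_denied (not shown on this page) are assumptions.

```ruby
# Added example: stand-in for the class documented on this page.
# The private helpers are ASSUMED; the gem's real bodies are not shown here.
class PermissionsSketch
  PROFILES = {
    standard: {
      allowed: %w[read_file list_files search_code edit_file write_file
                  memory_store memory_recall memory_list memory_delete
                  git_status git_log git_diff http_get
                  list_directory_contents calculate],
      denied: %w[run_shell git_commit http_post]
    },
    full: { allowed: :all, denied: [] }
  }.freeze

  def initialize(profile: :standard, allowed: nil, denied: nil)
    @profile = profile.to_sym
    @custom_allowed = allowed
    @custom_denied  = Array(denied).map(&:to_s)
  end

  # Same body as #allowed? on the page: the denylist is consulted first.
  def allowed?(tool_name)
    name = tool_name.to_s
    return false if effective_denied.include?(name)

    eff_allowed = effective_allowed
    return true if eff_allowed == :all

    eff_allowed.include?(name)
  end

  private

  # Assumption: an explicit allowlist replaces the profile's list.
  def effective_allowed
    return :all if @custom_allowed == :all
    return @custom_allowed.map(&:to_s) if @custom_allowed

    PROFILES.fetch(@profile)[:allowed] # unknown profile raises KeyError
  end

  # Assumption: profile denials and caller denials are merged.
  def effective_denied
    (PROFILES.fetch(@profile)[:denied] + @custom_denied).uniq
  end
end

# Maps each tool name (constructed test input) to the decision it receives.
def decisions(perms, tools)
  tools.to_h { |t| [t.to_s, perms.allowed?(t)] }
end
```

Under these assumptions an unlisted tool such as git_branch is refused by :standard without appearing in its denylist, while :full accepts any tool name unless the caller passes denied:.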

#filter_schemas(schemas) ⇒ Object

Filtered list of tool schemas — only allowed tools.



# File 'lib/ollama_agent/runtime/permissions.rb', line 64

def filter_schemas(schemas)
  schemas.select { |s| allowed?(schema_name(s)) }
end

#to_h ⇒ Object



# File 'lib/ollama_agent/runtime/permissions.rb', line 70

def to_h
  {
    profile: @profile,
    effective_allowed: effective_allowed,
    effective_denied: effective_denied
  }
end