Module: Parse::Agent::Describe

Included in:

Parse::Agent

Defined in:

lib/parse/agent/describe.rb

Overview

Developer-facing introspection mixin. Mixed into Parse::Agent via ‘include Describe` so `agent.describe`, `agent.describe_for(class_name)`, and `agent.would_permit?(…)` are instance methods on every agent.

SECURITY POSTURE — this is operator-side observability, NOT data exposed to the LLM. The operator wrote every rule the helper echoes back; showing them their own configuration is just transparency. The output is NOT included in any tool response, MCP ‘tools/list`, or `parse.agent.tool_call` notification payload by default. If a deployment chooses to surface the output (e.g. via a debug HTTP endpoint), it should be auth-gated on the same boundary that authenticates the operator console.

The ‘session_token` value is NEVER returned verbatim. #auth_descriptor emits a stable SHA256-truncated fingerprint so two `describe` calls on the same session correlate, but the raw bearer token never leaves the method. Master-key mode is identified by the `:master_key` symbol only.

Instance Method Summary

• #describe(pretty: false) ⇒ Hash, String

  Full introspection Hash for the agent.

• #describe_for(class_name) ⇒ Hash

  Per-class breakdown for a single Parse class.

• #would_permit?(tool_name, class_name: nil, op: nil, method_name: nil, **_kwargs) ⇒ Hash

  Dispatch-gate simulator.

Instance Method Details

#describe(pretty: false) ⇒ Hash, String

Full introspection Hash for the agent. Lists every layer that gates what the agent can see and do, plus per-class metadata for the classes the agent explicitly references.

Parameters:

• pretty (Boolean) (defaults to: false) —

  when true, returns a multi-line String formatted for ‘puts` debugging instead of the structured Hash. The String is generated from the same data the Hash exposes.

Returns:

• (Hash, String)

# File 'lib/parse/agent/describe.rb', line 33

def describe(pretty: false)
  data = describe_hash
  pretty ? describe_pretty(data) : data
end

#describe_for(class_name) ⇒ Hash

Per-class breakdown for a single Parse class. Includes the agent’s effective reach for the class (visible? class-filter permitted? canonical filter? per-agent filter? tenant-scoped?) plus the class-level metadata declared via ‘agent_fields` / `agent_methods` / `agent_large_fields`. Useful when an agent has 30 visible classes and a developer is debugging one specific refusal.

Parameters:

• class_name (String, Symbol, Class) —

  the Parse class to look up

Returns:

• (Hash) —

  per-class introspection envelope

# File 'lib/parse/agent/describe.rb', line 47

def describe_for(class_name)
  cn = if class_name.is_a?(Class) && class_name.respond_to?(:parse_class)
      class_name.parse_class
    else
      class_name.to_s
    end
  {
    class_name:              cn,
    accessible:              describe_class_accessibility(cn),
    agent_fields:            class_field_allowlist(cn),
    agent_canonical_filter:  Parse::Agent::MetadataRegistry.canonical_filter(cn),
    per_agent_filter:        respond_to?(:filter_for) ? filter_for(cn) : nil,
    tenant_scope:            class_tenant_scope(cn),
    large_fields:            class_large_fields(cn),
    agent_methods:           class_agent_method_names(cn),
  }
end

#would_permit?(tool_name, class_name: nil, op: nil, method_name: nil, **_kwargs) ⇒ Hash

Dispatch-gate simulator. Runs every accessibility check that the tool dispatcher would run, without actually invoking the tool. Lets a developer answer “why is this agent refusing this call?” in one line, without parsing the audit payload or tracing through the tool implementation.

TRACK-AGENT-8: mirrors the REAL dispatch gates in Parse::Agent#execute and Tools.assert_class_accessible!. The simulator now checks:

* tool filter (`tools:` kwarg / `tool_filter_*` sets) and
  permission-tier membership
* env-gate (`PARSE_AGENT_ALLOW_WRITE_TOOLS` /
  `PARSE_AGENT_ALLOW_RAW_CRUD` for write tools;
  `PARSE_AGENT_ALLOW_SCHEMA_OPS` /
  `PARSE_AGENT_ALLOW_RAW_SCHEMA` for schema tools)
* `class_name` accessibility, including hidden-class +
  master-key-except, per-agent class allowlist, AND the
  CLP `op:` gate (forwarded when an `op:` is supplied)
* `master_atlas?` opt-in gate for `atlas_faceted_search`
* `method_filtered?` for `call_method` when a
  `method_name:` is supplied

Parameters:

• tool_name (Symbol) —

  the tool being checked

• class_name (String, Symbol, Class, nil) (defaults to: nil) —

  optional class scope for tools that take a ‘class_name:` argument

• op (Symbol, nil) (defaults to: nil) —

  optional CLP op (‘:find`, `:get`, `:count`, `:create`, `:update`, `:delete`, `:addField`) for class-level CLP checks. When omitted, only the class-visibility gate runs; CLP is not consulted.

• method_name (Symbol, String, nil) (defaults to: nil) —

  optional ‘agent_method` target for `call_method` simulation

Returns:

• (Hash) —

  ‘Boolean, reason: Symbol?, denied_at: Symbol?` `reason` and `denied_at` are populated only when `allowed: false`.

# File 'lib/parse/agent/describe.rb', line 99

def would_permit?(tool_name, class_name: nil, op: nil, method_name: nil, **_kwargs)
  tool_sym = tool_name.to_sym

  # Tool filter — present at the per-instance layer. Preserve
  # the historical `:tool_filtered` reason regardless of whether
  # the denial came from tier or instance filter, since the
  # describe consumer reads it as "this tool will be refused"
  # rather than as the dispatcher's split error_code.
  unless allowed_tools.include?(tool_sym)
    return { allowed: false, reason: :tool_filtered, denied_at: :allowed_tools }
  end

  # Env-gate for raw CRUD / schema-mutating tools. Mirrors the
  # gate in Parse::Agent#execute at line 1639-1662.
  if Parse::Agent::WRITE_GATED_TOOLS.include?(tool_sym) &&
     !(Parse::Agent.write_tools_enabled? && Parse::Agent.raw_crud_enabled?)
    return { allowed: false, reason: :write_env_gate_disabled,
             denied_at: :write_env_gate }
  end
  if Parse::Agent::SCHEMA_GATED_TOOLS.include?(tool_sym) &&
     !(Parse::Agent.schema_ops_enabled? && Parse::Agent.raw_schema_enabled?)
    return { allowed: false, reason: :schema_env_gate_disabled,
             denied_at: :schema_env_gate }
  end

  # atlas_faceted_search opt-in (master_atlas: true required —
  # see tools.rb:atlas_faceted_search). Mirrors the explicit
  # opt-in inside the tool body so the simulator doesn't
  # over-report :permitted for a session-bound agent.
  if tool_sym == :atlas_faceted_search &&
     !(respond_to?(:master_atlas?) && master_atlas?)
    return { allowed: false, reason: :master_atlas_required,
             denied_at: :master_atlas_gate }
  end

  # Class access gate — when the tool takes a class_name argument.
  # Includes CLP `op:` check when the caller supplied one,
  # mirroring assert_class_accessible!'s signature.
  if class_name
    cn = class_name.is_a?(Class) && class_name.respond_to?(:parse_class) ?
           class_name.parse_class : class_name.to_s
    begin
      Parse::Agent::Tools.assert_class_accessible!(cn, agent: self, op: op)
    rescue Parse::Agent::AccessDenied => e
      kind = e.respond_to?(:kind) && e.kind ? e.kind : :access_denied
      return { allowed: false, reason: kind, denied_at: :assert_class_accessible! }
    rescue Parse::Agent::ValidationError
      return { allowed: false, reason: :invalid_argument, denied_at: :assert_class_accessible! }
    end
  end

  # method_filtered? — mirror the call_method gate at tools.rb:3948.
  # Only fires when the caller supplied a method_name AND the
  # tool is call_method (the method-filter only narrows that tool).
  if tool_sym == :call_method && method_name && class_name
    cn = class_name.is_a?(Class) && class_name.respond_to?(:parse_class) ?
           class_name.parse_class : class_name.to_s
    if respond_to?(:method_filtered?) &&
       method_filtered?(method_name.to_sym, class_name: cn)
      return { allowed: false, reason: :method_filtered,
               denied_at: :method_filtered }
    end
  end

  { allowed: true }
end