(&self, input: ToolGateInput<'_>)
| 73 | } |
| 74 | |
| 75 | pub(crate) async fn decide(&self, input: ToolGateInput<'_>) -> ToolGateDecision { |
| 76 | if let Some(decision) = self.check_skill_restrictions(input.tool_name) { |
| 77 | return decision; |
| 78 | } |
| 79 | |
| 80 | if let Some(reason) = input.pre_tool_block { |
| 81 | return ToolGateDecision::Deny { |
| 82 | output: format!("Tool '{}' blocked by hook: {}", input.tool_name, reason), |
| 83 | event_reason: reason, |
| 84 | reason: ToolGateDenial::HookBlock, |
| 85 | }; |
| 86 | } |
| 87 | |
| 88 | match self.permission_decision(input.tool_name, input.args) { |
| 89 | PermissionDecision::Deny => ToolGateDecision::Deny { |
| 90 | output: format!( |
| 91 | "Permission denied: Tool '{}' is blocked by permission policy.", |
| 92 | input.tool_name |
| 93 | ), |
| 94 | event_reason: "Blocked by deny rule in permission policy".to_string(), |
| 95 | reason: ToolGateDenial::PermissionDeny, |
| 96 | }, |
| 97 | PermissionDecision::Allow => ToolGateDecision::Execute { |
| 98 | reason: ToolGateApproval::PermissionAllow, |
| 99 | }, |
| 100 | PermissionDecision::Ask => self.confirmation_decision(input.tool_name).await, |
| 101 | } |
| 102 | } |
| 103 | |
| 104 | pub(crate) fn check_skill_restrictions(&self, tool_name: &str) -> Option<ToolGateDecision> { |
| 105 | if !self.config.enforce_active_skill_tool_restrictions { |
no test coverage detected