Create a temporary permission policy that grants the skill's allowed-tools
(skill: &Skill)
| 224 | |
| 225 | /// Create a temporary permission policy that grants the skill's allowed-tools |
| 226 | fn create_skill_permission_policy(skill: &Skill) -> PermissionPolicy { |
| 227 | let permissions = skill.parse_allowed_tools(); |
| 228 | |
| 229 | if permissions.is_empty() { |
| 230 | tracing::warn!( |
| 231 | skill = %skill.name, |
| 232 | "Skill has no allowed-tools grants; Skill invocation remains fail-secure and will deny tool use" |
| 233 | ); |
| 234 | return PermissionPolicy { |
| 235 | deny: Vec::new(), |
| 236 | allow: Vec::new(), |
| 237 | ask: Vec::new(), |
| 238 | default_decision: PermissionDecision::Deny, |
| 239 | enabled: true, |
| 240 | }; |
| 241 | } |
| 242 | |
| 243 | // Convert skill permissions to PermissionRules |
| 244 | let mut allow_rules = Vec::new(); |
| 245 | for perm in permissions { |
| 246 | // Create a rule string in the format "Tool(pattern)" |
| 247 | let rule_str = if perm.pattern == "*" { |
| 248 | perm.tool.clone() |
| 249 | } else { |
| 250 | format!("{}({})", perm.tool, perm.pattern) |
| 251 | }; |
| 252 | allow_rules.push(PermissionRule::new(&rule_str)); |
| 253 | } |
| 254 | |
| 255 | PermissionPolicy { |
| 256 | deny: Vec::new(), |
| 257 | allow: allow_rules, |
| 258 | ask: Vec::new(), |
| 259 | default_decision: PermissionDecision::Deny, // Deny by default - only allow what skill specifies |
| 260 | enabled: true, |
| 261 | } |
| 262 | } |
| 263 | } |
| 264 | |
| 265 | #[async_trait] |
nothing calls this directly
no test coverage detected