npm - @mmmbuto/masix - Versions diffs - 0.4.0 → 0.4.2 - Mend

@mmmbuto/masix 0.4.0 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/packages/plugin-base/codex-backend/source/src/policy.rs ADDED Viewed

@@ -0,0 +1,297 @@
+//! Admin policy enforcement for codex-backend module
+//!
+//! This module enforces admin-only execution for the coding backend.
+//! The policy is designed to integrate with MasiX's role-based permission system.
+use crate::CodingError;
+/// Permission levels matching MasiX core
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
+pub enum PermissionLevel {
+    #[default]
+    Readonly,
+    User,
+    Admin,
+}
+impl PermissionLevel {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            PermissionLevel::Readonly => "readonly",
+            PermissionLevel::User => "user",
+            PermissionLevel::Admin => "admin",
+        }
+    }
+    pub fn from_str(s: &str) -> Option<Self> {
+        match s.to_lowercase().as_str() {
+            "readonly" | "read-only" | "read_only" => Some(PermissionLevel::Readonly),
+            "user" => Some(PermissionLevel::User),
+            "admin" | "administrator" => Some(PermissionLevel::Admin),
+            _ => None,
+        }
+    }
+    /// Returns true if this level has admin privileges
+    pub fn is_admin(&self) -> bool {
+        matches!(self, PermissionLevel::Admin)
+    }
+}
+/// Policy context provided by the runtime
+#[derive(Debug, Clone, Default)]
+pub struct PolicyContext {
+    /// User's permission level
+    pub permission_level: PermissionLevel,
+    /// User ID (for logging)
+    pub user_id: Option<String>,
+    /// Chat ID (for logging)
+    pub chat_id: Option<i64>,
+    /// Account tag (for multi-bot isolation)
+    pub account_tag: Option<String>,
+    /// Whether policy enforcement is enabled
+    pub enforcement_enabled: bool,
+}
+impl PolicyContext {
+    /// Create a new policy context with the given permission level
+    pub fn new(level: PermissionLevel) -> Self {
+        Self {
+            permission_level: level,
+            enforcement_enabled: true,
+            ..Default::default()
+        }
+    }
+    /// Create an admin context (for testing or privileged execution)
+    pub fn admin() -> Self {
+        Self {
+            permission_level: PermissionLevel::Admin,
+            enforcement_enabled: true,
+            ..Default::default()
+        }
+    }
+    /// Create a readonly context
+    pub fn readonly() -> Self {
+        Self {
+            permission_level: PermissionLevel::Readonly,
+            enforcement_enabled: true,
+            ..Default::default()
+        }
+    }
+    /// Create a user context
+    pub fn user() -> Self {
+        Self {
+            permission_level: PermissionLevel::User,
+            enforcement_enabled: true,
+            ..Default::default()
+        }
+    }
+    /// Disable policy enforcement (for local/CLI use)
+    pub fn unenforced() -> Self {
+        Self {
+            enforcement_enabled: false,
+            ..Default::default()
+        }
+    }
+    /// Set user ID
+    pub fn with_user_id(mut self, user_id: impl Into<String>) -> Self {
+        self.user_id = Some(user_id.into());
+        self
+    }
+    /// Set chat ID
+    pub fn with_chat_id(mut self, chat_id: i64) -> Self {
+        self.chat_id = Some(chat_id);
+        self
+    }
+    /// Set account tag
+    pub fn with_account_tag(mut self, tag: impl Into<String>) -> Self {
+        self.account_tag = Some(tag.into());
+        self
+    }
+}
+/// Admin policy checker for codex-backend
+#[derive(Debug, Clone, Default)]
+pub struct AdminPolicy {
+    /// Whether admin is required (default: true)
+    require_admin: bool,
+    /// Whether enforcement is enabled
+    enforcement_enabled: bool,
+}
+impl AdminPolicy {
+    /// Create a new admin policy with enforcement enabled
+    pub fn new() -> Self {
+        Self {
+            require_admin: true,
+            enforcement_enabled: true,
+        }
+    }
+    /// Create a policy that doesn't require admin (for testing)
+    pub fn permissive() -> Self {
+        Self {
+            require_admin: false,
+            enforcement_enabled: true,
+        }
+    }
+    /// Create a policy with enforcement disabled (for CLI/local use)
+    pub fn disabled() -> Self {
+        Self {
+            require_admin: true,
+            enforcement_enabled: false,
+        }
+    }
+    /// Check if a task is allowed based on policy context
+    pub fn check(&self, context: Option<&PolicyContext>) -> Result<(), CodingError> {
+        // If enforcement is disabled, always allow
+        if !self.enforcement_enabled {
+            return Ok(());
+        }
+        // If admin is not required, always allow
+        if !self.require_admin {
+            return Ok(());
+        }
+        // If no context provided, deny (fail-safe)
+        let ctx = context.ok_or_else(|| {
+            CodingError::PolicyError("Policy context required but not provided".into())
+        })?;
+        // If context has enforcement disabled, allow
+        if !ctx.enforcement_enabled {
+            return Ok(());
+        }
+        // Check permission level
+        if ctx.permission_level.is_admin() {
+            return Ok(());
+        }
+        // Deny with detailed error
+        Err(CodingError::PolicyError(format!(
+            "Admin privileges required. User '{}' has level '{}'",
+            ctx.user_id.as_deref().unwrap_or("unknown"),
+            ctx.permission_level.as_str()
+        )))
+    }
+    /// Returns true if admin is required
+    pub fn requires_admin(&self) -> bool {
+        self.require_admin && self.enforcement_enabled
+    }
+}
+#[cfg(test)]
+mod tests {
+    use super::*;
+    #[test]
+    fn test_permission_level_is_admin() {
+        assert!(PermissionLevel::Admin.is_admin());
+        assert!(!PermissionLevel::User.is_admin());
+        assert!(!PermissionLevel::Readonly.is_admin());
+    }
+    #[test]
+    fn test_permission_level_from_str() {
+        assert_eq!(
+            PermissionLevel::from_str("admin"),
+            Some(PermissionLevel::Admin)
+        );
+        assert_eq!(
+            PermissionLevel::from_str("user"),
+            Some(PermissionLevel::User)
+        );
+        assert_eq!(
+            PermissionLevel::from_str("readonly"),
+            Some(PermissionLevel::Readonly)
+        );
+        assert_eq!(PermissionLevel::from_str("invalid"), None);
+    }
+    #[test]
+    fn test_policy_context_admin() {
+        let ctx = PolicyContext::admin();
+        assert!(ctx.permission_level.is_admin());
+        assert!(ctx.enforcement_enabled);
+    }
+    #[test]
+    fn test_admin_policy_check_admin() {
+        let policy = AdminPolicy::new();
+        let ctx = PolicyContext::admin();
+        assert!(policy.check(Some(&ctx)).is_ok());
+    }
+    #[test]
+    fn test_admin_policy_check_user_denied() {
+        let policy = AdminPolicy::new();
+        let ctx = PolicyContext::user();
+        assert!(policy.check(Some(&ctx)).is_err());
+    }
+    #[test]
+    fn test_admin_policy_check_readonly_denied() {
+        let policy = AdminPolicy::new();
+        let ctx = PolicyContext::readonly();
+        let result = policy.check(Some(&ctx));
+        assert!(result.is_err());
+        if let Err(CodingError::PolicyError(msg)) = result {
+            assert!(msg.contains("Admin privileges required"));
+        } else {
+            panic!("Expected PolicyError");
+        }
+    }
+    #[test]
+    fn test_admin_policy_check_no_context_denied() {
+        let policy = AdminPolicy::new();
+        let result = policy.check(None);
+        assert!(result.is_err());
+    }
+    #[test]
+    fn test_admin_policy_permissive() {
+        let policy = AdminPolicy::permissive();
+        let ctx = PolicyContext::readonly();
+        assert!(policy.check(Some(&ctx)).is_ok());
+    }
+    #[test]
+    fn test_admin_policy_disabled() {
+        let policy = AdminPolicy::disabled();
+        assert!(policy.check(None).is_ok());
+    }
+    #[test]
+    fn test_policy_context_unenforced() {
+        let ctx = PolicyContext::unenforced();
+        assert!(!ctx.enforcement_enabled);
+        let policy = AdminPolicy::new();
+        assert!(policy.check(Some(&ctx)).is_ok());
+    }
+    #[test]
+    fn test_policy_context_builder() {
+        let ctx = PolicyContext::admin()
+            .with_user_id("test_user")
+            .with_chat_id(12345)
+            .with_account_tag("test_account");
+        assert_eq!(ctx.user_id, Some("test_user".to_string()));
+        assert_eq!(ctx.chat_id, Some(12345));
+        assert_eq!(ctx.account_tag, Some("test_account".to_string()));
+    }
+}

package/packages/plugin-base/codex-backend/source/src/tools.rs ADDED Viewed

@@ -0,0 +1,72 @@
+use serde_json::json;
+pub fn get_read_tools() -> Vec<serde_json::Value> {
+    vec![
+        json!({
+            "type": "function",
+            "function": {
+                "name": "read_file",
+                "description": "Read the contents of a file",
+                "parameters": {
+                    "type": "object",
+                    "properties": {
+                        "path": {"type": "string", "description": "File path relative to repo root"}
+                    },
+                    "required": ["path"]
+                }
+            }
+        }),
+        json!({
+            "type": "function",
+            "function": {
+                "name": "list_dir",
+                "description": "List contents of a directory",
+                "parameters": {
+                    "type": "object",
+                    "properties": {
+                        "path": {"type": "string", "description": "Directory path relative to repo root"}
+                    },
+                    "required": ["path"]
+                }
+            }
+        }),
+    ]
+}
+pub fn get_write_tools() -> Vec<serde_json::Value> {
+    let mut tools = get_read_tools();
+    tools.push(json!({
+        "type": "function",
+        "function": {
+            "name": "write_file",
+            "description": "Write content to a file (creates or overwrites)",
+            "parameters": {
+                "type": "object",
+                "properties": {
+                    "path": {"type": "string", "description": "File path relative to repo root"},
+                    "content": {"type": "string", "description": "Content to write"}
+                },
+                "required": ["path", "content"]
+            }
+        }
+    }));
+    tools
+}
+pub fn tools_to_anthropic_format(tools: &[serde_json::Value]) -> Vec<serde_json::Value> {
+    tools
+        .iter()
+        .filter_map(|t| {
+            let func = t.get("function")?;
+            Some(json!({
+                "name": func["name"],
+                "description": func["description"],
+                "input_schema": func["parameters"]
+            }))
+        })
+        .collect()
+}
+pub fn tools_to_openai_format(tools: &[serde_json::Value]) -> Vec<serde_json::Value> {
+    tools.to_vec()
+}