tools

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 7, 2026 License: MIT Imports: 31 Imported by: 0

Documentation

Overview

Ported from rust/crates/runtime/src/bash_validation.rs — pipeline and security gate extensions.

Ported from rust/crates/runtime/src/bash_validation.rs

Index

Constants

This section is empty.

Variables

View Source 
var ErrComputerUseUnavailable = errors.New("computer_use: not available on this host")

ErrComputerUseUnavailable is returned when the host environment cannot support computer-use actions: no display server, missing required binaries, or unsupported OS. Callers can wrap or unwrap with errors.As.

View Source 
var ErrNoAsker = fmt.Errorf("ask_user: no interactive Asker configured (non-interactive mode)")

ErrNoAsker is returned when ask_user runs with no Asker wired in a non-interactive context.

Functions

func AgentTool 

func AgentTool() api.Tool

func AllowedToolsForSubagent 

func AllowedToolsForSubagent(subagentType string) map[string]bool

AllowedToolsForSubagent returns the set of allowed tool names for a subagent type.

func AskUserFallback 

func AskUserFallback(question string) api.ContentBlock

AskUserFallback returns a tool_result block for non-interactive contexts. Preserved for the legacy code path.

func AskUserInput 

func AskUserInput(input map[string]any) (string, bool)

AskUserInput pulls the (legacy) plain-text question from a tool input map. Kept for callers that only need the question string; new code should use ParseAskUserInput for the structured form.

func AskUserQuestionTool 

func AskUserQuestionTool() api.Tool

AskUserQuestionTool returns the tool definition for ask_user.

func BashTool 

func BashTool() api.Tool

BashTool returns the tool definition for the bash tool.

func ComputerUseTool 

func ComputerUseTool() api.Tool

ComputerUseTool returns the tool definition for the computer_use tool. The schema mirrors the Anthropic computer-use-20241022 contract closely enough that prompt-side guidance written for Claude Code transfers verbatim, while remaining a generic api.Tool (no provider-specific cache_control plumbing).

func ConfigTool 

func ConfigTool() api.Tool

func CronCreateTool 

func CronCreateTool() api.Tool

func CronDeleteTool 

func CronDeleteTool() api.Tool

func CronGetTool 

func CronGetTool() api.Tool

func CronListTool 

func CronListTool() api.Tool

func DetectCommandSubstitution 

func DetectCommandSubstitution(command string) bool

DetectCommandSubstitution returns true if the command contains $(...) or backtick substitution outside single quotes.

func EnterPlanModeTool 

func EnterPlanModeTool() api.Tool

func ExecuteAgent 

func ExecuteAgent(input map[string]any) (string, error)

ExecuteAgent validates input and returns agent metadata. Actual goroutine spawning is handled by the ConversationLoop.

func ExecuteAskUser 

func ExecuteAskUser(ctx context.Context, asker Asker, input map[string]any) (string, error)

ExecuteAskUser invokes the supplied Asker and returns a string suitable for embedding in a tool_result content block. A nil Asker returns ErrNoAsker so callers can decide whether to fall back to a placeholder.

func ExecuteBash 

func ExecuteBash(input map[string]any, mode permissions.PermissionMode, workspace string) (string, error)

ExecuteBash runs a bash command and returns combined stdout+stderr. It validates the command against the current permission mode and workspace path before execution. Pass permissions.ModeAllow and "" to skip validation.

The spawned bash inherits os.Environ() of the calling process. Use ExecuteBashWithEnv when the caller needs to surface a project-managed toolchain (devbox, nix, asdf) whose bin path is not in the parent shell's PATH.

func ExecuteBashWithEnv 

func ExecuteBashWithEnv(input map[string]any, mode permissions.PermissionMode, workspace string, extraEnv []string) (string, error)

ExecuteBashWithEnv runs a bash command with extra environment variables appended to the inherited process environment. Each extraEnv entry uses the standard "KEY=value" format; later entries for the same key win (Go's exec.Cmd convention).

The use case driving this entry point: when iterion is launched without the project's devbox/nix/asdf toolchain in PATH, the bash tool can't find go/gofmt/etc. and the LLM-driven fixer can't run `go test` to validate its patch. Passing devbox's bin path via extraEnv from the iterion side restores autonomy without forcing every operator to remember `devbox run --` at launch.

Pass nil to inherit only the parent process's environment (same behaviour as the legacy ExecuteBash entry point).

func ExecuteConfig 

func ExecuteConfig(input map[string]any, configMap map[string]any) (string, error)

ExecuteConfig reads a config value. The configMap is typically populated from ConversationLoop.Config fields exposed as a flat map.

func ExecuteCronCreate 

func ExecuteCronCreate(input map[string]any, reg *team.CronRegistry) (string, error)

func ExecuteCronDelete 

func ExecuteCronDelete(input map[string]any, reg *team.CronRegistry) (string, error)

func ExecuteCronGet 

func ExecuteCronGet(input map[string]any, reg *team.CronRegistry) (string, error)

func ExecuteCronList 

func ExecuteCronList(input map[string]any, reg *team.CronRegistry) (string, error)

func ExecuteEnterPlanMode 

func ExecuteEnterPlanMode(planModeActive *bool, stateDir string) (string, error)

func ExecuteExitPlanMode 

func ExecuteExitPlanMode(planModeActive *bool, stateDir string) (string, error)

func ExecuteFileEdit 

func ExecuteFileEdit(input map[string]any) (string, error)

ExecuteFileEdit performs a targeted string replacement in a file.

func ExecuteGlob 

func ExecuteGlob(input map[string]any) (string, error)

ExecuteGlob finds files matching a glob pattern.

func ExecuteGrep 

func ExecuteGrep(input map[string]any) (string, error)

ExecuteGrep searches for a regex pattern in files.

func ExecuteLSP 

func ExecuteLSP(input map[string]any, registry *lsp.Registry) (string, error)

func ExecuteListMcpResources 

func ExecuteListMcpResources(ctx context.Context, input map[string]any, provider mcp.Provider) (string, error)

func ExecuteMcpAuth 

func ExecuteMcpAuth(ctx context.Context, input map[string]any, provider mcp.Provider) (string, error)

func ExecuteNotebookEdit 

func ExecuteNotebookEdit(input map[string]any) (string, error)

func ExecuteREPL 

func ExecuteREPL(input map[string]any) (string, error)

func ExecuteReadFile 

func ExecuteReadFile(input map[string]any) (string, error)

ExecuteReadFile reads a file and returns its contents.

func ExecuteReadMcpResource 

func ExecuteReadMcpResource(ctx context.Context, input map[string]any, provider mcp.Provider) (string, error)

func ExecuteRemoteTrigger 

func ExecuteRemoteTrigger(ctx context.Context, input map[string]any) (string, error)

ExecuteRemoteTrigger runs a remote_trigger invocation with the default runtime options. ctx governs timeout/cancellation.

func ExecuteRemoteTriggerWith 

func ExecuteRemoteTriggerWith(ctx context.Context, input map[string]any, opts RemoteTriggerOptions) (string, error)

ExecuteRemoteTriggerWith is the variant that accepts custom options for tests or hosts that need to relax / tighten the defaults.

func ExecuteRunTaskPacket 

func ExecuteRunTaskPacket(input map[string]any, reg *task.Registry) (string, error)

func ExecuteSendUserMessage 

func ExecuteSendUserMessage(input map[string]any) (string, error)

func ExecuteSkill 

func ExecuteSkill(input map[string]any, workDir string) (string, error)

func ExecuteSleep 

func ExecuteSleep(input map[string]any) (string, error)

func ExecuteStructuredOutput 

func ExecuteStructuredOutput(input map[string]any) (string, error)

func ExecuteTaskCreate 

func ExecuteTaskCreate(input map[string]any, reg *task.Registry) (string, error)

func ExecuteTaskGet 

func ExecuteTaskGet(input map[string]any, reg *task.Registry) (string, error)

func ExecuteTaskList 

func ExecuteTaskList(input map[string]any, reg *task.Registry) (string, error)

func ExecuteTaskOutput 

func ExecuteTaskOutput(input map[string]any, reg *task.Registry) (string, error)

func ExecuteTaskStop 

func ExecuteTaskStop(input map[string]any, reg *task.Registry) (string, error)

func ExecuteTaskUpdate 

func ExecuteTaskUpdate(input map[string]any, reg *task.Registry) (string, error)

func ExecuteTeamCreate 

func ExecuteTeamCreate(input map[string]any, reg *team.TeamRegistry) (string, error)

func ExecuteTeamDelete 

func ExecuteTeamDelete(input map[string]any, reg *team.TeamRegistry) (string, error)

func ExecuteTeamGet 

func ExecuteTeamGet(input map[string]any, reg *team.TeamRegistry) (string, error)

func ExecuteTeamList 

func ExecuteTeamList(input map[string]any, reg *team.TeamRegistry) (string, error)

func ExecuteTodoWrite 

func ExecuteTodoWrite(input map[string]any) (string, error)

ExecuteTodoWrite reads or writes the todo list.

func ExecuteToolSearch 

func ExecuteToolSearch(input map[string]any, allTools []api.Tool) (string, error)

ExecuteToolSearch searches the provided tool list by name/description.

func ExecuteWebFetch 

func ExecuteWebFetch(input map[string]any) (string, error)

ExecuteWebFetch fetches a URL and returns its text content.

func ExecuteWebSearch 

func ExecuteWebSearch(input map[string]any) (string, error)

ExecuteWebSearch performs a web search and returns formatted results.

func ExecuteWorkerAwaitReady 

func ExecuteWorkerAwaitReady(input map[string]any, reg *worker.WorkerRegistry) (string, error)

func ExecuteWorkerCreate 

func ExecuteWorkerCreate(input map[string]any, reg *worker.WorkerRegistry) (string, error)

func ExecuteWorkerGet 

func ExecuteWorkerGet(input map[string]any, reg *worker.WorkerRegistry) (string, error)

func ExecuteWorkerObserve 

func ExecuteWorkerObserve(input map[string]any, reg *worker.WorkerRegistry) (string, error)

func ExecuteWorkerObserveCompletion 

func ExecuteWorkerObserveCompletion(input map[string]any, reg *worker.WorkerRegistry) (string, error)

func ExecuteWorkerResolveTrust 

func ExecuteWorkerResolveTrust(input map[string]any, reg *worker.WorkerRegistry) (string, error)

func ExecuteWorkerRestart 

func ExecuteWorkerRestart(input map[string]any, reg *worker.WorkerRegistry) (string, error)

func ExecuteWorkerSendPrompt 

func ExecuteWorkerSendPrompt(input map[string]any, reg *worker.WorkerRegistry) (string, error)

func ExecuteWorkerTerminate 

func ExecuteWorkerTerminate(input map[string]any, reg *worker.WorkerRegistry) (string, error)

func ExecuteWriteFile 

func ExecuteWriteFile(input map[string]any) (string, error)

ExecuteWriteFile writes content to a file, creating parent directories as needed.

func ExitPlanModeTool 

func ExitPlanModeTool() api.Tool

func ExtractText 

func ExtractText(path string) (string, error)

ExtractText reads a PDF file and extracts all readable text from BT/ET operators across all content streams. Non-text pages or encrypted PDFs yield an empty string rather than an error.

func ExtractTextFromBytes 

func ExtractTextFromBytes(data []byte) string

ExtractTextFromBytes extracts text from raw PDF bytes. This is the core extraction function, useful for testing without touching the filesystem.

func FileEditTool 

func FileEditTool() api.Tool

FileEditTool returns the tool definition for targeted string-replace file edits.

func GlobTool 

func GlobTool() api.Tool

GlobTool returns the tool definition for glob file search.

func GrepTool 

func GrepTool() api.Tool

GrepTool returns the tool definition for grep file search.

func ListMcpResourcesTool 

func ListMcpResourcesTool() api.Tool

func LoadPersistedPlanMode 

func LoadPersistedPlanMode(stateDir string) (bool, error)

LoadPersistedPlanMode reads the persisted plan mode state from disk. Returns (true, nil) if a state file exists (indicating plan mode was entered via ExecuteEnterPlanMode). Returns (false, nil) if stateDir is empty or the file doesn't exist. Returns (false, error) for real filesystem failures (permission denied, I/O errors), matching Rust's error propagation.

func LooksLikePDFPath 

func LooksLikePDFPath(text string) (string, bool)

LooksLikePDFPath checks if a user-supplied text contains a PDF file reference. Returns the cleaned path and true if found, or empty string and false.

func LspTool 

func LspTool() api.Tool

func MaybeExtractPDFFromPrompt 

func MaybeExtractPDFFromPrompt(prompt string) (string, string, bool)

MaybeExtractPDFFromPrompt auto-extracts text from a PDF path mentioned in a user prompt. Returns (path, text, true) when a .pdf path is detected and the file exists with extractable text, otherwise ("", "", false).

func McpAuthTool 

func McpAuthTool() api.Tool

func NotebookEditTool 

func NotebookEditTool() api.Tool

func REPLTool 

func REPLTool() api.Tool

func ReadFileTool 

func ReadFileTool() api.Tool

ReadFileTool returns the tool definition for reading files.

func ReadImageTool 

func ReadImageTool() api.Tool

ReadImageTool returns the tool definition for loading an image into the conversation as an Anthropic vision content block.

func ReadMcpResourceTool 

func ReadMcpResourceTool() api.Tool

func RemoteTriggerTool 

func RemoteTriggerTool() api.Tool

func RunTaskPacketTool 

func RunTaskPacketTool() api.Tool

func ScreenshotTool 

func ScreenshotTool() api.Tool

ScreenshotTool is preserved for backward compatibility. It returns the computer_use tool definition rebranded with a screenshot-only description so existing callers that only ever want screenshots keep working.

func SendUserMessageTool 

func SendUserMessageTool() api.Tool

func SkillTool 

func SkillTool() api.Tool

func SleepTool 

func SleepTool() api.Tool

func StructuredOutputTool 

func StructuredOutputTool() api.Tool

func TaskCreateTool 

func TaskCreateTool() api.Tool

func TaskGetTool 

func TaskGetTool() api.Tool

func TaskListTool 

func TaskListTool() api.Tool

func TaskOutputTool 

func TaskOutputTool() api.Tool

func TaskStopTool 

func TaskStopTool() api.Tool

func TaskUpdateTool 

func TaskUpdateTool() api.Tool

func TeamCreateTool 

func TeamCreateTool() api.Tool

func TeamDeleteTool 

func TeamDeleteTool() api.Tool

func TeamGetTool 

func TeamGetTool() api.Tool

func TeamListTool 

func TeamListTool() api.Tool

func TodoWriteTool 

func TodoWriteTool() api.Tool

TodoWriteTool returns the tool definition for reading/writing the todo list.

func ToolSearchTool 

func ToolSearchTool() api.Tool

func WebFetchTool 

func WebFetchTool() api.Tool

WebFetchTool returns the tool definition for fetching URLs.

func WebSearchTool 

func WebSearchTool() api.Tool

WebSearchTool returns the tool definition for web search.

func WorkerAwaitReadyTool 

func WorkerAwaitReadyTool() api.Tool

func WorkerCreateTool 

func WorkerCreateTool() api.Tool

func WorkerGetTool 

func WorkerGetTool() api.Tool

func WorkerObserveCompletionTool 

func WorkerObserveCompletionTool() api.Tool

func WorkerObserveTool 

func WorkerObserveTool() api.Tool

func WorkerResolveTrustTool 

func WorkerResolveTrustTool() api.Tool

func WorkerRestartTool 

func WorkerRestartTool() api.Tool

func WorkerSendPromptTool 

func WorkerSendPromptTool() api.Tool

func WorkerTerminateTool 

func WorkerTerminateTool() api.Tool

func WriteFileTool 

func WriteFileTool() api.Tool

WriteFileTool returns the tool definition for writing files.

Types

type AgentSpec 

type AgentSpec struct {
	AgentID      string `json:"agent_id"`
	Name         string `json:"name"`
	Description  string `json:"description"`
	Prompt       string `json:"prompt"`
	SubagentType string `json:"subagent_type"`
	Model        string `json:"model"`
}

AgentSpec holds validated agent parameters for spawning.

func ValidateAgentInput 

func ValidateAgentInput(input map[string]any) (*AgentSpec, error)

ValidateAgentInput validates agent tool input and returns an AgentSpec.

type Answer 

type Answer struct {
	OptionID string
	FreeText string
	Skipped  bool
}

Answer carries the user's response. Exactly one of OptionID / FreeText is populated for a successful answer; both empty indicates a skip.

type Asker 

type Asker interface {
	Ask(ctx context.Context, q Question) (Answer, error)
}

Asker pulls an answer from the user (or a batch source).

type CommandIntent 

type CommandIntent int

CommandIntent is a semantic classification of a bash command's intent. 

const (
	// ReadOnly operations: ls, cat, grep, find, etc.
	ReadOnly CommandIntent = iota
	// Write operations: cp, mv, mkdir, touch, tee, etc.
	Write
	// Destructive operations: rm, shred, truncate, etc.
	Destructive
	// Network operations: curl, wget, ssh, etc.
	Network
	// ProcessManagement operations: kill, pkill, etc.
	ProcessManagement
	// PackageManagement operations: apt, brew, pip, npm, etc.
	PackageManagement
	// SystemAdmin operations: sudo, chmod, chown, mount, etc.
	SystemAdmin
	// Unknown or unclassifiable command.
	Unknown
)

func ClassifyCommand 

func ClassifyCommand(command string) CommandIntent

ClassifyCommand classifies the semantic intent of a bash command.

type ComputerUseAction 

type ComputerUseAction string

ComputerUseAction enumerates the action verbs accepted by the computer_use tool. The set mirrors Anthropic's official computer_use_20241022 spec, minus scroll variants which depend on toolkit-specific keysyms. 

const (
	ActionScreenshot     ComputerUseAction = "screenshot"
	ActionLeftClick      ComputerUseAction = "left_click"
	ActionRightClick     ComputerUseAction = "right_click"
	ActionMiddleClick    ComputerUseAction = "middle_click"
	ActionDoubleClick    ComputerUseAction = "double_click"
	ActionType           ComputerUseAction = "type"
	ActionKey            ComputerUseAction = "key"
	ActionMouseMove      ComputerUseAction = "mouse_move"
	ActionCursorPosition ComputerUseAction = "cursor_position"
	ActionLeftClickDrag  ComputerUseAction = "left_click_drag"
)

type ComputerUseResult 

type ComputerUseResult = ReadImageResult

ComputerUseResult is what ExecuteComputerUse produces. For screenshot actions, Blocks holds a single image ContentBlock and Description carries a caption. For input actions, Blocks is empty and Description carries a short success summary (e.g. "clicked at (120, 240)").

func ExecuteComputerUse 

func ExecuteComputerUse(ctx context.Context, input map[string]any) (ComputerUseResult, error)

ExecuteComputerUse dispatches an action verb to its handler. Validates inputs, then either captures a screenshot or invokes xdotool. Always returns ErrComputerUseUnavailable (wrapped) when prerequisites are missing.

type Option 

type Option struct {
	ID    string
	Label string
}

Option is a single selectable answer surfaced to the user.

type PipelineSegment 

type PipelineSegment struct {
	Command  string
	Operator string // "|", "&&", "||", ";", or "" for the first segment
}

PipelineSegment represents a single command in a pipeline/chain.

func SplitPipeline 

func SplitPipeline(command string) []PipelineSegment

SplitPipeline splits a command string on |, &&, ||, ; while respecting single quotes, double quotes, and escape sequences.

type ProgrammaticAsker 

type ProgrammaticAsker struct {
	Handler func(ctx context.Context, q Question) (Answer, error)
}

ProgrammaticAsker resolves answers via a caller-supplied function. Used for SDK / batch / test contexts where there is no human at a terminal.

func (*ProgrammaticAsker) Ask 

func (p *ProgrammaticAsker) Ask(ctx context.Context, q Question) (Answer, error)

Ask delegates to Handler; nil handler returns ErrNoAsker.

type Question 

type Question struct {
	Prompt        string
	Options       []Option
	AllowFreeText bool
}

Question describes a structured question put to the user.

func ParseAskUserInput 

func ParseAskUserInput(input map[string]any) (Question, error)

ParseAskUserInput extracts a Question from a tool input map.

type ReadImageResult 

type ReadImageResult struct {
	Description string             `json:"description"`
	Blocks      []api.ContentBlock `json:"blocks"`
}

ReadImageResult is what ExecuteReadImage produces. The Blocks field is shaped so callers can splice it directly into a tool_result content list destined for the next user-turn message.

func ExecuteReadImage 

func ExecuteReadImage(ctx context.Context, input map[string]any) (ReadImageResult, error)

ExecuteReadImage validates input, loads bytes from path or url, sniffs the media type, and returns a single image ContentBlock encoded as base64. Exactly one of path / url must be provided.

func ExecuteScreenshot 

func ExecuteScreenshot(ctx context.Context, input map[string]any) (ReadImageResult, error)

ExecuteScreenshot is a thin shim around the computer_use screenshot action, kept to preserve the legacy API. New code should call ExecuteComputerUse with action="screenshot".

type RemoteTriggerOptions 

type RemoteTriggerOptions struct {
	HTTPClient      *http.Client // nil => internal default with per-request timeout
	MaxBodyBytes    int          // <=0 => remoteTriggerDefaultMaxBody
	AllowAuthHeader bool         // permit caller to set Authorization in input
	URLValidator    func(*url.URL) error
}

RemoteTriggerOptions tunes the runtime defence-in-depth knobs without exposing them through the LLM-facing tool schema.

type ResolvedAttachment 

type ResolvedAttachment struct {
	Path    string `json:"path"`
	Size    int64  `json:"size"`
	IsImage bool   `json:"isImage"`
}

ResolvedAttachment holds metadata for a resolved file attachment.

type StdinAsker 

type StdinAsker struct {
	In  io.Reader
	Out io.Writer
}

StdinAsker reads the answer from os.Stdin and writes the prompt to os.Stdout.

func NewStdinAsker 

func NewStdinAsker() *StdinAsker

NewStdinAsker returns an Asker bound to stdio.

func (*StdinAsker) Ask 

func (s *StdinAsker) Ask(ctx context.Context, q Question) (Answer, error)

Ask renders the question on Out, reads a line on In, and resolves it to an Option (by index or label) or to free text.

type TUIAsker 

type TUIAsker struct {
	Deliver func(ctx context.Context, q Question) (Answer, error)
}

TUIAsker bridges to a TUI through a delivery callback. The TUI layer of claw-code-go itself does not use this — it consumes the runtime's TurnEventAskUser channel directly — but external TUIs that embed the SDK can wire this implementation.

func (*TUIAsker) Ask 

func (t *TUIAsker) Ask(ctx context.Context, q Question) (Answer, error)

Ask delegates to Deliver; nil deliver returns ErrNoAsker.

type TodoItem 

type TodoItem struct {
	ID       string `json:"id"`
	Content  string `json:"content"`
	Status   string `json:"status"`   // "pending" | "in_progress" | "done"
	Priority string `json:"priority"` // "high" | "medium" | "low"
}

TodoItem represents a single task in the todo list.

type ToolSearchResult 

type ToolSearchResult struct {
	Matches            []string `json:"matches"`
	Query              string   `json:"query"`
	NormalizedQuery    string   `json:"normalized_query"`
	TotalDeferredTools int      `json:"total_deferred_tools"`
}

ToolSearchResult holds search results.

type ValidationKind 

type ValidationKind int

ValidationKind classifies the outcome of a bash command validation. 

const (
	// ValidationAllow means the command is safe to execute.
	ValidationAllow ValidationKind = iota
	// ValidationBlock means the command should be blocked.
	ValidationBlock
	// ValidationWarn means the command requires user confirmation.
	ValidationWarn
)

type ValidationResult 

type ValidationResult struct {
	Kind    ValidationKind
	Reason  string
	Message string
}

ValidationResult is the outcome of validating a bash command before execution.

func CheckDestructive 

func CheckDestructive(command string) ValidationResult

CheckDestructive warns if a command looks destructive.

func DetectEnvVarLeak 

func DetectEnvVarLeak(command string) ValidationResult

DetectEnvVarLeak checks for commands that might leak sensitive environment variables.

func DetectSudoElevatedFlags 

func DetectSudoElevatedFlags(command string) *ValidationResult

DetectSudoElevatedFlags checks for sudo -E (preserve env) and sudo -u (run as user). Returns nil if no elevated flags detected.

func ValidateArchiveExtraction 

func ValidateArchiveExtraction(command string) ValidationResult

ValidateArchiveExtraction checks tar/unzip for path safety.

func ValidateCommand 

func ValidateCommand(command string, mode permissions.PermissionMode, workspace string) ValidationResult

ValidateCommand runs the full validation pipeline on a bash command. Returns the first non-Allow result, or Allow if all validations pass.

func ValidateMode 

func ValidateMode(command string, mode permissions.PermissionMode) ValidationResult

ValidateMode validates that a command is consistent with the given permission mode.

func ValidateNetworkTimeout 

func ValidateNetworkTimeout(command string) ValidationResult

ValidateNetworkTimeout warns when network commands lack explicit timeout flags.

func ValidatePaths 

func ValidatePaths(command string, workspace string) ValidationResult

ValidatePaths validates that command paths don't include suspicious traversal patterns.

func ValidateReadOnly 

func ValidateReadOnly(command string, mode permissions.PermissionMode) ValidationResult

ValidateReadOnly validates that a command is allowed under read-only mode.

func ValidateSed 

func ValidateSed(command string, mode permissions.PermissionMode) ValidationResult

ValidateSed validates sed expressions for safety.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.