Restore prompt-approved tool execution in CLI parity runs

ConversationRuntime already performs permission-policy checks and interactive approvals before dispatching a tool. The CLI tool executor was routing those same tool calls back through GlobalToolRegistry::execute, which re-ran the enforcer without a prompter and flipped approved bash calls back into denials. Add a preauthorized execution path for runtime-dispatched tools, keep registry enforcement for direct callers, and format the files that were already tripping rustfmt on main. Constraint: CI on main was failing both cargo fmt and the mock parity harness after permission enforcement landed Rejected: Remove registry enforcement globally | would reopen direct-dispatch permission gaps Confidence: high Scope-risk: narrow Reversibility: clean Directive: Use execute_preauthorized only after ConversationRuntime or an equivalent caller has already completed permission gating Tested: cargo fmt --all --check; cargo test -p rusty-claude-cli; cargo test -p tools Not-tested: Full workspace test matrix beyond the Rust CI workflow targets
2026-04-29 16:17:50 +02:00 · 2026-04-03 09:32:29 +00:00
parent 618a79a9f4
commit bf59abc9e9
3 changed files with 60 additions and 23 deletions
@@ -191,7 +191,10 @@ impl McpToolRegistry {
                        let mut manager = manager
                            .lock()
                            .map_err(|_| "mcp server manager lock poisoned".to_string())?;
-                        manager.discover_tools().await.map_err(|error| error.to_string())?;
+                        manager
+                            .discover_tools()
+                            .await
+                            .map_err(|error| error.to_string())?;
                        let response = manager
                            .call_tool(&qualified_tool_name, arguments)
                            .await
@@ -834,7 +837,9 @@ mod tests {
            None,
        );
        registry
-            .set_manager(Arc::new(Mutex::new(McpServerManager::from_servers(&servers))))
+            .set_manager(Arc::new(Mutex::new(McpServerManager::from_servers(
+                &servers,
+            ))))
            .expect("manager should only be set once");

        let result = registry
@@ -40,8 +40,7 @@ use plugins::{PluginHooks, PluginManager, PluginManagerConfig, PluginRegistry};
 use render::{MarkdownStreamState, Spinner, TerminalRenderer};
 use runtime::{
    clear_oauth_credentials, generate_pkce_pair, generate_state, load_system_prompt,
-    parse_oauth_callback_request_target,
-    permission_enforcer::PermissionEnforcer,
+    parse_oauth_callback_request_target, permission_enforcer::PermissionEnforcer,
    resolve_sandbox_status, save_oauth_credentials, ApiClient, ApiRequest, AssistantEvent,
    CompactionConfig, ConfigLoader, ConfigSource, ContentBlock, ConversationMessage,
    ConversationRuntime, MessageRole, OAuthAuthorizationRequest, OAuthConfig,
@@ -4976,7 +4975,7 @@ impl ToolExecutor for CliToolExecutor {
        }
        let value = serde_json::from_str(input)
            .map_err(|error| ToolError::new(format!("invalid tool input JSON: {error}")))?;
-        match self.tool_registry.execute(tool_name, &value) {
+        match self.tool_registry.execute_preauthorized(tool_name, &value) {
            Ok(output) => {
                if self.emit_output {
                    let markdown = format_tool_result(tool_name, &output, false);
@@ -127,7 +127,10 @@ impl GlobalToolRegistry {
            }
        }

-        Ok(Self { plugin_tools, enforcer: None })
+        Ok(Self {
+            plugin_tools,
+            enforcer: None,
+        })
    }

    #[must_use]
@@ -242,8 +245,23 @@ impl GlobalToolRegistry {
    }

    pub fn execute(&self, name: &str, input: &Value) -> Result<String, String> {
-        if let Some(enforcer) = &self.enforcer {
-            enforce_permission_check(enforcer, name, input)?;
+        self.execute_inner(name, input, true)
+    }
+
+    pub fn execute_preauthorized(&self, name: &str, input: &Value) -> Result<String, String> {
+        self.execute_inner(name, input, false)
+    }
+
+    fn execute_inner(
+        &self,
+        name: &str,
+        input: &Value,
+        enforce_permissions: bool,
+    ) -> Result<String, String> {
+        if enforce_permissions {
+            if let Some(enforcer) = &self.enforcer {
+                enforce_permission_check(enforcer, name, input)?;
+            }
        }
        if mvp_tool_specs().iter().any(|spec| spec.name == name) {
            return execute_tool(name, input);
@@ -2798,7 +2816,10 @@ struct SubagentToolExecutor {

 impl SubagentToolExecutor {
    fn new(allowed_tools: BTreeSet<String>) -> Self {
-        Self { allowed_tools, enforcer: None }
+        Self {
+            allowed_tools,
+            enforcer: None,
+        }
    }

    fn with_enforcer(mut self, enforcer: PermissionEnforcer) -> Self {
@@ -2817,8 +2838,7 @@ impl ToolExecutor for SubagentToolExecutor {
        let value = serde_json::from_str(input)
            .map_err(|error| ToolError::new(format!("invalid tool input JSON: {error}")))?;
        if let Some(enforcer) = &self.enforcer {
-            enforce_permission_check(enforcer, tool_name, &value)
-                .map_err(ToolError::new)?;
+            enforce_permission_check(enforcer, tool_name, &value).map_err(ToolError::new)?;
        }
        execute_tool(tool_name, &value).map_err(ToolError::new)
    }
@@ -4219,8 +4239,8 @@ mod tests {
    use super::{
        agent_permission_policy, allowed_tools_for_subagent, execute_agent_with_spawn,
        execute_tool, final_assistant_text, mvp_tool_specs, permission_mode_from_plugin,
-        persist_agent_terminal_state, push_output_block, AgentInput, AgentJob,
-        GlobalToolRegistry, SubagentToolExecutor,
+        persist_agent_terminal_state, push_output_block, AgentInput, AgentJob, GlobalToolRegistry,
+        SubagentToolExecutor,
    };
    use api::OutputContentBlock;
    use runtime::{
@@ -4243,10 +4263,11 @@ mod tests {
    }

    fn permission_policy_for_mode(mode: PermissionMode) -> PermissionPolicy {
-        mvp_tool_specs().into_iter().fold(
-            PermissionPolicy::new(mode),
-            |policy, spec| policy.with_tool_requirement(spec.name, spec.required_permission),
-        )
+        mvp_tool_specs()
+            .into_iter()
+            .fold(PermissionPolicy::new(mode), |policy, spec| {
+                policy.with_tool_requirement(spec.name, spec.required_permission)
+            })
    }

    #[test]
@@ -4321,7 +4342,9 @@ mod tests {
            .expect_err("subagent write tool should be denied before dispatch");

        // then
-        assert!(error.to_string().contains("requires workspace-write permission"));
+        assert!(error
+            .to_string()
+            .contains("requires workspace-write permission"));
    }

    #[test]
@@ -5813,7 +5836,10 @@ printf 'pwsh:%s' "$1"
    fn given_read_only_enforcer_when_write_file_then_denied() {
        let registry = read_only_registry();
        let err = registry
-            .execute("write_file", &json!({ "path": "/tmp/x.txt", "content": "x" }))
+            .execute(
+                "write_file",
+                &json!({ "path": "/tmp/x.txt", "content": "x" }),
+            )
            .expect_err("write_file should be denied in read-only mode");
        assert!(
            err.contains("current mode is read-only"),
@@ -5847,10 +5873,7 @@ printf 'pwsh:%s' "$1"
        fs::write(&file, "content\n").expect("write test file");

        let registry = read_only_registry();
-        let result = registry.execute(
-            "read_file",
-            &json!({ "path": file.display().to_string() }),
-        );
+        let result = registry.execute("read_file", &json!({ "path": file.display().to_string() }));
        assert!(result.is_ok(), "read_file should be allowed: {result:?}");

        let _ = fs::remove_dir_all(root);
@@ -5876,6 +5899,16 @@ printf 'pwsh:%s' "$1"
        assert_eq!(output["stdout"], "ok");
    }

+    #[test]
+    fn given_enforcer_when_execute_preauthorized_then_skips_redundant_permission_check() {
+        let registry = read_only_registry();
+        let result = registry
+            .execute_preauthorized("bash", &json!({ "command": "printf 'ok'" }))
+            .expect("preauthorized bash should skip registry enforcement");
+        let output: serde_json::Value = serde_json::from_str(&result).expect("json");
+        assert_eq!(output["stdout"], "ok");
+    }
+
    struct TestServer {
        addr: SocketAddr,
        shutdown: Option<std::sync::mpsc::Sender<()>>,