amr/passepartout
1
0
Fork 0
Code Issues 15 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
8fd56dece3847164af1faa8816565cbcfbbc83b2
passepartout/org/security-permissions.org
Amr Gharbeia 8fd56dece3 v0.8.2: cleanup + prose + structure + decomposition + budget + errors 
Phase 1 — dedup + hardening (~9 items):
- Remove duplicate *skill-registry* defvar from core-skills
- Merge *backend-registry* into *probabilistic-backends*, delete backend-register
- Remove inject-stimulus alias, standardize on stimulus-inject
- Add pre-eval sandbox (skill-source-scan) blocks restricted symbols before eval
- Remove dead plist-get function; remove duplicate json-alist-to-plist export
- Fix read-framed-message whitespace DoS (4096-iteration max)
- Add *read-eval* nil to dispatcher-approvals-process read-from-string (RCE)
- Add test-op to ASDF; update .asd version 0.4.3→0.7.2

Phase 2 — prose + contracts + reorder:
- Split ROADMAP: 2623→1089 lines (TODO only), CHANGELOG: 260→1528 lines (full DONE history, 14 versions reverse chron)
- Add Contracts + Overview to 6 channel files + embedding-native + programming-standards + symbolic-scope
- Reorder 28 .org files: Contract → Test Suite → Implementation (TDD order)
- Add 7-phase inline prose to think() in core-reason
- Expand USER_MANUAL: 183→461 lines (10 new sections)

Phase 3 — decomposition + export organization:
- Decompose think() into think-assemble-prompt, think-call-llm, think-parse-response orchestrator
- Organize 188 exports into 16 grouped sections by module

Phase 4 — budget enforcement + error protocol:
- Per-session budget enforcement (SESSION_BUDGET_USD env var, budget-exhausted-p, guard in think-call-llm)
- Error condition hierarchy (6 conditions: pipeline-error, llm-error, gate-error, budget-error, protocol-error)
- Restarts in loop-process: skip-signal, use-fallback, abort-pipeline
2026-05-13 09:17:48 -04:00

3.4 KiB
Raw Blame History

SKILL: Tool Permissions (org-skill-tool-permissions.org)

Overview: The Authorization Matrix

Every cognitive tool (file read, file write, shell execute, etc.) has a permission level: :allow (executed without asking), :ask (user is prompted before execution), or :deny (blocked entirely). Tool Permissions maintains the registry of these levels and provides the permission-gate-check that the Dispatcher calls before dispatching a tool action.

The complexity lives in the Dispatcher (security-dispatcher.org), which consults this table as one of its ten scan vectors.

Contract

  1. (permission-set tool-name level): stores level for tool-name in *permission-table*. Tool names are normalized to lowercase.
  2. (permission-get tool-name): returns the stored level, or :ask if no entry exists.
  3. Tool name matching is case-insensitive — (permission-set :FOO :allow) and (permission-get :foo) return :allow.

Boundaries

  • Does NOT enforce permissions — the Dispatcher does that.
  • Does NOT persist permissions to disk — this is runtime-only.
  • Does NOT validate that level is one of (:allow :ask :deny).

Test Suite 

(eval-when (:compile-toplevel :load-toplevel :execute)
  (ql:quickload :fiveam :silent t))

(defpackage :passepartout-security-permissions-tests
  (:use :cl :fiveam :passepartout)
  (:export #:permissions-suite))

(in-package :passepartout-security-permissions-tests)

(def-suite permissions-suite :description "Verification of Tool Permissions")
(in-suite permissions-suite)

(test test-permission-round-trip
  "Contract 1: permission-set stores a level; permission-get retrieves it."
  (permission-set "test-tool" :allow)
  (is (eq :allow (permission-get "test-tool")))
  ;; Clean up
  (permission-set "test-tool" nil))

(test test-permission-default
  "Contract 2: unregistered tools default to :ask."
  (is (eq :ask (permission-get "never-registered-tool-xyz"))))

(test test-permission-case-insensitive
  "Contract 3: tool names are normalized to lowercase."
  (permission-set :CapitalTool :deny)
  (is (eq :deny (permission-get :capitaltool)))
  (permission-set "CapitalTool" nil))

Implementation

Package Context 

(in-package :passepartout)

Permission store (tool level)

Hash table mapping tool names to their permission level. ;; REPL-VERIFIED: 2026-05-03T13:00:00

(defvar *permission-table* (make-hash-table :test 'equal))

Set permission

Sets the permission level for a specific cognitive tool. ;; REPL-VERIFIED: 2026-05-03T13:00:00

(defun permission-set (tool-name level)
  "Sets the permission level for a tool."
  (setf (gethash (string-downcase (string tool-name)) *permission-table*) level))

Get permission

Retrieves the current permission level for a tool. Defaults to :ask if unset. ;; REPL-VERIFIED: 2026-05-03T13:00:00

(defun permission-get (tool-name)
  "Retrieves the permission level for a tool. Defaults to :ask."
  (gethash (string-downcase (string tool-name)) *permission-table* :ask))

Skill Registration 

(defskill :passepartout-security-permissions
  :priority 600
  :trigger (lambda (ctx) (declare (ignore ctx)) nil))
Reference in New Issue View Git Blame Copy Permalink