
feat(tools): permission policy, output overflow, stale file cleanup #266

Merged
bug-ops merged 3 commits into main from feat/m19/tool-permissions
Feb 14, 2026

Conversation

Owner

@bug-ops bug-ops commented Feb 14, 2026

Summary

Phase C — Pattern-Based Permissions (#248-#250):

  • PermissionPolicy with glob matching per tool, first-match-wins rule ordering, Ask default fallback
  • Case-insensitive input normalization to prevent casing bypass on deny rules
  • Legacy blocked_commands/confirm_patterns auto-migrated to permission rules (backward compatible)
  • ShellExecutor uses PermissionPolicy::check() instead of legacy find_blocked_command()/find_confirm_command()
  • Fully-denied tools excluded from system prompt via ToolRegistry::format_for_prompt_filtered()

Phase D — Output Overflow (#251-#252):

  • Full tool output saved to ~/.zeph/data/tool-output/{uuid}.txt when exceeding MAX_TOOL_OUTPUT_CHARS
  • Truncated output includes path notice so LLM can use read tool to access full content
  • Stale overflow files (>24h) cleaned up on startup via spawn_blocking

Additional fixes:

  • Replace unmaintained dirs-next 2.0 with dirs 6.x
  • Deduplicate permission_policy() call in main.rs

Test plan

  • 14 permission tests: glob matching, rule ordering, case-insensitive bypass prevention, legacy migration
  • 6 config/shell integration tests: policy from legacy fields, policy deny/ask/allow in executor
  • 3 prompt filtering tests: denied tools excluded, mixed rules visible
  • 2 overflow tests: save to file, notice appended
  • 3 cleanup tests: stale removal, dir creation, error handling
  • 1337 total tests pass, clippy zero warnings

Closes #248, closes #249, closes #250, closes #251, closes #252
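
The rule evaluation summarized under Phase C, as an added example that is not code from this PR or from the zeph crates: `Policy`, `Action`, `glob_match` and the sample rules are hypothetical names chosen for illustration. The `normalize` flag exists only to show the deny rule failing to fire on mixed-case input when normalization is skipped.

```rust
// Added illustration: all names here are hypothetical, not the zeph API.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Action { Allow, Ask, Deny }

struct Policy { rules: Vec<(Vec<char>, Action)> }

/// Minimal glob: `*` matches any run of characters, `?` exactly one.
/// Recursive for clarity; fine for short, operator-written patterns.
fn glob_match(pat: &[char], text: &[char]) -> bool {
    match pat.split_first() {
        None => text.is_empty(),
        Some((&'*', rest)) => (0..=text.len()).any(|i| glob_match(rest, &text[i..])),
        Some((&'?', rest)) => !text.is_empty() && glob_match(rest, &text[1..]),
        Some((&c, rest)) => text.first() == Some(&c) && glob_match(rest, &text[1..]),
    }
}

impl Policy {
    /// Patterns are lowercased once, so rule and input are compared in the same case.
    fn new(rules: &[(&str, Action)]) -> Self {
        let rules = rules.iter()
            .map(|(p, a)| (p.to_lowercase().chars().collect::<Vec<char>>(), *a))
            .collect();
        Policy { rules }
    }

    /// `normalize = false` reproduces the casing bypass on deny rules.
    fn check(&self, input: &str, normalize: bool) -> Action {
        let input = if normalize { input.trim().to_lowercase() } else { input.trim().to_string() };
        let text: Vec<char> = input.chars().collect();
        self.rules.iter()
            .find(|(pat, _)| glob_match(pat, &text)) // first match wins
            .map(|(_, action)| *action)
            .unwrap_or(Action::Ask) // nothing matched: fall back to Ask
    }
}

/// Constructed sample rules for a shell tool; order matters.
fn sample_policy() -> Policy {
    Policy::new(&[("sudo *", Action::Deny), ("git push*", Action::Ask), ("git *", Action::Allow)])
}

fn main() {
    let p = sample_policy();
    for cmd in ["sudo rm -rf /tmp/x", "SuDo rm -rf /tmp/x", "git push origin main", "git status", "ls"] {
        println!("{cmd:<24} strict={:?} normalized={:?}", p.check(cmd, false), p.check(cmd, true));
    }
}
```

Swapping the `git push*` and `git *` rules turns the push from Ask into Allow, which is why the more specific rule has to come first under first-match-wins.
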

Phase C — Pattern-Based Permissions:
- Add PermissionPolicy with glob matching, first-match-wins, case-
  insensitive input normalization (#248)
- Migrate blocked_commands/confirm_patterns to permission rules with
  backward-compatible config aliases (#249)
- Exclude fully-denied tools from system prompt via filtered formatting
  (#250)

Phase D — Output Overflow:
- Save full output to ~/.zeph/data/tool-output/{uuid}.txt when truncated,
  append path notice for LLM read access (#251)
- Cleanup stale overflow files (>24h) on startup via spawn_blocking (#252)

Security: case-insensitive glob matching prevents casing bypass on deny
rules. Replace dirs-next with dirs 6.x.

Closes #248, closes #249, closes #250, closes #251, closes #252
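
The Phase D behaviour described above (save full output on overflow, append a path notice, remove files older than 24h), as an added example that is not the code in `overflow.rs`: `cap_output`, `cleanup_stale`, the 64-character cap and the caller-supplied `id` are assumptions for illustration. The caller is assumed to pass a freshly generated identifier, never input-derived text, since `id` becomes part of a file name.

```rust
// Added illustration: function names and the small cap are hypothetical.
use std::fs;
use std::io;
use std::path::Path;
use std::time::{Duration, SystemTime};

const MAX_CHARS: usize = 64; // stand-in for MAX_TOOL_OUTPUT_CHARS
const MAX_AGE: Duration = Duration::from_secs(24 * 60 * 60);

/// Returns the text handed to the model; over the cap, the full output
/// goes to `dir/<id>.txt` and the truncated text ends with a path notice.
fn cap_output(dir: &Path, id: &str, output: &str) -> io::Result<String> {
    if output.chars().count() <= MAX_CHARS {
        return Ok(output.to_string());
    }
    fs::create_dir_all(dir)?;
    let path = dir.join(format!("{id}.txt"));
    fs::write(&path, output)?;
    // Cut by characters, not bytes, so multi-byte UTF-8 cannot split or panic.
    let head: String = output.chars().take(MAX_CHARS).collect();
    Ok(format!("{head}\n[truncated; full output saved to {}]", path.display()))
}

/// Removes regular files in `dir` last modified more than MAX_AGE before `now`.
/// `now` is a parameter so the age check can be tested without touching mtimes.
fn cleanup_stale(dir: &Path, now: SystemTime) -> io::Result<usize> {
    let mut removed = 0;
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        let meta = entry.metadata()?; // does not follow symlinks
        if !meta.is_file() {
            continue; // skip directories and symlinks
        }
        let age = now.duration_since(meta.modified()?).unwrap_or(Duration::ZERO);
        if age > MAX_AGE {
            fs::remove_file(entry.path())?;
            removed += 1;
        }
    }
    Ok(removed)
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join("overflow-demo");
    println!("{}", cap_output(&dir, "constructed-id", &"x".repeat(200))?);
    println!("stale files removed: {}", cleanup_stale(&dir, SystemTime::now())?);
    Ok(())
}
```
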
@github-actions github-actions bot added enhancement New feature or request rust Rust code changes core zeph-core crate dependencies Dependency updates size/XL Extra large PR (500+ lines) and removed enhancement New feature or request labels Feb 14, 2026
Update mdBook pages (tools, configuration, security), CHANGELOG.md, and
README.md to reflect pattern-based permission policy, output overflow to
file, and stale cleanup.
@github-actions github-actions bot added documentation Improvements or additions to documentation enhancement New feature or request labels Feb 14, 2026
@bug-ops bug-ops enabled auto-merge (squash) February 14, 2026 15:24
@codecov-commenter

codecov-commenter commented Feb 14, 2026

Codecov Report

❌ Patch coverage is 92.82297% with 30 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
crates/zeph-tools/src/overflow.rs 80.48% 16 Missing ⚠️
src/main.rs 0.00% 7 Missing ⚠️
crates/zeph-core/src/agent.rs 57.14% 6 Missing ⚠️
crates/zeph-tools/src/registry.rs 98.36% 1 Missing ⚠️


@@            Coverage Diff             @@
##             main     #266      +/-   ##
==========================================
+ Coverage   81.04%   81.23%   +0.18%     
==========================================
  Files          81       83       +2     
  Lines       24220    24614     +394     
==========================================
+ Hits        19630    19994     +364     
- Misses       4590     4620      +30     
Files with missing lines Coverage Δ
crates/zeph-tools/src/config.rs 100.00% <100.00%> (ø)
crates/zeph-tools/src/permissions.rs 100.00% <100.00%> (ø)
crates/zeph-tools/src/shell.rs 97.05% <100.00%> (+0.23%) ⬆️
crates/zeph-tools/src/registry.rs 99.23% <98.36%> (-0.27%) ⬇️
crates/zeph-core/src/agent.rs 69.14% <57.14%> (-0.13%) ⬇️
src/main.rs 65.36% <0.00%> (-0.31%) ⬇️
crates/zeph-tools/src/overflow.rs 80.48% <80.48%> (ø)

@bug-ops bug-ops merged commit 56012b4 into main Feb 14, 2026
20 checks passed
@bug-ops bug-ops deleted the feat/m19/tool-permissions branch February 14, 2026 15:42

Labels

core (zeph-core crate); dependencies (Dependency updates); documentation (Improvements or additions to documentation); enhancement (New feature or request); rust (Rust code changes); size/XL (Extra large PR, 500+ lines)
